
Merge pull request #2 from vectra-ai-research/dev_v15
Support for Mitre v15_1
openrec0n authored Jul 12, 2024
2 parents 7e61ed4 + bac7212 commit e713ec7
Showing 18 changed files with 1,844,739 additions and 10,073 deletions.
6 changes: 3 additions & 3 deletions Modules/Navigator.py
Expand Up @@ -5,7 +5,7 @@
from .BaseMitreFunctions import *

#Load the latest mitre data to memory
mitre_data_ent_latest = get_attack_version("enterprise-attack", "14.0")
mitre_data_ent_latest = get_attack_version("enterprise-attack", "15.1")

def GetTechniques(mitre_data = mitre_data_ent_latest, x_mitre_platform = None, name = None, x_mitre_is_subtechnique = "All",revoked_n_deprecated=None):
"""Queries and return Technique information based on specified parameters. If no parameters are supplied, the function returns all Techniques in latest enterprise matrix"""
Expand Down Expand Up @@ -89,7 +89,7 @@ def CreateMitreLayerFile(layer_name, techniques, total_triggered_techniques, ten
basic_layer_info["sorting"] = 3

# Add layer description
basic_layer_info["description"] = f"Total Coverage : 109 , Detected : {total_triggered_techniques}"
basic_layer_info["description"] = f"Total Coverage : 112 , Detected : {total_triggered_techniques}"

#Add link to vectra tenant
detections_url = tenant_url+"/detections"
Expand All @@ -114,7 +114,7 @@ def CreateMitreLayerFile(layer_name, techniques, total_triggered_techniques, ten

def BuildVectraMitreLayerInfo(access_token, request_url):
'''Function to construct the techniques json for the MITRE layer file'''
vectra_mitre_map_file = "./Resources/vectra_att&ck_v13-detection_to_technique.json"
vectra_mitre_map_file = "./Resources/vectra_att&ck_v15-detection_to_technique.json"

mitre_technique_to_phase_map_file = "./Resources/Mitre_Technique_To_Phase_Map.json"

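Review bot: The coverage total in the description string on the `basic_layer_info["description"]` line is a hand-maintained literal (109 changed to 112 here) that must be bumped in lock-step with the `"15.1"` argument to get_attack_version and the `v15` mapping-file path further down, and nothing in the file checks that the three agree, so the next ATT&CK update can silently leave a stale total in every generated layer. If `techniques` is the covered set (its shape is not visible in the hunk), deriving it as `f"Total Coverage : {len(techniques)} , Detected : {total_triggered_techniques}"` and hoisting the version into one module-level constant reused by both the get_attack_version call and the mapping-file name would remove the drift. The mapping path is also relative to the process working directory rather than to the module, so which detection-to-technique file is loaded depends on where the tool is launched from; resolving it against `__file__` would make the lookup deterministic. CreateMitreLayerFile begins above the second hunk and BuildVectraMitreLayerInfo continues past the third.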
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -15,12 +15,12 @@ pip install -r requirements.txt
```
2. Generate MITRE Coverage Layer
```
python3 VectraMitreMapper.py "tenant_url.portal.vectra.ai" "client_id" "client_secret" "optional_layer_name"
python3 VectraMitreMapper.py "https://tenant_url.portal.vectra.ai" "client_id" "client_secret" "optional_layer_name"
```

### Generating Client Credentials

To use the tool with a Vectra tenant, user will need to generate client credentials. This can be generated from the Vectra tenant directly by navigating to:
```
Manage > API Clients > Add API Client > Generate Credentials
Manage > API Clients > Add API Client > Select Role : "Security Analyst" > Generate Credentials
```
2 changes: 1 addition & 1 deletion Resources/Mitre_Technique_To_Phase_Map.json
@@ -1 +1 @@
{"T1047": ["execution"], "T1113": ["collection"], "T1037": ["persistence", "privilege-escalation"], "T1557": ["credential-access", "collection"], "T1033": ["discovery"], "T1583": ["resource-development"], "T1613": ["discovery"], "T1592": ["reconnaissance"], "T1003": ["credential-access"], "T1129": ["execution"], "T1602": ["collection"], "T1006": ["defense-evasion"], "T1014": ["defense-evasion"], "T1123": ["collection"], "T1543": ["persistence", "privilege-escalation"], "T1133": ["persistence", "initial-access"], "T1539": ["credential-access"], "T1578": ["defense-evasion"], "T1069": ["discovery"], "T1114": ["collection"], "T1594": ["reconnaissance"], "T1561": ["impact"], "T1615": ["discovery"], "T1025": ["collection"], "T1547": ["persistence", "privilege-escalation"], "T1600": ["defense-evasion"], "T1489": ["impact"], "T1652": ["discovery"], "T1564": ["defense-evasion"], "T1080": ["lateral-movement"], "T1137": ["persistence"], "T1119": ["collection"], "T1115": ["collection"], "T1007": ["discovery"], "T1040": ["credential-access", "discovery"], "T1530": ["collection"], "T1135": ["discovery"], "T1120": ["discovery"], "T1082": ["discovery"], "T1071": ["command-and-control"], "T1053": ["execution", "persistence", "privilege-escalation"], "T1176": ["persistence"], "T1106": ["execution"], "T1202": ["defense-evasion"], "T1091": ["lateral-movement", "initial-access"], "T1005": ["collection"], "T1140": ["defense-evasion"], "T1562": ["defense-evasion"], "T1195": ["initial-access"], "T1190": ["initial-access"], "T1558": ["credential-access"], "T1555": ["credential-access"], "T1567": ["exfiltration"], "T1219": ["command-and-control"], "T1036": ["defense-evasion"], "T1552": ["credential-access"], "T1659": ["initial-access", "command-and-control"], "T1055": ["defense-evasion", "privilege-escalation"], "T1205": ["defense-evasion", "persistence", "command-and-control"], "T1218": ["defense-evasion"], "T1620": ["defense-evasion"], "T1611": ["privilege-escalation"], "T1010": 
["discovery"], "T1029": ["exfiltration"], "T1525": ["persistence"], "T1572": ["command-and-control"], "T1550": ["defense-evasion", "lateral-movement"], "T1011": ["exfiltration"], "T1589": ["reconnaissance"], "T1560": ["collection"], "T1185": ["collection"], "T1021": ["lateral-movement"], "T1596": ["reconnaissance"], "T1207": ["defense-evasion"], "T1610": ["defense-evasion", "execution"], "T1112": ["defense-evasion"], "T1580": ["discovery"], "T1491": ["impact"], "T1535": ["defense-evasion"], "T1563": ["lateral-movement"], "T1217": ["discovery"], "T1092": ["command-and-control"], "T1222": ["defense-evasion"], "T1595": ["reconnaissance"], "T1548": ["privilege-escalation", "defense-evasion"], "T1125": ["collection"], "T1016": ["discovery"], "T1087": ["discovery"], "T1090": ["command-and-control"], "T1059": ["execution"], "T1482": ["discovery"], "T1020": ["exfiltration"], "T1070": ["defense-evasion"], "T1609": ["execution"], "T1083": ["discovery"], "T1568": ["command-and-control"], "T1647": ["defense-evasion"], "T1074": ["collection"], "T1649": ["credential-access"], "T1049": ["discovery"], "T1584": ["resource-development"], "T1542": ["defense-evasion", "persistence"], "T1612": ["defense-evasion"], "T1586": ["resource-development"], "T1497": ["defense-evasion", "discovery"], "T1102": ["command-and-control"], "T1608": ["resource-development"], "T1104": ["command-and-control"], "T1657": ["impact"], "T1480": ["defense-evasion"], "T1619": ["discovery"], "T1654": ["discovery"], "T1528": ["credential-access"], "T1204": ["execution"], "T1057": ["discovery"], "T1072": ["execution", "lateral-movement"], "T1041": ["exfiltration"], "T1591": ["reconnaissance"], "T1606": ["credential-access"], "T1621": ["credential-access"], "T1554": ["persistence"], "T1212": ["credential-access"], "T1590": ["reconnaissance"], "T1210": ["lateral-movement"], "T1534": ["lateral-movement"], "T1199": ["initial-access"], "T1593": ["reconnaissance"], "T1098": ["persistence", "privilege-escalation"], 
"T1048": ["exfiltration"], "T1597": ["reconnaissance"], "T1566": ["initial-access"], "T1110": ["credential-access"], "T1565": ["impact"], "T1559": ["execution"], "T1001": ["command-and-control"], "T1039": ["collection"], "T1601": ["defense-evasion"], "T1574": ["persistence", "privilege-escalation", "defense-evasion"], "T1078": ["defense-evasion", "persistence", "privilege-escalation", "initial-access"], "T1571": ["command-and-control"], "T1068": ["privilege-escalation"], "T1531": ["impact"], "T1027": ["defense-evasion"], "T1201": ["discovery"], "T1546": ["privilege-escalation", "persistence"], "T1187": ["credential-access"], "T1599": ["defense-evasion"], "T1486": ["impact"], "T1553": ["defense-evasion"], "T1573": ["command-and-control"], "T1056": ["collection", "credential-access"], "T1203": ["execution"], "T1570": ["lateral-movement"], "T1095": ["command-and-control"], "T1012": ["discovery"], "T1030": ["exfiltration"], "T1499": ["impact"], "T1614": ["discovery"], "T1197": ["defense-evasion", "persistence"], "T1656": ["defense-evasion"], "T1132": ["command-and-control"], "T1598": ["reconnaissance"], "T1496": ["impact"], "T1585": ["resource-development"], "T1588": ["resource-development"], "T1569": ["execution"], "T1650": ["resource-development"], "T1213": ["collection"], "T1200": ["initial-access"], "T1505": ["persistence"], "T1485": ["impact"], "T1537": ["exfiltration"], "T1189": ["initial-access"], "T1498": ["impact"], "T1651": ["execution"], "T1221": ["defense-evasion"], "T1134": ["defense-evasion", "privilege-escalation"], "T1111": ["credential-access"], "T1136": ["persistence"], "T1526": ["discovery"], "T1018": ["discovery"], "T1046": ["discovery"], "T1518": ["discovery"], "T1538": ["discovery"], "T1622": ["defense-evasion", "discovery"], "T1052": ["exfiltration"], "T1105": ["command-and-control"], "T1648": ["execution"], "T1653": ["persistence"], "T1484": ["defense-evasion", "privilege-escalation"], "T1220": ["defense-evasion"], "T1587": 
["resource-development"], "T1008": ["command-and-control"], "T1124": ["discovery"], "T1556": ["credential-access", "defense-evasion", "persistence"], "T1495": ["impact"], "T1490": ["impact"], "T1216": ["defense-evasion"], "T1211": ["defense-evasion"], "T1127": ["defense-evasion"], "T1529": ["impact"]}
{"T1047": ["execution"], "T1113": ["collection"], "T1037": ["persistence", "privilege-escalation"], "T1557": ["credential-access", "collection"], "T1033": ["discovery"], "T1583": ["resource-development"], "T1613": ["discovery"], "T1592": ["reconnaissance"], "T1003": ["credential-access"], "T1129": ["execution"], "T1602": ["collection"], "T1006": ["defense-evasion"], "T1014": ["defense-evasion"], "T1123": ["collection"], "T1543": ["persistence", "privilege-escalation"], "T1133": ["persistence", "initial-access"], "T1539": ["credential-access"], "T1578": ["defense-evasion"], "T1069": ["discovery"], "T1114": ["collection"], "T1594": ["reconnaissance"], "T1561": ["impact"], "T1615": ["discovery"], "T1025": ["collection"], "T1547": ["persistence", "privilege-escalation"], "T1600": ["defense-evasion"], "T1489": ["impact"], "T1652": ["discovery"], "T1564": ["defense-evasion"], "T1080": ["lateral-movement"], "T1137": ["persistence"], "T1119": ["collection"], "T1115": ["collection"], "T1007": ["discovery"], "T1040": ["credential-access", "discovery"], "T1530": ["collection"], "T1135": ["discovery"], "T1120": ["discovery"], "T1082": ["discovery"], "T1071": ["command-and-control"], "T1053": ["execution", "persistence", "privilege-escalation"], "T1176": ["persistence"], "T1106": ["execution"], "T1202": ["defense-evasion"], "T1091": ["lateral-movement", "initial-access"], "T1005": ["collection"], "T1140": ["defense-evasion"], "T1562": ["defense-evasion"], "T1195": ["initial-access"], "T1190": ["initial-access"], "T1558": ["credential-access"], "T1555": ["credential-access"], "T1567": ["exfiltration"], "T1219": ["command-and-control"], "T1036": ["defense-evasion"], "T1552": ["credential-access"], "T1659": ["initial-access", "command-and-control"], "T1055": ["defense-evasion", "privilege-escalation"], "T1205": ["defense-evasion", "persistence", "command-and-control"], "T1218": ["defense-evasion"], "T1620": ["defense-evasion"], "T1611": ["privilege-escalation"], "T1010": 
["discovery"], "T1029": ["exfiltration"], "T1525": ["persistence"], "T1572": ["command-and-control"], "T1550": ["defense-evasion", "lateral-movement"], "T1011": ["exfiltration"], "T1589": ["reconnaissance"], "T1560": ["collection"], "T1185": ["collection"], "T1021": ["lateral-movement"], "T1596": ["reconnaissance"], "T1207": ["defense-evasion"], "T1610": ["defense-evasion", "execution"], "T1112": ["defense-evasion"], "T1580": ["discovery"], "T1491": ["impact"], "T1535": ["defense-evasion"], "T1563": ["lateral-movement"], "T1217": ["discovery"], "T1092": ["command-and-control"], "T1222": ["defense-evasion"], "T1595": ["reconnaissance"], "T1548": ["privilege-escalation", "defense-evasion"], "T1125": ["collection"], "T1016": ["discovery"], "T1087": ["discovery"], "T1090": ["command-and-control"], "T1059": ["execution"], "T1482": ["discovery"], "T1020": ["exfiltration"], "T1070": ["defense-evasion"], "T1609": ["execution"], "T1083": ["discovery"], "T1568": ["command-and-control"], "T1647": ["defense-evasion"], "T1074": ["collection"], "T1649": ["credential-access"], "T1049": ["discovery"], "T1584": ["resource-development"], "T1542": ["defense-evasion", "persistence"], "T1612": ["defense-evasion"], "T1586": ["resource-development"], "T1497": ["defense-evasion", "discovery"], "T1102": ["command-and-control"], "T1608": ["resource-development"], "T1104": ["command-and-control"], "T1657": ["impact"], "T1480": ["defense-evasion"], "T1619": ["discovery"], "T1654": ["discovery"], "T1528": ["credential-access"], "T1204": ["execution"], "T1057": ["discovery"], "T1072": ["execution", "lateral-movement"], "T1041": ["exfiltration"], "T1591": ["reconnaissance"], "T1606": ["credential-access"], "T1621": ["credential-access"], "T1554": ["persistence"], "T1212": ["credential-access"], "T1590": ["reconnaissance"], "T1210": ["lateral-movement"], "T1534": ["lateral-movement"], "T1199": ["initial-access"], "T1593": ["reconnaissance"], "T1098": ["persistence", "privilege-escalation"], 
"T1048": ["exfiltration"], "T1597": ["reconnaissance"], "T1566": ["initial-access"], "T1110": ["credential-access"], "T1565": ["impact"], "T1559": ["execution"], "T1001": ["command-and-control"], "T1039": ["collection"], "T1601": ["defense-evasion"], "T1574": ["persistence", "privilege-escalation", "defense-evasion"], "T1078": ["defense-evasion", "persistence", "privilege-escalation", "initial-access"], "T1571": ["command-and-control"], "T1068": ["privilege-escalation"], "T1531": ["impact"], "T1027": ["defense-evasion"], "T1201": ["discovery"], "T1546": ["privilege-escalation", "persistence"], "T1187": ["credential-access"], "T1599": ["defense-evasion"], "T1486": ["impact"], "T1553": ["defense-evasion"], "T1573": ["command-and-control"], "T1056": ["collection", "credential-access"], "T1203": ["execution"], "T1570": ["lateral-movement"], "T1095": ["command-and-control"], "T1012": ["discovery"], "T1030": ["exfiltration"], "T1499": ["impact"], "T1614": ["discovery"], "T1197": ["defense-evasion", "persistence"], "T1656": ["defense-evasion"], "T1132": ["command-and-control"], "T1598": ["reconnaissance"], "T1496": ["impact"], "T1585": ["resource-development"], "T1588": ["resource-development"], "T1569": ["execution"], "T1650": ["resource-development"], "T1213": ["collection"], "T1200": ["initial-access"], "T1505": ["persistence"], "T1485": ["impact"], "T1537": ["exfiltration"], "T1189": ["initial-access"], "T1498": ["impact"], "T1651": ["execution"], "T1221": ["defense-evasion"], "T1134": ["defense-evasion", "privilege-escalation"], "T1111": ["credential-access"], "T1136": ["persistence"], "T1526": ["discovery"], "T1018": ["discovery"], "T1046": ["discovery"], "T1518": ["discovery"], "T1538": ["discovery"], "T1622": ["defense-evasion", "discovery"], "T1052": ["exfiltration"], "T1105": ["command-and-control"], "T1648": ["execution"], "T1653": ["persistence"], "T1665": ["command-and-control"], "T1484": ["defense-evasion", "privilege-escalation"], "T1220": 
["defense-evasion"], "T1587": ["resource-development"], "T1008": ["command-and-control"], "T1124": ["discovery"], "T1556": ["credential-access", "defense-evasion", "persistence"], "T1495": ["impact"], "T1490": ["impact"], "T1216": ["defense-evasion"], "T1211": ["defense-evasion"], "T1127": ["defense-evasion"], "T1529": ["impact"]}
4 changes: 4 additions & 0 deletions Resources/attack-stix-data-master/CHANGELOG.md
@@ -1,5 +1,9 @@
# Changes to ATT&CK in STIX 2.1

## 23 April 2024

There are no changes to the data model in the April 2024 ATT&CK Content Release (ATT&CK v15.0)

## 31 October 2023 - ATT&CK Spec v3.2.0

Changes to ATT&CK in STIX for October 2023 ATT&CK Content Release (ATT&CK v14.0)
2 changes: 1 addition & 1 deletion Resources/attack-stix-data-master/USAGE.md
Expand Up @@ -82,7 +82,7 @@ Tools consuming ATT&CK-formatted data may support multiple versions of the ATT&C

| Current ATT&CK Spec Version | Link to Changelog |
|:----------------------------| :------------------------ |
| `3.0.0` | [changelog](CHANGELOG.md) |
| `3.2.0` | [changelog](CHANGELOG.md) |

ATT&CK uses a mix of predefined and custom STIX objects to implement ATT&CK concepts. The following table is a mapping of ATT&CK concepts to STIX 2.1 objects:

