50fa79407d
Some checks are pending
CI — CoM Config Validation / Validate JSON Configs (push) Waiting to run
CI — CoM Config Validation / Validate YAML Configs (push) Waiting to run
CI — CoM Config Validation / Lint Shell Scripts (push) Waiting to run
CI — CoM Config Validation / Secret Detection (push) Waiting to run
CI — CoM Config Validation / Lint Markdown (push) Waiting to run
CI — CoM Config Validation / Validate CODEOWNERS (push) Waiting to run
Public, sanitized mirror of an AI orchestration command center: agents, skills, MCP servers, slash-command workflows. All infrastructure identifiers, hostnames, mesh IPs/subnets, repo paths, maintainer identity, and hardware fleet specifics scrubbed to <placeholders>; session debug logs and host-specific memory removed. No live credentials. Verified clean by automated leak sweep. See SANITIZATION.md. churchofmalware.org . authorized research only
321 lines
14 KiB
Python
321 lines
14 KiB
Python
#!/usr/bin/env python3
|
|
"""
|
|
MITRE ATT&CK Mapper
|
|
Maps threat behaviors and techniques to the MITRE ATT&CK framework.
|
|
|
|
Repository: https://github.com/Masriyan/Claude-Code-CyberSecurity-Skill
|
|
"""
|
|
|
|
import argparse
|
|
import json
|
|
import logging
|
|
import sys
|
|
import time
|
|
from typing import Any, Dict, List, Optional
|
|
|
|
logging.basicConfig(
|
|
level=logging.INFO,
|
|
format="%(asctime)s [%(levelname)s] %(message)s",
|
|
datefmt="%Y-%m-%d %H:%M:%S",
|
|
)
|
|
logger = logging.getLogger(__name__)
|
|
|
|
# Core MITRE ATT&CK technique database (subset for offline use)
|
|
ATTACK_TECHNIQUES = {
|
|
"T1059": {
|
|
"name": "Command and Scripting Interpreter",
|
|
"tactic": "Execution",
|
|
"description": "Adversaries may abuse command and script interpreters to execute commands.",
|
|
"subtechniques": {
|
|
"T1059.001": {"name": "PowerShell", "detection": "Monitor for powershell.exe execution with unusual arguments"},
|
|
"T1059.003": {"name": "Windows Command Shell", "detection": "Monitor for cmd.exe with encoded commands"},
|
|
"T1059.004": {"name": "Unix Shell", "detection": "Monitor for bash/sh with base64 decoded commands"},
|
|
"T1059.006": {"name": "Python", "detection": "Monitor for python execution from unusual paths"},
|
|
},
|
|
},
|
|
"T1053": {
|
|
"name": "Scheduled Task/Job",
|
|
"tactic": "Execution, Persistence, Privilege Escalation",
|
|
"description": "Adversaries may abuse task scheduling to execute malicious code.",
|
|
"subtechniques": {
|
|
"T1053.005": {"name": "Scheduled Task", "detection": "Monitor schtasks.exe /create commands"},
|
|
"T1053.003": {"name": "Cron", "detection": "Monitor modifications to crontab and /etc/cron.*"},
|
|
},
|
|
},
|
|
"T1055": {
|
|
"name": "Process Injection",
|
|
"tactic": "Defense Evasion, Privilege Escalation",
|
|
"description": "Adversaries may inject code into processes to evade process-based defenses.",
|
|
"subtechniques": {
|
|
"T1055.001": {"name": "DLL Injection", "detection": "Monitor for LoadLibrary calls from unusual sources"},
|
|
"T1055.003": {"name": "Thread Execution Hijacking", "detection": "Monitor for SuspendThread/SetThreadContext"},
|
|
"T1055.012": {"name": "Process Hollowing", "detection": "Monitor for NtUnmapViewOfSection followed by WriteProcessMemory"},
|
|
},
|
|
},
|
|
"T1071": {
|
|
"name": "Application Layer Protocol",
|
|
"tactic": "Command and Control",
|
|
"description": "Adversaries may communicate using application layer protocols.",
|
|
"subtechniques": {
|
|
"T1071.001": {"name": "Web Protocols", "detection": "Monitor HTTP/HTTPS traffic for C2 patterns"},
|
|
"T1071.004": {"name": "DNS", "detection": "Monitor for DNS tunneling (high query volume, TXT records)"},
|
|
},
|
|
},
|
|
"T1078": {
|
|
"name": "Valid Accounts",
|
|
"tactic": "Defense Evasion, Persistence, Privilege Escalation, Initial Access",
|
|
"description": "Adversaries may use valid accounts to gain access.",
|
|
"subtechniques": {
|
|
"T1078.001": {"name": "Default Accounts", "detection": "Monitor for logons with default/built-in accounts"},
|
|
"T1078.002": {"name": "Domain Accounts", "detection": "Monitor for unusual domain account activity"},
|
|
"T1078.003": {"name": "Local Accounts", "detection": "Monitor for local account creation and usage"},
|
|
},
|
|
},
|
|
"T1110": {
|
|
"name": "Brute Force",
|
|
"tactic": "Credential Access",
|
|
"description": "Adversaries may use brute force techniques to gain access to accounts.",
|
|
"subtechniques": {
|
|
"T1110.001": {"name": "Password Guessing", "detection": "Monitor for multiple failed logon attempts"},
|
|
"T1110.003": {"name": "Password Spraying", "detection": "Monitor for single password against many accounts"},
|
|
},
|
|
},
|
|
"T1486": {
|
|
"name": "Data Encrypted for Impact",
|
|
"tactic": "Impact",
|
|
"description": "Adversaries may encrypt data on target systems or networks to interrupt availability.",
|
|
"subtechniques": {},
|
|
},
|
|
"T1027": {
|
|
"name": "Obfuscated Files or Information",
|
|
"tactic": "Defense Evasion",
|
|
"description": "Adversaries may obfuscate files or information to hinder detection.",
|
|
"subtechniques": {
|
|
"T1027.001": {"name": "Binary Padding", "detection": "Monitor for unusually large binaries"},
|
|
"T1027.002": {"name": "Software Packing", "detection": "Detect known packer signatures"},
|
|
},
|
|
},
|
|
"T1082": {
|
|
"name": "System Information Discovery",
|
|
"tactic": "Discovery",
|
|
"description": "Adversaries may attempt to get detailed information about the operating system.",
|
|
"subtechniques": {},
|
|
},
|
|
"T1021": {
|
|
"name": "Remote Services",
|
|
"tactic": "Lateral Movement",
|
|
"description": "Adversaries may use remote services to move laterally.",
|
|
"subtechniques": {
|
|
"T1021.001": {"name": "Remote Desktop Protocol", "detection": "Monitor for unusual RDP connections"},
|
|
"T1021.002": {"name": "SMB/Windows Admin Shares", "detection": "Monitor for C$/ADMIN$ share access"},
|
|
"T1021.004": {"name": "SSH", "detection": "Monitor for SSH connections from unusual sources"},
|
|
"T1021.006": {"name": "Windows Remote Management", "detection": "Monitor for WinRM connections"},
|
|
},
|
|
},
|
|
"T1547": {
|
|
"name": "Boot or Logon Autostart Execution",
|
|
"tactic": "Persistence, Privilege Escalation",
|
|
"description": "Adversaries may configure system settings to automatically execute at startup.",
|
|
"subtechniques": {
|
|
"T1547.001": {"name": "Registry Run Keys", "detection": "Monitor HKLM/HKCU Run key modifications"},
|
|
"T1547.004": {"name": "Winlogon Helper DLL", "detection": "Monitor Winlogon registry changes"},
|
|
},
|
|
},
|
|
"T1003": {
|
|
"name": "OS Credential Dumping",
|
|
"tactic": "Credential Access",
|
|
"description": "Adversaries may attempt to dump credentials from the OS.",
|
|
"subtechniques": {
|
|
"T1003.001": {"name": "LSASS Memory", "detection": "Monitor for LSASS process access"},
|
|
"T1003.002": {"name": "Security Account Manager", "detection": "Monitor for SAM database access"},
|
|
"T1003.003": {"name": "NTDS", "detection": "Monitor for ntdsutil or volume shadow copy access"},
|
|
},
|
|
},
|
|
"T1190": {
|
|
"name": "Exploit Public-Facing Application",
|
|
"tactic": "Initial Access",
|
|
"description": "Adversaries may exploit vulnerabilities in internet-facing applications.",
|
|
"subtechniques": {},
|
|
},
|
|
"T1566": {
|
|
"name": "Phishing",
|
|
"tactic": "Initial Access",
|
|
"description": "Adversaries may send phishing messages to gain access.",
|
|
"subtechniques": {
|
|
"T1566.001": {"name": "Spearphishing Attachment", "detection": "Monitor for suspicious email attachments"},
|
|
"T1566.002": {"name": "Spearphishing Link", "detection": "Monitor for email links to known bad domains"},
|
|
},
|
|
},
|
|
"T1048": {
|
|
"name": "Exfiltration Over Alternative Protocol",
|
|
"tactic": "Exfiltration",
|
|
"description": "Adversaries may steal data by exfiltrating over alternative protocols.",
|
|
"subtechniques": {
|
|
"T1048.001": {"name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "detection": "Monitor for unusual encrypted outbound traffic"},
|
|
"T1048.003": {"name": "Exfiltration Over Unencrypted Non-C2 Protocol", "detection": "Monitor for large DNS/ICMP transfers"},
|
|
},
|
|
},
|
|
}
|
|
|
|
# SIEM query templates
|
|
SIEM_TEMPLATES = {
|
|
"splunk": {
|
|
"T1059.001": 'index=windows sourcetype=WinEventLog:Security EventCode=4688 NewProcessName="*powershell*" | table _time, Computer, Account_Name, NewProcessName, Process_Command_Line',
|
|
"T1053.005": 'index=windows sourcetype=WinEventLog:Security EventCode=4698 OR (EventCode=4688 NewProcessName="*schtasks*") | table _time, Computer, Account_Name, Task_Name',
|
|
"T1110.001": 'index=windows sourcetype=WinEventLog:Security EventCode=4625 | stats count by src_ip, Account_Name | where count > 5',
|
|
"T1021.001": 'index=windows sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=10 | table _time, Source_Network_Address, Account_Name, Computer',
|
|
"T1003.001": 'index=windows sourcetype=WinEventLog:Security EventCode=4663 ObjectName="*lsass*" | table _time, Computer, Account_Name, Process_Name',
|
|
},
|
|
"elastic": {
|
|
"T1059.001": 'event.code:4688 AND process.name:powershell.exe',
|
|
"T1053.005": 'event.code:(4698 OR 4688) AND process.name:schtasks.exe',
|
|
"T1110.001": 'event.code:4625 | stats count by source.ip, user.name | where count > 5',
|
|
"T1021.001": 'event.code:4624 AND winlog.event_data.LogonType:10',
|
|
"T1003.001": 'event.code:4663 AND file.path:*lsass*',
|
|
},
|
|
}
|
|
|
|
|
|
class MITREMapper:
|
|
"""MITRE ATT&CK technique mapping and query generation engine."""
|
|
|
|
def __init__(self):
|
|
self.techniques = ATTACK_TECHNIQUES
|
|
self.siem_templates = SIEM_TEMPLATES
|
|
|
|
def lookup_technique(self, technique_id: str) -> Optional[Dict]:
|
|
"""Look up a technique by ID."""
|
|
# Check top-level
|
|
if technique_id in self.techniques:
|
|
return {"id": technique_id, **self.techniques[technique_id]}
|
|
|
|
# Check sub-techniques
|
|
parent_id = technique_id.split(".")[0]
|
|
if parent_id in self.techniques:
|
|
subtechniques = self.techniques[parent_id].get("subtechniques", {})
|
|
if technique_id in subtechniques:
|
|
return {
|
|
"id": technique_id,
|
|
"parent": parent_id,
|
|
"parent_name": self.techniques[parent_id]["name"],
|
|
"tactic": self.techniques[parent_id]["tactic"],
|
|
**subtechniques[technique_id],
|
|
}
|
|
return None
|
|
|
|
def map_techniques(self, technique_ids: List[str]) -> Dict[str, Any]:
|
|
"""Map multiple technique IDs to ATT&CK details."""
|
|
mapped = []
|
|
unmapped = []
|
|
|
|
for tid in technique_ids:
|
|
result = self.lookup_technique(tid.strip())
|
|
if result:
|
|
mapped.append(result)
|
|
else:
|
|
unmapped.append(tid)
|
|
|
|
# Group by tactic
|
|
by_tactic = {}
|
|
for tech in mapped:
|
|
tactics = tech.get("tactic", "Unknown")
|
|
for tactic in tactics.split(", "):
|
|
if tactic not in by_tactic:
|
|
by_tactic[tactic] = []
|
|
by_tactic[tactic].append(tech)
|
|
|
|
return {
|
|
"total_mapped": len(mapped),
|
|
"total_unmapped": len(unmapped),
|
|
"techniques": mapped,
|
|
"unmapped": unmapped,
|
|
"by_tactic": {k: [t["id"] for t in v] for k, v in by_tactic.items()},
|
|
"timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
|
|
}
|
|
|
|
def generate_detection_query(self, technique_id: str, siem: str = "splunk") -> Optional[str]:
|
|
"""Generate a SIEM detection query for a technique."""
|
|
templates = self.siem_templates.get(siem, {})
|
|
return templates.get(technique_id)
|
|
|
|
def generate_navigator_layer(self, technique_ids: List[str], name: str = "Threat Map") -> Dict:
|
|
"""Generate an ATT&CK Navigator layer JSON."""
|
|
techniques = []
|
|
for tid in technique_ids:
|
|
tech = self.lookup_technique(tid)
|
|
if tech:
|
|
techniques.append({
|
|
"techniqueID": tid,
|
|
"color": "#e60d0d",
|
|
"comment": tech.get("name", ""),
|
|
"enabled": True,
|
|
})
|
|
|
|
return {
|
|
"name": name,
|
|
"versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
|
|
"domain": "enterprise-attack",
|
|
"description": f"Generated by CyberSkill MITRE Mapper — {time.strftime('%Y-%m-%d')}",
|
|
"techniques": techniques,
|
|
"gradient": {
|
|
"colors": ["#ffffff", "#ff6666"],
|
|
"minValue": 0,
|
|
"maxValue": 1,
|
|
},
|
|
}
|
|
|
|
|
|
def main():
|
|
parser = argparse.ArgumentParser(
|
|
description="MITRE ATT&CK Mapper",
|
|
epilog="https://github.com/Masriyan/Claude-Code-CyberSecurity-Skill",
|
|
)
|
|
parser.add_argument("--input", "-i", help="File with technique IDs (one per line)")
|
|
parser.add_argument("--technique", "-t", help="Single technique ID to look up")
|
|
parser.add_argument("--detection-query", choices=["splunk", "elastic"], help="Generate SIEM query")
|
|
parser.add_argument("--navigator", action="store_true", help="Export ATT&CK Navigator layer")
|
|
parser.add_argument("--output", "-o", help="Output file (JSON)")
|
|
parser.add_argument("--verbose", "-v", action="store_true")
|
|
args = parser.parse_args()
|
|
|
|
if args.verbose:
|
|
logging.getLogger().setLevel(logging.DEBUG)
|
|
|
|
mapper = MITREMapper()
|
|
|
|
if args.technique:
|
|
technique_ids = [args.technique]
|
|
elif args.input:
|
|
with open(args.input, "r") as f:
|
|
technique_ids = [line.strip() for line in f if line.strip()]
|
|
else:
|
|
parser.error("Either --technique or --input is required")
|
|
|
|
if args.detection_query:
|
|
for tid in technique_ids:
|
|
query = mapper.generate_detection_query(tid, args.detection_query)
|
|
if query:
|
|
print(f"\n# {tid} — {args.detection_query.upper()} Query:")
|
|
print(query)
|
|
else:
|
|
print(f"\n# {tid} — No query template available")
|
|
return
|
|
|
|
if args.navigator:
|
|
result = mapper.generate_navigator_layer(technique_ids)
|
|
else:
|
|
result = mapper.map_techniques(technique_ids)
|
|
|
|
output_data = json.dumps(result, indent=2)
|
|
|
|
if args.output:
|
|
with open(args.output, "w") as f:
|
|
f.write(output_data)
|
|
logger.info("Results saved to %s", args.output)
|
|
else:
|
|
print(output_data)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|