# Curated subset of MITRE ATT&CK techniques referenced by the malware and
# threat-type tables below.  Keyed by technique ID (``T####``, or
# ``T####.###`` for a sub-technique); the value is ``(display name,
# tactic slug)``, the slug in lower-case hyphenated form.
# ``name_for``/``tactic_for`` fall back to the parent ID (the text before
# the ``.``) when a sub-technique is not listed, so a parent entry is
# enough to label any of its sub-techniques coarsely.
TECHNIQUES = {
    "T1003.001": ("OS Credential Dumping: LSASS Memory", "credential-access"),
    "T1005": ("Data from Local System", "collection"),
    "T1041": ("Exfiltration Over C2 Channel", "exfiltration"),
    "T1055": ("Process Injection", "defense-evasion"),
    "T1056.001": ("Input Capture: Keylogging", "collection"),
    "T1059": ("Command and Scripting Interpreter", "execution"),
    "T1059.001": ("Command and Scripting Interpreter: PowerShell", "execution"),
    "T1071": ("Application Layer Protocol", "command-and-control"),
    "T1071.001": ("Application Layer Protocol: Web Protocols", "command-and-control"),
    "T1071.004": ("Application Layer Protocol: DNS", "command-and-control"),
    "T1090": ("Proxy", "command-and-control"),
    "T1102": ("Web Service", "command-and-control"),
    "T1105": ("Ingress Tool Transfer", "command-and-control"),
    "T1110": ("Brute Force", "credential-access"),
    "T1204": ("User Execution", "execution"),
    "T1204.001": ("User Execution: Malicious Link", "execution"),
    "T1204.002": ("User Execution: Malicious File", "execution"),
    "T1486": ("Data Encrypted for Impact", "impact"),
    # NOTE: unlike the other sub-technique rows this name omits the
    # "Parent: Sub" prefix; keep that in mind if display names are compared.
    "T1547.001": ("Registry Run Keys / Startup Folder", "persistence"),
    "T1555": ("Credentials from Password Stores", "credential-access"),
    "T1566": ("Phishing", "initial-access"),
    "T1566.001": ("Phishing: Spearphishing Attachment", "initial-access"),
    "T1566.002": ("Phishing: Spearphishing Link", "initial-access"),
    "T1573": ("Encrypted Channel", "command-and-control"),
    "T1589.001": ("Gather Victim Identity Information: Credentials", "reconnaissance"),
    "T1588.001": ("Obtain Capabilities: Malware", "resource-development"),
    "T1608": ("Stage Capabilities", "resource-development"),
}
 
# Representative ATT&CK technique IDs for malware families seen in feed
# data.  Keys are normalized family names -- lower-case with spaces,
# hyphens and underscores removed -- matching the normalization applied
# in ``techniques_for_malware``.  That function matches a key as a
# substring of the reported name, so when one key contains another
# (``redline`` inside ``redlinestealer``) both rows must map to the same
# techniques, as they do here; aliases (``qakbot``/``qbot``) get their own
# rows.  Every value is a key of ``TECHNIQUES`` so it can be labelled.
MALWARE_TECHNIQUES = {
    "cobaltstrike": ["T1071.001", "T1059.001", "T1055"],
    "agenttesla": ["T1056.001", "T1555", "T1041"],
    "redline": ["T1555", "T1005", "T1041"],
    "redlinestealer": ["T1555", "T1005", "T1041"],
    "emotet": ["T1566.001", "T1071.001", "T1105"],
    "dridex": ["T1566.001", "T1071.001", "T1059.001"],
    "qakbot": ["T1566.001", "T1055", "T1071.001"],
    "qbot": ["T1566.001", "T1055", "T1071.001"],
    "icedid": ["T1566.001", "T1105", "T1071.001"],
    "trickbot": ["T1071.001", "T1055", "T1105"],
    "lokibot": ["T1555", "T1056.001", "T1041"],
    "formbook": ["T1056.001", "T1055", "T1041"],
    "njrat": ["T1059.001", "T1056.001", "T1071"],
    "asyncrat": ["T1059.001", "T1071", "T1105"],
    "remcos": ["T1059.001", "T1056.001", "T1071"],
}
 
# Coarse ATT&CK mapping for a feed's threat-type label.  Keys must equal
# the lower-cased label exactly -- ``techniques_for_threat_type`` does a
# plain dict lookup, not substring matching -- so synonyms
# (``botnet_cc``/``c2``, ``malware_download``/``payload_delivery``) are
# listed as separate rows.  Every value is a key of ``TECHNIQUES``.
THREAT_TYPE_TECHNIQUES = {
    "phishing": ["T1566.002", "T1204.001"],
    "exploit_kit": ["T1204.001", "T1608"],
    "botnet_cc": ["T1071.001", "T1573"],
    "c2": ["T1071.001", "T1573"],
    "malware_download": ["T1105", "T1204.002"],
    "payload_delivery": ["T1105", "T1204.002"],
    "ransomware": ["T1486", "T1071.001"],
    "leaked_credentials": ["T1589.001"],
}
 
 
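def _technique_entry(technique_id: str) -> tuple[str, str] | None:
    """Return the ``(name, tactic)`` row of ``TECHNIQUES`` for *technique_id*.

    The exact ID is tried first; if it is absent the parent technique
    (the text before the first ``.``) is tried, so an unlisted
    sub-technique such as ``"T1059.003"`` still resolves to ``"T1059"``.
    The ID is stripped and upper-cased before lookup so ``" t1059 "``
    resolves as well.  Returns ``None`` when neither form is listed.
    """
    normalized = technique_id.strip().upper()
    entry = TECHNIQUES.get(normalized)
    if entry is None:
        parent, _, _ = normalized.partition(".")
        entry = TECHNIQUES.get(parent)
    return entry


def name_for(technique_id: str) -> str:
    """Return the display name for an ATT&CK *technique_id*.

    Falls back to the parent technique's name for an unlisted
    sub-technique.  When neither the ID nor its parent is in
    ``TECHNIQUES`` the original *technique_id* string is returned
    unchanged, so the raw ID is still visible in output.
    """
    entry = _technique_entry(technique_id)
    return technique_id if entry is None else entry[0]


def tactic_for(technique_id: str) -> str:
    """Return the tactic slug (e.g. ``"execution"``) for *technique_id*.

    Uses the same exact-then-parent lookup as ``name_for``; returns
    ``"unknown"`` when the ID cannot be resolved.
    """
    entry = _technique_entry(technique_id)
    return "unknown" if entry is None else entry[1]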
 
 
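# Characters dropped from a reported family name before it is matched.
_FAMILY_SEPARATORS = str.maketrans("", "", " -_")


def techniques_for_malware(malware: str | None) -> list[str]:
    """Return the ATT&CK technique IDs associated with a malware family.

    *malware* is a free-form family name as reported by a feed.  It is
    lower-cased and stripped of spaces, hyphens and underscores before
    matching, so ``"Agent Tesla"``, ``"agent_tesla"`` and ``"AgentTesla"``
    all resolve to the ``agenttesla`` row.  ``None`` or an empty name
    yields ``[]``.

    Matching is deliberately loose: a table key only has to occur
    somewhere inside the normalized name (``"qakbot-loader"`` still maps
    to ``qakbot``).  An exact key match is preferred; among substring
    matches the longest key wins, so a more specific key such as
    ``redlinestealer`` is chosen over ``redline`` regardless of the
    table's insertion order.  A fresh list is returned on every call so
    callers can mutate it without touching ``MALWARE_TECHNIQUES``.
    """
    if not malware:
        return []
    key = malware.lower().translate(_FAMILY_SEPARATORS)

    exact = MALWARE_TECHNIQUES.get(key)
    if exact is not None:
        return list(exact)

    candidates = [name for name in MALWARE_TECHNIQUES if name in key]
    if not candidates:
        return []
    # max() keeps the first of equally long keys, preserving table order
    # as the tie-breaker.
    best = max(candidates, key=len)
    return list(MALWARE_TECHNIQUES[best])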
 
 
def techniques_for_threat_type(threat_type: str | None) -> list[str]:
    """Return the ATT&CK technique IDs mapped to a feed threat-type label.

    The label is lower-cased and must equal a ``THREAT_TYPE_TECHNIQUES``
    key exactly; there is no substring matching here, unlike
    ``techniques_for_malware``.  An unknown, empty or ``None`` label
    yields ``[]``.  A new list is returned each call so the table's own
    lists are never handed out to callers.
    """
    if not threat_type:
        return []
    try:
        mapped = THREAT_TYPE_TECHNIQUES[threat_type.lower()]
    except KeyError:
        return []
    return list(mapped)