Skip to main content

Pyattck Data

Project description

pyattck-data

PyPI Status Python Version License Tests Codecov pre-commit Black

Features

Includes data models for the following projects:

This repository contains generated contextual data utilized by pyattck.

Generated Data Access

Generated data can be retrieved from the following URLs:

Generated ATT&CK Datasets

This page outlines and provides detailed information regarding the data generated and used with the pyattck python package.

Data Categories

At this time, a shareable JSON file is generated on the 1st and 15th of the month and stored in a S3 bucket. This data is used and retrieved by pyattck.

This generated json file has the following main keys:

  • timestamp
  • techniques
    • technique_id
    • commands
    • parsed_datasets
    • command_list
    • attack_paths
    • queries
    • possible_detections
  • actors
    • israel
    • iran
    • middle_east
    • north_korea
    • china
    • unknown
    • other
    • nato
    • russia
    • Each actor will have the following data structure
      • actor_names
      • target
      • operations
      • description
      • tools
      • links
      • attck_id
      • comment
  • tools
    • names
    • links
    • family
    • comments
  • c2_data
    • name_of_c2
      • HTTP
      • Implementation
      • Custom Profile
      • DomainFront
      • Multi-User
      • SMB
      • Kill Date
      • macOS
      • GitHub
      • Key Exchange
      • Chaining
      • Price
      • TCP
      • Proxy Aware
      • HTTP3
      • HTTP2
      • Date
      • Evaluator
      • Working Hours
      • Slack
      • FTP
      • Version Reviewed
      • Logging
      • Name
      • License
      • Windows
      • Stego
      • Notes
      • Server
      • Actively Maint.
      • Dashboard
      • DNS
      • Popular Site
      • ICMP
      • IMAP
      • DoH
      • Jitter
      • How-To
      • ATT&CK Mapping
      • Kali
      • Twitter
      • MAPI
      • Site
      • Agent
      • API
      • UI
      • Linux

Generated Attck Data Structure

The generated_attck_data.json has the following base structure. This is purely an example and contains modified/fake data.

{
    "last_updated": "2019-12-06T15:21:02.175108", 
    "techniques": [
        {
            "technique_id": "T1082", 
            "commands": [
                {
                    "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", 
                    "command": "whoami /all /fo list", 
                    "name": "Built-in Windows Command"
                },
                {
                    "source": "atomics/T1033/T1033.yaml", 
                    "command": "cmd.exe /C whoami\nwmic useraccount get /ALL\nquser /SERVER:\"computer1\"\nquser\nqwinsta.exe\" /server:computer1\nqwinsta.exe\nfor /F \"tokens=1,2\" %i in ('qwinsta /server:computer1 ^| findstr \"Active Disc\"') do @echo %i | find /v \"#\" | find /v \"console\" || echo %j > usernames.txt\n@FOR /F %n in (computers.txt) DO @FOR /F \"tokens=1,2\" %i in ('qwinsta /server:%n ^| findstr \"Active Disc\"') do @echo %i | find /v \"#\" | find /v \"console\" || echo %j > usernames.txt\n", 
                    "name": null
                }
            ],
            "command_list": [
                    "ver", 
                    "shell ver", 
                    "set", 
                    "shell set", 
                    "get_env.rb", 
                    "net config workstation",
                    "net config server", 
                    "shell net config workstation",
                    "reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum"
            ], 
            "parsed_datasets": [
                {
                    "Mitre APT3 Adversary Emulation Field Manual": {"Category": "T1033", "Built-in Windows Command": "whoami /all /fo list", "Cobalt Strike": "shell whoami /all /fo list", "Description": "Get current user information, SID, domain, groups the user belongs to, security privs of the user", "Metasploit": "getuid"}
                },
                {
                    "Atomic Red Team Test - System Owner/User Discovery": {"display_name": "System Owner/User Discovery", "atomic_tests": [{"executor": {"elevation_required": false, "command": "cmd.exe /C whoami\nwmic useraccount get /ALL\nquser /SERVER:\"#{computer_name}\"\nquser\nqwinsta.exe\" /server:#{computer_name}\nqwinsta.exe\nfor /F \"tokens=1,2\" %i in ('qwinsta /server:#{computer_name} ^| findstr \"Active Disc\"') do @echo %i | find /v \"#\" | find /v \"console\" || echo %j > usernames.txt\n@FOR /F %n in (computers.txt) DO @FOR /F \"tokens=1,2\" %i in ('qwinsta /server:%n ^| findstr \"Active Disc\"') do @echo %i | find /v \"#\" | find /v \"console\" || echo %j > usernames.txt\n", "name": "command_prompt"}, "supported_platforms": ["windows"], "description": "Identify System owner or users on an endpoint\n", "input_arguments": {"computer_name": {"default": "computer1", "type": "string", "description": "Name of remote computer"}}, "name": "System Owner/User Discovery"}, {"executor": {"elevation_required": false, "command": "users\nw\nwho\n", "name": "sh"}, "supported_platforms": ["linux", "macos"], "description": "Identify System owner or users on an endpoint\n", "name": "System Owner/User Discovery"}], "attack_technique": "T1033"}
                }
            ],
            "queries": [
                {
                    "query": "Sysmon| where EventID == 1 and (process_path contains\"sysinfo.exe\"or process_path contains \"reg.exe\")and process_commandline contains \"reg*query HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Disk\\\\Enum\"", 
                    "product": "Azure Sentinel", 
                    "name": "System Information Discovery"
                },
                {
                    "query": "title: Reconnaissance Activity with Net Command\nid: 2887e914-ce96-435f-8105-593937e90757\nstatus: experimental\ndescription: Detects a set of commands often used in recon stages by different attack groups\nreferences:\n    - https://twitter.com/haroonmeer/status/939099379834658817\n    - https://twitter.com/c_APT_ure/status/939475433711722497\n    - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html\nauthor: Florian Roth, Markus Neis\ndate: 2018/08/22\nmodified: 2018/12/11\ntags:\n    - attack.discovery\n    - attack.t1087\n    - attack.t1082\n    - car.2016-03-001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine:\n            - tasklist\n            - net time\n            - systeminfo\n            - whoami\n            - nbtstat\n            - net start\n            - '*\\net1 start'\n            - qprocess\n            - nslookup\n            - hostname.exe\n            - '*\\net1 user /domain'\n            - '*\\net1 group /domain'\n            - '*\\net1 group \"domain admins\" /domain'\n            - '*\\net1 group \"Exchange Trusted Subsystem\" /domain'\n            - '*\\net1 accounts /domain'\n            - '*\\net1 user net localgroup administrators'\n            - netstat -an\n    timeframe: 15s\n    condition: selection | count() by CommandLine > 4\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment\nlevel: medium", "product": "Atomic Threat Coverage", 
                    "name": "Sigma rule"
                },
                {
                    "query": "(CommandLine=\"tasklist\" OR CommandLine=\"net time\" OR CommandLine=\"systeminfo\" OR CommandLine=\"whoami\" OR CommandLine=\"nbtstat\" OR CommandLine=\"net start\" OR CommandLine=\"*\\\\\\\\net1 start\" OR CommandLine=\"qprocess\" OR CommandLine=\"nslookup\" OR CommandLine=\"hostname.exe\" OR CommandLine=\"*\\\\\\\\net1 user /domain\" OR CommandLine=\"*\\\\\\\\net1 group /domain\" OR CommandLine=\"*\\\\\\\\net1 group \\\\\"domain admins\\\\\" /domain\" OR CommandLine=\"*\\\\\\\\net1 group \\\\\"Exchange Trusted Subsystem\\\\\" /domain\" OR CommandLine=\"*\\\\\\\\net1 accounts /domain\" OR CommandLine=\"*\\\\\\\\net1 user net localgroup administrators\" OR CommandLine=\"netstat -an\") | eventstats count as val by CommandLine| search val > 4", 
                    "product": "Atomic Threat Coverage", 
                    "name": "splunk"
                }
            ],
}

Sources

First of all, I would like to thank everyone who contributes to open-source projects, especially the maintainers and creators of these projects. Without them, this capability would not be possible.

This data set is generated from many different sources. As we continue to add more sources, we will continue to add them here. Again thank you to all of these projects. In no particular order, pyattck utilizes data from the following projects:

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pyattck-data-2.4.1.tar.gz (19.0 kB view details)

Uploaded Source

Built Distribution

pyattck_data-2.4.1-py3-none-any.whl (22.6 kB view details)

Uploaded Python 3

File details

Details for the file pyattck-data-2.4.1.tar.gz.

File metadata

  • Download URL: pyattck-data-2.4.1.tar.gz
  • Upload date:
  • Size: 19.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.1.13 CPython/3.10.5 Linux/5.13.0-1029-azure

File hashes

Hashes for pyattck-data-2.4.1.tar.gz
Algorithm Hash digest
SHA256 3a32f3b3a10b76c3aac6f177ea485a39ae60293531c345706cd73d2395b942bf
MD5 1b989239260eab8eeb66c40ac1955674
BLAKE2b-256 1f5d50aebc144081cdcceae9d1bf45ee4741cda0b772fc5b8eb0f91adeafa3de

See more details on using hashes here.

File details

Details for the file pyattck_data-2.4.1-py3-none-any.whl.

File metadata

  • Download URL: pyattck_data-2.4.1-py3-none-any.whl
  • Upload date:
  • Size: 22.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.1.13 CPython/3.10.5 Linux/5.13.0-1029-azure

File hashes

Hashes for pyattck_data-2.4.1-py3-none-any.whl
Algorithm Hash digest
SHA256 38e6a71908caa6d9506b4bfba8e28ad5505d8b5e35a9ab79ba3d4ed3aa1cadb7
MD5 f83eefa1d0437ad2474a1854975b3875
BLAKE2b-256 53d78ebafd2059b6b60885265610d147af6ed974406cd0a12fd9394f5985c9a1

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page