
Tag Events with MITRE TTPs

Open kerrymilan opened this issue 4 months ago • 0 comments

Description

For each module, add an optional property denoting which MITRE ATT&CK TTP (technique or sub-technique id) is associated with the events the module generates. These should be hard-coded into the module's properties where appropriate, so that the tag is set once per module and carried on every event it emits.

Example:

```python
from bbot.modules.base import BaseModule


class badsecrets(BaseModule):
    watched_events = ["HTTP_RESPONSE"]
    produced_events = ["FINDING", "VULNERABILITY", "TECHNOLOGY"]
    flags = ["active", "safe", "web-basic"]
    meta = {
        "description": "Library for detecting known or weak secrets across many web frameworks",
        "created_date": "2022-11-19",
        "author": "@liquidsec",
        # proposed: ATT&CK technique id associated with this module's events
        "mitre_ttp": "T1078.001",
    }
```

Result:

```json
{
    "data": {
        "host": "evilcorp.com",
        "severity": "INFO",
        "description": "asdf",
        "mitre_ttp": "T1078.001"
    },
    "event_type": "VULNERABILITY",
    ...
}
```
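The following is an added example sketching how the proposal could be implemented; it is not bbot's code and not the issue author's. It assumes a hypothetical `BaseModule` stand-in with a `make_event` helper: the module's `meta["mitre_ttp"]` is validated once at construction (so a typo in a module definition fails fast rather than tagging every event with a malformed id) and is copied into the `data` of every event the module produces, while modules without a TTP emit events with no `mitre_ttp` key at all.

```python
import re
from typing import Any, Dict, List, Optional

# Accepts ATT&CK technique ids (T1078) and sub-technique ids (T1078.001).
MITRE_TTP_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def validate_mitre_ttp(ttp: Optional[str]) -> Optional[str]:
    """Return the id unchanged if it is a well-formed ATT&CK technique id, else raise."""
    if ttp is None:
        return None
    if not isinstance(ttp, str) or not MITRE_TTP_RE.match(ttp):
        raise ValueError(f"malformed MITRE ATT&CK technique id: {ttp!r}")
    return ttp


class BaseModule:
    """Hypothetical stand-in for a scanner module base class (not bbot's)."""

    watched_events: List[str] = []
    produced_events: List[str] = []
    flags: List[str] = []
    meta: Dict[str, Any] = {}

    def __init__(self) -> None:
        # Validate the hard-coded property once, when the module is loaded.
        validate_mitre_ttp(self.meta.get("mitre_ttp"))

    def make_event(self, event_type: str, data: Dict[str, Any]) -> Dict[str, Any]:
        """Build an event dict, copying the module's TTP into the event data."""
        if event_type not in self.produced_events:
            raise ValueError(f"{type(self).__name__} does not produce {event_type}")
        payload = dict(data)  # never mutate the caller's dict
        ttp = self.meta.get("mitre_ttp")
        if ttp is not None:
            payload["mitre_ttp"] = ttp
        return {"data": payload, "event_type": event_type, "module": type(self).__name__}


class badsecrets(BaseModule):
    # Module definition taken from the issue text above.
    watched_events = ["HTTP_RESPONSE"]
    produced_events = ["FINDING", "VULNERABILITY", "TECHNOLOGY"]
    flags = ["active", "safe", "web-basic"]
    meta = {
        "description": "Library for detecting known or weak secrets across many web frameworks",
        "created_date": "2022-11-19",
        "author": "@liquidsec",
        "mitre_ttp": "T1078.001",
    }


class untagged_module(BaseModule):
    """Constructed module with no TTP: its events must not carry a mitre_ttp key."""

    produced_events = ["FINDING"]
    meta = {"description": "constructed example without a TTP"}


def emit_vulnerability() -> Dict[str, Any]:
    """Produce the VULNERABILITY event shown in the issue's 'Result' block."""
    mod = badsecrets()
    return mod.make_event(
        "VULNERABILITY",
        {"host": "evilcorp.com", "severity": "INFO", "description": "asdf"},
    )


def emit_untagged() -> Dict[str, Any]:
    """Produce an event from a module that declares no TTP."""
    return untagged_module().make_event("FINDING", {"host": "evilcorp.com"})


def is_valid_ttp(ttp: Any) -> bool:
    """True if the id passes the same check applied to module definitions."""
    try:
        validate_mitre_ttp(ttp)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    import json

    print(json.dumps(emit_vulnerability(), indent=4))
```

Validating the id at module load time keeps a bad tag from reaching downstream consumers (SIEM mappings, ATT&CK Navigator layers) that key on the exact technique id; per-event consumers can then rely on `data["mitre_ttp"]` being either absent or well-formed.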

kerrymilan avatar Oct 18 '24 13:10 kerrymilan