
Idea: Improving the ATT&CK Layer to make it a one stop shop

Open · Scoubi opened this issue 4 years ago · 1 comment

Use-cases

1- When looking at the colored Techniques in the ATT&CK layer, they are all scored 100%. Some of the tests are "Manual only", such as T1176. I think they should be another color, or have a lower score, so we know that we won't be able to use a script to test these.

2- When looking at the layer you don't know what the test is doing. I had to go back and forth between the Layer and the .yaml file in the repo to understand what each test was doing. It would be great if the test (usually a one-liner) from the .yaml were in the "Comment" of each Technique.

Proposal

1- Either use another color than bright red for manual-only tests, or reduce the scoring from 100 to 50 and make the color adjust automatically. This way, if someone comes up with an automated test later, you can just put the score back to 100 and have it bright red again.

2- Pull the attack command from the yaml (like you do for the .md file) and add that to the comment of the technique. For example: wmic process get caption,executablepath,commandline /format:csv

References

Scoubi avatar Jul 17 '20 19:07 Scoubi

I like this idea.

I spec'd out the following for the maintainers to work out:

  • Update to v4 of ATT&CK Navigator
  • Add link to yaml or add one liner to comment field
  • Scores:
    • For techniques with sub-techniques, we may want to associate a "high level" score (so it has a color) to show that the technique has sub-techniques completed.
  • Set manual tests as another color

Modifications look to need to be done here - https://github.com/redcanaryco/atomic-red-team/blob/master/bin/generate-atomic-docs.rb#L211

A good example of colors/scoring/comments being used - https://mitremap.splunkresearch.com/

MHaggis avatar Nov 30 '20 18:11 MHaggis
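A sketch of the scoring and comment logic that both the original proposal and the spec above describe, added here as an example and not taken from the project's generate-atomic-docs.rb: it reads constructed atomic-style YAML and emits a v4-style Navigator layer in which a technique whose tests are all manual scores 50 instead of 100, and each technique's comment carries its test command. The YAML samples, test names, the 50/100 split and the gradient colors are assumptions chosen for illustration.

```ruby
require 'yaml'
require 'json'

# Constructed sample in the shape of atomic-red-team YAML (attack_technique,
# atomic_tests, executor); names and commands are illustrative, not from the repo.
SAMPLE_ATOMICS = [
  <<~YAML,
    attack_technique: T1047
    atomic_tests:
      - name: WMI Reconnaissance Processes
        executor:
          name: command_prompt
          command: wmic process get caption,executablepath,commandline /format:csv
  YAML
  <<~YAML,
    attack_technique: T1176
    atomic_tests:
      - name: Chrome (Developer Mode)
        executor:
          name: manual
          steps: |
            1. Navigate to chrome://extensions and tick Developer Mode.
  YAML
]

# One Navigator entry per technique: score 100 if any test is scriptable,
# 50 if every test is manual (so the gradient colors it differently), and a
# comment carrying each test's command so the layer reads without the YAML.
def technique_entry(doc)
  tests = doc.fetch('atomic_tests', [])
  scripted = tests.reject { |t| t.dig('executor', 'name') == 'manual' }
  comment = tests.map do |t|
    ex = t['executor'] || {}
    body = ex['name'] == 'manual' ? 'Manual only' : ex['command'].to_s.strip
    "#{t['name']}: #{body}"
  end.join("\n")
  { 'techniqueID' => doc['attack_technique'], 'score' => scripted.empty? ? 50 : 100, 'comment' => comment }
end

# Assemble a v4-style Navigator layer; the gradient maps score to color, so
# restoring a technique to 100 later turns it bright red again automatically.
def build_layer(yaml_docs)
  { 'name' => 'Atomic Red Team (constructed example)', 'domain' => 'enterprise-attack',
    'versions' => { 'layer' => '4.4' },
    'gradient' => { 'colors' => ['#ffe766', '#ff6666'], 'minValue' => 0, 'maxValue' => 100 },
    'techniques' => yaml_docs.map { |y| technique_entry(YAML.safe_load(y)) } }
end

puts JSON.pretty_generate(build_layer(SAMPLE_ATOMICS)) if $PROGRAM_NAME == __FILE__
```

Running the file prints the layer JSON; pointing the same functions at the repository's real atomics directory would be the step the maintainers need to add to the generator.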

Is this still worth pursuing since it is several years old now?

MSAdministrator avatar Feb 02 '23 17:02 MSAdministrator

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Mar 05 '23 02:03 github-actions[bot]

This issue was closed because it has been stalled for 5 days with no activity.

github-actions[bot] avatar Mar 16 '23 01:03 github-actions[bot]