Idea: Update all techniques by mitre/cti repository automatically

[socketz]

Use-cases

Many techniques had been replaced by new techniques in recent MITRE ATT&CK versions. Currently is v14.1 for Enterprise, Mobile and ICS, and PRE matrix is deprecated, and merged to Enterprise, that is bad mapped in current version of ART, e.g T1063 does not exists in v14.1 because is an older PRE technique, and now belongs to Enterprise as T1286.

Proposal

Automatic updates of TTP's by a mapping in yaml or json to test this techniques with old and new ID's when is called by Invoke-Atomic scripts. This mapping could be good integrated with STIX data to reports generated after atomic tests execution.

References

• https://github.com/mitre/cti
• https://attack.mitre.org/resources/working-with-attack/
• https://github.com/mitre-attack/mitreattack-python

Enterprise: https://github.com/mitre/cti/blob/master/enterprise-attack/enterprise-attack.json

Mobile: https://github.com/mitre/cti/blob/master/mobile-attack/mobile-attack.json

ICS: https://github.com/mitre/cti/blob/master/ics-attack/ics-attack.json

[github-actions[bot]]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[cyberbuff]

Hello @socketz Sorry for the delay. We don't have any atomics related to T1063 and I was wondering instead of adding adding old ATT&CK Technique ID to the yaml, would #167 work for you ? We are working on running atomics solely by GUID. This way even when the ATT&CK IDs change in the future, you can use the GUID to test them out.

[github-actions[bot]]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[github-actions[bot]]

This issue was closed because it has been stalled for 5 days with no activity.