Comments (2)
Awesome. Just what I was hoping to hear...
Will go with some regex for now to extract detection as a property.
(Would be cool to have it as an x_mitre in the future)
Thanks.
👍
Hey @SadProcessor - these are both really great points/questions.
Regarding how often the JSON data will be generated/updated, the TAXII server is actually syncing on this repo, so this repo will always be up to date with the ATT&CK content updates.
About the detection info - right now it's part of the description of the corresponding attack pattern. For example, here's the description for .bash_profile and .bashrc with the detection in bold:
"description": "~/.bash_profile and ~/.bashrc are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. ~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), ~/.bash_profile is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, ~/.bashrc is executed. This allows users more fine grained control over when they want certain commands executed.\n\nMac's Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling ~/.bash_profile each time instead of ~/.bashrc.\n\nThese files are meant to be written to by the local user to configure their own environment; however, adversaries can also insert code into these files to gain persistence each time a user logs in or opens a new shell (Citation: amnesia malware).\n\n**Detection: While users may customize their ~/.bashrc and ~/.bash_profile files, there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.**\n\nPlatforms: Linux, macOS\n\nData Sources: File monitoring, Process Monitoring, Process command-line parameters, Process use of network\n\nPermissions Required: User, Administrator"
We're discussing whether or not we want to put this into a custom x_mitre_detection property in the attack pattern, so having you bring it up here has been helpful. We will keep you posted on whether or not the current model of having it solely in the description changes. Please let us know if you have any other questions, concerns, or suggestions!
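An added example (not code from the mitre/cti project or from either commenter) of the regex approach mentioned in the thread: it splits the trailing labelled sections (Detection, Platforms, Data Sources, Permissions Required) out of an attack-pattern description, and prefers a dedicated `x_mitre_detection` property when one exists so the same code keeps working if the data model changes. The sample attack-pattern object is constructed here from the description quoted above; its `id` is a placeholder, not a real ATT&CK identifier.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the attack-pattern object quoted in the thread.
# The id is a placeholder and is NOT a real ATT&CK object id.
SAMPLE_ATTACK_PATTERN = {
    "type": "attack-pattern",
    "id": "attack-pattern--00000000-0000-4000-8000-000000000000",
    "name": ".bash_profile and .bashrc",
    "description": (
        "~/.bash_profile and ~/.bashrc are executed in a user's context when a new shell "
        "opens or when a user logs in so that their environment is set correctly.\n\n"
        "These files are meant to be written to by the local user to configure their own "
        "environment; however, adversaries can also insert code into these files to gain "
        "persistence each time a user logs in or opens a new shell (Citation: amnesia malware)."
        "\n\nDetection: While users may customize their ~/.bashrc and ~/.bash_profile files, "
        "there are only certain types of commands that typically appear in these files. "
        "Monitor for abnormal commands such as execution of unknown programs, opening network "
        "sockets, or reaching out across the network when user profiles are loaded during the "
        "login process.\n\nPlatforms: Linux, macOS\n\nData Sources: File monitoring, "
        "Process Monitoring, Process command-line parameters, Process use of network\n\n"
        "Permissions Required: User, Administrator"
    ),
}

# Labelled sections that were embedded at the end of descriptions at the time of the thread.
# Each section starts on its own paragraph (blank line before it), which keeps inline
# "(Citation: ...)" markers from being mistaken for a section header.
SECTION_RE = re.compile(r"\n\n(Detection|Platforms|Data Sources|Permissions Required): ")


def split_description(description: str) -> Dict[str, str]:
    """Split a description into its free-text part and the trailing labelled sections."""
    parts = SECTION_RE.split(description)
    # re.split with a capturing group yields [prose, label1, value1, label2, value2, ...]
    result = {"text": parts[0].strip()}
    for label, value in zip(parts[1::2], parts[2::2]):
        result[label] = value.strip()
    return result


def extract_detection(attack_pattern: dict) -> Optional[str]:
    """Return the detection guidance for one attack-pattern object.

    A dedicated x_mitre_detection property (hypothetical at the time of the thread) wins;
    otherwise fall back to the "Detection:" section of the description, or None if absent.
    """
    custom = attack_pattern.get("x_mitre_detection")
    if custom:
        return custom.strip()
    return split_description(attack_pattern.get("description", "")).get("Detection")


def list_field(attack_pattern: dict, label: str) -> List[str]:
    """Return a comma-separated description section (e.g. Platforms) as a list of strings."""
    value = split_description(attack_pattern.get("description", "")).get(label, "")
    return [item.strip() for item in value.split(",") if item.strip()]


def detections_from_bundle(bundle: dict) -> Dict[str, str]:
    """Map technique name -> detection text for every non-revoked attack-pattern in a STIX bundle."""
    found = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern" or obj.get("revoked"):
            continue
        detection = extract_detection(obj)
        if detection:
            found[obj["name"]] = detection
    return found


if __name__ == "__main__":
    bundle = {"type": "bundle", "objects": [SAMPLE_ATTACK_PATTERN]}  # constructed
    for name, detection in detections_from_bundle(bundle).items():
        print(f"{name}\n  platforms: {list_field(SAMPLE_ATTACK_PATTERN, 'Platforms')}")
        print(f"  detection: {detection}")
```

Anchoring each label to a paragraph break is what makes the regex safe against the inline "(Citation: ...)" markers that also contain a colon; if the property ever moves to `x_mitre_detection`, only the first branch of `extract_detection` is exercised and the regex is never needed.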