Research Automation with ATT&CK & Python

Chris Hall
Cloud Security Researcher, Lacework Labs

MITRE did the community a huge favor with the development of ATT&CK – an open source knowledge base for attack techniques. Threat intelligence can often be a nebulous undertaking but thanks to ATT&CK, the lives of analysts have been made a little bit easier.

This blog describes how to quickly research threats using Python and the ATT&CK knowledge base. Everyone’s requirements will vary, however we’ll list some general queries that may be useful despite your use case. We’ll also include a general cloud related query and platform-specific ones. These instructions are for Python 2.7 & Windows however only minor adjustments would be necessary for Mac and Linux.

To begin we can use a SQLite database that is maintained by Nader Shalab in the ATTACK-Tools repository: https://github.com/nshalabi/ATTACK-Tools (Thanks Nader!). To query the database with Python, first download the .sqlite file (attack_view_db.sqlite) from the repo. You can test the connection as follows:

import sqlite3

db_file = "attack_view_db.sqlite". # path to the local db file
conn = None

try:
    conn = sqlite3.connect(db_file)
    cur = conn.cursor()
    query = "select count(*) from aliases"
    cur.execute(query)

    data = cur.fetchall()
    print 'succesful db connection!'

except Exception, e:
    print 'cannot connect to db..'
    print(e)

Note – Python may give a “file is encrypted or is not a database” error. To fix this replace the sqlite3.dll in the Python\DLLs directory with sqlite DLL (sqlite3.dll)1 in the following archive:

https://www.sqlite.org/2019/sqlite-dll-win32-x86-3300100.zip

From here, the only difficult part is identifying the correct queries for what you need. ATT&CK is well documented however since we’re using SQL you may find it a little easier to use the DB Browser for SQLite (https://sqlitebrowser.org/). The browser will allow for easy navigation of the database and identification of the target tables and fields. You can also test out queries in the “Execute SQL” tab. 

 

 

You’ll notice there are numerous tables however the essential ones are:

aliases – contains all adversaries along with their unique IDs (which you’ll need for link analysis)

sdos_object – contains all objects and all object descriptions. Objects are any one of the following:

  • attack-pattern
  • course-of-action
  • identity
  • intrusion-set
  • malware
  • tool

relationships – contains all relationships. For example, a threat actor (intrusion-set object) may use a specific RAT (malware object). All these links are defined in the relationships table. 

With only these three tables we can identify actors and then map them to their respective tools and techniques. Conversely, we could map a specific attack pattern or tactic to all the adversaries known to use it. 

Here is some code to get you started:

import sqlite3

db_file = "attack_view_db.sqlite"# path to the local db file 
conn = None

try:
    conn = sqlite3.connect(db_file)
except Error as e:
    print(e)

cur = conn.cursor()
query = "SELECT distinct type FROM sdos_object"
cur.execute(query)
rows = cur.fetchall()

for row in rows:
    print row
    """
    process results- write to csv, db etc
    """

 

The following are a few queries you may find useful. To execute these simply replace the query parameter in the above code. 

 

Example Query

Description

SELECT name, description
FROM sdos_object
WHERE type IS "intrusion-set";

Returns list of all threat actors with a description

SELECT *
FROM sdos_object
WHERE id LIKE 'intrusion-set%' AND description LIKE '%energy%'

Returns threat actors with the keyword ‘energy’ in the description (For example if you wanted to find actors targeting the energy sector)

SELECT name, description
FROM sdos_object
WHERE type IS "malware" and description like '%linux%';
Returns all Linux malware in ATT&CK dataset
SELECT name, description
FROM sdos_object
WHERE (type IS "malware" OR type IS "tool") -- Query for tools or malwareAND id IN (SELECT target_ref -- filter tools/malware associated with FIN7
FROM relationship

WHERE relationship_type IS "uses" -- Source "uses" Target
AND source_ref IS -- Source IS FIN7 identifier"intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc");

Returns a list of all malware used by threat actor group “FIN7”. To search other threat actors, then reference the intrusion set ID for the specific actor in the aliases table

 

 

If you’re researching threats to the cloud like Lacework Labs then you can take advantage of ATT&CK ‘s
Cloud Matrix (https://attack.mitre.org/matrices/enterprise/cloud/). For this, the following queries may be useful:

 

Example Query

Description

SELECT name,description,type
FROM sdos_object
WHERE name LIKE '%cloud%' OR description LIKE '%cloud%'

Returns list of all objects with keywords “cloud” in either the description or object name. 

SELECT name,description,type
FROM sdos_object
WHERE description LIKE '%AWS%' AND type LIKE 'attack-pattern'

Returns lists of all attack patterns affecting AWS. Other keywords/platforms you can query include:

  • GCP
  • Azure
  • Azure AD
  • Office 365
  • SaaS

 

 

There are of course many other possible ways to leverage this data, but we hope this was a good primer for those looking for a place to start. ATT&CK is fast becoming the standard taxonomy so learning how to leverage the dataset can go a long way in augmenting your threat intelligence capability.  If you found this blog useful, then please share on your social media! Until next time!

 

 

 

Categories