Mitre ATT&CK
Integration version: 15.0
Configure the MITRE ATT&CK integration in Google Security Operations
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter display name | Type | Default value | Mandatory | Description |
---|---|---|---|---|
Instance Name | String | N/A | No | Name of the instance you intend to configure the integration for. |
Description | String | N/A | No | Description of the instance. |
API Root | String | https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json | Yes | Address of the MITRE ATT&CK data source. By default this is the enterprise-attack STIX bundle published in the mitre/cti GitHub repository. |
Verify SSL | Checkbox | Checked | No | Select this checkbox to validate the TLS certificate of the API Root when connecting. Leave it selected for the public GitHub URL; with verification disabled, anyone on the network path could serve the integration a tampered ATT&CK dataset. |
Run Remotely | Checkbox | Unchecked | No | Select this field to run the configured integration remotely. Once selected, the option appears to select the remote user (agent). |
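The API Root and Verify SSL parameters above decide where the ATT&CK dataset comes from and whether its TLS certificate is checked. The following is an added example (not the integration's own code) of what those two settings amount to: a download with standard certificate and hostname verification, an opt-out that mirrors unticking Verify SSL, and a sanity check that the payload really is a STIX bundle before anything downstream trusts it. The function names and the constructed sample bundle are assumptions of this example; the default URL is the one from the table.

```python
"""Fetch and sanity-check the STIX bundle behind the integration's API Root.

Added example, not the integration's own code. Assumptions: the API Root is a
plain HTTPS URL returning a STIX 2.0 bundle as JSON (true for the default
value on this page) and "Verify SSL" maps to normal certificate verification.
"""
import json
import ssl
import urllib.request

DEFAULT_API_ROOT = ("https://raw.githubusercontent.com/mitre/cti/master/"
                    "enterprise-attack/enterprise-attack.json")


def tls_context(verify_ssl: bool) -> ssl.SSLContext:
    """Build the TLS context the download uses; verify_ssl=False == unticked box."""
    ctx = ssl.create_default_context()  # chain + hostname verification on
    if not verify_ssl:
        # Order matters: hostname checking must be off before CERT_NONE is set.
        # With this, an on-path attacker can substitute the whole dataset.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_bundle(api_root: str = DEFAULT_API_ROOT, verify_ssl: bool = True,
                 timeout: int = 60) -> str:
    """Download the bundle text (network call; not exercised by the tests)."""
    req = urllib.request.Request(api_root, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout,
                                context=tls_context(verify_ssl)) as resp:
        return resp.read().decode("utf-8")


def summarize_bundle(text: str) -> dict:
    """Reject anything that is not a STIX bundle and count objects per type."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("API Root did not return a STIX bundle")
    counts: dict = {}
    for obj in bundle["objects"]:
        kind = obj.get("type", "?")
        counts[kind] = counts.get(kind, 0) + 1
    return {"spec_version": bundle.get("spec_version"), "counts": counts}


# Constructed sample: a two-object bundle shaped like enterprise-attack.json.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "spec_version": "2.0",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638",
         "name": "Data Encrypted"},
        {"type": "course-of-action", "id": "course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b",
         "name": "Data Encrypted Mitigation"},
    ],
})

if __name__ == "__main__":
    # Offline check first, then the real download if a network is available.
    print(summarize_bundle(SAMPLE_BUNDLE))
    print(summarize_bundle(fetch_bundle())["counts"])
```

If you point API Root at an internal mirror with a private CA, the right fix is to trust that CA (for example through `ctx.load_verify_locations`) rather than to untick Verify SSL.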
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Get Associated Intrusions
Description
Retrieve information about intrusion sets associated with a MITRE ATT&CK technique.
Parameters
Parameter | Type | Default value | Mandatory | Description |
---|---|---|---|---|
Technique ID | String | N/A | Yes | Specify the identifier that will be used to find associated intrusions. |
Identifier Type | DDL | Attack ID Possible values: Attack Name, Attack ID, External Attack ID | Yes | Specify the identifier type to use. Possible values: Attack Name (for example, Access Token Manipulation), Attack ID (for example, attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790), External Attack ID (for example, T1050). |
Max Intrusions To Return | String | 20 | No | Specify how many intrusions to return. |
Run On
This action runs on all entities.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
The following example shows the JSON result output received when using the Get Associated Intrusions action:
[
{
"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description":"[APT32](https://attack.mitre.org/groups/G0050) is a threat group that has been active since at least 2014. The group ...",
"created":"2017-12-14T16:46:06.044Z",
"x_mitre_contributors":["Romain Dumont, ESET"],
"modified":"2019-07-17T13:11:37.402Z",
"name":"APT32",
"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
"x_mitre_version":"2.0",
"aliases":["APT32","SeaLotus","OceanLotus","APT-C-00"],
"type":"intrusion-set",
"id":"intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
"external_references":
[
{
"url":"https://attack.mitre.org/groups/G0050",
"source_name":"mitre-attack",
"external_id":"G0050"
},{
"source_name":"APT32",
"description":"(Citation: FireEye APT32 May 2017) (Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)"
}]},{
"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name":"BRONZE BUTLER",
"created":"2018-01-16T16:13:52.465Z",
"description":"[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with...",
"modified":"2019-03-22T19:57:36.804Z",
"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
"external_references": [
{
"url":"https://attack.mitre.org/groups/G0060",
"source_name":"mitre-attack",
"external_id":"G0060"
},{
"source_name":"BRONZE BUTLER",
"description":"(Citation: Trend Micro Daserf Nov 2017)"
}],
"x_mitre_version":"1.0",
"type":"intrusion-set",
"id":"intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"aliases":["BRONZE BUTLER","REDBALDKNIGHT","Tick"]
},{
"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name":"CopyKittens",
"created":"2018-01-16T16:13:52.465Z",
"description":"[CopyKittens](https://attack.mitre.org/groups/G0052) is a cyber espionage group that has been ...",
"modified":"2019-05-03T16:42:19.026Z",
"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
"external_references":
[{
"url":"https://attack.mitre.org/groups/G0052",
"source_name":"mitre-attack",
"external_id":"G0052"
},{
"source_name":"CopyKittens",
"description":"(Citation: ClearSky CopyKittens March 2017) (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)"
}],
"x_mitre_version":"1.1",
"type":"intrusion-set",
"id":"intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a",
"aliases":["CopyKittens"]
}
]
Get Mitigations
Description
Retrieve information about mitigations related to a MITRE ATT&CK technique.
Parameters
Parameter | Type | Default value | Mandatory | Description |
---|---|---|---|---|
Technique ID | String | N/A | Yes | Specify the identifier that will be used to find mitigations related to the attack technique. |
Identifier Type | DDL | Attack ID Possible values: Attack Name, Attack ID, External Attack ID | Yes | Specify the identifier type to use. Possible values: Attack Name (for example, Access Token Manipulation), Attack ID (for example, attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790), External Attack ID (for example, T1050). |
Max Mitigations To Return | String | 20 | No | Specify how many mitigations to return. |
Run On
This action runs on all entities.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
[
{
"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description":"Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"created":"2018-10-17T00:14:20.652Z",
"x_mitre_deprecated":true,
"modified":"2019-07-24T14:26:14.411Z",
"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
"external_references":
[{
"url":"https://attack.mitre.org/mitigations/T1022",
"source_name":"mitre-attack",
"external_id":"T1022"
},{
"url":"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"source_name":"Beechey 2010",
"description":"Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014."
},{
"url":"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"source_name":"Windows Commands JPCERT",
"description":"Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016."
},{
"url":"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"source_name":"NSA MS AppLocker",
"description":"NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016."
},{
"url":"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"source_name":"Corio 2008",
"description":"Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014."
},{
"url":"https://technet.microsoft.com/en-us/library/ee791851.aspx",
"source_name":"TechNet Applocker vs SRP",
"description":"Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016."
}],
"x_mitre_version":"1.0",
"type":"course-of-action",
"id":"course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b",
"name":"Data Encrypted Mitigation"
}
]
Get Technique Details
Description
Retrieve detailed information about MITRE ATT&CK techniques.
Parameters
Parameter | Type | Default value | Mandatory | Description |
---|---|---|---|---|
Technique Identifiers | String | N/A | Yes | Specify a comma-separated list of identifiers used to look up details about the techniques. Example: identifier_1, identifier_2 |
Identifier Type | DDL | Attack ID Possible values: Attack Name, Attack ID, External Attack ID | Yes | Specify the identifier type to use. Possible values: Attack Name (for example, Access Token Manipulation), Attack ID (for example, attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790), External Attack ID (for example, T1050). |
Create Insight | Checkbox | Unchecked | No | If enabled, the action creates a separate insight for every processed technique. |
Run On
This action runs on all entities.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
{
"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references":
[{
"url":"https://attack.mitre.org/techniques/T1022",
"external_id":"T1022",
"source_name":"mitre-attack"
},{
"url":"http://www.netsec.colostate.edu/~zhang/DetectingEncryptedBotnetTraffic.pdf",
"source_name":"Zhang 2013",
"description":"Zhang, H., Papadopoulos, C., & Massey, D. (2013, April). Detecting encrypted botnet traffic. Retrieved August 19, 2015."
},{
"url":"https://en.wikipedia.org/wiki/List_of_file_signatures",
"source_name":"Wikipedia File Header Signatures",
"description":"Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016."
}],
"created":"2017-05-31T21:30:30.26Z",
"x_mitre_platforms":["Linux","macOS","Windows"],
"type":"attack-pattern",
"description":"Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.\n\nOther exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)",
"kill_chain_phases":
[{
"phase_name":"exfiltration",
"kill_chain_name":"mitre-attack"
}],
"modified":"2018-10-17T00:14:20.652Z",
"id":"attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638",
"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
"x_mitre_network_requirements":false,
"x_mitre_version":"1.0",
"x_mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters","Binary file metadata"],
"x_mitre_detection":"Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known encryption utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. Often the encryption key is stated within command-line invocation of the software. \n\nA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. \n\nNetwork traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. (Citation: Zhang 2013) If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)",
"name":"Data Encrypted"
}
The JSON result is also shown in the following form, with each technique wrapped in an Entity / EntityResult pair:
[{
"Entity": "course-of-action--4f170666-7edb-4489-85c2-9affa28a72e0",
"EntityResult": {
"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references":[{
"url":"https://attack.mitre.org/techniques/T1022",
"external_id":"T1022",
"source_name":"mitre-attack"
},{
"url":"http://www.netsec.colostate.edu/~zhang/DetectingEncryptedBotnetTraffic.pdf",
"source_name":"Zhang 2013",
"description":"Zhang, H., Papadopoulos, C., & Massey, D. (2013, April). Detecting encrypted botnet traffic. Retrieved August 19, 2015."
},{
"url":"https://en.wikipedia.org/wiki/List_of_file_signatures",
"source_name":"Wikipedia File Header Signatures",
"description":"Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016."
}],
"created":"2017-05-31T21:30:30.26Z",
"x_mitre_platforms":["Linux","macOS","Windows"],
"type":"attack-pattern",
"description":"Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.\n\nOther exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)",
"kill_chain_phases":[{
"phase_name":"exfiltration",
"kill_chain_name":"mitre-attack"
}],
"modified":"2018-10-17T00:14:20.652Z",
"id":"attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638",
"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
"x_mitre_network_requirements":false,
"x_mitre_version":"1.0",
"x_mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters","Binary file metadata"],
"x_mitre_detection":"Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known encryption utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. Often the encryption key is stated within command-line invocation of the software. \n\nA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. \n\nNetwork traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. (Citation: Zhang 2013) If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)",
"name":"Data Encrypted"
}
}]
Case Wall
Result type | Value / Description | Type |
---|---|---|
Output message* | If at least one identifier was processed: print "Retrieved detailed information about the following techniques: {0}\n".format(new line separated list of processed techniques) If at least one identifier was not processed: print "Action wasn't able to retrieve detailed information about the following techniques: {0}\n".format(new line separated list of unprocessed techniques) If no identifiers were processed: print "Action wasn't able to find the provided techniques." | General |
Get Technique Mitigations
Description
Retrieve information about mitigations associated with MITRE ATT&CK techniques.
Parameters
Parameter | Type | Default value | Mandatory | Description |
---|---|---|---|---|
Technique ID | String | N/A | Yes | Specify the identifiers that will be used to find mitigations related to the attack techniques. Comma-separated values. |
Identifier Type | DDL | Attack ID Possible values: Attack Name, Attack ID, External Attack ID | Yes | Specify the identifier type to use. Possible values: Attack Name (for example, Access Token Manipulation), Attack ID (for example, attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790), External Attack ID (for example, T1050). |
Max Mitigations To Return | String | 20 | No | Specify how many mitigations to return. |
Run On
This action runs on all entities.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
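All four lookup actions on this page (Get Associated Intrusions, Get Mitigations, Get Technique Details and Get Technique Mitigations) resolve a technique by one of the three identifier types and then follow STIX relationship objects in the enterprise-attack bundle: `uses` relationships from intrusion sets and `mitigates` relationships from courses of action. The following is an added example of that logic, not the integration's own code. The miniature bundle is constructed here (the technique, two groups and the deprecated mitigation reuse ids and names from the JSON results above; the second mitigation and all relationship ids are placeholders), and the class, method names and the deprecation filter are assumptions of this example. The filter is worth noting because the sample mitigation in this page's JSON result carries `x_mitre_deprecated: true`: ATT&CK keeps revoked and deprecated objects in the bundle, so a lookup that does not skip them can hand analysts retired guidance.

```python
"""Technique lookups over a MITRE ATT&CK STIX 2.0 bundle (added example)."""
import json

# Constructed miniature bundle. Technique, group and first mitigation ids are
# copied from the JSON results on this page; COA_NEW and the relationship ids
# are placeholders invented for this example.
TECHNIQUE = "attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638"
APT32 = "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e"
BRONZE = "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90"
COA_OLD = "course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b"
COA_NEW = "course-of-action--00000000-0000-4000-8000-000000000001"


def _ref(ext_id):
    return [{"source_name": "mitre-attack", "external_id": ext_id}]


def _rel(n, rel_type, src, dst):
    return {"type": "relationship", "relationship_type": rel_type,
            "id": f"relationship--{n:08d}-0000-4000-8000-000000000000",
            "source_ref": src, "target_ref": dst}


BUNDLE_TEXT = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "spec_version": "2.0",
    "objects": [
        {"type": "attack-pattern", "id": TECHNIQUE, "name": "Data Encrypted",
         "external_references": _ref("T1022")},
        {"type": "intrusion-set", "id": APT32, "name": "APT32", "external_references": _ref("G0050")},
        {"type": "intrusion-set", "id": BRONZE, "name": "BRONZE BUTLER", "external_references": _ref("G0060")},
        {"type": "course-of-action", "id": COA_OLD, "name": "Data Encrypted Mitigation",
         "x_mitre_deprecated": True, "external_references": _ref("T1022")},
        {"type": "course-of-action", "id": COA_NEW, "name": "Example Mitigation",
         "external_references": _ref("M9999")},  # placeholder external id
        _rel(1, "uses", APT32, TECHNIQUE), _rel(2, "uses", BRONZE, TECHNIQUE),
        _rel(3, "mitigates", COA_OLD, TECHNIQUE), _rel(4, "mitigates", COA_NEW, TECHNIQUE),
    ],
})


class AttackIndex:
    """Bundle objects keyed by STIX id, plus the list of relationship objects."""

    def __init__(self, bundle_text):
        bundle = json.loads(bundle_text)
        if bundle.get("type") != "bundle":
            raise ValueError("not a STIX bundle")
        self.by_id = {o["id"]: o for o in bundle["objects"] if "id" in o}
        self.relationships = [o for o in bundle["objects"] if o.get("type") == "relationship"]

    @staticmethod
    def external_id(obj):
        """The mitre-attack external id (T1022, G0050, ...) of an object, if any."""
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "mitre-attack":
                return ref.get("external_id")
        return None

    @staticmethod
    def is_active(obj):
        """False for objects ATT&CK has revoked or marked deprecated."""
        return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)

    def find_technique(self, identifier, identifier_type):
        """Resolve one attack-pattern by Attack Name, Attack ID or External Attack ID."""
        ident = identifier.strip()
        for obj in self.by_id.values():
            if obj.get("type") != "attack-pattern":
                continue
            if identifier_type == "Attack ID" and obj["id"] == ident:
                return obj
            if identifier_type == "External Attack ID" and (self.external_id(obj) or "").upper() == ident.upper():
                return obj
            if identifier_type == "Attack Name" and obj.get("name", "").casefold() == ident.casefold():
                return obj
        return None

    def _related(self, technique, rel_type, src_type, limit, include_deprecated):
        """Objects of src_type that point at the technique via rel_type, in bundle order."""
        out = []
        for rel in self.relationships:
            if rel.get("relationship_type") != rel_type or rel.get("target_ref") != technique["id"]:
                continue
            src = self.by_id.get(rel.get("source_ref"))
            if src is None or src.get("type") != src_type:
                continue
            if not include_deprecated and not (self.is_active(src) and self.is_active(rel)):
                continue
            out.append(src)
            if len(out) >= limit:  # the actions' "Max ... To Return" parameter
                break
        return out

    def associated_intrusions(self, identifier, identifier_type, limit=20, include_deprecated=False):
        """Get Associated Intrusions: intrusion sets that 'use' the technique."""
        t = self.find_technique(identifier, identifier_type)
        return [] if t is None else self._related(t, "uses", "intrusion-set", limit, include_deprecated)

    def technique_mitigations(self, identifier, identifier_type, limit=20, include_deprecated=False):
        """Get Mitigations / Get Technique Mitigations: courses of action that 'mitigate' it."""
        t = self.find_technique(identifier, identifier_type)
        return [] if t is None else self._related(t, "mitigates", "course-of-action", limit, include_deprecated)

    def technique_details(self, identifiers, identifier_type):
        """Get Technique Details: split a comma-separated list into processed / unprocessed."""
        processed, unprocessed = [], []
        for ident in (i.strip() for i in identifiers.split(",") if i.strip()):
            t = self.find_technique(ident, identifier_type)
            if t is None:
                unprocessed.append(ident)
            else:
                processed.append(t)
        return {"processed": processed, "unprocessed": unprocessed}
```

With `include_deprecated=False` (the default here) the deprecated "Data Encrypted Mitigation" from the page's own sample is dropped and only the live course of action comes back; pass `include_deprecated=True` to reproduce the page's output, which still lists it. Against the real bundle, replace `BUNDLE_TEXT` with the downloaded enterprise-attack.json text.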
[{
"Entity": "course-of-action--4f170666-7edb-4489-85c2-9affa28a72e0",
"EntityResult": {
"mitigations": [{
"created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description":"Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"created":"2018-10-17T00:14:20.652Z",
"x_mitre_deprecated":true,
"modified":"2019-07-24T14:26:14.411Z",
"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
"external_references":[{
"url":"https://attack.mitre.org/mitigations/T1022",
"source_name":"mitre-attack",
"external_id":"T1022"
},{
"url":"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"source_name":"Beechey 2010",
"description":"Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014."
},{
"url":"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"source_name":"Windows Commands JPCERT",
"description":"Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016."
},{
"url":"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"source_name":"NSA MS AppLocker",
"description":"NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016."
},{
"url":"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
"source_name":"Corio 2008",
"description":"Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014."
},{
"url":"https://technet.microsoft.com/en-us/library/ee791851.aspx",
"source_name":"TechNet Applocker vs SRP",
"description":"Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016."
}],
"x_mitre_version":"1.0",
"type":"course-of-action",
"id":"course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b",
"name":"Data Encrypted Mitigation"
}]
}
}]
Case Wall
Result type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail or stop the playbook execution: If the response contains "ErrorCode" (is_success=false), or no data is returned (is_success=true): "Action wasn't able to find mitigations for the following techniques: <identifiers>" If successful: "Successfully retrieved mitigations for the following techniques: <identifiers>" The action should fail and stop the playbook execution: If a fatal error, an SDK error (for example, wrong credentials or no connection) or another error occurs: "Error executing action 'Get Technique Mitigations'. Reason: {0}''.format(error.Stacktrace) | General |
Ping
Description
Test connectivity.
Parameters
N/A
Run On
This action runs on all entities.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |