Mitre ATT&CK

Integration version: 15.0

Configure Mitre ATT&CK integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
Api Root String https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json Yes Address of the Mitre ATT&CK instance.
Verify SSL Checkbox Checked No Use this checkbox, if your Mitre ATT&CK connection requires an SSL verification.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Get Associated Intrusions

Description

Retrieves information about intrusions that are associated with MITRE attack technique.

Parameters

Parameter Type Default Value Is Mandatory Description
Technique ID String N/A Yes Specifies the identifier that will be used to find the associated intrusions.
Identifier Type DDL

Attack ID

Optional Values:

Attack Name,

Attack ID,

External Attack ID

Yes Specify what identifier type to use. Possible values: Attack Name (Example: Access Token Manipulation) Attack ID (Example: attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790) External Attack ID (Example: T1050)
Max Intrusions to Return String 20 No Specify how many intrusions to return.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
{
    "created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "description":"[APT32](https://attack.mitre.org/groups/G0050) is a threat group that has been active since at least 2014. The group ...",
    "created":"2017-12-14T16:46:06.044Z",
    "x_mitre_contributors":["Romain Dumont, ESET"],
    "modified":"2019-07-17T13:11:37.402Z",
    "name":"APT32",
    "object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
    "x_mitre_version":"2.0",
    "aliases":["APT32","SeaLotus","OceanLotus","APT-C-00"],
    "type":"intrusion-set",
    "id":"intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
    "external_references":
    [
        {
            "url":"https://attack.mitre.org/groups/G0050",
            "source_name":"mitre-attack",
            "external_id":"G0050"
        },{
            "source_name":"APT32",
            "description":"(Citation: FireEye APT32 May 2017) (Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)"
        }]},{
            "created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "name":"BRONZE BUTLER",
            "created":"2018-01-16T16:13:52.465Z",
            "description":"[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with...",
            "modified":"2019-03-22T19:57:36.804Z",
            "object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
            "external_references": [
                {
                    "url":"https://attack.mitre.org/groups/G0060",
                    "source_name":"mitre-attack",
                    "external_id":"G0060"
                },{
                    "source_name":"BRONZE BUTLER",
                    "description":"(Citation: Trend Micro Daserf Nov 2017)"
                }],
            "x_mitre_version":"1.0",
            "type":"intrusion-set",
            "id":"intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
            "aliases":["BRONZE BUTLER","REDBALDKNIGHT","Tick"]
        },{
            "created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "name":"CopyKittens",
            "created":"2018-01-16T16:13:52.465Z",
            "description":"[CopyKittens](https://attack.mitre.org/groups/G0052) is a cyber espionage group that has been ...",
            "modified":"2019-05-03T16:42:19.026Z",
            "object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
            "external_references":
          [{
              "url":"https://attack.mitre.org/groups/G0052",
              "source_name":"mitre-attack",
              "external_id":"G0052"
          },{
              "source_name":"CopyKittens",
              "description":"(Citation: ClearSky CopyKittens March 2017) (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)"
          },],
            "x_mitre_version":"1.1",
            "type":"intrusion-set",
            "id":"intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a",
            "aliases":["CopyKittens"]
        }
]

Get Mitigations

Description

Retrieves information about mitigations that are associated with MITRE attack technique.

Parameters

Parameter Type Default Value Is Mandatory Description
Technique ID String N/A Yes Specifies the identifier that will be used to find the mitigations related to attack technique.
Identifier Type DDL

Attack ID

Optional Values:

Attack Name,

Attack ID,

External Attack ID

Yes Specify what identifier type to use. Possible values: Attack Name (Example: Access Token Manipulation) Attack ID (Example: attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790) External Attack ID (Example: T1050)
Max Intrusions to Return String 20 No Specify how many intrusions to return.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
        "created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
        "description":"Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
        "created":"2018-10-17T00:14:20.652Z",
        "x_mitre_deprecated":true,
        "modified":"2019-07-24T14:26:14.411Z",
        "object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
        "external_references":
        [{
            "url":"https://attack.mitre.org/mitigations/T1022",
            "source_name":"mitre-attack",
            "external_id":"T1022"
        },{
            "url":"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
            "source_name":"Beechey 2010",
            "description":"Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014."
        },{
            "url":"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
            "source_name":"Windows Commands JPCERT",
            "description":"Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016."
        },{
            "url":"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
            "source_name":"NSA MS AppLocker",
            "description":"NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016."
        },{
            "url":"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
            "source_name":"Corio 2008",
            "description":"Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014."
        },{
            "url":"https://technet.microsoft.com/en-us/library/ee791851.aspx",
            "source_name":"TechNet Applocker vs SRP",
            "description":"Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016."
        }],
        "x_mitre_version":"1.0",
        "type":"course-of-action",
        "id":"course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b",
        "name":"Data Encrypted Mitigation"
    }
]

Get Technique Details

Description

Retrieves detailed information about MITRE attack technique.

Parameters

Parameter Type Default Value Is Mandatory Description
Technique Identifier String N/A Yes Specify the comma-separated list of identifiers that will be used to find the detailed information about techniques. Example: identifier_1,identifier_2
Identifier Type DDL

Attack ID

Optional Values:

Attack Name,

Attack ID,

External Attack ID

Yes Specify what identifier type to use. Possible values: Attack Name (Example: Access Token Manipulation) Attack ID (Example: attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790) External Attack ID (Example: T1050)
Create Insights Checkbox Unchecked No If enabled, action will create a separate insight for every processed technique.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "external_references":
    [{
        "url":"https://attack.mitre.org/techniques/T1022",
        "external_id":"T1022",
        "source_name":"mitre-attack"
    },{
        "url":"http://www.netsec.colostate.edu/~zhang/DetectingEncryptedBotnetTraffic.pdf",
        "source_name":"Zhang 2013",
        "description":"Zhang, H., Papadopoulos, C., & Massey, D. (2013, April). Detecting encrypted botnet traffic. Retrieved August 19, 2015."
    },{
        "url":"https://en.wikipedia.org/wiki/List_of_file_signatures",
        "source_name":"Wikipedia File Header Signatures",
        "description":"Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016."
    }],
    "created":"2017-05-31T21:30:30.26Z",
    "x_mitre_platforms":["Linux","macOS","Windows"],
    "type":"attack-pattern",
    "description":"Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.\\n\\nOther exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)",
    "kill_chain_phases":
    [{
        "phase_name":"exfiltration",
        "kill_chain_name":"mitre-attack"
    }],
    "modified":"2018-10-17T00:14:20.652Z",
    "id":"attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638",
    "object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
    "x_mitre_network_requirements":false,
    "x_mitre_version":"1.0",
    "x_mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters","Binary file metadata"],
    "x_mitre_detection":"Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known encryption utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. Often the encryption key is stated within command-line invocation of the software. \\n\\nA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. \\n\\nNetwork traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. (Citation: Zhang 2013) If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)",
    "name":"Data Encrypted"
}

Get Techniques Details

Description

Retrieve detailed information about MITRE attack techniques.

Parameters

Parameter Type Default Value Is Mandatory Description
Technique Identifier String N/A Yes Specify the comma-separated list of identifiers that will be used to find the detailed information about techniques. Example: identifier_1,identifier_2
Identifier Type DDL

Attack ID

Optional Values:

Attack Name,

Attack ID,

External Attack ID

Yes Specify what identifier type to use. Possible values: Attack Name (Example: Access Token Manipulation) Attack ID (Example: attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790) External Attack ID (Example: T1050)
Create Insights Checkbox Unchecked No If enabled, action will create a separate insight for every processed technique.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[{
    "Entity": "course-of-action--4f170666-7edb-4489-85c2-9affa28a72e0",
    "EntityResult": {
        "created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
        "external_references":[{
            "url":"https://attack.mitre.org/techniques/T1022",
            "external_id":"T1022",
            "source_name":"mitre-attack"
        },{
            "url":"http://www.netsec.colostate.edu/~zhang/DetectingEncryptedBotnetTraffic.pdf",
            "source_name":"Zhang 2013",
            "description":"Zhang, H., Papadopoulos, C., & Massey, D. (2013, April). Detecting encrypted botnet traffic. Retrieved August 19, 2015."
        },{
            "url":"https://en.wikipedia.org/wiki/List_of_file_signatures","source_name":"Wikipedia File Header Signatures",
            "description":"Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016."
        }],
        "created":"2017-05-31T21:30:30.26Z",
        "x_mitre_platforms":["Linux","macOS","Windows"],
        "type":"attack-pattern",
        "description":"Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.nnOther exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)",
        "kill_chain_phases":[{
            "phase_name":"exfiltration",
            "kill_chain_name":"mitre-attack"
        }],
        "modified":"2018-10-17T00:14:20.652Z",
        "id":"attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638",
        "object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
        "x_mitre_network_requirements":false,
        "x_mitre_version":"1.0",
        "x_mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters","Binary file metadata"],
        "x_mitre_detection":"Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known encryption utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. Often the encryption key is stated within command-line invocation of the software. nnA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. nnNetwork traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. (Citation: Zhang 2013) If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)",
        "name":"Data Encrypted"
    }
}]
Case Wall
Result Type Value / Description Type
Output message*

If at least one identifier was processed:

print "Retrieved detailed information about the following techniques: {0}\n".format(new line separated list of processed techniques)

If at least one identifier was not processed:

print "Action wasn't able to retrieve detailed information about the following techniques: {0}\n".format(new line separated list of unprocessed techniques)

If no identifier was processed

print "Action wasn't able to find the provided techniques."

General

Get Techniques Mitigations

Description

Retrieve information about mitigations that are associated with MITRE attack techniques.

Parameters

Parameter Type Default Value Is Mandatory Description
Technique ID String N/A Yes Specify the identifier that will be used to find the mitigations related to attack technique. Comma-separated values.
Attack ID DDL

Attack ID

Optional Values:

Attack Name,

Attack ID,

External Attack ID

Yes Specify what identifier type to use. Possible values: Attack Name (Example: Access Token Manipulation) Attack ID (Example: attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790) External Attack ID (Example: T1050)
Max Mitigations to Return String 20 No Specify how many mitigations to return.

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[{
    "Entity": "course-of-action--4f170666-7edb-4489-85c2-9affa28a72e0",
    "EntityResult": {
        "mitigations": [{
            "created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "description":"Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
            "created":"2018-10-17T00:14:20.652Z",
            "x_mitre_deprecated":true,
            "modified":"2019-07-24T14:26:14.411Z",
            "object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
            "external_references":[{"url":"https://attack.mitre.org/mitigations/T1022",
                                    "source_name":"mitre-attack",
                                    "external_id":"T1022"
                                   },{
                                      "url":"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
                                       "source_name":"Beechey 2010",
                                       "description":"Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014."
                                   },{
                                       "url":"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
                                       "source_name":"Windows Commands JPCERT",
                                       "description":"Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016."
                                   },{
                                       "url":"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
                                       "source_name":"NSA MS AppLocker",
                                       "description":"NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016."
                                   },{
                                       "url":"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
                                       "source_name":"Corio 2008",
                                       "description":"Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014."
                                   },{
                                       "url":"https://technet.microsoft.com/en-us/library/ee791851.aspx",
                                       "source_name":"TechNet Applocker vs SRP",
                                       "description":"Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016."
                                   }],
            "x_mitre_version":"1.0",
            "type":"course-of-action",
            "id":"course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b",
            "name":"Data Encrypted Mitigation"
        }]
    }
}]
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution: If "ErrorCode" in the response (is_success=false) or if no data returned (is_success=true) "Action wasn't able to find mitigations for the following techniques: <identifiers>

If successful: "Successfully retrieved mitigations for the following techniques: <identifiers>"

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection, other: "Error executing action "Get Techniques Mitigations". Reason: {0}''.format(error.Stacktrace)

General

Ping

Description

Test Connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False