diff --git a/.vscode/launch.json b/.vscode/launch.json
index 9b6627c..584c51b 100644
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -28,6 +28,15 @@
"args": "",
"cwd": "${workspaceFolder}/tools"
},
+ {
+ "name": "gen_mitre_fight",
+ "type": "debugpy",
+ "request": "launch",
+ "program": "${file}",
+ "console": "integratedTerminal",
+ "args": "",
+ "cwd": "${fileDirname}"
+ },
{
"name": "gen_mitre",
"type": "debugpy",
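Review bot: The new `gen_mitre_fight` entry sets `"program": "${file}"`, so it debugs whichever file is focused in the editor rather than the script it is named after. Its `"cwd": "${fileDirname}"` also differs from the `"cwd": "${workspaceFolder}/tools"` used by the configuration just above. If the entry is meant to run the generator added in this commit, pin it with `"program": "${workspaceFolder}/tools/gen_mitre_fight.py"` and `"cwd": "${workspaceFolder}/tools"`, so any relative output paths resolve the same way on every run.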
diff --git a/clusters/mitre-attack-pattern.json b/clusters/mitre-attack-pattern.json
index efe74e0..7de54ac 100644
--- a/clusters/mitre-attack-pattern.json
+++ b/clusters/mitre-attack-pattern.json
@@ -361,6 +361,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"value": "Abuse of iOS Enterprise App Signing Key - T1445"
},
@@ -409,6 +410,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a",
"value": "Device Unlock Code Guessing or Brute Force - T1459"
},
@@ -581,6 +583,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "f9e4f526-ac9d-4df5-8949-833a82a1d2df",
"value": "Malicious or Vulnerable Built-in Device Functionality - T1473"
},
@@ -938,6 +941,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"value": "Registry Run Keys / Startup Folder - T1060"
},
@@ -1038,6 +1042,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "52651225-0b3a-482d-aa7e-10618fd063b5",
"value": "Exploit SS7 to Track Device Location - T1450"
},
@@ -1075,6 +1080,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "a21a6a79-f9a1-4c87-aed9-ba2d79536881",
"value": "Stolen Developer Credentials or Signing Keys - T1441"
},
@@ -1159,6 +1165,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
"value": "Manipulate App Store Rankings or Ratings - T1452"
},
@@ -2167,6 +2174,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "3b0b604f-10db-41a0-b54c-493124d455b9",
"value": "Network Traffic Capture or Redirection - T1410"
},
@@ -2316,6 +2324,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4",
"value": "Windows Management Instrumentation Event Subscription - T1084"
},
@@ -2344,6 +2353,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"value": "Custom Command and Control Protocol - T1094"
},
@@ -2386,6 +2396,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2",
"value": "App Delivered via Web Download - T1431"
},
@@ -2418,6 +2429,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "62166220-e498-410f-a90a-19d4339d4e99",
"value": "Image File Execution Options Injection - T1183"
},
@@ -2451,6 +2463,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31",
"value": "SIP and Trust Provider Hijacking - T1198"
},
@@ -2733,6 +2746,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2",
"value": "App Delivered via Email Attachment - T1434"
},
@@ -2830,6 +2844,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a",
"value": "Exfiltration Over Other Network Medium - T1438"
},
@@ -2858,6 +2873,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "393e8c12-a416-4575-ba90-19cc85656796",
"value": "Eavesdrop on Insecure Network Communication - T1439"
},
@@ -3117,6 +3133,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "6f86d346-f092-4abc-80df-8558a90c426a",
"value": "Remotely Track Device Without Authorization - T1468"
},
@@ -3208,6 +3225,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2",
"value": "Install Insecure or Malicious Configuration - T1478"
},
@@ -3324,6 +3342,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0",
"value": "LLMNR/NBT-NS Poisoning and Relay - T1171"
},
@@ -3407,6 +3426,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "633baf01-6de4-4963-bb54-ff6c6357bed3",
"value": "Rogue Wi-Fi Access Points - T1465"
},
@@ -5308,6 +5328,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "68c96494-1a50-403e-8844-69a6af278c68",
"value": "Change Default File Association - T1042"
},
@@ -5522,6 +5543,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "4579d9c9-d5b9-45e0-9848-0104637b579f",
"value": "Credentials from Web Browsers - T1503"
},
@@ -5637,6 +5659,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "46944654-fcc1-4f63-9dad-628102376586",
"value": "DLL Search Order Hijacking - T1038"
},
@@ -5668,6 +5691,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b",
"value": "Detect App Analysis Environment - T1440"
},
@@ -5721,6 +5745,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a",
"value": "File System Permissions Weakness - T1044"
},
@@ -5914,6 +5939,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "39a130e1-6ab7-434a-8bd2-418e7d9d6427",
"value": "Service Registry Permissions Weakness - T1058"
},
@@ -6002,6 +6028,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "00d0b012-8a03-410e-95de-5826bf542de6",
"value": "Indicator Removal from Tools - T1066"
},
@@ -6066,6 +6093,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
"value": "Bypass User Account Control - T1088"
},
@@ -6129,6 +6157,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0",
"value": "Extra Window Memory Injection - T1181"
},
@@ -6190,6 +6219,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69",
"value": "Component Object Model Hijacking - T1122"
},
@@ -6280,6 +6310,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "6be14413-578e-46c1-8304-310762b3ecd5",
"value": "Kernel Modules and Extensions - T1215"
},
@@ -6330,6 +6361,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a",
"value": "Network Share Connection Removal - T1126"
},
@@ -6496,6 +6528,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "101c3a64-9ba5-46c9-b573-5c501053cbca",
"value": "Elevated Execution with Prompt - T1514"
},
@@ -6547,6 +6580,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93",
"value": "Hidden Files and Directories - T1158"
},
@@ -6635,6 +6669,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "1c2fd73a-e634-44ed-b1b5-9e7cf7404e9f",
"value": "Cloud Instance Metadata API - T1522"
},
@@ -6783,6 +6818,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "b928b94a-4966-4e2a-9e61-36505b896ebc",
"value": "Malicious Software Development Tools - T1462"
},
@@ -6822,6 +6858,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf",
"value": "Generate Fraudulent Advertising Revenue - T1472"
},
@@ -7459,6 +7496,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "f58cd69a-e548-478b-9248-8a9af881dc34",
"value": "Downgrade to Insecure Protocols - T1466"
},
@@ -7486,6 +7524,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "a5de0540-73e7-4c67-96da-4143afedc7ed",
"value": "Rogue Cellular Base Station - T1467"
},
@@ -8124,6 +8163,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "11bd699b-f2c2-4e48-bf46-fb3f8acd9799",
"value": "Insecure Third-Party Libraries - T1425"
},
@@ -12734,6 +12774,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "b332a960-3c04-495a-827f-f17a5daed3a6",
"value": "Disguise Root/Jailbreak Indicators - T1408"
},
@@ -12975,6 +13016,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79",
"value": "Winlogon Helper DLL - T1004"
},
@@ -13007,6 +13049,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0",
"value": "Modify System Partition - T1400"
},
@@ -13036,6 +13079,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925",
"value": "Compile After Delivery - T1500"
},
@@ -13146,6 +13190,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "6c174520-beea-43d9-aac6-28fb77f3e446",
"value": "Security Support Provider - T1101"
},
@@ -13257,6 +13302,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1",
"value": "Install Root Certificate - T1130"
},
@@ -13284,6 +13330,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
"value": "Modify Existing Service - T1031"
},
@@ -13309,6 +13356,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483",
"value": "Device Administrator Permissions - T1401"
},
@@ -13416,6 +13464,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61",
"value": "Application Deployment Software - T1017"
},
@@ -13478,6 +13527,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
"value": "Credentials in Files - T1081"
},
@@ -13593,6 +13643,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"value": "Standard Cryptographic Protocol - T1032"
},
@@ -13637,6 +13688,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"value": "Custom Cryptographic Protocol - T1024"
},
@@ -13664,6 +13716,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "60623164-ccd8-4508-a141-b5a34820b3de",
"value": "Domain Generation Algorithms - T1520"
},
@@ -13695,6 +13748,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "9ddc2534-e91c-4dab-a8f6-43dab81e8142",
"value": "Parent PID Spoofing - T1502"
},
@@ -13859,6 +13913,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39",
"value": "Windows Remote Management - T1028"
},
@@ -13920,6 +13975,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"value": "Security Software Discovery - T1063"
},
@@ -14211,6 +14267,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "c5e31fb5-fcbd-48a4-af8c-5a6ed5b932e5",
"value": "Web Session Cookie - T1506"
},
@@ -14239,6 +14296,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"value": "Uncommonly Used Port - T1065"
},
@@ -14262,6 +14320,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "e4c347e9-fb91-4bc5-83b8-391e389131e2",
"value": "Network Information Discovery - T1507"
},
@@ -14287,6 +14346,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
"value": "Pass the Hash - T1075"
},
@@ -14346,6 +14406,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2",
"value": "Suppress Application Icon - T1508"
},
@@ -14450,6 +14511,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "51dea151-0898-4a45-967c-3ebee0420484",
"value": "Remote Desktop Protocol - T1076"
},
@@ -14509,6 +14571,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d",
"value": "NTFS File Attributes - T1096"
},
@@ -14582,6 +14645,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "ffe742ed-9100-4686-9e00-c331da544787",
"value": "Windows Admin Shares - T1077"
},
@@ -14610,6 +14674,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c",
"value": "Pass the Ticket - T1097"
},
@@ -14638,6 +14703,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"value": "Disabling Security Tools - T1089"
},
@@ -14667,6 +14733,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "e2907cea-4b43-4ed7-a570-0fdf0fbeea00",
"value": "Space after Filename - T1151"
},
@@ -14744,6 +14811,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"value": "Capture SMS Messages - T1412"
},
@@ -14768,6 +14836,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
"value": "Credentials in Registry - T1214"
},
@@ -14876,6 +14945,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2",
"value": "Netsh Helper DLL - T1128"
},
@@ -15118,6 +15188,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
"value": "Dynamic Data Exchange - T1173"
},
@@ -15182,6 +15253,7 @@
]
},
"related": [],
+ "revoked": true,
"uuid": "8f142a25-f6c3-4520-bd50-2ae3ab50ed3e",
"value": "URL Scheme Hijacking - T1415"
},
@@ -15207,6 +15279,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "d3046a90-580c-4004-8208-66915bc29830",
"value": "Clear Command History - T1146"
},
@@ -15266,6 +15339,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "b8c5c9dd-a662-479d-9428-ae745872537c",
"value": "Password Filter DLL - T1174"
},
@@ -15285,6 +15359,7 @@
]
},
"related": [],
+ "revoked": true,
"uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
"value": "Device Type Discovery - T1419"
},
@@ -15313,6 +15388,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "d3df754e-997b-4cf9-97d4-70feb3120847",
"value": "Spearphishing via Service - T1194"
},
@@ -15392,6 +15468,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8",
"value": "Malicious Shell Modification - T1156"
},
@@ -15479,6 +15556,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2",
"value": "Setuid and Setgid - T1166"
},
@@ -15512,6 +15590,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8",
"value": "Local Job Scheduling - T1168"
},
@@ -15540,6 +15619,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "8df54627-376c-487c-a09c-7d2b5620f56e",
"value": "Control Panel Items - T1196"
},
@@ -15583,6 +15663,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a",
"value": "Compiled HTML File - T1223"
},
@@ -15727,6 +15808,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"value": "Access Contact List - T1432"
},
@@ -15798,6 +15880,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "786f488c-cb1f-4602-89c5-86d982ee326b",
"value": "Evade Analysis Environment - T1523"
},
@@ -15928,6 +16011,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "e30cc912-7ea1-4683-9219-543b86cbdec9",
"value": "Fake Developer Accounts - T1442"
},
@@ -16086,6 +16170,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "0bf78622-e8d2-41da-a857-731472d61a92",
"value": "Stored Data Manipulation - T1492"
},
@@ -16250,6 +16335,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "27960489-4e7f-461d-a62a-f5c0cb521e4a",
"value": "Application Access Token - T1527"
},
@@ -16390,6 +16476,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"value": "Access Call Log - T1433"
},
@@ -16421,6 +16508,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "831e3269-da49-48ac-94dc-948008e8fd16",
"value": "Remotely Install Application - T1443"
},
@@ -16470,6 +16558,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "62adb627-f647-498e-b4cc-41499361bacb",
"value": "Access Calendar Entries - T1435"
},
@@ -16511,6 +16600,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63",
"value": "Manipulate Device Communication - T1463"
},
@@ -16589,6 +16679,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "54456690-84de-4538-9101-643e26437e09",
"value": "Domain Generation Algorithms - T1483"
},
@@ -16618,6 +16709,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8",
"value": "Transmitted Data Manipulation - T1493"
},
@@ -16677,6 +16769,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "3b4121aa-fc8b-40c8-ac4f-afcb5838b72c",
"value": "Revert Cloud Instance - T1536"
},
@@ -16826,6 +16919,7 @@
]
},
"related": [],
+ "revoked": true,
"uuid": "0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
"value": "Malicious SMS Message - T1454"
},
@@ -16895,6 +16989,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "8e27551a-5080-4148-a584-c64348212e4f",
"value": "Delete Device Data - T1447"
},
@@ -16920,6 +17015,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"value": "Carrier Billing Fraud - T1448"
},
@@ -16949,6 +17045,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b",
"value": "Runtime Data Manipulation - T1494"
},
@@ -16966,6 +17063,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "c91c304a-975d-4501-9789-0db1c57afd3f",
"value": "Exploit Baseband Vulnerability - T1455"
},
@@ -17033,6 +17131,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "a9cab8f6-4c94-4c9b-9e7d-9d863ff53431",
"value": "Malicious Media Content - T1457"
},
@@ -17127,6 +17226,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "2e114e45-2c50-404c-804a-3af9564d240e",
"value": "Disk Structure Wipe - T1487"
},
@@ -17157,6 +17257,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7",
"value": "Disk Content Wipe - T1488"
},
@@ -17252,6 +17353,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "8c7862ff-3449-4ac6-b0fd-ac1298a822a5",
"value": "Uninstall Malicious Application - T1576"
},
@@ -17374,6 +17476,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "6636bc83-0611-45a6-b74f-1f3daf635b8e",
"value": "At (Linux) - T1053.001"
},
@@ -17916,6 +18019,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
"value": "DLL Side-Loading - T1073"
},
@@ -17941,6 +18045,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "e083305c-49e7-4c87-aae8-9689213bffbe",
"value": "Command-Line Interface - T1605"
},
@@ -17984,6 +18089,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300",
"value": "Re-opened Applications - T1164"
},
@@ -18042,6 +18148,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d",
"value": "SID-History Injection - T1178"
},
@@ -18069,6 +18176,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
"value": "Multi-hop Proxy - T1188"
},
@@ -24397,6 +24505,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a",
"value": "Plist Modification - T1547.011"
},
@@ -24835,6 +24944,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
"value": "Web Shell - T1100"
},
@@ -24925,6 +25035,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"value": "Data Compressed - T1002"
},
@@ -24995,6 +25106,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"value": "New Service - T1050"
},
@@ -25119,6 +25231,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "519630c5-f03f-4882-825c-3af924935817",
"value": "Binary Padding - T1009"
},
@@ -25281,6 +25394,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41",
"value": "AppInit DLLs - T1103"
},
@@ -25308,6 +25422,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "1f47e2fd-fa77-4f2f-88ee-e85df308f125",
"value": "Port Monitors - T1013"
},
@@ -25336,6 +25451,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "9b99b83a-1aac-4e29-b975-b374950551a3",
"value": "Accessibility Features - T1015"
},
@@ -25365,6 +25481,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "e399430e-30b7-48c5-b70a-f44dc8c175cb",
"value": "Clipboard Modification - T1510"
},
@@ -25391,6 +25508,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "06780952-177c-4247-b978-79c357fb311f",
"value": "Plist Modification - T1150"
},
@@ -25421,6 +25539,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e",
"value": "Systemd Service - T1501"
},
@@ -25540,6 +25659,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4",
"value": "Launch Daemon - T1160"
},
@@ -25568,6 +25688,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"value": "File Deletion - T1107"
},
@@ -25631,6 +25752,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44",
"value": "Component Firmware - T1109"
},
@@ -25663,6 +25785,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
"value": "System Firmware - T1019"
},
@@ -25692,6 +25815,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"value": "Data Encrypted - T1022"
},
@@ -25730,6 +25854,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"value": "Shortcut Modification - T1023"
},
@@ -25755,6 +25880,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69",
"value": "Broadcast Receivers - T1402"
},
@@ -25903,6 +26029,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "2169ba87-1146-4fc7-a118-12b72251db7e",
"value": "Sudo Caching - T1206"
},
@@ -25931,6 +26058,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87",
"value": "Time Providers - T1209"
},
@@ -26049,6 +26177,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"value": "Service Execution - T1035"
},
@@ -26088,6 +26217,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
"value": "Process Hollowing - T1093"
},
@@ -26135,6 +26265,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df",
"value": "Indicator Blocking - T1054"
},
@@ -26167,6 +26298,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "039bc59c-ecc7-4997-b2b4-4ab728bd91aa",
"value": "Code Injection - T1540"
},
@@ -26195,6 +26327,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "723e3a2b-ca0d-4daa-ada8-82ea35d3733a",
"value": "PowerShell Profile - T1504"
},
@@ -26223,6 +26356,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"value": "Software Packing - T1045"
},
@@ -26240,6 +26374,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "45dcbc83-4abc-4de1-b643-e528d1e9df09",
"value": "Biometric Spoofing - T1460"
},
@@ -26598,6 +26733,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e",
"value": "Multilayer Encryption - T1079"
},
@@ -26715,6 +26851,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d",
"value": "Authentication Package - T1131"
},
@@ -26833,6 +26970,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"value": "Input Prompt - T1411"
},
@@ -26863,6 +27001,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b",
"value": "Input Prompt - T1141"
},
@@ -26918,6 +27057,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb",
"value": "LC_LOAD_DYLIB Addition - T1161"
},
@@ -26947,6 +27087,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"value": "Code Signing - T1116"
},
@@ -27154,6 +27295,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9",
"value": "Login Item - T1162"
},
@@ -27182,6 +27324,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd",
"value": "Domain Fronting - T1172"
},
@@ -27209,6 +27352,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025",
"value": "AppCert DLLs - T1182"
},
@@ -27242,6 +27386,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba",
"value": "Spearphishing Link - T1192"
},
@@ -27319,6 +27464,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf",
"value": "Hidden Window - T1143"
},
@@ -27431,6 +27577,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566",
"value": "Application Shimming - T1138"
},
@@ -27473,6 +27620,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
"value": "Spearphishing Attachment - T1193"
},
@@ -27499,6 +27647,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "44dca04b-808d-46ca-b25f-d85236d4b9f8",
"value": "Bash History - T1139"
},
@@ -27526,6 +27675,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e",
"value": "Gatekeeper Bypass - T1144"
},
@@ -27605,6 +27755,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
"value": "Private Keys - T1145"
},
@@ -27672,6 +27823,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "77e30eee-fd48-40b4-99ec-73e97c158b58",
"value": "URI Hijacking - T1416"
},
@@ -27719,6 +27871,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff",
"value": "Hidden Users - T1147"
},
@@ -27768,6 +27921,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb",
"value": "SSH Hijacking - T1184"
},
@@ -27886,6 +28040,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f",
"value": "Startup Items - T1165"
},
@@ -27932,6 +28087,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda",
"value": "Dylib Hijacking - T1157"
},
@@ -27993,6 +28149,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "dd901512-6e37-4155-943b-453e3777b125",
"value": "Launch Agent - T1159"
},
@@ -28106,6 +28263,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "2715c335-1bf2-4efe-9f18-0691317ff83b",
"value": "Securityd Memory - T1167"
},
@@ -28135,6 +28293,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "c1a452f3-6499-4c12-b7e9-a6a0a102af76",
"value": "Process Doppelgänging - T1186"
},
@@ -28158,6 +28317,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d",
"value": "User Evasion - T1618"
},
@@ -28186,6 +28346,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352",
"value": "LSASS Driver - T1177"
},
@@ -28855,6 +29016,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"value": "Device Lockout - T1446"
},
@@ -31845,6 +32007,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f",
"value": "Rc.common - T1163"
},
@@ -31873,6 +32036,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "215190a9-9f02-4e83-bb5f-e0589965a302",
"value": "Regsvcs/Regasm - T1121"
},
@@ -31965,6 +32129,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec",
"value": "Mshta - T1170"
},
@@ -31990,6 +32155,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae",
"value": "Screensaver - T1180"
},
@@ -32016,6 +32182,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"value": "Rundll32 - T1085"
},
@@ -32068,6 +32235,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0",
"value": "Kerberoasting - T1208"
},
@@ -32183,6 +32351,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d",
"value": "Bootkit - T1067"
},
@@ -32214,6 +32383,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"value": "PowerShell - T1086"
},
@@ -32242,6 +32412,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"value": "Timestomp - T1099"
},
@@ -32270,6 +32441,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
"value": "Regsvr32 - T1117"
},
@@ -32296,6 +32468,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b",
"value": "InstallUtil - T1118"
},
@@ -32326,6 +32499,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3",
"value": "CMSTP - T1191"
},
@@ -32351,6 +32525,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d",
"value": "Keychain - T1142"
},
@@ -32377,6 +32552,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee",
"value": "Launchctl - T1152"
},
@@ -32426,6 +32602,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "b53dbcc6-147d-48bb-9df4-bcb8bb808ff6",
"value": "Trap - T1154"
},
@@ -32452,6 +32629,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "086952c4-5b90-4185-b573-02bad8e11953",
"value": "HISTCONTROL - T1148"
},
@@ -32505,6 +32683,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b",
"value": "AppleScript - T1155"
},
@@ -32533,6 +32712,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "8197f026-64da-4700-93b9-b55ba55f3b31",
"value": "Geofencing - T1581"
},
@@ -32560,6 +32740,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "d376668f-b208-42de-b1f5-fdfe0ad4b753",
"value": "Emond - T1519"
},
@@ -32603,6 +32784,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72",
"value": "Sudo - T1169"
},
@@ -32643,6 +32825,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "66f73398-8394-4711-85e5-34c8540b22a5",
"value": "Hooking - T1179"
},
@@ -32779,9 +32962,10 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "27f483c6-6666-44fa-8532-ffd5fc7dab38",
"value": "Keychain - T1579"
}
],
- "version": 29
+ "version": 30
}
diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json
index f49f0b7..198ac48 100644
--- a/clusters/mitre-intrusion-set.json
+++ b/clusters/mitre-intrusion-set.json
@@ -551,6 +551,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "76d59913-1d24-4992-a8ac-05a3eb093f71",
"value": "Dragonfly 2.0 - G0074"
},
@@ -4045,6 +4046,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "92d5b3fd-3b39-438e-af68-770e447beada",
"value": "Charming Kitten - G0058"
},
@@ -4515,6 +4517,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70",
"value": "Stolen Pencil - G0086"
},
@@ -13761,6 +13764,7 @@
"type": "similar"
}
],
+ "revoked": true,
"uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772",
"value": "MONSOON - G0042"
},
@@ -14083,6 +14087,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"value": "APT34 - G0057"
},
@@ -19098,6 +19103,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "dc5e2999-ca1a-47d4-8d12-a6984b138a1b",
"value": "UNC2452 - G0118"
},
@@ -21731,5 +21737,5 @@
"value": "TeamTNT - G0139"
}
],
- "version": 34
+ "version": 35
}
diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json
index e55e095..93d50aa 100644
--- a/clusters/mitre-malware.json
+++ b/clusters/mitre-malware.json
@@ -1027,8 +1027,8 @@
"Windows"
],
"refs": [
- "http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/",
- "https://attack.mitre.org/software/S0016"
+ "https://attack.mitre.org/software/S0016",
+ "https://www.secureworks.com/research/The-Lifecycle-of-Peer-to-Peer-Gameover-ZeuS"
],
"synonyms": [
"P2P ZeuS",
@@ -6661,6 +6661,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "911fe4c3-444d-4e92-83b8-cc761ac5fd3b",
"value": "Ngrok - S9000"
},
@@ -11971,6 +11972,7 @@
"type": "revoked-by"
}
],
+ "revoked": true,
"uuid": "310f437b-29e7-4844-848c-7220868d074a",
"value": "Darkmoon - S0209"
},
@@ -53303,5 +53305,5 @@
"value": "Akira - S1129"
}
],
- "version": 33
+ "version": 34
}
diff --git a/schema_clusters.json b/schema_clusters.json
index d1cd920..65e73e9 100644
--- a/schema_clusters.json
+++ b/schema_clusters.json
@@ -42,6 +42,9 @@
"uuid": {
"type": "string"
},
+ "revoked": {
+ "type": "boolean"
+ },
"related": {
"type": "array",
"additionalProperties": false,
diff --git a/tools/gen_mitre.py b/tools/gen_mitre.py
index 2e0639b..213858d 100755
--- a/tools/gen_mitre.py
+++ b/tools/gen_mitre.py
@@ -175,8 +175,8 @@ for domain in domains:
# handle deprecated and/or revoked
# if 'x_mitre_deprecated' in item and item['x_mitre_deprecated']:
# value['deprecated'] = True
- # if 'revoked' in item and item['revoked']:
- # value['revoked'] = True
+ if 'revoked' in item and item['revoked']:
+ value['revoked'] = True
if 'external_references' in item:
for reference in item['external_references']:
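Review bot: The re-enabled `if 'revoked' in item and item['revoked']:` flags only revoked objects, while the parallel `x_mitre_deprecated` branch directly above it stays commented out. Deprecated entries would therefore still be written without any marker, and a consumer that filters on `revoked` to drop stale techniques, groups or software would keep them. If that is deliberate, a short comment on the commented-out branch saying why deprecation is not exported would save the next maintainer from guessing. Assuming `item` is a plain dict, the condition also reads more simply as `if item.get('revoked'):`. The enclosing `for domain in domains:` loop starts and ends outside this hunk.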
diff --git a/tools/gen_mitre_fight.py b/tools/gen_mitre_fight.py
new file mode 100755
index 0000000..19ba136
--- /dev/null
+++ b/tools/gen_mitre_fight.py
@@ -0,0 +1,317 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# A simple convertor of the MITRE FiGHT to a MISP Galaxy datastructure.
+# Copyright (C) 2024 Christophe Vandeplas
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+from bs4 import BeautifulSoup
+from markdown import markdown
+import json
+import os
+import re
+import requests
+import uuid
+import yaml
+from pymispgalaxies import Cluster, Galaxy
+
+uuid_seed = '8666d04b-977a-434b-82b4-f36271ec1cfb'
+
+fight_url = 'https://fight.mitre.org/fight.yaml'
+
+galaxy_type = "mitre-fight"
+galaxy_description = 'MITRE Five-G Hierarchy of Threats (FiGHT™) is a globally accessible knowledge base of adversary tactics and techniques that are used or could be used against 5G networks.'
+galaxy_source = 'https://fight.mitre.org/'
+
+
+r = requests.get(fight_url)
+fight = yaml.safe_load(r.text)
+
+# with open('fight.yaml', 'w') as f:
+# f.write(r.text)
+# with open('fight.yaml', 'r') as f:
+# fight = yaml.safe_load(f)
+
+
+mitre_attack_pattern = Cluster('mitre-attack-pattern')
+
+
+def find_mitre_uuid_from_technique_id(technique_id):
+ try:
+ return mitre_attack_pattern.get_by_external_id(technique_id).uuid
+ except KeyError:
+ print("No MITRE UUID found for technique_id: ", technique_id)
+ return None
+
+
+def clean_ref(text: str) -> str:
+ '''
+ ' \\[1\\] [5GS Roaming Guidelines Version 5.0 (non-confidential), NG.113-v5.0, GSMA, December 2021](https://www.gsma.com/newsroom/wp-content/uploads//NG.113-v5.0.pdf)'
+ '''
+ html = markdown(text.replace('](', ' - ').replace(')', ' ').replace(' [', ''))
+ soup = BeautifulSoup(html, 'html.parser')
+ return soup.get_text().strip()
+
+
+def save_galaxy_and_cluster(json_galaxy, json_cluster, galaxy_fname):
+ # save the Galaxy and Cluster file
+ with open(os.path.join('..', 'galaxies', galaxy_fname), 'w') as f:
+ # sort_keys, even if it breaks the kill_chain_order , but jq_all_the_things requires sorted keys
+ json.dump(json_galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
+ f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
+
+ with open(os.path.join('..', 'clusters', galaxy_fname), 'w') as f:
+ json.dump(json_cluster, f, indent=2, sort_keys=True, ensure_ascii=False)
+ f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
+
+
+# tactics
+tactics = {} # key = ID, value = tactic
+for item in fight['tactics']:
+ tactics[item['id']] = item['name'].replace(' ', '-')
+
+#
+# techniques
+#
+technique_galaxy_name = "MITRE FiGHT Techniques"
+technique_cluster = Cluster({
+ 'authors': ["MITRE"],
+ 'category': 'attack-pattern',
+ 'name': technique_galaxy_name,
+ 'description': galaxy_description,
+ 'source': galaxy_source,
+ 'type': galaxy_type,
+ 'uuid': "6a1fa29f-85a5-4b1c-956b-ebb7df314486",
+ 'version': 1
+})
+
+for item in fight['techniques']:
+ technique_string = item['name'].strip().lower()
+ element = {
+ 'value': item['name'].strip(),
+ 'description': item['description'].strip(),
+ 'uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), item['id'])),
+ 'meta': {
+ 'kill_chain': [],
+ 'refs': [f"https://fight.mitre.org/techniques/{item['id']}"],
+ 'external_id': item['id']
+ },
+ 'related': []
+ }
+ keys_to_skip = ['id', 'name', 'references', 'tactics', 'description']
+ for keys in item.keys():
+ if keys not in keys_to_skip:
+ element['meta'][keys] = item[keys]
+
+ if 'https://attack.mitre.org/techniques/' in item['description']:
+ # extract the references from the description
+ # add it as ref and build the relationship to the technique using uuid
+ url = re.search(r'(https?://[^\)]+)/(T[^\)]+)', item['description'])
+ if url:
+ extracted_url = url.group(0)
+ element['meta']['refs'].append(extracted_url)
+ technique_uuid = find_mitre_uuid_from_technique_id(url.group(2).replace('/', '.'))
+ if technique_uuid:
+ element['related'].append({
+ 'dest-uuid': technique_uuid,
+ 'type': 'related-to'
+ })
+ else:
+ print("WARNING: No MITRE UUID found for technique_id: ", url.group(2))
+ pass
+
+ try:
+ for ref in item['references']:
+ element['meta']['refs'].append(clean_ref(ref))
+ except KeyError:
+ pass
+
+ for tactic in item['tactics']:
+ element['meta']['kill_chain'].append(f"fight:{tactics[tactic]}")
+
+ for mitigation in item['mitigations']:
+ element['meta']['refs'].append(f"https://fight.mitre.org/mitigations/{mitigation['fgmid']}")
+ # add relationship
+ element['related'].append({
+ 'dest-uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), mitigation['fgmid'])),
+ 'type': 'mitigated-by'
+ })
+
+ for detection in item['detections']:
+ element['meta']['refs'].append(f"https://fight.mitre.org/data%20sources/{detection['fgdsid']}")
+ # add relationship
+ element['related'].append({
+ 'dest-uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), detection['fgdsid'])),
+ 'type': 'detected-by'
+ })
+
+ try:
+ element['related'].append({
+ 'dest-uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), item['subtechnique-of'])),
+ 'type': 'subtechnique-of'
+ })
+ except KeyError:
+ pass
+
+ element['meta']['refs'] = list(set(element['meta']['refs']))
+ element['meta']['refs'].sort()
+
+ technique_cluster.append(element, skip_duplicates=True)
+
+technique_cluster.save('mitre-fight-techniques')
+
+for cluster, duplicate in technique_cluster.duplicates:
+ print(f"Skipped duplicate: {duplicate} in cluster {cluster}")
+
+kill_chain_tactics = technique_cluster.get_kill_chain_tactics()
+
+
+try:
+ technique_galaxy = Galaxy('mitre-fight-techniques')
+ # check if new kill_chain_tactics are present, add them if needed
+ for key, values in kill_chain_tactics.items():
+ if key not in technique_galaxy.kill_chain_order:
+ technique_galaxy.kill_chain_order[key] = []
+ for value in values:
+ if key not in technique_galaxy.kill_chain_order:
+ print(f"New kill_chain_tactic found: {key}:{value}")
+ technique_galaxy.kill_chain_order.append(tactic)
+except (KeyError, FileNotFoundError):
+ technique_galaxy = Galaxy({
+ 'description': galaxy_description,
+ 'icon': "map",
+ 'kill_chain_order': kill_chain_tactics,
+ 'name': technique_galaxy_name,
+ 'namespace': "mitre",
+ 'type': galaxy_type,
+ 'uuid': "c22c8c18-0ccd-4033-b2dd-804ad26af4b9",
+ 'version': 1
+ })
+
+technique_galaxy.save('mitre-fight-techniques')
+
+
+#
+# mitigations
+#
+mitigation_galaxy_name = "MITRE FiGHT Mitigations"
+mitigation_cluster = Cluster({
+ 'authors': ["MITRE"],
+ 'category': 'mitigation',
+ 'name': mitigation_galaxy_name,
+ 'description': galaxy_description,
+ 'source': galaxy_source,
+ 'type': galaxy_type,
+ 'uuid': "fe20707f-2dfb-4436-8520-8fedb8c79668",
+ 'version': 1
+})
+
+for item in fight['mitigations']:
+ element = {
+ 'value': item['name'].strip(),
+ 'description': item['description'].strip(),
+ 'uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), item['id'])),
+ 'meta': {
+ 'kill_chain': [],
+ 'refs': [f"https://fight.mitre.org/mitigations/{item['id']}"],
+ 'external_id': item['id']
+ },
+ 'related': []
+ }
+ # rel to techniques
+ for technique in item['techniques']:
+ element['related'].append({
+ 'dest-uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), technique)),
+ 'type': 'mitigates'
+ })
+ mitigation_cluster.append(element, skip_duplicates=True)
+
+mitigation_cluster.save('mitre-fight-mitigations')
+
+for cluster, duplicate in mitigation_cluster.duplicates:
+ print(f"Skipped duplicate: {duplicate} in cluster {cluster}")
+
+try:
+ mitigation_galaxy = Galaxy('mitre-fight-mitigations')
+except (KeyError, FileNotFoundError):
+ mitigation_galaxy = Galaxy({
+ 'description': galaxy_description,
+ 'icon': "shield-alt",
+ 'name': mitigation_galaxy_name,
+ 'namespace': "mitre",
+ 'type': galaxy_type,
+ 'uuid': "bcd85ca5-5ed7-4536-bca6-d16fb51adf55",
+ 'version': 1
+ })
+
+mitigation_galaxy.save('mitre-fight-mitigations')
+
+#
+# data sources / detections
+#
+detection_galaxy_name = "MITRE FiGHT Data Sources"
+detection_cluster = Cluster({
+ 'authors': ["MITRE"],
+ 'category': 'data-source',
+ 'name': detection_galaxy_name,
+ 'description': galaxy_description,
+ 'source': galaxy_source,
+ 'type': galaxy_type,
+ 'uuid': "fb4410a1-5a39-4b30-934a-9cdfbcd4d2ad",
+ 'version': 1
+})
+
+for item in fight['data sources']:
+ element = {
+ 'value': item['name'].strip(),
+ 'description': item['description'].strip(),
+ 'uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), item['id'])),
+ 'meta': {
+ 'kill_chain': [],
+ 'refs': [f"https://fight.mitre.org/data%sources/{item['id']}"],
+ 'external_id': item['id']
+ },
+ 'related': []
+ }
+ # rel to techniques
+ for technique in item['techniques']:
+ element['related'].append({
+ 'dest-uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), technique)),
+ 'type': 'detects'
+ })
+ detection_cluster.append(element, skip_duplicates=True)
+
+detection_cluster.save('mitre-fight-datasources')
+
+for cluster, duplicate in detection_cluster.duplicates:
+ print(f"Skipped duplicate: {duplicate} in cluster {cluster}")
+
+try:
+ detection_galaxy = Galaxy('mitre-fight-datasources')
+except (KeyError, FileNotFoundError):
+ detection_galaxy = Galaxy({
+ 'description': galaxy_description,
+ 'icon': "bell",
+ 'name': detection_galaxy_name,
+ 'namespace': "mitre",
+ 'type': galaxy_type,
+ 'uuid': "4ccc2400-55e4-42c2-bb8d-1d41883cef46",
+ 'version': 1
+ })
+
+detection_galaxy.save('mitre-fight-datasources')
+
+
+print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")
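Review bot: The kill-chain merge inside the `try:` that loads `Galaxy('mitre-fight-techniques')` cannot add a new tactic. The inner `if key not in technique_galaxy.kill_chain_order:` is always false once the preceding lines have created the key, and if it did run, `kill_chain_order.append(tactic)` would call `append` on what the surrounding lines index as a mapping, using the `tactic` variable left over from the techniques loop. The inner test and append should work on the per-key list: `if value not in technique_galaxy.kill_chain_order[key]:` followed by `technique_galaxy.kill_chain_order[key].append(value)`. The data-source cluster builds its ref with `data%sources`, whereas the technique loop uses `data%20sources`, so those links are malformed and should read `f"https://fight.mitre.org/data%20sources/{item['id']}"`. Because the downloaded YAML becomes committed galaxy data, the fetch should fail loudly instead of parsing an error page or hanging: `r = requests.get(fight_url, timeout=30)` and `r.raise_for_status()` before `yaml.safe_load(r.text)`.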
diff --git a/tools/requirements.txt b/tools/requirements.txt
index 716098f..42627b0 100644
--- a/tools/requirements.txt
+++ b/tools/requirements.txt
@@ -1,5 +1,7 @@
-
-pdfplumber==0.11.0
+pdfplumber==0.11.1
graphviz==0.20.3
-requests==2.32.2
-
+requests==2.32.3
+PyYAML==6.0.1
+beautifulsoup4==4.12.3
+Markdown==3.6
+PyMISPGalaxies @ git+https://github.com/MISP/PyMISPGalaxies.git
\ No newline at end of file
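Review bot: `PyMISPGalaxies @ git+https://github.com/MISP/PyMISPGalaxies.git` is the only requirement here without a fixed version: every other line is pinned with `==`, but this one installs whatever the repository's default branch contains at install time. Runs of the generator are then not reproducible, and any upstream change flows unreviewed into the tool that writes the committed cluster files. Pin it to a reviewed commit or tag, for example `PyMISPGalaxies @ git+https://github.com/MISP/PyMISPGalaxies.git@<commit-sha>` (placeholder: use the commit the script was tested against).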