Cyb3rWard0g / Invoke-ATTACKAPI

A PowerShell script to interact with the MITRE ATT&CK Framework via its own API
MIT License

API parsing #1

Closed: g1ldedm1n1on closed this issue 6 years ago

g1ldedm1n1on commented 7 years ago

Awesome tool! I haven't had a chance to dig into the code, but I was using it to quickly fill out some details on the different techniques and I noticed that when it is pulling the description or mitigation from the API it is also pulling in the references included in those descriptions. Here is an example of what is being stored for T1002. You can see the references being added in the mitigation section.

https://attack.mitre.org/wiki/Technique/T1002

: Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to compress files, and audit and/or block them by using whitelistingBeechey 2010 tools, like AppLocker,Windows Commands JPCERTNSA MS AppLocker or Software Restriction PoliciesCorio 2008 where appropriate.TechNet Applocker vs SRP

Thought I'd share in case you are able to look at this sooner than me. Again, also PowerShell usage, and thank you!

Cyb3rWard0g commented 7 years ago

Hey @g1ldedm1n1on! Thank you for the observation. I actually noticed that since day 1 and I forgot to get back to it. Something that I remember doing at the beginning that I planned on testing later was to look into the references property values as shown in the figure below. For example, T1002 has all the "extra" strings showing up in the description text in the Reference property. I believe all I have to do is replace those values in a "foreach" loop on every description from "Technique", "Group" & "Software". I haven't got the time to get to it yet. I will take a look at it soon. Thank you for the feedback :)

[screenshot: capture]

dm-mitre commented 7 years ago

@Cyb3rWard0g is right on the find/replace loop. Each tag in the Reference list uniquely identifies a reference on the site. As a note, if you wanted to make the references more obvious you could switch the underlying API queries to return the raw text by adding #-ia to each property you want to be raw, e.g. ?Has technical description#-ia. This will show citations like this: [[CiteRef::<reference key>]] rather than just <reference key>.

Cyb3rWard0g commented 7 years ago

Thank you very much @dm-mitre for the input. That is very helpful. I will try to add the #-ia to each property and test it. :) Thank you.

Cyb3rWard0g commented 6 years ago

Hey @g1ldedm1n1on! I just got back from vacation and was able to add @dm-mitre's recommendation to the script (#-ia) in the description, analytic details and mitigation properties. It works as expected and looks cleaner. I like to keep the references in there, but with the [[CiteRef::]] syntax. I updated the example CSVs and README in the repo. Please, whenever you have a chance, test it and let me know if this is helpful :). After testing your example (T1002), I now get the following:

[screenshot: t1002]

You can see the references being displayed with the right syntax :). Thank you for the feedback. I hope you have a great weekend! Also, once again thank you @dm-mitre for sharing the #-ia information. It made things so much easier.
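As an added example (not code from Invoke-ATTACKAPI or its authors), this is one way to post-process the raw `[[CiteRef::<key>]]` text that the `#-ia` modifier returns, as discussed by @dm-mitre and applied in the comment above: distinct citation keys become numbered footnotes in first-appearance order, and keys that do not match an entry from the technique's Reference property are reported rather than silently kept. The function name `Convert-CiteRefText` and the sample text (modelled on the T1002 mitigation quoted in this issue) are constructed here.

```powershell
# Added example, not part of Invoke-ATTACKAPI. Turns "[[CiteRef::<key>]]" tags into
# numbered footnotes and returns the footnote list plus any unresolved citation keys.
function Convert-CiteRefText {
    param(
        [Parameter(Mandatory)] [string] $Text,
        # Keys from the technique's Reference property; when supplied, citations that
        # do not resolve to one of them are reported in the Unresolved field.
        [string[]] $KnownReferences = @()
    )

    $pattern = '\[\[CiteRef::(?<key>[^\]]+)\]\]'
    $keys    = New-Object 'System.Collections.Generic.List[string]'

    # First pass: record each distinct key in order of first appearance, so a
    # reference cited twice receives a single footnote number.
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $key = $m.Groups['key'].Value
        if (-not $keys.Contains($key)) { $keys.Add($key) }
    }

    # Second pass: literal (non-regex) replacement of every tag with its marker.
    $clean = $Text
    for ($i = 0; $i -lt $keys.Count; $i++) {
        $tag   = '[[CiteRef::' + $keys[$i] + ']]'
        $clean = $clean.Replace($tag, ('[{0}]' -f ($i + 1)))
    }

    [pscustomobject]@{
        Text       = $clean
        References = @(for ($i = 0; $i -lt $keys.Count; $i++) { '[{0}] {1}' -f ($i + 1), $keys[$i] })
        Unresolved = @($keys | Where-Object { $KnownReferences.Count -gt 0 -and $KnownReferences -notcontains $_ })
    }
}

# Constructed sample input modelled on the T1002 mitigation text quoted in this issue.
$raw  = 'Identify unnecessary system utilities ... by using whitelisting[[CiteRef::Beechey 2010]] tools, ' +
        'like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software ' +
        'Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]'
# Constructed Reference list; "TechNet Applocker vs SRP" is left out on purpose to show the check.
$refs = @('Beechey 2010', 'Windows Commands JPCERT', 'NSA MS AppLocker', 'Corio 2008')

$result = Convert-CiteRefText -Text $raw -KnownReferences $refs
$result.Text
$result.References
if ($result.Unresolved) {
    Write-Warning ('Citation keys without a matching Reference entry: ' + ($result.Unresolved -join ', '))
}
```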

Cyb3rWard0g commented 6 years ago

@g1ldedm1n1on , I am closing this issue since it is working fine with the latest update applied to the script. Let me know if you need me to open it back up for more testing or additional features related to the same topic.

g1ldedm1n1on commented 6 years ago

Thanks, I must have missed the notification on GitHub for this. I will give it a test, but it looks good from what you displayed. Thanks for making the modifications!