Closed mvelazc0 closed 5 years ago
Thank you very much @mvelazc0. I fixed it with Version 1.7. When the parsers were being applied to Software STIX objects, they were not taking into consideration that some fields do not have values anymore. ATT&CK updated their content and there were several changes that broke some of the parsers. It was an easy fix. Thank you very much. You can uninstall it and install version 1.7.
Test:
>>>
>>> from attackcti import attack_client
>>>
>>> lift = attack_client()
>>>
>>> all_enterprise = lift.get_all_enterprise()
>>>
>>> all_enterprise['techniques'][0]
{'type': 'attack-pattern', 'id': 'attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'created': '2018-10-17 00:14:20.652000+00:00', 'modified': '2018-10-31 13:45:13.024000+00:00', 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'url': 'https://attack.mitre.org/techniques/T1222', 'matrix': 'mitre-attack', 'technique': 'File Permissions Modification', 'technique_description': "File permissions are commonly managed by discretionary access control lists (DACLs) specified by the file owner. File DACL implementation may vary by platform, but generally explicitly designate which users/groups can perform which actions (ex: read, write, execute, etc.). (Citation: Microsoft DACL May 2018) (Citation: Microsoft File Rights May 2018) (Citation: Unix File Permissions)\n\nAdversaries may modify file permissions/attributes to evade intended DACLs. (Citation: Hybrid Analysis Icacls1 June 2018) (Citation: Hybrid Analysis Icacls2 May 2018) Modifications may include changing specific access rights, which may require taking ownership of a file and/or elevated permissions such as Administrator/root depending on the file's existing permissions to enable malicious activity such as modifying, replacing, or deleting specific files. 
Specific file modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1015), [Logon Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files.", 'tactic': ['defense-evasion'], 'technique_id': 'T1222', 'platform': ['Linux', 'Windows', 'macOS'], 'data_sources': ['File monitoring', 'Process monitoring', 'Process command-line parameters', 'Windows event logs'], 'defense_bypassed': ['File system access controls'], 'permissions_required': ['User', 'Administrator', 'SYSTEM', 'root'], 'effective_permissions': None, 'system_requirements': None, 'network_requirements': None, 'remote_support': None, 'contributors': ['Jan Miller, CrowdStrike'], 'technique_references': ['https://attack.mitre.org/techniques/T1222', 'https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces', 'https://docs.microsoft.com/windows/desktop/fileio/file-security-and-access-rights', 'https://www.tutorialspoint.com/unix/unix-file-permission.htm', 'https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100', 'https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110', 'https://docs.microsoft.com/windows-server/administration/windows-commands/icacls', 'https://docs.microsoft.com/windows-server/administration/windows-commands/attrib', 'https://linux.die.net/man/1/chmod', 'https://linux.die.net/man/1/chown', 'https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/', 'https://docs.microsoft.com/windows-server/administration/windows-commands/takeown', 'https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-acl'], 'detectable_by_common_defenses': None, 'detectable_explanation': None, 'difficulty_for_adversary': None, 'difficulty_explanation': None, 
'tactic_type': None}
>>>
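The failure described in the comment above (a parser indexing fields that ATT&CK Software objects no longer carry) can be reproduced and avoided as in the following added example, which is not attackcti's code and not part of the original thread. The function names, the `software_*` output keys (modelled on the technique output above) and both sample objects are assumptions constructed for illustration.

```python
# Added example: not attackcti's code. Output key names are assumptions
# modelled on the technique output above; both sample objects are constructed.

def mitre_ref(obj):
    """Return the object's ATT&CK external reference, or {} when it has none."""
    for ref in obj.get("external_references") or []:
        if ref.get("source_name") == "mitre-attack":
            return ref
    return {}

def brittle_parse_software(obj):
    """Direct indexing: raises KeyError once upstream content drops a field."""
    return {"software": obj["name"],
            "software_aliases": obj["x_mitre_aliases"],
            "software_platform": obj["x_mitre_platforms"]}

def parse_software(obj):
    """Flatten a STIX malware/tool object; fields without a value become None."""
    if obj.get("type") not in ("malware", "tool"):
        raise ValueError(f"not a software object: {obj.get('type')!r}")
    ref = mitre_ref(obj)
    return {
        "type": obj["type"],
        "id": obj.get("id"),
        "software": obj.get("name"),
        "software_description": obj.get("description"),
        "software_id": ref.get("external_id"),
        "url": ref.get("url"),
        "software_aliases": obj.get("x_mitre_aliases"),
        "software_platform": obj.get("x_mitre_platforms"),
        "software_labels": obj.get("labels"),
    }

# Constructed sample with every field present.
FULL = {
    "type": "tool", "id": "tool--00000000-0000-4000-8000-000000000001",
    "name": "ExampleTool", "description": "Constructed sample.",
    "labels": ["tool"], "x_mitre_aliases": ["ExampleTool", "ExTool"],
    "x_mitre_platforms": ["Windows"],
    "external_references": [{"source_name": "mitre-attack",
                             "external_id": "S9999",
                             "url": "https://example.invalid/software/S9999"}],
}
# Constructed sample: the same object after upstream dropped three fields.
SPARSE = {k: v for k, v in FULL.items()
          if k not in ("x_mitre_aliases", "x_mitre_platforms", "external_references")}

if __name__ == "__main__":
    for sample in (FULL, SPARSE):
        print(parse_software(sample))
```

Downstream detection or reporting code that consumes these dictionaries should treat `None` as "not provided upstream" rather than as an empty list.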