SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

Not finding technique while creating assessment #100

Closed f1r3walled closed 3 years ago

f1r3walled commented 3 years ago

Hey, guys! Sorry! Maybe the question is quite dumb, but why, while creating a new assessment or even a test case, could I not find anything related to the technique Impact, more specifically Data Manipulation (T1565) and the respective sub-techniques? Do you know why? Will I need to manually create it?

Cheers!

thebleucheese commented 3 years ago

What VECTR version are you using? Impact techniques should be present in more recent versions (5.7+)

If you start typing the name in the Technique field, the Data Manipulation techniques should be present. (screenshot not included)

f1r3walled commented 3 years ago

I think I got it... I just needed to create some new test cases associated with those techniques and sub-techniques (T1565, T1565.001, T1565.002 and T1565.003). I am using version 6.0.2, but I was expecting to see some test cases automatically created and linked to a default organization (SRA, MITRE, Atomic Red Team), just like other previously existing test cases. So, I am assuming that sometimes you will need to create new test cases associated with your organization. Did you get my point? Am I right?

thebleucheese commented 3 years ago

Yes, that's correct.
Atomic Red doesn't look like they have anything for 1565 (you can import their combined index.yaml file in the Administration -> File Import section if they update to include procedures for those Techniques).

The data we (SRA) include with VECTR is a smaller sample of some of the procedures we run during Purple Team engagements so it's non-exhaustive and may require external tools or knowledge.

MITRE CTI does have some data that covers these techniques. You can import the MITRE enterprise-attack JSON from here (https://github.com/mitre/cti/blob/ATT%26CK-v7.2/enterprise-attack/enterprise-attack.json) in the Administration -> File Import section and then select FIN4 and click submit to import that campaign. FIN4 uses Stored Data Manipulation. Some other groups use 1565.x techniques as well. Note that v7.2 is the latest MITRE ATT&CK version supported by the current VECTR version. We're working on a new release that should be completed this week to support ATT&CK versions 8.0 and 8.1.

With FIN4 imported you'll have a test case that looks like this: (screenshot not included)
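To see which groups in the enterprise-attack JSON linked above are worth importing for T1565.x, you can walk the STIX bundle's "uses" relationships yourself. The following is an added example, not VECTR's or MITRE's code; the bundle it runs on is a constructed miniature in the shape of enterprise-attack.json, with made-up STIX IDs and a fictional revoked group to exercise the filter.

```python
from collections import defaultdict

# Constructed miniature of MITRE CTI's enterprise-attack.json (a STIX 2.0 bundle):
# attack-pattern objects carry the ATT&CK ID in external_references, intrusion-set
# objects are groups, and "uses" relationship objects link the two. STIX IDs are
# made up; "ExampleGroup" is fictional and revoked so the filter has something to drop.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--a1", "name": "Data Manipulation",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1565"}]},
        {"type": "attack-pattern", "id": "attack-pattern--a2", "name": "Stored Data Manipulation",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1565.001"}]},
        {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "FIN4"},
        {"type": "intrusion-set", "id": "intrusion-set--g2", "name": "ExampleGroup", "revoked": True},
        {"type": "relationship", "id": "relationship--r1", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--a2"},
        {"type": "relationship", "id": "relationship--r2", "relationship_type": "uses",
         "source_ref": "intrusion-set--g2", "target_ref": "attack-pattern--a1"},
    ],
}

def attack_id(obj):
    """ATT&CK external ID (e.g. T1565.001) of a STIX object, or None if it has none."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def groups_using_technique(bundle, technique_id):
    """Group name -> sorted ATT&CK IDs equal to technique_id or its sub-techniques.
    Revoked and deprecated objects (and relationships that point at them) are ignored."""
    objs = {o["id"]: o for o in bundle["objects"]
            if not (o.get("revoked") or o.get("x_mitre_deprecated"))}
    hits = defaultdict(set)
    for rel in objs.values():
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses":
            continue
        src, tgt = objs.get(rel["source_ref"]), objs.get(rel["target_ref"])
        if not (src and tgt) or src["type"] != "intrusion-set" or tgt["type"] != "attack-pattern":
            continue
        tid = attack_id(tgt)
        if tid and (tid == technique_id or tid.startswith(technique_id + ".")):
            hits[src["name"]].add(tid)
    return {name: sorted(ids) for name, ids in hits.items()}

if __name__ == "__main__":
    print(groups_using_technique(SAMPLE_BUNDLE, "T1565"))
```

To run it against the real file, replace SAMPLE_BUNDLE with the result of `json.load` on the downloaded enterprise-attack.json; passing "T1565" returns the parent and every sub-technique, passing "T1565.001" returns only that one.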

f1r3walled commented 3 years ago

Crystal clear! :)