mitre-attack / mitreattack-python

A python module for working with ATT&CK
https://mitreattack-python.readthedocs.io/
Apache License 2.0

[Bug] get_all_mitigations_mitigating_all_techniques() - malformatted object #161

Closed SnowPatrolXV closed 9 months ago

SnowPatrolXV commented 9 months ago

Expected Behavior

The function should return, for each technique, a well-formatted mitigation list.

Actual Behavior

The function returns a malformatted object. For each technique, the mitigation list seems to be malformatted. Please find below the mitigation list of a technique. [{'object': CourseOfAction(type='course-of-action', spec_version='2.1', id='course-of-action--90f39ee1-d5a3-4aaa-9f28-3b42815b0d46', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2019-06-11T16:43:05.712Z', modified='2019-06-11T16:43:05.712Z', name='Behavior Prevention on Endpoint', description='Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.', revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/mitigations/M1040', external_id='M1040')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_attack_spec_version='2.1.0', x_mitre_domains=['enterprise-attack'], x_mitre_modified_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', x_mitre_version='1.0'), 'relationships': [Relationship(type='relationship', spec_version='2.1', id='relationship--ffe0659a-ff5b-4ffb-a842-38bb630fd6b8', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-11-22T15:02:15.265Z', modified='2022-05-24T14:00:00.188Z', relationship_type='mitigates', description='Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.', source_ref='course-of-action--90f39ee1-d5a3-4aaa-9f28-3b42815b0d46', target_ref='attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99', revoked=False, object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_attack_spec_version='2.1.0', x_mitre_domains=['enterprise-attack'], x_mitre_modified_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', x_mitre_version='1.0')]}]

The issue seems to come from the first attribute of the mitigation. It should be [{'object': 'CourseOfAction', type='course-of-action' ...

The same behaviour is also observed on the get_all_techniques_mitigated_by_all_mitigations function.

Steps to Reproduce the Problem

from mitreattack.stix20 import MitreAttackData

def main():
    # load the enterprise ATT&CK STIX bundle from the local file
    mitre_attack_data = MitreAttackData("enterprise-attack.json")

    # get all mitigations related to techniques
    mitigations_mitigating = mitre_attack_data.get_all_mitigations_mitigating_all_techniques()
    # each value is a list of {'object': CourseOfAction, 'relationships': [Relationship, ...]}
    for technique_internal_id, mitigations in mitigations_mitigating.items():
        print(mitigations)
        print("\n")

if __name__ == "__main__":
    main()

Possible Solution

clemiller commented 9 months ago

Hi @SnowPatrolXV,

From your description, I suspect this may be a misunderstanding of how the value returned by the get_all_mitigations_mitigating_all_techniques() function is structured. The example code you provided returns the expected values as described in the function documentation:

Returns
-------
dict
    a mapping of technique_stix_id => 
    [
       {
            "object": CourseOfAction,
            "relationships": Relationship[]
        }
    ]
    for each mitigation mitigating the technique

The function returns a list of dicts for each technique containing two keys, "object" and "relationships", where "object" is the stix2 CourseOfAction object and "relationships" is the list of stix2 Relationship objects that the CourseOfAction has with the given technique.

For example, the following is returned for technique T1564.008 (attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff):

[
    {
        'object': 
            CourseOfAction(
                type='course-of-action',
                id='course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8',
                created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
                created='2019-06-11T17:06:14.029Z', 
                modified='2022-10-21T15:52:12.722Z', 
                name='Audit', 
                description='Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.', 
                revoked=False, 
                external_references=[
                    ExternalReference(
                        source_name='mitre-attack', 
                        url='https://attack.mitre.org/mitigations/M1047', 
                        external_id='M1047'
                    )
                ], 
                object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
                x_mitre_attack_spec_version='2.1.0', 
                x_mitre_deprecated=False, 
                x_mitre_domains=['enterprise-attack'], 
                x_mitre_modified_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 
                x_mitre_version='1.1'
            ), 
        'relationships': [
            Relationship(
                type='relationship', 
                id='relationship--3b2ca38e-351d-4595-8ddb-17b648f196ef', 
                created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 
                created='2021-06-10T14:20:55.541Z', 
                modified='2021-10-16T01:24:32.138Z', 
                relationship_type='mitigates', 
                description='Enterprise email solutions may have monitoring mechanisms that may include the ability to audit inbox rules on a regular basis. \n\nIn an Exchange environment, Administrators can use <code>Get-InboxRule</code> to discover and remove potentially malicious inbox rules.(Citation: Microsoft Get-InboxRule)', 
                source_ref='course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8', 
                target_ref='attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff', 
                revoked=False, 
                external_references=[
                    ExternalReference(
                        source_name='Microsoft Get-InboxRule', 
                        description='Microsoft. (n.d.). Get-InboxRule. Retrieved June 10, 2021.', 
                        url='https://docs.microsoft.com/en-us/powershell/module/exchange/get-inboxrule?view=exchange-ps'
                    )
                ], 
                object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 
                x_mitre_modified_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 
                x_mitre_version='1.0'
            )
        ]
    }
]

Technique T1564.008 has a relationship with one mitigation M1047. The mitigation object can be retrieved by accessing the 'object' key: mitigations[0]['object']. Similarly, the relationships between the given technique and the mitigation can be retrieved: mitigations[0]['relationships'].

Here is a modified version of your example code that prints the STIX ID of the related mitigation(s):

from mitreattack.stix20 import MitreAttackData

def main():
    mitre_attack_data = MitreAttackData("enterprise-attack.json")

    # get all mitigations related to techniques
    mitigations_mitigating = mitre_attack_data.get_all_mitigations_mitigating_all_techniques()
    for technique_internal_id, mitigations in mitigations_mitigating.items():
        print(f"Technique {technique_internal_id}:")
        # each entry holds the CourseOfAction under 'object' and its Relationship objects under 'relationships'
        for mitigation in mitigations:
            print(f"\tMitigation {mitigation['object'].id}")
        print("\n")

if __name__ == "__main__":
    main()

This is the standard return structure for all functions that retrieve relationships between objects in MitreAttackData; there are more details and documentation for MitreAttackData on ReadTheDocs if you're interested.

I hope this helps!
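The return shape discussed in this thread, rebuilt from scratch as an added example (this is not mitreattack-python's own implementation): a small constructed STIX bundle of plain dicts stands in for the stix2 objects, a helper groups the 'mitigates' relationships into the documented technique_stix_id => [{"object": ..., "relationships": [...]}] mapping, and a consumer walks that mapping the way the answer above does. All IDs, names and external IDs in the bundle are placeholders, and the example goes slightly beyond the thread by showing a mitigation that has two Relationship objects with the same technique (one 'object', two 'relationships') and a non-'mitigates' relationship that must be left out.

```python
"""Added example, not mitreattack-python's own code: build and consume the
technique -> mitigation mapping in the shape the issue thread documents.

The STIX objects below are a constructed, minimal bundle: the IDs are
placeholders and only the fields this example reads are present.
"""
from collections import defaultdict

# Constructed sample bundle (plain dicts standing in for stix2 objects).
SAMPLE_BUNDLE = [
    {"type": "attack-pattern", "id": "attack-pattern--tech-0001",
     "name": "Example Technique A",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--tech-0002",
     "name": "Example Technique B",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0002"}]},
    {"type": "course-of-action", "id": "course-of-action--mit-0001",
     "name": "Example Mitigation 1",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M0001"}]},
    {"type": "course-of-action", "id": "course-of-action--mit-0002",
     "name": "Example Mitigation 2",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M0002"}]},
    {"type": "relationship", "id": "relationship--rel-0001", "relationship_type": "mitigates",
     "source_ref": "course-of-action--mit-0001", "target_ref": "attack-pattern--tech-0001"},
    {"type": "relationship", "id": "relationship--rel-0002", "relationship_type": "mitigates",
     "source_ref": "course-of-action--mit-0002", "target_ref": "attack-pattern--tech-0001"},
    # The same mitigation twice against T0002: two Relationship objects, one 'object' entry.
    {"type": "relationship", "id": "relationship--rel-0003", "relationship_type": "mitigates",
     "source_ref": "course-of-action--mit-0001", "target_ref": "attack-pattern--tech-0002"},
    {"type": "relationship", "id": "relationship--rel-0004", "relationship_type": "mitigates",
     "source_ref": "course-of-action--mit-0001", "target_ref": "attack-pattern--tech-0002"},
    # A 'uses' relationship must not appear in the mapping.
    {"type": "relationship", "id": "relationship--rel-0005", "relationship_type": "uses",
     "source_ref": "intrusion-set--grp-0001", "target_ref": "attack-pattern--tech-0001"},
]


def external_id(obj):
    """Return the ATT&CK external ID (e.g. T1564.008, M1047) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def mitigations_mitigating_all_techniques(bundle):
    """Return {technique_stix_id: [{"object": course_of_action,
                                   "relationships": [relationship, ...]}, ...]}.

    One entry per mitigation of a technique: the CourseOfAction under 'object'
    and every 'mitigates' Relationship it has with that technique under
    'relationships'. Dangling references and non-mitigation relationships are skipped.
    """
    by_id = {o["id"]: o for o in bundle}
    # technique id -> mitigation id -> list of relationship objects
    grouped = defaultdict(lambda: defaultdict(list))
    for obj in bundle:
        if obj["type"] != "relationship" or obj["relationship_type"] != "mitigates":
            continue
        source = by_id.get(obj["source_ref"])
        target = by_id.get(obj["target_ref"])
        if not source or not target:
            continue
        if source["type"] != "course-of-action" or target["type"] != "attack-pattern":
            continue
        grouped[target["id"]][source["id"]].append(obj)
    return {
        tech_id: [{"object": by_id[mit_id], "relationships": rels}
                  for mit_id, rels in mits.items()]
        for tech_id, mits in grouped.items()
    }


def summarize(mapping, bundle):
    """Consume the mapping as the thread shows (entry['object'], entry['relationships'])
    and return {technique_external_id: sorted [mitigation_external_id, ...]}."""
    by_id = {o["id"]: o for o in bundle}
    return {
        external_id(by_id[tech_id]): sorted(external_id(e["object"]) for e in entries)
        for tech_id, entries in mapping.items()
    }


if __name__ == "__main__":
    mapping = mitigations_mitigating_all_techniques(SAMPLE_BUNDLE)
    for tech_id, entries in mapping.items():
        print(f"Technique {tech_id}:")
        for entry in entries:
            print(f"\tMitigation {entry['object']['id']} "
                  f"({len(entry['relationships'])} relationship(s))")
    print(summarize(mapping, SAMPLE_BUNDLE))
```

With the real library the `mapping` would come from `MitreAttackData(...).get_all_mitigations_mitigating_all_techniques()` and the `object` values would be stix2 `CourseOfAction` instances (attribute access, `entry['object'].id`) rather than dicts; the shape of the list and its two keys is the same.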

SnowPatrolXV commented 9 months ago

Thanks for your reply. Your explanation helps me and my code works now.