As an individual or organization seeking to host an ATT&CK Extension via the ATT&CK website, I want to be able to view techniques while they are still being drafted.
Currently the ATT&CK website build will crash if any techniques in the input STIX data have an empty array for platforms:
```
$ python3 update-attack.py --modules clean website_build techniques matrices
clean : ---------------------------------------- 0.01s
matrices : ---------------------------------------- Running...Traceback (most recent call last):
  File "update-attack.py", line 154, in <module>
    ptr['run_module']()
  File "/Users/jtrahan/working/workspaces/attack/attack-website/modules/matrices/__init__.py", line 18, in run_module
    return (matrices.generate_matrices(), matrices_config.module_name)
  File "/Users/jtrahan/working/workspaces/attack/attack-website/modules/matrices/matrices.py", line 35, in generate_matrices
    matrix_generated = generate_platform_matrices(matrix, notes, side_menu_data)
  File "/Users/jtrahan/working/workspaces/attack/attack-website/modules/matrices/matrices.py", line 52, in generate_platform_matrices
    data['matrices'], data["has_subtechniques"], data["tour_technique"] = get_sub_matrices(matrix)
  File "/Users/jtrahan/working/workspaces/attack/attack-website/modules/matrices/matrices.py", line 125, in get_sub_matrices
    platform_techniques = util.buildhelpers.filter_techniques_by_platform(techniques, matrix['platforms'])
  File "/Users/jtrahan/working/workspaces/attack/attack-website/modules/util/buildhelpers.py", line 786, in filter_techniques_by_platform
    if platform in obj["x_mitre_platforms"]:
  File "/Users/jtrahan/working/workspaces/attack/attack-website/env/lib/python3.8/site-packages/stix2/base.py", line 179, in __getitem__
    return self._inner[key]
KeyError: 'x_mitre_platforms'
```
To reproduce, simply delete the platforms values from any technique in the stock Enterprise-ATT&CK STIX data and build the website from that data. Example technique with no defined platforms:
```json
{
    "created": "2020-02-11T18:46:56.263Z",
    "modified": "2020-03-20T15:56:55.022Z",
    "kill_chain_phases": [
        {
            "kill_chain_name": "mitre-attack",
            "phase_name": "credential-access"
        }
    ],
    "type": "attack-pattern",
    "id": "attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4",
    "description": "Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)\n\nThe Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) <code># /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>\n",
    "name": "/etc/passwd and /etc/shadow",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "external_references": [
        {
            "url": "https://attack.mitre.org/techniques/T1003/008",
            "external_id": "T1003.008",
            "source_name": "mitre-attack"
        },
        {
            "description": "The Linux Documentation Project. (n.d.). Linux Password and Shadow File Formats. Retrieved February 19, 2020.",
            "url": "https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html",
            "source_name": "Linux Password and Shadow File Formats"
        },
        {
            "description": "Vivek Gite. (2014, September 17). Linux Password Cracking: Explain unshadow and john Commands (John the Ripper Tool). Retrieved February 19, 2020.",
            "url": "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/",
            "source_name": "nixCraft - John the Ripper"
        }
    ],
    "x_mitre_platforms": [
    ],
    "x_mitre_is_subtechnique": true,
    "x_mitre_version": "1.0",
    "x_mitre_permissions_required": [
        "root"
    ],
    "x_mitre_detection": "The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access <code>/etc/passwd</code> and <code>/etc/shadow</code>, alerting on the pid, process name, and arguments of such programs.",
    "x_mitre_data_sources": [
        "Command: Command Execution",
        "File: File Access"
    ]
}
```
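The traceback shows the actual failure point: `filter_techniques_by_platform` indexes `obj["x_mitre_platforms"]` directly, and the parsed stix2 object has no such key even though the JSON carries an empty array (the stix2 library drops empty-list properties when it builds the object, which is consistent with the `KeyError`). The following is an added example, not code from the issue or from the attack-website project: it reproduces the crash on constructed sample data with the strict lookup, then shows the tolerant lookup that lets a drafted technique with no platforms simply stay off the platform matrices while still reporting it. The `parse_like_stix2` helper and the placeholder technique ids are assumptions made for the demonstration; only the first technique's id and name come from the issue.

```python
import json

# Constructed sample STIX objects (not real ATT&CK data beyond the id/name quoted
# in the issue): one drafted sub-technique with an empty platforms array and two
# placeholder techniques with declared platforms.
SAMPLE_STIX = json.dumps([
    {
        "type": "attack-pattern",
        "id": "attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4",
        "name": "/etc/passwd and /etc/shadow",
        "x_mitre_platforms": [],
    },
    {
        "type": "attack-pattern",
        "id": "attack-pattern--00000000-0000-4000-8000-000000000001",  # placeholder id
        "name": "Constructed Linux-only technique",
        "x_mitre_platforms": ["Linux"],
    },
    {
        "type": "attack-pattern",
        "id": "attack-pattern--00000000-0000-4000-8000-000000000002",  # placeholder id
        "name": "Constructed Windows technique",
        "x_mitre_platforms": ["Windows"],
    },
])


def parse_like_stix2(raw):
    """Emulate the parsing behaviour implied by the traceback (assumption):
    properties whose value is an empty list are dropped, so the parsed object
    ends up with no 'x_mitre_platforms' key at all."""
    return [{k: v for k, v in obj.items() if v != []} for obj in json.loads(raw)]


def filter_techniques_by_platform_strict(techniques, platforms):
    """The failing pattern from the issue: direct indexing of the property.
    Raises KeyError as soon as a technique without platforms is reached."""
    return [t for t in techniques
            if any(p in t["x_mitre_platforms"] for p in platforms)]


def filter_techniques_by_platform(techniques, platforms):
    """Tolerant version: a technique with missing or empty platforms is not
    placed on any platform matrix, and the build keeps going."""
    wanted = set(platforms)
    kept = []
    for t in techniques:
        declared = t.get("x_mitre_platforms") or []
        if wanted.intersection(declared):
            kept.append(t)
    return kept


def techniques_without_platforms(techniques):
    """Surface drafted techniques explicitly so the omission is visible in the
    build output rather than silently dropped."""
    return [t["id"] for t in techniques if not t.get("x_mitre_platforms")]


def demo():
    """Run both filters over the sample data for the Linux matrix."""
    techniques = parse_like_stix2(SAMPLE_STIX)
    try:
        filter_techniques_by_platform_strict(techniques, ["Linux"])
        strict_failed = False
    except KeyError:
        strict_failed = True
    kept = [t["name"] for t in filter_techniques_by_platform(techniques, ["Linux"])]
    return strict_failed, kept, techniques_without_platforms(techniques)


if __name__ == "__main__":
    strict_failed, kept, drafts = demo()
    print("strict lookup raised KeyError:", strict_failed)
    print("Linux matrix techniques:", kept)
    print("techniques with no platforms (skipped):", drafts)
```

The same `.get()`-with-default pattern applies anywhere the build reads an optional `x_mitre_*` property, and logging the skipped ids at build time keeps a draft from disappearing from every matrix without anyone noticing.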