In this post I will show you how to create new ATT&CK Objects and edit existing ones.
Note: this tutorial is written for MITRE ATT&CK version 11.0 (published on 2022-04-24) and Workbench v1.1.0 (released on 2021-10-21). Some of the concepts discussed may not apply to other versions.
Almost a year ago to the day, MITRE Engenuity announced the ATT&CK Workbench.
The workbench can perform a lot of functions, though arguably its most useful is the ability to create new objects or extend existing objects with new content. Matrices, techniques, tactics, mitigations, groups, and software can all be created and edited.
Think of it as an extension of core ATT&CK.
Using the ATT&CK Workbench you can create an extension of the knowledge base according to your own needs, or even an entirely new dataset aligned with ATT&CK terminology and usable with ATT&CK tools.
By sticking to the ATT&CK format (built on STIX 2.1 Objects) for customisation, it also facilitates a greater level of collaboration within the community.
In this post I will walk through some use-cases for creating objects using the ATT&CK Workbench.
Install and run
I use Docker on my local machine, so will proceed with the Docker installation steps. You can also install manually from source by following the steps linked here.
1. Download the required repositories:
git clone https://github.com/center-for-threat-informed-defense/attack-workbench-frontend.git
git clone https://github.com/center-for-threat-informed-defense/attack-workbench-collection-manager.git
git clone https://github.com/center-for-threat-informed-defense/attack-workbench-rest-api.git
2. Build and run
cd attack-workbench-frontend
docker-compose up
Now open up a browser and navigate to localhost.
Setting the organisation
On the first run you will be prompted to create an Organization Identity.
Your organization identity is used for attribution of edits you make to objects in the knowledge base. Essentially what this does is create a STIX 2.1 Identity Object with the organization details you enter, which is then referenced in STIX Objects you create or update.
Objects you create will be marked with your organization as the creator, and new major versions of existing objects will likewise be marked with your organization as the modifier (this is especially useful when multiple groups are working on the knowledge base).
Importing MITRE’s version of ATT&CK
Out-of-the-box, the ATT&CK Workbench will contain no Objects. Clicking any of the options in the Navigation bar will show no data.
The first thing you will want to do is add an existing version of ATT&CK. For example, importing the core MITRE ATT&CK data.
You can also import a custom ATT&CK dataset created in another ATT&CK workbench, perhaps by another organisation you collaborate with.
For this tutorial I will start by importing MITRE’s core ATT&CK data as a Collection, although the process is the same wherever you gather your ATT&CK data from.
A Collection is a set of related ATT&CK Objects; Collections may be used to represent specific releases of a dataset such as "Enterprise ATT&CK v11". Collections can be created by anyone, not just MITRE.
Data providers (like MITRE) can publish their Collections through a Collection Index. A Collection Index contains custom STIX Objects of type x-mitre-collection.
{
  "id": "10296991-439b-4202-90a3-e38812613ad4",
  "name": "MITRE ATT&CK",
  "description": "MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.",
  "created": "2018-01-17T12:56:55.080000+00:00",
  "modified": "2022-05-24T14:00:00.188000+00:00",
  "collections": [
    {
      "id": "x-mitre-collection--402e24b4-436e-4936-b19b-2038648f489",
      "created": "2018-01-17T12:56:55.080Z",
      "versions": [
        {
          "version": "11.2",
          "url": "https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/enterprise-attack/enterprise-attack-11.2.json",
          "modified": "2022-05-24T14:00:00.188Z"
        },
        {
          "version": "11.1",
          "url": "https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/enterprise-attack/enterprise-attack-11.1.json",
          "modified": "2022-05-11T14:00:00.188Z"
        },
Each domain of ATT&CK (Enterprise, Mobile and ICS) is represented as an x-mitre-collection Object, with the individual releases listed inside it as a series of STIX 2.1 Bundles.
MITRE publishes its ATT&CK versions as Collection Bundles via the ATT&CK STIX data GitHub repository. Here is the JSON document describing the Collections.
The above snippet, for example, shows the MITRE x-mitre-collection Object for Enterprise ATT&CK with the latest 2 releases (previous releases are cut to save space in this post) as nested Objects with links to the related STIX Bundles.
The ATT&CK Workbench can be configured to subscribe to Collection Indexes so that it automatically receives updates when they are available, or to allow the user to easily browse the new Collections added to the index.
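To show how an index of the shape above is consumed, here is an added example (my own code, not the Workbench's or MITRE's) that reads a constructed Collection Index, picks the newest release of each collection and reports which collections are newer than what has already been imported. The collection id and the bundle URLs are placeholders; the index id is the one shown in the snippet.

```python
import json

# Constructed Collection Index in the shape shown above (collection id and URLs are placeholders).
CONSTRUCTED_INDEX = json.dumps({
    "id": "10296991-439b-4202-90a3-e38812613ad4",
    "name": "MITRE ATT&CK",
    "collections": [{
        "id": "x-mitre-collection--00000000-0000-4000-8000-000000000001",
        "created": "2018-01-17T12:56:55.080Z",
        "versions": [
            {"version": "9.0", "url": "https://example.invalid/enterprise-attack-9.0.json",
             "modified": "2021-04-29T14:49:39.188Z"},
            {"version": "11.2", "url": "https://example.invalid/enterprise-attack-11.2.json",
             "modified": "2022-05-24T14:00:00.188Z"},
            {"version": "11.1", "url": "https://example.invalid/enterprise-attack-11.1.json",
             "modified": "2022-05-11T14:00:00.188Z"},
        ],
    }],
})


def version_key(version):
    """'11.2' -> (11, 2): compare releases numerically, since as strings '9.0' sorts above '11.2'."""
    return tuple(int(part) for part in version.split("."))


def latest_releases(index_json):
    """Map each x-mitre-collection id to (newest version, bundle URL)."""
    index = json.loads(index_json)
    result = {}
    for collection in index["collections"]:
        newest = max(collection["versions"], key=lambda rel: version_key(rel["version"]))
        result[collection["id"]] = (newest["version"], newest["url"])
    return result


def updates_available(index_json, imported):
    """Given {collection id: version already imported}, return the collections for which the
    index offers a newer release. Bundles not served over HTTPS are refused rather than fetched."""
    updates = {}
    for cid, (version, url) in latest_releases(index_json).items():
        if not url.startswith("https://"):
            raise ValueError(f"refusing non-HTTPS bundle for {cid}: {url}")
        current = imported.get(cid)
        if current is None or version_key(version) > version_key(current):
            updates[cid] = (version, url)
    return updates


if __name__ == "__main__":
    print(updates_available(CONSTRUCTED_INDEX, {"x-mitre-collection--00000000-0000-4000-8000-000000000001": "11.1"}))
```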
I will go ahead and import the core MITRE ATT&CK Collection Bundle.
To do this go to Collections > Imported Collections > Add a Collection Index and enter the Collection Bundle URL: https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/index.json
Clicking preview will show you all the Collections in the Collection Bundle. In the case of MITRE’s version of ATT&CK that is Enterprise, Mobile and ICS (and each published version).
All that is left to do is to click Add.
Once the Collection Index is added I then have to choose the Domain and version to import. To do this go to Collections > MITRE ATT&CK. I can then choose the Collection (e.g. Enterprise) and the version I want.
To import, click the download icon.
In some cases, you might only want to sync certain Objects from the core ATT&CK repository, for example, only downloading Group Objects.
For this exercise I will download the entire Enterprise ATT&CK version 11 Collection (17,671 Objects in total – most are Relationship Objects).
Once the import completes, you will now see the MITRE ATT&CK core data populated for each Object type as you browse around the Workbench.
Creating new Objects
You might be tempted to create your own Matrix and add existing (or custom) Tactics and Techniques to it.
You probably do not want to do that.
In most cases, you will want to extend the knowledge in the core ATT&CK Domains with new Data Sources, Software, Mitigations and Groups linked to Techniques already captured in the three default Matrices.
Going back to the Unit 42 report used previously in this tutorial, Popping Eagle: How We Leveraged Global Analytics to Discover a Sophisticated Threat Actor, it reports:
It also includes a second stage malicious tool written in Go dubbed “Going Eagle.”
This attacker-controlled IP used the first-stage malware to load a second stage DLL that we call “Going Eagle.”
This tool was created for one task only – to create a reverse SOCKS proxy to get the attacker control over the machine (as described in the “Lateral Movement” section later on).
“Going Eagle” appears to be a new Tool specific to this campaign, and is not captured in MITRE’s own version of ATT&CK.
It is the perfect opportunity for us to create a custom ATT&CK Software Object.
When creating a new tool, you will be prompted to select either Software (Malware) or Software (Tool).
The descriptions shown are not particularly clear.
I find the STIX 2.1 specification's descriptions of the Domain Objects make the distinction clearer than the descriptions the Workbench shows.
Tools are legitimate software that can be used by threat actors to perform attacks. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users.
Source: STIX 2.1 Specification
Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly.
Source: STIX 2.1 Specification
Using these characterisations and after studying the report, I would classify Going Eagle as Malware.
I can now fill in the required and optional fields for the object (the Workbench field, followed by the STIX property it maps to):
- type: Software (Malware). STIX Property: type. Note: already set as a result of creation.
- name: the name of the Object. STIX Property: name.
- ID. STIX Property: external_references.external_id. Note: must follow the ATT&CK Object ID structure (must start with S).
- version. STIX Property: x_mitre_version.
- platforms. STIX Property: x_mitre_platforms.
- contributors. STIX Property: x_mitre_contributors. Note: a list of strings naming contributors, e.g. David G (not a reference to an Identity Object).
- associated software. STIX Properties: x_mitre_aliases (software name), external_references.source_name (software name) and external_references.description (software description).
- description. STIX Property: description.
- domains. STIX Property: x_mitre_domains.
Here is the STIX Malware SDO generated by the Workbench:
Once you have added the Object information, it is now time to link it to other Objects to ensure it shows up in the right places.
For example, I know from the Popping Eagle report some of the MITRE ATT&CK Techniques the Malware leverages.
When editing the Software Object, after it has been created, I can create the supported Relationships for the STIX 2.1 Object type, in this case, Malware.
Here is the STIX SRO generated by the Workbench: bundle--177c6477-2dee-43d5-b4c9-8b7f3f5ec001.json
Now that you can create and link Objects, it is always a good idea to have some sort of review process to validate them.
All Objects move through a workflow, starting life as "work in progress" in the Workbench.
You can change the state of the workflow to "awaiting review" or "reviewed". Objects can also be revoked or deprecated.
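To make the field mapping above and the Relationship step concrete, here is an added example (my own code, not the Workbench's output and not from the Unit 42 report) that assembles the Malware SDO from those fields, attributes it to the organization Identity, and links it to a Technique with a "uses" Relationship SRO in a STIX 2.1 Bundle. The identity id, the technique id, the ATT&CK ID S9999, the source_name "example-org-attack" and the Windows platform are constructed assumptions.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Placeholders standing in for ids the Workbench would generate or already hold.
ORG_IDENTITY_ID = "identity--00000000-0000-4000-8000-00000000aaaa"        # your organization Identity
PROXY_TECHNIQUE_ID = "attack-pattern--00000000-0000-4000-8000-00000000bbbb"  # an imported Technique
SOFTWARE_ID = re.compile(r"^S\d{4}$")   # ATT&CK Software IDs must start with S


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_malware(name, attack_id, platforms, domains, description,
                 aliases=(), contributors=(), version="1.0"):
    """Build the Malware SDO from the Workbench form fields listed above."""
    if not SOFTWARE_ID.match(attack_id):
        raise ValueError(f"{attack_id!r} is not a valid ATT&CK Software ID")
    ts = _now()
    refs = [{"source_name": "example-org-attack", "external_id": attack_id}]  # ID field (source_name constructed)
    refs += [{"source_name": a, "description": description} for a in aliases]  # associated software
    return {
        "type": "malware", "spec_version": "2.1",           # type: set by choosing Software (Malware)
        "id": "malware--" + str(uuid.uuid4()),
        "created": ts, "modified": ts,
        "created_by_ref": ORG_IDENTITY_ID,                  # creator attribution
        "x_mitre_modified_by_ref": ORG_IDENTITY_ID,         # modifier attribution
        "name": name, "description": description, "is_family": False,
        "external_references": refs,
        "x_mitre_version": version,
        "x_mitre_platforms": list(platforms),
        "x_mitre_domains": list(domains),
        "x_mitre_aliases": [name, *aliases],
        "x_mitre_contributors": list(contributors),         # plain strings, not Identity references
    }


def make_uses(malware, technique_id):
    """Relationship SRO linking the Malware to a Technique it uses."""
    ts = _now()
    return {"type": "relationship", "spec_version": "2.1", "id": "relationship--" + str(uuid.uuid4()),
            "created": ts, "modified": ts, "created_by_ref": ORG_IDENTITY_ID,
            "relationship_type": "uses", "source_ref": malware["id"], "target_ref": technique_id}


def make_bundle(*objects):
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": list(objects)}


GOING_EAGLE = make_malware("Going Eagle", "S9999", ["Windows"], ["enterprise-attack"],
                           "Second-stage Go DLL that creates a reverse SOCKS proxy.", contributors=["David G"])
BUNDLE = make_bundle(GOING_EAGLE, make_uses(GOING_EAGLE, PROXY_TECHNIQUE_ID))
print(json.dumps(BUNDLE, indent=2))
```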
Sharing and Collaborating with Workbench
When creating or updating ATT&CK Objects, whether for internal or external sharing and collaboration, you will eventually get to a point where you need to share and disseminate your work.
There are a few native ways to do this with the ATT&CK Workbench that I will show you in the next post.
ATT&CK Certification (Virtual and In Person)
The content used in this post is a small subset of our full training material used in our ATT&CK training.
If you want to join a select group of certified ATT&CK professionals, subscribe to our newsletter below to be notified of new course dates.