If you are reading this blog post via a 3rd party source it is very likely that many parts of it will not render correctly. Please view the post on signalscorps.com for the full interactive viewing experience.
In this post I will show you how to export and share your custom versions of ATT&CK.
You will eventually get to a point where you need to share and disseminate the ATT&CK Objects you have created or modified.
There are a few ways in which this can be done, depending on your objectives. I will show you them all and let you decide that for yourself.
Custom Collections
As you have already seen it is possible to import Collections to Workbench.
It is also possible to create your own Collections, which can be used to share and collaborate.
Here I create a new Collection by navigating to Collections > My Collections > Create New Collection.
Inside this new Collection I will add the one Object I created in the previous tutorial, the Software Object.
Once it is successfully created, the Workbench will show the new Collection (and the API endpoint to grab the STIX 2.1 Bundle for the Collection from).
To share this with the community (and offer the opportunity for others to submit updates and changes), I will use GitHub to store the Bundle.
Here is the Bundle for my Collection: https://github.com/signalscorps/tutorials/blob/main/attack-workbench-tutorial/bundle--2c73efd0-2b59-4234-b3dc-2961f4b2e8e6.json
In order to make it importable to the Workbench, you also need to create a Collection Index, pointing to the STIX 2.1 Bundle .json.
Here is the Collection Index for my Collection.
Here is MITRE’s Collection Index for the default ATT&CK version for additional reference.
Now all that is left to do is share my Collection Index URL so others can import and work on it.
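A Collection Index can be generated from the exported Bundle instead of being written by hand. The following is an added example, not code from this post or from MITRE: `build_collection_index`, the sample Bundle and the example.org URL are constructed, and the field layout is assumed to match MITRE's Collection Index referenced above, so check the output against that file before publishing.

```python
import json
import uuid

# Constructed sample: a minimal Workbench export holding one collection object.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [{
        "type": "x-mitre-collection",
        "id": "x-mitre-collection--00000000-0000-4000-8000-000000000002",
        "name": "Example Collection",
        "description": "Constructed sample collection",
        "created": "2022-06-29T06:00:00.000Z",
        "modified": "2022-06-29T07:00:00.000Z",
        "x_mitre_version": "1.0",
    }],
}

def build_collection_index(bundle, bundle_url, index_name):
    """Build a Collection Index dict whose single version points at bundle_url."""
    found = [o for o in bundle.get("objects", []) if o.get("type") == "x-mitre-collection"]
    if len(found) != 1:
        raise ValueError(f"expected one x-mitre-collection object, found {len(found)}")
    col = found[0]
    # Importers fetch this URL unattended, so require transport integrity.
    if not bundle_url.startswith("https://"):
        raise ValueError("publish the Bundle over HTTPS")
    return {
        "id": str(uuid.uuid4()),  # id of the index itself, not of the collection
        "name": index_name,
        "description": col.get("description", ""),
        "created": col["created"],
        "modified": col["modified"],
        "collections": [{
            "id": col["id"],
            "name": col["name"],
            "description": col.get("description", ""),
            "created": col["created"],
            "versions": [{
                "version": col["x_mitre_version"],
                "url": bundle_url,
                "modified": col["modified"],
            }],
        }],
    }

if __name__ == "__main__":
    idx = build_collection_index(SAMPLE_BUNDLE, "https://example.org/bundle.json", "Example Index")
    print(json.dumps(idx, indent=2))
```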
The Workbench API
The Workbench ships with an API that covers all the functions to work with data: view (GET), create (POST), update (PUT), and delete (DELETE) actions.
This is the option with the most functionality with regard to integrations.
You can access the docs when the Workbench is running at localhost/api-docs/.
Last week I created a new Software Object (Tool), called Going Eagle.
I can use the GET /api/software endpoint to find it, using the search parameter:
GET http://localhost/api/software?search=Going%20Eagle
Here is the full json response.
The response is returned as JSON, structured into various sections:
- stix: contains the full STIX 2.1 Object for the Software (STIX malware Object).
- workspace: contains Workbench information, including workflow status.
- created_by_identity: contains a nested stix Identity Object (for the creator).
- modified_by_identity: in case Objects are modified by another user (and thus a new major STIX version is created), a nested stix object which contains the STIX Identity Object of the editor.
I can also GET the Relationship I created, using the sourceRef parameter, now that I know the STIX id of the malware Object.
GET http://localhost/api/relationships?sourceRef=malware--ee25ab98-d40c-46c1-8fbe-eed63ca48f7b
Here is the full json response.
You can also start creating some Objects. Here is a dummy Technique I created.
POST localhost/api/techniques
I would recommend using a tool like Postman to form these requests.
To do this, download the OpenAPI specification I have generated for the current version of Workbench (v1.1.0).
Then import it to Postman.
- Find the techniques > POST Create a technique endpoint
- Make sure the URL of the POST endpoint matches your Workbench install
- Click Body, then raw
- Paste in the JSON above (or modified for your own custom Object)
- When done, click send
- You will see the response from the server in the bottom box; this contains the entire STIX 2.1 Object created (including its ID Property) and the Workbench-specific information (e.g. workspace info)
To find your new Object in the UI you can navigate to it directly using a URL in the format HOST/OBJECT_TYPE/OBJECT_STIX_ID (e.g. http://localhost/technique/attack-pattern--92081b2d-bb81-47f0-9714-a06a5d60e461).
Finally, to update an Object, I can use the PUT endpoints.
As an example, I will update the Technique I just created. The structure of the URL for a PUT request on an Object is as follows:
PUT localhost/api/techniques/<STIX_ID>/modified/<MODIFIED_DATE>
Note, <STIX_ID> is the entire STIX ID (e.g. attack-pattern--92081b2d-bb81-47f0-9714-a06a5d60e461) and <MODIFIED_DATE> is the modified_time currently assigned to the STIX Object you want to change (in my case, what I received in the response when creating the Object). It is not the modified_time you want to set (you must set this in the request body under the modified_time field).
For example,
PUT localhost/api/techniques/attack-pattern--92081b2d-bb81-47f0-9714-a06a5d60e461/modified/2022-06-29T06:58:09.436Z
If you do not know the modified_time of the Object, you can obtain it by making a GET request for the latest version of it, which will return the STIX Object with the modified_time Property:
GET localhost/api/techniques/attack-pattern--92081b2d-bb81-47f0-9714-a06a5d60e461?versions=latest
In the body of the request you need to pass all Object Properties (whether you want to update them or not); this includes the id Property. If you do not want to make changes to a Property you must pass it as it currently exists. If you want to change it, simply change the Property value.
To remove optional Properties you can simply omit them from the body of the request. Be careful: all x_mitre custom Properties are optional, but deleting them (omitting them from the body) will cause issues with ATT&CK integration.
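The update rules above (full-object body, current timestamp in the URL, x_mitre Properties never dropped by accident) can be enforced before a request is sent. This is an added example, not code from the post or from the Workbench project: `build_put` and the sample Object are constructed, the body is assumed to mirror the workspace/stix shape of the GET response, and the timestamp is read from the STIX 2.1 `modified` property, which the post refers to as modified_time.

```python
import copy
from urllib.parse import quote

API = "http://localhost/api/techniques"  # Workbench endpoint used in the post
TS = "modified"  # STIX 2.1 timestamp property (the post calls it modified_time)

# Constructed sample of a GET ...?versions=latest result for the dummy Technique.
CURRENT = {
    "workspace": {"workflow": {"state": "work-in-progress"}},
    "stix": {
        "type": "attack-pattern",
        "id": "attack-pattern--92081b2d-bb81-47f0-9714-a06a5d60e461",
        "name": "Dummy Technique",
        "modified": "2022-06-29T06:58:09.436Z",
        "x_mitre_platforms": ["Linux"],
        "x_mitre_version": "1.0",
    },
}

def build_put(current, changes, drop=()):
    """Return (url, body) for a full-replacement PUT of one Workbench Object."""
    stix = current["stix"]
    blocked = [p for p in drop if p == "id" or p.startswith("x_mitre")]
    if blocked:
        raise ValueError(f"refusing to drop {blocked}: breaks ATT&CK integration")
    if changes.get("id", stix["id"]) != stix["id"]:
        raise ValueError("the id Property must be passed unchanged")
    if changes.get(TS) in (None, stix[TS]):
        raise ValueError(f"set a new {TS} value in the body")
    # Start from every existing Property, then apply removals and changes.
    new_stix = {k: copy.deepcopy(v) for k, v in stix.items() if k not in drop}
    new_stix.update(changes)
    # The URL carries the timestamp the Object has now, not the new one.
    url = f"{API}/{quote(stix['id'])}/modified/{quote(stix[TS], safe=':')}"
    return url, {"workspace": copy.deepcopy(current["workspace"]), "stix": new_stix}

if __name__ == "__main__":
    url, body = build_put(CURRENT, {"name": "Renamed", TS: "2022-06-30T09:00:00.000Z"})
    print("PUT", url)
```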
The API also exposes GET, PUT, POST, and DELETE endpoints for other Objects, and for Workbench management. I will let you discover those for yourself.
ATT&CK Navigator Integration
Now that you know how to use the Navigator, having reviewed earlier posts in this tutorial, you will also want to include any custom ATT&CK Objects (or even entire Matrices) in it.
The ATT&CK Navigator can be configured to display the contents of your local knowledge base.
For this, you will need a local copy of the Navigator installed on a machine you have access to (see this post for installation instructions).
Go to your local install and open the file nav-app/src/assets/config.json.
Here is what the default looks like.
Now add the following structure to create a new ATT&CK version:
{
    "name": "ATT&CK Workbench",
    "version": "0.1",
    "domains": [
        {
            "name": "Enterprise",
            "identifier": "enterprise-attack",
            "data": ["http://localhost/api/stix-bundles/?domain=enterprise-attack"]
        }
    ]
},
It should look something like this;
Here is an example of a full config.json referencing a custom ATT&CK version.
Note, the data URLs pointing to the STIX Bundles will differ depending on your Workbench setup and the data you want to use inside the ATT&CK Navigator.
When creating new layers, you will now be able to select the custom ATT&CK version from the Workbench in Navigator. Any changes you make inside the Workbench will also automatically be available in the Navigator layers using it.
A custom ATT&CK Website
The code for MITRE’s ATT&CK website, attack.mitre.org, is available on GitHub.
Now that you are making changes to ATT&CK, you can integrate them into your own custom ATT&CK website, allowing consumers to easily browse your content.
First clone a copy of the website:
git clone https://github.com/mitre-attack/attack-website.git
Now open the following file:
modules/site_config.py
Here is what the default looks like.
Now replace the domain URLs (line 36) with the relevant Workbench API endpoints.
Here is an example where I am replacing MITRE's latest ATT&CK version with my own from the Navigator:
# Each entry maps an ATT&CK domain to the STIX Bundle the website is built from.
domains = [
    {
        "name" : "enterprise-attack",
        "location" : "http://localhost/api/stix-bundles/?domain=enterprise-attack",
        "alias" : "Enterprise",
        "deprecated" : False
    },
    {
        "name" : "mobile-attack",
        "location" : "STIX_LOCATION_MOBILE",
        "alias" : "Mobile",
        "deprecated" : False
    },
    {
        "name" : "ics-attack",
        "location" : "STIX_LOCATION_ICS",
        "alias" : "ICS",
        "deprecated" : False
    },
    {
        "name" : "pre-attack",
        "location" : "STIX_LOCATION_PRE",
        "alias": "PRE-ATT&CK",
        "deprecated" : True
    }
]
ATT&CK in the wild
You have now consumed weeks of ATT&CK theory – hopefully you are still with me.
To end this tutorial series I will show you how others are putting ATT&CK to work.
Hopefully it will give you some further inspiration to use in your own workflows now that you know the basics.
ATT&CK Certification (Virtual and In Person)
The content used in this post is a small subset of our full training material used in our ATT&CK training.
If you want to join a select group of certified ATT&CK professionals, subscribe to our newsletter below to be notified of new course dates.