Merge pull request #875 from kn0wl3dge/feature/103-validate_attck_mbc

Validate ATT&CK/MBC categories and IDs

CHANGELOG.md

@@ -4,6 +4,8 @@
 
 ### New Features
 
+- linter: validate ATT&CK/MBC categories and IDs #103 @kn0wl3dge
+
 ### Breaking Changes
 
 ### New Rules (1)

scripts/lint.py

@@ -15,14 +15,15 @@ See the License for the specific language governing permissions and limitations
 """
 import gc
 import os
+import re
 import sys
+import json
 import time
 import string
 import difflib
 import hashlib
 import inspect
 import logging
-import os.path
 import pathlib
 import argparse
 import itertools
@@ -221,6 +222,61 @@ class ExampleFileDNE(Lint):
         return not found
 
 
+class InvalidAttckOrMbcTechnique(Lint):
+    name = "att&ck/mbc entry is malformed or does not exist"
+    recommendation = """
+    The att&ck and mbc fields must respect the following format:
+    <Tactic/Objective>::<Technique/Behavior> [<ID>]
+    OR
+    <Tactic/Objective>::<Technique/Behavior>::<Subtechnique/Method> [<ID.SubID>]
+    """
+
+    def __init__(self):
+        super(InvalidAttckOrMbcTechnique, self).__init__()
+
+        try:
+            with open(f"{os.path.dirname(__file__)}/linter-data.json", "rb") as fd:
+                self.data = json.load(fd)
+            self.enabled_frameworks = self.data.keys()
+        except BaseException:
+            # If linter-data.json is not present, or if an error happen
+            # we log an error and lint nothing.
+            logger.warning(
+                "Could not load 'scripts/linter-data.json'. The att&ck and mbc information will not be linted."
+            )
+            self.enabled_frameworks = []
+
+        # This regex matches the format defined in the recommendation attribute
+        self.reg = re.compile("^([a-zA-Z| ]+)::(.*) \[([A-Za-z0-9.]+)\]$")
+
+    def _entry_check(self, framework, category, entry, eid):
+        if category not in self.data[framework].keys():
+            self.recommendation = f'Unknown category: "{category}"'
+            return True
+        if eid not in self.data[framework][category].keys():
+            self.recommendation = f"Unknown entry ID: {eid}"
+            return True
+        if self.data[framework][category][eid] != entry:
+            self.recommendation = (
+                f'{eid} should be associated to entry "{self.data[framework][category][eid]}" instead of "{entry}"'
+            )
+            return True
+        return False
+
+    def check_rule(self, ctx: Context, rule: Rule):
+        for framework in self.enabled_frameworks:
+            if framework in rule.meta.keys():
+                for r in rule.meta[framework]:
+                    m = self.reg.match(r)
+                    if m is None:
+                        return True
+
+                    args = m.group(1, 2, 3)
+                    if self._entry_check(framework, *args):
+                        return True
+        return False
+
+
 DEFAULT_SIGNATURES = capa.main.get_default_signatures()
 
 
@@ -647,6 +703,7 @@ META_LINTS = (
     UnusualMetaField(),
     LibRuleNotInLibDirectory(),
     LibRuleHasNamespace(),
+    InvalidAttckOrMbcTechnique(),
 )
 
 

scripts/linter-data.json

@@ -0,0 +1,763 @@
+{
+  "att&ck": {
+    "Reconnaissance": {
+      "T1595": "Active Scanning",
+      "T1591.002": "Gather Victim Org Information::Business Relationships",
+      "T1596.004": "Search Open Technical Databases::CDNs",
+      "T1592.004": "Gather Victim Host Information::Client Configurations",
+      "T1589.001": "Gather Victim Identity Information::Credentials",
+      "T1590.002": "Gather Victim Network Information::DNS",
+      "T1596.001": "Search Open Technical Databases::DNS/Passive DNS",
+      "T1591.001": "Gather Victim Org Information::Determine Physical Locations",
+      "T1596.003": "Search Open Technical Databases::Digital Certificates",
+      "T1590.001": "Gather Victim Network Information::Domain Properties",
+      "T1589.002": "Gather Victim Identity Information::Email Addresses",
+      "T1589.003": "Gather Victim Identity Information::Employee Names",
+      "T1592.003": "Gather Victim Host Information::Firmware",
+      "T1592": "Gather Victim Host Information",
+      "T1589": "Gather Victim Identity Information",
+      "T1590": "Gather Victim Network Information",
+      "T1591": "Gather Victim Org Information",
+      "T1592.001": "Gather Victim Host Information::Hardware",
+      "T1590.005": "Gather Victim Network Information::IP Addresses",
+      "T1591.003": "Gather Victim Org Information::Identify Business Tempo",
+      "T1591.004": "Gather Victim Org Information::Identify Roles",
+      "T1590.006": "Gather Victim Network Information::Network Security Appliances",
+      "T1590.004": "Gather Victim Network Information::Network Topology",
+      "T1590.003": "Gather Victim Network Information::Network Trust Dependencies",
+      "T1598": "Phishing for Information",
+      "T1597.002": "Search Closed Sources::Purchase Technical Data",
+      "T1596.005": "Search Open Technical Databases::Scan Databases",
+      "T1595.001": "Active Scanning::Scanning IP Blocks",
+      "T1597": "Search Closed Sources",
+      "T1593.002": "Search Open Websites/Domains::Search Engines",
+      "T1596": "Search Open Technical Databases",
+      "T1593": "Search Open Websites/Domains",
+      "T1594": "Search Victim-Owned Websites",
+      "T1593.001": "Search Open Websites/Domains::Social Media",
+      "T1592.002": "Gather Victim Host Information::Software",
+      "T1598.002": "Phishing for Information::Spearphishing Attachment",
+      "T1598.003": "Phishing for Information::Spearphishing Link",
+      "T1598.001": "Phishing for Information::Spearphishing Service",
+      "T1597.001": "Search Closed Sources::Threat Intel Vendors",
+      "T1595.002": "Active Scanning::Vulnerability Scanning",
+      "T1596.002": "Search Open Technical Databases::WHOIS"
+    },
+    "Resource Development": {
+      "T1583": "Acquire Infrastructure",
+      "T1583.005": "Acquire Infrastructure::Botnet",
+      "T1584.005": "Compromise Infrastructure::Botnet",
+      "T1587.002": "Develop Capabilities::Code Signing Certificates",
+      "T1588.003": "Obtain Capabilities::Code Signing Certificates",
+      "T1586": "Compromise Accounts",
+      "T1584": "Compromise Infrastructure",
+      "T1583.002": "Acquire Infrastructure::DNS Server",
+      "T1584.002": "Compromise Infrastructure::DNS Server",
+      "T1587": "Develop Capabilities",
+      "T1587.003": "Develop Capabilities::Digital Certificates",
+      "T1588.004": "Obtain Capabilities::Digital Certificates",
+      "T1583.001": "Acquire Infrastructure::Domains",
+      "T1584.001": "Compromise Infrastructure::Domains",
+      "T1608.004": "Stage Capabilities::Drive-by Target",
+      "T1585.002": "Establish Accounts::Email Accounts",
+      "T1586.002": "Compromise Accounts::Email Accounts",
+      "T1585": "Establish Accounts",
+      "T1587.004": "Develop Capabilities::Exploits",
+      "T1588.005": "Obtain Capabilities::Exploits",
+      "T1608.003": "Stage Capabilities::Install Digital Certificate",
+      "T1608.005": "Stage Capabilities::Link Target",
+      "T1587.001": "Develop Capabilities::Malware",
+      "T1588.001": "Obtain Capabilities::Malware",
+      "T1588": "Obtain Capabilities",
+      "T1583.004": "Acquire Infrastructure::Server",
+      "T1584.004": "Compromise Infrastructure::Server",
+      "T1585.001": "Establish Accounts::Social Media Accounts",
+      "T1586.001": "Compromise Accounts::Social Media Accounts",
+      "T1608": "Stage Capabilities",
+      "T1588.002": "Obtain Capabilities::Tool",
+      "T1608.001": "Stage Capabilities::Upload Malware",
+      "T1608.002": "Stage Capabilities::Upload Tool",
+      "T1583.003": "Acquire Infrastructure::Virtual Private Server",
+      "T1584.003": "Compromise Infrastructure::Virtual Private Server",
+      "T1588.006": "Obtain Capabilities::Vulnerabilities",
+      "T1583.006": "Acquire Infrastructure::Web Services",
+      "T1584.006": "Compromise Infrastructure::Web Services"
+    },
+    "Initial Access": {
+      "T1078.004": "Valid Accounts::Cloud Accounts",
+      "T1195.003": "Supply Chain Compromise::Compromise Hardware Supply Chain",
+      "T1195.001": "Supply Chain Compromise::Compromise Software Dependencies and Development Tools",
+      "T1195.002": "Supply Chain Compromise::Compromise Software Supply Chain",
+      "T1078.001": "Valid Accounts::Default Accounts",
+      "T1078.002": "Valid Accounts::Domain Accounts",
+      "T1189": "Drive-by Compromise",
+      "T1190": "Exploit Public-Facing Application",
+      "T1133": "External Remote Services",
+      "T1200": "Hardware Additions",
+      "T1078.003": "Valid Accounts::Local Accounts",
+      "T1566": "Phishing",
+      "T1091": "Replication Through Removable Media",
+      "T1566.001": "Phishing::Spearphishing Attachment",
+      "T1566.002": "Phishing::Spearphishing Link",
+      "T1566.003": "Phishing::Spearphishing via Service",
+      "T1195": "Supply Chain Compromise",
+      "T1199": "Trusted Relationship",
+      "T1078": "Valid Accounts"
+    },
+    "Execution": {
+      "T1059.002": "Command and Scripting Interpreter::AppleScript",
+      "T1053.001": "Scheduled Task/Job::At (Linux)",
+      "T1053.002": "Scheduled Task/Job::At (Windows)",
+      "T1059": "Command and Scripting Interpreter",
+      "T1559.001": "Inter-Process Communication::Component Object Model",
+      "T1609": "Container Administration Command",
+      "T1053.007": "Scheduled Task/Job::Container Orchestration Job",
+      "T1053.003": "Scheduled Task/Job::Cron",
+      "T1610": "Deploy Container",
+      "T1559.002": "Inter-Process Communication::Dynamic Data Exchange",
+      "T1203": "Exploitation for Client Execution",
+      "T1559": "Inter-Process Communication",
+      "T1059.007": "Command and Scripting Interpreter::JavaScript",
+      "T1569.001": "System Services::Launchctl",
+      "T1204.002": "User Execution::Malicious File",
+      "T1204.003": "User Execution::Malicious Image",
+      "T1204.001": "User Execution::Malicious Link",
+      "T1106": "Native API",
+      "T1059.008": "Command and Scripting Interpreter::Network Device CLI",
+      "T1059.001": "Command and Scripting Interpreter::PowerShell",
+      "T1059.006": "Command and Scripting Interpreter::Python",
+      "T1053.005": "Scheduled Task/Job::Scheduled Task",
+      "T1053": "Scheduled Task/Job",
+      "T1569.002": "System Services::Service Execution",
+      "T1129": "Shared Modules",
+      "T1072": "Software Deployment Tools",
+      "T1569": "System Services",
+      "T1053.006": "Scheduled Task/Job::Systemd Timers",
+      "T1059.004": "Command and Scripting Interpreter::Unix Shell",
+      "T1204": "User Execution",
+      "T1059.005": "Command and Scripting Interpreter::Visual Basic",
+      "T1059.003": "Command and Scripting Interpreter::Windows Command Shell",
+      "T1047": "Windows Management Instrumentation"
+    },
+    "Persistence": {
+      "T1546.008": "Event Triggered Execution::Accessibility Features",
+      "T1098": "Account Manipulation",
+      "T1547.014": "Boot or Logon Autostart Execution::Active Setup",
+      "T1098.003": "Account Manipulation::Add Office 365 Global Administrator Role",
+      "T1137.006": "Office Application Startup::Add-ins",
+      "T1098.001": "Account Manipulation::Additional Cloud Credentials",
+      "T1546.009": "Event Triggered Execution::AppCert DLLs",
+      "T1546.010": "Event Triggered Execution::AppInit DLLs",
+      "T1546.011": "Event Triggered Execution::Application Shimming",
+      "T1053.001": "Scheduled Task/Job::At (Linux)",
+      "T1053.002": "Scheduled Task/Job::At (Windows)",
+      "T1547.002": "Boot or Logon Autostart Execution::Authentication Package",
+      "T1197": "BITS Jobs",
+      "T1547": "Boot or Logon Autostart Execution",
+      "T1037": "Boot or Logon Initialization Scripts",
+      "T1542.003": "Pre-OS Boot::Bootkit",
+      "T1176": "Browser Extensions",
+      "T1574.012": "Hijack Execution Flow::COR_PROFILER",
+      "T1546.001": "Event Triggered Execution::Change Default File Association",
+      "T1136.003": "Create Account::Cloud Account",
+      "T1078.004": "Valid Accounts::Cloud Accounts",
+      "T1542.002": "Pre-OS Boot::Component Firmware",
+      "T1546.015": "Event Triggered Execution::Component Object Model Hijacking",
+      "T1554": "Compromise Client Software Binary",
+      "T1053.007": "Scheduled Task/Job::Container Orchestration Job",
+      "T1136": "Create Account",
+      "T1543": "Create or Modify System Process",
+      "T1053.003": "Scheduled Task/Job::Cron",
+      "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking",
+      "T1574.002": "Hijack Execution Flow::DLL Side-Loading",
+      "T1078.001": "Valid Accounts::Default Accounts",
+      "T1136.002": "Create Account::Domain Account",
+      "T1078.002": "Valid Accounts::Domain Accounts",
+      "T1556.001": "Modify Authentication Process::Domain Controller Authentication",
+      "T1574.004": "Hijack Execution Flow::Dylib Hijacking",
+      "T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking",
+      "T1546.014": "Event Triggered Execution::Emond",
+      "T1546": "Event Triggered Execution",
+      "T1098.002": "Account Manipulation::Exchange Email Delegate Permissions",
+      "T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness",
+      "T1133": "External Remote Services",
+      "T1574": "Hijack Execution Flow",
+      "T1505.004": "Server Software Component::IIS Components",
+      "T1546.012": "Event Triggered Execution::Image File Execution Options Injection",
+      "T1525": "Implant Internal Image",
+      "T1547.006": "Boot or Logon Autostart Execution::Kernel Modules and Extensions",
+      "T1546.006": "Event Triggered Execution::LC_LOAD_DYLIB Addition",
+      "T1547.008": "Boot or Logon Autostart Execution::LSASS Driver",
+      "T1543.001": "Create or Modify System Process::Launch Agent",
+      "T1543.004": "Create or Modify System Process::Launch Daemon",
+      "T1136.001": "Create Account::Local Account",
+      "T1078.003": "Valid Accounts::Local Accounts",
+      "T1547.015": "Boot or Logon Autostart Execution::Login Items",
+      "T1037.002": "Boot or Logon Initialization Scripts::Logon Script (Mac)",
+      "T1037.001": "Boot or Logon Initialization Scripts::Logon Script (Windows)",
+      "T1556": "Modify Authentication Process",
+      "T1546.007": "Event Triggered Execution::Netsh Helper DLL",
+      "T1556.004": "Modify Authentication Process::Network Device Authentication",
+      "T1037.003": "Boot or Logon Initialization Scripts::Network Logon Script",
+      "T1137": "Office Application Startup",
+      "T1137.001": "Office Application Startup::Office Template Macros",
+      "T1137.002": "Office Application Startup::Office Test",
+      "T1137.003": "Office Application Startup::Outlook Forms",
+      "T1137.004": "Office Application Startup::Outlook Home Page",
+      "T1137.005": "Office Application Startup::Outlook Rules",
+      "T1556.002": "Modify Authentication Process::Password Filter DLL",
+      "T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable",
+      "T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking",
+      "T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path",
+      "T1547.011": "Boot or Logon Autostart Execution::Plist Modification",
+      "T1556.003": "Modify Authentication Process::Pluggable Authentication Modules",
+      "T1205.001": "Traffic Signaling::Port Knocking",
+      "T1547.010": "Boot or Logon Autostart Execution::Port Monitors",
+      "T1546.013": "Event Triggered Execution::PowerShell Profile",
+      "T1542": "Pre-OS Boot",
+      "T1547.012": "Boot or Logon Autostart Execution::Print Processors",
+      "T1037.004": "Boot or Logon Initialization Scripts::RC Scripts",
+      "T1542.004": "Pre-OS Boot::ROMMONkit",
+      "T1547.007": "Boot or Logon Autostart Execution::Re-opened Applications",
+      "T1547.001": "Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder",
+      "T1505.001": "Server Software Component::SQL Stored Procedures",
+      "T1098.004": "Account Manipulation::SSH Authorized Keys",
+      "T1053.005": "Scheduled Task/Job::Scheduled Task",
+      "T1053": "Scheduled Task/Job",
+      "T1546.002": "Event Triggered Execution::Screensaver",
+      "T1547.005": "Boot or Logon Autostart Execution::Security Support Provider",
+      "T1505": "Server Software Component",
+      "T1574.010": "Hijack Execution Flow::Services File Permissions Weakness",
+      "T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness",
+      "T1547.009": "Boot or Logon Autostart Execution::Shortcut Modification",
+      "T1037.005": "Boot or Logon Initialization Scripts::Startup Items",
+      "T1542.001": "Pre-OS Boot::System Firmware",
+      "T1543.002": "Create or Modify System Process::Systemd Service",
+      "T1053.006": "Scheduled Task/Job::Systemd Timers",
+      "T1542.005": "Pre-OS Boot::TFTP Boot",
+      "T1547.003": "Boot or Logon Autostart Execution::Time Providers",
+      "T1205": "Traffic Signaling",
+      "T1505.002": "Server Software Component::Transport Agent",
+      "T1546.005": "Event Triggered Execution::Trap",
+      "T1546.004": "Event Triggered Execution::Unix Shell Configuration Modification",
+      "T1078": "Valid Accounts",
+      "T1505.003": "Server Software Component::Web Shell",
+      "T1546.003": "Event Triggered Execution::Windows Management Instrumentation Event Subscription",
+      "T1543.003": "Create or Modify System Process::Windows Service",
+      "T1547.004": "Boot or Logon Autostart Execution::Winlogon Helper DLL",
+      "T1547.013": "Boot or Logon Autostart Execution::XDG Autostart Entries"
+    },
+    "Privilege Escalation": {
+      "T1548": "Abuse Elevation Control Mechanism",
+      "T1134": "Access Token Manipulation",
+      "T1546.008": "Event Triggered Execution::Accessibility Features",
+      "T1547.014": "Boot or Logon Autostart Execution::Active Setup",
+      "T1546.009": "Event Triggered Execution::AppCert DLLs",
+      "T1546.010": "Event Triggered Execution::AppInit DLLs",
+      "T1546.011": "Event Triggered Execution::Application Shimming",
+      "T1055.004": "Process Injection::Asynchronous Procedure Call",
+      "T1053.001": "Scheduled Task/Job::At (Linux)",
+      "T1053.002": "Scheduled Task/Job::At (Windows)",
+      "T1547.002": "Boot or Logon Autostart Execution::Authentication Package",
+      "T1547": "Boot or Logon Autostart Execution",
+      "T1037": "Boot or Logon Initialization Scripts",
+      "T1548.002": "Abuse Elevation Control Mechanism::Bypass User Account Control",
+      "T1574.012": "Hijack Execution Flow::COR_PROFILER",
+      "T1546.001": "Event Triggered Execution::Change Default File Association",
+      "T1078.004": "Valid Accounts::Cloud Accounts",
+      "T1546.015": "Event Triggered Execution::Component Object Model Hijacking",
+      "T1053.007": "Scheduled Task/Job::Container Orchestration Job",
+      "T1134.002": "Access Token Manipulation::Create Process with Token",
+      "T1543": "Create or Modify System Process",
+      "T1053.003": "Scheduled Task/Job::Cron",
+      "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking",
+      "T1574.002": "Hijack Execution Flow::DLL Side-Loading",
+      "T1078.001": "Valid Accounts::Default Accounts",
+      "T1078.002": "Valid Accounts::Domain Accounts",
+      "T1484": "Domain Policy Modification",
+      "T1484.002": "Domain Policy Modification::Domain Trust Modification",
+      "T1574.004": "Hijack Execution Flow::Dylib Hijacking",
+      "T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking",
+      "T1055.001": "Process Injection::Dynamic-link Library Injection",
+      "T1548.004": "Abuse Elevation Control Mechanism::Elevated Execution with Prompt",
+      "T1546.014": "Event Triggered Execution::Emond",
+      "T1611": "Escape to Host",
+      "T1546": "Event Triggered Execution",
+      "T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness",
+      "T1068": "Exploitation for Privilege Escalation",
+      "T1055.011": "Process Injection::Extra Window Memory Injection",
+      "T1484.001": "Domain Policy Modification::Group Policy Modification",
+      "T1574": "Hijack Execution Flow",
+      "T1546.012": "Event Triggered Execution::Image File Execution Options Injection",
+      "T1547.006": "Boot or Logon Autostart Execution::Kernel Modules and Extensions",
+      "T1546.006": "Event Triggered Execution::LC_LOAD_DYLIB Addition",
+      "T1547.008": "Boot or Logon Autostart Execution::LSASS Driver",
+      "T1543.001": "Create or Modify System Process::Launch Agent",
+      "T1543.004": "Create or Modify System Process::Launch Daemon",
+      "T1078.003": "Valid Accounts::Local Accounts",
+      "T1547.015": "Boot or Logon Autostart Execution::Login Items",
+      "T1037.002": "Boot or Logon Initialization Scripts::Logon Script (Mac)",
+      "T1037.001": "Boot or Logon Initialization Scripts::Logon Script (Windows)",
+      "T1134.003": "Access Token Manipulation::Make and Impersonate Token",
+      "T1546.007": "Event Triggered Execution::Netsh Helper DLL",
+      "T1037.003": "Boot or Logon Initialization Scripts::Network Logon Script",
+      "T1134.004": "Access Token Manipulation::Parent PID Spoofing",
+      "T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable",
+      "T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking",
+      "T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path",
+      "T1547.011": "Boot or Logon Autostart Execution::Plist Modification",
+      "T1547.010": "Boot or Logon Autostart Execution::Port Monitors",
+      "T1055.002": "Process Injection::Portable Executable Injection",
+      "T1546.013": "Event Triggered Execution::PowerShell Profile",
+      "T1547.012": "Boot or Logon Autostart Execution::Print Processors",
+      "T1055.009": "Process Injection::Proc Memory",
+      "T1055.013": "Process Injection::Process Doppelg\u00e4nging",
+      "T1055.012": "Process Injection::Process Hollowing",
+      "T1055": "Process Injection",
+      "T1055.008": "Process Injection::Ptrace System Calls",
+      "T1037.004": "Boot or Logon Initialization Scripts::RC Scripts",
+      "T1547.007": "Boot or Logon Autostart Execution::Re-opened Applications",
+      "T1547.001": "Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder",
+      "T1134.005": "Access Token Manipulation::SID-History Injection",
+      "T1053.005": "Scheduled Task/Job::Scheduled Task",
+      "T1053": "Scheduled Task/Job",
+      "T1546.002": "Event Triggered Execution::Screensaver",
+      "T1547.005": "Boot or Logon Autostart Execution::Security Support Provider",
+      "T1574.010": "Hijack Execution Flow::Services File Permissions Weakness",
+      "T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness",
+      "T1548.001": "Abuse Elevation Control Mechanism::Setuid and Setgid",
+      "T1547.009": "Boot or Logon Autostart Execution::Shortcut Modification",
+      "T1037.005": "Boot or Logon Initialization Scripts::Startup Items",
+      "T1548.003": "Abuse Elevation Control Mechanism::Sudo and Sudo Caching",
+      "T1543.002": "Create or Modify System Process::Systemd Service",
+      "T1053.006": "Scheduled Task/Job::Systemd Timers",
+      "T1055.003": "Process Injection::Thread Execution Hijacking",
+      "T1055.005": "Process Injection::Thread Local Storage",
+      "T1547.003": "Boot or Logon Autostart Execution::Time Providers",
+      "T1134.001": "Access Token Manipulation::Token Impersonation/Theft",
+      "T1546.005": "Event Triggered Execution::Trap",
+      "T1546.004": "Event Triggered Execution::Unix Shell Configuration Modification",
+      "T1055.014": "Process Injection::VDSO Hijacking",
+      "T1078": "Valid Accounts",
+      "T1546.003": "Event Triggered Execution::Windows Management Instrumentation Event Subscription",
+      "T1543.003": "Create or Modify System Process::Windows Service",
+      "T1547.004": "Boot or Logon Autostart Execution::Winlogon Helper DLL",
+      "T1547.013": "Boot or Logon Autostart Execution::XDG Autostart Entries"
+    },
+    "Defense Evasion": {
+      "T1548": "Abuse Elevation Control Mechanism",
+      "T1134": "Access Token Manipulation",
+      "T1550.001": "Use Alternate Authentication Material::Application Access Token",
+      "T1055.004": "Process Injection::Asynchronous Procedure Call",
+      "T1197": "BITS Jobs",
+      "T1027.001": "Obfuscated Files or Information::Binary Padding",
+      "T1542.003": "Pre-OS Boot::Bootkit",
+      "T1612": "Build Image on Host",
+      "T1548.002": "Abuse Elevation Control Mechanism::Bypass User Account Control",
+      "T1218.003": "Signed Binary Proxy Execution::CMSTP",
+      "T1574.012": "Hijack Execution Flow::COR_PROFILER",
+      "T1070.003": "Indicator Removal on Host::Clear Command History",
+      "T1070.002": "Indicator Removal on Host::Clear Linux or Mac System Logs",
+      "T1070.001": "Indicator Removal on Host::Clear Windows Event Logs",
+      "T1078.004": "Valid Accounts::Cloud Accounts",
+      "T1553.002": "Subvert Trust Controls::Code Signing",
+      "T1553.006": "Subvert Trust Controls::Code Signing Policy Modification",
+      "T1027.004": "Obfuscated Files or Information::Compile After Delivery",
+      "T1218.001": "Signed Binary Proxy Execution::Compiled HTML File",
+      "T1542.002": "Pre-OS Boot::Component Firmware",
+      "T1218.002": "Signed Binary Proxy Execution::Control Panel",
+      "T1578.002": "Modify Cloud Compute Infrastructure::Create Cloud Instance",
+      "T1134.002": "Access Token Manipulation::Create Process with Token",
+      "T1578.001": "Modify Cloud Compute Infrastructure::Create Snapshot",
+      "T1574.001": "Hijack Execution Flow::DLL Search Order Hijacking",
+      "T1574.002": "Hijack Execution Flow::DLL Side-Loading",
+      "T1078.001": "Valid Accounts::Default Accounts",
+      "T1578.003": "Modify Cloud Compute Infrastructure::Delete Cloud Instance",
+      "T1140": "Deobfuscate/Decode Files or Information",
+      "T1610": "Deploy Container",
+      "T1006": "Direct Volume Access",
+      "T1562.008": "Impair Defenses::Disable Cloud Logs",
+      "T1600.002": "Weaken Encryption::Disable Crypto Hardware",
+      "T1562.002": "Impair Defenses::Disable Windows Event Logging",
+      "T1562.007": "Impair Defenses::Disable or Modify Cloud Firewall",
+      "T1562.004": "Impair Defenses::Disable or Modify System Firewall",
+      "T1562.001": "Impair Defenses::Disable or Modify Tools",
+      "T1078.002": "Valid Accounts::Domain Accounts",
+      "T1556.001": "Modify Authentication Process::Domain Controller Authentication",
+      "T1484": "Domain Policy Modification",
+      "T1484.002": "Domain Policy Modification::Domain Trust Modification",
+      "T1036.007": "Masquerading::Double File Extension",
+      "T1562.010": "Impair Defenses::Downgrade Attack",
+      "T1601.002": "Modify System Image::Downgrade System Image",
+      "T1574.004": "Hijack Execution Flow::Dylib Hijacking",
+      "T1574.006": "Hijack Execution Flow::Dynamic Linker Hijacking",
+      "T1055.001": "Process Injection::Dynamic-link Library Injection",
+      "T1548.004": "Abuse Elevation Control Mechanism::Elevated Execution with Prompt",
+      "T1564.008": "Hide Artifacts::Email Hiding Rules",
+      "T1480.001": "Execution Guardrails::Environmental Keying",
+      "T1574.005": "Hijack Execution Flow::Executable Installer File Permissions Weakness",
+      "T1480": "Execution Guardrails",
+      "T1211": "Exploitation for Defense Evasion",
+      "T1055.011": "Process Injection::Extra Window Memory Injection",
+      "T1070.004": "Indicator Removal on Host::File Deletion",
+      "T1222": "File and Directory Permissions Modification",
+      "T1553.001": "Subvert Trust Controls::Gatekeeper Bypass",
+      "T1484.001": "Domain Policy Modification::Group Policy Modification",
+      "T1027.006": "Obfuscated Files or Information::HTML Smuggling",
+      "T1564.005": "Hide Artifacts::Hidden File System",
+      "T1564.001": "Hide Artifacts::Hidden Files and Directories",
+      "T1564.002": "Hide Artifacts::Hidden Users",
+      "T1564.003": "Hide Artifacts::Hidden Window",
+      "T1564": "Hide Artifacts",
+      "T1574": "Hijack Execution Flow",
+      "T1562.003": "Impair Defenses::Impair Command History Logging",
+      "T1562": "Impair Defenses",
+      "T1562.006": "Impair Defenses::Indicator Blocking",
+      "T1027.005": "Obfuscated Files or Information::Indicator Removal from Tools",
+      "T1070": "Indicator Removal on Host",
+      "T1202": "Indirect Command Execution",
+      "T1553.004": "Subvert Trust Controls::Install Root Certificate",
+      "T1218.004": "Signed Binary Proxy Execution::InstallUtil",
+      "T1036.001": "Masquerading::Invalid Code Signature",
+      "T1222.002": "File and Directory Permissions Modification::Linux and Mac File and Directory Permissions Modification",
+      "T1078.003": "Valid Accounts::Local Accounts",
+      "T1218.014": "Signed Binary Proxy Execution::MMC",
+      "T1127.001": "Trusted Developer Utilities Proxy Execution::MSBuild",
+      "T1134.003": "Access Token Manipulation::Make and Impersonate Token",
+      "T1553.005": "Subvert Trust Controls::Mark-of-the-Web Bypass",
+      "T1036.004": "Masquerading::Masquerade Task or Service",
+      "T1036": "Masquerading",
+      "T1036.005": "Masquerading::Match Legitimate Name or Location",
+      "T1218.013": "Signed Binary Proxy Execution::Mavinject",
+      "T1556": "Modify Authentication Process",
+      "T1578": "Modify Cloud Compute Infrastructure",
+      "T1112": "Modify Registry",
+      "T1601": "Modify System Image",
+      "T1218.005": "Signed Binary Proxy Execution::Mshta",
+      "T1218.007": "Signed Binary Proxy Execution::Msiexec",
+      "T1564.004": "Hide Artifacts::NTFS File Attributes",
+      "T1599.001": "Network Boundary Bridging::Network Address Translation Traversal",
+      "T1599": "Network Boundary Bridging",
+      "T1556.004": "Modify Authentication Process::Network Device Authentication",
+      "T1070.005": "Indicator Removal on Host::Network Share Connection Removal",
+      "T1027": "Obfuscated Files or Information",
+      "T1218.008": "Signed Binary Proxy Execution::Odbcconf",
+      "T1134.004": "Access Token Manipulation::Parent PID Spoofing",
+      "T1550.002": "Use Alternate Authentication Material::Pass the Hash",
+      "T1550.003": "Use Alternate Authentication Material::Pass the Ticket",
+      "T1556.002": "Modify Authentication Process::Password Filter DLL",
+      "T1601.001": "Modify System Image::Patch System Image",
+      "T1574.007": "Hijack Execution Flow::Path Interception by PATH Environment Variable",
+      "T1574.008": "Hijack Execution Flow::Path Interception by Search Order Hijacking",
+      "T1574.009": "Hijack Execution Flow::Path Interception by Unquoted Path",
+      "T1556.003": "Modify Authentication Process::Pluggable Authentication Modules",
+      "T1205.001": "Traffic Signaling::Port Knocking",
+      "T1055.002": "Process Injection::Portable Executable Injection",
+      "T1542": "Pre-OS Boot",
+      "T1055.009": "Process Injection::Proc Memory",
+      "T1055.013": "Process Injection::Process Doppelg\u00e4nging",
+      "T1055.012": "Process Injection::Process Hollowing",
+      "T1055": "Process Injection",
+      "T1055.008": "Process Injection::Ptrace System Calls",
+      "T1216.001": "Signed Script Proxy Execution::PubPrn",
+      "T1542.004": "Pre-OS Boot::ROMMONkit",
+      "T1600.001": "Weaken Encryption::Reduce Key Space",
+      "T1620": "Reflective Code Loading",
+      "T1218.009": "Signed Binary Proxy Execution::Regsvcs/Regasm",
+      "T1218.010": "Signed Binary Proxy Execution::Regsvr32",
+      "T1036.003": "Masquerading::Rename System Utilities",
+      "T1564.009": "Hide Artifacts::Resource Forking",
+      "T1578.004": "Modify Cloud Compute Infrastructure::Revert Cloud Instance",
+      "T1036.002": "Masquerading::Right-to-Left Override",
+      "T1207": "Rogue Domain Controller",
+      "T1014": "Rootkit",
+      "T1564.006": "Hide Artifacts::Run Virtual Instance",
+      "T1218.011": "Signed Binary Proxy Execution::Rundll32",
+      "T1134.005": "Access Token Manipulation::SID-History Injection",
+      "T1553.003": "Subvert Trust Controls::SIP and Trust Provider Hijacking",
+      "T1562.009": "Impair Defenses::Safe Mode Boot",
+      "T1574.010": "Hijack Execution Flow::Services File Permissions Weakness",
+      "T1574.011": "Hijack Execution Flow::Services Registry Permissions Weakness",
+      "T1548.001": "Abuse Elevation Control Mechanism::Setuid and Setgid",
+      "T1218": "Signed Binary Proxy Execution",
+      "T1216": "Signed Script Proxy Execution",
+      "T1027.002": "Obfuscated Files or Information::Software Packing",
+      "T1036.006": "Masquerading::Space after Filename",
+      "T1027.003": "Obfuscated Files or Information::Steganography",
+      "T1553": "Subvert Trust Controls",
+      "T1548.003": "Abuse Elevation Control Mechanism::Sudo and Sudo Caching",
+      "T1497.001": "Virtualization/Sandbox Evasion::System Checks",
+      "T1542.001": "Pre-OS Boot::System Firmware",
+      "T1542.005": "Pre-OS Boot::TFTP Boot",
+      "T1221": "Template Injection",
+      "T1055.003": "Process Injection::Thread Execution Hijacking",
+      "T1055.005": "Process Injection::Thread Local Storage",
+      "T1497.003": "Virtualization/Sandbox Evasion::Time Based Evasion",
+      "T1070.006": "Indicator Removal on Host::Timestomp",
+      "T1134.001": "Access Token Manipulation::Token Impersonation/Theft",
+      "T1205": "Traffic Signaling",
+      "T1127": "Trusted Developer Utilities Proxy Execution",
+      "T1535": "Unused/Unsupported Cloud Regions",
+      "T1550": "Use Alternate Authentication Material",
+      "T1497.002": "Virtualization/Sandbox Evasion::User Activity Based Checks",
+      "T1564.007": "Hide Artifacts::VBA Stomping",
+      "T1055.014": "Process Injection::VDSO Hijacking",
+      "T1078": "Valid Accounts",
+      "T1218.012": "Signed Binary Proxy Execution::Verclsid",
+      "T1497": "Virtualization/Sandbox Evasion",
+      "T1600": "Weaken Encryption",
+      "T1550.004": "Use Alternate Authentication Material::Web Session Cookie",
+      "T1222.001": "File and Directory Permissions Modification::Windows File and Directory Permissions Modification",
+      "T1220": "XSL Script Processing"
+    },
+    "Credential Access": {
+      "T1003.008": "OS Credential Dumping::/etc/passwd and /etc/shadow",
+      "T1557.002": "Adversary-in-the-Middle::ARP Cache Poisoning",
+      "T1558.004": "Steal or Forge Kerberos Tickets::AS-REP Roasting",
+      "T1557": "Adversary-in-the-Middle",
+      "T1552.003": "Unsecured Credentials::Bash History",
+      "T1110": "Brute Force",
+      "T1003.005": "OS Credential Dumping::Cached Domain Credentials",
+      "T1552.005": "Unsecured Credentials::Cloud Instance Metadata API",
+      "T1552.007": "Unsecured Credentials::Container API",
+      "T1056.004": "Input Capture::Credential API Hooking",
+      "T1110.004": "Brute Force::Credential Stuffing",
+      "T1552.001": "Unsecured Credentials::Credentials In Files",
+      "T1555": "Credentials from Password Stores",
+      "T1555.003": "Credentials from Password Stores::Credentials from Web Browsers",
+      "T1552.002": "Unsecured Credentials::Credentials in Registry",
+      "T1003.006": "OS Credential Dumping::DCSync",
+      "T1556.001": "Modify Authentication Process::Domain Controller Authentication",
+      "T1212": "Exploitation for Credential Access",
+      "T1187": "Forced Authentication",
+      "T1606": "Forge Web Credentials",
+      "T1056.002": "Input Capture::GUI Input Capture",
+      "T1558.001": "Steal or Forge Kerberos Tickets::Golden Ticket",
+      "T1552.006": "Unsecured Credentials::Group Policy Preferences",
+      "T1056": "Input Capture",
+      "T1558.003": "Steal or Forge Kerberos Tickets::Kerberoasting",
+      "T1555.001": "Credentials from Password Stores::Keychain",
+      "T1056.001": "Input Capture::Keylogging",
+      "T1557.001": "Adversary-in-the-Middle::LLMNR/NBT-NS Poisoning and SMB Relay",
+      "T1003.004": "OS Credential Dumping::LSA Secrets",
+      "T1003.001": "OS Credential Dumping::LSASS Memory",
+      "T1556": "Modify Authentication Process",
+      "T1003.003": "OS Credential Dumping::NTDS",
+      "T1556.004": "Modify Authentication Process::Network Device Authentication",
+      "T1040": "Network Sniffing",
+      "T1003": "OS Credential Dumping",
+      "T1110.002": "Brute Force::Password Cracking",
+      "T1556.002": "Modify Authentication Process::Password Filter DLL",
+      "T1110.001": "Brute Force::Password Guessing",
+      "T1555.005": "Credentials from Password Stores::Password Managers",
+      "T1110.003": "Brute Force::Password Spraying",
+      "T1556.003": "Modify Authentication Process::Pluggable Authentication Modules",
+      "T1552.004": "Unsecured Credentials::Private Keys",
+      "T1003.007": "OS Credential Dumping::Proc Filesystem",
+      "T1606.002": "Forge Web Credentials::SAML Tokens",
+      "T1003.002": "OS Credential Dumping::Security Account Manager",
+      "T1555.002": "Credentials from Password Stores::Securityd Memory",
+      "T1558.002": "Steal or Forge Kerberos Tickets::Silver Ticket",
+      "T1528": "Steal Application Access Token",
+      "T1539": "Steal Web Session Cookie",
+      "T1558": "Steal or Forge Kerberos Tickets",
+      "T1111": "Two-Factor Authentication Interception",
+      "T1552": "Unsecured Credentials",
+      "T1606.001": "Forge Web Credentials::Web Cookies",
+      "T1056.003": "Input Capture::Web Portal Capture",
+      "T1555.004": "Credentials from Password Stores::Windows Credential Manager"
+    },
+    "Discovery": {
+      "T1087": "Account Discovery",
+      "T1010": "Application Window Discovery",
+      "T1217": "Browser Bookmark Discovery",
+      "T1087.004": "Account Discovery::Cloud Account",
+      "T1069.003": "Permission Groups Discovery::Cloud Groups",
+      "T1580": "Cloud Infrastructure Discovery",
+      "T1538": "Cloud Service Dashboard",
+      "T1526": "Cloud Service Discovery",
+      "T1619": "Cloud Storage Object Discovery",
+      "T1613": "Container and Resource Discovery",
+      "T1087.002": "Account Discovery::Domain Account",
+      "T1069.002": "Permission Groups Discovery::Domain Groups",
+      "T1482": "Domain Trust Discovery",
+      "T1087.003": "Account Discovery::Email Account",
+      "T1083": "File and Directory Discovery",
+      "T1615": "Group Policy Discovery",
+      "T1016.001": "System Network Configuration Discovery::Internet Connection Discovery",
+      "T1087.001": "Account Discovery::Local Account",
+      "T1069.001": "Permission Groups Discovery::Local Groups",
+      "T1046": "Network Service Scanning",
+      "T1135": "Network Share Discovery",
+      "T1040": "Network Sniffing",
+      "T1201": "Password Policy Discovery",
+      "T1120": "Peripheral Device Discovery",
+      "T1069": "Permission Groups Discovery",
+      "T1057": "Process Discovery",
+      "T1012": "Query Registry",
+      "T1018": "Remote System Discovery",
+      "T1518.001": "Software Discovery::Security Software Discovery",
+      "T1518": "Software Discovery",
+      "T1497.001": "Virtualization/Sandbox Evasion::System Checks",
+      "T1082": "System Information Discovery",
+      "T1614.001": "System Location Discovery::System Language Discovery",
+      "T1614": "System Location Discovery",
+      "T1016": "System Network Configuration Discovery",
+      "T1049": "System Network Connections Discovery",
+      "T1033": "System Owner/User Discovery",
+      "T1007": "System Service Discovery",
+      "T1124": "System Time Discovery",
+      "T1497.003": "Virtualization/Sandbox Evasion::Time Based Evasion",
+      "T1497.002": "Virtualization/Sandbox Evasion::User Activity Based Checks",
+      "T1497": "Virtualization/Sandbox Evasion"
+    },
+    "Lateral Movement": {
+      "T1550.001": "Use Alternate Authentication Material::Application Access Token",
+      "T1021.003": "Remote Services::Distributed Component Object Model",
+      "T1210": "Exploitation of Remote Services",
+      "T1534": "Internal Spearphishing",
+      "T1570": "Lateral Tool Transfer",
+      "T1550.002": "Use Alternate Authentication Material::Pass the Hash",
+      "T1550.003": "Use Alternate Authentication Material::Pass the Ticket",
+      "T1563.002": "Remote Service Session Hijacking::RDP Hijacking",
+      "T1021.001": "Remote Services::Remote Desktop Protocol",
+      "T1563": "Remote Service Session Hijacking",
+      "T1021": "Remote Services",
+      "T1091": "Replication Through Removable Media",
+      "T1021.002": "Remote Services::SMB/Windows Admin Shares",
+      "T1021.004": "Remote Services::SSH",
+      "T1563.001": "Remote Service Session Hijacking::SSH Hijacking",
+      "T1072": "Software Deployment Tools",
+      "T1080": "Taint Shared Content",
+      "T1550": "Use Alternate Authentication Material",
+      "T1021.005": "Remote Services::VNC",
+      "T1550.004": "Use Alternate Authentication Material::Web Session Cookie",
+      "T1021.006": "Remote Services::Windows Remote Management"
+    },
+    "Collection": {
+      "T1557.002": "Adversary-in-the-Middle::ARP Cache Poisoning",
+      "T1557": "Adversary-in-the-Middle",
+      "T1560": "Archive Collected Data",
+      "T1560.003": "Archive Collected Data::Archive via Custom Method",
+      "T1560.002": "Archive Collected Data::Archive via Library",
+      "T1560.001": "Archive Collected Data::Archive via Utility",
+      "T1123": "Audio Capture",
+      "T1119": "Automated Collection",
+      "T1185": "Browser Session Hijacking",
+      "T1115": "Clipboard Data",
+      "T1213.003": "Data from Information Repositories::Code Repositories",
+      "T1213.001": "Data from Information Repositories::Confluence",
+      "T1056.004": "Input Capture::Credential API Hooking",
+      "T1074": "Data Staged",
+      "T1530": "Data from Cloud Storage Object",
+      "T1602": "Data from Configuration Repository",
+      "T1213": "Data from Information Repositories",
+      "T1005": "Data from Local System",
+      "T1039": "Data from Network Shared Drive",
+      "T1025": "Data from Removable Media",
+      "T1114": "Email Collection",
+      "T1114.003": "Email Collection::Email Forwarding Rule",
+      "T1056.002": "Input Capture::GUI Input Capture",
+      "T1056": "Input Capture",
+      "T1056.001": "Input Capture::Keylogging",
+      "T1557.001": "Adversary-in-the-Middle::LLMNR/NBT-NS Poisoning and SMB Relay",
+      "T1074.001": "Data Staged::Local Data Staging",
+      "T1114.001": "Email Collection::Local Email Collection",
+      "T1602.002": "Data from Configuration Repository::Network Device Configuration Dump",
+      "T1074.002": "Data Staged::Remote Data Staging",
+      "T1114.002": "Email Collection::Remote Email Collection",
+      "T1602.001": "Data from Configuration Repository::SNMP (MIB Dump)",
+      "T1113": "Screen Capture",
+      "T1213.002": "Data from Information Repositories::Sharepoint",
+      "T1125": "Video Capture",
+      "T1056.003": "Input Capture::Web Portal Capture"
+    },
+    "Command and Control": {
+      "T1071": "Application Layer Protocol",
+      "T1573.002": "Encrypted Channel::Asymmetric Cryptography",
+      "T1102.002": "Web Service::Bidirectional Communication",
+      "T1092": "Communication Through Removable Media",
+      "T1071.004": "Application Layer Protocol::DNS",
+      "T1568.003": "Dynamic Resolution::DNS Calculation",
+      "T1132": "Data Encoding",
+      "T1001": "Data Obfuscation",
+      "T1102.001": "Web Service::Dead Drop Resolver",
+      "T1090.004": "Proxy::Domain Fronting",
+      "T1568.002": "Dynamic Resolution::Domain Generation Algorithms",
+      "T1568": "Dynamic Resolution",
+      "T1573": "Encrypted Channel",
+      "T1090.002": "Proxy::External Proxy",
+      "T1008": "Fallback Channels",
+      "T1568.001": "Dynamic Resolution::Fast Flux DNS",
+      "T1071.002": "Application Layer Protocol::File Transfer Protocols",
+      "T1105": "Ingress Tool Transfer",
+      "T1090.001": "Proxy::Internal Proxy",
+      "T1001.001": "Data Obfuscation::Junk Data",
+      "T1071.003": "Application Layer Protocol::Mail Protocols",
+      "T1104": "Multi-Stage Channels",
+      "T1090.003": "Proxy::Multi-hop Proxy",
+      "T1095": "Non-Application Layer Protocol",
+      "T1132.002": "Data Encoding::Non-Standard Encoding",
+      "T1571": "Non-Standard Port",
+      "T1102.003": "Web Service::One-Way Communication",
+      "T1205.001": "Traffic Signaling::Port Knocking",
+      "T1001.003": "Data Obfuscation::Protocol Impersonation",
+      "T1572": "Protocol Tunneling",
+      "T1090": "Proxy",
+      "T1219": "Remote Access Software",
+      "T1132.001": "Data Encoding::Standard Encoding",
+      "T1001.002": "Data Obfuscation::Steganography",
+      "T1573.001": "Encrypted Channel::Symmetric Cryptography",
+      "T1205": "Traffic Signaling",
+      "T1071.001": "Application Layer Protocol::Web Protocols",
+      "T1102": "Web Service"
+    },
+    "Exfiltration": {
+      "T1020": "Automated Exfiltration",
+      "T1030": "Data Transfer Size Limits",
+      "T1048": "Exfiltration Over Alternative Protocol",
+      "T1048.002": "Exfiltration Over Alternative Protocol::Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
+      "T1011.001": "Exfiltration Over Other Network Medium::Exfiltration Over Bluetooth",
+      "T1041": "Exfiltration Over C2 Channel",
+      "T1011": "Exfiltration Over Other Network Medium",
+      "T1052": "Exfiltration Over Physical Medium",
+      "T1048.001": "Exfiltration Over Alternative Protocol::Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
+      "T1048.003": "Exfiltration Over Alternative Protocol::Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
+      "T1567": "Exfiltration Over Web Service",
+      "T1052.001": "Exfiltration Over Physical Medium::Exfiltration over USB",
+      "T1567.002": "Exfiltration Over Web Service::Exfiltration to Cloud Storage",
+      "T1567.001": "Exfiltration Over Web Service::Exfiltration to Code Repository",
+      "T1029": "Scheduled Transfer",
+      "T1020.001": "Automated Exfiltration::Traffic Duplication",
+      "T1537": "Transfer Data to Cloud Account"
+    },
+    "Impact": {
+      "T1531": "Account Access Removal",
+      "T1499.003": "Endpoint Denial of Service::Application Exhaustion Flood",
+      "T1499.004": "Endpoint Denial of Service::Application or System Exploitation",
+      "T1485": "Data Destruction",
+      "T1486": "Data Encrypted for Impact",
+      "T1565": "Data Manipulation",
+      "T1491": "Defacement",
+      "T1498.001": "Network Denial of Service::Direct Network Flood",
+      "T1561.001": "Disk Wipe::Disk Content Wipe",
+      "T1561.002": "Disk Wipe::Disk Structure Wipe",
+      "T1561": "Disk Wipe",
+      "T1499": "Endpoint Denial of Service",
+      "T1491.002": "Defacement::External Defacement",
+      "T1495": "Firmware Corruption",
+      "T1490": "Inhibit System Recovery",
+      "T1491.001": "Defacement::Internal Defacement",
+      "T1498": "Network Denial of Service",
+      "T1499.001": "Endpoint Denial of Service::OS Exhaustion Flood",
+      "T1498.002": "Network Denial of Service::Reflection Amplification",
+      "T1496": "Resource Hijacking",
+      "T1565.003": "Data Manipulation::Runtime Data Manipulation",
+      "T1499.002": "Endpoint Denial of Service::Service Exhaustion Flood",
+      "T1489": "Service Stop",
+      "T1565.001": "Data Manipulation::Stored Data Manipulation",
+      "T1529": "System Shutdown/Reboot",
+      "T1565.002": "Data Manipulation::Transmitted Data Manipulation"
+    }
+  }
+}

scripts/setup-linter-dependencies.py

@@ -0,0 +1,190 @@
+"""
+Generate capa linter-data.json, used to validate Att&ck/MBC IDs and names.
+
+Use the --extractor option to extract data from Att&ck or MBC (or both) frameworks.
+Use the --output to choose the output json file.
+By default, the script will create a linter-data.json in the scripts/ directory for both frameworks.
+
+Note: The capa rules linter will try to load from its default location (scripts/linter-data.json).
+
+Usage:
+
+    usage: setup-linter-dependencies.py [-h] [--extractor {both,mbc,att&ck}] [--output OUTPUT]
+
+    Setup linter dependencies.
+
+    optional arguments:
+      -h, --help            show this help message and exit
+      --extractor {both,mbc,att&ck}
+                            Extractor that will be run
+      --output OUTPUT, -o OUTPUT
+                            Path to output file (lint.py will be looking for linter-data.json)
+
+
+Example:
+
+    $ python3 setup-linter-dependencies.py
+    2022-01-24 22:35:06,901 [INFO] Extracting Mitre Att&ck techniques...
+    2022-01-24 22:35:06,901 [INFO] Downloading STIX data at: https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/enterprise-attack/enterprise-attack.json
+    2022-01-24 22:35:13,001 [INFO] Starting extraction...
+    2022-01-24 22:35:39,395 [INFO] Extracting MBC behaviors...
+    2022-01-24 22:35:39,395 [INFO] Downloading STIX data at: https://raw.githubusercontent.com/MBCProject/mbc-stix2/master/mbc/mbc.json
+    2022-01-24 22:35:39,839 [INFO] Starting extraction...
+    2022-01-24 22:35:42,632 [INFO] Writing results to linter-data.json
+"""
+import json
+import logging
+import argparse
+from sys import argv
+from typing import Dict, List
+from os.path import dirname
+
+import requests
+from stix2 import Filter, MemoryStore, AttackPattern  # type: ignore
+
+logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
+
+
+class MitreExtractor:
+    """
+    This class extract Mitre techniques and sub techniques that are represented as "attack-pattern" in STIX format.
+    The STIX data is collected in JSON format by requesting the specified URL.
+
+    url: must point to json stix location
+    kill_chain_name: mitre-attack, mitre-mbc...
+    """
+
+    url = ""
+    kill_chain_name = ""
+
+    def __init__(self):
+        """Download and store in memory the STIX data on instantiation."""
+        if self.kill_chain_name == "":
+            raise ValueError(f"Kill chain name not specified in class {self.__class__.__name__}")
+
+        if self.url == "":
+            raise ValueError(f"URL not specified in class {self.__class__.__name__}")
+
+        logging.info(f"Downloading STIX data at: {self.url}")
+        stix_json = requests.get(self.url).json()
+        self._memory_store = MemoryStore(stix_data=stix_json["objects"])
+
+    @staticmethod
+    def _remove_deprecated_objetcs(stix_objects) -> List[AttackPattern]:
+        """Remove any revoked or deprecated objects from queries made to the data source."""
+        return list(
+            filter(
+                lambda x: x.get("x_mitre_deprecated", False) is False and x.get("revoked", False) is False,
+                stix_objects,
+            )
+        )
+
+    def _get_tactics(self) -> List[Dict]:
+        """Get tactics IDs from Mitre matrix."""
+        # Only one matrix for enterprise att&ck framework
+        matrix = self._remove_deprecated_objetcs(
+            self._memory_store.query(
+                [
+                    Filter("type", "=", "x-mitre-matrix"),
+                ]
+            )
+        )[0]
+        return list(map(self._memory_store.get, matrix["tactic_refs"]))
+
+    def _get_techniques_from_tactic(self, tactic: str) -> List[AttackPattern]:
+        """Get techniques and sub techniques from a Mitre tactic (kill_chain_phases->phase_name)"""
+        techniques = self._remove_deprecated_objetcs(
+            self._memory_store.query(
+                [
+                    Filter("type", "=", "attack-pattern"),
+                    Filter("kill_chain_phases.phase_name", "=", tactic),
+                    Filter("kill_chain_phases.kill_chain_name", "=", self.kill_chain_name),
+                ]
+            )
+        )
+        return techniques
+
+    def _get_parent_technique_from_subtechnique(self, technique: AttackPattern) -> AttackPattern:
+        """Get parent technique of a sub technique using the technique ID TXXXX.YYY"""
+        sub_id = technique["external_references"][0]["external_id"].split(".")[0]
+        parent_technique = self._remove_deprecated_objetcs(
+            self._memory_store.query(
+                [
+                    Filter("type", "=", "attack-pattern"),
+                    Filter("external_references.external_id", "=", sub_id),
+                ]
+            )
+        )[0]
+        return parent_technique
+
+    def run(self) -> Dict[str, Dict[str, str]]:
+        """Iterate over every technique over every tactic. If the technique is a sub technique, then
+        we also search for the parent technique name.
+        """
+        logging.info("Starting extraction...")
+        data: Dict[str, Dict[str, str]] = {}
+        for tactic in self._get_tactics():
+            data[tactic["name"]] = {}
+            for technique in self._get_techniques_from_tactic(tactic["x_mitre_shortname"]):
+                tid = technique["external_references"][0]["external_id"]
+                technique_name = technique["name"].split("::")[0]
+                if technique["x_mitre_is_subtechnique"]:
+                    parent_technique = self._get_parent_technique_from_subtechnique(technique)
+                    data[tactic["name"]][tid] = f"{parent_technique['name']}::{technique_name}"
+                else:
+                    data[tactic["name"]][tid] = technique_name
+        return data
+
+
+class AttckExtractor(MitreExtractor):
+    """Extractor for the Mitre Enterprise Att&ck Framework."""
+
+    url = "https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/enterprise-attack/enterprise-attack.json"
+    kill_chain_name = "mitre-attack"
+
+
+class MbcExtractor(MitreExtractor):
+    """Extractor for the Mitre Malware Behavior Catalog."""
+
+    url = "https://raw.githubusercontent.com/MBCProject/mbc-stix2/master/mbc/mbc.json"
+    kill_chain_name = "mitre-mbc"
+
+    def _get_tactics(self) -> List[Dict]:
+        """Override _get_tactics to edit the tactic name for Micro-objective"""
+        tactics = super(MbcExtractor, self)._get_tactics()
+        # We don't want the Micro-objective string inside objective names
+        for tactic in tactics:
+            tactic["name"] = tactic["name"].replace(" Micro-objective", "")
+        return tactics
+
+
+def main(args: argparse.Namespace) -> None:
+    data = {}
+    if args.extractor == "att&ck" or args.extractor == "both":
+        logging.info("Extracting Mitre Att&ck techniques...")
+        data["att&ck"] = AttckExtractor().run()
+    if args.extractor == "mbc" or args.extractor == "both":
+        logging.info("Extracting MBC behaviors...")
+        data["mbc"] = MbcExtractor().run()
+
+    logging.info(f"Writing results to {args.output}")
+    try:
+        with open(args.output, "w") as jf:
+            json.dump(data, jf, indent=2)
+    except BaseException as e:
+        logging.error(f"Exception encountered when writing results: {e}")
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Setup linter dependencies.")
+    parser.add_argument(
+        "--extractor", type=str, choices=["both", "mbc", "att&ck"], default="both", help="Extractor that will be run"
+    )
+    parser.add_argument(
+        "--output",
+        "-o",
+        type=str,
+        default=f"{dirname(__file__)}/linter-data.json",
+        help="Path to output file (lint.py will be looking for linter-data.json)",
+    )
+    main(parser.parse_args(args=argv[1:]))

setup.py

@@ -76,6 +76,8 @@ setuptools.setup(
             "isort==5.10.1",
             "mypy==0.931",
             "psutil==5.9.0",
+            "stix2==3.0.1",
+            "requests==2.27.1",
             # type stubs for mypy
             "types-backports==0.1.3",
             "types-colorama==0.4.7",
@@ -83,6 +85,7 @@ setuptools.setup(
             "types-tabulate==0.8.5",
             "types-termcolor==1.1.3",
             "types-psutil==5.8.19",
+            "types_requests==2.27.3",
         ],
     },
     zip_safe=False,