MITRE ATT&CK Website
Home Page: https://attack.mitre.org
License: Apache License 2.0
Refactor update-attack.py to only run modules that are stored in the modules folder. Add optional flag --modules that will run selected modules.
The website toolbar will be built depending on the available modules.
As a visitor to the ATT&CK website, I want to be able to see descriptive pages for data sources and defenses bypassed instead of a simple string list.
This will require adding new STIX objects for defenses bypassed and data sources on the MITRE/CTI repo.
There's a minor typo (an extra "}") in the Cardinal RAT reference for T0160.
As a user of ATT&CK, I want to be able to see the most up-to-date version of the content on the website.
ATT&CK content on the MITRE/CTI repo was updated to v6.2 today; we should update this repo to match.
On the cloud matrix page, the lefthand side-navigation initial state has the enterprise tree-node closed. This hides the active tree-node (cloud) from the view until enterprise is manually expanded.
The correct behavior is that the side-navigation initial state always shows the active tree-node by expanding all parent nodes of the active tree-node.
As a user, I want to be able to visit pages for each subtechnique on the website. I want to be able to see the parent technique, as well as sibling subtechniques, from that page.
On the side-navigation of the software pages, the header text reads "sofware" instead of "software".
As a user, I want to be able to tell whether a relationship from a group/software/mitigation points to a subtechnique or technique.
We should redo the relationship tables (using a macro to avoid code duplication) to differentiate parent techniques from subtechniques. If a relationship exists with one or more subtechniques under a single parent (but not the parent itself), it should group them under the parent technique but mark the parent technique in such a way to make it obvious that it does not have a relationship (e.g. by deemphasizing the text).
As a user of the ATT&CK website, I want to be able to set up a simple clone of the site using docker.
As a user of the ATT&CK website, I want to be able to be shown an automated, interactive tour of the new subtechniques features so that I can learn about what parts of the website are affected with that update.
As a user, I want to be able to see the subtechniques of a technique when on the technique page.
As a user of the ATT&CK website, I want to see accurate legal language reflecting the status of the ATT&CK trademark.
Update the readme to say ATT&CK® instead of ATT&CK™.
As a user, I want it to be easy to navigate around the ATT&CK website including across domains.
Objects with domains (e.g. techniques, tactics and mitigations) have a domain selection dropdown button above the sidenav. We should refactor this to be part of the sidenav itself, thereby allowing users to access the object domain lists of other domains.
For example, on the mitigations page, we would have:
Mitigations
Enterprise
- Account Use Policies
- Active Directory Configuration
- ...
Mobile
- Application Developer Guidance
- Application Vetting
- ...
The domain-section headers can serve as links to the domain overview pages for the object type. This new design will be more consistent with the matrices page sidenav.
As a user of the ATT&CK website, I want to see accurate legal language reflecting the status of the ATT&CK trademark.
All instances of ATT&CK™ should be updated with ATT&CK®. See Butterick's Practical Typography for best practices on placement.
As a user of the ATT&CK website, I want to see up-to-date copyright information.
Update the copyright date to 2020 in the footer and on the terms of use page.
As a developer of the ATT&CK website, I want to be able to read guidance about how to go about developing the site.
We should add a tools (tips?) for developing the website section to the readme under Implementation Overview section, which can go over common implementation stuff. Notably we can use this section to explain how module cherrypicking with the -b flag works.
For technique.py, tactic.py, and mitigation.py:
- Move each into the modules folder and add its own configuration file:
modules/
    techniques/
        techniques.py
        techniques_config.py
- {techniques, tactics, mitigations}_config.py
- {techniques, tactics, matrices}_config.py requires module independent variables from config.py.
- config.related_techniques should be updated to get related_techniques from util/relationshipgetters.py.
- Move relevant content markdown files into the resources module. See #68.
- If the module does not generate a website object, make sure to remove it from the menu of the website.
As a user of the ATT&CK website, I want to see accurate legal language reflecting the status of the ATT&CK trademark.
Update the wordmarks (logos) to include ® instead of ™.
As a user of the ATT&CK website, I want to be able to see matrix timestamps showing when the ATT&CK content has last updated. These timestamps should take into account subtechniques.
As a user of the ATT&CK website with custom STIX, I want to be able to see a summary of my local STIX changes the same way I can view summaries of previous ATT&CK updates. The "STIX changes" would be the differences (additions, deletions, changes, etc.) between the STIX found on the MITRE/CTI repo and the STIX found in the /data/stix/ folder.
We should add a new page, possibly under /resources/updates/, automatically showing local STIX changes. It should also include layer links like the "Navigator Layer" buttons on group/software pages.
This feature should be optional. A build flag should be required to explicitly indicate that the page should be built.
Currently the site is built so that it would be in the root of a domain, e.g. attack.mitre.org/. However, if the site were to be deployed to a sub-path, e.g. example.com/attack-site/, we need a way of configuring it so that the absolute hyperlinks work properly. In this example, the link /techniques/ would link to example.com/techniques/ where it should link to example.com/attack-site/techniques/.
Depending on how this is done it may affect the link-parsing in the previous-versions feature.
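One way to handle the sub-path case, as an added example that is not part of the attack-website code: a post-processing pass over the generated HTML that prefixes root-relative href/src/action values with a configurable base path, leaving absolute and protocol-relative URLs alone and never prefixing twice. The base_path setting name, the attribute regex and the sample snippet are assumptions for illustration; the project may instead solve this in its templates with a site URL setting.

```python
import re

# Matches href/src/action attributes whose value is root-relative ("/x"),
# but not protocol-relative ("//cdn.example.com") or absolute ("https://...").
ATTR_RE = re.compile(r"""\b(href|src|action)=(["'])(/(?!/)[^"']*)\2""")


def prefix_root_links(html, base_path):
    """Rewrite root-relative links so the site works under a sub-path.

    base_path is a hypothetical build setting (e.g. "attack-site"); an empty
    value means the site lives at the domain root and nothing is rewritten.
    The pass is idempotent: links already under base_path are left alone.
    """
    base = "/" + base_path.strip("/")
    if base == "/":
        return html

    def rewrite(match):
        attr, quote, url = match.groups()
        if url == base or url.startswith(base + "/"):
            return match.group(0)  # already prefixed, do not double up
        return f"{attr}={quote}{base}{url}{quote}"

    return ATTR_RE.sub(rewrite, html)


# Constructed snippet standing in for a generated page.
SAMPLE = (
    '<a href="/techniques/">Techniques</a>'
    '<script src="/theme/scripts/site.js"></script>'
    '<img src="//cdn.example.com/logo.png">'
    '<a href="https://attack.mitre.org/">home</a>'
)

if __name__ == "__main__":
    print(prefix_root_links(SAMPLE, "attack-site"))
```

Because the pass is idempotent, it can safely run over output that was already built for the sub-path, which matters if the previous-versions feature re-parses older builds.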
As a user of the ATT&CK website, I want to be able to use the browser of my choice without running into compatibility issues.
The WIP subtechniques matrix on the feature/subtechniques branch seems to have layout issues in Firefox. This is probably a CSS issue. We need to do compatibility testing to ensure that it works properly in all browsers.
The flat layout works fine, only the side layout seems to have issues.
As a visitor to the ATT&CK website, I want to be able to find an up-to-date roadmap of upcoming ATT&CK changes.
The current ATT&CK roadmap on the resources/general-information page is outdated. We should update it with the latest version.
As a user of the ATT&CK website, I want to be able to know what version of the website and content is displayed on the previous versions pages.
Relies on mitre/cti#66. See also #10.
As a user of the ATT&CK Website, I want to be able to set links to the ATT&CK Navigator (e.g. the buttons on Matrix pages, the technique usage links on group and software pages) to point to a local instance. Currently they will always lead to the official MITRE hosted instance.
This will allow users with custom STIX to host a Navigator instance with the custom STIX alongside an instance of this website with the custom STIX.
We will need to provide config options for both the enterprise and mobile instances.
As a user of the ATT&CK website, I want to see accurate legal language reflecting the status of the ATT&CK trademark.
Update the trademark language to: MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
As a visitor to the ATT&CK website, I want to be able to see information about ATT&CKcon 2019 on the ATT&CKcon page.
On the sub-techniques branch, every matrix-page says "matrices" even if there's only one matrix on the page. This is being caused by an off-by-one error on the pluralization code: https://github.com/mitre-attack/attack-website/blob/feature/subtechniques/attack-theme/templates/matrices/matrix.html#L50
Because of how citations work, in some places broken citations will show up as an empty reference in the external references table without leaving "(Citation:" on the built page. This means our citation tests never detect an issue.
To reproduce, replace APT18 in the STIX data with this intentionally broken object:
```json
{
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "name": "APT18",
    "description": "[APT18](https://attack.mitre.org/groups/G0026) is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movemente)",
    "type": "intrusion-set",
    "aliases": [
        "APT18",
        "TG-0416",
        "Dynamite Panda",
        "Threat Group-0416"
    ],
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ],
    "id": "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648",
    "external_references": [
        {
            "external_id": "G0026",
            "source_name": "mitre-attack",
            "url": "https://attack.mitre.org/groups/G0026"
        },
        {
            "source_name": "APT18",
            "description": "(Citation: ThreatStream Evasion Analysis)(Citation: Anomali Evasive Maneuvers July 2015)"
        },
        {
            "source_name": "TG-0416",
            "description": "(Citation: ThreatStream Evasion Analysis)(Citation: Anomali Evasive Maneuvers July 2015)"
        },
        {
            "source_name": "Dynamite Panda",
            "description": "(Citation: ThreatStream Evasion Analysis)(Citation: Anomali Evasive Maneuvers July 2015)"
        },
        {
            "source_name": "Threat Group-0416",
            "description": "(Citation: ThreatStream Evasion Analysis)"
        },
        {
            "source_name": "Dell Lateral Movement",
            "description": "Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.",
            "url": "http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/"
        },
        {
            "source_name": "ThreatStream Evasion Analysis",
            "description": "Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.",
            "url": "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"
        },
        {
            "source_name": "Anomali Evasive Maneuvers July 2015",
            "description": "Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018.",
            "url": "https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"
        }
    ],
    "modified": "2019-05-30T18:05:32.461Z",
    "x_mitre_version": "2.0",
    "created": "2017-05-31T21:31:57.733Z"
}
```
Example of how this is represented:
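A check that would catch the case above, added here as an example and not the project's own citation test: it collects every "(Citation: name)" token used in an object's description and alias descriptions and compares it with the references actually defined in external_references, reporting both dangling citations (cited but undefined) and orphaned references (defined but never cited). The object below is a constructed, abbreviated copy of the broken APT18 object from the issue; the heuristic for "real reference" (an entry with a url, excluding the mitre-attack ID entry) is an assumption.

```python
import copy
import re

# A citation token as ATT&CK descriptions use it: "(Citation: Some Source)".
CITATION_RE = re.compile(r"\(Citation:\s*([^()]+?)\s*\)")

# Constructed, abbreviated copy of the intentionally broken APT18 object:
# the description cites "Dell Lateral Movemente" (typo) while the reference
# is defined as "Dell Lateral Movement".
BROKEN_APT18 = {
    "type": "intrusion-set",
    "id": "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648",
    "name": "APT18",
    "description": "[APT18](https://attack.mitre.org/groups/G0026) is a threat group "
                   "that has operated since at least 2009. (Citation: Dell Lateral Movemente)",
    "external_references": [
        {"external_id": "G0026", "source_name": "mitre-attack",
         "url": "https://attack.mitre.org/groups/G0026"},
        {"source_name": "APT18",
         "description": "(Citation: ThreatStream Evasion Analysis)(Citation: Anomali Evasive Maneuvers July 2015)"},
        {"source_name": "Dell Lateral Movement",
         "description": "Carvey, H. (2014, September 2). Where you AT? Retrieved January 25, 2016.",
         "url": "http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/"},
        {"source_name": "ThreatStream Evasion Analysis",
         "description": "Shelmire, A. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.",
         "url": "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"},
        {"source_name": "Anomali Evasive Maneuvers July 2015",
         "description": "Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group. Retrieved November 15, 2018.",
         "url": "https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"},
    ],
}


def cited_names(obj):
    """Citation names used in the description and in alias descriptions."""
    texts = [obj.get("description", "")]
    texts += [ref.get("description", "") for ref in obj.get("external_references", [])]
    return {name for text in texts for name in CITATION_RE.findall(text)}


def defined_references(obj):
    """source_names that are real references: they carry a url and are not the
    ATT&CK ID entry (assumed heuristic; bare alias entries have no url)."""
    return {
        ref["source_name"]
        for ref in obj.get("external_references", [])
        if ref.get("url") and ref.get("source_name") != "mitre-attack"
    }


def check_citations(obj):
    """Dangling: cited but never defined (rendered as an empty reference or
    silently dropped). Orphaned: defined but never cited (an unreachable
    reference row). A typo in one citation produces exactly one of each."""
    used, defined = cited_names(obj), defined_references(obj)
    return {"dangling": sorted(used - defined), "orphaned": sorted(defined - used)}


def check_bundle(objects):
    """Run over a STIX bundle's objects; returns findings keyed by STIX id."""
    findings = {}
    for obj in objects:
        result = check_citations(obj)
        if result["dangling"] or result["orphaned"]:
            findings[obj["id"]] = result
    return findings


def with_citation_renamed(obj, wrong, right):
    """Copy of obj with one citation name corrected in the description."""
    fixed = copy.deepcopy(obj)
    fixed["description"] = fixed["description"].replace(
        f"(Citation: {wrong})", f"(Citation: {right})")
    return fixed


if __name__ == "__main__":
    print(check_bundle([BROKEN_APT18]))
```

Run as a build-time test, a non-empty result from check_bundle should fail the build rather than let the page render with a hollow reference row.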
As a user of the ATT&CK website, I want to know when a given object (technique, group, mitigation, etc) was created and last updated.
We should add a created and updated field to the card on object pages.
- created: the created field value for the object and any relationships with the object (discounting relationships with deprecated and revoked objects).
- updated: the modified field value for the object and any relationships with the object (discounting relationships with deprecated and revoked objects).
Dates should be displayed as %d %B %Y, e.g. 04 December 2019.
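To make the rule concrete, the following is an added example and not code from attack-website: it takes the earliest created and the latest modified timestamp across an object and the relationships that touch it, skips relationships whose other end (or the relationship itself) is revoked or deprecated, and formats the result as %d %B %Y. The earliest/latest aggregation, the is_live helper and the constructed sample objects with fake IDs are assumptions.

```python
from datetime import datetime

DISPLAY_FMT = "%d %B %Y"  # e.g. 04 December 2019, as the issue asks for


def parse_stix_time(value):
    """STIX timestamps are UTC ISO 8601; fractional seconds are optional."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised STIX timestamp: {value!r}")


def is_live(obj):
    """Assumed rule: revoked or x_mitre_deprecated objects do not count."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def card_dates(obj, bundle_objects):
    """Return {'created': ..., 'updated': ...} display strings for obj's card.

    Earliest `created` and latest `modified` over the object itself and every
    live relationship attached to it whose other end is also live.
    """
    by_id = {o["id"]: o for o in bundle_objects}
    created = [parse_stix_time(obj["created"])]
    modified = [parse_stix_time(obj["modified"])]
    for rel in bundle_objects:
        if rel.get("type") != "relationship" or not is_live(rel):
            continue
        if obj["id"] not in (rel["source_ref"], rel["target_ref"]):
            continue
        other_id = rel["target_ref"] if rel["source_ref"] == obj["id"] else rel["source_ref"]
        other = by_id.get(other_id)
        if other is None or not is_live(other):
            continue  # discount relationships with deprecated/revoked objects
        created.append(parse_stix_time(rel["created"]))
        modified.append(parse_stix_time(rel["modified"]))
    return {
        "created": min(created).strftime(DISPLAY_FMT),
        "updated": max(modified).strftime(DISPLAY_FMT),
    }


# Constructed sample bundle (fake ids and dates).
TECHNIQUE = {
    "type": "attack-pattern", "id": "attack-pattern--aaaaaaaa-0000-4000-8000-000000000001",
    "created": "2017-05-31T21:31:57.733Z", "modified": "2019-05-30T18:05:32.461Z",
}
GROUP = {"type": "intrusion-set", "id": "intrusion-set--aaaaaaaa-0000-4000-8000-000000000002",
         "created": "2017-05-31T21:31:47.955Z", "modified": "2019-12-04T10:00:00.000Z"}
OLD_TOOL = {"type": "tool", "id": "tool--aaaaaaaa-0000-4000-8000-000000000003",
            "created": "2016-01-01T00:00:00.000Z", "modified": "2020-03-01T00:00:00.000Z",
            "revoked": True}
BUNDLE = [
    TECHNIQUE, GROUP, OLD_TOOL,
    {"type": "relationship", "id": "relationship--aaaaaaaa-0000-4000-8000-000000000004",
     "relationship_type": "uses", "source_ref": GROUP["id"], "target_ref": TECHNIQUE["id"],
     "created": "2018-01-17T12:56:55.080Z", "modified": "2019-12-04T15:20:00Z"},
    # Touches a revoked tool: must not move either date on the technique card.
    {"type": "relationship", "id": "relationship--aaaaaaaa-0000-4000-8000-000000000005",
     "relationship_type": "uses", "source_ref": OLD_TOOL["id"], "target_ref": TECHNIQUE["id"],
     "created": "2016-01-02T00:00:00.000Z", "modified": "2020-03-01T00:00:00.000Z"},
]

if __name__ == "__main__":
    print(card_dates(TECHNIQUE, BUNDLE))  # {'created': '31 May 2017', 'updated': '04 December 2019'}
```

Without the revoked-object filter the technique card would report 01 March 2020 as its update date, driven entirely by a relationship to software that no longer exists on the site.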
The project cannot be cloned on Windows platforms, due to the ":" placed in the names of some folders (example path: plugins/caltack/static/attack-website/mobile/index.php/Manual:Copyright)
As a user of the ATT&CK website, I want to see accurate legal language reflecting the status of the ATT&CK trademark.
The FAQ section, "How Should I reference the name ATT&CK", needs to be updated to reflect that ATT&CK is now a registered trademark.
As a user of the ATT&CK Website, I want to be able to visit the FAQ to find common questions about ATT&CK, including sub-techniques.
We should add the following entries to the FAQ:
As a user, I'd like to have better feedback when using the search bar in the ATT&CK website. Some suggested improvements:
As a user of the ATT&CK website, I want to be able to tell what version of the site I'm viewing.
The website and content (ATT&CK STIX) version numbers, as seen in the changelog, should be added to the website in the footer. It should be deemphasized using the on-color-deemphasis scss utility so that it does not draw undue attention.
As a provider of the ATT&CK website, I want the google analytics and google-site-verification to only exist on the official instance of the ATT&CK website. Instances created by users of the source code should not include google analytics or google-site-verification.
For software.py, group.py, and matrix.py:
modules/
    software/
        software.py
        software_config.py
- Move relevant content markdown files into modules. See #68.
- If the module does not generate a website object, make sure to remove it from the menu of the website.
As a user of the ATT&CK website, I want to see correct data on the sub-techniques cards. There is currently a mismatch on the sub-techniques cards from the JSON data. It appears that they are inheriting values from their sub-technique siblings.
As a user of the ATT&CK website, I want to be able to see subtechniques in the navigation elements.
Add subtechniques to the techniques sidenavs under their parent technique, and in the master techniques list nested under their parent technique.
Note: using fake data for names, IDs and descriptions.
https://attack.mitre.org/software/S0109/
WEBC2 is just a generic term for APT1 implants that use HTTP/HTML based C&C mechanisms.
Suggested change:
WEBC2 is a backdoor used by APT1
-> WEBC2 is malware used by APT1
The sticky footer on the website is unreliable at certain screen resolutions. We should refactor the sticky-footer code to fix the tendency to cover up content or position itself incorrectly in certain scenarios.
The concept of the sticky footer is that it should appear at the bottom of the screen if the page is less than the height of the view (example), or at the bottom of the content if the page is more than the height of the view (example).
A function in site.js is used to reposition the sticky footer whenever the page resizes, to catch cases where the page is resized and the breakpoint of page height > view height is crossed.
Unfortunately, this page resize function doesn't catch all page resizes. For example, it doesn't catch cases where an expansion/accordion panel increases the page height. This can lead to issues where the footer is rendered on top of and thereby obscuring page content.
We should fix this issue by refactoring the methodology for the footer positioning. Instead of using javascript to toggle the footer sticky-ness according to page height, we should simply use a flex layout to grow the page content to the height of the view if it were shorter than the view. The footer would then statically occur at the bottom of the page content, and the flex functionality would position it at the bottom of the page due to the behavior of flex-grow.
In other words, growing the height of the HTML to actually fill the page, instead of only being the height of the content as it is currently:
As a user of the ATT&CK website, I want the layers shown on the groups/software pages to support subtechniques.
This feature should not be worked on until https://github.com/mitre-attack/attack-navigator/milestone/3 is complete.
As a user of the ATT&CK Subtechniques matrix, I want to be able to quickly expand all or collapse all subtechnique-containing techniques in the matrix. I want a button to be provided which facilitates this functionality.
As a user of the ATT&CK website, I want to be able to find training information for how to use ATT&CK.
The URLs will follow this format:
/resources/training (landing page)
    /cti (topic intro)
        /exercise1
        /exercise2
        /exercise3
        /exercise4
    /mappings (topic intro)
        /exercise1
        /exercise2
        /exercise3
        /exercise4
    (etc)
Redirects will be created from /training to /resources/training and from /training/topic to /resources/training/topic for each topic.
These pages should make use of the sidebar macro for navigation. Each exercise should have a "previous" and "next" exercise button under the exercise content.
Remove all static markdown from the content folder. It should all be dynamically generated by the relevant module(s).
For example, content/pages/updates/ should be moved into the resources module.
Good afternoon ATT&CK team,
I was giving the build a try, and after running python3 update-attack.py -c -b, I got the following error:
```text
Clean Build : ---------------------------------------- 0.59s
Downloading STIX Data : ---------------------------------------- 1.18s
Initializing Data : ---------------------------------------- 37.38s
Index Page : ---------------------------------------- 0.35s
Group Pages : ---------------------------------------- 3.07s
Software Pages : ---------------------------------------- 8.63s
Technique Pages : ---------------------------------------- 7.11s
Matrix Pages : ---------------------------------------- 7.99s
Tactic Pages : ---------------------------------------- 0.79s
Mitigation Pages : ---------------------------------------- 0.45s
Contribute Page : ---------------------------------------- 0.10s
Resources Page : ---------------------------------------- 0.00s
Redirection Pages : ---------------------------------------- 0.50s
Search Index : ---------------------------------------- 148.65s
Previous Versions : ---------------------------------------- 9.07s
Pelican Content : ---------------------------------------- Running...CRITICAL: TemplateSyntaxError: Encountered unknown tag 'assets'. Jinja was looking for the following tags: 'endblock'. The innermost block that needs to be closed is 'block'.
Traceback (most recent call last):
  File "update-attack.py", line 282, in <module>
    update(args)
  File "update-attack.py", line 149, in update
    generate.pelican_content()
  File "/opt/ATTACK/modules/generate.py", line 107, in pelican_content
    returned_out = subprocess.check_output("pelican content -q", shell=True)
  File "/usr/lib/python3.6/subprocess.py", line 356, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.6/subprocess.py", line 438, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command 'pelican content -q' returned non-zero exit status 1
```
Any idea how I can get to the template where Jinja is looking for endblock? Thank you in advance!
As a user, I want it to be easy to find the TAXII server URL and usage documentation from the ATT&CK website.
As a visitor to the ATT&CK website, I want to be able to learn about how ATT&CK relates to other models.
I don't know if anyone maintains this repo, but it seems there is a typo in T1155.
As on the website, the last sentence introducing AppleScript is:
Scripts can be run from the command lie via osascript /path/to/script or osascript -e "script here".
I guess it should be command line rather than command lie; command lie doesn't make sense.
Please check it.
As a user, I want sub-techniques and techniques to only show up in matrices which match their platform tags. Currently sub-techniques show under their parents regardless of which platform-matrix they're being shown on, leading to (for example) mac-specific subtechniques being shown under the Windows matrix.
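Filtering a matrix column by platform the way the issue asks for, as an added example that is not the project's matrix module: both a parent technique and each sub-technique must list the matrix's platform in x_mitre_platforms, so a macOS-only sub-technique disappears from the Windows matrix even though its parent appears there. The attack_id and is_live helpers, and the constructed techniques with fake "TX" IDs, are assumptions.

```python
def attack_id(obj):
    """The T#### ID from the mitre-attack external reference (falls back to STIX id)."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return obj["id"]


def is_live(obj):
    """Assumed rule: revoked or x_mitre_deprecated objects are never shown."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def platform_matrix(objects, platform):
    """Map parent technique ID -> sorted sub-technique IDs for one platform.

    A parent is shown only if it lists `platform`; a sub-technique is nested
    under its parent only if the sub-technique itself lists `platform` too.
    """
    techniques = {o["id"]: o for o in objects
                  if o.get("type") == "attack-pattern" and is_live(o)}
    parent_of = {r["source_ref"]: r["target_ref"] for r in objects
                 if r.get("type") == "relationship"
                 and r.get("relationship_type") == "subtechnique-of"}

    def on_platform(t):
        return platform in t.get("x_mitre_platforms", [])

    matrix = {}
    for t in techniques.values():
        if not t.get("x_mitre_is_subtechnique", False) and on_platform(t):
            matrix[attack_id(t)] = []
    for sub_id, parent_id in parent_of.items():
        sub, parent = techniques.get(sub_id), techniques.get(parent_id)
        if sub is None or parent is None or not on_platform(sub):
            continue  # deprecated/revoked, or the sub-technique is off-platform
        parent_key = attack_id(parent)
        if parent_key in matrix:  # parent is also on this platform
            matrix[parent_key].append(attack_id(sub))
    return {k: sorted(v) for k, v in matrix.items()}


# Constructed sample objects with fake IDs (not real ATT&CK techniques).
def make_technique(fake_id, platforms, is_sub=False):
    return {"type": "attack-pattern", "id": "attack-pattern--" + fake_id,
            "x_mitre_platforms": platforms, "x_mitre_is_subtechnique": is_sub,
            "external_references": [{"source_name": "mitre-attack", "external_id": fake_id}]}


def subtechnique_of(sub_id, parent_id):
    return {"type": "relationship", "relationship_type": "subtechnique-of",
            "source_ref": "attack-pattern--" + sub_id, "target_ref": "attack-pattern--" + parent_id}


SAMPLE = [
    make_technique("TX001", ["Windows", "macOS", "Linux"]),
    make_technique("TX001.001", ["Windows"], is_sub=True),
    make_technique("TX001.002", ["macOS"], is_sub=True),            # macOS-only sub-technique
    make_technique("TX001.003", ["Windows", "Linux"], is_sub=True),
    {**make_technique("TX001.004", ["Windows"], is_sub=True), "x_mitre_deprecated": True},
    make_technique("TX002", ["macOS"]),
    subtechnique_of("TX001.001", "TX001"),
    subtechnique_of("TX001.002", "TX001"),
    subtechnique_of("TX001.003", "TX001"),
    subtechnique_of("TX001.004", "TX001"),
]

if __name__ == "__main__":
    for platform in ("Windows", "macOS", "Linux"):
        print(platform, platform_matrix(SAMPLE, platform))
```

The current behaviour the issue describes corresponds to dropping the on_platform(sub) check: every sub-technique of an on-platform parent would then be listed, including TX001.002 under Windows.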