Adds support for MITRE ATT&CK References #20289
I started adding these to all the updated persistence techniques. That PR will need to have these redone to the new format.
Could we spike generating out ruby constants for the techniques so we can auto-complete values in our editors; past experience shows it's very easy for people to get magic values wrong
    [ 'URL', 'http://sourceforge.net/projects/smbexec/' ],
    [ 'ATT&CK', 'T1021.002' ], # SMB/Windows Admin Shares
    [ 'ATT&CK', 'T1569.002' ], # Service Execution
    [ 'ATT&CK', 'T1077' ], # Windows Admin Shares
Looks like T1077 was consolidated into T1021.002 - so I think this is redundant 🤔
Will look into this 👍
@@ -81,6 +82,12 @@ def initialize(info = {}) | |||
|
|||
# Win 8 | |||
['EDB', '42030'], | |||
|
|||
# MITRE ATT&CK |
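Review bot: the `# MITRE ATT&CK` grouping comment that closes this hunk introduces the new reference entries, so each entry under it should carry the technique name in a trailing comment (as `[ 'ATT&CK', 'T1569.002' ], # Service Execution` does elsewhere in this PR) so a reviewer can check the numeric ID against the name without leaving the diff, and IDs that MITRE has consolidated (T1077 into T1021.002, as noted above) should not be listed alongside their replacement.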
Do we have a plan for how payloads will impact the att&ck metadata here? As well as conditional techniques that are based on actions, or changing datastore values etc
Hmm, good question - do you have any thoughts on this @smcintyre-r7
We have the same issue for side effects. I think at this time, we can completely ignore what a payload is going to do otherwise everything capable of delivering a meterpreter payload would be tagged with everything meterpreter can do. At that point, we'll have diminishing returns on the content.
I'm happy to focus the tags on what the module does. There will need to be a judgement call in regards to tags that are only applicable for particular targets / actions. The precedent we've set in the past is that we add them to the side effects if any target or action uses it, and we should probably continue to do that. Long term though, having a way to separate the tags for different targets and actions would enable us to better inform our users of what is going to happen based on their configuration. I'm guessing that'd be a much larger engineering effort and would be happy to leave that out of scope for this work item.
Would it be possible to add a rubocop rule to make sure the ATT&CK reference key has no typo and automatically swap to the correct keyword?
    output << 'module Msf'
    output << '  module Mitre'
    output << '    module Attack'
    output << '      module Technique'
Suggested change:
-    output << '      module Technique'
+    output << "      # This file was auto-generated by #{__FILE__} please do not manually edit it"
+    output << '      module Technique'
This PR adds support for MITRE ATT&CK References in Metasploit modules; this will allow users to search for MITRE ATT&CK techniques via our existing search functionality.
Metasploit Pro
I have verified this also works with Metasploit Pro. Links are rendered and clickable etc. The search functionality also works there as well 🚀
Verification
Requirements
Manual testing:
- info
- info -d
- search att&ck:T1190
- search attack:T1190
- search att&ck:T1021 should return modules containing [ 'ATT&CK', 'T1021.001' ].