forked from rabobank-cdc/DeTTECT
-
Notifications
You must be signed in to change notification settings - Fork 0
/
constants.py
216 lines (182 loc) · 10.6 KB
/
constants.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
import re
import json
import os
APP_NAME = 'DeTT&CT'
APP_DESC = 'Detect Tactics, Techniques & Combat Threats'
VERSION = '1.9.0'
EXPIRE_TIME = 60 * 60 * 24 * 30
# MITRE ATT&CK data types for custom schema and STIX
DATA_TYPE_CUSTOM_TECH_BY_GROUP = 'mitre_techniques_used_by_group'
DATA_TYPE_CUSTOM_TECH_BY_SOFTWARE = 'mitre_techniques_used_by_software'
DATA_TYPE_CUSTOM_TECH_IN_CAMPAIGN = 'mitre_techniques_used_in_campaign'
DATA_TYPE_CUSTOM_SOFTWARE_BY_GROUP = 'mitre_software_used_by_group'
DATA_TYPE_CUSTOM_SOFTWARE_IN_CAMPAIGN = 'mitre_software_used_in_campaign'
DATA_TYPE_STIX_ALL_TECH = 'mitre_all_techniques'
DATA_TYPE_STIX_ALL_TECH_ENTERPRISE = 'mitre_all_techniques_enterprise'
DATA_TYPE_STIX_ALL_TECH_ICS = 'mitre_all_techniques_ics'
DATA_TYPE_STIX_ALL_TECH_MOBILE = 'mitre_all_techniques_mobile'
DATA_TYPE_STIX_ALL_GROUPS = 'mitre_all_groups'
DATA_TYPE_STIX_ALL_CAMPAIGNS = 'mitre_all_campaigns'
DATA_TYPE_STIX_ALL_SOFTWARE = 'mitre_all_software'
DATA_TYPE_STIX_ALL_RELATIONSHIPS = 'mitre_all_relationships'
DATA_TYPE_STIX_ALL_ENTERPRISE_MITIGATIONS = 'mitre_all_mitigations_enterprise'
DATA_TYPE_STIX_ALL_MOBILE_MITIGATIONS = 'mitre_all_mitigations_mobile'
DATA_TYPE_STIX_ALL_ICS_MITIGATIONS = 'mitre_all_mitigations_ics'
# ATT&CK matrix support:
DETTECT_DOMAIN_SUPPORT = ['enterprise-attack', 'ics-attack', 'mobile-attack']
# Group colors
COLOR_GROUP_OVERLAY_MATCH = '#f9a825' # orange
COLOR_GROUP_OVERLAY_NO_MATCH = '#ffee58' # yellow
COLOR_SOFTWARE = '#0d47a1 ' # dark blue
COLOR_GROUP_AND_SOFTWARE = '#64b5f6 ' # light blue
COLOR_GRADIENT_DISABLE = '#aeb6bf' # white
COLOR_GRADIENT_MIN = '#ffcece' # light red
COLOR_GRADIENT_MAX = '#ff0000' # red
COLOR_TACTIC_ROW_BACKGRND = '#dddddd' # light grey
COLOR_GROUP_OVERLAY_ONLY_DETECTION = '#8BC34A' # green
COLOR_GROUP_OVERLAY_ONLY_VISIBILITY = '#1976D2' # blue
# data source colors (purple range)
COLOR_DS_25p = '#E1BEE7'
COLOR_DS_50p = '#CE93D8'
COLOR_DS_75p = '#AB47BC'
COLOR_DS_99p = '#7B1FA2'
COLOR_DS_100p = '#4A148C'
# data source colors HAPPY (green range)
COLOR_DS_25p_HAPPY = '#DCEDC8'
COLOR_DS_50p_HAPPY = '#AED581'
COLOR_DS_75p_HAPPY = '#8BC34A'
COLOR_DS_99p_HAPPY = '#689F38'
COLOR_DS_100p_HAPPY = '#33691E'
# Detection colors (green range)
COLOR_D_0 = '#9C27B0' # Purple: Forensics/Context
COLOR_D_1 = '#DCEDC8'
COLOR_D_2 = '#AED581'
COLOR_D_3 = '#8BC34A'
COLOR_D_4 = '#689F38'
COLOR_D_5 = '#33691E'
# Visibility colors (blue range)
COLOR_V_1 = '#BBDEFB'
COLOR_V_2 = '#64B5F6'
COLOR_V_3 = '#1976D2'
COLOR_V_4 = '#0D47A1'
# Orange overlay colors
COLOR_O_0 = '#FFECB7'
COLOR_O_1 = '#FFE07A'
COLOR_O_2 = '#FFCA28'
COLOR_O_3 = '#FFAE00'
COLOR_O_4 = '#FF8F00'
COLOR_O_5 = '#FF6F00'
COLOR_WHITE = '#FFFFFF'
# Detection and visibility overlay color:
COLOR_OVERLAY_VISIBILITY = COLOR_V_3
COLOR_OVERLAY_DETECTION = COLOR_D_3
COLOR_OVERLAY_BOTH = COLOR_GROUP_OVERLAY_MATCH
# Overlay types as used within the group functionality
OVERLAY_TYPE_GROUP = 'group'
OVERLAY_TYPE_CAMPAIGN = 'campaign'
OVERLAY_TYPE_VISIBILITY = 'visibility'
OVERLAY_TYPE_DETECTION = 'detection'
FILE_TYPE_DATA_SOURCE_ADMINISTRATION = 'data-source-administration'
FILE_TYPE_TECHNIQUE_ADMINISTRATION = 'technique-administration'
FILE_TYPE_GROUP_ADMINISTRATION = 'group-administration'
# YAML administration file versions
FILE_TYPE_DATA_SOURCE_ADMINISTRATION_VERSION = 1.1
FILE_TYPE_TECHNIQUE_ADMINISTRATION_VERSION = 1.2
FILE_TYPE_GROUP_ADMINISTRATION_VERSION = 1.0
# YAML file upgrade text
FILE_TYPE_DATA_SOURCE_UPGRADE_TEXT = {
1.1: """ * Adding a new object 'systems'
* Adding a new key-value pair 'applicable_to' to the data source objects
[!] ----------------------------------------------------------------------[!]
This upgrade can only ensure the data format will be in line with v1.1. But
cannot handle how you've recorded information on your data sources. It's
therefore advised to put some manual work into the data source administration
file after this upgrade. For example, to do things like:
- Assign data sources to the correct type of Systems
(which are furthermore linked to ATT&CK platforms).
- As we recommend and explain on the Wiki, have matching
Systems/applicable to between your technique and data source YAML files.
- Merge multiple data source files into one single file when you had
multiple data source files per ATT&CK platform, type of system,
environment, etc. The new v1.1 data format supports combining all of that
within the same data source YAML file using the new Systems object.
You can find further information on this new applicable to/type of System
functionality on the following URLs:
- Applicable to / type of System:
https://github.com/rabobank-cdc/DeTTECT/wiki/how-to-use-the-framework#matching-system--applicable-to-values
- The new Systems object:
https://github.com/rabobank-cdc/DeTTECT/wiki/YAML-administration-data-sources#Systems
[!] ----------------------------------------------------------------------[!]
"""
}
# Text for user to enter key to continue
TXT_ANY_KEY_TO_CONTINUE = 'Press a key to continue'
# YAML regex
REGEX_YAML_VERSION_10 = re.compile(r'^\s*version:\s+1\.0\s*$', re.IGNORECASE)
REGEX_YAML_TECHNIQUE_ID = re.compile(r'^-\s+technique_id:\s+T\d{4}(\.\d{3}|)\s*$', re.IGNORECASE)
REGEX_YAML_TECHNIQUE_ID_FORMAT = re.compile(r'T\d{4}(\.\d{3}|)', re.IGNORECASE)
REGEX_YAML_DETECTION = re.compile(r'^\s+detection:\s*$', re.IGNORECASE)
REGEX_YAML_VISIBILITY = re.compile(r'^\s+visibility:\s*$', re.IGNORECASE)
REGEX_YAML_INDENT_CHARS = re.compile(r'(^[\s-]+).*', re.IGNORECASE)
REGEX_YAML_VALID_DATE = re.compile(r'([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))', re.IGNORECASE)
REGEX_YAML_DATE = re.compile(r'^[\s-]+date:.*$', re.IGNORECASE)
REGEX_YAML_TECHNIQUE_ID_GROUP = re.compile(r'^-\s+technique_id:\s+(T\d{4})\s*$', re.IGNORECASE)
# YAML objects
YAML_OBJ_VISIBILITY = {'applicable_to': ['all'],
'comment': '',
'score_logbook':
[
{'date': None,
'score': 0,
'comment': '',
'auto_generated': True}
]
}
YAML_OBJ_DETECTION = {'applicable_to': ['all'],
'location': [''],
'comment': '',
'score_logbook':
[
{'date': None,
'score': -1,
'comment': ''}
]}
YAML_OBJ_TECHNIQUE = {'technique_id': '',
'technique_name': '',
'detection': [YAML_OBJ_DETECTION],
'visibility': []}
# EQL
EQL_INVALID_RESULT_DS = '[!] Invalid data source administration content. Check your EQL query to return data_sources object(s):'
EQL_INVALID_RESULT_TECH = '[!] Invalid technique administration content. Check your EQL query to return '
# Health text
HEALTH_ERROR_TXT = '[!] The below YAML file contains possible errors. It\'s recommended to check via the ' \
'\'--health\' argument: \n - '
PLATFORMS_ENTERPRISE = {'pre': 'PRE', 'windows': 'Windows', 'macos': 'macOS', 'linux': 'Linux', 'office 365': 'Office 365',
'azure ad': 'Azure AD', 'google workspace': 'Google Workspace', 'iaas': 'IaaS', 'saas': 'SaaS',
'network': 'Network', 'containers': 'Containers'}
PLATFORMS_ICS = {'control server': 'Control Server', 'data historian': 'Data Historian', 'device configuration/parameters': 'Device Configuration/Parameters',
'engineering workstation': 'Engineering Workstation', 'field controller/rtu/plc/ied': 'Field Controller/RTU/PLC/IED',
'human-machine interface': 'Human-Machine Interface', 'input/output server': 'Input/Output Server',
'safety instrumented system/protection relay': 'Safety Instrumented System/Protection Relay', 'none': 'None'}
PLATFORMS_MOBILE = {'android': 'Android', 'ios': 'iOS'}
DATA_SOURCES_ATTACK_V8 = set(['Access tokens', 'Anti-virus', 'API monitoring', 'Application logs', 'Asset management', 'Authentication logs', 'AWS CloudTrail logs', 'AWS OS logs', 'Azure activity logs', 'Azure OS logs', 'Binary file metadata', 'BIOS', 'Browser extensions', 'Component firmware', 'Data loss prevention', 'Detonation chamber', 'Digital certificate logs', 'Disk forensics', 'DLL monitoring', 'DNS records', 'Domain registration', 'EFI', 'Email gateway', 'Environment variable', 'File monitoring', 'GCP audit logs', 'Host network interface', 'Kernel drivers', 'Loaded DLLs', 'Mail server', 'Malware reverse engineering', 'MBR', 'Named Pipes', 'Netflow/Enclave netflow', 'Network device command history',
'Network device configuration', 'Network device logs', 'Network device run-time memory', 'Network intrusion detection system', 'Network protocol analysis', 'OAuth audit logs', 'Office 365 account logs', 'Office 365 audit logs', 'Office 365 trace logs', 'Packet capture', 'PowerShell logs', 'Process command-line parameters', 'Process monitoring', 'Process use of network', 'Sensor health and status', 'Services', 'Social media monitoring', 'SSL/TLS certificates', 'SSL/TLS inspection', 'Stackdriver logs', 'System calls', 'Third-party application logs', 'User interface', 'VBR', 'Web application firewall logs', 'Web logs', 'Web proxy', 'Windows Error Reporting', 'Windows event logs', 'Windows Registry', 'WMI Objects'])
DETTECT_DATA_SOURCES = {}
with open(os.path.dirname(__file__) + '/data/dettect_data_sources.json', 'r') as input_file:
DETTECT_DATA_SOURCES = json.load(input_file)
DATA_SOURCES_ENTERPRISE = {}
DATA_SOURCES_ICS = {}
DATA_SOURCES_MOBILE = {}
DETTECT_DATA_SOURCES_PLATFORMS_ENTERPRISE = {}
DETTECT_DATA_SOURCES_PLATFORMS_ICS = {}
DETTECT_DATA_SOURCES_PLATFORMS_MOBILE = {}
with open(os.path.dirname(__file__) + '/data/data_source_platforms.json', 'r') as input_file:
input_data = json.load(input_file)
DATA_SOURCES_ENTERPRISE = input_data['ATT&CK-Enterprise']
DATA_SOURCES_ICS = input_data['ATT&CK-ICS']
DATA_SOURCES_MOBILE = input_data['ATT&CK-Mobile']
DETTECT_DATA_SOURCES_PLATFORMS_ENTERPRISE = input_data['DeTT&CT-Enterprise']
DETTECT_DATA_SOURCES_PLATFORMS_ICS = input_data['DeTT&CT-ICS']
DETTECT_DATA_SOURCES_PLATFORMS_MOBILE = input_data['DeTT&CT-Mobile']
LAYER_SETTINGS = {'showAggregateScores': ['True', 'False'], 'layout': ['side', 'flat', 'mini'], 'showMetadata': ['True', 'False']}
LAYER_LAYOUT_SETTINGS = ['showAggregateScores', 'layout', 'showMetadata']