--
-- +-------------------------------------------------------------------------------------------------------------------+
-- | Relational Data Model (SQLite) for MITRE ATT&CK™ Data |
-- +-------------------------------------------------------------------------------------------------------------------+
-- | AUTHOR : NADER SHALABI |
-- | www.cyber-distance.com |
-- +-------------------------------------------------------------------------------------------------------------------+
--
-- One row per alias of a STIX object. The owner is referenced through
-- fk_object_id by convention only; no FOREIGN KEY constraint is declared.
CREATE TABLE aliases
(
    fk_object_id VARCHAR,
    alias        VARCHAR
);
-- Links an atomic test group to an ATT&CK technique (by internal id and
-- by external id such as the T-number). No key constraints are declared.
CREATE TABLE atomic_attack
(
    id                    VARCHAR,
    fk_attack_id          VARCHAR,
    fk_attack_external_id VARCHAR,
    display_name          VARCHAR
);
-- One atomic test belonging to an atomic_attack row. The platform columns
-- (windows .. android) are stored as text flags; the executor columns hold
-- the test's runner name and its command text. executor_command is imported
-- content, so consumers should treat it as data to display, not as trusted
-- input to run without review (presumably sourced from test definitions —
-- confirm with the loader).
CREATE TABLE atomic_attack_test
(
    id                  VARCHAR,
    fk_atomic_attack_id VARCHAR,
    name                VARCHAR,
    description         VARCHAR,
    -- platform applicability flags
    windows             VARCHAR,
    linux               VARCHAR,
    macos               VARCHAR,
    office_365          VARCHAR,
    azure_ad            VARCHAR,
    azure               VARCHAR,
    gcp                 VARCHAR,
    aws                 VARCHAR,
    saas                VARCHAR,
    android             VARCHAR,
    -- executor
    executor_name       VARCHAR,
    executor_command    VARCHAR
);
-- Input argument of an atomic test (name, type and default value, all text).
CREATE TABLE atomic_input_arguments
(
    id                       VARCHAR,
    fk_atomic_attack_test_id VARCHAR,
    name                     VARCHAR,
    description              VARCHAR,
    input_type               VARCHAR,
    default_value            VARCHAR
);
-- A STIX bundle; spec_version defaults to '2.0' when not supplied.
CREATE TABLE bundle
(
    id           VARCHAR,
    spec_version VARCHAR DEFAULT '2.0'
);
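-- An adversary-emulation plan attached to a bundle via fk_bundle_id.
-- Dates and timestamps are stored as text; no FOREIGN KEY constraints
-- are declared.
CREATE TABLE emulation_plan
(
    id             VARCHAR,
    fk_bundle_id   VARCHAR,
    created_by_ref VARCHAR,
    name           VARCHAR,
    description    VARCHAR,
    created        VARCHAR,
    modified       VARCHAR,
    start_date     VARCHAR,
    end_date       VARCHAR,
    revoked        VARCHAR,
    -- Single-quoted string literal: the original double-quoted default only
    -- worked through SQLite's legacy double-quoted-string misfeature, which
    -- builds compiled with SQLITE_DQS=0 reject.
    marked_color   VARCHAR DEFAULT '#c0dcc0'
);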
-- Free-form tag (with a display colour) attached to an emulation plan.
CREATE TABLE emulation_plan_tags
(
    id                   VARCHAR,
    fk_emulation_plan_id VARCHAR,
    tag                  VARCHAR,
    tag_color            VARCHAR
);
-- External reference (URL, source name, external id) of a STIX object.
CREATE TABLE external_references
(
    fk_object_id VARCHAR,
    url          VARCHAR,
    source_name  VARCHAR,
    external_id  VARCHAR,
    description  VARCHAR
);
-- One stated goal of an intrusion set.
CREATE TABLE goals
(
    fk_intrusion_set_id VARCHAR,
    goal                VARCHAR
);
-- Granular marking: a marking definition applied to part of an object,
-- identified by selector.
CREATE TABLE granular_markings
(
    fk_object_id             VARCHAR,
    fk_marking_definition_id VARCHAR,
    selector                 VARCHAR
);
-- Secondary motivation of an intrusion set (one row per value).
CREATE TABLE intrusion_set_secondary_motivations
(
    fk_intrusion_set_id  VARCHAR,
    secondary_motivation VARCHAR
);
-- Kill-chain phase of an object (kill chain name plus phase name).
CREATE TABLE kill_chain_phases
(
    fk_object_id    VARCHAR,
    kill_chain_name VARCHAR,
    phase_name      VARCHAR
);
-- Label attached to an object (one row per label).
CREATE TABLE labels
(
    fk_object_id VARCHAR,
    label        VARCHAR
);
-- STIX marking definition (e.g. a statement or TLP marking) in a bundle.
CREATE TABLE marking_definition
(
    id                          VARCHAR,
    fk_bundle_id                VARCHAR,
    definition_type             VARCHAR,
    definition                  VARCHAR,
    created_by_ref              VARCHAR,
    created                     VARCHAR,
    x_mitre_attack_spec_version VARCHAR
);
-- Object-level marking: which marking definitions apply to an object.
CREATE TABLE object_marking_refs
(
    fk_object_id             VARCHAR,
    fk_marking_definition_id VARCHAR
);
-- Lookup of platform names, joined to objects via sdos_object_platforms.
CREATE TABLE platforms
(
    id            VARCHAR,
    platform_name VARCHAR
);
-- STIX relationship object. source_ref/target_ref hold the related object
-- ids and *_ref_type their STIX types; the x_mitre_* columns carry MITRE
-- extension fields. All values are stored as text.
CREATE TABLE relationship
(
    id                          VARCHAR,
    fk_bundle_id                VARCHAR,
    relationship_type           VARCHAR,
    description                 VARCHAR,
    -- endpoints
    source_ref                  VARCHAR,
    source_ref_type             VARCHAR,
    target_ref                  VARCHAR,
    target_ref_type             VARCHAR,
    object_marking_refs         VARCHAR,
    -- provenance
    created                     VARCHAR,
    created_by_ref              VARCHAR,
    modified                    VARCHAR,
    x_mitre_version             VARCHAR,
    x_mitre_modified_by_ref     VARCHAR,
    revoked                     VARCHAR,
    x_mitre_deprecated          VARCHAR,
    x_mitre_attack_spec_version VARCHAR
);
-- Objects referenced by a report, with the referenced object's type.
CREATE TABLE report_object_refs
(
    fk_report_id          VARCHAR,
    fk_object_id          VARCHAR,
    object_reference_type VARCHAR
);
-- Single wide table holding every STIX Domain Object of a bundle; the
-- `type` column says which kind a row is, and columns that do not apply to
-- that kind are simply left NULL. Platform applicability is flattened into
-- one x_mitre_platforms_* column per platform. Everything is stored as text.
CREATE TABLE sdos_object
(
    id                                                            VARCHAR,
    fk_bundle_id                                                  VARCHAR,
    created_by_ref                                                VARCHAR,
    created                                                       VARCHAR,
    modified                                                      VARCHAR,
    object_marking_refs                                           VARCHAR,
    revoked                                                       VARCHAR,
    name                                                          VARCHAR,
    description                                                   VARCHAR,
    type                                                          VARCHAR,
    -- kind-specific STIX fields (NULL where not applicable)
    first_seen                                                    VARCHAR,
    last_seen                                                     VARCHAR,
    objective                                                     VARCHAR,
    identity_class                                                VARCHAR,
    contact_information                                           VARCHAR,
    pattern                                                       VARCHAR,
    valid_from                                                    VARCHAR,
    valid_until                                                   VARCHAR,
    resource_level                                                VARCHAR,
    primary_motivation                                            VARCHAR,
    first_observed                                                VARCHAR,
    last_observed                                                 VARCHAR,
    number_observed                                               VARCHAR,
    published                                                     VARCHAR,
    sophistication                                                VARCHAR,
    tool_version                                                  VARCHAR,
    count                                                         VARCHAR,
    sighting_of_ref                                               VARCHAR,
    sighting_of_ref_type                                          VARCHAR,
    summary                                                       VARCHAR,
    -- flattened platform flags
    x_mitre_platforms_windows                                     VARCHAR,
    x_mitre_platforms_network                                     VARCHAR,
    x_mitre_platforms_linux                                       VARCHAR,
    x_mitre_platforms_macOS                                       VARCHAR,
    x_mitre_platforms_android                                     VARCHAR,
    x_mitre_platforms_containers                                  VARCHAR,
    x_mitre_platforms_iaas                                        VARCHAR,
    x_mitre_platforms_ios                                         VARCHAR,
    x_mitre_platforms_field_controller_rtu_plc_ied                VARCHAR,
    x_mitre_platforms_engineering_workstation                     VARCHAR,
    x_mitre_platforms_office_365                                  VARCHAR,
    x_mitre_platforms_azure_ad                                    VARCHAR,
    x_mitre_platforms_pre                                         VARCHAR,
    x_mitre_platforms_saas                                        VARCHAR,
    x_mitre_platforms_google_workspace                            VARCHAR,
    x_mitre_platforms_safety_instrumented_system_protection_relay VARCHAR,
    x_mitre_platforms_none                                        VARCHAR,
    x_mitre_platforms_human_machine_interface                     VARCHAR,
    x_mitre_platforms_control_server                              VARCHAR,
    x_mitre_platforms_data_historian                              VARCHAR,
    x_mitre_platforms_input_output_server                         VARCHAR,
    -- other MITRE extension fields
    x_mitre_system_requirements                                   VARCHAR,
    x_mitre_remote_support                                        VARCHAR,
    x_mitre_network_requirements                                  VARCHAR,
    x_mitre_detection                                             VARCHAR,
    x_mitre_version                                               VARCHAR,
    x_mitre_is_subtechnique                                       VARCHAR,
    x_mitre_first_seen_citation                                   VARCHAR,
    x_mitre_last_seen_citation                                    VARCHAR,
    x_mitre_deprecated                                            VARCHAR,
    x_mitre_attack_spec_version                                   VARCHAR,
    x_mitre_modified_by_ref                                       VARCHAR,
    x_mitre_data_source_ref                                       VARCHAR
);
-- Junction between sdos_object and platforms.
CREATE TABLE sdos_object_platforms
(
    fk_platforms_id   VARCHAR,
    fk_sdos_object_id VARCHAR
);
-- Key/value table with untyped columns. NOTE(review): its name and shape
-- match the `_config` shadow table that the FTS5 virtual table
-- `search_database` (created at the end of this file) maintains itself;
-- confirm that declaring it explicitly does not conflict when the script
-- is replayed on an empty database.
CREATE TABLE search_database_config
(
    k NOT NULL PRIMARY KEY,
    v
)
WITHOUT ROWID;
-- Untyped columns c0..c3. NOTE(review): looks like the `_content` shadow
-- table of the FTS5 virtual table `search_database` (four indexed columns);
-- confirm that declaring it explicitly does not conflict with the virtual
-- table creation at the end of this file.
CREATE TABLE search_database_content
(
    id INTEGER PRIMARY KEY,
    c0,
    c1,
    c2,
    c3
);
-- Integer-keyed BLOB store. NOTE(review): looks like the `_data` shadow
-- table of the FTS5 virtual table `search_database`; confirm it is meant
-- to be declared explicitly.
CREATE TABLE search_database_data
(
    id    INTEGER PRIMARY KEY,
    block BLOB
);
-- Integer-keyed BLOB store. NOTE(review): looks like the `_docsize` shadow
-- table of the FTS5 virtual table `search_database`; confirm it is meant
-- to be declared explicitly.
CREATE TABLE search_database_docsize
(
    id INTEGER PRIMARY KEY,
    sz BLOB
);
-- Composite-key (segid, term) table with untyped columns. NOTE(review):
-- looks like the `_idx` shadow table of the FTS5 virtual table
-- `search_database`; confirm it is meant to be declared explicitly.
CREATE TABLE search_database_idx
(
    segid NOT NULL,
    term  NOT NULL,
    pgno,
    PRIMARY KEY (segid, term)
)
WITHOUT ROWID;
-- Industry sector of an identity object (one row per sector).
CREATE TABLE sectors
(
    fk_identity_id VARCHAR,
    sector         VARCHAR
);
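-- A testing guideline that belongs to an emulation plan, together with the
-- outcome fields filled in after execution (result, detected_ioc,
-- lessons_learned). All columns are text; no FOREIGN KEY constraints are
-- declared.
CREATE TABLE testing_guideline
(
    id                   VARCHAR,
    fk_emulation_plan_id VARCHAR,
    name                 VARCHAR,
    description          VARCHAR,
    framework            VARCHAR,
    implementation       VARCHAR,
    -- outcome fields
    result               VARCHAR,
    detected_ioc         VARCHAR,
    lessons_learned      VARCHAR,
    revoked              VARCHAR,
    -- Single-quoted string literals: the original double-quoted defaults
    -- only worked through SQLite's legacy double-quoted-string misfeature,
    -- which builds compiled with SQLITE_DQS=0 reject.
    test_completed       VARCHAR DEFAULT 'false',  -- stored as text, not BOOLEAN
    order_no             VARCHAR DEFAULT '',       -- stored as text; ordering is lexical
    marked_color         VARCHAR DEFAULT '#a6caf0'
);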
-- Free-form tag (with a display colour) attached to a testing guideline.
CREATE TABLE testing_guideline_tags
(
    id                      VARCHAR,
    fk_testing_guideline_id VARCHAR,
    tag                     VARCHAR,
    tag_color               VARCHAR
);
-- Links a testing guideline to an ATT&CK technique by internal and
-- external id.
CREATE TABLE testing_guideline_technique
(
    id                      VARCHAR,
    fk_testing_guideline_id VARCHAR,
    fk_attack_id            VARCHAR,
    fk_attack_external_id   VARCHAR
);
-- An in-scope test target (addresses, hostname, owner, type). This is
-- engagement inventory, so a database file containing it should be
-- access-controlled like the rest of the engagement's scope data.
CREATE TABLE testing_target
(
    id            VARCHAR,
    ip_v4_address VARCHAR,
    ip_v6_address VARCHAR,
    hostname      VARCHAR,
    tag           VARCHAR,
    owner         VARCHAR,
    type          VARCHAR
);
-- Junction between testing_target and testing_guideline.
CREATE TABLE testing_target_guideline
(
    id                      VARCHAR,
    fk_target_id            VARCHAR,
    fk_testing_guideline_id VARCHAR
);
-- Personal motivation of a threat actor (one row per value).
CREATE TABLE threat_actor_personal_motivations
(
    fk_threat_actor_id  VARCHAR,
    personal_motivation VARCHAR
);
-- Secondary motivation of a threat actor (one row per value).
CREATE TABLE threat_actor_secondary_motivations
(
    fk_threat_actor_id   VARCHAR,
    secondary_motivation VARCHAR
);
-- MITRE-extension alias of an object (one row per alias).
CREATE TABLE x_mitre_aliases
(
    fk_object_id  VARCHAR,
    x_mitre_alias VARCHAR
);
-- Collection layer of a data source object (one row per layer).
CREATE TABLE x_mitre_collection_layers
(
    fk_object_id VARCHAR,
    layer        VARCHAR
);
-- Contributor credited on an object (one row per contributor).
CREATE TABLE x_mitre_contributors
(
    fk_object_id        VARCHAR,
    x_mitre_contributor VARCHAR
);
-- Data source named by an object (one row per data source).
CREATE TABLE x_mitre_data_sources
(
    fk_object_id        VARCHAR,
    x_mitre_data_source VARCHAR
);
-- Defense bypassed by a technique (one row per defense).
CREATE TABLE x_mitre_defenses_bypassed
(
    fk_object_id             VARCHAR,
    x_mitre_defense_bypassed VARCHAR
);
-- ATT&CK domain an object belongs to (one row per domain).
CREATE TABLE x_mitre_domains
(
    fk_object_id   VARCHAR,
    x_mitre_domain VARCHAR
);
-- Effective permission level gained by a technique (one row per value).
CREATE TABLE x_mitre_effective_permissions
(
    fk_object_id                VARCHAR,
    x_mitre_effective_permission VARCHAR
);
-- Permission level a technique requires (one row per value).
CREATE TABLE x_mitre_permissions_required
(
    fk_object_id                VARCHAR,
    x_mitre_permission_required VARCHAR
);
-- Full-text index over denormalised text pulled from the other tables:
-- object_id/source_table/source_column say where search_result came from.
-- NOTE(review): FTS5 maintains shadow tables named search_database_config,
-- _content, _data, _docsize and _idx for this virtual table; plain tables
-- with those names are also declared earlier in this file — confirm the
-- intended creation order on an empty database.
CREATE VIRTUAL TABLE search_database USING FTS5
(
    object_id,
    source_table,
    source_column,
    search_result
);