v1.1
- Technique administration YAML file version 1.1
New version (1.1) of the technique administration YAML file introducing the following improvements:
- A technique can now have multiple `detection` and `visibility` objects. This allows you to have more detailed scores for different types of systems by making use of the new key-value pair `applicable_to`.
- Added the key-value pair `applicable_to` to the `detection` and `visibility` objects. This allows you to specify a list of the type of system(s) to which the object applies. For example: crown jewel X, endpoints, etc. You can use the value `['all']` to have the detection or visibility apply to all types of systems.
- Added the key-value pair `technique_name`, containing the technique's name (e.g. "Process Injection"), to every technique ID.
Older technique administration files can be automatically upgraded to this new version. DeTT&CT will prompt you to do so if an upgrade is available.
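The following is an added example and not DeTT&CT's own code. It illustrates the two changes above on constructed data: a v1.0-style technique (one `detection` and one `visibility` mapping per technique, no `applicable_to`, no `technique_name`) is rewritten into the v1.1 layout (a list of objects, each marked `applicable_to: ['all']`), and a v1.1 technique with several objects is scored per type of system. The input dicts stand in for what `yaml.safe_load()` would return for the YAML files; `upgrade_to_v11`, `score_for`, the name lookup, and every key other than `detection`, `visibility`, `applicable_to`, `technique_name` and `score` are assumptions made for this example, not the project's real schema or upgrade routine.

```python
# Added example, not DeTT&CT's own code: a minimal illustration of the
# v1.0 -> v1.1 technique-administration upgrade and of per-system scoring
# with `applicable_to`. The inputs are constructed dicts (what yaml.safe_load()
# would return); keys other than detection, visibility, applicable_to,
# technique_name and score are assumptions, not the real schema.
from copy import deepcopy

# Constructed v1.0-style administration: one detection and one visibility
# mapping per technique. The visibility 'score' key is present but has no
# value, the situation named under bug fixes below.
ADMIN_V10 = {
    "version": 1.0,
    "techniques": [
        {
            "technique_id": "T1055",
            "detection": {"score": 3, "comment": "EDR process-injection rule"},
            "visibility": {"score": None, "comment": ""},
        }
    ],
}

# Constructed lookup of technique names (DeTT&CT takes these from ATT&CK;
# the lookup itself is an assumption of this example).
TECHNIQUE_NAMES = {"T1055": "Process Injection", "T1003": "OS Credential Dumping"}

# Constructed v1.1-style technique with several scored objects per key.
TECHNIQUE_V11 = {
    "technique_id": "T1003",
    "technique_name": "OS Credential Dumping",
    "detection": [
        {"applicable_to": ["all"], "score": 1},
        {"applicable_to": ["crown jewel X"], "score": 4},
    ],
    "visibility": [
        {"applicable_to": ["endpoints"], "score": 3},
    ],
}


def upgrade_to_v11(admin, technique_names):
    """Return a copy of a v1.0 administration in the v1.1 layout.

    Each single detection/visibility mapping becomes a one-element list whose
    object is marked applicable_to ['all'], and technique_name is filled in
    from the lookup. A v1.1 input is returned unchanged apart from the copy.
    """
    new = deepcopy(admin)
    if float(new.get("version", 1.0)) >= 1.1:
        return new
    for tech in new.get("techniques", []):
        tech["technique_name"] = technique_names.get(tech["technique_id"], "")
        for key in ("detection", "visibility"):
            obj = tech.get(key)
            if obj is None:                 # key missing entirely
                obj = {"score": None}
            if isinstance(obj, dict):       # v1.0: a single mapping
                obj.setdefault("applicable_to", ["all"])
                tech[key] = [obj]
    new["version"] = 1.1
    return new


def score_for(technique, key, system):
    """Score of `key` (detection or visibility) that applies to `system`.

    An object that lists the system explicitly wins over one marked 'all';
    if several match at the same level, the highest score is taken. A score
    key with no value counts as 0 instead of raising (the 'score had no value
    assigned' crash). None means no object applies to the system at all.
    """
    specific, generic = None, None
    for obj in technique.get(key, []):
        targets = obj.get("applicable_to") or []
        score = obj.get("score")
        score = 0 if score is None else int(score)
        if system in targets:
            specific = score if specific is None else max(specific, score)
        elif "all" in targets:
            generic = score if generic is None else max(generic, score)
    return specific if specific is not None else generic


if __name__ == "__main__":
    upgraded = upgrade_to_v11(ADMIN_V10, TECHNIQUE_NAMES)
    print(upgraded["techniques"][0])
    for system in ("endpoints", "crown jewel X", "servers"):
        print(system,
              score_for(TECHNIQUE_V11, "detection", system),
              score_for(TECHNIQUE_V11, "visibility", system))
```

The precedence rule in `score_for` (an explicit system match beats `'all'`) is this example's choice for resolving overlapping objects; when you write your own administration files, keeping each system in exactly one object avoids relying on any such rule.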
- Excel output
It is now possible to export your technique administration for visibility and detections to Excel:
python dettect.py d -ft sample-data/techniques-administration-endpoints.yaml -fd sample-data/data-sources-endpoints.yaml --excel
File written: output/techniques.xlsx
- Several smaller improvements
- The detection and visibility layer file contains a score to allow sorting within the ATT&CK Navigator.
- Added a score for detection/visibility when overlaid with a group to improve the visual comparison.
- The ATT&CK Navigator's legend is improved when overlaying detection or visibility on a group.
- Added colours to the Excel output to visualise the scores for data source quality, visibility and detections.
- The interactive menu now remembers the selected path of a YAML administration file.
- Added a more detailed error message for invalid YAML files.
- Constants have been moved to their own file `constants.py`.
- Bug fixes
- Fixed a bug reported by @tuckner (issue #3: product list not appending for the visibility ATT&CK layer).
- Fixed a bug that would cause a crash when doing a software-group overlay combined with a visibility or detection overlay.
- Fixed a bug that would cause a crash when the YAML 'score' key-value pair had no value assigned.