While helping clients that chose to work on coverage of the “ATT&CK” framework I found myself lacking a solid way to represent their options, which led me to the following approach.
I wanted to create a tool to see what is already potentially possible with the available data and what data should be onboarded to cover certain techniques, if possible.
Nearly all techniques state one or more data sources. This is still very generic in terms of dealing with logs, so I made an attempt at adding that layer. I wanted to create something everyone on a normal Windows box is able to run, without having to install additional software.
I’ve ended up with a toolkit that consists of an Excel file and a PowerShell module, which can be downloaded here
This tool is developed by me and has no affiliation with “MITRE” nor with its great “ATT&CK” team. It is developed with the intention to ease the mapping of data sources to assess one’s potential coverage.
These scores depict the potential value of the data source in finding more information about the technique; not everything is useful for detection rules. Some will be more useful for hunting, or even only in incident response.
This assessment will not be all-covering, nor will it be super exact on all levels. In favor of usability I’ve made the choice not to add weights to each individual event per technique, as this would make it unusable for most people.
Opening the file will take you to the DataSourceEvents worksheet. This is the most important page of the document in terms of scoring and maintaining.
The sheet contains the DataSource and Events, of which you can add as many as you like. Next to that are three subscores for Completeness, Timeliness and Availability, which result in the score for that Event.
Scoring your events is relatively straightforward; the legend is also included in the document on the RatingLegend page. I’ve tried to make this as simple as possible by using a 0–5 system. The total score is based on (2 * Completeness + Timeliness + 2 * Availability) / 5. My rationale is that timeliness is less crucial than the other two, but should obviously be accounted for in the creation of hunts or detection rules.
Since not every data source is as important to each individual technique, I decided to rate them by assigning a weight to them on a scale of 0–100, where the total should sum up to 100. This workbook can be edited; the weighting is based on my knowledge and experience. Pull requests with improvements are always welcome.
I’ve been keeping track of a lot of logs; most of the relevant logs I’ve added to a workbook for easy reference.
The PowerShell module
This tool requires the ImportExcel module.
Install it like this:
PS C:\> Install-Module ImportExcel
Import the module with
There are three cmdlets available: Get-ATTACKdata, Invoke-ATTACK-UpdateExcel and Request-ATTACKjson.
This downloads the MITRE ATT&CK Enterprise JSON file.
PS C:\> Get-ATTACKdata -AttackPath ./enterprise-attack.json
The -AttackPath parameter is optional.
This generates all MITRE ATT&CK relevant fields into a table and creates or updates the REF-DataSources worksheet in an Excel sheet.
PS C:\> Invoke-ATTACK-UpdateExcel -AttackPath .\enterprise-attack.json -Excelfile .\mitre_data_assessment.xlsx
The -AttackPath and -Excelfile parameters are optional.
Generates a JSON file to be imported into the ATT&CK Navigator.
Each technique contains DataSources, which are individually scored by me with a weight. The DataSourceEventTypes need to be scored per environment.
This script multiplies the respective DataSource scores and adds them to a total technique score. The generation date is added to the description.
PS C:\> Request-ATTACKjson -Excelfile .\mitre_data_assessment.xlsx -Template .\template.json -Output 2019-03-23-ATTACKcoverage.json
This is all gathered into a JSON file, which can be opened here: MITRE ATT&CK Navigator/enterprise/
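The scoring chain described above (event subscores, data source weights, technique score), as an added example that is not code from the module itself. All event ratings, weights and technique IDs are constructed, and two things are assumptions: a data source scores the mean of its rated events, and weights are applied as percentages so a technique score stays on the 0–5 scale.

```powershell
# Added example: every rating, weight and technique ID below is constructed.
Set-StrictMode -Version Latest

# Event score as described in the post: (2*Completeness + Timeliness + 2*Availability) / 5
function Get-EventScore {
    param(
        [ValidateRange(0, 5)][int]$Completeness,
        [ValidateRange(0, 5)][int]$Timeliness,
        [ValidateRange(0, 5)][int]$Availability
    )
    (2 * $Completeness + $Timeliness + 2 * $Availability) / 5
}

# Constructed event ratings for one environment (C/T/A = the three subscores).
$events = @(
    [pscustomobject]@{ DataSource = 'Process monitoring'; Event = 'Sysmon 1';      C = 5; T = 4; A = 5 }
    [pscustomobject]@{ DataSource = 'Process monitoring'; Event = 'Security 4688'; C = 3; T = 4; A = 5 }
    [pscustomobject]@{ DataSource = 'File monitoring';    Event = 'Sysmon 11';     C = 4; T = 4; A = 2 }
)

# Assumption: a data source scores the mean of its rated events.
$dsScore = @{}
$events | Group-Object DataSource | ForEach-Object {
    $scores = $_.Group | ForEach-Object {
        Get-EventScore -Completeness $_.C -Timeliness $_.T -Availability $_.A
    }
    $dsScore[$_.Name] = ($scores | Measure-Object -Average).Average
}

# Constructed per-technique data source weights; each set must sum to 100.
$techniques = @(
    [pscustomobject]@{ Id = 'T-EXAMPLE-1'; Weights = @{ 'Process monitoring' = 70; 'File monitoring' = 30 } }
    [pscustomobject]@{ Id = 'T-EXAMPLE-2'; Weights = @{ 'Process monitoring' = 40; 'Netflow/Enclave netflow' = 60 } }
)

$layerEntries = foreach ($t in $techniques) {
    $sum = ($t.Weights.Values | Measure-Object -Sum).Sum
    if ($sum -ne 100) { throw "Weights for $($t.Id) sum to $sum, expected 100" }
    $score = 0.0
    foreach ($ds in $t.Weights.Keys) {
        # A data source with no rated events is not onboarded and contributes 0.
        $have = if ($dsScore.ContainsKey($ds)) { $dsScore[$ds] } else { 0 }
        $score += ($t.Weights[$ds] / 100) * $have
    }
    # techniqueID and score are the per-technique fields a Navigator layer uses.
    [pscustomobject]@{ techniqueID = $t.Id; score = [math]::Round($score, 2) }
}
$layerEntries | ConvertTo-Json
```

The second technique shows the gap the assessment is meant to surface: its heaviest data source has no rated events, so most of its weight contributes nothing until that source is onboarded.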