Exemple #1
0
        public AttackCTI(string Url)
        {
            CTIRoot AllAttack;
            string  json;

            if (String.IsNullOrEmpty(Program.Arguments.AttackPath))
            {
                using (var w = new WebClient())
                {
                    try
                    {
                        // Need to find a way to switch to MITRE TAXII server instead of the json file
                        PrintUtils.Warning("Pulling latest ATT&CK matrix data from github.com/mitre/cti");
                        json = w.DownloadString(Url);
                    }
                    catch
                    {
                        throw new Exception("Unable to obtain latest Mitre Att&CK information. Please ensure that the device is connected to the internet. Consider using the -AttackPath flag to point to the file on disk");
                    }
                }
            }
            else
            {
                try
                {
                    PrintUtils.Warning($"Pulling latest ATT&CK matrix data from {Program.Arguments.AttackPath}");
                    json = File.ReadAllText(Program.Arguments.AttackPath);
                }
                catch (Exception ex)
                {
                    throw new Exception($"Unable to read {Program.Arguments.AttackPath} due to: {ex.Message}");
                }
            }

            try
            {
                var JSON = new JavaScriptSerializer();
                JSON.MaxJsonLength = int.MaxValue;
                AllAttack          = JSON.Deserialize <CTIRoot>(json);
            }
            catch (Exception ex)
            {
                throw new Exception("ATT&CK Json deserialiazation failed");
            }

            Technique[] items = AllAttack.objects;
            // Filtering all techniques
            var AllTechniques = items.Where(o => o.type == "attack-pattern" && o.revoked == false);

            // Getting all win techniques
            WindowsTechniques = AllTechniques.Where(o => o.x_mitre_platforms.Contains("Windows"));
            // Getting all windows mitigations
            MitigationRelationships = items.Where(o => o.type == "relationship" && o.relationship_type == "mitigates");
            Mitigations             = items.Where(o => o.type == "course-of-action");
            AllAttack = null;
            items     = null;
        }
Exemple #2
0
        public static void Main(string[] args)
        {
            /////////////////////
            /// Initial setup ///
            /////////////////////
            PrintUtils.DisableConsoleQuickEdit();
            Console.OutputEncoding = System.Text.Encoding.UTF8;
            // Arg Parsing
            try
            {
                Arguments = new MitigateArgumentParser(args);
            }
            catch (Exception ex)
            {
                PrintUtils.Error(ex.Message);
                MitigateArgumentParser.PrintUsage();
                Environment.Exit(1);
            }

            PrintUtils.PrintBanner();
            PrintUtils.PrintInit(version);
            PrintUtils.PrintLegend();
            IsDomainJoined = SystemUtils.IsDomainJoined();

            // Check if it's running as admin
            if (!UserUtils.IsItRunningAsAdmin())
            {
                PrintUtils.Warning("Mitigate is not running as an administrator." +
                                   " This might restrict its ability to perform the necessary checks");
            }
            AttackCTI ATTCK     = null;
            Navigator navigator = null;

            // Pulling ATT&CK json from GitHub
            try
            {
                ATTCK     = new AttackCTI(AttackUrl);
                navigator = new Navigator();
            }
            catch (Exception ex)
            {
                PrintUtils.Error(ex.Message);
                Environment.Exit(1);
            }
            // Getting some user info and deciding the user for least priv checks
            PrintUtils.Warning("Collecting some machine information. This might take some time...");
            if (!string.IsNullOrEmpty(Arguments.Username))
            {
                try
                {
                    UserToCheck = UserUtils.GetUser(Arguments.Username);
                    SIDsToCheck = UserUtils.GetGroups(UserToCheck);
                }
                catch (Exception ex)
                {
                    PrintUtils.Error(ex.Message);
                    Environment.Exit(1);
                }
            }
            else
            {
                try
                {
                    UserToCheck = UserUtils.GetLastLoggedInUser();
                    SIDsToCheck = UserUtils.GetGroups(UserToCheck);
                }
                catch (Exception ex)
                {
                    PrintUtils.Error(ex.Message);
                    Environment.Exit(1);
                }
            }
            PrintUtils.Warning($"Least privilege checks will be performed for user {UserToCheck.SamAccountName}");
            /////////////////
            /// Main Loop ///
            /////////////////

            // Keeping track on tested techniques to stop from testing twice
            HashSet <string> TestedTechniques = new HashSet <string>();

            // For all tactics
            foreach (string tactic in ATTCK.GetAllTactics())
            {
                PrintUtils.PrintTactic(tactic);
                // For all techniques
                foreach (Technique technique in ATTCK.GetRootTechniquesByTactic(tactic))
                {
                    // Check if the technique has been already tested
                    if (TestedTechniques.Contains(technique.GetID()))
                    {
                        // If it has:
                        continue;
                    }
                    TestedTechniques.Add(technique.GetID());
                    var subtechniques = ATTCK.GetSubTechniquesByTechnique(technique);
                    // Does it have subtechniques?
                    if (subtechniques.Count() > 0)
                    {
                        // Subtechniques found. Handle them
                        Tests.Execute(technique, subtechniques, navigator, ATTCK);
                    }
                    else
                    {
                        // No subtechniques. Just handle root technique
                        Tests.Execute(technique, navigator, ATTCK);
                    }
                }
            }

            // Exporting the file for the navigator
            navigator.ToJSON(Arguments.OutFile);
            if (Arguments.ExportCoverage)
            {
                navigator.ExportCoverage("Coverage.json");
            }
        }