public AttackCTI(string Url)
{
CTIRoot AllAttack;
string json;
if (String.IsNullOrEmpty(Program.Arguments.AttackPath))
{
using (var w = new WebClient())
{
try
{
// Need to find a way to switch to MITRE TAXII server instead of the json file
PrintUtils.Warning("Pulling latest ATT&CK matrix data from github.com/mitre/cti");
json = w.DownloadString(Url);
}
catch
{
throw new Exception("Unable to obtain latest Mitre Att&CK information. Please ensure that the device is connected to the internet. Consider using the -AttackPath flag to point to the file on disk");
}
}
}
else
{
try
{
PrintUtils.Warning($"Pulling latest ATT&CK matrix data from {Program.Arguments.AttackPath}");
json = File.ReadAllText(Program.Arguments.AttackPath);
}
catch (Exception ex)
{
throw new Exception($"Unable to read {Program.Arguments.AttackPath} due to: {ex.Message}");
}
}
try
{
var JSON = new JavaScriptSerializer();
JSON.MaxJsonLength = int.MaxValue;
AllAttack = JSON.Deserialize <CTIRoot>(json);
}
catch (Exception ex)
{
throw new Exception("ATT&CK Json deserialiazation failed");
}
Technique[] items = AllAttack.objects;
// Filtering all techniques
var AllTechniques = items.Where(o => o.type == "attack-pattern" && o.revoked == false);
// Getting all win techniques
WindowsTechniques = AllTechniques.Where(o => o.x_mitre_platforms.Contains("Windows"));
// Getting all windows mitigations
MitigationRelationships = items.Where(o => o.type == "relationship" && o.relationship_type == "mitigates");
Mitigations = items.Where(o => o.type == "course-of-action");
AllAttack = null;
items = null;
}
public static void Main(string[] args)
{
/////////////////////
/// Initial setup ///
/////////////////////
PrintUtils.DisableConsoleQuickEdit();
Console.OutputEncoding = System.Text.Encoding.UTF8;
// Arg Parsing
try
{
Arguments = new MitigateArgumentParser(args);
}
catch (Exception ex)
{
PrintUtils.Error(ex.Message);
MitigateArgumentParser.PrintUsage();
Environment.Exit(1);
}
PrintUtils.PrintBanner();
PrintUtils.PrintInit(version);
PrintUtils.PrintLegend();
IsDomainJoined = SystemUtils.IsDomainJoined();
// Check if it's running as admin
if (!UserUtils.IsItRunningAsAdmin())
{
PrintUtils.Warning("Mitigate is not running as an administrator." +
" This might restrict its ability to perform the necessary checks");
}
AttackCTI ATTCK = null;
Navigator navigator = null;
// Pulling ATT&CK json from GitHub
try
{
ATTCK = new AttackCTI(AttackUrl);
navigator = new Navigator();
}
catch (Exception ex)
{
PrintUtils.Error(ex.Message);
Environment.Exit(1);
}
// Getting some user info and deciding the user for least priv checks
PrintUtils.Warning("Collecting some machine information. This might take some time...");
if (!string.IsNullOrEmpty(Arguments.Username))
{
try
{
UserToCheck = UserUtils.GetUser(Arguments.Username);
SIDsToCheck = UserUtils.GetGroups(UserToCheck);
}
catch (Exception ex)
{
PrintUtils.Error(ex.Message);
Environment.Exit(1);
}
}
else
{
try
{
UserToCheck = UserUtils.GetLastLoggedInUser();
SIDsToCheck = UserUtils.GetGroups(UserToCheck);
}
catch (Exception ex)
{
PrintUtils.Error(ex.Message);
Environment.Exit(1);
}
}
PrintUtils.Warning($"Least privilege checks will be performed for user {UserToCheck.SamAccountName}");
/////////////////
/// Main Loop ///
/////////////////
// Keeping track on tested techniques to stop from testing twice
HashSet <string> TestedTechniques = new HashSet <string>();
// For all tactics
foreach (string tactic in ATTCK.GetAllTactics())
{
PrintUtils.PrintTactic(tactic);
// For all techniques
foreach (Technique technique in ATTCK.GetRootTechniquesByTactic(tactic))
{
// Check if the technique has been already tested
if (TestedTechniques.Contains(technique.GetID()))
{
// If it has:
continue;
}
TestedTechniques.Add(technique.GetID());
var subtechniques = ATTCK.GetSubTechniquesByTechnique(technique);
// Does it have subtechniques?
if (subtechniques.Count() > 0)
{
// Subtechniques found. Handle them
Tests.Execute(technique, subtechniques, navigator, ATTCK);
}
else
{
// No subtechniques. Just handle root technique
Tests.Execute(technique, navigator, ATTCK);
}
}
}
// Exporting the file for the navigator
navigator.ToJSON(Arguments.OutFile);
if (Arguments.ExportCoverage)
{
navigator.ExportCoverage("Coverage.json");
}
}