JavierMun/WhoIsWhoAPT

Interrelation of APT groups based on their TTPs. Extraction of APT TTP's layers.
WhoIsWhoAPT (License: GPL v3)

About

WhoIsWhoAPT is a tool whose purpose is to help malware analysts, threat hunters and researchers interrelate the different APT groups (Advanced Persistent Threats) based on the tactics, techniques and procedures (TTPs) that MITRE ATT&CK® (https://attack.mitre.org/) assigns to each group, thus obtaining a relationship index between them. In addition, the tool lets you compare your own TTP sets with the rest of the APTs defined in MITRE, thus obtaining their degree of similarity.

Finally, from a single APT it is possible to generate a layer with its TTPs, and from two APTs a layer in which the TTPs unique to each group and the TTPs they share are shown in different colours. These layers are intended to be opened in the MITRE ATT&CK® Navigator tool (https://mitre-attack.github.io/attack-navigator/), which makes them easy to read, analyse and modify.

Hope you can find my tool useful and if you want to report any bugs, add/suggest new features or ask any questions do not hesitate to contact me on LinkedIn.


Installation

  1. Install Python 3 (and, optionally, create a virtual environment*):
     python3.9 -m venv env
     source env/bin/activate
  2. Download the project:
  • git clone https://github.com/JavierMun/WhoIsWhoAPT
  • Download directly from GitHub*
  3. Install the Python packages:
     python -m pip install -r WhoIsWhoAPT/requirements.txt
  4. Run WhoIsWhoAPT.py

* Note1: The creation of the virtual environment is recommended, although it is not necessary for the tool's execution.

* Note2: Although it is not necessary, I recommend downloading the "resources" folder and its content along with the tool, as it prevents the tool from having to download the latest version of MITRE ATT&CK® and configure the APT database on its first run, an action that can take several minutes.

Usage

Add custom layer

You can add any custom layer to the APT database: create the layer JSON with your custom TTPs in MITRE ATT&CK® Navigator and add it to the resources folder. Name your group of TTPs as you want; that name is the one the tool will use for it.

Add the generated .json file to the resources folder.

Now you can work with your custom "APT".

Commands

-c, --compare <APT Name>
    Compare an APT with all the other APTs.

-v, --versus <APT1 Name> <APT2 Name>
    Compare two APTs and extract the comparison matrix. Default layer colours: APT1 -> Green, APT2 -> Blue, matching TTPs -> Purple.

-l, --layer <APT Name>
    Create a layer with the selected APT's TTPs. Default colour: Green.

-col, --colours <APT1 Colour> <APT2 Colour> <Match Colour>
    Choose the colours with which the data will be represented in the layer. Each must be a colour hex code.
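The three operations the README describes (ingesting a custom Navigator layer from the resources folder, ranking one group against all others, and emitting a two-group "versus" layer with distinct colours) fit together in a short script. The following is an added illustration written for this page, not code from the WhoIsWhoAPT project: the APT database and the custom layer are constructed sample data, the relationship index is assumed to be Jaccard similarity (the README does not state the tool's formula), and the default hex values for green, blue and purple are assumptions. The Navigator layer fields used ("name", "domain", "techniques", "techniqueID", "color", "enabled", "comment") are the standard ones Navigator exports.

```python
import json
import re
from typing import Dict, List, Set, Tuple

# Stand-in for the tool's APT database (group name -> ATT&CK technique IDs).
# CONSTRUCTED sample data for illustration, not real MITRE group mappings.
APT_DB: Dict[str, Set[str]] = {
    "Group A": {"T1566.001", "T1059.001", "T1021.002", "T1486"},
    "Group B": {"T1566.001", "T1059.001", "T1078", "T1003.001"},
    "Group C": {"T1190", "T1105", "T1486"},
}

# A layer as exported by ATT&CK Navigator and dropped into the resources
# folder. CONSTRUCTED example; only the fields this code reads are shown.
CUSTOM_LAYER_JSON = """{
  "name": "My Custom Set",
  "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1566.001", "enabled": true},
    {"techniqueID": "T1486", "enabled": true},
    {"techniqueID": "T1078", "enabled": false}
  ]
}"""

# Default colours (green, blue, purple) as the README describes them; the
# exact hex values are an assumption, not taken from the tool.
DEFAULT_COLOURS = ("#00ff00", "#0000ff", "#800080")

HEX_COLOUR = re.compile(r"^#[0-9a-fA-F]{6}$")


def is_hex_colour(value: str) -> bool:
    """The -col option requires colour hex codes; reject anything else early."""
    return bool(HEX_COLOUR.match(value))


def load_custom_layer(layer_json: str) -> Tuple[str, Set[str]]:
    """Parse a Navigator layer into (layer name, technique IDs).

    Techniques flagged "enabled": false are skipped so an exported layer can
    carry greyed-out annotations without counting them as the group's TTPs
    (assumption about how such entries should be treated)."""
    layer = json.loads(layer_json)
    ttps = {
        t["techniqueID"]
        for t in layer.get("techniques", [])
        if t.get("enabled", True)
    }
    return layer["name"], ttps


def similarity(a: Set[str], b: Set[str]) -> float:
    """Relationship index of two TTP sets.

    The README does not state the tool's formula; Jaccard (shared TTPs over
    all TTPs of either group) is the assumption used here."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def compare_all(name: str, db: Dict[str, Set[str]]) -> List[Tuple[str, float]]:
    """Like -c/--compare: every other group ranked by similarity, best first."""
    target = db[name]
    scores = [(other, similarity(target, ttps))
              for other, ttps in db.items() if other != name]
    return sorted(scores, key=lambda item: item[1], reverse=True)


def versus_layer(name1: str, name2: str, db: Dict[str, Set[str]],
                 colours: Tuple[str, str, str] = DEFAULT_COLOURS) -> dict:
    """Like -v/--versus: a Navigator layer colouring TTPs unique to name1,
    unique to name2, and shared by both, each with its own colour."""
    if not all(is_hex_colour(c) for c in colours):
        raise ValueError("colours must be hex codes such as #00ff00")
    c1, c2, c_match = colours
    a, b = db[name1], db[name2]
    coloured = {t: c1 for t in a - b}            # only in group 1
    coloured.update({t: c2 for t in b - a})      # only in group 2
    coloured.update({t: c_match for t in a & b})  # shared TTPs
    return {
        "name": f"{name1} vs {name2}",
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": t, "color": coloured[t], "enabled": True,
             "comment": "both" if t in a & b else (name1 if t in a else name2)}
            for t in sorted(coloured)
        ],
    }


if __name__ == "__main__":
    db = dict(APT_DB)
    custom_name, custom_ttps = load_custom_layer(CUSTOM_LAYER_JSON)
    db[custom_name] = custom_ttps  # the custom layer is now just another "APT"
    for other, score in compare_all(custom_name, db):
        print(f"{custom_name} vs {other}: {score:.2f}")
    print(json.dumps(versus_layer("Group A", "Group B", db), indent=2))
```

The emitted dictionary can be written to a file with json.dump and opened directly in ATT&CK Navigator. Validating the colour arguments before building the layer mirrors the -col requirement that each value be a hex code; a non-hex value would otherwise be written silently and ignored by Navigator.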

Usage examples

Each example below is illustrated with screenshots in the repository.

  • Comparing APT "Wizard Spider" with all other APTs.
  • Obtaining the comparison layer between two APTs ("Wizard Spider" and "FIN8").
  • Obtaining the comparison layer between two APTs ("Wizard Spider" and "FIN8") and modifying its colours.
  • Obtaining the "Wizard Spider" APT layer.
  • Obtaining the "Wizard Spider" APT layer with a modified colour.
