Jonathan Cran jcran
@MSAdministrator
MSAdministrator / mitre_att&ck_json_data_format_explanation.md
Created March 1, 2020 03:53
Explanation of the MITRE ATT&CK Data Format

MITRE ATT&CK Data Format

The MITRE ATT&CK JSON file is a flat JSON structure which is difficult to parse. To parse this JSON file, there are several different approaches but the type key is the, well, key!

The types within this JSON are the following (as well as the common wording used for this type):

  • attack-pattern (Techniques)
  • relationship (This is a unique type that contains relationships between types)
  • course-of-action (Mitigations)
  • identity (unused)
@fox-srt
fox-srt / CVE-2018-0101.rules
Last active April 10, 2018 09:42
Cisco ASA RCE / CVE-2018-0101 IDS Signatures
# IDS signatures for https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1:
alert udp any any -> any 500 (msg:"FOX-SRT - Suspicious - Possible Fragmented Cisco IKE/isakmp Packet HeapSpray (CVE-2018-0101)"; flow:to_server; content:"|84|"; offset:16; depth:1; content:"|02|"; distance:1; within:1; fast_pattern; byte_test:4,>,5000,5,relative; byte_test:2,>,5000,11,relative; byte_extract:4,36,fragment_match; byte_test:4,=,fragment_match,53,relative; byte_test:4,=,fragment_match,137,relative; byte_test:4,=,fragment_match,237,relative; threshold:type limit, track by_dst, count 1, seconds 600; classtype:attempted-admin; sid:21002339; rev:5;)
alert udp any any -> any 500 (msg:"FOX-SRT - Exploit - Possible Shellcode in Cisco IKE/isakmp - tcp/CONNECT/"; content:"tcp/CONNECT/"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; priority:1; classtype:attempted-admin; sid:21002340; rev:2;)
@0x9090
0x9090 / Nops_Blogs.opml
Last active May 5, 2025 11:17
My Infosec Blog List
<?xml version="1.0" encoding="UTF-8"?>
<opml version="1.0">
<head>
<title>Nops subscriptions in feedly Cloud</title>
</head>
<body>
<outline text="Security" title="Security">
<outline type="rss" text="X-Force Research – Security Intelligence" title="X-Force Research – Security Intelligence" xmlUrl="http://securityintelligence.com/topics/x-force/feed/" htmlUrl="https://securityintelligence.com"/>
<outline type="rss" text="SecurityIntelligence" title="SecurityIntelligence" xmlUrl="http://securityint.blogspot.com/feeds/posts/default" htmlUrl="http://securityint.blogspot.com/"/>
@bmaupin
bmaupin / build-openssl.sh
Last active September 17, 2025 17:40
Build openssl (with SSLv2/3 support for security testing)
#!/bin/bash
# Cache sudo password
sudo -v
# Get latest OpenSSL 1.0.2 version from https://openssl.org/source/
# v1.1.0 seems to have removed SSLv2/3 support
openssl_version=1.0.2k
# Install build dependencies
@boazsegev
boazsegev / yank_all.rb
Last active January 6, 2020 13:32
Yank multiple versions of a single gem
#!/usr/bin/env ruby
# encoding: UTF-8
require 'json'

def yank
  # Take the gem name from "-g NAME" on the command line, or prompt for it
  gemname = (ARGV.index('-g') && ARGV[ARGV.index('-g') + 1]) || (puts('Please enter gem name:') || gets.strip)
  # Run curl with an argument array (no shell) so the gem name is never interpreted as shell syntax
  data = JSON.parse(IO.popen(['curl', '-s', "https://rubygems.org/api/v1/versions/#{gemname}.json"], &:read))
  versions = data.map { |v| v['number'] }.reverse
  puts "\n\n#{gemname} versions: #{versions.join ', '}"
  puts "\nHow many versions to yank (starting at the first release) (none/ALL/number)?"
@markusklems
markusklems / lambda-dynamo
Last active November 24, 2024 01:48
Short aws lambda sample program that puts an item into dynamodb
// create an IAM Lambda role with access to dynamodb
// Launch Lambda in the same region as your dynamodb region
// (here: us-east-1)
// dynamodb table with hash key = user and range key = datetime
console.log('Loading event');
var AWS = require('aws-sdk');
var dynamodb = new AWS.DynamoDB({apiVersion: '2012-08-10'});
exports.handler = function(event, context) {
@mbbx6spp
mbbx6spp / README.md
Created December 4, 2011 04:24
Best UNIX shell-based tools I can't live without with example usages

Best UNIX Shell tools

This is a list of usages of shell commands I can't live without on UNIX-based systems.

Install

Mac OS X

Using Homebrew (yes, I am opinionated) you can install the following tools with the following packages: