timb-machine · October 25, 2022 19:29
diff --git a/ATT&CK v11 vs v12 for Linux b/ATT&CK v11 vs v12 for Linux
 $ jq '.objects[] | select(.type | contains("attack-pattern")) | select(.x_mitre_platforms[] | contains("Linux")) | .name' enterprise-attack-11.0.json | sort | uniq > 11.out
 $ jq '.objects[] | select(.type | contains("attack-pattern")) | select(.x_mitre_platforms[] | contains("Linux")) | .name' enterprise-attack-12.0.json | sort | uniq > 12.out
 $ diff 11.out 12.out
 33a34,36
 > "Clear Mailbox Data"
 > "Clear Network Connection History and Configurations"
 > "Clear Persistence"
 93a97
 > "Embedded Payloads"
 145c149
 < "Indicator Removal on Host"
 ---
 > "Indicator Removal"
 149a154
 > "Installer Packages"
 175a181
 > "Multi-Factor Authentication"
 241a248
 > "Socket Filters"
 252a260
 > "Steal or Forge Authentication Certificates"
 255a264
 > "Stripped Payloads"
	$ jq '.objects[] \| select(.type \| contains("attack-pattern")) \| select(.x_mitre_platforms[] \| contains("Linux")) \| .name' enterprise-attack-11.0.json \| sort \| uniq > 11.out
	$ jq '.objects[] \| select(.type \| contains("attack-pattern")) \| select(.x_mitre_platforms[] \| contains("Linux")) \| .name' enterprise-attack-12.0.json \| sort \| uniq > 12.out
	$ diff 11.out 12.out
	33a34,36
	> "Clear Mailbox Data"
	> "Clear Network Connection History and Configurations"
	> "Clear Persistence"
	93a97
	> "Embedded Payloads"
	145c149
	< "Indicator Removal on Host"
	---
	> "Indicator Removal"
	149a154
	> "Installer Packages"
	175a181
	> "Multi-Factor Authentication"
	241a248
	> "Socket Filters"
	252a260
	> "Steal or Forge Authentication Certificates"
	255a264
	> "Stripped Payloads"