import { DocumentSource, SecurityDocument } from "../types.js";
export class MITRESource implements DocumentSource {
name = "MITRE";
async fetchDocuments(): Promise<SecurityDocument[]> {
const documents: SecurityDocument[] = [];
try {
console.error("Fetching MITRE ATT&CK documents...");
// ATT&CK Framework Overview
documents.push({
id: "mitre-attack-overview",
source: "MITRE",
title: "MITRE ATT&CK Framework Overview",
url: "https://attack.mitre.org/",
content: `MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK is used as a foundation for the development of specific threat models and methodologies. The framework is organized into matrices for different environments: Enterprise (Windows, macOS, Linux, Cloud, Network, Containers), Mobile (Android, iOS), and ICS (Industrial Control Systems). Each matrix contains Tactics (the adversary's technical goals), Techniques (how they achieve goals), and Sub-techniques (more specific descriptions). ATT&CK is used for: threat intelligence, detection and analytics, adversary emulation and red teaming, assessment and engineering, security operations center (SOC) maturity assessments. The framework helps organizations understand the threat landscape, prioritize defenses, and communicate about threats using a common taxonomy.`,
category: "Threat Intelligence",
lastUpdated: new Date(),
metadata: { framework: "ATT&CK" },
});
// Enterprise ATT&CK Tactics
const tactics = this.getEnterpriseTactics();
documents.push(...tactics);
// Common Techniques
const techniques = this.getCommonTechniques();
documents.push(...techniques);
// ATT&CK for Cloud
const cloudAttack = this.getCloudATTACK();
documents.push(...cloudAttack);
// ATT&CK Use Cases
documents.push({
id: "mitre-attack-use-cases",
source: "MITRE",
title: "MITRE ATT&CK Use Cases",
url: "https://attack.mitre.org/resources/getting-started/",
content: `MITRE ATT&CK provides value across multiple security use cases. Threat Intelligence: Map adversary behaviors to ATT&CK techniques to understand threats, track threat groups, and share intelligence using common language. Detection and Analytics: Develop detection rules and analytics based on ATT&CK techniques, identify detection gaps, and prioritize detection development. Adversary Emulation: Create threat-informed red team scenarios based on real adversary behaviors, test defenses against known techniques. Security Assessment: Evaluate security posture against ATT&CK techniques, identify gaps in coverage, prioritize security investments. SOC Assessment: Measure SOC detection and response capabilities against ATT&CK, track maturity over time. Vendor Evaluation: Compare security products based on ATT&CK coverage, evaluate detection capabilities. Training: Educate security teams on adversary tradecraft, develop hands-on exercises based on ATT&CK. The ATT&CK Navigator tool helps visualize coverage and gaps across the framework.`,
category: "Threat Intelligence",
lastUpdated: new Date(),
metadata: { framework: "ATT&CK", type: "Use Cases" },
});
// D3FEND
documents.push({
id: "mitre-d3fend",
source: "MITRE",
title: "MITRE D3FEND - Defensive Techniques",
url: "https://d3fend.mitre.org/",
content: `MITRE D3FEND is a knowledge graph of cybersecurity countermeasures. It complements ATT&CK by providing a framework for describing defensive techniques. D3FEND organizes defenses into categories: Harden - techniques that reduce attack surface (application hardening, credential hardening, message hardening, platform hardening). Detect - techniques that identify adversary activity (file analysis, identifier analysis, message analysis, network traffic analysis, platform monitoring, process analysis, user behavior analysis). Isolate - techniques that create logical or physical barriers (execution isolation, network isolation). Deceive - techniques that mislead adversaries (decoy environment, decoy object). Evict - techniques that remove adversary artifacts (credential eviction, file eviction, process eviction). Each defensive technique is mapped to ATT&CK techniques it can counter. D3FEND helps organizations: understand available defensive options, map defenses to threats, identify defensive gaps, communicate about security controls. Use D3FEND with ATT&CK for comprehensive threat-informed defense.`,
category: "Defensive Security",
lastUpdated: new Date(),
metadata: { framework: "D3FEND" },
});
// MITRE Engage
documents.push({
id: "mitre-engage",
source: "MITRE",
title: "MITRE Engage - Adversary Engagement",
url: "https://engage.mitre.org/",
content: `MITRE Engage is a framework for planning and discussing adversary engagement operations. It provides vocabulary and approach for denial, deception, and adversary engagement. Goals include: Expose - reveal adversary presence and activity. Affect - negatively impact adversary operations. Elicit - learn about adversary behaviors, tools, and intent. Engagement activities: Collect - gather information about adversary. Detect - identify adversary presence. Prevent - stop adversary from achieving objectives. Direct - guide adversary to engage with specific resources. Disrupt - interrupt adversary operations. Reassure - reinforce adversary confidence in environment. Motivate - encourage adversary to take specific actions. Key concepts: Strategic planning involves defining objectives and approach. Operational planning covers specific engagement scenarios. Activities are tactical implementations. Engage helps organizations move from passive defense to active engagement, gathering intelligence while disrupting adversaries. Use with ATT&CK to understand adversary behaviors being engaged.`,
category: "Active Defense",
lastUpdated: new Date(),
metadata: { framework: "Engage" },
});
console.error(`Fetched ${documents.length} MITRE documents`);
} catch (error) {
console.error("Error fetching MITRE documents:", error);
}
return documents;
}
private getEnterpriseTactics(): SecurityDocument[] {
return [
{
id: "mitre-tactic-reconnaissance",
source: "MITRE",
title: "ATT&CK Tactic: Reconnaissance (TA0043)",
url: "https://attack.mitre.org/tactics/TA0043/",
content: `Reconnaissance consists of techniques involving adversaries gathering information to plan future operations. This includes gathering information about the target organization and its infrastructure. Techniques include: Active Scanning (T1595) - scanning infrastructure to identify targets, vulnerabilities. Gather Victim Host Information (T1592) - hardware, software, firmware details. Gather Victim Identity Information (T1589) - credentials, email addresses, employee names. Gather Victim Network Information (T1590) - domain properties, DNS, network topology. Gather Victim Org Information (T1591) - business relationships, locations, organizational structure. Phishing for Information (T1598) - spearphishing to gather information before attacks. Search Closed Sources (T1597) - threat intel vendors, purchase data. Search Open Technical Databases (T1596) - WHOIS, DNS, certificate databases. Search Open Websites/Domains (T1593) - social media, search engines. Search Victim-Owned Websites (T1594) - organization websites for useful information. Defense: Monitor for suspicious reconnaissance activity, implement information exposure controls.`,
category: "ATT&CK Tactics",
lastUpdated: new Date(),
metadata: { framework: "ATT&CK", tactic: "Reconnaissance" },
},
{
id: "mitre-tactic-initial-access",
source: "MITRE",
title: "ATT&CK Tactic: Initial Access (TA0001)",
url: "https://attack.mitre.org/tactics/TA0001/",
content: `Initial Access consists of techniques adversaries use to gain an initial foothold within a network. Entry vectors include targeted spearphishing, exploiting public-facing web servers, and compromising trusted relationships. Common techniques: Drive-by Compromise (T1189) - malicious code executed when visiting website. Exploit Public-Facing Application (T1190) - exploiting vulnerabilities in internet-facing applications. External Remote Services (T1133) - using VPN, Citrix, or other remote access services. Hardware Additions (T1200) - introducing malicious hardware. Phishing (T1566) - spearphishing attachments, links, or via services. Replication Through Removable Media (T1091) - malware on USB drives. Supply Chain Compromise (T1195) - compromise software/hardware supply chain. Trusted Relationship (T1199) - exploiting third-party relationships. Valid Accounts (T1078) - using compromised credentials. Defense: Email filtering, web filtering, patch management, MFA, network segmentation, supply chain security.`,
category: "ATT&CK Tactics",
lastUpdated: new Date(),
metadata: { framework: "ATT&CK", tactic: "Initial Access" },
},
{
id: "mitre-tactic-persistence",
source: "MITRE",
title: "ATT&CK Tactic: Persistence (TA0003)",
url: "https://attack.mitre.org/tactics/TA0003/",
content: `Persistence consists of techniques adversaries use to maintain access to systems across restarts, credential changes, and other interruptions. Persistence mechanisms let adversaries maintain their foothold on compromised systems. Common techniques: Account Manipulation (T1098) - modifying account attributes. BITS Jobs (T1197) - Windows Background Intelligent Transfer Service for persistence. Boot or Logon Autostart Execution (T1547) - Registry Run keys, Startup folders, etc. Boot or Logon Initialization Scripts (T1037) - logon scripts, boot scripts. Browser Extensions (T1176) - malicious browser extensions. Compromise Client Software Binary (T1554) - modifying client software. Create Account (T1136) - creating new accounts for access. Create or Modify System Process (T1543) - Windows services, systemd services. Event Triggered Execution (T1546) - AppInit DLLs, screensaver, WMI subscriptions. Hijack Execution Flow (T1574) - DLL hijacking, path interception. Implant Internal Image (T1525) - backdoor cloud/container images. Pre-OS Boot (T1542) - bootkit, MBR modification. Scheduled Task/Job (T1053) - cron, scheduled tasks, at jobs. Valid Accounts (T1078) - maintaining access via compromised accounts.`,
category: "ATT&CK Tactics",
lastUpdated: new Date(),
metadata: { framework: "ATT&CK", tactic: "Persistence" },
},
{
id: "mitre-tactic-privilege-escalation",
source: "MITRE",
title: "ATT&CK Tactic: Privilege Escalation (TA0004)",
url: "https://attack.mitre.org/tactics/TA0004/",
content: `Privilege Escalation consists of techniques adversaries use to gain higher-level permissions on a system or network. Adversaries often enter with unprivileged access and need to elevate to accomplish their objectives. Techniques include: Abuse Elevation Control Mechanism (T1548) - bypass UAC, sudo caching, setuid/setgid binaries. Access Token Manipulation (T1134) - token impersonation, create process with token. Boot or Logon Autostart Execution (T1547) - same as persistence but for escalation. Boot or Logon Initialization Scripts (T1037) - modify scripts run with elevated privileges. Create or Modify System Process (T1543) - modify services running as SYSTEM/root. Domain Policy Modification (T1484) - Group Policy modification. Escape to Host (T1611) - container escape to host. Event Triggered Execution (T1546) - accessibility features, AppCert DLLs. Exploitation for Privilege Escalation (T1068) - exploit vulnerabilities for higher privileges. Hijack Execution Flow (T1574) - DLL search order hijacking, PATH manipulation. Process Injection (T1055) - inject code into higher-privilege processes. Scheduled Task/Job (T1053) - scheduled tasks running with elevated privileges. Valid Accounts (T1078) - use credentials for higher-privilege accounts.`,
category: "ATT&CK Tactics",
lastUpdated: new Date(),
metadata: { framework: "ATT&CK", tactic: "Privilege Escalation" },
},
{
id: "mitre-tactic-defense-evasion",
source: "MITRE",
title: "ATT&CK Tactic: Defense Evasion (TA0005)",
url: "https://attack.mitre.org/tactics/TA0005/",
content: `Defense Evasion consists of techniques adversaries use to avoid detection throughout their intrusion. Techniques include disabling security software, obfuscating malware, and exploiting trusted processes. Common techniques: Abuse Elevation Control Mechanism (T1548) - bypass security controls. Deobfuscate/Decode Files or Information (T1140) - decode payloads at runtime. Direct Volume Access (T1006) - read files directly from disk bypassing file APIs. Disable or Modify Tools (T1562) - disable AV, EDR, logging. Execution Guardrails (T1480) - environmental keying, only execute in target environment. Hide Artifacts (T1564) - hidden files, NTFS file attributes, run virtual instance. Impair Defenses (T1562) - disable security tools, modify firewall rules. Indicator Removal (T1070) - clear logs, timestomp, file deletion. Masquerading (T1036) - rename system utilities, match legitimate names. Modify Registry (T1112) - modify registry to disable security. Obfuscated Files or Information (T1027) - encoding, encryption, packing. Process Injection (T1055) - inject into legitimate processes. Rootkit (T1014) - hide presence using kernel-level modifications. Virtualization/Sandbox Evasion (T1497) - detect VM/sandbox and alter behavior.`,
category: "ATT&CK Tactics",
lastUpdated: new Date(),
metadata: { framework: "ATT&CK", tactic: "Defense Evasion" },
},
{
id: "mitre-tactic-lateral-movement",
source: "MITRE",
title: "ATT&CK Tactic: Lateral Movement (TA0008)",
url: "https://attack.mitre.org/tactics/TA0008/",
content: `Lateral Movement consists of techniques adversaries use to move through the network to reach their target. After gaining initial access, adversaries move laterally to access additional systems and resources. Techniques include: Exploitation of Remote Services (T1210) - exploit vulnerabilities in remote services. Internal Spearphishing (T1534) - phishing from compromised internal accounts. Lateral Tool Transfer (T1570) - transfer tools between systems. Remote Service Session Hijacking (T1563) - RDP hijacking, SSH hijacking. Remote Services (T1021) - RDP, SSH, SMB/Windows Admin Shares, VNC, WinRM. Replication Through Removable Media (T1091) - spread via USB drives. Software Deployment Tools (T1072) - abuse software deployment for lateral movement. Taint Shared Content (T1080) - add malicious content to shared locations. Use Alternate Authentication Material (T1550) - pass the hash, pass the ticket, application access tokens. Defense: Network segmentation, privileged access management, disable unnecessary remote services, monitor for unusual lateral movement patterns, implement MFA for remote access.`,
category: "ATT&CK Tactics",
lastUpdated: new Date(),
metadata: { framework: "ATT&CK", tactic: "Lateral Movement" },
},
{
id: "mitre-tactic-exfiltration",
source: "MITRE",
title: "ATT&CK Tactic: Exfiltration (TA0010)",
url: "https://attack.mitre.org/tactics/TA0010/",
content: `Exfiltration consists of techniques adversaries use to steal data from your network. Data is often packaged and encrypted before removal. Techniques include: Automated Exfiltration (T1020) - automated data transfer using scripts. Data Transfer Size Limits (T1030) - transfer in small chunks to avoid detection. Exfiltration Over Alternative Protocol (T1048) - DNS, ICMP, or other non-standard protocols. Exfiltration Over C2 Channel (T1041) - exfiltrate over existing command and control. Exfiltration Over Other Network Medium (T1011) - Bluetooth, RF, cellular. Exfiltration Over Physical Medium (T1052) - USB drives, other removable media. Exfiltration Over Web Service (T1567) - cloud storage, code repositories. Scheduled Transfer (T1029) - exfiltrate at specific times to blend in. Transfer Data to Cloud Account (T1537) - exfiltrate to adversary-controlled cloud storage. Defense: Data loss prevention (DLP), network monitoring for unusual data transfers, egress filtering, monitoring cloud service usage, USB device controls, encryption of sensitive data.`,
category: "ATT&CK Tactics",
lastUpdated: new Date(),
metadata: { framework: "ATT&CK", tactic: "Exfiltration" },
},
];
}
private getCommonTechniques(): SecurityDocument[] {
return [
{
id: "mitre-technique-phishing",
source: "MITRE",
title: "ATT&CK Technique: Phishing (T1566)",
url: "https://attack.mitre.org/techniques/T1566/",
content: `Phishing is a common initial access technique where adversaries send messages to gain access to victim systems. Sub-techniques: Spearphishing Attachment (T1566.001) - emails with malicious attachments (Office docs, PDFs, executables). Spearphishing Link (T1566.002) - emails with malicious links to credential harvesting or drive-by download sites. Spearphishing via Service (T1566.003) - phishing via social media, messaging platforms. Mitigations: User training on phishing recognition. Email filtering and sandboxing. Disable macros or use protected view. URL filtering and reputation services. Multi-factor authentication. Restrict attachment types. Detection: Monitor email gateways for suspicious attachments and links. Analyze URLs in emails. Monitor for suspicious Office macro execution. Track user report of suspicious emails. Monitor for credential harvesting page access. Real-world examples: APT29 used spearphishing with malicious attachments. FIN7 sent phishing emails with malicious Word documents.`,
category: "ATT&CK Techniques",
lastUpdated: new Date(),
metadata: { framework: "ATT&CK", technique: "T1566" },
},
{
id: "mitre-technique-command-scripting",
source: "MITRE",
title: "ATT&CK Technique: Command and Scripting Interpreter (T1059)",
url: "https://attack.mitre.org/techniques/T1059/",
content: `Adversaries abuse command and script interpreters to execute commands, scripts, or binaries. Sub-techniques: PowerShell (T1059.001) - widely abused for post-exploitation, offers extensive access to Windows APIs. Windows Command Shell (T1059.003) - cmd.exe for batch scripts and commands. Unix Shell (T1059.004) - bash, sh for Linux/macOS execution. Visual Basic (T1059.005) - VBScript, VBA macros in Office documents. Python (T1059.006) - cross-platform scripting. JavaScript (T1059.007) - JScript, node.js execution. Network Device CLI (T1059.008) - router and switch command lines. Cloud API (T1059.009) - cloud provider CLIs and APIs. Mitigations: Script block logging, constrained language mode, application whitelisting, disable unused scripting engines, code signing. Detection: Monitor process creation for interpreters, log script content, analyze command-line arguments, monitor for encoded commands. PowerShell logging (ScriptBlock, Module, Transcription) is essential for detection.`,
category: "ATT&CK Techniques",
lastUpdated: new Date(),
metadata: { framework: "ATT&CK", technique: "T1059" },
},
{
id: "mitre-technique-credential-dumping",
source: "MITRE",
title: "ATT&CK Technique: OS Credential Dumping (T1003)",
url: "https://attack.mitre.org/techniques/T1003/",
content: `Adversaries dump credentials to obtain account login and credential material, usually in form of hashes or clear-text passwords. Sub-techniques: LSASS Memory (T1003.001) - dump credentials from Windows LSASS process using tools like Mimikatz. Security Account Manager (T1003.002) - extract hashes from SAM database. NTDS (T1003.003) - extract credentials from Active Directory NTDS.dit file. LSA Secrets (T1003.004) - extract secrets from LSA storage. Cached Domain Credentials (T1003.005) - dump cached domain logon information. DCSync (T1003.006) - use domain replication to obtain credentials. Proc Filesystem (T1003.007) - dump credentials from Linux /proc. /etc/passwd and /etc/shadow (T1003.008) - Linux password files. Mitigations: Credential Guard, privileged access management, limit credential overlap, disable WDigest, protect LSASS (PPL). Detection: Monitor for LSASS access, detect Mimikatz patterns, monitor for DCSync replication requests, alert on ntdsutil.exe usage.`,
category: "ATT&CK Techniques",
lastUpdated: new Date(),
metadata: { framework: "ATT&CK", technique: "T1003" },
},
];
}
private getCloudATTACK(): SecurityDocument[] {
return [
{
id: "mitre-attack-cloud",
source: "MITRE",
title: "MITRE ATT&CK for Cloud",
url: "https://attack.mitre.org/matrices/enterprise/cloud/",
content: `MITRE ATT&CK for Cloud covers adversary tactics and techniques targeting cloud environments including AWS, Azure, GCP, and SaaS. Cloud-specific techniques include: Initial Access - compromised credentials, OAuth consent phishing, trusted relationships with cloud providers. Persistence - account manipulation, implant container images, modify cloud compute infrastructure. Privilege Escalation - abuse cloud IAM permissions, modify cloud policies. Defense Evasion - disable cloud logs, use cloud-native tools (living off the land), modify cloud compute infrastructure. Credential Access - steal application access tokens, unsecured credentials in cloud metadata, brute force cloud accounts. Discovery - cloud infrastructure discovery, cloud service discovery, cloud storage enumeration. Lateral Movement - internal spearphishing, use alternate authentication (tokens, keys). Collection - data from cloud storage, email collection via cloud API. Exfiltration - transfer to cloud account, exfiltration via cloud services. Impact - resource hijacking (cryptomining), data destruction, defacement.`,
category: "Cloud Security",
lastUpdated: new Date(),
metadata: { framework: "ATT&CK", domain: "Cloud" },
},
{
id: "mitre-attack-cloud-techniques",
source: "MITRE",
title: "Common Cloud ATT&CK Techniques",
url: "https://attack.mitre.org/matrices/enterprise/cloud/",
content: `Key cloud-specific ATT&CK techniques: Steal Application Access Token (T1528) - steal OAuth tokens, service principal credentials. Cloud Service Discovery (T1526) - enumerate cloud services and resources. Cloud Infrastructure Discovery (T1580) - discover VMs, storage, networking. Unsecured Credentials (T1552) - credentials in instance metadata, cloud shell history, configuration files. Modify Cloud Compute Infrastructure (T1578) - create snapshots, modify images, add instances. Valid Accounts: Cloud Accounts (T1078.004) - use compromised cloud credentials. Transfer Data to Cloud Account (T1537) - exfiltrate to attacker's cloud storage. Cloud Service Dashboard (T1538) - GUI-based reconnaissance and attacks. Cloud Storage Object Discovery (T1619) - enumerate S3 buckets, blob storage. Data from Cloud Storage (T1530) - steal data from cloud storage. Resource Hijacking (T1496) - cryptomining on compromised instances. Defense: Cloud security posture management, least privilege IAM, cloud workload protection, cloud access security broker (CASB), cloud audit logging.`,
category: "Cloud Security",
lastUpdated: new Date(),
metadata: { framework: "ATT&CK", domain: "Cloud" },
},
];
}
}
