AttackIQ Platform
AttackIQ Platform Pack.#
This Integration is part of theUse the AttackIQ integration to simulate a platform that provides validations for security controls, responses, and remediation exercises.
This integration was integrated and tested with AttackIQ FireDrill v2.15.96.
#
Use Cases- Retrieves a list of testing scenarios.
- Executes testing of penetration assessments.
- Retrieves detailed assessment results.
- Triggers other playbook-based assessment results.
#
Configure AttackIQ Platform in CortexParameter | Description | Example |
---|---|---|
Name | A meaningful name for the integration instance. | AttackIQFireDrill_instance_2 |
Server URL | The URL to the Proofpoint server, including the scheme. | https://example.net |
API Token | Account's private token (as appears in attackIQ UI). | N/A |
Trust any certificate (not secure) | When selected, certificates are not checked. | N/A |
Use System Proxy Settings | Runs the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration. | https://proxyserver.com |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
Get assessment information by IDReturns all assessment information by ID.
#
Base Commandattackiq-get-assessment-by-id
#
InputArgument Name | Description | Required |
---|---|---|
assessment_id | The ID of the assessment to return. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
AttackIQ.Assessment.Id | String | The ID of the assessment. |
AttackIQ.Assessment.Name | String | The name of the assessment. |
AttackIQ.Assessment.Description | String | The description of the assessment. |
AttackIQ.Assessment.StartDate | Date | The start date of the assessment. |
AttackIQ.Assessment.EndDate | Date | The end date of the assessment. |
AttackIQ.Assessment.AssessmentState | String | The state of the assessment. Can be, "Active" or "Inactive". |
AttackIQ.Assessment.DefaultSchedule | String | The default schedule timing (cron) of the assessment. |
AttackIQ.Assessment.AssessmentTemplateId | String | The template ID of the assessment. |
AttackIQ.Assessment.AssessmentTemplateName | String | The template name of the assessment. |
AttackIQ.Assessment.AssessmentTemplateDescription | String | The template description of the assessment. |
AttackIQ.Assessment.AssessmentTemplateDefaultSchedule | Unknown | The assessment's template default schedule timing (cron). |
AttackIQ.Assessment.AssessmentTemplateCompany | String | The owner of the template. |
AttackIQ.Assessment.AssessmentTemplateCreated | Date | The date that the template was created. |
AttackIQ.Assessment.AssessmentTemplateModified | Date | The date the template was last modified. |
AttackIQ.Assessment.Creator | String | The user who created the assessment. |
AttackIQ.Assessment.Owner | String | The user who owns the assessment. |
AttackIQ.Assessment.User | String | The user who ran the assessment. |
AttackIQ.Assessment.Created | String | The time that the assessment was created. |
AttackIQ.Assessment.Modified | String | The time that the assessment was last modified. |
AttackIQ.Assessment.Users | String | The user IDs that can access the assessment. |
AttackIQ.Assessment.Groups | String | The user groups who can access the assessment. |
AttackIQ.Assessment.DefaultAssetCount | Number | The number of machines (assets) that are connected to the assessment. |
AttackIQ.Assessment.DefaultAssetGroupCount | Number | The number of asset groups that are connected to the assessment. |
AttackIQ.Assessment.MasterJobCount | Number | The number of tests that ran in the assessment. |
AttackIQ.Assessment.Count | Number | The total number of assessments. |
AttackIQ.Assessment.RemainingPages | Number | The number of remaining pages to return. For example, if the total number of pages is 6, and the last fetch was page 5, the value is 1. |
#
Command Example#
Context Example#
Human Readable Output#
AttackIQ Assessment c4e352ae-1506-4c74-bd90-853f02dd765aId | Name | Description | User | Created | Modified |
---|---|---|---|---|---|
c4e352ae-1506-4c74-bd90-853f02dd765a | Arseny's ransomware project | Test of common ransomware variants | foo@test.com | 2019-08-27T10:17:09.809036Z | 2019-09-18T08:16:23.079961Z |
#
Get all assessments details by pageReturns all assessment details by page.
#
Base Commandattackiq-list-assessments
#
InputArgument Name | Description | Required |
---|---|---|
page_number | The page number to return. | Optional |
page_size | The number of results to return per page. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AttackIQ.Assessment.Id | String | The ID of the assessment. |
AttackIQ.Assessment.Name | String | The name of the assessment. |
AttackIQ.Assessment.Description | String | The description of the assessment. |
AttackIQ.Assessment.StartDate | Date | The start date of the assessment. |
AttackIQ.Assessment.EndDate | Date | The end date of the assessment. |
AttackIQ.Assessment.AssessmentState | String | The state of the assessment. Can be, "Active" or "Inactive". |
AttackIQ.Assessment.DefaultSchedule | String | The default schedule timing (cron) of the assessment. |
AttackIQ.Assessment.AssessmentTemplateId | String | The template ID of the assessment. |
AttackIQ.Assessment.AssessmentTemplateName | String | The template name of the assessment. |
AttackIQ.Assessment.AssessmentTemplateDescription | String | The template description of the assessment. |
AttackIQ.Assessment.AssessmentTemplateDefaultSchedule | Unknown | The default schedule timing (cron) of the template assessment. |
AttackIQ.Assessment.AssessmentTemplateCompany | String | The owner of the template. |
AttackIQ.Assessment.AssessmentTemplateCreated | Date | The date that the template was created. |
AttackIQ.Assessment.AssessmentTemplateModified | Date | The date the template was last modified. |
AttackIQ.Assessment.Creator | String | The user who created the assessment. |
AttackIQ.Assessment.Owner | String | The user who owned the assessment. |
AttackIQ.Assessment.User | String | The user that ran the assessment. |
AttackIQ.Assessment.Created | String | The time that the assessment was created. |
AttackIQ.Assessment.Modified | String | The time that the assessment was last modified. |
AttackIQ.Assessment.Users | String | The User IDs that can access the assessment. |
AttackIQ.Assessment.Groups | String | The user groups who can access the assessment. |
AttackIQ.Assessment.DefaultAssetCount | Number | The number of machines (assets) that are connected to the assessment. |
AttackIQ.Assessment.DefaultAssetGroupCount | Number | The number of asset groups that are connected to the assessment. |
AttackIQ.Assessment.MasterJobCount | Number | The number of tests that ran in the assessment. |
#
Command Example#
Context Example#
Human Readable Output#
AttackIQ Assessments Page 1/12Id | Name | Description | User | Created | Modified |
---|---|---|---|---|---|
c4e352ae-1506-4c74-bd90-853f02dd765a | Arseny's ransomware project | Test of common ransomware variants | foo@test.com | 2019-08-27T10:17:09.809036Z | 2019-09-18T08:16:23.079961Z |
f57edb34-ccb2-4695-b79c-bb739cab70a1 | Arseny's ransomware project | Test of common ransomware variants | foo@test.com | 2019-09-02T11:52:09.915614Z | 2019-09-16T09:02:59.401994Z |
8978fe24-607a-4815-a36a-89fb6191b318 | ATT&CK by the Numbers @ NOVA BSides 2019 | AttackIQ’s analysis and mapping of the “ATT&CK by the Numbers” @ NOVA BSides 2019 | foo@test.com | 2019-09-05T08:47:38.243320Z | 2019-09-10T11:16:25.619197Z |
5baca9b4-e55c-497f-a05a-8004b9a36efe | Custom | Custom project | goo@test.com | 2019-09-10T08:38:55.165853Z | 2019-09-10T08:38:55.165874Z |
58440d47-d7b5-4f57-913f-3e13903fa2fc | Arseny's ransomware project | Test of common ransomware variants | foo@test.com | 2019-09-02T11:52:13.933084Z | 2019-09-02T11:52:16.100942Z |
#
Activate an assessmentÂDeprecated, without available replacement. Activates the assessment, which is required for execution.
#
Base Commandattackiq-activate-assessment
#
InputArgument Name | Description | Required |
---|---|---|
assessment_id | ID of the assessment to activate. | Required |
#
Command Example#
Human Readable OutputSuccessfully activated project c4e352ae-1506-4c74-bd90-853f02dd765a
#
Run tests in the assessmentRuns all tests in the assessment.
#
Base Commandattackiq-run-all-tests-in-assessment
#
InputArgument Name | Description | Required |
---|---|---|
assessment_id | The ID of the assessment. | Required |
on_demand_only | Runs only on-demand tests in the assessment. True executes tests in the assessment that are not scheduled to run. False executes all tests in the assessment including scheduled tests. The default is false. | Optional |
#
Command Example#
Human Readable OutputSuccessfully started running all tests in project: ATT&CK by the Numbers @ NOVA BSides 2019
#
Get an assessment execution statusReturns an assessment execution status when running an on-demand execution only.
#
Base Commandattackiq-get-assessment-execution-status
#
InputArgument Name | Description | Required |
---|---|---|
assessment_id | The assessment to check status. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
AttackIQ.Assessment.Running | Boolean | Whether the assessment is running. |
AttackIQ.Assessment.Id | String | The ID of the assessment. |
#
Command Example#
Context Example#
Human Readable OutputAssessment c4e352ae-1506-4c74-bd90-853f02dd765a execution is not running.
#
Get a test execution statusReturns the status of the test.
#
Base Commandattackiq-get-test-execution-status
#
InputArgument Name | Description | Required |
---|---|---|
test_id | The ID of the Test. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
AttackIQTest.Detected | Number | The number of detections in the test. |
AttackIQTest.Failed | Number | The number of failures in the test. |
AttackIQTest.Finished | Boolean | Whether the test is finished. |
AttackIQTest.Passed | Number | The number of passed tests. |
AttackIQTest.Errored | Number | The number of tests that returned errors. |
AttackIQTest.Total | Number | The total number of tests that ran. |
AttackIQTest.Id | String | The ID of the assessment test. |
#
Command Example#
Context Example#
Human Readable Output#
Test 9aed2cef-8c64-4e29-83b4-709de5963b66 statusDetected | Errored | Failed | Finished | Id | Passed | Total |
---|---|---|---|---|---|---|
0 | 0 | 9 | true | 9aed2cef-8c64-4e29-83b4-709de5963b66 | 1 | 10 |
#
Get a list of tests by assessmentReturns a list of tests by an assessment.
#
Base Commandattackiq-list-tests-by-assessment
#
InputArgument Name | Description | Required |
---|---|---|
assessment_id | The ID of the assessment that contains the tests. | Required |
page_size | The Maximum page size for the results. | Optional |
page_number | The page number to return. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AttackIQTest.Id | String | The ID of the test. |
AttackIQTest.Name | String | The name of the test. |
AttackIQTest.Description | String | The description of the test. |
AttackIQTest.Scenarios.Id | String | The ID of the test scenario. |
AttackIQTest.Scenarios.Name | String | The name of the test scenario. |
AttackIQTest.Assets.Id | String | The ID of the test asset. |
AttackIQTest.Assets.Ipv4Address | String | The IP version 4 address of the test asset. |
AttackIQTest.Assets.Hostname | String | The host name of the test asset. |
AttackIQTest.Assets.ProductName | String | The product name of the test asset. |
AttackIQTest.Assets.Modified | String | The last modified date of the test asset. |
AttackIQTest.Assets.Status | Date | The status of the test asset. Can be, "Active" or "Inactive". |
AttackIQTest.TotalAssetCount | Number | The number of assets in which the test ran. |
AttackIQTest.CronExpression | String | The Cron expression of the test. |
AttackIQTest.Runnable | Boolean | Whether the test can run. |
AttackIQTest.LastResult | String | The last result of the test. |
AttackIQTest.User | String | The name of the user that ran the test in the assessment. |
AttackIQTest.Created | Date | The date that the test was created. |
AttackIQTest.Modified | Date | The date that the test was last modified. |
AttackIQTest.LatestInstanceId | Number | The ID of the most recent run of the test. |
AttackIQTest.UsingDefaultAssets | Boolean | Whether the test uses default assets. |
AttackIQTest.UsingDefaultSchedule | Boolean | Whether the test uses the default schedule. |
AttackIQTest.RemainingPages | Number | The number of remaining pages to return. For example, if the total number of pages is 6, and the last fetch was page 5, the value is 1. |
AttackIQTest.Count | Number | The total number of tests. |
#
Command Example#
Context Example#
Human Readable Output#
Assessment c4e352ae-1506-4c74-bd90-853f02dd765a tests#
Page 1 / 1#
Test - Ransomware DownloadId | Name | Created | Modified | Runnable | Last Result |
---|---|---|---|---|---|
1c350a5a-84f2-4938-93d8-cc31f0a99482 | Ransomware Download | 2019-08-27T10:17:10.132074Z | 2019-09-02T07:08:25.237823Z | true | Failed |
#
Assets (Ransomware Download)Hostname | Id | Ipv4Address | Modified | ProductName | Status |
---|---|---|---|---|---|
ec2amaz-g4iu5no | 03e17460-849e-4b86-b6c6-ef0db72823ff | 172.31.39.254 | 2019-09-18T08:12:16.957300Z | Windows Server 2016 Datacenter | Active |
#
Scenarios (Ransomware Download)Id | Name |
---|---|
7f188dbb-4d75-4c75-97bc-ff2d03fc0a1f | Download WannaCry Ransomware Sample |
35097add-888e-4916-ad25-38afef5d3b73 | Download 7ev3n Ransomware |
c12c0cea-96e8-40b2-80af-fb897cffbe6a | Download Alpha Ransomware |
8b4eac5c-0475-475a-8521-dc30670d4212 | Download BlackShades Crypter Ransomware |
25b85e85-5255-49d3-8805-8ded910f1a63 | Download AutoLocky Ransomware |
ce58ac59-f08a-4b72-918c-25fdfd0f7e4b | Download Bandarchor Ransomware |
66b167f6-acf7-491a-bfd6-ddd513d7290d | Download Bucbi Ransomware |
b2eb8dec-1db0-46fe-b7af-bf87285d0d30 | Download BadBlock Ransomeware |
fd81172c-f7f3-4811-a4e8-ebdf10044c85 | Download Chimera Ransomware |
193f6df4-aff7-44cd-8553-ed32dab8aac2 | Download CoinVault Ransomware |
c75275eb-cf51-47d1-a031-c48e0ce8a3a1 | Download Cerber Ransomware |
595e522e-3ef2-4d6c-bfb0-f1e4841455aa | Download Crypren Ransomware |
8c89ab68-12d2-4cd8-8469-97d1a5586400 | Download Cryptolocker Ransomware |
0d78245f-fb7e-4a1b-a4ee-c3f06d62ec2c | Download CryptoDefense Ransomware |
59e127c1-4d33-4564-8df1-a4acd4c6d564 | Download CryptoWall Ransomware |
ec3d4c58-937d-43be-9283-41ba43380f98 | Download Cryptear Ransomware |
3f22d898-2fa2-4824-992a-207f71fe61ce | Download CTBLocker Ransomware |
b1c12d92-7754-45b1-bc85-e52960ba3a6c | Download CryptXXX Ransomware |
d70c6af1-aef4-4748-8bb6-3c1414d4488c | Download DMALocker Ransomware |
fd202846-f523-41d8-9e56-d388e50e1bcb | Download Fakben Ransomware |
e2e94c6a-8749-4630-b2a5-a068a1cdf432 | Download GhostCrypt Ransomware |
3aa03297-3732-432d-b79b-7180275712d3 | Download Jigsaw Ransomware |
65ef68fa-d62e-4dd1-8892-1b56beb6bd1e | Download HydraCrypt Ransomware |
00c3d6eb-d9c3-4109-b373-8f934a84162d | Download Harasom Ransomware |
c17581f3-6a85-4a98-8803-2a6479117769 | Download Zcrypt Ransomware |
264bc140-52db-4f20-a0a2-e50cd37f459a | Download Zyklon Ransomware |
1febae73-86d0-4e2d-9494-051f6629ed7e | Download VaultCrypt Ransomware |
ce98ba43-4293-401e-a203-c4d04e31dacb | Download Xorist Ransomware |
0805f45c-ecb6-4cc2-a531-7a61e5452b2c | Download TeslaCrypt Ransomware |
a25e0c4e-a117-48f5-b05e-39a38144c372 | Download TrueCrypt Ransomware |
f116c1fb-9373-4b54-9c7d-3a7e50edbf70 | Download SynoLocker Ransomware |
f1590467-b28f-4b9a-84ee-676bfbee2add | Download Sanction Ransomware |
fc057ae4-c56d-4e9a-8c0f-9f22ec1e5576 | Download SNSLock Ransomware |
b7425756-ab9a-4c7e-8fda-d1080c170910 | Download Rector Ransomware |
00a2bbf3-7faa-4a44-b125-580ebe007931 | Download Rokku Ransomware |
0f8097da-345d-4516-9730-8efa68b427e2 | Download Rakhni Ransomware |
11270129-4b0a-47f7-a019-45b45568befe | Download Powerware Ransomware |
43dc33fe-f7c2-4741-845c-6ce3f6d703a8 | Download Radamant Ransomware |
98cc1e97-9240-4bd5-8448-7d9e71b27249 | Download Petya Ransomware |
dc07c76e-b891-43d3-9244-6992524a57f9 | Download Nemucod Ransomware |
366a6950-0a08-4295-a7ca-890e47f2cc9b | Download Mobef Ransomware |
16f39816-d245-46fd-ab5d-bd9b18c1d47d | Download Maktub Ransomware |
207144d0-aa40-48c4-99e6-5b246840e7e7 | Download Linux Encoder Ransomware |
68d41700-100e-4145-9e34-d38cfa4d75c5 | Download KeRanger Ransomware |
8daab70f-0b85-4f24-87a2-40d88effad87 | Download Locky Ransomware |
0d5e4988-cffc-4c83-b3e5-3775d0735e3d | Download Kimcilware Ransomware |
b434bb61-67d7-4556-8ff9-99a88b52b566 | Download Lechiffre Ransomware |
afb2d3db-7107-40d0-bf28-067c84e144e6 | Download Mischa Ransomware |
c567a416-f320-4b9a-8268-50ad6aa0818d | Download ODCODC Ransomware |
5b075299-0368-48f9-a380-b46974b574ca | Download Ransom32 Ransomware |
ef72cfc8-796c-4a35-abea-547f0d898713 | Download Coverton Ransomware |
#
Test - LockyId | Name | Created | Modified | Runnable | Last Result |
---|---|---|---|---|---|
529eebb2-a53c-4f82-9a0e-fc59763cb542 | Locky | 2019-08-27T10:17:09.968467Z | 2019-09-02T07:08:20.393468Z | true | Failed |
#
Assets (Locky)Hostname | Id | Ipv4Address | Modified | ProductName | Status |
---|---|---|---|---|---|
ec2amaz-g4iu5no | 03e17460-849e-4b86-b6c6-ef0db72823ff | 172.31.39.254 | 2019-09-18T08:12:16.957300Z | Windows Server 2016 Datacenter | Active |
#
Scenarios (Locky)Id | Name |
---|---|
7701f8fb-a725-4a6d-b48d-1881868e24ea | Locky File Encryption |
874d2a63-0cc2-4700-b8b5-6fd31d151c7b | Locky Ransomware Persistence |
150473e3-995b-4c10-81e8-29037f877bf1 | Locky Ransomware DGA |
#
Test - CryptolockerId | Name | Created | Modified | Runnable | Last Result |
---|---|---|---|---|---|
10413458-7bae-4d47-94e9-06197c60d156 | Cryptolocker | 2019-08-27T10:17:09.842767Z | 2019-09-02T07:08:17.069927Z | true | Failed |
#
Assets (Cryptolocker)Hostname | Id | Ipv4Address | Modified | ProductName | Status |
---|---|---|---|---|---|
ec2amaz-g4iu5no | 03e17460-849e-4b86-b6c6-ef0db72823ff | 172.31.39.254 | 2019-09-18T08:12:16.957300Z | Windows Server 2016 Datacenter | Active |
#
Scenarios (Cryptolocker)Id | Name |
---|---|
0f45019b-817e-43f2-82c6-accb28c22b7b | Cryptolocker DGA |
411eb1a9-8e00-4d77-b8a1-8f204987a2d2 | CryptoLocker Persistence |
#
Get the test results of an assessmentReturns the test results of an assessment.
#
Base Commandattackiq-get-test-results
#
InputArgument Name | Description | Required |
---|---|---|
test_id | The ID of the test in which to show results. | Required |
show_last_result | Shows the last result. True shows the last result. | Optional |
page_number | The page number of the test results. | Optional |
page_size | The maximum page size of the results. | Optional |
outcome_filter | Filters results according to user choice. Selecting "Passed" will return only tests that passed. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
AttackIQTestResult.Id | String | The ID of the test result. |
AttackIQTestResult.Modified | Date | The date the test result was last modified. |
AttackIQTestResult.Assessment.Id | String | The ID of the test assessment. |
AttackIQTestResult.Assessment.Name | String | The name of the test assessment. |
AttackIQTestResult.LastResult | String | The result of the test's last run. |
AttackIQTestResult.Scenario.Id | String | The scenario ID of the test results. |
AttackIQTestResult.Scenario.Name | String | The scenario name of the test results. |
AttackIQTestResult.Scenario.Description | String | The scenario description of the test results. |
AttackIQTestResult.Asset.Id | String | The ID of the test results asset. |
AttackIQTestResult.Asset.Ipv4Address | String | The IP address of the test results scenario asset. |
AttackIQTestResult.Asset.Hostname | String | The host name of the test results asset. |
AttackIQTestResult.Asset.ProductName | String | The product name of the test results asset. |
AttackIQTestResult.Asset.Modified | Date | The date that the asset was last modified. |
AttackIQTestResult.AssetGroup | String | The asset group of the test. |
AttackIQTestResult.JobState | String | The state of the job. |
AttackIQTestResult.Outcome | String | The result outcome of the test. |
AttackIQTestResult.RemainingPages | Number | The number of remaining pages to return. For example, if the total number pages is 6, and the last fetch was page 5, the value is 1. |
AttackIQTestResult.Count | Number | The total number of tests. |
#
Command Example#
Context Example#
Human Readable Output#
Test Results for 1c350a5a-84f2-4938-93d8-cc31f0a99482#
Page 10/72Assessment Name | Scenario Name | Hostname | Asset IP | Job State | Modified | Outcome |
---|---|---|---|---|---|---|
Arseny's ransomware project | Download Mischa Ransomware | ec2amaz-g4iu5no | 172.31.39.254 | Â | 2019-09-16T08:41:37.542585Z | Â |
Arseny's ransomware project | Download AutoLocky Ransomware | ec2amaz-g4iu5no | 172.31.39.254 | Â | 2019-09-16T08:41:32.646222Z | Â |
Arseny's ransomware project | Download Mobef Ransomware | ec2amaz-g4iu5no | 172.31.39.254 | Â | 2019-09-16T08:41:23.089756Z | Â |
Arseny's ransomware project | Download BadBlock Ransomeware | ec2amaz-g4iu5no | 172.31.39.254 | Â | 2019-09-16T08:41:18.225112Z | Â |
#
List all assessment templatesLists all available assessment templates.
#
Base Commandattackiq-list-assessment-templates
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
AttackIQ.Template.ID | String | The template ID. |
AttackIQ.Template.Name | String | The template name. |
AttackIQ.Template.ProjectName | String | The name of the project the template is in. |
AttackIQ.Template.Description | String | The description of the template. |
AttackIQ.Template.ProjectDescription | String | The description of the project the template is in. |
AttackIQ.Template.Hidden | Boolean | Whether the template is hidden. |
#
Command Example#
Context Example#
Human Readable OutputID | Name | Description | ProjectName | ProjectDescription |
---|---|---|---|---|
d09d29ba-eed8-4212-bff2-4d1ee11ed80c | Custom | Custom project template | Custom | Custom project |
b30063b9-8f98-4f95-8f32-3a489f239dc8 | Crowdstrike Global Threat Report 2019 | AttackIQ’s analysis and mapping of the “2019 Crowdstrike Global Threat Report” | 2019 Crowdstrike Global Threat Report – Top ATT&CK Techniques | AttackIQ’s analysis and mapping of the “2019 Crowdstrike Global Threat Report” |
2b118268-3fbd-42d0-9839-730c3bfa242b | ATT&CK by the Numbers | AttackIQ’s analysis and mapping of the “ATT&CK by the Numbers” @ NOVA BSides 2019 | ATT&CK by the Numbers @ NOVA BSides 2019 | AttackIQ’s analysis and mapping of the “ATT&CK by the Numbers” @ NOVA BSides 2019 |
28933bd5-9323-4a01-8d02-3da3eb0c5d9e | Red Canary Threat Detection Report 2019 | AttackIQ’s analysis and mapping of the “2019 Red Canary Threat Detection Report – Top ATT&CK Techniques” | 2019 Red Canary Threat Detection Report – Top ATT&CK Techniques | AttackIQ’s analysis and mapping of the “2019 Red Canary Threat Detection Report – Top ATT&CK Techniques” |
59d35f4a-2da0-4c4a-a08a-c30cb41dae6b | Ransomware | Test the Ransomware kill-chain for different samples: Download sample, Save it to disk and Encrypt user's files | Ransomware | Test the Ransomware kill-chain for different samples: Download sample, Save it to disk and Encrypt user's files |
f876dcbd-77bb-4321-b2a8-c279151b9490 | Managed Privileges | Test your security controls by running scenarios with different user privileges (Windows only) | Managed Privileges | Test your security controls by running scenarios with different user privileges (Windows only) |
6108a03e-16be-47d0-b455-7955c74a43f5 | Security Control Coverage | Are you a CISO joining a new company? This will help you assess the baseline of the security controls inside your network. | Security Control Coverage | Test your security controls |
c11d1a86-df25-452d-8054-7e7cae7d4167 | Cryptocurrency Threats | Test common threats focused on cryptocurrency | Cryptocurrency Threats | Test common threats focused on cryptocurrency |
14908dc4-0c6f-4445-9af7-cb5438de950b | MITRE Threat Assessment | How would your security controls, processes and people respond against common attack techniques used by known threat actors? | MITRE Threat Assessment | Test several adversarial techniques based on MITRE ATT&CK |
c297b3fa-1c56-4e57-88bd-08ec19ec09bd | Windows Credential Theft | Common techniques to obtain passwords from Windows and browsers | Windows Credential Theft | Common techniques to obtain passwords from Windows and browsers |
73599a2c-ee91-44a8-b017-febccd64b364 | MITRE ATT&CK | Use the MITRE ATT&CK Matrix to assess your security controls. | MITRE ATT&CK | Select and test various adversarial techniques based on MITRE ATT&CK |
438bbcb8-c573-49b0-8ed8-31f6e7d4257e | C&C | Test adversarial techniques focused on command and control | C&C | Test adversarial techniques focused on command and control |
f75f1e9e-d01a-4ee2-aba3-883aaee498fe | Discovery | Test adversarial techniques focused on discovery | Discovery | Test adversarial techniques focused on discovery |
6386735a-9d6d-40a5-826c-635298b02acc | Credential Access | Test adversarial techniques focused on credential access | Credential Access | Test adversarial techniques focused on credential access |
db958dfd-2da1-440e-9c93-0dc7fd64dfbf | Persistence | Test adversarial techniques focused on persistence | Persistence | Test adversarial techniques focused on persistence |
b5e8a1a5-78fa-4003-a4c2-8b3142e42388 | Defense Evasion | Test adversarial techniques focused on defense evasion | Defense Evasion | Test adversarial techniques focused on defense evasion |
15984ed5-b93e-4ef2-9550-8d36fd49cc58 | Exfiltration | Test adversarial techniques focused on exfiltration | Exfiltration | Test adversarial techniques focused on exfiltration |
6bee8a19-d997-419a-b799-64a67a71644a | Execution | Test adversarial techniques focused on execution | Execution | Test adversarial techniques focused on execution |
517bab19-d382-4835-99f4-74dcbe428f81 | DLP Data Exfiltration | Test of data loss prevention capabilities by trying to exfiltrate credit card numbers and password patterns over HTTP, ICMP, and DNS | DLP Data Exfiltration | Test of data loss prevention capabilities by trying to exfiltrate credit card numbers and password patterns over HTTP, ICMP, and DNS |
219a9735-2923-49c6-bde6-775db3a12655 | Antivirus | Basic test of antivirus capabilities | Antivirus | Basic test of antivirus capabilities |
efff3e44-eea4-4eaa-80e7-d2c5aec44e76 | Firewall | Basic test of common ingress/egress ports | Firewall | Basic test of common ingress/egress ports |
4b7bfd88-ff3e-4949-b0b7-3268f5967084 | Content Filtering | C&C communication, circumvention by proxy services or tor, and general content filtering configuration tests | Content Filtering | C&C communication, circumvention by proxy services or tor, and general content filtering configuration tests |
5a8909d7-2e50-4a81-bab9-884005e3e824 | IDS/IPS | Malicious network traffic and network attacks | IDS/IPS | Malicious network traffic and network attacks |
7dd68971-0448-4784-884b-3d143b3c80df | Advanced Endpoint (Windows) | Basic tests of advanced endpoint solutions on selected machines | Advanced Endpoint (Windows) | Basic tests of advanced endpoint solutions on selected machines |
#
List all assetsLists all assets.
#
Base Commandattackiq-list-assets
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
AttackIQ.Asset.ID | String | The ID of the asset. |
AttackIQ.Asset.Description | String | The description of the asset. |
AttackIQ.Asset.IPv4 | String | The IPv4 address of the asset. |
AttackIQ.Asset.IPv6 | String | The IPv6 address of the asset. |
AttackIQ.Asset.MacAddress | String | The MAC address of the asset. |
AttackIQ.Asset.ProcessorArch | String | The processor arch of the asset. |
AttackIQ.Asset.ProductName | String | The name of the asset. |
AttackIQ.Asset.Hostname | String | The hostname of the asset. |
AttackIQ.Asset.Domain | String | The domain of the asset. |
AttackIQ.Asset.User | String | The user of the asset. |
AttackIQ.Asset.Status | String | Status of the asset. |
AttackIQ.Asset.Groups.ID | String | The ID of the asset's group. |
AttackIQ.Asset.Groups.Name | String | The name of the asset's group. |
#
Command Example#
Context Example#
Human Readable Output#
Assets:ID | Hostname | IPv4 | MacAddress | Domain | Description | User | Status |
---|---|---|---|---|---|---|---|
03e17460-849e-4b86-b6c6-ef0db72823ff | ec2amaz-g4iu5no | 172.31.39.254 | 06-FB-B8-38-E2-2A | workgroup | agent_7377e1fa-d49d-44bf-84ef-4e1dfb8e4748@demisto.com | Active |
#
Create an assessmentCreates a new assesment.
#
Base Commandattackiq-create-assessment
#
InputArgument Name | Description | Required |
---|---|---|
name | The name of the new assesment | Required |
template_id | The ID of the template from which to create the assesment. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
AttackIQ.Assessment.Id | String | The ID of the assessment. |
AttackIQ.Assessment.Name | String | The name of the assessment name. |
AttackIQ.Assessment.Description | String | The description of the assessment. |
AttackIQ.Assessment.StartDate | Date | The start date of the assessment. |
AttackIQ.Assessment.EndDate | Date | The end date of the assessment. |
AttackIQ.Assessment.AssessmentState | String | The state of the assessment. Can be, "Active" or "Inactive". |
AttackIQ.Assessment.DefaultSchedule | String | The default schedule timing (cron) of the assessment. |
AttackIQ.Assessment.AssessmentTemplateId | String | The template ID of the assessment. |
AttackIQ.Assessment.AssessmentTemplateName | String | The template name of the assessment. |
AttackIQ.Assessment.AssessmentTemplateDescription | String | The template description of the assessment. |
AttackIQ.Assessment.AssessmentTemplateDefaultSchedule | Unknown | The assessment's template default schedule timing (cron). |
AttackIQ.Assessment.AssessmentTemplateCompany | String | The owner of the template. |
AttackIQ.Assessment.AssessmentTemplateCreated | Date | The date that the template was created. |
AttackIQ.Assessment.AssessmentTemplateModified | Date | The date that the template was last modified. |
AttackIQ.Assessment.Creator | String | The user who created the assessment. |
AttackIQ.Assessment.Owner | String | The user who owns the assessment. |
AttackIQ.Assessment.User | String | The user who ran the assessment. |
AttackIQ.Assessment.Created | String | The date that the assessment was created. |
AttackIQ.Assessment.Modified | String | The date that the assessment was last modified. |
AttackIQ.Assessment.Users | String | The user IDs that can access the assessment. |
AttackIQ.Assessment.Groups | String | The user groups that can access the assessment. |
AttackIQ.Assessment.DefaultAssetCount | Number | The number of machines (assets) that are connected to the assessment. |
AttackIQ.Assessment.DefaultAssetGroupCount | Number | The number of asset groups that are connected to the assessment. |
AttackIQ.Assessment.MasterJobCount | Number | The number of tests that ran in the assessment. |
AttackIQ.Assessment.Count | Number | The total number of assessments. |
AttackIQ.Assessment.RemainingPages | Number | The number of remaining pages to return. For example, if the total number of pages is 6, and the last fetch was page 5, the value is 1. |
#
Command Example#
Context Example#
Human Readable Output#
Created Assessment: 08023e86-3b8c-4f98-ab46-7c931d759157 successfully.Id | Name | Description | User | Created | Modified |
---|---|---|---|---|---|
08023e86-3b8c-4f98-ab46-7c931d759157 | Assessment from test playbook | Custom project | woo@test.com | 2019-10-29T08:37:22.187577Z | 2019-10-29T08:37:22.187603Z |
#
Add assets to an assesmentAdds assets or asset groups to an assesment.
#
Base Commandattackiq-add-assets-to-assessment
#
InputArgument Name | Description | Required |
---|---|---|
assets | A comma-seperated list of asset IDs. | Optional |
asset_groups | A comma-seperated list of asset group IDs. | Optional |
assessment_id | The ID of the assessment to which the assets will be added. | Required |
#
Context OutputThere are no context outputs for this command.
#
Command Example#
Human Readable OutputSuccessfully updated default assets/asset groups for project b2fc06d4-5d0a-4924-a126-66320887dce0
#
Delete an assessmentDeletes an assessment.
#
Base Commandattackiq-delete-assessment
#
InputArgument Name | Description | Required |
---|---|---|
assessment_id | The ID of the assessment to delete. | Required |
#
Context OutputThere are no context outputs for this command.
#
Command Example#
Human Readable OutputDeleted assessment b2fc06d4-5d0a-4924-a126-66320887dce0 successfully.