Skip to main content

Visualizing Adversary Techniques


note
  • Adversary techniques can be obtained from your intel analysts or any threat intel reports – these are the techniques you want to hunt/monitor for
  • If duplicate technique IDs are added to the text file, then the conversion script will give those techniques higher scoring relative to other techniques – increasing the color gradient when visualized

  1. Manually populate a simple text file with MITRE ATT&CK technique and sub-technique IDs (T####, T####.###) – one per line

  2. Copy the Convert-TIDsToATTACK.psm1 script (found in \\fileserver\share\share\SCRIPTS\262COS-MITRE_ATTACK_Scripts-PACKAGE-001\) to your Windows host

  3. Open a PowerShell terminal, navigate to the script location, and import the script as a module:

    Import-Module -Force .\Convert-TIDsToATTACK.psm1
  4. Run the Convert-TIDsToATTACK script against the file containing the list of MITRE ATT&CK technique and sub-technique IDs to convert it to a MITRE ATT&CK Navigator Layer JSON file:

    Convert-TIDsToATTACK -File "<TECHNIQUE_ID_LIST_FILE>" -Output "technique_id_coverage.json"
  5. From the MITRE ATT&CK Navigator, click on the + plus sign at the top of the page next to the existing layer name (Detection Rule Coverage)

  6. Click on Open Existing Layer -> Upload from Local and upload your newly converted technique_id_coverage.json

  7. A new layer named Technique Coverage will be loaded:

  8. You can now customize the layer visuals and render layer to SVG to export the layer as an SVG image file, if desired