ruben edited this page Nov 1, 2023 · 48 revisions
DeTT&CT

Detect Tactics, Techniques & Combat Threats

Latest version: 1.9.0

To get started with DeTT&CT, check out one of these resources:

Videos

DeTT&CT aims to assist blue teams in using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours. Each of these can help, in its own way, to make your organisation more resilient against attacks targeting it. The DeTT&CT framework consists of a Python tool (DeTT&CT CLI), YAML administration files, the DeTT&CT Editor (to create and edit the YAML administration files) and scoring tables for detections, data sources and visibility.

DeTT&CT provides the following functionality for the ATT&CK domains Enterprise, ICS and Mobile:

  • Administrate and score the quality of your data sources.
  • Get insight into the visibility you have on, for example, endpoints.
  • Map your detection coverage.
  • Map threat actor behaviours.
  • Compare visibility, detection coverage and threat actor behaviours to uncover possible improvements in detection and visibility (which is based on your available data sources). This can help you to prioritise your blue teaming efforts.
  • Get statistics (per platform) on the number of techniques covered per data source.

The coloured visualisations are created with the help of MITRE's ATT&CK™ Navigator. For layer files created by DeTT&CT, we recommend using this URL to the Navigator as it will make sure metadata in the layer file does not have a yellow underline: https://mitre-attack.github.io/attack-navigator/#comment_underline=false&metadata_underline=false

Authors and contributions

This project is developed and maintained by Marcus Bakker (Twitter: @Bakk3rM) and Ruben Bouman (Twitter: @rubinatorz). Feel free to contact us; DMs are open. We would appreciate it if you ask any question on how to use DeTT&CT by opening a GitHub issue. Having the questions and answers there will greatly help others with similar questions and challenges.

We welcome contributions! Contributions can be both in code and in ideas you might have for further development, usability improvements, etc.

Sponsors

The following parties have supported the development of DeTT&CT in time or financially.

  • Rabobank - Dutch multinational banking and financial services company. Food and agribusiness constitute the primary international focus of the Rabobank.

    Significant parts of DeTT&CT have been developed in the time that we worked as contractors at Rabobank.

  • Cyber Security Sharing & Analytics (CSSA) - Founded in November 2014 by seven major German companies as an alliance for jointly facing cyber security challenges in a proactive, fast and effective manner. Currently, CSSA has 13 member companies.

    With the financial sponsorship of the CSSA, we added support for ATT&CK ICS to DeTT&CT.

  • Dutch National Police. With the financial sponsorship of the Dutch National Police, we added support for ATT&CK Mobile to DeTT&CT.

Work of others

The work of others inspired some functionality within DeTT&CT:

Third party tool: Dettectinator

The Python library for your DeTT&CT YAML files.

Dettectinator is built to be included in your SOC automation tooling. It can be included as a Python library or it can be used via the command line.

Dettectinator provides plugins to read detections from your SIEM or EDR and create/update the DeTT&CT YAML file, so that you can use it to visualize your ATT&CK detection coverage in the ATT&CK Navigator.

More information can be found on GitHub: Dettectinator.

Example

YAML files are used for administrating scores and relevant properties. All of these can be visualised by loading JSON layer files into the ATT&CK Navigator (some types of scores and properties can also be exported to Excel).

See below an example of mapping your data sources to ATT&CK, which gives you a rough overview of your visibility coverage:

DeTT&CT - Data quality


Using the command python dettect.py generic -ds, you can determine which data sources within ATT&CK cover the most techniques. This can, for example, be useful to guide you in identifying which data sources will provide you with a lot of visibility and are hence good candidates to have available in a SIEM(-like) solution.

Count  Data Source                              Platform(s)
------------------------------------------------------------------------------------------------------------------------
255    Command Execution                        Containers, Linux, Network, Windows, macOS
206    Process Creation                         Linux, Windows, macOS
98     File Modification                        Linux, Network, Windows, macOS
88     File Creation                            Linux, Network, Windows, macOS
82     Network Traffic Flow                     IaaS, Linux, Windows, macOS
78     OS API Execution                         Linux, Windows, macOS
70     Network Traffic Content                  IaaS, Linux, Windows, macOS
58     Windows Registry Key Modification        Windows
58     Network Connection Creation              IaaS, Linux, Windows, macOS
55     Application Log Content                  Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
50     Module Load                              Linux, Windows, macOS
46     File Access                              Linux, Network, Windows, macOS
46     Web [DeTT&CT data source]                Windows, macOS, Linux, IaaS, Office 365, Google Workspace, SaaS,
                                                Network, Containers
37     File Metadata                            Linux, Network, Windows, macOS
32     Logon Session Creation                   Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows,
                                                macOS
26     Script Execution                         Windows
22     Response Content                         PRE
21     Internal DNS [DeTT&CT data source]       Windows, macOS, Linux, IaaS, Network, Containers
20     User Account Authentication              Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS,
                                                Windows, macOS
18     Process Access                           Linux, Windows, macOS
17     Windows Registry Key Creation            Windows
17     Email [DeTT&CT data source]              Windows, macOS, Linux, Office 365, Google Workspace, SaaS
15     Service Creation                         Linux, Windows, macOS
15     Host Status                              Linux, Windows, macOS
13     Active Directory Object Modification     Azure AD, Windows
12     Service Metadata                         Linux, Windows, macOS
11     Process Metadata                         Linux, Windows, macOS
10     Driver Load                              Linux, Windows, macOS
10     File Deletion                            Linux, Network, Windows, macOS
9      Firmware Modification                    Linux, Windows, macOS
9      Logon Session Metadata                   Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows,
                                                macOS
9      Process Modification                     Linux, Windows, macOS
8      User Account Metadata                    Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS,
                                                Windows, macOS
7      Windows Registry Key Access              Windows
7      Scheduled Job Creation                   Containers, Linux, Windows, macOS
7      Malware Metadata                         PRE
7      Active Directory Credential Request      Azure AD, Windows
6      Container Creation                       Containers
6      Web Credential Usage                     Azure AD, Google Workspace, Linux, Office 365, SaaS, Windows, macOS
6      Response Metadata                        PRE
6      User Account Creation                    Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS,
                                                Windows, macOS
6      Drive Modification                       Linux, Windows, macOS
6      User Account Modification                Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS,
                                                Windows, macOS
5      Instance Creation                        IaaS
5      Active DNS                               PRE
5      Passive DNS                              PRE
5      Network Share Access                     Linux, Windows, macOS
5      Drive Access                             Linux, Windows, macOS
5      Service Modification                     Linux, Windows, macOS
4      Image Creation                           IaaS
4      Instance Start                           IaaS
4      Active Directory Object Creation         Azure AD, Windows
4      Malware Content                          PRE
4      Social Media                             PRE
4      Domain Registration                      PRE
4      Drive Creation                           Linux, Windows, macOS
4      Windows Registry Key Deletion            Windows
3      Active Directory Object Access           Azure AD, Windows
3      Instance Metadata                        IaaS
3      Container Start                          Containers
3      Web Credential Creation                  Azure AD, Google Workspace, Linux, Office 365, SaaS, Windows, macOS
3      Firewall Rule Modification               Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows,
                                                macOS
3      Firewall Disable                         Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows,
                                                macOS
3      Instance Deletion                        IaaS
3      Snapshot Creation                        IaaS
3      Process Termination                      Linux, Windows, macOS
2      Cloud Storage Enumeration                IaaS
2      Cloud Storage Access                     IaaS
2      Pod Metadata                             Containers
2      Active Directory Object Deletion         Azure AD, Windows
2      Cloud Service Modification               Azure AD, Google Workspace, IaaS, Office 365, SaaS
2      Cloud Service Disable                    Azure AD, Google Workspace, IaaS, Office 365, SaaS
2      Certificate Registration                 PRE
2      Cloud Storage Metadata                   IaaS
2      Instance Modification                    IaaS
2      Instance Stop                            IaaS
2      Firewall Metadata                        Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows,
                                                macOS
2      Firewall Enumeration                     Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows,
                                                macOS
2      Group Enumeration                        Azure AD, Google Workspace, IaaS, Office 365, SaaS, Windows
2      Group Metadata                           Azure AD, Google Workspace, IaaS, Office 365, SaaS, Windows
2      Image Metadata                           IaaS
2      Scheduled Job Metadata                   Containers, Linux, Windows, macOS
2      Scheduled Job Modification               Containers, Linux, Windows, macOS
2      Kernel Module Load                       Linux, macOS
2      WMI Creation                             Windows
2      Group Modification                       Azure AD, Google Workspace, IaaS, Office 365, SaaS, Windows
2      Driver Metadata                          Linux, Windows, macOS
2      Snapshot Modification                    IaaS
2      Snapshot Deletion                        IaaS
2      Volume Deletion                          IaaS, Linux, Windows, macOS
2      Cloud Storage Modification               IaaS
2      Cloud Service Enumeration                Azure AD, Google Workspace, IaaS, Office 365, SaaS
1      Cluster Metadata                         Containers
1      Container Enumeration                    Containers
1      Container Metadata                       Containers
1      Pod Enumeration                          Containers
1      Pod Creation                             Containers
1      Pod Modification                         Containers
1      Instance Enumeration                     IaaS
1      Snapshot Metadata                        IaaS
1      Snapshot Enumeration                     IaaS
1      Volume Metadata                          IaaS, Linux, Windows, macOS
1      Volume Enumeration                       IaaS, Linux, Windows, macOS
1      Named Pipe Metadata                      Linux, Windows, macOS
1      User Account Deletion                    Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS,
                                                Windows, macOS
1      Image Modification                       IaaS
1      Volume Creation                          IaaS, Linux, Windows, macOS
1      Volume Modification                      IaaS, Linux, Windows, macOS
1      Cloud Storage Creation                   IaaS
1      Cloud Service Metadata                   Azure AD, Google Workspace, IaaS, Office 365, SaaS
1      Image Deletion                           IaaS
1      Cloud Storage Deletion                   IaaS
1      DHCP [DeTT&CT data source]               Windows, macOS, Linux
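The two ideas in this Example section, counting techniques per data source (the table above) and turning a data source inventory into a Navigator layer file, shown as an added example in plain Python. This is not DeTT&CT's own code: it works on a small constructed set of techniques shaped like ATT&CK STIX attack-pattern fields (x_mitre_platforms and x_mitre_data_sources in the "Data Source: Component" form), and the layer version numbers are assumptions.

```python
"""Added example, not DeTT&CT's own code: the counting behind `generic -ds`
and a minimal visibility layer, on a constructed ATT&CK-style sample."""
import json
from collections import defaultdict

# Constructed sample: technique id, platforms and data sources as they
# appear in ATT&CK STIX ("Data Source: Component"). Not real coverage data.
SAMPLE_TECHNIQUES = [
    {"id": "T1059", "platforms": ["Linux", "Windows", "macOS"],
     "data_sources": ["Command: Command Execution", "Process: Process Creation"]},
    {"id": "T1547.001", "platforms": ["Windows"],
     "data_sources": ["Windows Registry: Windows Registry Key Modification",
                      "Process: Process Creation", "Command: Command Execution"]},
    {"id": "T1071.001", "platforms": ["Linux", "Windows", "macOS"],
     "data_sources": ["Network Traffic: Network Traffic Content",
                      "Network Traffic: Network Traffic Flow"]},
    {"id": "T1078.004", "platforms": ["Azure AD", "IaaS", "Office 365"],
     "data_sources": ["Logon Session: Logon Session Creation",
                      "User Account: User Account Authentication"]},
]

def component(ds):
    """'Process: Process Creation' -> 'Process Creation' (the table's column)."""
    return ds.split(": ", 1)[-1]

def count_techniques_per_data_source(techniques):
    """Return {component: (technique count, sorted platform list)}."""
    counts, platforms = defaultdict(int), defaultdict(set)
    for t in techniques:
        for ds in t["data_sources"]:
            counts[component(ds)] += 1
            platforms[component(ds)].update(t["platforms"])
    return {c: (counts[c], sorted(platforms[c])) for c in counts}

def visibility_layer(techniques, available, name="Visibility (example)"):
    """Navigator layer: score = number of a technique's data source components
    you actually have available (a rough visibility indicator)."""
    rows = []
    for t in techniques:
        have = sorted({component(ds) for ds in t["data_sources"]} & set(available))
        rows.append({"techniqueID": t["id"], "score": len(have),
                     "comment": "available: " + ", ".join(have)})
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.5", "navigator": "4.9"},  # assumed versions
            "techniques": rows}

if __name__ == "__main__":
    table = count_techniques_per_data_source(SAMPLE_TECHNIQUES)
    for comp, (n, plats) in sorted(table.items(), key=lambda kv: (-kv[1][0], kv[0])):
        print(f"{n:<6} {comp:<40} {', '.join(plats)}")
    print(json.dumps(visibility_layer(SAMPLE_TECHNIQUES,
                                      ["Command Execution", "Process Creation"]), indent=2))
```

Load the printed JSON into the Navigator URL given above to see the scores rendered; swap the constructed sample for the real ATT&CK bundle to reproduce the full table.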

Installation and requirements

See our GitHub Wiki: Installation and requirements.

License: GPL-3.0

DeTT&CT's GNU General Public License v3.0
