Releases: rabobank-cdc/DeTTECT

v1.4.1

24 Oct 10:46

CLI

  • Added a new argument (-p/--platform) to the data source, detection and visibility menus. When generating a Navigator layer, it overrides the platform value(s) specified in the YAML file.
    • This also improves the group menu: multiple ATT&CK platforms can now be specified by repeating the -p/--platform argument.
  • Changed how ATT&CK Groups are specified within the group menu. Multiple Groups are no longer provided as a single double-quoted, comma-separated string; instead, each additional Group is provided with its own -g/--group argument.
  • Updated all Python packages.
  • Bug fixes:
    • Crash when updating a techniques file based on a data source file while the date key-value pair in the visibility score_logbook held a null value. (already pushed to master before the release of 1.4.1)
    • Issue #36, reported by @driesbuyck: DeTT&CT crashed when generating a detection or visibility layer file from a technique administration file containing dates in different Python date formats. (already pushed to master before the release of 1.4.1)
    • Detections with a score of -1, or visibility items with a score of 0, were included in the graph showing the progression of added detection/visibility over time. (already pushed to master before the release of 1.4.1)
    • Under particular circumstances the update of visibility scores, based on updated data sources, would not write the updated technique YAML file to disk.
    • Techniques with a detection score of 0 and a visibility score of 0 were coloured white within a detection/visibility overlay instead of purple.

Editor

  • Moved the maximise icon within text fields more to the left to improve the user experience for browsers running on Windows.
  • The list editor for the detection's locations no longer shows empty values. This improves the user experience.
  • Removed the service worker module to solve a caching problem that could prevent a new version of the Editor from being loaded in the browser.
  • Updated all JavaScript dependencies.
  • Bug fixes:
    • The detection score slider was missing the score 0. (already pushed to master before the release of 1.4.1)
    • A very long group name would run off the page.

Generic

  • Added threat intelligence data from Cisco Talos: 20200901-Cisco-Talos.yaml
    • (already pushed to master before the release of 1.4.1)

v1.4.0

16 Jul 15:37

CLI

  • Added support for sub-techniques. This includes:
    • A new command-line option (--update-to-sub-techniques) to update the techniques administration YAML file to the new ATT&CK sub-techniques. Most updates are automated using the crosswalk provided by MITRE. Techniques that cannot be migrated automatically require manual action; they are listed under "Messages that need your attention:".
    • A function that checks whether a techniques administration YAML file needs to be updated to ATT&CK sub-techniques.
    • Support for the new Navigator Layer 3.0 format.
  • Added a new option (--local-stix-path LOCAL_STIX_PATH) to use local STIX objects instead of the TAXII server. This makes it possible to run DeTT&CT offline or to work with a specific version of the STIX objects.
  • When a technique administration YAML file contains an unknown technique, DeTT&CT ignores it and continues, but it also reports it.
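
The migration described above has three outcomes per entry: an automatic one-to-one move, a case that needs a human decision, and an unknown ID that is kept and reported rather than aborting the run. The following is an added example, not DeTT&CT's code, that implements that split over a parsed technique administration structure. The crosswalk table and the set of known ATT&CK IDs in it are hand-built stand-ins for MITRE's crosswalk file and the STIX data; the function names are assumptions made for this example.

```python
"""Added example (not DeTT&CT's own code). Migrates a parsed technique
administration structure to ATT&CK sub-technique IDs with a crosswalk:
unambiguous one-to-one moves are applied, everything else is collected as
messages that need attention, and IDs unknown to ATT&CK are kept, skipped and
reported instead of stopping the run. CROSSWALK and KNOWN_IDS are constructed
stand-ins, not MITRE's crosswalk file."""
import copy

# Constructed crosswalk: old ID -> (change type, [(new ID, new name), ...]).
CROSSWALK = {
    "T1086": ("became-sub-technique", [("T1059.001", "Command and Scripting Interpreter: PowerShell")]),
    "T1055": ("remains-technique", [("T1055", "Process Injection")]),
    "T1053": ("remains-technique", [("T1053", "Scheduled Task/Job")]),
    "T1064": ("deprecated", [("T1059", "Command and Scripting Interpreter"),
                             ("T1027", "Obfuscated Files or Information")]),
}
# Constructed subset of ATT&CK IDs; DeTT&CT derives the real set from STIX data.
KNOWN_IDS = {"T1027", "T1053", "T1053.005", "T1055", "T1059", "T1059.001"}


def needs_update(techniques):
    """True when any entry still carries an ID that the crosswalk renames or retires."""
    for tech in techniques:
        change, _ = CROSSWALK.get(tech["technique_id"], ("unknown", []))
        if change in ("became-sub-technique", "deprecated"):
            return True
    return False


def migrate(techniques):
    """Return (migrated deep copy, attention messages). The input is left unmodified."""
    migrated, attention, seen = [], [], {}
    for tech in copy.deepcopy(techniques):
        old_id = tech["technique_id"]
        change, targets = CROSSWALK.get(old_id, ("unknown", []))
        if change == "became-sub-technique" and len(targets) == 1:
            tech["technique_id"], tech["technique_name"] = targets[0]   # automatic move
        elif change == "deprecated" or len(targets) > 1:
            ids = ", ".join(t[0] for t in targets) or "nothing"
            attention.append(f"{old_id} ({change}) maps to {ids}: split or retire this entry by hand")
        elif change == "unknown" and old_id not in KNOWN_IDS:
            attention.append(f"{old_id} is not an ATT&CK technique; entry kept but ignored")
        # Two entries ending up on the same new ID would be merged silently otherwise.
        new_id = tech["technique_id"]
        if new_id in seen:
            attention.append(f"{new_id} now occurs twice (from {seen[new_id]} and {old_id}): merge by hand")
        seen.setdefault(new_id, old_id)
        migrated.append(tech)
    return migrated, attention


# Constructed sample: one automatic move, one unchanged technique, one retired
# technique, one entry that was already migrated by hand, and one typo.
SAMPLE = [
    {"technique_id": "T1086", "technique_name": "PowerShell", "detection": [], "visibility": []},
    {"technique_id": "T1055", "technique_name": "Process Injection", "detection": [], "visibility": []},
    {"technique_id": "T1064", "technique_name": "Scripting", "detection": [], "visibility": []},
    {"technique_id": "T1059.001", "technique_name": "Command and Scripting Interpreter: PowerShell",
     "detection": [], "visibility": []},
    {"technique_id": "T9999", "technique_name": "Typo", "detection": [], "visibility": []},
]

if __name__ == "__main__":
    result, messages = migrate(SAMPLE)
    print([t["technique_id"] for t in result])
    print("Messages that need your attention:")
    for message in messages:
        print(" -", message)
```

Reporting a duplicate instead of merging is deliberate: two entries carrying different detection and visibility scores for what is now one sub-technique is exactly the kind of collision that should be resolved by the file's owner, not by the tool.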

Editor

  • Added support for sub-techniques.
  • Added navigation buttons to easily navigate through the list of data sources and techniques.
    • Keyboard shortcut: Ctrl+Shift+Up/Down: go to the next or previous item when editing a data source or technique administration YAML file.
  • Updated all JavaScript dependencies.

Generic

v1.3.1

22 Jun 12:32

CLI

  • All overlays now use shades of colours. When comparing a group with detection coverage, the orange colour (a threat actor uses the TTP and you have detection) comes in shades that reflect the detection level. Likewise, the green (detection) and blue (visibility) in overlays now come in shades.
  • New options:
    • The output filename for the data source, visibility, detection and group modes can now be specified: -of OUTPUT_FILENAME, --output-filename OUTPUT_FILENAME
    • The name as shown within a Navigator tab can now be specified: -ln LAYER_NAME, --layer-name LAYER_NAME
  • Improved the information displayed within the metadata for all types of overlays, for example when comparing detection coverage with group data.
  • Updated all Python packages.
  • Bug fixes:
    • The date format in an auto-updated YAML file conflicted with the date format used in the Editor.
    • The health check crashed when the value for the key-value pair location was not a YAML list.
    • Detections with score=0 (Forensics/Context) were not shown in some layer files.

Editor

  • Updated all JavaScript dependencies.
  • Added a Notes text field to the File Details section of Data Sources, Techniques and Groups.
  • Bug fixes:
    • Within a specific scenario, a YAML file was created with an empty score_logbook.

v1.3.0

18 Mar 13:01

  • YAML files can now be edited by loading them into the DeTT&CT Editor. It's no longer necessary to edit YAML files using a text editor!
    • All code in the Editor runs within the browser; the content of your YAML file is therefore not sent to a server.
    • The Editor is hosted on GitHub and can be found here. The Editor can also be run locally using the following command: python dettect.py editor
    • With a few exceptions, all key-value pairs within a data source, techniques or group YAML file can be edited. More info can be found here.
    • Please note that comments (#) within your YAML files are not preserved, because the YAML JavaScript library does not support them. To keep a comment, put it in a key-value pair, e.g. my-comment-1: your comment goes here.
    • @rcfontana contributed as a beta tester. Thanks!
  • Bug fixes:
    • The logic to determine if a data source was available or not contained several errors.
    • Using a lowercase value for the key-value pair platform in a data source YAML file resulted in an error.

v1.2.7

10 Feb 14:17

  • The automatic scoring of visibility (based on the number of available data sources) is now more accurate. This was mainly necessary after the introduction of the cloud platforms and data sources in the 2019 October ATT&CK update.
    • On this page you can find which data sources are applicable per platform. We created this specifically for DeTT&CT; it is thus not part of ATT&CK.
  • Upgraded all used Python packages to their latest version.
  • Several small improvements.
  • Bug fixes:
    • A data source administration YAML file without the exceptions key-value pair resulted in an error. Reported by @s4vgR.
    • A group YAML file without the software_id key-value pair resulted in an error. Reported by @mavjs.
    • Within specific circumstances, an invalid health error message was shown.

v1.2.6

17 Dec 14:14

  • It is now possible to perform an EQL search on custom key-value pairs of a technique administration YAML file.
  • Added new functionality to support a platform key-value pair in a group YAML file.
  • Added a new option to the data source menu, --yaml-all-techniques, which includes in the generated technique administration YAML file (when -y, --yaml is provided) all ATT&CK techniques that apply to the platform(s) specified in the data source YAML file.
  • Revoked ATT&CK STIX objects are now removed from the results that are retrieved from the ATT&CK TAXII server.
  • Added new functionality to make sure the metadata in a Navigator layer file is compliant with the expected data structure.
  • Upgraded all used Python packages to their latest version.
  • Several other small improvements.
  • Health checks:
    • Added a check for a data source administration YAML file that is missing one of the ATT&CK data sources.
    • Added a check for an empty item in the key-value pair 'location' (in a detection) and 'applicable_to'.
  • Bug fixes:
    • A bug that could result in an invalid message in the Excel export for a missing ATT&CK data source.
    • An Excel export for a technique administration YAML file would crash when a detection or visibility comment had an empty/None value. Reported by @sreemanshanker.
    • Under specific circumstances a wrong colour for visibility was used when detection coverage was overlaid with visibility. Reported by @sreemanshanker.
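
The health checks in this release, together with the ones from 1.2.2 (invalid technique IDs in exceptions, empty or invalid platform), 1.2.7 (a missing exceptions key must not be an error), 1.3.0 (platform values compared case-insensitively) and 1.3.1 (location that is not a YAML list must not crash), all come down to one principle: a malformed administration file should produce findings, not a traceback. The following is an added example, not DeTT&CT's own health check, applying those checks to parsed data source and technique administration structures. The YAML layouts assumed for the two samples, the platform list and the ATT&CK data source subset are assumptions made for this example.

```python
"""Added example (not DeTT&CT's own code). Health checks over parsed data source
and technique administration structures. Every problem becomes a finding string;
nothing raises, so one bad key cannot abort the whole check."""
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
# Constructed subsets for the example; DeTT&CT takes the real lists from ATT&CK STIX data.
VALID_PLATFORMS = {"windows", "linux", "macos", "aws", "gcp", "azure", "azure ad", "office 365", "saas"}
ATTACK_DATA_SOURCES = {"Process monitoring", "Process command-line parameters", "Windows event logs"}


def _check_platform(platform, where, findings):
    """'platform' may be a string or a list; compared case-insensitively, 'all' allowed."""
    values = platform if isinstance(platform, list) else [platform]
    if not values or all(v in (None, "") for v in values):
        findings.append(f"{where}: empty platform value")
        return
    for v in values:
        if not isinstance(v, str) or (v.lower() != "all" and v.lower() not in VALID_PLATFORMS):
            findings.append(f"{where}: invalid platform value {v!r}")


def _check_list(items, where, findings):
    """Return the items as a list ([] when missing or not a list) and report empty entries."""
    if items is None:
        return []
    if not isinstance(items, list):
        findings.append(f"{where}: expected a YAML list, got {type(items).__name__}")
        return []
    for i, item in enumerate(items):
        if item is None or (isinstance(item, str) and not item.strip()):
            findings.append(f"{where}[{i}]: empty item")
    return items


def health_check_data_sources(doc):
    findings = []
    _check_platform(doc.get("platform"), "platform", findings)
    present = {ds.get("data_source_name") for ds in doc.get("data_sources") or []}
    for missing in sorted(ATTACK_DATA_SOURCES - present):
        findings.append(f"data_sources: ATT&CK data source {missing!r} is not listed")
    if "exceptions" not in doc:
        findings.append("exceptions: key missing; treated as an empty list")
    for i, exc in enumerate(_check_list(doc.get("exceptions"), "exceptions", findings)):
        if exc is None or exc == "":
            continue   # already reported as an empty item
        tid = exc.get("technique_id") if isinstance(exc, dict) else exc
        if not tid or not TECHNIQUE_ID.match(str(tid)):
            findings.append(f"exceptions[{i}]: invalid technique ID {tid!r}")
    return findings


def health_check_techniques(doc):
    findings = []
    _check_platform(doc.get("platform"), "platform", findings)
    for tech in doc.get("techniques") or []:
        tid = tech.get("technique_id")
        if not tid or not TECHNIQUE_ID.match(str(tid)):
            findings.append(f"techniques: invalid technique ID {tid!r}")
            continue
        for kind in ("detection", "visibility"):
            for i, item in enumerate(tech.get(kind) or []):
                where = f"{tid}/{kind}[{i}]"
                _check_list(item.get("applicable_to"), where + "/applicable_to", findings)
                if kind == "detection":
                    _check_list(item.get("location"), where + "/location", findings)
                if not item.get("score_logbook"):
                    findings.append(f"{where}: empty score_logbook")
    return findings


# Constructed samples (layout assumed for the example).
DS_SAMPLE = {"platform": "Windows",                      # mixed case is fine
             "data_sources": [{"data_source_name": "Process monitoring"},
                              {"data_source_name": "Process command-line parameters"}]}
                                                         # no 'exceptions' key on purpose
DS_SAMPLE_EXC = {"platform": "",
                 "data_sources": [{"data_source_name": n} for n in ATTACK_DATA_SOURCES],
                 "exceptions": [{"technique_id": "T1055"}, {"technique_id": ""}, None,
                                {"technique_id": "1234"}]}
TA_SAMPLE = {"platform": ["windows", "Mainframe"],
             "techniques": [
                 {"technique_id": "T1055",
                  "detection": [{"applicable_to": ["all", ""], "location": "EDR",   # not a list
                                 "score_logbook": [{"date": "2020-01-01", "score": 3}]}],
                  "visibility": [{"applicable_to": ["all"], "score_logbook": []}]},
                 {"technique_id": "", "detection": [], "visibility": []}]}

if __name__ == "__main__":
    for doc, check in ((DS_SAMPLE, health_check_data_sources), (DS_SAMPLE_EXC, health_check_data_sources),
                       (TA_SAMPLE, health_check_techniques)):
        for finding in check(doc):
            print(finding)
```

Note that a missing exceptions key is reported as information and treated as an empty list rather than as an error, matching the 1.2.7 fix, while a location that is a bare string is reported as a structural problem and skipped, matching the 1.3.1 fix.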

v1.2.5

19 Nov 10:56

Fixes for two bugs related to the data source administration YAML file:

  • Using 'all' for key-value pair 'platform' to generate a technique administration YAML file did not work.
  • EQL searches on data source YAML files were broken.

v1.2.4

14 Nov 14:39

Fixes for two small bugs that resulted in:

  • An invalid Navigator layer file for a group/threat actor heat map, or when overlaid with a group, visibility or detection coverage.
  • A crash when generating a Group Navigator layer file overlaid with a non-existing ATT&CK Group.

v1.2.3

05 Nov 13:48

  • Added the new data sources introduced with the ATT&CK October update to the sample-data file:
    • AWS CloudTrail logs, AWS OS logs, Azure OS logs, Azure activity logs, OAuth audit logs, Office 365 account logs, Office 365 audit logs, Office 365 trace logs, Stackdriver logs.
  • Added support for the new platforms introduced with the ATT&CK October update: AWS, GCP, Azure, Azure AD, Office 365, SaaS.
  • Added support for using multiple platform values in the data sources administration and techniques administration files.
  • Added a health check for an empty or invalid 'platform' value in the techniques administration file.
  • Updated to support the ATT&CK Navigator layer version 2.2.
  • A small bug fix in the health check.

v1.2.2

17 Oct 12:42

  • Added two new health checks for the data source administration YAML:
    • A check on invalid technique IDs in the 'exceptions' list.
    • A check on an empty or invalid value for 'platform'.
  • Fixed issue #13 reported by @hRun that caused a crash when having empty technique ID entries within the 'exceptions' list of a data source administration YAML file.