
center-for-threat-informed-defense / attack-powered-suit

66.0 61.0 11.0 5.09 MB

ATT&CK Powered Suit is a browser extension that puts the complete MITRE ATT&CK® knowledge base at your fingertips with text search, context menus, and ATT&CK Navigator integration.

Home Page: https://ctid.io/attack-powered-suit

License: Apache License 2.0

Makefile 1.36% CSS 3.15% HTML 1.41% JavaScript 49.42% Svelte 41.73% Swift 2.93%
ctid cyber-threat-intelligence mitre-attack browser-extension chrome-extension

attack-powered-suit's People

Contributors

jakewarren, mehaase, tleef42


attack-powered-suit's Issues

Removed Bookmarks are still exported to layer

I used to have a bookmark for T1547.001 and T1012 on this list, but I clicked the green bookmark next to them to remove them.

[screenshot]

Now T1547.001 and T1012 are not on the list but when I export, they are still in my layer.

[screenshot]

Unable to scroll results window intermittently

Describe the bug

Intermittently I am unable to scroll the results window when multiple results are returned for a particular search. Unfortunately I am not able to figure out what is causing it, not getting any error messages in the extension devtools console either. Sometimes I am able to scroll through the results as expected and sometimes it doesn't allow scrolling. Using the devtools I can see the results in the DOM so I do not believe it is an issue with the search results.

To Reproduce

Note: due to the random nature of the issue it may take multiple attempts to replicate.

  1. Open the extension pop-up
  2. Enter a search term such as denial or tunnel that is expected to have many results
  3. Attempt to scroll through the search results

Platform:

  • OS: MacOS
  • Browser: Google Chrome
  • Browser Version: 103.0.5060.53
  • Extension Version: 1.0.1

If you want to express positive or negative feedback on a bug report, please leave a Thumbs Up or Thumbs Down so that we can keep track of demand. Please do not reply just to say +1 or -1. Thanks!

some matrix values are incorrect or incomplete

Describe the bug
I discovered a limitation in the implementation of #20, for some items the matrix value in the external_references field of the STIX data is incorrect (or I am misunderstanding its intended use). For example T1521.002 belongs to the Mobile matrix but the reference's source_name is "mitre-attack" (Enterprise) instead of "mitre-mobile-attack" (Mobile).

"external_references": [
  {
    "source_name": "mitre-attack",
    "external_id": "T1521.002",
    "url": "https://attack.mitre.org/techniques/T1521/002"
  }
],

So I then switched the code to utilize the x_mitre_domains value which seems to be accurate as far as I can tell. But that introduces another issue because some items like G0088 have multiple matrices assigned to them which impacts both display and filtering functionality.

"x_mitre_domains": [
  "enterprise-attack",
  "ics-attack"
],

List of items with multiple matrices assigned:
Reading data/enterprise-attack.json… warning: object M1013 has more than one matrix listed in 'x_mitre_domains'
warning: object S0182 has more than one matrix listed in 'x_mitre_domains'
done
Reading data/ics-attack.json… warning: object G0035 has more than one matrix listed in 'x_mitre_domains'
warning: object G0034 has more than one matrix listed in 'x_mitre_domains'
warning: object G0049 has more than one matrix listed in 'x_mitre_domains'
warning: object G0074 has more than one matrix listed in 'x_mitre_domains'
warning: object G0088 has more than one matrix listed in 'x_mitre_domains'
warning: object G0032 has more than one matrix listed in 'x_mitre_domains'
warning: object G0064 has more than one matrix listed in 'x_mitre_domains'
warning: object S0605 has more than one matrix listed in 'x_mitre_domains'
warning: object S0093 has more than one matrix listed in 'x_mitre_domains'
warning: object S0603 has more than one matrix listed in 'x_mitre_domains'
warning: object S0606 has more than one matrix listed in 'x_mitre_domains'
warning: object S0089 has more than one matrix listed in 'x_mitre_domains'
warning: object S0368 has more than one matrix listed in 'x_mitre_domains'
warning: object S0608 has more than one matrix listed in 'x_mitre_domains'
warning: object S0372 has more than one matrix listed in 'x_mitre_domains'
warning: object S0038 has more than one matrix listed in 'x_mitre_domains'
warning: object S0366 has more than one matrix listed in 'x_mitre_domains'
warning: object S0446 has more than one matrix listed in 'x_mitre_domains'
warning: object S0496 has more than one matrix listed in 'x_mitre_domains'
warning: object S0607 has more than one matrix listed in 'x_mitre_domains'
warning: object S0604 has more than one matrix listed in 'x_mitre_domains'
warning: object S0143 has more than one matrix listed in 'x_mitre_domains'
warning: object DS0002 has more than one matrix listed in 'x_mitre_domains'
warning: object DS0024 has more than one matrix listed in 'x_mitre_domains'
warning: object DS0012 has more than one matrix listed in 'x_mitre_domains'
warning: object DS0015 has more than one matrix listed in 'x_mitre_domains'
warning: object DS0028 has more than one matrix listed in 'x_mitre_domains'
warning: object DS0022 has more than one matrix listed in 'x_mitre_domains'
warning: object DS0016 has more than one matrix listed in 'x_mitre_domains'
warning: object DS0017 has more than one matrix listed in 'x_mitre_domains'
warning: object DS0033 has more than one matrix listed in 'x_mitre_domains'
warning: object DS0029 has more than one matrix listed in 'x_mitre_domains'
warning: object DS0003 has more than one matrix listed in 'x_mitre_domains'
warning: object DS0001 has more than one matrix listed in 'x_mitre_domains'
warning: object DS0019 has more than one matrix listed in 'x_mitre_domains'
warning: object DS0009 has more than one matrix listed in 'x_mitre_domains'
warning: object DS0011 has more than one matrix listed in 'x_mitre_domains'
warning: object M1013 has more than one matrix listed in 'x_mitre_domains'
done
Reading data/mobile-attack.json… warning: object M1013 has more than one matrix listed in 'x_mitre_domains'
warning: object S0182 has more than one matrix listed in 'x_mitre_domains'

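The two data sources contrasted in this report, as an added example that is not the project's own code: a resolver that prefers `x_mitre_domains` and only falls back to the ATT&CK `external_references` entry, plus a bundle walk that emits the same multi-matrix warnings as the build-script output quoted above. The `source_name` to domain mapping is an assumption ("mitre-attack" and "mitre-mobile-attack" appear in the issue, "mitre-ics-attack" is assumed by analogy), and the sample bundle is constructed.

```javascript
// Added example (not project code): decide which ATT&CK matrix (domain) a STIX
// object belongs to. `x_mitre_domains` is preferred; the `source_name` of the
// ATT&CK external reference is only a fallback, because the issue above shows it
// can be wrong (T1521.002 carries "mitre-attack" although it is a Mobile technique).

// Assumed mapping from external_references source_name to domain identifier.
// "mitre-attack" and "mitre-mobile-attack" appear in the issue; "mitre-ics-attack"
// is assumed by analogy with the other two.
const SOURCE_TO_DOMAIN = {
  "mitre-attack": "enterprise-attack",
  "mitre-mobile-attack": "mobile-attack",
  "mitre-ics-attack": "ics-attack",
};

// The ATT&CK reference is the external reference whose source_name is an ATT&CK source.
function attackReference(obj) {
  return (obj.external_references || []).find(
    (ref) => Object.prototype.hasOwnProperty.call(SOURCE_TO_DOMAIN, ref.source_name)
  );
}

// Returns { domains, source }; `source` records which field the answer came from.
function resolveDomains(obj) {
  if (Array.isArray(obj.x_mitre_domains) && obj.x_mitre_domains.length > 0) {
    return { domains: [...new Set(obj.x_mitre_domains)], source: "x_mitre_domains" };
  }
  const ref = attackReference(obj);
  if (ref) {
    return { domains: [SOURCE_TO_DOMAIN[ref.source_name]], source: "external_references" };
  }
  return { domains: [], source: "none" };
}

// Walk a bundle and report objects that sit in more than one matrix, using the
// same wording as the build-script warnings quoted in the issue.
function multiDomainWarnings(bundle) {
  const warnings = [];
  for (const obj of bundle.objects) {
    const { domains } = resolveDomains(obj);
    if (domains.length > 1) {
      const ref = attackReference(obj);
      const id = ref ? ref.external_id : obj.id;
      warnings.push(`warning: object ${id} has more than one matrix listed in 'x_mitre_domains'`);
    }
  }
  return warnings;
}

// Constructed sample bundle carrying only the fields this example reads.
const SAMPLE_BUNDLE = {
  type: "bundle",
  objects: [
    {
      // external_references copied from the issue; x_mitre_domains is constructed
      type: "attack-pattern",
      external_references: [{
        source_name: "mitre-attack",
        external_id: "T1521.002",
        url: "https://attack.mitre.org/techniques/T1521/002",
      }],
      x_mitre_domains: ["mobile-attack"],
    },
    {
      // G0088 with the two-domain x_mitre_domains quoted in the issue; reference constructed
      type: "intrusion-set",
      external_references: [{ source_name: "mitre-attack", external_id: "G0088" }],
      x_mitre_domains: ["enterprise-attack", "ics-attack"],
    },
    {
      // constructed object with no x_mitre_domains, so the reference fallback is used
      type: "attack-pattern",
      id: "attack-pattern--constructed-sample",
      external_references: [{ source_name: "mitre-mobile-attack", external_id: "TSAMPLE" }],
    },
  ],
};

console.log(resolveDomains(SAMPLE_BUNDLE.objects[0]));
console.log(multiDomainWarnings(SAMPLE_BUNDLE));
```

Returning the `source` alongside the domains lets a display layer flag objects whose matrix was inferred from the reference rather than stated, which is the class of object the report found mislabeled.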

Please, do releases for Firefox

What capability are you seeking? What do you want to be able to do?
Use this extension in Firefox browser

Do you have any ideas about how the feature would work?
No

Show "Open in new tab" in context menu

Describe the bug

Right now the "Open in new tab" context menu item only appears when you have text selected. It should appear even when no text is selected.

To Reproduce

  1. Right click on a page that doesn't have any text selected.
  2. You won't see a Powered Suit menu item
  3. Select some text and right click again.
  4. You see a Powered Suit menu item, and one of the subitems is "Open in new tab"

Platform:

  • OS: Any
  • Browser: Chrome
  • Browser Version: 102


Use a better text search library

In the 1.0.1 release we are using fuse.js, which uses a "fuzzy search" that leads to undesired results in some cases:

screenshot of undesired search results

In this screenshot, a search for "evasion" also matches the "avoi" in "avoid" and the "enses" in "defenses". This is not useful.

A few requirements for a replacement library:

  • Inverse index for text search
  • Tokenization and stemming
  • Serialize / unserialize index
  • Highlighting
  • Multi-field index (ID, name, and description)
  • Boosting ID and name
  • Simple query syntax for end users

Nice to have:

  • Spell correction / did you mean?
  • Synonyms / semantic search

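The requirements listed above, as an added example that is not the project's code and not fuse.js: a minimal inverted index with tokenization, a toy stemmer, a multi-field index with boosted ID and name, AND-style query scoring, whole-word highlighting and JSON serialization. Because it matches whole tokens, a query for "evasion" cannot pick up "avoid" or "defenses" the way the fuzzy substring match in the screenshot does. The field weights, the toy stemmer and the sample entries are all assumptions made for this example.

```javascript
// Added example (not project code): a minimal inverted index over ATT&CK-style
// entries with tokenization, a toy stemmer, field boosting, AND-query scoring,
// whole-word highlighting and JSON (un)serialization.

// Field weights are assumed: an ID hit outranks a name hit, which outranks a description hit.
const FIELD_BOOST = { id: 10, name: 5, description: 1 };

// Toy suffix stripper standing in for a real stemmer (e.g. Porter).
function stem(token) {
  if (token.length > 4 && token.endsWith("ies")) return token.slice(0, -3) + "y";
  if (token.length > 5 && token.endsWith("ing")) return token.slice(0, -3);
  if (token.length > 3 && token.endsWith("s") && !token.endsWith("ss")) return token.slice(0, -1);
  return token;
}

// Words are runs of letters/digits, optionally joined by dots so IDs like T1566.001 stay whole.
const WORD_RE = /[a-z0-9]+(?:\.[a-z0-9]+)*/gi;

function tokenize(text) {
  return (String(text).toLowerCase().match(WORD_RE) || []).map(stem);
}

// postings[term][docIndex] = accumulated boosted hit count; plain objects so it round-trips through JSON.
function buildIndex(docs) {
  const postings = {};
  docs.forEach((doc, i) => {
    for (const [field, boost] of Object.entries(FIELD_BOOST)) {
      for (const term of tokenize(doc[field] || "")) {
        const p = postings[term] || (postings[term] = {});
        p[i] = (p[i] || 0) + boost;
      }
    }
  });
  return { docs, postings };
}

function serializeIndex(index) { return JSON.stringify(index); }
function unserializeIndex(json) { return JSON.parse(json); }

// Wrap whole words whose stem equals a query term; a partial match such as "avoi" in "avoid" never fires.
function highlight(text, terms) {
  const wanted = new Set(terms);
  return String(text).replace(WORD_RE, (w) => (wanted.has(stem(w.toLowerCase())) ? `<mark>${w}</mark>` : w));
}

// Every query term must be present (AND); score is the sum of boosted hits, ties broken by index order.
function search(index, query) {
  const terms = tokenize(query);
  if (terms.length === 0) return [];
  const scores = { ...(index.postings[terms[0]] || {}) };
  for (const term of terms.slice(1)) {
    const p = index.postings[term] || {};
    for (const i of Object.keys(scores)) {
      if (p[i] === undefined) delete scores[i];
      else scores[i] += p[i];
    }
  }
  return Object.entries(scores)
    .sort((a, b) => b[1] - a[1] || Number(a[0]) - Number(b[0]))
    .map(([i, score]) => ({ doc: index.docs[i], score, name: highlight(index.docs[i].name, terms) }));
}

// Constructed sample entries (not real ATT&CK text).
const SAMPLE_DOCS = [
  { id: "T0001-sample", name: "Sample Evasion Technique", description: "Adversaries may avoid defenses with this sample technique." },
  { id: "T0002-sample", name: "Sample Avoidance Behaviour", description: "Bypasses defenses to avoid detection." },
  { id: "G0001-sample", name: "Sample Group", description: "Uses defense evasion techniques." },
];
const SAMPLE_INDEX = buildIndex(SAMPLE_DOCS);

console.log(search(SAMPLE_INDEX, "evasion").map((r) => [r.doc.id, r.score, r.name]));
```

The "did you mean" and synonym items on the nice-to-have list would sit on top of this structure as a query rewrite step (expanding or correcting terms before `search` runs), which is why keeping the postings keyed by stemmed term is useful: a synonym table only has to map stems to stems.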

Update to ATT&CK v12

What capability are you seeking? What do you want to be able to do?

ATT&CK v12 is set to launch on Oct 25. We would like to consume their update and make it available in APS soon after that.

Do you have any ideas about how the feature would work?

Two important changes:

  1. Point the build scripts at the v12 STIX bundles and run them to make sure they aren't broken by any of the changes in v12.
  2. Handle the new Campaign objects for index and query capability. The v12 STIX bundle will use native STIX Campaign objects. The MITRE CTI guidance has been updated to include campaigns already.


Missing Software From Search results

When searching for software using the extension some software doesn't show up. A couple of examples I tested so far are

  • mimikatz
  • nltest
  • Out1
  • Ping

Also, some software does not show up until you type more than the initial letters; for example, "PJApps" doesn't show up until we add a third letter.

Uncheck All/Check All Button for ATT&CK Power Suit Page

I would like to see "Uncheck All" and "Check All" Buttons (or toggle switch) for ATT&CK Power Suit Page.
It will unselect or select all the types of objects (except Deprecated) to include in search results.
I realized it would be a nice-to-have feature when I tried to select only Techniques.

Handle deprecated objects correctly

Powered Suit does not label deprecated objects correctly with ATT&CK v11 data.


Cursor placement in input box

What capability are you seeking? What do you want to be able to do?

When opening the extension, it requires a second manual click into the search box before you can begin typing. Being able to type without the second manual click would be great QOL

Are there any existing features that come close to doing what you need? Explain why those features aren't quite right.

No. Current implementation requires a second manual entry before beginning search operations.

Do you have any ideas about how the feature would work?

When opening the Chrome extension from the menu bar, the user would be able to immediately type without first manually clicking on the search bar.


Make an extension for Safari

What capability are you seeking? What do you want to be able to do?

Run ATT&CK Powered Suit in the Apple Safari browser.


Make an extension for MS Edge

What capability are you seeking? What do you want to be able to do?

Run ATT&CK Powered Suit in the MS Edge browser.


Initial code review

The initial development for this was all done directly on the main branch, so it did not go through PRs. Nick Schwane reviewed the code on the main branch and had the following feedback:

  1. Put extension description into github and README
  2. "TODO" under Getting Started in README
  3. Unable to run fetch-attack due to certificate error
     • Tried to disable npm strict-ssl and use MITRE's cert chain
  4. Consistency:
     • Ending statements with a semi-colon
     • UPPERCASE vs camelCase for constants
  5. Code duplication:
     • Loading & saving code for formats & bookmarks is practically identical. Should be refactored.
  6. Once-used variables
     • Examples:
       • formats.js:19
       • search.js:73-75
  7. SearchResults.svelte
     • "text/plain" used 3 times. put into constant.
  8. bookmarks.js:90-91: variable names shadow top-level variable names

Opening this issue to address this feedback.

Search filtering restricts results too much

Describe the bug

When doing a search for different objects in the ATT&CK extension, the filter requires all of an object's types to be active before that object appears in the results.
For instance, if we search "Panda" with the "Enterprise" and "Group" filters on, we can see various groups in the results.
[screenshot]

But if either one of those filters is switched off, we do not get any results, even though the objects clearly have both tags.
[screenshot]
[screenshot]

Another example of this behaviour would be when searching for "phishing". A lot of results have the "Enterprise" and "Techniques" type assigned to them. If either "enterprise" or "techniques" are turned off in the filters, there will be no results shown.

If this is expected behaviour, implementing the option to have a less restrictive filter might be a good idea.


To Reproduce

Provide detailed steps to reproduce this outcome.

  1. Select type of objects you want to filter in extension
  2. If a result has other types assigned to it (besides the selected ones), they will not show up.

Platform:

  • OS: Windows
  • Browser: Firefox
  • Browser Version: 111.0.1 (64-bit)

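The three filter semantics this report touches on, as an added example that is not the project's code: the restrictive rule described above (every tag on an object must be an active filter), the "less restrictive" alternative the reporter asks about (any active tag is enough), and a per-dimension rule (object type must be checked and at least one of its matrices must be checked), which is the generalization most search UIs implement. The result shape, the filter representation and the sample results are assumptions made for this example.

```javascript
// Added example (not project code): how object-type and matrix filters can be
// combined over search results. Each result carries one type and one or more
// matrices (domains); a filter state is a Set of active tag names.

// Constructed sample results (not real ATT&CK entries).
const SAMPLE_RESULTS = [
  { id: "G0001-sample", name: "Sample Panda Group", type: "group", domains: ["enterprise-attack"] },
  { id: "G0002-sample", name: "Sample ICS Panda Group", type: "group", domains: ["enterprise-attack", "ics-attack"] },
  { id: "T0001-sample", name: "Sample Phishing Technique", type: "technique", domains: ["enterprise-attack"] },
];

function tagsOf(obj) {
  return [obj.type, ...obj.domains];
}

// Rule 1 (the behaviour reported above): every tag on the object must be active.
// An object in two matrices disappears as soon as either matrix is unchecked.
function matchesAllTags(obj, active) {
  return tagsOf(obj).every((t) => active.has(t));
}

// Rule 2 (the "less restrictive" option): one active tag is enough.
// Side effect: unchecking "technique" does not hide techniques that share an active matrix.
function matchesAnyTag(obj, active) {
  return tagsOf(obj).some((t) => active.has(t));
}

// Rule 3 (per dimension): the type must be active AND at least one matrix must be active.
function matchesPerDimension(obj, active) {
  return active.has(obj.type) && obj.domains.some((d) => active.has(d));
}

// Returns the ids that survive a given rule, in their original order.
function filterResults(results, active, rule) {
  return results.filter((obj) => rule(obj, active)).map((obj) => obj.id);
}

// Usage: reproduce the report's scenario with Group checked and ICS unchecked.
const ACTIVE = new Set(["group", "enterprise-attack"]);
console.log("all tags:      ", filterResults(SAMPLE_RESULTS, ACTIVE, matchesAllTags));
console.log("any tag:       ", filterResults(SAMPLE_RESULTS, ACTIVE, matchesAnyTag));
console.log("per dimension: ", filterResults(SAMPLE_RESULTS, ACTIVE, matchesPerDimension));
```

With Group and Enterprise checked and ICS unchecked, rule 1 drops the group that is also in ICS, rule 2 lets the phishing technique through because it shares the Enterprise tag, and rule 3 keeps both groups and nothing else, which is the behaviour the reporter appears to expect.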

Exporting bookmarks doesn't work in Safari

Describe the bug

If you try to export bookmarks in the Safari extension, you'll get the following error:

Screen Shot 2023-03-07 at 9 49 31 AM

This is a known bug in Safari with no published workaround. There's no feature detection that can be done, and user agent sniffing is too unreliable, so I'm leaving this as is for now.


suit vs suite?

Shouldn't it be suite? I know, probably not, but I'm just trying to understand why it is "suit" - something you wear?

Display Matrix in Search Results

What capability are you seeking? What do you want to be able to do?

It would be helpful to visually depict what Matrix (Enterprise, ICS, Mobile) a result belongs to so the user can quickly identify the item they need. In the screenshot below, a search for supply chain compromise results in the technique from all three matrices being displayed. Say for example you needed the technique for Enterprise, you would have to click around to find the correct one.

ATT CK 2022-07-06 08-45-20

Are there any existing features that come close to doing what you need? Explain why those features aren't quite right.

I am not aware of any existing features that either display the corresponding matrix or filter search results to a particular matrix.

Do you have any ideas about how the feature would work?

My suggestion for a relatively quick and easy implementation would be to display a "chip" element similar to the existing purple chip element that displays the type of the result (technique, group, software, etc.)

Mockup:
Matrix Type Mockup

Another option that probably belongs in a separate feature request would be to allow the user to include/exclude matrices from the results. So for example a user who works in the critical infrastructure industry could exclude Mobile and Enterprise only leaving the ICS matrix. Albeit that suggestion solves a different use case while inefficiently solving this one 🙂


The "copied" text doesn't disappear

To Reproduce

Provide detailed steps to reproduce this outcome.

  1. Run any search that has results.
  2. Click one of the copy links.
  3. It will say "copied"
  4. Wait a few seconds. It should go back to its original state, but it is stuck on "copied" until you click another copy link.

Screenshot 2023-06-22 at 10 48 45 AM

Platform:

Chrome MacOS


Expose technique when displaying subtechniques

What capability are you seeking? What do you want to be able to do?

When searching for specific subtechniques, there are some that have "name collisions" in the search results. One example is Spearphishing Attachment: in the current output it is difficult to determine which technique the entry belongs to (could be Phishing [T1566] or Phishing for Information [T1598]) if you do not have the technique IDs memorized.

It would be helpful if the parent technique could be displayed for subtechniques to make it easier to resolve these, perhaps controlled by a setting to allow users to control the output. A non-exhaustive list of other examples is Spearphishing Link, Web Services, Social Media Accounts, Server.

Screenshot:
2023-06-01 10-39-25

Are there any existing features that come close to doing what you need? Explain why those features aren't quite right.
No existing features to my knowledge.

Do you have any ideas about how the feature would work?
For subtechniques, the technique could be displayed alongside subtechnique name.

I am not sure the best way to approach the format specification but it would also be amazing to have the ability to include the parent technique when copying the output. Many people in the community will represent a subtechnique such as T1204.002 along the lines of T1204.002 - User Execution: Malicious File

Mockup Screenshot:
2023-06-01 12-54-34

