Awesome Mitre ATT&CK™ Framework

A curated list of awesome resources related to Mitre ATT&CK™ Framework

Red and Purple Team

Cobalt Strike - Software for Adversary Simulations and Red Team Operations
PoshC2 - PoshC2 is a proxy aware C2 framework that utilises Powershell and/or equivalent (System.Management.Automation.dll) to aid penetration testers with red teaming, post-exploitation and lateral movement.
Empire - Post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent.
PowerSploit - Collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
Invoke-PSImage - Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image.

RE:TERNAL - RE:TERNAL is a centralised purple team simulation platform. Reternal uses agents installed on a simulation network to execute various known red-teaming techniques in order to test blue-teaming capabilities.
Purple Team ATT&CK Automation - Praetorian's public release of our Metasploit automation of MITRE ATT&CK™ TTPs
VECTR - VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios
Mordor - The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption.

MITRE CALDERA - CALDERA is an automated adversary emulation system, built on the MITRE ATT&CK™ framework.
Atomic Red Team - Small and highly portable detection tests based on MITRE's ATT&CK.
Metta - An information security preparedness tool to do adversarial simulation.
Red Team Automation (RTA) - RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.

osquery-attck - Mapping the MITRE ATT&CK Matrix with Osquery
ATTACKdatamap - A datasource assessment on an event level to show potential coverage or the MITRE ATT&CK framework
Splunk Mitre ATT&CK App - A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
auditd-attack - A Linux Auditd rule set mapped to MITRE's Attack Framework
DeTTACT - DeTT&CT aims to assist blue teams using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours.
HELK - A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.
Sigma - Generic Signature Format for SIEM Systems
atomic-threat-coverage - Automatically generated actionable analytics designed to combat threats based on MITRE's ATT&CK.
CyberMenace - A one stop shop hunting app in Splunk that can ingest Zeek, Suricata, Sysmon, and Windows event data to find malicious indicators of compromise relating to the MITRE ATT&CK Matrix.
Wayfinder - Artificial Intelligence Agent to extract threat intelligence TTPs from feeds of malicious and benign event sources and automate threat hunting activities.
pyattck - A python package to interact with the Mitre ATT&CK Framework. You can find documentation here

cti - Cyber Threat Intelligence Repository expressed in STIX 2.0
TALR - A public repository for the collection and sharing of detection rules in STIX format.

To the extent possible under law, Rahmat Nurfauzi "@infosecn1nja" has waived all copyright and related or neighboring rights to this work.