Skip to content

DeTT&CT tools

Jump to bottom
ruben edited this page Nov 16, 2022 · 3 revisions

DeTT&CT tools consist of the CLI and the Editor.

Third party tools:

CLI

Besides a few optional arguments, DeTT&CT has five modes which are described in the help text below. Please note that each mode has a dedicated help function. For example, you can show the help function for group using the following command: python dettect.py group -h. You can find an overview of all help texts here.

usage: dettect.py [-h] [--version]  ...

Detect Tactics, Techniques & Combat Threats

options:
  -h, --help       show this help message and exit
  --version        show program's version number and exit

MODE:
  Select the mode to use. Every mode has its own arguments and help info
  displayed using: {editor, datasource, visibility, detection, group,
  generic} --help


    editor (e)     DeTT&CT Editor
    datasource (ds)
                   data source mapping and quality
    visibility (v)
                   visibility coverage mapping based on techniques and data
                   sources
    detection (d)  detection coverage mapping based on techniques
    group (g)      threat actor group mapping
    generic (ge)   includes: statistics on ATT&CK data source and updates on
                   techniques, groups and software

Source: https://github.com/rabobank-cdc/DeTTECT

DeTT&CT Editor

The data source, technique and group YAML files can be edited using the DeTT&CT Editor, or your favourite text editor. The DeTT&CT Editor is entirely client-side. Therefore, the content of your YAML file is not sent to a server.

You can find more information on the Editor here.

Third party tool: Dettectinator

Dettectinator - The Python library to your DeTT&CT YAML files.

Dettectinator is built to be included in your SOC automation tooling. It can be included as a Python library or it can be used via the command line.

Dettectinator provides plugins to read detections from your SIEM or EDR and create/update the DeTT&CT YAML file, so that you can use it to visualize your ATT&CK detection coverage in the ATT&CK Navigator.

More information can be found on Github: Dettectinator.

Overview

  1. Home
  2. Introduction
  3. Installation and requirements
  4. Getting started / How to
  5. Changelog
  6. Future developments
  7. ICS - Inconsistencies

Data sources

  1. Introduction
  2. DeTT&CT data sources
  3. Data sources per platform
  4. Data quality
  5. Scoring data quality
  6. Improvement graph

Visibility Coverage

  1. Introduction
  2. Scoring visibility
  3. Improvement graph

Detection coverage

  1. Introduction
  2. Scoring detection
  3. Improvement graph

Threat actor group mapping

  1. Introduction

YAML administration files

  1. Introduction
  2. Data sources
  3. Techniques
  4. Groups
  5. DeTT&CT Editor
Clone this wiki locally