WhoIsWhoAPT is a tool that helps malware analysts, threat hunters and researchers relate the different APT groups (Advanced Persistent Threats) to each other based on the tactics, techniques and procedures (TTPs) that MITRE ATT&CK® (https://attack.mitre.org/) assigns to each group, producing a relationship index between them. The tool also lets you compare your own TTP sets with the APTs defined in MITRE and obtain their degree of similarity.
Finally, from a single APT you can generate a layer containing its TTPs, and from two APTs you can generate a layer that distinguishes the TTPs unique to each group from those they have in common. These layers are meant to be loaded into the MITRE ATT&CK® Navigator (https://mitre-attack.github.io/attack-navigator/), which makes them easier to read, analyse and modify.
I hope you find the tool useful. If you want to report a bug, suggest a new feature or ask a question, do not hesitate to contact me on LinkedIn.
- Install Python 3 (and create a virtual environment*):

  ```shell
  python3.9 -m venv env
  source env/bin/activate
  ```
- Download the project:

  ```shell
  git clone https://github.com/JavierMun/WhoIsWhoAPT
  ```
  or download it directly from GitHub*.
- Install the Python packages:

  ```shell
  python -m pip install -r WhoIsWhoAPT/requirements.txt
  ```
- Run `WhoIsWhoAPT.py`.
\* Note 1: Creating a virtual environment is recommended, although it is not required to run the tool.
\* Note 2: Although it is not required, I recommend downloading the `resources` folder and its contents together with the tool. This saves the tool from having to download the latest version of MITRE ATT&CK® and build the APT database on its first run, which can take several minutes.
You can add custom layers to the APT database: create the layer JSON with your custom TTPs in MITRE ATT&CK® Navigator and place it in the `resources` folder, for example:
1. Name your group of TTPs as you wish; this is the name it will have in the tool.
2. Add the generated `.json` file to the `resources` folder.
3. You can now work with your custom "APT".
| Command | Parameters | Command Details |
|---|---|---|
| `-c`, `--compare` | `<APT Name>` | Compare an APT with all the other APTs. |
| `-v`, `--versus` | `<APT1 Name> <APT2 Name>` | Compare two APTs and extract the comparison matrix. Default layer colours: APT1 -> Green, APT2 -> Blue, Matching TTP -> Purple. |
| `-l`, `--layer` | `<APT Name>` | Create a layer with the selected APT's TTPs. Default colour: Green. |
| `-col`, `--colours` | `<APT1 Colour> <APT2 Colour> <Match Colour>` | Choose the colours used to represent the data in the layer. Each must be a colour hex code. |
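The following is an added example, not the project's own code, showing the logic the README describes: reading a custom Navigator layer from the `resources` folder as a TTP set, ranking every other group by a relationship index (the `-c` mode), and emitting a Navigator layer for one group (`-l`) or for two groups with their unique and shared TTPs coloured differently (`-v` with `-col`). The page does not state how the relationship index is computed, so Jaccard similarity is an assumption here; the hex values for green, blue and purple, the `versions` block and all the group TTP sets are constructed sample data, not MITRE's real assignments for any APT.

```python
"""Added example: TTP-set comparison and ATT&CK Navigator layer generation.

Not WhoIsWhoAPT's own code. Assumptions: Jaccard similarity as the
relationship index; Navigator layer fields name/versions/domain/techniques/
legendItems; sample TTP sets are constructed and not real MITRE data.
"""
import json
import re

# Constructed sample TTP sets keyed by group name (NOT real MITRE assignments).
SAMPLE_APTS = {
    "Group A": {"T1059.001", "T1566.001", "T1486", "T1021.002", "T1047"},
    "Group B": {"T1059.001", "T1566.001", "T1486", "T1078", "T1003.001"},
    "Group C": {"T1190", "T1505.003", "T1003.001", "T1078"},
}

# A constructed custom layer, as a user would export it from Navigator and drop
# into the resources folder; its "name" becomes the group name in the tool.
CUSTOM_LAYER_JSON = json.dumps({
    "name": "My TTPs",
    "domain": "enterprise-attack",
    "techniques": [{"techniqueID": "T1486"}, {"techniqueID": "T1078"}, {"techniqueID": "T1190"}],
})

# Green, blue, purple: the README's default colour names; exact hex values assumed.
DEFAULT_COLOURS = ("#00ff00", "#0000ff", "#800080")
HEX_COLOUR = re.compile(r"#[0-9a-fA-F]{6}")


def ttps_from_layer(layer):
    """Return the set of technique IDs referenced by a Navigator layer dict."""
    return {t["techniqueID"] for t in layer.get("techniques", []) if t.get("techniqueID")}


def relationship_index(a, b):
    """Assumed metric: Jaccard similarity |A & B| / |A | B|, in 0.0..1.0."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def compare_with_all(name, apts):
    """-c style: rank every other group by its index against `name` (ties by name)."""
    target = apts[name]
    ranked = [(other, relationship_index(target, ttps))
              for other, ttps in apts.items() if other != name]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def build_layer(name1, ttps1, name2=None, ttps2=None, colours=DEFAULT_COLOURS):
    """-l / -v style: build a Navigator layer dict.

    One group: all its TTPs in colours[0]. Two groups: TTPs only in group 1 in
    colours[0], only in group 2 in colours[1], shared TTPs in colours[2].
    Colours are validated as the README requires (hex codes only).
    """
    for colour in colours:
        if not HEX_COLOUR.fullmatch(colour):
            raise ValueError(f"not a colour hex code: {colour!r}")
    c1, c2, c_match = colours

    def entries(ids, colour, comment):
        return [{"techniqueID": tid, "color": colour, "comment": comment, "enabled": True}
                for tid in sorted(ids)]

    legend = [{"label": name1, "color": c1}]
    if ttps2 is None:
        techniques = entries(ttps1, c1, name1)
        title = name1
    else:
        techniques = (entries(ttps1 - ttps2, c1, name1)
                      + entries(ttps2 - ttps1, c2, name2)
                      + entries(ttps1 & ttps2, c_match, f"{name1} & {name2}"))
        legend += [{"label": name2, "color": c2}, {"label": "Matching TTP", "color": c_match}]
        title = f"{name1} vs {name2} (index {relationship_index(ttps1, ttps2):.3f})"
    return {
        "name": title,
        # Version strings are assumed; set them to match your Navigator/ATT&CK release.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": techniques,
        "legendItems": legend,
    }


if __name__ == "__main__":
    apts = dict(SAMPLE_APTS)
    custom = json.loads(CUSTOM_LAYER_JSON)
    apts[custom["name"]] = ttps_from_layer(custom)  # custom "APT" joins the database
    for other, index in compare_with_all("Group A", apts):
        print(f"Group A vs {other}: {index:.3f}")
    layer = build_layer("Group A", apts["Group A"], "Group B", apts["Group B"])
    print(json.dumps(layer, indent=2))  # paste into Navigator's "Open Existing Layer"
```

Run it as a script to see the ranking and the two-group layer; the printed JSON can be opened directly in the Navigator. Shared techniques are emitted once, in the match colour, so the layer never carries two entries for the same technique ID.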
- Comparing the APT "Wizard Spider" with all other APTs: `python WhoIsWhoAPT.py -c "Wizard Spider"`
- Obtaining the comparison layer between two APTs ("Wizard Spider" and "FIN8"): `python WhoIsWhoAPT.py -v "Wizard Spider" "FIN8"`
- Obtaining the comparison layer between two APTs ("Wizard Spider" and "FIN8") with modified colours: `python WhoIsWhoAPT.py -v "Wizard Spider" "FIN8" -col <APT1 Colour> <APT2 Colour> <Match Colour>`
- Obtaining the layer of the APT "Wizard Spider": `python WhoIsWhoAPT.py -l "Wizard Spider"`
- Obtaining the layer of the APT "Wizard Spider" with a modified colour: `python WhoIsWhoAPT.py -l "Wizard Spider" -col <APT1 Colour> <APT2 Colour> <Match Colour>`