Unprotect.it support

tkisason · Mar 30, 2023 · c09cf4a · c09cf4a
1 parent 5938162
commit c09cf4a
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/commands/attackmatrix/command.py b/commands/attackmatrix/command.py
@@ -28,11 +28,11 @@
 
 def process(command, channel, username, params):
     messages = []
-    querytypes = ('search', 'mitre', 'actoroverlap', 'ttpoverlap', 'findactor')
+    querytypes = ('search', 'mitre', 'actoroverlap', 'ttpoverlap', 'findactor', 'matrices', 'config')
     querytype = params[0].strip()
     stripchars = '`\n\r\'\"'
     regex = re.compile('[%s]' % stripchars)
-    categories = ('Actors', 'Techniques', 'Malwares', 'Tools', 'Mitigations', 'Tactics', 'Data Sources', 'Case Studies', 'Campaigns', 'Matrices')
+    categories = ('Actors', 'Techniques', 'Malwares', 'Tools', 'Mitigations', 'Tactics', 'Data Sources', 'Case Studies', 'Campaigns', 'Detection Rules', 'Code Snippets', 'Matrices')
     tableheaders = collections.OrderedDict({
         'type': 'Type',
         'name': 'Name',
@@ -43,12 +43,27 @@ def process(command, channel, username, params):
     else:
         try:
             keywords = params[1:]
-            if len(' '.join(keywords))<4:
+            if len(' '.join(keywords))<4 and not querytype in ('matrices', 'config'):
                 messages.append({'text': 'Please specify at least one reasonably-sized keyword to query the AttackMatrix `'+querytype+'`.'})
             else:
                 headers={
                     'Content-Type': settings.CONTENTTYPE,
                 }
+                if querytype in ('matrices', 'config'):
+                    APIENDPOINT = settings.APIURL['attackmatrix']['url']+'/explore/'
+                    with requests.get(APIENDPOINT, headers=headers) as response:
+                        json_response = response.json()
+                        if len(json_response):
+                            table = 'ATT&CK Matrix API endpoint currently has ' + str(len(json_response['Metadata']['matrices'])) + ' databases loaded:'
+                            table += '\n\n'
+                            table += '| **Matrix Name** | **Description** |\n'
+                            table += '|:- |:- |\n'
+                            for matrix in json_response['Metadata']['matrices']:
+                                name = json_response['Metadata']['matrices'][matrix]['Metadata']['name'][0]
+                                description = json_response['Metadata']['matrices'][matrix]['Metadata']['description'][0]
+                                table += '| '+name+' | '+description+' |\n'
+                            table += '\n\n'
+                            messages.append({'text': table})
                 if querytype == 'search':
                     searchterms = '&params='.join([urllib.parse.quote(_) for _ in keywords])
                     APIENDPOINT = settings.APIURL['attackmatrix']['url']+'/search?params='+searchterms

diff --git a/commands/attackmatrix/defaults.py b/commands/attackmatrix/defaults.py
@@ -47,4 +47,14 @@
         'the resulting list of matching actors with the matching certainty. Particularly useful with the '
         'lists of MITRE IDs, such as the `easy pivoting` one from the VirusTotal module output.',
     },
+    'matrices': {
+        'args': None,
+        'desc': 'Display all ATT&CK Matrices and other databases that have been loaded into the '
+                'configured AttackMatrix API endpoint: ' + APIURL['attackmatrix']['url'] + '.',
+    },
+    'config': {
+        'args': None,
+        'desc': 'Display all ATT&CK Matrices and other databases that have been loaded into the '
+                'configured AttackMatrix API endpoint: ' + APIURL['attackmatrix']['url'] + '.',
+    },
 }