{"id":13618707,"url":"https://github.com/rabobank-cdc/DeTTECT","last_synced_at":"2025-04-14T13:31:36.453Z","repository":{"id":34404809,"uuid":"178419209","full_name":"rabobank-cdc/DeTTECT","owner":"rabobank-cdc","description":"Detect Tactics, Techniques \u0026 Combat Threats","archived":false,"fork":false,"pushed_at":"2025-01-29T14:35:38.000Z","size":17944,"stargazers_count":2139,"open_issues_count":12,"forks_count":339,"subscribers_count":90,"default_branch":"master","last_synced_at":"2025-04-10T00:02:42.209Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"SCSS","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rabobank-cdc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-03-29T14:20:34.000Z","updated_at":"2025-04-09T15:26:03.000Z","dependencies_parsed_at":"2023-02-16T20:30:39.188Z","dependency_job_id":"f8b3d8d8-0d23-4a13-814f-88bfe38e3d7a","html_url":"https://github.com/rabobank-cdc/DeTTECT","commit_stats":{"total_commits":782,"total_committers":10,"mean_commits":78.2,"dds":0.4578005115089514,"last_synced_commit":"8dd2d8ed38a653027c86135e4efe15f26f1daa9e"},"previous_names":["rabobank-cdc/dettact"],"tags_count":25,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rabobank-cdc%2FDeTTECT","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rabobank-cdc%2FDeTTECT/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rabobank-cdc%2FDeTTECT/releases","manifests_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/repositories/rabobank-cdc%2FDeTTECT/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rabobank-cdc","download_url":"https://codeload.github.com/rabobank-cdc/DeTTECT/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248888676,"owners_count":21178093,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T21:00:29.390Z","updated_at":"2025-04-14T13:31:36.430Z","avatar_url":"https://github.com/rabobank-cdc.png","language":"SCSS","readme":"\u003cimg src=\"https://github.com/rabobank-cdc/DeTTECT/wiki/images/logo_dark.png#gh-dark-mode-only\" alt=\"DeTT\u0026CT\" width=30% height=30%\u003e\n\u003cimg src=\"https://github.com/rabobank-cdc/DeTTECT/wiki/images/logo.png#gh-light-mode-only\" alt=\"DeTT\u0026CT\" width=30% height=30%\u003e\n\n#### Detect Tactics, Techniques \u0026 Combat Threats\nLatest version: [2.0.0](https://github.com/rabobank-cdc/DeTTECT/wiki/Changelog#version-200)\n\nTo get started with DeTT\u0026CT, check out one of these resources:\n- This [page](https://github.com/rabobank-cdc/DeTTECT/wiki/Getting-started) on the Wiki.\n- This [blog](https://blog.nviso.eu/2022/03/09/dettct-mapping-detection-to-mitre-attck/) written by [Renaud Frère](https://twitter.com/Azotium) from NVISO has a comprehensive and recent description on the capabilities of DeTT\u0026CT.\n- Blog: [mbsecure.nl/blog/2019/5/dettact-mapping-your-blue-team-to-mitre-attack](https://www.mbsecure.nl/blog/2019/5/dettact-mapping-your-blue-team-to-mitre-attack) or\n- Blog: 
[siriussecurity.nl/blog/2019/5/8/mapping-your-blue-team-to-mitre-attack](https://www.siriussecurity.nl/blog/2019/5/8/mapping-your-blue-team-to-mitre-attack).\n\n**Videos**\n- Our [talk](https://www.youtube.com/watch?v=_kWpekkhomU) at hack.lu 2019.\n- The [video](https://www.youtube.com/watch?v=EXnutTLKS5o) from [Justin Henderson](https://twitter.com/SecurityMapper) on data source visibility and mapping.\n\nDeTT\u0026CT aims to assist blue teams in using ATT\u0026CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours, all of which can help, in different ways, to become more resilient against attacks targeting your organisation. The DeTT\u0026CT framework consists of a Python tool (DeTT\u0026CT CLI), YAML administration files, the [DeTT\u0026CT Editor](https://rabobank-cdc.github.io/dettect-editor) (to create and edit the YAML administration files) and [scoring tables](https://github.com/rabobank-cdc/DeTTECT/raw/master/scoring_table.xlsx) for [detections](https://github.com/rabobank-cdc/DeTTECT/wiki/How-to-use-the-framework#detection), [data sources](https://github.com/rabobank-cdc/DeTTECT/wiki/How-to-use-the-framework#data-source) and [visibility](https://github.com/rabobank-cdc/DeTTECT/wiki/How-to-use-the-framework#visibility).\n\nDeTT\u0026CT provides the following functionality for the ATT\u0026CK domains Enterprise, ICS and Mobile:\n\n- Administer and score the quality of your data sources.\n- Get insight into the visibility you have on, for example, endpoints.\n- Map your detection coverage.\n- Map threat actor behaviours.\n- Compare visibility, detection coverage and threat actor behaviours to uncover possible improvements in detection and visibility (visibility is based on your available data sources). 
This can help you to prioritise your blue teaming efforts.\n- Get statistics (per platform) on the number of techniques covered per data source.\n\nThe coloured visualisations are created with the help of MITRE's [ATT\u0026CK™ Navigator](https://mitre-attack.github.io/attack-navigator/#comment_underline=false\u0026metadata_underline=false). *For layer files created by DeTT\u0026CT, we recommend using this URL to the Navigator as it will make sure metadata in the layer file does not have a yellow underline: [https://mitre-attack.github.io/attack-navigator/#comment_underline=false\u0026metadata_underline=false](https://mitre-attack.github.io/attack-navigator/#comment_underline=false\u0026metadata_underline=false)*\n\n## Authors and contributions\nThis project is developed and maintained by [Marcus Bakker](https://github.com/marcusbakker) (Twitter: [@Bakk3rM](https://twitter.com/Bakk3rM)) and [Ruben Bouman](https://github.com/rubinatorz) (Twitter: [@rubinatorz](https://twitter.com/rubinatorz/)). Feel free to contact us; DMs are open. We would appreciate it if you ask questions on how to use DeTT\u0026CT by opening a GitHub issue; having the questions and answers there will greatly help others with similar questions and challenges.\n\nWe welcome contributions! Contributions can be both in code and in ideas you might have for further development, usability improvements, etc.\n\n### Sponsors\nThe following parties have supported the development of DeTT\u0026CT in time or financially.\n\n- **[Rabobank](https://www.rabobank.com/en/home/index.html)** - *Dutch multinational banking and financial services company. 
Food and agribusiness constitute the primary international focus of the Rabobank.*\n\n  Significant parts of DeTT\u0026CT have been developed in the time that we worked as contractors at Rabobank.\n- **[Cyber Security Sharing \u0026 Analytics (CSSA)](https://cssa.de/en/index.html#top)** - *Founded in November 2014 by seven major German companies as an alliance for jointly facing cyber security challenges in a proactive, fast and effective manner. Currently, CSSA has 13 member companies.*\n\n  With the financial sponsorship of the CSSA, we added support for [ATT\u0026CK ICS](https://collaborate.mitre.org/attackics/index.php/Main_Page) to DeTT\u0026CT.\n\n- **[Dutch National Police](https://www.politie.nl/en)**. With the financial sponsorship of the Dutch National Police, we added support for ATT\u0026CK Mobile to DeTT\u0026CT.\n\n\n### Work of others\nThe work of others inspired some functionality within DeTT\u0026CT:\n- Roberto Rodriguez's work on data quality and scoring of MITRE ATT\u0026CK™ techniques ([How Hot Is Your Hunt Team?](https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html), [Ready to hunt? First, Show me your data!](https://cyberwardog.blogspot.com/2017/12/ready-to-hunt-first-show-me-your-data.html)).\n- The MITRE ATT\u0026CK Mapping project on GitHub:\n  https://github.com/siriussecurity/mitre-attack-mapping.\n\n### Third party tool: Dettectinator\n\u003ci\u003eThe Python library to your DeTT\u0026CT YAML files.\u003c/i\u003e\n\nDettectinator is built to be included in your SOC automation tooling. 
It can be included as a Python library or it can be used via the command line.\n\nDettectinator provides plugins to read detections from your SIEM or EDR and create/update the DeTT\u0026CT YAML file, so that you can use it to visualize your ATT\u0026CK detection coverage in the ATT\u0026CK Navigator.\n\nMore information can be found on Github: [Dettectinator](https://github.com/siriussecurity/dettectinator/).\n\n## Example\n\nYAML files are used for administrating scores and relevant properties. All of which can be visualised by loading JSON layer files into the [ATT\u0026CK Navigator](https://mitre-attack.github.io/attack-navigator/#comment_underline=false\u0026metadata_underline=false) (some types of scores and properties can also be exported to Excel).\n\nSee below an example of mapping your data sources to ATT\u0026CK, which gives you a rough overview of your visibility coverage:\n\n \u003cimg src=\"https://raw.githubusercontent.com/wiki/rabobank-cdc/DeTTECT/images/example_data_sources.png\" alt=\"DeTT\u0026CT - Data quality\"\u003e\n\n\\\nUsing the command `python dettect.py generic -ds`, you can determine which data sources within ATT\u0026CK cover the most techniques. 
This can, for example, be useful to guide you in identifying which data sources will provide you with a lot of visibility and are hence a good candidate to have available in a SIEM (like) solution.\n\n```\nCount  Data Source\n--------------------------------------------------\n255    Command Execution\n206    Process Creation\n98     File Modification\n88     File Creation\n82     Network Traffic Flow\n78     OS API Execution\n70     Network Traffic Content\n58     Windows Registry Key Modification\n58     Network Connection Creation\n55     Application Log Content\n50     Module Load\n46     File Access\n46     Web [DeTT\u0026CT data source]\n37     File Metadata\n32     Logon Session Creation\n26     Script Execution\n22     Response Content\n21     Internal DNS [DeTT\u0026CT data source]\n20     User Account Authentication\n18     Process Access\n17     Windows Registry Key Creation\n17     Email [DeTT\u0026CT data source]\n15     Service Creation\n15     Host Status\n13     Active Directory Object Modification\n12     Service Metadata\n11     Process Metadata\n10     Driver Load\n10     File Deletion\n9      Firmware Modification\n9      Logon Session Metadata\n9      Process Modification\n8      User Account Metadata\n7      Windows Registry Key Access\n7      Scheduled Job Creation\n7      Malware Metadata\n7      Active Directory Credential Request\n6      Container Creation\n6      Web Credential Usage\n6      Response Metadata\n6      User Account Creation\n6      Drive Modification\n6      User Account Modification\n5      Instance Creation\n5      Active DNS\n5      Passive DNS\n5      Network Share Access\n5      Drive Access\n5      Service Modification\n4      Image Creation\n4      Instance Start\n4      Active Directory Object Creation\n4      Malware Content\n4      Social Media\n4      Domain Registration\n4      Drive Creation\n4      Windows Registry Key Deletion\n3      Active Directory Object Access\n3      Instance Metadata\n3      Container 
Start\n3      Web Credential Creation\n3      Firewall Rule Modification\n3      Firewall Disable\n3      Instance Deletion\n3      Snapshot Creation\n3      Process Termination\n2      Cloud Storage Enumeration\n2      Cloud Storage Access\n2      Pod Metadata\n2      Active Directory Object Deletion\n2      Cloud Service Modification\n2      Cloud Service Disable\n2      Certificate Registration\n2      Cloud Storage Metadata\n2      Instance Modification\n2      Instance Stop\n2      Firewall Metadata\n2      Firewall Enumeration\n2      Group Enumeration\n2      Group Metadata\n2      Image Metadata\n2      Scheduled Job Metadata\n2      Scheduled Job Modification\n2      Kernel Module Load\n2      WMI Creation\n2      Group Modification\n2      Driver Metadata\n2      Snapshot Modification\n2      Snapshot Deletion\n2      Volume Deletion\n2      Cloud Storage Modification\n2      Cloud Service Enumeration\n1      Cluster Metadata\n1      Container Enumeration\n1      Container Metadata\n1      Pod Enumeration\n1      Pod Creation\n1      Pod Modification\n1      Instance Enumeration\n1      Snapshot Metadata\n1      Snapshot Enumeration\n1      Volume Metadata\n1      Volume Enumeration\n1      Named Pipe Metadata\n1      User Account Deletion\n1      Image Modification\n1      Volume Creation\n1      Volume Modification\n1      Cloud Storage Creation\n1      Cloud Service Metadata\n1      Image Deletion\n1      Cloud Storage Deletion\n1      DHCP [DeTT\u0026CT data source]\n```\n\n## Installation and requirements\n\nSee our GitHub Wiki: [Installation and requirements](https://github.com/rabobank-cdc/DeTTECT/wiki/Installation-and-requirements).\n\n## License: GPL-3.0\n[DeTT\u0026CT's GNU General Public License v3.0](https://github.com/rabobank-cdc/DeTTECT/blob/master/LICENSE)\n","funding_links":[],"categories":["For a SOC","Python (1887)","Python","Other Lists","SCSS","Blue Team"],"sub_categories":["📊 TI 
TTP/Framework/Model/Trackers","Volatility"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frabobank-cdc%2FDeTTECT","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frabobank-cdc%2FDeTTECT","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frabobank-cdc%2FDeTTECT/lists"}
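The README above shows two things DeTT&CT does with ATT&CK data source information: the `dettect.py generic -ds` table counting how many techniques each data source component covers, and the mapping of your own available data sources onto ATT&CK as a rough visibility overview rendered in the ATT&CK Navigator. The script below is an added illustration of both steps, written by the editor and not code from the DeTT&CT project. It reads the ATT&CK STIX bundle fields the real tooling relies on (`attack-pattern` objects with `external_references`, `x_mitre_data_sources` entries of the form "Data Source: Data Component", and the `revoked` / `x_mitre_deprecated` flags), but the bundle embedded here is a constructed five-object excerpt, not real ATT&CK content, the `AVAILABLE_COMPONENTS` inventory is an assumed example, and the Navigator `versions` numbers are placeholders you should match to your own Navigator instance.

```python
"""Count ATT&CK techniques per data source component and build a Navigator
visibility layer from an inventory of available components.

Added example (not DeTT&CT's own code). Field names follow the ATT&CK STIX
bundles published by MITRE; the bundle content below is constructed.
"""
import json
from collections import Counter

# Constructed STIX-style excerpt: NOT real ATT&CK data, only the fields read here.
# It includes a revoked technique and a non-technique object to show filtering.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "attack-pattern", "name": "OS Credential Dumping",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}],
         "x_mitre_data_sources": ["Command: Command Execution", "Process: OS API Execution",
                                  "Process: Process Access", "Process: Process Creation"]},
        {"type": "attack-pattern", "name": "Command and Scripting Interpreter",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}],
         "x_mitre_data_sources": ["Command: Command Execution", "Process: Process Creation",
                                  "Script: Script Execution"]},
        {"type": "attack-pattern", "name": "PowerShell",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}],
         "x_mitre_data_sources": ["Command: Command Execution", "Module: Module Load",
                                  "Process: Process Creation", "Script: Script Execution"]},
        {"type": "attack-pattern", "name": "Application Layer Protocol",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1071"}],
         "x_mitre_data_sources": ["Network Traffic: Network Traffic Content",
                                  "Network Traffic: Network Traffic Flow"]},
        {"type": "attack-pattern", "name": "PowerShell (old)", "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1086"}],
         "x_mitre_data_sources": ["Command: Command Execution", "Process: Process Creation"]},
        {"type": "x-mitre-data-component", "name": "Process Creation"},
    ],
})

# Assumed example inventory: components already collected into the SIEM.
AVAILABLE_COMPONENTS = ["Process Creation", "Command Execution"]


def load_techniques(bundle_text):
    """Return {technique_id: [component, ...]} for live techniques in a STIX bundle.

    Revoked and deprecated techniques are skipped; counting them would inflate
    the per-component totals with techniques nobody should map to any more.
    """
    techniques = {}
    for obj in json.loads(bundle_text)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tech_id = next((r["external_id"] for r in obj.get("external_references", [])
                        if r.get("source_name") == "mitre-attack"), None)
        if tech_id is None:
            continue
        components = []
        for entry in obj.get("x_mitre_data_sources", []):
            # ATT&CK writes "Data Source: Data Component"; keep the component
            # name and tolerate entries that lack the separator.
            _, sep, component = entry.partition(": ")
            components.append(component if sep else entry)
        techniques[tech_id] = components
    return techniques


def count_techniques_per_component(techniques):
    """Number of techniques listing each component (the `generic -ds` table)."""
    counts = Counter()
    for components in techniques.values():
        counts.update(set(components))  # one technique counts once per component
    return counts


def format_counts(counts):
    """Render the counts in the same layout as the README table."""
    lines = ["Count  Data Source", "-" * 50]
    for name, count in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append(f"{count:<7}{name}")
    return "\n".join(lines)


def build_visibility_layer(techniques, available, name="Data source visibility"):
    """Navigator layer scoring each technique by the number of available components.

    Score 0 marks a technique none of whose listed components are collected,
    i.e. a blind spot. Missing components go into `metadata` so the Navigator
    tooltip shows what would have to be onboarded to gain visibility.
    """
    available = set(available)
    entries = []
    for tech_id, components in sorted(techniques.items()):
        have = sorted(c for c in components if c in available)
        missing = sorted(c for c in components if c not in available)
        entries.append({
            "techniqueID": tech_id,
            "score": len(have),
            "comment": "Available: " + (", ".join(have) or "none"),
            "metadata": [{"name": "missing", "value": m} for m in missing],
        })
    max_score = max((e["score"] for e in entries), default=0)
    return {
        "name": name,
        # Assumed placeholder versions; set them to match your Navigator instance.
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Techniques scored by number of available data source components",
        "techniques": entries,
        "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0,
                     "maxValue": max(max_score, 1)},
    }


if __name__ == "__main__":
    techs = load_techniques(SAMPLE_BUNDLE)
    print(format_counts(count_techniques_per_component(techs)))
    with open("visibility_layer.json", "w") as fh:
        json.dump(build_visibility_layer(techs, AVAILABLE_COMPONENTS), fh, indent=2)
```

Run it and open the resulting `visibility_layer.json` in the Navigator URL given in the README (with `metadata_underline=false`) to see techniques shaded by how many of their data source components you collect; the revoked T1086 is absent from both the table and the layer, which is the check worth keeping when you point the script at a real bundle, since older bundles still carry revoked techniques whose data sources would otherwise be double counted.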