# MITRE ATT&CK Integration
Stentor includes a built-in MITRE ATT&CK knowledge base with 85 technique definitions (62 official MITRE techniques + 23 custom internal techniques). The knowledge base powers technique-aware reporting, OPSEC guidance, and CNA scripting functions.
## Knowledge Base
Technique definitions are stored as YAML files in `server/knowledge_base/techniques/`. Each file contains:
- Technique ID (MITRE or internal)
- Name and description
- Tactic mapping (comma-separated for multi-tactic techniques)
- Execution methods with parameter schemas
- OPSEC guidance -- risk level, detection indicators, and mitigations
- Expected forensic artifacts -- event log sources, event IDs, and descriptions
- Related techniques
## Coverage
The knowledge base covers techniques across all major ATT&CK tactics:
| Tactic | Example Techniques |
|---|---|
| Execution | T1059.001 (PowerShell), T1059.003 (Cmd Shell), T1047 (WMI), T1106 (Native API) |
| Persistence | T1547.001 (Registry Run Keys), T1543.003 (Windows Service) |
| Privilege Escalation | T1134.001 (Token Theft), T1134.002 (Create Process with Token) |
| Defense Evasion | T1055.003 (Process Injection), T1562.001 (Impair Defenses), T1027.006 (Obfuscation) |
| Credential Access | T1003.001-006 (LSASS/SAM/NTDS/LSA/Cached/DCSync), T1558.001-004 (Kerberos) |
| Discovery | T1046 (Port Scan), T1018 (Network Enumeration), T1482 (Domain Trusts) |
| Lateral Movement | T1021.002 (SMB), T1021.003 (DCOM), T1021.006 (WinRM), T1047 (WMI) |
| Collection | T1115 (Clipboard Data) |
## CNA Scripting Functions
Six `attack_*` functions provide programmatic access to the knowledge base:
| Function | Signature | Returns |
|---|---|---|
| `attack_describe` | `attack_describe($technique_id)` | Full technique description |
| `attack_name` | `attack_name($technique_id)` | Technique display name |
| `attack_detect` | `attack_detect($technique_id)` | Detection indicators (newline-separated) |
| `attack_mitigate` | `attack_mitigate($technique_id)` | Mitigation guidance (newline-separated) |
| `attack_tactics` | `attack_tactics($technique_id)` | Array of tactic names |
| `attack_url` | `attack_url($technique_id)` | Direct MITRE ATT&CK URL |
### Examples
```cna
# Look up a technique
println("Name: " . attack_name("T1003.001"));
# → OS Credential Dumping: LSASS Memory
println("URL: " . attack_url("T1003.001"));
# → https://attack.mitre.org/techniques/T1003/001/

# Get detection guidance
println("Detection:\n" . attack_detect("T1003.001"));
# → Suspicious API calls detected
# → Unusual memory allocation patterns

# Get associated tactics
@tactics = attack_tactics("T1003.001");
println("Tactics: " . join(", ", @tactics));
# → Tactics: credential-access

# Use in a custom report
report("TTP Analysis");
page("Technique Details");
h2(attack_name("T1055.003"));
p(attack_describe("T1055.003"));
h3("Detection Guidance");
p(attack_detect("T1055.003"));
report_save("/tmp/ttp-analysis.pdf");
```
### Lookup Methods
Techniques can be looked up by either their MITRE ID or internal ID:
```cna
# By MITRE ID
attack_name("T1003.001"); # → "OS Credential Dumping: LSASS Memory"
# By internal ID
attack_name("BOF_EXECUTE"); # → "BOF Execution (Native API)"
```
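As an added illustration (not Stentor's own code), the lookup semantics above in Python: a small in-memory knowledge base checked against the field list from the Knowledge Base section, with `attack_url` deriving the MITRE link from the technique ID and `attack_tactics` splitting the comma-separated tactic string. The YAML key names, the two constructed entries, and the T1106 mapping for `BOF_EXECUTE` are assumptions of this example.

```python
import re
MITRE_ID = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")
# Fields every technique file carries (the list above); key names are assumed.
REQUIRED = ("id", "name", "description", "tactics", "opsec", "artifacts")

# Constructed entries shaped like knowledge-base files after yaml.safe_load().
TECHNIQUES = [
    {"id": "T1003.001", "name": "OS Credential Dumping: LSASS Memory",
     "description": "Reads credential material from LSASS process memory.",
     "tactics": "credential-access",
     "opsec": {"risk": "high",
               "detection": ["Suspicious API calls detected",
                             "Unusual memory allocation patterns"],
               "mitigations": ["Run LSASS as a protected process (RunAsPPL)"]},
     "artifacts": [{"source": "Sysmon", "event_id": 10}]},
    {"id": "BOF_EXECUTE", "name": "BOF Execution (Native API)",
     "description": "Runs a beacon object file in-process.",
     "mitre_id": "T1106",  # assumed mapping for this internal technique
     "tactics": "execution, defense-evasion",
     "opsec": {"risk": "medium", "detection": [], "mitigations": []},
     "artifacts": []},
]

def load_kb(entries):
    """Index definitions by ID after checking that required fields exist."""
    kb = {}
    for t in entries:
        missing = [k for k in REQUIRED if k not in t]
        if missing:
            raise ValueError("%s is missing %s" % (t.get("id"), missing))
        kb[t["id"]] = t
    return kb
KB = load_kb(TECHNIQUES)

def attack_name(tid):
    return KB[tid]["name"]

def attack_tactics(tid):
    """Comma-separated tactic field -> list (multi-tactic techniques)."""
    return [x.strip() for x in KB[tid]["tactics"].split(",")]

def attack_detect(tid):
    return "\n".join(KB[tid]["opsec"]["detection"])

def attack_url(tid):
    """T1003.001 -> .../techniques/T1003/001/; None without a MITRE mapping."""
    m = MITRE_ID.match(KB[tid].get("mitre_id", tid))
    if not m:
        return None
    return "https://attack.mitre.org/techniques/T%s/" % "/".join(filter(None, m.groups()))
```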
## Automatic TTP Tracking
When beacons execute tasks, the activity timeline report automatically maps known task types to MITRE ATT&CK technique IDs:
| Task Type | MITRE Technique |
|---|---|
| PowerShell execution | T1059.001 |
| Command shell | T1059.003 |
| WMI lateral movement | T1047 |
| DCOM execution | T1021.003 |
| WinRM execution | T1021.006 |
| Process injection | T1055.003 |
| Token theft | T1134.001 |
| Token creation | T1134.002 |
| SAM dump | T1003.002 |
| LSASS access | T1003.001 |
| NTDS dump | T1003.003 |
| LSA secrets | T1003.004 |
| Cached credentials | T1003.005 |
| DCSync | T1003.006 |
| Port scanning | T1046 |
| Network enumeration | T1018 |
| Domain trust discovery | T1482 |
| Registry persistence | T1547.001 |
This mapping feeds into the TTP Report (type=ttp), which provides tactic-level statistics and per-technique usage counts.
## Artifact Tracking
Stentor automatically records artifacts generated during operations. Every beacon task, payload generation, and post-exploitation action creates an artifact record with its associated MITRE ATT&CK technique.
### How It Works
The `ArtifactRecorderInterface` (defined in `server/internal/c2/`) records artifacts in real time:
- Inference: When a task is executed, the recorder infers the MITRE technique from the task type using the `taskTypeToMitre` mapping table above
- Recording: Artifact records are written via non-blocking goroutines with batch `INSERT` for performance
- Payload tracking: Build-time artifacts (e.g., "Code Mutation" when mutation is enabled) are recorded alongside runtime artifacts
### Artifact Record Fields
| Field | Description |
|---|---|
| `technique_id` | MITRE ATT&CK technique ID (e.g., T1055.003) |
| `technique_name` | Human-readable technique name |
| `tactic` | ATT&CK tactic category |
| `beacon_id` | Beacon that generated the artifact |
| `task_type` | Task type that triggered the artifact |
| `timestamp` | When the artifact was recorded |
| `details` | Additional context (command arguments, target PID, etc.) |
### Querying Artifacts
REST API:
```bash
# List all artifacts (paginated)
curl -s "https://stentor.app/api/v1/artifacts?page=1&per_page=50" \
  -H "Authorization: Bearer $TOKEN"

# Filter by technique
curl -s "https://stentor.app/api/v1/artifacts?technique=T1055.003" \
  -H "Authorization: Bearer $TOKEN"

# Filter by task type
curl -s "https://stentor.app/api/v1/artifacts?type=inject" \
  -H "Authorization: Bearer $TOKEN"
```
## ATT&CK Navigator Export
Export your operation's technique coverage as an ATT&CK Navigator layer JSON file. The Navigator layer provides a visual heatmap of techniques used during an engagement, with color intensity based on usage frequency.
### Export Endpoint
`GET /api/v1/artifacts/navigator`
```bash
# Download Navigator layer JSON
curl -s "https://stentor.app/api/v1/artifacts/navigator" \
  -H "Authorization: Bearer $TOKEN" \
  --output navigator-layer.json

# Preview in browser (no Content-Disposition header)
curl -s "https://stentor.app/api/v1/artifacts/navigator?preview=true" \
  -H "Authorization: Bearer $TOKEN"
```
### Filtering
| Parameter | Description |
|---|---|
| `technique` | Filter to specific technique ID(s) |
| `type` | Filter by task type |
| `from` | Start date (ISO 8601) |
| `to` | End date (ISO 8601) |
### Color Mapping
The Navigator layer uses color interpolation (white to red) based on technique usage frequency:
| Usage Count | Color | Interpretation |
|---|---|---|
| 0 | White | Not used |
| 1-5 | Light pink | Low usage |
| 6-20 | Medium red | Moderate usage |
| 21+ | Dark red | Heavy usage |
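Added example, not Stentor's own code: how the task-type mapping from the Automatic TTP Tracking table, the artifact records, and the colour buckets above combine into an ATT&CK Navigator layer. The task-type keys, the linear white-to-red blend, and the layer version strings are assumptions; the layer field names follow the Navigator layer format.

```python
# Task type -> technique ID, from the Automatic TTP Tracking table above.
# The task-type keys are assumed; Stentor's internal task names may differ.
TASK_TYPE_TO_TECHNIQUE = {
    "powershell": "T1059.001", "shell": "T1059.003", "wmi": "T1047",
    "dcom": "T1021.003", "winrm": "T1021.006", "inject": "T1055.003",
    "steal_token": "T1134.001", "make_token": "T1134.002",
    "sam": "T1003.002", "lsass": "T1003.001", "ntds": "T1003.003",
    "lsa_secrets": "T1003.004", "cached_creds": "T1003.005",
    "dcsync": "T1003.006", "portscan": "T1046", "net_enum": "T1018",
    "domain_trusts": "T1482", "reg_persist": "T1547.001",
}
# Usage buckets (upper bound, interpretation) from the Color Mapping table.
BUCKETS = [(0, "Not used"), (5, "Low usage"), (20, "Moderate usage")]

def infer_technique(task_type):
    """Technique inferred from the task type, or None if unmapped."""
    return TASK_TYPE_TO_TECHNIQUE.get(task_type)

def count_techniques(artifacts):
    """Per-technique usage counts over artifact records (dicts using the
    Artifact Record Fields); the ID is inferred when a record lacks it."""
    counts = {}
    for art in artifacts:
        tid = art.get("technique_id") or infer_technique(art.get("task_type"))
        if tid:
            counts[tid] = counts.get(tid, 0) + 1
    return counts

def usage_color(count):
    """White-to-red shade saturating at 21+ uses (linear blend is assumed)."""
    shade = round(255 * (1 - min(count, 21) / 21.0))
    return "#ff%02x%02x" % (shade, shade)

def usage_label(count):
    """Interpretation column of the Color Mapping table."""
    return next((lbl for hi, lbl in BUCKETS if count <= hi), "Heavy usage")

def build_navigator_layer(artifacts, name):
    """Navigator layer dict (field names per the layer format; versions assumed)."""
    counts = count_techniques(artifacts)
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": t, "score": n, "color": usage_color(n),
             "comment": "%d use(s): %s" % (n, usage_label(n))}
            for t, n in sorted(counts.items())],
        "gradient": {"colors": ["#ffffff", "#ff0000"], "minValue": 0, "maxValue": 21},
    }
```

Write the returned dict out with `json.dump` and it loads through "Open Existing Layer" in Navigator like the exported file.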
### Using with ATT&CK Navigator
- Export the layer JSON from Stentor
- Open ATT&CK Navigator in a browser
- Click "Open Existing Layer" and upload the JSON file
- The heatmap shows which techniques were used and their frequency
This is valuable for engagement reports -- it provides a visual summary of the operation's technique coverage that maps directly to the MITRE ATT&CK framework.
### UI Access
The Navigator export is also available from the Stentor UI:
- Navigate to Reporting > Artifacts
- Apply type/technique filters as needed (select "all" to clear filters)
- Click Export Navigator Layer
- The JSON file downloads automatically
The UI uses server-side filtering -- switching type or technique filters refreshes the entire query.