Class/Classes.ps1

class PSAttck {
}

class Enterprise : PSAttck  {
    [String] $Id
    [String] $Name
    [System.Collections.ArrayList] $Aliases
    [System.Collections.ArrayList] $Alias
    [String] $Description
    [PSCustomObject] $Reference
    [String] $Created
    [String] $Modified
    [String] $Stix
    [String] $Type
    [String] $Wiki
    [String] $Contributor

    static $relationships

    Enterprise($attckObj) : base() {

        if (-not([Enterprise]::relationships)){
            $relationshipObj = @{}
            $Global:PSAttckJson.objects.Where{$_.type -eq 'relationship'}.ForEach{
                $sourceID = $_.source_ref
                $targetID = $_.target_ref
                if(-not $relationshipObj.ContainsKey($sourceID)){
                    $relationshipObj[$sourceID] = @()
                }
                $relationshipObj[$sourceID] += $targetID

                if(-not $relationshipObj.ContainsKey($targetID)){
                    $relationshipObj[$targetID] = @()
                }
                $relationshipObj[$targetID] += $sourceID
                [Enterprise]::relationships = $relationshipObj
            }
        }

        $this.Id   = $this.SetIdAttribute($attckObj)
        $this.Name = $this.SetAttribute($attckObj,'name')
     # $this.Alias = $this.SetAliasAttribute($attckObj)
      # $this.Aliases = $this.Alias
        $this.Description = $this.SetAttribute($attckObj, 'description')
        $this.Reference = $this.SetReferenceAttribute($attckObj)
        $this.Created = $this.SetDateTimeAttribute($attckObj, 'created')
        $this.Modified = $this.SetDateTimeAttribute($attckObj, 'modified')
        $this.Stix = $this.SetAttribute($attckObj, 'id')
        $this.Type = $this.SetAttribute($attckObj, 'type')
        $this.Wiki = $this.SetWikiAttribute($attckObj)
        $this.Contributor = $this.SetListAttribute($attckObj, 'x_mitre_contributors')
    }

    [String] hidden SetIdAttribute($obj){
        try {
            foreach ($ref in $obj.external_references){
                if ($ref.source_name -eq 'mitre-attack'){
                    return $ref.external_id
                }
                else{
                    return 'no external_id found'
                }
            }
        }
        catch {
            Write-Error -ErrorRecord $Error[0] -RecommendedAction 'Unable to set Mitre ATT&CK ID Attribute'
        }
        return $null
    }

    [System.Collections.ArrayList] hidden SetAliasAttribute ($obj){
        $returnObject = [System.Collections.ArrayList]::new()
        if ($obj."aliases"){
            foreach ($item in $obj."aliases"){
                $returnObject.Add($item)
            }
        }
        if ($obj."x_mitre_aliases"){
            foreach ($item in $obj."x_mitre_aliases"){
                $returnObject.Add($item)
            }
        }
        return $returnObject
    }

    [System.Collections.ArrayList] hidden SetListAttribute ($obj, [string] $name){
        $returnObject = [System.Collections.ArrayList]::new()
        if ($obj."$name"){
            foreach ($item in $obj."$name"){
                $returnObject.Add($item)
            }
        }
        return $returnObject
    }

    [String] hidden SetAttribute ($obj, [string] $name){
        if ($obj.PSobject.Properties.name -match $name){
            $tempObj = $obj | Select-Object -Property $name
            if ($tempObj.PSobject.Properties.name -match 'name'){
                return $tempObj."$name"
            }
            else{
                return $obj."$name"
            }
        }
        else{
            return "No $name attribute found"
        }
    }

    [string] hidden SetDateTimeAttribute($obj, $name){
        if ($obj -and $obj.name){
            $tempObject = $obj | Select-Object -Property $name
            return [datetime]$tempObject.$name
        }
        else{
            return "No value for $name property"
        }
    }

    [String] hidden SetWikiAttribute($obj){
        try {
            foreach ($ref in $obj.external_references){
                if ($ref.source_name -eq 'mitre-attack'){
                    return $ref.url
                }
                else{
                    return 'No url attribute found'
                }
            }
        }
        catch {
            Write-Error -ErrorRecord $Error[0] -RecommendedAction 'Unable to set Mitre ATT&CK url Attribute'
        }
        return $null
    }

    [PSCustomObject] hidden SetReferenceAttribute($obj){

        $ReturnObject = @()
        $extId       = ''
        $url         = ''
        $sourceName  = ''
        $descr       = ''

        try {
            foreach ($ref in $obj.external_references){
                foreach ($attr in $ref){
                    if ($attr.external_id){
                        $extId = $attr.external_id
                    }
                    else {
                        $extId = 'No external_id attribute found'
                    }
                    if ($attr.url){
                        $url = $attr.url
                    }
                    else {
                        $url = 'No url attribute found'
                    }
                    if ($attr.source_name){
                        $sourceName = $attr.source_name
                    }
                    else {
                        $sourceName = 'No source_name attribute found'
                    }
                    if ($attr.description){
                        $descr = $attr.description
                    }
                    else {
                        $descr = 'No description attribute found'
                    }

                $props = @{
                    ExternalId  = $extId
                    Url         = $url
                    SourceName  = $sourceName
                    Description = $descr
                }

                $tempObject = New-Object -TypeName PSCustomObject -Property $props
                $ReturnObject += $tempObject
                }
            }
            return $ReturnObject
        }
        catch {
            Write-Error -ErrorRecord $Error[0] -RecommendedAction 'Unable to set Mitre ATT&CK url Attribute'
        }
        return $null
    }
}


class EnterpriseActor : Enterprise {

    [String] $CreatedByReference
    [String] $Revoked
    hidden $attckObj = @()

    [System.Collections.ArrayList] $Dataset = [System.Collections.ArrayList]::new()
    [String] $Country
    [System.Collections.ArrayList] $Operations = [System.Collections.ArrayList]::new()
    [System.Collections.ArrayList] $AttributionLinks = [System.Collections.ArrayList]::new()
    [System.Collections.ArrayList] $KnownTools = [System.Collections.ArrayList]::new()
    [System.Collections.ArrayList] $Targets = [System.Collections.ArrayList]::new()
    [System.Collections.ArrayList] $AdditionalComments = [System.Collections.ArrayList]::new()
    [System.Collections.ArrayList] $ExternalDescription = [System.Collections.ArrayList]::new()
    static hidden $generatedDataSet

    EnterpriseActor($attckObj) : base($attckObj) {

        if (-not([EnterpriseActor]::generatedDataSet)){
            [EnterpriseActor]::generatedDataSet = Get-AttckDataFiles -AttckDataset
        }

        $this.attckObj = $attckObj

        $this.CreatedByReference = $this.SetAttribute($this.attckObj, 'created_by_ref')
        $this.Revoked = $this.SetAttribute($this.attckObj, 'revoked')

        $this.Dataset = $this.GetFilteredDataset()
    }

    [System.Collections.ArrayList] hidden GetFilteredDataset(){
        $countrys = @()
        [EnterpriseActor]::generatedDataSet.actors.ForEach({
            $_ | get-member -MemberType NoteProperty -ErrorAction SilentlyContinue | ForEach-Object {
                $countrys += $_.Name
            }
        })

        $returnObject = [System.Collections.ArrayList]::new()

        $countrys.ForEach({
            $currentCountry = $_
            [EnterpriseActor]::generatedDataSet.actors.$_.actors.ForEach({
                if ($_.names -contains $this.Name){
                    $this.Country = $currentCountry
                    if ($_.operations){
                        $this.Operations.Add($_.operations)
                    }
                    if ($_.links){
                        $this.AttributionLinks.Add($_.links)
                    }
                    if ($_.tools){
                        $this.KnownTools.Add($_.tools)
                    }
                    if ($_.targets){
                        $this.Targets.Add($_.targets)
                    }
                    if ($_.comment){
                        $this.AdditionalComments.Add($_.comment)
                    }
                    if ($_.description){
                        $this.ExternalDescription.Add($_.description)
                    }
                    $returnObject.Add($_)
                }
            })
        })
        return $returnObject
    }

    [System.Collections.ArrayList] Malwares(){
        $returnObject = [System.Collections.ArrayList]::new()

        $malwareObj = @{}
        $global:PSAttckJson.objects.Where{$_.type -eq 'malware'}.ForEach{
            $malwareObj[$_.id] = $_
        }

        [Enterprise]::relationships[$this.Stix].ForEach{
            if ($malwareObj[$_]){
                $returnObject.Add((New-AttckObject -Object $malwareObj[$_] -Type 'EnterpriseMalware'))
            }
        }
        return $returnObject
    }

    [System.Collections.ArrayList] Tools(){
        $returnObject = [System.Collections.ArrayList]::new()

        $toolObj = @{}
        $global:PSAttckJson.objects.Where{$_.type -eq 'tool'}.ForEach{
            $toolObj[$_.id] = $_
        }

        [Enterprise]::relationships[$this.Stix].ForEach{
            if ($toolObj[$_]){
                $returnObject.Add((New-AttckObject -Object $toolObj[$_] -Type 'EnterpriseTool'))
            }
        }
        return $returnObject
    }

    [System.Collections.ArrayList] Techniques(){
        $returnObject = [System.Collections.ArrayList]::new()

        $techniqueObj = @{}
        $global:PSAttckJson.objects.Where{$_.type -eq 'attack-pattern'}.ForEach{
            $techniqueObj[$_.id] = $_
        }

        [Enterprise]::relationships[$this.Stix].ForEach{
            if ($techniqueObj[$_]){
                $returnObject.Add((New-AttckObject -Object $techniqueObj[$_] -Type 'EnterpriseTechnique'))
            }
        }
        return $returnObject
    }
}


class EnterpriseMalware : Enterprise {

    [String] $CreatedByReference
    [String] $Revoked
    [System.Collections.ArrayList] $Label
    [System.Collections.ArrayList] $Platform

    EnterpriseMalware($JsonObject) : base($JsonObject) {

        $this.Label = $this.SetListAttribute($JsonObject, 'labels')
        $this.Platform = $this.SetListAttribute($JsonObject, 'x_mitre_platforms')
        $this.CreatedByReference = $this.SetAttribute($JsonObject, 'created_by_ref')
        $this.Revoked = $this.SetAttribute($JsonObject, 'revoked')
    }

    [System.Collections.ArrayList] Actors(){
        $returnObject = [System.Collections.ArrayList]::new()

        $actorObj = @{}
        $global:PSAttckJson.objects.Where{$_.type -eq 'intrusion-set'}.ForEach{
            $actorObj[$_.id] = $_
        }

        [Enterprise]::relationships[$this.Stix].ForEach{
            if ($actorObj[$_]){
                $returnObject.Add((New-AttckObject -Object $actorObj[$_] -Type 'EnterpriseActor'))
            }
        }
        return $returnObject
    }

    [System.Collections.ArrayList] Techniques(){
        $returnObject = [System.Collections.ArrayList]::new()

        $techniqueObj = @{}
        $global:PSAttckJson.objects.Where{$_.type -eq 'attack-pattern'}.ForEach{
            $techniqueObj[$_.id] = $_
        }

        [Enterprise]::relationships[$this.Stix].ForEach{
            if ($techniqueObj[$_]){
                $returnObject.Add((New-AttckObject -Object $techniqueObj[$_] -Type 'EnterpriseTechnique'))
            }
        }
        return $returnObject
    }
}

class EnterpriseMitigation : Enterprise {

    [String] $CreatedByReference

    EnterpriseMitigation($JsonObject) : base($JsonObject) {

        $this.CreatedByReference = $this.SetAttribute($JsonObject, 'created_by_ref')
    }

    [System.Collections.ArrayList] Techniques(){
        $returnObject = [System.Collections.ArrayList]::new()

        $techniqueObj = @{}
        $global:PSAttckJson.objects.Where{$_.type -eq 'attack-pattern'}.ForEach{
            $techniqueObj[$_.id] = $_
        }

        [Enterprise]::relationships[$this.Stix].ForEach{
            if ($techniqueObj[$_]){
                $returnObject.Add((New-AttckObject -Object $techniqueObj[$_] -Type 'EnterpriseTechnique'))
            }
        }
        return $returnObject
    }
}


class EnterpriseTactic : Enterprise {

    [String] $CreatedByReference
    [String] $ShortName

    EnterpriseTactic($JsonObject) : base($JsonObject) {

        $this.ShortName = $this.SetAttribute($JsonObject, 'x_mitre_shortname')
        $this.CreatedByReference = $this.SetAttribute($JsonObject, 'created_by_ref')
    }

    [System.Collections.ArrayList] Techniques(){
        $returnObject = [System.Collections.ArrayList]::new()

        $global:PSAttckJson.objects.ForEach{
            if ($_.kill_chain_phases){
                foreach ($name in $_.kill_chain_phases){
                    if ($name.phase_name.ToLower() -eq $this.ShortName){
                        $returnObject.Add((New-AttckObject -Object $_ -Type 'EnterpriseTechnique'))
                    }
                }
            }
        }
        return $returnObject
    }
}


class EnterpriseTechnique : Enterprise {

    [String] $CreatedByReference
    [System.Collections.ArrayList] $Platform
    [System.Collections.ArrayList] $Permission
    [System.Collections.ArrayList] $Bypass
    [System.Collections.ArrayList] $EffectivePermissions
    [System.Collections.ArrayList] $CommandList
    [System.Collections.ArrayList] $Commands
    [System.Collections.ArrayList] $Queries
    [System.Collections.ArrayList] $RawDatasets
    [System.Collections.ArrayList] $RawDetections
    [String] $Network
    [String] $Remote
    [String] $SystemRequirements
    [String] $Detection
    [System.Collections.ArrayList] $DataSource
    [System.Collections.ArrayList] hidden $phaseNames

    static hidden $generatedDataSet

    EnterpriseTechnique($JsonObject) : base($JsonObject) {

        if (-not([EnterpriseTechnique]::generatedDataSet)){
            [EnterpriseTechnique]::generatedDataSet = Get-AttckDataFiles -AttckDataset
        }

        $this.CreatedByReference = $this.SetAttribute($JsonObject, 'created_by_ref')
        $this.Platform = $this.SetListAttribute($JsonObject, 'x_mitre_platforms')

        $this.Permission = $this.SetListAttribute($JsonObject, 'x_mitre_permissions_required')
        $this.Bypass = $this.SetListAttribute($JsonObject, 'x_mitre_defense_bypassed')
        $this.EffectivePermissions = $this.SetListAttribute($JsonObject, 'x_mitre_effective_permissions')
        $this.Network = $this.SetAttribute($JsonObject, 'x_mitre_network_requirements')
        $this.Remote = $this.SetAttribute($JsonObject, 'x_mitre_remote_support')
        $this.SystemRequirements = $this.SetAttribute($JsonObject, 'x_mitre_system_requirements')
        $this.Detection = $this.SetAttribute($JsonObject, 'x_mitre_detection')
        $this.DataSource = $this.GetDataSourcesDict($JsonObject.x_mitre_data_sources)
        #$this.SetListAttribute($JsonObject, 'x_mitre_data_sources')

        $this.SetTactic($JsonObject)

        $this.CommandList = $this.GetFilteredDataset('command_list')
        $this.Commands = $this.GetFilteredDataset('commands')
        $this.Queries = $this.GetFilteredDataset('queries')
        $this.RawDatasets = $this.GetFilteredDataset('parsed_datasets')
        $this.RawDetections = $this.GetFilteredDataset('possible_detections')
    }

    [PSCustomObject] hidden GetDataSourcesDict($obj){
        $returnObj = @{}
        foreach ($item in $obj){
            if ($item -contains ':'){
                $tempDataSource = $item.split(':')
                if(-not ($returnObj.ContainsKey($tempDataSource[0]))){
                    $returnObj[$tempDataSource[0]] = @()
                }
                $returnObj[$tempDataSource[0]] += $tempDataSource[1]
            }
        }
        return $returnObj
    }
    [System.Collections.ArrayList] hidden GetFilteredDataset($attribute){
        $returnObject = [System.Collections.ArrayList]::new()
        [EnterpriseTechnique]::generatedDataSet.techniques.ForEach({
            if ($_.technique_id -eq $this.Id){
                $returnObject.Add($_."$attribute")
            }
        })
        return $returnObject
    }

    [void] hidden SetTactic($obj){
        $returnObject = [System.Collections.ArrayList]::new()

        foreach ($phase in $obj.kill_chain_phases){
            $returnObject.Add($phase.phase_name)
        }
        $this.phaseNames = $returnObject
    }

    [System.Collections.ArrayList] Tactics(){
        $returnObject = [System.Collections.ArrayList]::new()

        $global:PSAttckJson.objects.Where{$_.type -eq 'x-mitre-tactic'}.ForEach{
            foreach ($phase in $this.phaseNames){
                if ($phase.ToLower() -eq $_.x_mitre_shortname){
                    $returnObject.Add((New-AttckObject -Object $_ -Type 'EnterpriseTactic'))
                }
            }
        }
        return $returnObject
    }

    [System.Collections.ArrayList] Actors(){
        $returnObject = [System.Collections.ArrayList]::new()

        $actorObj = @{}
        $global:PSAttckJson.objects.Where{$_.type -eq 'intrusion-set'}.ForEach{
            $actorObj[$_.id] = $_
        }

        [Enterprise]::relationships[$this.Stix].ForEach{
            if ($actorObj[$_]){
                $returnObject.Add((New-AttckObject -Object $actorObj[$_] -Type 'EnterpriseActor'))
            }
        }
        return $returnObject
    }

    [System.Collections.ArrayList] Mitigations(){
        $returnObject = [System.Collections.ArrayList]::new()

        $mitigationObj = @{}
        $global:PSAttckJson.objects.Where{$_.type -eq 'course-of-action'}.ForEach{
            $mitigationObj[$_.id] = $_
        }

        [Enterprise]::relationships[$this.Stix].ForEach{
            if ($mitigationObj[$_]){
                $returnObject.Add((New-AttckObject -Object $mitigationObj[$_] -Type 'EnterpriseMitigation'))
            }
        }
        return $returnObject
    }
}


class EnterpriseTool : Enterprise {

    [System.Collections.ArrayList] $C2Matrix = [System.Collections.ArrayList]::new()
    [System.Collections.ArrayList] $ToolsDataset = [System.Collections.ArrayList]::new()
    [System.Collections.ArrayList] $AdditionalNames = [System.Collections.ArrayList]::new()
    [System.Collections.ArrayList] $AttributionLinks = [System.Collections.ArrayList]::new()
    [System.Collections.ArrayList] $Family = [System.Collections.ArrayList]::new()
    [System.Collections.ArrayList] $AdditionalComments = [System.Collections.ArrayList]::new()
    ${Actively Maint.}
    $Agent
    $API
    ${ATT&CK Mapping}
    $Chaining
    ${Custom Profile}
    $Dashboard
    $Date
    $DNS
    $DoH
    $DomainFront
    $Evaluator
    $FTP
    ${GH Issues}
    $GitHub
    ${How-To}
    $HTTP
    $HTTP2
    $HTTP3
    $ICMP
    $IMAP
    $Implementation
    $Jitter
    $Kali
    ${Key Exchange}
    ${Kill Date}
    $License
    $Linux
    $Logging
    $macOS
    $MAPI
    ${Multi-User}
    $c2Name
    $Notes
    $Price
    ${Proxy Aware}
    $Server
    $Site
    $Slack
    ${Slack Members}
    $SMB
    $Stego
    $TCP
    $Twitter
    $UI
    ${Version Reviewed}
    $Windows
    ${Working Hours}
    $NetWitness
    static hidden $generatedDataSet


    EnterpriseTool($JsonObject) : base($JsonObject) {
        if (-not([EnterpriseTool]::generatedDataSet)){
            [EnterpriseTool]::generatedDataSet = Get-AttckDataFiles -AttckDataset
        }

        $this.C2Matrix = $this.GetC2Dataset()
        $this.ToolsDataset = $this.GetToolsDataset()
    }

    [System.Collections.ArrayList] hidden GetToolsDataset(){
        $returnObject = [System.Collections.ArrayList]::new()

        [EnterpriseTool]::generatedDataSet.tools.tools.ForEach({
            if ($this.Name -in $_.names -or $this.Aliases -in $_.names){
                $returnObject.Add($_)
                foreach ($item in $_.names){
                    $this.AdditionalNames.Add($item)
                }
                foreach ($item in $_.links){
                    $this.AttributionLinks.Add($item)
                }
                foreach ($item in $_.family){
                    $this.Family.Add($item)
                }
                foreach ($item in $_.comments){
                    $this.AdditionalComments.Add($item)
                }
            }
        })
        return $returnObject
    }

    [System.Collections.ArrayList] hidden GetC2Dataset(){
        $returnObject = [System.Collections.ArrayList]::new()

        $tools = @()
        [EnterpriseTool]::generatedDataSet.c2_data.ForEach({
            $tools += ($_ | Get-Member -MemberType NoteProperty | Select-Object Name).Name
        })

        $tools.ForEach({
            $currentTool = $_
            if ($_ -match $this.Name -or $_ -in $this.Aliases){
                $props = @()
                [EnterpriseTool]::generatedDataSet.c2_data.$_.ForEach({
                    ($_ | Get-Member -MemberType NoteProperty | Select-Object Name).Name.ForEach({
                        $props += $_
                    })
                    if ($props){
                        foreach ($item in $props){
                            if ($item -eq 'Name'){
                                $this.$('c2'+$item) = $_.$item
                            }
                            try{
                                $this.$($item) = $_.$item
                            }
                            catch{
                                Write-Debug -Message "Unable to find property $item but ignoring for now"
                            }
                        }
                    $returnObject.Add($_)
                    }
                })
            }
        })
        return $returnObject
    }

    [System.Collections.ArrayList] Actors(){
        $returnObject = [System.Collections.ArrayList]::new()

        $actorObj = @{}
        $global:PSAttckJson.objects.Where{$_.type -eq 'intrusion-set'}.ForEach{
            $actorObj[$_.id] = $_
        }

        [Enterprise]::relationships[$this.Stix].ForEach{
            if ($actorObj[$_]){
                $returnObject.Add((New-AttckObject -Object $actorObj[$_] -Type 'EnterpriseActor'))
            }
        }
        return $returnObject
    }

    [System.Collections.ArrayList] Techniques(){
        $returnObject = [System.Collections.ArrayList]::new()

        $techniqueObj = @{}
        $global:PSAttckJson.objects.Where{$_.type -eq 'attack-pattern'}.ForEach{
            $techniqueObj[$_.id] = $_
        }

        [Enterprise]::relationships[$this.Stix].ForEach{
            if ($techniqueObj[$_]){
                $returnObject.Add((New-AttckObject -Object $techniqueObj[$_] -Type 'EnterpriseTechnique'))
            }
        }
        return $returnObject
    }
}