Let Us Find Out Whodunit

Adam Goss
4 min readJan 11

Hey friend, welcome back!

Let’s take a look at a cool new tool that we can add to our threat hunting arsenal!

The tool we’re taking a look at today is called whodunit and its goal is adversary attribution.

Whodunit is a tool that can be used to identify the most likely Advanced Persistent Threat (APT) group responsible for an attack. The tool ingests a cyber security report that contains MITRE ATT&CK techniques identified in an attack and then outputs the APT groups most likely to have been responsible for the incident.

The whodunit tool is written in Python and can be found on GitLab at https://gitlab.com/bontchev/whodunit. The installation steps are shown below:

There is a small sample report that comes with the tool named report.txt which you can use to demonstrate the tool’s capabilities. This text file is a simple threat intelligence report which includes several MITRE ATT&CK techniques. Executing the tool, with this report as input, is shown below.

So it’s APT28 we need to take off our Christmas card list.

How Can whodunit Help Me?

Adversary attribution is a very difficult problem to solve.

  • Did the Russians do this cyber attack?
  • Did China do this cyber attack but pretended to be Russia to avoid blame?
  • Did the US do this cyber attack but framed China framing Russia to achieve some political motive?

As you can see, there are a lot of whodunits in there.

However, this is at the international espionage level where tradecraft and deceit are the pillars of a successful operation. In the world of cybercrime, the world the majority of Threat Intelligence Analysts interact with (despite the newspaper headlines being keen to attribute an attack to a nation), mimicking another cybercrime group to a degree where it is…

Adam Goss

Cyber Security Professional | Red Teamer | Adversary Emulator | Malware Analysis | Threat Hunter | Threat Intelligence