Hey friend, welcome back!
Let’s take a look at a cool new tool that we can add to our threat hunting arsenal!
The tool we’re taking a look at today is called whodunit and its goal is adversary attribution.
Whodunit is a tool that can be used to identify the most likely Advanced Persistent Threat (APT) group responsible for an attack. The tool ingests a cyber security report that contains MITRE ATT&CK techniques identified in an attack and then outputs the APT groups most likely to have been responsible for the incident.
The whodunit tool is written in Python and can be found on GitLab at https://gitlab.com/bontchev/whodunit. The installation steps are shown below:
There is a small sample report that comes with the tool named report.txt which you can use to demonstrate the tool’s capabilities. This text file is a simple threat intelligence report which includes several MITRE ATT&CK techniques. Executing the tool, with this report as input, is shown below.