1+ import openpyxl
2+ from openpyxl .styles import Font , Alignment , Border , Side , PatternFill
3+
4+ def BadTemplateException (exception ):
5+ pass
6+
7+ class excel_templates :
8+ enterprise_template = {(1 , 1 ): 'Initial Access' ,
9+ (1 , 2 ): 'Execution' ,
10+ (1 , 3 ): 'Persistence' ,
11+ (1 , 4 ): 'Privilege Escalation' ,
12+ (1 , 5 ): 'Defense Evasion' ,
13+ (1 , 6 ): 'Credential Access' ,
14+ (1 , 7 ): None ,
15+ (1 , 8 ): 'Discovery' ,
16+ (1 , 9 ): 'Lateral Movement' ,
17+ (1 , 10 ): 'Collection' ,
18+ (1 , 11 ): 'Command and Control' ,
19+ (1 , 12 ): 'Exfiltration' ,
20+ (1 , 13 ): 'Impact' ,
21+ (2 , 1 ): 'Drive-by Compromise' ,
22+ (2 , 2 ): 'Command and Scripting Interpreter' ,
23+ (2 , 3 ): 'Account Manipulation' ,
24+ (2 , 4 ): 'Abuse Elevation Control Mechanism' ,
25+ (2 , 5 ): 'Abuse Elevation Control Mechanism' ,
26+ (2 , 6 ): 'Brute Force' ,
27+ (2 , 7 ): 'Credential Stuffing' ,
28+ (2 , 8 ): 'Account Discovery' ,
29+ (2 , 9 ): 'Exploitation of Remote Services' ,
30+ (2 , 10 ): 'Archive Collected Data' ,
31+ (2 , 11 ): 'Application Layer Protocol' ,
32+ (2 , 12 ): 'Automated Exfiltration' ,
33+ (2 , 13 ): 'Account Access Removal' ,
34+ (3 , 1 ): 'Exploit Public-Facing Application' ,
35+ (3 , 2 ): 'Exploitation for Client Execution' ,
36+ (3 , 3 ): 'BITS Jobs' ,
37+ (3 , 4 ): 'Access Token Manipulation' ,
38+ (3 , 5 ): 'BITS Jobs' ,
39+ (3 , 6 ): None ,
40+ (3 , 7 ): 'Password Cracking' ,
41+ (3 , 8 ): 'Application Window Discovery' ,
42+ (3 , 9 ): 'Internal Spearphishing' ,
43+ (3 , 10 ): 'Audio Capture' ,
44+ (3 , 11 ): 'Communication Through Removable Media' ,
45+ (3 , 12 ): 'Data Transfer Size Limits' ,
46+ (3 , 13 ): 'Data Destruction' ,
47+ (4 , 1 ): 'External Remote Services' ,
48+ (4 , 2 ): 'Inter-Process Communication' ,
49+ (4 , 3 ): 'Boot or Logon Autostart Execution' ,
50+ (4 , 4 ): 'Boot or Logon Autostart Execution' ,
51+ (4 , 5 ): 'Deobfuscate/Decode Files or Information' ,
52+ (4 , 6 ): None ,
53+ (4 , 7 ): 'Password Guessing' ,
54+ (4 , 8 ): 'Browser Bookmark Discovery' ,
55+ (4 , 9 ): 'Lateral Tool Transfer' ,
56+ (4 , 10 ): 'Automated Collection' ,
57+ (4 , 11 ): 'Data Encoding' ,
58+ (4 , 12 ): 'Exfiltration Over Alternative Protocol' ,
59+ (4 , 13 ): 'Data Encrypted for Impact' ,
60+ (5 , 1 ): 'Hardware Additions' ,
61+ (5 , 2 ): 'Native API' ,
62+ (5 , 3 ): 'Boot or Logon Initialization Scripts' ,
63+ (5 , 4 ): 'Boot or Logon Initialization Scripts' ,
64+ (5 , 5 ): 'Direct Volume Access' ,
65+ (5 , 6 ): None ,
66+ (5 , 7 ): 'Password Spraying' ,
67+ (5 , 8 ): 'Domain Trust Discovery' ,
68+ (5 , 9 ): 'Remote Service Session Hijacking' ,
69+ (5 , 10 ): 'Clipboard Data' ,
70+ (5 , 11 ): 'Data Obfuscation' ,
71+ (5 , 12 ): 'Exfiltration Over C2 Channel' ,
72+ (5 , 13 ): 'Data Manipulation' ,
73+ (6 , 1 ): 'Phishing' ,
74+ (6 , 2 ): 'Scheduled Task/Job' ,
75+ (6 , 3 ): 'Browser Extensions' ,
76+ (6 , 4 ): 'Create or Modify System Process' ,
77+ (6 , 5 ): 'Execution Guardrails' ,
78+ (6 , 6 ): 'Credentials from Password Stores' ,
79+ (6 , 8 ): 'File and Directory Discovery' ,
80+ (6 , 9 ): 'Remote Services' ,
81+ (6 , 10 ): 'Data from Information Repositories' ,
82+ (6 , 11 ): 'Dynamic Resolution' ,
83+ (6 , 12 ): 'Exfiltration Over Other Network Medium' ,
84+ (6 , 13 ): 'Defacement' ,
85+ (7 , 1 ): 'Replication Through Removable Media' ,
86+ (7 , 2 ): 'Shared Modules' ,
87+ (7 , 3 ): 'Compromise Client Software Binary' ,
88+ (7 , 4 ): 'Event Triggered Execution' ,
89+ (7 , 5 ): 'Exploitation for Defense Evasion' ,
90+ (7 , 6 ): 'Exploitation for Credential Access' ,
91+ (7 , 8 ): 'Network Service Scanning' ,
92+ (7 , 9 ): 'Replication Through Removable Media' ,
93+ (7 , 10 ): 'Data from Local System' ,
94+ (7 , 11 ): 'Encrypted Channel' ,
95+ (7 , 12 ): 'Exfiltration Over Physical Medium' ,
96+ (7 , 13 ): 'Disk Wipe' ,
97+ (8 , 1 ): 'Supply Chain Compromise' ,
98+ (8 , 2 ): 'Software Deployment Tools' ,
99+ (8 , 3 ): 'Create Account' ,
100+ (8 , 4 ): 'Exploitation for Privilege Escalation' ,
101+ (8 , 5 ): 'File and Directory Permissions Modification' ,
102+ (8 , 6 ): 'Forced Authentication' ,
103+ (8 , 8 ): 'Network Share Discovery' ,
104+ (8 , 9 ): 'Software Deployment Tools' ,
105+ (8 , 10 ): 'Data from Network Shared Drive' ,
106+ (8 , 11 ): 'Fallback Channels' ,
107+ (8 , 12 ): 'Exfiltration Over Web Service' ,
108+ (8 , 13 ): 'Endpoint Denial of Service' ,
109+ (9 , 1 ): 'Trusted Relationship' ,
110+ (9 , 2 ): 'System Services' ,
111+ (9 , 3 ): 'Create or Modify System Process' ,
112+ (9 , 4 ): 'Group Policy Modification' ,
113+ (9 , 5 ): 'Group Policy Modification' ,
114+ (9 , 6 ): 'Input Capture' ,
115+ (9 , 8 ): 'Network Sniffing' ,
116+ (9 , 9 ): 'Taint Shared Content' ,
117+ (9 , 10 ): 'Data from Removable Media' ,
118+ (9 , 11 ): 'Ingress Tool Transfer' ,
119+ (9 , 12 ): 'Scheduled Transfer' ,
120+ (9 , 13 ): 'Firmware Corruption' ,
121+ (10 , 1 ): 'Valid Accounts' ,
122+ (10 , 2 ): 'User Execution' ,
123+ (10 , 3 ): 'Event Triggered Execution' ,
124+ (10 , 4 ): 'Hijack Execution Flow' ,
125+ (10 , 5 ): 'Hide Artifacts' ,
126+ (10 , 6 ): 'Man-in-the-Middle' ,
127+ (10 , 8 ): 'Password Policy Discovery' ,
128+ (10 , 9 ): 'Use Alternate Authentication Material' ,
129+ (10 , 10 ): 'Data Staged' ,
130+ (10 , 11 ): 'Multi-Stage Channels' ,
131+ (10 , 13 ): 'Inhibit System Recovery' ,
132+ (11 , 2 ): 'Windows Management Instrumentation' ,
133+ (11 , 3 ): 'External Remote Services' ,
134+ (11 , 4 ): 'Process Injection' ,
135+ (11 , 5 ): 'Hijack Execution Flow' ,
136+ (11 , 6 ): 'Modify Authentication Process' ,
137+ (11 , 8 ): 'Peripheral Device Discovery' ,
138+ (11 , 10 ): 'Email Collection' ,
139+ (11 , 11 ): 'Non-Application Layer Protocol' ,
140+ (11 , 13 ): 'Network Denial of Service' ,
141+ (12 , 3 ): 'Hijack Execution Flow' ,
142+ (12 , 4 ): 'Scheduled Task/Job' ,
143+ (12 , 5 ): 'Impair Defenses' ,
144+ (12 , 6 ): 'Network Sniffing' ,
145+ (12 , 8 ): 'Permission Groups Discovery' ,
146+ (12 , 10 ): 'Input Capture' ,
147+ (12 , 11 ): 'Non-Standard Port' ,
148+ (12 , 13 ): 'Resource Hijacking' ,
149+ (13 , 3 ): 'Office Application Startup' ,
150+ (13 , 4 ): 'Valid Accounts' ,
151+ (13 , 5 ): 'Indicator Removal on Host' ,
152+ (13 , 6 ): 'OS Credential Dumping' ,
153+ (13 , 8 ): 'Process Discovery' ,
154+ (13 , 10 ): 'Man in the Browser' ,
155+ (13 , 11 ): 'Protocol Tunneling' ,
156+ (13 , 13 ): 'Service Stop' ,
157+ (14 , 3 ): 'Pre-OS Boot' ,
158+ (14 , 5 ): 'Indirect Command Execution' ,
159+ (14 , 6 ): 'Steal or Forge Kerberos Tickets' ,
160+ (14 , 8 ): 'Query Registry' ,
161+ (14 , 10 ): 'Man-in-the-Middle' ,
162+ (14 , 11 ): 'Proxy' ,
163+ (14 , 13 ): 'System Shutdown/Reboot' ,
164+ (15 , 3 ): 'Scheduled Task/Job' ,
165+ (15 , 5 ): 'Masquerading' ,
166+ (15 , 6 ): 'Steal Web Session Cookie' ,
167+ (15 , 8 ): 'Remote System Discovery' ,
168+ (15 , 10 ): 'Screen Capture' ,
169+ (15 , 11 ): 'Remote Access Software' ,
170+ (16 , 3 ): 'Server Software Component' ,
171+ (16 , 5 ): 'Modify Authentication Process' ,
172+ (16 , 6 ): 'Two-Factor Authentication Interception' ,
173+ (16 , 8 ): 'Software Discovery' ,
174+ (16 , 10 ): 'Video Capture' ,
175+ (16 , 11 ): 'Traffic Signaling' ,
176+ (17 , 3 ): 'Traffic Signaling' ,
177+ (17 , 5 ): 'Modify Registry' ,
178+ (17 , 6 ): 'Unsecured Credentials' ,
179+ (17 , 8 ): 'System Information Discovery' ,
180+ (17 , 11 ): 'Web Service' ,
181+ (18 , 3 ): 'Valid Accounts' ,
182+ (18 , 5 ): 'Obfuscated Files or Information' ,
183+ (18 , 8 ): 'System Network Configuration Discovery' ,
184+ (19 , 5 ): 'Pre-OS Boot' ,
185+ (19 , 8 ): 'System Network Connections Discovery' ,
186+ (20 , 5 ): 'Process Injection' ,
187+ (20 , 8 ): 'System Owner/User Discovery' ,
188+ (21 , 5 ): 'Rogue Domain Controller' ,
189+ (21 , 8 ): 'System Service Discovery' ,
190+ (22 , 5 ): 'Rootkit' ,
191+ (22 , 8 ): 'System Time Discovery' ,
192+ (23 , 5 ): 'Signed Binary Proxy Execution' ,
193+ (24 , 5 ): 'Signed Script Proxy Execution' ,
194+ (25 , 5 ): 'Subvert Trust Controls' ,
195+ (26 , 5 ): 'Template Injection' ,
196+ (27 , 5 ): 'Traffic Signaling' ,
197+ (28 , 5 ): 'Trusted Developer Utilities Proxy Execution' ,
198+ (29 , 5 ): 'Use Alternate Authentication Material' ,
199+ (30 , 5 ): 'Valid Accounts' ,
200+ (31 , 5 ): 'Virtualization/Sandbox Evasion' ,
201+ (32 , 5 ): 'XSL Script Processing' ,
202+ (33 , 5 ): 'Access Token Manipulation' }
203+ mobile_template = {(1 , 1 ): 'Initial Access' ,
204+ (1 , 2 ): 'Execution' ,
205+ (1 , 3 ): 'Persistence' ,
206+ (1 , 4 ): 'Privilege Escalation' ,
207+ (1 , 5 ): 'Defense Evasion' ,
208+ (1 , 6 ): 'Credential Access' ,
209+ (1 , 7 ): 'Discovery' ,
210+ (1 , 8 ): 'Lateral Movement' ,
211+ (1 , 9 ): 'Collection' ,
212+ (1 , 10 ): 'Command and Control' ,
213+ (1 , 11 ): 'Exfiltration' ,
214+ (1 , 12 ): 'Impact' ,
215+ (2 , 1 ): 'Deliver Malicious App via Authorized App Store' ,
216+ (2 , 2 ): 'Broadcast Receivers' ,
217+ (2 , 3 ): 'Abuse Device Administrator Access to Prevent Removal' ,
218+ (2 , 4 ): 'Code Injection' ,
219+ (2 , 5 ): 'Application Discovery' ,
220+ (2 , 6 ): 'Access Notifications' ,
221+ (2 , 7 ): 'Application Discovery' ,
222+ (2 , 8 ): 'Attack PC via USB Connection' ,
223+ (2 , 9 ): 'Access Calendar Entries' ,
224+ (2 , 10 ): 'Alternate Network Mediums' ,
225+ (2 , 11 ): 'Alternate Network Mediums' ,
226+ (2 , 12 ): 'Carrier Billing Fraud' ,
227+ (3 , 1 ): 'Deliver Malicious App via Other Means' ,
228+ (3 , 2 ): 'Native Code' ,
229+ (3 , 3 ): 'Broadcast Receivers' ,
230+ (3 , 4 ): 'Exploit OS Vulnerability' ,
231+ (3 , 5 ): 'Code Injection' ,
232+ (3 , 6 ): 'Access Sensitive Data in Device Logs' ,
233+ (3 , 7 ): 'Evade Analysis Environment' ,
234+ (3 , 8 ): 'Exploit Enterprise Resources' ,
235+ (3 , 9 ): 'Access Call Log' ,
236+ (3 , 10 ): 'Commonly Used Port' ,
237+ (3 , 11 ): 'Commonly Used Port' ,
238+ (3 , 12 ): 'Clipboard Modification' ,
239+ (4 , 1 ): 'Drive-by Compromise' ,
240+ (4 , 3 ): 'Code Injection' ,
241+ (4 , 4 ): 'Exploit TEE Vulnerability' ,
242+ (4 , 5 ): 'Device Lockout' ,
243+ (4 , 6 ): 'Access Stored Application Data' ,
244+ (4 , 7 ): 'File and Directory Discovery' ,
245+ (4 , 9 ): 'Access Contact List' ,
246+ (4 , 10 ): 'Domain Generation Algorithms' ,
247+ (4 , 11 ): 'Data Encrypted' ,
248+ (4 , 12 ): 'Data Encrypted for Impact' ,
249+ (5 , 1 ): 'Exploit via Charging Station or PC' ,
250+ (5 , 3 ): 'Compromise Application Executable' ,
251+ (5 , 5 ): 'Disguise Root/Jailbreak Indicators' ,
252+ (5 , 6 ): 'Android Intent Hijacking' ,
253+ (5 , 7 ): 'Location Tracking' ,
254+ (5 , 9 ): 'Access Notifications' ,
255+ (5 , 10 ): 'Remote File Copy' ,
256+ (5 , 11 ): 'Standard Application Layer Protocol' ,
257+ (5 , 12 ): 'Delete Device Data' ,
258+ (6 , 1 ): 'Exploit via Radio Interfaces' ,
259+ (6 , 3 ): 'Foreground Persistence' ,
260+ (6 , 5 ): 'Download New Code at Runtime' ,
261+ (6 , 6 ): 'Capture Clipboard Data' ,
262+ (6 , 7 ): 'Network Service Scanning' ,
263+ (6 , 9 ): 'Access Sensitive Data in Device Logs' ,
264+ (6 , 10 ): 'Standard Application Layer Protocol' ,
265+ (6 , 12 ): 'Device Lockout' ,
266+ (7 , 1 ): 'Install Insecure or Malicious Configuration' ,
267+ (7 , 3 ): 'Modify Cached Executable Code' ,
268+ (7 , 5 ): 'Evade Analysis Environment' ,
269+ (7 , 6 ): 'Capture SMS Messages' ,
270+ (7 , 7 ): 'Process Discovery' ,
271+ (7 , 9 ): 'Access Stored Application Data' ,
272+ (7 , 10 ): 'Standard Cryptographic Protocol' ,
273+ (7 , 12 ): 'Generate Fraudulent Advertising Revenue' ,
274+ (8 , 1 ): 'Lockscreen Bypass' ,
275+ (8 , 3 ): 'Modify OS Kernel or Boot Partition' ,
276+ (8 , 5 ): 'Input Injection' ,
277+ (8 , 6 ): 'Exploit TEE Vulnerability' ,
278+ (8 , 7 ): 'System Information Discovery' ,
279+ (8 , 9 ): 'Capture Audio' ,
280+ (8 , 10 ): 'Uncommonly Used Port' ,
281+ (8 , 12 ): 'Input Injection' ,
282+ (9 , 1 ): 'Masquerade as Legitimate Application' ,
283+ (9 , 3 ): 'Modify System Partition' ,
284+ (9 , 5 ): 'Install Insecure or Malicious Configuration' ,
285+ (9 , 6 ): 'Input Capture' ,
286+ (9 , 7 ): 'System Network Configuration Discovery' ,
287+ (9 , 9 ): 'Capture Camera' ,
288+ (9 , 10 ): 'Web Service' ,
289+ (9 , 12 ): 'Manipulate App Store Rankings or Ratings' ,
290+ (10 , 1 ): 'Supply Chain Compromise' ,
291+ (10 , 3 ): 'Modify Trusted Execution Environment' ,
292+ (10 , 5 ): 'Kill Switch' ,
293+ (10 , 6 ): 'Input Prompt' ,
294+ (10 , 7 ): 'System Network Connections Discovery' ,
295+ (10 , 9 ): 'Capture Clipboard Data' ,
296+ (10 , 12 ): 'Modify System Partition' ,
297+ (11 , 5 ): 'Masquerade as Legitimate Application' ,
298+ (11 , 6 ): 'Network Traffic Capture or Redirection' ,
299+ (11 , 9 ): 'Capture SMS Messages' ,
300+ (12 , 5 ): 'Modify OS Kernel or Boot Partition' ,
301+ (12 , 6 ): 'URL Scheme Hijacking' ,
302+ (12 , 9 ): 'Data from Local System' ,
303+ (13 , 5 ): 'Modify System Partition' ,
304+ (13 , 9 ): 'Foreground Persistence' ,
305+ (14 , 5 ): 'Modify Trusted Execution Environment' ,
306+ (14 , 9 ): 'Input Capture' ,
307+ (15 , 5 ): 'Native Code' ,
308+ (15 , 9 ): 'Location Tracking' ,
309+ (16 , 5 ): 'Obfuscated Files or Information' ,
310+ (16 , 9 ): 'Network Information Discovery' ,
311+ (17 , 5 ): 'Suppress Application Icon' ,
312+ (17 , 9 ): 'Network Traffic Capture or Redirection' ,
313+ (18 , 9 ): 'Screen Capture' }
314+
315+ def __init__ (self , mode = 'enterprise' ):
316+ if mode in ['enterprise' , 'mobile' ]:
317+ self .mode = mode
318+ else :
319+ raise BadTemplateException
320+
321+ def _build_raw (self ):
322+ template = self .mobile_template
323+ if self .mode == 'enterprise' :
324+ template = self .enterprise_template
325+ wb = openpyxl .Workbook ()
326+
327+ sheet = wb .active
328+
329+ header_template_f = Font (name = 'Calibri' , bold = True )
330+ header_template_a = Alignment (horizontal = 'center' , vertical = 'bottom' )
331+ header_template_b = Border (bottom = Side (border_style = 'thin' ))
332+ header_template_c = PatternFill (patternType = 'solid' , start_color = 'DDDDDD' , end_color = 'DDDDDD' )
333+
334+ for entry in template :
335+ c = sheet .cell (row = entry [0 ], column = entry [1 ])
336+ c .value = template [entry ]
337+ if entry [0 ] == 1 :
338+ c .font = header_template_f
339+ c .alignment = header_template_a
340+ c .border = header_template_b
341+ c .fill = header_template_c
342+
343+ ## patch widths
344+ dims = {}
345+ sheet_handle = wb .active
346+ for row in sheet_handle :
347+ for cell in row :
348+ if cell .value :
349+ dims [cell .column_letter ] = max ((dims .get (cell .column_letter , 0 ), len (str (cell .value ))))
350+ for col , value in dims .items ():
351+ sheet_handle .column_dimensions [col ].width = value
352+ return wb
353+
354+
355+ def export (self ):
356+ wb = self ._build_raw ()
357+ if self .mode == 'enterprise' :
358+ sheet_handle = wb .active
359+ sheet_handle .merge_cells ('F2:F5' )
360+
361+ adjust = sheet_handle .cell (row = 2 , column = 6 )
362+ adjust .alignment = Alignment (vertical = 'top' )
363+ return wb
364+ else :
365+ return wb
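Review bot: `BadTemplateException` is declared with `def` rather than as an exception class, so the `raise BadTemplateException` in `excel_templates.__init__` fails with `TypeError: exceptions must derive from BaseException` instead of the intended exception whenever `mode` is neither 'enterprise' nor 'mobile'. Callers that `except BadTemplateException` around construction will therefore never catch the validation failure, and the unused `exception` parameter on the `def` suggests a class was meant. Change the definition to `class BadTemplateException(Exception): pass` and the raise to `raise BadTemplateException(f"unknown template mode: {mode!r}")` so the rejected value is reported in the error. The rest of the template data and the `_build_raw`/`export` logic is unaffected by this fix.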