# RAG - AutoGen and ATT&CK Groups
---
* Collaborators:
    * Roberto Rodriguez (@Cyb3rWard0g)
* References:
    * https://github.com/microsoft/autogen/blob/main/notebook/agentchat_RetrieveChat.ipynb

## Import Modules

In [1]:
import autogen
from dotenv import load_dotenv
import os

## Define Initial Variables

In [2]:
current_directory = os.path.dirname("__file__")
chroma_db = os.path.join(current_directory, "../source-knowledge/chroma_db")

## Set Up API Endpoint

In [3]:
# Get your key: https://platform.openai.com/account/api-keys
load_dotenv()

# Set up AutoGen config list
config_list = autogen.config_list_from_models(
    model_list=["gpt-4", "gpt-3.5-turbo"]
)

# Set up LLM Config
llm_config = {
    "request_timeout" : 600,
    "seed" : 42,
    "config_list" : config_list,
    "temperature" : 0
}

## Construct agents for RetrieveChat

In [4]:
from autogen.agentchat.contrib.retrieve_assistant_agent import RetrieveAssistantAgent
from autogen.agentchat.contrib.retrieve_user_proxy_agent import RetrieveUserProxyAgent
import chromadb

autogen.ChatCompletion.start_logging()

### Create the RetrieveAssistantAgent

In [5]:
assistant = RetrieveAssistantAgent(
    name="assistant", 
    system_message="You are a helpful assistant.",
    llm_config=llm_config,
)

### Create the RetrieveUserProxyAgent

In [6]:
ragproxyagent = RetrieveUserProxyAgent(
    name="ragproxyagent",
    human_input_mode="NEVER",
    max_consecutive_auto_reply=5,
    retrieve_config={
        "task": "qa",
        "collection_name": "groups_collection",
        "model": config_list[0]["model"],
        "client": chromadb.PersistentClient(path=chroma_db),
        "embedding_model": "all-mpnet-base-v2", #Sentence-transformers model
    },
)

## Query ATT&CK Groups Knowledge Base

In [7]:
qa_problem = "Describe the ATT&CK Group CURIUM"
ragproxyagent.initiate_chat(assistant, problem=qa_problem)

  from .autonotebook import tqdm as notebook_tqdm


doc_ids:  [['50b52dc3-6c5f-11ee-a92e-6479f0659de9', '50b5070b-6c5f-11ee-95d5-6479f0659de9', '50b50711-6c5f-11ee-8573-6479f0659de9', '50b507a0-6c5f-11ee-a94c-6479f0659de9', '50b5075b-6c5f-11ee-8a2d-6479f0659de9', '50b52df5-6c5f-11ee-b1f9-6479f0659de9', '50b507a2-6c5f-11ee-80fb-6479f0659de9', '50b50705-6c5f-11ee-8831-6479f0659de9', '50b52dbe-6c5f-11ee-bce4-6479f0659de9', '50b507a1-6c5f-11ee-a264-6479f0659de9', '50b52dc4-6c5f-11ee-bbb2-6479f0659de9', '50b507a4-6c5f-11ee-b040-6479f0659de9', '50b52d89-6c5f-11ee-a906-6479f0659de9', '50b506cb-6c5f-11ee-a5d7-6479f0659de9', '50b50761-6c5f-11ee-9e87-6479f0659de9', '50b50762-6c5f-11ee-9ac7-6479f0659de9', '50b50707-6c5f-11ee-a422-6479f0659de9', '50b52dc2-6c5f-11ee-b170-6479f0659de9', '50b5075c-6c5f-11ee-bc89-6479f0659de9', '50b50708-6c5f-11ee-baaa-6479f0659de9']]
[32mAdding doc_id 50b52dc3-6c5f-11ee-a92e-6479f0659de9 to context.[0m
[32mAdding doc_id 50b5070b-6c5f-11ee-95d5-6479f0659de9 to context.[0m
[32mAdding doc_id 50b50711-6c5f-11ee-8573-


--------------------------------------------------------------------------------
[33massistant[0m (to ragproxyagent):

CURIUM is an Iranian threat group first reported in November 2021. They build relationships with potential targets via social media over months to establish trust before sending malware. They have demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to lower their security consciousness. They have used techniques such as exfiltrating data from a compromised machine, using social media to deliver malicious files to victims, and luring users into opening malicious files delivered via social media.

--------------------------------------------------------------------------------


In [8]:
# reset the assistant. Always reset the assistant before starting a new conversation.
assistant.reset()

qa_problem = "List the most used Phishing techniques across all threat actors"
ragproxyagent.initiate_chat(assistant, problem=qa_problem)

doc_ids:  [['50b507ca-6c5f-11ee-9f30-6479f0659de9', '50b50778-6c5f-11ee-b752-6479f0659de9', '50b506f1-6c5f-11ee-909b-6479f0659de9', '50b5073b-6c5f-11ee-a971-6479f0659de9', '50b50779-6c5f-11ee-a428-6479f0659de9', '50b507a2-6c5f-11ee-80fb-6479f0659de9', '50b52dbc-6c5f-11ee-ab0e-6479f0659de9', '50b52d94-6c5f-11ee-a52f-6479f0659de9', '50b50743-6c5f-11ee-aaa3-6479f0659de9', '50b5074b-6c5f-11ee-b4b7-6479f0659de9', '50b52dcd-6c5f-11ee-84e2-6479f0659de9', '50b52dfd-6c5f-11ee-a5d4-6479f0659de9', '50b506fb-6c5f-11ee-9003-6479f0659de9', '50b50734-6c5f-11ee-bfff-6479f0659de9', '50b507cb-6c5f-11ee-a84c-6479f0659de9', '50b50738-6c5f-11ee-81b0-6479f0659de9', '50b50736-6c5f-11ee-8d9b-6479f0659de9', '50b50742-6c5f-11ee-bf76-6479f0659de9', '50b507e3-6c5f-11ee-bba3-6479f0659de9', '50b52d90-6c5f-11ee-8013-6479f0659de9']]
[32mAdding doc_id 50b507ca-6c5f-11ee-9f30-6479f0659de9 to context.[0m
[32mAdding doc_id 50b50778-6c5f-11ee-b752-6479f0659de9 to context.[0m
[32mAdding doc_id 50b506f1-6c5f-11ee-909b-


--------------------------------------------------------------------------------
[33massistant[0m (to ragproxyagent):

The most used phishing techniques across all threat actors include:

1. Luring victims into opening malicious email attachments.
2. Creating fake social media accounts to contact targets and convince them to open malicious links.
3. Using compromised domains to host phishing links.
4. Registering fraudulent domains to target specific victims.
5. Using SMS and email messages with links designed to steal credentials or track victims.
6. Compromising email credentials to steal sensitive data.
7. Identifying specific potential victims at targeted organizations.
8. Using spearphishing emails with malicious attachments or links.
9. Using social engineering via social media platforms for spearphishing.
10. Compromising servers to stage malicious tools.
11. Using malicious payloads hosted on cloud storage.
12. Compromising software supply chain to gain access to victim's en