from attackcti import attack_client
import pandas  # bind the module name explicitly; the original star import only exposed it by accident
from pandas.io.json import json_normalize  # location in pandas 0.23; newer releases expose it as pandas.json_normalize
pandas.__version__
'0.23.4'
lift = attack_client()
Collect ALL Enterprise ATT&CK (TAXII)
all_enterprise = lift.get_all_enterprise()
Collect ALL PRE-ATT&CK (TAXII)
all_pre = lift.get_all_pre()
Collect ALL Mobile ATT&CK (TAXII)
all_mobile = lift.get_all_mobile()
Collect ALL (runs all three functions above and merges their results)
The get_all_stix_objects() function returns a dictionary with all the stix object types from all matrices:
all_attack = lift.get_all_stix_objects()
type(all_attack)
dict
print("Number of Techniques in ATT&CK")
print(len(all_attack['techniques']))
techniques = all_attack['techniques']
df = json_normalize(techniques)
df.reindex(['matrix', 'created','tactic', 'technique', 'technique_id', 'data_sources'], axis=1)[0:5]
Number of Techniques in ATT&CK 478
| | matrix | created | tactic | technique | technique_id | data_sources |
---|---|---|---|---|---|---|
0 | mitre-attack | 2018-10-17 00:14:20.652000+00:00 | [defense-evasion] | File Permissions Modification | T1222 | [File monitoring, Process monitoring, Process ... |
1 | mitre-attack | 2018-10-17 00:14:20.652000+00:00 | [defense-evasion, execution] | XSL Script Processing | T1220 | [Process monitoring, Process command-line para... |
2 | mitre-attack | 2018-10-17 00:14:20.652000+00:00 | [defense-evasion, execution] | Compiled HTML File | T1223 | [File monitoring, Process monitoring, Process ... |
3 | mitre-attack | 2018-10-17 00:14:20.652000+00:00 | [defense-evasion] | Template Injection | T1221 | [Anti-virus, Email gateway, Network intrusion ... |
4 | mitre-attack | 2018-04-18 17:59:24.739000+00:00 | [defense-evasion, persistence] | BITS Jobs | T1197 | [API monitoring, Packet capture, Windows event... |
len(df.loc[df['matrix'] == 'mitre-attack'])
223
Showing the schema of Techniques
This schema covers techniques from Enterprise, PRE and Mobile ATT&CK
list(df)
['capec_id', 'capec_url', 'contributors', 'created', 'created_by_ref', 'data_sources', 'defense_bypassed', 'detectable_by_common_defenses', 'detectable_explanation', 'difficulty_explanation', 'difficulty_for_adversary', 'effective_permissions', 'id', 'matrix', 'modified', 'network_requirements', 'object_marking_refs', 'permissions_required', 'platform', 'remote_support', 'system_requirements', 'tactic', 'tactic_type', 'technique', 'technique_description', 'technique_detection', 'technique_id', 'technique_references', 'type', 'url']
Showing one technique example
techniques[0]
{'type': 'attack-pattern', 'id': 'attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'created': '2018-10-17 00:14:20.652000+00:00', 'modified': '2018-10-31 13:45:13.024000+00:00', 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'url': 'https://attack.mitre.org/techniques/T1222', 'matrix': 'mitre-attack', 'technique': 'File Permissions Modification', 'technique_description': "File permissions are commonly managed by discretionary access control lists (DACLs) specified by the file owner. File DACL implementation may vary by platform, but generally explicitly designate which users/groups can perform which actions (ex: read, write, execute, etc.). (Citation: Microsoft DACL May 2018) (Citation: Microsoft File Rights May 2018) (Citation: Unix File Permissions)\n\nAdversaries may modify file permissions/attributes to evade intended DACLs. (Citation: Hybrid Analysis Icacls1 June 2018) (Citation: Hybrid Analysis Icacls2 May 2018) Modifications may include changing specific access rights, which may require taking ownership of a file and/or elevated permissions such as Administrator/root depending on the file's existing permissions to enable malicious activity such as modifying, replacing, or deleting specific files. 
Specific file modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1015), [Logon Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files.", 'technique_detection': 'Monitor and investigate attempts to modify DACLs and file ownership, such as use of icacls (Citation: Microsoft icacls OCT 2017), takeown (Citation: Microsoft takeown OCT 2017), attrib (Citation: Microsoft attrib OCT 2017), and [PowerShell](https://attack.mitre.org/techniques/T1086) Set-Acl (Citation: Microsoft SetAcl) in Windows and chmod (Citation: Linux chmod)/chown (Citation: Linux chown) in macOS/Linux. Many of these are built-in system utilities and may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\n\nConsider enabling file permission change auditing on folders containing key binary/configuration files. Windows Security Log events (Event ID 4670) are used when DACLs are modified. 
(Citation: EventTracker File Permissions Feb 2014)', 'tactic': ['defense-evasion'], 'technique_id': 'T1222', 'capec_id': None, 'capec_url': None, 'platform': ['Linux', 'Windows', 'macOS'], 'data_sources': ['File monitoring', 'Process monitoring', 'Process command-line parameters', 'Windows event logs'], 'defense_bypassed': ['File system access controls'], 'permissions_required': ['User', 'Administrator', 'SYSTEM', 'root'], 'effective_permissions': None, 'system_requirements': None, 'network_requirements': None, 'remote_support': None, 'contributors': ['Jan Miller, CrowdStrike'], 'technique_references': ['https://attack.mitre.org/techniques/T1222', 'https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces', 'https://docs.microsoft.com/windows/desktop/fileio/file-security-and-access-rights', 'https://www.tutorialspoint.com/unix/unix-file-permission.htm', 'https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100', 'https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110', 'https://docs.microsoft.com/windows-server/administration/windows-commands/icacls', 'https://docs.microsoft.com/windows-server/administration/windows-commands/attrib', 'https://linux.die.net/man/1/chmod', 'https://linux.die.net/man/1/chown', 'https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/', 'https://docs.microsoft.com/windows-server/administration/windows-commands/takeown', 'https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-acl'], 'detectable_by_common_defenses': None, 'detectable_explanation': None, 'difficulty_for_adversary': None, 'difficulty_explanation': None, 'tactic_type': None}
print("Number of Mitigations in ATT&CK")
print(len(all_attack['mitigations']))
mitigations = all_attack['mitigations']
df = json_normalize(mitigations)
df.reindex(['matrix','mitigation', 'mitigation_description','url'], axis=1)[0:5]
Number of Mitigations in ATT&CK 236
| | matrix | mitigation | mitigation_description | url |
---|---|---|---|---|
0 | mitre-attack | Account Manipulation Mitigation | Use multifactor authentication. Follow guideli... | https://attack.mitre.org/techniques/T1098 |
1 | mitre-attack | Application Shimming Mitigation | There currently aren't a lot of ways to mitiga... | https://attack.mitre.org/techniques/T1138 |
2 | mitre-attack | Automated Exfiltration Mitigation | Identify unnecessary system utilities, scripts... | https://attack.mitre.org/techniques/T1020 |
3 | mitre-attack | Browser Bookmark Discovery Mitigation | File system activity is a common part of an op... | https://attack.mitre.org/techniques/T1217 |
4 | mitre-attack | Change Default File Association Mitigation | Direct mitigation of this technique is not rec... | https://attack.mitre.org/techniques/T1042 |
Showing the schema of Mitigations
list(df)
['created', 'created_by_ref', 'id', 'matrix', 'mitigation', 'mitigation_description', 'mitigation_references', 'modified', 'technique_id', 'type', 'url']
Showing one Mitigation example
mitigations[0]
{'type': 'course-of-action', 'id': 'course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774beef6425', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'created': '2018-10-17 00:14:20.652000+00:00', 'modified': '2018-10-17 00:14:20.652000+00:00', 'matrix': 'mitre-attack', 'url': 'https://attack.mitre.org/techniques/T1098', 'mitigation': 'Account Manipulation Mitigation', 'mitigation_description': 'Use multifactor authentication. Follow guidelines to prevent or limit adversary access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n\nProtect domain controllers by ensuring proper security configuration for critical servers. Configure access controls and firewalls to limit access to these systems. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.', 'technique_id': 'T1098', 'mitigation_references': ['https://attack.mitre.org/techniques/T1098']}
print("Number of Groups in ATT&CK")
print(len(all_attack['groups']))
groups = all_attack['groups']
df = json_normalize(groups)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]
Number of Groups in ATT&CK 80
| | matrix | group | group_aliases | group_id | group_description |
---|---|---|---|---|---|
0 | mitre-attack | Honeybee | [Honeybee] | G0072 | [Honeybee](https://attack.mitre.org/groups/G00... |
1 | mitre-attack | Orangeworm | [Orangeworm] | G0071 | [Orangeworm](https://attack.mitre.org/groups/G... |
2 | mitre-attack | APT19 | [APT19, Codoso, C0d0so0, Codoso Team, Sunshop ... | G0073 | [APT19](https://attack.mitre.org/groups/G0073)... |
3 | mitre-attack | Cobalt Group | [Cobalt Group, Cobalt Gang, Cobalt Spider] | G0080 | [Cobalt Group](https://attack.mitre.org/groups... |
4 | mitre-attack | Thrip | [Thrip] | G0076 | [Thrip](https://attack.mitre.org/groups/G0076)... |
Showing the schema of Groups
list(df)
['created', 'created_by_ref', 'group', 'group_aliases', 'group_description', 'group_id', 'group_references', 'id', 'matrix', 'modified', 'type', 'url']
Showing one Group example
groups[0]
{'type': 'intrusion-set', 'id': 'intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'matrix': 'mitre-attack', 'created': '2018-10-17 00:14:20.652000+00:00', 'modified': '2018-10-17 00:14:20.652000+00:00', 'url': 'https://attack.mitre.org/groups/G0072', 'group': 'Honeybee', 'group_description': '[Honeybee](https://attack.mitre.org/groups/G0072) is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japans, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018. (Citation: McAfee Honeybee)', 'group_aliases': ['Honeybee'], 'group_id': 'G0072', 'group_references': ['https://attack.mitre.org/groups/G0072', 'Honeybee', 'https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/']}
print("Number of Malware in ATT&CK")
print(len(all_attack['malware']))
malware = all_attack['malware']
df = json_normalize(malware)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]
Number of Malware in ATT&CK 281
| | matrix | software | software_labels | software_id | software_description |
---|---|---|---|---|---|
0 | mitre-attack | Bandook | [malware] | S0234 | [Bandook](https://attack.mitre.org/software/S0... |
1 | mitre-attack | CrossRAT | [malware] | S0235 | [CrossRAT](https://attack.mitre.org/software/S... |
2 | mitre-attack | DealersChoice | [malware] | S0243 | [DealersChoice](https://attack.mitre.org/softw... |
3 | mitre-attack | FELIXROOT | [malware] | S0267 | [FELIXROOT](https://attack.mitre.org/software/... |
4 | mitre-attack | KEYMARBLE | [malware] | S0271 | [KEYMARBLE](https://attack.mitre.org/software/... |
Showing the schema of Malware
list(df)
['created', 'created_by_ref', 'id', 'matrix', 'modified', 'software', 'software_aliases', 'software_description', 'software_id', 'software_labels', 'software_platform', 'software_references', 'type', 'url']
Showing one Malware example
malware[0]
{'type': 'malware', 'id': 'malware--835a79f1-842d-472d-b8f4-d54b545c341b', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'created': '2018-10-17 00:14:20.652000+00:00', 'modified': '2018-10-17 00:14:20.652000+00:00', 'matrix': 'mitre-attack', 'software': 'Bandook', 'software_description': '[Bandook](https://attack.mitre.org/software/S0234) is a commercially available RAT, written in Delphi, which has been available since roughly 2007 (Citation: EFF Manul Aug 2016) (Citation: Lookout Dark Caracal Jan 2018).', 'software_labels': ['malware'], 'software_id': 'S0234', 'url': 'https://attack.mitre.org/software/S0234', 'software_aliases': ['Bandook'], 'software_references': ['https://attack.mitre.org/software/S0234', 'https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf', 'https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf'], 'software_platform': ['Windows']}
print("Number of Tools in ATT&CK")
print(len(all_attack['tools']))
tools = all_attack['tools']
df = json_normalize(tools)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]
Number of Tools in ATT&CK 48
| | matrix | software | software_labels | software_id | software_description |
---|---|---|---|---|---|
0 | mitre-attack | Koadic | [tool] | S0250 | [Koadic](https://attack.mitre.org/software/S02... |
1 | mitre-attack | QuasarRAT | [tool] | S0262 | [QuasarRAT](https://attack.mitre.org/software/... |
2 | mitre-attack | Invoke-PSImage | [tool] | S0231 | [Invoke-PSImage](https://attack.mitre.org/soft... |
3 | mitre-attack | Pupy | [tool] | S0192 | [Pupy](https://attack.mitre.org/software/S0192... |
4 | mitre-attack | Winexe | [tool] | S0191 | [Winexe](https://attack.mitre.org/software/S01... |
Showing the schema of Tools
list(df)
['created', 'created_by_ref', 'id', 'matrix', 'modified', 'software', 'software_aliases', 'software_description', 'software_id', 'software_labels', 'software_platform', 'software_references', 'type', 'url']
Showing one Tool example
tools[0]
{'type': 'tool', 'id': 'tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'created': '2018-10-17 00:14:20.652000+00:00', 'modified': '2018-10-17 00:14:20.652000+00:00', 'matrix': 'mitre-attack', 'software': 'Koadic', 'software_description': '[Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool. [Koadic](https://attack.mitre.org/software/S0250) is publicly available on GitHub and the tool is executed via the command-line. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants. [Koadic](https://attack.mitre.org/software/S0250) performs most of its operations using Windows Script Host. (Citation: Github Koadic) (Citation: Palo Alto Sofacy 06-2018)', 'software_labels': ['tool'], 'software_id': 'S0250', 'url': 'https://attack.mitre.org/software/S0250', 'software_aliases': ['Koadic'], 'software_references': ['https://attack.mitre.org/software/S0250', 'Koadic', 'https://github.com/zerosum0x0/koadic', 'https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/'], 'software_platform': ['Windows']}
print("Number of Relationships in ATT&CK")
print(len(all_attack['relationships']))
relationships = all_attack['relationships']
df = json_normalize(relationships)
df.reindex(['id','relationship', 'source_object', 'target_object'], axis=1)[0:5]
Number of Relationships in ATT&CK 4092
| | id | relationship | source_object | target_object |
---|---|---|---|---|
0 | relationship--322703cc-c8f9-4046-8a61-e165a2d1... | uses | intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e99... | attack-pattern--707399d6-ab3e-4963-9315-d9d381... |
1 | relationship--1ba59a68-1883-492d-8cd8-f22656eb... | uses | intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8... | attack-pattern--1608f3e1-598a-42f4-a01a-2e252e... |
2 | relationship--40032198-f003-4171-92a0-faf038f6... | uses | intrusion-set--247cb30b-955f-42eb-97a5-a89fef6... | attack-pattern--03d7999c-1f4c-42cc-8373-e7690d... |
3 | relationship--70d1a246-4ff2-452d-babf-ed47bccb... | uses | intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d246... | attack-pattern--f4882e23-8aa7-4b12-b28a-b349c1... |
4 | relationship--2db02b07-4dd3-4810-9103-1f8d7bd4... | uses | intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769... | attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf... |
Showing the schema of Relationships
list(df)
['created', 'created_by_ref', 'id', 'modified', 'relationship', 'relationship_description', 'source_object', 'target_object', 'type']
Showing one Relationship example
relationships[0]
{'type': 'relationship', 'id': 'relationship--322703cc-c8f9-4046-8a61-e165a2d11bc7', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'created': '2018-10-17 00:14:20.652000+00:00', 'modified': '2018-10-17 00:14:20.652000+00:00', 'relationship': 'uses', 'relationship_description': '[APT19](https://attack.mitre.org/groups/G0073) used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine.', 'source_object': 'intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6', 'target_object': 'attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0'}
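The `groups`, `techniques` and `relationships` lists returned by `get_all_stix_objects()` join through the relationship objects: `source_object` and `target_object` hold STIX ids that match the `id` field of a group or technique. The following is an added example, not code from the original notebook or from the attackcti project; it uses that join to list the techniques each group uses and to tally which data sources cover the most techniques. The objects are constructed samples with placeholder STIX ids that follow the schemas shown above, and `group_visibility` is a metric defined here for illustration only.

```python
from collections import Counter, defaultdict

# Constructed sample data shaped like the attackcti dictionaries above (same keys as
# the techniques, groups and relationships schemas). STIX ids are placeholders.
SAMPLE_ATTACK = {
    'groups': [
        {'type': 'intrusion-set', 'id': 'intrusion-set--g-honeybee',
         'group': 'Honeybee', 'group_id': 'G0072'},
        {'type': 'intrusion-set', 'id': 'intrusion-set--g-apt19',
         'group': 'APT19', 'group_id': 'G0073'},
    ],
    'techniques': [
        {'type': 'attack-pattern', 'id': 'attack-pattern--t1222', 'matrix': 'mitre-attack',
         'technique': 'File Permissions Modification', 'technique_id': 'T1222',
         'data_sources': ['File monitoring', 'Process monitoring',
                          'Process command-line parameters', 'Windows event logs']},
        {'type': 'attack-pattern', 'id': 'attack-pattern--t1197', 'matrix': 'mitre-attack',
         'technique': 'BITS Jobs', 'technique_id': 'T1197',
         'data_sources': ['API monitoring', 'Packet capture', 'Windows event logs']},
        # PRE-ATT&CK techniques carry data_sources None, as in the schema output above
        {'type': 'attack-pattern', 'id': 'attack-pattern--t1397', 'matrix': 'mitre-pre-attack',
         'technique': 'Spearphishing for Information', 'technique_id': 'T1397',
         'data_sources': None},
    ],
    'relationships': [
        {'type': 'relationship', 'id': 'relationship--r1', 'relationship': 'uses',
         'source_object': 'intrusion-set--g-honeybee', 'target_object': 'attack-pattern--t1222'},
        {'type': 'relationship', 'id': 'relationship--r2', 'relationship': 'uses',
         'source_object': 'intrusion-set--g-apt19', 'target_object': 'attack-pattern--t1222'},
        {'type': 'relationship', 'id': 'relationship--r3', 'relationship': 'uses',
         'source_object': 'intrusion-set--g-apt19', 'target_object': 'attack-pattern--t1197'},
        # 'related-to' links technique to technique (PRE-ATT&CK); not a group usage
        {'type': 'relationship', 'id': 'relationship--r4', 'relationship': 'related-to',
         'source_object': 'attack-pattern--t1397', 'target_object': 'attack-pattern--t1222'},
        # 'uses' whose target is absent from this technique list (e.g. a revoked object)
        {'type': 'relationship', 'id': 'relationship--r5', 'relationship': 'uses',
         'source_object': 'intrusion-set--g-honeybee', 'target_object': 'attack-pattern--missing'},
        # 'mitigates' points from a course-of-action to a technique; not a group usage
        {'type': 'relationship', 'id': 'relationship--r6', 'relationship': 'mitigates',
         'source_object': 'course-of-action--m1', 'target_object': 'attack-pattern--t1197'},
    ],
}


def index_by_stix_id(objects):
    """Map each object's STIX id (e.g. 'intrusion-set--...') to the object itself."""
    return {obj['id']: obj for obj in objects}


def techniques_used_by_group(all_attack):
    """Return {group_id: sorted technique_ids} by resolving 'uses' relationships whose
    source is a known group and whose target is a known technique. Other relationship
    types (related-to, mitigates) and dangling references are skipped."""
    groups = index_by_stix_id(all_attack['groups'])
    techniques = index_by_stix_id(all_attack['techniques'])
    used = defaultdict(set)
    for rel in all_attack['relationships']:
        if rel.get('relationship') != 'uses':
            continue
        group = groups.get(rel.get('source_object'))
        technique = techniques.get(rel.get('target_object'))
        if group is None or technique is None:
            continue  # software usage, or a target not present in this collection
        used[group['group_id']].add(technique['technique_id'])
    return {gid: sorted(tids) for gid, tids in used.items()}


def data_source_coverage(all_attack, matrix='mitre-attack'):
    """Count, per data source, how many techniques of one matrix list it.
    Techniques whose data_sources is None (PRE-ATT&CK) contribute nothing."""
    counts = Counter()
    for tech in all_attack['techniques']:
        if tech.get('matrix') != matrix:
            continue
        counts.update(tech.get('data_sources') or [])
    return counts


def group_visibility(all_attack, collected_sources):
    """Constructed metric: for each group, the fraction of its techniques that list
    at least one data source the organisation already collects."""
    by_id = {t['technique_id']: t for t in all_attack['techniques']}
    collected = set(collected_sources)
    result = {}
    for gid, tids in techniques_used_by_group(all_attack).items():
        covered = sum(1 for tid in tids
                      if collected & set(by_id[tid].get('data_sources') or []))
        result[gid] = covered / len(tids)
    return result


if __name__ == '__main__':
    print(techniques_used_by_group(SAMPLE_ATTACK))
    print(data_source_coverage(SAMPLE_ATTACK).most_common(3))
    print(group_visibility(SAMPLE_ATTACK, ['Packet capture', 'API monitoring']))
```

Against the live data, pass the dictionary returned by `lift.get_all_stix_objects()` in place of `SAMPLE_ATTACK`; the `related-to` and `revoked-by` relationships seen in the PRE and Mobile output above are filtered out by the `uses` check.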
Enterprise Techniques
print("Number of Techniques in Enterprise ATT&CK")
print(len(all_enterprise['techniques']))
df = all_enterprise['techniques']
df = json_normalize(df)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'data_sources'], axis=1)[0:5]
Number of Techniques in Enterprise ATT&CK 223
| | matrix | tactic | technique | technique_id | data_sources |
---|---|---|---|---|---|
0 | mitre-attack | [defense-evasion] | File Permissions Modification | T1222 | [File monitoring, Process monitoring, Process ... |
1 | mitre-attack | [defense-evasion, execution] | XSL Script Processing | T1220 | [Process monitoring, Process command-line para... |
2 | mitre-attack | [defense-evasion, execution] | Compiled HTML File | T1223 | [File monitoring, Process monitoring, Process ... |
3 | mitre-attack | [defense-evasion] | Template Injection | T1221 | [Anti-virus, Email gateway, Network intrusion ... |
4 | mitre-attack | [defense-evasion, persistence] | BITS Jobs | T1197 | [API monitoring, Packet capture, Windows event... |
Enterprise Mitigations
print("Number of Mitigations in Enterprise ATT&CK")
print(len(all_enterprise['mitigations']))
df = all_enterprise['mitigations']
df = json_normalize(df)
df.reindex(['matrix','mitigation', 'mitigation_description', 'url'], axis=1)[0:5]
Number of Mitigations in Enterprise ATT&CK 222
| | matrix | mitigation | mitigation_description | url |
---|---|---|---|---|
0 | mitre-attack | Account Manipulation Mitigation | Use multifactor authentication. Follow guideli... | https://attack.mitre.org/techniques/T1098 |
1 | mitre-attack | Application Shimming Mitigation | There currently aren't a lot of ways to mitiga... | https://attack.mitre.org/techniques/T1138 |
2 | mitre-attack | Automated Exfiltration Mitigation | Identify unnecessary system utilities, scripts... | https://attack.mitre.org/techniques/T1020 |
3 | mitre-attack | Browser Bookmark Discovery Mitigation | File system activity is a common part of an op... | https://attack.mitre.org/techniques/T1217 |
4 | mitre-attack | Change Default File Association Mitigation | Direct mitigation of this technique is not rec... | https://attack.mitre.org/techniques/T1042 |
Enterprise Groups
print("Number of Groups in Enterprise ATT&CK")
print(len(all_enterprise['groups']))
df = all_enterprise['groups']
df = json_normalize(df)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]
Number of Groups in Enterprise ATT&CK 80
| | matrix | group | group_aliases | group_id | group_description |
---|---|---|---|---|---|
0 | mitre-attack | Honeybee | [Honeybee] | G0072 | [Honeybee](https://attack.mitre.org/groups/G00... |
1 | mitre-attack | Orangeworm | [Orangeworm] | G0071 | [Orangeworm](https://attack.mitre.org/groups/G... |
2 | mitre-attack | APT19 | [APT19, Codoso, C0d0so0, Codoso Team, Sunshop ... | G0073 | [APT19](https://attack.mitre.org/groups/G0073)... |
3 | mitre-attack | Cobalt Group | [Cobalt Group, Cobalt Gang, Cobalt Spider] | G0080 | [Cobalt Group](https://attack.mitre.org/groups... |
4 | mitre-attack | Thrip | [Thrip] | G0076 | [Thrip](https://attack.mitre.org/groups/G0076)... |
Enterprise Malware
print("Number of Malware objects in Enterprise ATT&CK")
print(len(all_enterprise['malware']))
df = all_enterprise['malware']
df = json_normalize(df)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]
Number of Malware objects in Enterprise ATT&CK 237
| | matrix | software | software_labels | software_id | software_description |
---|---|---|---|---|---|
0 | mitre-attack | Bandook | [malware] | S0234 | [Bandook](https://attack.mitre.org/software/S0... |
1 | mitre-attack | CrossRAT | [malware] | S0235 | [CrossRAT](https://attack.mitre.org/software/S... |
2 | mitre-attack | DealersChoice | [malware] | S0243 | [DealersChoice](https://attack.mitre.org/softw... |
3 | mitre-attack | FELIXROOT | [malware] | S0267 | [FELIXROOT](https://attack.mitre.org/software/... |
4 | mitre-attack | KEYMARBLE | [malware] | S0271 | [KEYMARBLE](https://attack.mitre.org/software/... |
Enterprise Tools
print("Number of Tools in Enterprise ATT&CK")
print(len(all_enterprise['tools']))
df = all_enterprise['tools']
df = json_normalize(df)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]
Number of Tools in Enterprise ATT&CK 47
| | matrix | software | software_labels | software_id | software_description |
---|---|---|---|---|---|
0 | mitre-attack | Koadic | [tool] | S0250 | [Koadic](https://attack.mitre.org/software/S02... |
1 | mitre-attack | QuasarRAT | [tool] | S0262 | [QuasarRAT](https://attack.mitre.org/software/... |
2 | mitre-attack | Invoke-PSImage | [tool] | S0231 | [Invoke-PSImage](https://attack.mitre.org/soft... |
3 | mitre-attack | Pupy | [tool] | S0192 | [Pupy](https://attack.mitre.org/software/S0192... |
4 | mitre-attack | Winexe | [tool] | S0191 | [Winexe](https://attack.mitre.org/software/S01... |
Enterprise Relationships
print("Number of Relationships in Enterprise ATT&CK")
print(len(all_enterprise['relationships']))
df = all_enterprise['relationships']
df = json_normalize(df)
df.reindex(['id','relationship', 'source_object', 'target_object'], axis=1)[0:5]
Number of Relationships in Enterprise ATT&CK 3725
| | id | relationship | source_object | target_object |
---|---|---|---|---|
0 | relationship--322703cc-c8f9-4046-8a61-e165a2d1... | uses | intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e99... | attack-pattern--707399d6-ab3e-4963-9315-d9d381... |
1 | relationship--1ba59a68-1883-492d-8cd8-f22656eb... | uses | intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8... | attack-pattern--1608f3e1-598a-42f4-a01a-2e252e... |
2 | relationship--40032198-f003-4171-92a0-faf038f6... | uses | intrusion-set--247cb30b-955f-42eb-97a5-a89fef6... | attack-pattern--03d7999c-1f4c-42cc-8373-e7690d... |
3 | relationship--70d1a246-4ff2-452d-babf-ed47bccb... | uses | intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d246... | attack-pattern--f4882e23-8aa7-4b12-b28a-b349c1... |
4 | relationship--2db02b07-4dd3-4810-9103-1f8d7bd4... | uses | intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769... | attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf... |
PRE Techniques
print("Number of Techniques in PRE-ATT&CK")
print(len(all_pre['techniques']))
df = all_pre['techniques']
df = json_normalize(df)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'detectable_by_common_defenses'], axis=1)[0:5]
Number of Techniques in PRE-ATT&CK 174
| | matrix | tactic | technique | technique_id | detectable_by_common_defenses |
---|---|---|---|---|---|
0 | mitre-pre-attack | [technical-information-gathering] | Spearphishing for Information | T1397 | Partial |
1 | mitre-pre-attack | [establish-&-maintain-infrastructure] | Acquire and/or use 3rd party infrastructure se... | T1329 | No |
2 | mitre-pre-attack | [people-information-gathering] | Aggregate individual's digital footprint | T1275 | No |
3 | mitre-pre-attack | [technical-weakness-identification] | Analyze hardware/software security defensive c... | T1294 | No |
4 | mitre-pre-attack | [people-weakness-identification] | Analyze social and business relationships, int... | T1295 | No |
PRE Groups
print("Number of Groups in PRE-ATT&CK")
print(len(all_pre['groups']))
df = all_pre['groups']
df = json_normalize(df)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]
Number of Groups in PRE-ATT&CK 6
| | matrix | group | group_aliases | group_id | group_description |
---|---|---|---|---|---|
0 | mitre-attack | APT17 | [APT17, Deputy Dog] | G0025 | [APT17](https://attack.mitre.org/groups/G0025)... |
1 | mitre-attack | APT16 | [APT16] | G0023 | [APT16](https://attack.mitre.org/groups/G0023)... |
2 | mitre-attack | Night Dragon | [Night Dragon, Musical Chairs] | G0014 | [Night Dragon](https://attack.mitre.org/groups... |
3 | mitre-attack | APT28 | [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... | G0007 | [APT28](https://attack.mitre.org/groups/G0007)... |
4 | mitre-attack | APT1 | [APT1, Comment Crew, Comment Group, Comment Pa... | G0006 | [APT1](https://attack.mitre.org/groups/G0006) ... |
PRE Relationships
print("Number of Relationships in PRE-ATT&CK")
print(len(all_pre['relationships']))
df = all_pre['relationships']
df = json_normalize(df)
df.reindex(['id','relationship', 'source_object', 'target_object'], axis=1)[0:5]
Number of Relationships in PRE-ATT&CK 68
| | id | relationship | source_object | target_object |
---|---|---|---|---|
0 | relationship--6ba71250-1dc7-4b8d-88e7-698440ea... | related-to | attack-pattern--028ad431-84c5-4eb7-a364-2b797c... | attack-pattern--2b9a666e-bd59-4f67-9031-ed41b4... |
1 | relationship--ad510f42-e745-42d0-8b54-4bf7a2f3... | related-to | attack-pattern--af358cad-eb71-4e91-a752-236edc... | attack-pattern--74a3288e-eee9-4f8e-973a-fbc128... |
2 | relationship--cc22ab71-f2fc-4885-832b-e75dadee... | uses | intrusion-set--6a2e693f-24e5-451a-9f88-b36a108... | attack-pattern--4900fabf-1142-4c1f-92f5-0b590e... |
3 | relationship--5dc0b076-5f25-4bda-83c7-1d8bd214... | related-to | attack-pattern--286cc500-4291-45c2-99a1-e760db... | attack-pattern--795c1a92-3a26-453e-b99a-6a566a... |
4 | relationship--87239038-7693-49b3-b595-b828cc2b... | related-to | attack-pattern--103d72e6-7e0d-4b3a-9373-c38567... | attack-pattern--eacd1efe-ee30-4b03-b58f-5b3b1a... |
Mobile Techniques
print("Number of Techniques in Mobile ATT&CK")
print(len(all_mobile['techniques']))
df = all_mobile['techniques']
df = json_normalize(df)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'tactic_type'], axis=1)[0:5]
Number of Techniques in Mobile ATT&CK 81
| | matrix | tactic | technique | technique_id | tactic_type |
---|---|---|---|---|---|
0 | mitre-mobile-attack | [initial-access] | Exploit via Radio Interfaces | T1477 | [Post-Adversary Device Access] |
1 | mitre-mobile-attack | [defense-evasion, initial-access] | Install Insecure or Malicious Configuration | T1478 | [Post-Adversary Device Access] |
2 | mitre-mobile-attack | [initial-access] | Supply Chain Compromise | T1474 | [Post-Adversary Device Access] |
3 | mitre-mobile-attack | [initial-access] | Deliver Malicious App via Other Means | T1476 | [Post-Adversary Device Access] |
4 | mitre-mobile-attack | [initial-access] | Deliver Malicious App via Authorized App Store | T1475 | [Post-Adversary Device Access] |
Mobile Mitigations
print("Number of Mitigations in Mobile ATT&CK")
print(len(all_mobile['mitigations']))
print(" ")
df = all_mobile['mitigations']
df = json_normalize(df)
df.reindex(['matrix', 'mitigation', 'mitigation_description', 'url'], axis=1)[0:5]
Number of Mitigations in Mobile ATT&CK 14
| | matrix | mitigation | mitigation_description | url |
---|---|---|---|---|
0 | mitre-mobile-attack | Application Developer Guidance | This mitigation describes any guidance or trai... | https://attack.mitre.org/mitigations/M1013 |
1 | mitre-mobile-attack | Enterprise Policy | An enterprise mobility management (EMM), also ... | https://attack.mitre.org/mitigations/M1012 |
2 | mitre-mobile-attack | Attestation | Enable remote attestation capabilities when av... | https://attack.mitre.org/mitigations/M1002 |
3 | mitre-mobile-attack | Deploy Compromised Device Detection Method | A variety of methods exist that can be used to... | https://attack.mitre.org/mitigations/M1010 |
4 | mitre-mobile-attack | System Partition Integrity | Ensure that Android devices being used include... | https://attack.mitre.org/mitigations/M1004 |
Mobile Groups
print("Number of Groups in Mobile ATT&CK")
print(len(all_mobile['groups']))
df = all_mobile['groups']
df = json_normalize(df)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]
Number of Groups in Mobile ATT&CK 1
| | matrix | group | group_aliases | group_id | group_description |
---|---|---|---|---|---|
0 | mitre-attack | APT28 | [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... | G0007 | [APT28](https://attack.mitre.org/groups/G0007)... |
Mobile Malware
print("Number of Malware in Mobile ATT&CK")
print(len(all_mobile['malware']))
df = all_mobile['malware']
df = json_normalize(df)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]
Number of Malware in Mobile ATT&CK 44
| | matrix | software | software_labels | software_id | software_description |
---|---|---|---|---|---|
0 | mitre-mobile-attack | Allwinner | [malware] | S0319 | [Allwinner](https://attack.mitre.org/software/... |
1 | mitre-mobile-attack | Marcher | [malware] | S0317 | [Marcher](https://attack.mitre.org/software/S0... |
2 | mitre-mobile-attack | Stealth Mango | [malware] | S0328 | [Stealth Mango](https://attack.mitre.org/softw... |
3 | mitre-mobile-attack | RedDrop | [malware] | S0326 | [RedDrop](https://attack.mitre.org/software/S0... |
4 | mitre-mobile-attack | Judy | [malware] | S0325 | [Judy](https://attack.mitre.org/software/S0325... |
Mobile Tools
print("Number of Tools in Mobile ATT&CK")
print(len(all_mobile['tools']))
df = all_mobile['tools']
df = json_normalize(df)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]
Number of Tools in Mobile ATT&CK 1
| | matrix | software | software_labels | software_id | software_description |
---|---|---|---|---|---|
0 | mitre-mobile-attack | Xbot | [tool] | S0298 | [Xbot](https://attack.mitre.org/software/S0298... |
Mobile Relationships
print("Number of Relationships in Mobile ATT&CK")
print(len(all_mobile['relationships']))
df = all_mobile['relationships']
df = json_normalize(df)
df.reindex(['id', 'relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]  # the relationship schema names this column 'id'; reindexing on a name that does not exist yields an all-NaN column, as the recorded output below shows
Number of Relationships in Mobile ATT&CK 299
| | object id | relationship | relationship_description | source_object | target_object |
---|---|---|---|---|---|
0 | NaN | revoked-by | None | attack-pattern--831e3269-da49-48ac-94dc-948008... | attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97c... |
1 | NaN | uses | Most [KeyRaider](https://attack.mitre.org/soft... | malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50 | attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530... |
2 | NaN | uses | [Pegasus for Android](https://attack.mitre.org... | malware--93799a9d-3537-43d8-b6f4-17215de1657c | attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97c... |
3 | NaN | uses | [RedDrop](https://attack.mitre.org/software/S0... | malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381 | attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e99... |
4 | NaN | uses | [SpyDealer](https://attack.mitre.org/software/... | malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b | attack-pattern--b3c2e5de-0941-4b57-ba61-af029e... |
print("Number of Techniques in Enterprise ATT&CK")
techniques = lift.get_all_enterprise_techniques()
print(len(techniques))
df = json_normalize(techniques)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'data_sources','contributors'], axis=1)[0:5]
Number of Techniques in Enterprise ATT&CK 223
matrix | tactic | technique | technique_id | data_sources | contributors | |
---|---|---|---|---|---|---|
0 | mitre-attack | [defense-evasion] | File Permissions Modification | T1222 | [File monitoring, Process monitoring, Process ... | [Jan Miller, CrowdStrike] |
1 | mitre-attack | [defense-evasion, execution] | XSL Script Processing | T1220 | [Process monitoring, Process command-line para... | [Casey Smith, Praetorian] |
2 | mitre-attack | [defense-evasion, execution] | Compiled HTML File | T1223 | [File monitoring, Process monitoring, Process ... | [Rahmat Nurfauzi, @infosecn1nja, PT Xynexis In... |
3 | mitre-attack | [defense-evasion] | Template Injection | T1221 | [Anti-virus, Email gateway, Network intrusion ... | [Patrick Campbell, @pjcampbe11] |
4 | mitre-attack | [defense-evasion, persistence] | BITS Jobs | T1197 | [API monitoring, Packet capture, Windows event... | [Ricardo Dias, Red Canary] |
print("Number of Techniques in PRE-ATT&CK")
techniques = lift.get_all_pre_techniques()
print(len(techniques))
df = json_normalize(techniques)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'detectable_by_common_defenses', 'contributors'], axis=1)[0:5]
Number of Techniques in PRE-ATT&CK 174
matrix | tactic | technique | technique_id | detectable_by_common_defenses | contributors | |
---|---|---|---|---|---|---|
0 | mitre-pre-attack | [technical-information-gathering] | Spearphishing for Information | T1397 | Partial | None |
1 | mitre-pre-attack | [establish-&-maintain-infrastructure] | Acquire and/or use 3rd party infrastructure se... | T1329 | No | None |
2 | mitre-pre-attack | [people-information-gathering] | Aggregate individual's digital footprint | T1275 | No | None |
3 | mitre-pre-attack | [technical-weakness-identification] | Analyze hardware/software security defensive c... | T1294 | No | None |
4 | mitre-pre-attack | [people-weakness-identification] | Analyze social and business relationships, int... | T1295 | No | None |
print("Number of Techniques in Mobile ATT&CK")
techniques = lift.get_all_mobile_techniques()
print(len(techniques))
df = json_normalize(techniques)
df.reindex(['matrix', 'id','tactic', 'technique', 'tactic_type','contributors'], axis=1)[0:5]
Number of Techniques in Mobile ATT&CK 81
matrix | id | tactic | technique | tactic_type | contributors | |
---|---|---|---|---|---|---|
0 | mitre-mobile-attack | attack-pattern--2d646840-f6f5-4619-a5a8-29c831... | [initial-access] | Exploit via Radio Interfaces | [Post-Adversary Device Access] | None |
1 | mitre-mobile-attack | attack-pattern--cde2cb84-455e-410c-8aa9-086f27... | [defense-evasion, initial-access] | Install Insecure or Malicious Configuration | [Post-Adversary Device Access] | None |
2 | mitre-mobile-attack | attack-pattern--0d95940f-9583-4e0f-824c-a42c1b... | [initial-access] | Supply Chain Compromise | [Post-Adversary Device Access] | None |
3 | mitre-mobile-attack | attack-pattern--53263a67-075e-48fa-974b-91c5b5... | [initial-access] | Deliver Malicious App via Other Means | [Post-Adversary Device Access] | None |
4 | mitre-mobile-attack | attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97c... | [initial-access] | Deliver Malicious App via Authorized App Store | [Post-Adversary Device Access] | None |
print("Number of Techniques in ATT&CK")
techniques = lift.get_all_techniques()
print(len(techniques))
df = json_normalize(techniques)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'data_sources'], axis=1)[0:5]
Number of Techniques in ATT&CK 478
matrix | tactic | technique | technique_id | data_sources | |
---|---|---|---|---|---|
0 | mitre-attack | [defense-evasion] | File Permissions Modification | T1222 | [File monitoring, Process monitoring, Process ... |
1 | mitre-attack | [defense-evasion, execution] | XSL Script Processing | T1220 | [Process monitoring, Process command-line para... |
2 | mitre-attack | [defense-evasion, execution] | Compiled HTML File | T1223 | [File monitoring, Process monitoring, Process ... |
3 | mitre-attack | [defense-evasion] | Template Injection | T1221 | [Anti-virus, Email gateway, Network intrusion ... |
4 | mitre-attack | [defense-evasion, persistence] | BITS Jobs | T1197 | [API monitoring, Packet capture, Windows event... |
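The technique tables above carry a `data_sources` list per technique, which is the field a detection engineer actually uses: given the log sources an organisation collects, which techniques in each tactic can it observe at all, and which data source would close the most gaps next? The block below is an added example (not code from this notebook or from attackcti) that works directly on dicts in the flattened shape attackcti returns (`technique_id`, `technique`, `tactic`, `data_sources`), using only the standard library so it runs without a TAXII connection. The sample techniques are constructed inline: the names and IDs come from the table above, but the data-source lists are shortened illustrative values, and `T9999` is a hypothetical entry added to exercise the no-data-source path. PRE-ATT&CK techniques have no `data_sources` field at all (the PRE table above uses `detectable_by_common_defenses` instead), so every function treats a missing or empty list as "not observable".

```python
from collections import Counter, defaultdict

# Constructed sample in attackcti's flattened technique schema. Data-source
# lists are illustrative and shorter than the real ATT&CK entries; T9999 is a
# hypothetical technique with no data sources.
SAMPLE_TECHNIQUES = [
    {"technique_id": "T1222", "technique": "File Permissions Modification",
     "tactic": ["defense-evasion"],
     "data_sources": ["File monitoring", "Process monitoring"]},
    {"technique_id": "T1220", "technique": "XSL Script Processing",
     "tactic": ["defense-evasion", "execution"],
     "data_sources": ["Process monitoring", "Process command-line parameters"]},
    {"technique_id": "T1221", "technique": "Template Injection",
     "tactic": ["defense-evasion"],
     "data_sources": ["Anti-virus", "Email gateway"]},
    {"technique_id": "T1197", "technique": "BITS Jobs",
     "tactic": ["defense-evasion", "persistence"],
     "data_sources": ["API monitoring", "Packet capture", "Windows event logs"]},
    {"technique_id": "T9999", "technique": "Hypothetical technique",
     "tactic": ["persistence"], "data_sources": []},
]


def _sources(technique):
    # PRE-ATT&CK rows have no 'data_sources' key; after json_normalize the cell
    # is NaN rather than None, so only trust real lists.
    value = technique.get("data_sources")
    return set(value) if isinstance(value, list) else set()


def coverage_by_tactic(techniques, collected_sources):
    """Per tactic: technique IDs observable with at least one collected data
    source versus those not observable with what we collect."""
    collected = set(collected_sources)
    report = defaultdict(lambda: {"covered": [], "uncovered": []})
    for t in techniques:
        bucket = "covered" if _sources(t) & collected else "uncovered"
        for tactic in t.get("tactic") or []:
            report[tactic][bucket].append(t["technique_id"])
    return {tactic: {b: sorted(ids) for b, ids in buckets.items()}
            for tactic, buckets in report.items()}


def data_source_value(techniques):
    """Rank data sources by how many techniques each can observe, i.e. which
    log source to onboard next. Each technique counts a source once."""
    counts = Counter()
    for t in techniques:
        counts.update(_sources(t))
    return counts.most_common()


def techniques_without_data_sources(techniques):
    """Techniques ATT&CK lists no data source for: detection gaps by design."""
    return sorted(t["technique_id"] for t in techniques if not _sources(t))


if __name__ == "__main__":
    collected = {"Process monitoring", "Windows event logs"}
    for tactic, buckets in sorted(coverage_by_tactic(SAMPLE_TECHNIQUES, collected).items()):
        print(tactic, buckets)
    print(data_source_value(SAMPLE_TECHNIQUES)[:3])
    print("no data sources:", techniques_without_data_sources(SAMPLE_TECHNIQUES))
```

Feed `lift.get_all_enterprise_techniques()` in place of `SAMPLE_TECHNIQUES` and the set of sources the SIEM actually ingests in place of `collected`, and the uncovered list per tactic is the detection backlog; `data_source_value` orders the backlog by payoff.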
print("Number of Mitigations in Enterprise ATT&CK")
mitigations = lift.get_all_enterprise_mitigations()
print(len(mitigations))
df = json_normalize(mitigations)
df.reindex(['matrix', 'mitigation', 'mitigation_description', 'url'], axis=1)[0:5]
Number of Mitigations in Enterprise ATT&CK 222
matrix | mitigation | mitigation_description | url | |
---|---|---|---|---|
0 | mitre-attack | Account Manipulation Mitigation | Use multifactor authentication. Follow guideli... | https://attack.mitre.org/techniques/T1098 |
1 | mitre-attack | Application Shimming Mitigation | There currently aren't a lot of ways to mitiga... | https://attack.mitre.org/techniques/T1138 |
2 | mitre-attack | Automated Exfiltration Mitigation | Identify unnecessary system utilities, scripts... | https://attack.mitre.org/techniques/T1020 |
3 | mitre-attack | Browser Bookmark Discovery Mitigation | File system activity is a common part of an op... | https://attack.mitre.org/techniques/T1217 |
4 | mitre-attack | Change Default File Association Mitigation | Direct mitigation of this technique is not rec... | https://attack.mitre.org/techniques/T1042 |
print("Number of Mitigations in Mobile ATT&CK")
mitigations = lift.get_all_mobile_mitigations()
print(len(mitigations))
df = json_normalize(mitigations)
df.reindex(['matrix', 'mitigation', 'mitigation_description', 'url'], axis=1)[0:5]
Number of Mitigations in Mobile ATT&CK 14
matrix | mitigation | mitigation_description | url | |
---|---|---|---|---|
0 | mitre-mobile-attack | Application Developer Guidance | This mitigation describes any guidance or trai... | https://attack.mitre.org/mitigations/M1013 |
1 | mitre-mobile-attack | Enterprise Policy | An enterprise mobility management (EMM), also ... | https://attack.mitre.org/mitigations/M1012 |
2 | mitre-mobile-attack | Attestation | Enable remote attestation capabilities when av... | https://attack.mitre.org/mitigations/M1002 |
3 | mitre-mobile-attack | Deploy Compromised Device Detection Method | A variety of methods exist that can be used to... | https://attack.mitre.org/mitigations/M1010 |
4 | mitre-mobile-attack | System Partition Integrity | Ensure that Android devices being used include... | https://attack.mitre.org/mitigations/M1004 |
print("Number of Mitigations in ATT&CK")
mitigations = lift.get_all_mitigations()
print(len(mitigations))
df = json_normalize(mitigations)
df.reindex(['matrix', 'mitigation', 'mitigation_description', 'url'], axis=1)[0:5]
Number of Mitigations in ATT&CK 236
matrix | mitigation | mitigation_description | url | |
---|---|---|---|---|
0 | mitre-attack | Account Manipulation Mitigation | Use multifactor authentication. Follow guideli... | https://attack.mitre.org/techniques/T1098 |
1 | mitre-attack | Application Shimming Mitigation | There currently aren't a lot of ways to mitiga... | https://attack.mitre.org/techniques/T1138 |
2 | mitre-attack | Automated Exfiltration Mitigation | Identify unnecessary system utilities, scripts... | https://attack.mitre.org/techniques/T1020 |
3 | mitre-attack | Browser Bookmark Discovery Mitigation | File system activity is a common part of an op... | https://attack.mitre.org/techniques/T1217 |
4 | mitre-attack | Change Default File Association Mitigation | Direct mitigation of this technique is not rec... | https://attack.mitre.org/techniques/T1042 |
print("Number of Groups in Enterprise ATT&CK")
groups = lift.get_all_enterprise_groups()
print(len(groups))
df = json_normalize(groups)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]
Number of Groups in Enterprise ATT&CK 80
matrix | group | group_aliases | group_id | group_description | |
---|---|---|---|---|---|
0 | mitre-attack | Honeybee | [Honeybee] | G0072 | [Honeybee](https://attack.mitre.org/groups/G00... |
1 | mitre-attack | Orangeworm | [Orangeworm] | G0071 | [Orangeworm](https://attack.mitre.org/groups/G... |
2 | mitre-attack | APT19 | [APT19, Codoso, C0d0so0, Codoso Team, Sunshop ... | G0073 | [APT19](https://attack.mitre.org/groups/G0073)... |
3 | mitre-attack | Cobalt Group | [Cobalt Group, Cobalt Gang, Cobalt Spider] | G0080 | [Cobalt Group](https://attack.mitre.org/groups... |
4 | mitre-attack | Thrip | [Thrip] | G0076 | [Thrip](https://attack.mitre.org/groups/G0076)... |
print("Number of Groups in PRE-ATT&CK")
groups = lift.get_all_pre_groups()
print(len(groups))
df = json_normalize(groups)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]
Number of Groups in PRE-ATT&CK 6
matrix | group | group_aliases | group_id | group_description | |
---|---|---|---|---|---|
0 | mitre-attack | APT17 | [APT17, Deputy Dog] | G0025 | [APT17](https://attack.mitre.org/groups/G0025)... |
1 | mitre-attack | APT16 | [APT16] | G0023 | [APT16](https://attack.mitre.org/groups/G0023)... |
2 | mitre-attack | Night Dragon | [Night Dragon, Musical Chairs] | G0014 | [Night Dragon](https://attack.mitre.org/groups... |
3 | mitre-attack | APT28 | [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... | G0007 | [APT28](https://attack.mitre.org/groups/G0007)... |
4 | mitre-attack | APT1 | [APT1, Comment Crew, Comment Group, Comment Pa... | G0006 | [APT1](https://attack.mitre.org/groups/G0006) ... |
print("Number of Groups in Mobile ATT&CK")
groups = lift.get_all_mobile_groups()
print(len(groups))
df = json_normalize(groups)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]
Number of Groups in Mobile ATT&CK 1
matrix | group | group_aliases | group_id | group_description | |
---|---|---|---|---|---|
0 | mitre-attack | APT28 | [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... | G0007 | [APT28](https://attack.mitre.org/groups/G0007)... |
print("Number of Groups in ATT&CK")
groups = lift.get_all_groups()
print(len(groups))
df = json_normalize(groups)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]
Number of Groups in ATT&CK 80
matrix | group | group_aliases | group_id | group_description | |
---|---|---|---|---|---|
0 | mitre-attack | Honeybee | [Honeybee] | G0072 | [Honeybee](https://attack.mitre.org/groups/G00... |
1 | mitre-attack | Orangeworm | [Orangeworm] | G0071 | [Orangeworm](https://attack.mitre.org/groups/G... |
2 | mitre-attack | APT19 | [APT19, Codoso, C0d0so0, Codoso Team, Sunshop ... | G0073 | [APT19](https://attack.mitre.org/groups/G0073)... |
3 | mitre-attack | Cobalt Group | [Cobalt Group, Cobalt Gang, Cobalt Spider] | G0080 | [Cobalt Group](https://attack.mitre.org/groups... |
4 | mitre-attack | Thrip | [Thrip] | G0076 | [Thrip](https://attack.mitre.org/groups/G0076)... |
print("Number of Software in ATT&CK")
software = lift.get_all_software()
print(len(software))
df = json_normalize(software)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]
Number of Software in ATT&CK 329
matrix | software | software_labels | software_id | software_description | |
---|---|---|---|---|---|
0 | mitre-attack | Koadic | [tool] | S0250 | [Koadic](https://attack.mitre.org/software/S02... |
1 | mitre-attack | QuasarRAT | [tool] | S0262 | [QuasarRAT](https://attack.mitre.org/software/... |
2 | mitre-attack | Invoke-PSImage | [tool] | S0231 | [Invoke-PSImage](https://attack.mitre.org/soft... |
3 | mitre-attack | Pupy | [tool] | S0192 | [Pupy](https://attack.mitre.org/software/S0192... |
4 | mitre-attack | Winexe | [tool] | S0191 | [Winexe](https://attack.mitre.org/software/S01... |
print("Number of Relationships in Enterprise ATT&CK")
relationships = lift.get_all_enterprise_relationships()
print(len(relationships))
df = json_normalize(relationships)
df.reindex(['id','relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]
Number of Relationships in Enterprise ATT&CK 3725
id | relationship | relationship_description | source_object | target_object | |
---|---|---|---|---|---|
0 | relationship--322703cc-c8f9-4046-8a61-e165a2d1... | uses | [APT19](https://attack.mitre.org/groups/G0073)... | intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e99... | attack-pattern--707399d6-ab3e-4963-9315-d9d381... |
1 | relationship--1ba59a68-1883-492d-8cd8-f22656eb... | uses | [APT28](https://attack.mitre.org/groups/G0007)... | intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8... | attack-pattern--1608f3e1-598a-42f4-a01a-2e252e... |
2 | relationship--40032198-f003-4171-92a0-faf038f6... | uses | [APT32](https://attack.mitre.org/groups/G0050)... | intrusion-set--247cb30b-955f-42eb-97a5-a89fef6... | attack-pattern--03d7999c-1f4c-42cc-8373-e7690d... |
3 | relationship--70d1a246-4ff2-452d-babf-ed47bccb... | uses | [Cobalt Group](https://attack.mitre.org/groups... | intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d246... | attack-pattern--f4882e23-8aa7-4b12-b28a-b349c1... |
4 | relationship--2db02b07-4dd3-4810-9103-1f8d7bd4... | uses | [DarkHydrus](https://attack.mitre.org/groups/G... | intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769... | attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf... |
print("Number of Relationships in PRE-ATT&CK")
relationships = lift.get_all_pre_relationships()
print(len(relationships))
df = json_normalize(relationships)
df.reindex(['id','relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]
Number of Relationships in PRE-ATT&CK 68
id | relationship | relationship_description | source_object | target_object | |
---|---|---|---|---|---|
0 | relationship--6ba71250-1dc7-4b8d-88e7-698440ea... | related-to | None | attack-pattern--028ad431-84c5-4eb7-a364-2b797c... | attack-pattern--2b9a666e-bd59-4f67-9031-ed41b4... |
1 | relationship--ad510f42-e745-42d0-8b54-4bf7a2f3... | related-to | None | attack-pattern--af358cad-eb71-4e91-a752-236edc... | attack-pattern--74a3288e-eee9-4f8e-973a-fbc128... |
2 | relationship--cc22ab71-f2fc-4885-832b-e75dadee... | uses | [APT1](https://attack.mitre.org/groups/G0006) ... | intrusion-set--6a2e693f-24e5-451a-9f88-b36a108... | attack-pattern--4900fabf-1142-4c1f-92f5-0b590e... |
3 | relationship--5dc0b076-5f25-4bda-83c7-1d8bd214... | related-to | None | attack-pattern--286cc500-4291-45c2-99a1-e760db... | attack-pattern--795c1a92-3a26-453e-b99a-6a566a... |
4 | relationship--87239038-7693-49b3-b595-b828cc2b... | related-to | None | attack-pattern--103d72e6-7e0d-4b3a-9373-c38567... | attack-pattern--eacd1efe-ee30-4b03-b58f-5b3b1a... |
print("Number of Relationships in Mobile ATT&CK")
relationships = lift.get_all_mobile_relationships()
print(len(relationships))
df = json_normalize(relationships)
df.reindex(['id','relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]
Number of Relationships in Mobile ATT&CK 299
id | relationship | relationship_description | source_object | target_object | |
---|---|---|---|---|---|
0 | relationship--c53170a0-ca7f-4827-9c3c-1803ecd1... | revoked-by | None | attack-pattern--831e3269-da49-48ac-94dc-948008... | attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97c... |
1 | relationship--05563777-5771-4bd6-a1af-3e244cf4... | uses | Most [KeyRaider](https://attack.mitre.org/soft... | malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50 | attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530... |
2 | relationship--93103ac2-0e3b-4f0f-a054-7f9b947b... | uses | [Pegasus for Android](https://attack.mitre.org... | malware--93799a9d-3537-43d8-b6f4-17215de1657c | attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97c... |
3 | relationship--ffddcabb-0f03-46ae-abd6-7ab94e91... | uses | [RedDrop](https://attack.mitre.org/software/S0... | malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381 | attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e99... |
4 | relationship--935fd3e3-dd47-4c43-bdd8-1668af26... | uses | [SpyDealer](https://attack.mitre.org/software/... | malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b | attack-pattern--b3c2e5de-0941-4b57-ba61-af029e... |
print("Number of Relationships in ATT&CK")
relationships = lift.get_all_relationships()
print(len(relationships))
df = json_normalize(relationships)
df.reindex(['id','relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]
Number of Relationships in ATT&CK 4092
id | relationship | relationship_description | source_object | target_object | |
---|---|---|---|---|---|
0 | relationship--322703cc-c8f9-4046-8a61-e165a2d1... | uses | [APT19](https://attack.mitre.org/groups/G0073)... | intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e99... | attack-pattern--707399d6-ab3e-4963-9315-d9d381... |
1 | relationship--1ba59a68-1883-492d-8cd8-f22656eb... | uses | [APT28](https://attack.mitre.org/groups/G0007)... | intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8... | attack-pattern--1608f3e1-598a-42f4-a01a-2e252e... |
2 | relationship--40032198-f003-4171-92a0-faf038f6... | uses | [APT32](https://attack.mitre.org/groups/G0050)... | intrusion-set--247cb30b-955f-42eb-97a5-a89fef6... | attack-pattern--03d7999c-1f4c-42cc-8373-e7690d... |
3 | relationship--70d1a246-4ff2-452d-babf-ed47bccb... | uses | [Cobalt Group](https://attack.mitre.org/groups... | intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d246... | attack-pattern--f4882e23-8aa7-4b12-b28a-b349c1... |
4 | relationship--2db02b07-4dd3-4810-9103-1f8d7bd4... | uses | [DarkHydrus](https://attack.mitre.org/groups/G... | intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769... | attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf... |
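The relationship tables only expose STIX ids in `source_object` and `target_object`, so answering "which techniques does this group use?" needs three things the notebook does not show: a lookup from STIX id to the group/software/technique it names, expansion of group → software → technique edges (a group inherits the techniques of the malware and tools it uses), and handling of the `revoked-by` relationship visible in the Mobile table, which redirects a deprecated technique to its replacement. A fourth check matters when mixing matrices: relationships can reference objects that were never fetched, and those edges should be reported rather than silently dropped. The block below is an added example, not code from this notebook or from attackcti, written against the flattened field names attackcti uses on this page; all STIX UUID suffixes, the `T9xxx` technique IDs and the technique names are hypothetical, constructed inline so the block runs offline.

```python
from collections import defaultdict

# Constructed sample data (not fetched from TAXII). Field names follow the
# flattened attackcti dicts shown on this page; the UUID suffixes, T9xxx IDs
# and technique names are hypothetical.
GROUPS = [
    {"id": "intrusion-set--g1", "group": "APT28", "group_id": "G0007"},
]
SOFTWARE = [
    {"id": "malware--m1", "software": "RedDrop", "software_id": "S0326",
     "software_labels": ["malware"]},
]
TECHNIQUES = [
    {"id": "attack-pattern--a1", "technique": "App delivery (hypothetical)",
     "technique_id": "T9001"},
    # Deprecated entry: relationship r4 below revokes it in favour of a1.
    {"id": "attack-pattern--a0", "technique": "Old app delivery (hypothetical)",
     "technique_id": "T9000"},
    {"id": "attack-pattern--a2", "technique": "Radio exploit (hypothetical)",
     "technique_id": "T9002"},
]
RELATIONSHIPS = [
    {"id": "relationship--r1", "relationship": "uses",
     "source_object": "intrusion-set--g1", "target_object": "attack-pattern--a1"},
    {"id": "relationship--r2", "relationship": "uses",
     "source_object": "intrusion-set--g1", "target_object": "malware--m1"},
    {"id": "relationship--r3", "relationship": "uses",
     "source_object": "malware--m1", "target_object": "attack-pattern--a0"},
    {"id": "relationship--r4", "relationship": "revoked-by",
     "source_object": "attack-pattern--a0", "target_object": "attack-pattern--a1"},
    {"id": "relationship--r5", "relationship": "uses",
     "source_object": "malware--m1", "target_object": "attack-pattern--a2"},
    # Dangling edge: the target was never fetched (e.g. it lives in another matrix).
    {"id": "relationship--r6", "relationship": "uses",
     "source_object": "intrusion-set--g1", "target_object": "attack-pattern--missing"},
]


def build_index(*collections):
    """STIX id -> (ATT&CK id, display name) for every object we fetched."""
    index = {}
    for objs in collections:
        for o in objs:
            ext_id = o.get("technique_id") or o.get("group_id") or o.get("software_id")
            name = o.get("technique") or o.get("group") or o.get("software")
            index[o["id"]] = (ext_id, name)
    return index


def revocations(relationships):
    """Deprecated STIX id -> replacement STIX id, from 'revoked-by' edges."""
    return {r["source_object"]: r["target_object"]
            for r in relationships if r["relationship"] == "revoked-by"}


def current_id(stix_id, revoked):
    """Follow revocation chains to the live object; guard against cycles."""
    seen = set()
    while stix_id in revoked and stix_id not in seen:
        seen.add(stix_id)
        stix_id = revoked[stix_id]
    return stix_id


def uses_graph(relationships):
    graph = defaultdict(set)
    for r in relationships:
        if r["relationship"] == "uses":
            graph[r["source_object"]].add(r["target_object"])
    return graph


def techniques_of(stix_id, graph, revoked, _via_software=False):
    """Techniques reachable from a group or software node. Software is expanded
    one level only: group -> software -> technique."""
    found = set()
    for target in graph.get(stix_id, ()):
        kind = target.split("--", 1)[0]
        if kind == "attack-pattern":
            found.add(current_id(target, revoked))
        elif kind in ("malware", "tool") and not _via_software:
            found |= techniques_of(target, graph, revoked, _via_software=True)
    return found


def group_technique_ids(groups, relationships, index):
    """Group name -> sorted ATT&CK technique IDs, skipping unknown targets."""
    graph, revoked = uses_graph(relationships), revocations(relationships)
    return {g["group"]: sorted({index[t][0] for t in techniques_of(g["id"], graph, revoked)
                                if t in index})
            for g in groups}


def dangling_references(relationships, index):
    """STIX ids referenced by relationships but absent from what we fetched."""
    return sorted({r[side] for r in relationships
                   for side in ("source_object", "target_object") if r[side] not in index})


if __name__ == "__main__":
    index = build_index(GROUPS, SOFTWARE, TECHNIQUES)
    print(group_technique_ids(GROUPS, RELATIONSHIPS, index))
    print("dangling:", dangling_references(RELATIONSHIPS, index))
```

With real data, build the index from `get_all_groups()`, `get_all_software()` and `get_all_techniques()` and pass `get_all_relationships()`; if `dangling_references` is non-empty after that, the relationship set spans objects outside the matrices you loaded, and any coverage count derived from it is incomplete.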