from attackcti import attack_client
import pandas
import json
pandas.__version__
'1.1.2'
lift = attack_client()
Collect ALL Enterprise ATT&CK (TAXII)
%time all_enterprise = lift.get_enterprise()
CPU times: user 2.75 s, sys: 107 ms, total: 2.86 s Wall time: 5.05 s
Collect ALL PRE-ATT&CK (TAXII)
%time all_pre = lift.get_pre()
/usr/local/lib/python3.8/site-packages/attackcti/attack_api.py:426: UserWarning: PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application warnings.warn("PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application")
CPU times: user 124 ms, sys: 9.77 ms, total: 133 ms Wall time: 539 ms
Collect ALL Mobile ATT&CK (TAXII)
%time all_mobile = lift.get_mobile()
CPU times: user 300 ms, sys: 16.7 ms, total: 317 ms Wall time: 766 ms
The get_stix_objects() function returns a dictionary with all the STIX object types from all matrices. Compare the wall time below with the three per-matrix calls above: collecting everything in one call is markedly slower, so if you only need one matrix, use get_enterprise(), get_pre() or get_mobile() instead.
%time all_attack = lift.get_stix_objects()
CPU times: user 2min 48s, sys: 823 ms, total: 2min 49s Wall time: 2min 54s
type(all_attack)
dict
print("Number of Techniques in ATT&CK")
print(len(all_attack['techniques']))
Number of Techniques in ATT&CK
1024
techniques = []
for t in all_attack['techniques']:
    techniques.append(json.loads(t.serialize()))
df = pandas.json_normalize(techniques)
df.reindex(['created','name', 'x_mitre_data_sources', 'x_mitre_platforms'], axis=1)[0:5]
created | name | x_mitre_data_sources | x_mitre_platforms | |
---|---|---|---|---|
0 | 2020-10-20T00:09:33.072Z | Network Device CLI | [Network device logs, Network device run-time ... | [Network] |
1 | 2020-10-20T00:08:21.745Z | Network Device Configuration Dump | [Netflow/Enclave netflow, Network protocol ana... | [Network] |
2 | 2020-10-20T00:06:56.180Z | TFTP Boot | [Network device run-time memory, Network devic... | [Network] |
3 | 2020-10-20T00:05:48.790Z | ROMMONkit | [File monitoring, Netflow/Enclave netflow, Net... | [Network] |
4 | 2020-10-19T23:51:05.953Z | SNMP (MIB Dump) | [Netflow/Enclave netflow, Network protocol ana... | [Network] |
Showing the schema of Techniques
This schema covers techniques from Enterprise, PRE and Mobile ATT&CK
list(df)
['id', 'description', 'name', 'created_by_ref', 'object_marking_refs', 'external_references', 'type', 'kill_chain_phases', 'modified', 'created', 'x_mitre_data_sources', 'x_mitre_platforms', 'x_mitre_is_subtechnique', 'x_mitre_version', 'x_mitre_detection', 'x_mitre_permissions_required', 'x_mitre_defense_bypassed', 'x_mitre_contributors', 'x_mitre_system_requirements', 'x_mitre_network_requirements', 'x_mitre_effective_permissions', 'x_mitre_remote_support', 'x_mitre_impact_type', 'revoked', 'x_mitre_deprecated', 'x_mitre_old_attack_id', 'x_mitre_difficulty_for_adversary_explanation', 'x_mitre_difficulty_for_adversary', 'x_mitre_detectable_by_common_defenses_explanation', 'x_mitre_detectable_by_common_defenses', 'x_mitre_tactic_type']
Showing one technique example
techniques[0]
{'id': 'attack-pattern--818302b2-d640-477b-bf88-873120ce85c4', 'description': 'Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \n\nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or secure shell (SSH).\n\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)', 'name': 'Network Device CLI', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'source_name': 'mitre-attack', 'external_id': 'T1059.008', 'url': 'https://attack.mitre.org/techniques/T1059/008'}, {'source_name': 'Cisco Synful Knock Evolution', 'url': 'https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices', 'description': 'Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.'}, {'source_name': 'Cisco IOS Software Integrity Assurance - Command History', 'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#23', 'description': 'Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.'}], 'type': 'attack-pattern', 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack', 'phase_name': 'execution'}], 'modified': '2020-10-22T16:43:38.388Z', 'created': '2020-10-20T00:09:33.072Z', 'x_mitre_data_sources': ['Network device logs', 'Network device run-time memory', 'Network device command history', 'Network device configuration'], 'x_mitre_platforms': ['Network'], 'x_mitre_is_subtechnique': True, 'x_mitre_version': '1.0', 'x_mitre_detection': 'Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.(Citation: Cisco IOS Software Integrity Assurance - Command History)\n\nConsider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.', 'x_mitre_permissions_required': ['Administrator', 'User']}
print("Number of Mitigations in ATT&CK")
print(len(all_attack['mitigations']))
Number of Mitigations in ATT&CK
296
mitigations = []
for t in all_attack['mitigations']:
    mitigations.append(json.loads(t.serialize()))
df = pandas.json_normalize(mitigations)
df[0:4]
created_by_ref | object_marking_refs | external_references | description | name | id | type | modified | created | x_mitre_version | x_mitre_deprecated | x_mitre_old_attack_id | |
---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | This category is used for any applicable mitig... | Pre-compromise | course-of-action--78bb71be-92b4-46de-acd6-5f99... | course-of-action | 2020-10-20T19:52:32.439Z | 2020-10-19T14:57:58.771Z | 1.0 | NaN | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | This category is to associate techniques that ... | Do Not Mitigate | course-of-action--787fb64d-c87b-4ee5-a341-0ef1... | course-of-action | 2019-07-23T14:44:24.727Z | 2019-07-19T14:58:42.715Z | 1.0 | NaN | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | Implement configuration changes to software (o... | Software Configuration | course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... | course-of-action | 2020-03-31T13:11:09.471Z | 2019-07-19T14:40:23.529Z | 1.1 | NaN | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | Take and store data backups from end user syst... | Data Backup | course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... | course-of-action | 2020-03-31T13:11:28.201Z | 2019-07-19T14:33:33.543Z | 1.1 | NaN | NaN |
list(df)
['created_by_ref', 'object_marking_refs', 'external_references', 'description', 'name', 'id', 'type', 'modified', 'created', 'x_mitre_version', 'x_mitre_deprecated', 'x_mitre_old_attack_id']
print("Number of Groups in ATT&CK")
print(len(all_attack['groups']))
Number of Groups in ATT&CK
113
groups = []
for t in all_attack['groups']:
    groups.append(json.loads(t.serialize()))
df = pandas.json_normalize(groups)
df[0:4]
created_by_ref | object_marking_refs | external_references | name | description | type | id | aliases | modified | created | x_mitre_version | x_mitre_contributors | revoked | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'G0115', 'source_name': 'mitr... | GOLD SOUTHFIELD | [GOLD SOUTHFIELD](https://attack.mitre.org/gro... | intrusion-set | intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a... | [GOLD SOUTHFIELD] | 2020-10-06T15:32:20.089Z | 2020-09-22T19:41:27.845Z | 1.0 | NaN | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'G0114', 'source_name': 'mitr... | Chimera | [Chimera](https://attack.mitre.org/groups/G011... | intrusion-set | intrusion-set--8c1f0187-0826-4320-bddc-5f326cf... | [Chimera] | 2020-10-05T20:59:57.694Z | 2020-08-24T17:01:55.842Z | 1.0 | NaN | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'G0112', 'source_name': 'mitr... | Windshift | [Windshift](https://attack.mitre.org/groups/G0... | intrusion-set | intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a... | [Windshift, Bahamut] | 2020-06-26T13:46:14.122Z | 2020-06-25T17:16:39.168Z | 1.0 | NaN | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'G0108', 'source_name': 'mitr... | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/gr... | intrusion-set | intrusion-set--73a80fab-2aa3-48e0-a4d0-3a48282... | [Blue Mockingbird] | 2020-06-25T13:59:09.596Z | 2020-05-26T20:09:39.139Z | 1.0 | [Tony Lambert, Red Canary] | NaN |
Showing the schema of Groups
list(df)
['created_by_ref', 'object_marking_refs', 'external_references', 'name', 'description', 'type', 'id', 'aliases', 'modified', 'created', 'x_mitre_version', 'x_mitre_contributors', 'revoked']
Showing one Group example
groups[0]
{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'external_id': 'G0115', 'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0115'}, {'source_name': 'Secureworks REvil September 2019', 'url': 'https://www.secureworks.com/research/revil-sodinokibi-ransomware', 'description': 'Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.'}, {'source_name': 'Secureworks GandCrab and REvil September 2019', 'url': 'https://www.secureworks.com/blog/revil-the-gandcrab-connection', 'description': 'Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.'}, {'source_name': 'Secureworks GOLD SOUTHFIELD', 'url': 'https://www.secureworks.com/research/threat-profiles/gold-southfield', 'description': 'Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.'}], 'name': 'GOLD SOUTHFIELD', 'description': '[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)', 'type': 'intrusion-set', 'id': 'intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133', 'aliases': ['GOLD SOUTHFIELD'], 'modified': '2020-10-06T15:32:20.089Z', 'created': '2020-09-22T19:41:27.845Z', 'x_mitre_version': '1.0'}
print("Number of Malware in ATT&CK")
print(len(all_attack['malware']))
Number of Malware in ATT&CK
459
malware = []
for t in all_attack['malware']:
    malware.append(json.loads(t.serialize()))
df = pandas.json_normalize(malware)
df[0:4]
external_references | object_marking_refs | created_by_ref | description | name | id | type | labels | modified | created | x_mitre_version | x_mitre_aliases | x_mitre_platforms | x_mitre_contributors | revoked | x_mitre_old_attack_id | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | [{'external_id': 'S0519', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [SYNful Knock](https://attack.mitre.org/softwa... | SYNful Knock | malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053 | malware | [malware] | 2020-10-22T17:35:04.950Z | 2020-10-19T16:38:11.279Z | 1.0 | [SYNful Knock] | [Network] | NaN | NaN | NaN |
1 | [{'external_id': 'S0516', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [SoreFang](https://attack.mitre.org/software/S... | SoreFang | malware--e33e4603-afab-402d-b2a1-248d435b5fe0 | malware | [malware] | 2020-10-06T16:10:42.422Z | 2020-09-29T19:33:35.122Z | 1.0 | [SoreFang] | [Windows] | NaN | NaN | NaN |
2 | [{'external_id': 'S0515', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [WellMail](https://attack.mitre.org/software/S... | WellMail | malware--959f3b19-2dc8-48d5-8942-c66813a5101a | malware | [malware] | 2020-10-09T15:38:41.755Z | 2020-09-29T17:48:27.517Z | 1.0 | [WellMail] | [Windows] | [Josh Campbell, Cyborg Security, @cyb0rgsecur1ty] | NaN | NaN |
3 | [{'external_id': 'S0514', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [WellMess](https://attack.mitre.org/software/S... | WellMess | malware--3a4197ae-ec63-4162-907b-9a073d1157e4 | malware | [malware] | 2020-10-09T19:41:25.983Z | 2020-09-24T19:39:44.392Z | 1.0 | [WellMess] | [Windows] | [Daniyal Naeem, @Mrdaniyalnaeem] | NaN | NaN |
Showing the schema of Malware
list(df)
['external_references', 'object_marking_refs', 'created_by_ref', 'description', 'name', 'id', 'type', 'labels', 'modified', 'created', 'x_mitre_version', 'x_mitre_aliases', 'x_mitre_platforms', 'x_mitre_contributors', 'revoked', 'x_mitre_old_attack_id']
Showing one Malware example
malware[0]
{'external_references': [{'external_id': 'S0519', 'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/software/S0519'}, {'source_name': 'FireEye - Synful Knock', 'url': 'https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html', 'description': 'Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.'}, {'source_name': 'Cisco Synful Knock Evolution', 'url': 'https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices', 'description': 'Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'description': "[SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: FireEye - Synful Knock)(Citation: Cisco Synful Knock Evolution)", 'name': 'SYNful Knock', 'id': 'malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053', 'type': 'malware', 'labels': ['malware'], 'modified': '2020-10-22T17:35:04.950Z', 'created': '2020-10-19T16:38:11.279Z', 'x_mitre_version': '1.0', 'x_mitre_aliases': ['SYNful Knock'], 'x_mitre_platforms': ['Network']}
print("Number of Tools in ATT&CK")
print(len(all_attack['tools']))
Number of Tools in ATT&CK
64
tools = []
for t in all_attack['tools']:
    tools.append(json.loads(t.serialize()))
df = pandas.json_normalize(tools)
df[0:4]
id | name | description | created_by_ref | object_marking_refs | external_references | type | labels | modified | created | x_mitre_version | x_mitre_aliases | x_mitre_platforms | x_mitre_contributors | x_mitre_old_attack_id | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | tool--975737f1-b10d-476f-8bda-3ec26ea57172 | MCMD | [MCMD](https://attack.mitre.org/software/S0500... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'S0500', 'source_name': 'mitr... | tool | [tool] | 2020-08-20T14:52:23.369Z | 2020-08-13T17:15:25.702Z | 1.0 | [MCMD] | [Windows] | NaN | NaN |
1 | tool--c4810609-7da6-48ec-8057-1b70a7814db0 | CrackMapExec | [CrackMapExec](https://attack.mitre.org/softwa... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'S0488', 'source_name': 'mitr... | tool | [tool] | 2020-07-29T20:19:40.544Z | 2020-07-17T14:23:05.958Z | 1.0 | [CrackMapExec] | [Windows] | NaN | NaN |
2 | tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4 | CARROTBALL | [CARROTBALL](https://attack.mitre.org/software... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'S0465', 'source_name': 'mitr... | tool | [tool] | 2020-06-10T14:44:23.055Z | 2020-06-02T19:10:29.513Z | 1.0 | [CARROTBALL] | [Windows] | NaN | NaN |
3 | tool--115f88dd-0618-4389-83cb-98d33ae81848 | ShimRatReporter | [ShimRatReporter](https://attack.mitre.org/sof... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'S0445', 'source_name': 'mitr... | tool | [tool] | 2020-05-27T22:39:28.701Z | 2020-05-12T21:29:48.294Z | 1.0 | [ShimRatReporter] | [Windows] | NaN | NaN |
Showing the schema of Tools
list(df)
['id', 'name', 'description', 'created_by_ref', 'object_marking_refs', 'external_references', 'type', 'labels', 'modified', 'created', 'x_mitre_version', 'x_mitre_aliases', 'x_mitre_platforms', 'x_mitre_contributors', 'x_mitre_old_attack_id']
Showing one Tool example
tools[0]
{'id': 'tool--975737f1-b10d-476f-8bda-3ec26ea57172', 'name': 'MCMD', 'description': '[MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074).(Citation: Secureworks MCMD July 2019)', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'external_id': 'S0500', 'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/software/S0500'}, {'source_name': 'Secureworks MCMD July 2019', 'url': 'https://www.secureworks.com/research/mcmd-malware-analysis', 'description': 'Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.'}], 'type': 'tool', 'labels': ['tool'], 'modified': '2020-08-20T14:52:23.369Z', 'created': '2020-08-13T17:15:25.702Z', 'x_mitre_version': '1.0', 'x_mitre_aliases': ['MCMD'], 'x_mitre_platforms': ['Windows']}
print("Number of Relationships in ATT&CK")
print(len(all_attack['relationships']))
Number of Relationships in ATT&CK
10635
relationships = []
for t in all_attack['relationships']:
    relationships.append(json.loads(t.serialize()))
df = pandas.json_normalize(relationships)
df[0:4]
object_marking_refs | external_references | id | type | created | description | created_by_ref | modified | source_ref | relationship_type | target_ref | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd... | relationship | 2020-11-10T18:04:03.668Z | (Citation: FireEye KEGTAP SINGLEMALT October 2... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | 2020-11-10T18:04:03.668Z | intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | uses | malware--a7881f21-e978-4fe4-af56-92c9416a2616 |
1 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | relationship--c118e50b-4559-4bff-bde5-78aa426f... | relationship | 2020-11-10T18:04:03.666Z | (Citation: FireEye KEGTAP SINGLEMALT October 2... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | 2020-11-10T18:04:03.666Z | intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | uses | tool--afc079f3-c0ea-4096-b75d-3f05338b7f60 |
2 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'DFIR Ryuk's Return October 2... | relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e... | relationship | 2020-11-10T18:04:03.589Z | (Citation: DFIR Ryuk's Return October 2020)(Ci... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | 2020-11-10T18:04:03.589Z | intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | uses | tool--b77b563c-34bb-4fb8-86a3-3694338f7b47 |
3 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | relationship--585842e6-fe9a-4508-8e67-c232f8aa... | relationship | 2020-11-10T18:04:03.571Z | (Citation: FireEye KEGTAP SINGLEMALT October 2... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | 2020-11-10T18:04:03.571Z | intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | uses | tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf |
Showing the schema of Relationships
list(df)
['object_marking_refs', 'external_references', 'id', 'type', 'created', 'description', 'created_by_ref', 'modified', 'source_ref', 'relationship_type', 'target_ref']
Showing one Relationship example
relationships[0]
{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'source_name': 'FireEye KEGTAP SINGLEMALT October 2020', 'description': 'Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.', 'url': 'https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html'}, {'source_name': 'DHS/CISA Ransomware Targeting Healthcare October 2020', 'description': 'DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.', 'url': 'https://us-cert.cisa.gov/ncas/alerts/aa20-302a'}, {'source_name': "DFIR Ryuk's Return October 2020", 'description': 'The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.', 'url': 'https://thedfirreport.com/2020/10/08/ryuks-return/'}, {'source_name': 'DFIR Ryuk 2 Hour Speed Run November 2020', 'description': 'The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.', 'url': 'https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/'}, {'source_name': 'DFIR Ryuk in 5 Hours October 2020', 'description': 'The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.', 'url': 'https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/'}, {'source_name': 'Sophos New Ryuk Attack October 2020', 'description': 'Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.', 'url': 'https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/'}], 'id': 'relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd06b0', 'type': 'relationship', 'created': '2020-11-10T18:04:03.668Z', 'description': "(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)", 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'modified': '2020-11-10T18:04:03.668Z', 'source_ref': 'intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7', 'relationship_type': 'uses', 'target_ref': 'malware--a7881f21-e978-4fe4-af56-92c9416a2616'}
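The relationship above is what ties groups, software and techniques together, and it is worth noticing that `source_ref` and `target_ref` are STIX ids, not ATT&CK IDs: a group's technique list has to be resolved through each object's `external_references` (the `mitre-attack` entry carries `T1059.008`, `G0115`, `S0519`), and techniques reached through software need a second hop. The technique schema shown earlier also carries `revoked` and `x_mitre_deprecated`, which stay in the bundle and must be filtered when reporting. The following is an added example, not code from the notebook or from attackcti, that does both on plain dicts of the shape `json.loads(obj.serialize())` produces; in the notebook you would pass the serialized `all_attack['techniques']`, `all_attack['malware'] + all_attack['tools']` and `all_attack['relationships']`. The sample objects are constructed and trimmed to the fields used: T1059.008 and S0519 carry their real STIX ids from the output above, while the group G0000, the techniques T0000/T0001 and all four relationships are placeholders.

```python
"""Flatten ATT&CK STIX dicts and walk 'uses' relationships.

Added example; not from the notebook or attackcti. Input objects are plain
dicts as produced by json.loads(obj.serialize()). The sample data below is
constructed: T1059.008 and S0519 use their real STIX ids, everything else
(G0000, T0000, T0001, the relationships) is a placeholder.
"""
from collections import defaultdict

MITRE_SOURCES = {"mitre-attack", "mitre-pre-attack", "mitre-mobile-attack"}

TECHNIQUES = [
    {"type": "attack-pattern",
     "id": "attack-pattern--818302b2-d640-477b-bf88-873120ce85c4",
     "name": "Network Device CLI",
     "external_references": [
         {"source_name": "mitre-attack", "external_id": "T1059.008",
          "url": "https://attack.mitre.org/techniques/T1059/008"},
         {"source_name": "Cisco Synful Knock Evolution",  # non-ATT&CK reference: must be skipped
          "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "x_mitre_platforms": ["Network"], "x_mitre_is_subtechnique": True},
    {"type": "attack-pattern",  # placeholder, revoked: must be dropped everywhere
     "id": "attack-pattern--00000000-0000-4000-8000-000000000000",
     "name": "Placeholder (revoked)", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"}]},
    {"type": "attack-pattern",  # placeholder, active, reachable only through software
     "id": "attack-pattern--00000000-0000-4000-8000-000000000001",
     "name": "Placeholder (active)",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0001"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}]},
]
SOFTWARE = [
    {"type": "malware", "id": "malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053",
     "name": "SYNful Knock",
     "external_references": [{"source_name": "mitre-attack", "external_id": "S0519"}]},
]
GROUP = {"type": "intrusion-set",  # placeholder group
         "id": "intrusion-set--00000000-0000-4000-8000-000000000002",
         "name": "Placeholder Group",
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0000"}]}


def _uses(src, dst):
    return {"type": "relationship", "relationship_type": "uses",
            "source_ref": src, "target_ref": dst}


RELATIONSHIPS = [  # all constructed for the example
    _uses(GROUP["id"], TECHNIQUES[0]["id"]),        # group uses T1059.008 directly
    _uses(GROUP["id"], TECHNIQUES[1]["id"]),        # group uses a revoked technique
    _uses(GROUP["id"], SOFTWARE[0]["id"]),          # group uses S0519
    _uses(SOFTWARE[0]["id"], TECHNIQUES[2]["id"]),  # S0519 uses T0001 (second hop)
]


def attack_id(obj):
    """ATT&CK ID (T1059.008, G0115, S0519 ...) from external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in MITRE_SOURCES and "external_id" in ref:
            return ref["external_id"]
    return None


def is_active(obj):
    """Revoked and deprecated objects stay in the bundle; skip them when reporting."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def tactics_of(technique):
    """Tactic shortnames of a technique (phase_name equals the tactic's x_mitre_shortname)."""
    return [p["phase_name"] for p in technique.get("kill_chain_phases", [])]


def technique_rows(techniques):
    """One flat row per active technique, ready for pandas.json_normalize or csv.DictWriter."""
    return [{"attack_id": attack_id(t), "name": t["name"], "tactics": tactics_of(t),
             "platforms": t.get("x_mitre_platforms", []),
             "is_subtechnique": t.get("x_mitre_is_subtechnique", False)}
            for t in techniques if is_active(t)]


def techniques_used_by(group_id, techniques, software, relationships, via_software=True):
    """{ATT&CK ID: name} of active techniques a group uses, directly and optionally via software."""
    by_id = {t["id"]: t for t in techniques}
    software_ids = {s["id"] for s in software}
    uses = defaultdict(set)  # source STIX id -> target STIX ids
    for rel in relationships:
        if rel.get("relationship_type") == "uses" and is_active(rel):
            uses[rel["source_ref"]].add(rel["target_ref"])
    targets = set(uses[group_id])
    if via_software:
        for sw in [ref for ref in targets if ref in software_ids]:
            targets |= uses[sw]
    return {attack_id(by_id[ref]): by_id[ref]["name"]
            for ref in targets if ref in by_id and is_active(by_id[ref])}


if __name__ == "__main__":
    for row in technique_rows(TECHNIQUES):
        print(row)
    print(techniques_used_by(GROUP["id"], TECHNIQUES, SOFTWARE, RELATIONSHIPS))
```

The software hop matters for coverage work: in real data many group-to-technique links exist only as "group uses software" plus "software uses technique", so a direct-only join understates what a group can do. The revoked technique is dropped even though a relationship still points at it, which is the normal state of the bundle after a technique is merged into another.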
print("Number of Tactics in ATT&CK")
print(len(all_attack['tactics']))
Number of Tactics in ATT&CK
54
df = pandas.json_normalize(all_attack['tactics'])
df[0:4]
created_by_ref | object_marking_refs | external_references | name | description | id | type | modified | created | x_mitre_shortname | x_mitre_deprecated | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'TA0043', 'source_name': 'mit... | Reconnaissance | The adversary is trying to gather information ... | x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd... | x-mitre-tactic | 2020-10-18T02:04:50.842Z | 2020-10-02T14:48:41.809Z | reconnaissance | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'TA0042', 'source_name': 'mit... | Resource Development | The adversary is trying to establish resources... | x-mitre-tactic--d679bca2-e57d-4935-8650-8031c8... | x-mitre-tactic | 2020-09-30T16:31:36.322Z | 2020-09-30T16:11:59.650Z | resource-development | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'TA0040', 'source_name': 'mit... | Impact | The adversary is trying to manipulate, interru... | x-mitre-tactic--5569339b-94c2-49ee-afb3-222293... | x-mitre-tactic | 2019-07-25T18:42:23.222Z | 2019-03-14T18:44:44.639Z | impact | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'TA0005', 'url': 'https://att... | Defense Evasion | The adversary is trying to avoid being detecte... | x-mitre-tactic--78b23412-0651-46d7-a540-170a1c... | x-mitre-tactic | 2019-07-19T17:43:23.473Z | 2018-10-17T00:14:20.652Z | defense-evasion | NaN |
Showing the schema of Tactics
list(df)
['created_by_ref', 'object_marking_refs', 'external_references', 'name', 'description', 'id', 'type', 'modified', 'created', 'x_mitre_shortname', 'x_mitre_deprecated']
print("Number of Matrices in ATT&CK")
print(len(all_attack['matrix']))
Number of Matrices in ATT&CK
5
df = pandas.json_normalize(all_attack['matrix'])
df[0:4]
id | created_by_ref | name | description | external_references | object_marking_refs | type | tactic_refs | modified | created | x_mitre_deprecated | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a8... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Enterprise ATT&CK | Below are the tactics and technique representi... | [{'external_id': 'enterprise-attack', 'source_... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | x-mitre-matrix | [x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1ef... | 2020-10-27T02:27:31.332Z | 2018-10-17T00:14:20.652Z | NaN |
1 | x-mitre-matrix--2e2c97c3-1908-4e2d-a711-a27d38... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | PRE-ATT&CK | This object is deprecated as its content has b... | [{'external_id': 'pre-attack', 'source_name': ... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | x-mitre-matrix | [x-mitre-tactic--b2a086f2-d3db-408b-b4d4-e09a1... | 2020-10-22T15:43:48.844Z | 2018-10-17T00:14:20.652Z | True |
2 | x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff0... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Device Access | Below are the tactics and techniques represent... | [{'external_id': 'mobile-attack', 'url': 'http... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | x-mitre-matrix | [x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290... | 2020-10-23T15:05:40.962Z | 2018-10-17T00:14:20.652Z | NaN |
3 | x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Network-Based Effects | Below are the tactics and techniques represent... | [{'external_id': 'mobile-attack', 'url': 'http... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | x-mitre-matrix | [x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc4... | 2020-07-02T14:18:17.535Z | 2018-10-17T00:14:20.652Z | NaN |
Showing the schema of Matrices
list(df)
['id', 'created_by_ref', 'name', 'description', 'external_references', 'object_marking_refs', 'type', 'tactic_refs', 'modified', 'created', 'x_mitre_deprecated']
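The `tactic_refs` column is the one piece of ordering information in the bundle: a matrix lists its tactics in display order, and a technique hangs off a tactic through `kill_chain_phases[].phase_name`, which equals the tactic's `x_mitre_shortname`. Two things bite when rebuilding a matrix from these objects: the tactics collection mixes all matrices (54 objects above, for 5 matrices), so tactics must be resolved through `tactic_refs` rather than taken wholesale, and Enterprise and Mobile reuse shortnames such as `defense-evasion`, so the phase's `kill_chain_name` (`mitre-attack`, `mitre-mobile-attack`, `mitre-pre-attack`) must be checked as well. The following is an added example, not code from the notebook or attackcti, that does this on serialized dicts; the matrix and tactic UUIDs and the techniques T0000/T0001 are placeholders, the tactic IDs TA0043, TA0042, TA0002, TA0005 and TA0040 and the technique T1059.008 are real.

```python
"""Rebuild a matrix's columns from x-mitre-matrix.tactic_refs.

Added example; not from the notebook or attackcti. All objects are
constructed and trimmed: matrix/tactic UUIDs and techniques T0000/T0001
are placeholders, T1059.008 carries its real STIX id.
"""

# external_id of a matrix object -> kill_chain_name its techniques use
KILL_CHAIN = {"enterprise-attack": "mitre-attack",
              "mobile-attack": "mitre-mobile-attack",
              "pre-attack": "mitre-pre-attack"}


def _tactic(n, name, shortname, external_id):
    return {"type": "x-mitre-tactic",
            "id": "x-mitre-tactic--00000000-0000-4000-8000-%012d" % n,  # placeholder id
            "name": name, "x_mitre_shortname": shortname,
            "external_references": [{"source_name": "mitre-attack", "external_id": external_id}]}


# Deliberately not in matrix order; Impact is left out of the sample matrix's tactic_refs.
TACTICS = [
    _tactic(5, "Defense Evasion", "defense-evasion", "TA0005"),
    _tactic(43, "Reconnaissance", "reconnaissance", "TA0043"),
    _tactic(2, "Execution", "execution", "TA0002"),
    _tactic(40, "Impact", "impact", "TA0040"),
    _tactic(42, "Resource Development", "resource-development", "TA0042"),
]
ENTERPRISE = {
    "type": "x-mitre-matrix", "name": "Enterprise ATT&CK",
    "id": "x-mitre-matrix--00000000-0000-4000-8000-000000000100",  # placeholder id
    "external_references": [{"source_name": "mitre-attack", "external_id": "enterprise-attack",
                             "url": "https://attack.mitre.org/matrices/enterprise"}],
    "tactic_refs": [TACTICS[1]["id"], TACTICS[4]["id"], TACTICS[2]["id"], TACTICS[0]["id"]],
}
TECHNIQUES = [
    {"id": "attack-pattern--818302b2-d640-477b-bf88-873120ce85c4", "name": "Network Device CLI",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.008"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
    {"id": "attack-pattern--00000000-0000-4000-8000-000000000000", "name": "Placeholder",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "impact"}]},
    {"id": "attack-pattern--00000000-0000-4000-8000-000000000001", "name": "Mobile placeholder",
     "external_references": [{"source_name": "mitre-mobile-attack", "external_id": "T0001"}],
     # same shortname as the Enterprise tactic, different kill chain: must not land in Enterprise
     "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}]},
]


def attack_id(obj):
    """ATT&CK ID from the mitre-* entry of external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name", "").startswith("mitre") and "external_id" in ref:
            return ref["external_id"]
    return None


def matrix_kill_chain(matrix):
    """kill_chain_name that techniques of this matrix carry in kill_chain_phases."""
    for ref in matrix.get("external_references", []):
        if ref.get("external_id") in KILL_CHAIN:
            return KILL_CHAIN[ref["external_id"]]
    raise ValueError("matrix has no known external_id")


def ordered_tactics(matrix, tactics):
    """Tactic objects of the matrix in display (column) order, skipping unresolved refs."""
    by_id = {t["id"]: t for t in tactics}
    return [by_id[ref] for ref in matrix["tactic_refs"] if ref in by_id]


def matrix_columns(matrix, tactics, techniques):
    """{tactic shortname: [ATT&CK IDs]} in column order; a technique appears once per phase."""
    chain = matrix_kill_chain(matrix)
    columns = {t["x_mitre_shortname"]: [] for t in ordered_tactics(matrix, tactics)}
    for tech in techniques:
        if tech.get("revoked") or tech.get("x_mitre_deprecated"):
            continue
        for phase in tech.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == chain and phase.get("phase_name") in columns:
                columns[phase["phase_name"]].append(attack_id(tech))
    return columns


if __name__ == "__main__":
    for shortname, ids in matrix_columns(ENTERPRISE, TACTICS, TECHNIQUES).items():
        print("%-22s %s" % (shortname, ids))
```

In the notebook the same call is `matrix_columns(json.loads(m.serialize()), tactics, techniques)` for each `m` in `all_attack['matrix']`, with `tactics` and `techniques` serialized as the earlier cells do. The Impact tactic exists in the sample tactics list but is absent from the matrix's `tactic_refs`, so it gets no column and the placeholder's `impact` phase is ignored, which is what you want when a technique belongs to a tactic another matrix does not display.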
Enterprise Techniques
print("Number of Techniques in Enterprise ATT&CK")
print(len(all_enterprise['techniques']))
Number of Techniques in Enterprise ATT&CK
665
techniques = []
for t in all_enterprise['techniques']:
    techniques.append(json.loads(t.serialize()))
df = pandas.json_normalize(techniques)
df[0:4]
id | description | name | created_by_ref | object_marking_refs | external_references | type | kill_chain_phases | modified | created | ... | x_mitre_permissions_required | x_mitre_defense_bypassed | x_mitre_contributors | x_mitre_system_requirements | x_mitre_network_requirements | x_mitre_effective_permissions | x_mitre_remote_support | x_mitre_impact_type | revoked | x_mitre_deprecated | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | attack-pattern--818302b2-d640-477b-bf88-873120... | Adversaries may abuse scripting or built-in co... | Network Device CLI | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | attack-pattern | [{'kill_chain_name': 'mitre-attack', 'phase_na... | 2020-10-22T16:43:38.388Z | 2020-10-20T00:09:33.072Z | ... | [Administrator, User] | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
1 | attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf... | Adversaries may access network configuration f... | Network Device Configuration Dump | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | attack-pattern | [{'kill_chain_name': 'mitre-attack', 'phase_na... | 2020-10-22T01:45:55.144Z | 2020-10-20T00:08:21.745Z | ... | [Administrator] | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
2 | attack-pattern--28abec6c-4443-4b03-8206-07f2e2... | Adversaries may abuse netbooting to load an un... | TFTP Boot | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | attack-pattern | [{'kill_chain_name': 'mitre-attack', 'phase_na... | 2020-10-22T16:35:53.806Z | 2020-10-20T00:06:56.180Z | ... | [Administrator] | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
3 | attack-pattern--a6557c75-798f-42e4-be70-ab4502... | Adversaries may abuse the ROM Monitor (ROMMON)... | ROMMONkit | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | attack-pattern | [{'kill_chain_name': 'mitre-attack', 'phase_na... | 2020-10-22T02:18:19.568Z | 2020-10-20T00:05:48.790Z | ... | [Administrator] | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
4 rows × 25 columns
Enterprise Mitigations
print("Number of Mitigations in Enterprise ATT&CK")
print(len(all_enterprise['mitigations']))
Number of Mitigations in Enterprise ATT&CK
267
mitigations = []
for t in all_enterprise['mitigations']:
    mitigations.append(json.loads(t.serialize()))
df = pandas.json_normalize(mitigations)
df[0:5]
created_by_ref | object_marking_refs | external_references | description | name | id | type | modified | created | x_mitre_version | x_mitre_deprecated | x_mitre_old_attack_id | |
---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | This category is used for any applicable mitig... | Pre-compromise | course-of-action--78bb71be-92b4-46de-acd6-5f99... | course-of-action | 2020-10-20T19:52:32.439Z | 2020-10-19T14:57:58.771Z | 1.0 | NaN | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | This category is to associate techniques that ... | Do Not Mitigate | course-of-action--787fb64d-c87b-4ee5-a341-0ef1... | course-of-action | 2019-07-23T14:44:24.727Z | 2019-07-19T14:58:42.715Z | 1.0 | NaN | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | Implement configuration changes to software (o... | Software Configuration | course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... | course-of-action | 2020-03-31T13:11:09.471Z | 2019-07-19T14:40:23.529Z | 1.1 | NaN | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | Take and store data backups from end user syst... | Data Backup | course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... | course-of-action | 2020-03-31T13:11:28.201Z | 2019-07-19T14:33:33.543Z | 1.1 | NaN | NaN |
4 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | Configure Windows User Account Control to miti... | User Account Control | course-of-action--2c2ad92a-d710-41ab-a996-1db1... | course-of-action | 2020-03-31T13:49:49.636Z | 2019-06-11T17:14:35.170Z | 1.1 | NaN | NaN |
Enterprise Groups
print("Number of Groups in Enterprise ATT&CK")
print(len(all_enterprise['groups']))
Number of Groups in Enterprise ATT&CK 110
groups = []
for t in all_enterprise['groups']:
    groups.append(json.loads(t.serialize()))
df = pandas.json_normalize(groups)
df[0:4]
index | created_by_ref | object_marking_refs | external_references | name | description | type | id | aliases | modified | created | x_mitre_version | x_mitre_contributors | revoked
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'G0115', 'source_name': 'mitr... | GOLD SOUTHFIELD | [GOLD SOUTHFIELD](https://attack.mitre.org/gro... | intrusion-set | intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a... | [GOLD SOUTHFIELD] | 2020-10-06T15:32:20.089Z | 2020-09-22T19:41:27.845Z | 1.0 | NaN | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'G0114', 'source_name': 'mitr... | Chimera | [Chimera](https://attack.mitre.org/groups/G011... | intrusion-set | intrusion-set--8c1f0187-0826-4320-bddc-5f326cf... | [Chimera] | 2020-10-05T20:59:57.694Z | 2020-08-24T17:01:55.842Z | 1.0 | NaN | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'G0112', 'source_name': 'mitr... | Windshift | [Windshift](https://attack.mitre.org/groups/G0... | intrusion-set | intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a... | [Windshift, Bahamut] | 2020-06-26T13:46:14.122Z | 2020-06-25T17:16:39.168Z | 1.0 | NaN | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'G0108', 'source_name': 'mitr... | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/gr... | intrusion-set | intrusion-set--73a80fab-2aa3-48e0-a4d0-3a48282... | [Blue Mockingbird] | 2020-06-25T13:59:09.596Z | 2020-05-26T20:09:39.139Z | 1.0 | [Tony Lambert, Red Canary] | NaN |
Enterprise Malware
print("Number of Malware objects in Enterprise ATT&CK")
print(len(all_enterprise['malware']))
Number of Malware objects in Enterprise ATT&CK 376
malware = []
for t in all_enterprise['malware']:
    malware.append(json.loads(t.serialize()))
df = pandas.json_normalize(malware)
df[0:4]
index | external_references | object_marking_refs | created_by_ref | description | name | id | type | labels | modified | created | x_mitre_version | x_mitre_aliases | x_mitre_platforms | x_mitre_contributors | revoked
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | [{'external_id': 'S0519', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [SYNful Knock](https://attack.mitre.org/softwa... | SYNful Knock | malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053 | malware | [malware] | 2020-10-22T17:35:04.950Z | 2020-10-19T16:38:11.279Z | 1.0 | [SYNful Knock] | [Network] | NaN | NaN |
1 | [{'external_id': 'S0516', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [SoreFang](https://attack.mitre.org/software/S... | SoreFang | malware--e33e4603-afab-402d-b2a1-248d435b5fe0 | malware | [malware] | 2020-10-06T16:10:42.422Z | 2020-09-29T19:33:35.122Z | 1.0 | [SoreFang] | [Windows] | NaN | NaN |
2 | [{'external_id': 'S0515', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [WellMail](https://attack.mitre.org/software/S... | WellMail | malware--959f3b19-2dc8-48d5-8942-c66813a5101a | malware | [malware] | 2020-10-09T15:38:41.755Z | 2020-09-29T17:48:27.517Z | 1.0 | [WellMail] | [Windows] | [Josh Campbell, Cyborg Security, @cyb0rgsecur1ty] | NaN |
3 | [{'external_id': 'S0514', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [WellMess](https://attack.mitre.org/software/S... | WellMess | malware--3a4197ae-ec63-4162-907b-9a073d1157e4 | malware | [malware] | 2020-10-09T19:41:25.983Z | 2020-09-24T19:39:44.392Z | 1.0 | [WellMess] | [Windows] | [Daniyal Naeem, @Mrdaniyalnaeem] | NaN |
Enterprise Tools
print("Number of Tools in Enterprise ATT&CK")
print(len(all_enterprise['tools']))
Number of Tools in Enterprise ATT&CK 62
tools = []
for t in all_enterprise['tools']:
    tools.append(json.loads(t.serialize()))
df = pandas.json_normalize(tools)
df[0:4]
index | id | name | description | created_by_ref | object_marking_refs | external_references | type | labels | modified | created | x_mitre_version | x_mitre_aliases | x_mitre_platforms | x_mitre_contributors
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | tool--975737f1-b10d-476f-8bda-3ec26ea57172 | MCMD | [MCMD](https://attack.mitre.org/software/S0500... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'S0500', 'source_name': 'mitr... | tool | [tool] | 2020-08-20T14:52:23.369Z | 2020-08-13T17:15:25.702Z | 1.0 | [MCMD] | [Windows] | NaN |
1 | tool--c4810609-7da6-48ec-8057-1b70a7814db0 | CrackMapExec | [CrackMapExec](https://attack.mitre.org/softwa... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'S0488', 'source_name': 'mitr... | tool | [tool] | 2020-07-29T20:19:40.544Z | 2020-07-17T14:23:05.958Z | 1.0 | [CrackMapExec] | [Windows] | NaN |
2 | tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4 | CARROTBALL | [CARROTBALL](https://attack.mitre.org/software... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'S0465', 'source_name': 'mitr... | tool | [tool] | 2020-06-10T14:44:23.055Z | 2020-06-02T19:10:29.513Z | 1.0 | [CARROTBALL] | [Windows] | NaN |
3 | tool--115f88dd-0618-4389-83cb-98d33ae81848 | ShimRatReporter | [ShimRatReporter](https://attack.mitre.org/sof... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'S0445', 'source_name': 'mitr... | tool | [tool] | 2020-05-27T22:39:28.701Z | 2020-05-12T21:29:48.294Z | 1.0 | [ShimRatReporter] | [Windows] | NaN |
Enterprise Relationships
print("Number of Relationships in Enterprise ATT&CK")
print(len(all_enterprise['relationships']))
Number of Relationships in Enterprise ATT&CK 9263
relations = []
for t in all_enterprise['relationships']:
    relations.append(json.loads(t.serialize()))
df = pandas.json_normalize(relations)
df[0:4]
index | object_marking_refs | external_references | id | type | created | description | created_by_ref | modified | source_ref | relationship_type | target_ref
---|---|---|---|---|---|---|---|---|---|---|---|
0 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd... | relationship | 2020-11-10T18:04:03.668Z | (Citation: FireEye KEGTAP SINGLEMALT October 2... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | 2020-11-10T18:04:03.668Z | intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | uses | malware--a7881f21-e978-4fe4-af56-92c9416a2616 |
1 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | relationship--c118e50b-4559-4bff-bde5-78aa426f... | relationship | 2020-11-10T18:04:03.666Z | (Citation: FireEye KEGTAP SINGLEMALT October 2... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | 2020-11-10T18:04:03.666Z | intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | uses | tool--afc079f3-c0ea-4096-b75d-3f05338b7f60 |
2 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'DFIR Ryuk's Return October 2... | relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e... | relationship | 2020-11-10T18:04:03.589Z | (Citation: DFIR Ryuk's Return October 2020)(Ci... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | 2020-11-10T18:04:03.589Z | intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | uses | tool--b77b563c-34bb-4fb8-86a3-3694338f7b47 |
3 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | relationship--585842e6-fe9a-4508-8e67-c232f8aa... | relationship | 2020-11-10T18:04:03.571Z | (Citation: FireEye KEGTAP SINGLEMALT October 2... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | 2020-11-10T18:04:03.571Z | intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | uses | tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf |
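The relationship table above only carries STIX ids (`source_ref`, `target_ref`), so it is not readable until both ends are resolved against the groups, software, techniques and mitigations loaded earlier. The block below is an added example, not code from this notebook or from attackcti: it runs on a small constructed bundle (placeholder ids and names) and shows how to join `uses` and `mitigates` relationships back to names and ATT&CK ids, how to keep dangling references visible instead of dropping them, and how to follow the two hops group → software → technique that ATT&CK records as separate relationships.

```python
"""Resolve ATT&CK relationship objects to the things they connect.

Added example for this notebook, not attackcti's own code. The STIX objects
below are constructed in-line (hypothetical ids, made-up names) so it runs
offline; with live data, `objects` would be json.loads(o.serialize()) over
all_enterprise['groups'], ['malware'], ['tools'], ['techniques'] and
['mitigations'], and `relationships` over all_enterprise['relationships'].
"""

# source_name values under which ATT&CK stores its own ids, as seen in the
# external_references column of the tables in this notebook.
ATTACK_SOURCES = {"mitre-attack", "mitre-mobile-attack", "mitre-pre-attack"}

# Constructed sample data: placeholder ids, not real ATT&CK objects.
GROUP_ID = "intrusion-set--00000000-0000-4000-8000-000000000001"
MALWARE_ID = "malware--00000000-0000-4000-8000-000000000002"
TECHNIQUE_ID = "attack-pattern--00000000-0000-4000-8000-000000000003"
MITIGATION_ID = "course-of-action--00000000-0000-4000-8000-000000000004"
MISSING_ID = "attack-pattern--00000000-0000-4000-8000-00000000ffff"  # deliberately absent

SAMPLE_OBJECTS = [
    {"type": "intrusion-set", "id": GROUP_ID, "name": "Example Group",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G9901"}]},
    {"type": "malware", "id": MALWARE_ID, "name": "Example Implant",
     "external_references": [{"source_name": "mitre-attack", "external_id": "S9901"}]},
    {"type": "attack-pattern", "id": TECHNIQUE_ID, "name": "Example Technique",
     "external_references": [
         {"source_name": "Vendor Report", "url": "https://example.invalid/report"},
         {"source_name": "mitre-attack", "external_id": "T9901"}]},
    {"type": "course-of-action", "id": MITIGATION_ID, "name": "Example Mitigation",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M9901"}]},
]

SAMPLE_RELATIONSHIPS = [
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": GROUP_ID, "target_ref": MALWARE_ID},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": MALWARE_ID, "target_ref": TECHNIQUE_ID},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": MITIGATION_ID, "target_ref": TECHNIQUE_ID},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": GROUP_ID, "target_ref": MISSING_ID},  # dangling endpoint
]


def attack_id(obj):
    """Return the ATT&CK id (T1059, G0115, M1026, ...) of a STIX object, or None.

    ATT&CK keeps its own id next to ordinary citations in external_references,
    so match on source_name instead of assuming the first entry is the id.
    """
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in ATTACK_SOURCES and "external_id" in ref:
            return ref["external_id"]
    return None


def join_relationships(objects, relationships, relationship_types=("uses", "mitigates")):
    """Flatten relationships into rows with both endpoints resolved.

    Returns (rows, dangling). Rows are plain dicts, so pandas.DataFrame(rows)
    gives a readable table. A relationship whose endpoint is absent from
    `objects` (for example because only one matrix was loaded) goes to
    `dangling` rather than being dropped silently or raising KeyError.
    """
    by_id = {o["id"]: o for o in objects}
    rows, dangling = [], []
    for rel in relationships:
        if rel.get("relationship_type") not in relationship_types:
            continue
        src, dst = by_id.get(rel["source_ref"]), by_id.get(rel["target_ref"])
        if src is None or dst is None:
            dangling.append(rel)
            continue
        rows.append({
            "source": src["name"], "source_id": attack_id(src), "source_type": src["type"],
            "relationship": rel["relationship_type"],
            "target": dst["name"], "target_id": attack_id(dst), "target_type": dst["type"],
        })
    return rows, dangling


def techniques_used_by(group_ref, objects, relationships):
    """ATT&CK ids of techniques a group uses directly or through its software.

    ATT&CK records group->software and software->technique as separate `uses`
    relationships, so a group's technique footprint needs both hops.
    """
    by_id = {o["id"]: o for o in objects}
    uses = [(r["source_ref"], r["target_ref"])
            for r in relationships if r.get("relationship_type") == "uses"]
    software = {t for s, t in uses
                if s == group_ref and t.split("--")[0] in ("malware", "tool")}
    technique_refs = {t for s, t in uses
                      if (s == group_ref or s in software) and t.startswith("attack-pattern--")}
    ids = {attack_id(by_id[t]) for t in technique_refs if t in by_id}
    return sorted(i for i in ids if i is not None)


if __name__ == "__main__":
    rows, dangling = join_relationships(SAMPLE_OBJECTS, SAMPLE_RELATIONSHIPS)
    for row in rows:
        print(f"{row['source_id']} {row['source']} --{row['relationship']}--> "
              f"{row['target_id']} {row['target']}")
    print(f"{len(dangling)} relationship(s) with unresolved endpoints")
    print("Techniques used by G9901:",
          techniques_used_by(GROUP_ID, SAMPLE_OBJECTS, SAMPLE_RELATIONSHIPS))
```

The rows come back as flat dicts so `pandas.DataFrame(rows)` produces the same kind of table the notebook prints, but with names and ATT&CK ids instead of STIX uuids. Keeping `dangling` separate matters when you load only one matrix: a relationship from an Enterprise group to a Mobile technique would otherwise vanish without trace.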
Mobile Techniques
print("Number of Techniques in Mobile ATT&CK")
print(len(all_mobile['techniques']))
Number of Techniques in Mobile ATT&CK 104
techniques = []
for t in all_mobile['techniques']:
    techniques.append(json.loads(t.serialize()))
df = pandas.json_normalize(techniques)
df[0:4]
index | external_references | object_marking_refs | created_by_ref | name | description | id | type | kill_chain_phases | modified | created | x_mitre_version | x_mitre_is_subtechnique | x_mitre_tactic_type | x_mitre_detection | x_mitre_platforms | x_mitre_contributors | x_mitre_old_attack_id | revoked | x_mitre_deprecated
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | [{'source_name': 'mitre-mobile-attack', 'exter... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | SMS Control | Adversaries may delete, alter, or send SMS mes... | attack-pattern--b327a9c0-e709-495c-aa6e-00b042... | attack-pattern | [{'kill_chain_name': 'mitre-mobile-attack', 'p... | 2020-10-22T17:04:15.578Z | 2020-09-11T15:14:33.730Z | 1.0 | False | [Post-Adversary Device Access] | Users can view the default SMS handler in syst... | [Android] | NaN | NaN | NaN | NaN |
1 | [{'source_name': 'mitre-mobile-attack', 'exter... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Geofencing | Adversaries may use a device’s geographical lo... | attack-pattern--8197f026-64da-4700-93b9-b55ba5... | attack-pattern | [{'kill_chain_name': 'mitre-mobile-attack', 'p... | 2020-10-01T12:43:41.494Z | 2020-09-11T15:04:14.532Z | 1.0 | False | [Post-Adversary Device Access] | Users can review which applications have locat... | [Android, iOS] | NaN | NaN | NaN | NaN |
2 | [{'source_name': 'mitre-mobile-attack', 'exter... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Keychain | Adversaries may collect the keychain storage d... | attack-pattern--27f483c6-6666-44fa-8532-ffd5fc... | attack-pattern | [{'kill_chain_name': 'mitre-mobile-attack', 'p... | 2020-06-24T19:02:46.237Z | 2020-06-24T17:33:49.778Z | 1.0 | False | [Post-Adversary Device Access] | Mobile security products can potentially detec... | [iOS] | NaN | NaN | NaN | NaN |
3 | [{'source_name': 'mitre-mobile-attack', 'exter... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Compromise Application Executable | Adversaries may modify applications installed ... | attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e5631... | attack-pattern | [{'kill_chain_name': 'mitre-mobile-attack', 'p... | 2020-05-27T13:23:34.159Z | 2020-05-07T15:24:49.068Z | 1.0 | False | [Post-Adversary Device Access] | This behavior is seamless to the user and is t... | [Android] | NaN | NaN | NaN | NaN |
Mobile Mitigations
print("Number of Mitigations in Mobile ATT&CK")
print(len(all_mobile['mitigations']))
Number of Mitigations in Mobile ATT&CK 13
mitigations = []
for t in all_mobile['mitigations']:
    mitigations.append(json.loads(t.serialize()))
df = pandas.json_normalize(mitigations)
df[0:4]
index | created_by_ref | object_marking_refs | external_references | name | description | id | type | modified | created | x_mitre_version | x_mitre_old_attack_id
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | User Guidance | Describes any guidance or training given to us... | course-of-action--653492e3-27be-4a0e-b08c-938d... | course-of-action | 2019-10-18T15:51:48.318Z | 2019-10-18T12:53:03.508Z | 1.0 | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | Security Updates | Install security updates in response to discov... | course-of-action--bcecd036-f40e-4916-9f8e-fd0c... | course-of-action | 2019-10-18T14:56:15.631Z | 2019-10-18T12:51:36.488Z | 1.0 | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | Attestation | Enable remote attestation capabilities when av... | course-of-action--ff4821f6-5afb-481b-8c0f-26c2... | course-of-action | 2019-10-18T14:52:53.019Z | 2019-10-18T12:50:35.335Z | 1.0 | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | Application Vetting | Enterprises can vet applications for exploitab... | course-of-action--1553b156-6767-47f7-9eb4-2a69... | course-of-action | 2019-10-18T15:53:07.393Z | 2019-10-18T12:49:58.924Z | 1.0 | NaN |
Mobile Groups
print("Number of Groups in Mobile ATT&CK")
print(len(all_mobile['groups']))
Number of Groups in Mobile ATT&CK 3
groups = []
for t in all_mobile['groups']:
    groups.append(json.loads(t.serialize()))
df = pandas.json_normalize(groups)
df[0:4]
index | created_by_ref | object_marking_refs | external_references | description | name | type | id | aliases | modified | created | x_mitre_version | x_mitre_contributors
---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'G0097', 'source_name': 'mitr... | [Bouncing Golf](https://attack.mitre.org/group... | Bouncing Golf | intrusion-set | intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a... | [Bouncing Golf] | 2020-03-26T20:58:44.722Z | 2020-01-27T16:55:39.688Z | 1.0 | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'url': 'https... | [Dark Caracal](https://attack.mitre.org/groups... | Dark Caracal | intrusion-set | intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... | [Dark Caracal] | 2020-06-03T20:22:40.401Z | 2018-10-17T00:14:20.652Z | 1.2 | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'G0007', 'url': 'https://atta... | [APT28](https://attack.mitre.org/groups/G0007)... | APT28 | intrusion-set | intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8... | [APT28, SNAKEMACKEREL, Swallowtail, Group 74, ... | 2020-10-06T23:32:21.793Z | 2017-05-31T21:31:48.664Z | 3.0 | [Sébastien Ruel, CGI, Drew Church, Splunk, Emi... |
Mobile Malware
print("Number of Malware in Mobile ATT&CK")
print(len(all_mobile['malware']))
Number of Malware in Mobile ATT&CK 74
malware = []
for t in all_mobile['malware']:
    malware.append(json.loads(t.serialize()))
df = pandas.json_normalize(malware)
df[0:4]
index | external_references | object_marking_refs | created_by_ref | description | name | id | type | labels | modified | created | x_mitre_version | x_mitre_aliases | x_mitre_platforms | x_mitre_contributors | x_mitre_old_attack_id
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | [{'external_id': 'S0509', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [FakeSpy](https://attack.mitre.org/software/S0... | FakeSpy | malware--838f647e-8ff8-48bd-bbd5-613cee7736cb | malware | [malware] | 2020-10-06T20:09:57.659Z | 2020-09-15T15:18:11.971Z | 1.0 | [FakeSpy] | [Android] | [Ofir Almkias, Cybereason] | NaN |
1 | [{'external_id': 'S0507', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [eSurv](https://attack.mitre.org/software/S050... | eSurv | malware--680f680c-eef9-4f8a-b5f5-f451bf47e403 | malware | [malware] | 2020-09-14T15:39:17.698Z | 2020-09-14T14:13:45.032Z | 1.0 | [eSurv] | [Android, iOS] | NaN | NaN |
2 | [{'external_id': 'S0506', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [ViperRAT](https://attack.mitre.org/software/S... | ViperRAT | malware--f666e17c-b290-43b3-8947-b96bd5148fbb | malware | [malware] | 2020-09-29T20:03:42.662Z | 2020-09-11T16:22:02.954Z | 1.0 | [ViperRAT] | [Android] | NaN | NaN |
3 | [{'external_id': 'S0505', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Desert Scorpion](https://attack.mitre.org/sof... | Desert Scorpion | malware--3271c107-92c4-442e-9506-e76d62230ee8 | malware | [malware] | 2020-09-11T16:23:16.039Z | 2020-09-11T14:54:16.188Z | 1.0 | [Desert Scorpion] | [Android] | NaN | NaN |
Mobile Tools
print("Number of Tools in Mobile ATT&CK")
print(len(all_mobile['tools']))
Number of Tools in Mobile ATT&CK 2
tools = []
for t in all_mobile['tools']:
    tools.append(json.loads(t.serialize()))
df = pandas.json_normalize(tools)
df[0:4]
index | external_references | object_marking_refs | created_by_ref | description | name | id | type | labels | modified | created | x_mitre_version | x_mitre_aliases | x_mitre_platforms | x_mitre_contributors | x_mitre_old_attack_id
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | [{'external_id': 'S0408', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [FlexiSpy](https://attack.mitre.org/software/S... | FlexiSpy | tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81 | tool | [tool] | 2019-10-14T18:08:28.349Z | 2019-09-04T15:38:56.070Z | 1.0 | [FlexiSpy] | [Android] | [Emily Ratliff, IBM] | NaN |
1 | [{'source_name': 'mitre-mobile-attack', 'url':... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Xbot](https://attack.mitre.org/software/S0298... | Xbot | tool--da21929e-40c0-443d-bdf4-6b60d15448b4 | tool | [tool] | 2018-12-11T20:40:31.461Z | 2017-10-25T14:48:48.609Z | 1.1 | [Xbot] | [Android] | NaN | MOB-S0014 |
Mobile Relationships
print("Number of Relationships in Mobile ATT&CK")
print(len(all_mobile['relationships']))
Number of Relationships in Mobile ATT&CK 795
relations = []
for t in all_mobile['relationships']:
    relations.append(json.loads(t.serialize()))
df = pandas.json_normalize(relations)
df[0:4]
index | created_by_ref | object_marking_refs | id | type | modified | created | source_ref | relationship_type | target_ref | description | external_references
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--39f46abc-d9e3-463d-9340-3bc8334a... | relationship | 2020-10-23T15:05:40.967Z | 2020-10-23T15:05:40.967Z | attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab... | revoked-by | attack-pattern--77e30eee-fd48-40b4-99ec-73e97c... | NaN | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--e373111c-aa34-4686-a286-7c9b4267... | relationship | 2020-10-01T12:43:42.238Z | 2020-09-30T14:48:16.522Z | course-of-action--0beabf44-e8d8-4ae4-9122-ef56... | mitigates | attack-pattern--8197f026-64da-4700-93b9-b55ba5... | New OS releases frequently contain additional ... | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--37459382-00b7-4699-a294-d25f53bf... | relationship | 2020-10-01T12:42:21.985Z | 2020-09-30T14:36:43.256Z | course-of-action--0beabf44-e8d8-4ae4-9122-ef56... | mitigates | attack-pattern--77e30eee-fd48-40b4-99ec-73e97c... | iOS 11 introduced a first-come-first-served pr... | [{'source_name': 'Trend Micro iOS URL Hijackin... |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--455b1287-5784-42b4-91fb-01dac007... | relationship | 2020-09-29T13:24:15.234Z | 2020-09-29T13:24:15.234Z | malware--317a2c10-d489-431e-b6b2-f0251fddc88e | uses | attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd2... | [Dendroid](https://attack.mitre.org/software/S... | [{'source_name': 'Lookout-Dendroid', 'descript... |
print("Number of Techniques in Enterprise ATT&CK")
techniques = lift.get_enterprise_techniques()
print(len(techniques))
Number of Techniques in Enterprise ATT&CK 665
techniques_list = []
for t in techniques:
    techniques_list.append(json.loads(t.serialize()))
df = pandas.json_normalize(techniques_list)
df[0:4]
index | id | description | name | created_by_ref | object_marking_refs | external_references | type | kill_chain_phases | modified | created | ... | x_mitre_permissions_required | x_mitre_defense_bypassed | x_mitre_contributors | x_mitre_system_requirements | x_mitre_network_requirements | x_mitre_effective_permissions | x_mitre_remote_support | x_mitre_impact_type | revoked | x_mitre_deprecated
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | attack-pattern--818302b2-d640-477b-bf88-873120... | Adversaries may abuse scripting or built-in co... | Network Device CLI | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | attack-pattern | [{'kill_chain_name': 'mitre-attack', 'phase_na... | 2020-10-22T16:43:38.388Z | 2020-10-20T00:09:33.072Z | ... | [Administrator, User] | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
1 | attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf... | Adversaries may access network configuration f... | Network Device Configuration Dump | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | attack-pattern | [{'kill_chain_name': 'mitre-attack', 'phase_na... | 2020-10-22T01:45:55.144Z | 2020-10-20T00:08:21.745Z | ... | [Administrator] | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
2 | attack-pattern--28abec6c-4443-4b03-8206-07f2e2... | Adversaries may abuse netbooting to load an un... | TFTP Boot | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | attack-pattern | [{'kill_chain_name': 'mitre-attack', 'phase_na... | 2020-10-22T16:35:53.806Z | 2020-10-20T00:06:56.180Z | ... | [Administrator] | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
3 | attack-pattern--a6557c75-798f-42e4-be70-ab4502... | Adversaries may abuse the ROM Monitor (ROMMON)... | ROMMONkit | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | attack-pattern | [{'kill_chain_name': 'mitre-attack', 'phase_na... | 2020-10-22T02:18:19.568Z | 2020-10-20T00:05:48.790Z | ... | [Administrator] | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
4 rows × 25 columns
print("Number of Techniques in PRE-ATT&CK")
techniques = lift.get_pre_techniques()
print(len(techniques))
Number of Techniques in PRE-ATT&CK
/usr/local/lib/python3.8/site-packages/attackcti/attack_api.py:455: UserWarning: PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application warnings.warn("PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application")
174
techniques_list = []
for t in techniques:
    techniques_list.append(json.loads(t.serialize()))
df = pandas.json_normalize(techniques_list)
df[0:4]
index | id | created_by_ref | name | description | external_references | object_marking_refs | type | kill_chain_phases | modified | created | x_mitre_is_subtechnique | x_mitre_old_attack_id | x_mitre_version | x_mitre_difficulty_for_adversary_explanation | x_mitre_difficulty_for_adversary | x_mitre_detectable_by_common_defenses_explanation | x_mitre_detectable_by_common_defenses | x_mitre_deprecated
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | attack-pattern--b182f29c-2505-4b32-a000-0440ef... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Spearphishing for Information | This object is deprecated as its content has b... | [{'source_name': 'mitre-pre-attack', 'url': 'h... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | attack-pattern | [{'kill_chain_name': 'mitre-pre-attack', 'phas... | 2020-10-26T13:42:49.342Z | 2018-04-18T17:59:24.739Z | False | PRE-T1174 | 1.0 | Sending emails is trivial, and, over time, an ... | Yes | Depending on the specific method of phishing, ... | Partial | True |
1 | attack-pattern--2b9a666e-bd59-4f67-9031-ed41b4... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Acquire OSINT data sets and information | This object is deprecated as its content has b... | [{'source_name': 'mitre-pre-attack', 'url': 'h... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | attack-pattern | [{'kill_chain_name': 'mitre-pre-attack', 'phas... | 2020-10-26T13:42:49.342Z | 2017-12-14T16:46:06.044Z | NaN | PRE-T1043 | 1.0 | Possible to gather digital intelligence about ... | Yes | This activity is indistinguishable from legiti... | No | True |
2 | attack-pattern--1a295f87-af63-4d94-b130-039d62... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Acquire and/or use 3rd party software services | This object is deprecated as its content has b... | [{'source_name': 'mitre-pre-attack', 'url': 'h... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | attack-pattern | [{'kill_chain_name': 'mitre-pre-attack', 'phas... | 2020-10-26T13:42:49.342Z | 2017-12-14T16:46:06.044Z | NaN | PRE-T1085 | 1.0 | 3rd party services like these listed are freel... | Yes | Defender will not have visibility over account... | No | True |
3 | attack-pattern--fe421ab9-c8f3-42f7-9ae1-5d6c32... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Analyze application security posture | This object is deprecated as its content has b... | [{'source_name': 'mitre-pre-attack', 'url': 'h... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | attack-pattern | [{'kill_chain_name': 'mitre-pre-attack', 'phas... | 2020-10-26T13:42:49.342Z | 2017-12-14T16:46:06.044Z | NaN | PRE-T1070 | 1.0 | Analyze technical scanning results to identify... | Yes | This can be done offline after the data has be... | No | True |
print("Number of Techniques in Mobile ATT&CK")
techniques = lift.get_mobile_techniques()
print(len(techniques))
Number of Techniques in Mobile ATT&CK 104
techniques_list = []
for t in techniques:
    techniques_list.append(json.loads(t.serialize()))
df = pandas.json_normalize(techniques_list)
df[0:4]
index | external_references | object_marking_refs | created_by_ref | name | description | id | type | kill_chain_phases | modified | created | x_mitre_version | x_mitre_is_subtechnique | x_mitre_tactic_type | x_mitre_detection | x_mitre_platforms | x_mitre_contributors | x_mitre_old_attack_id | revoked | x_mitre_deprecated
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | [{'source_name': 'mitre-mobile-attack', 'exter... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | SMS Control | Adversaries may delete, alter, or send SMS mes... | attack-pattern--b327a9c0-e709-495c-aa6e-00b042... | attack-pattern | [{'kill_chain_name': 'mitre-mobile-attack', 'p... | 2020-10-22T17:04:15.578Z | 2020-09-11T15:14:33.730Z | 1.0 | False | [Post-Adversary Device Access] | Users can view the default SMS handler in syst... | [Android] | NaN | NaN | NaN | NaN |
1 | [{'source_name': 'mitre-mobile-attack', 'exter... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Geofencing | Adversaries may use a device’s geographical lo... | attack-pattern--8197f026-64da-4700-93b9-b55ba5... | attack-pattern | [{'kill_chain_name': 'mitre-mobile-attack', 'p... | 2020-10-01T12:43:41.494Z | 2020-09-11T15:04:14.532Z | 1.0 | False | [Post-Adversary Device Access] | Users can review which applications have locat... | [Android, iOS] | NaN | NaN | NaN | NaN |
2 | [{'source_name': 'mitre-mobile-attack', 'exter... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Keychain | Adversaries may collect the keychain storage d... | attack-pattern--27f483c6-6666-44fa-8532-ffd5fc... | attack-pattern | [{'kill_chain_name': 'mitre-mobile-attack', 'p... | 2020-06-24T19:02:46.237Z | 2020-06-24T17:33:49.778Z | 1.0 | False | [Post-Adversary Device Access] | Mobile security products can potentially detec... | [iOS] | NaN | NaN | NaN | NaN |
3 | [{'source_name': 'mitre-mobile-attack', 'exter... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Compromise Application Executable | Adversaries may modify applications installed ... | attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e5631... | attack-pattern | [{'kill_chain_name': 'mitre-mobile-attack', 'p... | 2020-05-27T13:23:34.159Z | 2020-05-07T15:24:49.068Z | 1.0 | False | [Post-Adversary Device Access] | This behavior is seamless to the user and is t... | [Android] | NaN | NaN | NaN | NaN |
print("Number of Techniques in ATT&CK")
techniques = lift.get_techniques()
print(len(techniques))
Number of Techniques in ATT&CK 1024
techniques_list = []
for t in techniques:
    techniques_list.append(json.loads(t.serialize()))
df = pandas.json_normalize(techniques_list)
df[0:4]
index | id | description | name | created_by_ref | object_marking_refs | external_references | type | kill_chain_phases | modified | created | ... | x_mitre_remote_support | x_mitre_impact_type | revoked | x_mitre_deprecated | x_mitre_old_attack_id | x_mitre_difficulty_for_adversary_explanation | x_mitre_difficulty_for_adversary | x_mitre_detectable_by_common_defenses_explanation | x_mitre_detectable_by_common_defenses | x_mitre_tactic_type
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | attack-pattern--818302b2-d640-477b-bf88-873120... | Adversaries may abuse scripting or built-in co... | Network Device CLI | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | attack-pattern | [{'kill_chain_name': 'mitre-attack', 'phase_na... | 2020-10-22T16:43:38.388Z | 2020-10-20T00:09:33.072Z | ... | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
1 | attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf... | Adversaries may access network configuration f... | Network Device Configuration Dump | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | attack-pattern | [{'kill_chain_name': 'mitre-attack', 'phase_na... | 2020-10-22T01:45:55.144Z | 2020-10-20T00:08:21.745Z | ... | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
2 | attack-pattern--28abec6c-4443-4b03-8206-07f2e2... | Adversaries may abuse netbooting to load an un... | TFTP Boot | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | attack-pattern | [{'kill_chain_name': 'mitre-attack', 'phase_na... | 2020-10-22T16:35:53.806Z | 2020-10-20T00:06:56.180Z | ... | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
3 | attack-pattern--a6557c75-798f-42e4-be70-ab4502... | Adversaries may abuse the ROM Monitor (ROMMON)... | ROMMONkit | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | attack-pattern | [{'kill_chain_name': 'mitre-attack', 'phase_na... | 2020-10-22T02:18:19.568Z | 2020-10-20T00:05:48.790Z | ... | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
4 rows × 31 columns
print("Number of Mitigations in Enterprise ATT&CK")
mitigations = lift.get_enterprise_mitigations()
print(len(mitigations))
Number of Mitigations in Enterprise ATT&CK
267
mitigations_list = []
for t in mitigations:
    mitigations_list.append(json.loads(t.serialize()))
df = pandas.json_normalize(mitigations_list)
df[0:4]
created_by_ref | object_marking_refs | external_references | description | name | id | type | modified | created | x_mitre_version | x_mitre_deprecated | x_mitre_old_attack_id | |
---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | This category is used for any applicable mitig... | Pre-compromise | course-of-action--78bb71be-92b4-46de-acd6-5f99... | course-of-action | 2020-10-20T19:52:32.439Z | 2020-10-19T14:57:58.771Z | 1.0 | NaN | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | This category is to associate techniques that ... | Do Not Mitigate | course-of-action--787fb64d-c87b-4ee5-a341-0ef1... | course-of-action | 2019-07-23T14:44:24.727Z | 2019-07-19T14:58:42.715Z | 1.0 | NaN | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | Implement configuration changes to software (o... | Software Configuration | course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... | course-of-action | 2020-03-31T13:11:09.471Z | 2019-07-19T14:40:23.529Z | 1.1 | NaN | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | Take and store data backups from end user syst... | Data Backup | course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... | course-of-action | 2020-03-31T13:11:28.201Z | 2019-07-19T14:33:33.543Z | 1.1 | NaN | NaN |
print("Number of Mitigations in Mobile ATT&CK")
mitigations = lift.get_mobile_mitigations()
print(len(mitigations))
Number of Mitigations in Mobile ATT&CK
13
mitigations_list = []
for t in mitigations:
    mitigations_list.append(json.loads(t.serialize()))
df = pandas.json_normalize(mitigations_list)
df[0:4]
created_by_ref | object_marking_refs | external_references | name | description | id | type | modified | created | x_mitre_version | x_mitre_old_attack_id | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | User Guidance | Describes any guidance or training given to us... | course-of-action--653492e3-27be-4a0e-b08c-938d... | course-of-action | 2019-10-18T15:51:48.318Z | 2019-10-18T12:53:03.508Z | 1.0 | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | Security Updates | Install security updates in response to discov... | course-of-action--bcecd036-f40e-4916-9f8e-fd0c... | course-of-action | 2019-10-18T14:56:15.631Z | 2019-10-18T12:51:36.488Z | 1.0 | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | Attestation | Enable remote attestation capabilities when av... | course-of-action--ff4821f6-5afb-481b-8c0f-26c2... | course-of-action | 2019-10-18T14:52:53.019Z | 2019-10-18T12:50:35.335Z | 1.0 | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | Application Vetting | Enterprises can vet applications for exploitab... | course-of-action--1553b156-6767-47f7-9eb4-2a69... | course-of-action | 2019-10-18T15:53:07.393Z | 2019-10-18T12:49:58.924Z | 1.0 | NaN |
print("Number of Mitigations in ATT&CK")
mitigations = lift.get_mitigations()
print(len(mitigations))
Number of Mitigations in ATT&CK
296
mitigations_list = []
for t in mitigations:
    mitigations_list.append(json.loads(t.serialize()))
df = pandas.json_normalize(mitigations_list)
df[0:4]
created_by_ref | object_marking_refs | external_references | description | name | id | type | modified | created | x_mitre_version | x_mitre_deprecated | x_mitre_old_attack_id | |
---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | This category is used for any applicable mitig... | Pre-compromise | course-of-action--78bb71be-92b4-46de-acd6-5f99... | course-of-action | 2020-10-20T19:52:32.439Z | 2020-10-19T14:57:58.771Z | 1.0 | NaN | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | This category is to associate techniques that ... | Do Not Mitigate | course-of-action--787fb64d-c87b-4ee5-a341-0ef1... | course-of-action | 2019-07-23T14:44:24.727Z | 2019-07-19T14:58:42.715Z | 1.0 | NaN | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | Implement configuration changes to software (o... | Software Configuration | course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... | course-of-action | 2020-03-31T13:11:09.471Z | 2019-07-19T14:40:23.529Z | 1.1 | NaN | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'external_id'... | Take and store data backups from end user syst... | Data Backup | course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... | course-of-action | 2020-03-31T13:11:28.201Z | 2019-07-19T14:33:33.543Z | 1.1 | NaN | NaN |
print("Number of Groups in Enterprise ATT&CK")
groups = lift.get_enterprise_groups()
print(len(groups))
Number of Groups in Enterprise ATT&CK
110
print("Number of Groups in PRE-ATT&CK")
groups = lift.get_pre_groups()
print(len(groups))
Number of Groups in PRE-ATT&CK
7
/usr/local/lib/python3.8/site-packages/attackcti/attack_api.py:473: UserWarning: PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application
  warnings.warn("PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application")
groups_list = []
for t in groups:
    groups_list.append(json.loads(t.serialize()))
df = pandas.json_normalize(groups_list)
df[0:4]
created_by_ref | object_marking_refs | external_references | name | description | type | id | aliases | modified | created | x_mitre_version | x_mitre_contributors | |
---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'url': 'https://attack.mitre.org/groups/G008... | TEMP.Veles | [TEMP.Veles](https://attack.mitre.org/groups/G... | intrusion-set | intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... | [TEMP.Veles, XENOTIME] | 2020-10-04T23:31:36.937Z | 2019-04-16T15:14:38.533Z | 1.2 | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'url': 'https... | APT17 | [APT17](https://attack.mitre.org/groups/G0025)... | intrusion-set | intrusion-set--090242d7-73fc-4738-af68-20162f7... | [APT17, Deputy Dog] | 2020-10-13T22:33:14.018Z | 2017-05-31T21:31:57.307Z | 1.1 | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'url': 'https... | APT16 | [APT16](https://attack.mitre.org/groups/G0023)... | intrusion-set | intrusion-set--d6e88e18-81e8-4709-82d8-973095d... | [APT16] | 2020-10-12T19:54:58.537Z | 2017-05-31T21:31:56.270Z | 1.1 | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'url': 'https... | Night Dragon | [Night Dragon](https://attack.mitre.org/groups... | intrusion-set | intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e... | [Night Dragon] | 2020-10-15T00:54:00.656Z | 2017-05-31T21:31:51.643Z | 1.3 | NaN |
print("Number of Groups in Mobile ATT&CK")
groups = lift.get_mobile_groups()
print(len(groups))
Number of Groups in Mobile ATT&CK
3
groups_list = []
for t in groups:
    groups_list.append(json.loads(t.serialize()))
df = pandas.json_normalize(groups_list)
df[0:4]
created_by_ref | object_marking_refs | external_references | description | name | type | id | aliases | modified | created | x_mitre_version | x_mitre_contributors | |
---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'G0097', 'source_name': 'mitr... | [Bouncing Golf](https://attack.mitre.org/group... | Bouncing Golf | intrusion-set | intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a... | [Bouncing Golf] | 2020-03-26T20:58:44.722Z | 2020-01-27T16:55:39.688Z | 1.0 | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'mitre-attack', 'url': 'https... | [Dark Caracal](https://attack.mitre.org/groups... | Dark Caracal | intrusion-set | intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... | [Dark Caracal] | 2020-06-03T20:22:40.401Z | 2018-10-17T00:14:20.652Z | 1.2 | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'G0007', 'url': 'https://atta... | [APT28](https://attack.mitre.org/groups/G0007)... | APT28 | intrusion-set | intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8... | [APT28, SNAKEMACKEREL, Swallowtail, Group 74, ... | 2020-10-06T23:32:21.793Z | 2017-05-31T21:31:48.664Z | 3.0 | [Sébastien Ruel, CGI, Drew Church, Splunk, Emi... |
print("Number of Groups in ATT&CK")
groups = lift.get_groups()
print(len(groups))
Number of Groups in ATT&CK
113
groups_list = []
for t in groups:
    groups_list.append(json.loads(t.serialize()))
df = pandas.json_normalize(groups_list)
df[0:4]
created_by_ref | object_marking_refs | external_references | name | description | type | id | aliases | modified | created | x_mitre_version | x_mitre_contributors | revoked | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'G0115', 'source_name': 'mitr... | GOLD SOUTHFIELD | [GOLD SOUTHFIELD](https://attack.mitre.org/gro... | intrusion-set | intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a... | [GOLD SOUTHFIELD] | 2020-10-06T15:32:20.089Z | 2020-09-22T19:41:27.845Z | 1.0 | NaN | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'G0114', 'source_name': 'mitr... | Chimera | [Chimera](https://attack.mitre.org/groups/G011... | intrusion-set | intrusion-set--8c1f0187-0826-4320-bddc-5f326cf... | [Chimera] | 2020-10-05T20:59:57.694Z | 2020-08-24T17:01:55.842Z | 1.0 | NaN | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'G0112', 'source_name': 'mitr... | Windshift | [Windshift](https://attack.mitre.org/groups/G0... | intrusion-set | intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a... | [Windshift, Bahamut] | 2020-06-26T13:46:14.122Z | 2020-06-25T17:16:39.168Z | 1.0 | NaN | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'G0108', 'source_name': 'mitr... | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/gr... | intrusion-set | intrusion-set--73a80fab-2aa3-48e0-a4d0-3a48282... | [Blue Mockingbird] | 2020-06-25T13:59:09.596Z | 2020-05-26T20:09:39.139Z | 1.0 | [Tony Lambert, Red Canary] | NaN |
print("Number of Software in ATT&CK")
software = lift.get_software()
print(len(software))
Number of Software in ATT&CK
523
software_list = []
for t in software:
    software_list.append(json.loads(t.serialize()))
df = pandas.json_normalize(software_list)
df[0:4]
id | name | description | created_by_ref | object_marking_refs | external_references | type | labels | modified | created | x_mitre_version | x_mitre_aliases | x_mitre_platforms | x_mitre_contributors | x_mitre_old_attack_id | revoked | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | tool--975737f1-b10d-476f-8bda-3ec26ea57172 | MCMD | [MCMD](https://attack.mitre.org/software/S0500... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'S0500', 'source_name': 'mitr... | tool | [tool] | 2020-08-20T14:52:23.369Z | 2020-08-13T17:15:25.702Z | 1.0 | [MCMD] | [Windows] | NaN | NaN | NaN |
1 | tool--c4810609-7da6-48ec-8057-1b70a7814db0 | CrackMapExec | [CrackMapExec](https://attack.mitre.org/softwa... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'S0488', 'source_name': 'mitr... | tool | [tool] | 2020-07-29T20:19:40.544Z | 2020-07-17T14:23:05.958Z | 1.0 | [CrackMapExec] | [Windows] | NaN | NaN | NaN |
2 | tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4 | CARROTBALL | [CARROTBALL](https://attack.mitre.org/software... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'S0465', 'source_name': 'mitr... | tool | [tool] | 2020-06-10T14:44:23.055Z | 2020-06-02T19:10:29.513Z | 1.0 | [CARROTBALL] | [Windows] | NaN | NaN | NaN |
3 | tool--115f88dd-0618-4389-83cb-98d33ae81848 | ShimRatReporter | [ShimRatReporter](https://attack.mitre.org/sof... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'external_id': 'S0445', 'source_name': 'mitr... | tool | [tool] | 2020-05-27T22:39:28.701Z | 2020-05-12T21:29:48.294Z | 1.0 | [ShimRatReporter] | [Windows] | NaN | NaN | NaN |
print("Number of Relationships in Enterprise ATT&CK")
relationships = lift.get_enterprise_relationships()
print(len(relationships))
Number of Relationships in Enterprise ATT&CK
9263
relations_list = []
for t in relationships:
    relations_list.append(json.loads(t.serialize()))
df = pandas.json_normalize(relations_list)
df[0:4]
object_marking_refs | external_references | id | type | created | description | created_by_ref | modified | source_ref | relationship_type | target_ref | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd... | relationship | 2020-11-10T18:04:03.668Z | (Citation: FireEye KEGTAP SINGLEMALT October 2... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | 2020-11-10T18:04:03.668Z | intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | uses | malware--a7881f21-e978-4fe4-af56-92c9416a2616 |
1 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | relationship--c118e50b-4559-4bff-bde5-78aa426f... | relationship | 2020-11-10T18:04:03.666Z | (Citation: FireEye KEGTAP SINGLEMALT October 2... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | 2020-11-10T18:04:03.666Z | intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | uses | tool--afc079f3-c0ea-4096-b75d-3f05338b7f60 |
2 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'DFIR Ryuk's Return October 2... | relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e... | relationship | 2020-11-10T18:04:03.589Z | (Citation: DFIR Ryuk's Return October 2020)(Ci... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | 2020-11-10T18:04:03.589Z | intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | uses | tool--b77b563c-34bb-4fb8-86a3-3694338f7b47 |
3 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | relationship--585842e6-fe9a-4508-8e67-c232f8aa... | relationship | 2020-11-10T18:04:03.571Z | (Citation: FireEye KEGTAP SINGLEMALT October 2... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | 2020-11-10T18:04:03.571Z | intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | uses | tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf |
print("Number of Relationships in PRE-ATT&CK")
relationships = lift.get_pre_relationships()
print(len(relationships))
Number of Relationships in PRE-ATT&CK
69
/usr/local/lib/python3.8/site-packages/attackcti/attack_api.py:491: UserWarning: PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application
  warnings.warn("PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application")
relations_list = []
for t in relationships:
    relations_list.append(json.loads(t.serialize()))
df = pandas.json_normalize(relations_list)
df[0:4]
created_by_ref | object_marking_refs | external_references | description | id | type | modified | created | source_ref | relationship_type | target_ref | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'Mandiant APT1', 'description... | [APT1](https://attack.mitre.org/groups/G0006) ... | relationship--980656e3-ba60-49ee-9ce8-cbe1a0dc... | relationship | 2020-03-25T13:59:27.774Z | 2020-03-25T13:59:27.774Z | intrusion-set--6a2e693f-24e5-451a-9f88-b36a108... | uses | attack-pattern--4900fabf-1142-4c1f-92f5-0b590e... |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'description': 'Miller, S, et al. (2019, Apr... | [TEMP.Veles](https://attack.mitre.org/groups/G... | relationship--21842707-0f15-43bf-bc42-2bceadf2... | relationship | 2019-04-29T18:59:16.596Z | 2019-04-24T19:45:44.212Z | intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... | uses | attack-pattern--20a66013-8dab-4ca3-a67d-766c84... |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'description': 'Miller, S, et al. (2019, Apr... | [TEMP.Veles](https://attack.mitre.org/groups/G... | relationship--2d95ed6f-52e7-4708-af15-9a6c0839... | relationship | 2019-04-29T18:59:16.595Z | 2019-04-24T19:45:44.205Z | intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... | uses | attack-pattern--795c1a92-3a26-453e-b99a-6a566a... |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | NaN | NaN | relationship--83379e43-4bc5-4c49-b0b3-f41161e8... | relationship | 2019-02-19T18:56:56.770Z | 2019-02-19T18:56:56.770Z | attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1... | related-to | attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42... |
print("Number of Relationships in Mobile ATT&CK")
relationships = lift.get_mobile_relationships()
print(len(relationships))
Number of Relationships in Mobile ATT&CK
795
relations_list = []
for t in relationships:
    relations_list.append(json.loads(t.serialize()))
df = pandas.json_normalize(relations_list)
df[0:4]
created_by_ref | object_marking_refs | id | type | modified | created | source_ref | relationship_type | target_ref | description | external_references | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--39f46abc-d9e3-463d-9340-3bc8334a... | relationship | 2020-10-23T15:05:40.967Z | 2020-10-23T15:05:40.967Z | attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab... | revoked-by | attack-pattern--77e30eee-fd48-40b4-99ec-73e97c... | NaN | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--e373111c-aa34-4686-a286-7c9b4267... | relationship | 2020-10-01T12:43:42.238Z | 2020-09-30T14:48:16.522Z | course-of-action--0beabf44-e8d8-4ae4-9122-ef56... | mitigates | attack-pattern--8197f026-64da-4700-93b9-b55ba5... | New OS releases frequently contain additional ... | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--37459382-00b7-4699-a294-d25f53bf... | relationship | 2020-10-01T12:42:21.985Z | 2020-09-30T14:36:43.256Z | course-of-action--0beabf44-e8d8-4ae4-9122-ef56... | mitigates | attack-pattern--77e30eee-fd48-40b4-99ec-73e97c... | iOS 11 introduced a first-come-first-served pr... | [{'source_name': 'Trend Micro iOS URL Hijackin... |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--455b1287-5784-42b4-91fb-01dac007... | relationship | 2020-09-29T13:24:15.234Z | 2020-09-29T13:24:15.234Z | malware--317a2c10-d489-431e-b6b2-f0251fddc88e | uses | attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd2... | [Dendroid](https://attack.mitre.org/software/S... | [{'source_name': 'Lookout-Dendroid', 'descript... |
print("Number of Relationships in ATT&CK")
relationships = lift.get_relationships()
print(len(relationships))
Number of Relationships in ATT&CK
10635
relations_list = []
for t in relationships:
    relations_list.append(json.loads(t.serialize()))
df = pandas.json_normalize(relations_list)
df[0:4]
object_marking_refs | external_references | id | type | created | description | created_by_ref | modified | source_ref | relationship_type | target_ref | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd... | relationship | 2020-11-10T18:04:03.668Z | (Citation: FireEye KEGTAP SINGLEMALT October 2... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | 2020-11-10T18:04:03.668Z | intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | uses | malware--a7881f21-e978-4fe4-af56-92c9416a2616 |
1 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | relationship--c118e50b-4559-4bff-bde5-78aa426f... | relationship | 2020-11-10T18:04:03.666Z | (Citation: FireEye KEGTAP SINGLEMALT October 2... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | 2020-11-10T18:04:03.666Z | intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | uses | tool--afc079f3-c0ea-4096-b75d-3f05338b7f60 |
2 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'DFIR Ryuk's Return October 2... | relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e... | relationship | 2020-11-10T18:04:03.589Z | (Citation: DFIR Ryuk's Return October 2020)(Ci... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | 2020-11-10T18:04:03.589Z | intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | uses | tool--b77b563c-34bb-4fb8-86a3-3694338f7b47 |
3 | [marking-definition--fa42a846-8d90-4e51-bc29-7... | [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | relationship--585842e6-fe9a-4508-8e67-c232f8aa... | relationship | 2020-11-10T18:04:03.571Z | (Citation: FireEye KEGTAP SINGLEMALT October 2... | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | 2020-11-10T18:04:03.571Z | intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | uses | tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf |
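The cells above only count and preview each object type; what a practitioner usually needs next is to join them through the `relationship` objects (`uses`, `mitigates`, `revoked-by`) while honouring the `revoked` and `x_mitre_deprecated` flags shown in the DataFrames. The following is an added example, not code from the original notebook or from attackcti; it works on the same serialized dicts the notebook builds with `json.loads(t.serialize())`, and the sample objects and their STIX IDs are constructed placeholders.

```python
# Added example (not from the original notebook or the attackcti project).
# Input is a flat list of dicts in the shape of json.loads(obj.serialize()),
# e.g. techniques_list + groups_list + software_list + mitigations_list + relations_list.
# The objects below are constructed samples; IDs and names are placeholders.
SAMPLE_OBJECTS = [
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Sample Group",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G9999"}]},
    {"type": "tool", "id": "tool--t1", "name": "Sample Tool",
     "external_references": [{"source_name": "mitre-attack", "external_id": "S9999"}]},
    {"type": "attack-pattern", "id": "attack-pattern--a1", "name": "Old Technique",
     "revoked": True,   # replaced by a2 via the revoked-by relationship below
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--a2", "name": "New Technique",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9002"}]},
    {"type": "attack-pattern", "id": "attack-pattern--a3", "name": "Deprecated Technique",
     "x_mitre_deprecated": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9003"}]},
    {"type": "course-of-action", "id": "course-of-action--m1", "name": "Sample Mitigation",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M9999"}]},
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--a1"},
    {"type": "relationship", "id": "relationship--r2", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "tool--t1"},
    {"type": "relationship", "id": "relationship--r3", "relationship_type": "uses",
     "source_ref": "tool--t1", "target_ref": "attack-pattern--a3"},
    {"type": "relationship", "id": "relationship--r4", "relationship_type": "uses",
     "source_ref": "tool--t1", "target_ref": "attack-pattern--a2"},
    {"type": "relationship", "id": "relationship--r5", "relationship_type": "revoked-by",
     "source_ref": "attack-pattern--a1", "target_ref": "attack-pattern--a2"},
    {"type": "relationship", "id": "relationship--r6", "relationship_type": "mitigates",
     "source_ref": "course-of-action--m1", "target_ref": "attack-pattern--a2"},
]

ATTACK_SOURCES = ("mitre-attack", "mitre-mobile-attack", "mitre-pre-attack")


def attack_id(obj):
    """Return the human-readable ATT&CK ID (T1234, G0006, S0500, M1234) from external_references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in ATTACK_SOURCES:
            return ref.get("external_id")
    return None


def is_active(obj):
    """False for objects flagged revoked or x_mitre_deprecated, which the DataFrames show as columns."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


class AttackGraph:
    def __init__(self, objects):
        self.by_id = {o["id"]: o for o in objects if o["type"] != "relationship"}
        self.rels = [o for o in objects if o["type"] == "relationship"]
        # revoked-by edges point from the old object to its replacement
        self.replacement = {r["source_ref"]: r["target_ref"]
                            for r in self.rels if r["relationship_type"] == "revoked-by"}

    def resolve(self, stix_id):
        """Follow revoked-by chains to the current object (cycle-safe)."""
        seen = set()
        while stix_id in self.replacement and stix_id not in seen:
            seen.add(stix_id)
            stix_id = self.replacement[stix_id]
        return stix_id

    def targets(self, source_id, rel_type):
        return [r["target_ref"] for r in self.rels
                if r["source_ref"] == source_id and r["relationship_type"] == rel_type]

    def techniques_used_by(self, group_id):
        """Map ATT&CK ID -> name for active techniques a group uses, directly or via its software."""
        found = {}
        for target in self.targets(group_id, "uses"):
            hops = self.targets(target, "uses") if target.startswith(("tool--", "malware--")) else [target]
            for t in hops:
                obj = self.by_id.get(self.resolve(t))
                if obj and obj["type"] == "attack-pattern" and is_active(obj):
                    found[attack_id(obj)] = obj["name"]
        return dict(sorted(found.items()))

    def mitigations_for(self, technique_id):
        """ATT&CK IDs of course-of-action objects that mitigate the (resolved) technique."""
        current = self.resolve(technique_id)
        return sorted(attack_id(self.by_id[r["source_ref"]]) for r in self.rels
                      if r["relationship_type"] == "mitigates" and r["target_ref"] == current
                      and r["source_ref"] in self.by_id)
```

With the live data, pass the lists the notebook already builds (for example `techniques_list + groups_list + software_list + mitigations_list + relations_list` collected with the `get_*` calls above) instead of `SAMPLE_OBJECTS`.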