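#!/usr/bin/env python
# coding: utf-8
"""MITRE ATT&CK API basics: a walkthrough of the ``attackcti`` Python client.

Exported from a Jupyter notebook.  The walkthrough has two parts:

1. Collect *everything* from Enterprise ATT&CK, PRE-ATT&CK and Mobile ATT&CK
   (``get_all_enterprise()``, ``get_all_pre()``, ``get_all_mobile()`` and the
   purely local combination ``get_all_stix_objects()``), then slice the
   individual STIX object types -- techniques, mitigations, groups, malware,
   tools and relationships -- out of those results without asking the server
   again.
2. Ask the TAXII server directly for one STIX object type at a time
   (``get_all_enterprise_techniques()``, ``get_all_groups()``, ...), which
   avoids downloading a whole matrix when only one type is needed.

ATT&CK content is published as STIX 2.0 over a public TAXII 2.0 server; every
``lift.get_all_*`` call below is a network request issued by the ``attackcti``
client, so the script needs outbound connectivity to that server.  Nothing is
fetched at import time: all requests happen inside :func:`main`.
"""

from attackcti import attack_client

from pandas import *  # kept from the notebook; only json_normalize is used below

try:  # ``pandas.json_normalize`` is the public location since pandas 1.0
    from pandas import json_normalize
except ImportError:  # older pandas only exposed it under pandas.io.json
    from pandas.io.json import json_normalize


# Column subsets used for the preview tables.  ``DataFrame.reindex`` fills a
# column the normalized objects do not carry with NaN instead of raising, so a
# preview never fails on a matrix whose objects have fewer properties.
TECHNIQUE_COLUMNS = ["matrix", "tactic", "technique", "technique_id", "data_sources"]
MITIGATION_COLUMNS = ["matrix", "mitigation", "mitigation_description", "url"]
GROUP_COLUMNS = ["matrix", "group", "group_aliases", "group_id", "group_description"]
SOFTWARE_COLUMNS = ["matrix", "software", "software_labels", "software_id", "software_description"]
RELATIONSHIP_COLUMNS = ["id", "relationship", "source_object", "target_object"]
RELATIONSHIP_COLUMNS_WITH_DESCRIPTION = [
    "id", "relationship", "relationship_description", "source_object", "target_object",
]

# Number of rows shown by each preview (the notebook used ``[0:5]`` everywhere).
PREVIEW_ROWS = 5


def show_objects(objects, label, columns, rows=PREVIEW_ROWS):
    """Print ``label``, the number of STIX objects and a preview table.

    Args:
        objects: list of STIX objects (dicts) as returned by the client.
        label: heading printed before the count, e.g. ``"Number of Groups in ATT&CK"``.
        columns: column names to show, in that order (missing ones come out as NaN).
        rows: how many rows of the normalized frame to print.

    Returns:
        The full normalized ``pandas.DataFrame`` so the caller can inspect the
        schema (``list(frame)``) or filter it further.
    """
    print(label)
    print(len(objects))
    frame = json_normalize(objects)
    # In the notebook the trailing ``df.reindex(...)[0:5]`` expression was
    # rendered automatically; run as a script it must be printed explicitly.
    print(frame.reindex(columns, axis=1)[0:rows])
    return frame


def show_schema(frame):
    """Print the column names of a normalized frame (the object type's schema)."""
    print(list(frame))


def show_example(objects):
    """Print the first raw STIX object, or a notice when the list is empty.

    The notebook indexed ``objects[0]`` directly, which raises ``IndexError``
    when a result set is empty (e.g. a matrix without that object type).
    """
    if objects:
        print(objects[0])
    else:
        print("(no objects)")


def show_matrix(results, matrix_name, technique_columns, relationship_columns):
    """Preview every object type present in one matrix's ``get_all_*`` result.

    Args:
        results: dict returned by ``get_all_enterprise()``/``get_all_pre()``/
            ``get_all_mobile()``, keyed by object type.
        matrix_name: human-readable matrix name used in the printed labels.
        technique_columns: preview columns for techniques (they differ per matrix).
        relationship_columns: preview columns for relationships.

    Object types a matrix does not provide (PRE-ATT&CK has no mitigations,
    malware or tools in the notebook) are skipped rather than raising KeyError.
    """
    previews = [
        ("techniques", "Techniques", technique_columns),
        ("mitigations", "Mitigations", MITIGATION_COLUMNS),
        ("groups", "Groups", GROUP_COLUMNS),
        ("malware", "Malware objects", SOFTWARE_COLUMNS),
        ("tools", "Tools", SOFTWARE_COLUMNS),
        ("relationships", "Relationships", relationship_columns),
    ]
    for key, noun, columns in previews:
        if key not in results:
            continue
        show_objects(results[key], f"Number of {noun} in {matrix_name}", columns)


def main():
    """Run the notebook end to end: collect everything, then query per type."""
    lift = attack_client()

    # ----- Collect ALL (Enterprise ATT&CK, PRE-ATT&CK & Mobile ATT&CK) ------
    # Three TAXII queries, one per matrix.
    all_enterprise = lift.get_all_enterprise()
    all_pre = lift.get_all_pre()
    all_mobile = lift.get_all_mobile()
    # Combines the three results locally into one dict keyed by object type:
    # techniques, mitigations, groups, malware, tools, relationships.
    all_attack = lift.get_all_stix_objects()
    print(type(all_attack))

    # ----- Slice object types out of the combined results (no server calls) --
    # Techniques come without their mitigations: mitigations are separate STIX
    # objects that have to be correlated through relationship objects; the
    # library's get_all_techniques_with_mitigations() does that join.
    techniques = all_attack["techniques"]
    df = show_objects(
        techniques,
        "Number of Techniques in ATT&CK",
        ["matrix", "created", "tactic", "technique", "technique_id", "data_sources"],
    )
    # Count of rows whose matrix column equals 'mitre-attack'
    # (presumably the Enterprise subset -- the notebook does not say).
    print(len(df.loc[df["matrix"] == "mitre-attack"]))
    show_schema(df)  # schema covers Enterprise, PRE and Mobile techniques
    show_example(techniques)

    mitigations = all_attack["mitigations"]
    df = show_objects(mitigations, "Number of Mitigations in ATT&CK", MITIGATION_COLUMNS)
    show_schema(df)
    show_example(mitigations)

    groups = all_attack["groups"]
    df = show_objects(groups, "Number of Groups in ATT&CK", GROUP_COLUMNS)
    show_schema(df)
    show_example(groups)

    malware = all_attack["malware"]
    df = show_objects(malware, "Number of Malware in ATT&CK", SOFTWARE_COLUMNS)
    show_schema(df)
    show_example(malware)

    tools = all_attack["tools"]
    df = show_objects(tools, "Number of Tools in ATT&CK", SOFTWARE_COLUMNS)
    show_schema(df)
    show_example(tools)

    relationships = all_attack["relationships"]
    df = show_objects(relationships, "Number of Relationships in ATT&CK", RELATIONSHIP_COLUMNS)
    show_schema(df)
    show_example(relationships)

    # ----- Per-matrix views of the already collected results ---------------
    show_matrix(all_enterprise, "Enterprise ATT&CK", TECHNIQUE_COLUMNS, RELATIONSHIP_COLUMNS)
    show_matrix(
        all_pre,
        "PRE-ATT&CK",
        ["matrix", "tactic", "technique", "technique_id", "detectable_by_common_defenses"],
        RELATIONSHIP_COLUMNS,
    )
    # The notebook listed 'object id' here; every other relationship preview
    # uses 'id', so that is treated as a typo and the shared column set is used.
    show_matrix(
        all_mobile,
        "Mobile ATT&CK",
        ["matrix", "tactic", "technique", "technique_id", "tactic_type"],
        RELATIONSHIP_COLUMNS_WITH_DESCRIPTION,
    )

    # ----- Get STIX object types directly from the TAXII server -------------
    # Each call fetches one object type from one (or every) matrix, so there
    # is no need to download whole matrices as in the first section.
    show_objects(
        lift.get_all_enterprise_techniques(),
        "Number of Techniques in Enterprise ATT&CK",
        TECHNIQUE_COLUMNS + ["contributors"],
    )
    show_objects(
        lift.get_all_pre_techniques(),
        "Number of Techniques in PRE-ATT&CK",
        ["matrix", "tactic", "technique", "technique_id", "detectable_by_common_defenses", "contributors"],
    )
    show_objects(
        lift.get_all_mobile_techniques(),
        "Number of Techniques in Mobile ATT&CK",
        ["matrix", "id", "tactic", "technique", "tactic_type", "contributors"],
    )
    # Every technique across the framework, again without mitigation data.
    show_objects(lift.get_all_techniques(), "Number of Techniques in ATT&CK", TECHNIQUE_COLUMNS)

    show_objects(
        lift.get_all_enterprise_mitigations(),
        "Number of Mitigations in Enterprise ATT&CK",
        MITIGATION_COLUMNS,
    )
    show_objects(
        lift.get_all_mobile_mitigations(),
        "Number of Mitigations in Mobile ATT&CK",
        MITIGATION_COLUMNS,
    )
    show_objects(lift.get_all_mitigations(), "Number of Mitigations in ATT&CK", MITIGATION_COLUMNS)

    show_objects(lift.get_all_enterprise_groups(), "Number of Groups in Enterprise ATT&CK", GROUP_COLUMNS)
    show_objects(lift.get_all_pre_groups(), "Number of Groups in PRE-ATT&CK", GROUP_COLUMNS)
    show_objects(lift.get_all_mobile_groups(), "Number of Groups in Mobile ATT&CK", GROUP_COLUMNS)
    # get_all_groups() gathers the groups of every matrix and returns the
    # unique ones, because a group can appear in more than one matrix.
    show_objects(lift.get_all_groups(), "Number of Groups in ATT&CK", GROUP_COLUMNS)

    # Software = malware and tools from Enterprise and Mobile.
    show_objects(lift.get_all_software(), "Number of Software in ATT&CK", SOFTWARE_COLUMNS)

    show_objects(
        lift.get_all_enterprise_relationships(),
        "Number of Relationships in Enterprise ATT&CK",
        RELATIONSHIP_COLUMNS_WITH_DESCRIPTION,
    )
    show_objects(
        lift.get_all_pre_relationships(),
        "Number of Relationships in PRE-ATT&CK",
        RELATIONSHIP_COLUMNS_WITH_DESCRIPTION,
    )
    show_objects(
        lift.get_all_mobile_relationships(),
        "Number of Relationships in Mobile ATT&CK",
        RELATIONSHIP_COLUMNS_WITH_DESCRIPTION,
    )
    show_objects(
        lift.get_all_relationships(),
        "Number of Relationships in ATT&CK",
        RELATIONSHIP_COLUMNS_WITH_DESCRIPTION,
    )


if __name__ == "__main__":
    main()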