from attackcti import attack_client
import pandas
# json_normalize lives in pandas.io.json for pandas 0.25; it moved to the top-level pandas namespace in 1.0
from pandas.io.json import json_normalize
import json
pandas.__version__
'0.25.0'
lift = attack_client()
Collect ALL Enterprise ATT&CK (TAXII)
%time all_enterprise = lift.get_enterprise()
CPU times: user 5.18 s, sys: 820 ms, total: 6 s
Wall time: 11.7 s
Collect ALL PRE-ATT&CK (TAXII)
%time all_pre = lift.get_pre()
CPU times: user 170 ms, sys: 100 ms, total: 270 ms
Wall time: 1.52 s
Collect ALL Mobile ATT&CK (TAXII)
%time all_mobile = lift.get_mobile()
CPU times: user 640 ms, sys: 120 ms, total: 760 ms
Wall time: 2.98 s
The get_stix_objects() function returns a dictionary with all the STIX object types from all matrices:
%time all_attack = lift.get_stix_objects()
CPU times: user 51 s, sys: 730 ms, total: 51.7 s
Wall time: 1min
type(all_attack)
dict
print("Number of Techniques in ATT&CK")
print(len(all_attack['techniques']))
Number of Techniques in ATT&CK
500
techniques = []
for t in all_attack['techniques']:
techniques.append(json.loads(t.serialize()))
df = json_normalize(techniques)
df.reindex(['created','name', 'x_mitre_data_sources', 'x_mitre_platforms'], axis=1)[0:5]
| | created | name | x_mitre_data_sources | x_mitre_platforms |
---|---|---|---|---|
0 | 2019-04-25T20:53:07.719Z | Compile After Delivery | [Process command-line parameters, Process moni... | [Linux, macOS, Windows] |
1 | 2019-04-23T15:34:30.008Z | Systemd Service | [Process command-line parameters, Process moni... | [Linux] |
2 | 2019-04-18T11:00:55.862Z | Endpoint Denial of Service | [SSL/TLS inspection, Web logs, Web application... | [Linux, macOS, Windows] |
3 | 2019-04-17T22:22:24.505Z | Virtualization/Sandbox Evasion | [Process monitoring, Process command-line para... | [Windows] |
4 | 2019-04-17T20:23:15.105Z | Network Denial of Service | [Sensor health and status, Network protocol an... | [Linux, macOS, Windows] |
Showing the schema of Techniques
This schema covers techniques from Enterprise, PRE and Mobile ATT&CK
list(df)
['external_references', 'object_marking_refs', 'type', 'modified', 'created_by_ref', 'kill_chain_phases', 'id', 'name', 'created', 'description', 'x_mitre_contributors', 'x_mitre_permissions_required', 'x_mitre_data_sources', 'x_mitre_detection', 'x_mitre_platforms', 'x_mitre_version', 'x_mitre_system_requirements', 'x_mitre_defense_bypassed', 'x_mitre_impact_type', 'x_mitre_remote_support', 'x_mitre_effective_permissions', 'x_mitre_network_requirements', 'x_mitre_detectable_by_common_defenses', 'x_mitre_difficulty_for_adversary_explanation', 'x_mitre_old_attack_id', 'x_mitre_difficulty_for_adversary', 'x_mitre_detectable_by_common_defenses_explanation', 'x_mitre_deprecated', 'x_mitre_tactic_type', 'revoked']
Showing one technique example
techniques[0]
{'external_references': [{'external_id': 'T1500', 'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/techniques/T1500'}, {'url': 'https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf', 'source_name': 'ClearSky MuddyWater Nov 2018', 'description': 'ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.'}, {'url': 'https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/', 'source_name': 'TrendMicro WindowsAppMac', 'description': 'Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads Info Stealer and Adware. Retrieved April 25, 2019.'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'type': 'attack-pattern', 'modified': '2019-04-29T21:13:49.686Z', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'kill_chain_phases': [{'phase_name': 'defense-evasion', 'kill_chain_name': 'mitre-attack'}], 'id': 'attack-pattern--cf7b3a06-8b42-4c33-bbe9-012120027925', 'name': 'Compile After Delivery', 'created': '2019-04-25T20:53:07.719Z', 'description': 'Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193). 
Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)\n', 'x_mitre_contributors': ['Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank', 'Praetorian'], 'x_mitre_permissions_required': ['User'], 'x_mitre_data_sources': ['Process command-line parameters', 'Process monitoring', 'File monitoring'], 'x_mitre_detection': 'Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. The compilation of payloads may also generate file creation and/or file write events. Look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these should only be used in specific and limited cases, like for software development.', 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'], 'x_mitre_version': '1.0', 'x_mitre_system_requirements': ['Compiler software (either native to the system or delivered by the adversary)'], 'x_mitre_defense_bypassed': ['Static File Analysis', 'Binary Analysis', 'Anti-virus', 'Host intrusion prevention systems', 'Signature-based detection']}
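The schema above shows that the ATT&CK ID (T1500) sits inside `external_references`, the tactic inside `kill_chain_phases`, and that `revoked` and `x_mitre_deprecated` are columns of the technique table, so some collected techniques carry those flags and a plain `len()` over-counts them. The block below is an added example, not code from the attackcti notebook or library: it flattens technique dicts of the shape returned by `json.loads(t.serialize())` into one row per technique and tallies which data sources observe the most techniques. The sample techniques and their ids are constructed; the `mitre-pre-attack` and `mitre-mobile-attack` source names for the other two matrices are assumed from the MITRE CTI STIX data, since only `mitre-attack` appears on this page.

```python
from collections import Counter

# source_name / kill_chain_name values used by the MITRE CTI STIX data for the three
# matrices merged by get_stix_objects(); only "mitre-attack" is visible on this page,
# the other two are assumed.
MATRIX_OF = {"mitre-attack": "enterprise",
             "mitre-pre-attack": "pre",
             "mitre-mobile-attack": "mobile"}

# Constructed sample objects shaped like json.loads(t.serialize()) output; ids are placeholders.
SAMPLE_TECHNIQUES = [
    {   # enterprise technique, shaped like techniques[0] above
        "type": "attack-pattern",
        "id": "attack-pattern--00000000-0000-4000-8000-000000000001",
        "name": "Compile After Delivery",
        "external_references": [
            {"external_id": "T1500", "source_name": "mitre-attack",
             "url": "https://attack.mitre.org/techniques/T1500"},
            {"source_name": "ClearSky MuddyWater Nov 2018",
             "url": "https://example.invalid/muddywater"},   # placeholder citation url
        ],
        "kill_chain_phases": [{"phase_name": "defense-evasion", "kill_chain_name": "mitre-attack"}],
        "x_mitre_platforms": ["Linux", "macOS", "Windows"],
        "x_mitre_data_sources": ["Process command-line parameters", "Process monitoring",
                                 "File monitoring"],
    },
    {   # mobile technique: different source_name, and no data sources field at all
        "type": "attack-pattern",
        "id": "attack-pattern--00000000-0000-4000-8000-000000000002",
        "name": "Sample Mobile Technique",
        "external_references": [{"external_id": "T9901", "source_name": "mitre-mobile-attack"}],
        "kill_chain_phases": [{"phase_name": "collection", "kill_chain_name": "mitre-mobile-attack"}],
        "x_mitre_platforms": ["Android"],
    },
    {   # revoked technique: still present in the collected list
        "type": "attack-pattern",
        "id": "attack-pattern--00000000-0000-4000-8000-000000000003",
        "name": "Sample Revoked Technique",
        "revoked": True,
        "external_references": [{"external_id": "T9902", "source_name": "mitre-attack"}],
        "kill_chain_phases": [{"phase_name": "execution", "kill_chain_name": "mitre-attack"}],
        "x_mitre_platforms": ["Windows"],
        "x_mitre_data_sources": ["Process monitoring"],
    },
]


def attack_ref(obj):
    """The external reference that carries the ATT&CK id (T1500, G0093, ...), or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in MATRIX_OF and "external_id" in ref:
            return ref
    return None


def is_active(obj):
    """False for objects ATT&CK has revoked or deprecated; both flags are optional keys."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def flatten_techniques(techniques, include_inactive=False):
    """One flat row per technique; pandas.DataFrame(rows) turns the result into a table."""
    rows = []
    for t in techniques:
        if not include_inactive and not is_active(t):
            continue
        ref = attack_ref(t)
        rows.append({
            "technique_id": ref["external_id"] if ref else None,
            "matrix": MATRIX_OF[ref["source_name"]] if ref else None,
            "name": t["name"],
            "tactics": sorted(p["phase_name"] for p in t.get("kill_chain_phases", [])
                              if p.get("kill_chain_name") in MATRIX_OF),
            "platforms": list(t.get("x_mitre_platforms", [])),
            "data_sources": list(t.get("x_mitre_data_sources", [])),
        })
    return rows


def data_source_coverage(rows):
    """Number of techniques each data source can observe: a first cut at prioritising
    which logs to collect for detection."""
    return Counter(ds for row in rows for ds in row["data_sources"])


if __name__ == "__main__":
    active = flatten_techniques(SAMPLE_TECHNIQUES)
    for row in active:
        print(row["technique_id"], row["matrix"], row["name"], row["tactics"])
    print("active:", len(active), "including revoked/deprecated:",
          len(flatten_techniques(SAMPLE_TECHNIQUES, include_inactive=True)))
    print(data_source_coverage(active).most_common(3))
```

On the live data the same call runs over `techniques` as built above; the difference between `len(all_attack['techniques'])` and `len(flatten_techniques(techniques))` is the number of revoked or deprecated entries, which is worth knowing before reporting coverage numbers.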
print("Number of Mitigations in ATT&CK")
print(len(all_attack['mitigations']))
Number of Mitigations in ATT&CK
295
mitigations = []
for t in all_attack['mitigations']:
mitigations.append(json.loads(t.serialize()))
df = json_normalize(mitigations)
df[0:4]
| | created_by_ref | description | type | name | object_marking_refs | id | external_references | modified | created | x_mitre_version | x_mitre_deprecated | x_mitre_old_attack_id |
---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | This category is to associate techniques that ... | course-of-action | Do Not Mitigate | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--787fb64d-c87b-4ee5-a341-0ef1... | [{'external_id': 'M1055', 'source_name': 'mitr... | 2019-07-23T14:44:24.727Z | 2019-07-19T14:58:42.715Z | 1.0 | NaN | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Implement configuration changes to software (o... | course-of-action | Software Configuration | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... | [{'external_id': 'M1054', 'source_name': 'mitr... | 2019-07-19T14:57:15.656Z | 2019-07-19T14:40:23.529Z | 1.0 | NaN | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Take and store data backups from end user syst... | course-of-action | Data Backup | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... | [{'external_id': 'M1053', 'source_name': 'mitr... | 2019-07-19T14:33:33.543Z | 2019-07-19T14:33:33.543Z | 1.0 | NaN | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Configure Windows User Account Control to miti... | course-of-action | User Account Control | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--2c2ad92a-d710-41ab-a996-1db1... | [{'external_id': 'M1052', 'source_name': 'mitr... | 2019-06-11T17:14:35.170Z | 2019-06-11T17:14:35.170Z | 1.0 | NaN | NaN |
list(df)
['created_by_ref', 'description', 'type', 'name', 'object_marking_refs', 'id', 'external_references', 'modified', 'created', 'x_mitre_version', 'x_mitre_deprecated', 'x_mitre_old_attack_id']
print("Number of Groups in ATT&CK")
print(len(all_attack['groups']))
Number of Groups in ATT&CK
93
groups = []
for t in all_attack['groups']:
groups.append(json.loads(t.serialize()))
df = json_normalize(groups)
df[0:4]
| | created_by_ref | description | aliases | id | external_references | modified | type | created | object_marking_refs | name | x_mitre_version | x_mitre_contributors | revoked |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Operation [Soft Cell](https://attack.mitre.org... | [Soft Cell] | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | [{'external_id': 'G0093', 'source_name': 'mitr... | 2019-07-22T15:49:28.637Z | intrusion-set | 2019-07-18T20:47:50.050Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | Soft Cell | 1.0 | [Cybereason Nocturnus, @nocturnus] | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [TA505](https://attack.mitre.org/groups/G0092)... | [TA505] | intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb... | [{'external_id': 'G0092', 'source_name': 'mitr... | 2019-06-24T19:11:41.060Z | intrusion-set | 2019-05-28T15:54:17.213Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | TA505 | 1.0 | NaN | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Silence](https://attack.mitre.org/groups/G009... | [Silence] | intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb... | [{'external_id': 'G0091', 'source_name': 'mitr... | 2019-07-16T16:12:09.085Z | intrusion-set | 2019-05-24T17:57:36.491Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | Silence | 1.0 | [Oleg Skulkin, Group-IB] | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [WIRTE](https://attack.mitre.org/groups/G0090)... | [WIRTE] | intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3... | [{'external_id': 'G0090', 'source_name': 'mitr... | 2019-06-20T15:30:38.517Z | intrusion-set | 2019-05-24T17:02:44.226Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | WIRTE | 1.0 | [Lab52 by S2 Grupo] | NaN |
Showing the schema of Groups
list(df)
['created_by_ref', 'description', 'aliases', 'id', 'external_references', 'modified', 'type', 'created', 'object_marking_refs', 'name', 'x_mitre_version', 'x_mitre_contributors', 'revoked']
Showing one Group example
groups[0]
{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'description': 'Operation [Soft Cell](https://attack.mitre.org/groups/G0093) is a group that is reportedly affiliated with China and is likely state-sponsored. The group has operated since at least 2012 and has compromised high-profile telecommunications networks.(Citation: Cybereason Soft Cell June 2019)', 'aliases': ['Soft Cell'], 'id': 'intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258', 'external_references': [{'external_id': 'G0093', 'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G0093'}, {'source_name': 'Soft Cell', 'description': '(Citation: Cybereason Soft Cell June 2019)'}, {'source_name': 'Cybereason Soft Cell June 2019', 'description': 'Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.', 'url': 'https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers'}], 'modified': '2019-07-22T15:49:28.637Z', 'type': 'intrusion-set', 'created': '2019-07-18T20:47:50.050Z', 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'name': 'Soft Cell', 'x_mitre_version': '1.0', 'x_mitre_contributors': ['Cybereason Nocturnus, @nocturnus']}
print("Number of Malware in ATT&CK")
print(len(all_attack['malware']))
Number of Malware in ATT&CK
341
malware = []
for t in all_attack['malware']:
malware.append(json.loads(t.serialize()))
df = json_normalize(malware)
df[0:4]
| | created_by_ref | description | id | external_references | object_marking_refs | modified | type | created | name | labels | x_mitre_version | x_mitre_platforms | x_mitre_aliases | x_mitre_contributors | revoked | x_mitre_old_attack_id |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [HyperBro ](https://attack.mitre.org/software/... | malware--5e814485-012d-423d-b769-026bfed0f451 | [{'external_id': 'S0398', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-14T21:14:18.656Z | malware | 2019-07-09T17:42:44.777Z | HyperBro | [malware] | 1.0 | [Windows] | [HyperBro ] | NaN | NaN | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [LoJax](https://attack.mitre.org/software/S039... | malware--b865dded-0553-4962-a44b-6fe7863effed | [{'external_id': 'S0397', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-02T20:53:26.470Z | malware | 2019-07-02T12:58:09.598Z | LoJax | [malware] | 1.0 | [Windows] | [LoJax] | [Jean-Ian Boutin, ESET] | NaN | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [EvilBunny](https://attack.mitre.org/software/... | malware--a8a778f5-0035-4870-bb25-53dc05029586 | [{'external_id': 'S0396', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-01T18:16:32.917Z | malware | 2019-06-28T17:40:32.217Z | EvilBunny | [malware] | 1.0 | [Windows] | [EvilBunny] | [ESET] | NaN | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [LightNeuron](https://attack.mitre.org/softwar... | malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb | [{'external_id': 'S0395', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-16T17:12:00.360Z | malware | 2019-06-28T13:09:26.710Z | LightNeuron | [malware] | 1.0 | [Windows, Linux] | [LightNeuron] | NaN | NaN | NaN |
Showing the schema of Malware
list(df)
['created_by_ref', 'description', 'id', 'external_references', 'object_marking_refs', 'modified', 'type', 'created', 'name', 'labels', 'x_mitre_version', 'x_mitre_platforms', 'x_mitre_aliases', 'x_mitre_contributors', 'revoked', 'x_mitre_old_attack_id']
Showing one Malware example
malware[0]
{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'description': '[HyperBro ](https://attack.mitre.org/software/S0398) is a custom in-memory backdoor used by [Threat Group-3390](https://attack.mitre.org/groups/G0027).(Citation: Unit42 Emissary Panda May 2019)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)', 'id': 'malware--5e814485-012d-423d-b769-026bfed0f451', 'external_references': [{'external_id': 'S0398', 'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/software/S0398'}, {'source_name': 'HyperBro ', 'description': '(Citation: Unit42 Emissary Panda May 2019)'}, {'source_name': 'Unit42 Emissary Panda May 2019', 'description': 'Falcone, R. and Lancaster, T.. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.', 'url': 'https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/'}, {'source_name': 'Securelist LuckyMouse June 2018', 'description': 'Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.', 'url': 'https://securelist.com/luckymouse-hits-national-data-center/86083/'}, {'source_name': 'Hacker News LuckyMouse June 2018', 'description': 'Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.', 'url': 'https://thehackernews.com/2018/06/chinese-watering-hole-attack.html'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'modified': '2019-07-14T21:14:18.656Z', 'type': 'malware', 'created': '2019-07-09T17:42:44.777Z', 'name': 'HyperBro ', 'labels': ['malware'], 'x_mitre_version': '1.0', 'x_mitre_platforms': ['Windows'], 'x_mitre_aliases': ['HyperBro ']}
print("Number of Tools in ATT&CK")
print(len(all_attack['tools']))
Number of Tools in ATT&CK
57
tools = []
for t in all_attack['tools']:
tools.append(json.loads(t.serialize()))
df = json_normalize(tools)
df[0:4]
| | created_by_ref | description | id | external_references | object_marking_refs | modified | type | created | name | labels | x_mitre_version | x_mitre_platforms | x_mitre_aliases | x_mitre_contributors | x_mitre_old_attack_id |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [PoshC2](https://attack.mitre.org/software/S03... | tool--4b57c098-f043-4da2-83ef-7588a6d426bc | [{'external_id': 'S0378', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-04-23T18:29:12.005Z | tool | 2019-04-23T12:31:58.125Z | PoshC2 | [tool] | 1.0 | [Windows, Linux, macOS] | [PoshC2] | NaN | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [RawDisk](https://attack.mitre.org/software/S0... | tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079 | [{'external_id': 'S0364', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-04-19T19:04:55.892Z | tool | 2019-03-25T12:30:40.919Z | RawDisk | [tool] | 1.0 | [Windows] | [RawDisk] | NaN | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Empire](https://attack.mitre.org/software/S03... | tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3 | [{'external_id': 'S0363', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-06-24T17:15:43.818Z | tool | 2019-03-11T14:13:40.648Z | Empire | [tool] | 1.0 | [Linux, macOS, Windows] | [Empire, EmPyre, PowerShell Empire] | NaN | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Expand](https://attack.mitre.org/software/S03... | tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973 | [{'external_id': 'S0361', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-04-19T18:52:30.033Z | tool | 2019-02-19T19:17:14.971Z | Expand | [tool] | 1.0 | [Windows] | [Expand] | [Matthew Demaske, Adaptforward] | NaN |
Showing the schema of Tools
list(df)
['created_by_ref', 'description', 'id', 'external_references', 'object_marking_refs', 'modified', 'type', 'created', 'name', 'labels', 'x_mitre_version', 'x_mitre_platforms', 'x_mitre_aliases', 'x_mitre_contributors', 'x_mitre_old_attack_id']
Showing one Tool example
tools[0]
{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'description': '[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://attack.mitre.org/techniques/T1086). Although [PoshC2](https://attack.mitre.org/software/S0378) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)', 'id': 'tool--4b57c098-f043-4da2-83ef-7588a6d426bc', 'external_references': [{'external_id': 'S0378', 'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/software/S0378'}, {'source_name': 'GitHub PoshC2', 'description': 'Nettitude. (2016, June 8). PoshC2: Powershell C2 Server and Implants. Retrieved April 23, 2019.', 'url': 'https://github.com/nettitude/PoshC2'}], 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'modified': '2019-04-23T18:29:12.005Z', 'type': 'tool', 'created': '2019-04-23T12:31:58.125Z', 'name': 'PoshC2', 'labels': ['tool'], 'x_mitre_version': '1.0', 'x_mitre_platforms': ['Windows', 'Linux', 'macOS'], 'x_mitre_aliases': ['PoshC2']}
print("Number of Relationships in ATT&CK")
print(len(all_attack['relationships']))
Number of Relationships in ATT&CK
6067
relationships = []
for t in all_attack['relationships']:
relationships.append(json.loads(t.serialize()))
df = json_normalize(relationships)
df[0:4]
| | created_by_ref | description | type | created | object_marking_refs | id | external_references | modified | source_ref | relationship_type | target_ref |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Soft Cell](https://attack.mitre.org/groups/G0... | relationship | 2019-07-22T15:49:28.744Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--380743e5-616c-4524-96e6-d545e5b6... | [{'source_name': 'Cybereason Soft Cell June 20... | 2019-07-22T15:49:28.744Z | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | uses | attack-pattern--92d7da27-2d91-488e-a00c-059dc1... |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Soft Cell](https://attack.mitre.org/groups/G0... | relationship | 2019-07-22T15:35:24.376Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--919f6143-eb8c-48cd-8741-118040c3... | [{'source_name': 'Cybereason Soft Cell June 20... | 2019-07-22T15:49:29.135Z | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | uses | attack-pattern--00d0b012-8a03-410e-95de-5826bf... |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Soft Cell](https://attack.mitre.org/groups/G0... | relationship | 2019-07-22T15:35:24.363Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--ee4d1b24-603f-40df-8f21-3c053fba... | [{'source_name': 'Cybereason Soft Cell June 20... | 2019-07-22T15:49:29.090Z | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | uses | attack-pattern--c23b740b-a42b-47a1-aec2-9d48dd... |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Soft Cell](https://attack.mitre.org/groups/G0... | relationship | 2019-07-22T15:35:24.351Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--38be247c-74b0-42f3-964e-5f23ef42... | [{'source_name': 'Cybereason Soft Cell June 20... | 2019-07-22T15:49:29.092Z | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | uses | attack-pattern--3c4a2599-71ee-4405-ba1e-0e2841... |
Showing the schema of Relationships
list(df)
['created_by_ref', 'description', 'type', 'created', 'object_marking_refs', 'id', 'external_references', 'modified', 'source_ref', 'relationship_type', 'target_ref']
Showing one Relationship example
relationships[0]
{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'description': '[Soft Cell](https://attack.mitre.org/groups/G0093) used Web shells and [HTRAN](https://attack.mitre.org/software/S0040) for C2 as well as to exfiltrate data.', 'type': 'relationship', 'created': '2019-07-22T15:49:28.744Z', 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'id': 'relationship--380743e5-616c-4524-96e6-d545e5b653ea', 'external_references': [{'source_name': 'Cybereason Soft Cell June 2019', 'description': 'Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.', 'url': 'https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers'}], 'modified': '2019-07-22T15:49:28.744Z', 'source_ref': 'intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258', 'relationship_type': 'uses', 'target_ref': 'attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d'}
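A relationship carries only STIX ids in `source_ref` and `target_ref`, so answering "which techniques does this group use" means joining the relationships against the group, software and technique objects collected above. The block below is an added example, not code from the attackcti notebook or library: it builds that id index, resolves `uses` relationships into a named table, and reports references it cannot resolve (for instance an object from a matrix that was not collected) instead of silently dropping them. It also follows the group → software → technique hop, since ATT&CK attributes many techniques to a group only through the malware or tool the group uses. Every object, id and name in it is a constructed placeholder.

```python
from collections import defaultdict

# source_name values used by the MITRE CTI STIX data for the three matrices; only
# "mitre-attack" is visible on this page, the other two are assumed.
ATTACK_SOURCE_NAMES = {"mitre-attack", "mitre-pre-attack", "mitre-mobile-attack"}


def attack_id(obj):
    """ATT&CK external id (G0093, S0398, T1500, ...) from external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in ATTACK_SOURCE_NAMES and "external_id" in ref:
            return ref["external_id"]
    return None


def build_index(*object_lists):
    """Map STIX id -> object across the groups, malware, tools, techniques, ... lists."""
    return {obj["id"]: obj for objects in object_lists for obj in objects}


def resolve_relationships(relationships, index, relationship_type="uses",
                          source_type=None, target_type=None):
    """Resolve source_ref/target_ref to named objects.

    Returns (rows, unresolved): one row per relationship of the requested type whose
    ends pass the optional STIX type filters, plus the ids of relationships whose
    source or target is missing from `index`, so the gap stays visible.
    """
    rows, unresolved = [], []
    for rel in relationships:
        if rel.get("relationship_type") != relationship_type:
            continue
        src = index.get(rel["source_ref"])
        dst = index.get(rel["target_ref"])
        if src is None or dst is None:
            unresolved.append(rel["id"])
            continue
        if source_type and src["type"] != source_type:
            continue
        if target_type and dst["type"] != target_type:
            continue
        rows.append({"source_id": attack_id(src), "source_name": src["name"],
                     "relationship": relationship_type,
                     "target_id": attack_id(dst), "target_name": dst["name"],
                     "description": rel.get("description", "")})
    return rows, unresolved


def techniques_used_by_group(group_id, relationships, index):
    """Technique ids a group uses directly or through the malware/tools it uses."""
    uses = defaultdict(set)
    for rel in relationships:
        if rel.get("relationship_type") == "uses":
            uses[rel["source_ref"]].add(rel["target_ref"])

    def technique_ids(targets):
        return {attack_id(index[t]) for t in targets
                if t in index and index[t]["type"] == "attack-pattern"}

    found = technique_ids(uses[group_id])
    for target in uses[group_id]:
        if target in index and index[target]["type"] in ("malware", "tool"):
            found |= technique_ids(uses[target])
    return sorted(found)


# Constructed sample objects (placeholder ids and names, not real ATT&CK entries),
# shaped like the json.loads(t.serialize()) output shown above.
def make_obj(stix_type, n, name, ext_id):
    return {"type": stix_type, "id": f"{stix_type}--00000000-0000-4000-8000-{n:012d}",
            "name": name,
            "external_references": [{"external_id": ext_id, "source_name": "mitre-attack"}]}


def make_rel(n, rtype, src, dst, description=""):
    return {"type": "relationship", "id": f"relationship--00000000-0000-4000-8000-{n:012d}",
            "relationship_type": rtype, "source_ref": src, "target_ref": dst,
            "description": description}


GROUP = make_obj("intrusion-set", 1, "Sample Group", "G9901")
BACKDOOR = make_obj("malware", 2, "Sample Backdoor", "S9901")
TECH_A = make_obj("attack-pattern", 3, "Sample Technique A", "T9901")
TECH_B = make_obj("attack-pattern", 4, "Sample Technique B", "T9902")
MITIGATION = make_obj("course-of-action", 5, "Sample Mitigation", "M9901")
MISSING_REF = "attack-pattern--00000000-0000-4000-8000-000000000099"  # never collected

SAMPLE_RELATIONSHIPS = [
    make_rel(1, "uses", GROUP["id"], TECH_A["id"], "Sample Group used Technique A."),
    make_rel(2, "uses", GROUP["id"], BACKDOOR["id"]),
    make_rel(3, "uses", BACKDOOR["id"], TECH_B["id"]),
    make_rel(4, "mitigates", MITIGATION["id"], TECH_A["id"]),
    make_rel(5, "uses", GROUP["id"], MISSING_REF),
]
INDEX = build_index([GROUP], [BACKDOOR], [TECH_A, TECH_B], [MITIGATION])

if __name__ == "__main__":
    rows, unresolved = resolve_relationships(SAMPLE_RELATIONSHIPS, INDEX,
                                             source_type="intrusion-set",
                                             target_type="attack-pattern")
    for r in rows:
        print(f'{r["source_id"]} {r["source_name"]} -> {r["target_id"]} {r["target_name"]}')
    print("unresolved:", unresolved)
    print("group techniques incl. via software:",
          techniques_used_by_group(GROUP["id"], SAMPLE_RELATIONSHIPS, INDEX))
```

On the live data, `build_index(groups, malware, tools, techniques, mitigations)` over the lists built above gives the index, and `resolve_relationships(relationships, index)` the table; a non-empty `unresolved` list after collecting only one matrix is expected, since relationships can point at objects that live in another matrix.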
print("Number of Tactics in ATT&CK")
print(len(all_attack['tactics']))
Number of Tactics in ATT&CK
40
df = json_normalize(all_attack['tactics'])
df[0:4]
| | created_by_ref | description | type | name | object_marking_refs | id | external_references | modified | created | x_mitre_shortname |
---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | The adversary is trying to manipulate, interru... | x-mitre-tactic | Impact | [marking-definition--fa42a846-8d90-4e51-bc29-7... | x-mitre-tactic--5569339b-94c2-49ee-afb3-222293... | [{'external_id': 'TA0040', 'source_name': 'mit... | 2019-07-25T18:42:23.222Z | 2019-03-14T18:44:44.639Z | impact |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | The adversary is trying to gather data of inte... | x-mitre-tactic | Collection | [marking-definition--fa42a846-8d90-4e51-bc29-7... | x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d... | [{'external_id': 'TA0009', 'source_name': 'mit... | 2019-07-19T17:44:53.176Z | 2018-10-17T00:14:20.652Z | collection |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | The adversary is trying to communicate with co... | x-mitre-tactic | Command and Control | [marking-definition--fa42a846-8d90-4e51-bc29-7... | x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd1... | [{'external_id': 'TA0011', 'source_name': 'mit... | 2019-07-19T17:45:30.644Z | 2018-10-17T00:14:20.652Z | command-and-control |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | The adversary is trying to steal account names... | x-mitre-tactic | Credential Access | [marking-definition--fa42a846-8d90-4e51-bc29-7... | x-mitre-tactic--2558fd61-8c75-4730-94c4-11926d... | [{'external_id': 'TA0006', 'source_name': 'mit... | 2019-07-19T17:43:41.967Z | 2018-10-17T00:14:20.652Z | credential-access |
Showing the schema of Tactics
list(df)
['created_by_ref', 'description', 'type', 'name', 'object_marking_refs', 'id', 'external_references', 'modified', 'created', 'x_mitre_shortname']
print("Number of Matrices in ATT&CK")
print(len(all_attack['matrix']))
Number of Matrices in ATT&CK
4
df = json_normalize(all_attack['matrix'])
df[0:4]
| | external_references | object_marking_refs | id | name | created | modified | type | created_by_ref | description | tactic_refs |
---|---|---|---|---|---|---|---|---|---|---|
0 | [{'external_id': 'enterprise-attack', 'source_... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a8... | Enterprise ATT&CK | 2018-10-17T00:14:20.652Z | 2019-04-16T21:39:18.247Z | x-mitre-matrix | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | The full ATT&CK Matrix includes techniques spa... | [x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3be... |
1 | [{'external_id': 'pre-attack', 'source_name': ... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | x-mitre-matrix--2e2c97c3-1908-4e2d-a711-a27d38... | PRE-ATT&CK | 2018-10-17T00:14:20.652Z | 2018-11-06T19:05:34.143Z | x-mitre-matrix | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | The MITRE PRE-ATT&CK Matrix™ is an overview of... | [x-mitre-tactic--b2a086f2-d3db-408b-b4d4-e09a1... |
2 | [{'external_id': 'mobile-attack', 'source_name... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd... | Network-Based Effects | 2018-10-17T00:14:20.652Z | 2018-10-17T00:14:20.652Z | x-mitre-matrix | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | The MITRE ATT&CK Matrix™ provides a visual rep... | [x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc4... |
3 | [{'external_id': 'mobile-attack', 'source_name... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff0... | Device Access | 2018-10-17T00:14:20.652Z | 2018-10-17T00:14:20.652Z | x-mitre-matrix | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | The MITRE ATT&CK Matrix™ provides a visual rep... | [x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290... |
Showing the schema of Matrices
list(df)
['external_references', 'object_marking_refs', 'id', 'name', 'created', 'modified', 'type', 'created_by_ref', 'description', 'tactic_refs']
Enterprise Techniques
print("Number of Techniques in Enterprise ATT&CK")
print(len(all_enterprise['techniques']))
Number of Techniques in Enterprise ATT&CK
244
techniques = []
for t in all_enterprise['techniques']:
techniques.append(json.loads(t.serialize()))
df = json_normalize(techniques)
df[0:4]
| | external_references | object_marking_refs | type | modified | created_by_ref | kill_chain_phases | id | name | created | description | ... | x_mitre_data_sources | x_mitre_detection | x_mitre_platforms | x_mitre_version | x_mitre_system_requirements | x_mitre_defense_bypassed | x_mitre_impact_type | x_mitre_remote_support | x_mitre_effective_permissions | x_mitre_network_requirements |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | [{'external_id': 'T1500', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | attack-pattern | 2019-04-29T21:13:49.686Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'defense-evasion', 'kill_chain... | attack-pattern--cf7b3a06-8b42-4c33-bbe9-012120... | Compile After Delivery | 2019-04-25T20:53:07.719Z | Adversaries may attempt to make payloads diffi... | ... | [Process command-line parameters, Process moni... | Monitor the execution file paths and command-l... | [Linux, macOS, Windows] | 1.0 | [Compiler software (either native to the syste... | [Static File Analysis, Binary Analysis, Anti-v... | NaN | NaN | NaN | NaN |
1 | [{'external_id': 'T1501', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | attack-pattern | 2019-04-29T14:14:08.450Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'persistence', 'kill_chain_nam... | attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303... | Systemd Service | 2019-04-23T15:34:30.008Z | Systemd services can be used to establish pers... | ... | [Process command-line parameters, Process moni... | Systemd service unit files may be detected by ... | [Linux] | 1.0 | NaN | NaN | NaN | NaN | NaN | NaN |
2 | [{'external_id': 'T1499', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | attack-pattern | 2019-04-29T13:20:36.795Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'impact', 'kill_chain_name': '... | attack-pattern--c675646d-e204-4aa8-978d-e3d6d6... | Endpoint Denial of Service | 2019-04-18T11:00:55.862Z | Adversaries may perform Endpoint Denial of Ser... | ... | [SSL/TLS inspection, Web logs, Web application... | Detection of Endpoint DoS can sometimes be ach... | [Linux, macOS, Windows] | 1.0 | NaN | NaN | [Availability] | NaN | NaN | NaN |
3 | [{'external_id': 'T1497', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | attack-pattern | 2019-06-10T17:37:37.138Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'defense-evasion', 'kill_chain... | attack-pattern--82caa33e-d11a-433a-94ea-9b5a5f... | Virtualization/Sandbox Evasion | 2019-04-17T22:22:24.505Z | Adversaries may check for the presence of a vi... | ... | [Process monitoring, Process command-line para... | Virtualization, sandbox, and related discovery... | [Windows] | 1.0 | NaN | [Anti-virus, Host forensic analysis, Signature... | NaN | NaN | NaN | NaN |
4 rows × 22 columns
Enterprise Mitigations
print("Number of Mitigations in Enterprise ATT&CK")
print(len(all_enterprise['mitigations']))
Number of Mitigations in Enterprise ATT&CK
281
mitigations = []
for t in all_enterprise['mitigations']:
mitigations.append(json.loads(t.serialize()))
df = json_normalize(mitigations)
df[0:5]
| | created_by_ref | description | type | name | object_marking_refs | id | external_references | modified | created | x_mitre_version | x_mitre_deprecated |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | This category is to associate techniques that ... | course-of-action | Do Not Mitigate | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--787fb64d-c87b-4ee5-a341-0ef1... | [{'external_id': 'M1055', 'source_name': 'mitr... | 2019-07-23T14:44:24.727Z | 2019-07-19T14:58:42.715Z | 1.0 | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Implement configuration changes to software (o... | course-of-action | Software Configuration | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... | [{'external_id': 'M1054', 'source_name': 'mitr... | 2019-07-19T14:57:15.656Z | 2019-07-19T14:40:23.529Z | 1.0 | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Take and store data backups from end user syst... | course-of-action | Data Backup | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... | [{'external_id': 'M1053', 'source_name': 'mitr... | 2019-07-19T14:33:33.543Z | 2019-07-19T14:33:33.543Z | 1.0 | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Configure Windows User Account Control to miti... | course-of-action | User Account Control | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--2c2ad92a-d710-41ab-a996-1db1... | [{'external_id': 'M1052', 'source_name': 'mitr... | 2019-06-11T17:14:35.170Z | 2019-06-11T17:14:35.170Z | 1.0 | NaN |
4 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Perform regular software updates to mitigate e... | course-of-action | Update Software | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--e5d930e9-775a-40ad-9bdb-b941... | [{'external_id': 'M1051', 'source_name': 'mitr... | 2019-06-11T17:12:55.207Z | 2019-06-11T17:12:55.207Z | 1.0 | NaN |
Enterprise Groups
print("Number of Groups in Enterprise ATT&CK")
print(len(all_enterprise['groups']))
Number of Groups in Enterprise ATT&CK 93
groups = []
for t in all_enterprise['groups']:
    groups.append(json.loads(t.serialize()))
df = json_normalize(groups)
df[0:4]
created_by_ref | description | aliases | id | external_references | modified | type | created | object_marking_refs | name | x_mitre_version | x_mitre_contributors | revoked | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Operation [Soft Cell](https://attack.mitre.org... | [Soft Cell] | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | [{'external_id': 'G0093', 'source_name': 'mitr... | 2019-07-22T15:49:28.637Z | intrusion-set | 2019-07-18T20:47:50.050Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | Soft Cell | 1.0 | [Cybereason Nocturnus, @nocturnus] | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [TA505](https://attack.mitre.org/groups/G0092)... | [TA505] | intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb... | [{'external_id': 'G0092', 'source_name': 'mitr... | 2019-06-24T19:11:41.060Z | intrusion-set | 2019-05-28T15:54:17.213Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | TA505 | 1.0 | NaN | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Silence](https://attack.mitre.org/groups/G009... | [Silence] | intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb... | [{'external_id': 'G0091', 'source_name': 'mitr... | 2019-07-16T16:12:09.085Z | intrusion-set | 2019-05-24T17:57:36.491Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | Silence | 1.0 | [Oleg Skulkin, Group-IB] | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [WIRTE](https://attack.mitre.org/groups/G0090)... | [WIRTE] | intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3... | [{'external_id': 'G0090', 'source_name': 'mitr... | 2019-06-20T15:30:38.517Z | intrusion-set | 2019-05-24T17:02:44.226Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | WIRTE | 1.0 | [Lab52 by S2 Grupo] | NaN |
Enterprise Malware
print("Number of Malware objects in Enterprise ATT&CK")
print(len(all_enterprise['malware']))
Number of Malware objects in Enterprise ATT&CK 297
malware = []
for t in all_enterprise['malware']:
    malware.append(json.loads(t.serialize()))
df = json_normalize(malware)
df[0:4]
created_by_ref | description | id | external_references | object_marking_refs | modified | type | created | name | labels | x_mitre_version | x_mitre_platforms | x_mitre_aliases | x_mitre_contributors | revoked | x_mitre_old_attack_id | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [HyperBro ](https://attack.mitre.org/software/... | malware--5e814485-012d-423d-b769-026bfed0f451 | [{'external_id': 'S0398', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-14T21:14:18.656Z | malware | 2019-07-09T17:42:44.777Z | HyperBro | [malware] | 1.0 | [Windows] | [HyperBro ] | NaN | NaN | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [LoJax](https://attack.mitre.org/software/S039... | malware--b865dded-0553-4962-a44b-6fe7863effed | [{'external_id': 'S0397', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-02T20:53:26.470Z | malware | 2019-07-02T12:58:09.598Z | LoJax | [malware] | 1.0 | [Windows] | [LoJax] | [Jean-Ian Boutin, ESET] | NaN | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [EvilBunny](https://attack.mitre.org/software/... | malware--a8a778f5-0035-4870-bb25-53dc05029586 | [{'external_id': 'S0396', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-01T18:16:32.917Z | malware | 2019-06-28T17:40:32.217Z | EvilBunny | [malware] | 1.0 | [Windows] | [EvilBunny] | [ESET] | NaN | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [LightNeuron](https://attack.mitre.org/softwar... | malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb | [{'external_id': 'S0395', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-16T17:12:00.360Z | malware | 2019-06-28T13:09:26.710Z | LightNeuron | [malware] | 1.0 | [Windows, Linux] | [LightNeuron] | NaN | NaN | NaN |
Enterprise Tools
print("Number of Tools in Enterprise ATT&CK")
print(len(all_enterprise['tools']))
Number of Tools in Enterprise ATT&CK 56
tools = []
for t in all_enterprise['tools']:
    tools.append(json.loads(t.serialize()))
df = json_normalize(tools)
df[0:4]
created_by_ref | description | id | external_references | object_marking_refs | modified | type | created | name | labels | x_mitre_version | x_mitre_platforms | x_mitre_aliases | x_mitre_contributors | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [PoshC2](https://attack.mitre.org/software/S03... | tool--4b57c098-f043-4da2-83ef-7588a6d426bc | [{'external_id': 'S0378', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-04-23T18:29:12.005Z | tool | 2019-04-23T12:31:58.125Z | PoshC2 | [tool] | 1.0 | [Windows, Linux, macOS] | [PoshC2] | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [RawDisk](https://attack.mitre.org/software/S0... | tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079 | [{'external_id': 'S0364', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-04-19T19:04:55.892Z | tool | 2019-03-25T12:30:40.919Z | RawDisk | [tool] | 1.0 | [Windows] | [RawDisk] | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Empire](https://attack.mitre.org/software/S03... | tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3 | [{'external_id': 'S0363', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-06-24T17:15:43.818Z | tool | 2019-03-11T14:13:40.648Z | Empire | [tool] | 1.0 | [Linux, macOS, Windows] | [Empire, EmPyre, PowerShell Empire] | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Expand](https://attack.mitre.org/software/S03... | tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973 | [{'external_id': 'S0361', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-04-19T18:52:30.033Z | tool | 2019-02-19T19:17:14.971Z | Expand | [tool] | 1.0 | [Windows] | [Expand] | [Matthew Demaske, Adaptforward] |
Enterprise Relationships
print("Number of Relationships in Enterprise ATT&CK")
print(len(all_enterprise['relationships']))
Number of Relationships in Enterprise ATT&CK 5675
relations = []
for t in all_enterprise['relationships']:
    relations.append(json.loads(t.serialize()))
df = json_normalize(relations)
df[0:4]
created_by_ref | description | type | created | object_marking_refs | id | external_references | modified | source_ref | relationship_type | target_ref | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Soft Cell](https://attack.mitre.org/groups/G0... | relationship | 2019-07-22T15:49:28.744Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--380743e5-616c-4524-96e6-d545e5b6... | [{'source_name': 'Cybereason Soft Cell June 20... | 2019-07-22T15:49:28.744Z | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | uses | attack-pattern--92d7da27-2d91-488e-a00c-059dc1... |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Soft Cell](https://attack.mitre.org/groups/G0... | relationship | 2019-07-22T15:35:24.376Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--919f6143-eb8c-48cd-8741-118040c3... | [{'source_name': 'Cybereason Soft Cell June 20... | 2019-07-22T15:49:29.135Z | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | uses | attack-pattern--00d0b012-8a03-410e-95de-5826bf... |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Soft Cell](https://attack.mitre.org/groups/G0... | relationship | 2019-07-22T15:35:24.363Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--ee4d1b24-603f-40df-8f21-3c053fba... | [{'source_name': 'Cybereason Soft Cell June 20... | 2019-07-22T15:49:29.090Z | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | uses | attack-pattern--c23b740b-a42b-47a1-aec2-9d48dd... |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Soft Cell](https://attack.mitre.org/groups/G0... | relationship | 2019-07-22T15:35:24.351Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--38be247c-74b0-42f3-964e-5f23ef42... | [{'source_name': 'Cybereason Soft Cell June 20... | 2019-07-22T15:49:29.092Z | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | uses | attack-pattern--3c4a2599-71ee-4405-ba1e-0e2841... |
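The relationship tables above only show STIX ids in source_ref and target_ref, so the frame by itself does not tell you which group uses which technique, or which mitigation applies where. The following is an added example, not code from the original notebook or from the attackcti library: it resolves relationship objects into ATT&CK ids (G…, T…, M…) by joining them against the other objects in the same bundle, using the same serialized-dict shape the notebook produces with json.loads(t.serialize()). The sample objects, their ids and names are constructed placeholders, and the resolver uses only the standard library so it runs without pandas or a TAXII connection.

```python
# Added example (not from the notebook or the attackcti project): join ATT&CK
# relationship objects to the groups, techniques and mitigations they reference.
# All objects below are constructed samples shaped like the notebook's serialized
# STIX 2.0 dicts; the ids and names are placeholders, not real ATT&CK entries.
from collections import defaultdict

G_ID = "intrusion-set--00000000-0000-0000-0000-000000000001"
TA_ID = "attack-pattern--00000000-0000-0000-0000-000000000002"
TB_ID = "attack-pattern--00000000-0000-0000-0000-000000000003"
M_ID = "course-of-action--00000000-0000-0000-0000-000000000004"
MISSING_ID = "attack-pattern--00000000-0000-0000-0000-000000000099"  # not in the bundle

SAMPLE_OBJECTS = [
    {"type": "intrusion-set", "id": G_ID, "name": "Example Group",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G9999"}]},
    {"type": "attack-pattern", "id": TA_ID, "name": "Example Technique A",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9001"}]},
    # a revoked technique: still referenced by relationships, usually not wanted in reports
    {"type": "attack-pattern", "id": TB_ID, "name": "Example Technique B", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9002"}]},
    {"type": "course-of-action", "id": M_ID, "name": "Example Mitigation",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M9001"}]},
    {"type": "relationship", "relationship_type": "uses", "source_ref": G_ID, "target_ref": TA_ID},
    {"type": "relationship", "relationship_type": "uses", "source_ref": G_ID, "target_ref": TB_ID},
    {"type": "relationship", "relationship_type": "mitigates", "source_ref": M_ID, "target_ref": TA_ID},
    # dangling reference: the target object is not part of this bundle
    {"type": "relationship", "relationship_type": "uses", "source_ref": G_ID, "target_ref": MISSING_ID},
]


def attack_id(obj):
    """Return the ATT&CK external id (T1499, G0093, M1055 ...) of a STIX object, or None.

    The id lives in external_references under source_name 'mitre-attack', as in the
    notebook's external_references column.
    """
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def index_by_stix_id(objects):
    """Map STIX id -> object for every non-relationship object in the bundle."""
    return {o["id"]: o for o in objects if o["type"] != "relationship"}


def resolve_relationships(objects, relationship_type, include_revoked=False):
    """Return ({source ATT&CK id: sorted target ATT&CK ids}, [dangling relationships]).

    Only relationships of the given type ('uses', 'mitigates', 'related-to' ...) are
    considered. A relationship whose source or target is missing from the bundle is
    returned in the dangling list instead of being silently dropped, and revoked or
    deprecated targets are skipped unless include_revoked is set.
    """
    by_id = index_by_stix_id(objects)
    resolved = defaultdict(set)
    dangling = []
    for rel in objects:
        if rel["type"] != "relationship" or rel["relationship_type"] != relationship_type:
            continue
        src = by_id.get(rel["source_ref"])
        dst = by_id.get(rel["target_ref"])
        if src is None or dst is None:
            dangling.append(rel)
            continue
        if not include_revoked and (dst.get("revoked") or dst.get("x_mitre_deprecated")):
            continue
        resolved[attack_id(src)].add(attack_id(dst))
    return {k: sorted(v) for k, v in resolved.items()}, dangling


def invert(mapping):
    """Flip {source: [targets]} into {target: sorted sources}, e.g. technique -> groups."""
    out = defaultdict(set)
    for src, targets in mapping.items():
        for tgt in targets:
            out[tgt].add(src)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    uses, dangling = resolve_relationships(SAMPLE_OBJECTS, "uses")
    print("group -> techniques:", uses)
    print("technique -> groups:", invert(uses))
    print("dangling relationships:", len(dangling))
    print("mitigation -> techniques:", resolve_relationships(SAMPLE_OBJECTS, "mitigates")[0])
```

On a real bundle you would pass the list built from all_enterprise['relationships'] together with the groups, techniques and mitigations lists, since the join needs both sides of every reference; the dangling list is worth printing, because a non-empty one usually means the bundle was assembled from a subset of object types.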
PRE Techniques
print("Number of Techniques in PRE-ATT&CK")
print(len(all_pre['techniques']))
Number of Techniques in PRE-ATT&CK 174
techniques = []
for t in all_pre['techniques']:
    techniques.append(json.loads(t.serialize()))
df = json_normalize(techniques)
df[0:4]
external_references | object_marking_refs | modified | created_by_ref | kill_chain_phases | id | name | created | type | description | x_mitre_detectable_by_common_defenses | x_mitre_version | x_mitre_difficulty_for_adversary_explanation | x_mitre_old_attack_id | x_mitre_difficulty_for_adversary | x_mitre_detectable_by_common_defenses_explanation | x_mitre_deprecated | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | [{'url': 'https://attack.mitre.org/techniques/... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2018-10-17T00:14:20.652Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'technical-information-gatheri... | attack-pattern--b182f29c-2505-4b32-a000-0440ef... | Spearphishing for Information | 2018-04-18T17:59:24.739Z | attack-pattern | Spearphishing for information is a specific va... | Partial | 1.0 | Sending emails is trivial, and, over time, an ... | PRE-T1174 | Yes | Depending on the specific method of phishing, ... | NaN |
1 | [{'url': 'https://attack.mitre.org/techniques/... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2018-10-17T00:14:20.652Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'adversary-opsec', 'kill_chain... | attack-pattern--286cc500-4291-45c2-99a1-e760db... | Acquire and/or use 3rd party infrastructure se... | 2017-12-14T16:46:06.044Z | attack-pattern | A wide variety of cloud, virtual private servi... | No | 1.0 | Wide range of 3rd party services for hosting, ... | PRE-T1084 | Yes | 3rd party services highly leveraged by legitim... | NaN |
2 | [{'url': 'https://attack.mitre.org/techniques/... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2018-10-17T00:14:20.652Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'people-information-gathering'... | attack-pattern--b3f36317-3940-4d71-968f-e11ac1... | Aggregate individual's digital footprint | 2017-12-14T16:46:06.044Z | attack-pattern | In addition to a target's social media presenc... | No | 1.0 | Information readily available through searches | PRE-T1052 | Yes | Searching publicly available sources that cann... | NaN |
3 | [{'url': 'https://attack.mitre.org/techniques/... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2018-10-17T00:14:20.652Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'technical-weakness-identifica... | attack-pattern--a1e8d61b-22e1-4983-8485-964201... | Analyze hardware/software security defensive c... | 2017-12-14T16:46:06.044Z | attack-pattern | An adversary can probe a victim's network to d... | No | 1.0 | Analyze network traffic to determine security ... | PRE-T1071 | Yes | This can be done offline after the data has be... | NaN |
PRE Groups
print("Number of Groups in PRE-ATT&CK")
print(len(all_pre['groups']))
Number of Groups in PRE-ATT&CK 7
groups = []
for t in all_pre['groups']:
    groups.append(json.loads(t.serialize()))
df = json_normalize(groups)
df[0:4]
created_by_ref | name | description | type | aliases | object_marking_refs | id | external_references | modified | created | x_mitre_version | x_mitre_contributors | |
---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | TEMP.Veles | [TEMP.Veles](https://attack.mitre.org/groups/G... | intrusion-set | [TEMP.Veles, XENOTIME] | [marking-definition--fa42a846-8d90-4e51-bc29-7... | intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... | [{'external_id': 'G0088', 'source_name': 'mitr... | 2019-04-29T18:59:16.079Z | 2019-04-16T15:14:38.533Z | 1.0 | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | APT17 | [APT17](https://attack.mitre.org/groups/G0025)... | intrusion-set | [APT17, Deputy Dog] | [marking-definition--fa42a846-8d90-4e51-bc29-7... | intrusion-set--090242d7-73fc-4738-af68-20162f7... | [{'external_id': 'G0025', 'source_name': 'mitr... | 2019-03-22T14:21:19.419Z | 2017-05-31T21:31:57.307Z | 1.0 | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | APT16 | [APT16](https://attack.mitre.org/groups/G0023)... | intrusion-set | [APT16] | [marking-definition--fa42a846-8d90-4e51-bc29-7... | intrusion-set--d6e88e18-81e8-4709-82d8-973095d... | [{'external_id': 'G0023', 'source_name': 'mitr... | 2019-03-22T14:20:45.561Z | 2017-05-31T21:31:56.270Z | 1.0 | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Night Dragon | [Night Dragon](https://attack.mitre.org/groups... | intrusion-set | [Night Dragon] | [marking-definition--fa42a846-8d90-4e51-bc29-7... | intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e... | [{'external_id': 'G0014', 'source_name': 'mitr... | 2019-03-25T14:36:29.638Z | 2017-05-31T21:31:51.643Z | 1.1 | NaN |
PRE Relationships
print("Number of Relationships in PRE-ATT&CK")
print(len(all_pre['relationships']))
Number of Relationships in PRE-ATT&CK 70
relations = []
for t in all_pre['relationships']:
    relations.append(json.loads(t.serialize()))
df = json_normalize(relations)
df[0:4]
created_by_ref | description | type | created | object_marking_refs | id | external_references | modified | source_ref | relationship_type | target_ref | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [TEMP.Veles](https://attack.mitre.org/groups/G... | relationship | 2019-04-24T19:45:44.212Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--21842707-0f15-43bf-bc42-2bceadf2... | [{'source_name': 'FireEye TRITON 2019', 'descr... | 2019-04-29T18:59:16.596Z | intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... | uses | attack-pattern--20a66013-8dab-4ca3-a67d-766c84... |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [TEMP.Veles](https://attack.mitre.org/groups/G... | relationship | 2019-04-24T19:45:44.205Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--2d95ed6f-52e7-4708-af15-9a6c0839... | [{'source_name': 'FireEye TRITON 2019', 'descr... | 2019-04-29T18:59:16.595Z | intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... | uses | attack-pattern--795c1a92-3a26-453e-b99a-6a566a... |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | NaN | relationship | 2019-02-19T18:56:56.770Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--83379e43-4bc5-4c49-b0b3-f41161e8... | NaN | 2019-02-19T18:56:56.770Z | attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1... | related-to | attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42... |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | NaN | relationship | 2019-02-19T18:56:56.136Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--1aafdefb-304e-4998-87cc-81aad295... | NaN | 2019-02-19T18:56:56.136Z | attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42... | related-to | attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1... |
Mobile Techniques
print("Number of Techniques in Mobile ATT&CK")
print(len(all_mobile['techniques']))
Number of Techniques in Mobile ATT&CK 82
techniques = []
for t in all_mobile['techniques']:
    techniques.append(json.loads(t.serialize()))
df = json_normalize(techniques)
df[0:4]
external_references | object_marking_refs | modified | created_by_ref | kill_chain_phases | id | name | created | type | description | x_mitre_platforms | x_mitre_version | x_mitre_tactic_type | x_mitre_detection | x_mitre_old_attack_id | revoked | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | [{'url': 'https://attack.mitre.org/techniques/... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-02-01T17:29:43.503Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'command-and-control', 'kill_c... | attack-pattern--c6a146ae-9c63-4606-97ff-e261e7... | Web Service | 2019-02-01T17:29:43.503Z | attack-pattern | Adversaries may use an existing, legitimate ex... | [Android, iOS] | 1.0 | [Post-Adversary Device Access] | NaN | NaN | NaN |
1 | [{'url': 'https://attack.mitre.org/techniques/... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-02-03T14:08:44.916Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'initial-access', 'kill_chain_... | attack-pattern--53263a67-075e-48fa-974b-91c5b5... | Deliver Malicious App via Other Means | 2018-10-17T00:14:20.652Z | attack-pattern | Malicious applications are a common attack vec... | [Android, iOS] | 1.1 | [Post-Adversary Device Access] | * An EMM/MDM or mobile threat defense solution... | MOB-T1079 | NaN |
2 | [{'url': 'https://attack.mitre.org/techniques/... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-02-03T17:31:51.215Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'initial-access', 'kill_chain_... | attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97c... | Deliver Malicious App via Authorized App Store | 2018-10-17T00:14:20.652Z | attack-pattern | Malicious applications are a common attack vec... | [Android, iOS] | 1.0 | [Post-Adversary Device Access] | * An EMM/MDM or mobile threat defense solution... | MOB-T1078 | NaN |
3 | [{'url': 'https://attack.mitre.org/techniques/... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2018-10-17T00:14:20.652Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'initial-access', 'kill_chain_... | attack-pattern--0d95940f-9583-4e0f-824c-a42c1b... | Supply Chain Compromise | 2018-10-17T00:14:20.652Z | attack-pattern | As further described in [Supply Chain Compromi... | [Android, iOS] | 1.0 | [Post-Adversary Device Access] | * Insecure third-party libraries could be dete... | MOB-T1077 | NaN |
Mobile Mitigations
print("Number of Mitigations in Mobile ATT&CK")
print(len(all_mobile['mitigations']))
Number of Mitigations in Mobile ATT&CK 14
mitigations = []
for t in all_mobile['mitigations']:
    mitigations.append(json.loads(t.serialize()))
df = json_normalize(mitigations)
df[0:4]
created_by_ref | description | type | name | object_marking_refs | id | external_references | modified | created | x_mitre_old_attack_id | x_mitre_version | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | This mitigation describes any guidance or trai... | course-of-action | Application Developer Guidance | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--25dc1ce8-eb55-4333-ae30-a7cb... | [{'external_id': 'M1013', 'source_name': 'mitr... | 2018-10-17T00:14:20.652Z | 2017-10-25T14:48:53.732Z | MOB-M1013 | 1.0 |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | An enterprise mobility management (EMM), also ... | course-of-action | Enterprise Policy | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--649f7268-4c12-483b-ac84-4b7b... | [{'external_id': 'M1012', 'source_name': 'mitr... | 2018-10-17T00:14:20.652Z | 2017-10-25T14:48:53.318Z | MOB-M1012 | 1.0 |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Enable remote attestation capabilities when av... | course-of-action | Attestation | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--ff4821f6-5afb-481b-8c0f-26c2... | [{'external_id': 'M1002', 'source_name': 'mitr... | 2018-10-17T00:14:20.652Z | 2017-10-25T14:48:52.933Z | MOB-M1002 | 1.0 |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | A variety of methods exist that can be used to... | course-of-action | Deploy Compromised Device Detection Method | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--cf2cccb1-cab8-431a-8ecf-f787... | [{'external_id': 'M1010', 'source_name': 'mitr... | 2018-10-17T00:14:20.652Z | 2017-10-25T14:48:52.601Z | MOB-M1010 | 1.0 |
Mobile Groups
print("Number of Groups in Mobile ATT&CK")
print(len(all_mobile['groups']))
Number of Groups in Mobile ATT&CK 2
groups = []
for t in all_mobile['groups']:
    groups.append(json.loads(t.serialize()))
df = json_normalize(groups)
df[0:4]
created_by_ref | name | description | type | aliases | object_marking_refs | id | external_references | modified | created | x_mitre_version | x_mitre_contributors | |
---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups... | intrusion-set | [Dark Caracal] | [marking-definition--fa42a846-8d90-4e51-bc29-7... | intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... | [{'external_id': 'G0070', 'source_name': 'mitr... | 2019-07-16T15:35:20.554Z | 2018-10-17T00:14:20.652Z | 1.1 | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | APT28 | [APT28](https://attack.mitre.org/groups/G0007)... | intrusion-set | [APT28, SNAKEMACKEREL, Swallowtail, Group 74, ... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8... | [{'external_id': 'G0007', 'source_name': 'mitr... | 2019-07-27T00:09:33.254Z | 2017-05-31T21:31:48.664Z | 2.1 | [Emily Ratliff, IBM, Richard Gold, Digital Sha... |
Mobile Malware
print("Number of Malware in Mobile ATT&CK")
print(len(all_mobile['malware']))
Number of Malware in Mobile ATT&CK 45
malware = []
for t in all_mobile['malware']:
    malware.append(json.loads(t.serialize()))
df = json_normalize(malware)
df[0:4]
created_by_ref | description | id | external_references | object_marking_refs | modified | type | created | name | labels | x_mitre_version | x_mitre_platforms | x_mitre_aliases | x_mitre_old_attack_id | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Pallas](https://attack.mitre.org/software/S03... | malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878 | [{'external_id': 'S0399', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-14T21:33:23.330Z | malware | 2019-07-10T15:35:43.217Z | Pallas | [malware] | 1.0 | [Android] | [Pallas] | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Tangelo](https://attack.mitre.org/software/S0... | malware--35aae10a-97c5-471a-9c67-02c231a7a31a | [{'external_id': 'S0329', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2018-12-11T20:40:31.461Z | malware | 2018-10-17T00:14:20.652Z | Tangelo | [malware] | 1.1 | [iOS] | [Tangelo] | MOB-S0045 |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Stealth Mango](https://attack.mitre.org/softw... | malware--085eb36d-697d-4d9a-bac3-96eb879fe73c | [{'external_id': 'S0328', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2018-12-11T20:40:31.461Z | malware | 2018-10-17T00:14:20.652Z | Stealth Mango | [malware] | 1.1 | [Android] | [Stealth Mango] | MOB-S0044 |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Marcher](https://attack.mitre.org/software/S0... | malware--f9854ba6-989d-43bf-828b-7240b8a65291 | [{'external_id': 'S0317', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2018-12-11T20:40:31.461Z | malware | 2018-10-17T00:14:20.652Z | Marcher | [malware] | 1.1 | [Android] | [Marcher] | MOB-S0033 |
Mobile Tools
print("Number of Tools in Mobile ATT&CK")
print(len(all_mobile['tools']))
Number of Tools in Mobile ATT&CK 1
tools = []
for t in all_mobile['tools']:
    tools.append(json.loads(t.serialize()))
df = json_normalize(tools)
df[0:4]
created_by_ref | description | id | external_references | object_marking_refs | modified | type | created | name | labels | x_mitre_old_attack_id | x_mitre_version | x_mitre_platforms | x_mitre_aliases | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Xbot](https://attack.mitre.org/software/S0298... | tool--da21929e-40c0-443d-bdf4-6b60d15448b4 | [{'external_id': 'S0298', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2018-12-11T20:40:31.461Z | tool | 2017-10-25T14:48:48.609Z | Xbot | [tool] | MOB-S0014 | 1.1 | [Android] | [Xbot] |
Mobile Relationships
print("Number of Relationships in Mobile ATT&CK")
print(len(all_mobile['relationships']))
Number of Relationships in Mobile ATT&CK 322
relations = []
for t in all_mobile['relationships']:
    relations.append(json.loads(t.serialize()))
df = json_normalize(relations)
df[0:4]
created_by_ref | description | type | id | object_marking_refs | created | modified | source_ref | relationship_type | target_ref | external_references | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | An EMM/MDM can use the Android `DevicePolicyMa... | relationship | relationship--fbd2d4f7-96ff-4624-a567-d4882f0c... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-23T15:35:23.530Z | 2019-07-23T15:35:23.530Z | course-of-action--649f7268-4c12-483b-ac84-4b7b... | mitigates | attack-pattern--2204c371-6100-4ae0-82f3-25c07c... | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Dark Caracal](https://attack.mitre.org/groups... | relationship | relationship--61071d73-fcdf-4820-afd0-e3f0983e... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-10T15:42:09.606Z | 2019-07-16T15:35:20.953Z | intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... | uses | attack-pattern--6a3f6490-9c44-40de-b059-e5940f... | [{'source_name': 'Lookout Dark Caracal Jan 201... |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Dark Caracal](https://attack.mitre.org/groups... | relationship | relationship--ae9a0fb3-901b-4da2-b6ad-633ddbfa... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-10T15:42:09.591Z | 2019-07-16T15:35:21.028Z | intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... | uses | attack-pattern--53263a67-075e-48fa-974b-91c5b5... | [{'source_name': 'Lookout Dark Caracal Jan 201... |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Pallas](https://attack.mitre.org/software/S03... | relationship | relationship--60ecd154-e907-419a-b41d-1a9a1f59... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-10T15:35:43.712Z | 2019-07-14T21:33:23.556Z | malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878 | uses | attack-pattern--8e27551a-5080-4148-a584-c64348... | [{'source_name': 'Lookout Dark Caracal Jan 201... |
print("Number of Techniques in Enterprise ATT&CK")
techniques = lift.get_enterprise_techniques()
print(len(techniques))
Number of Techniques in Enterprise ATT&CK 244
techniques_list = []
for t in techniques:
    techniques_list.append(json.loads(t.serialize()))
df = json_normalize(techniques_list)
df[0:4]
external_references | object_marking_refs | type | modified | created_by_ref | kill_chain_phases | id | name | created | description | ... | x_mitre_data_sources | x_mitre_detection | x_mitre_platforms | x_mitre_version | x_mitre_system_requirements | x_mitre_defense_bypassed | x_mitre_impact_type | x_mitre_remote_support | x_mitre_effective_permissions | x_mitre_network_requirements | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | [{'external_id': 'T1500', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | attack-pattern | 2019-04-29T21:13:49.686Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'defense-evasion', 'kill_chain... | attack-pattern--cf7b3a06-8b42-4c33-bbe9-012120... | Compile After Delivery | 2019-04-25T20:53:07.719Z | Adversaries may attempt to make payloads diffi... | ... | [Process command-line parameters, Process moni... | Monitor the execution file paths and command-l... | [Linux, macOS, Windows] | 1.0 | [Compiler software (either native to the syste... | [Static File Analysis, Binary Analysis, Anti-v... | NaN | NaN | NaN | NaN |
1 | [{'external_id': 'T1501', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | attack-pattern | 2019-04-29T14:14:08.450Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'persistence', 'kill_chain_nam... | attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303... | Systemd Service | 2019-04-23T15:34:30.008Z | Systemd services can be used to establish pers... | ... | [Process command-line parameters, Process moni... | Systemd service unit files may be detected by ... | [Linux] | 1.0 | NaN | NaN | NaN | NaN | NaN | NaN |
2 | [{'external_id': 'T1499', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | attack-pattern | 2019-04-29T13:20:36.795Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'impact', 'kill_chain_name': '... | attack-pattern--c675646d-e204-4aa8-978d-e3d6d6... | Endpoint Denial of Service | 2019-04-18T11:00:55.862Z | Adversaries may perform Endpoint Denial of Ser... | ... | [SSL/TLS inspection, Web logs, Web application... | Detection of Endpoint DoS can sometimes be ach... | [Linux, macOS, Windows] | 1.0 | NaN | NaN | [Availability] | NaN | NaN | NaN |
3 | [{'external_id': 'T1497', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | attack-pattern | 2019-06-10T17:37:37.138Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'defense-evasion', 'kill_chain... | attack-pattern--82caa33e-d11a-433a-94ea-9b5a5f... | Virtualization/Sandbox Evasion | 2019-04-17T22:22:24.505Z | Adversaries may check for the presence of a vi... | ... | [Process monitoring, Process command-line para... | Virtualization, sandbox, and related discovery... | [Windows] | 1.0 | NaN | [Anti-virus, Host forensic analysis, Signature... | NaN | NaN | NaN | NaN |
4 rows × 22 columns
print("Number of Techniques in PRE-ATT&CK")
techniques = lift.get_pre_techniques()
print(len(techniques))
Number of Techniques in PRE-ATT&CK 174
techniques_list = []
for t in techniques:
    techniques_list.append(json.loads(t.serialize()))
df = json_normalize(techniques_list)
df[0:4]
external_references | object_marking_refs | modified | created_by_ref | kill_chain_phases | id | name | created | type | description | x_mitre_detectable_by_common_defenses | x_mitre_version | x_mitre_difficulty_for_adversary_explanation | x_mitre_old_attack_id | x_mitre_difficulty_for_adversary | x_mitre_detectable_by_common_defenses_explanation | x_mitre_deprecated | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | [{'url': 'https://attack.mitre.org/techniques/... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2018-10-17T00:14:20.652Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'technical-information-gatheri... | attack-pattern--b182f29c-2505-4b32-a000-0440ef... | Spearphishing for Information | 2018-04-18T17:59:24.739Z | attack-pattern | Spearphishing for information is a specific va... | Partial | 1.0 | Sending emails is trivial, and, over time, an ... | PRE-T1174 | Yes | Depending on the specific method of phishing, ... | NaN |
1 | [{'url': 'https://attack.mitre.org/techniques/... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2018-10-17T00:14:20.652Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'adversary-opsec', 'kill_chain... | attack-pattern--286cc500-4291-45c2-99a1-e760db... | Acquire and/or use 3rd party infrastructure se... | 2017-12-14T16:46:06.044Z | attack-pattern | A wide variety of cloud, virtual private servi... | No | 1.0 | Wide range of 3rd party services for hosting, ... | PRE-T1084 | Yes | 3rd party services highly leveraged by legitim... | NaN |
2 | [{'url': 'https://attack.mitre.org/techniques/... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2018-10-17T00:14:20.652Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'people-information-gathering'... | attack-pattern--b3f36317-3940-4d71-968f-e11ac1... | Aggregate individual's digital footprint | 2017-12-14T16:46:06.044Z | attack-pattern | In addition to a target's social media presenc... | No | 1.0 | Information readily available through searches | PRE-T1052 | Yes | Searching publicly available sources that cann... | NaN |
3 | [{'url': 'https://attack.mitre.org/techniques/... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2018-10-17T00:14:20.652Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'technical-weakness-identifica... | attack-pattern--a1e8d61b-22e1-4983-8485-964201... | Analyze hardware/software security defensive c... | 2017-12-14T16:46:06.044Z | attack-pattern | An adversary can probe a victim's network to d... | No | 1.0 | Analyze network traffic to determine security ... | PRE-T1071 | Yes | This can be done offline after the data has be... | NaN |
print("Number of Techniques in Mobile ATT&CK")
techniques = lift.get_mobile_techniques()
print(len(techniques))
Number of Techniques in Mobile ATT&CK 82
techniques_list = []
for t in techniques:
    techniques_list.append(json.loads(t.serialize()))
df = json_normalize(techniques_list)
df[0:4]
external_references | object_marking_refs | modified | created_by_ref | kill_chain_phases | id | name | created | type | description | x_mitre_platforms | x_mitre_version | x_mitre_tactic_type | x_mitre_detection | x_mitre_old_attack_id | revoked | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | [{'url': 'https://attack.mitre.org/techniques/... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-02-01T17:29:43.503Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'command-and-control', 'kill_c... | attack-pattern--c6a146ae-9c63-4606-97ff-e261e7... | Web Service | 2019-02-01T17:29:43.503Z | attack-pattern | Adversaries may use an existing, legitimate ex... | [Android, iOS] | 1.0 | [Post-Adversary Device Access] | NaN | NaN | NaN |
1 | [{'url': 'https://attack.mitre.org/techniques/... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-02-03T14:08:44.916Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'initial-access', 'kill_chain_... | attack-pattern--53263a67-075e-48fa-974b-91c5b5... | Deliver Malicious App via Other Means | 2018-10-17T00:14:20.652Z | attack-pattern | Malicious applications are a common attack vec... | [Android, iOS] | 1.1 | [Post-Adversary Device Access] | * An EMM/MDM or mobile threat defense solution... | MOB-T1079 | NaN |
2 | [{'url': 'https://attack.mitre.org/techniques/... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-02-03T17:31:51.215Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'initial-access', 'kill_chain_... | attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97c... | Deliver Malicious App via Authorized App Store | 2018-10-17T00:14:20.652Z | attack-pattern | Malicious applications are a common attack vec... | [Android, iOS] | 1.0 | [Post-Adversary Device Access] | * An EMM/MDM or mobile threat defense solution... | MOB-T1078 | NaN |
3 | [{'url': 'https://attack.mitre.org/techniques/... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2018-10-17T00:14:20.652Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'initial-access', 'kill_chain_... | attack-pattern--0d95940f-9583-4e0f-824c-a42c1b... | Supply Chain Compromise | 2018-10-17T00:14:20.652Z | attack-pattern | As further described in [Supply Chain Compromi... | [Android, iOS] | 1.0 | [Post-Adversary Device Access] | * Insecure third-party libraries could be dete... | MOB-T1077 | NaN |
print("Number of Techniques in ATT&CK")
techniques = lift.get_techniques()
print(len(techniques))
Number of Techniques in ATT&CK 500
techniques_list = []
for t in techniques:
    techniques_list.append(json.loads(t.serialize()))
df = json_normalize(techniques_list)
df[0:4]
external_references | object_marking_refs | type | modified | created_by_ref | kill_chain_phases | id | name | created | description | ... | x_mitre_effective_permissions | x_mitre_network_requirements | x_mitre_detectable_by_common_defenses | x_mitre_difficulty_for_adversary_explanation | x_mitre_old_attack_id | x_mitre_difficulty_for_adversary | x_mitre_detectable_by_common_defenses_explanation | x_mitre_deprecated | x_mitre_tactic_type | revoked | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | [{'external_id': 'T1500', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | attack-pattern | 2019-04-29T21:13:49.686Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'defense-evasion', 'kill_chain... | attack-pattern--cf7b3a06-8b42-4c33-bbe9-012120... | Compile After Delivery | 2019-04-25T20:53:07.719Z | Adversaries may attempt to make payloads diffi... | ... | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
1 | [{'external_id': 'T1501', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | attack-pattern | 2019-04-29T14:14:08.450Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'persistence', 'kill_chain_nam... | attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303... | Systemd Service | 2019-04-23T15:34:30.008Z | Systemd services can be used to establish pers... | ... | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
2 | [{'external_id': 'T1499', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | attack-pattern | 2019-04-29T13:20:36.795Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'impact', 'kill_chain_name': '... | attack-pattern--c675646d-e204-4aa8-978d-e3d6d6... | Endpoint Denial of Service | 2019-04-18T11:00:55.862Z | Adversaries may perform Endpoint Denial of Ser... | ... | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
3 | [{'external_id': 'T1497', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | attack-pattern | 2019-06-10T17:37:37.138Z | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [{'phase_name': 'defense-evasion', 'kill_chain... | attack-pattern--82caa33e-d11a-433a-94ea-9b5a5f... | Virtualization/Sandbox Evasion | 2019-04-17T22:22:24.505Z | Adversaries may check for the presence of a vi... | ... | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN | NaN |
4 rows × 30 columns
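The technique tables above show the raw STIX shape: the ATT&CK ID lives inside `external_references` (under the `mitre-attack`, `mitre-pre-attack` or `mitre-mobile-attack` source), the tactic inside `kill_chain_phases`, and retired entries are only marked by the `revoked` / `x_mitre_deprecated` columns rather than removed. The following is an added example (not code from the notebook or from attackcti) that flattens such serialized objects into plain rows without pandas; the sample objects are constructed to mirror the `json.loads(t.serialize())` output, with `T1499` / "Endpoint Denial of Service" taken from the table and all UUIDs and the other technique IDs being placeholders.

```python
# Added example (not from the notebook): flatten serialized ATT&CK technique
# objects into plain rows carrying the ATT&CK ID, tactics and a retired flag.
import json

# source_name / kill_chain_name values used by the three ATT&CK matrices
ATTACK_SOURCES = {"mitre-attack", "mitre-pre-attack", "mitre-mobile-attack"}

# Constructed sample shaped like the notebook's json.loads(t.serialize()) output.
# T1499 / "Endpoint Denial of Service" is from the notebook tables; the UUIDs
# and the T0002 / T0003 techniques are placeholders, not real ATT&CK entries.
SAMPLE_TECHNIQUES_JSON = json.dumps([
    {
        "type": "attack-pattern",
        "id": "attack-pattern--00000000-0000-4000-8000-000000000001",
        "name": "Endpoint Denial of Service",
        "external_references": [
            {"source_name": "mitre-attack", "external_id": "T1499",
             "url": "https://attack.mitre.org/techniques/T1499"},
            {"source_name": "Vendor Report", "url": "https://example.invalid/report"},
        ],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "impact"}],
        "x_mitre_platforms": ["Linux", "macOS", "Windows"],
        "x_mitre_data_sources": ["SSL/TLS inspection", "Web logs"],
    },
    {
        "type": "attack-pattern",
        "id": "attack-pattern--00000000-0000-4000-8000-000000000002",
        "name": "Placeholder PRE-ATT&CK Technique",
        "external_references": [{"source_name": "mitre-pre-attack", "external_id": "T0002"}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-pre-attack",
                               "phase_name": "technical-information-gathering"}],
    },
    {
        "type": "attack-pattern",
        "id": "attack-pattern--00000000-0000-4000-8000-000000000003",
        "name": "Placeholder Revoked Technique",
        "external_references": [{"source_name": "mitre-attack", "external_id": "T0003"}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
        "revoked": True,
    },
    {   # not a technique: flatten_techniques must ignore it
        "type": "course-of-action",
        "id": "course-of-action--00000000-0000-4000-8000-000000000004",
        "name": "Data Backup",
    },
])


def load_sample_techniques():
    """Parse the constructed sample the same way the notebook parses TAXII output."""
    return json.loads(SAMPLE_TECHNIQUES_JSON)


def attack_id(obj):
    """ATT&CK ID (e.g. T1499) from the mitre-* entry in external_references, else None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in ATTACK_SOURCES and "external_id" in ref:
            return ref["external_id"]
    return None


def flatten_techniques(objs, include_retired=False):
    """One row per attack-pattern. Revoked or deprecated objects are still part of
    the STIX data (see the revoked / x_mitre_deprecated columns), so they are
    dropped here unless include_retired is set."""
    rows = []
    for obj in objs:
        if obj.get("type") != "attack-pattern":
            continue
        retired = bool(obj.get("revoked")) or bool(obj.get("x_mitre_deprecated"))
        if retired and not include_retired:
            continue
        phases = obj.get("kill_chain_phases", [])
        rows.append({
            "attack_id": attack_id(obj),
            "name": obj["name"],
            "matrix": next((p["kill_chain_name"] for p in phases), None),
            "tactics": [p["phase_name"] for p in phases
                        if p.get("kill_chain_name") in ATTACK_SOURCES],
            "platforms": obj.get("x_mitre_platforms", []),
            "data_sources": obj.get("x_mitre_data_sources", []),
            "retired": retired,
        })
    return rows


def count_by_tactic(rows):
    """Technique count per tactic, the plain-Python equivalent of a groupby."""
    counts = {}
    for row in rows:
        for tactic in row["tactics"]:
            counts[tactic] = counts.get(tactic, 0) + 1
    return counts


if __name__ == "__main__":
    rows = flatten_techniques(load_sample_techniques())
    for row in rows:
        print(row["attack_id"], row["matrix"], row["name"], row["tactics"])
    print(count_by_tactic(rows))
```

The same functions work on the real `techniques_list` built in the notebook, since that list holds exactly these dictionaries; `x_mitre_data_sources` is the field to start from when mapping techniques to the telemetry you actually collect.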
print("Number of Mitigations in Enterprise ATT&CK")
mitigations = lift.get_enterprise_mitigations()
print(len(mitigations))
Number of Mitigations in Enterprise ATT&CK 281
mitigations_list = []
for t in mitigations:
    mitigations_list.append(json.loads(t.serialize()))
df = json_normalize(mitigations_list)
df[0:4]
created_by_ref | description | type | name | object_marking_refs | id | external_references | modified | created | x_mitre_version | x_mitre_deprecated | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | This category is to associate techniques that ... | course-of-action | Do Not Mitigate | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--787fb64d-c87b-4ee5-a341-0ef1... | [{'external_id': 'M1055', 'source_name': 'mitr... | 2019-07-23T14:44:24.727Z | 2019-07-19T14:58:42.715Z | 1.0 | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Implement configuration changes to software (o... | course-of-action | Software Configuration | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... | [{'external_id': 'M1054', 'source_name': 'mitr... | 2019-07-19T14:57:15.656Z | 2019-07-19T14:40:23.529Z | 1.0 | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Take and store data backups from end user syst... | course-of-action | Data Backup | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... | [{'external_id': 'M1053', 'source_name': 'mitr... | 2019-07-19T14:33:33.543Z | 2019-07-19T14:33:33.543Z | 1.0 | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Configure Windows User Account Control to miti... | course-of-action | User Account Control | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--2c2ad92a-d710-41ab-a996-1db1... | [{'external_id': 'M1052', 'source_name': 'mitr... | 2019-06-11T17:14:35.170Z | 2019-06-11T17:14:35.170Z | 1.0 | NaN |
print("Number of Mitigations in Mobile ATT&CK")
mitigations = lift.get_mobile_mitigations()
print(len(mitigations))
Number of Mitigations in Mobile ATT&CK 14
mitigations_list = []
for t in mitigations:
    mitigations_list.append(json.loads(t.serialize()))
df = json_normalize(mitigations_list)
df[0:4]
created_by_ref | description | type | name | object_marking_refs | id | external_references | modified | created | x_mitre_old_attack_id | x_mitre_version | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | This mitigation describes any guidance or trai... | course-of-action | Application Developer Guidance | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--25dc1ce8-eb55-4333-ae30-a7cb... | [{'external_id': 'M1013', 'source_name': 'mitr... | 2018-10-17T00:14:20.652Z | 2017-10-25T14:48:53.732Z | MOB-M1013 | 1.0 |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | An enterprise mobility management (EMM), also ... | course-of-action | Enterprise Policy | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--649f7268-4c12-483b-ac84-4b7b... | [{'external_id': 'M1012', 'source_name': 'mitr... | 2018-10-17T00:14:20.652Z | 2017-10-25T14:48:53.318Z | MOB-M1012 | 1.0 |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Enable remote attestation capabilities when av... | course-of-action | Attestation | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--ff4821f6-5afb-481b-8c0f-26c2... | [{'external_id': 'M1002', 'source_name': 'mitr... | 2018-10-17T00:14:20.652Z | 2017-10-25T14:48:52.933Z | MOB-M1002 | 1.0 |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | A variety of methods exist that can be used to... | course-of-action | Deploy Compromised Device Detection Method | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--cf2cccb1-cab8-431a-8ecf-f787... | [{'external_id': 'M1010', 'source_name': 'mitr... | 2018-10-17T00:14:20.652Z | 2017-10-25T14:48:52.601Z | MOB-M1010 | 1.0 |
print("Number of Mitigations in ATT&CK")
mitigations = lift.get_mitigations()
print(len(mitigations))
Number of Mitigations in ATT&CK 295
mitigations_list = []
for t in mitigations:
    mitigations_list.append(json.loads(t.serialize()))
df = json_normalize(mitigations_list)
df[0:4]
created_by_ref | description | type | name | object_marking_refs | id | external_references | modified | created | x_mitre_version | x_mitre_deprecated | x_mitre_old_attack_id | |
---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | This category is to associate techniques that ... | course-of-action | Do Not Mitigate | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--787fb64d-c87b-4ee5-a341-0ef1... | [{'external_id': 'M1055', 'source_name': 'mitr... | 2019-07-23T14:44:24.727Z | 2019-07-19T14:58:42.715Z | 1.0 | NaN | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Implement configuration changes to software (o... | course-of-action | Software Configuration | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... | [{'external_id': 'M1054', 'source_name': 'mitr... | 2019-07-19T14:57:15.656Z | 2019-07-19T14:40:23.529Z | 1.0 | NaN | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Take and store data backups from end user syst... | course-of-action | Data Backup | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... | [{'external_id': 'M1053', 'source_name': 'mitr... | 2019-07-19T14:33:33.543Z | 2019-07-19T14:33:33.543Z | 1.0 | NaN | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Configure Windows User Account Control to miti... | course-of-action | User Account Control | [marking-definition--fa42a846-8d90-4e51-bc29-7... | course-of-action--2c2ad92a-d710-41ab-a996-1db1... | [{'external_id': 'M1052', 'source_name': 'mitr... | 2019-06-11T17:14:35.170Z | 2019-06-11T17:14:35.170Z | 1.0 | NaN | NaN |
print("Number of Groups in Enterprise ATT&CK")
groups = lift.get_enterprise_groups()
print(len(groups))
Number of Groups in Enterprise ATT&CK 93
print("Number of Groups in PRE-ATT&CK")
groups = lift.get_pre_groups()
print(len(groups))
Number of Groups in PRE-ATT&CK 7
groups_list = []
for t in groups:
    groups_list.append(json.loads(t.serialize()))
df = json_normalize(groups_list)
df[0:4]
created_by_ref | name | description | type | aliases | object_marking_refs | id | external_references | modified | created | x_mitre_version | x_mitre_contributors | |
---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | TEMP.Veles | [TEMP.Veles](https://attack.mitre.org/groups/G... | intrusion-set | [TEMP.Veles, XENOTIME] | [marking-definition--fa42a846-8d90-4e51-bc29-7... | intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... | [{'external_id': 'G0088', 'source_name': 'mitr... | 2019-04-29T18:59:16.079Z | 2019-04-16T15:14:38.533Z | 1.0 | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | APT17 | [APT17](https://attack.mitre.org/groups/G0025)... | intrusion-set | [APT17, Deputy Dog] | [marking-definition--fa42a846-8d90-4e51-bc29-7... | intrusion-set--090242d7-73fc-4738-af68-20162f7... | [{'external_id': 'G0025', 'source_name': 'mitr... | 2019-03-22T14:21:19.419Z | 2017-05-31T21:31:57.307Z | 1.0 | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | APT16 | [APT16](https://attack.mitre.org/groups/G0023)... | intrusion-set | [APT16] | [marking-definition--fa42a846-8d90-4e51-bc29-7... | intrusion-set--d6e88e18-81e8-4709-82d8-973095d... | [{'external_id': 'G0023', 'source_name': 'mitr... | 2019-03-22T14:20:45.561Z | 2017-05-31T21:31:56.270Z | 1.0 | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Night Dragon | [Night Dragon](https://attack.mitre.org/groups... | intrusion-set | [Night Dragon] | [marking-definition--fa42a846-8d90-4e51-bc29-7... | intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e... | [{'external_id': 'G0014', 'source_name': 'mitr... | 2019-03-25T14:36:29.638Z | 2017-05-31T21:31:51.643Z | 1.1 | NaN |
print("Number of Groups in Mobile ATT&CK")
groups = lift.get_mobile_groups()
print(len(groups))
Number of Groups in Mobile ATT&CK 2
groups_list = []
for t in groups:
    groups_list.append(json.loads(t.serialize()))
df = json_normalize(groups_list)
df[0:4]
created_by_ref | name | description | type | aliases | object_marking_refs | id | external_references | modified | created | x_mitre_version | x_mitre_contributors | |
---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups... | intrusion-set | [Dark Caracal] | [marking-definition--fa42a846-8d90-4e51-bc29-7... | intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... | [{'external_id': 'G0070', 'source_name': 'mitr... | 2019-07-16T15:35:20.554Z | 2018-10-17T00:14:20.652Z | 1.1 | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | APT28 | [APT28](https://attack.mitre.org/groups/G0007)... | intrusion-set | [APT28, SNAKEMACKEREL, Swallowtail, Group 74, ... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8... | [{'external_id': 'G0007', 'source_name': 'mitr... | 2019-07-27T00:09:33.254Z | 2017-05-31T21:31:48.664Z | 2.1 | [Emily Ratliff, IBM, Richard Gold, Digital Sha... |
print("Number of Groups in ATT&CK")
groups = lift.get_groups()
print(len(groups))
Number of Groups in ATT&CK 93
groups_list = []
for t in groups:
    groups_list.append(json.loads(t.serialize()))
df = json_normalize(groups_list)
df[0:4]
created_by_ref | description | aliases | id | external_references | modified | type | created | object_marking_refs | name | x_mitre_version | x_mitre_contributors | revoked | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | Operation [Soft Cell](https://attack.mitre.org... | [Soft Cell] | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | [{'external_id': 'G0093', 'source_name': 'mitr... | 2019-07-22T15:49:28.637Z | intrusion-set | 2019-07-18T20:47:50.050Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | Soft Cell | 1.0 | [Cybereason Nocturnus, @nocturnus] | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [TA505](https://attack.mitre.org/groups/G0092)... | [TA505] | intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb... | [{'external_id': 'G0092', 'source_name': 'mitr... | 2019-06-24T19:11:41.060Z | intrusion-set | 2019-05-28T15:54:17.213Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | TA505 | 1.0 | NaN | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Silence](https://attack.mitre.org/groups/G009... | [Silence] | intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb... | [{'external_id': 'G0091', 'source_name': 'mitr... | 2019-07-16T16:12:09.085Z | intrusion-set | 2019-05-24T17:57:36.491Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | Silence | 1.0 | [Oleg Skulkin, Group-IB] | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [WIRTE](https://attack.mitre.org/groups/G0090)... | [WIRTE] | intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3... | [{'external_id': 'G0090', 'source_name': 'mitr... | 2019-06-20T15:30:38.517Z | intrusion-set | 2019-05-24T17:02:44.226Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | WIRTE | 1.0 | [Lab52 by S2 Grupo] | NaN |
print("Number of Software in ATT&CK")
software = lift.get_software()
print(len(software))
Number of Software in ATT&CK 398
software_list = []
for t in software:
    software_list.append(json.loads(t.serialize()))
df = json_normalize(software_list)
df[0:4]
created_by_ref | description | id | external_references | object_marking_refs | modified | type | created | name | labels | x_mitre_version | x_mitre_platforms | x_mitre_aliases | x_mitre_contributors | x_mitre_old_attack_id | revoked | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [PoshC2](https://attack.mitre.org/software/S03... | tool--4b57c098-f043-4da2-83ef-7588a6d426bc | [{'external_id': 'S0378', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-04-23T18:29:12.005Z | tool | 2019-04-23T12:31:58.125Z | PoshC2 | [tool] | 1.0 | [Windows, Linux, macOS] | [PoshC2] | NaN | NaN | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [RawDisk](https://attack.mitre.org/software/S0... | tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079 | [{'external_id': 'S0364', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-04-19T19:04:55.892Z | tool | 2019-03-25T12:30:40.919Z | RawDisk | [tool] | 1.0 | [Windows] | [RawDisk] | NaN | NaN | NaN |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Empire](https://attack.mitre.org/software/S03... | tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3 | [{'external_id': 'S0363', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-06-24T17:15:43.818Z | tool | 2019-03-11T14:13:40.648Z | Empire | [tool] | 1.0 | [Linux, macOS, Windows] | [Empire, EmPyre, PowerShell Empire] | NaN | NaN | NaN |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Expand](https://attack.mitre.org/software/S03... | tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973 | [{'external_id': 'S0361', 'source_name': 'mitr... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-04-19T18:52:30.033Z | tool | 2019-02-19T19:17:14.971Z | Expand | [tool] | 1.0 | [Windows] | [Expand] | [Matthew Demaske, Adaptforward] | NaN | NaN |
print("Number of Relationships in Enterprise ATT&CK")
relationships = lift.get_enterprise_relationships()
print(len(relationships))
Number of Relationships in Enterprise ATT&CK 5675
relations_list = []
for t in relationships:
    relations_list.append(json.loads(t.serialize()))
df = json_normalize(relations_list)
df[0:4]
created_by_ref | description | type | created | object_marking_refs | id | external_references | modified | source_ref | relationship_type | target_ref | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Soft Cell](https://attack.mitre.org/groups/G0... | relationship | 2019-07-22T15:49:28.744Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--380743e5-616c-4524-96e6-d545e5b6... | [{'source_name': 'Cybereason Soft Cell June 20... | 2019-07-22T15:49:28.744Z | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | uses | attack-pattern--92d7da27-2d91-488e-a00c-059dc1... |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Soft Cell](https://attack.mitre.org/groups/G0... | relationship | 2019-07-22T15:35:24.376Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--919f6143-eb8c-48cd-8741-118040c3... | [{'source_name': 'Cybereason Soft Cell June 20... | 2019-07-22T15:49:29.135Z | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | uses | attack-pattern--00d0b012-8a03-410e-95de-5826bf... |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Soft Cell](https://attack.mitre.org/groups/G0... | relationship | 2019-07-22T15:35:24.363Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--ee4d1b24-603f-40df-8f21-3c053fba... | [{'source_name': 'Cybereason Soft Cell June 20... | 2019-07-22T15:49:29.090Z | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | uses | attack-pattern--c23b740b-a42b-47a1-aec2-9d48dd... |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Soft Cell](https://attack.mitre.org/groups/G0... | relationship | 2019-07-22T15:35:24.351Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--38be247c-74b0-42f3-964e-5f23ef42... | [{'source_name': 'Cybereason Soft Cell June 20... | 2019-07-22T15:49:29.092Z | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | uses | attack-pattern--3c4a2599-71ee-4405-ba1e-0e2841... |
print("Number of Relationships in PRE-ATT&CK")
relationships = lift.get_pre_relationships()
print(len(relationships))
Number of Relationships in PRE-ATT&CK 70
relations_list = []
for t in relationships:
    relations_list.append(json.loads(t.serialize()))
df = json_normalize(relations_list)
df[0:4]
created_by_ref | description | type | created | object_marking_refs | id | external_references | modified | source_ref | relationship_type | target_ref | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [TEMP.Veles](https://attack.mitre.org/groups/G... | relationship | 2019-04-24T19:45:44.212Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--21842707-0f15-43bf-bc42-2bceadf2... | [{'source_name': 'FireEye TRITON 2019', 'descr... | 2019-04-29T18:59:16.596Z | intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... | uses | attack-pattern--20a66013-8dab-4ca3-a67d-766c84... |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [TEMP.Veles](https://attack.mitre.org/groups/G... | relationship | 2019-04-24T19:45:44.205Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--2d95ed6f-52e7-4708-af15-9a6c0839... | [{'source_name': 'FireEye TRITON 2019', 'descr... | 2019-04-29T18:59:16.595Z | intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... | uses | attack-pattern--795c1a92-3a26-453e-b99a-6a566a... |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | NaN | relationship | 2019-02-19T18:56:56.770Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--83379e43-4bc5-4c49-b0b3-f41161e8... | NaN | 2019-02-19T18:56:56.770Z | attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1... | related-to | attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42... |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | NaN | relationship | 2019-02-19T18:56:56.136Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--1aafdefb-304e-4998-87cc-81aad295... | NaN | 2019-02-19T18:56:56.136Z | attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42... | related-to | attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1... |
print("Number of Relationships in Mobile ATT&CK")
relationships = lift.get_mobile_relationships()
print(len(relationships))
Number of Relationships in Mobile ATT&CK 322
relations_list = []
for t in relationships:
    relations_list.append(json.loads(t.serialize()))
df = json_normalize(relations_list)
df[0:4]
created_by_ref | description | type | id | object_marking_refs | created | modified | source_ref | relationship_type | target_ref | external_references | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | An EMM/MDM can use the Android `DevicePolicyMa... | relationship | relationship--fbd2d4f7-96ff-4624-a567-d4882f0c... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-23T15:35:23.530Z | 2019-07-23T15:35:23.530Z | course-of-action--649f7268-4c12-483b-ac84-4b7b... | mitigates | attack-pattern--2204c371-6100-4ae0-82f3-25c07c... | NaN |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Dark Caracal](https://attack.mitre.org/groups... | relationship | relationship--61071d73-fcdf-4820-afd0-e3f0983e... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-10T15:42:09.606Z | 2019-07-16T15:35:20.953Z | intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... | uses | attack-pattern--6a3f6490-9c44-40de-b059-e5940f... | [{'source_name': 'Lookout Dark Caracal Jan 201... |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Dark Caracal](https://attack.mitre.org/groups... | relationship | relationship--ae9a0fb3-901b-4da2-b6ad-633ddbfa... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-10T15:42:09.591Z | 2019-07-16T15:35:21.028Z | intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... | uses | attack-pattern--53263a67-075e-48fa-974b-91c5b5... | [{'source_name': 'Lookout Dark Caracal Jan 201... |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Pallas](https://attack.mitre.org/software/S03... | relationship | relationship--60ecd154-e907-419a-b41d-1a9a1f59... | [marking-definition--fa42a846-8d90-4e51-bc29-7... | 2019-07-10T15:35:43.712Z | 2019-07-14T21:33:23.556Z | malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878 | uses | attack-pattern--8e27551a-5080-4148-a584-c64348... | [{'source_name': 'Lookout Dark Caracal Jan 201... |
print("Number of Relationships in ATT&CK")
relationships = lift.get_relationships()
print(len(relationships))
Number of Relationships in ATT&CK 6067
relations_list = []
for t in relationships:
    relations_list.append(json.loads(t.serialize()))
df = json_normalize(relations_list)
df[0:4]
created_by_ref | description | type | created | object_marking_refs | id | external_references | modified | source_ref | relationship_type | target_ref | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Soft Cell](https://attack.mitre.org/groups/G0... | relationship | 2019-07-22T15:49:28.744Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--380743e5-616c-4524-96e6-d545e5b6... | [{'source_name': 'Cybereason Soft Cell June 20... | 2019-07-22T15:49:28.744Z | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | uses | attack-pattern--92d7da27-2d91-488e-a00c-059dc1... |
1 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Soft Cell](https://attack.mitre.org/groups/G0... | relationship | 2019-07-22T15:35:24.376Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--919f6143-eb8c-48cd-8741-118040c3... | [{'source_name': 'Cybereason Soft Cell June 20... | 2019-07-22T15:49:29.135Z | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | uses | attack-pattern--00d0b012-8a03-410e-95de-5826bf... |
2 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Soft Cell](https://attack.mitre.org/groups/G0... | relationship | 2019-07-22T15:35:24.363Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--ee4d1b24-603f-40df-8f21-3c053fba... | [{'source_name': 'Cybereason Soft Cell June 20... | 2019-07-22T15:49:29.090Z | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | uses | attack-pattern--c23b740b-a42b-47a1-aec2-9d48dd... |
3 | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | [Soft Cell](https://attack.mitre.org/groups/G0... | relationship | 2019-07-22T15:35:24.351Z | [marking-definition--fa42a846-8d90-4e51-bc29-7... | relationship--38be247c-74b0-42f3-964e-5f23ef42... | [{'source_name': 'Cybereason Soft Cell June 20... | 2019-07-22T15:49:29.092Z | intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... | uses | attack-pattern--3c4a2599-71ee-4405-ba1e-0e2841... |
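The relationship tables only show `source_ref` and `target_ref` as opaque STIX IDs; the join back to group, technique and mitigation names is what turns them into "which techniques does this group use" and "which mitigations cover this technique". The following is an added example (not code from the notebook or from attackcti) that performs that join over a constructed bundle: the names and relationship types (`Soft Cell`, `Endpoint Denial of Service`, `Data Backup`, `uses`, `mitigates`, `related-to`) are ones the tables above show, the UUIDs are placeholders, and one relationship deliberately points at an object that is not in the bundle, which is what happens when a single matrix is pulled on its own (for example `get_pre_relationships()` returning `uses` edges to groups that live in Enterprise).

```python
# Added example (not from the notebook): resolve STIX relationship objects to the
# names of the objects they link, and report relationships with missing ends.
import json
from collections import defaultdict

# Constructed bundle: four objects plus four relationships. All UUIDs are
# placeholders; the last relationship's target is intentionally absent.
SAMPLE_BUNDLE_JSON = json.dumps([
    {"type": "intrusion-set", "name": "Soft Cell",
     "id": "intrusion-set--00000000-0000-4000-8000-000000000010"},
    {"type": "attack-pattern", "name": "Endpoint Denial of Service",
     "id": "attack-pattern--00000000-0000-4000-8000-000000000020"},
    {"type": "attack-pattern", "name": "Placeholder Technique",
     "id": "attack-pattern--00000000-0000-4000-8000-000000000021"},
    {"type": "course-of-action", "name": "Data Backup",
     "id": "course-of-action--00000000-0000-4000-8000-000000000030"},
    {"type": "relationship", "relationship_type": "uses",
     "id": "relationship--00000000-0000-4000-8000-000000000041",
     "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000010",
     "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000020"},
    {"type": "relationship", "relationship_type": "uses",
     "id": "relationship--00000000-0000-4000-8000-000000000042",
     "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000010",
     "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000021"},
    {"type": "relationship", "relationship_type": "mitigates",
     "id": "relationship--00000000-0000-4000-8000-000000000043",
     "source_ref": "course-of-action--00000000-0000-4000-8000-000000000030",
     "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000020"},
    {"type": "relationship", "relationship_type": "uses",   # dangling target
     "id": "relationship--00000000-0000-4000-8000-000000000044",
     "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000010",
     "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000099"},
])


def load_sample_bundle():
    """Parse the constructed bundle, mirroring json.loads(t.serialize()) in the notebook."""
    return json.loads(SAMPLE_BUNDLE_JSON)


def index_by_id(objs):
    """STIX id -> object for every non-relationship object in the list."""
    return {o["id"]: o for o in objs if o.get("type") != "relationship"}


def resolve(objs, relationship_type, source_type=None):
    """Sorted (source name, target name) pairs for one relationship_type.
    source_type narrows the source (e.g. 'intrusion-set', since malware and
    tools also carry 'uses' edges). Relationships with a missing end are skipped."""
    idx = index_by_id(objs)
    pairs = []
    for o in objs:
        if o.get("type") != "relationship" or o.get("relationship_type") != relationship_type:
            continue
        src, tgt = idx.get(o["source_ref"]), idx.get(o["target_ref"])
        if src is None or tgt is None:
            continue
        if source_type is not None and src.get("type") != source_type:
            continue
        pairs.append((src["name"], tgt["name"]))
    return sorted(pairs)


def techniques_by_group(objs):
    """Group name -> techniques it is documented as using."""
    out = defaultdict(list)
    for group, technique in resolve(objs, "uses", source_type="intrusion-set"):
        out[group].append(technique)
    return dict(out)


def mitigations_by_technique(objs):
    """Technique name -> mitigations that cover it."""
    out = defaultdict(list)
    for mitigation, technique in resolve(objs, "mitigates", source_type="course-of-action"):
        out[technique].append(mitigation)
    return dict(out)


def dangling_refs(objs):
    """IDs of relationships whose source or target is not in the bundle."""
    idx = index_by_id(objs)
    return sorted(o["id"] for o in objs if o.get("type") == "relationship"
                  and (o["source_ref"] not in idx or o["target_ref"] not in idx))


if __name__ == "__main__":
    bundle = load_sample_bundle()
    print(techniques_by_group(bundle))
    print(mitigations_by_technique(bundle))
    print("unresolved:", dangling_refs(bundle))
```

Run over the notebook's full `relations_list` concatenated with the technique, group, software and mitigation lists, `dangling_refs` should come back empty; a non-empty result on a single-matrix pull is the signal that the join needs objects from another matrix before the counts can be trusted.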