from attackcti import attack_client
# pandas >= 1.0 exposes json_normalize at the top level; older releases only had pandas.io.json.json_normalize
from pandas import json_normalize
lift = attack_client()
Collect ALL Enterprise ATT&CK (TAXII)
all_enterprise = lift.get_all_enterprise()
Collect ALL PRE-ATT&CK (TAXII)
all_pre = lift.get_all_pre()
Collect ALL Mobile ATT&CK (TAXII)
all_mobile = lift.get_all_mobile()
Collect ALL (runs all 3 functions and collects all the results)
The get_all_stix_objects() function returns a dictionary with all the STIX object types from all matrices:
all_attack = lift.get_all_stix_objects()
type(all_attack)
dict
print("Number of Techniques in ATT&CK")
print(len(all_attack['techniques']))
techniques = all_attack['techniques']
df = json_normalize(techniques)
df.reindex(['matrix', 'created','tactic', 'technique', 'technique_id', 'data_sources'], axis=1)[0:5]
Number of Techniques in ATT&CK 469
| | matrix | created | tactic | technique | technique_id | data_sources |
---|---|---|---|---|---|---|
0 | mitre-attack | 2017-12-14 16:46:06.044000+00:00 | [persistence] | .bash_profile and .bashrc | T1156 | [File monitoring, Process Monitoring, Process ... |
1 | mitre-attack | 2017-12-14 16:46:06.044000+00:00 | [defense-evasion, privilege-escalation] | Access Token Manipulation | T1134 | [API monitoring, Access Tokens] |
2 | mitre-attack | 2017-05-31 21:30:26.946000+00:00 | [persistence, privilege-escalation] | Accessibility Features | T1015 | [Windows Registry, File monitoring, Process mo... |
3 | mitre-attack | 2017-05-31 21:31:12.196000+00:00 | [credential-access] | Account Manipulation | T1098 | [Authentication logs, API monitoring, Windows ... |
4 | mitre-attack | 2017-05-31 21:31:06.988000+00:00 | [discovery] | Account Discovery | T1087 | [API monitoring, Process command-line paramete... |
len(df.loc[df['matrix'] == 'mitre-attack'])
219
Showing the schema of Techniques
This schema covers techniques from Enterprise, PRE and Mobile ATT&CK
list(df)
['contributors', 'created', 'created_by_ref', 'data_sources', 'defense_bypassed', 'detectable_by_common_defenses', 'detectable_explanation', 'difficulty_explanation', 'difficulty_for_adversary', 'effective_permissions', 'id', 'matrix', 'modified', 'network_requirements', 'object_marking_refs', 'permissions_required', 'platform', 'remote_support', 'system_requirements', 'tactic', 'tactic_type', 'technique', 'technique_description', 'technique_id', 'technique_references', 'type', 'url']
Showing one technique example
techniques[0]
{'type': 'attack-pattern', 'id': 'attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'created': '2017-12-14 16:46:06.044000+00:00', 'modified': '2018-04-18 17:59:24.739000+00:00', 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'url': 'https://attack.mitre.org/wiki/Technique/T1156', 'matrix': 'mitre-attack', 'technique': '.bash_profile and .bashrc', 'technique_description': "<code>~/.bash_profile</code> and <code>~/.bashrc</code> are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. <code>~/.bash_profile</code> is executed for login shells and <code>~/.bashrc</code> is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), <code>~/.bash_profile</code> is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, <code>~/.bashrc</code> is executed. This allows users more fine grained control over when they want certain commands executed.\n\nMac's Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling <code>~/.bash_profile</code> each time instead of <code>~/.bashrc</code>.\n\nThese files are meant to be written to by the local user to configure their own environment; however, adversaries can also insert code into these files to gain persistence each time a user logs in or opens a new shell (Citation: amnesia malware).\n\nDetection: While users may customize their <code>~/.bashrc</code> and <code>~/.bash_profile</code> files , there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.\n\nPlatforms: Linux, macOS\n\nData Sources: File monitoring, Process Monitoring, Process command-line parameters, Process use of network\n\nPermissions Required: User, Administrator", 'tactic': ['persistence'], 'technique_id': 'T1156', 'platform': ['Linux', 'macOS'], 'data_sources': ['File monitoring', 'Process Monitoring', 'Process command-line parameters', 'Process use of network'], 'defense_bypassed': None, 'permissions_required': ['User', 'Administrator'], 'effective_permissions': None, 'system_requirements': None, 'network_requirements': None, 'remote_support': None, 'contributors': None, 'technique_references': ['https://attack.mitre.org/wiki/Technique/T1156', 'https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/'], 'detectable_by_common_defenses': None, 'detectable_explanation': None, 'difficulty_for_adversary': None, 'difficulty_explanation': None, 'tactic_type': None}
print("Number of Mitigations in ATT&CK")
print(len(all_attack['mitigations']))
mitigations = all_attack['mitigations']
df = json_normalize(mitigations)
df.reindex(['matrix','mitigation', 'mitigation_description','url'], axis=1)[0:5]
Number of Mitigations in ATT&CK 229
| | matrix | mitigation | mitigation_description | url |
---|---|---|---|---|
0 | mitre-attack | .bash_profile and .bashrc Mitigation | Making these files immutable and only changeab... | https://attack.mitre.org/wiki/Technique/T1156 |
1 | mitre-attack | Access Token Manipulation Mitigation | Access tokens are an integral part of the secu... | https://attack.mitre.org/wiki/Technique/T1134 |
2 | mitre-attack | Accessibility Features Mitigation | To use this technique remotely, an adversary m... | https://attack.mitre.org/wiki/Technique/T1015 |
3 | mitre-attack | Account Discovery Mitigation | Prevent administrator accounts from being enum... | https://attack.mitre.org/wiki/Technique/T1087 |
4 | mitre-attack | Account Manipulation Mitigation | Use multifactor authentication. Follow guideli... | https://attack.mitre.org/wiki/Technique/T1098 |
Showing the schema of Mitigations
list(df)
['created', 'created_by_ref', 'id', 'matrix', 'mitigation', 'mitigation_description', 'mitigation_id', 'mitigation_references', 'modified', 'type', 'url']
Showing one Mitigation example
mitigations[0]
{'type': 'course-of-action', 'id': 'course-of-action--4f170666-7edb-4489-85c2-9affa28a72e0', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'created': '2018-04-18 17:59:24.739000+00:00', 'modified': '2018-04-18 17:59:24.739000+00:00', 'matrix': 'mitre-attack', 'url': 'https://attack.mitre.org/wiki/Technique/T1156', 'mitigation': '.bash_profile and .bashrc Mitigation', 'mitigation_description': 'Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.', 'mitigation_id': 'T1156', 'mitigation_references': ['https://attack.mitre.org/wiki/Technique/T1156']}
print("Number of Groups in ATT&CK")
print(len(all_attack['groups']))
groups = all_attack['groups']
df = json_normalize(groups)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]
Number of Groups in ATT&CK 69
| | matrix | group | group_aliases | group_id | group_description |
---|---|---|---|---|---|
0 | mitre-attack | APT12 | [APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC] | G0005 | APT12 is a threat group that has been attribut... |
1 | mitre-attack | APT29 | [APT29, The Dukes, Cozy Bear, CozyDuke] | G0016 | APT29 is threat group that has been attributed... |
2 | mitre-attack | APT34 | [APT34] | G0057 | APT34 is an Iranian cyber espionage group that... |
3 | mitre-attack | Carbanak | [Carbanak, Anunak, Carbon Spider] | G0008 | Carbanak is a threat group that mainly targets... |
4 | mitre-attack | Deep Panda | [Deep Panda, Shell Crew, WebMasters, KungFu Ki... | G0009 | Deep Panda is a suspected Chinese threat group... |
Showing the schema of Groups
list(df)
['created', 'created_by_ref', 'group', 'group_aliases', 'group_description', 'group_id', 'group_references', 'id', 'matrix', 'modified', 'type', 'url']
Showing one Groups example
groups[0]
{'type': 'intrusion-set', 'id': 'intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'matrix': 'mitre-attack', 'created': '2017-05-31 21:31:47.537000+00:00', 'modified': '2018-01-17 12:56:55.080000+00:00', 'url': 'https://attack.mitre.org/wiki/Group/G0005', 'group': 'APT12', 'group_description': 'APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)', 'group_aliases': ['APT12', 'IXESHE', 'DynCalc', 'Numbered Panda', 'DNSCALC'], 'group_id': 'G0005', 'group_references': ['https://attack.mitre.org/wiki/Group/G0005', 'http://www.crowdstrike.com/blog/whois-numbered-panda/']}
print("Number of Malware in ATT&CK")
print(len(all_attack['malware']))
malware = all_attack['malware']
df = json_normalize(malware)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]
Number of Malware in ATT&CK 223
| | matrix | software | software_labels | software_id | software_description |
---|---|---|---|---|---|
0 | mitre-attack | ADVSTORESHELL | [malware] | S0045 | ADVSTORESHELL is a spying backdoor that has be... |
1 | mitre-attack | BACKSPACE | [malware] | S0031 | BACKSPACE is a backdoor used by APT30 that dat... |
2 | mitre-attack | BLACKCOFFEE | [malware] | S0069 | BLACKCOFFEE is malware that has been used by s... |
3 | mitre-attack | BlackEnergy | [malware] | S0089 | BlackEnergy is a malware toolkit that has been... |
4 | mitre-attack | CORALDECK | [malware] | S0212 | is an exfiltration tool used by APT37. (Citati... |
Showing the schema of Malware
list(df)
['created', 'created_by_ref', 'id', 'matrix', 'modified', 'software', 'software_aliases', 'software_description', 'software_id', 'software_labels', 'software_references', 'type', 'url']
Showing one Malware example
malware[0]
{'type': 'malware', 'id': 'malware--fb575479-14ef-41e9-bfab-0b7cf10bec73', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'created': '2017-05-31 21:32:34.648000+00:00', 'modified': '2018-01-17 12:56:55.080000+00:00', 'matrix': 'mitre-attack', 'software': 'ADVSTORESHELL', 'software_description': 'ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)\n\nAliases: ADVSTORESHELL, NETUI, EVILTOSS, AZZY, Sedreco', 'software_labels': ['malware'], 'software_id': 'S0045', 'url': 'https://attack.mitre.org/wiki/Software/S0045', 'software_aliases': ['ADVSTORESHELL', 'NETUI', 'EVILTOSS', 'AZZY', 'Sedreco'], 'software_references': ['https://attack.mitre.org/wiki/Software/S0045', 'https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/', 'http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf']}
print("Number of Tools in ATT&CK")
print(len(all_attack['tools']))
tools = all_attack['tools']
df = json_normalize(tools)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]
Number of Tools in ATT&CK 46
| | matrix | software | software_labels | software_id | software_description |
---|---|---|---|---|---|
0 | mitre-attack | Cobalt Strike | [tool] | S0154 | Cobalt Strike is a commercial, full-featured, ... |
1 | mitre-attack | HTRAN | [tool] | S0040 | HTRAN is a tool that proxies connections throu... |
2 | mitre-attack | Lslsass | [tool] | S0121 | Lslsass is a publicly-available tool that can ... |
3 | mitre-attack | Mimikatz | [tool] | S0002 | Mimikatz is a credential dumper capable of obt... |
4 | mitre-attack | PowerSploit | [tool] | S0194 | PowerSploit is an open source, offensive secur... |
Showing the schema of Tools
list(df)
['created', 'created_by_ref', 'id', 'matrix', 'modified', 'software', 'software_aliases', 'software_description', 'software_id', 'software_labels', 'software_references', 'type', 'url']
Showing one Tool example
tools[0]
{'type': 'tool', 'id': 'tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'created': '2017-12-14 16:46:06.044000+00:00', 'modified': '2018-04-18 17:59:24.739000+00:00', 'matrix': 'mitre-attack', 'software': 'Cobalt Strike', 'software_description': 'Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. (Citation: cobaltstrike manual)\n\nAliases: Cobalt Strike\n\nContributors: Josh Abraham', 'software_labels': ['tool'], 'software_id': 'S0154', 'url': 'https://attack.mitre.org/wiki/Software/S0154', 'software_aliases': ['Cobalt Strike'], 'software_references': ['https://attack.mitre.org/wiki/Software/S0154', 'https://cobaltstrike.com/downloads/csmanual38.pdf']}
print("Number of Relationships in ATT&CK")
print(len(all_attack['relationships']))
relationships = all_attack['relationships']
df = json_normalize(relationships)
df.reindex(['id','relationship', 'source_object', 'target_object'], axis=1)[0:5]
Number of Relationships in ATT&CK 3066
| | id | relationship | source_object | target_object |
---|---|---|---|---|
0 | relationship--bb55d7e7-28af-4efd-8384-289f1a8b... | mitigates | course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774... | attack-pattern--a10641f4-87b4-45a3-a906-92a149... |
1 | relationship--a38d4ac5-1d3d-4a2f-9493-ff3e2a46... | mitigates | course-of-action--cfc2d2fc-14ff-495f-bd99-585b... | attack-pattern--7c93aa74-4bc0-4a9e-90ea-f25f86... |
2 | relationship--b8306976-370f-403d-9983-fe3327c0... | mitigates | course-of-action--2497ac92-e751-4391-82c6-1b86... | attack-pattern--774a3188-6ba9-4dc4-879d-d54ee4... |
3 | relationship--6f7ca160-cd38-4ff4-b297-e95b3111... | mitigates | course-of-action--1c0b39f9-a0c5-42b2-abd8-dc8f... | attack-pattern--5e4a2073-9643-44cb-a0b5-e7f404... |
4 | relationship--0b0884f1-1a40-436e-9a74-8cbe9c9d... | mitigates | course-of-action--d7c49196-b40e-42bc-8eed-b803... | attack-pattern--68c96494-1a50-403e-8844-69a6af... |
Showing the schema of Relationships
list(df)
['created', 'created_by_ref', 'id', 'modified', 'relationship', 'relationship_description', 'source_object', 'target_object', 'type']
Showing one Relationship example
relationships[0]
{'type': 'relationship', 'id': 'relationship--bb55d7e7-28af-4efd-8384-289f1a8b173e', 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'created': '2017-05-31 21:33:27.028000+00:00', 'modified': '2018-01-17 12:56:55.080000+00:00', 'relationship': 'mitigates', 'relationship_description': None, 'source_object': 'course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774beef6425', 'target_object': 'attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27'}
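The relationship records above carry only STIX ids, so a question such as "which techniques does a group use, and which of those have a mitigation" means joining them back to the technique, mitigation and group lists. The following is an added example, not part of the original notebook or of attackcti: it runs on constructed records trimmed to keys from the schemas shown above, with placeholder STIX ids and a hypothetical group G9999. The `uses` relationship type is the STIX type ATT&CK uses for group-to-technique links and is an assumption here, since only `mitigates` and `related-to` rows are printed on this page.

```python
from collections import defaultdict


def _sid(kind, n):
    """Build a placeholder STIX id (constructed, not a real ATT&CK object id)."""
    return "%s--00000000-0000-0000-0000-%012d" % (kind, n)


# Constructed sample records, trimmed to keys listed in the page's schemas.
TECHNIQUES = [
    {"id": _sid("attack-pattern", 1), "technique_id": "T1156",
     "technique": ".bash_profile and .bashrc"},
    {"id": _sid("attack-pattern", 2), "technique_id": "T1134",
     "technique": "Access Token Manipulation"},
    {"id": _sid("attack-pattern", 3), "technique_id": "T1087",
     "technique": "Account Discovery"},
]
MITIGATIONS = [
    {"id": _sid("course-of-action", 1),
     "mitigation": ".bash_profile and .bashrc Mitigation"},
    {"id": _sid("course-of-action", 2),
     "mitigation": "Access Token Manipulation Mitigation"},
]
# Hypothetical group, so no real actor is tied to constructed relationships.
GROUPS = [{"id": _sid("intrusion-set", 1), "group_id": "G9999",
           "group": "Example Group"}]


def _rel(kind, source, target):
    return {"relationship": kind, "source_object": source, "target_object": target}


RELATIONSHIPS = [
    _rel("mitigates", _sid("course-of-action", 1), _sid("attack-pattern", 1)),
    _rel("mitigates", _sid("course-of-action", 2), _sid("attack-pattern", 2)),
    _rel("uses", _sid("intrusion-set", 1), _sid("attack-pattern", 2)),
    _rel("uses", _sid("intrusion-set", 1), _sid("attack-pattern", 3)),
    # A group can also "use" software; that target is not a technique.
    _rel("uses", _sid("intrusion-set", 1), _sid("malware", 1)),
    # Dangling reference: the target is absent from TECHNIQUES.
    _rel("mitigates", _sid("course-of-action", 1), _sid("attack-pattern", 99)),
]


def mitigations_by_technique(techniques, mitigations, relationships):
    """Return ({technique_id: [mitigation names]}, [unresolvable relationships])."""
    tech = {t["id"]: t for t in techniques}
    mit = {m["id"]: m for m in mitigations}
    covered, dangling = defaultdict(list), []
    for rel in relationships:
        if rel.get("relationship") != "mitigates":
            continue
        t = tech.get(rel.get("target_object"))
        m = mit.get(rel.get("source_object"))
        if t is None or m is None:
            # An endpoint is missing from the lists passed in (for example a
            # relationship from one matrix joined against another matrix).
            dangling.append(rel)
            continue
        covered[t["technique_id"]].append(m["mitigation"])
    return dict(covered), dangling


def group_technique_gaps(group_id, groups, techniques, relationships, covered):
    """Split the techniques a group uses into mitigated and unmitigated ids."""
    group = next((g for g in groups if g.get("group_id") == group_id), None)
    if group is None:
        raise KeyError(group_id)
    tech = {t["id"]: t for t in techniques}
    used = set()
    for rel in relationships:
        if rel.get("relationship") != "uses":
            continue
        if rel.get("source_object") != group["id"]:
            continue
        t = tech.get(rel.get("target_object"))  # None when the target is software
        if t is not None:
            used.add(t["technique_id"])
    return {
        "mitigated": sorted(i for i in used if i in covered),
        "unmitigated": sorted(i for i in used if i not in covered),
    }


if __name__ == "__main__":
    covered, dangling = mitigations_by_technique(TECHNIQUES, MITIGATIONS, RELATIONSHIPS)
    print(covered)
    print("unresolved relationships:", len(dangling))
    print(group_technique_gaps("G9999", GROUPS, TECHNIQUES, RELATIONSHIPS, covered))
```

With the live data, pass `all_attack['techniques']`, `all_attack['mitigations']`, `all_attack['groups']` and `all_attack['relationships']` in place of the constructed lists.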
Enterprise Techniques
print("Number of Techniques in Enterprise ATT&CK")
print(len(all_enterprise['techniques']))
df = all_enterprise['techniques']
df = json_normalize(df)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'data_sources'], axis=1)[0:5]
Number of Techniques in Enterprise ATT&CK 219
| | matrix | tactic | technique | technique_id | data_sources |
---|---|---|---|---|---|
0 | mitre-attack | [persistence] | .bash_profile and .bashrc | T1156 | [File monitoring, Process Monitoring, Process ... |
1 | mitre-attack | [defense-evasion, privilege-escalation] | Access Token Manipulation | T1134 | [API monitoring, Access Tokens] |
2 | mitre-attack | [persistence, privilege-escalation] | Accessibility Features | T1015 | [Windows Registry, File monitoring, Process mo... |
3 | mitre-attack | [credential-access] | Account Manipulation | T1098 | [Authentication logs, API monitoring, Windows ... |
4 | mitre-attack | [discovery] | Account Discovery | T1087 | [API monitoring, Process command-line paramete... |
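The `tactic` and `data_sources` columns can be turned into a visibility check: given the data sources an environment actually collects, which techniques could be observed at all, and which missing source would cover the most blind techniques. This is an added example, not code from the original notebook or from attackcti. It uses constructed records with the `technique_id`, `tactic` and `data_sources` keys from the schema above; `T0000` is a hypothetical technique, and the collected-source list is an assumption.

```python
from collections import Counter, defaultdict

# Constructed sample records using keys from the techniques schema on this page.
TECHNIQUES = [
    {"technique_id": "T1156", "tactic": ["persistence"],
     "data_sources": ["File monitoring", "Process Monitoring",
                      "Process command-line parameters", "Process use of network"]},
    {"technique_id": "T1134", "tactic": ["defense-evasion", "privilege-escalation"],
     "data_sources": ["API monitoring", "Access Tokens"]},
    # Hypothetical technique, added so that two blind techniques share a source.
    {"technique_id": "T0000", "tactic": ["discovery"],
     "data_sources": ["API monitoring"]},
    # Records without data sources carry None, as in the technique dict above.
    {"technique_id": "PRE-T1084", "tactic": ["adversary-opsec"],
     "data_sources": None},
]

# Assumed list of what the environment collects. Spelling differs in case from
# the records on purpose: the page itself shows "Process Monitoring" for T1156
# and a lower-case "Process mo..." in other rows.
COLLECTED = ["file monitoring", "Process monitoring"]


def visibility_by_tactic(techniques, collected):
    """Group technique ids per tactic into visible / blind / no_data_sources."""
    have = {s.casefold() for s in collected}
    report = defaultdict(lambda: {"visible": [], "blind": [], "no_data_sources": []})
    for t in techniques:
        sources = t.get("data_sources") or []  # None or missing key -> empty
        if not sources:
            bucket = "no_data_sources"
        elif any(s.casefold() in have for s in sources):
            bucket = "visible"
        else:
            bucket = "blind"
        for tactic in t.get("tactic") or ["(no tactic)"]:
            report[tactic][bucket].append(t["technique_id"])
    return dict(report)


def rank_missing_sources(techniques, collected):
    """Rank uncollected data sources by how many blind techniques list them."""
    have = {s.casefold() for s in collected}
    counts, label = Counter(), {}
    for t in techniques:
        sources = t.get("data_sources") or []
        if any(s.casefold() in have for s in sources):
            continue  # technique already has at least one collected source
        for s in sources:
            label.setdefault(s.casefold(), s)  # keep first-seen spelling
        for key in {s.casefold() for s in sources}:
            counts[key] += 1
    return sorted(((label[k], n) for k, n in counts.items()),
                  key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for tactic, buckets in sorted(visibility_by_tactic(TECHNIQUES, COLLECTED).items()):
        print(tactic, buckets)
    print(rank_missing_sources(TECHNIQUES, COLLECTED))
```

"Visible" here only means that at least one listed data source is collected; it says nothing about whether a detection exists for the technique.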
Enterprise Mitigations
print("Number of Mitigations in Enterprise ATT&CK")
print(len(all_enterprise['mitigations']))
df = all_enterprise['mitigations']
df = json_normalize(df)
df.reindex(['matrix','mitigation', 'mitigation_description', 'url'], axis=1)[0:5]
Number of Mitigations in Enterprise ATT&CK 215
| | matrix | mitigation | mitigation_description | url |
---|---|---|---|---|
0 | mitre-attack | .bash_profile and .bashrc Mitigation | Making these files immutable and only changeab... | https://attack.mitre.org/wiki/Technique/T1156 |
1 | mitre-attack | Access Token Manipulation Mitigation | Access tokens are an integral part of the secu... | https://attack.mitre.org/wiki/Technique/T1134 |
2 | mitre-attack | Accessibility Features Mitigation | To use this technique remotely, an adversary m... | https://attack.mitre.org/wiki/Technique/T1015 |
3 | mitre-attack | Account Discovery Mitigation | Prevent administrator accounts from being enum... | https://attack.mitre.org/wiki/Technique/T1087 |
4 | mitre-attack | Account Manipulation Mitigation | Use multifactor authentication. Follow guideli... | https://attack.mitre.org/wiki/Technique/T1098 |
Enterprise Groups
print("Number of Groups in Enterprise ATT&CK")
print(len(all_enterprise['groups']))
df = all_enterprise['groups']
df = json_normalize(df)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]
Number of Groups in Enterprise ATT&CK 69
| | matrix | group | group_aliases | group_id | group_description |
---|---|---|---|---|---|
0 | mitre-attack | APT12 | [APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC] | G0005 | APT12 is a threat group that has been attribut... |
1 | mitre-attack | APT29 | [APT29, The Dukes, Cozy Bear, CozyDuke] | G0016 | APT29 is threat group that has been attributed... |
2 | mitre-attack | APT34 | [APT34] | G0057 | APT34 is an Iranian cyber espionage group that... |
3 | mitre-attack | Carbanak | [Carbanak, Anunak, Carbon Spider] | G0008 | Carbanak is a threat group that mainly targets... |
4 | mitre-attack | Deep Panda | [Deep Panda, Shell Crew, WebMasters, KungFu Ki... | G0009 | Deep Panda is a suspected Chinese threat group... |
Enterprise Malware
print("Number of Malware objects in Enterprise ATT&CK")
print(len(all_enterprise['malware']))
df = all_enterprise['malware']
df = json_normalize(df)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]
Number of Malware objects in Enterprise ATT&CK 188
| | matrix | software | software_labels | software_id | software_description |
---|---|---|---|---|---|
0 | mitre-attack | ADVSTORESHELL | [malware] | S0045 | ADVSTORESHELL is a spying backdoor that has be... |
1 | mitre-attack | BACKSPACE | [malware] | S0031 | BACKSPACE is a backdoor used by APT30 that dat... |
2 | mitre-attack | BLACKCOFFEE | [malware] | S0069 | BLACKCOFFEE is malware that has been used by s... |
3 | mitre-attack | BlackEnergy | [malware] | S0089 | BlackEnergy is a malware toolkit that has been... |
4 | mitre-attack | CORALDECK | [malware] | S0212 | is an exfiltration tool used by APT37. (Citati... |
Enterprise Tools
print("Number of Tools in Enterprise ATT&CK")
print(len(all_enterprise['tools']))
df = all_enterprise['tools']
df = json_normalize(df)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]
Number of Tools in Enterprise ATT&CK 45
| | matrix | software | software_labels | software_id | software_description |
---|---|---|---|---|---|
0 | mitre-attack | Cobalt Strike | [tool] | S0154 | Cobalt Strike is a commercial, full-featured, ... |
1 | mitre-attack | HTRAN | [tool] | S0040 | HTRAN is a tool that proxies connections throu... |
2 | mitre-attack | Lslsass | [tool] | S0121 | Lslsass is a publicly-available tool that can ... |
3 | mitre-attack | Mimikatz | [tool] | S0002 | Mimikatz is a credential dumper capable of obt... |
4 | mitre-attack | PowerSploit | [tool] | S0194 | PowerSploit is an open source, offensive secur... |
Enterprise Relationships
print("Number of Relationships in Enterprise ATT&CK")
print(len(all_enterprise['relationships']))
df = all_enterprise['relationships']
df = json_normalize(df)
df.reindex(['id','relationship', 'source_object', 'target_object'], axis=1)[0:5]
Number of Relationships in Enterprise ATT&CK 2707
| | id | relationship | source_object | target_object |
---|---|---|---|---|
0 | relationship--bb55d7e7-28af-4efd-8384-289f1a8b... | mitigates | course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774... | attack-pattern--a10641f4-87b4-45a3-a906-92a149... |
1 | relationship--a38d4ac5-1d3d-4a2f-9493-ff3e2a46... | mitigates | course-of-action--cfc2d2fc-14ff-495f-bd99-585b... | attack-pattern--7c93aa74-4bc0-4a9e-90ea-f25f86... |
2 | relationship--b8306976-370f-403d-9983-fe3327c0... | mitigates | course-of-action--2497ac92-e751-4391-82c6-1b86... | attack-pattern--774a3188-6ba9-4dc4-879d-d54ee4... |
3 | relationship--6f7ca160-cd38-4ff4-b297-e95b3111... | mitigates | course-of-action--1c0b39f9-a0c5-42b2-abd8-dc8f... | attack-pattern--5e4a2073-9643-44cb-a0b5-e7f404... |
4 | relationship--0b0884f1-1a40-436e-9a74-8cbe9c9d... | mitigates | course-of-action--d7c49196-b40e-42bc-8eed-b803... | attack-pattern--68c96494-1a50-403e-8844-69a6af... |
PRE Techniques
print("Number of Techniques in PRE-ATT&CK")
print(len(all_pre['techniques']))
df = all_pre['techniques']
df = json_normalize(df)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'detectable_by_common_defenses'], axis=1)[0:5]
Number of Techniques in PRE-ATT&CK 174
| | matrix | tactic | technique | technique_id | detectable_by_common_defenses |
---|---|---|---|---|---|
0 | mitre-pre-attack | [adversary-opsec] | Acquire and/or use 3rd party infrastructure se... | PRE-T1084 | No |
1 | mitre-pre-attack | [establish-&-maintain-infrastructure] | Acquire or compromise 3rd party signing certif... | PRE-T1109 | No |
2 | mitre-pre-attack | [technical-weakness-identification] | Analyze data collected | PRE-T1064 | No |
3 | mitre-pre-attack | [organizational-weakness-identification] | Analyze presence of outsourced capabilities | PRE-T1080 | No |
4 | mitre-pre-attack | [priority-definition-planning] | Assess leadership areas of interest | PRE-T1001 | No |
PRE Groups
print("Number of Groups in PRE-ATT&CK")
print(len(all_pre['groups']))
df = all_pre['groups']
df = json_normalize(df)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]
Number of Groups in PRE-ATT&CK 7
| | matrix | group | group_aliases | group_id | group_description |
---|---|---|---|---|---|
0 | mitre-attack | APT12 | [APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC] | G0005 | APT12 is a threat group that has been attribut... |
1 | mitre-attack | APT1 | [APT1, Comment Crew, Comment Group, Comment Pa... | G0006 | APT1 is a Chinese threat group that has been a... |
2 | mitre-attack | APT28 | [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... | G0007 | APT28 is a threat group that has been attribut... |
3 | mitre-attack | Night Dragon | [Night Dragon, Musical Chairs] | G0014 | Night Dragon is a campaign name for activity i... |
4 | mitre-attack | APT16 | [APT16] | G0023 | APT16 is a China-based threat group that has l... |
PRE Relationships
print("Number of Relationships in PRE-ATT&CK")
print(len(all_pre['relationships']))
df = all_pre['relationships']
df = json_normalize(df)
df.reindex(['id','relationship', 'source_object', 'target_object'], axis=1)[0:5]
Number of Relationships in PRE-ATT&CK 114
| | id | relationship | source_object | target_object |
---|---|---|---|---|
0 | relationship--1143e6a6-deef-4dbd-8c91-7bf537d8... | related-to | attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae... | attack-pattern--2b9a666e-bd59-4f67-9031-ed41b4... |
1 | relationship--3d781e9a-d3f8-4e9f-bb23-ba6c2ff2... | related-to | attack-pattern--1a295f87-af63-4d94-b130-039d62... | attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc... |
2 | relationship--d5bd7a33-a249-46e5-bb19-a498eba4... | related-to | attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6e... | attack-pattern--7baccb84-356c-4e89-8c5d-58e701... |
3 | relationship--bc165934-7ef6-4aed-a0d7-81d33725... | related-to | attack-pattern--e51398e6-53dc-4e9f-a323-e54683... | attack-pattern--4900fabf-1142-4c1f-92f5-0b590e... |
4 | relationship--46f1e7d4-4d73-4e33-b88b-b3bcde5d... | related-to | attack-pattern--a757670d-d600-48d9-8ae9-601d42... | attack-pattern--af358cad-eb71-4e91-a752-236edc... |
Mobile Techniques
print("Number of Techniques in Mobile ATT&CK")
print(len(all_mobile['techniques']))
df = all_mobile['techniques']
df = json_normalize(df)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'tactic_type'], axis=1)[0:5]
Number of Techniques in Mobile ATT&CK 76
| | matrix | tactic | technique | technique_id | tactic_type |
---|---|---|---|---|---|
0 | mitre-mobile-attack | [collection, credential-access] | Abuse Accessibility Features | MOB-T1056 | [Post-Adversary Device Access] |
1 | mitre-mobile-attack | [collection] | Access Contact List | MOB-T1035 | [Post-Adversary Device Access] |
2 | mitre-mobile-attack | [persistence] | App Auto-Start at Device Boot | MOB-T1005 | [Post-Adversary Device Access] |
3 | mitre-mobile-attack | [exploit-via-physical-access] | Biometric Spoofing | MOB-T1063 | [Pre-Adversary Device Access] |
4 | mitre-mobile-attack | [discovery] | Device Type Discovery | MOB-T1022 | [Post-Adversary Device Access] |
Mobile Mitigations
print("Number of Mitigations in Mobile ATT&CK")
print(len(all_mobile['mitigations']))
print(" ")
df = all_mobile['mitigations']
df = json_normalize(df)
df.reindex(['matrix', 'mitigation', 'mitigation_description', 'url'], axis=1)[0:5]
Number of Mitigations in Mobile ATT&CK 14
| | matrix | mitigation | mitigation_description | url |
---|---|---|---|---|
0 | mitre-mobile-attack | Attestation | Enable remote attestation capabilities when av... | https://attack.mitre.org/mobile/index.php/Miti... |
1 | mitre-mobile-attack | Interconnection Filtering | In order to mitigate Signaling System 7 (SS7) ... | https://attack.mitre.org/mobile/index.php/Miti... |
2 | mitre-mobile-attack | Use Recent OS Version | New mobile operating system versions bring not... | https://attack.mitre.org/mobile/index.php/Miti... |
3 | mitre-mobile-attack | Caution with Device Administrator Access | Warn device users not to accept requests to gr... | https://attack.mitre.org/mobile/index.php/Miti... |
4 | mitre-mobile-attack | Lock Bootloader | On devices that provide the capability to unlo... | https://attack.mitre.org/mobile/index.php/Miti... |
Mobile Groups
print("Number of Groups in Mobile ATT&CK")
print(len(all_mobile['groups']))
df = all_mobile['groups']
df = json_normalize(df)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]
Number of Groups in Mobile ATT&CK 1
| | matrix | group | group_aliases | group_id | group_description |
---|---|---|---|---|---|
0 | mitre-attack | APT28 | [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... | G0007 | APT28 is a threat group that has been attribut... |
Mobile Malware
print("Number of Malware in Mobile ATT&CK")
print(len(all_mobile['malware']))
df = all_mobile['malware']
df = json_normalize(df)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]
Number of Malware in Mobile ATT&CK 35
| | matrix | software | software_labels | software_id | software_description |
---|---|---|---|---|---|
0 | mitre-mobile-attack | Android/Chuli.A | [malware] | MOB-S0020 | As reported by Kaspersky (Citation: Kaspersky-... |
1 | mitre-mobile-attack | DressCode | [malware] | MOB-S0016 | Android malware family analyzed by Trend Micro... |
2 | mitre-mobile-attack | HummingWhale | [malware] | MOB-S0037 | The HummingWhale Android malware family "inclu... |
3 | mitre-mobile-attack | OldBoot | [malware] | MOB-S0001 | OldBoot is a family of Android malware describ... |
4 | mitre-mobile-attack | RuMMS | [malware] | MOB-S0029 | RuMMS is a family of Android malware (Citation... |
Mobile Tools
print("Number of Tools in Mobile ATT&CK")
print(len(all_mobile['tools']))
df = all_mobile['tools']
df = json_normalize(df)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]
Number of Tools in Mobile ATT&CK 1
| | matrix | software | software_labels | software_id | software_description |
---|---|---|---|---|---|
0 | mitre-mobile-attack | Xbot | [tool] | MOB-S0014 | Xbot is a family of Android malware analyzed b... |
Mobile Relationships
print("Number of Relationships in Mobile ATT&CK")
print(len(all_mobile['relationships']))
df = all_mobile['relationships']
df = json_normalize(df)
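# 'object id' is not a column in the relationships schema (the id column is 'id'), so reindex fills it with NaN
df.reindex(['object id','relationship', 'relationship_description','source_object', 'target_object'], axis=1)[0:5]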
Number of Relationships in Mobile ATT&CK 245
| | object id | relationship | relationship_description | source_object | target_object |
---|---|---|---|---|---|
0 | NaN | mitigates | NaN | course-of-action--0beabf44-e8d8-4ae4-9122-ef56... | attack-pattern--82f04b1e-5371-4a6f-be06-411f0f... |
1 | NaN | mitigates | NaN | course-of-action--bcecd036-f40e-4916-9f8e-fd0c... | attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e... |
2 | NaN | mitigates | NaN | course-of-action--1553b156-6767-47f7-9eb4-2a69... | attack-pattern--29e07491-8947-43a3-8d4e-9a787c... |
3 | NaN | mitigates | NaN | course-of-action--0beabf44-e8d8-4ae4-9122-ef56... | attack-pattern--702055ac-4e54-4ae9-9527-e23a38... |
4 | NaN | mitigates | NaN | course-of-action--653492e3-27be-4a0e-b08c-938d... | attack-pattern--1f96d624-8409-4472-ad8a-30618e... |
print("Number of Techniques in Enterprise ATT&CK")
techniques = lift.get_all_enterprise_techniques()
print(len(techniques))
df = json_normalize(techniques)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'data_sources','contributors'], axis=1)[0:5]
Number of Techniques in Enterprise ATT&CK 219
| | matrix | tactic | technique | technique_id | data_sources | contributors |
---|---|---|---|---|---|---|
0 | mitre-attack | [persistence] | .bash_profile and .bashrc | T1156 | [File monitoring, Process Monitoring, Process ... | NaN |
1 | mitre-attack | [defense-evasion, privilege-escalation] | Access Token Manipulation | T1134 | [API monitoring, Access Tokens] | [Tom Ueltschi @c_APT_ure, Travis Smith, Tripwi... |
2 | mitre-attack | [persistence, privilege-escalation] | Accessibility Features | T1015 | [Windows Registry, File monitoring, Process mo... | [Paul Speulstra, AECOM Global Security Operati... |
3 | mitre-attack | [credential-access] | Account Manipulation | T1098 | [Authentication logs, API monitoring, Windows ... | NaN |
4 | mitre-attack | [discovery] | Account Discovery | T1087 | [API monitoring, Process command-line paramete... | [Travis Smith, Tripwire] |
print("Number of Techniques in PRE-ATT&CK")
techniques = lift.get_all_pre_techniques()
print(len(techniques))
df = json_normalize(techniques)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'detectable_by_common_defenses', 'contributors'], axis=1)[0:5]
Number of Techniques in PRE-ATT&CK 174
| | matrix | tactic | technique | technique_id | detectable_by_common_defenses | contributors |
---|---|---|---|---|---|---|
0 | mitre-pre-attack | [adversary-opsec] | Acquire and/or use 3rd party infrastructure se... | PRE-T1084 | No | NaN |
1 | mitre-pre-attack | [establish-&-maintain-infrastructure] | Acquire or compromise 3rd party signing certif... | PRE-T1109 | No | NaN |
2 | mitre-pre-attack | [technical-weakness-identification] | Analyze data collected | PRE-T1064 | No | NaN |
3 | mitre-pre-attack | [organizational-weakness-identification] | Analyze presence of outsourced capabilities | PRE-T1080 | No | NaN |
4 | mitre-pre-attack | [priority-definition-planning] | Assess leadership areas of interest | PRE-T1001 | No | NaN |
print("Number of Techniques in Mobile ATT&CK")
techniques = lift.get_all_mobile_techniques()
print(len(techniques))
df = json_normalize(techniques)
df.reindex(['matrix', 'id','tactic', 'technique', 'tactic_type','contributors'], axis=1)[0:5]
Number of Techniques in Mobile ATT&CK 76
| | matrix | id | tactic | technique | tactic_type | contributors |
---|---|---|---|---|---|---|
0 | mitre-mobile-attack | attack-pattern--2204c371-6100-4ae0-82f3-25c07c... | [collection, credential-access] | Abuse Accessibility Features | [Post-Adversary Device Access] | NaN |
1 | mitre-mobile-attack | attack-pattern--4e6620ac-c30c-4f6d-918e-fa20ca... | [collection] | Access Contact List | [Post-Adversary Device Access] | NaN |
2 | mitre-mobile-attack | attack-pattern--bd4d32f5-eed4-4018-a649-40b229... | [persistence] | App Auto-Start at Device Boot | [Post-Adversary Device Access] | NaN |
3 | mitre-mobile-attack | attack-pattern--45dcbc83-4abc-4de1-b643-e528d1... | [exploit-via-physical-access] | Biometric Spoofing | [Pre-Adversary Device Access] | NaN |
4 | mitre-mobile-attack | attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1... | [discovery] | Device Type Discovery | [Post-Adversary Device Access] | NaN |
print("Number of Techniques in ATT&CK")
techniques = lift.get_all_techniques()
print(len(techniques))
df = json_normalize(techniques)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'data_sources'], axis=1)[0:5]
Number of Techniques in ATT&CK 469
| | matrix | tactic | technique | technique_id | data_sources |
---|---|---|---|---|---|
0 | mitre-attack | [persistence] | .bash_profile and .bashrc | T1156 | [File monitoring, Process Monitoring, Process ... |
1 | mitre-attack | [defense-evasion, privilege-escalation] | Access Token Manipulation | T1134 | [API monitoring, Access Tokens] |
2 | mitre-attack | [persistence, privilege-escalation] | Accessibility Features | T1015 | [Windows Registry, File monitoring, Process mo... |
3 | mitre-attack | [credential-access] | Account Manipulation | T1098 | [Authentication logs, API monitoring, Windows ... |
4 | mitre-attack | [discovery] | Account Discovery | T1087 | [API monitoring, Process command-line paramete... |
print("Number of Mitigations in Enterprise ATT&CK")
mitigations = lift.get_all_enterprise_mitigations()
print(len(mitigations))
df = json_normalize(mitigations)
df.reindex(['matrix', 'mitigation', 'mitigation_description', 'url'], axis=1)[0:5]
Number of Mitigations in Enterprise ATT&CK 215
| | matrix | mitigation | mitigation_description | url |
---|---|---|---|---|
0 | mitre-attack | .bash_profile and .bashrc Mitigation | Making these files immutable and only changeab... | https://attack.mitre.org/wiki/Technique/T1156 |
1 | mitre-attack | Access Token Manipulation Mitigation | Access tokens are an integral part of the secu... | https://attack.mitre.org/wiki/Technique/T1134 |
2 | mitre-attack | Accessibility Features Mitigation | To use this technique remotely, an adversary m... | https://attack.mitre.org/wiki/Technique/T1015 |
3 | mitre-attack | Account Discovery Mitigation | Prevent administrator accounts from being enum... | https://attack.mitre.org/wiki/Technique/T1087 |
4 | mitre-attack | Account Manipulation Mitigation | Use multifactor authentication. Follow guideli... | https://attack.mitre.org/wiki/Technique/T1098 |
print("Number of Mitigations in Mobile ATT&CK")
mitigations = lift.get_all_mobile_mitigations()
print(len(mitigations))
df = json_normalize(mitigations)
df.reindex(['matrix', 'mitigation', 'mitigation_description', 'url'], axis=1)[0:5]
Number of Mitigations in Mobile ATT&CK 14
| | matrix | mitigation | mitigation_description | url |
---|---|---|---|---|
0 | mitre-mobile-attack | Attestation | Enable remote attestation capabilities when av... | https://attack.mitre.org/mobile/index.php/Miti... |
1 | mitre-mobile-attack | Interconnection Filtering | In order to mitigate Signaling System 7 (SS7) ... | https://attack.mitre.org/mobile/index.php/Miti... |
2 | mitre-mobile-attack | Use Recent OS Version | New mobile operating system versions bring not... | https://attack.mitre.org/mobile/index.php/Miti... |
3 | mitre-mobile-attack | Caution with Device Administrator Access | Warn device users not to accept requests to gr... | https://attack.mitre.org/mobile/index.php/Miti... |
4 | mitre-mobile-attack | Lock Bootloader | On devices that provide the capability to unlo... | https://attack.mitre.org/mobile/index.php/Miti... |
print("Number of Mitigations in ATT&CK")
mitigations = lift.get_all_mitigations()
print(len(mitigations))
df = json_normalize(mitigations)
df.reindex(['matrix', 'mitigation', 'mitigation_description', 'url'], axis=1)[0:5]
Number of Mitigations in ATT&CK 229
| | matrix | mitigation | mitigation_description | url |
---|---|---|---|---|
0 | mitre-attack | .bash_profile and .bashrc Mitigation | Making these files immutable and only changeab... | https://attack.mitre.org/wiki/Technique/T1156 |
1 | mitre-attack | Access Token Manipulation Mitigation | Access tokens are an integral part of the secu... | https://attack.mitre.org/wiki/Technique/T1134 |
2 | mitre-attack | Accessibility Features Mitigation | To use this technique remotely, an adversary m... | https://attack.mitre.org/wiki/Technique/T1015 |
3 | mitre-attack | Account Discovery Mitigation | Prevent administrator accounts from being enum... | https://attack.mitre.org/wiki/Technique/T1087 |
4 | mitre-attack | Account Manipulation Mitigation | Use multifactor authentication. Follow guideli... | https://attack.mitre.org/wiki/Technique/T1098 |
print("Number of Groups in Enterprise ATT&CK")
groups = lift.get_all_enterprise_groups()
print(len(groups))
df = json_normalize(groups)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]
Number of Groups in Enterprise ATT&CK 69
| | matrix | group | group_aliases | group_id | group_description |
---|---|---|---|---|---|
0 | mitre-attack | APT12 | [APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC] | G0005 | APT12 is a threat group that has been attribut... |
1 | mitre-attack | APT29 | [APT29, The Dukes, Cozy Bear, CozyDuke] | G0016 | APT29 is threat group that has been attributed... |
2 | mitre-attack | APT34 | [APT34] | G0057 | APT34 is an Iranian cyber espionage group that... |
3 | mitre-attack | Carbanak | [Carbanak, Anunak, Carbon Spider] | G0008 | Carbanak is a threat group that mainly targets... |
4 | mitre-attack | Deep Panda | [Deep Panda, Shell Crew, WebMasters, KungFu Ki... | G0009 | Deep Panda is a suspected Chinese threat group... |
print("Number of Groups in PRE-ATT&CK")
groups = lift.get_all_pre_groups()
print(len(groups))
df = json_normalize(groups)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]
Number of Groups in PRE-ATT&CK 7
| | matrix | group | group_aliases | group_id | group_description |
---|---|---|---|---|---|
0 | mitre-attack | APT12 | [APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC] | G0005 | APT12 is a threat group that has been attribut... |
1 | mitre-attack | APT1 | [APT1, Comment Crew, Comment Group, Comment Pa... | G0006 | APT1 is a Chinese threat group that has been a... |
2 | mitre-attack | APT28 | [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... | G0007 | APT28 is a threat group that has been attribut... |
3 | mitre-attack | Night Dragon | [Night Dragon, Musical Chairs] | G0014 | Night Dragon is a campaign name for activity i... |
4 | mitre-attack | APT16 | [APT16] | G0023 | APT16 is a China-based threat group that has l... |
print("Number of Groups in Mobile ATT&CK")
groups = lift.get_all_mobile_groups()
print(len(groups))
df = json_normalize(groups)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]
Number of Groups in Mobile ATT&CK 1
| | matrix | group | group_aliases | group_id | group_description |
---|---|---|---|---|---|
0 | mitre-attack | APT28 | [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... | G0007 | APT28 is a threat group that has been attribut... |
print("Number of Groups in ATT&CK")
groups = lift.get_all_groups()
print(len(groups))
df = json_normalize(groups)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]
Number of Groups in ATT&CK 69
| | matrix | group | group_aliases | group_id | group_description |
---|---|---|---|---|---|
0 | mitre-attack | APT12 | [APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC] | G0005 | APT12 is a threat group that has been attribut... |
1 | mitre-attack | APT29 | [APT29, The Dukes, Cozy Bear, CozyDuke] | G0016 | APT29 is threat group that has been attributed... |
2 | mitre-attack | APT34 | [APT34] | G0057 | APT34 is an Iranian cyber espionage group that... |
3 | mitre-attack | Carbanak | [Carbanak, Anunak, Carbon Spider] | G0008 | Carbanak is a threat group that mainly targets... |
4 | mitre-attack | Deep Panda | [Deep Panda, Shell Crew, WebMasters, KungFu Ki... | G0009 | Deep Panda is a suspected Chinese threat group... |
print("Number of Software in ATT&CK")
software = lift.get_all_software()
print(len(software))
df = json_normalize(software)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]
Number of Software in ATT&CK 269
| | matrix | software | software_labels | software_id | software_description |
---|---|---|---|---|---|
0 | mitre-attack | Cobalt Strike | [tool] | S0154 | Cobalt Strike is a commercial, full-featured, ... |
1 | mitre-attack | HTRAN | [tool] | S0040 | HTRAN is a tool that proxies connections throu... |
2 | mitre-attack | Lslsass | [tool] | S0121 | Lslsass is a publicly-available tool that can ... |
3 | mitre-attack | Mimikatz | [tool] | S0002 | Mimikatz is a credential dumper capable of obt... |
4 | mitre-attack | PowerSploit | [tool] | S0194 | PowerSploit is an open source, offensive secur... |
print("Number of Relationships in Enterprise ATT&CK")
relationships = lift.get_all_enterprise_relationships()
print(len(relationships))
df = json_normalize(relationships)
df.reindex(['id','relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]
Number of Relationships in Enterprise ATT&CK 2707
| | id | relationship | relationship_description | source_object | target_object |
---|---|---|---|---|---|
0 | relationship--bb55d7e7-28af-4efd-8384-289f1a8b... | mitigates | NaN | course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774... | attack-pattern--a10641f4-87b4-45a3-a906-92a149... |
1 | relationship--a38d4ac5-1d3d-4a2f-9493-ff3e2a46... | mitigates | NaN | course-of-action--cfc2d2fc-14ff-495f-bd99-585b... | attack-pattern--7c93aa74-4bc0-4a9e-90ea-f25f86... |
2 | relationship--b8306976-370f-403d-9983-fe3327c0... | mitigates | NaN | course-of-action--2497ac92-e751-4391-82c6-1b86... | attack-pattern--774a3188-6ba9-4dc4-879d-d54ee4... |
3 | relationship--6f7ca160-cd38-4ff4-b297-e95b3111... | mitigates | NaN | course-of-action--1c0b39f9-a0c5-42b2-abd8-dc8f... | attack-pattern--5e4a2073-9643-44cb-a0b5-e7f404... |
4 | relationship--0b0884f1-1a40-436e-9a74-8cbe9c9d... | mitigates | NaN | course-of-action--d7c49196-b40e-42bc-8eed-b803... | attack-pattern--68c96494-1a50-403e-8844-69a6af... |
print("Number of Relationships in PRE-ATT&CK")
relationships = lift.get_all_pre_relationships()
print(len(relationships))
df = json_normalize(relationships)
df.reindex(['id','relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]
Number of Relationships in PRE-ATT&CK 114
| | id | relationship | relationship_description | source_object | target_object |
---|---|---|---|---|---|
0 | relationship--1143e6a6-deef-4dbd-8c91-7bf537d8... | related-to | NaN | attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae... | attack-pattern--2b9a666e-bd59-4f67-9031-ed41b4... |
1 | relationship--3d781e9a-d3f8-4e9f-bb23-ba6c2ff2... | related-to | NaN | attack-pattern--1a295f87-af63-4d94-b130-039d62... | attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc... |
2 | relationship--d5bd7a33-a249-46e5-bb19-a498eba4... | related-to | NaN | attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6e... | attack-pattern--7baccb84-356c-4e89-8c5d-58e701... |
3 | relationship--bc165934-7ef6-4aed-a0d7-81d33725... | related-to | NaN | attack-pattern--e51398e6-53dc-4e9f-a323-e54683... | attack-pattern--4900fabf-1142-4c1f-92f5-0b590e... |
4 | relationship--46f1e7d4-4d73-4e33-b88b-b3bcde5d... | related-to | NaN | attack-pattern--a757670d-d600-48d9-8ae9-601d42... | attack-pattern--af358cad-eb71-4e91-a752-236edc... |
print("Number of Relationships in Mobile ATT&CK")
relationships = lift.get_all_mobile_relationships()
print(len(relationships))
df = json_normalize(relationships)
df.reindex(['id','relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]
Number of Relationships in Mobile ATT&CK 245
| | id | relationship | relationship_description | source_object | target_object |
---|---|---|---|---|---|
0 | relationship--b2c289bf-e981-4bcd-87dd-b6c06805... | mitigates | NaN | course-of-action--0beabf44-e8d8-4ae4-9122-ef56... | attack-pattern--82f04b1e-5371-4a6f-be06-411f0f... |
1 | relationship--93a524e2-cb17-4b40-8640-a03949e8... | mitigates | NaN | course-of-action--bcecd036-f40e-4916-9f8e-fd0c... | attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e... |
2 | relationship--9e83607e-2936-4f25-b6d2-c3578468... | mitigates | NaN | course-of-action--1553b156-6767-47f7-9eb4-2a69... | attack-pattern--29e07491-8947-43a3-8d4e-9a787c... |
3 | relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df... | mitigates | NaN | course-of-action--0beabf44-e8d8-4ae4-9122-ef56... | attack-pattern--702055ac-4e54-4ae9-9527-e23a38... |
4 | relationship--bf859944-d097-45ba-ae01-2f85a00c... | mitigates | NaN | course-of-action--653492e3-27be-4a0e-b08c-938d... | attack-pattern--1f96d624-8409-4472-ad8a-30618e... |
print("Number of Relationships in ATT&CK")
relationships = lift.get_all_relationships()
print(len(relationships))
df = json_normalize(relationships)
df.reindex(['id','relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]
Number of Relationships in ATT&CK 3066
| | id | relationship | relationship_description | source_object | target_object |
---|---|---|---|---|---|
0 | relationship--bb55d7e7-28af-4efd-8384-289f1a8b... | mitigates | NaN | course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774... | attack-pattern--a10641f4-87b4-45a3-a906-92a149... |
1 | relationship--a38d4ac5-1d3d-4a2f-9493-ff3e2a46... | mitigates | NaN | course-of-action--cfc2d2fc-14ff-495f-bd99-585b... | attack-pattern--7c93aa74-4bc0-4a9e-90ea-f25f86... |
2 | relationship--b8306976-370f-403d-9983-fe3327c0... | mitigates | NaN | course-of-action--2497ac92-e751-4391-82c6-1b86... | attack-pattern--774a3188-6ba9-4dc4-879d-d54ee4... |
3 | relationship--6f7ca160-cd38-4ff4-b297-e95b3111... | mitigates | NaN | course-of-action--1c0b39f9-a0c5-42b2-abd8-dc8f... | attack-pattern--5e4a2073-9643-44cb-a0b5-e7f404... |
4 | relationship--0b0884f1-1a40-436e-9a74-8cbe9c9d... | mitigates | NaN | course-of-action--d7c49196-b40e-42bc-8eed-b803... | attack-pattern--68c96494-1a50-403e-8844-69a6af... |
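The relationship tables above expose only STIX ids in source_object and target_object. The following added example (not part of the original notebook) resolves `mitigates` relationships to technique and mitigation names and lists techniques that have no mitigation linked. It runs on constructed sample records that reuse the column names shown on this page, and it assumes mitigation records carry an `id` field in the same way the technique records do.

```python
from collections import defaultdict

# Constructed sample records: field names follow the columns shown on this
# page; the STIX ids are placeholders, not real ATT&CK object ids.
def _sid(kind, n):
    return "%s--00000000-0000-4000-8000-%012d" % (kind, n)

TECHNIQUES = [
    {"id": _sid("attack-pattern", 1), "technique_id": "T1156",
     "technique": ".bash_profile and .bashrc"},
    {"id": _sid("attack-pattern", 2), "technique_id": "T1134",
     "technique": "Access Token Manipulation"},
    {"id": _sid("attack-pattern", 3), "technique_id": "T1087",
     "technique": "Account Discovery"},
]
# Assumption: mitigation records expose their STIX id under "id".
MITIGATIONS = [
    {"id": _sid("course-of-action", 1),
     "mitigation": ".bash_profile and .bashrc Mitigation"},
    {"id": _sid("course-of-action", 2),
     "mitigation": "Access Token Manipulation Mitigation"},
]
RELATIONSHIPS = [
    {"id": _sid("relationship", 1), "relationship": "mitigates",
     "source_object": _sid("course-of-action", 1),
     "target_object": _sid("attack-pattern", 1)},
    {"id": _sid("relationship", 2), "relationship": "mitigates",
     "source_object": _sid("course-of-action", 2),
     "target_object": _sid("attack-pattern", 2)},
    # Not a mitigation edge: ignored by the join.
    {"id": _sid("relationship", 3), "relationship": "related-to",
     "source_object": _sid("attack-pattern", 3),
     "target_object": _sid("attack-pattern", 1)},
    # Target id is absent from TECHNIQUES (e.g. it lives in another matrix).
    {"id": _sid("relationship", 4), "relationship": "mitigates",
     "source_object": _sid("course-of-action", 1),
     "target_object": _sid("attack-pattern", 99)},
]

def mitigation_coverage(techniques, mitigations, relationships):
    """Return (covered, uncovered, unresolved) for 'mitigates' edges."""
    tech = {t["id"]: t for t in techniques}
    mit = {m["id"]: m for m in mitigations}
    covered, unresolved = defaultdict(list), []
    for rel in relationships:
        if rel.get("relationship") != "mitigates":
            continue
        src = mit.get(rel.get("source_object"))
        dst = tech.get(rel.get("target_object"))
        if src is None or dst is None:
            unresolved.append(rel["id"])  # keep for review, do not drop silently
            continue
        covered[dst["technique_id"]].append(src["mitigation"])
    uncovered = sorted(t["technique_id"] for t in techniques
                       if t["technique_id"] not in covered)
    return dict(covered), uncovered, unresolved
```

On live data, pass the lists returned by lift.get_all_enterprise_techniques(), lift.get_all_enterprise_mitigations() and lift.get_all_enterprise_relationships() so that all three come from the same matrix; edges that cross matrices end up in the unresolved list.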