# **MITRE ATT&CK API FILTERS**: Python Client
------------------

## Import ATTACK API Client

In [1]:
from attackcti import attack_client

## Import Extra Libraries

In [2]:
import pandas as pd
from pandas import json_normalize  # pandas >= 1.0; older releases exposed it as pandas.io.json.json_normalize

## Initialize ATT&CK Client Variable

In [3]:
lift = attack_client()

## Get Technique by Name (TAXII)
You can use a custom method in the attack_client class to get a technique across all the matrices by its name. It is case sensitive.

In [4]:
technique_name = lift.get_technique_by_name('Rundll32')

In [5]:
technique_name

[AttackPattern(type='attack-pattern', id='attack-pattern--62b8c999-dcc0-4755-bd69-09442d9359f5', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-05-31T21:31:06.045Z', modified='2019-01-31T01:30:34.695Z', name='Rundll32', description='The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.\n\nRundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to thi

## Get Data Sources from All Techniques (TAXII)
* You can also get all the data sources available in ATT&CK
* Currently the only techniques with data sources are the ones in Enterprise ATT&CK.

In [6]:
data_sources = lift.get_all_data_sources()

In [7]:
len(data_sources)

50

In [8]:
data_sources

['anti-virus',
 'powershell logs',
 'process monitoring',
 'kernel drivers',
 'disk forensics',
 'services',
 'third-party application logs',
 'authentication logs',
 'loaded dlls',
 'bios',
 'process use of network',
 'file monitoring',
 'api monitoring',
 'browser extensions',
 'host network interface',
 'vbr',
 'network intrusion detection system',
 'network protocol analysis',
 'netflow/enclave netflow',
 'asset management',
 'application logs',
 'detonation chamber',
 'wmi objects',
 'user interface',
 'component firmware',
 'dll monitoring',
 'mail server',
 'ssl/tls inspection',
 'email gateway',
 'windows registry',
 'process command-line parameters',
 'data loss prevention',
 'malware reverse engineering',
 'web logs',
 'web proxy',
 'access tokens',
 'windows error reporting',
 'packet capture',
 'dns records',
 'binary file metadata',
 'digital certificate logs',
 'system calls',
 'mbr',
 'named pipes',
 'windows event logs',
 'web application firewall logs',
 'efi',
 'netwo

## Get Any STIX Object by ID (TAXII)
* You can get any STIX object by its id across all the matrices. It is case sensitive.
* You can use the following STIX Object Types:
  * attack-pattern > techniques
  * course-of-action > mitigations
  * intrusion-set > groups
  * malware
  * tool

In [9]:
object_by_id = lift.get_object_by_attack_id('attack-pattern', 'T1307')

In [10]:
object_by_id

[AttackPattern(type='attack-pattern', id='attack-pattern--286cc500-4291-45c2-99a1-e760db176402', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-12-14T16:46:06.044Z', modified='2018-10-17T00:14:20.652Z', name='Acquire and/or use 3rd party infrastructure services', description='A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-pre-attack', phase_name='adversary-opsec')], external_references=[ExternalReference(source_name='mitre-pre-attack', url='https://attack.mitre.org/techniques/T1307', external_id='T1307'), ExternalReference(source_name='LUCKYCAT2012', descriptio

## Get Any Group by Alias (TAXII)
You can get any Group by its Alias property across all the matrices. It is case sensitive.

In [11]:
group_name = lift.get_group_by_alias('Cozy Bear')

In [12]:
group_name

[IntrusionSet(type='intrusion-set', id='intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-05-31T21:31:52.748Z', modified='2019-04-15T21:56:31.571Z', name='APT29', description='[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)', aliases=['APT29', 'YTTRIUM', 'The Dukes', 'Cozy Bear', 'CozyDuke'], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/groups/G0016', external_id='G0016'), ExternalReference(source_name='APT29', description='(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)'), ExternalReference(source_name='YTTRIUM', description='(Citation: 

## Get Relationships by Any Object (TAXII)
* You can get available relationships defined in ATT&CK of type **uses** and **mitigates** for specific objects across all the matrices.

In [13]:
groups = lift.get_all_groups()
one_group = groups[0]
relationships = lift.get_relationships_by_object(one_group)

In [14]:
relationships[0]

Relationship(type='relationship', id='relationship--60d2b385-14cf-454a-ac92-0d41e3ec397a', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2019-04-24T19:50:33.751Z', modified='2019-04-29T18:59:16.590Z', relationship_type='uses', description='[TEMP.Veles](https://attack.mitre.org/groups/G0088) has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates.', source_ref='intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4', target_ref='attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6', external_references=[ExternalReference(source_name='FireEye TEMP.Veles 2018', description='FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.', url='https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html ')], object_marking_

## Get All Techniques with Mitigations (TAXII)
The difference between this function and **get_all_techniques()** is that **get_techniques_mitigated_by_all_mitigations()** returns only the techniques that have at least one mitigation mapped to them.

In [15]:
techniques_mitigated = lift.get_techniques_mitigated_by_all_mitigations()

In [16]:
techniques_mitigated[0]

AttackPattern(type='attack-pattern', id='attack-pattern--f5bb433e-bdf6-4781-84bc-35e97e43be89', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2019-04-12T18:28:15.451Z', modified='2019-04-29T13:50:06.026Z', name='Firmware Corruption', description='Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='impact')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1495', external_id='T1495'), ExternalReference(source_name='Symantec Chernobyl W95

## Get Techniques Used by Software (TAXII)
This function returns the techniques mapped to a specific software STIX object (malware or tool).

In [17]:
all_software = lift.get_all_software()
one_software = all_software[0]
software_techniques = lift.get_techniques_used_by_software(one_software)

In [18]:
software_techniques[0]

AttackPattern(type='attack-pattern', id='attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2019-02-14T16:15:05.974Z', modified='2019-04-29T14:06:06.900Z', name='Domain Trust Discovery', description='Adversaries may attempt to gather information on domain trust relationships that may be used to identify [Lateral Movement](https://attack.mitre.org/tactics/TA0008) opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1178), [Pass the Ticket](https://attack.mitre.org/techniques/T1097), and [Kerberoasting](https://attack.mitre.org/techniq

## Get Techniques Used by Group (TAXII)
If you do not provide the name of a specific **Group** (Case Sensitive), the function returns information about all the groups available across all the matrices.

In [19]:
groups = lift.get_all_groups()
one_group = groups[0]
group_techniques = lift.get_techniques_used_by_group(one_group)

In [20]:
group_techniques[0]

AttackPattern(type='attack-pattern', id='attack-pattern--62166220-e498-410f-a90a-19d4339d4e99', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2018-01-16T16:13:52.465Z', modified='2018-10-31T13:45:13.024Z', name='Image File Execution Options Injection', description='Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., “C:\\dbg\\ntsd.exe -g  notepad.exe”). (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as <code>Debugger</code> values in the Registry under <code>HKLM\\SOFTWARE{\\Wow6432Node}\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\<executable></code> where <code><executabl
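The relationship, mitigation and group-technique lookups above all reduce to walking STIX `relationship` objects by `source_ref`/`target_ref`. The following is an added example, not code from the attackcti project, that does that walk offline over constructed STIX 2.0-style dicts mirroring the fields in the outputs above; the short ids, the placeholder mitigation and tool, and the second group id are invented, while T1495 (Firmware Corruption) is taken from the output shown earlier.

```python
# Constructed sample bundle; short id suffixes and the placeholder objects are invented.
OBJECTS = [
    {"type": "intrusion-set", "id": "intrusion-set--0001", "name": "Example Group",
     "aliases": ["Example Group", "Sample Bear"]},
    {"type": "attack-pattern", "id": "attack-pattern--0010", "name": "Firmware Corruption",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1495"}]},
    {"type": "course-of-action", "id": "course-of-action--0020", "name": "Placeholder Mitigation",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M0000"}]},
    {"type": "tool", "id": "tool--0030", "name": "Placeholder Tool", "labels": ["tool"]},
    {"type": "relationship", "id": "relationship--0100", "relationship_type": "uses",
     "source_ref": "intrusion-set--0001", "target_ref": "attack-pattern--0010"},
    {"type": "relationship", "id": "relationship--0101", "relationship_type": "mitigates",
     "source_ref": "course-of-action--0020", "target_ref": "attack-pattern--0010"},
    {"type": "relationship", "id": "relationship--0102", "relationship_type": "uses",
     "source_ref": "intrusion-set--0001", "target_ref": "tool--0030"},
    # A 'uses' edge belonging to a different group, so the filters below must skip it.
    {"type": "relationship", "id": "relationship--0103", "relationship_type": "uses",
     "source_ref": "intrusion-set--0002", "target_ref": "attack-pattern--0010"},
]

def attack_id(obj):
    """ATT&CK external id (T####, M####, G####) taken from the mitre-* external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name", "").startswith("mitre-") and "external_id" in ref:
            return ref["external_id"]
    return None

def get_group_by_alias(alias, objects=OBJECTS):
    """Exact, case-sensitive alias match, as the client's get_group_by_alias behaves."""
    return [o for o in objects if o["type"] == "intrusion-set" and alias in o.get("aliases", [])]

def relationships_by_object(obj, objects=OBJECTS):
    """Every uses/mitigates relationship in which obj is either the source or the target."""
    return [r for r in objects if r["type"] == "relationship"
            and r["relationship_type"] in ("uses", "mitigates")
            and obj["id"] in (r["source_ref"], r["target_ref"])]

def techniques_used_by_group(group, objects=OBJECTS):
    """Follow the group's outgoing 'uses' edges and keep only attack-pattern targets (tools are dropped)."""
    by_id = {o["id"]: o for o in objects}
    return sorted(attack_id(by_id[r["target_ref"]]) for r in relationships_by_object(group, objects)
                  if r["relationship_type"] == "uses" and r["source_ref"] == group["id"]
                  and r["target_ref"].startswith("attack-pattern--"))

def techniques_with_mitigations(objects=OBJECTS):
    """Only techniques that are the target of a 'mitigates' edge (cf. get_techniques_mitigated_by_all_mitigations)."""
    mitigated = {r["target_ref"] for r in objects
                 if r["type"] == "relationship" and r["relationship_type"] == "mitigates"}
    return sorted(attack_id(o) for o in objects if o["type"] == "attack-pattern" and o["id"] in mitigated)
```

The same functions work unchanged on the `AttackPattern`/`Relationship` objects returned by the client once they are serialised to dicts, which is how a notebook would feed them into `json_normalize`.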

## Get Software Used by Group (TAXII)
You can retrieve every software object (malware or tool) mapped to a specific Group STIX object.

In [21]:
groups = lift.get_all_groups()
one_group = groups[0]
group_software = lift.get_software_used_by_group(one_group)

In [22]:
group_software[0]

Tool(type='tool', id='tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-05-31T21:32:21.771Z', modified='2018-10-17T00:14:20.652Z', name='PsExec', description='[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)', labels=['tool'], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0029', external_id='S0029'), ExternalReference(source_name='Russinovich Sysinternals', description='Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015.', url='https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx'), ExternalReference(source_name='SANS PsExec', description='Pilkington, M.. (2012, December 17). Protecting Privileged Domain Accounts: Ps