{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# **MITRE ATT&CK API BASICS**: Python Client\n",
"------------------"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Import ATTACK API Client"
]
},
{
"cell_type": "code",
"execution_count": 1,
"metadata": {},
"outputs": [],
"source": [
"from attackcti import attack_client"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Import Extra Libraries"
]
},
{
"cell_type": "code",
"execution_count": 2,
"metadata": {},
"outputs": [],
"source": [
"import pandas  # referenced below as pandas.__version__ and pandas.json_normalize\n",
"import json"
]
},
{
"cell_type": "code",
"execution_count": 3,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"'1.1.2'"
]
},
"execution_count": 3,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"pandas.__version__"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Initialize ATT&CK Client Variable"
]
},
{
"cell_type": "code",
"execution_count": 4,
"metadata": {},
"outputs": [],
"source": [
"lift = attack_client()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## **Collect (Enterprise ATT&CK, Pre-ATT&CK & Mobile ATT&CK)**\n",
"* I usually collect all the STIX object types available from all the ATT&CK matrices first when I want to analyze ATT&CK's data.\n",
"* In this section, we collect everything from Enterprise ATT&CK, PRE-ATT&CK and Mobile ATT&CK through three functions that query the ATT&CK content published in STIX™ 2.0 format on MITRE's public TAXII™ 2.0 server:\n",
" * get_enterprise()\n",
" * get_pre()\n",
" * get_mobile()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Collect ALL Enterprise ATT&CK (TAXII)**"
]
},
{
"cell_type": "code",
"execution_count": 5,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"CPU times: user 2.75 s, sys: 107 ms, total: 2.86 s\n",
"Wall time: 5.05 s\n"
]
}
],
"source": [
"%time all_enterprise = lift.get_enterprise()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Collect ALL PRE-ATT&CK (TAXII)**"
]
},
{
"cell_type": "code",
"execution_count": 6,
"metadata": {},
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"/usr/local/lib/python3.8/site-packages/attackcti/attack_api.py:426: UserWarning: PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\n",
" warnings.warn(\"PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\")\n"
]
},
{
"name": "stdout",
"output_type": "stream",
"text": [
"CPU times: user 124 ms, sys: 9.77 ms, total: 133 ms\n",
"Wall time: 539 ms\n"
]
}
],
"source": [
"%time all_pre = lift.get_pre()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Collect ALL Mobile ATT&CK (TAXII)**"
]
},
{
"cell_type": "code",
"execution_count": 7,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"CPU times: user 300 ms, sys: 16.7 ms, total: 317 ms\n",
"Wall time: 766 ms\n"
]
}
],
"source": [
"%time all_mobile = lift.get_mobile()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## **Collect ALL (runs all three previous functions and merges their results)**"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"The **get_stix_objects()** function returns a dictionary with all the STIX object types from all matrices:\n",
"* techniques\n",
"* mitigations\n",
"* groups\n",
"* malware\n",
"* tools\n",
"* relationships"
]
},
{
"cell_type": "code",
"execution_count": 8,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"CPU times: user 2min 48s, sys: 823 ms, total: 2min 49s\n",
"Wall time: 2min 54s\n"
]
}
],
"source": [
"%time all_attack = lift.get_stix_objects()"
]
},
{
"cell_type": "code",
"execution_count": 9,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"dict"
]
},
"execution_count": 9,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"type(all_attack)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Techniques from ATT&CK Results (Locally - STIX format)\n",
"* The result lists every technique across the whole ATT&CK framework, without their mitigation information"
]
},
{
"cell_type": "code",
"execution_count": 10,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Techniques in ATT&CK\n",
"1024\n"
]
}
],
"source": [
"print(\"Number of Techniques in ATT&CK\")\n",
"print(len(all_attack['techniques']))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"* By default, the data returned by the functions in the attackcti library consists of **stix2** objects\n",
"* However, to work with libraries such as **pandas**, each object first needs to be converted to type **dict**"
]
},
{
"cell_type": "code",
"execution_count": 11,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" created name \\\n",
"0 2020-10-20T00:09:33.072Z Network Device CLI \n",
"1 2020-10-20T00:08:21.745Z Network Device Configuration Dump \n",
"2 2020-10-20T00:06:56.180Z TFTP Boot \n",
"3 2020-10-20T00:05:48.790Z ROMMONkit \n",
"4 2020-10-19T23:51:05.953Z SNMP (MIB Dump) \n",
"\n",
" x_mitre_data_sources x_mitre_platforms \n",
"0 [Network device logs, Network device run-time ... [Network] \n",
"1 [Netflow/Enclave netflow, Network protocol ana... [Network] \n",
"2 [Network device run-time memory, Network devic... [Network] \n",
"3 [File monitoring, Netflow/Enclave netflow, Net... [Network] \n",
"4 [Netflow/Enclave netflow, Network protocol ana... [Network] "
]
},
"execution_count": 11,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"techniques = []\n",
"for t in all_attack['techniques']:\n",
" techniques.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(techniques)\n",
"df.reindex(['created','name', 'x_mitre_data_sources', 'x_mitre_platforms'], axis=1)[0:5]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Showing the schema of Techniques**"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"This schema covers techniques from Enterprise, PRE and Mobile ATT&CK"
]
},
{
"cell_type": "code",
"execution_count": 12,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"['id',\n",
" 'description',\n",
" 'name',\n",
" 'created_by_ref',\n",
" 'object_marking_refs',\n",
" 'external_references',\n",
" 'type',\n",
" 'kill_chain_phases',\n",
" 'modified',\n",
" 'created',\n",
" 'x_mitre_data_sources',\n",
" 'x_mitre_platforms',\n",
" 'x_mitre_is_subtechnique',\n",
" 'x_mitre_version',\n",
" 'x_mitre_detection',\n",
" 'x_mitre_permissions_required',\n",
" 'x_mitre_defense_bypassed',\n",
" 'x_mitre_contributors',\n",
" 'x_mitre_system_requirements',\n",
" 'x_mitre_network_requirements',\n",
" 'x_mitre_effective_permissions',\n",
" 'x_mitre_remote_support',\n",
" 'x_mitre_impact_type',\n",
" 'revoked',\n",
" 'x_mitre_deprecated',\n",
" 'x_mitre_old_attack_id',\n",
" 'x_mitre_difficulty_for_adversary_explanation',\n",
" 'x_mitre_difficulty_for_adversary',\n",
" 'x_mitre_detectable_by_common_defenses_explanation',\n",
" 'x_mitre_detectable_by_common_defenses',\n",
" 'x_mitre_tactic_type']"
]
},
"execution_count": 12,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"list(df)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Showing one technique example**"
]
},
{
"cell_type": "code",
"execution_count": 13,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"{'id': 'attack-pattern--818302b2-d640-477b-bf88-873120ce85c4',\n",
" 'description': 'Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \\n\\nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or secure shell (SSH).\\n\\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)',\n",
" 'name': 'Network Device CLI',\n",
" 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n",
" 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n",
" 'external_references': [{'source_name': 'mitre-attack',\n",
" 'external_id': 'T1059.008',\n",
" 'url': 'https://attack.mitre.org/techniques/T1059/008'},\n",
" {'source_name': 'Cisco Synful Knock Evolution',\n",
" 'url': 'https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices',\n",
" 'description': 'Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.'},\n",
" {'source_name': 'Cisco IOS Software Integrity Assurance - Command History',\n",
" 'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#23',\n",
" 'description': 'Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.'}],\n",
" 'type': 'attack-pattern',\n",
" 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',\n",
" 'phase_name': 'execution'}],\n",
" 'modified': '2020-10-22T16:43:38.388Z',\n",
" 'created': '2020-10-20T00:09:33.072Z',\n",
" 'x_mitre_data_sources': ['Network device logs',\n",
" 'Network device run-time memory',\n",
" 'Network device command history',\n",
" 'Network device configuration'],\n",
" 'x_mitre_platforms': ['Network'],\n",
" 'x_mitre_is_subtechnique': True,\n",
" 'x_mitre_version': '1.0',\n",
" 'x_mitre_detection': 'Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.(Citation: Cisco IOS Software Integrity Assurance - Command History)\\n\\nConsider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.',\n",
" 'x_mitre_permissions_required': ['Administrator', 'User']}"
]
},
"execution_count": 13,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"techniques[0]"
]
},
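As an added example that is not part of the original notebook: the stix2 → dict conversion used above, wrapped in a reusable function, followed by the steps a defender usually needs next: pulling the ATT&CK ID out of external_references, dropping techniques flagged revoked or x_mitre_deprecated (both fields appear in the technique schema above and are still returned by the TAXII server), and flattening each record into one row of the kind pandas.json_normalize consumes. The sample records are constructed stand-ins for lift.get_stix_objects()['techniques']; the first mirrors the T1059.008 object printed above, the other three (IDs TX001-TX003) are invented.

```python
# Added example, not from the original notebook: normalize ATT&CK technique
# objects into plain dicts, extract the ATT&CK ID, drop revoked/deprecated
# entries and produce flat rows plus a per-platform summary.
import json
from collections import Counter

# Constructed sample records standing in for lift.get_stix_objects()['techniques'].
# The first mirrors the T1059.008 object shown above (description omitted); the rest are invented.
SAMPLE_TECHNIQUES = [
    {
        "type": "attack-pattern",
        "id": "attack-pattern--818302b2-d640-477b-bf88-873120ce85c4",
        "name": "Network Device CLI",
        "external_references": [
            {"source_name": "mitre-attack", "external_id": "T1059.008",
             "url": "https://attack.mitre.org/techniques/T1059/008"},
            {"source_name": "Cisco Synful Knock Evolution"},  # non-ATT&CK reference, skipped below
        ],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
        "x_mitre_platforms": ["Network"],
        "x_mitre_data_sources": ["Network device logs", "Network device command history"],
        "x_mitre_is_subtechnique": True,
    },
    {   # constructed: a revoked technique; it stays in the feed but must not drive coverage work
        "type": "attack-pattern",
        "id": "attack-pattern--00000000-0000-4000-8000-000000000001",
        "name": "Constructed Revoked Technique",
        "external_references": [{"source_name": "mitre-attack", "external_id": "TX001"}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
        "x_mitre_platforms": ["Windows"],
        "revoked": True,
    },
    {   # constructed: a deprecated technique; MITRE uses a separate flag for this
        "type": "attack-pattern",
        "id": "attack-pattern--00000000-0000-4000-8000-000000000002",
        "name": "Constructed Deprecated Technique",
        "external_references": [{"source_name": "mitre-attack", "external_id": "TX002"}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"}],
        "x_mitre_platforms": ["Linux"],
        "x_mitre_deprecated": True,
    },
    {   # constructed: active, spans two tactics, and lists no data sources at all
        "type": "attack-pattern",
        "id": "attack-pattern--00000000-0000-4000-8000-000000000003",
        "name": "Constructed Active Technique",
        "external_references": [{"source_name": "mitre-attack", "external_id": "TX003"}],
        "kill_chain_phases": [
            {"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
            {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"},
        ],
        "x_mitre_platforms": ["Windows"],
    },
]

def to_dicts(objects):
    """Same conversion as the notebook's json.loads(t.serialize()) loop;
    objects that are already dicts pass through unchanged."""
    out = []
    for obj in objects:
        if hasattr(obj, "serialize"):
            obj = json.loads(obj.serialize())
        out.append(dict(obj))
    return out

def attack_id(technique):
    """ATT&CK ID (e.g. T1059.008) taken from the 'mitre-attack' external reference."""
    for ref in technique.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None

def active_techniques(techniques):
    """Drop techniques ATT&CK has revoked or deprecated. Both are still served by
    the TAXII server, so they are part of the raw technique count printed above."""
    return [t for t in techniques
            if not t.get("revoked", False) and not t.get("x_mitre_deprecated", False)]

def flatten(technique):
    """One flat row per technique; a list of these is what json_normalize takes."""
    return {
        "attack_id": attack_id(technique),
        "name": technique.get("name"),
        "is_subtechnique": bool(technique.get("x_mitre_is_subtechnique", False)),
        "tactics": [p["phase_name"] for p in technique.get("kill_chain_phases", [])
                    if p.get("kill_chain_name") == "mitre-attack"],
        "platforms": list(technique.get("x_mitre_platforms", [])),
        "data_sources": list(technique.get("x_mitre_data_sources", [])),
    }

def platform_coverage(objects):
    """Rows for active techniques, a per-platform count, and the IDs of active
    techniques that list no data source (no documented telemetry to detect them with)."""
    rows = [flatten(t) for t in active_techniques(to_dicts(objects))]
    per_platform = Counter(p for r in rows for p in r["platforms"])
    no_sources = sorted(r["attack_id"] for r in rows if not r["data_sources"])
    return {"rows": rows, "per_platform": dict(per_platform), "no_data_sources": no_sources}
```

Calling platform_coverage(all_attack['techniques']) on the objects collected above yields the same structure for the full feed, and summary["rows"] can be handed straight to pandas.json_normalize.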
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Mitigations from ATT&CK Results (Locally)"
]
},
{
"cell_type": "code",
"execution_count": 14,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Mitigations in ATT&CK\n",
"296\n"
]
}
],
"source": [
"print(\"Number of Mitigations in ATT&CK\")\n",
"print(len(all_attack['mitigations']))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"* Remember, we need to transform our results to dictionaries to be able to use them as pandas dataframes"
]
},
{
"cell_type": "code",
"execution_count": 15,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references \\\n",
"0 [{'source_name': 'mitre-attack', 'external_id'... \n",
"1 [{'source_name': 'mitre-attack', 'external_id'... \n",
"2 [{'source_name': 'mitre-attack', 'external_id'... \n",
"3 [{'source_name': 'mitre-attack', 'external_id'... \n",
"\n",
" description name \\\n",
"0 This category is used for any applicable mitig... Pre-compromise \n",
"1 This category is to associate techniques that ... Do Not Mitigate \n",
"2 Implement configuration changes to software (o... Software Configuration \n",
"3 Take and store data backups from end user syst... Data Backup \n",
"\n",
" id type \\\n",
"0 course-of-action--78bb71be-92b4-46de-acd6-5f99... course-of-action \n",
"1 course-of-action--787fb64d-c87b-4ee5-a341-0ef1... course-of-action \n",
"2 course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... course-of-action \n",
"3 course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... course-of-action \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-10-20T19:52:32.439Z 2020-10-19T14:57:58.771Z 1.0 \n",
"1 2019-07-23T14:44:24.727Z 2019-07-19T14:58:42.715Z 1.0 \n",
"2 2020-03-31T13:11:09.471Z 2019-07-19T14:40:23.529Z 1.1 \n",
"3 2020-03-31T13:11:28.201Z 2019-07-19T14:33:33.543Z 1.1 \n",
"\n",
" x_mitre_deprecated x_mitre_old_attack_id \n",
"0 NaN NaN \n",
"1 NaN NaN \n",
"2 NaN NaN \n",
"3 NaN NaN "
]
},
"execution_count": 15,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"mitigations = []\n",
"for t in all_attack['mitigations']:\n",
" mitigations.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(mitigations)\n",
"df[0:4]"
]
},
{
"cell_type": "code",
"execution_count": 16,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"['created_by_ref',\n",
" 'object_marking_refs',\n",
" 'external_references',\n",
" 'description',\n",
" 'name',\n",
" 'id',\n",
" 'type',\n",
" 'modified',\n",
" 'created',\n",
" 'x_mitre_version',\n",
" 'x_mitre_deprecated',\n",
" 'x_mitre_old_attack_id']"
]
},
"execution_count": 16,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"list(df)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Groups from ATT&CK Results (Locally)"
]
},
{
"cell_type": "code",
"execution_count": 17,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Groups in ATT&CK\n",
"113\n"
]
}
],
"source": [
"print(\"Number of Groups in ATT&CK\")\n",
"print(len(all_attack['groups']))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"* Once again, we need to transform our results to dictionaries to be able to use them as pandas dataframes"
]
},
{
"cell_type": "code",
"execution_count": 18,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references name \\\n",
"0 [{'external_id': 'G0115', 'source_name': 'mitr... GOLD SOUTHFIELD \n",
"1 [{'external_id': 'G0114', 'source_name': 'mitr... Chimera \n",
"2 [{'external_id': 'G0112', 'source_name': 'mitr... Windshift \n",
"3 [{'external_id': 'G0108', 'source_name': 'mitr... Blue Mockingbird \n",
"\n",
" description type \\\n",
"0 [GOLD SOUTHFIELD](https://attack.mitre.org/gro... intrusion-set \n",
"1 [Chimera](https://attack.mitre.org/groups/G011... intrusion-set \n",
"2 [Windshift](https://attack.mitre.org/groups/G0... intrusion-set \n",
"3 [Blue Mockingbird](https://attack.mitre.org/gr... intrusion-set \n",
"\n",
" id aliases \\\n",
"0 intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a... [GOLD SOUTHFIELD] \n",
"1 intrusion-set--8c1f0187-0826-4320-bddc-5f326cf... [Chimera] \n",
"2 intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a... [Windshift, Bahamut] \n",
"3 intrusion-set--73a80fab-2aa3-48e0-a4d0-3a48282... [Blue Mockingbird] \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-10-06T15:32:20.089Z 2020-09-22T19:41:27.845Z 1.0 \n",
"1 2020-10-05T20:59:57.694Z 2020-08-24T17:01:55.842Z 1.0 \n",
"2 2020-06-26T13:46:14.122Z 2020-06-25T17:16:39.168Z 1.0 \n",
"3 2020-06-25T13:59:09.596Z 2020-05-26T20:09:39.139Z 1.0 \n",
"\n",
" x_mitre_contributors revoked \n",
"0 NaN NaN \n",
"1 NaN NaN \n",
"2 NaN NaN \n",
"3 [Tony Lambert, Red Canary] NaN "
]
},
"execution_count": 18,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"groups = []\n",
"for t in all_attack['groups']:\n",
" groups.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(groups)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Showing the schema of Groups**"
]
},
{
"cell_type": "code",
"execution_count": 19,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"['created_by_ref',\n",
" 'object_marking_refs',\n",
" 'external_references',\n",
" 'name',\n",
" 'description',\n",
" 'type',\n",
" 'id',\n",
" 'aliases',\n",
" 'modified',\n",
" 'created',\n",
" 'x_mitre_version',\n",
" 'x_mitre_contributors',\n",
" 'revoked']"
]
},
"execution_count": 19,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"list(df)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Showing one Group example**"
]
},
{
"cell_type": "code",
"execution_count": 20,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n",
" 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n",
" 'external_references': [{'external_id': 'G0115',\n",
" 'source_name': 'mitre-attack',\n",
" 'url': 'https://attack.mitre.org/groups/G0115'},\n",
" {'source_name': 'Secureworks REvil September 2019',\n",
" 'url': 'https://www.secureworks.com/research/revil-sodinokibi-ransomware',\n",
" 'description': 'Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.'},\n",
" {'source_name': 'Secureworks GandCrab and REvil September 2019',\n",
" 'url': 'https://www.secureworks.com/blog/revil-the-gandcrab-connection',\n",
" 'description': 'Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.'},\n",
" {'source_name': 'Secureworks GOLD SOUTHFIELD',\n",
" 'url': 'https://www.secureworks.com/research/threat-profiles/gold-southfield',\n",
" 'description': 'Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.'}],\n",
" 'name': 'GOLD SOUTHFIELD',\n",
" 'description': '[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)',\n",
" 'type': 'intrusion-set',\n",
" 'id': 'intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133',\n",
" 'aliases': ['GOLD SOUTHFIELD'],\n",
" 'modified': '2020-10-06T15:32:20.089Z',\n",
" 'created': '2020-09-22T19:41:27.845Z',\n",
" 'x_mitre_version': '1.0'}"
]
},
"execution_count": 20,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"groups[0]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Malware objects from ATT&CK Results (Locally)"
]
},
{
"cell_type": "code",
"execution_count": 21,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Malware in ATT&CK\n",
"459\n"
]
}
],
"source": [
"print(\"Number of Malware in ATT&CK\")\n",
"print(len(all_attack['malware']))"
]
},
{
"cell_type": "code",
"execution_count": 22,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" external_references \\\n",
"0 [{'external_id': 'S0519', 'source_name': 'mitr... \n",
"1 [{'external_id': 'S0516', 'source_name': 'mitr... \n",
"2 [{'external_id': 'S0515', 'source_name': 'mitr... \n",
"3 [{'external_id': 'S0514', 'source_name': 'mitr... \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" description name \\\n",
"0 [SYNful Knock](https://attack.mitre.org/softwa... SYNful Knock \n",
"1 [SoreFang](https://attack.mitre.org/software/S... SoreFang \n",
"2 [WellMail](https://attack.mitre.org/software/S... WellMail \n",
"3 [WellMess](https://attack.mitre.org/software/S... WellMess \n",
"\n",
" id type labels \\\n",
"0 malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053 malware [malware] \n",
"1 malware--e33e4603-afab-402d-b2a1-248d435b5fe0 malware [malware] \n",
"2 malware--959f3b19-2dc8-48d5-8942-c66813a5101a malware [malware] \n",
"3 malware--3a4197ae-ec63-4162-907b-9a073d1157e4 malware [malware] \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-10-22T17:35:04.950Z 2020-10-19T16:38:11.279Z 1.0 \n",
"1 2020-10-06T16:10:42.422Z 2020-09-29T19:33:35.122Z 1.0 \n",
"2 2020-10-09T15:38:41.755Z 2020-09-29T17:48:27.517Z 1.0 \n",
"3 2020-10-09T19:41:25.983Z 2020-09-24T19:39:44.392Z 1.0 \n",
"\n",
" x_mitre_aliases x_mitre_platforms \\\n",
"0 [SYNful Knock] [Network] \n",
"1 [SoreFang] [Windows] \n",
"2 [WellMail] [Windows] \n",
"3 [WellMess] [Windows] \n",
"\n",
" x_mitre_contributors revoked \\\n",
"0 NaN NaN \n",
"1 NaN NaN \n",
"2 [Josh Campbell, Cyborg Security, @cyb0rgsecur1ty] NaN \n",
"3 [Daniyal Naeem, @Mrdaniyalnaeem] NaN \n",
"\n",
" x_mitre_old_attack_id \n",
"0 NaN \n",
"1 NaN \n",
"2 NaN \n",
"3 NaN "
]
},
"execution_count": 22,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"malware = []\n",
"for t in all_attack['malware']:\n",
" malware.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(malware)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Showing the schema of Malware**"
]
},
{
"cell_type": "code",
"execution_count": 23,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"['external_references',\n",
" 'object_marking_refs',\n",
" 'created_by_ref',\n",
" 'description',\n",
" 'name',\n",
" 'id',\n",
" 'type',\n",
" 'labels',\n",
" 'modified',\n",
" 'created',\n",
" 'x_mitre_version',\n",
" 'x_mitre_aliases',\n",
" 'x_mitre_platforms',\n",
" 'x_mitre_contributors',\n",
" 'revoked',\n",
" 'x_mitre_old_attack_id']"
]
},
"execution_count": 23,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"list(df)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Showing one Malware example**"
]
},
{
"cell_type": "code",
"execution_count": 24,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"{'external_references': [{'external_id': 'S0519',\n",
" 'source_name': 'mitre-attack',\n",
" 'url': 'https://attack.mitre.org/software/S0519'},\n",
" {'source_name': 'FireEye - Synful Knock',\n",
" 'url': 'https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html',\n",
" 'description': 'Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.'},\n",
" {'source_name': 'Cisco Synful Knock Evolution',\n",
" 'url': 'https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices',\n",
" 'description': 'Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.'}],\n",
" 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n",
" 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n",
" 'description': \"[SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: FireEye - Synful Knock)(Citation: Cisco Synful Knock Evolution)\",\n",
" 'name': 'SYNful Knock',\n",
" 'id': 'malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053',\n",
" 'type': 'malware',\n",
" 'labels': ['malware'],\n",
" 'modified': '2020-10-22T17:35:04.950Z',\n",
" 'created': '2020-10-19T16:38:11.279Z',\n",
" 'x_mitre_version': '1.0',\n",
" 'x_mitre_aliases': ['SYNful Knock'],\n",
" 'x_mitre_platforms': ['Network']}"
]
},
"execution_count": 24,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"malware[0]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Tools from ATT&CK Results (Locally)"
]
},
{
"cell_type": "code",
"execution_count": 25,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Tools in ATT&CK\n",
"64\n"
]
}
],
"source": [
"print(\"Number of Tools in ATT&CK\")\n",
"print(len(all_attack['tools']))"
]
},
{
"cell_type": "code",
"execution_count": 26,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" id name \\\n",
"0 tool--975737f1-b10d-476f-8bda-3ec26ea57172 MCMD \n",
"1 tool--c4810609-7da6-48ec-8057-1b70a7814db0 CrackMapExec \n",
"2 tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4 CARROTBALL \n",
"3 tool--115f88dd-0618-4389-83cb-98d33ae81848 ShimRatReporter \n",
"\n",
" description \\\n",
"0 [MCMD](https://attack.mitre.org/software/S0500... \n",
"1 [CrackMapExec](https://attack.mitre.org/softwa... \n",
"2 [CARROTBALL](https://attack.mitre.org/software... \n",
"3 [ShimRatReporter](https://attack.mitre.org/sof... \n",
"\n",
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references type labels \\\n",
"0 [{'external_id': 'S0500', 'source_name': 'mitr... tool [tool] \n",
"1 [{'external_id': 'S0488', 'source_name': 'mitr... tool [tool] \n",
"2 [{'external_id': 'S0465', 'source_name': 'mitr... tool [tool] \n",
"3 [{'external_id': 'S0445', 'source_name': 'mitr... tool [tool] \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-08-20T14:52:23.369Z 2020-08-13T17:15:25.702Z 1.0 \n",
"1 2020-07-29T20:19:40.544Z 2020-07-17T14:23:05.958Z 1.0 \n",
"2 2020-06-10T14:44:23.055Z 2020-06-02T19:10:29.513Z 1.0 \n",
"3 2020-05-27T22:39:28.701Z 2020-05-12T21:29:48.294Z 1.0 \n",
"\n",
" x_mitre_aliases x_mitre_platforms x_mitre_contributors \\\n",
"0 [MCMD] [Windows] NaN \n",
"1 [CrackMapExec] [Windows] NaN \n",
"2 [CARROTBALL] [Windows] NaN \n",
"3 [ShimRatReporter] [Windows] NaN \n",
"\n",
" x_mitre_old_attack_id \n",
"0 NaN \n",
"1 NaN \n",
"2 NaN \n",
"3 NaN "
]
},
"execution_count": 26,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"tools = []\n",
"for t in all_attack['tools']:\n",
" tools.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(tools)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Showing the schema of Tools**"
]
},
{
"cell_type": "code",
"execution_count": 27,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"['id',\n",
" 'name',\n",
" 'description',\n",
" 'created_by_ref',\n",
" 'object_marking_refs',\n",
" 'external_references',\n",
" 'type',\n",
" 'labels',\n",
" 'modified',\n",
" 'created',\n",
" 'x_mitre_version',\n",
" 'x_mitre_aliases',\n",
" 'x_mitre_platforms',\n",
" 'x_mitre_contributors',\n",
" 'x_mitre_old_attack_id']"
]
},
"execution_count": 27,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"list(df)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Showing one Tool example**"
]
},
{
"cell_type": "code",
"execution_count": 28,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"{'id': 'tool--975737f1-b10d-476f-8bda-3ec26ea57172',\n",
" 'name': 'MCMD',\n",
" 'description': '[MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074).(Citation: Secureworks MCMD July 2019)',\n",
" 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n",
" 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n",
" 'external_references': [{'external_id': 'S0500',\n",
" 'source_name': 'mitre-attack',\n",
" 'url': 'https://attack.mitre.org/software/S0500'},\n",
" {'source_name': 'Secureworks MCMD July 2019',\n",
" 'url': 'https://www.secureworks.com/research/mcmd-malware-analysis',\n",
" 'description': 'Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.'}],\n",
" 'type': 'tool',\n",
" 'labels': ['tool'],\n",
" 'modified': '2020-08-20T14:52:23.369Z',\n",
" 'created': '2020-08-13T17:15:25.702Z',\n",
" 'x_mitre_version': '1.0',\n",
" 'x_mitre_aliases': ['MCMD'],\n",
" 'x_mitre_platforms': ['Windows']}"
]
},
"execution_count": 28,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"tools[0]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Relationships from ATT&CK Results (Locally)"
]
},
{
"cell_type": "code",
"execution_count": 29,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Relationships in ATT&CK\n",
"10635\n"
]
}
],
"source": [
"print(\"Number of Relationships in ATT&CK\")\n",
"print(len(all_attack['relationships']))"
]
},
{
"cell_type": "code",
"execution_count": 30,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references \\\n",
"0 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n",
"1 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n",
"2 [{'source_name': 'DFIR Ryuk's Return October 2... \n",
"3 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n",
"\n",
" id type \\\n",
"0 relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd... relationship \n",
"1 relationship--c118e50b-4559-4bff-bde5-78aa426f... relationship \n",
"2 relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e... relationship \n",
"3 relationship--585842e6-fe9a-4508-8e67-c232f8aa... relationship \n",
"\n",
" created \\\n",
"0 2020-11-10T18:04:03.668Z \n",
"1 2020-11-10T18:04:03.666Z \n",
"2 2020-11-10T18:04:03.589Z \n",
"3 2020-11-10T18:04:03.571Z \n",
"\n",
" description \\\n",
"0 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n",
"1 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n",
"2 (Citation: DFIR Ryuk's Return October 2020)(Ci... \n",
"3 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n",
"\n",
" created_by_ref modified \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.668Z \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.666Z \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.589Z \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.571Z \n",
"\n",
" source_ref relationship_type \\\n",
"0 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n",
"1 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n",
"2 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n",
"3 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n",
"\n",
" target_ref \n",
"0 malware--a7881f21-e978-4fe4-af56-92c9416a2616 \n",
"1 tool--afc079f3-c0ea-4096-b75d-3f05338b7f60 \n",
"2 tool--b77b563c-34bb-4fb8-86a3-3694338f7b47 \n",
"3 tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf "
]
},
"execution_count": 30,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"relationships = []\n",
"for t in all_attack['relationships']:\n",
" relationships.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(relationships)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Showing the schema of Relationships**"
]
},
{
"cell_type": "code",
"execution_count": 31,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"['object_marking_refs',\n",
" 'external_references',\n",
" 'id',\n",
" 'type',\n",
" 'created',\n",
" 'description',\n",
" 'created_by_ref',\n",
" 'modified',\n",
" 'source_ref',\n",
" 'relationship_type',\n",
" 'target_ref']"
]
},
"execution_count": 31,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"list(df)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Showing one Relationship example**"
]
},
{
"cell_type": "code",
"execution_count": 32,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n",
" 'external_references': [{'source_name': 'FireEye KEGTAP SINGLEMALT October 2020',\n",
" 'description': 'Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.',\n",
" 'url': 'https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html'},\n",
" {'source_name': 'DHS/CISA Ransomware Targeting Healthcare October 2020',\n",
" 'description': 'DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.',\n",
" 'url': 'https://us-cert.cisa.gov/ncas/alerts/aa20-302a'},\n",
" {'source_name': \"DFIR Ryuk's Return October 2020\",\n",
" 'description': 'The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.',\n",
" 'url': 'https://thedfirreport.com/2020/10/08/ryuks-return/'},\n",
" {'source_name': 'DFIR Ryuk 2 Hour Speed Run November 2020',\n",
" 'description': 'The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.',\n",
" 'url': 'https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/'},\n",
" {'source_name': 'DFIR Ryuk in 5 Hours October 2020',\n",
" 'description': 'The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.',\n",
" 'url': 'https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/'},\n",
" {'source_name': 'Sophos New Ryuk Attack October 2020',\n",
" 'description': 'Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.',\n",
" 'url': 'https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/'}],\n",
" 'id': 'relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd06b0',\n",
" 'type': 'relationship',\n",
" 'created': '2020-11-10T18:04:03.668Z',\n",
" 'description': \"(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)\",\n",
" 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n",
" 'modified': '2020-11-10T18:04:03.668Z',\n",
" 'source_ref': 'intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7',\n",
" 'relationship_type': 'uses',\n",
" 'target_ref': 'malware--a7881f21-e978-4fe4-af56-92c9416a2616'}"
]
},
"execution_count": 32,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"relationships[0]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Tactics from ATT&CK Results (Locally)"
]
},
{
"cell_type": "code",
"execution_count": 33,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Tactics in ATT&CK\n",
"54\n"
]
}
],
"source": [
"print(\"Number of Tactics in ATT&CK\")\n",
"print(len(all_attack['tactics']))"
]
},
{
"cell_type": "code",
"execution_count": 34,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references name \\\n",
"0 [{'external_id': 'TA0043', 'source_name': 'mit... Reconnaissance \n",
"1 [{'external_id': 'TA0042', 'source_name': 'mit... Resource Development \n",
"2 [{'external_id': 'TA0040', 'source_name': 'mit... Impact \n",
"3 [{'external_id': 'TA0005', 'url': 'https://att... Defense Evasion \n",
"\n",
" description \\\n",
"0 The adversary is trying to gather information ... \n",
"1 The adversary is trying to establish resources... \n",
"2 The adversary is trying to manipulate, interru... \n",
"3 The adversary is trying to avoid being detecte... \n",
"\n",
" id type \\\n",
"0 x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd... x-mitre-tactic \n",
"1 x-mitre-tactic--d679bca2-e57d-4935-8650-8031c8... x-mitre-tactic \n",
"2 x-mitre-tactic--5569339b-94c2-49ee-afb3-222293... x-mitre-tactic \n",
"3 x-mitre-tactic--78b23412-0651-46d7-a540-170a1c... x-mitre-tactic \n",
"\n",
" modified created x_mitre_shortname \\\n",
"0 2020-10-18T02:04:50.842Z 2020-10-02T14:48:41.809Z reconnaissance \n",
"1 2020-09-30T16:31:36.322Z 2020-09-30T16:11:59.650Z resource-development \n",
"2 2019-07-25T18:42:23.222Z 2019-03-14T18:44:44.639Z impact \n",
"3 2019-07-19T17:43:23.473Z 2018-10-17T00:14:20.652Z defense-evasion \n",
"\n",
" x_mitre_deprecated \n",
"0 NaN \n",
"1 NaN \n",
"2 NaN \n",
"3 NaN "
]
},
"execution_count": 34,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"df = pandas.json_normalize(all_attack['tactics'])\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Showing the schema of Tactics**"
]
},
{
"cell_type": "code",
"execution_count": 35,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"['created_by_ref',\n",
" 'object_marking_refs',\n",
" 'external_references',\n",
" 'name',\n",
" 'description',\n",
" 'id',\n",
" 'type',\n",
" 'modified',\n",
" 'created',\n",
" 'x_mitre_shortname',\n",
" 'x_mitre_deprecated']"
]
},
"execution_count": 35,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"list(df)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Matrices from ATT&CK Results (Locally)"
]
},
{
"cell_type": "code",
"execution_count": 36,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Matrices in ATT&CK\n",
"5\n"
]
}
],
"source": [
"print(\"Number of Matrices in ATT&CK\")\n",
"print(len(all_attack['matrix']))"
]
},
{
"cell_type": "code",
"execution_count": 37,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" id \\\n",
"0 x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a8... \n",
"1 x-mitre-matrix--2e2c97c3-1908-4e2d-a711-a27d38... \n",
"2 x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff0... \n",
"3 x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd... \n",
"\n",
" created_by_ref name \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 Enterprise ATT&CK \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 PRE-ATT&CK \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 Device Access \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 Network-Based Effects \n",
"\n",
" description \\\n",
"0 Below are the tactics and technique representi... \n",
"1 This object is deprecated as its content has b... \n",
"2 Below are the tactics and techniques represent... \n",
"3 Below are the tactics and techniques represent... \n",
"\n",
" external_references \\\n",
"0 [{'external_id': 'enterprise-attack', 'source_... \n",
"1 [{'external_id': 'pre-attack', 'source_name': ... \n",
"2 [{'external_id': 'mobile-attack', 'url': 'http... \n",
"3 [{'external_id': 'mobile-attack', 'url': 'http... \n",
"\n",
" object_marking_refs type \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... x-mitre-matrix \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... x-mitre-matrix \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... x-mitre-matrix \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... x-mitre-matrix \n",
"\n",
" tactic_refs \\\n",
"0 [x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1ef... \n",
"1 [x-mitre-tactic--b2a086f2-d3db-408b-b4d4-e09a1... \n",
"2 [x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290... \n",
"3 [x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc4... \n",
"\n",
" modified created x_mitre_deprecated \n",
"0 2020-10-27T02:27:31.332Z 2018-10-17T00:14:20.652Z NaN \n",
"1 2020-10-22T15:43:48.844Z 2018-10-17T00:14:20.652Z True \n",
"2 2020-10-23T15:05:40.962Z 2018-10-17T00:14:20.652Z NaN \n",
"3 2020-07-02T14:18:17.535Z 2018-10-17T00:14:20.652Z NaN "
]
},
"execution_count": 37,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"df = pandas.json_normalize(all_attack['matrix'])\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Showing the schema of Matrices**"
]
},
{
"cell_type": "code",
"execution_count": 38,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"['id',\n",
" 'created_by_ref',\n",
" 'name',\n",
" 'description',\n",
" 'external_references',\n",
" 'object_marking_refs',\n",
" 'type',\n",
" 'tactic_refs',\n",
" 'modified',\n",
" 'created',\n",
" 'x_mitre_deprecated']"
]
},
"execution_count": 38,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"list(df)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Enterprise ATT&CK ONLY from Results (Locally)\n",
"* We can also grab the results from each get_* function that we ran earlier, and start pulling specific stix object types such as techniques, mitigations, groups, malware, tools and relationships for each specific matrix.\n",
"* It is important to remember that the stix object information is being retrieved from the results of the initial three **get_*** functions, not by querying the TAXII Server every time we want information about a specific stix object type."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Enterprise Techniques**"
]
},
{
"cell_type": "code",
"execution_count": 39,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Techniques in Enterprise ATT&CK\n",
"665\n"
]
}
],
"source": [
"print(\"Number of Techniques in Enterprise ATT&CK\")\n",
"print(len(all_enterprise['techniques']))"
]
},
{
"cell_type": "code",
"execution_count": 40,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" id \\\n",
"0 attack-pattern--818302b2-d640-477b-bf88-873120... \n",
"1 attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf... \n",
"2 attack-pattern--28abec6c-4443-4b03-8206-07f2e2... \n",
"3 attack-pattern--a6557c75-798f-42e4-be70-ab4502... \n",
"\n",
" description \\\n",
"0 Adversaries may abuse scripting or built-in co... \n",
"1 Adversaries may access network configuration f... \n",
"2 Adversaries may abuse netbooting to load an un... \n",
"3 Adversaries may abuse the ROM Monitor (ROMMON)... \n",
"\n",
" name \\\n",
"0 Network Device CLI \n",
"1 Network Device Configuration Dump \n",
"2 TFTP Boot \n",
"3 ROMMONkit \n",
"\n",
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references type \\\n",
"0 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n",
"1 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n",
"2 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n",
"3 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n",
"\n",
" kill_chain_phases \\\n",
"0 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n",
"1 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n",
"2 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n",
"3 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n",
"\n",
" modified created ... \\\n",
"0 2020-10-22T16:43:38.388Z 2020-10-20T00:09:33.072Z ... \n",
"1 2020-10-22T01:45:55.144Z 2020-10-20T00:08:21.745Z ... \n",
"2 2020-10-22T16:35:53.806Z 2020-10-20T00:06:56.180Z ... \n",
"3 2020-10-22T02:18:19.568Z 2020-10-20T00:05:48.790Z ... \n",
"\n",
" x_mitre_permissions_required x_mitre_defense_bypassed x_mitre_contributors \\\n",
"0 [Administrator, User] NaN NaN \n",
"1 [Administrator] NaN NaN \n",
"2 [Administrator] NaN NaN \n",
"3 [Administrator] NaN NaN \n",
"\n",
" x_mitre_system_requirements x_mitre_network_requirements \\\n",
"0 NaN NaN \n",
"1 NaN NaN \n",
"2 NaN NaN \n",
"3 NaN NaN \n",
"\n",
" x_mitre_effective_permissions x_mitre_remote_support x_mitre_impact_type \\\n",
"0 NaN NaN NaN \n",
"1 NaN NaN NaN \n",
"2 NaN NaN NaN \n",
"3 NaN NaN NaN \n",
"\n",
" revoked x_mitre_deprecated \n",
"0 NaN NaN \n",
"1 NaN NaN \n",
"2 NaN NaN \n",
"3 NaN NaN \n",
"\n",
"[4 rows x 25 columns]"
]
},
"execution_count": 40,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"techniques = []\n",
"# each result is a stix2 object: serialize() yields its JSON text, json.loads() a plain dict\n",
"for t in all_enterprise['techniques']:\n",
" techniques.append(json.loads(t.serialize()))\n",
"# json_normalize flattens the dicts into one row per technique, one column per STIX property\n",
"df = pandas.json_normalize(techniques)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Enterprise Mitigations**"
]
},
{
"cell_type": "code",
"execution_count": 41,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Mitigations in Enterprise ATT&CK\n",
"267\n"
]
}
],
"source": [
"print(\"Number of Mitigations in Enterprise ATT&CK\")\n",
"print(len(all_enterprise['mitigations']))"
]
},
{
"cell_type": "code",
"execution_count": 42,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"4 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"4 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references \\\n",
"0 [{'source_name': 'mitre-attack', 'external_id'... \n",
"1 [{'source_name': 'mitre-attack', 'external_id'... \n",
"2 [{'source_name': 'mitre-attack', 'external_id'... \n",
"3 [{'source_name': 'mitre-attack', 'external_id'... \n",
"4 [{'source_name': 'mitre-attack', 'external_id'... \n",
"\n",
" description name \\\n",
"0 This category is used for any applicable mitig... Pre-compromise \n",
"1 This category is to associate techniques that ... Do Not Mitigate \n",
"2 Implement configuration changes to software (o... Software Configuration \n",
"3 Take and store data backups from end user syst... Data Backup \n",
"4 Configure Windows User Account Control to miti... User Account Control \n",
"\n",
" id type \\\n",
"0 course-of-action--78bb71be-92b4-46de-acd6-5f99... course-of-action \n",
"1 course-of-action--787fb64d-c87b-4ee5-a341-0ef1... course-of-action \n",
"2 course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... course-of-action \n",
"3 course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... course-of-action \n",
"4 course-of-action--2c2ad92a-d710-41ab-a996-1db1... course-of-action \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-10-20T19:52:32.439Z 2020-10-19T14:57:58.771Z 1.0 \n",
"1 2019-07-23T14:44:24.727Z 2019-07-19T14:58:42.715Z 1.0 \n",
"2 2020-03-31T13:11:09.471Z 2019-07-19T14:40:23.529Z 1.1 \n",
"3 2020-03-31T13:11:28.201Z 2019-07-19T14:33:33.543Z 1.1 \n",
"4 2020-03-31T13:49:49.636Z 2019-06-11T17:14:35.170Z 1.1 \n",
"\n",
" x_mitre_deprecated x_mitre_old_attack_id \n",
"0 NaN NaN \n",
"1 NaN NaN \n",
"2 NaN NaN \n",
"3 NaN NaN \n",
"4 NaN NaN "
]
},
"execution_count": 42,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"mitigations = []\n",
"for t in all_enterprise['mitigations']:\n",
" mitigations.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(mitigations)\n",
"df[0:5]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Enterprise Groups**"
]
},
{
"cell_type": "code",
"execution_count": 43,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Groups in Enterprise ATT&CK\n",
"110\n"
]
}
],
"source": [
"print(\"Number of Groups in Enterprise ATT&CK\")\n",
"print(len(all_enterprise['groups']))"
]
},
{
"cell_type": "code",
"execution_count": 44,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references name \\\n",
"0 [{'external_id': 'G0115', 'source_name': 'mitr... GOLD SOUTHFIELD \n",
"1 [{'external_id': 'G0114', 'source_name': 'mitr... Chimera \n",
"2 [{'external_id': 'G0112', 'source_name': 'mitr... Windshift \n",
"3 [{'external_id': 'G0108', 'source_name': 'mitr... Blue Mockingbird \n",
"\n",
" description type \\\n",
"0 [GOLD SOUTHFIELD](https://attack.mitre.org/gro... intrusion-set \n",
"1 [Chimera](https://attack.mitre.org/groups/G011... intrusion-set \n",
"2 [Windshift](https://attack.mitre.org/groups/G0... intrusion-set \n",
"3 [Blue Mockingbird](https://attack.mitre.org/gr... intrusion-set \n",
"\n",
" id aliases \\\n",
"0 intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a... [GOLD SOUTHFIELD] \n",
"1 intrusion-set--8c1f0187-0826-4320-bddc-5f326cf... [Chimera] \n",
"2 intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a... [Windshift, Bahamut] \n",
"3 intrusion-set--73a80fab-2aa3-48e0-a4d0-3a48282... [Blue Mockingbird] \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-10-06T15:32:20.089Z 2020-09-22T19:41:27.845Z 1.0 \n",
"1 2020-10-05T20:59:57.694Z 2020-08-24T17:01:55.842Z 1.0 \n",
"2 2020-06-26T13:46:14.122Z 2020-06-25T17:16:39.168Z 1.0 \n",
"3 2020-06-25T13:59:09.596Z 2020-05-26T20:09:39.139Z 1.0 \n",
"\n",
" x_mitre_contributors revoked \n",
"0 NaN NaN \n",
"1 NaN NaN \n",
"2 NaN NaN \n",
"3 [Tony Lambert, Red Canary] NaN "
]
},
"execution_count": 44,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"groups = []\n",
"for t in all_enterprise['groups']:\n",
" groups.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(groups)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Enterprise Malware**"
]
},
{
"cell_type": "code",
"execution_count": 45,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Malware objects in Enterprise ATT&CK\n",
"376\n"
]
}
],
"source": [
"print(\"Number of Malware objects in Enterprise ATT&CK\")\n",
"print(len(all_enterprise['malware']))"
]
},
{
"cell_type": "code",
"execution_count": 46,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" external_references \\\n",
"0 [{'external_id': 'S0519', 'source_name': 'mitr... \n",
"1 [{'external_id': 'S0516', 'source_name': 'mitr... \n",
"2 [{'external_id': 'S0515', 'source_name': 'mitr... \n",
"3 [{'external_id': 'S0514', 'source_name': 'mitr... \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" description name \\\n",
"0 [SYNful Knock](https://attack.mitre.org/softwa... SYNful Knock \n",
"1 [SoreFang](https://attack.mitre.org/software/S... SoreFang \n",
"2 [WellMail](https://attack.mitre.org/software/S... WellMail \n",
"3 [WellMess](https://attack.mitre.org/software/S... WellMess \n",
"\n",
" id type labels \\\n",
"0 malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053 malware [malware] \n",
"1 malware--e33e4603-afab-402d-b2a1-248d435b5fe0 malware [malware] \n",
"2 malware--959f3b19-2dc8-48d5-8942-c66813a5101a malware [malware] \n",
"3 malware--3a4197ae-ec63-4162-907b-9a073d1157e4 malware [malware] \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-10-22T17:35:04.950Z 2020-10-19T16:38:11.279Z 1.0 \n",
"1 2020-10-06T16:10:42.422Z 2020-09-29T19:33:35.122Z 1.0 \n",
"2 2020-10-09T15:38:41.755Z 2020-09-29T17:48:27.517Z 1.0 \n",
"3 2020-10-09T19:41:25.983Z 2020-09-24T19:39:44.392Z 1.0 \n",
"\n",
" x_mitre_aliases x_mitre_platforms \\\n",
"0 [SYNful Knock] [Network] \n",
"1 [SoreFang] [Windows] \n",
"2 [WellMail] [Windows] \n",
"3 [WellMess] [Windows] \n",
"\n",
" x_mitre_contributors revoked \n",
"0 NaN NaN \n",
"1 NaN NaN \n",
"2 [Josh Campbell, Cyborg Security, @cyb0rgsecur1ty] NaN \n",
"3 [Daniyal Naeem, @Mrdaniyalnaeem] NaN "
]
},
"execution_count": 46,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"malware = []\n",
"for t in all_enterprise['malware']:\n",
" malware.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(malware)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Enterprise Tools**"
]
},
{
"cell_type": "code",
"execution_count": 47,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Tools in Enterprise ATT&CK\n",
"62\n"
]
}
],
"source": [
"print(\"Number of Tools in Enterprise ATT&CK\")\n",
"print(len(all_enterprise['tools']))"
]
},
{
"cell_type": "code",
"execution_count": 48,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" id name \\\n",
"0 tool--975737f1-b10d-476f-8bda-3ec26ea57172 MCMD \n",
"1 tool--c4810609-7da6-48ec-8057-1b70a7814db0 CrackMapExec \n",
"2 tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4 CARROTBALL \n",
"3 tool--115f88dd-0618-4389-83cb-98d33ae81848 ShimRatReporter \n",
"\n",
" description \\\n",
"0 [MCMD](https://attack.mitre.org/software/S0500... \n",
"1 [CrackMapExec](https://attack.mitre.org/softwa... \n",
"2 [CARROTBALL](https://attack.mitre.org/software... \n",
"3 [ShimRatReporter](https://attack.mitre.org/sof... \n",
"\n",
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references type labels \\\n",
"0 [{'external_id': 'S0500', 'source_name': 'mitr... tool [tool] \n",
"1 [{'external_id': 'S0488', 'source_name': 'mitr... tool [tool] \n",
"2 [{'external_id': 'S0465', 'source_name': 'mitr... tool [tool] \n",
"3 [{'external_id': 'S0445', 'source_name': 'mitr... tool [tool] \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-08-20T14:52:23.369Z 2020-08-13T17:15:25.702Z 1.0 \n",
"1 2020-07-29T20:19:40.544Z 2020-07-17T14:23:05.958Z 1.0 \n",
"2 2020-06-10T14:44:23.055Z 2020-06-02T19:10:29.513Z 1.0 \n",
"3 2020-05-27T22:39:28.701Z 2020-05-12T21:29:48.294Z 1.0 \n",
"\n",
" x_mitre_aliases x_mitre_platforms x_mitre_contributors \n",
"0 [MCMD] [Windows] NaN \n",
"1 [CrackMapExec] [Windows] NaN \n",
"2 [CARROTBALL] [Windows] NaN \n",
"3 [ShimRatReporter] [Windows] NaN "
]
},
"execution_count": 48,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"tools = []\n",
"for t in all_enterprise['tools']:\n",
" tools.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(tools)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Enterprise Relationships**"
]
},
{
"cell_type": "code",
"execution_count": 49,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Relationships in Enterprise ATT&CK\n",
"9263\n"
]
}
],
"source": [
"print(\"Number of Relationships in Enterprise ATT&CK\")\n",
"print(len(all_enterprise['relationships']))"
]
},
{
"cell_type": "code",
"execution_count": 50,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references \\\n",
"0 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n",
"1 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n",
"2 [{'source_name': 'DFIR Ryuk's Return October 2... \n",
"3 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n",
"\n",
" id type \\\n",
"0 relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd... relationship \n",
"1 relationship--c118e50b-4559-4bff-bde5-78aa426f... relationship \n",
"2 relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e... relationship \n",
"3 relationship--585842e6-fe9a-4508-8e67-c232f8aa... relationship \n",
"\n",
" created \\\n",
"0 2020-11-10T18:04:03.668Z \n",
"1 2020-11-10T18:04:03.666Z \n",
"2 2020-11-10T18:04:03.589Z \n",
"3 2020-11-10T18:04:03.571Z \n",
"\n",
" description \\\n",
"0 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n",
"1 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n",
"2 (Citation: DFIR Ryuk's Return October 2020)(Ci... \n",
"3 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n",
"\n",
" created_by_ref modified \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.668Z \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.666Z \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.589Z \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.571Z \n",
"\n",
" source_ref relationship_type \\\n",
"0 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n",
"1 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n",
"2 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n",
"3 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n",
"\n",
" target_ref \n",
"0 malware--a7881f21-e978-4fe4-af56-92c9416a2616 \n",
"1 tool--afc079f3-c0ea-4096-b75d-3f05338b7f60 \n",
"2 tool--b77b563c-34bb-4fb8-86a3-3694338f7b47 \n",
"3 tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf "
]
},
"execution_count": 50,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"relations = []\n",
"for t in all_enterprise['relationships']:\n",
" relations.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(relations)\n",
"df[0:4]"
]
},
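The relationship rows above are only edges: `source_ref` and `target_ref` are STIX ids, and a group's techniques are split between direct `uses` edges and edges that pass through the malware or tools the group uses. The code below is an added example, not code from this notebook or from attackcti, that walks those edges over a constructed sample bundle whose dicts have the same shape as `json.loads(t.serialize())` produces in the cells above. All object ids and ATT&CK IDs in the sample are placeholders. It also skips objects flagged `revoked` or `x_mitre_deprecated`, which stay in the bundle and still carry relationships, as the `revoked` and `x_mitre_deprecated` columns above show.

```python
# Added example, not code from the original notebook or from attackcti itself:
# resolve ATT&CK "uses" relationships over plain dicts shaped like the output of
# json.loads(obj.serialize()) that the cells above feed into pandas.
# Everything in SAMPLE_OBJECTS is constructed for this example; the ids are
# placeholders, not real ATT&CK entries.
from collections import defaultdict

ATTACK_SOURCES = {"mitre-attack", "mitre-mobile-attack", "mitre-pre-attack"}

# Constructed sample bundle: one group, one malware family, three techniques
# (one of them revoked) and the "uses" relationships tying them together.
SAMPLE_OBJECTS = [
    {"type": "intrusion-set", "id": "intrusion-set--00000000-example-group",
     "name": "Example Group",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G9999"}]},
    {"type": "malware", "id": "malware--00000000-example-rat",
     "name": "Example RAT",
     "external_references": [{"source_name": "mitre-attack", "external_id": "S9999"}]},
    {"type": "attack-pattern", "id": "attack-pattern--00000000-direct",
     "name": "Direct Technique",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--00000000-via-malware",
     "name": "Technique Via Malware",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9002"}]},
    {"type": "attack-pattern", "id": "attack-pattern--00000000-revoked",
     "name": "Old Technique", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9003"}]},
    {"type": "relationship", "id": "relationship--1", "relationship_type": "uses",
     "source_ref": "intrusion-set--00000000-example-group",
     "target_ref": "attack-pattern--00000000-direct"},
    {"type": "relationship", "id": "relationship--2", "relationship_type": "uses",
     "source_ref": "intrusion-set--00000000-example-group",
     "target_ref": "malware--00000000-example-rat"},
    {"type": "relationship", "id": "relationship--3", "relationship_type": "uses",
     "source_ref": "malware--00000000-example-rat",
     "target_ref": "attack-pattern--00000000-via-malware"},
    {"type": "relationship", "id": "relationship--4", "relationship_type": "uses",
     "source_ref": "malware--00000000-example-rat",
     "target_ref": "attack-pattern--00000000-revoked"},
]


def attack_id(obj):
    """Return the ATT&CK ID (Gxxxx, Sxxxx, Txxxx) from external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in ATTACK_SOURCES and "external_id" in ref:
            return ref["external_id"]
    return None


def is_active(obj):
    """Revoked/deprecated objects remain in the bundle; they must be skipped explicitly."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def stix_id_for(ext_id, objects):
    """Map an ATT&CK ID such as G9999 back to the STIX id used in relationships."""
    for obj in objects:
        if obj["type"] != "relationship" and attack_id(obj) == ext_id:
            return obj["id"]
    return None


def index_objects(objects):
    """Split a bundle into an id lookup and a source_ref -> {target_ref} map for 'uses' edges."""
    by_id = {o["id"]: o for o in objects if o["type"] != "relationship"}
    uses = defaultdict(set)
    for o in objects:
        if o["type"] == "relationship" and o.get("relationship_type") == "uses":
            uses[o["source_ref"]].add(o["target_ref"])
    return by_id, uses


def techniques_used_by(group_stix_id, objects):
    """Techniques a group uses, directly and through the malware/tools it uses.

    Returns {technique ATT&CK ID: sorted list of paths}, where a path is the
    string "direct" or the ATT&CK ID of the software that carried the technique.
    """
    by_id, uses = index_objects(objects)
    found = defaultdict(set)
    for target in uses.get(group_stix_id, ()):
        obj = by_id.get(target)
        if obj is None or not is_active(obj):
            continue  # dangling reference or revoked/deprecated object
        if obj["type"] == "attack-pattern":
            found[attack_id(obj)].add("direct")
        elif obj["type"] in ("malware", "tool"):
            for tech_ref in uses.get(target, ()):
                tech = by_id.get(tech_ref)
                if tech and tech["type"] == "attack-pattern" and is_active(tech):
                    found[attack_id(tech)].add(attack_id(obj))
    return {tid: sorted(paths) for tid, paths in found.items()}


if __name__ == "__main__":
    group = stix_id_for("G9999", SAMPLE_OBJECTS)
    for tid, paths in sorted(techniques_used_by(group, SAMPLE_OBJECTS).items()):
        print(tid, "via", ", ".join(paths))
```

On the live results collected above, the same functions accept the concatenation of the serialized `groups`, `malware`, `tools`, `techniques` and `relationships` lists from `all_enterprise`; the one-hop and two-hop paths are kept separate on purpose, because a technique that reaches a group only through a software entry is weaker evidence of the group's own tradecraft than a direct `uses` edge.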
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Mobile ATT&CK ONLY from Results (Locally)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Mobile Techniques**"
]
},
{
"cell_type": "code",
"execution_count": 51,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Techniques in Mobile ATT&CK\n",
"104\n"
]
}
],
"source": [
"print(\"Number of Techniques in Mobile ATT&CK\")\n",
"print(len(all_mobile['techniques']))"
]
},
{
"cell_type": "code",
"execution_count": 52,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" external_references \\\n",
"0 [{'source_name': 'mitre-mobile-attack', 'exter... \n",
"1 [{'source_name': 'mitre-mobile-attack', 'exter... \n",
"2 [{'source_name': 'mitre-mobile-attack', 'exter... \n",
"3 [{'source_name': 'mitre-mobile-attack', 'exter... \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" name \\\n",
"0 SMS Control \n",
"1 Geofencing \n",
"2 Keychain \n",
"3 Compromise Application Executable \n",
"\n",
" description \\\n",
"0 Adversaries may delete, alter, or send SMS mes... \n",
"1 Adversaries may use a device’s geographical lo... \n",
"2 Adversaries may collect the keychain storage d... \n",
"3 Adversaries may modify applications installed ... \n",
"\n",
" id type \\\n",
"0 attack-pattern--b327a9c0-e709-495c-aa6e-00b042... attack-pattern \n",
"1 attack-pattern--8197f026-64da-4700-93b9-b55ba5... attack-pattern \n",
"2 attack-pattern--27f483c6-6666-44fa-8532-ffd5fc... attack-pattern \n",
"3 attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e5631... attack-pattern \n",
"\n",
" kill_chain_phases \\\n",
"0 [{'kill_chain_name': 'mitre-mobile-attack', 'p... \n",
"1 [{'kill_chain_name': 'mitre-mobile-attack', 'p... \n",
"2 [{'kill_chain_name': 'mitre-mobile-attack', 'p... \n",
"3 [{'kill_chain_name': 'mitre-mobile-attack', 'p... \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-10-22T17:04:15.578Z 2020-09-11T15:14:33.730Z 1.0 \n",
"1 2020-10-01T12:43:41.494Z 2020-09-11T15:04:14.532Z 1.0 \n",
"2 2020-06-24T19:02:46.237Z 2020-06-24T17:33:49.778Z 1.0 \n",
"3 2020-05-27T13:23:34.159Z 2020-05-07T15:24:49.068Z 1.0 \n",
"\n",
" x_mitre_is_subtechnique x_mitre_tactic_type \\\n",
"0 False [Post-Adversary Device Access] \n",
"1 False [Post-Adversary Device Access] \n",
"2 False [Post-Adversary Device Access] \n",
"3 False [Post-Adversary Device Access] \n",
"\n",
" x_mitre_detection x_mitre_platforms \\\n",
"0 Users can view the default SMS handler in syst... [Android] \n",
"1 Users can review which applications have locat... [Android, iOS] \n",
"2 Mobile security products can potentially detec... [iOS] \n",
"3 This behavior is seamless to the user and is t... [Android] \n",
"\n",
" x_mitre_contributors x_mitre_old_attack_id revoked x_mitre_deprecated \n",
"0 NaN NaN NaN NaN \n",
"1 NaN NaN NaN NaN \n",
"2 NaN NaN NaN NaN \n",
"3 NaN NaN NaN NaN "
]
},
"execution_count": 52,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"techniques = []\n",
"for t in all_mobile['techniques']:\n",
" techniques.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(techniques)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Mobile Mitigations**"
]
},
{
"cell_type": "code",
"execution_count": 53,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Mitigations in Mobile ATT&CK\n",
"13\n"
]
}
],
"source": [
"print(\"Number of Mitigations in Mobile ATT&CK\")\n",
"print(len(all_mobile['mitigations']))"
]
},
{
"cell_type": "code",
"execution_count": 54,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references name \\\n",
"0 [{'source_name': 'mitre-attack', 'external_id'... User Guidance \n",
"1 [{'source_name': 'mitre-attack', 'external_id'... Security Updates \n",
"2 [{'source_name': 'mitre-attack', 'external_id'... Attestation \n",
"3 [{'source_name': 'mitre-attack', 'external_id'... Application Vetting \n",
"\n",
" description \\\n",
"0 Describes any guidance or training given to us... \n",
"1 Install security updates in response to discov... \n",
"2 Enable remote attestation capabilities when av... \n",
"3 Enterprises can vet applications for exploitab... \n",
"\n",
" id type \\\n",
"0 course-of-action--653492e3-27be-4a0e-b08c-938d... course-of-action \n",
"1 course-of-action--bcecd036-f40e-4916-9f8e-fd0c... course-of-action \n",
"2 course-of-action--ff4821f6-5afb-481b-8c0f-26c2... course-of-action \n",
"3 course-of-action--1553b156-6767-47f7-9eb4-2a69... course-of-action \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2019-10-18T15:51:48.318Z 2019-10-18T12:53:03.508Z 1.0 \n",
"1 2019-10-18T14:56:15.631Z 2019-10-18T12:51:36.488Z 1.0 \n",
"2 2019-10-18T14:52:53.019Z 2019-10-18T12:50:35.335Z 1.0 \n",
"3 2019-10-18T15:53:07.393Z 2019-10-18T12:49:58.924Z 1.0 \n",
"\n",
" x_mitre_old_attack_id \n",
"0 NaN \n",
"1 NaN \n",
"2 NaN \n",
"3 NaN "
]
},
"execution_count": 54,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"mitigations = []\n",
"for t in all_mobile['mitigations']:\n",
" mitigations.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(mitigations)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Mobile Groups**"
]
},
{
"cell_type": "code",
"execution_count": 55,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Groups in Mobile ATT&CK\n",
"3\n"
]
}
],
"source": [
"print(\"Number of Groups in Mobile ATT&CK\")\n",
"print(len(all_mobile['groups']))"
]
},
{
"cell_type": "code",
"execution_count": 56,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references \\\n",
"0 [{'external_id': 'G0097', 'source_name': 'mitr... \n",
"1 [{'source_name': 'mitre-attack', 'url': 'https... \n",
"2 [{'external_id': 'G0007', 'url': 'https://atta... \n",
"\n",
" description name \\\n",
"0 [Bouncing Golf](https://attack.mitre.org/group... Bouncing Golf \n",
"1 [Dark Caracal](https://attack.mitre.org/groups... Dark Caracal \n",
"2 [APT28](https://attack.mitre.org/groups/G0007)... APT28 \n",
"\n",
" type id \\\n",
"0 intrusion-set intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a... \n",
"1 intrusion-set intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... \n",
"2 intrusion-set intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8... \n",
"\n",
" aliases \\\n",
"0 [Bouncing Golf] \n",
"1 [Dark Caracal] \n",
"2 [APT28, SNAKEMACKEREL, Swallowtail, Group 74, ... \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-03-26T20:58:44.722Z 2020-01-27T16:55:39.688Z 1.0 \n",
"1 2020-06-03T20:22:40.401Z 2018-10-17T00:14:20.652Z 1.2 \n",
"2 2020-10-06T23:32:21.793Z 2017-05-31T21:31:48.664Z 3.0 \n",
"\n",
" x_mitre_contributors \n",
"0 NaN \n",
"1 NaN \n",
"2 [Sébastien Ruel, CGI, Drew Church, Splunk, Emi... "
]
},
"execution_count": 56,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"groups = []\n",
"for t in all_mobile['groups']:\n",
" groups.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(groups)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Mobile Malware**"
]
},
{
"cell_type": "code",
"execution_count": 57,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Malware in Mobile ATT&CK\n",
"74\n"
]
}
],
"source": [
"print(\"Number of Malware in Mobile ATT&CK\")\n",
"print(len(all_mobile['malware']))"
]
},
{
"cell_type": "code",
"execution_count": 58,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" external_references \\\n",
"0 [{'external_id': 'S0509', 'source_name': 'mitr... \n",
"1 [{'external_id': 'S0507', 'source_name': 'mitr... \n",
"2 [{'external_id': 'S0506', 'source_name': 'mitr... \n",
"3 [{'external_id': 'S0505', 'source_name': 'mitr... \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" description name \\\n",
"0 [FakeSpy](https://attack.mitre.org/software/S0... FakeSpy \n",
"1 [eSurv](https://attack.mitre.org/software/S050... eSurv \n",
"2 [ViperRAT](https://attack.mitre.org/software/S... ViperRAT \n",
"3 [Desert Scorpion](https://attack.mitre.org/sof... Desert Scorpion \n",
"\n",
" id type labels \\\n",
"0 malware--838f647e-8ff8-48bd-bbd5-613cee7736cb malware [malware] \n",
"1 malware--680f680c-eef9-4f8a-b5f5-f451bf47e403 malware [malware] \n",
"2 malware--f666e17c-b290-43b3-8947-b96bd5148fbb malware [malware] \n",
"3 malware--3271c107-92c4-442e-9506-e76d62230ee8 malware [malware] \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-10-06T20:09:57.659Z 2020-09-15T15:18:11.971Z 1.0 \n",
"1 2020-09-14T15:39:17.698Z 2020-09-14T14:13:45.032Z 1.0 \n",
"2 2020-09-29T20:03:42.662Z 2020-09-11T16:22:02.954Z 1.0 \n",
"3 2020-09-11T16:23:16.039Z 2020-09-11T14:54:16.188Z 1.0 \n",
"\n",
" x_mitre_aliases x_mitre_platforms x_mitre_contributors \\\n",
"0 [FakeSpy] [Android] [Ofir Almkias, Cybereason] \n",
"1 [eSurv] [Android, iOS] NaN \n",
"2 [ViperRAT] [Android] NaN \n",
"3 [Desert Scorpion] [Android] NaN \n",
"\n",
" x_mitre_old_attack_id \n",
"0 NaN \n",
"1 NaN \n",
"2 NaN \n",
"3 NaN "
]
},
"execution_count": 58,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"malware = []\n",
"for t in all_mobile['malware']:\n",
" malware.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(malware)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Mobile Tools**"
]
},
{
"cell_type": "code",
"execution_count": 59,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Tools in Mobile ATT&CK\n",
"2\n"
]
}
],
"source": [
"print(\"Number of Tools in Mobile ATT&CK\")\n",
"print(len(all_mobile['tools']))"
]
},
{
"cell_type": "code",
"execution_count": 60,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" external_references \\\n",
"0 [{'external_id': 'S0408', 'source_name': 'mitr... \n",
"1 [{'source_name': 'mitre-mobile-attack', 'url':... \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" description name \\\n",
"0 [FlexiSpy](https://attack.mitre.org/software/S... FlexiSpy \n",
"1 [Xbot](https://attack.mitre.org/software/S0298... Xbot \n",
"\n",
" id type labels \\\n",
"0 tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81 tool [tool] \n",
"1 tool--da21929e-40c0-443d-bdf4-6b60d15448b4 tool [tool] \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2019-10-14T18:08:28.349Z 2019-09-04T15:38:56.070Z 1.0 \n",
"1 2018-12-11T20:40:31.461Z 2017-10-25T14:48:48.609Z 1.1 \n",
"\n",
" x_mitre_aliases x_mitre_platforms x_mitre_contributors \\\n",
"0 [FlexiSpy] [Android] [Emily Ratliff, IBM] \n",
"1 [Xbot] [Android] NaN \n",
"\n",
" x_mitre_old_attack_id \n",
"0 NaN \n",
"1 MOB-S0014 "
]
},
"execution_count": 60,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"tools = []\n",
"for t in all_mobile['tools']:\n",
" tools.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(tools)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"**Mobile Relationships**"
]
},
{
"cell_type": "code",
"execution_count": 61,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Relationships in Mobile ATT&CK\n",
"795\n"
]
}
],
"source": [
"print(\"Number of Relationships in Mobile ATT&CK\")\n",
"print(len(all_mobile['relationships']))"
]
},
{
"cell_type": "code",
"execution_count": 62,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" id type \\\n",
"0 relationship--39f46abc-d9e3-463d-9340-3bc8334a... relationship \n",
"1 relationship--e373111c-aa34-4686-a286-7c9b4267... relationship \n",
"2 relationship--37459382-00b7-4699-a294-d25f53bf... relationship \n",
"3 relationship--455b1287-5784-42b4-91fb-01dac007... relationship \n",
"\n",
" modified created \\\n",
"0 2020-10-23T15:05:40.967Z 2020-10-23T15:05:40.967Z \n",
"1 2020-10-01T12:43:42.238Z 2020-09-30T14:48:16.522Z \n",
"2 2020-10-01T12:42:21.985Z 2020-09-30T14:36:43.256Z \n",
"3 2020-09-29T13:24:15.234Z 2020-09-29T13:24:15.234Z \n",
"\n",
" source_ref relationship_type \\\n",
"0 attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab... revoked-by \n",
"1 course-of-action--0beabf44-e8d8-4ae4-9122-ef56... mitigates \n",
"2 course-of-action--0beabf44-e8d8-4ae4-9122-ef56... mitigates \n",
"3 malware--317a2c10-d489-431e-b6b2-f0251fddc88e uses \n",
"\n",
" target_ref \\\n",
"0 attack-pattern--77e30eee-fd48-40b4-99ec-73e97c... \n",
"1 attack-pattern--8197f026-64da-4700-93b9-b55ba5... \n",
"2 attack-pattern--77e30eee-fd48-40b4-99ec-73e97c... \n",
"3 attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd2... \n",
"\n",
" description \\\n",
"0 NaN \n",
"1 New OS releases frequently contain additional ... \n",
"2 iOS 11 introduced a first-come-first-served pr... \n",
"3 [Dendroid](https://attack.mitre.org/software/S... \n",
"\n",
" external_references \n",
"0 NaN \n",
"1 NaN \n",
"2 [{'source_name': 'Trend Micro iOS URL Hijackin... \n",
"3 [{'source_name': 'Lookout-Dendroid', 'descript... "
]
},
"execution_count": 62,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"relations = []\n",
"for t in all_mobile['relationships']:\n",
" relations.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(relations)\n",
"df[0:4]"
]
},
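The cells above turn each STIX object into a dict with json.loads(t.serialize()) and hand the list to pandas.json_normalize, which leaves external_references, kill_chain_phases and the relationship source_ref/target_ref ids as nested or opaque columns (the truncated `[{'source_name': ...` cells). The block below is an added example, not code from this notebook or from the attackcti project: it works on the same dicts and unpacks them into rows carrying the ATT&CK id, tactics and platforms, resolves relationship endpoints to names, and skips techniques that are revoked or deprecated (the `revoked` and `x_mitre_deprecated` columns and the `revoked-by` relationship visible in the outputs above) so that counts such as "Number of Techniques" are not inflated by retired entries. Every object, UUID and external id in it is a constructed placeholder, and the helper names are the example's own.

```python
"""Added example: ATT&CK STIX 2.0 dicts -> analysis-ready rows (constructed data)."""

ATTACK_SOURCES = {'mitre-attack', 'mitre-mobile-attack', 'mitre-pre-attack'}
KILL_CHAIN = 'mitre-mobile-attack'


def _sdo(stype, n, name, ext_id, **extra):
    """Constructed STIX domain object; UUIDs and external ids are placeholders."""
    obj = {'type': stype,
           'id': f'{stype}--00000000-0000-4000-8000-{n:012d}',
           'name': name,
           'external_references': [{'source_name': KILL_CHAIN, 'external_id': ext_id}]}
    obj.update(extra)
    return obj

def _rel(n, rtype, src, dst):
    """Constructed STIX relationship object."""
    return {'type': 'relationship', 'relationship_type': rtype,
            'id': f'relationship--00000000-0000-4000-8000-{n:012d}',
            'source_ref': src, 'target_ref': dst}

def _phases(*names):
    return [{'kill_chain_name': KILL_CHAIN, 'phase_name': p} for p in names]

TECH_A = _sdo('attack-pattern', 1, 'Constructed Technique A', 'T0001',
              kill_chain_phases=_phases('collection', 'credential-access'),
              x_mitre_platforms=['Android', 'iOS'], x_mitre_is_subtechnique=False)
TECH_B = _sdo('attack-pattern', 2, 'Constructed Technique B', 'T0002',  # folded into A
              kill_chain_phases=_phases('collection'), x_mitre_platforms=['Android'],
              revoked=True)
TECH_C = _sdo('attack-pattern', 3, 'Constructed Technique C', 'T0003',
              kill_chain_phases=_phases('collection'), x_mitre_deprecated=True)
MITIG = _sdo('course-of-action', 10, 'Constructed Mitigation', 'M0001')
MALW = _sdo('malware', 20, 'Constructed Malware', 'S0001')

# Same shape as the lists the notebook builds with json.loads(t.serialize()).
SAMPLE_OBJECTS = [
    TECH_A, TECH_B, TECH_C, MITIG, MALW,
    _rel(100, 'mitigates', MITIG['id'], TECH_A['id']),
    _rel(101, 'uses', MALW['id'], TECH_A['id']),
    _rel(102, 'revoked-by', TECH_B['id'], TECH_A['id']),
    # Endpoint missing from the collection (e.g. an object filtered out earlier).
    _rel(103, 'uses', MALW['id'], 'attack-pattern--00000000-0000-4000-8000-000000000099'),
]


def attack_id(obj):
    """Return the ATT&CK external id (T/M/S/G number) of a STIX object, or None."""
    for ref in obj.get('external_references', []):
        if ref.get('source_name') in ATTACK_SOURCES and ref.get('external_id'):
            return ref['external_id']
    return None

def is_retired(obj):
    """ATT&CK keeps revoked and deprecated objects in the feed; flag them."""
    return bool(obj.get('revoked')) or bool(obj.get('x_mitre_deprecated'))

def flatten_technique(obj):
    """One flat row per attack-pattern with the nested fields unpacked."""
    return {'technique_id': attack_id(obj),
            'name': obj['name'],
            'tactics': [p['phase_name'] for p in obj.get('kill_chain_phases', [])],
            'platforms': obj.get('x_mitre_platforms', []),
            'is_subtechnique': bool(obj.get('x_mitre_is_subtechnique')),
            'retired': is_retired(obj)}

def active_techniques(objects):
    """Rows for techniques that are neither flagged retired nor the source of a
    revoked-by relationship, so counts and coverage maps are not inflated."""
    revoked = {r['source_ref'] for r in objects
               if r['type'] == 'relationship' and r['relationship_type'] == 'revoked-by'}
    return [flatten_technique(o) for o in objects
            if o['type'] == 'attack-pattern' and not is_retired(o)
            and o['id'] not in revoked]

def resolve_relationships(objects):
    """Replace source_ref/target_ref STIX ids with (ATT&CK id, name) pairs.
    Returns (resolved rows, ids of relationships with a missing endpoint)."""
    index = {o['id']: o for o in objects if o['type'] != 'relationship'}
    resolved, dangling = [], []
    for r in objects:
        if r['type'] != 'relationship':
            continue
        src, dst = index.get(r['source_ref']), index.get(r['target_ref'])
        if src is None or dst is None:
            dangling.append(r['id'])   # keep these visible rather than silently dropping
            continue
        resolved.append({'source': (attack_id(src), src['name']),
                         'relationship_type': r['relationship_type'],
                         'target': (attack_id(dst), dst['name'])})
    return resolved, dangling
```

The rows returned by active_techniques() go straight into pandas.DataFrame. To run it on the notebook's own data, pass it one list made from the dicts the loops above build (techniques + mitigations + groups + malware + tools + relations); resolve_relationships() then reports in its second return value any relationship whose endpoint was not in that list, which is the usual sign that a filter upstream dropped an object.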
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## **Get STIX Object Types Directly from TAXII Server (Enterprise ATT&CK, Pre-ATT&CK & Mobile ATT&CK)**\n",
"* In this section, we query the ATT&CK TAXII Server directly to collect specific STIX object types (techniques, mitigations, groups, malware, tools and relationships) from the Enterprise, PRE and Mobile matrices.\n",
"* Unlike the first section of this notebook, there is no need to collect every STIX object available for each matrix first."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Enterprise Techniques ONLY (TAXII)"
]
},
{
"cell_type": "code",
"execution_count": 63,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Techniques in Enterprise ATT&CK\n",
"665\n"
]
}
],
"source": [
"print(\"Number of Techniques in Enterprise ATT&CK\")\n",
"techniques = lift.get_enterprise_techniques()\n",
"print(len(techniques))"
]
},
{
"cell_type": "code",
"execution_count": 64,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" id \\\n",
"0 attack-pattern--818302b2-d640-477b-bf88-873120... \n",
"1 attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf... \n",
"2 attack-pattern--28abec6c-4443-4b03-8206-07f2e2... \n",
"3 attack-pattern--a6557c75-798f-42e4-be70-ab4502... \n",
"\n",
" description \\\n",
"0 Adversaries may abuse scripting or built-in co... \n",
"1 Adversaries may access network configuration f... \n",
"2 Adversaries may abuse netbooting to load an un... \n",
"3 Adversaries may abuse the ROM Monitor (ROMMON)... \n",
"\n",
" name \\\n",
"0 Network Device CLI \n",
"1 Network Device Configuration Dump \n",
"2 TFTP Boot \n",
"3 ROMMONkit \n",
"\n",
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references type \\\n",
"0 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n",
"1 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n",
"2 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n",
"3 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n",
"\n",
" kill_chain_phases \\\n",
"0 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n",
"1 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n",
"2 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n",
"3 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n",
"\n",
" modified created ... \\\n",
"0 2020-10-22T16:43:38.388Z 2020-10-20T00:09:33.072Z ... \n",
"1 2020-10-22T01:45:55.144Z 2020-10-20T00:08:21.745Z ... \n",
"2 2020-10-22T16:35:53.806Z 2020-10-20T00:06:56.180Z ... \n",
"3 2020-10-22T02:18:19.568Z 2020-10-20T00:05:48.790Z ... \n",
"\n",
" x_mitre_permissions_required x_mitre_defense_bypassed x_mitre_contributors \\\n",
"0 [Administrator, User] NaN NaN \n",
"1 [Administrator] NaN NaN \n",
"2 [Administrator] NaN NaN \n",
"3 [Administrator] NaN NaN \n",
"\n",
" x_mitre_system_requirements x_mitre_network_requirements \\\n",
"0 NaN NaN \n",
"1 NaN NaN \n",
"2 NaN NaN \n",
"3 NaN NaN \n",
"\n",
" x_mitre_effective_permissions x_mitre_remote_support x_mitre_impact_type \\\n",
"0 NaN NaN NaN \n",
"1 NaN NaN NaN \n",
"2 NaN NaN NaN \n",
"3 NaN NaN NaN \n",
"\n",
" revoked x_mitre_deprecated \n",
"0 NaN NaN \n",
"1 NaN NaN \n",
"2 NaN NaN \n",
"3 NaN NaN \n",
"\n",
"[4 rows x 25 columns]"
]
},
"execution_count": 64,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"techniques_list = []\n",
"for t in techniques:\n",
" techniques_list.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(techniques_list)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All PRE Techniques ONLY (TAXII)"
]
},
{
"cell_type": "code",
"execution_count": 65,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Techniques in PRE-ATT&CK\n"
]
},
{
"name": "stderr",
"output_type": "stream",
"text": [
"/usr/local/lib/python3.8/site-packages/attackcti/attack_api.py:455: UserWarning: PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\n",
" warnings.warn(\"PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\")\n"
]
},
{
"name": "stdout",
"output_type": "stream",
"text": [
"174\n"
]
}
],
"source": [
"print(\"Number of Techniques in PRE-ATT&CK\")\n",
"techniques = lift.get_pre_techniques()\n",
"print(len(techniques))"
]
},
{
"cell_type": "code",
"execution_count": 66,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" id \\\n",
"0 attack-pattern--b182f29c-2505-4b32-a000-0440ef... \n",
"1 attack-pattern--2b9a666e-bd59-4f67-9031-ed41b4... \n",
"2 attack-pattern--1a295f87-af63-4d94-b130-039d62... \n",
"3 attack-pattern--fe421ab9-c8f3-42f7-9ae1-5d6c32... \n",
"\n",
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" name \\\n",
"0 Spearphishing for Information \n",
"1 Acquire OSINT data sets and information \n",
"2 Acquire and/or use 3rd party software services \n",
"3 Analyze application security posture \n",
"\n",
" description \\\n",
"0 This object is deprecated as its content has b... \n",
"1 This object is deprecated as its content has b... \n",
"2 This object is deprecated as its content has b... \n",
"3 This object is deprecated as its content has b... \n",
"\n",
" external_references \\\n",
"0 [{'source_name': 'mitre-pre-attack', 'url': 'h... \n",
"1 [{'source_name': 'mitre-pre-attack', 'url': 'h... \n",
"2 [{'source_name': 'mitre-pre-attack', 'url': 'h... \n",
"3 [{'source_name': 'mitre-pre-attack', 'url': 'h... \n",
"\n",
" object_marking_refs type \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n",
"\n",
" kill_chain_phases \\\n",
"0 [{'kill_chain_name': 'mitre-pre-attack', 'phas... \n",
"1 [{'kill_chain_name': 'mitre-pre-attack', 'phas... \n",
"2 [{'kill_chain_name': 'mitre-pre-attack', 'phas... \n",
"3 [{'kill_chain_name': 'mitre-pre-attack', 'phas... \n",
"\n",
" modified created x_mitre_is_subtechnique \\\n",
"0 2020-10-26T13:42:49.342Z 2018-04-18T17:59:24.739Z False \n",
"1 2020-10-26T13:42:49.342Z 2017-12-14T16:46:06.044Z NaN \n",
"2 2020-10-26T13:42:49.342Z 2017-12-14T16:46:06.044Z NaN \n",
"3 2020-10-26T13:42:49.342Z 2017-12-14T16:46:06.044Z NaN \n",
"\n",
" x_mitre_old_attack_id x_mitre_version \\\n",
"0 PRE-T1174 1.0 \n",
"1 PRE-T1043 1.0 \n",
"2 PRE-T1085 1.0 \n",
"3 PRE-T1070 1.0 \n",
"\n",
" x_mitre_difficulty_for_adversary_explanation \\\n",
"0 Sending emails is trivial, and, over time, an ... \n",
"1 Possible to gather digital intelligence about ... \n",
"2 3rd party services like these listed are freel... \n",
"3 Analyze technical scanning results to identify... \n",
"\n",
" x_mitre_difficulty_for_adversary \\\n",
"0 Yes \n",
"1 Yes \n",
"2 Yes \n",
"3 Yes \n",
"\n",
" x_mitre_detectable_by_common_defenses_explanation \\\n",
"0 Depending on the specific method of phishing, ... \n",
"1 This activity is indistinguishable from legiti... \n",
"2 Defender will not have visibility over account... \n",
"3 This can be done offline after the data has be... \n",
"\n",
" x_mitre_detectable_by_common_defenses x_mitre_deprecated \n",
"0 Partial True \n",
"1 No True \n",
"2 No True \n",
"3 No True "
]
},
"execution_count": 66,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"techniques_list = []\n",
"for t in techniques:\n",
" techniques_list.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(techniques_list)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Mobile Techniques ONLY (TAXII)"
]
},
{
"cell_type": "code",
"execution_count": 67,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Techniques in Mobile ATT&CK\n",
"104\n"
]
}
],
"source": [
"print(\"Number of Techniques in Mobile ATT&CK\")\n",
"techniques = lift.get_mobile_techniques()\n",
"print(len(techniques))"
]
},
{
"cell_type": "code",
"execution_count": 68,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" external_references \\\n",
"0 [{'source_name': 'mitre-mobile-attack', 'exter... \n",
"1 [{'source_name': 'mitre-mobile-attack', 'exter... \n",
"2 [{'source_name': 'mitre-mobile-attack', 'exter... \n",
"3 [{'source_name': 'mitre-mobile-attack', 'exter... \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" name \\\n",
"0 SMS Control \n",
"1 Geofencing \n",
"2 Keychain \n",
"3 Compromise Application Executable \n",
"\n",
" description \\\n",
"0 Adversaries may delete, alter, or send SMS mes... \n",
"1 Adversaries may use a device’s geographical lo... \n",
"2 Adversaries may collect the keychain storage d... \n",
"3 Adversaries may modify applications installed ... \n",
"\n",
" id type \\\n",
"0 attack-pattern--b327a9c0-e709-495c-aa6e-00b042... attack-pattern \n",
"1 attack-pattern--8197f026-64da-4700-93b9-b55ba5... attack-pattern \n",
"2 attack-pattern--27f483c6-6666-44fa-8532-ffd5fc... attack-pattern \n",
"3 attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e5631... attack-pattern \n",
"\n",
" kill_chain_phases \\\n",
"0 [{'kill_chain_name': 'mitre-mobile-attack', 'p... \n",
"1 [{'kill_chain_name': 'mitre-mobile-attack', 'p... \n",
"2 [{'kill_chain_name': 'mitre-mobile-attack', 'p... \n",
"3 [{'kill_chain_name': 'mitre-mobile-attack', 'p... \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-10-22T17:04:15.578Z 2020-09-11T15:14:33.730Z 1.0 \n",
"1 2020-10-01T12:43:41.494Z 2020-09-11T15:04:14.532Z 1.0 \n",
"2 2020-06-24T19:02:46.237Z 2020-06-24T17:33:49.778Z 1.0 \n",
"3 2020-05-27T13:23:34.159Z 2020-05-07T15:24:49.068Z 1.0 \n",
"\n",
" x_mitre_is_subtechnique x_mitre_tactic_type \\\n",
"0 False [Post-Adversary Device Access] \n",
"1 False [Post-Adversary Device Access] \n",
"2 False [Post-Adversary Device Access] \n",
"3 False [Post-Adversary Device Access] \n",
"\n",
" x_mitre_detection x_mitre_platforms \\\n",
"0 Users can view the default SMS handler in syst... [Android] \n",
"1 Users can review which applications have locat... [Android, iOS] \n",
"2 Mobile security products can potentially detec... [iOS] \n",
"3 This behavior is seamless to the user and is t... [Android] \n",
"\n",
" x_mitre_contributors x_mitre_old_attack_id revoked x_mitre_deprecated \n",
"0 NaN NaN NaN NaN \n",
"1 NaN NaN NaN NaN \n",
"2 NaN NaN NaN NaN \n",
"3 NaN NaN NaN NaN "
]
},
"execution_count": 68,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"techniques_list = []\n",
"for t in techniques:\n",
" techniques_list.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(techniques_list)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Techniques (TAXII)\n",
"* The results of this function show every technique across the whole ATT&CK framework, but without their mitigation information.\n",
"* Mitigations have their own STIX object type (ATT&CK Mitigations are `course-of-action` objects) and have to be correlated with techniques through `relationship` objects.\n",
"* This library already provides a function named **get_techniques_with_mitigations()** that gives you that more complete view of techniques."
]
},
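The correlation described in the cell above, as an added example that is not code from this notebook or from the attackcti library: it joins `attack-pattern` objects to `course-of-action` objects through STIX `relationship` objects of type `mitigates` (the relationship type ATT&CK publishes for mitigations), on a small constructed bundle instead of the live TAXII server, so it runs offline. All STIX ids, technique and mitigation names below are constructed sample data.

```python
"""Correlate ATT&CK techniques with their mitigations via STIX 2.0 relationships.

Added example; not code from the original notebook or the attackcti library.
In ATT&CK's STIX data a Mitigation is a `course-of-action` object, and a
`relationship` object with relationship_type "mitigates" points from the
mitigation (source_ref) to the technique (target_ref). All ids and names
below are constructed sample data.
"""
from collections import defaultdict

TECH_A = "attack-pattern--11111111-1111-4111-8111-111111111111"   # constructed
TECH_B = "attack-pattern--22222222-2222-4222-8222-222222222222"   # constructed
TECH_C = "attack-pattern--33333333-3333-4333-8333-333333333333"   # constructed
MIT_X = "course-of-action--44444444-4444-4444-8444-444444444444"  # constructed
MIT_Y = "course-of-action--55555555-5555-4555-8555-555555555555"  # constructed
GROUP = "intrusion-set--66666666-6666-4666-8666-666666666666"     # constructed


def _ref(external_id):
    """Build the external_references list ATT&CK uses to carry its own ids."""
    return [{"source_name": "mitre-attack", "external_id": external_id}]


# Constructed sample bundle in the shape the TAXII server returns.
SAMPLE_OBJECTS = [
    {"type": "attack-pattern", "id": TECH_A, "name": "Sample Technique A",
     "external_references": _ref("T9001")},
    {"type": "attack-pattern", "id": TECH_B, "name": "Sample Technique B",
     "external_references": _ref("T9002")},
    {"type": "attack-pattern", "id": TECH_C, "name": "Sample Technique C",
     "external_references": _ref("T9003")},
    {"type": "course-of-action", "id": MIT_X, "name": "Sample Mitigation X",
     "external_references": _ref("M9001")},
    {"type": "course-of-action", "id": MIT_Y, "name": "Sample Mitigation Y",
     "external_references": _ref("M9002")},
    # Active mitigates relationships: X covers A and B, Y covers A.
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": MIT_X, "target_ref": TECH_A},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": MIT_X, "target_ref": TECH_B},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": MIT_Y, "target_ref": TECH_A},
    # Revoked mapping: must not count, or the view overstates coverage of B.
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": MIT_Y, "target_ref": TECH_B, "revoked": True},
    # A "uses" relationship (group -> technique) is not a mitigation.
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": GROUP, "target_ref": TECH_A},
]


def attack_id(obj):
    """Return the ATT&CK external_id (e.g. T1059 or M1038) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in ("mitre-attack", "mitre-mobile-attack", "mitre-pre-attack"):
            return ref.get("external_id")
    return None


def techniques_with_mitigations(objects):
    """Join attack-pattern objects to course-of-action objects.

    Walks every 'mitigates' relationship, skips revoked or deprecated ones and
    dangling references, and returns one record per technique with the sorted
    ATT&CK ids of the mitigations that apply. Techniques with no mitigation
    are kept with an empty list so that coverage gaps stay visible.
    """
    by_id = {o["id"]: o for o in objects
             if o.get("type") in ("attack-pattern", "course-of-action")}
    mitigations_for = defaultdict(set)
    for rel in objects:
        if rel.get("type") != "relationship" or rel.get("relationship_type") != "mitigates":
            continue
        if rel.get("revoked") or rel.get("x_mitre_deprecated"):
            continue
        src, dst = by_id.get(rel.get("source_ref")), by_id.get(rel.get("target_ref"))
        if not src or not dst or src["type"] != "course-of-action" or dst["type"] != "attack-pattern":
            continue  # dangling or mistyped reference: ignore rather than crash
        mitigations_for[dst["id"]].add(attack_id(src))
    records = []
    for tech in objects:
        if tech.get("type") != "attack-pattern":
            continue
        records.append({
            "technique_id": attack_id(tech),
            "technique": tech["name"],
            "mitigations": sorted(mitigations_for.get(tech["id"], set())),
        })
    return sorted(records, key=lambda r: r["technique_id"])


def unmitigated(records):
    """Technique ids with no active mitigation mapped: the gap list a defender reviews."""
    return [r["technique_id"] for r in records if not r["mitigations"]]


if __name__ == "__main__":
    recs = techniques_with_mitigations(SAMPLE_OBJECTS)
    for r in recs:
        print(r["technique_id"], r["technique"], "->", r["mitigations"])
    print("no mitigation mapped:", unmitigated(recs))
```

The same join runs unchanged on the live objects once they are serialized with `json.loads(t.serialize())` as the notebook does for its DataFrames.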
{
"cell_type": "code",
"execution_count": 69,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Techniques in ATT&CK\n",
"1024\n"
]
}
],
"source": [
"print(\"Number of Techniques in ATT&CK\")\n",
"techniques = lift.get_techniques()\n",
"print(len(techniques))"
]
},
{
"cell_type": "code",
"execution_count": 70,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" id \\\n",
"0 attack-pattern--818302b2-d640-477b-bf88-873120... \n",
"1 attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf... \n",
"2 attack-pattern--28abec6c-4443-4b03-8206-07f2e2... \n",
"3 attack-pattern--a6557c75-798f-42e4-be70-ab4502... \n",
"\n",
" description \\\n",
"0 Adversaries may abuse scripting or built-in co... \n",
"1 Adversaries may access network configuration f... \n",
"2 Adversaries may abuse netbooting to load an un... \n",
"3 Adversaries may abuse the ROM Monitor (ROMMON)... \n",
"\n",
" name \\\n",
"0 Network Device CLI \n",
"1 Network Device Configuration Dump \n",
"2 TFTP Boot \n",
"3 ROMMONkit \n",
"\n",
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references type \\\n",
"0 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n",
"1 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n",
"2 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n",
"3 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n",
"\n",
" kill_chain_phases \\\n",
"0 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n",
"1 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n",
"2 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n",
"3 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n",
"\n",
" modified created ... \\\n",
"0 2020-10-22T16:43:38.388Z 2020-10-20T00:09:33.072Z ... \n",
"1 2020-10-22T01:45:55.144Z 2020-10-20T00:08:21.745Z ... \n",
"2 2020-10-22T16:35:53.806Z 2020-10-20T00:06:56.180Z ... \n",
"3 2020-10-22T02:18:19.568Z 2020-10-20T00:05:48.790Z ... \n",
"\n",
" x_mitre_remote_support x_mitre_impact_type revoked x_mitre_deprecated \\\n",
"0 NaN NaN NaN NaN \n",
"1 NaN NaN NaN NaN \n",
"2 NaN NaN NaN NaN \n",
"3 NaN NaN NaN NaN \n",
"\n",
" x_mitre_old_attack_id x_mitre_difficulty_for_adversary_explanation \\\n",
"0 NaN NaN \n",
"1 NaN NaN \n",
"2 NaN NaN \n",
"3 NaN NaN \n",
"\n",
" x_mitre_difficulty_for_adversary \\\n",
"0 NaN \n",
"1 NaN \n",
"2 NaN \n",
"3 NaN \n",
"\n",
" x_mitre_detectable_by_common_defenses_explanation \\\n",
"0 NaN \n",
"1 NaN \n",
"2 NaN \n",
"3 NaN \n",
"\n",
" x_mitre_detectable_by_common_defenses x_mitre_tactic_type \n",
"0 NaN NaN \n",
"1 NaN NaN \n",
"2 NaN NaN \n",
"3 NaN NaN \n",
"\n",
"[4 rows x 31 columns]"
]
},
"execution_count": 70,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"techniques_list = []\n",
"for t in techniques:\n",
" techniques_list.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(techniques_list)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Enterprise Mitigations ONLY (TAXII)"
]
},
{
"cell_type": "code",
"execution_count": 71,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Mitigations in Enterprise ATT&CK\n",
"267\n"
]
}
],
"source": [
"print(\"Number of Mitigations in Enterprise ATT&CK\")\n",
"mitigations = lift.get_enterprise_mitigations()\n",
"print(len(mitigations))"
]
},
{
"cell_type": "code",
"execution_count": 72,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references \\\n",
"0 [{'source_name': 'mitre-attack', 'external_id'... \n",
"1 [{'source_name': 'mitre-attack', 'external_id'... \n",
"2 [{'source_name': 'mitre-attack', 'external_id'... \n",
"3 [{'source_name': 'mitre-attack', 'external_id'... \n",
"\n",
" description name \\\n",
"0 This category is used for any applicable mitig... Pre-compromise \n",
"1 This category is to associate techniques that ... Do Not Mitigate \n",
"2 Implement configuration changes to software (o... Software Configuration \n",
"3 Take and store data backups from end user syst... Data Backup \n",
"\n",
" id type \\\n",
"0 course-of-action--78bb71be-92b4-46de-acd6-5f99... course-of-action \n",
"1 course-of-action--787fb64d-c87b-4ee5-a341-0ef1... course-of-action \n",
"2 course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... course-of-action \n",
"3 course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... course-of-action \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-10-20T19:52:32.439Z 2020-10-19T14:57:58.771Z 1.0 \n",
"1 2019-07-23T14:44:24.727Z 2019-07-19T14:58:42.715Z 1.0 \n",
"2 2020-03-31T13:11:09.471Z 2019-07-19T14:40:23.529Z 1.1 \n",
"3 2020-03-31T13:11:28.201Z 2019-07-19T14:33:33.543Z 1.1 \n",
"\n",
" x_mitre_deprecated x_mitre_old_attack_id \n",
"0 NaN NaN \n",
"1 NaN NaN \n",
"2 NaN NaN \n",
"3 NaN NaN "
]
},
"execution_count": 72,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"mitigations_list = []\n",
"for t in mitigations:\n",
" mitigations_list.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(mitigations_list)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Mobile Mitigations ONLY (TAXII)"
]
},
{
"cell_type": "code",
"execution_count": 73,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Mitigations in Mobile ATT&CK\n",
"13\n"
]
}
],
"source": [
"print(\"Number of Mitigations in Mobile ATT&CK\")\n",
"mitigations = lift.get_mobile_mitigations()\n",
"print(len(mitigations))"
]
},
{
"cell_type": "code",
"execution_count": 74,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references name \\\n",
"0 [{'source_name': 'mitre-attack', 'external_id'... User Guidance \n",
"1 [{'source_name': 'mitre-attack', 'external_id'... Security Updates \n",
"2 [{'source_name': 'mitre-attack', 'external_id'... Attestation \n",
"3 [{'source_name': 'mitre-attack', 'external_id'... Application Vetting \n",
"\n",
" description \\\n",
"0 Describes any guidance or training given to us... \n",
"1 Install security updates in response to discov... \n",
"2 Enable remote attestation capabilities when av... \n",
"3 Enterprises can vet applications for exploitab... \n",
"\n",
" id type \\\n",
"0 course-of-action--653492e3-27be-4a0e-b08c-938d... course-of-action \n",
"1 course-of-action--bcecd036-f40e-4916-9f8e-fd0c... course-of-action \n",
"2 course-of-action--ff4821f6-5afb-481b-8c0f-26c2... course-of-action \n",
"3 course-of-action--1553b156-6767-47f7-9eb4-2a69... course-of-action \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2019-10-18T15:51:48.318Z 2019-10-18T12:53:03.508Z 1.0 \n",
"1 2019-10-18T14:56:15.631Z 2019-10-18T12:51:36.488Z 1.0 \n",
"2 2019-10-18T14:52:53.019Z 2019-10-18T12:50:35.335Z 1.0 \n",
"3 2019-10-18T15:53:07.393Z 2019-10-18T12:49:58.924Z 1.0 \n",
"\n",
" x_mitre_old_attack_id \n",
"0 NaN \n",
"1 NaN \n",
"2 NaN \n",
"3 NaN "
]
},
"execution_count": 74,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"mitigations_list = []\n",
"for t in mitigations:\n",
" mitigations_list.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(mitigations_list)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Mitigations (TAXII)"
]
},
{
"cell_type": "code",
"execution_count": 75,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Mitigations in ATT&CK\n",
"296\n"
]
}
],
"source": [
"print(\"Number of Mitigations in ATT&CK\")\n",
"mitigations = lift.get_mitigations()\n",
"print(len(mitigations))"
]
},
{
"cell_type": "code",
"execution_count": 76,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"\n",
"\n",
"
\n",
" \n",
" \n",
" | \n",
" created_by_ref | \n",
" object_marking_refs | \n",
" external_references | \n",
" description | \n",
" name | \n",
" id | \n",
" type | \n",
" modified | \n",
" created | \n",
" x_mitre_version | \n",
" x_mitre_deprecated | \n",
" x_mitre_old_attack_id | \n",
"
\n",
" \n",
" \n",
" \n",
" 0 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'mitre-attack', 'external_id'... | \n",
" This category is used for any applicable mitig... | \n",
" Pre-compromise | \n",
" course-of-action--78bb71be-92b4-46de-acd6-5f99... | \n",
" course-of-action | \n",
" 2020-10-20T19:52:32.439Z | \n",
" 2020-10-19T14:57:58.771Z | \n",
" 1.0 | \n",
" NaN | \n",
" NaN | \n",
"
\n",
" \n",
" 1 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'mitre-attack', 'external_id'... | \n",
" This category is to associate techniques that ... | \n",
" Do Not Mitigate | \n",
" course-of-action--787fb64d-c87b-4ee5-a341-0ef1... | \n",
" course-of-action | \n",
" 2019-07-23T14:44:24.727Z | \n",
" 2019-07-19T14:58:42.715Z | \n",
" 1.0 | \n",
" NaN | \n",
" NaN | \n",
"
\n",
" \n",
" 2 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'mitre-attack', 'external_id'... | \n",
" Implement configuration changes to software (o... | \n",
" Software Configuration | \n",
" course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... | \n",
" course-of-action | \n",
" 2020-03-31T13:11:09.471Z | \n",
" 2019-07-19T14:40:23.529Z | \n",
" 1.1 | \n",
" NaN | \n",
" NaN | \n",
"
\n",
" \n",
" 3 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'mitre-attack', 'external_id'... | \n",
" Take and store data backups from end user syst... | \n",
" Data Backup | \n",
" course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... | \n",
" course-of-action | \n",
" 2020-03-31T13:11:28.201Z | \n",
" 2019-07-19T14:33:33.543Z | \n",
" 1.1 | \n",
" NaN | \n",
" NaN | \n",
"
\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references \\\n",
"0 [{'source_name': 'mitre-attack', 'external_id'... \n",
"1 [{'source_name': 'mitre-attack', 'external_id'... \n",
"2 [{'source_name': 'mitre-attack', 'external_id'... \n",
"3 [{'source_name': 'mitre-attack', 'external_id'... \n",
"\n",
" description name \\\n",
"0 This category is used for any applicable mitig... Pre-compromise \n",
"1 This category is to associate techniques that ... Do Not Mitigate \n",
"2 Implement configuration changes to software (o... Software Configuration \n",
"3 Take and store data backups from end user syst... Data Backup \n",
"\n",
" id type \\\n",
"0 course-of-action--78bb71be-92b4-46de-acd6-5f99... course-of-action \n",
"1 course-of-action--787fb64d-c87b-4ee5-a341-0ef1... course-of-action \n",
"2 course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... course-of-action \n",
"3 course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... course-of-action \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-10-20T19:52:32.439Z 2020-10-19T14:57:58.771Z 1.0 \n",
"1 2019-07-23T14:44:24.727Z 2019-07-19T14:58:42.715Z 1.0 \n",
"2 2020-03-31T13:11:09.471Z 2019-07-19T14:40:23.529Z 1.1 \n",
"3 2020-03-31T13:11:28.201Z 2019-07-19T14:33:33.543Z 1.1 \n",
"\n",
" x_mitre_deprecated x_mitre_old_attack_id \n",
"0 NaN NaN \n",
"1 NaN NaN \n",
"2 NaN NaN \n",
"3 NaN NaN "
]
},
"execution_count": 76,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"mitigations_list = []\n",
"for t in mitigations:\n",
" mitigations_list.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(mitigations_list)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Enterprise Groups ONLY (TAXII)"
]
},
{
"cell_type": "code",
"execution_count": 77,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Groups in Enterprise ATT&CK\n",
"110\n"
]
}
],
"source": [
"print(\"Number of Groups in Enterprise ATT&CK\")\n",
"groups = lift.get_enterprise_groups()\n",
"print(len(groups))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All PRE Groups ONLY (TAXII)"
]
},
{
"cell_type": "code",
"execution_count": 78,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Groups in PRE-ATT&CK\n",
"7\n"
]
},
{
"name": "stderr",
"output_type": "stream",
"text": [
"/usr/local/lib/python3.8/site-packages/attackcti/attack_api.py:473: UserWarning: PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\n",
" warnings.warn(\"PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\")\n"
]
}
],
"source": [
"print(\"Number of Groups in PRE-ATT&CK\")\n",
"groups = lift.get_pre_groups()\n",
"print(len(groups))"
]
},
{
"cell_type": "code",
"execution_count": 79,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"\n",
"\n",
"
\n",
" \n",
" \n",
" | \n",
" created_by_ref | \n",
" object_marking_refs | \n",
" external_references | \n",
" name | \n",
" description | \n",
" type | \n",
" id | \n",
" aliases | \n",
" modified | \n",
" created | \n",
" x_mitre_version | \n",
" x_mitre_contributors | \n",
"
\n",
" \n",
" \n",
" \n",
" 0 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'url': 'https://attack.mitre.org/groups/G008... | \n",
" TEMP.Veles | \n",
" [TEMP.Veles](https://attack.mitre.org/groups/G... | \n",
" intrusion-set | \n",
" intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... | \n",
" [TEMP.Veles, XENOTIME] | \n",
" 2020-10-04T23:31:36.937Z | \n",
" 2019-04-16T15:14:38.533Z | \n",
" 1.2 | \n",
" NaN | \n",
"
\n",
" \n",
" 1 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'mitre-attack', 'url': 'https... | \n",
" APT17 | \n",
" [APT17](https://attack.mitre.org/groups/G0025)... | \n",
" intrusion-set | \n",
" intrusion-set--090242d7-73fc-4738-af68-20162f7... | \n",
" [APT17, Deputy Dog] | \n",
" 2020-10-13T22:33:14.018Z | \n",
" 2017-05-31T21:31:57.307Z | \n",
" 1.1 | \n",
" NaN | \n",
"
\n",
" \n",
" 2 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'mitre-attack', 'url': 'https... | \n",
" APT16 | \n",
" [APT16](https://attack.mitre.org/groups/G0023)... | \n",
" intrusion-set | \n",
" intrusion-set--d6e88e18-81e8-4709-82d8-973095d... | \n",
" [APT16] | \n",
" 2020-10-12T19:54:58.537Z | \n",
" 2017-05-31T21:31:56.270Z | \n",
" 1.1 | \n",
" NaN | \n",
"
\n",
" \n",
" 3 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'mitre-attack', 'url': 'https... | \n",
" Night Dragon | \n",
" [Night Dragon](https://attack.mitre.org/groups... | \n",
" intrusion-set | \n",
" intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e... | \n",
" [Night Dragon] | \n",
" 2020-10-15T00:54:00.656Z | \n",
" 2017-05-31T21:31:51.643Z | \n",
" 1.3 | \n",
" NaN | \n",
"
\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references name \\\n",
"0 [{'url': 'https://attack.mitre.org/groups/G008... TEMP.Veles \n",
"1 [{'source_name': 'mitre-attack', 'url': 'https... APT17 \n",
"2 [{'source_name': 'mitre-attack', 'url': 'https... APT16 \n",
"3 [{'source_name': 'mitre-attack', 'url': 'https... Night Dragon \n",
"\n",
" description type \\\n",
"0 [TEMP.Veles](https://attack.mitre.org/groups/G... intrusion-set \n",
"1 [APT17](https://attack.mitre.org/groups/G0025)... intrusion-set \n",
"2 [APT16](https://attack.mitre.org/groups/G0023)... intrusion-set \n",
"3 [Night Dragon](https://attack.mitre.org/groups... intrusion-set \n",
"\n",
" id aliases \\\n",
"0 intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... [TEMP.Veles, XENOTIME] \n",
"1 intrusion-set--090242d7-73fc-4738-af68-20162f7... [APT17, Deputy Dog] \n",
"2 intrusion-set--d6e88e18-81e8-4709-82d8-973095d... [APT16] \n",
"3 intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e... [Night Dragon] \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-10-04T23:31:36.937Z 2019-04-16T15:14:38.533Z 1.2 \n",
"1 2020-10-13T22:33:14.018Z 2017-05-31T21:31:57.307Z 1.1 \n",
"2 2020-10-12T19:54:58.537Z 2017-05-31T21:31:56.270Z 1.1 \n",
"3 2020-10-15T00:54:00.656Z 2017-05-31T21:31:51.643Z 1.3 \n",
"\n",
" x_mitre_contributors \n",
"0 NaN \n",
"1 NaN \n",
"2 NaN \n",
"3 NaN "
]
},
"execution_count": 79,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"groups_list = []\n",
"for t in groups:\n",
" groups_list.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(groups_list)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Mobile Groups ONLY (TAXII)"
]
},
{
"cell_type": "code",
"execution_count": 80,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Groups in Mobile ATT&CK\n",
"3\n"
]
}
],
"source": [
"print(\"Number of Groups in Mobile ATT&CK\")\n",
"groups = lift.get_mobile_groups()\n",
"print(len(groups))"
]
},
{
"cell_type": "code",
"execution_count": 81,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"\n",
"\n",
"
\n",
" \n",
" \n",
" | \n",
" created_by_ref | \n",
" object_marking_refs | \n",
" external_references | \n",
" description | \n",
" name | \n",
" type | \n",
" id | \n",
" aliases | \n",
" modified | \n",
" created | \n",
" x_mitre_version | \n",
" x_mitre_contributors | \n",
"
\n",
" \n",
" \n",
" \n",
" 0 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'external_id': 'G0097', 'source_name': 'mitr... | \n",
" [Bouncing Golf](https://attack.mitre.org/group... | \n",
" Bouncing Golf | \n",
" intrusion-set | \n",
" intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a... | \n",
" [Bouncing Golf] | \n",
" 2020-03-26T20:58:44.722Z | \n",
" 2020-01-27T16:55:39.688Z | \n",
" 1.0 | \n",
" NaN | \n",
"
\n",
" \n",
" 1 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'mitre-attack', 'url': 'https... | \n",
" [Dark Caracal](https://attack.mitre.org/groups... | \n",
" Dark Caracal | \n",
" intrusion-set | \n",
" intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... | \n",
" [Dark Caracal] | \n",
" 2020-06-03T20:22:40.401Z | \n",
" 2018-10-17T00:14:20.652Z | \n",
" 1.2 | \n",
" NaN | \n",
"
\n",
" \n",
" 2 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'external_id': 'G0007', 'url': 'https://atta... | \n",
" [APT28](https://attack.mitre.org/groups/G0007)... | \n",
" APT28 | \n",
" intrusion-set | \n",
" intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8... | \n",
" [APT28, SNAKEMACKEREL, Swallowtail, Group 74, ... | \n",
" 2020-10-06T23:32:21.793Z | \n",
" 2017-05-31T21:31:48.664Z | \n",
" 3.0 | \n",
" [Sébastien Ruel, CGI, Drew Church, Splunk, Emi... | \n",
"
\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references \\\n",
"0 [{'external_id': 'G0097', 'source_name': 'mitr... \n",
"1 [{'source_name': 'mitre-attack', 'url': 'https... \n",
"2 [{'external_id': 'G0007', 'url': 'https://atta... \n",
"\n",
" description name \\\n",
"0 [Bouncing Golf](https://attack.mitre.org/group... Bouncing Golf \n",
"1 [Dark Caracal](https://attack.mitre.org/groups... Dark Caracal \n",
"2 [APT28](https://attack.mitre.org/groups/G0007)... APT28 \n",
"\n",
" type id \\\n",
"0 intrusion-set intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a... \n",
"1 intrusion-set intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... \n",
"2 intrusion-set intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8... \n",
"\n",
" aliases \\\n",
"0 [Bouncing Golf] \n",
"1 [Dark Caracal] \n",
"2 [APT28, SNAKEMACKEREL, Swallowtail, Group 74, ... \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-03-26T20:58:44.722Z 2020-01-27T16:55:39.688Z 1.0 \n",
"1 2020-06-03T20:22:40.401Z 2018-10-17T00:14:20.652Z 1.2 \n",
"2 2020-10-06T23:32:21.793Z 2017-05-31T21:31:48.664Z 3.0 \n",
"\n",
" x_mitre_contributors \n",
"0 NaN \n",
"1 NaN \n",
"2 [Sébastien Ruel, CGI, Drew Church, Splunk, Emi... "
]
},
"execution_count": 81,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"groups_list = []\n",
"for t in groups:\n",
" groups_list.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(groups_list)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Groups (TAXII)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"* This function gathers all groups defined in each Matrix (Enterprise, PRE & Mobile) and returns the unique ones\n",
" * This is because groups can be repeated across matrices"
]
},
{
"cell_type": "code",
"execution_count": 82,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Groups in ATT&CK\n",
"113\n"
]
}
],
"source": [
"print(\"Number of Groups in ATT&CK\")\n",
"groups = lift.get_groups()\n",
"print(len(groups))"
]
},
{
"cell_type": "code",
"execution_count": 83,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"\n",
"\n",
"
\n",
" \n",
" \n",
" | \n",
" created_by_ref | \n",
" object_marking_refs | \n",
" external_references | \n",
" name | \n",
" description | \n",
" type | \n",
" id | \n",
" aliases | \n",
" modified | \n",
" created | \n",
" x_mitre_version | \n",
" x_mitre_contributors | \n",
" revoked | \n",
"
\n",
" \n",
" \n",
" \n",
" 0 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'external_id': 'G0115', 'source_name': 'mitr... | \n",
" GOLD SOUTHFIELD | \n",
" [GOLD SOUTHFIELD](https://attack.mitre.org/gro... | \n",
" intrusion-set | \n",
" intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a... | \n",
" [GOLD SOUTHFIELD] | \n",
" 2020-10-06T15:32:20.089Z | \n",
" 2020-09-22T19:41:27.845Z | \n",
" 1.0 | \n",
" NaN | \n",
" NaN | \n",
"
\n",
" \n",
" 1 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'external_id': 'G0114', 'source_name': 'mitr... | \n",
" Chimera | \n",
" [Chimera](https://attack.mitre.org/groups/G011... | \n",
" intrusion-set | \n",
" intrusion-set--8c1f0187-0826-4320-bddc-5f326cf... | \n",
" [Chimera] | \n",
" 2020-10-05T20:59:57.694Z | \n",
" 2020-08-24T17:01:55.842Z | \n",
" 1.0 | \n",
" NaN | \n",
" NaN | \n",
"
\n",
" \n",
" 2 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'external_id': 'G0112', 'source_name': 'mitr... | \n",
" Windshift | \n",
" [Windshift](https://attack.mitre.org/groups/G0... | \n",
" intrusion-set | \n",
" intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a... | \n",
" [Windshift, Bahamut] | \n",
" 2020-06-26T13:46:14.122Z | \n",
" 2020-06-25T17:16:39.168Z | \n",
" 1.0 | \n",
" NaN | \n",
" NaN | \n",
"
\n",
" \n",
" 3 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'external_id': 'G0108', 'source_name': 'mitr... | \n",
" Blue Mockingbird | \n",
" [Blue Mockingbird](https://attack.mitre.org/gr... | \n",
" intrusion-set | \n",
" intrusion-set--73a80fab-2aa3-48e0-a4d0-3a48282... | \n",
" [Blue Mockingbird] | \n",
" 2020-06-25T13:59:09.596Z | \n",
" 2020-05-26T20:09:39.139Z | \n",
" 1.0 | \n",
" [Tony Lambert, Red Canary] | \n",
" NaN | \n",
"
\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references name \\\n",
"0 [{'external_id': 'G0115', 'source_name': 'mitr... GOLD SOUTHFIELD \n",
"1 [{'external_id': 'G0114', 'source_name': 'mitr... Chimera \n",
"2 [{'external_id': 'G0112', 'source_name': 'mitr... Windshift \n",
"3 [{'external_id': 'G0108', 'source_name': 'mitr... Blue Mockingbird \n",
"\n",
" description type \\\n",
"0 [GOLD SOUTHFIELD](https://attack.mitre.org/gro... intrusion-set \n",
"1 [Chimera](https://attack.mitre.org/groups/G011... intrusion-set \n",
"2 [Windshift](https://attack.mitre.org/groups/G0... intrusion-set \n",
"3 [Blue Mockingbird](https://attack.mitre.org/gr... intrusion-set \n",
"\n",
" id aliases \\\n",
"0 intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a... [GOLD SOUTHFIELD] \n",
"1 intrusion-set--8c1f0187-0826-4320-bddc-5f326cf... [Chimera] \n",
"2 intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a... [Windshift, Bahamut] \n",
"3 intrusion-set--73a80fab-2aa3-48e0-a4d0-3a48282... [Blue Mockingbird] \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-10-06T15:32:20.089Z 2020-09-22T19:41:27.845Z 1.0 \n",
"1 2020-10-05T20:59:57.694Z 2020-08-24T17:01:55.842Z 1.0 \n",
"2 2020-06-26T13:46:14.122Z 2020-06-25T17:16:39.168Z 1.0 \n",
"3 2020-06-25T13:59:09.596Z 2020-05-26T20:09:39.139Z 1.0 \n",
"\n",
" x_mitre_contributors revoked \n",
"0 NaN NaN \n",
"1 NaN NaN \n",
"2 NaN NaN \n",
"3 [Tony Lambert, Red Canary] NaN "
]
},
"execution_count": 83,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"groups_list = []\n",
"for t in groups:\n",
" groups_list.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(groups_list)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Enterprise & Mobile Software (Malware & Tools) (TAXII)"
]
},
{
"cell_type": "code",
"execution_count": 84,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Software in ATT&CK\n",
"523\n"
]
}
],
"source": [
"print(\"Number of Software in ATT&CK\")\n",
"software = lift.get_software()\n",
"print(len(software))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Enterprise Relationships ONLY (TAXII)"
]
},
{
"cell_type": "code",
"execution_count": 85,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"\n",
"\n",
"
\n",
" \n",
" \n",
" | \n",
" id | \n",
" name | \n",
" description | \n",
" created_by_ref | \n",
" object_marking_refs | \n",
" external_references | \n",
" type | \n",
" labels | \n",
" modified | \n",
" created | \n",
" x_mitre_version | \n",
" x_mitre_aliases | \n",
" x_mitre_platforms | \n",
" x_mitre_contributors | \n",
" x_mitre_old_attack_id | \n",
" revoked | \n",
"
\n",
" \n",
" \n",
" \n",
" 0 | \n",
" tool--975737f1-b10d-476f-8bda-3ec26ea57172 | \n",
" MCMD | \n",
" [MCMD](https://attack.mitre.org/software/S0500... | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'external_id': 'S0500', 'source_name': 'mitr... | \n",
" tool | \n",
" [tool] | \n",
" 2020-08-20T14:52:23.369Z | \n",
" 2020-08-13T17:15:25.702Z | \n",
" 1.0 | \n",
" [MCMD] | \n",
" [Windows] | \n",
" NaN | \n",
" NaN | \n",
" NaN | \n",
"
\n",
" \n",
" 1 | \n",
" tool--c4810609-7da6-48ec-8057-1b70a7814db0 | \n",
" CrackMapExec | \n",
" [CrackMapExec](https://attack.mitre.org/softwa... | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'external_id': 'S0488', 'source_name': 'mitr... | \n",
" tool | \n",
" [tool] | \n",
" 2020-07-29T20:19:40.544Z | \n",
" 2020-07-17T14:23:05.958Z | \n",
" 1.0 | \n",
" [CrackMapExec] | \n",
" [Windows] | \n",
" NaN | \n",
" NaN | \n",
" NaN | \n",
"
\n",
" \n",
" 2 | \n",
" tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4 | \n",
" CARROTBALL | \n",
" [CARROTBALL](https://attack.mitre.org/software... | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'external_id': 'S0465', 'source_name': 'mitr... | \n",
" tool | \n",
" [tool] | \n",
" 2020-06-10T14:44:23.055Z | \n",
" 2020-06-02T19:10:29.513Z | \n",
" 1.0 | \n",
" [CARROTBALL] | \n",
" [Windows] | \n",
" NaN | \n",
" NaN | \n",
" NaN | \n",
"
\n",
" \n",
" 3 | \n",
" tool--115f88dd-0618-4389-83cb-98d33ae81848 | \n",
" ShimRatReporter | \n",
" [ShimRatReporter](https://attack.mitre.org/sof... | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'external_id': 'S0445', 'source_name': 'mitr... | \n",
" tool | \n",
" [tool] | \n",
" 2020-05-27T22:39:28.701Z | \n",
" 2020-05-12T21:29:48.294Z | \n",
" 1.0 | \n",
" [ShimRatReporter] | \n",
" [Windows] | \n",
" NaN | \n",
" NaN | \n",
" NaN | \n",
"
\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" id name \\\n",
"0 tool--975737f1-b10d-476f-8bda-3ec26ea57172 MCMD \n",
"1 tool--c4810609-7da6-48ec-8057-1b70a7814db0 CrackMapExec \n",
"2 tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4 CARROTBALL \n",
"3 tool--115f88dd-0618-4389-83cb-98d33ae81848 ShimRatReporter \n",
"\n",
" description \\\n",
"0 [MCMD](https://attack.mitre.org/software/S0500... \n",
"1 [CrackMapExec](https://attack.mitre.org/softwa... \n",
"2 [CARROTBALL](https://attack.mitre.org/software... \n",
"3 [ShimRatReporter](https://attack.mitre.org/sof... \n",
"\n",
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references type labels \\\n",
"0 [{'external_id': 'S0500', 'source_name': 'mitr... tool [tool] \n",
"1 [{'external_id': 'S0488', 'source_name': 'mitr... tool [tool] \n",
"2 [{'external_id': 'S0465', 'source_name': 'mitr... tool [tool] \n",
"3 [{'external_id': 'S0445', 'source_name': 'mitr... tool [tool] \n",
"\n",
" modified created x_mitre_version \\\n",
"0 2020-08-20T14:52:23.369Z 2020-08-13T17:15:25.702Z 1.0 \n",
"1 2020-07-29T20:19:40.544Z 2020-07-17T14:23:05.958Z 1.0 \n",
"2 2020-06-10T14:44:23.055Z 2020-06-02T19:10:29.513Z 1.0 \n",
"3 2020-05-27T22:39:28.701Z 2020-05-12T21:29:48.294Z 1.0 \n",
"\n",
" x_mitre_aliases x_mitre_platforms x_mitre_contributors \\\n",
"0 [MCMD] [Windows] NaN \n",
"1 [CrackMapExec] [Windows] NaN \n",
"2 [CARROTBALL] [Windows] NaN \n",
"3 [ShimRatReporter] [Windows] NaN \n",
"\n",
" x_mitre_old_attack_id revoked \n",
"0 NaN NaN \n",
"1 NaN NaN \n",
"2 NaN NaN \n",
"3 NaN NaN "
]
},
"execution_count": 85,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"software_list = []\n",
"for t in software:\n",
" software_list.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(software_list)\n",
"df[0:4]"
]
},
{
"cell_type": "code",
"execution_count": 86,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Relationships in Enterprise ATT&CK\n",
"9263\n"
]
}
],
"source": [
"print(\"Number of Relationships in Enterprise ATT&CK\")\n",
"relationships = lift.get_enterprise_relationships()\n",
"print(len(relationships))"
]
},
{
"cell_type": "code",
"execution_count": 87,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"\n",
"\n",
"
\n",
" \n",
" \n",
" | \n",
" object_marking_refs | \n",
" external_references | \n",
" id | \n",
" type | \n",
" created | \n",
" description | \n",
" created_by_ref | \n",
" modified | \n",
" source_ref | \n",
" relationship_type | \n",
" target_ref | \n",
"
\n",
" \n",
" \n",
" \n",
" 0 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | \n",
" relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd... | \n",
" relationship | \n",
" 2020-11-10T18:04:03.668Z | \n",
" (Citation: FireEye KEGTAP SINGLEMALT October 2... | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" 2020-11-10T18:04:03.668Z | \n",
" intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | \n",
" uses | \n",
" malware--a7881f21-e978-4fe4-af56-92c9416a2616 | \n",
"
\n",
" \n",
" 1 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | \n",
" relationship--c118e50b-4559-4bff-bde5-78aa426f... | \n",
" relationship | \n",
" 2020-11-10T18:04:03.666Z | \n",
" (Citation: FireEye KEGTAP SINGLEMALT October 2... | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" 2020-11-10T18:04:03.666Z | \n",
" intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | \n",
" uses | \n",
" tool--afc079f3-c0ea-4096-b75d-3f05338b7f60 | \n",
"
\n",
" \n",
" 2 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'DFIR Ryuk's Return October 2... | \n",
" relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e... | \n",
" relationship | \n",
" 2020-11-10T18:04:03.589Z | \n",
" (Citation: DFIR Ryuk's Return October 2020)(Ci... | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" 2020-11-10T18:04:03.589Z | \n",
" intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | \n",
" uses | \n",
" tool--b77b563c-34bb-4fb8-86a3-3694338f7b47 | \n",
"
\n",
" \n",
" 3 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | \n",
" relationship--585842e6-fe9a-4508-8e67-c232f8aa... | \n",
" relationship | \n",
" 2020-11-10T18:04:03.571Z | \n",
" (Citation: FireEye KEGTAP SINGLEMALT October 2... | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" 2020-11-10T18:04:03.571Z | \n",
" intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | \n",
" uses | \n",
" tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf | \n",
"
\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references \\\n",
"0 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n",
"1 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n",
"2 [{'source_name': 'DFIR Ryuk's Return October 2... \n",
"3 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n",
"\n",
" id type \\\n",
"0 relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd... relationship \n",
"1 relationship--c118e50b-4559-4bff-bde5-78aa426f... relationship \n",
"2 relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e... relationship \n",
"3 relationship--585842e6-fe9a-4508-8e67-c232f8aa... relationship \n",
"\n",
" created \\\n",
"0 2020-11-10T18:04:03.668Z \n",
"1 2020-11-10T18:04:03.666Z \n",
"2 2020-11-10T18:04:03.589Z \n",
"3 2020-11-10T18:04:03.571Z \n",
"\n",
" description \\\n",
"0 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n",
"1 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n",
"2 (Citation: DFIR Ryuk's Return October 2020)(Ci... \n",
"3 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n",
"\n",
" created_by_ref modified \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.668Z \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.666Z \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.589Z \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.571Z \n",
"\n",
" source_ref relationship_type \\\n",
"0 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n",
"1 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n",
"2 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n",
"3 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n",
"\n",
" target_ref \n",
"0 malware--a7881f21-e978-4fe4-af56-92c9416a2616 \n",
"1 tool--afc079f3-c0ea-4096-b75d-3f05338b7f60 \n",
"2 tool--b77b563c-34bb-4fb8-86a3-3694338f7b47 \n",
"3 tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf "
]
},
"execution_count": 87,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"relations_list = []\n",
"for t in relationships:\n",
" relations_list.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(relations_list)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All PRE Relationships ONLY (TAXII)"
]
},
{
"cell_type": "code",
"execution_count": 88,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Relationships in PRE-ATT&CK\n",
"69\n"
]
},
{
"name": "stderr",
"output_type": "stream",
"text": [
"/usr/local/lib/python3.8/site-packages/attackcti/attack_api.py:491: UserWarning: PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\n",
" warnings.warn(\"PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\")\n"
]
}
],
"source": [
"print(\"Number of Relationships in PRE-ATT&CK\")\n",
"relationships = lift.get_pre_relationships()\n",
"print(len(relationships))"
]
},
{
"cell_type": "code",
"execution_count": 89,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"\n",
"\n",
"
\n",
" \n",
" \n",
" | \n",
" created_by_ref | \n",
" object_marking_refs | \n",
" external_references | \n",
" description | \n",
" id | \n",
" type | \n",
" modified | \n",
" created | \n",
" source_ref | \n",
" relationship_type | \n",
" target_ref | \n",
"
\n",
" \n",
" \n",
" \n",
" 0 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'Mandiant APT1', 'description... | \n",
" [APT1](https://attack.mitre.org/groups/G0006) ... | \n",
" relationship--980656e3-ba60-49ee-9ce8-cbe1a0dc... | \n",
" relationship | \n",
" 2020-03-25T13:59:27.774Z | \n",
" 2020-03-25T13:59:27.774Z | \n",
" intrusion-set--6a2e693f-24e5-451a-9f88-b36a108... | \n",
" uses | \n",
" attack-pattern--4900fabf-1142-4c1f-92f5-0b590e... | \n",
"
\n",
" \n",
" 1 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'description': 'Miller, S, et al. (2019, Apr... | \n",
" [TEMP.Veles](https://attack.mitre.org/groups/G... | \n",
" relationship--21842707-0f15-43bf-bc42-2bceadf2... | \n",
" relationship | \n",
" 2019-04-29T18:59:16.596Z | \n",
" 2019-04-24T19:45:44.212Z | \n",
" intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... | \n",
" uses | \n",
" attack-pattern--20a66013-8dab-4ca3-a67d-766c84... | \n",
"
\n",
" \n",
" 2 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'description': 'Miller, S, et al. (2019, Apr... | \n",
" [TEMP.Veles](https://attack.mitre.org/groups/G... | \n",
" relationship--2d95ed6f-52e7-4708-af15-9a6c0839... | \n",
" relationship | \n",
" 2019-04-29T18:59:16.595Z | \n",
" 2019-04-24T19:45:44.205Z | \n",
" intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... | \n",
" uses | \n",
" attack-pattern--795c1a92-3a26-453e-b99a-6a566a... | \n",
"
\n",
" \n",
" 3 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" NaN | \n",
" NaN | \n",
" relationship--83379e43-4bc5-4c49-b0b3-f41161e8... | \n",
" relationship | \n",
" 2019-02-19T18:56:56.770Z | \n",
" 2019-02-19T18:56:56.770Z | \n",
" attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1... | \n",
" related-to | \n",
" attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42... | \n",
"
\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references \\\n",
"0 [{'source_name': 'Mandiant APT1', 'description... \n",
"1 [{'description': 'Miller, S, et al. (2019, Apr... \n",
"2 [{'description': 'Miller, S, et al. (2019, Apr... \n",
"3 NaN \n",
"\n",
" description \\\n",
"0 [APT1](https://attack.mitre.org/groups/G0006) ... \n",
"1 [TEMP.Veles](https://attack.mitre.org/groups/G... \n",
"2 [TEMP.Veles](https://attack.mitre.org/groups/G... \n",
"3 NaN \n",
"\n",
" id type \\\n",
"0 relationship--980656e3-ba60-49ee-9ce8-cbe1a0dc... relationship \n",
"1 relationship--21842707-0f15-43bf-bc42-2bceadf2... relationship \n",
"2 relationship--2d95ed6f-52e7-4708-af15-9a6c0839... relationship \n",
"3 relationship--83379e43-4bc5-4c49-b0b3-f41161e8... relationship \n",
"\n",
" modified created \\\n",
"0 2020-03-25T13:59:27.774Z 2020-03-25T13:59:27.774Z \n",
"1 2019-04-29T18:59:16.596Z 2019-04-24T19:45:44.212Z \n",
"2 2019-04-29T18:59:16.595Z 2019-04-24T19:45:44.205Z \n",
"3 2019-02-19T18:56:56.770Z 2019-02-19T18:56:56.770Z \n",
"\n",
" source_ref relationship_type \\\n",
"0 intrusion-set--6a2e693f-24e5-451a-9f88-b36a108... uses \n",
"1 intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... uses \n",
"2 intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... uses \n",
"3 attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1... related-to \n",
"\n",
" target_ref \n",
"0 attack-pattern--4900fabf-1142-4c1f-92f5-0b590e... \n",
"1 attack-pattern--20a66013-8dab-4ca3-a67d-766c84... \n",
"2 attack-pattern--795c1a92-3a26-453e-b99a-6a566a... \n",
"3 attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42... "
]
},
"execution_count": 89,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"relations_list = []\n",
"for t in relationships:\n",
" relations_list.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(relations_list)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Mobile Relationships ONLY (TAXII)"
]
},
{
"cell_type": "code",
"execution_count": 90,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Relationships in Mobile ATT&CK\n",
"795\n"
]
}
],
"source": [
"print(\"Number of Relationships in Mobile ATT&CK\")\n",
"relationships = lift.get_mobile_relationships()\n",
"print(len(relationships))"
]
},
{
"cell_type": "code",
"execution_count": 91,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"\n",
"\n",
"
\n",
" \n",
" \n",
" | \n",
" created_by_ref | \n",
" object_marking_refs | \n",
" id | \n",
" type | \n",
" modified | \n",
" created | \n",
" source_ref | \n",
" relationship_type | \n",
" target_ref | \n",
" description | \n",
" external_references | \n",
"
\n",
" \n",
" \n",
" \n",
" 0 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" relationship--39f46abc-d9e3-463d-9340-3bc8334a... | \n",
" relationship | \n",
" 2020-10-23T15:05:40.967Z | \n",
" 2020-10-23T15:05:40.967Z | \n",
" attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab... | \n",
" revoked-by | \n",
" attack-pattern--77e30eee-fd48-40b4-99ec-73e97c... | \n",
" NaN | \n",
" NaN | \n",
"
\n",
" \n",
" 1 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" relationship--e373111c-aa34-4686-a286-7c9b4267... | \n",
" relationship | \n",
" 2020-10-01T12:43:42.238Z | \n",
" 2020-09-30T14:48:16.522Z | \n",
" course-of-action--0beabf44-e8d8-4ae4-9122-ef56... | \n",
" mitigates | \n",
" attack-pattern--8197f026-64da-4700-93b9-b55ba5... | \n",
" New OS releases frequently contain additional ... | \n",
" NaN | \n",
"
\n",
" \n",
" 2 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" relationship--37459382-00b7-4699-a294-d25f53bf... | \n",
" relationship | \n",
" 2020-10-01T12:42:21.985Z | \n",
" 2020-09-30T14:36:43.256Z | \n",
" course-of-action--0beabf44-e8d8-4ae4-9122-ef56... | \n",
" mitigates | \n",
" attack-pattern--77e30eee-fd48-40b4-99ec-73e97c... | \n",
" iOS 11 introduced a first-come-first-served pr... | \n",
" [{'source_name': 'Trend Micro iOS URL Hijackin... | \n",
"
\n",
" \n",
" 3 | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" relationship--455b1287-5784-42b4-91fb-01dac007... | \n",
" relationship | \n",
" 2020-09-29T13:24:15.234Z | \n",
" 2020-09-29T13:24:15.234Z | \n",
" malware--317a2c10-d489-431e-b6b2-f0251fddc88e | \n",
" uses | \n",
" attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd2... | \n",
" [Dendroid](https://attack.mitre.org/software/S... | \n",
" [{'source_name': 'Lookout-Dendroid', 'descript... | \n",
"
\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" created_by_ref \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n",
"\n",
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" id type \\\n",
"0 relationship--39f46abc-d9e3-463d-9340-3bc8334a... relationship \n",
"1 relationship--e373111c-aa34-4686-a286-7c9b4267... relationship \n",
"2 relationship--37459382-00b7-4699-a294-d25f53bf... relationship \n",
"3 relationship--455b1287-5784-42b4-91fb-01dac007... relationship \n",
"\n",
" modified created \\\n",
"0 2020-10-23T15:05:40.967Z 2020-10-23T15:05:40.967Z \n",
"1 2020-10-01T12:43:42.238Z 2020-09-30T14:48:16.522Z \n",
"2 2020-10-01T12:42:21.985Z 2020-09-30T14:36:43.256Z \n",
"3 2020-09-29T13:24:15.234Z 2020-09-29T13:24:15.234Z \n",
"\n",
" source_ref relationship_type \\\n",
"0 attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab... revoked-by \n",
"1 course-of-action--0beabf44-e8d8-4ae4-9122-ef56... mitigates \n",
"2 course-of-action--0beabf44-e8d8-4ae4-9122-ef56... mitigates \n",
"3 malware--317a2c10-d489-431e-b6b2-f0251fddc88e uses \n",
"\n",
" target_ref \\\n",
"0 attack-pattern--77e30eee-fd48-40b4-99ec-73e97c... \n",
"1 attack-pattern--8197f026-64da-4700-93b9-b55ba5... \n",
"2 attack-pattern--77e30eee-fd48-40b4-99ec-73e97c... \n",
"3 attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd2... \n",
"\n",
" description \\\n",
"0 NaN \n",
"1 New OS releases frequently contain additional ... \n",
"2 iOS 11 introduced a first-come-first-served pr... \n",
"3 [Dendroid](https://attack.mitre.org/software/S... \n",
"\n",
" external_references \n",
"0 NaN \n",
"1 NaN \n",
"2 [{'source_name': 'Trend Micro iOS URL Hijackin... \n",
"3 [{'source_name': 'Lookout-Dendroid', 'descript... "
]
},
"execution_count": 91,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"relations_list = []\n",
"for t in relationships:\n",
" relations_list.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(relations_list)\n",
"df[0:4]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Get All Relationships (TAXII)"
]
},
{
"cell_type": "code",
"execution_count": 92,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Number of Relationships in ATT&CK\n",
"10635\n"
]
}
],
"source": [
"print(\"Number of Relationships in ATT&CK\")\n",
"relationships = lift.get_relationships()\n",
"print(len(relationships))"
]
},
{
"cell_type": "code",
"execution_count": 93,
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"\n",
"\n",
"
\n",
" \n",
" \n",
" | \n",
" object_marking_refs | \n",
" external_references | \n",
" id | \n",
" type | \n",
" created | \n",
" description | \n",
" created_by_ref | \n",
" modified | \n",
" source_ref | \n",
" relationship_type | \n",
" target_ref | \n",
"
\n",
" \n",
" \n",
" \n",
" 0 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | \n",
" relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd... | \n",
" relationship | \n",
" 2020-11-10T18:04:03.668Z | \n",
" (Citation: FireEye KEGTAP SINGLEMALT October 2... | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" 2020-11-10T18:04:03.668Z | \n",
" intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | \n",
" uses | \n",
" malware--a7881f21-e978-4fe4-af56-92c9416a2616 | \n",
"
\n",
" \n",
" 1 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | \n",
" relationship--c118e50b-4559-4bff-bde5-78aa426f... | \n",
" relationship | \n",
" 2020-11-10T18:04:03.666Z | \n",
" (Citation: FireEye KEGTAP SINGLEMALT October 2... | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" 2020-11-10T18:04:03.666Z | \n",
" intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | \n",
" uses | \n",
" tool--afc079f3-c0ea-4096-b75d-3f05338b7f60 | \n",
"
\n",
" \n",
" 2 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'DFIR Ryuk's Return October 2... | \n",
" relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e... | \n",
" relationship | \n",
" 2020-11-10T18:04:03.589Z | \n",
" (Citation: DFIR Ryuk's Return October 2020)(Ci... | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" 2020-11-10T18:04:03.589Z | \n",
" intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | \n",
" uses | \n",
" tool--b77b563c-34bb-4fb8-86a3-3694338f7b47 | \n",
"
\n",
" \n",
" 3 | \n",
" [marking-definition--fa42a846-8d90-4e51-bc29-7... | \n",
" [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... | \n",
" relationship--585842e6-fe9a-4508-8e67-c232f8aa... | \n",
" relationship | \n",
" 2020-11-10T18:04:03.571Z | \n",
" (Citation: FireEye KEGTAP SINGLEMALT October 2... | \n",
" identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | \n",
" 2020-11-10T18:04:03.571Z | \n",
" intrusion-set--dd2d9ca6-505b-4860-a604-233685b... | \n",
" uses | \n",
" tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf | \n",
"
\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" object_marking_refs \\\n",
"0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n",
"\n",
" external_references \\\n",
"0 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n",
"1 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n",
"2 [{'source_name': 'DFIR Ryuk's Return October 2... \n",
"3 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n",
"\n",
" id type \\\n",
"0 relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd... relationship \n",
"1 relationship--c118e50b-4559-4bff-bde5-78aa426f... relationship \n",
"2 relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e... relationship \n",
"3 relationship--585842e6-fe9a-4508-8e67-c232f8aa... relationship \n",
"\n",
" created \\\n",
"0 2020-11-10T18:04:03.668Z \n",
"1 2020-11-10T18:04:03.666Z \n",
"2 2020-11-10T18:04:03.589Z \n",
"3 2020-11-10T18:04:03.571Z \n",
"\n",
" description \\\n",
"0 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n",
"1 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n",
"2 (Citation: DFIR Ryuk's Return October 2020)(Ci... \n",
"3 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n",
"\n",
" created_by_ref modified \\\n",
"0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.668Z \n",
"1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.666Z \n",
"2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.589Z \n",
"3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.571Z \n",
"\n",
" source_ref relationship_type \\\n",
"0 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n",
"1 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n",
"2 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n",
"3 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n",
"\n",
" target_ref \n",
"0 malware--a7881f21-e978-4fe4-af56-92c9416a2616 \n",
"1 tool--afc079f3-c0ea-4096-b75d-3f05338b7f60 \n",
"2 tool--b77b563c-34bb-4fb8-86a3-3694338f7b47 \n",
"3 tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf "
]
},
"execution_count": 93,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"relations_list = []\n",
"for t in relationships:\n",
" relations_list.append(json.loads(t.serialize()))\n",
"df = pandas.json_normalize(relations_list)\n",
"df[0:4]"
]
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.8.5"
}
},
"nbformat": 4,
"nbformat_minor": 4
}