{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# **MITRE ATT&CK API BASICS**: Python Client\n", "------------------" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Import ATT&CK API Client" ] }, { "cell_type": "code", "execution_count": 1, "metadata": {}, "outputs": [], "source": [ "from attackcti import attack_client" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Import Extra Libraries" ] }, { "cell_type": "code", "execution_count": 2, "metadata": {}, "outputs": [], "source": [ "# pandas is referenced by module name below (pandas.json_normalize), so import it explicitly\n", "import pandas\n", "import json" ] }, { "cell_type": "code", "execution_count": 3, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "'1.1.2'" ] }, "execution_count": 3, "metadata": {}, "output_type": "execute_result" } ], "source": [ "pandas.__version__" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Initialize ATT&CK Client Variable" ] }, { "cell_type": "code", "execution_count": 4, "metadata": {}, "outputs": [], "source": [ "lift = attack_client()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## **Collect (Enterprise ATT&CK, PRE-ATT&CK & Mobile ATT&CK)**\n", "* I usually collect all the STIX object types available from all the ATT&CK matrices first when I want to analyze ATT&CK's data.\n", "* In this section, we will collect everything from Enterprise ATT&CK, PRE-ATT&CK and Mobile ATT&CK via three functions that query the ATT&CK content MITRE publishes in STIX™ 2.0 format on its public TAXII™ 2.0 server:\n", " * get_enterprise()\n", " * get_pre()\n", " * get_mobile()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Collect ALL Enterprise ATT&CK (TAXII)**" ] }, { "cell_type": "code", "execution_count": 5, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 2.75 s, sys: 107 ms, total: 2.86 s\n", "Wall time: 5.05 s\n" ] } ], "source": [ "%time all_enterprise = lift.get_enterprise()" ] }, { "cell_type": "markdown", "metadata": {}, 
"source": [ "**Collect ALL PRE-ATT&CK (TAXII)**\n", "\n", "Note the `UserWarning` in the output below: the library itself flags PRE-ATT&CK as deprecated and slated for removal in future versions." ] }, { "cell_type": "code", "execution_count": 6, "metadata": {}, "outputs": [ { "name": "stderr", "output_type": "stream", "text": [ "/usr/local/lib/python3.8/site-packages/attackcti/attack_api.py:426: UserWarning: PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\n", " warnings.warn(\"PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\")\n" ] }, { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 124 ms, sys: 9.77 ms, total: 133 ms\n", "Wall time: 539 ms\n" ] } ], "source": [ "%time all_pre = lift.get_pre()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Collect ALL Mobile ATT&CK (TAXII)**" ] }, { "cell_type": "code", "execution_count": 7, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 300 ms, sys: 16.7 ms, total: 317 ms\n", "Wall time: 766 ms\n" ] } ], "source": [ "%time all_mobile = lift.get_mobile()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## **Collect ALL (runs all three previous functions and merges the results)**" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "The **get_stix_objects()** function returns a dictionary with all the STIX object types from all matrices:\n", "* techniques\n", "* mitigations\n", "* groups\n", "* malware\n", "* tools\n", "* relationships" ] }, { "cell_type": "code", "execution_count": 8, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 2min 48s, sys: 823 ms, total: 2min 49s\n", "Wall time: 2min 54s\n" ] } ], "source": [ "%time all_attack = lift.get_stix_objects()" ] }, { "cell_type": "code", "execution_count": 9, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "dict" ] }, "execution_count": 9, "metadata": {}, "output_type": "execute_result" } ], "source": [ "type(all_attack)" ] }, { "cell_type": 
"markdown", "metadata": {}, "source": [ "### Get All Techniques from ATT&CK Results (Locally - STIX format)\n", "* This returns every technique across the whole ATT&CK framework, without their associated mitigation information" ] }, { "cell_type": "code", "execution_count": 10, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in ATT&CK\n", "1024\n" ] } ], "source": [ "print(\"Number of Techniques in ATT&CK\")\n", "print(len(all_attack['techniques']))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "* By default, the objects returned by the attackcti library functions are **stix2** objects\n", "* However, if you want to work with libraries such as **Pandas**, they need to be converted to **dict** first (the next cell does this with `json.loads(t.serialize())`)" ] }, { "cell_type": "code", "execution_count": 11, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created name \\\n", "0 2020-10-20T00:09:33.072Z Network Device CLI \n", "1 2020-10-20T00:08:21.745Z Network Device Configuration Dump \n", "2 2020-10-20T00:06:56.180Z TFTP Boot \n", "3 2020-10-20T00:05:48.790Z ROMMONkit \n", "4 2020-10-19T23:51:05.953Z SNMP (MIB Dump) \n", "\n", " x_mitre_data_sources x_mitre_platforms \n", "0 [Network device logs, Network device run-time ... [Network] \n", "1 [Netflow/Enclave netflow, Network protocol ana... [Network] \n", "2 [Network device run-time memory, Network devic... [Network] \n", "3 [File monitoring, Netflow/Enclave netflow, Net... [Network] \n", "4 [Netflow/Enclave netflow, Network protocol ana... [Network] " ] }, "execution_count": 11, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques = []\n", "for t in all_attack['techniques']:\n", " techniques.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(techniques)\n", "df.reindex(['created','name', 'x_mitre_data_sources', 'x_mitre_platforms'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Techniques**" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "This schema covers techniques from Enterprise, PRE and Mobile ATT&CK" ] }, { "cell_type": "code", "execution_count": 12, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['id',\n", " 'description',\n", " 'name',\n", " 'created_by_ref',\n", " 'object_marking_refs',\n", " 'external_references',\n", " 'type',\n", " 'kill_chain_phases',\n", " 'modified',\n", " 'created',\n", " 'x_mitre_data_sources',\n", " 'x_mitre_platforms',\n", " 'x_mitre_is_subtechnique',\n", " 'x_mitre_version',\n", " 'x_mitre_detection',\n", " 'x_mitre_permissions_required',\n", " 'x_mitre_defense_bypassed',\n", " 'x_mitre_contributors',\n", " 'x_mitre_system_requirements',\n", " 'x_mitre_network_requirements',\n", " 'x_mitre_effective_permissions',\n", " 'x_mitre_remote_support',\n", " 'x_mitre_impact_type',\n", " 
'revoked',\n", " 'x_mitre_deprecated',\n", " 'x_mitre_old_attack_id',\n", " 'x_mitre_difficulty_for_adversary_explanation',\n", " 'x_mitre_difficulty_for_adversary',\n", " 'x_mitre_detectable_by_common_defenses_explanation',\n", " 'x_mitre_detectable_by_common_defenses',\n", " 'x_mitre_tactic_type']" ] }, "execution_count": 12, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing one technique example**" ] }, { "cell_type": "code", "execution_count": 13, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'id': 'attack-pattern--818302b2-d640-477b-bf88-873120ce85c4',\n", " 'description': 'Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \\n\\nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or secure shell (SSH).\\n\\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. 
(Citation: Cisco Synful Knock Evolution)',\n", " 'name': 'Network Device CLI',\n", " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'external_references': [{'source_name': 'mitre-attack',\n", " 'external_id': 'T1059.008',\n", " 'url': 'https://attack.mitre.org/techniques/T1059/008'},\n", " {'source_name': 'Cisco Synful Knock Evolution',\n", " 'url': 'https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices',\n", " 'description': 'Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.'},\n", " {'source_name': 'Cisco IOS Software Integrity Assurance - Command History',\n", " 'url': 'https://tools.cisco.com/security/center/resources/integrity_assurance.html#23',\n", " 'description': 'Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.'}],\n", " 'type': 'attack-pattern',\n", " 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',\n", " 'phase_name': 'execution'}],\n", " 'modified': '2020-10-22T16:43:38.388Z',\n", " 'created': '2020-10-20T00:09:33.072Z',\n", " 'x_mitre_data_sources': ['Network device logs',\n", " 'Network device run-time memory',\n", " 'Network device command history',\n", " 'Network device configuration'],\n", " 'x_mitre_platforms': ['Network'],\n", " 'x_mitre_is_subtechnique': True,\n", " 'x_mitre_version': '1.0',\n", " 'x_mitre_detection': 'Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.(Citation: Cisco IOS Software Integrity Assurance - Command History)\\n\\nConsider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. 
The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.',\n", " 'x_mitre_permissions_required': ['Administrator', 'User']}" ] }, "execution_count": 13, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mitigations from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 14, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in ATT&CK\n", "296\n" ] } ], "source": [ "print(\"Number of Mitigations in ATT&CK\")\n", "print(len(all_attack['mitigations']))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "* Remember, we need to transform our results to dictionaries to be able to use them as pandas dataframes" ] }, { "cell_type": "code", "execution_count": 15, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references \\\n", "0 [{'source_name': 'mitre-attack', 'external_id'... \n", "1 [{'source_name': 'mitre-attack', 'external_id'... \n", "2 [{'source_name': 'mitre-attack', 'external_id'... \n", "3 [{'source_name': 'mitre-attack', 'external_id'... \n", "\n", " description name \\\n", "0 This category is used for any applicable mitig... Pre-compromise \n", "1 This category is to associate techniques that ... Do Not Mitigate \n", "2 Implement configuration changes to software (o... Software Configuration \n", "3 Take and store data backups from end user syst... Data Backup \n", "\n", " id type \\\n", "0 course-of-action--78bb71be-92b4-46de-acd6-5f99... course-of-action \n", "1 course-of-action--787fb64d-c87b-4ee5-a341-0ef1... course-of-action \n", "2 course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... course-of-action \n", "3 course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... 
course-of-action \n", "\n", " modified created x_mitre_version \\\n", "0 2020-10-20T19:52:32.439Z 2020-10-19T14:57:58.771Z 1.0 \n", "1 2019-07-23T14:44:24.727Z 2019-07-19T14:58:42.715Z 1.0 \n", "2 2020-03-31T13:11:09.471Z 2019-07-19T14:40:23.529Z 1.1 \n", "3 2020-03-31T13:11:28.201Z 2019-07-19T14:33:33.543Z 1.1 \n", "\n", " x_mitre_deprecated x_mitre_old_attack_id \n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN " ] }, "execution_count": 15, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mitigations = []\n", "for t in all_attack['mitigations']:\n", " mitigations.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(mitigations)\n", "df[0:4]" ] }, { "cell_type": "code", "execution_count": 16, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['created_by_ref',\n", " 'object_marking_refs',\n", " 'external_references',\n", " 'description',\n", " 'name',\n", " 'id',\n", " 'type',\n", " 'modified',\n", " 'created',\n", " 'x_mitre_version',\n", " 'x_mitre_deprecated',\n", " 'x_mitre_old_attack_id']" ] }, "execution_count": 16, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Groups from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 17, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in ATT&CK\n", "113\n" ] } ], "source": [ "print(\"Number of Groups in ATT&CK\")\n", "print(len(all_attack['groups']))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "* Once again, we need to transform our results to dictionaries to be able to use them as pandas dataframes" ] }, { "cell_type": "code", "execution_count": 18, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references name \\\n", "0 [{'external_id': 'G0115', 'source_name': 'mitr... GOLD SOUTHFIELD \n", "1 [{'external_id': 'G0114', 'source_name': 'mitr... Chimera \n", "2 [{'external_id': 'G0112', 'source_name': 'mitr... Windshift \n", "3 [{'external_id': 'G0108', 'source_name': 'mitr... Blue Mockingbird \n", "\n", " description type \\\n", "0 [GOLD SOUTHFIELD](https://attack.mitre.org/gro... intrusion-set \n", "1 [Chimera](https://attack.mitre.org/groups/G011... intrusion-set \n", "2 [Windshift](https://attack.mitre.org/groups/G0... intrusion-set \n", "3 [Blue Mockingbird](https://attack.mitre.org/gr... intrusion-set \n", "\n", " id aliases \\\n", "0 intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a... [GOLD SOUTHFIELD] \n", "1 intrusion-set--8c1f0187-0826-4320-bddc-5f326cf... [Chimera] \n", "2 intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a... [Windshift, Bahamut] \n", "3 intrusion-set--73a80fab-2aa3-48e0-a4d0-3a48282... 
[Blue Mockingbird] \n", "\n", " modified created x_mitre_version \\\n", "0 2020-10-06T15:32:20.089Z 2020-09-22T19:41:27.845Z 1.0 \n", "1 2020-10-05T20:59:57.694Z 2020-08-24T17:01:55.842Z 1.0 \n", "2 2020-06-26T13:46:14.122Z 2020-06-25T17:16:39.168Z 1.0 \n", "3 2020-06-25T13:59:09.596Z 2020-05-26T20:09:39.139Z 1.0 \n", "\n", " x_mitre_contributors revoked \n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 [Tony Lambert, Red Canary] NaN " ] }, "execution_count": 18, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups = []\n", "for t in all_attack['groups']:\n", " groups.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(groups)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Groups**" ] }, { "cell_type": "code", "execution_count": 19, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['created_by_ref',\n", " 'object_marking_refs',\n", " 'external_references',\n", " 'name',\n", " 'description',\n", " 'type',\n", " 'id',\n", " 'aliases',\n", " 'modified',\n", " 'created',\n", " 'x_mitre_version',\n", " 'x_mitre_contributors',\n", " 'revoked']" ] }, "execution_count": 19, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing one Groups example**" ] }, { "cell_type": "code", "execution_count": 20, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'external_references': [{'external_id': 'G0115',\n", " 'source_name': 'mitre-attack',\n", " 'url': 'https://attack.mitre.org/groups/G0115'},\n", " {'source_name': 'Secureworks REvil September 2019',\n", " 'url': 'https://www.secureworks.com/research/revil-sodinokibi-ransomware',\n", " 'description': 'Counter Threat Unit Research Team. (2019, September 24). 
REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.'},\n", " {'source_name': 'Secureworks GandCrab and REvil September 2019',\n", " 'url': 'https://www.secureworks.com/blog/revil-the-gandcrab-connection',\n", " 'description': 'Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.'},\n", " {'source_name': 'Secureworks GOLD SOUTHFIELD',\n", " 'url': 'https://www.secureworks.com/research/threat-profiles/gold-southfield',\n", " 'description': 'Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.'}],\n", " 'name': 'GOLD SOUTHFIELD',\n", " 'description': '[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)',\n", " 'type': 'intrusion-set',\n", " 'id': 'intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133',\n", " 'aliases': ['GOLD SOUTHFIELD'],\n", " 'modified': '2020-10-06T15:32:20.089Z',\n", " 'created': '2020-09-22T19:41:27.845Z',\n", " 'x_mitre_version': '1.0'}" ] }, "execution_count": 20, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Malware objects from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 21, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Malware in ATT&CK\n", "459\n" ] } ], "source": [ "print(\"Number of Malware in ATT&CK\")\n", "print(len(all_attack['malware']))" ] }, { "cell_type": "code", "execution_count": 22, "metadata": {}, "outputs": [ { "data": 
{ "text/html": [ "
" ], "text/plain": [ " external_references \\\n", "0 [{'external_id': 'S0519', 'source_name': 'mitr... \n", "1 [{'external_id': 'S0516', 'source_name': 'mitr... \n", "2 [{'external_id': 'S0515', 'source_name': 'mitr... \n", "3 [{'external_id': 'S0514', 'source_name': 'mitr... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description name \\\n", "0 [SYNful Knock](https://attack.mitre.org/softwa... SYNful Knock \n", "1 [SoreFang](https://attack.mitre.org/software/S... SoreFang \n", "2 [WellMail](https://attack.mitre.org/software/S... WellMail \n", "3 [WellMess](https://attack.mitre.org/software/S... 
WellMess \n", "\n", " id type labels \\\n", "0 malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053 malware [malware] \n", "1 malware--e33e4603-afab-402d-b2a1-248d435b5fe0 malware [malware] \n", "2 malware--959f3b19-2dc8-48d5-8942-c66813a5101a malware [malware] \n", "3 malware--3a4197ae-ec63-4162-907b-9a073d1157e4 malware [malware] \n", "\n", " modified created x_mitre_version \\\n", "0 2020-10-22T17:35:04.950Z 2020-10-19T16:38:11.279Z 1.0 \n", "1 2020-10-06T16:10:42.422Z 2020-09-29T19:33:35.122Z 1.0 \n", "2 2020-10-09T15:38:41.755Z 2020-09-29T17:48:27.517Z 1.0 \n", "3 2020-10-09T19:41:25.983Z 2020-09-24T19:39:44.392Z 1.0 \n", "\n", " x_mitre_aliases x_mitre_platforms \\\n", "0 [SYNful Knock] [Network] \n", "1 [SoreFang] [Windows] \n", "2 [WellMail] [Windows] \n", "3 [WellMess] [Windows] \n", "\n", " x_mitre_contributors revoked \\\n", "0 NaN NaN \n", "1 NaN NaN \n", "2 [Josh Campbell, Cyborg Security, @cyb0rgsecur1ty] NaN \n", "3 [Daniyal Naeem, @Mrdaniyalnaeem] NaN \n", "\n", " x_mitre_old_attack_id \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN " ] }, "execution_count": 22, "metadata": {}, "output_type": "execute_result" } ], "source": [ "malware = []\n", "for t in all_attack['malware']:\n", " malware.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(malware)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Malware**" ] }, { "cell_type": "code", "execution_count": 23, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['external_references',\n", " 'object_marking_refs',\n", " 'created_by_ref',\n", " 'description',\n", " 'name',\n", " 'id',\n", " 'type',\n", " 'labels',\n", " 'modified',\n", " 'created',\n", " 'x_mitre_version',\n", " 'x_mitre_aliases',\n", " 'x_mitre_platforms',\n", " 'x_mitre_contributors',\n", " 'revoked',\n", " 'x_mitre_old_attack_id']" ] }, "execution_count": 23, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", 
"metadata": {}, "source": [ "**Showing one Malware example**" ] }, { "cell_type": "code", "execution_count": 24, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'external_references': [{'external_id': 'S0519',\n", " 'source_name': 'mitre-attack',\n", " 'url': 'https://attack.mitre.org/software/S0519'},\n", " {'source_name': 'FireEye - Synful Knock',\n", " 'url': 'https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html',\n", " 'description': 'Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.'},\n", " {'source_name': 'Cisco Synful Knock Evolution',\n", " 'url': 'https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices',\n", " 'description': 'Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.'}],\n", " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'description': \"[SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: FireEye - Synful Knock)(Citation: Cisco Synful Knock Evolution)\",\n", " 'name': 'SYNful Knock',\n", " 'id': 'malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053',\n", " 'type': 'malware',\n", " 'labels': ['malware'],\n", " 'modified': '2020-10-22T17:35:04.950Z',\n", " 'created': '2020-10-19T16:38:11.279Z',\n", " 'x_mitre_version': '1.0',\n", " 'x_mitre_aliases': ['SYNful Knock'],\n", " 'x_mitre_platforms': ['Network']}" ] }, "execution_count": 24, "metadata": {}, "output_type": "execute_result" } ], "source": [ "malware[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Tools from ATT&CK Results (Locally)" ] }, { "cell_type": "code", 
"execution_count": 25, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Tools in ATT&CK\n", "64\n" ] } ], "source": [ "print(\"Number of Tools in ATT&CK\")\n", "print(len(all_attack['tools']))" ] }, { "cell_type": "code", "execution_count": 26, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " id name \\\n", "0 tool--975737f1-b10d-476f-8bda-3ec26ea57172 MCMD \n", "1 tool--c4810609-7da6-48ec-8057-1b70a7814db0 CrackMapExec \n", "2 tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4 CARROTBALL \n", "3 tool--115f88dd-0618-4389-83cb-98d33ae81848 ShimRatReporter \n", "\n", " description \\\n", "0 [MCMD](https://attack.mitre.org/software/S0500... \n", "1 [CrackMapExec](https://attack.mitre.org/softwa... \n", "2 [CARROTBALL](https://attack.mitre.org/software... \n", "3 [ShimRatReporter](https://attack.mitre.org/sof... \n", "\n", " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references type labels \\\n", "0 [{'external_id': 'S0500', 'source_name': 'mitr... tool [tool] \n", "1 [{'external_id': 'S0488', 'source_name': 'mitr... tool [tool] \n", "2 [{'external_id': 'S0465', 'source_name': 'mitr... tool [tool] \n", "3 [{'external_id': 'S0445', 'source_name': 'mitr... 
tool [tool] \n", "\n", " modified created x_mitre_version \\\n", "0 2020-08-20T14:52:23.369Z 2020-08-13T17:15:25.702Z 1.0 \n", "1 2020-07-29T20:19:40.544Z 2020-07-17T14:23:05.958Z 1.0 \n", "2 2020-06-10T14:44:23.055Z 2020-06-02T19:10:29.513Z 1.0 \n", "3 2020-05-27T22:39:28.701Z 2020-05-12T21:29:48.294Z 1.0 \n", "\n", " x_mitre_aliases x_mitre_platforms x_mitre_contributors \\\n", "0 [MCMD] [Windows] NaN \n", "1 [CrackMapExec] [Windows] NaN \n", "2 [CARROTBALL] [Windows] NaN \n", "3 [ShimRatReporter] [Windows] NaN \n", "\n", " x_mitre_old_attack_id \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN " ] }, "execution_count": 26, "metadata": {}, "output_type": "execute_result" } ], "source": [ "tools = []\n", "for t in all_attack['tools']:\n", " tools.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(tools)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Tools**" ] }, { "cell_type": "code", "execution_count": 27, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['id',\n", " 'name',\n", " 'description',\n", " 'created_by_ref',\n", " 'object_marking_refs',\n", " 'external_references',\n", " 'type',\n", " 'labels',\n", " 'modified',\n", " 'created',\n", " 'x_mitre_version',\n", " 'x_mitre_aliases',\n", " 'x_mitre_platforms',\n", " 'x_mitre_contributors',\n", " 'x_mitre_old_attack_id']" ] }, "execution_count": 27, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing one Tool example**" ] }, { "cell_type": "code", "execution_count": 28, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'id': 'tool--975737f1-b10d-476f-8bda-3ec26ea57172',\n", " 'name': 'MCMD',\n", " 'description': '[MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074).(Citation: Secureworks MCMD July 
2019)',\n", " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'external_references': [{'external_id': 'S0500',\n", " 'source_name': 'mitre-attack',\n", " 'url': 'https://attack.mitre.org/software/S0500'},\n", " {'source_name': 'Secureworks MCMD July 2019',\n", " 'url': 'https://www.secureworks.com/research/mcmd-malware-analysis',\n", " 'description': 'Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.'}],\n", " 'type': 'tool',\n", " 'labels': ['tool'],\n", " 'modified': '2020-08-20T14:52:23.369Z',\n", " 'created': '2020-08-13T17:15:25.702Z',\n", " 'x_mitre_version': '1.0',\n", " 'x_mitre_aliases': ['MCMD'],\n", " 'x_mitre_platforms': ['Windows']}" ] }, "execution_count": 28, "metadata": {}, "output_type": "execute_result" } ], "source": [ "tools[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Relationships from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 29, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in ATT&CK\n", "10635\n" ] } ], "source": [ "print(\"Number of Relationships in ATT&CK\")\n", "print(len(all_attack['relationships']))" ] }, { "cell_type": "code", "execution_count": 30, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references \\\n", "0 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n", "1 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n", "2 [{'source_name': 'DFIR Ryuk's Return October 2... \n", "3 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n", "\n", " id type \\\n", "0 relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd... relationship \n", "1 relationship--c118e50b-4559-4bff-bde5-78aa426f... relationship \n", "2 relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e... relationship \n", "3 relationship--585842e6-fe9a-4508-8e67-c232f8aa... relationship \n", "\n", " created \\\n", "0 2020-11-10T18:04:03.668Z \n", "1 2020-11-10T18:04:03.666Z \n", "2 2020-11-10T18:04:03.589Z \n", "3 2020-11-10T18:04:03.571Z \n", "\n", " description \\\n", "0 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n", "1 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n", "2 (Citation: DFIR Ryuk's Return October 2020)(Ci... \n", "3 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n", "\n", " created_by_ref modified \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.668Z \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.666Z \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.589Z \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.571Z \n", "\n", " source_ref relationship_type \\\n", "0 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n", "1 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n", "2 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n", "3 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... 
uses \n", "\n", " target_ref \n", "0 malware--a7881f21-e978-4fe4-af56-92c9416a2616 \n", "1 tool--afc079f3-c0ea-4096-b75d-3f05338b7f60 \n", "2 tool--b77b563c-34bb-4fb8-86a3-3694338f7b47 \n", "3 tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf " ] }, "execution_count": 30, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relationships = []\n", "for t in all_attack['relationships']:\n", " relationships.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(relationships)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Relationships**" ] }, { "cell_type": "code", "execution_count": 31, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['object_marking_refs',\n", " 'external_references',\n", " 'id',\n", " 'type',\n", " 'created',\n", " 'description',\n", " 'created_by_ref',\n", " 'modified',\n", " 'source_ref',\n", " 'relationship_type',\n", " 'target_ref']" ] }, "execution_count": 31, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing one Relationship example**" ] }, { "cell_type": "code", "execution_count": 32, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'external_references': [{'source_name': 'FireEye KEGTAP SINGLEMALT October 2020',\n", " 'description': 'Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.',\n", " 'url': 'https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html'},\n", " {'source_name': 'DHS/CISA Ransomware Targeting Healthcare October 2020',\n", " 'description': 'DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. 
Retrieved October 28, 2020.',\n", " 'url': 'https://us-cert.cisa.gov/ncas/alerts/aa20-302a'},\n", " {'source_name': \"DFIR Ryuk's Return October 2020\",\n", " 'description': 'The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.',\n", " 'url': 'https://thedfirreport.com/2020/10/08/ryuks-return/'},\n", " {'source_name': 'DFIR Ryuk 2 Hour Speed Run November 2020',\n", " 'description': 'The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.',\n", " 'url': 'https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/'},\n", " {'source_name': 'DFIR Ryuk in 5 Hours October 2020',\n", " 'description': 'The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.',\n", " 'url': 'https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/'},\n", " {'source_name': 'Sophos New Ryuk Attack October 2020',\n", " 'description': 'Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. 
Retrieved October 14, 2020.',\n", " 'url': 'https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/'}],\n", " 'id': 'relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd06b0',\n", " 'type': 'relationship',\n", " 'created': '2020-11-10T18:04:03.668Z',\n", " 'description': \"(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)\",\n", " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'modified': '2020-11-10T18:04:03.668Z',\n", " 'source_ref': 'intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7',\n", " 'relationship_type': 'uses',\n", " 'target_ref': 'malware--a7881f21-e978-4fe4-af56-92c9416a2616'}" ] }, "execution_count": 32, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relationships[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Tactics from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 33, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Tactics in ATT&CK\n", "54\n" ] } ], "source": [ "print(\"Number of Tactics in ATT&CK\")\n", "print(len(all_attack['tactics']))" ] }, { "cell_type": "code", "execution_count": 34, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references name \\\n", "0 [{'external_id': 'TA0043', 'source_name': 'mit... Reconnaissance \n", "1 [{'external_id': 'TA0042', 'source_name': 'mit... Resource Development \n", "2 [{'external_id': 'TA0040', 'source_name': 'mit... Impact \n", "3 [{'external_id': 'TA0005', 'url': 'https://att... Defense Evasion \n", "\n", " description \\\n", "0 The adversary is trying to gather information ... \n", "1 The adversary is trying to establish resources... \n", "2 The adversary is trying to manipulate, interru... \n", "3 The adversary is trying to avoid being detecte... \n", "\n", " id type \\\n", "0 x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd... x-mitre-tactic \n", "1 x-mitre-tactic--d679bca2-e57d-4935-8650-8031c8... x-mitre-tactic \n", "2 x-mitre-tactic--5569339b-94c2-49ee-afb3-222293... x-mitre-tactic \n", "3 x-mitre-tactic--78b23412-0651-46d7-a540-170a1c... 
x-mitre-tactic \n", "\n", " modified created x_mitre_shortname \\\n", "0 2020-10-18T02:04:50.842Z 2020-10-02T14:48:41.809Z reconnaissance \n", "1 2020-09-30T16:31:36.322Z 2020-09-30T16:11:59.650Z resource-development \n", "2 2019-07-25T18:42:23.222Z 2019-03-14T18:44:44.639Z impact \n", "3 2019-07-19T17:43:23.473Z 2018-10-17T00:14:20.652Z defense-evasion \n", "\n", " x_mitre_deprecated \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN " ] }, "execution_count": 34, "metadata": {}, "output_type": "execute_result" } ], "source": [ "df = pandas.json_normalize(all_attack['tactics'])\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Tactics**" ] }, { "cell_type": "code", "execution_count": 35, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['created_by_ref',\n", " 'object_marking_refs',\n", " 'external_references',\n", " 'name',\n", " 'description',\n", " 'id',\n", " 'type',\n", " 'modified',\n", " 'created',\n", " 'x_mitre_shortname',\n", " 'x_mitre_deprecated']" ] }, "execution_count": 35, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Matrices from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 36, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Matrices in ATT&CK\n", "5\n" ] } ], "source": [ "print(\"Number of Matrices in ATT&CK\")\n", "print(len(all_attack['matrix']))" ] }, { "cell_type": "code", "execution_count": 37, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " id \\\n", "0 x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a8... \n", "1 x-mitre-matrix--2e2c97c3-1908-4e2d-a711-a27d38... \n", "2 x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff0... \n", "3 x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd... \n", "\n", " created_by_ref name \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 Enterprise ATT&CK \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 PRE-ATT&CK \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 Device Access \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 Network-Based Effects \n", "\n", " description \\\n", "0 Below are the tactics and technique representi... \n", "1 This object is deprecated as its content has b... \n", "2 Below are the tactics and techniques represent... \n", "3 Below are the tactics and techniques represent... \n", "\n", " external_references \\\n", "0 [{'external_id': 'enterprise-attack', 'source_... \n", "1 [{'external_id': 'pre-attack', 'source_name': ... \n", "2 [{'external_id': 'mobile-attack', 'url': 'http... \n", "3 [{'external_id': 'mobile-attack', 'url': 'http... \n", "\n", " object_marking_refs type \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... x-mitre-matrix \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... x-mitre-matrix \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... x-mitre-matrix \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... x-mitre-matrix \n", "\n", " tactic_refs \\\n", "0 [x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1ef... \n", "1 [x-mitre-tactic--b2a086f2-d3db-408b-b4d4-e09a1... \n", "2 [x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290... \n", "3 [x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc4... 
\n", "\n", " modified created x_mitre_deprecated \n", "0 2020-10-27T02:27:31.332Z 2018-10-17T00:14:20.652Z NaN \n", "1 2020-10-22T15:43:48.844Z 2018-10-17T00:14:20.652Z True \n", "2 2020-10-23T15:05:40.962Z 2018-10-17T00:14:20.652Z NaN \n", "3 2020-07-02T14:18:17.535Z 2018-10-17T00:14:20.652Z NaN " ] }, "execution_count": 37, "metadata": {}, "output_type": "execute_result" } ], "source": [ "df = pandas.json_normalize(all_attack['matrix'])\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Matrices**" ] }, { "cell_type": "code", "execution_count": 38, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['id',\n", " 'created_by_ref',\n", " 'name',\n", " 'description',\n", " 'external_references',\n", " 'object_marking_refs',\n", " 'type',\n", " 'tactic_refs',\n", " 'modified',\n", " 'created',\n", " 'x_mitre_deprecated']" ] }, "execution_count": 38, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise ATT&CK ONLY from Results (Locally)\n", "* We can also work from the results of each get_* function that we ran earlier and extract specific STIX object types (techniques, mitigations, groups, malware, tools, relationships) for one specific matrix.\n", "* It is important to remember that this STIX object information is retrieved from the results of the initial three **get_*** calls already held in memory; the TAXII server is not queried again every time we want information about a specific STIX object type."
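The relationship objects shown earlier carry only STIX ids in `source_ref` and `target_ref`, and the point just made about working from the local `get_*` results applies to joining them too: everything needed to turn `intrusion-set--... uses malware--...` into readable names and ATT&CK IDs is already in memory. The following is an added example, not code from the original notebook or from the attackcti project. It works on plain dicts shaped like the `json.loads(t.serialize())` output above, so it runs offline; every object in it is constructed for the example except the SYNful Knock and MCMD id/name/S-number triples, which are copied from the notebook output. The `Example Group`, `Retired Tool` and all zero-padded ids are hypothetical, and the `mitre-mobile-attack` / `mitre-pre-attack` source names are an assumption about the other two matrices.

```python
# Added example: resolve ATT&CK 'uses' relationships from in-memory STIX dicts.
from collections import defaultdict

# Source names ATT&CK uses for its own external_id entries. 'mitre-attack'
# appears in the notebook output; the other two are assumed for Mobile/PRE.
ATTACK_SOURCE_NAMES = {"mitre-attack", "mitre-mobile-attack", "mitre-pre-attack"}


def attack_id(obj):
    """Return the ATT&CK ID (S0519, TA0043, T1059, ...) or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in ATTACK_SOURCE_NAMES and "external_id" in ref:
            return ref["external_id"]
    return None


def is_active(obj):
    """False for revoked or deprecated objects; both flags are usually absent."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def index_by_id(*collections):
    """Map STIX id -> object across several lists (groups, malware, tools...)."""
    index = {}
    for objects in collections:
        for obj in objects:
            index[obj["id"]] = obj
    return index


def resolve_uses(relationships, index):
    """Return ([(group, group_id, software, software_id), ...], skipped_counts).

    Relationships that are not 'uses', are themselves revoked, point at an id
    missing from the index, or touch an inactive object are skipped and counted.
    """
    resolved, skipped = [], defaultdict(int)
    for rel in relationships:
        if rel.get("relationship_type") != "uses":
            skipped["not-uses"] += 1
            continue
        if not is_active(rel):
            skipped["revoked-relationship"] += 1
            continue
        src, dst = index.get(rel["source_ref"]), index.get(rel["target_ref"])
        if src is None or dst is None:
            skipped["dangling-ref"] += 1
            continue
        if not (is_active(src) and is_active(dst)):
            skipped["inactive-endpoint"] += 1
            continue
        resolved.append((src["name"], attack_id(src), dst["name"], attack_id(dst)))
    return resolved, dict(skipped)


# --- constructed sample data; shape copied from the notebook output ---
SYNFUL_KNOCK = {"id": "malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053", "type": "malware",
                "name": "SYNful Knock",
                "external_references": [{"external_id": "S0519", "source_name": "mitre-attack"}]}
MCMD = {"id": "tool--975737f1-b10d-476f-8bda-3ec26ea57172", "type": "tool", "name": "MCMD",
        "external_references": [{"external_id": "S0500", "source_name": "mitre-attack"}]}
# Hypothetical objects: ids, names and IDs below are made up for the example.
OLD_TOOL = {"id": "tool--00000000-0000-4000-8000-00000000000a", "type": "tool",
            "name": "Retired Tool", "revoked": True,
            "external_references": [{"external_id": "S9999", "source_name": "mitre-attack"}]}
GROUP = {"id": "intrusion-set--00000000-0000-4000-8000-000000000001", "type": "intrusion-set",
         "name": "Example Group",
         "external_references": [{"external_id": "G9999", "source_name": "mitre-attack"}]}


def _uses(n, target_ref):
    return {"id": "relationship--00000000-0000-4000-8000-0000000000%02x" % n,
            "type": "relationship", "relationship_type": "uses",
            "source_ref": GROUP["id"], "target_ref": target_ref}


RELATIONSHIPS = [
    _uses(1, SYNFUL_KNOCK["id"]),
    _uses(2, MCMD["id"]),
    _uses(3, OLD_TOOL["id"]),                                   # revoked target
    _uses(4, "malware--00000000-0000-4000-8000-0000000000ff"),  # id not in index
]


def demo():
    index = index_by_id([GROUP], [SYNFUL_KNOCK], [MCMD, OLD_TOOL])
    return resolve_uses(RELATIONSHIPS, index)


if __name__ == "__main__":
    rows, skipped = demo()
    for row in rows:
        print("%s (%s) uses %s (%s)" % row)
    print("skipped:", skipped)
```

Against the notebook's own data you would build the index from the lists already produced above (`malware`, `tools`, and a `groups` list built the same way from `all_attack['groups']`, a key this example assumes) and pass the serialized `relationships` list to `resolve_uses`. Filtering on `revoked` / `x_mitre_deprecated` matters in practice: the PRE-ATT&CK matrix row above is marked deprecated, and revoked techniques still have relationships pointing at them.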
] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Techniques**" ] }, { "cell_type": "code", "execution_count": 39, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in Enterprise ATT&CK\n", "665\n" ] } ], "source": [ "print(\"Number of Techniques in Enterprise ATT&CK\")\n", "print(len(all_enterprise['techniques']))" ] }, { "cell_type": "code", "execution_count": 40, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " id \\\n", "0 attack-pattern--818302b2-d640-477b-bf88-873120... \n", "1 attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf... \n", "2 attack-pattern--28abec6c-4443-4b03-8206-07f2e2... \n", "3 attack-pattern--a6557c75-798f-42e4-be70-ab4502... \n", "\n", " description \\\n", "0 Adversaries may abuse scripting or built-in co... \n", "1 Adversaries may access network configuration f... \n", "2 Adversaries may abuse netbooting to load an un... \n", "3 Adversaries may abuse the ROM Monitor (ROMMON)... \n", "\n", " name \\\n", "0 Network Device CLI \n", "1 Network Device Configuration Dump \n", "2 TFTP Boot \n", "3 ROMMONkit \n", "\n", " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references type \\\n", "0 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n", "1 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n", "2 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n", "3 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n", "\n", " kill_chain_phases \\\n", "0 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n", "1 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n", "2 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n", "3 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n", "\n", " modified created ... \\\n", "0 2020-10-22T16:43:38.388Z 2020-10-20T00:09:33.072Z ... \n", "1 2020-10-22T01:45:55.144Z 2020-10-20T00:08:21.745Z ... \n", "2 2020-10-22T16:35:53.806Z 2020-10-20T00:06:56.180Z ... 
\n", "3 2020-10-22T02:18:19.568Z 2020-10-20T00:05:48.790Z ... \n", "\n", " x_mitre_permissions_required x_mitre_defense_bypassed x_mitre_contributors \\\n", "0 [Administrator, User] NaN NaN \n", "1 [Administrator] NaN NaN \n", "2 [Administrator] NaN NaN \n", "3 [Administrator] NaN NaN \n", "\n", " x_mitre_system_requirements x_mitre_network_requirements \\\n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN \n", "\n", " x_mitre_effective_permissions x_mitre_remote_support x_mitre_impact_type \\\n", "0 NaN NaN NaN \n", "1 NaN NaN NaN \n", "2 NaN NaN NaN \n", "3 NaN NaN NaN \n", "\n", " revoked x_mitre_deprecated \n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN \n", "\n", "[4 rows x 25 columns]" ] }, "execution_count": 40, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques = []\n", "for t in all_enterprise['techniques']:\n", " techniques.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(techniques)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Mitigations**" ] }, { "cell_type": "code", "execution_count": 41, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in Enterprise ATT&CK\n", "267\n" ] } ], "source": [ "print(\"Number of Mitigations in Enterprise ATT&CK\")\n", "print(len(all_enterprise['mitigations']))" ] }, { "cell_type": "code", "execution_count": 42, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "4 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "4 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references \\\n", "0 [{'source_name': 'mitre-attack', 'external_id'... \n", "1 [{'source_name': 'mitre-attack', 'external_id'... \n", "2 [{'source_name': 'mitre-attack', 'external_id'... \n", "3 [{'source_name': 'mitre-attack', 'external_id'... \n", "4 [{'source_name': 'mitre-attack', 'external_id'... \n", "\n", " description name \\\n", "0 This category is used for any applicable mitig... Pre-compromise \n", "1 This category is to associate techniques that ... Do Not Mitigate \n", "2 Implement configuration changes to software (o... Software Configuration \n", "3 Take and store data backups from end user syst... Data Backup \n", "4 Configure Windows User Account Control to miti... User Account Control \n", "\n", " id type \\\n", "0 course-of-action--78bb71be-92b4-46de-acd6-5f99... course-of-action \n", "1 course-of-action--787fb64d-c87b-4ee5-a341-0ef1... course-of-action \n", "2 course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... course-of-action \n", "3 course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... course-of-action \n", "4 course-of-action--2c2ad92a-d710-41ab-a996-1db1... 
course-of-action \n", "\n", " modified created x_mitre_version \\\n", "0 2020-10-20T19:52:32.439Z 2020-10-19T14:57:58.771Z 1.0 \n", "1 2019-07-23T14:44:24.727Z 2019-07-19T14:58:42.715Z 1.0 \n", "2 2020-03-31T13:11:09.471Z 2019-07-19T14:40:23.529Z 1.1 \n", "3 2020-03-31T13:11:28.201Z 2019-07-19T14:33:33.543Z 1.1 \n", "4 2020-03-31T13:49:49.636Z 2019-06-11T17:14:35.170Z 1.1 \n", "\n", " x_mitre_deprecated x_mitre_old_attack_id \n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN \n", "4 NaN NaN " ] }, "execution_count": 42, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mitigations = []\n", "for t in all_enterprise['mitigations']:\n", " mitigations.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(mitigations)\n", "df[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Groups**" ] }, { "cell_type": "code", "execution_count": 43, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in Enterprise ATT&CK\n", "110\n" ] } ], "source": [ "print(\"Number of Groups in Enterprise ATT&CK\")\n", "print(len(all_enterprise['groups']))" ] }, { "cell_type": "code", "execution_count": 44, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references name \\\n", "0 [{'external_id': 'G0115', 'source_name': 'mitr... GOLD SOUTHFIELD \n", "1 [{'external_id': 'G0114', 'source_name': 'mitr... Chimera \n", "2 [{'external_id': 'G0112', 'source_name': 'mitr... Windshift \n", "3 [{'external_id': 'G0108', 'source_name': 'mitr... Blue Mockingbird \n", "\n", " description type \\\n", "0 [GOLD SOUTHFIELD](https://attack.mitre.org/gro... intrusion-set \n", "1 [Chimera](https://attack.mitre.org/groups/G011... intrusion-set \n", "2 [Windshift](https://attack.mitre.org/groups/G0... intrusion-set \n", "3 [Blue Mockingbird](https://attack.mitre.org/gr... intrusion-set \n", "\n", " id aliases \\\n", "0 intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a... [GOLD SOUTHFIELD] \n", "1 intrusion-set--8c1f0187-0826-4320-bddc-5f326cf... [Chimera] \n", "2 intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a... [Windshift, Bahamut] \n", "3 intrusion-set--73a80fab-2aa3-48e0-a4d0-3a48282... 
[Blue Mockingbird] \n", "\n", " modified created x_mitre_version \\\n", "0 2020-10-06T15:32:20.089Z 2020-09-22T19:41:27.845Z 1.0 \n", "1 2020-10-05T20:59:57.694Z 2020-08-24T17:01:55.842Z 1.0 \n", "2 2020-06-26T13:46:14.122Z 2020-06-25T17:16:39.168Z 1.0 \n", "3 2020-06-25T13:59:09.596Z 2020-05-26T20:09:39.139Z 1.0 \n", "\n", " x_mitre_contributors revoked \n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 [Tony Lambert, Red Canary] NaN " ] }, "execution_count": 44, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups = []\n", "for t in all_enterprise['groups']:\n", " groups.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(groups)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Malware**" ] }, { "cell_type": "code", "execution_count": 45, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Malware objects in Enterprise ATT&CK\n", "376\n" ] } ], "source": [ "print(\"Number of Malware objects in Enterprise ATT&CK\")\n", "print(len(all_enterprise['malware']))" ] }, { "cell_type": "code", "execution_count": 46, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " external_references \\\n", "0 [{'external_id': 'S0519', 'source_name': 'mitr... \n", "1 [{'external_id': 'S0516', 'source_name': 'mitr... \n", "2 [{'external_id': 'S0515', 'source_name': 'mitr... \n", "3 [{'external_id': 'S0514', 'source_name': 'mitr... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description name \\\n", "0 [SYNful Knock](https://attack.mitre.org/softwa... SYNful Knock \n", "1 [SoreFang](https://attack.mitre.org/software/S... SoreFang \n", "2 [WellMail](https://attack.mitre.org/software/S... WellMail \n", "3 [WellMess](https://attack.mitre.org/software/S... 
WellMess \n", "\n", " id type labels \\\n", "0 malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053 malware [malware] \n", "1 malware--e33e4603-afab-402d-b2a1-248d435b5fe0 malware [malware] \n", "2 malware--959f3b19-2dc8-48d5-8942-c66813a5101a malware [malware] \n", "3 malware--3a4197ae-ec63-4162-907b-9a073d1157e4 malware [malware] \n", "\n", " modified created x_mitre_version \\\n", "0 2020-10-22T17:35:04.950Z 2020-10-19T16:38:11.279Z 1.0 \n", "1 2020-10-06T16:10:42.422Z 2020-09-29T19:33:35.122Z 1.0 \n", "2 2020-10-09T15:38:41.755Z 2020-09-29T17:48:27.517Z 1.0 \n", "3 2020-10-09T19:41:25.983Z 2020-09-24T19:39:44.392Z 1.0 \n", "\n", " x_mitre_aliases x_mitre_platforms \\\n", "0 [SYNful Knock] [Network] \n", "1 [SoreFang] [Windows] \n", "2 [WellMail] [Windows] \n", "3 [WellMess] [Windows] \n", "\n", " x_mitre_contributors revoked \n", "0 NaN NaN \n", "1 NaN NaN \n", "2 [Josh Campbell, Cyborg Security, @cyb0rgsecur1ty] NaN \n", "3 [Daniyal Naeem, @Mrdaniyalnaeem] NaN " ] }, "execution_count": 46, "metadata": {}, "output_type": "execute_result" } ], "source": [ "malware = []\n", "for t in all_enterprise['malware']:\n", " malware.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(malware)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Tools**" ] }, { "cell_type": "code", "execution_count": 47, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Tools in Enterprise ATT&CK\n", "62\n" ] } ], "source": [ "print(\"Number of Tools in Enterprise ATT&CK\")\n", "print(len(all_enterprise['tools']))" ] }, { "cell_type": "code", "execution_count": 48, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " id name \\\n", "0 tool--975737f1-b10d-476f-8bda-3ec26ea57172 MCMD \n", "1 tool--c4810609-7da6-48ec-8057-1b70a7814db0 CrackMapExec \n", "2 tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4 CARROTBALL \n", "3 tool--115f88dd-0618-4389-83cb-98d33ae81848 ShimRatReporter \n", "\n", " description \\\n", "0 [MCMD](https://attack.mitre.org/software/S0500... \n", "1 [CrackMapExec](https://attack.mitre.org/softwa... \n", "2 [CARROTBALL](https://attack.mitre.org/software... \n", "3 [ShimRatReporter](https://attack.mitre.org/sof... \n", "\n", " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references type labels \\\n", "0 [{'external_id': 'S0500', 'source_name': 'mitr... tool [tool] \n", "1 [{'external_id': 'S0488', 'source_name': 'mitr... tool [tool] \n", "2 [{'external_id': 'S0465', 'source_name': 'mitr... tool [tool] \n", "3 [{'external_id': 'S0445', 'source_name': 'mitr... 
tool [tool] \n", "\n", " modified created x_mitre_version \\\n", "0 2020-08-20T14:52:23.369Z 2020-08-13T17:15:25.702Z 1.0 \n", "1 2020-07-29T20:19:40.544Z 2020-07-17T14:23:05.958Z 1.0 \n", "2 2020-06-10T14:44:23.055Z 2020-06-02T19:10:29.513Z 1.0 \n", "3 2020-05-27T22:39:28.701Z 2020-05-12T21:29:48.294Z 1.0 \n", "\n", " x_mitre_aliases x_mitre_platforms x_mitre_contributors \n", "0 [MCMD] [Windows] NaN \n", "1 [CrackMapExec] [Windows] NaN \n", "2 [CARROTBALL] [Windows] NaN \n", "3 [ShimRatReporter] [Windows] NaN " ] }, "execution_count": 48, "metadata": {}, "output_type": "execute_result" } ], "source": [ "tools = []\n", "for t in all_enterprise['tools']:\n", " tools.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(tools)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Relationships**" ] }, { "cell_type": "code", "execution_count": 49, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in Enterprise ATT&CK\n", "9263\n" ] } ], "source": [ "print(\"Number of Relationships in Enterprise ATT&CK\")\n", "print(len(all_enterprise['relationships']))" ] }, { "cell_type": "code", "execution_count": 50, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references \\\n", "0 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n", "1 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n", "2 [{'source_name': 'DFIR Ryuk's Return October 2... \n", "3 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n", "\n", " id type \\\n", "0 relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd... relationship \n", "1 relationship--c118e50b-4559-4bff-bde5-78aa426f... relationship \n", "2 relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e... relationship \n", "3 relationship--585842e6-fe9a-4508-8e67-c232f8aa... relationship \n", "\n", " created \\\n", "0 2020-11-10T18:04:03.668Z \n", "1 2020-11-10T18:04:03.666Z \n", "2 2020-11-10T18:04:03.589Z \n", "3 2020-11-10T18:04:03.571Z \n", "\n", " description \\\n", "0 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n", "1 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n", "2 (Citation: DFIR Ryuk's Return October 2020)(Ci... \n", "3 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n", "\n", " created_by_ref modified \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.668Z \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.666Z \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.589Z \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.571Z \n", "\n", " source_ref relationship_type \\\n", "0 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n", "1 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n", "2 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n", "3 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... 
uses \n", "\n", " target_ref \n", "0 malware--a7881f21-e978-4fe4-af56-92c9416a2616 \n", "1 tool--afc079f3-c0ea-4096-b75d-3f05338b7f60 \n", "2 tool--b77b563c-34bb-4fb8-86a3-3694338f7b47 \n", "3 tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf " ] }, "execution_count": 50, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relations = []\n", "for t in all_enterprise['relationships']:\n", " relations.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(relations)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mobile ATT&CK ONLY from Results (Locally)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Techniques**" ] }, { "cell_type": "code", "execution_count": 51, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in Mobile ATT&CK\n", "104\n" ] } ], "source": [ "print(\"Number of Techniques in Mobile ATT&CK\")\n", "print(len(all_mobile['techniques']))" ] }, { "cell_type": "code", "execution_count": 52, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " external_references \\\n", "0 [{'source_name': 'mitre-mobile-attack', 'exter... \n", "1 [{'source_name': 'mitre-mobile-attack', 'exter... \n", "2 [{'source_name': 'mitre-mobile-attack', 'exter... \n", "3 [{'source_name': 'mitre-mobile-attack', 'exter... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " name \\\n", "0 SMS Control \n", "1 Geofencing \n", "2 Keychain \n", "3 Compromise Application Executable \n", "\n", " description \\\n", "0 Adversaries may delete, alter, or send SMS mes... \n", "1 Adversaries may use a device’s geographical lo... \n", "2 Adversaries may collect the keychain storage d... \n", "3 Adversaries may modify applications installed ... \n", "\n", " id type \\\n", "0 attack-pattern--b327a9c0-e709-495c-aa6e-00b042... attack-pattern \n", "1 attack-pattern--8197f026-64da-4700-93b9-b55ba5... attack-pattern \n", "2 attack-pattern--27f483c6-6666-44fa-8532-ffd5fc... attack-pattern \n", "3 attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e5631... attack-pattern \n", "\n", " kill_chain_phases \\\n", "0 [{'kill_chain_name': 'mitre-mobile-attack', 'p... \n", "1 [{'kill_chain_name': 'mitre-mobile-attack', 'p... \n", "2 [{'kill_chain_name': 'mitre-mobile-attack', 'p... \n", "3 [{'kill_chain_name': 'mitre-mobile-attack', 'p... 
\n", "\n", " modified created x_mitre_version \\\n", "0 2020-10-22T17:04:15.578Z 2020-09-11T15:14:33.730Z 1.0 \n", "1 2020-10-01T12:43:41.494Z 2020-09-11T15:04:14.532Z 1.0 \n", "2 2020-06-24T19:02:46.237Z 2020-06-24T17:33:49.778Z 1.0 \n", "3 2020-05-27T13:23:34.159Z 2020-05-07T15:24:49.068Z 1.0 \n", "\n", " x_mitre_is_subtechnique x_mitre_tactic_type \\\n", "0 False [Post-Adversary Device Access] \n", "1 False [Post-Adversary Device Access] \n", "2 False [Post-Adversary Device Access] \n", "3 False [Post-Adversary Device Access] \n", "\n", " x_mitre_detection x_mitre_platforms \\\n", "0 Users can view the default SMS handler in syst... [Android] \n", "1 Users can review which applications have locat... [Android, iOS] \n", "2 Mobile security products can potentially detec... [iOS] \n", "3 This behavior is seamless to the user and is t... [Android] \n", "\n", " x_mitre_contributors x_mitre_old_attack_id revoked x_mitre_deprecated \n", "0 NaN NaN NaN NaN \n", "1 NaN NaN NaN NaN \n", "2 NaN NaN NaN NaN \n", "3 NaN NaN NaN NaN " ] }, "execution_count": 52, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques = []\n", "for t in all_mobile['techniques']:\n", " techniques.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(techniques)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Mitigations**" ] }, { "cell_type": "code", "execution_count": 53, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in Mobile ATT&CK\n", "13\n" ] } ], "source": [ "print(\"Number of Mitigations in Mobile ATT&CK\")\n", "print(len(all_mobile['mitigations']))" ] }, { "cell_type": "code", "execution_count": 54, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references name \\\n", "0 [{'source_name': 'mitre-attack', 'external_id'... User Guidance \n", "1 [{'source_name': 'mitre-attack', 'external_id'... Security Updates \n", "2 [{'source_name': 'mitre-attack', 'external_id'... Attestation \n", "3 [{'source_name': 'mitre-attack', 'external_id'... Application Vetting \n", "\n", " description \\\n", "0 Describes any guidance or training given to us... \n", "1 Install security updates in response to discov... \n", "2 Enable remote attestation capabilities when av... \n", "3 Enterprises can vet applications for exploitab... \n", "\n", " id type \\\n", "0 course-of-action--653492e3-27be-4a0e-b08c-938d... course-of-action \n", "1 course-of-action--bcecd036-f40e-4916-9f8e-fd0c... course-of-action \n", "2 course-of-action--ff4821f6-5afb-481b-8c0f-26c2... course-of-action \n", "3 course-of-action--1553b156-6767-47f7-9eb4-2a69... 
course-of-action \n", "\n", " modified created x_mitre_version \\\n", "0 2019-10-18T15:51:48.318Z 2019-10-18T12:53:03.508Z 1.0 \n", "1 2019-10-18T14:56:15.631Z 2019-10-18T12:51:36.488Z 1.0 \n", "2 2019-10-18T14:52:53.019Z 2019-10-18T12:50:35.335Z 1.0 \n", "3 2019-10-18T15:53:07.393Z 2019-10-18T12:49:58.924Z 1.0 \n", "\n", " x_mitre_old_attack_id \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN " ] }, "execution_count": 54, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mitigations = []\n", "for t in all_mobile['mitigations']:\n", " mitigations.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(mitigations)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Groups**" ] }, { "cell_type": "code", "execution_count": 55, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in Mobile ATT&CK\n", "3\n" ] } ], "source": [ "print(\"Number of Groups in Mobile ATT&CK\")\n", "print(len(all_mobile['groups']))" ] }, { "cell_type": "code", "execution_count": 56, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references \\\n", "0 [{'external_id': 'G0097', 'source_name': 'mitr... \n", "1 [{'source_name': 'mitre-attack', 'url': 'https... \n", "2 [{'external_id': 'G0007', 'url': 'https://atta... \n", "\n", " description name \\\n", "0 [Bouncing Golf](https://attack.mitre.org/group... Bouncing Golf \n", "1 [Dark Caracal](https://attack.mitre.org/groups... Dark Caracal \n", "2 [APT28](https://attack.mitre.org/groups/G0007)... APT28 \n", "\n", " type id \\\n", "0 intrusion-set intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a... \n", "1 intrusion-set intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... \n", "2 intrusion-set intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8... \n", "\n", " aliases \\\n", "0 [Bouncing Golf] \n", "1 [Dark Caracal] \n", "2 [APT28, SNAKEMACKEREL, Swallowtail, Group 74, ... \n", "\n", " modified created x_mitre_version \\\n", "0 2020-03-26T20:58:44.722Z 2020-01-27T16:55:39.688Z 1.0 \n", "1 2020-06-03T20:22:40.401Z 2018-10-17T00:14:20.652Z 1.2 \n", "2 2020-10-06T23:32:21.793Z 2017-05-31T21:31:48.664Z 3.0 \n", "\n", " x_mitre_contributors \n", "0 NaN \n", "1 NaN \n", "2 [Sébastien Ruel, CGI, Drew Church, Splunk, Emi... 
" ] }, "execution_count": 56, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups = []\n", "for t in all_mobile['groups']:\n", " groups.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(groups)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Malware**" ] }, { "cell_type": "code", "execution_count": 57, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Malware in Mobile ATT&CK\n", "74\n" ] } ], "source": [ "print(\"Number of Malware in Mobile ATT&CK\")\n", "print(len(all_mobile['malware']))" ] }, { "cell_type": "code", "execution_count": 58, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " external_references \\\n", "0 [{'external_id': 'S0509', 'source_name': 'mitr... \n", "1 [{'external_id': 'S0507', 'source_name': 'mitr... \n", "2 [{'external_id': 'S0506', 'source_name': 'mitr... \n", "3 [{'external_id': 'S0505', 'source_name': 'mitr... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description name \\\n", "0 [FakeSpy](https://attack.mitre.org/software/S0... FakeSpy \n", "1 [eSurv](https://attack.mitre.org/software/S050... eSurv \n", "2 [ViperRAT](https://attack.mitre.org/software/S... ViperRAT \n", "3 [Desert Scorpion](https://attack.mitre.org/sof... 
Desert Scorpion \n", "\n", " id type labels \\\n", "0 malware--838f647e-8ff8-48bd-bbd5-613cee7736cb malware [malware] \n", "1 malware--680f680c-eef9-4f8a-b5f5-f451bf47e403 malware [malware] \n", "2 malware--f666e17c-b290-43b3-8947-b96bd5148fbb malware [malware] \n", "3 malware--3271c107-92c4-442e-9506-e76d62230ee8 malware [malware] \n", "\n", " modified created x_mitre_version \\\n", "0 2020-10-06T20:09:57.659Z 2020-09-15T15:18:11.971Z 1.0 \n", "1 2020-09-14T15:39:17.698Z 2020-09-14T14:13:45.032Z 1.0 \n", "2 2020-09-29T20:03:42.662Z 2020-09-11T16:22:02.954Z 1.0 \n", "3 2020-09-11T16:23:16.039Z 2020-09-11T14:54:16.188Z 1.0 \n", "\n", " x_mitre_aliases x_mitre_platforms x_mitre_contributors \\\n", "0 [FakeSpy] [Android] [Ofir Almkias, Cybereason] \n", "1 [eSurv] [Android, iOS] NaN \n", "2 [ViperRAT] [Android] NaN \n", "3 [Desert Scorpion] [Android] NaN \n", "\n", " x_mitre_old_attack_id \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN " ] }, "execution_count": 58, "metadata": {}, "output_type": "execute_result" } ], "source": [ "malware = []\n", "for t in all_mobile['malware']:\n", " malware.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(malware)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Tools**" ] }, { "cell_type": "code", "execution_count": 59, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Tools in Mobile ATT&CK\n", "2\n" ] } ], "source": [ "print(\"Number of Tools in Mobile ATT&CK\")\n", "print(len(all_mobile['tools']))" ] }, { "cell_type": "code", "execution_count": 60, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " external_references \\\n", "0 [{'external_id': 'S0408', 'source_name': 'mitr... \n", "1 [{'source_name': 'mitre-mobile-attack', 'url':... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description name \\\n", "0 [FlexiSpy](https://attack.mitre.org/software/S... FlexiSpy \n", "1 [Xbot](https://attack.mitre.org/software/S0298... Xbot \n", "\n", " id type labels \\\n", "0 tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81 tool [tool] \n", "1 tool--da21929e-40c0-443d-bdf4-6b60d15448b4 tool [tool] \n", "\n", " modified created x_mitre_version \\\n", "0 2019-10-14T18:08:28.349Z 2019-09-04T15:38:56.070Z 1.0 \n", "1 2018-12-11T20:40:31.461Z 2017-10-25T14:48:48.609Z 1.1 \n", "\n", " x_mitre_aliases x_mitre_platforms x_mitre_contributors \\\n", "0 [FlexiSpy] [Android] [Emily Ratliff, IBM] \n", "1 [Xbot] [Android] NaN \n", "\n", " x_mitre_old_attack_id \n", "0 NaN \n", "1 MOB-S0014 " ] }, "execution_count": 60, "metadata": {}, "output_type": "execute_result" } ], "source": [ "tools = []\n", "for t in all_mobile['tools']:\n", " tools.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(tools)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Relationships**" ] }, { "cell_type": "code", "execution_count": 61, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in Mobile ATT&CK\n", "795\n" ] } ], "source": [ "print(\"Number of Relationships in Mobile ATT&CK\")\n", "print(len(all_mobile['relationships']))" ] }, { "cell_type": "code", "execution_count": 62, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id type \\\n", "0 relationship--39f46abc-d9e3-463d-9340-3bc8334a... relationship \n", "1 relationship--e373111c-aa34-4686-a286-7c9b4267... relationship \n", "2 relationship--37459382-00b7-4699-a294-d25f53bf... relationship \n", "3 relationship--455b1287-5784-42b4-91fb-01dac007... relationship \n", "\n", " modified created \\\n", "0 2020-10-23T15:05:40.967Z 2020-10-23T15:05:40.967Z \n", "1 2020-10-01T12:43:42.238Z 2020-09-30T14:48:16.522Z \n", "2 2020-10-01T12:42:21.985Z 2020-09-30T14:36:43.256Z \n", "3 2020-09-29T13:24:15.234Z 2020-09-29T13:24:15.234Z \n", "\n", " source_ref relationship_type \\\n", "0 attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab... revoked-by \n", "1 course-of-action--0beabf44-e8d8-4ae4-9122-ef56... mitigates \n", "2 course-of-action--0beabf44-e8d8-4ae4-9122-ef56... mitigates \n", "3 malware--317a2c10-d489-431e-b6b2-f0251fddc88e uses \n", "\n", " target_ref \\\n", "0 attack-pattern--77e30eee-fd48-40b4-99ec-73e97c... \n", "1 attack-pattern--8197f026-64da-4700-93b9-b55ba5... \n", "2 attack-pattern--77e30eee-fd48-40b4-99ec-73e97c... \n", "3 attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd2... \n", "\n", " description \\\n", "0 NaN \n", "1 New OS releases frequently contain additional ... \n", "2 iOS 11 introduced a first-come-first-served pr... \n", "3 [Dendroid](https://attack.mitre.org/software/S... \n", "\n", " external_references \n", "0 NaN \n", "1 NaN \n", "2 [{'source_name': 'Trend Micro iOS URL Hijackin... 
\n", "3 [{'source_name': 'Lookout-Dendroid', 'descript... " ] }, "execution_count": 62, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relations = []\n", "for t in all_mobile['relationships']:\n", " relations.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(relations)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## **Get STIX Object Types Directly from TAXII Server (Enterprise ATT&CK, Pre-ATT&CK & Mobile ATT&CK)**\n", "* In this section, we will query the ATT&CK TAXII Server directly in order to collect specific STIX object types such as techniques, mitigations, groups, malware, tools and relationships from the Enterprise, PRE and Mobile Matrices.\n", "* Unlike the first section of this notebook, there is no need to retrieve every STIX object available for each matrix first; each function below returns only the object type requested." ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise Techniques ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 63, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in Enterprise ATT&CK\n", "665\n" ] } ], "source": [ "print(\"Number of Techniques in Enterprise ATT&CK\")\n", "techniques = lift.get_enterprise_techniques()\n", "print(len(techniques))" ] }, { "cell_type": "code", "execution_count": 64, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " id \\\n", "0 attack-pattern--818302b2-d640-477b-bf88-873120... \n", "1 attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf... \n", "2 attack-pattern--28abec6c-4443-4b03-8206-07f2e2... \n", "3 attack-pattern--a6557c75-798f-42e4-be70-ab4502... \n", "\n", " description \\\n", "0 Adversaries may abuse scripting or built-in co... \n", "1 Adversaries may access network configuration f... \n", "2 Adversaries may abuse netbooting to load an un... \n", "3 Adversaries may abuse the ROM Monitor (ROMMON)... \n", "\n", " name \\\n", "0 Network Device CLI \n", "1 Network Device Configuration Dump \n", "2 TFTP Boot \n", "3 ROMMONkit \n", "\n", " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references type \\\n", "0 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n", "1 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n", "2 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n", "3 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n", "\n", " kill_chain_phases \\\n", "0 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n", "1 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n", "2 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n", "3 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n", "\n", " modified created ... \\\n", "0 2020-10-22T16:43:38.388Z 2020-10-20T00:09:33.072Z ... \n", "1 2020-10-22T01:45:55.144Z 2020-10-20T00:08:21.745Z ... \n", "2 2020-10-22T16:35:53.806Z 2020-10-20T00:06:56.180Z ... 
\n", "3 2020-10-22T02:18:19.568Z 2020-10-20T00:05:48.790Z ... \n", "\n", " x_mitre_permissions_required x_mitre_defense_bypassed x_mitre_contributors \\\n", "0 [Administrator, User] NaN NaN \n", "1 [Administrator] NaN NaN \n", "2 [Administrator] NaN NaN \n", "3 [Administrator] NaN NaN \n", "\n", " x_mitre_system_requirements x_mitre_network_requirements \\\n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN \n", "\n", " x_mitre_effective_permissions x_mitre_remote_support x_mitre_impact_type \\\n", "0 NaN NaN NaN \n", "1 NaN NaN NaN \n", "2 NaN NaN NaN \n", "3 NaN NaN NaN \n", "\n", " revoked x_mitre_deprecated \n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN \n", "\n", "[4 rows x 25 columns]" ] }, "execution_count": 64, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques_list = []\n", "for t in techniques:\n", " techniques_list.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(techniques_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All PRE Techniques ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 65, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in PRE-ATT&CK\n" ] }, { "name": "stderr", "output_type": "stream", "text": [ "/usr/local/lib/python3.8/site-packages/attackcti/attack_api.py:455: UserWarning: PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\n", " warnings.warn(\"PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\")\n" ] }, { "name": "stdout", "output_type": "stream", "text": [ "174\n" ] } ], "source": [ "print(\"Number of Techniques in PRE-ATT&CK\")\n", "techniques = lift.get_pre_techniques()\n", "print(len(techniques))" ] }, { "cell_type": "code", "execution_count": 66, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " id \\\n", "0 attack-pattern--b182f29c-2505-4b32-a000-0440ef... \n", "1 attack-pattern--2b9a666e-bd59-4f67-9031-ed41b4... \n", "2 attack-pattern--1a295f87-af63-4d94-b130-039d62... \n", "3 attack-pattern--fe421ab9-c8f3-42f7-9ae1-5d6c32... \n", "\n", " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " name \\\n", "0 Spearphishing for Information \n", "1 Acquire OSINT data sets and information \n", "2 Acquire and/or use 3rd party software services \n", "3 Analyze application security posture \n", "\n", " description \\\n", "0 This object is deprecated as its content has b... \n", "1 This object is deprecated as its content has b... \n", "2 This object is deprecated as its content has b... \n", "3 This object is deprecated as its content has b... \n", "\n", " external_references \\\n", "0 [{'source_name': 'mitre-pre-attack', 'url': 'h... \n", "1 [{'source_name': 'mitre-pre-attack', 'url': 'h... \n", "2 [{'source_name': 'mitre-pre-attack', 'url': 'h... \n", "3 [{'source_name': 'mitre-pre-attack', 'url': 'h... \n", "\n", " object_marking_refs type \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n", "\n", " kill_chain_phases \\\n", "0 [{'kill_chain_name': 'mitre-pre-attack', 'phas... \n", "1 [{'kill_chain_name': 'mitre-pre-attack', 'phas... \n", "2 [{'kill_chain_name': 'mitre-pre-attack', 'phas... \n", "3 [{'kill_chain_name': 'mitre-pre-attack', 'phas... 
\n", "\n", " modified created x_mitre_is_subtechnique \\\n", "0 2020-10-26T13:42:49.342Z 2018-04-18T17:59:24.739Z False \n", "1 2020-10-26T13:42:49.342Z 2017-12-14T16:46:06.044Z NaN \n", "2 2020-10-26T13:42:49.342Z 2017-12-14T16:46:06.044Z NaN \n", "3 2020-10-26T13:42:49.342Z 2017-12-14T16:46:06.044Z NaN \n", "\n", " x_mitre_old_attack_id x_mitre_version \\\n", "0 PRE-T1174 1.0 \n", "1 PRE-T1043 1.0 \n", "2 PRE-T1085 1.0 \n", "3 PRE-T1070 1.0 \n", "\n", " x_mitre_difficulty_for_adversary_explanation \\\n", "0 Sending emails is trivial, and, over time, an ... \n", "1 Possible to gather digital intelligence about ... \n", "2 3rd party services like these listed are freel... \n", "3 Analyze technical scanning results to identify... \n", "\n", " x_mitre_difficulty_for_adversary \\\n", "0 Yes \n", "1 Yes \n", "2 Yes \n", "3 Yes \n", "\n", " x_mitre_detectable_by_common_defenses_explanation \\\n", "0 Depending on the specific method of phishing, ... \n", "1 This activity is indistinguishable from legiti... \n", "2 Defender will not have visibility over account... \n", "3 This can be done offline after the data has be... 
\n", "\n", " x_mitre_detectable_by_common_defenses x_mitre_deprecated \n", "0 Partial True \n", "1 No True \n", "2 No True \n", "3 No True " ] }, "execution_count": 66, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques_list = []\n", "for t in techniques:\n", " techniques_list.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(techniques_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mobile Techniques ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 67, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in Mobile ATT&CK\n", "104\n" ] } ], "source": [ "print(\"Number of Techniques in Mobile ATT&CK\")\n", "techniques = lift.get_mobile_techniques()\n", "print(len(techniques))" ] }, { "cell_type": "code", "execution_count": 68, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " external_references \\\n", "0 [{'source_name': 'mitre-mobile-attack', 'exter... \n", "1 [{'source_name': 'mitre-mobile-attack', 'exter... \n", "2 [{'source_name': 'mitre-mobile-attack', 'exter... \n", "3 [{'source_name': 'mitre-mobile-attack', 'exter... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " name \\\n", "0 SMS Control \n", "1 Geofencing \n", "2 Keychain \n", "3 Compromise Application Executable \n", "\n", " description \\\n", "0 Adversaries may delete, alter, or send SMS mes... \n", "1 Adversaries may use a device’s geographical lo... \n", "2 Adversaries may collect the keychain storage d... \n", "3 Adversaries may modify applications installed ... \n", "\n", " id type \\\n", "0 attack-pattern--b327a9c0-e709-495c-aa6e-00b042... attack-pattern \n", "1 attack-pattern--8197f026-64da-4700-93b9-b55ba5... attack-pattern \n", "2 attack-pattern--27f483c6-6666-44fa-8532-ffd5fc... attack-pattern \n", "3 attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e5631... attack-pattern \n", "\n", " kill_chain_phases \\\n", "0 [{'kill_chain_name': 'mitre-mobile-attack', 'p... \n", "1 [{'kill_chain_name': 'mitre-mobile-attack', 'p... \n", "2 [{'kill_chain_name': 'mitre-mobile-attack', 'p... \n", "3 [{'kill_chain_name': 'mitre-mobile-attack', 'p... 
\n", "\n", " modified created x_mitre_version \\\n", "0 2020-10-22T17:04:15.578Z 2020-09-11T15:14:33.730Z 1.0 \n", "1 2020-10-01T12:43:41.494Z 2020-09-11T15:04:14.532Z 1.0 \n", "2 2020-06-24T19:02:46.237Z 2020-06-24T17:33:49.778Z 1.0 \n", "3 2020-05-27T13:23:34.159Z 2020-05-07T15:24:49.068Z 1.0 \n", "\n", " x_mitre_is_subtechnique x_mitre_tactic_type \\\n", "0 False [Post-Adversary Device Access] \n", "1 False [Post-Adversary Device Access] \n", "2 False [Post-Adversary Device Access] \n", "3 False [Post-Adversary Device Access] \n", "\n", " x_mitre_detection x_mitre_platforms \\\n", "0 Users can view the default SMS handler in syst... [Android] \n", "1 Users can review which applications have locat... [Android, iOS] \n", "2 Mobile security products can potentially detec... [iOS] \n", "3 This behavior is seamless to the user and is t... [Android] \n", "\n", " x_mitre_contributors x_mitre_old_attack_id revoked x_mitre_deprecated \n", "0 NaN NaN NaN NaN \n", "1 NaN NaN NaN NaN \n", "2 NaN NaN NaN NaN \n", "3 NaN NaN NaN NaN " ] }, "execution_count": 68, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques_list = []\n", "for t in techniques:\n", " techniques_list.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(techniques_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Techniques (TAXII)\n", "* The results of this function show every single technique across the whole ATT&CK framework, without their mitigation information\n", "* Mitigation information has its own STIX object type (course-of-action, shown as Mitigation in ATT&CK) that needs to be correlated with techniques through STIX relationship objects\n", "* There is a function already in this library named **get_techniques_with_mitigations()** that gives you a more complete view of techniques" ] }, { "cell_type": "code", "execution_count": 69, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in 
ATT&CK\n", "1024\n" ] } ], "source": [ "print(\"Number of Techniques in ATT&CK\")\n", "techniques = lift.get_techniques()\n", "print(len(techniques))" ] }, { "cell_type": "code", "execution_count": 70, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " id \\\n", "0 attack-pattern--818302b2-d640-477b-bf88-873120... \n", "1 attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf... \n", "2 attack-pattern--28abec6c-4443-4b03-8206-07f2e2... \n", "3 attack-pattern--a6557c75-798f-42e4-be70-ab4502... \n", "\n", " description \\\n", "0 Adversaries may abuse scripting or built-in co... \n", "1 Adversaries may access network configuration f... \n", "2 Adversaries may abuse netbooting to load an un... \n", "3 Adversaries may abuse the ROM Monitor (ROMMON)... \n", "\n", " name \\\n", "0 Network Device CLI \n", "1 Network Device Configuration Dump \n", "2 TFTP Boot \n", "3 ROMMONkit \n", "\n", " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references type \\\n", "0 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n", "1 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n", "2 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n", "3 [{'source_name': 'mitre-attack', 'external_id'... attack-pattern \n", "\n", " kill_chain_phases \\\n", "0 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n", "1 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n", "2 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n", "3 [{'kill_chain_name': 'mitre-attack', 'phase_na... \n", "\n", " modified created ... \\\n", "0 2020-10-22T16:43:38.388Z 2020-10-20T00:09:33.072Z ... \n", "1 2020-10-22T01:45:55.144Z 2020-10-20T00:08:21.745Z ... \n", "2 2020-10-22T16:35:53.806Z 2020-10-20T00:06:56.180Z ... 
\n", "3 2020-10-22T02:18:19.568Z 2020-10-20T00:05:48.790Z ... \n", "\n", " x_mitre_remote_support x_mitre_impact_type revoked x_mitre_deprecated \\\n", "0 NaN NaN NaN NaN \n", "1 NaN NaN NaN NaN \n", "2 NaN NaN NaN NaN \n", "3 NaN NaN NaN NaN \n", "\n", " x_mitre_old_attack_id x_mitre_difficulty_for_adversary_explanation \\\n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN \n", "\n", " x_mitre_difficulty_for_adversary \\\n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN \n", "\n", " x_mitre_detectable_by_common_defenses_explanation \\\n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN \n", "\n", " x_mitre_detectable_by_common_defenses x_mitre_tactic_type \n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN \n", "\n", "[4 rows x 31 columns]" ] }, "execution_count": 70, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques_list = []\n", "for t in techniques:\n", " techniques_list.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(techniques_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise Mitigations ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 71, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in Enterprise ATT&CK\n", "267\n" ] } ], "source": [ "print(\"Number of Mitigations in Enterprise ATT&CK\")\n", "mitigations = lift.get_enterprise_mitigations()\n", "print(len(mitigations))" ] }, { "cell_type": "code", "execution_count": 72, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references \\\n", "0 [{'source_name': 'mitre-attack', 'external_id'... \n", "1 [{'source_name': 'mitre-attack', 'external_id'... \n", "2 [{'source_name': 'mitre-attack', 'external_id'... \n", "3 [{'source_name': 'mitre-attack', 'external_id'... \n", "\n", " description name \\\n", "0 This category is used for any applicable mitig... Pre-compromise \n", "1 This category is to associate techniques that ... Do Not Mitigate \n", "2 Implement configuration changes to software (o... Software Configuration \n", "3 Take and store data backups from end user syst... Data Backup \n", "\n", " id type \\\n", "0 course-of-action--78bb71be-92b4-46de-acd6-5f99... course-of-action \n", "1 course-of-action--787fb64d-c87b-4ee5-a341-0ef1... course-of-action \n", "2 course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... course-of-action \n", "3 course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... 
course-of-action \n", "\n", " modified created x_mitre_version \\\n", "0 2020-10-20T19:52:32.439Z 2020-10-19T14:57:58.771Z 1.0 \n", "1 2019-07-23T14:44:24.727Z 2019-07-19T14:58:42.715Z 1.0 \n", "2 2020-03-31T13:11:09.471Z 2019-07-19T14:40:23.529Z 1.1 \n", "3 2020-03-31T13:11:28.201Z 2019-07-19T14:33:33.543Z 1.1 \n", "\n", " x_mitre_deprecated x_mitre_old_attack_id \n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN " ] }, "execution_count": 72, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mitigations_list = []\n", "for t in mitigations:\n", " mitigations_list.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(mitigations_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mobile Mitigations ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 73, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in Mobile ATT&CK\n", "13\n" ] } ], "source": [ "print(\"Number of Mitigations in Mobile ATT&CK\")\n", "mitigations = lift.get_mobile_mitigations()\n", "print(len(mitigations))" ] }, { "cell_type": "code", "execution_count": 74, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references name \\\n", "0 [{'source_name': 'mitre-attack', 'external_id'... User Guidance \n", "1 [{'source_name': 'mitre-attack', 'external_id'... Security Updates \n", "2 [{'source_name': 'mitre-attack', 'external_id'... Attestation \n", "3 [{'source_name': 'mitre-attack', 'external_id'... Application Vetting \n", "\n", " description \\\n", "0 Describes any guidance or training given to us... \n", "1 Install security updates in response to discov... \n", "2 Enable remote attestation capabilities when av... \n", "3 Enterprises can vet applications for exploitab... \n", "\n", " id type \\\n", "0 course-of-action--653492e3-27be-4a0e-b08c-938d... course-of-action \n", "1 course-of-action--bcecd036-f40e-4916-9f8e-fd0c... course-of-action \n", "2 course-of-action--ff4821f6-5afb-481b-8c0f-26c2... course-of-action \n", "3 course-of-action--1553b156-6767-47f7-9eb4-2a69... 
course-of-action \n", "\n", " modified created x_mitre_version \\\n", "0 2019-10-18T15:51:48.318Z 2019-10-18T12:53:03.508Z 1.0 \n", "1 2019-10-18T14:56:15.631Z 2019-10-18T12:51:36.488Z 1.0 \n", "2 2019-10-18T14:52:53.019Z 2019-10-18T12:50:35.335Z 1.0 \n", "3 2019-10-18T15:53:07.393Z 2019-10-18T12:49:58.924Z 1.0 \n", "\n", " x_mitre_old_attack_id \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN " ] }, "execution_count": 74, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mitigations_list = []\n", "for t in mitigations:\n", " mitigations_list.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(mitigations_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mitigations (TAXII)" ] }, { "cell_type": "code", "execution_count": 75, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in ATT&CK\n", "296\n" ] } ], "source": [ "print(\"Number of Mitigations in ATT&CK\")\n", "mitigations = lift.get_mitigations()\n", "print(len(mitigations))" ] }, { "cell_type": "code", "execution_count": 76, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references \\\n", "0 [{'source_name': 'mitre-attack', 'external_id'... \n", "1 [{'source_name': 'mitre-attack', 'external_id'... \n", "2 [{'source_name': 'mitre-attack', 'external_id'... \n", "3 [{'source_name': 'mitre-attack', 'external_id'... \n", "\n", " description name \\\n", "0 This category is used for any applicable mitig... Pre-compromise \n", "1 This category is to associate techniques that ... Do Not Mitigate \n", "2 Implement configuration changes to software (o... Software Configuration \n", "3 Take and store data backups from end user syst... Data Backup \n", "\n", " id type \\\n", "0 course-of-action--78bb71be-92b4-46de-acd6-5f99... course-of-action \n", "1 course-of-action--787fb64d-c87b-4ee5-a341-0ef1... course-of-action \n", "2 course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... course-of-action \n", "3 course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... 
course-of-action \n", "\n", " modified created x_mitre_version \\\n", "0 2020-10-20T19:52:32.439Z 2020-10-19T14:57:58.771Z 1.0 \n", "1 2019-07-23T14:44:24.727Z 2019-07-19T14:58:42.715Z 1.0 \n", "2 2020-03-31T13:11:09.471Z 2019-07-19T14:40:23.529Z 1.1 \n", "3 2020-03-31T13:11:28.201Z 2019-07-19T14:33:33.543Z 1.1 \n", "\n", " x_mitre_deprecated x_mitre_old_attack_id \n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN " ] }, "execution_count": 76, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mitigations_list = []\n", "for t in mitigations:\n", " mitigations_list.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(mitigations_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise Groups ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 77, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in Enterprise ATT&CK\n", "110\n" ] } ], "source": [ "print(\"Number of Groups in Enterprise ATT&CK\")\n", "groups = lift.get_enterprise_groups()\n", "print(len(groups))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All PRE Groups ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 78, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in PRE-ATT&CK\n", "7\n" ] }, { "name": "stderr", "output_type": "stream", "text": [ "/usr/local/lib/python3.8/site-packages/attackcti/attack_api.py:473: UserWarning: PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\n", " warnings.warn(\"PRE ATT&CK is deprecated. It will be removed in future versions. 
Consider adjusting your application\")\n" ] } ], "source": [ "print(\"Number of Groups in PRE-ATT&CK\")\n", "groups = lift.get_pre_groups()\n", "print(len(groups))" ] }, { "cell_type": "code", "execution_count": 79, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references name \\\n", "0 [{'url': 'https://attack.mitre.org/groups/G008... TEMP.Veles \n", "1 [{'source_name': 'mitre-attack', 'url': 'https... APT17 \n", "2 [{'source_name': 'mitre-attack', 'url': 'https... APT16 \n", "3 [{'source_name': 'mitre-attack', 'url': 'https... Night Dragon \n", "\n", " description type \\\n", "0 [TEMP.Veles](https://attack.mitre.org/groups/G... intrusion-set \n", "1 [APT17](https://attack.mitre.org/groups/G0025)... intrusion-set \n", "2 [APT16](https://attack.mitre.org/groups/G0023)... intrusion-set \n", "3 [Night Dragon](https://attack.mitre.org/groups... intrusion-set \n", "\n", " id aliases \\\n", "0 intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... [TEMP.Veles, XENOTIME] \n", "1 intrusion-set--090242d7-73fc-4738-af68-20162f7... [APT17, Deputy Dog] \n", "2 intrusion-set--d6e88e18-81e8-4709-82d8-973095d... [APT16] \n", "3 intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e... 
[Night Dragon] \n", "\n", " modified created x_mitre_version \\\n", "0 2020-10-04T23:31:36.937Z 2019-04-16T15:14:38.533Z 1.2 \n", "1 2020-10-13T22:33:14.018Z 2017-05-31T21:31:57.307Z 1.1 \n", "2 2020-10-12T19:54:58.537Z 2017-05-31T21:31:56.270Z 1.1 \n", "3 2020-10-15T00:54:00.656Z 2017-05-31T21:31:51.643Z 1.3 \n", "\n", " x_mitre_contributors \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN " ] }, "execution_count": 79, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups_list = []\n", "for t in groups:\n", " groups_list.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(groups_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mobile Groups ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 80, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in Mobile ATT&CK\n", "3\n" ] } ], "source": [ "print(\"Number of Groups in Mobile ATT&CK\")\n", "groups = lift.get_mobile_groups()\n", "print(len(groups))" ] }, { "cell_type": "code", "execution_count": 81, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references \\\n", "0 [{'external_id': 'G0097', 'source_name': 'mitr... \n", "1 [{'source_name': 'mitre-attack', 'url': 'https... \n", "2 [{'external_id': 'G0007', 'url': 'https://atta... \n", "\n", " description name \\\n", "0 [Bouncing Golf](https://attack.mitre.org/group... Bouncing Golf \n", "1 [Dark Caracal](https://attack.mitre.org/groups... Dark Caracal \n", "2 [APT28](https://attack.mitre.org/groups/G0007)... APT28 \n", "\n", " type id \\\n", "0 intrusion-set intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a... \n", "1 intrusion-set intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... \n", "2 intrusion-set intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8... \n", "\n", " aliases \\\n", "0 [Bouncing Golf] \n", "1 [Dark Caracal] \n", "2 [APT28, SNAKEMACKEREL, Swallowtail, Group 74, ... \n", "\n", " modified created x_mitre_version \\\n", "0 2020-03-26T20:58:44.722Z 2020-01-27T16:55:39.688Z 1.0 \n", "1 2020-06-03T20:22:40.401Z 2018-10-17T00:14:20.652Z 1.2 \n", "2 2020-10-06T23:32:21.793Z 2017-05-31T21:31:48.664Z 3.0 \n", "\n", " x_mitre_contributors \n", "0 NaN \n", "1 NaN \n", "2 [Sébastien Ruel, CGI, Drew Church, Splunk, Emi... 
" ] }, "execution_count": 81, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups_list = []\n", "for t in groups:\n", " groups_list.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(groups_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Groups (TAXII)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "* This function gathers all groups defined in each Matrix (Enterprise, PRE & Mobile) and returns the unique ones\n", " * This is because groups can be repeated across matrices" ] }, { "cell_type": "code", "execution_count": 82, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in ATT&CK\n", "113\n" ] } ], "source": [ "print(\"Number of Groups in ATT&CK\")\n", "groups = lift.get_groups()\n", "print(len(groups))" ] }, { "cell_type": "code", "execution_count": 83, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references name \\\n", "0 [{'external_id': 'G0115', 'source_name': 'mitr... GOLD SOUTHFIELD \n", "1 [{'external_id': 'G0114', 'source_name': 'mitr... Chimera \n", "2 [{'external_id': 'G0112', 'source_name': 'mitr... Windshift \n", "3 [{'external_id': 'G0108', 'source_name': 'mitr... Blue Mockingbird \n", "\n", " description type \\\n", "0 [GOLD SOUTHFIELD](https://attack.mitre.org/gro... intrusion-set \n", "1 [Chimera](https://attack.mitre.org/groups/G011... intrusion-set \n", "2 [Windshift](https://attack.mitre.org/groups/G0... intrusion-set \n", "3 [Blue Mockingbird](https://attack.mitre.org/gr... intrusion-set \n", "\n", " id aliases \\\n", "0 intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a... [GOLD SOUTHFIELD] \n", "1 intrusion-set--8c1f0187-0826-4320-bddc-5f326cf... [Chimera] \n", "2 intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a... [Windshift, Bahamut] \n", "3 intrusion-set--73a80fab-2aa3-48e0-a4d0-3a48282... 
[Blue Mockingbird] \n", "\n", " modified created x_mitre_version \\\n", "0 2020-10-06T15:32:20.089Z 2020-09-22T19:41:27.845Z 1.0 \n", "1 2020-10-05T20:59:57.694Z 2020-08-24T17:01:55.842Z 1.0 \n", "2 2020-06-26T13:46:14.122Z 2020-06-25T17:16:39.168Z 1.0 \n", "3 2020-06-25T13:59:09.596Z 2020-05-26T20:09:39.139Z 1.0 \n", "\n", " x_mitre_contributors revoked \n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 [Tony Lambert, Red Canary] NaN " ] }, "execution_count": 83, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups_list = []\n", "for t in groups:\n", " groups_list.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(groups_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise & Mobile Software (Malware & Tools) (TAXII)" ] }, { "cell_type": "code", "execution_count": 84, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Software in ATT&CK\n", "523\n" ] } ], "source": [ "print(\"Number of Software in ATT&CK\")\n", "software = lift.get_software()\n", "print(len(software))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise Relationships ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 85, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " id name \\\n", "0 tool--975737f1-b10d-476f-8bda-3ec26ea57172 MCMD \n", "1 tool--c4810609-7da6-48ec-8057-1b70a7814db0 CrackMapExec \n", "2 tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4 CARROTBALL \n", "3 tool--115f88dd-0618-4389-83cb-98d33ae81848 ShimRatReporter \n", "\n", " description \\\n", "0 [MCMD](https://attack.mitre.org/software/S0500... \n", "1 [CrackMapExec](https://attack.mitre.org/softwa... \n", "2 [CARROTBALL](https://attack.mitre.org/software... \n", "3 [ShimRatReporter](https://attack.mitre.org/sof... \n", "\n", " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references type labels \\\n", "0 [{'external_id': 'S0500', 'source_name': 'mitr... tool [tool] \n", "1 [{'external_id': 'S0488', 'source_name': 'mitr... tool [tool] \n", "2 [{'external_id': 'S0465', 'source_name': 'mitr... tool [tool] \n", "3 [{'external_id': 'S0445', 'source_name': 'mitr... 
tool [tool] \n", "\n", " modified created x_mitre_version \\\n", "0 2020-08-20T14:52:23.369Z 2020-08-13T17:15:25.702Z 1.0 \n", "1 2020-07-29T20:19:40.544Z 2020-07-17T14:23:05.958Z 1.0 \n", "2 2020-06-10T14:44:23.055Z 2020-06-02T19:10:29.513Z 1.0 \n", "3 2020-05-27T22:39:28.701Z 2020-05-12T21:29:48.294Z 1.0 \n", "\n", " x_mitre_aliases x_mitre_platforms x_mitre_contributors \\\n", "0 [MCMD] [Windows] NaN \n", "1 [CrackMapExec] [Windows] NaN \n", "2 [CARROTBALL] [Windows] NaN \n", "3 [ShimRatReporter] [Windows] NaN \n", "\n", " x_mitre_old_attack_id revoked \n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN " ] }, "execution_count": 85, "metadata": {}, "output_type": "execute_result" } ], "source": [ "software_list = []\n", "for t in software:\n", " software_list.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(software_list)\n", "df[0:4]" ] }, { "cell_type": "code", "execution_count": 86, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in Enterprise ATT&CK\n", "9263\n" ] } ], "source": [ "print(\"Number of Relationships in Enterprise ATT&CK\")\n", "relationships = lift.get_enterprise_relationships()\n", "print(len(relationships))" ] }, { "cell_type": "code", "execution_count": 87, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references \\\n", "0 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n", "1 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n", "2 [{'source_name': 'DFIR Ryuk's Return October 2... \n", "3 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n", "\n", " id type \\\n", "0 relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd... relationship \n", "1 relationship--c118e50b-4559-4bff-bde5-78aa426f... relationship \n", "2 relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e... relationship \n", "3 relationship--585842e6-fe9a-4508-8e67-c232f8aa... relationship \n", "\n", " created \\\n", "0 2020-11-10T18:04:03.668Z \n", "1 2020-11-10T18:04:03.666Z \n", "2 2020-11-10T18:04:03.589Z \n", "3 2020-11-10T18:04:03.571Z \n", "\n", " description \\\n", "0 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n", "1 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n", "2 (Citation: DFIR Ryuk's Return October 2020)(Ci... \n", "3 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n", "\n", " created_by_ref modified \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.668Z \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.666Z \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.589Z \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.571Z \n", "\n", " source_ref relationship_type \\\n", "0 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n", "1 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n", "2 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n", "3 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... 
uses \n", "\n", " target_ref \n", "0 malware--a7881f21-e978-4fe4-af56-92c9416a2616 \n", "1 tool--afc079f3-c0ea-4096-b75d-3f05338b7f60 \n", "2 tool--b77b563c-34bb-4fb8-86a3-3694338f7b47 \n", "3 tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf " ] }, "execution_count": 87, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relations_list = []\n", "for t in relationships:\n", " relations_list.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(relations_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All PRE Relationships ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 88, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in PRE-ATT&CK\n", "69\n" ] }, { "name": "stderr", "output_type": "stream", "text": [ "/usr/local/lib/python3.8/site-packages/attackcti/attack_api.py:491: UserWarning: PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\n", " warnings.warn(\"PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application\")\n" ] } ], "source": [ "print(\"Number of Relationships in PRE-ATT&CK\")\n", "relationships = lift.get_pre_relationships()\n", "print(len(relationships))" ] }, { "cell_type": "code", "execution_count": 89, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references \\\n", "0 [{'source_name': 'Mandiant APT1', 'description... \n", "1 [{'description': 'Miller, S, et al. (2019, Apr... \n", "2 [{'description': 'Miller, S, et al. (2019, Apr... \n", "3 NaN \n", "\n", " description \\\n", "0 [APT1](https://attack.mitre.org/groups/G0006) ... \n", "1 [TEMP.Veles](https://attack.mitre.org/groups/G... \n", "2 [TEMP.Veles](https://attack.mitre.org/groups/G... \n", "3 NaN \n", "\n", " id type \\\n", "0 relationship--980656e3-ba60-49ee-9ce8-cbe1a0dc... relationship \n", "1 relationship--21842707-0f15-43bf-bc42-2bceadf2... relationship \n", "2 relationship--2d95ed6f-52e7-4708-af15-9a6c0839... relationship \n", "3 relationship--83379e43-4bc5-4c49-b0b3-f41161e8... relationship \n", "\n", " modified created \\\n", "0 2020-03-25T13:59:27.774Z 2020-03-25T13:59:27.774Z \n", "1 2019-04-29T18:59:16.596Z 2019-04-24T19:45:44.212Z \n", "2 2019-04-29T18:59:16.595Z 2019-04-24T19:45:44.205Z \n", "3 2019-02-19T18:56:56.770Z 2019-02-19T18:56:56.770Z \n", "\n", " source_ref relationship_type \\\n", "0 intrusion-set--6a2e693f-24e5-451a-9f88-b36a108... uses \n", "1 intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... uses \n", "2 intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... uses \n", "3 attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1... related-to \n", "\n", " target_ref \n", "0 attack-pattern--4900fabf-1142-4c1f-92f5-0b590e... \n", "1 attack-pattern--20a66013-8dab-4ca3-a67d-766c84... 
\n", "2 attack-pattern--795c1a92-3a26-453e-b99a-6a566a... \n", "3 attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42... " ] }, "execution_count": 89, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relations_list = []\n", "for t in relationships:\n", " relations_list.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(relations_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mobile Relationships ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 90, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in Mobile ATT&CK\n", "795\n" ] } ], "source": [ "print(\"Number of Relationships in Mobile ATT&CK\")\n", "relationships = lift.get_mobile_relationships()\n", "print(len(relationships))" ] }, { "cell_type": "code", "execution_count": 91, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id type \\\n", "0 relationship--39f46abc-d9e3-463d-9340-3bc8334a... relationship \n", "1 relationship--e373111c-aa34-4686-a286-7c9b4267... relationship \n", "2 relationship--37459382-00b7-4699-a294-d25f53bf... relationship \n", "3 relationship--455b1287-5784-42b4-91fb-01dac007... relationship \n", "\n", " modified created \\\n", "0 2020-10-23T15:05:40.967Z 2020-10-23T15:05:40.967Z \n", "1 2020-10-01T12:43:42.238Z 2020-09-30T14:48:16.522Z \n", "2 2020-10-01T12:42:21.985Z 2020-09-30T14:36:43.256Z \n", "3 2020-09-29T13:24:15.234Z 2020-09-29T13:24:15.234Z \n", "\n", " source_ref relationship_type \\\n", "0 attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab... revoked-by \n", "1 course-of-action--0beabf44-e8d8-4ae4-9122-ef56... mitigates \n", "2 course-of-action--0beabf44-e8d8-4ae4-9122-ef56... mitigates \n", "3 malware--317a2c10-d489-431e-b6b2-f0251fddc88e uses \n", "\n", " target_ref \\\n", "0 attack-pattern--77e30eee-fd48-40b4-99ec-73e97c... \n", "1 attack-pattern--8197f026-64da-4700-93b9-b55ba5... \n", "2 attack-pattern--77e30eee-fd48-40b4-99ec-73e97c... \n", "3 attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd2... \n", "\n", " description \\\n", "0 NaN \n", "1 New OS releases frequently contain additional ... \n", "2 iOS 11 introduced a first-come-first-served pr... \n", "3 [Dendroid](https://attack.mitre.org/software/S... \n", "\n", " external_references \n", "0 NaN \n", "1 NaN \n", "2 [{'source_name': 'Trend Micro iOS URL Hijackin... 
\n", "3 [{'source_name': 'Lookout-Dendroid', 'descript... " ] }, "execution_count": 91, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relations_list = []\n", "for t in relationships:\n", " relations_list.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(relations_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Relationships (TAXII)" ] }, { "cell_type": "code", "execution_count": 92, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in ATT&CK\n", "10635\n" ] } ], "source": [ "print(\"Number of Relationships in ATT&CK\")\n", "relationships = lift.get_relationships()\n", "print(len(relationships))" ] }, { "cell_type": "code", "execution_count": 93, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " external_references \\\n", "0 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n", "1 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n", "2 [{'source_name': 'DFIR Ryuk's Return October 2... \n", "3 [{'source_name': 'FireEye KEGTAP SINGLEMALT Oc... \n", "\n", " id type \\\n", "0 relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd... relationship \n", "1 relationship--c118e50b-4559-4bff-bde5-78aa426f... relationship \n", "2 relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e... relationship \n", "3 relationship--585842e6-fe9a-4508-8e67-c232f8aa... relationship \n", "\n", " created \\\n", "0 2020-11-10T18:04:03.668Z \n", "1 2020-11-10T18:04:03.666Z \n", "2 2020-11-10T18:04:03.589Z \n", "3 2020-11-10T18:04:03.571Z \n", "\n", " description \\\n", "0 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n", "1 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n", "2 (Citation: DFIR Ryuk's Return October 2020)(Ci... \n", "3 (Citation: FireEye KEGTAP SINGLEMALT October 2... \n", "\n", " created_by_ref modified \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.668Z \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.666Z \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.589Z \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 2020-11-10T18:04:03.571Z \n", "\n", " source_ref relationship_type \\\n", "0 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n", "1 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n", "2 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... uses \n", "3 intrusion-set--dd2d9ca6-505b-4860-a604-233685b... 
uses \n", "\n", " target_ref \n", "0 malware--a7881f21-e978-4fe4-af56-92c9416a2616 \n", "1 tool--afc079f3-c0ea-4096-b75d-3f05338b7f60 \n", "2 tool--b77b563c-34bb-4fb8-86a3-3694338f7b47 \n", "3 tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf " ] }, "execution_count": 93, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relations_list = []\n", "for t in relationships:\n", " relations_list.append(json.loads(t.serialize()))\n", "df = pandas.json_normalize(relations_list)\n", "df[0:4]" ] } ], "metadata": { "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.8.5" } }, "nbformat": 4, "nbformat_minor": 4 }