{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# **MITRE ATT&CK API BASICS**: Python Client\n", "------------------" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Import ATTACK API Client" ] }, { "cell_type": "code", "execution_count": 1, "metadata": {}, "outputs": [], "source": [ "from attackcti import attack_client" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Import Extra Libraries" ] }, { "cell_type": "code", "execution_count": 2, "metadata": {}, "outputs": [], "source": [ "from pandas import *\n", "from pandas.io.json import json_normalize\n", "import json" ] }, { "cell_type": "code", "execution_count": 3, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "'0.25.0'" ] }, "execution_count": 3, "metadata": {}, "output_type": "execute_result" } ], "source": [ "pandas.__version__" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Initialize ATT&CK Client Variable" ] }, { "cell_type": "code", "execution_count": 4, "metadata": {}, "outputs": [], "source": [ "lift = attack_client()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## **Collect (Enterprise ATT&CK, Pre-ATT&CK & Mobile ATT&CK)**\n", "* I usually collect all the stix object types available from all the ATT&CK Matrices first when I want to analyze ATT&CK's data.\n", "* In this section, we will collect everything from Enterprise ATT&CK, PRE-ATT&CK and Mobile ATT&CK via three functions that query ATT&CK content available in STIX™ 2.0 format via its own public TAXII™ 2.0 server:\n", " * get_enterprise()\n", " * get_pre()\n", " * get_mobile()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Collect ALL Enterprise ATT&CK (TAXII)**" ] }, { "cell_type": "code", "execution_count": 5, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 5.18 s, sys: 820 ms, total: 6 s\n", "Wall time: 11.7 s\n" ] } ], "source": [ "%time all_enterprise = lift.get_enterprise()" ] 
}, { "cell_type": "markdown", "metadata": {}, "source": [ "**Collect ALL PRE-ATT&CK (TAXII)**" ] }, { "cell_type": "code", "execution_count": 6, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 170 ms, sys: 100 ms, total: 270 ms\n", "Wall time: 1.52 s\n" ] } ], "source": [ "%time all_pre = lift.get_pre()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Collect ALL Mobile ATT&CK (TAXII)**" ] }, { "cell_type": "code", "execution_count": 7, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 640 ms, sys: 120 ms, total: 760 ms\n", "Wall time: 2.98 s\n" ] } ], "source": [ "%time all_mobile = lift.get_mobile()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## **Collect ALL (runs all three previous functions and collects all the results)**" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "The **get_stix_objects()** function returns a dictionary with all the STIX object types from all matrices:\n", "* techniques\n", "* mitigations\n", "* groups\n", "* malware\n", "* tools\n", "* relationships" ] }, { "cell_type": "code", "execution_count": 8, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "CPU times: user 51 s, sys: 730 ms, total: 51.7 s\n", "Wall time: 1min\n" ] } ], "source": [ "%time all_attack = lift.get_stix_objects()" ] }, { "cell_type": "code", "execution_count": 9, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "dict" ] }, "execution_count": 9, "metadata": {}, "output_type": "execute_result" } ], "source": [ "type(all_attack)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Techniques from ATT&CK Results (Locally - STIX format)\n", "* The results show every single technique across the whole ATT&CK framework, without their mitigation information" ] }, { "cell_type": "code", "execution_count": 10, "metadata": {}, "outputs": [ { "name": 
"stdout", "output_type": "stream", "text": [ "Number of Techniques in ATT&CK\n", "500\n" ] } ], "source": [ "print(\"Number of Techniques in ATT&CK\")\n", "print(len(all_attack['techniques']))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "* By default, the data returned by the available functions in the attackcti library is of type **stix2**\n", "* However, if you want to interact with libraries such as **Pandas**, it needs to be of type **dict**" ] }, { "cell_type": "code", "execution_count": 11, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created name \\\n", "0 2019-04-25T20:53:07.719Z Compile After Delivery \n", "1 2019-04-23T15:34:30.008Z Systemd Service \n", "2 2019-04-18T11:00:55.862Z Endpoint Denial of Service \n", "3 2019-04-17T22:22:24.505Z Virtualization/Sandbox Evasion \n", "4 2019-04-17T20:23:15.105Z Network Denial of Service \n", "\n", " x_mitre_data_sources x_mitre_platforms \n", "0 [Process command-line parameters, Process moni... [Linux, macOS, Windows] \n", "1 [Process command-line parameters, Process moni... [Linux] \n", "2 [SSL/TLS inspection, Web logs, Web application... [Linux, macOS, Windows] \n", "3 [Process monitoring, Process command-line para... [Windows] \n", "4 [Sensor health and status, Network protocol an... [Linux, macOS, Windows] " ] }, "execution_count": 11, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques = []\n", "for t in all_attack['techniques']:\n", " techniques.append(json.loads(t.serialize()))\n", "df = json_normalize(techniques)\n", "df.reindex(['created','name', 'x_mitre_data_sources', 'x_mitre_platforms'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Techniques**" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "This schema covers techniques from Enterprise, PRE and Mobile ATT&CK" ] }, { "cell_type": "code", "execution_count": 12, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['external_references',\n", " 'object_marking_refs',\n", " 'type',\n", " 'modified',\n", " 'created_by_ref',\n", " 'kill_chain_phases',\n", " 'id',\n", " 'name',\n", " 'created',\n", " 'description',\n", " 'x_mitre_contributors',\n", " 'x_mitre_permissions_required',\n", " 'x_mitre_data_sources',\n", " 'x_mitre_detection',\n", " 'x_mitre_platforms',\n", " 'x_mitre_version',\n", " 'x_mitre_system_requirements',\n", " 'x_mitre_defense_bypassed',\n", " 'x_mitre_impact_type',\n", " 'x_mitre_remote_support',\n", " 'x_mitre_effective_permissions',\n", " 
'x_mitre_network_requirements',\n", " 'x_mitre_detectable_by_common_defenses',\n", " 'x_mitre_difficulty_for_adversary_explanation',\n", " 'x_mitre_old_attack_id',\n", " 'x_mitre_difficulty_for_adversary',\n", " 'x_mitre_detectable_by_common_defenses_explanation',\n", " 'x_mitre_deprecated',\n", " 'x_mitre_tactic_type',\n", " 'revoked']" ] }, "execution_count": 12, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing one technique example**" ] }, { "cell_type": "code", "execution_count": 13, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'external_references': [{'external_id': 'T1500',\n", " 'source_name': 'mitre-attack',\n", " 'url': 'https://attack.mitre.org/techniques/T1500'},\n", " {'url': 'https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf',\n", " 'source_name': 'ClearSky MuddyWater Nov 2018',\n", " 'description': 'ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.'},\n", " {'url': 'https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/',\n", " 'source_name': 'TrendMicro WindowsAppMac',\n", " 'description': 'Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads Info Stealer and Adware. 
Retrieved April 25, 2019.'}],\n", " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'type': 'attack-pattern',\n", " 'modified': '2019-04-29T21:13:49.686Z',\n", " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'kill_chain_phases': [{'phase_name': 'defense-evasion',\n", " 'kill_chain_name': 'mitre-attack'}],\n", " 'id': 'attack-pattern--cf7b3a06-8b42-4c33-bbe9-012120027925',\n", " 'name': 'Compile After Delivery',\n", " 'created': '2019-04-25T20:53:07.719Z',\n", " 'description': 'Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\\n\\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193). 
Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)\\n',\n", " 'x_mitre_contributors': ['Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank',\n", " 'Praetorian'],\n", " 'x_mitre_permissions_required': ['User'],\n", " 'x_mitre_data_sources': ['Process command-line parameters',\n", " 'Process monitoring',\n", " 'File monitoring'],\n", " 'x_mitre_detection': 'Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. The compilation of payloads may also generate file creation and/or file write events. Look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system.(Citation: TrendMicro WindowsAppMac) Typically these should only be used in specific and limited cases, like for software development.',\n", " 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],\n", " 'x_mitre_version': '1.0',\n", " 'x_mitre_system_requirements': ['Compiler software (either native to the system or delivered by the adversary)'],\n", " 'x_mitre_defense_bypassed': ['Static File Analysis',\n", " 'Binary Analysis',\n", " 'Anti-virus',\n", " 'Host intrusion prevention systems',\n", " 'Signature-based detection']}" ] }, "execution_count": 13, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mitigations from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 14, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in ATT&CK\n", "295\n" ] } 
], "source": [ "print(\"Number of Mitigations in ATT&CK\")\n", "print(len(all_attack['mitigations']))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "* Remember, we need to transform our results to dictionaries to be able to use them as pandas dataframes" ] }, { "cell_type": "code", "execution_count": 15, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description type \\\n", "0 This category is to associate techniques that ... course-of-action \n", "1 Implement configuration changes to software (o... course-of-action \n", "2 Take and store data backups from end user syst... course-of-action \n", "3 Configure Windows User Account Control to miti... course-of-action \n", "\n", " name object_marking_refs \\\n", "0 Do Not Mitigate [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 Software Configuration [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 Data Backup [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 User Account Control [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 course-of-action--787fb64d-c87b-4ee5-a341-0ef1... \n", "1 course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... \n", "2 course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... \n", "3 course-of-action--2c2ad92a-d710-41ab-a996-1db1... \n", "\n", " external_references \\\n", "0 [{'external_id': 'M1055', 'source_name': 'mitr... \n", "1 [{'external_id': 'M1054', 'source_name': 'mitr... \n", "2 [{'external_id': 'M1053', 'source_name': 'mitr... \n", "3 [{'external_id': 'M1052', 'source_name': 'mitr... 
\n", "\n", " modified created x_mitre_version \\\n", "0 2019-07-23T14:44:24.727Z 2019-07-19T14:58:42.715Z 1.0 \n", "1 2019-07-19T14:57:15.656Z 2019-07-19T14:40:23.529Z 1.0 \n", "2 2019-07-19T14:33:33.543Z 2019-07-19T14:33:33.543Z 1.0 \n", "3 2019-06-11T17:14:35.170Z 2019-06-11T17:14:35.170Z 1.0 \n", "\n", " x_mitre_deprecated x_mitre_old_attack_id \n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN " ] }, "execution_count": 15, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mitigations = []\n", "for t in all_attack['mitigations']:\n", " mitigations.append(json.loads(t.serialize()))\n", "df = json_normalize(mitigations)\n", "df[0:4]" ] }, { "cell_type": "code", "execution_count": 16, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['created_by_ref',\n", " 'description',\n", " 'type',\n", " 'name',\n", " 'object_marking_refs',\n", " 'id',\n", " 'external_references',\n", " 'modified',\n", " 'created',\n", " 'x_mitre_version',\n", " 'x_mitre_deprecated',\n", " 'x_mitre_old_attack_id']" ] }, "execution_count": 16, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Groups from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 17, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in ATT&CK\n", "93\n" ] } ], "source": [ "print(\"Number of Groups in ATT&CK\")\n", "print(len(all_attack['groups']))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "* Once again, we need to transform our results to dictionaries to be able to use them as pandas dataframes" ] }, { "cell_type": "code", "execution_count": 18, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description aliases \\\n", "0 Operation [Soft Cell](https://attack.mitre.org... [Soft Cell] \n", "1 [TA505](https://attack.mitre.org/groups/G0092)... [TA505] \n", "2 [Silence](https://attack.mitre.org/groups/G009... [Silence] \n", "3 [WIRTE](https://attack.mitre.org/groups/G0090)... [WIRTE] \n", "\n", " id \\\n", "0 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... \n", "1 intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb... \n", "2 intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb... \n", "3 intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3... \n", "\n", " external_references \\\n", "0 [{'external_id': 'G0093', 'source_name': 'mitr... \n", "1 [{'external_id': 'G0092', 'source_name': 'mitr... \n", "2 [{'external_id': 'G0091', 'source_name': 'mitr... \n", "3 [{'external_id': 'G0090', 'source_name': 'mitr... \n", "\n", " modified type created \\\n", "0 2019-07-22T15:49:28.637Z intrusion-set 2019-07-18T20:47:50.050Z \n", "1 2019-06-24T19:11:41.060Z intrusion-set 2019-05-28T15:54:17.213Z \n", "2 2019-07-16T16:12:09.085Z intrusion-set 2019-05-24T17:57:36.491Z \n", "3 2019-06-20T15:30:38.517Z intrusion-set 2019-05-24T17:02:44.226Z \n", "\n", " object_marking_refs name \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... Soft Cell \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... TA505 \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... Silence \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... 
WIRTE \n", "\n", " x_mitre_version x_mitre_contributors revoked \n", "0 1.0 [Cybereason Nocturnus, @nocturnus] NaN \n", "1 1.0 NaN NaN \n", "2 1.0 [Oleg Skulkin, Group-IB] NaN \n", "3 1.0 [Lab52 by S2 Grupo] NaN " ] }, "execution_count": 18, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups = []\n", "for t in all_attack['groups']:\n", " groups.append(json.loads(t.serialize()))\n", "df = json_normalize(groups)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Groups**" ] }, { "cell_type": "code", "execution_count": 19, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['created_by_ref',\n", " 'description',\n", " 'aliases',\n", " 'id',\n", " 'external_references',\n", " 'modified',\n", " 'type',\n", " 'created',\n", " 'object_marking_refs',\n", " 'name',\n", " 'x_mitre_version',\n", " 'x_mitre_contributors',\n", " 'revoked']" ] }, "execution_count": 19, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing one Group example**" ] }, { "cell_type": "code", "execution_count": 20, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'description': 'Operation [Soft Cell](https://attack.mitre.org/groups/G0093) is a group that is reportedly affiliated with China and is likely state-sponsored. 
The group has operated since at least 2012 and has compromised high-profile telecommunications networks.(Citation: Cybereason Soft Cell June 2019)',\n", " 'aliases': ['Soft Cell'],\n", " 'id': 'intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258',\n", " 'external_references': [{'external_id': 'G0093',\n", " 'source_name': 'mitre-attack',\n", " 'url': 'https://attack.mitre.org/groups/G0093'},\n", " {'source_name': 'Soft Cell',\n", " 'description': '(Citation: Cybereason Soft Cell June 2019)'},\n", " {'source_name': 'Cybereason Soft Cell June 2019',\n", " 'description': 'Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.',\n", " 'url': 'https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers'}],\n", " 'modified': '2019-07-22T15:49:28.637Z',\n", " 'type': 'intrusion-set',\n", " 'created': '2019-07-18T20:47:50.050Z',\n", " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'name': 'Soft Cell',\n", " 'x_mitre_version': '1.0',\n", " 'x_mitre_contributors': ['Cybereason Nocturnus, @nocturnus']}" ] }, "execution_count": 20, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Malware objects from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 21, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Malware in ATT&CK\n", "341\n" ] } ], "source": [ "print(\"Number of Malware in ATT&CK\")\n", "print(len(all_attack['malware']))" ] }, { "cell_type": "code", "execution_count": 22, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description \\\n", "0 [HyperBro ](https://attack.mitre.org/software/... \n", "1 [LoJax](https://attack.mitre.org/software/S039... \n", "2 [EvilBunny](https://attack.mitre.org/software/... \n", "3 [LightNeuron](https://attack.mitre.org/softwar... \n", "\n", " id \\\n", "0 malware--5e814485-012d-423d-b769-026bfed0f451 \n", "1 malware--b865dded-0553-4962-a44b-6fe7863effed \n", "2 malware--a8a778f5-0035-4870-bb25-53dc05029586 \n", "3 malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb \n", "\n", " external_references \\\n", "0 [{'external_id': 'S0398', 'source_name': 'mitr... \n", "1 [{'external_id': 'S0397', 'source_name': 'mitr... \n", "2 [{'external_id': 'S0396', 'source_name': 'mitr... \n", "3 [{'external_id': 'S0395', 'source_name': 'mitr... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... 
\n", "\n", " modified type created name \\\n", "0 2019-07-14T21:14:18.656Z malware 2019-07-09T17:42:44.777Z HyperBro \n", "1 2019-07-02T20:53:26.470Z malware 2019-07-02T12:58:09.598Z LoJax \n", "2 2019-07-01T18:16:32.917Z malware 2019-06-28T17:40:32.217Z EvilBunny \n", "3 2019-07-16T17:12:00.360Z malware 2019-06-28T13:09:26.710Z LightNeuron \n", "\n", " labels x_mitre_version x_mitre_platforms x_mitre_aliases \\\n", "0 [malware] 1.0 [Windows] [HyperBro ] \n", "1 [malware] 1.0 [Windows] [LoJax] \n", "2 [malware] 1.0 [Windows] [EvilBunny] \n", "3 [malware] 1.0 [Windows, Linux] [LightNeuron] \n", "\n", " x_mitre_contributors revoked x_mitre_old_attack_id \n", "0 NaN NaN NaN \n", "1 [Jean-Ian Boutin, ESET] NaN NaN \n", "2 [ESET] NaN NaN \n", "3 NaN NaN NaN " ] }, "execution_count": 22, "metadata": {}, "output_type": "execute_result" } ], "source": [ "malware = []\n", "for t in all_attack['malware']:\n", " malware.append(json.loads(t.serialize()))\n", "df = json_normalize(malware)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Malware**" ] }, { "cell_type": "code", "execution_count": 23, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['created_by_ref',\n", " 'description',\n", " 'id',\n", " 'external_references',\n", " 'object_marking_refs',\n", " 'modified',\n", " 'type',\n", " 'created',\n", " 'name',\n", " 'labels',\n", " 'x_mitre_version',\n", " 'x_mitre_platforms',\n", " 'x_mitre_aliases',\n", " 'x_mitre_contributors',\n", " 'revoked',\n", " 'x_mitre_old_attack_id']" ] }, "execution_count": 23, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing one Malware example**" ] }, { "cell_type": "code", "execution_count": 24, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'description': '[HyperBro 
](https://attack.mitre.org/software/S0398) is a custom in-memory backdoor used by [Threat Group-3390](https://attack.mitre.org/groups/G0027).(Citation: Unit42 Emissary Panda May 2019)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)',\n", " 'id': 'malware--5e814485-012d-423d-b769-026bfed0f451',\n", " 'external_references': [{'external_id': 'S0398',\n", " 'source_name': 'mitre-attack',\n", " 'url': 'https://attack.mitre.org/software/S0398'},\n", " {'source_name': 'HyperBro ',\n", " 'description': '(Citation: Unit42 Emissary Panda May 2019)'},\n", " {'source_name': 'Unit42 Emissary Panda May 2019',\n", " 'description': 'Falcone, R. and Lancaster, T.. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.',\n", " 'url': 'https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/'},\n", " {'source_name': 'Securelist LuckyMouse June 2018',\n", " 'description': 'Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.',\n", " 'url': 'https://securelist.com/luckymouse-hits-national-data-center/86083/'},\n", " {'source_name': 'Hacker News LuckyMouse June 2018',\n", " 'description': 'Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. 
Retrieved August 18, 2018.',\n", " 'url': 'https://thehackernews.com/2018/06/chinese-watering-hole-attack.html'}],\n", " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'modified': '2019-07-14T21:14:18.656Z',\n", " 'type': 'malware',\n", " 'created': '2019-07-09T17:42:44.777Z',\n", " 'name': 'HyperBro ',\n", " 'labels': ['malware'],\n", " 'x_mitre_version': '1.0',\n", " 'x_mitre_platforms': ['Windows'],\n", " 'x_mitre_aliases': ['HyperBro ']}" ] }, "execution_count": 24, "metadata": {}, "output_type": "execute_result" } ], "source": [ "malware[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Tools from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 25, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Tools in ATT&CK\n", "57\n" ] } ], "source": [ "print(\"Number of Tools in ATT&CK\")\n", "print(len(all_attack['tools']))" ] }, { "cell_type": "code", "execution_count": 26, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description \\\n", "0 [PoshC2](https://attack.mitre.org/software/S03... \n", "1 [RawDisk](https://attack.mitre.org/software/S0... \n", "2 [Empire](https://attack.mitre.org/software/S03... \n", "3 [Expand](https://attack.mitre.org/software/S03... \n", "\n", " id \\\n", "0 tool--4b57c098-f043-4da2-83ef-7588a6d426bc \n", "1 tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079 \n", "2 tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3 \n", "3 tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973 \n", "\n", " external_references \\\n", "0 [{'external_id': 'S0378', 'source_name': 'mitr... \n", "1 [{'external_id': 'S0364', 'source_name': 'mitr... \n", "2 [{'external_id': 'S0363', 'source_name': 'mitr... \n", "3 [{'external_id': 'S0361', 'source_name': 'mitr... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... 
\n", "\n", " modified type created name labels \\\n", "0 2019-04-23T18:29:12.005Z tool 2019-04-23T12:31:58.125Z PoshC2 [tool] \n", "1 2019-04-19T19:04:55.892Z tool 2019-03-25T12:30:40.919Z RawDisk [tool] \n", "2 2019-06-24T17:15:43.818Z tool 2019-03-11T14:13:40.648Z Empire [tool] \n", "3 2019-04-19T18:52:30.033Z tool 2019-02-19T19:17:14.971Z Expand [tool] \n", "\n", " x_mitre_version x_mitre_platforms \\\n", "0 1.0 [Windows, Linux, macOS] \n", "1 1.0 [Windows] \n", "2 1.0 [Linux, macOS, Windows] \n", "3 1.0 [Windows] \n", "\n", " x_mitre_aliases x_mitre_contributors \\\n", "0 [PoshC2] NaN \n", "1 [RawDisk] NaN \n", "2 [Empire, EmPyre, PowerShell Empire] NaN \n", "3 [Expand] [Matthew Demaske, Adaptforward] \n", "\n", " x_mitre_old_attack_id \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN " ] }, "execution_count": 26, "metadata": {}, "output_type": "execute_result" } ], "source": [ "tools = []\n", "for t in all_attack['tools']:\n", " tools.append(json.loads(t.serialize()))\n", "df = json_normalize(tools)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Tools**" ] }, { "cell_type": "code", "execution_count": 27, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['created_by_ref',\n", " 'description',\n", " 'id',\n", " 'external_references',\n", " 'object_marking_refs',\n", " 'modified',\n", " 'type',\n", " 'created',\n", " 'name',\n", " 'labels',\n", " 'x_mitre_version',\n", " 'x_mitre_platforms',\n", " 'x_mitre_aliases',\n", " 'x_mitre_contributors',\n", " 'x_mitre_old_attack_id']" ] }, "execution_count": 27, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing one Tool example**" ] }, { "cell_type": "code", "execution_count": 28, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'description': 
'[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://attack.mitre.org/techniques/T1086). Although [PoshC2](https://attack.mitre.org/software/S0378) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)',\n", " 'id': 'tool--4b57c098-f043-4da2-83ef-7588a6d426bc',\n", " 'external_references': [{'external_id': 'S0378',\n", " 'source_name': 'mitre-attack',\n", " 'url': 'https://attack.mitre.org/software/S0378'},\n", " {'source_name': 'GitHub PoshC2',\n", " 'description': 'Nettitude. (2016, June 8). PoshC2: Powershell C2 Server and Implants. Retrieved April 23, 2019.',\n", " 'url': 'https://github.com/nettitude/PoshC2'}],\n", " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'modified': '2019-04-23T18:29:12.005Z',\n", " 'type': 'tool',\n", " 'created': '2019-04-23T12:31:58.125Z',\n", " 'name': 'PoshC2',\n", " 'labels': ['tool'],\n", " 'x_mitre_version': '1.0',\n", " 'x_mitre_platforms': ['Windows', 'Linux', 'macOS'],\n", " 'x_mitre_aliases': ['PoshC2']}" ] }, "execution_count": 28, "metadata": {}, "output_type": "execute_result" } ], "source": [ "tools[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Relationships from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 29, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in ATT&CK\n", "6067\n" ] } ], "source": [ "print(\"Number of Relationships in ATT&CK\")\n", "print(len(all_attack['relationships']))" ] }, { "cell_type": "code", "execution_count": 30, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description type \\\n", "0 [Soft Cell](https://attack.mitre.org/groups/G0... relationship \n", "1 [Soft Cell](https://attack.mitre.org/groups/G0... relationship \n", "2 [Soft Cell](https://attack.mitre.org/groups/G0... relationship \n", "3 [Soft Cell](https://attack.mitre.org/groups/G0... relationship \n", "\n", " created \\\n", "0 2019-07-22T15:49:28.744Z \n", "1 2019-07-22T15:35:24.376Z \n", "2 2019-07-22T15:35:24.363Z \n", "3 2019-07-22T15:35:24.351Z \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 relationship--380743e5-616c-4524-96e6-d545e5b6... \n", "1 relationship--919f6143-eb8c-48cd-8741-118040c3... \n", "2 relationship--ee4d1b24-603f-40df-8f21-3c053fba... \n", "3 relationship--38be247c-74b0-42f3-964e-5f23ef42... \n", "\n", " external_references \\\n", "0 [{'source_name': 'Cybereason Soft Cell June 20... \n", "1 [{'source_name': 'Cybereason Soft Cell June 20... \n", "2 [{'source_name': 'Cybereason Soft Cell June 20... \n", "3 [{'source_name': 'Cybereason Soft Cell June 20... \n", "\n", " modified \\\n", "0 2019-07-22T15:49:28.744Z \n", "1 2019-07-22T15:49:29.135Z \n", "2 2019-07-22T15:49:29.090Z \n", "3 2019-07-22T15:49:29.092Z \n", "\n", " source_ref relationship_type \\\n", "0 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... uses \n", "1 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... uses \n", "2 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... uses \n", "3 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... 
uses \n", "\n", " target_ref \n", "0 attack-pattern--92d7da27-2d91-488e-a00c-059dc1... \n", "1 attack-pattern--00d0b012-8a03-410e-95de-5826bf... \n", "2 attack-pattern--c23b740b-a42b-47a1-aec2-9d48dd... \n", "3 attack-pattern--3c4a2599-71ee-4405-ba1e-0e2841... " ] }, "execution_count": 30, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relationships = []\n", "for t in all_attack['relationships']:\n", " relationships.append(json.loads(t.serialize()))\n", "df = json_normalize(relationships)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Relationships**" ] }, { "cell_type": "code", "execution_count": 31, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['created_by_ref',\n", " 'description',\n", " 'type',\n", " 'created',\n", " 'object_marking_refs',\n", " 'id',\n", " 'external_references',\n", " 'modified',\n", " 'source_ref',\n", " 'relationship_type',\n", " 'target_ref']" ] }, "execution_count": 31, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing one Relationship example**" ] }, { "cell_type": "code", "execution_count": 32, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'description': '[Soft Cell](https://attack.mitre.org/groups/G0093) used Web shells and [HTRAN](https://attack.mitre.org/software/S0040) for C2 as well as to exfiltrate data.',\n", " 'type': 'relationship',\n", " 'created': '2019-07-22T15:49:28.744Z',\n", " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'id': 'relationship--380743e5-616c-4524-96e6-d545e5b653ea',\n", " 'external_references': [{'source_name': 'Cybereason Soft Cell June 2019',\n", " 'description': 'Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. 
Retrieved July 18, 2019.',\n", " 'url': 'https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers'}],\n", " 'modified': '2019-07-22T15:49:28.744Z',\n", " 'source_ref': 'intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258',\n", " 'relationship_type': 'uses',\n", " 'target_ref': 'attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d'}" ] }, "execution_count": 32, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relationships[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Tactics from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 33, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Tactics in ATT&CK\n", "40\n" ] } ], "source": [ "print(\"Number of Tactics in ATT&CK\")\n", "print(len(all_attack['tactics']))" ] }, { "cell_type": "code", "execution_count": 34, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description type \\\n", "0 The adversary is trying to manipulate, interru... x-mitre-tactic \n", "1 The adversary is trying to gather data of inte... x-mitre-tactic \n", "2 The adversary is trying to communicate with co... x-mitre-tactic \n", "3 The adversary is trying to steal account names... x-mitre-tactic \n", "\n", " name object_marking_refs \\\n", "0 Impact [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 Collection [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 Command and Control [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 Credential Access [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 x-mitre-tactic--5569339b-94c2-49ee-afb3-222293... \n", "1 x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d... \n", "2 x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd1... \n", "3 x-mitre-tactic--2558fd61-8c75-4730-94c4-11926d... \n", "\n", " external_references \\\n", "0 [{'external_id': 'TA0040', 'source_name': 'mit... \n", "1 [{'external_id': 'TA0009', 'source_name': 'mit... \n", "2 [{'external_id': 'TA0011', 'source_name': 'mit... \n", "3 [{'external_id': 'TA0006', 'source_name': 'mit... 
\n", "\n", " modified created x_mitre_shortname \n", "0 2019-07-25T18:42:23.222Z 2019-03-14T18:44:44.639Z impact \n", "1 2019-07-19T17:44:53.176Z 2018-10-17T00:14:20.652Z collection \n", "2 2019-07-19T17:45:30.644Z 2018-10-17T00:14:20.652Z command-and-control \n", "3 2019-07-19T17:43:41.967Z 2018-10-17T00:14:20.652Z credential-access " ] }, "execution_count": 34, "metadata": {}, "output_type": "execute_result" } ], "source": [ "df = json_normalize(all_attack['tactics'])\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Tactics**" ] }, { "cell_type": "code", "execution_count": 35, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['created_by_ref',\n", " 'description',\n", " 'type',\n", " 'name',\n", " 'object_marking_refs',\n", " 'id',\n", " 'external_references',\n", " 'modified',\n", " 'created',\n", " 'x_mitre_shortname']" ] }, "execution_count": 35, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Matrices from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 36, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Matrices in ATT&CK\n", "4\n" ] } ], "source": [ "print(\"Number of Matrices in ATT&CK\")\n", "print(len(all_attack['matrix']))" ] }, { "cell_type": "code", "execution_count": 37, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " external_references \\\n", "0 [{'external_id': 'enterprise-attack', 'source_... \n", "1 [{'external_id': 'pre-attack', 'source_name': ... \n", "2 [{'external_id': 'mobile-attack', 'source_name... \n", "3 [{'external_id': 'mobile-attack', 'source_name... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id name \\\n", "0 x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a8... Enterprise ATT&CK \n", "1 x-mitre-matrix--2e2c97c3-1908-4e2d-a711-a27d38... PRE-ATT&CK \n", "2 x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd... Network-Based Effects \n", "3 x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff0... Device Access \n", "\n", " created modified type \\\n", "0 2018-10-17T00:14:20.652Z 2019-04-16T21:39:18.247Z x-mitre-matrix \n", "1 2018-10-17T00:14:20.652Z 2018-11-06T19:05:34.143Z x-mitre-matrix \n", "2 2018-10-17T00:14:20.652Z 2018-10-17T00:14:20.652Z x-mitre-matrix \n", "3 2018-10-17T00:14:20.652Z 2018-10-17T00:14:20.652Z x-mitre-matrix \n", "\n", " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description \\\n", "0 The full ATT&CK Matrix includes techniques spa... \n", "1 The MITRE PRE-ATT&CK Matrix™ is an overview of... \n", "2 The MITRE ATT&CK Matrix™ provides a visual rep... \n", "3 The MITRE ATT&CK Matrix™ provides a visual rep... \n", "\n", " tactic_refs \n", "0 [x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3be... \n", "1 [x-mitre-tactic--b2a086f2-d3db-408b-b4d4-e09a1... \n", "2 [x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc4... \n", "3 [x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290... 
" ] }, "execution_count": 37, "metadata": {}, "output_type": "execute_result" } ], "source": [ "df = json_normalize(all_attack['matrix'])\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Matrices**" ] }, { "cell_type": "code", "execution_count": 38, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['external_references',\n", " 'object_marking_refs',\n", " 'id',\n", " 'name',\n", " 'created',\n", " 'modified',\n", " 'type',\n", " 'created_by_ref',\n", " 'description',\n", " 'tactic_refs']" ] }, "execution_count": 38, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise ATT&CK ONLY from Results (Locally)\n", "* We can also grab the results from each get_* function that we ran earlier, and start extracting specific stix object types such as techniques, mitigations, groups, malware, tools and relationships from each specific matrix.\n", "* It is important to remember that the stix object information is being retrieved from the results of the initial three **get_*** functions; the TAXII Server is not queried again every time we want information about a specific stix object type." ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Techniques**" ] }, { "cell_type": "code", "execution_count": 39, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in Enterprise ATT&CK\n", "244\n" ] } ], "source": [ "print(\"Number of Techniques in Enterprise ATT&CK\")\n", "print(len(all_enterprise['techniques']))" ] }, { "cell_type": "code", "execution_count": 40, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " external_references \\\n", "0 [{'external_id': 'T1500', 'source_name': 'mitr... \n", "1 [{'external_id': 'T1501', 'source_name': 'mitr... \n", "2 [{'external_id': 'T1499', 'source_name': 'mitr... \n", "3 [{'external_id': 'T1497', 'source_name': 'mitr... \n", "\n", " object_marking_refs type \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n", "\n", " modified created_by_ref \\\n", "0 2019-04-29T21:13:49.686Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 2019-04-29T14:14:08.450Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 2019-04-29T13:20:36.795Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 2019-06-10T17:37:37.138Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " kill_chain_phases \\\n", "0 [{'phase_name': 'defense-evasion', 'kill_chain... \n", "1 [{'phase_name': 'persistence', 'kill_chain_nam... \n", "2 [{'phase_name': 'impact', 'kill_chain_name': '... \n", "3 [{'phase_name': 'defense-evasion', 'kill_chain... \n", "\n", " id \\\n", "0 attack-pattern--cf7b3a06-8b42-4c33-bbe9-012120... \n", "1 attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303... \n", "2 attack-pattern--c675646d-e204-4aa8-978d-e3d6d6... \n", "3 attack-pattern--82caa33e-d11a-433a-94ea-9b5a5f... \n", "\n", " name created \\\n", "0 Compile After Delivery 2019-04-25T20:53:07.719Z \n", "1 Systemd Service 2019-04-23T15:34:30.008Z \n", "2 Endpoint Denial of Service 2019-04-18T11:00:55.862Z \n", "3 Virtualization/Sandbox Evasion 2019-04-17T22:22:24.505Z \n", "\n", " description ... \\\n", "0 Adversaries may attempt to make payloads diffi... ... \n", "1 Systemd services can be used to establish pers... ... \n", "2 Adversaries may perform Endpoint Denial of Ser... ... 
\n", "3 Adversaries may check for the presence of a vi... ... \n", "\n", " x_mitre_data_sources \\\n", "0 [Process command-line parameters, Process moni... \n", "1 [Process command-line parameters, Process moni... \n", "2 [SSL/TLS inspection, Web logs, Web application... \n", "3 [Process monitoring, Process command-line para... \n", "\n", " x_mitre_detection x_mitre_platforms \\\n", "0 Monitor the execution file paths and command-l... [Linux, macOS, Windows] \n", "1 Systemd service unit files may be detected by ... [Linux] \n", "2 Detection of Endpoint DoS can sometimes be ach... [Linux, macOS, Windows] \n", "3 Virtualization, sandbox, and related discovery... [Windows] \n", "\n", " x_mitre_version x_mitre_system_requirements \\\n", "0 1.0 [Compiler software (either native to the syste... \n", "1 1.0 NaN \n", "2 1.0 NaN \n", "3 1.0 NaN \n", "\n", " x_mitre_defense_bypassed x_mitre_impact_type \\\n", "0 [Static File Analysis, Binary Analysis, Anti-v... NaN \n", "1 NaN NaN \n", "2 NaN [Availability] \n", "3 [Anti-virus, Host forensic analysis, Signature... 
NaN \n", "\n", " x_mitre_remote_support x_mitre_effective_permissions \\\n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN \n", "\n", " x_mitre_network_requirements \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN \n", "\n", "[4 rows x 22 columns]" ] }, "execution_count": 40, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques = []\n", "for t in all_enterprise['techniques']:\n", " techniques.append(json.loads(t.serialize()))\n", "df = json_normalize(techniques)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Mitigations**" ] }, { "cell_type": "code", "execution_count": 41, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in Enterprise ATT&CK\n", "281\n" ] } ], "source": [ "print(\"Number of Mitigations in Enterprise ATT&CK\")\n", "print(len(all_enterprise['mitigations']))" ] }, { "cell_type": "code", "execution_count": 42, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
[HTML rendering of df[0:5] omitted: a five-row course-of-action DataFrame (M1055 Do Not Mitigate, M1054 Software Configuration, M1053 Data Backup, M1052 User Account Control, M1051 Update Software) with columns created_by_ref, description, type, name, object_marking_refs, id, external_references, modified, created, x_mitre_version, x_mitre_deprecated; the same rows appear in the text/plain output that follows]
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "4 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description type \\\n", "0 This category is to associate techniques that ... course-of-action \n", "1 Implement configuration changes to software (o... course-of-action \n", "2 Take and store data backups from end user syst... course-of-action \n", "3 Configure Windows User Account Control to miti... course-of-action \n", "4 Perform regular software updates to mitigate e... course-of-action \n", "\n", " name object_marking_refs \\\n", "0 Do Not Mitigate [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 Software Configuration [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 Data Backup [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 User Account Control [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "4 Update Software [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 course-of-action--787fb64d-c87b-4ee5-a341-0ef1... \n", "1 course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... \n", "2 course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... \n", "3 course-of-action--2c2ad92a-d710-41ab-a996-1db1... \n", "4 course-of-action--e5d930e9-775a-40ad-9bdb-b941... \n", "\n", " external_references \\\n", "0 [{'external_id': 'M1055', 'source_name': 'mitr... \n", "1 [{'external_id': 'M1054', 'source_name': 'mitr... \n", "2 [{'external_id': 'M1053', 'source_name': 'mitr... \n", "3 [{'external_id': 'M1052', 'source_name': 'mitr... \n", "4 [{'external_id': 'M1051', 'source_name': 'mitr... 
\n", "\n", " modified created x_mitre_version \\\n", "0 2019-07-23T14:44:24.727Z 2019-07-19T14:58:42.715Z 1.0 \n", "1 2019-07-19T14:57:15.656Z 2019-07-19T14:40:23.529Z 1.0 \n", "2 2019-07-19T14:33:33.543Z 2019-07-19T14:33:33.543Z 1.0 \n", "3 2019-06-11T17:14:35.170Z 2019-06-11T17:14:35.170Z 1.0 \n", "4 2019-06-11T17:12:55.207Z 2019-06-11T17:12:55.207Z 1.0 \n", "\n", " x_mitre_deprecated \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN \n", "4 NaN " ] }, "execution_count": 42, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mitigations = []\n", "for t in all_enterprise['mitigations']:\n", " mitigations.append(json.loads(t.serialize()))\n", "df = json_normalize(mitigations)\n", "df[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Groups**" ] }, { "cell_type": "code", "execution_count": 43, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in Enterprise ATT&CK\n", "93\n" ] } ], "source": [ "print(\"Number of Groups in Enterprise ATT&CK\")\n", "print(len(all_enterprise['groups']))" ] }, { "cell_type": "code", "execution_count": 44, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
[HTML rendering of df[0:4] omitted: a four-row intrusion-set DataFrame (G0093 Soft Cell, G0092 TA505, G0091 Silence, G0090 WIRTE) with columns created_by_ref, description, aliases, id, external_references, modified, type, created, object_marking_refs, name, x_mitre_version, x_mitre_contributors, revoked; the same rows appear in the text/plain output that follows]
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description aliases \\\n", "0 Operation [Soft Cell](https://attack.mitre.org... [Soft Cell] \n", "1 [TA505](https://attack.mitre.org/groups/G0092)... [TA505] \n", "2 [Silence](https://attack.mitre.org/groups/G009... [Silence] \n", "3 [WIRTE](https://attack.mitre.org/groups/G0090)... [WIRTE] \n", "\n", " id \\\n", "0 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... \n", "1 intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb... \n", "2 intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb... \n", "3 intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3... \n", "\n", " external_references \\\n", "0 [{'external_id': 'G0093', 'source_name': 'mitr... \n", "1 [{'external_id': 'G0092', 'source_name': 'mitr... \n", "2 [{'external_id': 'G0091', 'source_name': 'mitr... \n", "3 [{'external_id': 'G0090', 'source_name': 'mitr... \n", "\n", " modified type created \\\n", "0 2019-07-22T15:49:28.637Z intrusion-set 2019-07-18T20:47:50.050Z \n", "1 2019-06-24T19:11:41.060Z intrusion-set 2019-05-28T15:54:17.213Z \n", "2 2019-07-16T16:12:09.085Z intrusion-set 2019-05-24T17:57:36.491Z \n", "3 2019-06-20T15:30:38.517Z intrusion-set 2019-05-24T17:02:44.226Z \n", "\n", " object_marking_refs name \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... Soft Cell \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... TA505 \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... Silence \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... 
WIRTE \n", "\n", " x_mitre_version x_mitre_contributors revoked \n", "0 1.0 [Cybereason Nocturnus, @nocturnus] NaN \n", "1 1.0 NaN NaN \n", "2 1.0 [Oleg Skulkin, Group-IB] NaN \n", "3 1.0 [Lab52 by S2 Grupo] NaN " ] }, "execution_count": 44, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups = []\n", "for t in all_enterprise['groups']:\n", " groups.append(json.loads(t.serialize()))\n", "df = json_normalize(groups)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Malware**" ] }, { "cell_type": "code", "execution_count": 45, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Malware objects in Enterprise ATT&CK\n", "297\n" ] } ], "source": [ "print(\"Number of Malware objects in Enterprise ATT&CK\")\n", "print(len(all_enterprise['malware']))" ] }, { "cell_type": "code", "execution_count": 46, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
[HTML rendering of df[0:4] omitted: a four-row malware DataFrame (S0398 HyperBro, S0397 LoJax, S0396 EvilBunny, S0395 LightNeuron) with columns created_by_ref, description, id, external_references, object_marking_refs, modified, type, created, name, labels, x_mitre_version, x_mitre_platforms, x_mitre_aliases, x_mitre_contributors, revoked, x_mitre_old_attack_id; the same rows appear in the text/plain output that follows]
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description \\\n", "0 [HyperBro ](https://attack.mitre.org/software/... \n", "1 [LoJax](https://attack.mitre.org/software/S039... \n", "2 [EvilBunny](https://attack.mitre.org/software/... \n", "3 [LightNeuron](https://attack.mitre.org/softwar... \n", "\n", " id \\\n", "0 malware--5e814485-012d-423d-b769-026bfed0f451 \n", "1 malware--b865dded-0553-4962-a44b-6fe7863effed \n", "2 malware--a8a778f5-0035-4870-bb25-53dc05029586 \n", "3 malware--6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb \n", "\n", " external_references \\\n", "0 [{'external_id': 'S0398', 'source_name': 'mitr... \n", "1 [{'external_id': 'S0397', 'source_name': 'mitr... \n", "2 [{'external_id': 'S0396', 'source_name': 'mitr... \n", "3 [{'external_id': 'S0395', 'source_name': 'mitr... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... 
\n", "\n", " modified type created name \\\n", "0 2019-07-14T21:14:18.656Z malware 2019-07-09T17:42:44.777Z HyperBro \n", "1 2019-07-02T20:53:26.470Z malware 2019-07-02T12:58:09.598Z LoJax \n", "2 2019-07-01T18:16:32.917Z malware 2019-06-28T17:40:32.217Z EvilBunny \n", "3 2019-07-16T17:12:00.360Z malware 2019-06-28T13:09:26.710Z LightNeuron \n", "\n", " labels x_mitre_version x_mitre_platforms x_mitre_aliases \\\n", "0 [malware] 1.0 [Windows] [HyperBro ] \n", "1 [malware] 1.0 [Windows] [LoJax] \n", "2 [malware] 1.0 [Windows] [EvilBunny] \n", "3 [malware] 1.0 [Windows, Linux] [LightNeuron] \n", "\n", " x_mitre_contributors revoked x_mitre_old_attack_id \n", "0 NaN NaN NaN \n", "1 [Jean-Ian Boutin, ESET] NaN NaN \n", "2 [ESET] NaN NaN \n", "3 NaN NaN NaN " ] }, "execution_count": 46, "metadata": {}, "output_type": "execute_result" } ], "source": [ "malware = []\n", "for t in all_enterprise['malware']:\n", " malware.append(json.loads(t.serialize()))\n", "df = json_normalize(malware)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Tools**" ] }, { "cell_type": "code", "execution_count": 47, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Tools in Enterprise ATT&CK\n", "56\n" ] } ], "source": [ "print(\"Number of Tools in Enterprise ATT&CK\")\n", "print(len(all_enterprise['tools']))" ] }, { "cell_type": "code", "execution_count": 48, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
[HTML rendering of df[0:4] omitted: a four-row tool DataFrame (S0378 PoshC2, S0364 RawDisk, S0363 Empire, S0361 Expand) with columns created_by_ref, description, id, external_references, object_marking_refs, modified, type, created, name, labels, x_mitre_version, x_mitre_platforms, x_mitre_aliases, x_mitre_contributors; the same rows appear in the text/plain output that follows]
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description \\\n", "0 [PoshC2](https://attack.mitre.org/software/S03... \n", "1 [RawDisk](https://attack.mitre.org/software/S0... \n", "2 [Empire](https://attack.mitre.org/software/S03... \n", "3 [Expand](https://attack.mitre.org/software/S03... \n", "\n", " id \\\n", "0 tool--4b57c098-f043-4da2-83ef-7588a6d426bc \n", "1 tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079 \n", "2 tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3 \n", "3 tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973 \n", "\n", " external_references \\\n", "0 [{'external_id': 'S0378', 'source_name': 'mitr... \n", "1 [{'external_id': 'S0364', 'source_name': 'mitr... \n", "2 [{'external_id': 'S0363', 'source_name': 'mitr... \n", "3 [{'external_id': 'S0361', 'source_name': 'mitr... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... 
\n", "\n", " modified type created name labels \\\n", "0 2019-04-23T18:29:12.005Z tool 2019-04-23T12:31:58.125Z PoshC2 [tool] \n", "1 2019-04-19T19:04:55.892Z tool 2019-03-25T12:30:40.919Z RawDisk [tool] \n", "2 2019-06-24T17:15:43.818Z tool 2019-03-11T14:13:40.648Z Empire [tool] \n", "3 2019-04-19T18:52:30.033Z tool 2019-02-19T19:17:14.971Z Expand [tool] \n", "\n", " x_mitre_version x_mitre_platforms \\\n", "0 1.0 [Windows, Linux, macOS] \n", "1 1.0 [Windows] \n", "2 1.0 [Linux, macOS, Windows] \n", "3 1.0 [Windows] \n", "\n", " x_mitre_aliases x_mitre_contributors \n", "0 [PoshC2] NaN \n", "1 [RawDisk] NaN \n", "2 [Empire, EmPyre, PowerShell Empire] NaN \n", "3 [Expand] [Matthew Demaske, Adaptforward] " ] }, "execution_count": 48, "metadata": {}, "output_type": "execute_result" } ], "source": [ "tools = []\n", "for t in all_enterprise['tools']:\n", " tools.append(json.loads(t.serialize()))\n", "df = json_normalize(tools)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Relationships**" ] }, { "cell_type": "code", "execution_count": 49, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in Enterprise ATT&CK\n", "5675\n" ] } ], "source": [ "print(\"Number of Relationships in Enterprise ATT&CK\")\n", "print(len(all_enterprise['relationships']))" ] }, { "cell_type": "code", "execution_count": 50, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
[HTML rendering of df[0:4] omitted: a four-row relationship DataFrame (four uses relationships from the Soft Cell intrusion-set to attack-pattern objects) with columns created_by_ref, description, type, created, object_marking_refs, id, external_references, modified, source_ref, relationship_type, target_ref; the same rows appear in the text/plain output that follows]
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description type \\\n", "0 [Soft Cell](https://attack.mitre.org/groups/G0... relationship \n", "1 [Soft Cell](https://attack.mitre.org/groups/G0... relationship \n", "2 [Soft Cell](https://attack.mitre.org/groups/G0... relationship \n", "3 [Soft Cell](https://attack.mitre.org/groups/G0... relationship \n", "\n", " created \\\n", "0 2019-07-22T15:49:28.744Z \n", "1 2019-07-22T15:35:24.376Z \n", "2 2019-07-22T15:35:24.363Z \n", "3 2019-07-22T15:35:24.351Z \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 relationship--380743e5-616c-4524-96e6-d545e5b6... \n", "1 relationship--919f6143-eb8c-48cd-8741-118040c3... \n", "2 relationship--ee4d1b24-603f-40df-8f21-3c053fba... \n", "3 relationship--38be247c-74b0-42f3-964e-5f23ef42... \n", "\n", " external_references \\\n", "0 [{'source_name': 'Cybereason Soft Cell June 20... \n", "1 [{'source_name': 'Cybereason Soft Cell June 20... \n", "2 [{'source_name': 'Cybereason Soft Cell June 20... \n", "3 [{'source_name': 'Cybereason Soft Cell June 20... \n", "\n", " modified \\\n", "0 2019-07-22T15:49:28.744Z \n", "1 2019-07-22T15:49:29.135Z \n", "2 2019-07-22T15:49:29.090Z \n", "3 2019-07-22T15:49:29.092Z \n", "\n", " source_ref relationship_type \\\n", "0 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... uses \n", "1 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... uses \n", "2 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... uses \n", "3 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... 
uses \n", "\n", " target_ref \n", "0 attack-pattern--92d7da27-2d91-488e-a00c-059dc1... \n", "1 attack-pattern--00d0b012-8a03-410e-95de-5826bf... \n", "2 attack-pattern--c23b740b-a42b-47a1-aec2-9d48dd... \n", "3 attack-pattern--3c4a2599-71ee-4405-ba1e-0e2841... " ] }, "execution_count": 50, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relations = []\n", "for t in all_enterprise['relationships']:\n", " relations.append(json.loads(t.serialize()))\n", "df = json_normalize(relations)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All PRE-ATT&CK ONLY from Results (Locally)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**PRE Techniques**" ] }, { "cell_type": "code", "execution_count": 51, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in PRE-ATT&CK\n", "174\n" ] } ], "source": [ "print(\"Number of Techniques in PRE-ATT&CK\")\n", "print(len(all_pre['techniques']))" ] }, { "cell_type": "code", "execution_count": 52, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
[HTML rendering of df[0:4] omitted: a four-row PRE-ATT&CK attack-pattern DataFrame (PRE-T1174 Spearphishing for Information, PRE-T1084 Acquire and/or use 3rd party infrastructure se..., PRE-T1052 Aggregate individual's digital footprint, PRE-T1071 Analyze hardware/software security defensive c...) with columns external_references, object_marking_refs, modified, created_by_ref, kill_chain_phases, id, name, created, type, description, x_mitre_detectable_by_common_defenses, x_mitre_version, x_mitre_difficulty_for_adversary_explanation, x_mitre_old_attack_id, x_mitre_difficulty_for_adversary, x_mitre_detectable_by_common_defenses_explanation, x_mitre_deprecated; the same rows appear in the text/plain output that follows]
" ], "text/plain": [ " external_references \\\n", "0 [{'url': 'https://attack.mitre.org/techniques/... \n", "1 [{'url': 'https://attack.mitre.org/techniques/... \n", "2 [{'url': 'https://attack.mitre.org/techniques/... \n", "3 [{'url': 'https://attack.mitre.org/techniques/... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " modified created_by_ref \\\n", "0 2018-10-17T00:14:20.652Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 2018-10-17T00:14:20.652Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 2018-10-17T00:14:20.652Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 2018-10-17T00:14:20.652Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " kill_chain_phases \\\n", "0 [{'phase_name': 'technical-information-gatheri... \n", "1 [{'phase_name': 'adversary-opsec', 'kill_chain... \n", "2 [{'phase_name': 'people-information-gathering'... \n", "3 [{'phase_name': 'technical-weakness-identifica... \n", "\n", " id \\\n", "0 attack-pattern--b182f29c-2505-4b32-a000-0440ef... \n", "1 attack-pattern--286cc500-4291-45c2-99a1-e760db... \n", "2 attack-pattern--b3f36317-3940-4d71-968f-e11ac1... \n", "3 attack-pattern--a1e8d61b-22e1-4983-8485-964201... \n", "\n", " name \\\n", "0 Spearphishing for Information \n", "1 Acquire and/or use 3rd party infrastructure se... \n", "2 Aggregate individual's digital footprint \n", "3 Analyze hardware/software security defensive c... \n", "\n", " created type \\\n", "0 2018-04-18T17:59:24.739Z attack-pattern \n", "1 2017-12-14T16:46:06.044Z attack-pattern \n", "2 2017-12-14T16:46:06.044Z attack-pattern \n", "3 2017-12-14T16:46:06.044Z attack-pattern \n", "\n", " description \\\n", "0 Spearphishing for information is a specific va... 
\n", "1 A wide variety of cloud, virtual private servi... \n", "2 In addition to a target's social media presenc... \n", "3 An adversary can probe a victim's network to d... \n", "\n", " x_mitre_detectable_by_common_defenses x_mitre_version \\\n", "0 Partial 1.0 \n", "1 No 1.0 \n", "2 No 1.0 \n", "3 No 1.0 \n", "\n", " x_mitre_difficulty_for_adversary_explanation x_mitre_old_attack_id \\\n", "0 Sending emails is trivial, and, over time, an ... PRE-T1174 \n", "1 Wide range of 3rd party services for hosting, ... PRE-T1084 \n", "2 Information readily available through searches PRE-T1052 \n", "3 Analyze network traffic to determine security ... PRE-T1071 \n", "\n", " x_mitre_difficulty_for_adversary \\\n", "0 Yes \n", "1 Yes \n", "2 Yes \n", "3 Yes \n", "\n", " x_mitre_detectable_by_common_defenses_explanation x_mitre_deprecated \n", "0 Depending on the specific method of phishing, ... NaN \n", "1 3rd party services highly leveraged by legitim... NaN \n", "2 Searching publicly available sources that cann... NaN \n", "3 This can be done offline after the data has be... NaN " ] }, "execution_count": 52, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques = []\n", "for t in all_pre['techniques']:\n", " techniques.append(json.loads(t.serialize()))\n", "df = json_normalize(techniques)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**PRE Groups**" ] }, { "cell_type": "code", "execution_count": 53, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in PRE-ATT&CK\n", "7\n" ] } ], "source": [ "print(\"Number of Groups in PRE-ATT&CK\")\n", "print(len(all_pre['groups']))" ] }, { "cell_type": "code", "execution_count": 54, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref name \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 TEMP.Veles \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 APT17 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 APT16 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 Night Dragon \n", "\n", " description type \\\n", "0 [TEMP.Veles](https://attack.mitre.org/groups/G... intrusion-set \n", "1 [APT17](https://attack.mitre.org/groups/G0025)... intrusion-set \n", "2 [APT16](https://attack.mitre.org/groups/G0023)... intrusion-set \n", "3 [Night Dragon](https://attack.mitre.org/groups... intrusion-set \n", "\n", " aliases object_marking_refs \\\n", "0 [TEMP.Veles, XENOTIME] [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [APT17, Deputy Dog] [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [APT16] [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [Night Dragon] [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... \n", "1 intrusion-set--090242d7-73fc-4738-af68-20162f7... \n", "2 intrusion-set--d6e88e18-81e8-4709-82d8-973095d... \n", "3 intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e... \n", "\n", " external_references \\\n", "0 [{'external_id': 'G0088', 'source_name': 'mitr... \n", "1 [{'external_id': 'G0025', 'source_name': 'mitr... \n", "2 [{'external_id': 'G0023', 'source_name': 'mitr... \n", "3 [{'external_id': 'G0014', 'source_name': 'mitr... 
\n", "\n", " modified created x_mitre_version \\\n", "0 2019-04-29T18:59:16.079Z 2019-04-16T15:14:38.533Z 1.0 \n", "1 2019-03-22T14:21:19.419Z 2017-05-31T21:31:57.307Z 1.0 \n", "2 2019-03-22T14:20:45.561Z 2017-05-31T21:31:56.270Z 1.0 \n", "3 2019-03-25T14:36:29.638Z 2017-05-31T21:31:51.643Z 1.1 \n", "\n", " x_mitre_contributors \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN " ] }, "execution_count": 54, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups = []\n", "for t in all_pre['groups']:\n", " groups.append(json.loads(t.serialize()))\n", "df = json_normalize(groups)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**PRE Relationships**" ] }, { "cell_type": "code", "execution_count": 55, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in PRE-ATT&CK\n", "70\n" ] } ], "source": [ "print(\"Number of Relationships in PRE-ATT&CK\")\n", "print(len(all_pre['relationships']))" ] }, { "cell_type": "code", "execution_count": 56, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description type \\\n", "0 [TEMP.Veles](https://attack.mitre.org/groups/G... relationship \n", "1 [TEMP.Veles](https://attack.mitre.org/groups/G... relationship \n", "2 NaN relationship \n", "3 NaN relationship \n", "\n", " created \\\n", "0 2019-04-24T19:45:44.212Z \n", "1 2019-04-24T19:45:44.205Z \n", "2 2019-02-19T18:56:56.770Z \n", "3 2019-02-19T18:56:56.136Z \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 relationship--21842707-0f15-43bf-bc42-2bceadf2... \n", "1 relationship--2d95ed6f-52e7-4708-af15-9a6c0839... \n", "2 relationship--83379e43-4bc5-4c49-b0b3-f41161e8... \n", "3 relationship--1aafdefb-304e-4998-87cc-81aad295... \n", "\n", " external_references \\\n", "0 [{'source_name': 'FireEye TRITON 2019', 'descr... \n", "1 [{'source_name': 'FireEye TRITON 2019', 'descr... \n", "2 NaN \n", "3 NaN \n", "\n", " modified \\\n", "0 2019-04-29T18:59:16.596Z \n", "1 2019-04-29T18:59:16.595Z \n", "2 2019-02-19T18:56:56.770Z \n", "3 2019-02-19T18:56:56.136Z \n", "\n", " source_ref relationship_type \\\n", "0 intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... uses \n", "1 intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... uses \n", "2 attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1... related-to \n", "3 attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42... related-to \n", "\n", " target_ref \n", "0 attack-pattern--20a66013-8dab-4ca3-a67d-766c84... \n", "1 attack-pattern--795c1a92-3a26-453e-b99a-6a566a... \n", "2 attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42... 
\n", "3 attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1... " ] }, "execution_count": 56, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relations = []\n", "for t in all_pre['relationships']:\n", " relations.append(json.loads(t.serialize()))\n", "df = json_normalize(relations)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mobile ATT&CK ONLY from Results (Locally)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Techniques**" ] }, { "cell_type": "code", "execution_count": 57, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in Mobile ATT&CK\n", "82\n" ] } ], "source": [ "print(\"Number of Techniques in Mobile ATT&CK\")\n", "print(len(all_mobile['techniques']))" ] }, { "cell_type": "code", "execution_count": 58, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " external_references \\\n", "0 [{'url': 'https://attack.mitre.org/techniques/... \n", "1 [{'url': 'https://attack.mitre.org/techniques/... \n", "2 [{'url': 'https://attack.mitre.org/techniques/... \n", "3 [{'url': 'https://attack.mitre.org/techniques/... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " modified created_by_ref \\\n", "0 2019-02-01T17:29:43.503Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 2019-02-03T14:08:44.916Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 2019-02-03T17:31:51.215Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 2018-10-17T00:14:20.652Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " kill_chain_phases \\\n", "0 [{'phase_name': 'command-and-control', 'kill_c... \n", "1 [{'phase_name': 'initial-access', 'kill_chain_... \n", "2 [{'phase_name': 'initial-access', 'kill_chain_... \n", "3 [{'phase_name': 'initial-access', 'kill_chain_... \n", "\n", " id \\\n", "0 attack-pattern--c6a146ae-9c63-4606-97ff-e261e7... \n", "1 attack-pattern--53263a67-075e-48fa-974b-91c5b5... \n", "2 attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97c... \n", "3 attack-pattern--0d95940f-9583-4e0f-824c-a42c1b... \n", "\n", " name created \\\n", "0 Web Service 2019-02-01T17:29:43.503Z \n", "1 Deliver Malicious App via Other Means 2018-10-17T00:14:20.652Z \n", "2 Deliver Malicious App via Authorized App Store 2018-10-17T00:14:20.652Z \n", "3 Supply Chain Compromise 2018-10-17T00:14:20.652Z \n", "\n", " type description \\\n", "0 attack-pattern Adversaries may use an existing, legitimate ex... \n", "1 attack-pattern Malicious applications are a common attack vec... \n", "2 attack-pattern Malicious applications are a common attack vec... 
\n", "3 attack-pattern As further described in [Supply Chain Compromi... \n", "\n", " x_mitre_platforms x_mitre_version x_mitre_tactic_type \\\n", "0 [Android, iOS] 1.0 [Post-Adversary Device Access] \n", "1 [Android, iOS] 1.1 [Post-Adversary Device Access] \n", "2 [Android, iOS] 1.0 [Post-Adversary Device Access] \n", "3 [Android, iOS] 1.0 [Post-Adversary Device Access] \n", "\n", " x_mitre_detection x_mitre_old_attack_id \\\n", "0 NaN NaN \n", "1 * An EMM/MDM or mobile threat defense solution... MOB-T1079 \n", "2 * An EMM/MDM or mobile threat defense solution... MOB-T1078 \n", "3 * Insecure third-party libraries could be dete... MOB-T1077 \n", "\n", " revoked \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN " ] }, "execution_count": 58, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques = []\n", "for t in all_mobile['techniques']:\n", " techniques.append(json.loads(t.serialize()))\n", "df = json_normalize(techniques)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Mitigations**" ] }, { "cell_type": "code", "execution_count": 59, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in Mobile ATT&CK\n", "14\n" ] } ], "source": [ "print(\"Number of Mitigations in Mobile ATT&CK\")\n", "print(len(all_mobile['mitigations']))" ] }, { "cell_type": "code", "execution_count": 60, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description type \\\n", "0 This mitigation describes any guidance or trai... course-of-action \n", "1 An enterprise mobility management (EMM), also ... course-of-action \n", "2 Enable remote attestation capabilities when av... course-of-action \n", "3 A variety of methods exist that can be used to... course-of-action \n", "\n", " name \\\n", "0 Application Developer Guidance \n", "1 Enterprise Policy \n", "2 Attestation \n", "3 Deploy Compromised Device Detection Method \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 course-of-action--25dc1ce8-eb55-4333-ae30-a7cb... \n", "1 course-of-action--649f7268-4c12-483b-ac84-4b7b... \n", "2 course-of-action--ff4821f6-5afb-481b-8c0f-26c2... \n", "3 course-of-action--cf2cccb1-cab8-431a-8ecf-f787... \n", "\n", " external_references \\\n", "0 [{'external_id': 'M1013', 'source_name': 'mitr... \n", "1 [{'external_id': 'M1012', 'source_name': 'mitr... \n", "2 [{'external_id': 'M1002', 'source_name': 'mitr... \n", "3 [{'external_id': 'M1010', 'source_name': 'mitr... 
\n", "\n", " modified created x_mitre_old_attack_id \\\n", "0 2018-10-17T00:14:20.652Z 2017-10-25T14:48:53.732Z MOB-M1013 \n", "1 2018-10-17T00:14:20.652Z 2017-10-25T14:48:53.318Z MOB-M1012 \n", "2 2018-10-17T00:14:20.652Z 2017-10-25T14:48:52.933Z MOB-M1002 \n", "3 2018-10-17T00:14:20.652Z 2017-10-25T14:48:52.601Z MOB-M1010 \n", "\n", " x_mitre_version \n", "0 1.0 \n", "1 1.0 \n", "2 1.0 \n", "3 1.0 " ] }, "execution_count": 60, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mitigations = []\n", "for t in all_mobile['mitigations']:\n", " mitigations.append(json.loads(t.serialize()))\n", "df = json_normalize(mitigations)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Groups**" ] }, { "cell_type": "code", "execution_count": 61, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in Mobile ATT&CK\n", "2\n" ] } ], "source": [ "print(\"Number of Groups in Mobile ATT&CK\")\n", "print(len(all_mobile['groups']))" ] }, { "cell_type": "code", "execution_count": 62, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref name \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 Dark Caracal \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 APT28 \n", "\n", " description type \\\n", "0 [Dark Caracal](https://attack.mitre.org/groups... intrusion-set \n", "1 [APT28](https://attack.mitre.org/groups/G0007)... intrusion-set \n", "\n", " aliases \\\n", "0 [Dark Caracal] \n", "1 [APT28, SNAKEMACKEREL, Swallowtail, Group 74, ... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... \n", "1 intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8... \n", "\n", " external_references \\\n", "0 [{'external_id': 'G0070', 'source_name': 'mitr... \n", "1 [{'external_id': 'G0007', 'source_name': 'mitr... \n", "\n", " modified created x_mitre_version \\\n", "0 2019-07-16T15:35:20.554Z 2018-10-17T00:14:20.652Z 1.1 \n", "1 2019-07-27T00:09:33.254Z 2017-05-31T21:31:48.664Z 2.1 \n", "\n", " x_mitre_contributors \n", "0 NaN \n", "1 [Emily Ratliff, IBM, Richard Gold, Digital Sha... " ] }, "execution_count": 62, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups = []\n", "for t in all_mobile['groups']:\n", " groups.append(json.loads(t.serialize()))\n", "df = json_normalize(groups)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Malware**" ] }, { "cell_type": "code", "execution_count": 63, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Malware in Mobile ATT&CK\n", "45\n" ] } ], "source": [ "print(\"Number of Malware in Mobile ATT&CK\")\n", "print(len(all_mobile['malware']))" ] }, { "cell_type": "code", "execution_count": 64, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description \\\n", "0 [Pallas](https://attack.mitre.org/software/S03... \n", "1 [Tangelo](https://attack.mitre.org/software/S0... \n", "2 [Stealth Mango](https://attack.mitre.org/softw... \n", "3 [Marcher](https://attack.mitre.org/software/S0... \n", "\n", " id \\\n", "0 malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878 \n", "1 malware--35aae10a-97c5-471a-9c67-02c231a7a31a \n", "2 malware--085eb36d-697d-4d9a-bac3-96eb879fe73c \n", "3 malware--f9854ba6-989d-43bf-828b-7240b8a65291 \n", "\n", " external_references \\\n", "0 [{'external_id': 'S0399', 'source_name': 'mitr... \n", "1 [{'external_id': 'S0329', 'source_name': 'mitr... \n", "2 [{'external_id': 'S0328', 'source_name': 'mitr... \n", "3 [{'external_id': 'S0317', 'source_name': 'mitr... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... 
\n", "\n", " modified type created name \\\n", "0 2019-07-14T21:33:23.330Z malware 2019-07-10T15:35:43.217Z Pallas \n", "1 2018-12-11T20:40:31.461Z malware 2018-10-17T00:14:20.652Z Tangelo \n", "2 2018-12-11T20:40:31.461Z malware 2018-10-17T00:14:20.652Z Stealth Mango \n", "3 2018-12-11T20:40:31.461Z malware 2018-10-17T00:14:20.652Z Marcher \n", "\n", " labels x_mitre_version x_mitre_platforms x_mitre_aliases \\\n", "0 [malware] 1.0 [Android] [Pallas] \n", "1 [malware] 1.1 [iOS] [Tangelo] \n", "2 [malware] 1.1 [Android] [Stealth Mango] \n", "3 [malware] 1.1 [Android] [Marcher] \n", "\n", " x_mitre_old_attack_id \n", "0 NaN \n", "1 MOB-S0045 \n", "2 MOB-S0044 \n", "3 MOB-S0033 " ] }, "execution_count": 64, "metadata": {}, "output_type": "execute_result" } ], "source": [ "malware = []\n", "for t in all_mobile['malware']:\n", " malware.append(json.loads(t.serialize()))\n", "df = json_normalize(malware)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Tools**" ] }, { "cell_type": "code", "execution_count": 65, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Tools in Mobile ATT&CK\n", "1\n" ] } ], "source": [ "print(\"Number of Tools in Mobile ATT&CK\")\n", "print(len(all_mobile['tools']))" ] }, { "cell_type": "code", "execution_count": 66, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description \\\n", "0 [Xbot](https://attack.mitre.org/software/S0298... \n", "\n", " id \\\n", "0 tool--da21929e-40c0-443d-bdf4-6b60d15448b4 \n", "\n", " external_references \\\n", "0 [{'external_id': 'S0298', 'source_name': 'mitr... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " modified type created name labels \\\n", "0 2018-12-11T20:40:31.461Z tool 2017-10-25T14:48:48.609Z Xbot [tool] \n", "\n", " x_mitre_old_attack_id x_mitre_version x_mitre_platforms x_mitre_aliases \n", "0 MOB-S0014 1.1 [Android] [Xbot] " ] }, "execution_count": 66, "metadata": {}, "output_type": "execute_result" } ], "source": [ "tools = []\n", "for t in all_mobile['tools']:\n", " tools.append(json.loads(t.serialize()))\n", "df = json_normalize(tools)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Relationships**" ] }, { "cell_type": "code", "execution_count": 67, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in Mobile ATT&CK\n", "322\n" ] } ], "source": [ "print(\"Number of Relationships in Mobile ATT&CK\")\n", "print(len(all_mobile['relationships']))" ] }, { "cell_type": "code", "execution_count": 68, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description type \\\n", "0 An EMM/MDM can use the Android `DevicePolicyMa... relationship \n", "1 [Dark Caracal](https://attack.mitre.org/groups... relationship \n", "2 [Dark Caracal](https://attack.mitre.org/groups... relationship \n", "3 [Pallas](https://attack.mitre.org/software/S03... relationship \n", "\n", " id \\\n", "0 relationship--fbd2d4f7-96ff-4624-a567-d4882f0c... \n", "1 relationship--61071d73-fcdf-4820-afd0-e3f0983e... \n", "2 relationship--ae9a0fb3-901b-4da2-b6ad-633ddbfa... \n", "3 relationship--60ecd154-e907-419a-b41d-1a9a1f59... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " created modified \\\n", "0 2019-07-23T15:35:23.530Z 2019-07-23T15:35:23.530Z \n", "1 2019-07-10T15:42:09.606Z 2019-07-16T15:35:20.953Z \n", "2 2019-07-10T15:42:09.591Z 2019-07-16T15:35:21.028Z \n", "3 2019-07-10T15:35:43.712Z 2019-07-14T21:33:23.556Z \n", "\n", " source_ref relationship_type \\\n", "0 course-of-action--649f7268-4c12-483b-ac84-4b7b... mitigates \n", "1 intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... uses \n", "2 intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... uses \n", "3 malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878 uses \n", "\n", " target_ref \\\n", "0 attack-pattern--2204c371-6100-4ae0-82f3-25c07c... \n", "1 attack-pattern--6a3f6490-9c44-40de-b059-e5940f... \n", "2 attack-pattern--53263a67-075e-48fa-974b-91c5b5... \n", "3 attack-pattern--8e27551a-5080-4148-a584-c64348... 
\n", "\n", " external_references \n", "0 NaN \n", "1 [{'source_name': 'Lookout Dark Caracal Jan 201... \n", "2 [{'source_name': 'Lookout Dark Caracal Jan 201... \n", "3 [{'source_name': 'Lookout Dark Caracal Jan 201... " ] }, "execution_count": 68, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relations = []\n", "for t in all_mobile['relationships']:\n", " relations.append(json.loads(t.serialize()))\n", "df = json_normalize(relations)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## **Get STIX Object Types Directly from TAXII Server (Enterprise ATT&CK, Pre-ATT&CK & Mobile ATT&CK)**\n", "* In this section, we will query the ATT&CK TAXII Server directly in order to collect specific stix object types such as techniques, mitigations, groups, malware, tools and relationships from the Enterprise, PRE and Mobile Matrices.\n", "* Unlike the first section of this notebook, there is no need to first collect all the stix objects available for each matrix." ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise Techniques ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 69, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in Enterprise ATT&CK\n", "244\n" ] } ], "source": [ "print(\"Number of Techniques in Enterprise ATT&CK\")\n", "techniques = lift.get_enterprise_techniques()\n", "print(len(techniques))" ] }, { "cell_type": "code", "execution_count": 70, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " external_references \\\n", "0 [{'external_id': 'T1500', 'source_name': 'mitr... \n", "1 [{'external_id': 'T1501', 'source_name': 'mitr... \n", "2 [{'external_id': 'T1499', 'source_name': 'mitr... \n", "3 [{'external_id': 'T1497', 'source_name': 'mitr... \n", "\n", " object_marking_refs type \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n", "\n", " modified created_by_ref \\\n", "0 2019-04-29T21:13:49.686Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 2019-04-29T14:14:08.450Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 2019-04-29T13:20:36.795Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 2019-06-10T17:37:37.138Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " kill_chain_phases \\\n", "0 [{'phase_name': 'defense-evasion', 'kill_chain... \n", "1 [{'phase_name': 'persistence', 'kill_chain_nam... \n", "2 [{'phase_name': 'impact', 'kill_chain_name': '... \n", "3 [{'phase_name': 'defense-evasion', 'kill_chain... \n", "\n", " id \\\n", "0 attack-pattern--cf7b3a06-8b42-4c33-bbe9-012120... \n", "1 attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303... \n", "2 attack-pattern--c675646d-e204-4aa8-978d-e3d6d6... \n", "3 attack-pattern--82caa33e-d11a-433a-94ea-9b5a5f... \n", "\n", " name created \\\n", "0 Compile After Delivery 2019-04-25T20:53:07.719Z \n", "1 Systemd Service 2019-04-23T15:34:30.008Z \n", "2 Endpoint Denial of Service 2019-04-18T11:00:55.862Z \n", "3 Virtualization/Sandbox Evasion 2019-04-17T22:22:24.505Z \n", "\n", " description ... \\\n", "0 Adversaries may attempt to make payloads diffi... ... \n", "1 Systemd services can be used to establish pers... ... \n", "2 Adversaries may perform Endpoint Denial of Ser... ... 
\n", "3 Adversaries may check for the presence of a vi... ... \n", "\n", " x_mitre_data_sources \\\n", "0 [Process command-line parameters, Process moni... \n", "1 [Process command-line parameters, Process moni... \n", "2 [SSL/TLS inspection, Web logs, Web application... \n", "3 [Process monitoring, Process command-line para... \n", "\n", " x_mitre_detection x_mitre_platforms \\\n", "0 Monitor the execution file paths and command-l... [Linux, macOS, Windows] \n", "1 Systemd service unit files may be detected by ... [Linux] \n", "2 Detection of Endpoint DoS can sometimes be ach... [Linux, macOS, Windows] \n", "3 Virtualization, sandbox, and related discovery... [Windows] \n", "\n", " x_mitre_version x_mitre_system_requirements \\\n", "0 1.0 [Compiler software (either native to the syste... \n", "1 1.0 NaN \n", "2 1.0 NaN \n", "3 1.0 NaN \n", "\n", " x_mitre_defense_bypassed x_mitre_impact_type \\\n", "0 [Static File Analysis, Binary Analysis, Anti-v... NaN \n", "1 NaN NaN \n", "2 NaN [Availability] \n", "3 [Anti-virus, Host forensic analysis, Signature... 
NaN \n", "\n", " x_mitre_remote_support x_mitre_effective_permissions \\\n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN \n", "\n", " x_mitre_network_requirements \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN \n", "\n", "[4 rows x 22 columns]" ] }, "execution_count": 70, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques_list = []\n", "for t in techniques:\n", " techniques_list.append(json.loads(t.serialize()))\n", "df = json_normalize(techniques_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All PRE Techniques ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 71, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in PRE-ATT&CK\n", "174\n" ] } ], "source": [ "print(\"Number of Techniques in PRE-ATT&CK\")\n", "techniques = lift.get_pre_techniques()\n", "print(len(techniques))" ] }, { "cell_type": "code", "execution_count": 72, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " external_references \\\n", "0 [{'url': 'https://attack.mitre.org/techniques/... \n", "1 [{'url': 'https://attack.mitre.org/techniques/... \n", "2 [{'url': 'https://attack.mitre.org/techniques/... \n", "3 [{'url': 'https://attack.mitre.org/techniques/... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " modified created_by_ref \\\n", "0 2018-10-17T00:14:20.652Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 2018-10-17T00:14:20.652Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 2018-10-17T00:14:20.652Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 2018-10-17T00:14:20.652Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " kill_chain_phases \\\n", "0 [{'phase_name': 'technical-information-gatheri... \n", "1 [{'phase_name': 'adversary-opsec', 'kill_chain... \n", "2 [{'phase_name': 'people-information-gathering'... \n", "3 [{'phase_name': 'technical-weakness-identifica... \n", "\n", " id \\\n", "0 attack-pattern--b182f29c-2505-4b32-a000-0440ef... \n", "1 attack-pattern--286cc500-4291-45c2-99a1-e760db... \n", "2 attack-pattern--b3f36317-3940-4d71-968f-e11ac1... \n", "3 attack-pattern--a1e8d61b-22e1-4983-8485-964201... \n", "\n", " name \\\n", "0 Spearphishing for Information \n", "1 Acquire and/or use 3rd party infrastructure se... \n", "2 Aggregate individual's digital footprint \n", "3 Analyze hardware/software security defensive c... \n", "\n", " created type \\\n", "0 2018-04-18T17:59:24.739Z attack-pattern \n", "1 2017-12-14T16:46:06.044Z attack-pattern \n", "2 2017-12-14T16:46:06.044Z attack-pattern \n", "3 2017-12-14T16:46:06.044Z attack-pattern \n", "\n", " description \\\n", "0 Spearphishing for information is a specific va... 
\n", "1 A wide variety of cloud, virtual private servi... \n", "2 In addition to a target's social media presenc... \n", "3 An adversary can probe a victim's network to d... \n", "\n", " x_mitre_detectable_by_common_defenses x_mitre_version \\\n", "0 Partial 1.0 \n", "1 No 1.0 \n", "2 No 1.0 \n", "3 No 1.0 \n", "\n", " x_mitre_difficulty_for_adversary_explanation x_mitre_old_attack_id \\\n", "0 Sending emails is trivial, and, over time, an ... PRE-T1174 \n", "1 Wide range of 3rd party services for hosting, ... PRE-T1084 \n", "2 Information readily available through searches PRE-T1052 \n", "3 Analyze network traffic to determine security ... PRE-T1071 \n", "\n", " x_mitre_difficulty_for_adversary \\\n", "0 Yes \n", "1 Yes \n", "2 Yes \n", "3 Yes \n", "\n", " x_mitre_detectable_by_common_defenses_explanation x_mitre_deprecated \n", "0 Depending on the specific method of phishing, ... NaN \n", "1 3rd party services highly leveraged by legitim... NaN \n", "2 Searching publicly available sources that cann... NaN \n", "3 This can be done offline after the data has be... NaN " ] }, "execution_count": 72, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques_list = []\n", "for t in techniques:\n", " techniques_list.append(json.loads(t.serialize()))\n", "df = json_normalize(techniques_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mobile Techniques ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 73, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in Mobile ATT&CK\n", "82\n" ] } ], "source": [ "print(\"Number of Techniques in Mobile ATT&CK\")\n", "techniques = lift.get_mobile_techniques()\n", "print(len(techniques))" ] }, { "cell_type": "code", "execution_count": 74, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " external_references \\\n", "0 [{'url': 'https://attack.mitre.org/techniques/... \n", "1 [{'url': 'https://attack.mitre.org/techniques/... \n", "2 [{'url': 'https://attack.mitre.org/techniques/... \n", "3 [{'url': 'https://attack.mitre.org/techniques/... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " modified created_by_ref \\\n", "0 2019-02-01T17:29:43.503Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 2019-02-03T14:08:44.916Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 2019-02-03T17:31:51.215Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 2018-10-17T00:14:20.652Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " kill_chain_phases \\\n", "0 [{'phase_name': 'command-and-control', 'kill_c... \n", "1 [{'phase_name': 'initial-access', 'kill_chain_... \n", "2 [{'phase_name': 'initial-access', 'kill_chain_... \n", "3 [{'phase_name': 'initial-access', 'kill_chain_... \n", "\n", " id \\\n", "0 attack-pattern--c6a146ae-9c63-4606-97ff-e261e7... \n", "1 attack-pattern--53263a67-075e-48fa-974b-91c5b5... \n", "2 attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97c... \n", "3 attack-pattern--0d95940f-9583-4e0f-824c-a42c1b... \n", "\n", " name created \\\n", "0 Web Service 2019-02-01T17:29:43.503Z \n", "1 Deliver Malicious App via Other Means 2018-10-17T00:14:20.652Z \n", "2 Deliver Malicious App via Authorized App Store 2018-10-17T00:14:20.652Z \n", "3 Supply Chain Compromise 2018-10-17T00:14:20.652Z \n", "\n", " type description \\\n", "0 attack-pattern Adversaries may use an existing, legitimate ex... \n", "1 attack-pattern Malicious applications are a common attack vec... \n", "2 attack-pattern Malicious applications are a common attack vec... 
\n", "3 attack-pattern As further described in [Supply Chain Compromi... \n", "\n", " x_mitre_platforms x_mitre_version x_mitre_tactic_type \\\n", "0 [Android, iOS] 1.0 [Post-Adversary Device Access] \n", "1 [Android, iOS] 1.1 [Post-Adversary Device Access] \n", "2 [Android, iOS] 1.0 [Post-Adversary Device Access] \n", "3 [Android, iOS] 1.0 [Post-Adversary Device Access] \n", "\n", " x_mitre_detection x_mitre_old_attack_id \\\n", "0 NaN NaN \n", "1 * An EMM/MDM or mobile threat defense solution... MOB-T1079 \n", "2 * An EMM/MDM or mobile threat defense solution... MOB-T1078 \n", "3 * Insecure third-party libraries could be dete... MOB-T1077 \n", "\n", " revoked \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN " ] }, "execution_count": 74, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques_list = []\n", "for t in techniques:\n", " techniques_list.append(json.loads(t.serialize()))\n", "df = json_normalize(techniques_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Techniques (TAXII)\n", "* The results of this function show every single technique across the whole ATT&CK framework without their mitigation information\n", "* Mitigation information has its own stix object type (Mitigation) that needs to be correlated with techniques through relationship objects\n", "* This library already provides a function, **get_techniques_with_mitigations()**, that returns a more complete view of techniques" ] }, { "cell_type": "code", "execution_count": 75, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in ATT&CK\n", "500\n" ] } ], "source": [ "print(\"Number of Techniques in ATT&CK\")\n", "techniques = lift.get_techniques()\n", "print(len(techniques))" ] }, { "cell_type": "code", "execution_count": 76, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " external_references \\\n", "0 [{'external_id': 'T1500', 'source_name': 'mitr... \n", "1 [{'external_id': 'T1501', 'source_name': 'mitr... \n", "2 [{'external_id': 'T1499', 'source_name': 'mitr... \n", "3 [{'external_id': 'T1497', 'source_name': 'mitr... \n", "\n", " object_marking_refs type \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... attack-pattern \n", "\n", " modified created_by_ref \\\n", "0 2019-04-29T21:13:49.686Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 2019-04-29T14:14:08.450Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 2019-04-29T13:20:36.795Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 2019-06-10T17:37:37.138Z identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " kill_chain_phases \\\n", "0 [{'phase_name': 'defense-evasion', 'kill_chain... \n", "1 [{'phase_name': 'persistence', 'kill_chain_nam... \n", "2 [{'phase_name': 'impact', 'kill_chain_name': '... \n", "3 [{'phase_name': 'defense-evasion', 'kill_chain... \n", "\n", " id \\\n", "0 attack-pattern--cf7b3a06-8b42-4c33-bbe9-012120... \n", "1 attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303... \n", "2 attack-pattern--c675646d-e204-4aa8-978d-e3d6d6... \n", "3 attack-pattern--82caa33e-d11a-433a-94ea-9b5a5f... \n", "\n", " name created \\\n", "0 Compile After Delivery 2019-04-25T20:53:07.719Z \n", "1 Systemd Service 2019-04-23T15:34:30.008Z \n", "2 Endpoint Denial of Service 2019-04-18T11:00:55.862Z \n", "3 Virtualization/Sandbox Evasion 2019-04-17T22:22:24.505Z \n", "\n", " description ... \\\n", "0 Adversaries may attempt to make payloads diffi... ... \n", "1 Systemd services can be used to establish pers... ... \n", "2 Adversaries may perform Endpoint Denial of Ser... ... 
\n", "3 Adversaries may check for the presence of a vi... ... \n", "\n", " x_mitre_effective_permissions x_mitre_network_requirements \\\n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN \n", "\n", " x_mitre_detectable_by_common_defenses \\\n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN \n", "\n", " x_mitre_difficulty_for_adversary_explanation x_mitre_old_attack_id \\\n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN \n", "\n", " x_mitre_difficulty_for_adversary \\\n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN \n", "\n", " x_mitre_detectable_by_common_defenses_explanation x_mitre_deprecated \\\n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN \n", "\n", " x_mitre_tactic_type revoked \n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN \n", "\n", "[4 rows x 30 columns]" ] }, "execution_count": 76, "metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques_list = []\n", "for t in techniques:\n", " techniques_list.append(json.loads(t.serialize()))\n", "df = json_normalize(techniques_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise Mitigations ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 77, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in Enterprise ATT&CK\n", "281\n" ] } ], "source": [ "print(\"Number of Mitigations in Enterprise ATT&CK\")\n", "mitigations = lift.get_enterprise_mitigations()\n", "print(len(mitigations))" ] }, { "cell_type": "code", "execution_count": 78, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description type \\\n", "0 This category is to associate techniques that ... course-of-action \n", "1 Implement configuration changes to software (o... course-of-action \n", "2 Take and store data backups from end user syst... course-of-action \n", "3 Configure Windows User Account Control to miti... course-of-action \n", "\n", " name object_marking_refs \\\n", "0 Do Not Mitigate [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 Software Configuration [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 Data Backup [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 User Account Control [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 course-of-action--787fb64d-c87b-4ee5-a341-0ef1... \n", "1 course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... \n", "2 course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... \n", "3 course-of-action--2c2ad92a-d710-41ab-a996-1db1... \n", "\n", " external_references \\\n", "0 [{'external_id': 'M1055', 'source_name': 'mitr... \n", "1 [{'external_id': 'M1054', 'source_name': 'mitr... \n", "2 [{'external_id': 'M1053', 'source_name': 'mitr... \n", "3 [{'external_id': 'M1052', 'source_name': 'mitr... 
\n", "\n", " modified created x_mitre_version \\\n", "0 2019-07-23T14:44:24.727Z 2019-07-19T14:58:42.715Z 1.0 \n", "1 2019-07-19T14:57:15.656Z 2019-07-19T14:40:23.529Z 1.0 \n", "2 2019-07-19T14:33:33.543Z 2019-07-19T14:33:33.543Z 1.0 \n", "3 2019-06-11T17:14:35.170Z 2019-06-11T17:14:35.170Z 1.0 \n", "\n", " x_mitre_deprecated \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN " ] }, "execution_count": 78, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mitigations_list = []\n", "for t in mitigations:\n", " mitigations_list.append(json.loads(t.serialize()))\n", "df = json_normalize(mitigations_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mobile Mitigations ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 79, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in Mobile ATT&CK\n", "14\n" ] } ], "source": [ "print(\"Number of Mitigations in Mobile ATT&CK\")\n", "mitigations = lift.get_mobile_mitigations()\n", "print(len(mitigations))" ] }, { "cell_type": "code", "execution_count": 80, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description type \\\n", "0 This mitigation describes any guidance or trai... course-of-action \n", "1 An enterprise mobility management (EMM), also ... course-of-action \n", "2 Enable remote attestation capabilities when av... course-of-action \n", "3 A variety of methods exist that can be used to... course-of-action \n", "\n", " name \\\n", "0 Application Developer Guidance \n", "1 Enterprise Policy \n", "2 Attestation \n", "3 Deploy Compromised Device Detection Method \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 course-of-action--25dc1ce8-eb55-4333-ae30-a7cb... \n", "1 course-of-action--649f7268-4c12-483b-ac84-4b7b... \n", "2 course-of-action--ff4821f6-5afb-481b-8c0f-26c2... \n", "3 course-of-action--cf2cccb1-cab8-431a-8ecf-f787... \n", "\n", " external_references \\\n", "0 [{'external_id': 'M1013', 'source_name': 'mitr... \n", "1 [{'external_id': 'M1012', 'source_name': 'mitr... \n", "2 [{'external_id': 'M1002', 'source_name': 'mitr... \n", "3 [{'external_id': 'M1010', 'source_name': 'mitr... 
\n", "\n", " modified created x_mitre_old_attack_id \\\n", "0 2018-10-17T00:14:20.652Z 2017-10-25T14:48:53.732Z MOB-M1013 \n", "1 2018-10-17T00:14:20.652Z 2017-10-25T14:48:53.318Z MOB-M1012 \n", "2 2018-10-17T00:14:20.652Z 2017-10-25T14:48:52.933Z MOB-M1002 \n", "3 2018-10-17T00:14:20.652Z 2017-10-25T14:48:52.601Z MOB-M1010 \n", "\n", " x_mitre_version \n", "0 1.0 \n", "1 1.0 \n", "2 1.0 \n", "3 1.0 " ] }, "execution_count": 80, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mitigations_list = []\n", "for t in mitigations:\n", " mitigations_list.append(json.loads(t.serialize()))\n", "df = json_normalize(mitigations_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mitigations (TAXII)" ] }, { "cell_type": "code", "execution_count": 81, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in ATT&CK\n", "295\n" ] } ], "source": [ "print(\"Number of Mitigations in ATT&CK\")\n", "mitigations = lift.get_mitigations()\n", "print(len(mitigations))" ] }, { "cell_type": "code", "execution_count": 82, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description type \\\n", "0 This category is to associate techniques that ... course-of-action \n", "1 Implement configuration changes to software (o... course-of-action \n", "2 Take and store data backups from end user syst... course-of-action \n", "3 Configure Windows User Account Control to miti... course-of-action \n", "\n", " name object_marking_refs \\\n", "0 Do Not Mitigate [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 Software Configuration [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 Data Backup [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 User Account Control [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 course-of-action--787fb64d-c87b-4ee5-a341-0ef1... \n", "1 course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e8... \n", "2 course-of-action--3efe43d1-6f3f-4fcb-ab39-4a73... \n", "3 course-of-action--2c2ad92a-d710-41ab-a996-1db1... \n", "\n", " external_references \\\n", "0 [{'external_id': 'M1055', 'source_name': 'mitr... \n", "1 [{'external_id': 'M1054', 'source_name': 'mitr... \n", "2 [{'external_id': 'M1053', 'source_name': 'mitr... \n", "3 [{'external_id': 'M1052', 'source_name': 'mitr... 
\n", "\n", " modified created x_mitre_version \\\n", "0 2019-07-23T14:44:24.727Z 2019-07-19T14:58:42.715Z 1.0 \n", "1 2019-07-19T14:57:15.656Z 2019-07-19T14:40:23.529Z 1.0 \n", "2 2019-07-19T14:33:33.543Z 2019-07-19T14:33:33.543Z 1.0 \n", "3 2019-06-11T17:14:35.170Z 2019-06-11T17:14:35.170Z 1.0 \n", "\n", " x_mitre_deprecated x_mitre_old_attack_id \n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN " ] }, "execution_count": 82, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mitigations_list = []\n", "for t in mitigations:\n", " mitigations_list.append(json.loads(t.serialize()))\n", "df = json_normalize(mitigations_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise Groups ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 83, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in Enterprise ATT&CK\n", "93\n" ] } ], "source": [ "print(\"Number of Groups in Enterprise ATT&CK\")\n", "groups = lift.get_enterprise_groups()\n", "print(len(groups))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All PRE Groups ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 84, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in PRE-ATT&CK\n", "7\n" ] } ], "source": [ "print(\"Number of Groups in PRE-ATT&CK\")\n", "groups = lift.get_pre_groups()\n", "print(len(groups))" ] }, { "cell_type": "code", "execution_count": 85, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref name \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 TEMP.Veles \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 APT17 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 APT16 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 Night Dragon \n", "\n", " description type \\\n", "0 [TEMP.Veles](https://attack.mitre.org/groups/G... intrusion-set \n", "1 [APT17](https://attack.mitre.org/groups/G0025)... intrusion-set \n", "2 [APT16](https://attack.mitre.org/groups/G0023)... intrusion-set \n", "3 [Night Dragon](https://attack.mitre.org/groups... intrusion-set \n", "\n", " aliases object_marking_refs \\\n", "0 [TEMP.Veles, XENOTIME] [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [APT17, Deputy Dog] [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [APT16] [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [Night Dragon] [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... \n", "1 intrusion-set--090242d7-73fc-4738-af68-20162f7... \n", "2 intrusion-set--d6e88e18-81e8-4709-82d8-973095d... \n", "3 intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e... \n", "\n", " external_references \\\n", "0 [{'external_id': 'G0088', 'source_name': 'mitr... \n", "1 [{'external_id': 'G0025', 'source_name': 'mitr... \n", "2 [{'external_id': 'G0023', 'source_name': 'mitr... \n", "3 [{'external_id': 'G0014', 'source_name': 'mitr... 
\n", "\n", " modified created x_mitre_version \\\n", "0 2019-04-29T18:59:16.079Z 2019-04-16T15:14:38.533Z 1.0 \n", "1 2019-03-22T14:21:19.419Z 2017-05-31T21:31:57.307Z 1.0 \n", "2 2019-03-22T14:20:45.561Z 2017-05-31T21:31:56.270Z 1.0 \n", "3 2019-03-25T14:36:29.638Z 2017-05-31T21:31:51.643Z 1.1 \n", "\n", " x_mitre_contributors \n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN " ] }, "execution_count": 85, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups_list = []\n", "for t in groups:\n", " groups_list.append(json.loads(t.serialize()))\n", "df = json_normalize(groups_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mobile Groups ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 86, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in Mobile ATT&CK\n", "2\n" ] } ], "source": [ "print(\"Number of Groups in Mobile ATT&CK\")\n", "groups = lift.get_mobile_groups()\n", "print(len(groups))" ] }, { "cell_type": "code", "execution_count": 87, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref name \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 Dark Caracal \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 APT28 \n", "\n", " description type \\\n", "0 [Dark Caracal](https://attack.mitre.org/groups... intrusion-set \n", "1 [APT28](https://attack.mitre.org/groups/G0007)... intrusion-set \n", "\n", " aliases \\\n", "0 [Dark Caracal] \n", "1 [APT28, SNAKEMACKEREL, Swallowtail, Group 74, ... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... \n", "1 intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e8... \n", "\n", " external_references \\\n", "0 [{'external_id': 'G0070', 'source_name': 'mitr... \n", "1 [{'external_id': 'G0007', 'source_name': 'mitr... \n", "\n", " modified created x_mitre_version \\\n", "0 2019-07-16T15:35:20.554Z 2018-10-17T00:14:20.652Z 1.1 \n", "1 2019-07-27T00:09:33.254Z 2017-05-31T21:31:48.664Z 2.1 \n", "\n", " x_mitre_contributors \n", "0 NaN \n", "1 [Emily Ratliff, IBM, Richard Gold, Digital Sha... 
" ] }, "execution_count": 87, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups_list = []\n", "for t in groups:\n", " groups_list.append(json.loads(t.serialize()))\n", "df = json_normalize(groups_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Groups (TAXII)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "* This function gathers all groups defined in each Matrix (Enterprise, PRE & Mobile) and returns the unique ones\n", " * This is because groups can be repeated across matrices" ] }, { "cell_type": "code", "execution_count": 88, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in ATT&CK\n", "93\n" ] } ], "source": [ "print(\"Number of Groups in ATT&CK\")\n", "groups = lift.get_groups()\n", "print(len(groups))" ] }, { "cell_type": "code", "execution_count": 89, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description aliases \\\n", "0 Operation [Soft Cell](https://attack.mitre.org... [Soft Cell] \n", "1 [TA505](https://attack.mitre.org/groups/G0092)... [TA505] \n", "2 [Silence](https://attack.mitre.org/groups/G009... [Silence] \n", "3 [WIRTE](https://attack.mitre.org/groups/G0090)... [WIRTE] \n", "\n", " id \\\n", "0 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... \n", "1 intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb... \n", "2 intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb... \n", "3 intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3... \n", "\n", " external_references \\\n", "0 [{'external_id': 'G0093', 'source_name': 'mitr... \n", "1 [{'external_id': 'G0092', 'source_name': 'mitr... \n", "2 [{'external_id': 'G0091', 'source_name': 'mitr... \n", "3 [{'external_id': 'G0090', 'source_name': 'mitr... \n", "\n", " modified type created \\\n", "0 2019-07-22T15:49:28.637Z intrusion-set 2019-07-18T20:47:50.050Z \n", "1 2019-06-24T19:11:41.060Z intrusion-set 2019-05-28T15:54:17.213Z \n", "2 2019-07-16T16:12:09.085Z intrusion-set 2019-05-24T17:57:36.491Z \n", "3 2019-06-20T15:30:38.517Z intrusion-set 2019-05-24T17:02:44.226Z \n", "\n", " object_marking_refs name \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... Soft Cell \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... TA505 \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... Silence \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... 
WIRTE \n", "\n", " x_mitre_version x_mitre_contributors revoked \n", "0 1.0 [Cybereason Nocturnus, @nocturnus] NaN \n", "1 1.0 NaN NaN \n", "2 1.0 [Oleg Skulkin, Group-IB] NaN \n", "3 1.0 [Lab52 by S2 Grupo] NaN " ] }, "execution_count": 89, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups_list = []\n", "for t in groups:\n", " groups_list.append(json.loads(t.serialize()))\n", "df = json_normalize(groups_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise & Mobile Software (Malware & Tools) (TAXII)" ] }, { "cell_type": "code", "execution_count": 90, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Software in ATT&CK\n", "398\n" ] } ], "source": [ "print(\"Number of Software in ATT&CK\")\n", "software = lift.get_software()\n", "print(len(software))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise Relationships ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 91, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description \\\n", "0 [PoshC2](https://attack.mitre.org/software/S03... \n", "1 [RawDisk](https://attack.mitre.org/software/S0... \n", "2 [Empire](https://attack.mitre.org/software/S03... \n", "3 [Expand](https://attack.mitre.org/software/S03... \n", "\n", " id \\\n", "0 tool--4b57c098-f043-4da2-83ef-7588a6d426bc \n", "1 tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079 \n", "2 tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3 \n", "3 tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973 \n", "\n", " external_references \\\n", "0 [{'external_id': 'S0378', 'source_name': 'mitr... \n", "1 [{'external_id': 'S0364', 'source_name': 'mitr... \n", "2 [{'external_id': 'S0363', 'source_name': 'mitr... \n", "3 [{'external_id': 'S0361', 'source_name': 'mitr... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... 
\n", "\n", " modified type created name labels \\\n", "0 2019-04-23T18:29:12.005Z tool 2019-04-23T12:31:58.125Z PoshC2 [tool] \n", "1 2019-04-19T19:04:55.892Z tool 2019-03-25T12:30:40.919Z RawDisk [tool] \n", "2 2019-06-24T17:15:43.818Z tool 2019-03-11T14:13:40.648Z Empire [tool] \n", "3 2019-04-19T18:52:30.033Z tool 2019-02-19T19:17:14.971Z Expand [tool] \n", "\n", " x_mitre_version x_mitre_platforms \\\n", "0 1.0 [Windows, Linux, macOS] \n", "1 1.0 [Windows] \n", "2 1.0 [Linux, macOS, Windows] \n", "3 1.0 [Windows] \n", "\n", " x_mitre_aliases x_mitre_contributors \\\n", "0 [PoshC2] NaN \n", "1 [RawDisk] NaN \n", "2 [Empire, EmPyre, PowerShell Empire] NaN \n", "3 [Expand] [Matthew Demaske, Adaptforward] \n", "\n", " x_mitre_old_attack_id revoked \n", "0 NaN NaN \n", "1 NaN NaN \n", "2 NaN NaN \n", "3 NaN NaN " ] }, "execution_count": 91, "metadata": {}, "output_type": "execute_result" } ], "source": [ "software_list = []\n", "for t in software:\n", " software_list.append(json.loads(t.serialize()))\n", "df = json_normalize(software_list)\n", "df[0:4]" ] }, { "cell_type": "code", "execution_count": 92, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in Enterprise ATT&CK\n", "5675\n" ] } ], "source": [ "print(\"Number of Relationships in Enterprise ATT&CK\")\n", "relationships = lift.get_enterprise_relationships()\n", "print(len(relationships))" ] }, { "cell_type": "code", "execution_count": 93, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description type \\\n", "0 [Soft Cell](https://attack.mitre.org/groups/G0... relationship \n", "1 [Soft Cell](https://attack.mitre.org/groups/G0... relationship \n", "2 [Soft Cell](https://attack.mitre.org/groups/G0... relationship \n", "3 [Soft Cell](https://attack.mitre.org/groups/G0... relationship \n", "\n", " created \\\n", "0 2019-07-22T15:49:28.744Z \n", "1 2019-07-22T15:35:24.376Z \n", "2 2019-07-22T15:35:24.363Z \n", "3 2019-07-22T15:35:24.351Z \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 relationship--380743e5-616c-4524-96e6-d545e5b6... \n", "1 relationship--919f6143-eb8c-48cd-8741-118040c3... \n", "2 relationship--ee4d1b24-603f-40df-8f21-3c053fba... \n", "3 relationship--38be247c-74b0-42f3-964e-5f23ef42... \n", "\n", " external_references \\\n", "0 [{'source_name': 'Cybereason Soft Cell June 20... \n", "1 [{'source_name': 'Cybereason Soft Cell June 20... \n", "2 [{'source_name': 'Cybereason Soft Cell June 20... \n", "3 [{'source_name': 'Cybereason Soft Cell June 20... \n", "\n", " modified \\\n", "0 2019-07-22T15:49:28.744Z \n", "1 2019-07-22T15:49:29.135Z \n", "2 2019-07-22T15:49:29.090Z \n", "3 2019-07-22T15:49:29.092Z \n", "\n", " source_ref relationship_type \\\n", "0 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... uses \n", "1 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... uses \n", "2 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... uses \n", "3 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... 
uses \n", "\n", " target_ref \n", "0 attack-pattern--92d7da27-2d91-488e-a00c-059dc1... \n", "1 attack-pattern--00d0b012-8a03-410e-95de-5826bf... \n", "2 attack-pattern--c23b740b-a42b-47a1-aec2-9d48dd... \n", "3 attack-pattern--3c4a2599-71ee-4405-ba1e-0e2841... " ] }, "execution_count": 93, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relations_list = []\n", "for t in relationships:\n", " relations_list.append(json.loads(t.serialize()))\n", "df = json_normalize(relations_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All PRE Relationships ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 94, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in PRE-ATT&CK\n", "70\n" ] } ], "source": [ "print(\"Number of Relationships in PRE-ATT&CK\")\n", "relationships = lift.get_pre_relationships()\n", "print(len(relationships))" ] }, { "cell_type": "code", "execution_count": 95, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description type \\\n", "0 [TEMP.Veles](https://attack.mitre.org/groups/G... relationship \n", "1 [TEMP.Veles](https://attack.mitre.org/groups/G... relationship \n", "2 NaN relationship \n", "3 NaN relationship \n", "\n", " created \\\n", "0 2019-04-24T19:45:44.212Z \n", "1 2019-04-24T19:45:44.205Z \n", "2 2019-02-19T18:56:56.770Z \n", "3 2019-02-19T18:56:56.136Z \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 relationship--21842707-0f15-43bf-bc42-2bceadf2... \n", "1 relationship--2d95ed6f-52e7-4708-af15-9a6c0839... \n", "2 relationship--83379e43-4bc5-4c49-b0b3-f41161e8... \n", "3 relationship--1aafdefb-304e-4998-87cc-81aad295... \n", "\n", " external_references \\\n", "0 [{'source_name': 'FireEye TRITON 2019', 'descr... \n", "1 [{'source_name': 'FireEye TRITON 2019', 'descr... \n", "2 NaN \n", "3 NaN \n", "\n", " modified \\\n", "0 2019-04-29T18:59:16.596Z \n", "1 2019-04-29T18:59:16.595Z \n", "2 2019-02-19T18:56:56.770Z \n", "3 2019-02-19T18:56:56.136Z \n", "\n", " source_ref relationship_type \\\n", "0 intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... uses \n", "1 intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fca... uses \n", "2 attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1... related-to \n", "3 attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42... related-to \n", "\n", " target_ref \n", "0 attack-pattern--20a66013-8dab-4ca3-a67d-766c84... \n", "1 attack-pattern--795c1a92-3a26-453e-b99a-6a566a... \n", "2 attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf42... 
\n", "3 attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1... " ] }, "execution_count": 95, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relations_list = []\n", "for t in relationships:\n", " relations_list.append(json.loads(t.serialize()))\n", "df = json_normalize(relations_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mobile Relationships ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 96, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in Mobile ATT&CK\n", "322\n" ] } ], "source": [ "print(\"Number of Relationships in Mobile ATT&CK\")\n", "relationships = lift.get_mobile_relationships()\n", "print(len(relationships))" ] }, { "cell_type": "code", "execution_count": 97, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description type \\\n", "0 An EMM/MDM can use the Android `DevicePolicyMa... relationship \n", "1 [Dark Caracal](https://attack.mitre.org/groups... relationship \n", "2 [Dark Caracal](https://attack.mitre.org/groups... relationship \n", "3 [Pallas](https://attack.mitre.org/software/S03... relationship \n", "\n", " id \\\n", "0 relationship--fbd2d4f7-96ff-4624-a567-d4882f0c... \n", "1 relationship--61071d73-fcdf-4820-afd0-e3f0983e... \n", "2 relationship--ae9a0fb3-901b-4da2-b6ad-633ddbfa... \n", "3 relationship--60ecd154-e907-419a-b41d-1a9a1f59... \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " created modified \\\n", "0 2019-07-23T15:35:23.530Z 2019-07-23T15:35:23.530Z \n", "1 2019-07-10T15:42:09.606Z 2019-07-16T15:35:20.953Z \n", "2 2019-07-10T15:42:09.591Z 2019-07-16T15:35:21.028Z \n", "3 2019-07-10T15:35:43.712Z 2019-07-14T21:33:23.556Z \n", "\n", " source_ref relationship_type \\\n", "0 course-of-action--649f7268-4c12-483b-ac84-4b7b... mitigates \n", "1 intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... uses \n", "2 intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced74... uses \n", "3 malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878 uses \n", "\n", " target_ref \\\n", "0 attack-pattern--2204c371-6100-4ae0-82f3-25c07c... \n", "1 attack-pattern--6a3f6490-9c44-40de-b059-e5940f... \n", "2 attack-pattern--53263a67-075e-48fa-974b-91c5b5... \n", "3 attack-pattern--8e27551a-5080-4148-a584-c64348... 
\n", "\n", " external_references \n", "0 NaN \n", "1 [{'source_name': 'Lookout Dark Caracal Jan 201... \n", "2 [{'source_name': 'Lookout Dark Caracal Jan 201... \n", "3 [{'source_name': 'Lookout Dark Caracal Jan 201... " ] }, "execution_count": 97, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relations_list = []\n", "for t in relationships:\n", " relations_list.append(json.loads(t.serialize()))\n", "df = json_normalize(relations_list)\n", "df[0:4]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Relationships (TAXII)" ] }, { "cell_type": "code", "execution_count": 98, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in ATT&CK\n", "6067\n" ] } ], "source": [ "print(\"Number of Relationships in ATT&CK\")\n", "relationships = lift.get_relationships()\n", "print(len(relationships))" ] }, { "cell_type": "code", "execution_count": 99, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
" ], "text/plain": [ " created_by_ref \\\n", "0 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "1 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "2 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "3 identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 \n", "\n", " description type \\\n", "0 [Soft Cell](https://attack.mitre.org/groups/G0... relationship \n", "1 [Soft Cell](https://attack.mitre.org/groups/G0... relationship \n", "2 [Soft Cell](https://attack.mitre.org/groups/G0... relationship \n", "3 [Soft Cell](https://attack.mitre.org/groups/G0... relationship \n", "\n", " created \\\n", "0 2019-07-22T15:49:28.744Z \n", "1 2019-07-22T15:35:24.376Z \n", "2 2019-07-22T15:35:24.363Z \n", "3 2019-07-22T15:35:24.351Z \n", "\n", " object_marking_refs \\\n", "0 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "1 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "2 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "3 [marking-definition--fa42a846-8d90-4e51-bc29-7... \n", "\n", " id \\\n", "0 relationship--380743e5-616c-4524-96e6-d545e5b6... \n", "1 relationship--919f6143-eb8c-48cd-8741-118040c3... \n", "2 relationship--ee4d1b24-603f-40df-8f21-3c053fba... \n", "3 relationship--38be247c-74b0-42f3-964e-5f23ef42... \n", "\n", " external_references \\\n", "0 [{'source_name': 'Cybereason Soft Cell June 20... \n", "1 [{'source_name': 'Cybereason Soft Cell June 20... \n", "2 [{'source_name': 'Cybereason Soft Cell June 20... \n", "3 [{'source_name': 'Cybereason Soft Cell June 20... \n", "\n", " modified \\\n", "0 2019-07-22T15:49:28.744Z \n", "1 2019-07-22T15:49:29.135Z \n", "2 2019-07-22T15:49:29.090Z \n", "3 2019-07-22T15:49:29.092Z \n", "\n", " source_ref relationship_type \\\n", "0 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... uses \n", "1 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... uses \n", "2 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... uses \n", "3 intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265d... 
uses \n", "\n", " target_ref \n", "0 attack-pattern--92d7da27-2d91-488e-a00c-059dc1... \n", "1 attack-pattern--00d0b012-8a03-410e-95de-5826bf... \n", "2 attack-pattern--c23b740b-a42b-47a1-aec2-9d48dd... \n", "3 attack-pattern--3c4a2599-71ee-4405-ba1e-0e2841... " ] }, "execution_count": 99, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relations_list = []\n", "for t in relationships:\n", " relations_list.append(json.loads(t.serialize()))\n", "df = json_normalize(relations_list)\n", "df[0:4]" ] } ], "metadata": { "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.7.3" } }, "nbformat": 4, "nbformat_minor": 4 }