# **MITRE ATT&CK API BASICS**: Python Client
------------------

## Import ATTACK API Client

In [1]:
from attackcti import attack_client

## Import Extra Libraries

In [2]:
try:
    from pandas import json_normalize  # pandas >= 1.0
except ImportError:
    from pandas.io.json import json_normalize  # older pandas releases

## Initialize ATT&CK Client Variable

In [3]:
lift = attack_client()

## **Collect ALL (Enterprise ATT&CK, Pre-ATT&CK & Mobile ATT&CK)**
* I usually collect all the STIX object types available from all the ATT&CK matrices first when I want to analyze ATT&CK's data.
* In this section, we will collect everything from Enterprise ATT&CK, PRE-ATT&CK and Mobile ATT&CK via three functions that query the ATT&CK content available in STIX™ 2.0 via a public TAXII™ 2.0 server:
  * get_all_enterprise()
  * get_all_pre()
  * get_all_mobile()
* The get_all_stix_objects() function just combines the results of the other three locally.
* Then, we will take the results from each get_all_* function and pull out specific STIX object types such as techniques, mitigations, groups, malware, tools and relationships.
* It is important to remember that the STIX object types are obtained from the results of the initial three **get_all_*** functions; the TAXII server is not queried every time we want information about a specific STIX object type.

**Collect ALL Enterprise ATT&CK (TAXII)**

In [4]:
all_enterprise = lift.get_all_enterprise()

**Collect ALL PRE-ATT&CK (TAXII)**

In [5]:
all_pre = lift.get_all_pre()

**Collect ALL Mobile ATT&CK (TAXII)**

In [6]:
all_mobile = lift.get_all_mobile()

**Collect ALL (It runs All 3 functions and collects all the results)**

The **get_all_stix_objects()** function returns a dictionary with all the STIX object types from all matrices:
* techniques
* mitigations
* groups
* malware
* tools
* relationships

In [7]:
all_attack = lift.get_all_stix_objects()

In [8]:
type(all_attack)

dict

### Get All Techniques from ATT&CK Results (Locally)
* The results of this function show every technique across the whole ATT&CK framework, without mitigation information.
* Mitigation information has its own STIX object type (Mitigation) and has to be correlated with techniques through the relationship objects.
* The library already provides a function named **get_all_techniques_with_mitigations()** that gives you a more complete view of techniques.

In [9]:
print("Number of Techniques in ATT&CK")
print(len(all_attack['techniques']))
techniques = all_attack['techniques']
df = json_normalize(techniques)
df.reindex(['matrix', 'created','tactic', 'technique', 'technique_id', 'data_sources'], axis=1)[0:5]

Number of Techniques in ATT&CK
469


Unnamed: 0,matrix,created,tactic,technique,technique_id,data_sources
0,mitre-attack,2017-12-14 16:46:06.044000+00:00,[persistence],.bash_profile and .bashrc,T1156,"[File monitoring, Process Monitoring, Process ..."
1,mitre-attack,2017-12-14 16:46:06.044000+00:00,"[defense-evasion, privilege-escalation]",Access Token Manipulation,T1134,"[API monitoring, Access Tokens]"
2,mitre-attack,2017-05-31 21:30:26.946000+00:00,"[persistence, privilege-escalation]",Accessibility Features,T1015,"[Windows Registry, File monitoring, Process mo..."
3,mitre-attack,2017-05-31 21:31:12.196000+00:00,[credential-access],Account Manipulation,T1098,"[Authentication logs, API monitoring, Windows ..."
4,mitre-attack,2017-05-31 21:31:06.988000+00:00,[discovery],Account Discovery,T1087,"[API monitoring, Process command-line paramete..."


In [10]:
len(df.loc[df['matrix'] == 'mitre-attack'])

219

**Showing the schema of Techniques**

This schema covers techniques from Enterprise, PRE and Mobile ATT&CK

In [11]:
list(df)

['contributors',
 'created',
 'created_by_ref',
 'data_sources',
 'defense_bypassed',
 'detectable_by_common_defenses',
 'detectable_explanation',
 'difficulty_explanation',
 'difficulty_for_adversary',
 'effective_permissions',
 'id',
 'matrix',
 'modified',
 'network_requirements',
 'object_marking_refs',
 'permissions_required',
 'platform',
 'remote_support',
 'system_requirements',
 'tactic',
 'tactic_type',
 'technique',
 'technique_description',
 'technique_id',
 'technique_references',
 'type',
 'url']

**Showing one technique example**

In [12]:
techniques[0]

{'type': 'attack-pattern',
 'id': 'attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'created': '2017-12-14 16:46:06.044000+00:00',
 'modified': '2018-04-18 17:59:24.739000+00:00',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'url': 'https://attack.mitre.org/wiki/Technique/T1156',
 'matrix': 'mitre-attack',
 'technique': '.bash_profile and .bashrc',
 'technique_description': "<code>~/.bash_profile</code> and <code>~/.bashrc</code> are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. <code>~/.bash_profile</code> is executed for login shells and <code>~/.bashrc</code> is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), <code>~/.bash_profile</code> is executed before the initial co

### Get All Mitigations from ATT&CK Results (Locally)

In [13]:
print("Number of Mitigations in ATT&CK")
print(len(all_attack['mitigations']))
mitigations = all_attack['mitigations']
df = json_normalize(mitigations)
df.reindex(['matrix','mitigation', 'mitigation_description','url'], axis=1)[0:5]

Number of Mitigations in ATT&CK
229


Unnamed: 0,matrix,mitigation,mitigation_description,url
0,mitre-attack,.bash_profile and .bashrc Mitigation,Making these files immutable and only changeab...,https://attack.mitre.org/wiki/Technique/T1156
1,mitre-attack,Access Token Manipulation Mitigation,Access tokens are an integral part of the secu...,https://attack.mitre.org/wiki/Technique/T1134
2,mitre-attack,Accessibility Features Mitigation,"To use this technique remotely, an adversary m...",https://attack.mitre.org/wiki/Technique/T1015
3,mitre-attack,Account Discovery Mitigation,Prevent administrator accounts from being enum...,https://attack.mitre.org/wiki/Technique/T1087
4,mitre-attack,Account Manipulation Mitigation,Use multifactor authentication. Follow guideli...,https://attack.mitre.org/wiki/Technique/T1098


**Showing the schema of Mitigations**

In [14]:
list(df)

['created',
 'created_by_ref',
 'id',
 'matrix',
 'mitigation',
 'mitigation_description',
 'mitigation_id',
 'mitigation_references',
 'modified',
 'type',
 'url']

**Showing one Mitigation example**

In [15]:
mitigations[0]

{'type': 'course-of-action',
 'id': 'course-of-action--4f170666-7edb-4489-85c2-9affa28a72e0',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'created': '2018-04-18 17:59:24.739000+00:00',
 'modified': '2018-04-18 17:59:24.739000+00:00',
 'matrix': 'mitre-attack',
 'url': 'https://attack.mitre.org/wiki/Technique/T1156',
 'mitigation': '.bash_profile and .bashrc Mitigation',
 'mitigation_description': 'Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.',
 'mitigation_id': 'T1156',
 'mitigation_references': ['https://attack.mitre.org/wiki/Technique/T1156']}

### Get All Groups from ATT&CK Results (Locally)

In [16]:
print("Number of Groups in ATT&CK")
print(len(all_attack['groups']))
groups = all_attack['groups']
df = json_normalize(groups)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]

Number of Groups in ATT&CK
69


Unnamed: 0,matrix,group,group_aliases,group_id,group_description
0,mitre-attack,APT12,"[APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC]",G0005,APT12 is a threat group that has been attribut...
1,mitre-attack,APT29,"[APT29, The Dukes, Cozy Bear, CozyDuke]",G0016,APT29 is threat group that has been attributed...
2,mitre-attack,APT34,[APT34],G0057,APT34 is an Iranian cyber espionage group that...
3,mitre-attack,Carbanak,"[Carbanak, Anunak, Carbon Spider]",G0008,Carbanak is a threat group that mainly targets...
4,mitre-attack,Deep Panda,"[Deep Panda, Shell Crew, WebMasters, KungFu Ki...",G0009,Deep Panda is a suspected Chinese threat group...


**Showing the schema of Groups**

In [17]:
list(df)

['created',
 'created_by_ref',
 'group',
 'group_aliases',
 'group_description',
 'group_id',
 'group_references',
 'id',
 'matrix',
 'modified',
 'type',
 'url']

**Showing one Groups example**

In [18]:
groups[0]

{'type': 'intrusion-set',
 'id': 'intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'matrix': 'mitre-attack',
 'created': '2017-05-31 21:31:47.537000+00:00',
 'modified': '2018-01-17 12:56:55.080000+00:00',
 'url': 'https://attack.mitre.org/wiki/Group/G0005',
 'group': 'APT12',
 'group_description': 'APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)',
 'group_aliases': ['APT12', 'IXESHE', 'DynCalc', 'Numbered Panda', 'DNSCALC'],
 'group_id': 'G0005',
 'group_references': ['https://attack.mitre.org/wiki/Group/G0005',
  'http://www.crowdstrike.com/blog/whois-numbered-panda/']}

### Get All Malware objects from ATT&CK Results (Locally)

In [19]:
print("Number of Malware in ATT&CK")
print(len(all_attack['malware']))
malware = all_attack['malware']
df = json_normalize(malware)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]

Number of Malware in ATT&CK
223


Unnamed: 0,matrix,software,software_labels,software_id,software_description
0,mitre-attack,ADVSTORESHELL,[malware],S0045,ADVSTORESHELL is a spying backdoor that has be...
1,mitre-attack,BACKSPACE,[malware],S0031,BACKSPACE is a backdoor used by APT30 that dat...
2,mitre-attack,BLACKCOFFEE,[malware],S0069,BLACKCOFFEE is malware that has been used by s...
3,mitre-attack,BlackEnergy,[malware],S0089,BlackEnergy is a malware toolkit that has been...
4,mitre-attack,CORALDECK,[malware],S0212,is an exfiltration tool used by APT37. (Citati...


**Showing the schema of Malware**

In [20]:
list(df)

['created',
 'created_by_ref',
 'id',
 'matrix',
 'modified',
 'software',
 'software_aliases',
 'software_description',
 'software_id',
 'software_labels',
 'software_references',
 'type',
 'url']

**Showing one Malware example**

In [21]:
malware[0]

{'type': 'malware',
 'id': 'malware--fb575479-14ef-41e9-bfab-0b7cf10bec73',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'created': '2017-05-31 21:32:34.648000+00:00',
 'modified': '2018-01-17 12:56:55.080000+00:00',
 'matrix': 'mitre-attack',
 'software': 'ADVSTORESHELL',
 'software_description': 'ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)\n\nAliases: ADVSTORESHELL, NETUI, EVILTOSS, AZZY, Sedreco',
 'software_labels': ['malware'],
 'software_id': 'S0045',
 'url': 'https://attack.mitre.org/wiki/Software/S0045',
 'software_aliases': ['ADVSTORESHELL', 'NETUI', 'EVILTOSS', 'AZZY', 'Sedreco'],
 'software_references': ['https://attack.mitre.org/wiki/Software/S0045',
  'https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-

### Get All Tools from ATT&CK Results (Locally)

In [22]:
print("Number of Tools in ATT&CK")
print(len(all_attack['tools']))
tools = all_attack['tools']
df = json_normalize(tools)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]

Number of Tools in ATT&CK
46


Unnamed: 0,matrix,software,software_labels,software_id,software_description
0,mitre-attack,Cobalt Strike,[tool],S0154,"Cobalt Strike is a commercial, full-featured, ..."
1,mitre-attack,HTRAN,[tool],S0040,HTRAN is a tool that proxies connections throu...
2,mitre-attack,Lslsass,[tool],S0121,Lslsass is a publicly-available tool that can ...
3,mitre-attack,Mimikatz,[tool],S0002,Mimikatz is a credential dumper capable of obt...
4,mitre-attack,PowerSploit,[tool],S0194,"PowerSploit is an open source, offensive secur..."


**Showing the schema of Tools**

In [23]:
list(df)

['created',
 'created_by_ref',
 'id',
 'matrix',
 'modified',
 'software',
 'software_aliases',
 'software_description',
 'software_id',
 'software_labels',
 'software_references',
 'type',
 'url']

**Showing one Tool example**

In [24]:
tools[0]

{'type': 'tool',
 'id': 'tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'created': '2017-12-14 16:46:06.044000+00:00',
 'modified': '2018-04-18 17:59:24.739000+00:00',
 'matrix': 'mitre-attack',
 'software': 'Cobalt Strike',
 'software_description': 'Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”.  Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. (Citation: cobaltstrike manual)\n\nAliases: Cobalt Strike\n\nContributors: Josh Abraham',
 'software_labels': ['tool'],
 'software_id'

### Get All Relationships from ATT&CK Results (Locally)

In [25]:
print("Number of Relationships in ATT&CK")
print(len(all_attack['relationships']))
relationships = all_attack['relationships']
df = json_normalize(relationships)
df.reindex(['id','relationship', 'source_object', 'target_object'], axis=1)[0:5]

Number of Relationships in ATT&CK
3066


Unnamed: 0,id,relationship,source_object,target_object
0,relationship--bb55d7e7-28af-4efd-8384-289f1a8b...,mitigates,course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774...,attack-pattern--a10641f4-87b4-45a3-a906-92a149...
1,relationship--a38d4ac5-1d3d-4a2f-9493-ff3e2a46...,mitigates,course-of-action--cfc2d2fc-14ff-495f-bd99-585b...,attack-pattern--7c93aa74-4bc0-4a9e-90ea-f25f86...
2,relationship--b8306976-370f-403d-9983-fe3327c0...,mitigates,course-of-action--2497ac92-e751-4391-82c6-1b86...,attack-pattern--774a3188-6ba9-4dc4-879d-d54ee4...
3,relationship--6f7ca160-cd38-4ff4-b297-e95b3111...,mitigates,course-of-action--1c0b39f9-a0c5-42b2-abd8-dc8f...,attack-pattern--5e4a2073-9643-44cb-a0b5-e7f404...
4,relationship--0b0884f1-1a40-436e-9a74-8cbe9c9d...,mitigates,course-of-action--d7c49196-b40e-42bc-8eed-b803...,attack-pattern--68c96494-1a50-403e-8844-69a6af...


**Showing the schema of Relationships**

In [26]:
list(df)

['created',
 'created_by_ref',
 'id',
 'modified',
 'relationship',
 'relationship_description',
 'source_object',
 'target_object',
 'type']

**Showing one Relationship example**

In [27]:
relationships[0]

{'type': 'relationship',
 'id': 'relationship--bb55d7e7-28af-4efd-8384-289f1a8b173e',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'created': '2017-05-31 21:33:27.028000+00:00',
 'modified': '2018-01-17 12:56:55.080000+00:00',
 'relationship': 'mitigates',
 'relationship_description': None,
 'source_object': 'course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774beef6425',
 'target_object': 'attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27'}

### Get All Enterprise ATT&CK ONLY from Results (Locally)

**Enterprise Techniques**

In [28]:
print("Number of Techniques in Enterprise ATT&CK")
print(len(all_enterprise['techniques']))
df = all_enterprise['techniques']
df = json_normalize(df)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'data_sources'], axis=1)[0:5]

Number of Techniques in Enterprise ATT&CK
219


Unnamed: 0,matrix,tactic,technique,technique_id,data_sources
0,mitre-attack,[persistence],.bash_profile and .bashrc,T1156,"[File monitoring, Process Monitoring, Process ..."
1,mitre-attack,"[defense-evasion, privilege-escalation]",Access Token Manipulation,T1134,"[API monitoring, Access Tokens]"
2,mitre-attack,"[persistence, privilege-escalation]",Accessibility Features,T1015,"[Windows Registry, File monitoring, Process mo..."
3,mitre-attack,[credential-access],Account Manipulation,T1098,"[Authentication logs, API monitoring, Windows ..."
4,mitre-attack,[discovery],Account Discovery,T1087,"[API monitoring, Process command-line paramete..."


**Enterprise Mitigations**

In [29]:
print("Number of Mitigations in Enterprise ATT&CK")
print(len(all_enterprise['mitigations']))
df = all_enterprise['mitigations']
df = json_normalize(df)
df.reindex(['matrix','mitigation', 'mitigation_description', 'url'], axis=1)[0:5]

Number of Mitigations in Enterprise ATT&CK
215


Unnamed: 0,matrix,mitigation,mitigation_description,url
0,mitre-attack,.bash_profile and .bashrc Mitigation,Making these files immutable and only changeab...,https://attack.mitre.org/wiki/Technique/T1156
1,mitre-attack,Access Token Manipulation Mitigation,Access tokens are an integral part of the secu...,https://attack.mitre.org/wiki/Technique/T1134
2,mitre-attack,Accessibility Features Mitigation,"To use this technique remotely, an adversary m...",https://attack.mitre.org/wiki/Technique/T1015
3,mitre-attack,Account Discovery Mitigation,Prevent administrator accounts from being enum...,https://attack.mitre.org/wiki/Technique/T1087
4,mitre-attack,Account Manipulation Mitigation,Use multifactor authentication. Follow guideli...,https://attack.mitre.org/wiki/Technique/T1098


**Enterprise Groups**

In [30]:
print("Number of Groups in Enterprise ATT&CK")
print(len(all_enterprise['groups']))
df = all_enterprise['groups']
df = json_normalize(df)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]

Number of Groups in Enterprise ATT&CK
69


Unnamed: 0,matrix,group,group_aliases,group_id,group_description
0,mitre-attack,APT12,"[APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC]",G0005,APT12 is a threat group that has been attribut...
1,mitre-attack,APT29,"[APT29, The Dukes, Cozy Bear, CozyDuke]",G0016,APT29 is threat group that has been attributed...
2,mitre-attack,APT34,[APT34],G0057,APT34 is an Iranian cyber espionage group that...
3,mitre-attack,Carbanak,"[Carbanak, Anunak, Carbon Spider]",G0008,Carbanak is a threat group that mainly targets...
4,mitre-attack,Deep Panda,"[Deep Panda, Shell Crew, WebMasters, KungFu Ki...",G0009,Deep Panda is a suspected Chinese threat group...


**Enterprise Malware**

In [31]:
print("Number of Malware objects in Enterprise ATT&CK")
print(len(all_enterprise['malware']))
df = all_enterprise['malware']
df = json_normalize(df)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]

Number of Malware objects in Enterprise ATT&CK
188


Unnamed: 0,matrix,software,software_labels,software_id,software_description
0,mitre-attack,ADVSTORESHELL,[malware],S0045,ADVSTORESHELL is a spying backdoor that has be...
1,mitre-attack,BACKSPACE,[malware],S0031,BACKSPACE is a backdoor used by APT30 that dat...
2,mitre-attack,BLACKCOFFEE,[malware],S0069,BLACKCOFFEE is malware that has been used by s...
3,mitre-attack,BlackEnergy,[malware],S0089,BlackEnergy is a malware toolkit that has been...
4,mitre-attack,CORALDECK,[malware],S0212,is an exfiltration tool used by APT37. (Citati...


**Enterprise Tools**

In [32]:
print("Number of Tools in Enterprise ATT&CK")
print(len(all_enterprise['tools']))
df = all_enterprise['tools']
df = json_normalize(df)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]

Number of Tools in Enterprise ATT&CK
45


Unnamed: 0,matrix,software,software_labels,software_id,software_description
0,mitre-attack,Cobalt Strike,[tool],S0154,"Cobalt Strike is a commercial, full-featured, ..."
1,mitre-attack,HTRAN,[tool],S0040,HTRAN is a tool that proxies connections throu...
2,mitre-attack,Lslsass,[tool],S0121,Lslsass is a publicly-available tool that can ...
3,mitre-attack,Mimikatz,[tool],S0002,Mimikatz is a credential dumper capable of obt...
4,mitre-attack,PowerSploit,[tool],S0194,"PowerSploit is an open source, offensive secur..."


**Enterprise Relationships**

In [33]:
print("Number of Relationships in Enterprise ATT&CK")
print(len(all_enterprise['relationships']))
df = all_enterprise['relationships']
df = json_normalize(df)
df.reindex(['id','relationship', 'source_object', 'target_object'], axis=1)[0:5]

Number of Relationships in Enterprise ATT&CK
2707


Unnamed: 0,id,relationship,source_object,target_object
0,relationship--bb55d7e7-28af-4efd-8384-289f1a8b...,mitigates,course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774...,attack-pattern--a10641f4-87b4-45a3-a906-92a149...
1,relationship--a38d4ac5-1d3d-4a2f-9493-ff3e2a46...,mitigates,course-of-action--cfc2d2fc-14ff-495f-bd99-585b...,attack-pattern--7c93aa74-4bc0-4a9e-90ea-f25f86...
2,relationship--b8306976-370f-403d-9983-fe3327c0...,mitigates,course-of-action--2497ac92-e751-4391-82c6-1b86...,attack-pattern--774a3188-6ba9-4dc4-879d-d54ee4...
3,relationship--6f7ca160-cd38-4ff4-b297-e95b3111...,mitigates,course-of-action--1c0b39f9-a0c5-42b2-abd8-dc8f...,attack-pattern--5e4a2073-9643-44cb-a0b5-e7f404...
4,relationship--0b0884f1-1a40-436e-9a74-8cbe9c9d...,mitigates,course-of-action--d7c49196-b40e-42bc-8eed-b803...,attack-pattern--68c96494-1a50-403e-8844-69a6af...


### Get All PRE-ATT&CK ONLY from Results (Locally)

**PRE Techniques**

In [34]:
print("Number of Techniques in PRE-ATT&CK")
print(len(all_pre['techniques']))
df = all_pre['techniques']
df = json_normalize(df)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'detectable_by_common_defenses'], axis=1)[0:5]

Number of Techniques in PRE-ATT&CK
174


Unnamed: 0,matrix,tactic,technique,technique_id,detectable_by_common_defenses
0,mitre-pre-attack,[adversary-opsec],Acquire and/or use 3rd party infrastructure se...,PRE-T1084,No
1,mitre-pre-attack,[establish-&-maintain-infrastructure],Acquire or compromise 3rd party signing certif...,PRE-T1109,No
2,mitre-pre-attack,[technical-weakness-identification],Analyze data collected,PRE-T1064,No
3,mitre-pre-attack,[organizational-weakness-identification],Analyze presence of outsourced capabilities,PRE-T1080,No
4,mitre-pre-attack,[priority-definition-planning],Assess leadership areas of interest,PRE-T1001,No


**PRE Groups**

In [35]:
print("Number of Groups in PRE-ATT&CK")
print(len(all_pre['groups']))
df = all_pre['groups']
df = json_normalize(df)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]

Number of Groups in PRE-ATT&CK
7


Unnamed: 0,matrix,group,group_aliases,group_id,group_description
0,mitre-attack,APT12,"[APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC]",G0005,APT12 is a threat group that has been attribut...
1,mitre-attack,APT1,"[APT1, Comment Crew, Comment Group, Comment Pa...",G0006,APT1 is a Chinese threat group that has been a...
2,mitre-attack,APT28,"[APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear...",G0007,APT28 is a threat group that has been attribut...
3,mitre-attack,Night Dragon,"[Night Dragon, Musical Chairs]",G0014,Night Dragon is a campaign name for activity i...
4,mitre-attack,APT16,[APT16],G0023,APT16 is a China-based threat group that has l...


**PRE Relationships**

In [36]:
print("Number of Relationships in PRE-ATT&CK")
print(len(all_pre['relationships']))
df = all_pre['relationships']
df = json_normalize(df)
df.reindex(['id','relationship', 'source_object', 'target_object'], axis=1)[0:5]

Number of Relationships in PRE-ATT&CK
114


Unnamed: 0,id,relationship,source_object,target_object
0,relationship--1143e6a6-deef-4dbd-8c91-7bf537d8...,related-to,attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae...,attack-pattern--2b9a666e-bd59-4f67-9031-ed41b4...
1,relationship--3d781e9a-d3f8-4e9f-bb23-ba6c2ff2...,related-to,attack-pattern--1a295f87-af63-4d94-b130-039d62...,attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc...
2,relationship--d5bd7a33-a249-46e5-bb19-a498eba4...,related-to,attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6e...,attack-pattern--7baccb84-356c-4e89-8c5d-58e701...
3,relationship--bc165934-7ef6-4aed-a0d7-81d33725...,related-to,attack-pattern--e51398e6-53dc-4e9f-a323-e54683...,attack-pattern--4900fabf-1142-4c1f-92f5-0b590e...
4,relationship--46f1e7d4-4d73-4e33-b88b-b3bcde5d...,related-to,attack-pattern--a757670d-d600-48d9-8ae9-601d42...,attack-pattern--af358cad-eb71-4e91-a752-236edc...


### Get All Mobile ATT&CK ONLY from Results (Locally)

**Mobile Techniques**

In [37]:
print("Number of Techniques in Mobile ATT&CK")
print(len(all_mobile['techniques']))
df = all_mobile['techniques']
df = json_normalize(df)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'tactic_type'], axis=1)[0:5]

Number of Techniques in Mobile ATT&CK
76


Unnamed: 0,matrix,tactic,technique,technique_id,tactic_type
0,mitre-mobile-attack,"[collection, credential-access]",Abuse Accessibility Features,MOB-T1056,[Post-Adversary Device Access]
1,mitre-mobile-attack,[collection],Access Contact List,MOB-T1035,[Post-Adversary Device Access]
2,mitre-mobile-attack,[persistence],App Auto-Start at Device Boot,MOB-T1005,[Post-Adversary Device Access]
3,mitre-mobile-attack,[exploit-via-physical-access],Biometric Spoofing,MOB-T1063,[Pre-Adversary Device Access]
4,mitre-mobile-attack,[discovery],Device Type Discovery,MOB-T1022,[Post-Adversary Device Access]


**Mobile Mitigations**

In [38]:
print("Number of Mitigations in Mobile ATT&CK")
print(len(all_mobile['mitigations']))
print(" ")
df = all_mobile['mitigations']
df = json_normalize(df)
df.reindex(['matrix', 'mitigation', 'mitigation_description', 'url'], axis=1)[0:5]

Number of Mitigations in Mobile ATT&CK
14
 


Unnamed: 0,matrix,mitigation,mitigation_description,url
0,mitre-mobile-attack,Attestation,Enable remote attestation capabilities when av...,https://attack.mitre.org/mobile/index.php/Miti...
1,mitre-mobile-attack,Interconnection Filtering,In order to mitigate Signaling System 7 (SS7) ...,https://attack.mitre.org/mobile/index.php/Miti...
2,mitre-mobile-attack,Use Recent OS Version,New mobile operating system versions bring not...,https://attack.mitre.org/mobile/index.php/Miti...
3,mitre-mobile-attack,Caution with Device Administrator Access,Warn device users not to accept requests to gr...,https://attack.mitre.org/mobile/index.php/Miti...
4,mitre-mobile-attack,Lock Bootloader,On devices that provide the capability to unlo...,https://attack.mitre.org/mobile/index.php/Miti...


**Mobile Groups**

In [39]:
print("Number of Groups in Mobile ATT&CK")
print(len(all_mobile['groups']))
df = all_mobile['groups']
df = json_normalize(df)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]

Number of Groups in Mobile ATT&CK
1


Unnamed: 0,matrix,group,group_aliases,group_id,group_description
0,mitre-attack,APT28,"[APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear...",G0007,APT28 is a threat group that has been attribut...


**Mobile Malware**

In [40]:
print("Number of Malware in Mobile ATT&CK")
print(len(all_mobile['malware']))
df = all_mobile['malware']
df = json_normalize(df)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]

Number of Malware in Mobile ATT&CK
35


Unnamed: 0,matrix,software,software_labels,software_id,software_description
0,mitre-mobile-attack,Android/Chuli.A,[malware],MOB-S0020,As reported by Kaspersky (Citation: Kaspersky-...
1,mitre-mobile-attack,DressCode,[malware],MOB-S0016,Android malware family analyzed by Trend Micro...
2,mitre-mobile-attack,HummingWhale,[malware],MOB-S0037,"The HummingWhale Android malware family ""inclu..."
3,mitre-mobile-attack,OldBoot,[malware],MOB-S0001,OldBoot is a family of Android malware describ...
4,mitre-mobile-attack,RuMMS,[malware],MOB-S0029,RuMMS is a family of Android malware (Citation...


**Mobile Tools**

In [41]:
print("Number of Tools in Mobile ATT&CK")
print(len(all_mobile['tools']))
df = all_mobile['tools']
df = json_normalize(df)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]

Number of Tools in Mobile ATT&CK
1


Unnamed: 0,matrix,software,software_labels,software_id,software_description
0,mitre-mobile-attack,Xbot,[tool],MOB-S0014,Xbot is a family of Android malware analyzed b...


**Mobile Relationships**

In [42]:
print("Number of Relationships in Mobile ATT&CK")
print(len(all_mobile['relationships']))
df = all_mobile['relationships']
df = json_normalize(df)
df.reindex(['object id','relationship', 'relationship_description','source_object', 'target_object'], axis=1)[0:5]

Number of Relationships in Mobile ATT&CK
245


Unnamed: 0,object id,relationship,relationship_description,source_object,target_object
0,,mitigates,,course-of-action--0beabf44-e8d8-4ae4-9122-ef56...,attack-pattern--82f04b1e-5371-4a6f-be06-411f0f...
1,,mitigates,,course-of-action--bcecd036-f40e-4916-9f8e-fd0c...,attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e...
2,,mitigates,,course-of-action--1553b156-6767-47f7-9eb4-2a69...,attack-pattern--29e07491-8947-43a3-8d4e-9a787c...
3,,mitigates,,course-of-action--0beabf44-e8d8-4ae4-9122-ef56...,attack-pattern--702055ac-4e54-4ae9-9527-e23a38...
4,,mitigates,,course-of-action--653492e3-27be-4a0e-b08c-938d...,attack-pattern--1f96d624-8409-4472-ad8a-30618e...


## **Get STIX Object Types Directly from TAXII Server (Enterprise ATT&CK, Pre-ATT&CK & Mobile ATT&CK)**
* In this section, we will query the ATT&CK TAXII server to collect specific STIX object types such as techniques, mitigations, groups, malware, tools and relationships from the Enterprise, PRE and Mobile matrices.
* Unlike the first section of this notebook, there is no need to first get all the STIX objects available for each matrix.

### Get All Enterprise Techniques ONLY (TAXII)

In [43]:
print("Number of Techniques in Enterprise ATT&CK")
techniques = lift.get_all_enterprise_techniques()
print(len(techniques))
df = json_normalize(techniques)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'data_sources','contributors'], axis=1)[0:5]

Number of Techniques in Enterprise ATT&CK
219


Unnamed: 0,matrix,tactic,technique,technique_id,data_sources,contributors
0,mitre-attack,[persistence],.bash_profile and .bashrc,T1156,"[File monitoring, Process Monitoring, Process ...",
1,mitre-attack,"[defense-evasion, privilege-escalation]",Access Token Manipulation,T1134,"[API monitoring, Access Tokens]","[Tom Ueltschi @c_APT_ure, Travis Smith, Tripwi..."
2,mitre-attack,"[persistence, privilege-escalation]",Accessibility Features,T1015,"[Windows Registry, File monitoring, Process mo...","[Paul Speulstra, AECOM Global Security Operati..."
3,mitre-attack,[credential-access],Account Manipulation,T1098,"[Authentication logs, API monitoring, Windows ...",
4,mitre-attack,[discovery],Account Discovery,T1087,"[API monitoring, Process command-line paramete...","[Travis Smith, Tripwire]"


### Get All PRE Techniques ONLY (TAXII)

In [44]:
print("Number of Techniques in PRE-ATT&CK")
techniques = lift.get_all_pre_techniques()
print(len(techniques))
df = json_normalize(techniques)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'detectable_by_common_defenses', 'contributors'], axis=1)[0:5]

Number of Techniques in PRE-ATT&CK
174


Unnamed: 0,matrix,tactic,technique,technique_id,detectable_by_common_defenses,contributors
0,mitre-pre-attack,[adversary-opsec],Acquire and/or use 3rd party infrastructure se...,PRE-T1084,No,
1,mitre-pre-attack,[establish-&-maintain-infrastructure],Acquire or compromise 3rd party signing certif...,PRE-T1109,No,
2,mitre-pre-attack,[technical-weakness-identification],Analyze data collected,PRE-T1064,No,
3,mitre-pre-attack,[organizational-weakness-identification],Analyze presence of outsourced capabilities,PRE-T1080,No,
4,mitre-pre-attack,[priority-definition-planning],Assess leadership areas of interest,PRE-T1001,No,


### Get All Mobile Techniques ONLY (TAXII)

In [45]:
print("Number of Techniques in Mobile ATT&CK")
techniques = lift.get_all_mobile_techniques()
print(len(techniques))
df = json_normalize(techniques)
df.reindex(['matrix', 'id','tactic', 'technique', 'tactic_type','contributors'], axis=1)[0:5]

Number of Techniques in Mobile ATT&CK
76


Unnamed: 0,matrix,id,tactic,technique,tactic_type,contributors
0,mitre-mobile-attack,attack-pattern--2204c371-6100-4ae0-82f3-25c07c...,"[collection, credential-access]",Abuse Accessibility Features,[Post-Adversary Device Access],
1,mitre-mobile-attack,attack-pattern--4e6620ac-c30c-4f6d-918e-fa20ca...,[collection],Access Contact List,[Post-Adversary Device Access],
2,mitre-mobile-attack,attack-pattern--bd4d32f5-eed4-4018-a649-40b229...,[persistence],App Auto-Start at Device Boot,[Post-Adversary Device Access],
3,mitre-mobile-attack,attack-pattern--45dcbc83-4abc-4de1-b643-e528d1...,[exploit-via-physical-access],Biometric Spoofing,[Pre-Adversary Device Access],
4,mitre-mobile-attack,attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1...,[discovery],Device Type Discovery,[Post-Adversary Device Access],


### Get All Techniques (TAXII)
* The results of this function show every technique across the whole ATT&CK framework, without their mitigation information
* Mitigation information has its own stix object type (Mitigation), which needs to be correlated with techniques with the help of relationship properties
* This library already provides a function named **get_all_techniques_with_mitigations()** that gives you a more complete view of techniques

In [46]:
print("Number of Techniques in ATT&CK")
techniques = lift.get_all_techniques()
print(len(techniques))
df = json_normalize(techniques)
df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'data_sources'], axis=1)[0:5]

Number of Techniques in ATT&CK
469


Unnamed: 0,matrix,tactic,technique,technique_id,data_sources
0,mitre-attack,[persistence],.bash_profile and .bashrc,T1156,"[File monitoring, Process Monitoring, Process ..."
1,mitre-attack,"[defense-evasion, privilege-escalation]",Access Token Manipulation,T1134,"[API monitoring, Access Tokens]"
2,mitre-attack,"[persistence, privilege-escalation]",Accessibility Features,T1015,"[Windows Registry, File monitoring, Process mo..."
3,mitre-attack,[credential-access],Account Manipulation,T1098,"[Authentication logs, API monitoring, Windows ..."
4,mitre-attack,[discovery],Account Discovery,T1087,"[API monitoring, Process command-line paramete..."


### Get All Enterprise Mitigations ONLY (TAXII)

In [47]:
print("Number of Mitigations in Enterprise ATT&CK")
mitigations = lift.get_all_enterprise_mitigations()
print(len(mitigations))
df = json_normalize(mitigations)
df.reindex(['matrix', 'mitigation', 'mitigation_description', 'url'], axis=1)[0:5]

Number of Mitigations in Enterprise ATT&CK
215


Unnamed: 0,matrix,mitigation,mitigation_description,url
0,mitre-attack,.bash_profile and .bashrc Mitigation,Making these files immutable and only changeab...,https://attack.mitre.org/wiki/Technique/T1156
1,mitre-attack,Access Token Manipulation Mitigation,Access tokens are an integral part of the secu...,https://attack.mitre.org/wiki/Technique/T1134
2,mitre-attack,Accessibility Features Mitigation,"To use this technique remotely, an adversary m...",https://attack.mitre.org/wiki/Technique/T1015
3,mitre-attack,Account Discovery Mitigation,Prevent administrator accounts from being enum...,https://attack.mitre.org/wiki/Technique/T1087
4,mitre-attack,Account Manipulation Mitigation,Use multifactor authentication. Follow guideli...,https://attack.mitre.org/wiki/Technique/T1098


### Get All Mobile Mitigations ONLY (TAXII)

In [48]:
print("Number of Mitigations in Mobile ATT&CK")
mitigations = lift.get_all_mobile_mitigations()
print(len(mitigations))
df = json_normalize(mitigations)
df.reindex(['matrix', 'mitigation', 'mitigation_description', 'url'], axis=1)[0:5]

Number of Mitigations in Mobile ATT&CK
14


Unnamed: 0,matrix,mitigation,mitigation_description,url
0,mitre-mobile-attack,Attestation,Enable remote attestation capabilities when av...,https://attack.mitre.org/mobile/index.php/Miti...
1,mitre-mobile-attack,Interconnection Filtering,In order to mitigate Signaling System 7 (SS7) ...,https://attack.mitre.org/mobile/index.php/Miti...
2,mitre-mobile-attack,Use Recent OS Version,New mobile operating system versions bring not...,https://attack.mitre.org/mobile/index.php/Miti...
3,mitre-mobile-attack,Caution with Device Administrator Access,Warn device users not to accept requests to gr...,https://attack.mitre.org/mobile/index.php/Miti...
4,mitre-mobile-attack,Lock Bootloader,On devices that provide the capability to unlo...,https://attack.mitre.org/mobile/index.php/Miti...


### Get All Mitigations (TAXII)

In [49]:
print("Number of Mitigations in ATT&CK")
mitigations = lift.get_all_mitigations()
print(len(mitigations))
df = json_normalize(mitigations)
df.reindex(['matrix', 'mitigation', 'mitigation_description', 'url'], axis=1)[0:5]

Number of Mitigations in ATT&CK
229


Unnamed: 0,matrix,mitigation,mitigation_description,url
0,mitre-attack,.bash_profile and .bashrc Mitigation,Making these files immutable and only changeab...,https://attack.mitre.org/wiki/Technique/T1156
1,mitre-attack,Access Token Manipulation Mitigation,Access tokens are an integral part of the secu...,https://attack.mitre.org/wiki/Technique/T1134
2,mitre-attack,Accessibility Features Mitigation,"To use this technique remotely, an adversary m...",https://attack.mitre.org/wiki/Technique/T1015
3,mitre-attack,Account Discovery Mitigation,Prevent administrator accounts from being enum...,https://attack.mitre.org/wiki/Technique/T1087
4,mitre-attack,Account Manipulation Mitigation,Use multifactor authentication. Follow guideli...,https://attack.mitre.org/wiki/Technique/T1098


### Get All Enterprise Groups ONLY (TAXII)

In [50]:
print("Number of Groups in Enterprise ATT&CK")
groups = lift.get_all_enterprise_groups()
print(len(groups))
df = json_normalize(groups)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]

Number of Groups in Enterprise ATT&CK
69


Unnamed: 0,matrix,group,group_aliases,group_id,group_description
0,mitre-attack,APT12,"[APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC]",G0005,APT12 is a threat group that has been attribut...
1,mitre-attack,APT29,"[APT29, The Dukes, Cozy Bear, CozyDuke]",G0016,APT29 is threat group that has been attributed...
2,mitre-attack,APT34,[APT34],G0057,APT34 is an Iranian cyber espionage group that...
3,mitre-attack,Carbanak,"[Carbanak, Anunak, Carbon Spider]",G0008,Carbanak is a threat group that mainly targets...
4,mitre-attack,Deep Panda,"[Deep Panda, Shell Crew, WebMasters, KungFu Ki...",G0009,Deep Panda is a suspected Chinese threat group...


### Get All PRE Groups ONLY (TAXII)

In [51]:
print("Number of Groups in PRE-ATT&CK")
groups = lift.get_all_pre_groups()
print(len(groups))
df = json_normalize(groups)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]

Number of Groups in PRE-ATT&CK
7


Unnamed: 0,matrix,group,group_aliases,group_id,group_description
0,mitre-attack,APT12,"[APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC]",G0005,APT12 is a threat group that has been attribut...
1,mitre-attack,APT1,"[APT1, Comment Crew, Comment Group, Comment Pa...",G0006,APT1 is a Chinese threat group that has been a...
2,mitre-attack,APT28,"[APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear...",G0007,APT28 is a threat group that has been attribut...
3,mitre-attack,Night Dragon,"[Night Dragon, Musical Chairs]",G0014,Night Dragon is a campaign name for activity i...
4,mitre-attack,APT16,[APT16],G0023,APT16 is a China-based threat group that has l...


### Get All Mobile Groups ONLY (TAXII)

In [52]:
print("Number of Groups in Mobile ATT&CK")
groups = lift.get_all_mobile_groups()
print(len(groups))
df = json_normalize(groups)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]

Number of Groups in Mobile ATT&CK
1


Unnamed: 0,matrix,group,group_aliases,group_id,group_description
0,mitre-attack,APT28,"[APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear...",G0007,APT28 is a threat group that has been attribut...


### Get All Groups (TAXII)

* This function gathers all groups defined in each matrix (Enterprise, PRE & Mobile) and returns only the unique ones
  * This is because the same group can be repeated across matrices

In [53]:
print("Number of Groups in ATT&CK")
groups = lift.get_all_groups()
print(len(groups))
df = json_normalize(groups)
df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]

Number of Groups in ATT&CK
69


Unnamed: 0,matrix,group,group_aliases,group_id,group_description
0,mitre-attack,APT12,"[APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC]",G0005,APT12 is a threat group that has been attribut...
1,mitre-attack,APT29,"[APT29, The Dukes, Cozy Bear, CozyDuke]",G0016,APT29 is threat group that has been attributed...
2,mitre-attack,APT34,[APT34],G0057,APT34 is an Iranian cyber espionage group that...
3,mitre-attack,Carbanak,"[Carbanak, Anunak, Carbon Spider]",G0008,Carbanak is a threat group that mainly targets...
4,mitre-attack,Deep Panda,"[Deep Panda, Shell Crew, WebMasters, KungFu Ki...",G0009,Deep Panda is a suspected Chinese threat group...


### Get All Enterprise & Mobile Software (Malware & Tools) (TAXII)

In [54]:
print("Number of Software in ATT&CK")
software = lift.get_all_software()
print(len(software))
df = json_normalize(software)
df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]

Number of Software in ATT&CK
269


Unnamed: 0,matrix,software,software_labels,software_id,software_description
0,mitre-attack,Cobalt Strike,[tool],S0154,"Cobalt Strike is a commercial, full-featured, ..."
1,mitre-attack,HTRAN,[tool],S0040,HTRAN is a tool that proxies connections throu...
2,mitre-attack,Lslsass,[tool],S0121,Lslsass is a publicly-available tool that can ...
3,mitre-attack,Mimikatz,[tool],S0002,Mimikatz is a credential dumper capable of obt...
4,mitre-attack,PowerSploit,[tool],S0194,"PowerSploit is an open source, offensive secur..."


### Get All Enterprise Relationships ONLY (TAXII)

In [55]:
print("Number of Relationships in Enterprise ATT&CK")
relationships = lift.get_all_enterprise_relationships()
print(len(relationships))
df = json_normalize(relationships)
df.reindex(['id','relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]

Number of Relationships in Enterprise ATT&CK
2707


Unnamed: 0,id,relationship,relationship_description,source_object,target_object
0,relationship--bb55d7e7-28af-4efd-8384-289f1a8b...,mitigates,,course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774...,attack-pattern--a10641f4-87b4-45a3-a906-92a149...
1,relationship--a38d4ac5-1d3d-4a2f-9493-ff3e2a46...,mitigates,,course-of-action--cfc2d2fc-14ff-495f-bd99-585b...,attack-pattern--7c93aa74-4bc0-4a9e-90ea-f25f86...
2,relationship--b8306976-370f-403d-9983-fe3327c0...,mitigates,,course-of-action--2497ac92-e751-4391-82c6-1b86...,attack-pattern--774a3188-6ba9-4dc4-879d-d54ee4...
3,relationship--6f7ca160-cd38-4ff4-b297-e95b3111...,mitigates,,course-of-action--1c0b39f9-a0c5-42b2-abd8-dc8f...,attack-pattern--5e4a2073-9643-44cb-a0b5-e7f404...
4,relationship--0b0884f1-1a40-436e-9a74-8cbe9c9d...,mitigates,,course-of-action--d7c49196-b40e-42bc-8eed-b803...,attack-pattern--68c96494-1a50-403e-8844-69a6af...


### Get All PRE Relationships ONLY (TAXII)

In [56]:
print("Number of Relationships in PRE-ATT&CK")
relationships = lift.get_all_pre_relationships()
print(len(relationships))
df = json_normalize(relationships)
df.reindex(['id','relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]

Number of Relationships in PRE-ATT&CK
114


Unnamed: 0,id,relationship,relationship_description,source_object,target_object
0,relationship--1143e6a6-deef-4dbd-8c91-7bf537d8...,related-to,,attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae...,attack-pattern--2b9a666e-bd59-4f67-9031-ed41b4...
1,relationship--3d781e9a-d3f8-4e9f-bb23-ba6c2ff2...,related-to,,attack-pattern--1a295f87-af63-4d94-b130-039d62...,attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc...
2,relationship--d5bd7a33-a249-46e5-bb19-a498eba4...,related-to,,attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6e...,attack-pattern--7baccb84-356c-4e89-8c5d-58e701...
3,relationship--bc165934-7ef6-4aed-a0d7-81d33725...,related-to,,attack-pattern--e51398e6-53dc-4e9f-a323-e54683...,attack-pattern--4900fabf-1142-4c1f-92f5-0b590e...
4,relationship--46f1e7d4-4d73-4e33-b88b-b3bcde5d...,related-to,,attack-pattern--a757670d-d600-48d9-8ae9-601d42...,attack-pattern--af358cad-eb71-4e91-a752-236edc...


### Get All Mobile Relationships ONLY (TAXII)

In [57]:
print("Number of Relationships in Mobile ATT&CK")
relationships = lift.get_all_mobile_relationships()
print(len(relationships))
df = json_normalize(relationships)
df.reindex(['id','relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]

Number of Relationships in Mobile ATT&CK
245


Unnamed: 0,id,relationship,relationship_description,source_object,target_object
0,relationship--b2c289bf-e981-4bcd-87dd-b6c06805...,mitigates,,course-of-action--0beabf44-e8d8-4ae4-9122-ef56...,attack-pattern--82f04b1e-5371-4a6f-be06-411f0f...
1,relationship--93a524e2-cb17-4b40-8640-a03949e8...,mitigates,,course-of-action--bcecd036-f40e-4916-9f8e-fd0c...,attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e...
2,relationship--9e83607e-2936-4f25-b6d2-c3578468...,mitigates,,course-of-action--1553b156-6767-47f7-9eb4-2a69...,attack-pattern--29e07491-8947-43a3-8d4e-9a787c...
3,relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df...,mitigates,,course-of-action--0beabf44-e8d8-4ae4-9122-ef56...,attack-pattern--702055ac-4e54-4ae9-9527-e23a38...
4,relationship--bf859944-d097-45ba-ae01-2f85a00c...,mitigates,,course-of-action--653492e3-27be-4a0e-b08c-938d...,attack-pattern--1f96d624-8409-4472-ad8a-30618e...


### Get All Relationships (TAXII)

In [58]:
print("Number of Relationships in ATT&CK")
relationships = lift.get_all_relationships()
print(len(relationships))
df = json_normalize(relationships)
df.reindex(['id','relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]

Number of Relationships in ATT&CK
3066


Unnamed: 0,id,relationship,relationship_description,source_object,target_object
0,relationship--bb55d7e7-28af-4efd-8384-289f1a8b...,mitigates,,course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774...,attack-pattern--a10641f4-87b4-45a3-a906-92a149...
1,relationship--a38d4ac5-1d3d-4a2f-9493-ff3e2a46...,mitigates,,course-of-action--cfc2d2fc-14ff-495f-bd99-585b...,attack-pattern--7c93aa74-4bc0-4a9e-90ea-f25f86...
2,relationship--b8306976-370f-403d-9983-fe3327c0...,mitigates,,course-of-action--2497ac92-e751-4391-82c6-1b86...,attack-pattern--774a3188-6ba9-4dc4-879d-d54ee4...
3,relationship--6f7ca160-cd38-4ff4-b297-e95b3111...,mitigates,,course-of-action--1c0b39f9-a0c5-42b2-abd8-dc8f...,attack-pattern--5e4a2073-9643-44cb-a0b5-e7f404...
4,relationship--0b0884f1-1a40-436e-9a74-8cbe9c9d...,mitigates,,course-of-action--d7c49196-b40e-42bc-8eed-b803...,attack-pattern--68c96494-1a50-403e-8844-69a6af...
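
The technique listing above notes that mitigations are a separate stix object type that has to be correlated with techniques through relationships. The cell below is an added example, not part of the original notebook and not the library's implementation of get_all_techniques_with_mitigations(): it performs that join locally on constructed sample records, reuses the field names shown in the tables above, and assumes mitigation records carry an `id` field the way technique records do.

```python
from collections import defaultdict

def join_mitigations(techniques, mitigations, relationships):
    """Attach mitigation names to techniques through 'mitigates' relationships."""
    mitigation_by_id = {m["id"]: m for m in mitigations}
    technique_ids = {t["id"] for t in techniques}
    linked = defaultdict(list)  # technique STIX id -> mitigation names
    dangling = []               # relationships pointing at objects we did not collect
    for rel in relationships:
        if rel.get("relationship") != "mitigates":
            continue  # e.g. the 'related-to' links seen in PRE-ATT&CK
        src, dst = rel.get("source_object"), rel.get("target_object")
        if src not in mitigation_by_id or dst not in technique_ids:
            dangling.append(rel["id"])
            continue
        name = mitigation_by_id[src]["mitigation"]
        if name not in linked[dst]:  # guard against duplicate relationship records
            linked[dst].append(name)
    rows = [{"technique_id": t["technique_id"], "technique": t["technique"],
             "mitigations": linked.get(t["id"], [])} for t in techniques]
    return rows, dangling

def unmitigated(rows):
    """Technique IDs with no mitigation attached: candidates for manual review."""
    return [r["technique_id"] for r in rows if not r["mitigations"]]

# Constructed sample records; the STIX ids are placeholders, not real ATT&CK ids.
AP = "attack-pattern--constructed-"
COA = "course-of-action--constructed-"
REL = "relationship--constructed-"
TECHNIQUES = [
    {"id": AP + "1", "technique": "Account Manipulation", "technique_id": "T1098"},
    {"id": AP + "2", "technique": "Account Discovery", "technique_id": "T1087"},
    {"id": AP + "3", "technique": "Access Token Manipulation", "technique_id": "T1134"},
]
MITIGATIONS = [
    {"id": COA + "1", "mitigation": "Account Manipulation Mitigation"},
    {"id": COA + "2", "mitigation": "Account Discovery Mitigation"},
]
RELATIONSHIPS = [
    {"id": REL + "1", "relationship": "mitigates", "source_object": COA + "1", "target_object": AP + "1"},
    {"id": REL + "2", "relationship": "mitigates", "source_object": COA + "2", "target_object": AP + "2"},
    {"id": REL + "3", "relationship": "related-to", "source_object": AP + "1", "target_object": AP + "2"},
    {"id": REL + "4", "relationship": "mitigates", "source_object": COA + "9", "target_object": AP + "3"},
    {"id": REL + "5", "relationship": "mitigates", "source_object": COA + "1", "target_object": AP + "1"},
]

ROWS, DANGLING = join_mitigations(TECHNIQUES, MITIGATIONS, RELATIONSHIPS)
for row in ROWS:
    print(row["technique_id"], row["technique"], row["mitigations"])
print("dangling relationships:", DANGLING)
print("techniques without a mitigation:", unmitigated(ROWS))
```

With real data, pass the lists returned by get_all_techniques(), get_all_mitigations() and get_all_relationships() instead of the constructed ones; a non-empty dangling list usually means the three lists were collected from different matrices.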
