{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# **MITRE ATT&CK API BASICS**: Python Client\n", "------------------" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Import ATT&CK API Client" ] }, { "cell_type": "code", "execution_count": 1, "metadata": { "collapsed": true }, "outputs": [], "source": [ "from attackcti import attack_client" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Import Extra Libraries" ] }, { "cell_type": "code", "execution_count": 2, "metadata": { "collapsed": true }, "outputs": [], "source": [ "try:\n", "    from pandas import json_normalize  # pandas >= 1.0\n", "except ImportError:  # older pandas keeps it under pandas.io.json\n", "    from pandas.io.json import json_normalize" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Initialize ATT&CK Client Variable" ] }, { "cell_type": "code", "execution_count": 3, "metadata": { "collapsed": true }, "outputs": [], "source": [ "lift = attack_client()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## **Collect ALL (Enterprise ATT&CK, PRE-ATT&CK & Mobile ATT&CK)**\n", "* I usually collect all the STIX object types available from all the ATT&CK matrices first when I want to analyze ATT&CK's data.\n", "* In this section, we will collect everything from Enterprise ATT&CK, PRE-ATT&CK and Mobile ATT&CK via three functions that query ATT&CK content available in STIX™ 2.0 via a public TAXII™ 2.0 server:\n", "  * get_all_enterprise()\n", "  * get_all_pre()\n", "  * get_all_mobile()\n", "* The get_all_stix_objects() function just combines the results of the other three locally.\n", "* Then, we will take the results from each get_all_* function and extract specific STIX object types such as techniques, mitigations, groups, malware, tools and relationships.\n", "* Keep in mind that these specific STIX object types are taken from the results of the initial three **get_all_*** functions; the TAXII server is not queried again every time we want information about a specific object type." 
] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Collect ALL Enterprise ATT&CK (TAXII)**" ] }, { "cell_type": "code", "execution_count": 4, "metadata": { "collapsed": true }, "outputs": [], "source": [ "all_enterprise = lift.get_all_enterprise()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Collect ALL PRE-ATT&CK (TAXII)**" ] }, { "cell_type": "code", "execution_count": 5, "metadata": { "collapsed": true }, "outputs": [], "source": [ "all_pre = lift.get_all_pre()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Collect ALL Mobile ATT&CK (TAXII)**" ] }, { "cell_type": "code", "execution_count": 6, "metadata": { "collapsed": true }, "outputs": [], "source": [ "all_mobile = lift.get_all_mobile()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Collect ALL (runs all 3 functions and combines the results)**" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "The **get_all_stix_objects()** function returns a dictionary with all the STIX object types from all matrices:\n", "* techniques\n", "* mitigations\n", "* groups\n", "* malware\n", "* tools\n", "* relationships" ] }, { "cell_type": "code", "execution_count": 7, "metadata": { "collapsed": true }, "outputs": [], "source": [ "all_attack = lift.get_all_stix_objects()" ] }, { "cell_type": "code", "execution_count": 8, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "dict" ] }, "execution_count": 8, "metadata": {}, "output_type": "execute_result" } ], "source": [ "type(all_attack)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Techniques from ATT&CK Results (Locally)\n", "* The results show every technique across the whole ATT&CK framework, without their mitigation information\n", "* Mitigation information has its own STIX object type (course-of-action) that must be correlated with techniques through relationship objects (source_object and target_object)\n", "* There is a function already created in this library named 
**get_all_techniques_with_mitigations()** that allows you to get a more complete view of techniques" ] }, { "cell_type": "code", "execution_count": 9, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in ATT&CK\n", "469\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix created \\\n", "0 mitre-attack 2017-12-14 16:46:06.044000+00:00 \n", "1 mitre-attack 2017-12-14 16:46:06.044000+00:00 \n", "2 mitre-attack 2017-05-31 21:30:26.946000+00:00 \n", "3 mitre-attack 2017-05-31 21:31:12.196000+00:00 \n", "4 mitre-attack 2017-05-31 21:31:06.988000+00:00 \n", "\n", " tactic technique \\\n", "0 [persistence] .bash_profile and .bashrc \n", "1 [defense-evasion, privilege-escalation] Access Token Manipulation \n", "2 [persistence, privilege-escalation] Accessibility Features \n", "3 [credential-access] Account Manipulation \n", "4 [discovery] Account Discovery \n", "\n", " technique_id data_sources \n", "0 T1156 [File monitoring, Process Monitoring, Process ... \n", "1 T1134 [API monitoring, Access Tokens] \n", "2 T1015 [Windows Registry, File monitoring, Process mo... \n", "3 T1098 [Authentication logs, API monitoring, Windows ... \n", "4 T1087 [API monitoring, Process command-line paramete... " ] }, "execution_count": 9, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Techniques in ATT&CK\")\n", "print(len(all_attack['techniques']))\n", "techniques = all_attack['techniques']\n", "df = json_normalize(techniques)\n", "df.reindex(['matrix', 'created','tactic', 'technique', 'technique_id', 'data_sources'], axis=1)[0:5]" ] }, { "cell_type": "code", "execution_count": 10, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "219" ] }, "execution_count": 10, "metadata": {}, "output_type": "execute_result" } ], "source": [ "len(df.loc[df['matrix'] == 'mitre-attack'])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Techniques**" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "This schema covers techniques from Enterprise, PRE and Mobile ATT&CK" ] }, { "cell_type": "code", "execution_count": 11, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['contributors',\n", " 'created',\n", " 'created_by_ref',\n", " 
'data_sources',\n", " 'defense_bypassed',\n", " 'detectable_by_common_defenses',\n", " 'detectable_explanation',\n", " 'difficulty_explanation',\n", " 'difficulty_for_adversary',\n", " 'effective_permissions',\n", " 'id',\n", " 'matrix',\n", " 'modified',\n", " 'network_requirements',\n", " 'object_marking_refs',\n", " 'permissions_required',\n", " 'platform',\n", " 'remote_support',\n", " 'system_requirements',\n", " 'tactic',\n", " 'tactic_type',\n", " 'technique',\n", " 'technique_description',\n", " 'technique_id',\n", " 'technique_references',\n", " 'type',\n", " 'url']" ] }, "execution_count": 11, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing one technique example**" ] }, { "cell_type": "code", "execution_count": 12, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'type': 'attack-pattern',\n", " 'id': 'attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8',\n", " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'created': '2017-12-14 16:46:06.044000+00:00',\n", " 'modified': '2018-04-18 17:59:24.739000+00:00',\n", " 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],\n", " 'url': 'https://attack.mitre.org/wiki/Technique/T1156',\n", " 'matrix': 'mitre-attack',\n", " 'technique': '.bash_profile and .bashrc',\n", " 'technique_description': \"~/.bash_profile and ~/.bashrc are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. ~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), ~/.bash_profile is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, ~/.bashrc is executed. 
This allows users more fine grained control over when they want certain commands executed.\\n\\nMac's Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling ~/.bash_profile each time instead of ~/.bashrc.\\n\\nThese files are meant to be written to by the local user to configure their own environment; however, adversaries can also insert code into these files to gain persistence each time a user logs in or opens a new shell (Citation: amnesia malware).\\n\\nDetection: While users may customize their ~/.bashrc and ~/.bash_profile files , there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.\\n\\nPlatforms: Linux, macOS\\n\\nData Sources: File monitoring, Process Monitoring, Process command-line parameters, Process use of network\\n\\nPermissions Required: User, Administrator\",\n", " 'tactic': ['persistence'],\n", " 'technique_id': 'T1156',\n", " 'platform': ['Linux', 'macOS'],\n", " 'data_sources': ['File monitoring',\n", " 'Process Monitoring',\n", " 'Process command-line parameters',\n", " 'Process use of network'],\n", " 'defense_bypassed': None,\n", " 'permissions_required': ['User', 'Administrator'],\n", " 'effective_permissions': None,\n", " 'system_requirements': None,\n", " 'network_requirements': None,\n", " 'remote_support': None,\n", " 'contributors': None,\n", " 'technique_references': ['https://attack.mitre.org/wiki/Technique/T1156',\n", " 'https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/'],\n", " 'detectable_by_common_defenses': None,\n", " 'detectable_explanation': None,\n", " 'difficulty_for_adversary': None,\n", " 'difficulty_explanation': None,\n", " 'tactic_type': None}" ] }, "execution_count": 12, 
"metadata": {}, "output_type": "execute_result" } ], "source": [ "techniques[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mitigations from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 13, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in ATT&CK\n", "229\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix mitigation \\\n", "0 mitre-attack .bash_profile and .bashrc Mitigation \n", "1 mitre-attack Access Token Manipulation Mitigation \n", "2 mitre-attack Accessibility Features Mitigation \n", "3 mitre-attack Account Discovery Mitigation \n", "4 mitre-attack Account Manipulation Mitigation \n", "\n", " mitigation_description \\\n", "0 Making these files immutable and only changeab... \n", "1 Access tokens are an integral part of the secu... \n", "2 To use this technique remotely, an adversary m... \n", "3 Prevent administrator accounts from being enum... \n", "4 Use multifactor authentication. Follow guideli... \n", "\n", " url \n", "0 https://attack.mitre.org/wiki/Technique/T1156 \n", "1 https://attack.mitre.org/wiki/Technique/T1134 \n", "2 https://attack.mitre.org/wiki/Technique/T1015 \n", "3 https://attack.mitre.org/wiki/Technique/T1087 \n", "4 https://attack.mitre.org/wiki/Technique/T1098 " ] }, "execution_count": 13, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Mitigations in ATT&CK\")\n", "print(len(all_attack['mitigations']))\n", "mitigations = all_attack['mitigations']\n", "df = json_normalize(mitigations)\n", "df.reindex(['matrix','mitigation', 'mitigation_description','url'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Mitigations**" ] }, { "cell_type": "code", "execution_count": 14, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['created',\n", " 'created_by_ref',\n", " 'id',\n", " 'matrix',\n", " 'mitigation',\n", " 'mitigation_description',\n", " 'mitigation_id',\n", " 'mitigation_references',\n", " 'modified',\n", " 'type',\n", " 'url']" ] }, "execution_count": 14, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing one Mitigation example**" ] }, { "cell_type": "code", "execution_count": 15, "metadata": {}, "outputs": [ { "data": 
{ "text/plain": [ "{'type': 'course-of-action',\n", " 'id': 'course-of-action--4f170666-7edb-4489-85c2-9affa28a72e0',\n", " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'created': '2018-04-18 17:59:24.739000+00:00',\n", " 'modified': '2018-04-18 17:59:24.739000+00:00',\n", " 'matrix': 'mitre-attack',\n", " 'url': 'https://attack.mitre.org/wiki/Technique/T1156',\n", " 'mitigation': '.bash_profile and .bashrc Mitigation',\n", " 'mitigation_description': 'Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.',\n", " 'mitigation_id': 'T1156',\n", " 'mitigation_references': ['https://attack.mitre.org/wiki/Technique/T1156']}" ] }, "execution_count": 15, "metadata": {}, "output_type": "execute_result" } ], "source": [ "mitigations[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Groups from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 16, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in ATT&CK\n", "69\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix group \\\n", "0 mitre-attack APT12 \n", "1 mitre-attack APT29 \n", "2 mitre-attack APT34 \n", "3 mitre-attack Carbanak \n", "4 mitre-attack Deep Panda \n", "\n", " group_aliases group_id \\\n", "0 [APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC] G0005 \n", "1 [APT29, The Dukes, Cozy Bear, CozyDuke] G0016 \n", "2 [APT34] G0057 \n", "3 [Carbanak, Anunak, Carbon Spider] G0008 \n", "4 [Deep Panda, Shell Crew, WebMasters, KungFu Ki... G0009 \n", "\n", " group_description \n", "0 APT12 is a threat group that has been attribut... \n", "1 APT29 is threat group that has been attributed... \n", "2 APT34 is an Iranian cyber espionage group that... \n", "3 Carbanak is a threat group that mainly targets... \n", "4 Deep Panda is a suspected Chinese threat group... " ] }, "execution_count": 16, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Groups in ATT&CK\")\n", "print(len(all_attack['groups']))\n", "groups = all_attack['groups']\n", "df = json_normalize(groups)\n", "df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Groups**" ] }, { "cell_type": "code", "execution_count": 17, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['created',\n", " 'created_by_ref',\n", " 'group',\n", " 'group_aliases',\n", " 'group_description',\n", " 'group_id',\n", " 'group_references',\n", " 'id',\n", " 'matrix',\n", " 'modified',\n", " 'type',\n", " 'url']" ] }, "execution_count": 17, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing one Groups example**" ] }, { "cell_type": "code", "execution_count": 18, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'type': 'intrusion-set',\n", " 'id': 'intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb',\n", " 'created_by_ref': 
'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'matrix': 'mitre-attack',\n", " 'created': '2017-05-31 21:31:47.537000+00:00',\n", " 'modified': '2018-01-17 12:56:55.080000+00:00',\n", " 'url': 'https://attack.mitre.org/wiki/Group/G0005',\n", " 'group': 'APT12',\n", " 'group_description': 'APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)',\n", " 'group_aliases': ['APT12', 'IXESHE', 'DynCalc', 'Numbered Panda', 'DNSCALC'],\n", " 'group_id': 'G0005',\n", " 'group_references': ['https://attack.mitre.org/wiki/Group/G0005',\n", " 'http://www.crowdstrike.com/blog/whois-numbered-panda/']}" ] }, "execution_count": 18, "metadata": {}, "output_type": "execute_result" } ], "source": [ "groups[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Malware objects from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 19, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Malware in ATT&CK\n", "223\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix software software_labels software_id \\\n", "0 mitre-attack ADVSTORESHELL [malware] S0045 \n", "1 mitre-attack BACKSPACE [malware] S0031 \n", "2 mitre-attack BLACKCOFFEE [malware] S0069 \n", "3 mitre-attack BlackEnergy [malware] S0089 \n", "4 mitre-attack CORALDECK [malware] S0212 \n", "\n", " software_description \n", "0 ADVSTORESHELL is a spying backdoor that has be... \n", "1 BACKSPACE is a backdoor used by APT30 that dat... \n", "2 BLACKCOFFEE is malware that has been used by s... \n", "3 BlackEnergy is a malware toolkit that has been... \n", "4 is an exfiltration tool used by APT37. (Citati... " ] }, "execution_count": 19, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Malware in ATT&CK\")\n", "print(len(all_attack['malware']))\n", "malware = all_attack['malware']\n", "df = json_normalize(malware)\n", "df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Malware**" ] }, { "cell_type": "code", "execution_count": 20, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['created',\n", " 'created_by_ref',\n", " 'id',\n", " 'matrix',\n", " 'modified',\n", " 'software',\n", " 'software_aliases',\n", " 'software_description',\n", " 'software_id',\n", " 'software_labels',\n", " 'software_references',\n", " 'type',\n", " 'url']" ] }, "execution_count": 20, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing one Malware example**" ] }, { "cell_type": "code", "execution_count": 21, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'type': 'malware',\n", " 'id': 'malware--fb575479-14ef-41e9-bfab-0b7cf10bec73',\n", " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'created': '2017-05-31 21:32:34.648000+00:00',\n", " 'modified': 
'2018-01-17 12:56:55.080000+00:00',\n", " 'matrix': 'mitre-attack',\n", " 'software': 'ADVSTORESHELL',\n", " 'software_description': 'ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)\\n\\nAliases: ADVSTORESHELL, NETUI, EVILTOSS, AZZY, Sedreco',\n", " 'software_labels': ['malware'],\n", " 'software_id': 'S0045',\n", " 'url': 'https://attack.mitre.org/wiki/Software/S0045',\n", " 'software_aliases': ['ADVSTORESHELL', 'NETUI', 'EVILTOSS', 'AZZY', 'Sedreco'],\n", " 'software_references': ['https://attack.mitre.org/wiki/Software/S0045',\n", " 'https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/',\n", " 'http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf']}" ] }, "execution_count": 21, "metadata": {}, "output_type": "execute_result" } ], "source": [ "malware[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Tools from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 22, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Tools in ATT&CK\n", "46\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix software software_labels software_id \\\n", "0 mitre-attack Cobalt Strike [tool] S0154 \n", "1 mitre-attack HTRAN [tool] S0040 \n", "2 mitre-attack Lslsass [tool] S0121 \n", "3 mitre-attack Mimikatz [tool] S0002 \n", "4 mitre-attack PowerSploit [tool] S0194 \n", "\n", " software_description \n", "0 Cobalt Strike is a commercial, full-featured, ... \n", "1 HTRAN is a tool that proxies connections throu... \n", "2 Lslsass is a publicly-available tool that can ... \n", "3 Mimikatz is a credential dumper capable of obt... \n", "4 PowerSploit is an open source, offensive secur... " ] }, "execution_count": 22, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Tools in ATT&CK\")\n", "print(len(all_attack['tools']))\n", "tools = all_attack['tools']\n", "df = json_normalize(tools)\n", "df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Tools**" ] }, { "cell_type": "code", "execution_count": 23, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['created',\n", " 'created_by_ref',\n", " 'id',\n", " 'matrix',\n", " 'modified',\n", " 'software',\n", " 'software_aliases',\n", " 'software_description',\n", " 'software_id',\n", " 'software_labels',\n", " 'software_references',\n", " 'type',\n", " 'url']" ] }, "execution_count": 23, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing one Tool example**" ] }, { "cell_type": "code", "execution_count": 24, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'type': 'tool',\n", " 'id': 'tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39',\n", " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'created': '2017-12-14 16:46:06.044000+00:00',\n", " 'modified': '2018-04-18 17:59:24.739000+00:00',\n", " 'matrix': 
'mitre-attack',\n", " 'software': 'Cobalt Strike',\n", " 'software_description': 'Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\\n\\nIn addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. (Citation: cobaltstrike manual)\\n\\nAliases: Cobalt Strike\\n\\nContributors: Josh Abraham',\n", " 'software_labels': ['tool'],\n", " 'software_id': 'S0154',\n", " 'url': 'https://attack.mitre.org/wiki/Software/S0154',\n", " 'software_aliases': ['Cobalt Strike'],\n", " 'software_references': ['https://attack.mitre.org/wiki/Software/S0154',\n", " 'https://cobaltstrike.com/downloads/csmanual38.pdf']}" ] }, "execution_count": 24, "metadata": {}, "output_type": "execute_result" } ], "source": [ "tools[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Relationships from ATT&CK Results (Locally)" ] }, { "cell_type": "code", "execution_count": 25, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in ATT&CK\n", "3066\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " id relationship \\\n", "0 relationship--bb55d7e7-28af-4efd-8384-289f1a8b... mitigates \n", "1 relationship--a38d4ac5-1d3d-4a2f-9493-ff3e2a46... mitigates \n", "2 relationship--b8306976-370f-403d-9983-fe3327c0... mitigates \n", "3 relationship--6f7ca160-cd38-4ff4-b297-e95b3111... mitigates \n", "4 relationship--0b0884f1-1a40-436e-9a74-8cbe9c9d... mitigates \n", "\n", " source_object \\\n", "0 course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774... \n", "1 course-of-action--cfc2d2fc-14ff-495f-bd99-585b... \n", "2 course-of-action--2497ac92-e751-4391-82c6-1b86... \n", "3 course-of-action--1c0b39f9-a0c5-42b2-abd8-dc8f... \n", "4 course-of-action--d7c49196-b40e-42bc-8eed-b803... \n", "\n", " target_object \n", "0 attack-pattern--a10641f4-87b4-45a3-a906-92a149... \n", "1 attack-pattern--7c93aa74-4bc0-4a9e-90ea-f25f86... \n", "2 attack-pattern--774a3188-6ba9-4dc4-879d-d54ee4... \n", "3 attack-pattern--5e4a2073-9643-44cb-a0b5-e7f404... \n", "4 attack-pattern--68c96494-1a50-403e-8844-69a6af... 
" ] }, "execution_count": 25, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Relationships in ATT&CK\")\n", "print(len(all_attack['relationships']))\n", "relationships = all_attack['relationships']\n", "df = json_normalize(relationships)\n", "df.reindex(['id','relationship', 'source_object', 'target_object'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing the schema of Relationships**" ] }, { "cell_type": "code", "execution_count": 26, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['created',\n", " 'created_by_ref',\n", " 'id',\n", " 'modified',\n", " 'relationship',\n", " 'relationship_description',\n", " 'source_object',\n", " 'target_object',\n", " 'type']" ] }, "execution_count": 26, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(df)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Showing one Relationship example**" ] }, { "cell_type": "code", "execution_count": 27, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'type': 'relationship',\n", " 'id': 'relationship--bb55d7e7-28af-4efd-8384-289f1a8b173e',\n", " 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',\n", " 'created': '2017-05-31 21:33:27.028000+00:00',\n", " 'modified': '2018-01-17 12:56:55.080000+00:00',\n", " 'relationship': 'mitigates',\n", " 'relationship_description': None,\n", " 'source_object': 'course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774beef6425',\n", " 'target_object': 'attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27'}" ] }, "execution_count": 27, "metadata": {}, "output_type": "execute_result" } ], "source": [ "relationships[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise ATT&CK ONLY from Results (Locally)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Techniques**" ] }, { "cell_type": "code", "execution_count": 28, "metadata": {}, "outputs": [ { "name": "stdout", 
"output_type": "stream", "text": [ "Number of Techniques in Enterprise ATT&CK\n", "219\n" ] }, { "data": { "text/html": [ "
HTML rendering of the same DataFrame (columns: matrix, tactic, technique, technique_id, data_sources), stripped during extraction; the identical five rows appear in the text/plain output that follows
" ], "text/plain": [ " matrix tactic \\\n", "0 mitre-attack [persistence] \n", "1 mitre-attack [defense-evasion, privilege-escalation] \n", "2 mitre-attack [persistence, privilege-escalation] \n", "3 mitre-attack [credential-access] \n", "4 mitre-attack [discovery] \n", "\n", " technique technique_id \\\n", "0 .bash_profile and .bashrc T1156 \n", "1 Access Token Manipulation T1134 \n", "2 Accessibility Features T1015 \n", "3 Account Manipulation T1098 \n", "4 Account Discovery T1087 \n", "\n", " data_sources \n", "0 [File monitoring, Process Monitoring, Process ... \n", "1 [API monitoring, Access Tokens] \n", "2 [Windows Registry, File monitoring, Process mo... \n", "3 [Authentication logs, API monitoring, Windows ... \n", "4 [API monitoring, Process command-line paramete... " ] }, "execution_count": 28, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Techniques in Enterprise ATT&CK\")\n", "print(len(all_enterprise['techniques']))\n", "df = all_enterprise['techniques']\n", "df = json_normalize(df)\n", "df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'data_sources'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Mitigations**" ] }, { "cell_type": "code", "execution_count": 29, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in Enterprise ATT&CK\n", "215\n" ] }, { "data": { "text/html": [ "
HTML rendering of the same DataFrame (columns: matrix, mitigation, mitigation_description, url), stripped during extraction; the identical five rows appear in the text/plain output that follows
" ], "text/plain": [ " matrix mitigation \\\n", "0 mitre-attack .bash_profile and .bashrc Mitigation \n", "1 mitre-attack Access Token Manipulation Mitigation \n", "2 mitre-attack Accessibility Features Mitigation \n", "3 mitre-attack Account Discovery Mitigation \n", "4 mitre-attack Account Manipulation Mitigation \n", "\n", " mitigation_description \\\n", "0 Making these files immutable and only changeab... \n", "1 Access tokens are an integral part of the secu... \n", "2 To use this technique remotely, an adversary m... \n", "3 Prevent administrator accounts from being enum... \n", "4 Use multifactor authentication. Follow guideli... \n", "\n", " url \n", "0 https://attack.mitre.org/wiki/Technique/T1156 \n", "1 https://attack.mitre.org/wiki/Technique/T1134 \n", "2 https://attack.mitre.org/wiki/Technique/T1015 \n", "3 https://attack.mitre.org/wiki/Technique/T1087 \n", "4 https://attack.mitre.org/wiki/Technique/T1098 " ] }, "execution_count": 29, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Mitigations in Enterprise ATT&CK\")\n", "print(len(all_enterprise['mitigations']))\n", "df = all_enterprise['mitigations']\n", "df = json_normalize(df)\n", "df.reindex(['matrix','mitigation', 'mitigation_description', 'url'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Groups**" ] }, { "cell_type": "code", "execution_count": 30, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in Enterprise ATT&CK\n", "69\n" ] }, { "data": { "text/html": [ "
HTML rendering of the same DataFrame (columns: matrix, group, group_aliases, group_id, group_description), stripped during extraction; the identical five rows appear in the text/plain output that follows
" ], "text/plain": [ " matrix group \\\n", "0 mitre-attack APT12 \n", "1 mitre-attack APT29 \n", "2 mitre-attack APT34 \n", "3 mitre-attack Carbanak \n", "4 mitre-attack Deep Panda \n", "\n", " group_aliases group_id \\\n", "0 [APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC] G0005 \n", "1 [APT29, The Dukes, Cozy Bear, CozyDuke] G0016 \n", "2 [APT34] G0057 \n", "3 [Carbanak, Anunak, Carbon Spider] G0008 \n", "4 [Deep Panda, Shell Crew, WebMasters, KungFu Ki... G0009 \n", "\n", " group_description \n", "0 APT12 is a threat group that has been attribut... \n", "1 APT29 is threat group that has been attributed... \n", "2 APT34 is an Iranian cyber espionage group that... \n", "3 Carbanak is a threat group that mainly targets... \n", "4 Deep Panda is a suspected Chinese threat group... " ] }, "execution_count": 30, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Groups in Enterprise ATT&CK\")\n", "print(len(all_enterprise['groups']))\n", "df = all_enterprise['groups']\n", "df = json_normalize(df)\n", "df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Malware**" ] }, { "cell_type": "code", "execution_count": 31, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Malware objects in Enterprise ATT&CK\n", "188\n" ] }, { "data": { "text/html": [ "
HTML rendering of the same DataFrame (columns: matrix, software, software_labels, software_id, software_description), stripped during extraction; the identical five rows appear in the text/plain output that follows
" ], "text/plain": [ " matrix software software_labels software_id \\\n", "0 mitre-attack ADVSTORESHELL [malware] S0045 \n", "1 mitre-attack BACKSPACE [malware] S0031 \n", "2 mitre-attack BLACKCOFFEE [malware] S0069 \n", "3 mitre-attack BlackEnergy [malware] S0089 \n", "4 mitre-attack CORALDECK [malware] S0212 \n", "\n", " software_description \n", "0 ADVSTORESHELL is a spying backdoor that has be... \n", "1 BACKSPACE is a backdoor used by APT30 that dat... \n", "2 BLACKCOFFEE is malware that has been used by s... \n", "3 BlackEnergy is a malware toolkit that has been... \n", "4 is an exfiltration tool used by APT37. (Citati... " ] }, "execution_count": 31, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Malware objects in Enterprise ATT&CK\")\n", "print(len(all_enterprise['malware']))\n", "df = all_enterprise['malware']\n", "df = json_normalize(df)\n", "df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Tools**" ] }, { "cell_type": "code", "execution_count": 32, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Tools in Enterprise ATT&CK\n", "45\n" ] }, { "data": { "text/html": [ "
HTML rendering of the same DataFrame (columns: matrix, software, software_labels, software_id, software_description), stripped during extraction; the identical five rows appear in the text/plain output that follows
" ], "text/plain": [ " matrix software software_labels software_id \\\n", "0 mitre-attack Cobalt Strike [tool] S0154 \n", "1 mitre-attack HTRAN [tool] S0040 \n", "2 mitre-attack Lslsass [tool] S0121 \n", "3 mitre-attack Mimikatz [tool] S0002 \n", "4 mitre-attack PowerSploit [tool] S0194 \n", "\n", " software_description \n", "0 Cobalt Strike is a commercial, full-featured, ... \n", "1 HTRAN is a tool that proxies connections throu... \n", "2 Lslsass is a publicly-available tool that can ... \n", "3 Mimikatz is a credential dumper capable of obt... \n", "4 PowerSploit is an open source, offensive secur... " ] }, "execution_count": 32, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Tools in Enterprise ATT&CK\")\n", "print(len(all_enterprise['tools']))\n", "df = all_enterprise['tools']\n", "df = json_normalize(df)\n", "df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Enterprise Relationships**" ] }, { "cell_type": "code", "execution_count": 33, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in Enterprise ATT&CK\n", "2707\n" ] }, { "data": { "text/html": [ "
HTML rendering of the same DataFrame (columns: id, relationship, source_object, target_object), stripped during extraction; the identical five rows appear in the text/plain output that follows
" ], "text/plain": [ " id relationship \\\n", "0 relationship--bb55d7e7-28af-4efd-8384-289f1a8b... mitigates \n", "1 relationship--a38d4ac5-1d3d-4a2f-9493-ff3e2a46... mitigates \n", "2 relationship--b8306976-370f-403d-9983-fe3327c0... mitigates \n", "3 relationship--6f7ca160-cd38-4ff4-b297-e95b3111... mitigates \n", "4 relationship--0b0884f1-1a40-436e-9a74-8cbe9c9d... mitigates \n", "\n", " source_object \\\n", "0 course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774... \n", "1 course-of-action--cfc2d2fc-14ff-495f-bd99-585b... \n", "2 course-of-action--2497ac92-e751-4391-82c6-1b86... \n", "3 course-of-action--1c0b39f9-a0c5-42b2-abd8-dc8f... \n", "4 course-of-action--d7c49196-b40e-42bc-8eed-b803... \n", "\n", " target_object \n", "0 attack-pattern--a10641f4-87b4-45a3-a906-92a149... \n", "1 attack-pattern--7c93aa74-4bc0-4a9e-90ea-f25f86... \n", "2 attack-pattern--774a3188-6ba9-4dc4-879d-d54ee4... \n", "3 attack-pattern--5e4a2073-9643-44cb-a0b5-e7f404... \n", "4 attack-pattern--68c96494-1a50-403e-8844-69a6af... " ] }, "execution_count": 33, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Relationships in Enterprise ATT&CK\")\n", "print(len(all_enterprise['relationships']))\n", "df = all_enterprise['relationships']\n", "df = json_normalize(df)\n", "df.reindex(['id','relationship', 'source_object', 'target_object'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All PRE-ATT&CK ONLY from Results (Locally)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**PRE Techniques**" ] }, { "cell_type": "code", "execution_count": 34, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in PRE-ATT&CK\n", "174\n" ] }, { "data": { "text/html": [ "
HTML rendering of the same DataFrame (columns: matrix, tactic, technique, technique_id, detectable_by_common_defenses), stripped during extraction; the identical five rows appear in the text/plain output that follows
" ], "text/plain": [ " matrix tactic \\\n", "0 mitre-pre-attack [adversary-opsec] \n", "1 mitre-pre-attack [establish-&-maintain-infrastructure] \n", "2 mitre-pre-attack [technical-weakness-identification] \n", "3 mitre-pre-attack [organizational-weakness-identification] \n", "4 mitre-pre-attack [priority-definition-planning] \n", "\n", " technique technique_id \\\n", "0 Acquire and/or use 3rd party infrastructure se... PRE-T1084 \n", "1 Acquire or compromise 3rd party signing certif... PRE-T1109 \n", "2 Analyze data collected PRE-T1064 \n", "3 Analyze presence of outsourced capabilities PRE-T1080 \n", "4 Assess leadership areas of interest PRE-T1001 \n", "\n", " detectable_by_common_defenses \n", "0 No \n", "1 No \n", "2 No \n", "3 No \n", "4 No " ] }, "execution_count": 34, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Techniques in PRE-ATT&CK\")\n", "print(len(all_pre['techniques']))\n", "df = all_pre['techniques']\n", "df = json_normalize(df)\n", "df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'detectable_by_common_defenses'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**PRE Groups**" ] }, { "cell_type": "code", "execution_count": 35, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in PRE-ATT&CK\n", "7\n" ] }, { "data": { "text/html": [ "
HTML rendering of the same DataFrame (columns: matrix, group, group_aliases, group_id, group_description), stripped during extraction; the identical five rows appear in the text/plain output that follows
" ], "text/plain": [ " matrix group \\\n", "0 mitre-attack APT12 \n", "1 mitre-attack APT1 \n", "2 mitre-attack APT28 \n", "3 mitre-attack Night Dragon \n", "4 mitre-attack APT16 \n", "\n", " group_aliases group_id \\\n", "0 [APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC] G0005 \n", "1 [APT1, Comment Crew, Comment Group, Comment Pa... G0006 \n", "2 [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... G0007 \n", "3 [Night Dragon, Musical Chairs] G0014 \n", "4 [APT16] G0023 \n", "\n", " group_description \n", "0 APT12 is a threat group that has been attribut... \n", "1 APT1 is a Chinese threat group that has been a... \n", "2 APT28 is a threat group that has been attribut... \n", "3 Night Dragon is a campaign name for activity i... \n", "4 APT16 is a China-based threat group that has l... " ] }, "execution_count": 35, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Groups in PRE-ATT&CK\")\n", "print(len(all_pre['groups']))\n", "df = all_pre['groups']\n", "df = json_normalize(df)\n", "df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**PRE Relationships**" ] }, { "cell_type": "code", "execution_count": 36, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in PRE-ATT&CK\n", "114\n" ] }, { "data": { "text/html": [ "
HTML rendering of the same DataFrame (columns: id, relationship, source_object, target_object), stripped during extraction; the identical five rows appear in the text/plain output that follows
" ], "text/plain": [ " id relationship \\\n", "0 relationship--1143e6a6-deef-4dbd-8c91-7bf537d8... related-to \n", "1 relationship--3d781e9a-d3f8-4e9f-bb23-ba6c2ff2... related-to \n", "2 relationship--d5bd7a33-a249-46e5-bb19-a498eba4... related-to \n", "3 relationship--bc165934-7ef6-4aed-a0d7-81d33725... related-to \n", "4 relationship--46f1e7d4-4d73-4e33-b88b-b3bcde5d... related-to \n", "\n", " source_object \\\n", "0 attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae... \n", "1 attack-pattern--1a295f87-af63-4d94-b130-039d62... \n", "2 attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6e... \n", "3 attack-pattern--e51398e6-53dc-4e9f-a323-e54683... \n", "4 attack-pattern--a757670d-d600-48d9-8ae9-601d42... \n", "\n", " target_object \n", "0 attack-pattern--2b9a666e-bd59-4f67-9031-ed41b4... \n", "1 attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc... \n", "2 attack-pattern--7baccb84-356c-4e89-8c5d-58e701... \n", "3 attack-pattern--4900fabf-1142-4c1f-92f5-0b590e... \n", "4 attack-pattern--af358cad-eb71-4e91-a752-236edc... " ] }, "execution_count": 36, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Relationships in PRE-ATT&CK\")\n", "print(len(all_pre['relationships']))\n", "df = all_pre['relationships']\n", "df = json_normalize(df)\n", "df.reindex(['id','relationship', 'source_object', 'target_object'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mobile ATT&CK ONLY from Results (Locally)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Techniques**" ] }, { "cell_type": "code", "execution_count": 37, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in Mobile ATT&CK\n", "76\n" ] }, { "data": { "text/html": [ "
HTML rendering of the same DataFrame (columns: matrix, tactic, technique, technique_id, tactic_type), stripped during extraction; the identical five rows appear in the text/plain output that follows
" ], "text/plain": [ " matrix tactic \\\n", "0 mitre-mobile-attack [collection, credential-access] \n", "1 mitre-mobile-attack [collection] \n", "2 mitre-mobile-attack [persistence] \n", "3 mitre-mobile-attack [exploit-via-physical-access] \n", "4 mitre-mobile-attack [discovery] \n", "\n", " technique technique_id tactic_type \n", "0 Abuse Accessibility Features MOB-T1056 [Post-Adversary Device Access] \n", "1 Access Contact List MOB-T1035 [Post-Adversary Device Access] \n", "2 App Auto-Start at Device Boot MOB-T1005 [Post-Adversary Device Access] \n", "3 Biometric Spoofing MOB-T1063 [Pre-Adversary Device Access] \n", "4 Device Type Discovery MOB-T1022 [Post-Adversary Device Access] " ] }, "execution_count": 37, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Techniques in Mobile ATT&CK\")\n", "print(len(all_mobile['techniques']))\n", "df = all_mobile['techniques']\n", "df = json_normalize(df)\n", "df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'tactic_type'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Mitigations**" ] }, { "cell_type": "code", "execution_count": 38, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in Mobile ATT&CK\n", "14\n", " \n" ] }, { "data": { "text/html": [ "
HTML rendering of the same DataFrame (columns: matrix, mitigation, mitigation_description, url), stripped during extraction; the identical five rows appear in the text/plain output that follows
" ], "text/plain": [ " matrix mitigation \\\n", "0 mitre-mobile-attack Attestation \n", "1 mitre-mobile-attack Interconnection Filtering \n", "2 mitre-mobile-attack Use Recent OS Version \n", "3 mitre-mobile-attack Caution with Device Administrator Access \n", "4 mitre-mobile-attack Lock Bootloader \n", "\n", " mitigation_description \\\n", "0 Enable remote attestation capabilities when av... \n", "1 In order to mitigate Signaling System 7 (SS7) ... \n", "2 New mobile operating system versions bring not... \n", "3 Warn device users not to accept requests to gr... \n", "4 On devices that provide the capability to unlo... \n", "\n", " url \n", "0 https://attack.mitre.org/mobile/index.php/Miti... \n", "1 https://attack.mitre.org/mobile/index.php/Miti... \n", "2 https://attack.mitre.org/mobile/index.php/Miti... \n", "3 https://attack.mitre.org/mobile/index.php/Miti... \n", "4 https://attack.mitre.org/mobile/index.php/Miti... " ] }, "execution_count": 38, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Mitigations in Mobile ATT&CK\")\n", "print(len(all_mobile['mitigations']))\n", "print(\" \")\n", "df = all_mobile['mitigations']\n", "df = json_normalize(df)\n", "df.reindex(['matrix', 'mitigation', 'mitigation_description', 'url'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Groups**" ] }, { "cell_type": "code", "execution_count": 39, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in Mobile ATT&CK\n", "1\n" ] }, { "data": { "text/html": [ "
HTML rendering of the same DataFrame (columns: matrix, group, group_aliases, group_id, group_description), stripped during extraction; the identical single row appears in the text/plain output that follows
" ], "text/plain": [ " matrix group group_aliases \\\n", "0 mitre-attack APT28 [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... \n", "\n", " group_id group_description \n", "0 G0007 APT28 is a threat group that has been attribut... " ] }, "execution_count": 39, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Groups in Mobile ATT&CK\")\n", "print(len(all_mobile['groups']))\n", "df = all_mobile['groups']\n", "df = json_normalize(df)\n", "df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Malware**" ] }, { "cell_type": "code", "execution_count": 40, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Malware in Mobile ATT&CK\n", "35\n" ] }, { "data": { "text/html": [ "
HTML rendering of the same DataFrame (columns: matrix, software, software_labels, software_id, software_description), stripped during extraction; the identical five rows appear in the text/plain output that follows
" ], "text/plain": [ " matrix software software_labels software_id \\\n", "0 mitre-mobile-attack Android/Chuli.A [malware] MOB-S0020 \n", "1 mitre-mobile-attack DressCode [malware] MOB-S0016 \n", "2 mitre-mobile-attack HummingWhale [malware] MOB-S0037 \n", "3 mitre-mobile-attack OldBoot [malware] MOB-S0001 \n", "4 mitre-mobile-attack RuMMS [malware] MOB-S0029 \n", "\n", " software_description \n", "0 As reported by Kaspersky (Citation: Kaspersky-... \n", "1 Android malware family analyzed by Trend Micro... \n", "2 The HummingWhale Android malware family \"inclu... \n", "3 OldBoot is a family of Android malware describ... \n", "4 RuMMS is a family of Android malware (Citation... " ] }, "execution_count": 40, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Malware in Mobile ATT&CK\")\n", "print(len(all_mobile['malware']))\n", "df = all_mobile['malware']\n", "df = json_normalize(df)\n", "df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Tools**" ] }, { "cell_type": "code", "execution_count": 41, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Tools in Mobile ATT&CK\n", "1\n" ] }, { "data": { "text/html": [ "
HTML rendering of the same DataFrame (columns: matrix, software, software_labels, software_id, software_description), stripped during extraction; the identical single row appears in the text/plain output that follows
" ], "text/plain": [ " matrix software software_labels software_id \\\n", "0 mitre-mobile-attack Xbot [tool] MOB-S0014 \n", "\n", " software_description \n", "0 Xbot is a family of Android malware analyzed b... " ] }, "execution_count": 41, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Tools in Mobile ATT&CK\")\n", "print(len(all_mobile['tools']))\n", "df = all_mobile['tools']\n", "df = json_normalize(df)\n", "df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**Mobile Relationships**" ] }, { "cell_type": "code", "execution_count": 42, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in Mobile ATT&CK\n", "245\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " object id relationship relationship_description \\\n", "0 NaN mitigates NaN \n", "1 NaN mitigates NaN \n", "2 NaN mitigates NaN \n", "3 NaN mitigates NaN \n", "4 NaN mitigates NaN \n", "\n", " source_object \\\n", "0 course-of-action--0beabf44-e8d8-4ae4-9122-ef56... \n", "1 course-of-action--bcecd036-f40e-4916-9f8e-fd0c... \n", "2 course-of-action--1553b156-6767-47f7-9eb4-2a69... \n", "3 course-of-action--0beabf44-e8d8-4ae4-9122-ef56... \n", "4 course-of-action--653492e3-27be-4a0e-b08c-938d... \n", "\n", " target_object \n", "0 attack-pattern--82f04b1e-5371-4a6f-be06-411f0f... \n", "1 attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e... \n", "2 attack-pattern--29e07491-8947-43a3-8d4e-9a787c... \n", "3 attack-pattern--702055ac-4e54-4ae9-9527-e23a38... \n", "4 attack-pattern--1f96d624-8409-4472-ad8a-30618e... " ] }, "execution_count": 42, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Relationships in Mobile ATT&CK\")\n", "print(len(all_mobile['relationships']))\n", "df = all_mobile['relationships']\n", "df = json_normalize(df)\n", "# The relationship identifier column is named 'id' (as in the Enterprise relationships cell below);\n", "# reindexing on a non-existent column such as 'object id' only yields a column of NaN, as seen in the output above.\n", "df.reindex(['id','relationship', 'relationship_description','source_object', 'target_object'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## **Get STIX Object Types Directly from TAXII Server (Enterprise ATT&CK, Pre-ATT&CK & Mobile ATT&CK)**\n", "* In this section, we will query the ATT&CK TAXII Server directly in order to collect specific stix object types such as techniques, mitigations, groups, malware, tools and relationships from the Enterprise, PRE and Mobile Matrices.\n", "* Unlike the first section of this notebook, there is no need to first collect all the stix objects available for each matrix."
] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise Techniques ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 43, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in Enterprise ATT&CK\n", "219\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix tactic \\\n", "0 mitre-attack [persistence] \n", "1 mitre-attack [defense-evasion, privilege-escalation] \n", "2 mitre-attack [persistence, privilege-escalation] \n", "3 mitre-attack [credential-access] \n", "4 mitre-attack [discovery] \n", "\n", " technique technique_id \\\n", "0 .bash_profile and .bashrc T1156 \n", "1 Access Token Manipulation T1134 \n", "2 Accessibility Features T1015 \n", "3 Account Manipulation T1098 \n", "4 Account Discovery T1087 \n", "\n", " data_sources \\\n", "0 [File monitoring, Process Monitoring, Process ... \n", "1 [API monitoring, Access Tokens] \n", "2 [Windows Registry, File monitoring, Process mo... \n", "3 [Authentication logs, API monitoring, Windows ... \n", "4 [API monitoring, Process command-line paramete... \n", "\n", " contributors \n", "0 NaN \n", "1 [Tom Ueltschi @c_APT_ure, Travis Smith, Tripwi... \n", "2 [Paul Speulstra, AECOM Global Security Operati... \n", "3 NaN \n", "4 [Travis Smith, Tripwire] " ] }, "execution_count": 43, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Techniques in Enterprise ATT&CK\")\n", "techniques = lift.get_all_enterprise_techniques()\n", "print(len(techniques))\n", "df = json_normalize(techniques)\n", "df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'data_sources','contributors'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All PRE Techniques ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 44, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in PRE-ATT&CK\n", "174\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix tactic \\\n", "0 mitre-pre-attack [adversary-opsec] \n", "1 mitre-pre-attack [establish-&-maintain-infrastructure] \n", "2 mitre-pre-attack [technical-weakness-identification] \n", "3 mitre-pre-attack [organizational-weakness-identification] \n", "4 mitre-pre-attack [priority-definition-planning] \n", "\n", " technique technique_id \\\n", "0 Acquire and/or use 3rd party infrastructure se... PRE-T1084 \n", "1 Acquire or compromise 3rd party signing certif... PRE-T1109 \n", "2 Analyze data collected PRE-T1064 \n", "3 Analyze presence of outsourced capabilities PRE-T1080 \n", "4 Assess leadership areas of interest PRE-T1001 \n", "\n", " detectable_by_common_defenses contributors \n", "0 No NaN \n", "1 No NaN \n", "2 No NaN \n", "3 No NaN \n", "4 No NaN " ] }, "execution_count": 44, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Techniques in PRE-ATT&CK\")\n", "techniques = lift.get_all_pre_techniques()\n", "print(len(techniques))\n", "df = json_normalize(techniques)\n", "df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'detectable_by_common_defenses', 'contributors'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mobile Techniques ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 45, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Techniques in Mobile ATT&CK\n", "76\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix id \\\n", "0 mitre-mobile-attack attack-pattern--2204c371-6100-4ae0-82f3-25c07c... \n", "1 mitre-mobile-attack attack-pattern--4e6620ac-c30c-4f6d-918e-fa20ca... \n", "2 mitre-mobile-attack attack-pattern--bd4d32f5-eed4-4018-a649-40b229... \n", "3 mitre-mobile-attack attack-pattern--45dcbc83-4abc-4de1-b643-e528d1... \n", "4 mitre-mobile-attack attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1... \n", "\n", " tactic technique \\\n", "0 [collection, credential-access] Abuse Accessibility Features \n", "1 [collection] Access Contact List \n", "2 [persistence] App Auto-Start at Device Boot \n", "3 [exploit-via-physical-access] Biometric Spoofing \n", "4 [discovery] Device Type Discovery \n", "\n", " tactic_type contributors \n", "0 [Post-Adversary Device Access] NaN \n", "1 [Post-Adversary Device Access] NaN \n", "2 [Post-Adversary Device Access] NaN \n", "3 [Pre-Adversary Device Access] NaN \n", "4 [Post-Adversary Device Access] NaN " ] }, "execution_count": 45, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Techniques in Mobile ATT&CK\")\n", "techniques = lift.get_all_mobile_techniques()\n", "print(len(techniques))\n", "df = json_normalize(techniques)\n", "df.reindex(['matrix', 'id','tactic', 'technique', 'tactic_type','contributors'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Techniques (TAXII)\n", "* The results of this function show every single technique across the whole ATT&CK framework without their mitigation information\n", "* Mitigation information has its own stix object type (Mitigation) that needs to be correlated with techniques with the help of the relationship objects\n", "* There is a function already created in this library named **get_all_techniques_with_mitigations()** that allows you to get a more complete view of techniques" ] }, { "cell_type": "code", "execution_count": 46, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", 
"text": [ "Number of Techniques in ATT&CK\n", "469\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix tactic \\\n", "0 mitre-attack [persistence] \n", "1 mitre-attack [defense-evasion, privilege-escalation] \n", "2 mitre-attack [persistence, privilege-escalation] \n", "3 mitre-attack [credential-access] \n", "4 mitre-attack [discovery] \n", "\n", " technique technique_id \\\n", "0 .bash_profile and .bashrc T1156 \n", "1 Access Token Manipulation T1134 \n", "2 Accessibility Features T1015 \n", "3 Account Manipulation T1098 \n", "4 Account Discovery T1087 \n", "\n", " data_sources \n", "0 [File monitoring, Process Monitoring, Process ... \n", "1 [API monitoring, Access Tokens] \n", "2 [Windows Registry, File monitoring, Process mo... \n", "3 [Authentication logs, API monitoring, Windows ... \n", "4 [API monitoring, Process command-line paramete... " ] }, "execution_count": 46, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Techniques in ATT&CK\")\n", "techniques = lift.get_all_techniques()\n", "print(len(techniques))\n", "df = json_normalize(techniques)\n", "df.reindex(['matrix', 'tactic', 'technique', 'technique_id', 'data_sources'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise Mitigations ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 47, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in Enterprise ATT&CK\n", "215\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix mitigation \\\n", "0 mitre-attack .bash_profile and .bashrc Mitigation \n", "1 mitre-attack Access Token Manipulation Mitigation \n", "2 mitre-attack Accessibility Features Mitigation \n", "3 mitre-attack Account Discovery Mitigation \n", "4 mitre-attack Account Manipulation Mitigation \n", "\n", " mitigation_description \\\n", "0 Making these files immutable and only changeab... \n", "1 Access tokens are an integral part of the secu... \n", "2 To use this technique remotely, an adversary m... \n", "3 Prevent administrator accounts from being enum... \n", "4 Use multifactor authentication. Follow guideli... \n", "\n", " url \n", "0 https://attack.mitre.org/wiki/Technique/T1156 \n", "1 https://attack.mitre.org/wiki/Technique/T1134 \n", "2 https://attack.mitre.org/wiki/Technique/T1015 \n", "3 https://attack.mitre.org/wiki/Technique/T1087 \n", "4 https://attack.mitre.org/wiki/Technique/T1098 " ] }, "execution_count": 47, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Mitigations in Enterprise ATT&CK\")\n", "mitigations = lift.get_all_enterprise_mitigations()\n", "print(len(mitigations))\n", "df = json_normalize(mitigations)\n", "df.reindex(['matrix', 'mitigation', 'mitigation_description', 'url'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mobile Mitigations ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 48, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in Mobile ATT&CK\n", "14\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix mitigation \\\n", "0 mitre-mobile-attack Attestation \n", "1 mitre-mobile-attack Interconnection Filtering \n", "2 mitre-mobile-attack Use Recent OS Version \n", "3 mitre-mobile-attack Caution with Device Administrator Access \n", "4 mitre-mobile-attack Lock Bootloader \n", "\n", " mitigation_description \\\n", "0 Enable remote attestation capabilities when av... \n", "1 In order to mitigate Signaling System 7 (SS7) ... \n", "2 New mobile operating system versions bring not... \n", "3 Warn device users not to accept requests to gr... \n", "4 On devices that provide the capability to unlo... \n", "\n", " url \n", "0 https://attack.mitre.org/mobile/index.php/Miti... \n", "1 https://attack.mitre.org/mobile/index.php/Miti... \n", "2 https://attack.mitre.org/mobile/index.php/Miti... \n", "3 https://attack.mitre.org/mobile/index.php/Miti... \n", "4 https://attack.mitre.org/mobile/index.php/Miti... " ] }, "execution_count": 48, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Mitigations in Mobile ATT&CK\")\n", "mitigations = lift.get_all_mobile_mitigations()\n", "print(len(mitigations))\n", "df = json_normalize(mitigations)\n", "df.reindex(['matrix', 'mitigation', 'mitigation_description', 'url'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mitigations (TAXII)" ] }, { "cell_type": "code", "execution_count": 49, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Mitigations in ATT&CK\n", "229\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix mitigation \\\n", "0 mitre-attack .bash_profile and .bashrc Mitigation \n", "1 mitre-attack Access Token Manipulation Mitigation \n", "2 mitre-attack Accessibility Features Mitigation \n", "3 mitre-attack Account Discovery Mitigation \n", "4 mitre-attack Account Manipulation Mitigation \n", "\n", " mitigation_description \\\n", "0 Making these files immutable and only changeab... \n", "1 Access tokens are an integral part of the secu... \n", "2 To use this technique remotely, an adversary m... \n", "3 Prevent administrator accounts from being enum... \n", "4 Use multifactor authentication. Follow guideli... \n", "\n", " url \n", "0 https://attack.mitre.org/wiki/Technique/T1156 \n", "1 https://attack.mitre.org/wiki/Technique/T1134 \n", "2 https://attack.mitre.org/wiki/Technique/T1015 \n", "3 https://attack.mitre.org/wiki/Technique/T1087 \n", "4 https://attack.mitre.org/wiki/Technique/T1098 " ] }, "execution_count": 49, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Mitigations in ATT&CK\")\n", "mitigations = lift.get_all_mitigations()\n", "print(len(mitigations))\n", "df = json_normalize(mitigations)\n", "df.reindex(['matrix', 'mitigation', 'mitigation_description', 'url'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise Groups ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 50, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in Enterprise ATT&CK\n", "69\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix group \\\n", "0 mitre-attack APT12 \n", "1 mitre-attack APT29 \n", "2 mitre-attack APT34 \n", "3 mitre-attack Carbanak \n", "4 mitre-attack Deep Panda \n", "\n", " group_aliases group_id \\\n", "0 [APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC] G0005 \n", "1 [APT29, The Dukes, Cozy Bear, CozyDuke] G0016 \n", "2 [APT34] G0057 \n", "3 [Carbanak, Anunak, Carbon Spider] G0008 \n", "4 [Deep Panda, Shell Crew, WebMasters, KungFu Ki... G0009 \n", "\n", " group_description \n", "0 APT12 is a threat group that has been attribut... \n", "1 APT29 is threat group that has been attributed... \n", "2 APT34 is an Iranian cyber espionage group that... \n", "3 Carbanak is a threat group that mainly targets... \n", "4 Deep Panda is a suspected Chinese threat group... " ] }, "execution_count": 50, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Groups in Enterprise ATT&CK\")\n", "groups = lift.get_all_enterprise_groups()\n", "print(len(groups))\n", "df = json_normalize(groups)\n", "df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All PRE Groups ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 51, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in PRE-ATT&CK\n", "7\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix group \\\n", "0 mitre-attack APT12 \n", "1 mitre-attack APT1 \n", "2 mitre-attack APT28 \n", "3 mitre-attack Night Dragon \n", "4 mitre-attack APT16 \n", "\n", " group_aliases group_id \\\n", "0 [APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC] G0005 \n", "1 [APT1, Comment Crew, Comment Group, Comment Pa... G0006 \n", "2 [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... G0007 \n", "3 [Night Dragon, Musical Chairs] G0014 \n", "4 [APT16] G0023 \n", "\n", " group_description \n", "0 APT12 is a threat group that has been attribut... \n", "1 APT1 is a Chinese threat group that has been a... \n", "2 APT28 is a threat group that has been attribut... \n", "3 Night Dragon is a campaign name for activity i... \n", "4 APT16 is a China-based threat group that has l... " ] }, "execution_count": 51, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Groups in PRE-ATT&CK\")\n", "groups = lift.get_all_pre_groups()\n", "print(len(groups))\n", "df = json_normalize(groups)\n", "df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mobile Groups ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 52, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in Mobile ATT&CK\n", "1\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix group group_aliases \\\n", "0 mitre-attack APT28 [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... \n", "\n", " group_id group_description \n", "0 G0007 APT28 is a threat group that has been attribut... " ] }, "execution_count": 52, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Groups in Mobile ATT&CK\")\n", "groups = lift.get_all_mobile_groups()\n", "print(len(groups))\n", "df = json_normalize(groups)\n", "df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Groups (TAXII)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "* This function gathers all groups defined in each Matrix (Enterprise, PRE & Mobile) and returns the unique ones\n", " * This is because groups can be repeated across matrices" ] }, { "cell_type": "code", "execution_count": 53, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Groups in ATT&CK\n", "69\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix group \\\n", "0 mitre-attack APT12 \n", "1 mitre-attack APT29 \n", "2 mitre-attack APT34 \n", "3 mitre-attack Carbanak \n", "4 mitre-attack Deep Panda \n", "\n", " group_aliases group_id \\\n", "0 [APT12, IXESHE, DynCalc, Numbered Panda, DNSCALC] G0005 \n", "1 [APT29, The Dukes, Cozy Bear, CozyDuke] G0016 \n", "2 [APT34] G0057 \n", "3 [Carbanak, Anunak, Carbon Spider] G0008 \n", "4 [Deep Panda, Shell Crew, WebMasters, KungFu Ki... G0009 \n", "\n", " group_description \n", "0 APT12 is a threat group that has been attribut... \n", "1 APT29 is threat group that has been attributed... \n", "2 APT34 is an Iranian cyber espionage group that... \n", "3 Carbanak is a threat group that mainly targets... \n", "4 Deep Panda is a suspected Chinese threat group... " ] }, "execution_count": 53, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Groups in ATT&CK\")\n", "groups = lift.get_all_groups()\n", "print(len(groups))\n", "df = json_normalize(groups)\n", "df.reindex(['matrix', 'group', 'group_aliases', 'group_id', 'group_description'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise & Mobile Software (Malware & Tools) (TAXII)" ] }, { "cell_type": "code", "execution_count": 54, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Software in ATT&CK\n", "269\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " matrix software software_labels software_id \\\n", "0 mitre-attack Cobalt Strike [tool] S0154 \n", "1 mitre-attack HTRAN [tool] S0040 \n", "2 mitre-attack Lslsass [tool] S0121 \n", "3 mitre-attack Mimikatz [tool] S0002 \n", "4 mitre-attack PowerSploit [tool] S0194 \n", "\n", " software_description \n", "0 Cobalt Strike is a commercial, full-featured, ... \n", "1 HTRAN is a tool that proxies connections throu... \n", "2 Lslsass is a publicly-available tool that can ... \n", "3 Mimikatz is a credential dumper capable of obt... \n", "4 PowerSploit is an open source, offensive secur... " ] }, "execution_count": 54, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Software in ATT&CK\")\n", "software = lift.get_all_software()\n", "print(len(software))\n", "df = json_normalize(software)\n", "df.reindex(['matrix', 'software', 'software_labels', 'software_id', 'software_description'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Enterprise Relationships ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 55, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in Enterprise ATT&CK\n", "2707\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " id relationship \\\n", "0 relationship--bb55d7e7-28af-4efd-8384-289f1a8b... mitigates \n", "1 relationship--a38d4ac5-1d3d-4a2f-9493-ff3e2a46... mitigates \n", "2 relationship--b8306976-370f-403d-9983-fe3327c0... mitigates \n", "3 relationship--6f7ca160-cd38-4ff4-b297-e95b3111... mitigates \n", "4 relationship--0b0884f1-1a40-436e-9a74-8cbe9c9d... mitigates \n", "\n", " relationship_description source_object \\\n", "0 NaN course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774... \n", "1 NaN course-of-action--cfc2d2fc-14ff-495f-bd99-585b... \n", "2 NaN course-of-action--2497ac92-e751-4391-82c6-1b86... \n", "3 NaN course-of-action--1c0b39f9-a0c5-42b2-abd8-dc8f... \n", "4 NaN course-of-action--d7c49196-b40e-42bc-8eed-b803... \n", "\n", " target_object \n", "0 attack-pattern--a10641f4-87b4-45a3-a906-92a149... \n", "1 attack-pattern--7c93aa74-4bc0-4a9e-90ea-f25f86... \n", "2 attack-pattern--774a3188-6ba9-4dc4-879d-d54ee4... \n", "3 attack-pattern--5e4a2073-9643-44cb-a0b5-e7f404... \n", "4 attack-pattern--68c96494-1a50-403e-8844-69a6af... " ] }, "execution_count": 55, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Relationships in Enterprise ATT&CK\")\n", "relationships = lift.get_all_enterprise_relationships()\n", "print(len(relationships))\n", "df = json_normalize(relationships)\n", "df.reindex(['id','relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All PRE Relationships ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 56, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in PRE-ATT&CK\n", "114\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " id relationship \\\n", "0 relationship--1143e6a6-deef-4dbd-8c91-7bf537d8... related-to \n", "1 relationship--3d781e9a-d3f8-4e9f-bb23-ba6c2ff2... related-to \n", "2 relationship--d5bd7a33-a249-46e5-bb19-a498eba4... related-to \n", "3 relationship--bc165934-7ef6-4aed-a0d7-81d33725... related-to \n", "4 relationship--46f1e7d4-4d73-4e33-b88b-b3bcde5d... related-to \n", "\n", " relationship_description \\\n", "0 NaN \n", "1 NaN \n", "2 NaN \n", "3 NaN \n", "4 NaN \n", "\n", " source_object \\\n", "0 attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae... \n", "1 attack-pattern--1a295f87-af63-4d94-b130-039d62... \n", "2 attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6e... \n", "3 attack-pattern--e51398e6-53dc-4e9f-a323-e54683... \n", "4 attack-pattern--a757670d-d600-48d9-8ae9-601d42... \n", "\n", " target_object \n", "0 attack-pattern--2b9a666e-bd59-4f67-9031-ed41b4... \n", "1 attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc... \n", "2 attack-pattern--7baccb84-356c-4e89-8c5d-58e701... \n", "3 attack-pattern--4900fabf-1142-4c1f-92f5-0b590e... \n", "4 attack-pattern--af358cad-eb71-4e91-a752-236edc... " ] }, "execution_count": 56, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Relationships in PRE-ATT&CK\")\n", "relationships = lift.get_all_pre_relationships()\n", "print(len(relationships))\n", "df = json_normalize(relationships)\n", "df.reindex(['id','relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Mobile Relationships ONLY (TAXII)" ] }, { "cell_type": "code", "execution_count": 57, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in Mobile ATT&CK\n", "245\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " id relationship \\\n", "0 relationship--b2c289bf-e981-4bcd-87dd-b6c06805... mitigates \n", "1 relationship--93a524e2-cb17-4b40-8640-a03949e8... mitigates \n", "2 relationship--9e83607e-2936-4f25-b6d2-c3578468... mitigates \n", "3 relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df... mitigates \n", "4 relationship--bf859944-d097-45ba-ae01-2f85a00c... mitigates \n", "\n", " relationship_description source_object \\\n", "0 NaN course-of-action--0beabf44-e8d8-4ae4-9122-ef56... \n", "1 NaN course-of-action--bcecd036-f40e-4916-9f8e-fd0c... \n", "2 NaN course-of-action--1553b156-6767-47f7-9eb4-2a69... \n", "3 NaN course-of-action--0beabf44-e8d8-4ae4-9122-ef56... \n", "4 NaN course-of-action--653492e3-27be-4a0e-b08c-938d... \n", "\n", " target_object \n", "0 attack-pattern--82f04b1e-5371-4a6f-be06-411f0f... \n", "1 attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e... \n", "2 attack-pattern--29e07491-8947-43a3-8d4e-9a787c... \n", "3 attack-pattern--702055ac-4e54-4ae9-9527-e23a38... \n", "4 attack-pattern--1f96d624-8409-4472-ad8a-30618e... " ] }, "execution_count": 57, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Relationships in Mobile ATT&CK\")\n", "relationships = lift.get_all_mobile_relationships()\n", "print(len(relationships))\n", "df = json_normalize(relationships)\n", "df.reindex(['id','relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Get All Relationships (TAXII)" ] }, { "cell_type": "code", "execution_count": 58, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Number of Relationships in ATT&CK\n", "3066\n" ] }, { "data": { "text/html": [ "
" ], "text/plain": [ " id relationship \\\n", "0 relationship--bb55d7e7-28af-4efd-8384-289f1a8b... mitigates \n", "1 relationship--a38d4ac5-1d3d-4a2f-9493-ff3e2a46... mitigates \n", "2 relationship--b8306976-370f-403d-9983-fe3327c0... mitigates \n", "3 relationship--6f7ca160-cd38-4ff4-b297-e95b3111... mitigates \n", "4 relationship--0b0884f1-1a40-436e-9a74-8cbe9c9d... mitigates \n", "\n", " relationship_description source_object \\\n", "0 NaN course-of-action--fdb1ae84-7b00-4d3d-b7dc-c774... \n", "1 NaN course-of-action--cfc2d2fc-14ff-495f-bd99-585b... \n", "2 NaN course-of-action--2497ac92-e751-4391-82c6-1b86... \n", "3 NaN course-of-action--1c0b39f9-a0c5-42b2-abd8-dc8f... \n", "4 NaN course-of-action--d7c49196-b40e-42bc-8eed-b803... \n", "\n", " target_object \n", "0 attack-pattern--a10641f4-87b4-45a3-a906-92a149... \n", "1 attack-pattern--7c93aa74-4bc0-4a9e-90ea-f25f86... \n", "2 attack-pattern--774a3188-6ba9-4dc4-879d-d54ee4... \n", "3 attack-pattern--5e4a2073-9643-44cb-a0b5-e7f404... \n", "4 attack-pattern--68c96494-1a50-403e-8844-69a6af... " ] }, "execution_count": 58, "metadata": {}, "output_type": "execute_result" } ], "source": [ "print(\"Number of Relationships in ATT&CK\")\n", "relationships = lift.get_all_relationships()\n", "print(len(relationships))\n", "df = json_normalize(relationships)\n", "df.reindex(['id','relationship', 'relationship_description', 'source_object', 'target_object'], axis=1)[0:5]" ] }, { "cell_type": "code", "execution_count": null, "metadata": { "collapsed": true }, "outputs": [], "source": [] } ], "metadata": { "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.6.5" } }, "nbformat": 4, "nbformat_minor": 2 }