A lightweight Python module to interact with the Mitre Att&ck Enterprise dataset.

Related tags

Miscellaneoussecurityframeworkpython3mitreblueteamthreat-intelligencemitre-attackcyber-threat-intelligence
Overview

PyPI version License: MIT image

enterpriseattack - Mitre's Enterprise Att&ck

A lightweight Python module to interact with the Mitre Att&ck Enterprise dataset. Built to be used in production applications due to it's speed and minimal depedancies. Read the docs for more info.

Mitre Att&ck

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Dependancies

  • Python 3.x
  • ujson >= 3.0.0
  • requests >= 2.9.2

Installation

Install via Pip:

pip install enterpriseattack

Alternatively clone the repository:

git clone https://github.com/xakepnz/enterpriseattack.git
cd enterpriseattack
python3 setup.py install

(back to top)

Usage

Initialise an Attack object:

import enterpriseattack

attack = enterpriseattack.Attack()

Example: Iterate over tactics/techniques/sub_techniques:

for tactic in attack.tactics:
   print(tactic.name)
   for technique in tactic.techniques:
      print(technique.name)
      print(technique.detection)

for software in attack.software:
    for technique in software.techniques:
        for sub_technique in technique.sub_techniques:
            print(software.name, technique.name, sub_technique.name)

For more examples, please refer to the Documentation

(back to top)

Comments
  • Sub Techniques not correctly mapped? Issue while retrieving

    Sub Techniques not correctly mapped? Issue while retrieving "sub_techniques" attribute of a specific technique

    The following code should print the sub techniques of the first listed technique (Abuse Elevation Control Mechanism, at the moment): print(next(iter(attack.techniques)).sub_techniques) However, it prints ALL the subtechniques of the entire Mitre ATT&CK framework. The following code gets ALL the subtechniques as well: next(iter(next(iter(attack.groups)).techniques)).sub_techniques It looks like every technique has the whole set of subtechniques as its child, instead of the correct subtechniques.

    bug 
    opened by sibkyd 3
  • [BUG]: The techniques used by some groups seem to be missing

    [BUG]: The techniques used by some groups seem to be missing

    What happened?

    Here is a small script to output the techniques used by a particular group:

    #!/usr/bin/env python


from __future__ import print_function


__description__ = 'Display the techniques used by an APT group'
__license__ = 'GPL'
__VERSION__ = '1.0.0'


from argparse import ArgumentParser
from enterpriseattack import Attack


def get_techniques(attack, group_id):
    for group in attack.groups:
        if group.id != group_id:
            continue
        techniques = []
        for technique in group.techniques:
            if technique.deprecated:
                continue
            if len(technique.sub_techniques):
                for subtechnique in technique.sub_techniques:
                    techniques.append(subtechnique.id)
            else:
                techniques.append(technique.id)
        return techniques


def main():
    parser = ArgumentParser(description=__description__)
    parser.add_argument('-v', '--version', action='version',
                        version='%(prog)s version {}'.format(__VERSION__))
    parser.add_argument('GID', nargs='+',
                        help='APT group ID')
    args = parser.parse_args()
    attack = Attack()
    for group_id in args.GID:
        techniques = get_techniques(attack, group_id)
        print('{}: {}'.format(group_id, ', '.join(techniques)))


if __name__ == '__main__':
    main()

    If we use it for APT group G0001, it works fine:

    G0001: T1203, T1005, T1003.002, T1003.003, T1003.004, T1003.005, T1003.001, T1003.006, T1003.007, T1003.008, T1078.003, T1078.002, T1078.004, T1078.001, T1189, T1566.003, T1566.001, T1566.002, T1553.006, T1553.004, T1553.001, T1553.005, T1553.002, T1553.003, T1190, T1560.003, T1560.001, T1560.002

    But if we use it for APT group G0002, the result is empty:

    G0002:

    However, if we go to MITRE's site, we see that group G0002 is supposed to be using the technique T1027.001.

    Maybe this is some deficiency in the data? Or is it the result of a data parsing bug?

    Version

    0.1.6 (Default)

    Relevant log output

    No response

    bug 
    opened by bontchev 2
  • [BUG]: Subscriptable objects doesn't seem to work

    [BUG]: Subscriptable objects doesn't seem to work

    What happened?

    Using the example from the documentation:

    import enterpriseattack
attack = enterpriseattack.Attack(subscriptable=True)
wizard_spider = attack.groups.get('Wizard Spider')

    results in the error

    Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: 'list' object has no attribute 'get'

    Version

    0.1.6

    Relevant log output

    No response

    bug 
    opened by bontchev 2
  • Feature/0.1.7

    Feature/0.1.7

    Description:

    Issue raised in #14 whereby Group objects did not have sub techniques.

    Created a new sub_techniques property: https://github.com/xakepnz/enterpriseattack/blob/75b9fb0800e070b7b543b3b38abde774d59b5c02/enterpriseattack/group.py#L71-L94

    Tests for change: https://github.com/xakepnz/enterpriseattack/blob/75b9fb0800e070b7b543b3b38abde774d59b5c02/tests/test_groupsubs.py#L15-L16

    opened by xakepnz 0
  • Feature/0.1.6

    Feature/0.1.6

    Description

    • Add more tests for code coverage (#9) - 380cec3
    • Implement MITRE ATT&CK campaigns (#8) - 1f5630e
    • Add software & groups to campaigns (#8) - cc9a6f9
    • Alter the GitHub templates (#7) - 327b98d
    • Create Subscriptable objects in the main Attack class (#6) - c99c712
    • Allow users to harcode MITRE ATT&CK data versioning (#5) - d7b5318
    opened by xakepnz 0
  • Subscript objects

    Subscript objects

    Make objects subscriptable eg:

    >>> attack = enterpriseattack.Attack()
>>> spider = attack.groups['Wizard Spider']
>>> spider.name
'Wizard Spider'

    VS:

    >>> attack = enterpriseattack.Attack()
>>> spider = None
>>> for group in attack.groups:
...     if group.name == 'Wizard Spider':
...             spider = group
...
>>> spider.name
'Wizard Spider'
    enhancement 
    opened by xakepnz 0
  • [FEATURE]: Support the other matrices too

    [FEATURE]: Support the other matrices too

    Feature Details

    Would be nice to have support for the other two matrices (Mobile and ICS) besides Enterprise. Although this would probably require some serious re-design.

    enhancement 
    opened by bontchev 0
Releases(v.0.1.7)

  • v.0.1.7(Dec 28, 2022)

    New:

    • Added sub_techniques property to Group objects (#14) - 29232d2
      • It was discovered in #14 that Group objects did not have the sub_techniques property available.
    • Added test for group sub_techniques iterations (#14) - a94394dc
    Source code(tar.gz)
    Source code(zip)

  • v.0.1.6(Dec 19, 2022)

    Changes:

    • Alter the GitHub templates (#7) - 327b98d

    New:

    • Add more tests for code coverage (#9) - 380cec3
    • Implement MITRE ATT&CK campaigns (#8) - 1f5630e
    • Add software & groups to campaigns (#8) - cc9a6f9
    • Create Subscriptable objects in the main Attack class (#6) - c99c712
    • Allow users to hardcode MITRE ATT&CK data versioning (#5) - d7b5318
    Source code(tar.gz)
    Source code(zip)

  • v.0.1.5(Mar 14, 2022)

  • v0.1.4(Mar 13, 2022)

    Modified

    • Cleaned up code line lengths
    • Fixed techniques mitigations
    • Ordered imports by type

    Added

    • Created component.py with Component class separate to Data source
    • Added tools & malware & software & components to techniques
    • Added tools & malware & tactics to groups
    • Added tools & malware & software & components & tactics to sub_techniques
    • Added tactics to software
    • Added tactics to mitigations
    • Created Code build tests with Travis CI
    • Added tactics & techniques to components
    Source code(tar.gz)
    Source code(zip)

  • v.0.1.3(Mar 11, 2022)

    Modified:

    • Converted format strings to f strings for readability/speed.
    • Updated README.md with more examples

    Added:

    • Allow proxy args to Attack() for proxy-passing.
    Source code(tar.gz)
    Source code(zip)

  • v.0.1.2(Dec 4, 2021)

    Fixed issue: https://github.com/xakepnz/enterpriseattack/issues/1

    • Issue related to all sub techniques being grouped under each technique, instead of relevant sub techniques. Fixed typo with ReadMe Documentation link
    Source code(tar.gz)
    Source code(zip)

  • v.0.1.1(Nov 3, 2021)

Owner
xakepnz
Русский интернет волшебник.
xakepnz
GitHub Repository
A Gura parser implementation for Python

Gura parser This repository contains the implementation of a Gura format parser in Python. Installation pip install gura-parser Usage import gura gur

JWare Solutions 19 Jan 25, 2022
A beacon generator using Cobalt Strike and a variety of tools.

Beaconator is an aggressor script for Cobalt Strike used to generate either staged or stageless shellcode and packing the generated shellcode using your tool of choice.

Capt. Meelo 441 Dec 17, 2022
Library management using python & MySQL

Library management using python & MySQL Dev/Editor: Pavan Ananth Sharma & MK Akash Introduction: This is an intermediate project which is a user-frie

Pavan Ananth Sharma 2 Jul 05, 2022
(Pre-)compromise operations for MITRE CALDERA

(Pre-)compromise operations for CALDERA Extend your CALDERA operations over the entire adversary killchain. In contrast to MITRE's access plugin, cald

Diederik Bakker 3 Aug 22, 2022
Decoupled Smoothing in Probabilistic Soft Logic

Decoupled Smoothing in Probabilistic Soft Logic Experiments for "Decoupled Smoothing in Probabilistic Soft Logic". Probabilistic Soft Logic Probabilis

Kushal Shingote 1 Feb 08, 2022
GEGVL: Google Earth Based Geoscience Video Library

Google Earth Based Geoscience Video Library is transforming to Server Based. The

3 Feb 11, 2022
Small pip update helpers.

pipdate pipdate is a collection of small pip update helpers. The command pipdate # or python3.9 -m pipdate updates all your pip-installed packages. (O

Nico Schlömer 69 Dec 18, 2022
Lightweight library for accessing data and configuration

accsr This lightweight library contains utilities for managing, loading, uploading, opening and generally wrangling data and configurations. It was ba

appliedAI Initiative 7 Mar 09, 2022
create cohort visualizations for a subscription business

pycohort The main revenue generator for subscription businesses is recurring payments. There might be additional one-time offerings but the number of

Yalim Demirkesen 4 Sep 09, 2022
Fiber implements an proof-of-concept Python decorator that rewrites a function

Fiber implements an proof-of-concept Python decorator that rewrites a function so that it can be paused and resumed (by moving stack variables to a heap frame and adding if statements to simulate jum

Tyler Hou 225 Dec 13, 2022
Contains the code of my learning of Python OOP.

OOP Python This repository contains the code of my learning of Python OOP. All the code: is following PEP 8 ✅ has proper concept illustrations and com

Samyak Jain 2 Jan 15, 2022
A simple single-color identicon generator

Identicons What are identicons? Setup: git clone https://github.com/vjdad4m/identicons.git cd identicons pip3 install -r requirements.txt chmod +x

Adam Vajda 1 Oct 31, 2021
Blender addons - A collection of Blender tools I've written for myself over the years.

gret A collection of Blender tools I've written for myself over the years. I use these daily so they should be bug-free, mostly. Feel free to take and

217 Jan 08, 2023
The third home of the bare Programming Language (1st there's my heart, the forest came second and then there's Github :)

The third home of the bare Programming Language (1st there's my heart, the forest came second and then there's Github :)

Garren Souza 7 Dec 24, 2022
Simple module with some functions such as generate password (get_random_string)

Simple module with some functions such as generate password (get_random_string), fix unicode strings, size converter, dynamic console, read/write speed checker, etc.

Dmitry 2 Dec 03, 2022
Functional interface for concurrent futures, including asynchronous I/O.

Futured provides a consistent interface for concurrent functional programming in Python. It wraps any callable to return a concurrent.futures.Future,

A. Coady 11 Nov 27, 2022
This is a small compiler to demonstrate how compilers work.

This is a small compiler to demonstrate how compilers work. It compiles our own dialect to C, while being written in Python.

Md. Tonoy Akando 2 Jul 19, 2022
Zotero references script (and app)

A little script (and PyInstaller build) for a very specific, somewhat hack-ish purpose: managing and exporting project references with Zotero and its API.

Marius Rödder 0 Dec 05, 2021
🥦 Send and receive nano with 2 simple functions

easy_nano Send and receive nano (without having to understand the nano protocol).

1 Feb 14, 2022
Tucan Discord Token Generator - Remastered

TucanGEN-SRC Tucan Discord Token Generator - Remastered Tucan source made better by me. -- idk if it works anymore Includes: hCaptcha Bypass Automatic

Vast 8 Nov 04, 2022