Attck¶
This documentation provides details about the main entry point called Attck within the pyattck package.
This class provides access to the MITRE Enterprise, PRE-ATT&CK, Mobile, and ICS Frameworks.
- MITRE Enterprise ATT&CK Framework
- MITRE PRE-ATT&CK Framework
- MITRE Mobile ATT&CK Framework
- MITRE ICS ATT&CK Framework
By default, subtechniques are accessible under each technique object.
As an example, the default behavior looks like the following example:
from pyattck import Attck
attack = Attck()
for technique in attack.enterprise.techniques:
print(technique.id)
print(technique.name)
for subtechnique in technique.subtechniques:
print(subtechnique.id)
print(subtechnique.name)
You can turn this behavior off by passing nested_subtechniques=False when creating your Attck object. When turning this feature off you can access subtechniques on the same level as all other techniques. Here’s an example:
from pyattck import Attck
attack = Attck()
for technique in attack.enterprise.techniques:
print(technique.id)
print(technique.name)
print(f"checking if technique is subtechnique: {technique.subtechnique}")
Attck Class¶
-
class
pyattck.attck.Attck(nested_subtechniques=True, use_config=False, save_config=False, config_file_path='~/pyattck/config.yml', data_path='~/pyattck/data', enterprise_attck_json='https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json', pre_attck_json='https://raw.githubusercontent.com/mitre/cti/master/pre-attack/pre-attack.json', mobile_attck_json='https://raw.githubusercontent.com/mitre/cti/master/mobile-attack/mobile-attack.json', ics_attck_json='https://raw.githubusercontent.com/mitre/cti/master/ics-attack/ics-attack.json', nist_controls_json='https://raw.githubusercontent.com/center-for-threat-informed-defense/attack-control-framework-mappings/master/frameworks/ATT%26CK-v9.0/nist800-53-r5/stix/nist800-53-r5-controls.json', generated_attck_json='https://swimlane-pyattck.s3.us-west-2.amazonaws.com/generated_attck_data.json', generated_nist_json='https://swimlane-pyattck.s3.us-west-2.amazonaws.com/attck_to_nist_controls.json', **kwargs)[source]¶ Bases:
objectInterface to all MITRE ATT&CK frameworks.
Currently, this class enables access to the Enterprise & PRE-ATT&CK frameworks with others coming soon. To acccess each framework, use the following properties
- enterprise
- preattack
This interface enables you to retrieve all properties within each item in the MITRE ATT&CK Enterprise Framework.
The following categorical items can be accessed using this class:
- Tactics (Tactics are the phases defined by MITRE ATT&CK)
- Techniques (Techniques are the individual actions which can
- accomplish a tactic)
- Mitigations (Mitigations are recommendations to prevent or
- protect against a technique)
- Actors (Actors or Groups are identified malicious
- actors/groups which have been identified and documented by MITRE & third-parties)
- Tools (Tools are software used to perform techniques)
- Malwares (Malwares are specific pieces of malware used by
- actors (or in general) to accomplish a technique)
You can also search the external dataset for external commands that are similar using the search_commands method.
from pyattck import Attck attck = Attck() for search in attck.enterprise.search_commands('powershell'): print(search['technique']) print(search['reason_for_match'])
You can access additional datasets related to a technique. These datasets are [documented here](https://github.com/swimlane/pyattck-data).
- Example:
Once an Attck object is instantiated, you can access each object type as a list of objects (e.g. techniques, tactics, actors, etc.)
You can iterate over each object list and access specific properties and relationship properties of each.
- The following relationship properties are accessible:
- Actors
- Tools used by the Actor or Group
- Malware used by the Actor or Group
- Techniques this Actor or Group uses
- Malwares
- Actor or Group(s) using this malware
- Techniques this malware is used with
- Mitigations
- Techniques related to a specific set of mitigation suggestions
- Tactics
- Techniques found in a specific Tactic (phase)
- Techniques
- Tactics a technique is found in
- Mitigation suggestions for a given technique
- Actor or Group(s) identified as using this technique
- Tools
- Techniques that the specified tool is used within
- Actor or Group(s) using a specified tool
- To iterate over a list, do the following:
from pyattck import Attck attck = Attck() for technique in attck.enterprise.techniques: print(technique.id) print(technique.name) print(technique.description) # etc. for mitigation in attck.enterprise.mitigations: print(mitigation.id) print(mitigation.name) print(mitigation.description) # etc.
- To access relationship properties, do the following:
from pyattck import Attck attck = Attck() for technique in attck.enterprise.techniques: print(technique.id) print(technique.name) print(technique.description) # etc. for actor in technique.enterprise.actors: print(actor.id) print(actor.name) print(actor.description) # etc. for mitigation in attck.enterprise.mitigations: print(mitigation.id) print(mitigation.name) print(mitigation.description) # etc. for technique in mitigation.enterprise.techniques: print(technique.name) print(technique.description) # etc.
- Arguments:
nested_subtechniques (bool, optional): Whether not to iterate over nested subtechniques. Defaults to True. use_config (bool, optional): Specifies if a configuration file should be used or not. Defaults to False. save_config (bool, optional): Specifies if pyattck should save a configuration file based on the provided
values. Defaults to False.- config_file_path (str, optional): Path to a yaml configuration file which contains two key value pairs.
- Defaults to ‘~/pyattck/config.yml’.
data_path (str, optional): Path to store the external data locally on your system. Defaults to ‘~/pyattck/data’. enterprise_attck_json (str, optional): A URL or local file path to the MITRE ATT&CK Json file.
- pre_attck_json (str, optional): A URL or local file path to the MITRE Pre-ATT&CK Json file.
- Defaults to https://raw.githubusercontent.com/mitre/cti/master/pre-attack/pre-attack.json.
- mobile_attck_json (str, optional): A URL or local file path to the MITRE Mobile ATT&CK Json file.
- Defaults to https://raw.githubusercontent.com/mitre/cti/master/mobile-attack/mobile-attack.json.
- ics_attck_json (str, optional): A URL or local file path to the MITRE ICS ATT&CK JSON file.
- Defaults to https://raw.githubusercontent.com/mitre/cti/master/ics-attack/ics-attack.json.
- nist_controls_json (str, optional): A URL or local file path to the NIST Controls Json file.
- Defaults to https://raw.githubusercontent.com/center-for-threat-informed-defense/attack-control-framework-mappings/master/frameworks/ATT%26CK-v9.0/nist800-53-r5/stix/nist800-53-r5-controls.json.
- generated_attck_json (str, optional): A URL or local file path to the Generated MITRE ATT&CK Json file.
- Defaults to https://swimlane-pyattck.s3.us-west-2.amazonaws.com/generated_attck_data.json.
- generated_nist_json (str, optional): A URL or local file path to the Generated NIST Controls Mapping Json file.
- Defaults to https://swimlane-pyattck.s3.us-west-2.amazonaws.com/attck_to_nist_controls.json.
- kwargs (dict, optional): Provided kwargs will be passed to any HTTP requests using the Requests library.
- Defaults to None.
- Returns:
- [Attck]: Returns a Attck object that contains all data from MITRE ATT&CK Frameworks
-
enterprise¶ Retrieve objects from the Enterprise MITRE ATT&CK Framework and additional generated data which provides additional context
- Returns:
- Enterprise: Returns an Enterprise object
-
ics¶ Retrieve objects from the MITRE ICS ATT&CK Framework
- Returns:
- PreAttack: Returns an ICSAttck object
-
mobile¶ Retrieve objects from the MITRE Mobile ATT&CK Framework
- Returns:
- PreAttack: Returns an MobileAttack object
-
preattack¶ Retrieve objects from the MITRE PRE-ATT&CK Framework
- Returns:
- PreAttack: Returns an PreAttack object