Getting started with the MITRE ATT&CK TAXII server

In addition to the objects on GitHub, MITRE also distributes the latest version of ATT&CK over a TAXII server. Using the TAXII server to download objects is often more convenient and stable when accessing objects programmatically.

If you want to follow along with downloading objects, I'll use the OASIS TAXII client (taxii2-client) together with the stix2 library to interact with the MITRE TAXII server:

```shell
git clone https://github.com/oasis-open/cti-taxii-client/
cd cti-taxii-client
python3 -m venv cti-taxii-client_env
source cti-taxii-client_env/bin/activate
pip3 install taxii2-client
pip3 install stix2
```

MITRE’s TAXII server is accessible at https://cti-taxii.mitre.org/taxii/

Note that it is a TAXII 2.0 server, so the scripts below import from the client's .v20 modules:

```python
## python3 get_api_roots.py
### import requirements https://taxii2client.readthedocs.io/en/latest/api/taxii2client.v20.html#taxii2client.v20.Server
from taxii2client.v20 import Server

# define server and get the first API Root
server = Server("https://cti-taxii.mitre.org/taxii/")
api_root = server.api_roots[0]

# Print name and ID of all ATT&CK domains available as collections
for collection in api_root.collections:
    print(collection.title + ": " + collection.id)
```

```text
python3 get_api_roots.py
Enterprise ATT&CK: 95ecc380-afe9-11e4-9b6c-751b66dd541e
PRE-ATT&CK: 062767bd-02d2-4b72-84ba-56caef0f8658
Mobile ATT&CK: 2f669986-b40b-4423-b720-4396ca6a462b
ICS ATT&CK: 02c3ef24-9cd4-48f3-a99f-b74ce24f1d34
```

The ID of each collection can then be used to get the content of that collection.

In this code, I define a set of filters (one per ATT&CK object type), run each query against the Enterprise collection, and finally print the first technique returned:

```python
## python3 get_enterprise_techniques.py
### import requirements https://taxii2client.readthedocs.io/en/latest/api/taxii2client.v20.html#taxii2client.v20.Collection
### https://stix2.readthedocs.io/en/latest/api/datastore/stix2.datastore.taxii.html#stix2.datastore.taxii.TAXIICollectionSource

from stix2 import TAXIICollectionSource, Filter
from taxii2client.v20 import Collection

# Initialize dictionary to hold Enterprise ATT&CK content
attack = {}
# Establish TAXII2 Collection instance for Enterprise ATT&CK (collection ID from get_api_roots.py)
collection = Collection("https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/")
# Wrap the collection in a stix2 TAXIICollectionSource so it can be queried with Filters
tc_source = TAXIICollectionSource(collection)
# Create filters to retrieve content from Enterprise ATT&CK; a list of Filters is ANDed together
filter_objs = {
    "techniques": [Filter("type", "=", "attack-pattern"), Filter("x_mitre_is_subtechnique", "=", False)],
    "sub-techniques": [Filter("type", "=", "attack-pattern"), Filter("x_mitre_is_subtechnique", "=", True)],
    "mitigations": Filter("type", "=", "course-of-action"),
    "groups": Filter("type", "=", "intrusion-set"),
    "malwares": Filter("type", "=", "malware"),
    "tools": Filter("type", "=", "tool"),
    "relationships": Filter("type", "=", "relationship"),
    "x-mitre-tactics": Filter("type", "=", "x-mitre-tactic"),
    "x-mitre-data-components": Filter("type", "=", "x-mitre-data-component"),
    "x-mitre-data-sources": Filter("type", "=", "x-mitre-data-source"),
    "x-mitre-matrix": Filter("type", "=", "x-mitre-matrix")
}
# Retrieve all Enterprise ATT&CK content, one query per object type
for key in filter_objs:
    attack[key] = tc_source.query(filter_objs[key])
# For visual purposes, print the first technique received
print(attack["techniques"][0])
```
```json
{
  "type": "attack-pattern",
  "id": "attack-pattern--43c9bc06-715b-42db-972f-52d25c09a20c",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "created": "2023-09-01T21:03:13.406Z",
  "modified": "2023-10-01T02:28:45.147Z",
  "name": "Content Injection",
  "description": "Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other data to already compromised systems.(Citation: ESET MoustachedBouncer)\n\nAdversaries may inject content to victim systems in various ways, including:\n\n* From the middle, where the adversary is in-between legitimate online client-server communications (**Note:** this is similar but distinct from [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557), which describes AiTM activity solely within an enterprise environment) (Citation: Kaspersky Encyclopedia MiTM)\n* From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server (Citation: Kaspersky ManOnTheSide)\n\nContent injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with \"lawful interception.\"(Citation: Kaspersky ManOnTheSide)(Citation: ESET MoustachedBouncer)(Citation: EFF China GitHub Attack)",
  "kill_chain_phases": [
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "initial-access"
    },
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "command-and-control"
    }
  ],
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/techniques/T1659",
      "external_id": "T1659"
    },
    {
      "source_name": "EFF China GitHub Attack",
      "description": "Budington, B. (2015, April 2). China Uses Unencrypted Websites to Hijack Browsers in GitHub Attack. Retrieved September 1, 2023.",
      "url": "https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack"
    },
    {
      "source_name": "ESET MoustachedBouncer",
      "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 1, 2023.",
      "url": "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/"
    },
    {
      "source_name": "Kaspersky Encyclopedia MiTM",
      "description": "Kaspersky IT Encyclopedia. (n.d.). Man-in-the-middle attack. Retrieved September 1, 2023.",
      "url": "https://encyclopedia.kaspersky.com/glossary/man-in-the-middle-attack/"
    },
    {
      "source_name": "Kaspersky ManOnTheSide",
      "description": "Starikova, A. (2023, February 14). Man-on-the-side – peculiar attack. Retrieved September 1, 2023.",
      "url": "https://usa.kaspersky.com/blog/man-on-the-side/27854/"
    }
  ],
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_data_sources": [
    "Network Traffic: Network Traffic Content",
    "Process: Process Creation",
    "File: File Creation"
  ],
  "x_mitre_deprecated": false,
  "x_mitre_detection": "",
  "x_mitre_domains": [
    "enterprise-attack"
  ],
  "x_mitre_is_subtechnique": false,
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_platforms": [
    "Linux",
    "macOS",
    "Windows"
  ],
  "x_mitre_version": "1.0"
}
```
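
The per-type lists that get_enterprise_techniques.py stores in the attack dictionary only become useful once they are joined through the relationship objects. The added example below (my own code, not from the original post) does that join for one technique, answering "which mitigations address T1659", and skips objects flagged revoked or x_mitre_deprecated, which the filters above do not exclude. It runs offline on a constructed sample with placeholder STIX ids and mitigation IDs; because stix2 objects support dict-style access, the same functions work on the live query results.

```python
def attack_id(obj):
    """ATT&CK ID (T1659, S0104, M...) taken from the 'mitre-attack' external reference, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def is_live(obj):
    """The collection still serves revoked and deprecated objects; drop them before analysis."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)

def mitigations_for(attack, technique_id):
    """Join techniques <- 'mitigates' relationships <- mitigations for one ATT&CK technique ID."""
    techniques = [o for o in attack["techniques"] + attack.get("sub-techniques", []) if is_live(o)]
    target = next((o["id"] for o in techniques if attack_id(o) == technique_id), None)
    if target is None:
        return []
    mitigations = {o["id"]: o for o in attack["mitigations"] if is_live(o)}
    found = []
    for rel in attack["relationships"]:
        if not is_live(rel) or rel["relationship_type"] != "mitigates":
            continue
        if rel["target_ref"] == target and rel["source_ref"] in mitigations:
            m = mitigations[rel["source_ref"]]
            found.append((attack_id(m), m["name"]))
    return sorted(found)

# Constructed sample in the shape tc_source.query() returns; STIX ids and M-numbers are placeholders.
SAMPLE_ATTACK = {
    "techniques": [{"type": "attack-pattern", "id": "attack-pattern--aaaa", "name": "Content Injection",
                    "external_references": [{"source_name": "mitre-attack", "external_id": "T1659"}]}],
    "mitigations": [
        {"type": "course-of-action", "id": "course-of-action--bbbb", "name": "Sample Mitigation",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M9001"}]},
        {"type": "course-of-action", "id": "course-of-action--cccc", "name": "Old Mitigation",
         "x_mitre_deprecated": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "M9002"}]},
    ],
    "relationships": [
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--bbbb", "target_ref": "attack-pattern--aaaa"},
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--cccc", "target_ref": "attack-pattern--aaaa"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--dddd", "target_ref": "attack-pattern--aaaa"},
    ],
}

if __name__ == "__main__":
    print(mitigations_for(SAMPLE_ATTACK, "T1659"))  # [('M9001', 'Sample Mitigation')]
```

With the live data, pass the attack dictionary built by get_enterprise_techniques.py in place of SAMPLE_ATTACK.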

I could also modify the code to search for a specific object by its ATT&CK ID, in this case Software S0104, by filtering on the external_id inside external_references:

```python
## python3 get_S0104_object.py
### import requirements https://taxii2client.readthedocs.io/en/latest/api/taxii2client.v20.html#taxii2client.v20.Collection
### https://stix2.readthedocs.io/en/latest/api/datastore/stix2.datastore.taxii.html#stix2.datastore.taxii.TAXIICollectionSource

from stix2 import TAXIICollectionSource, Filter
from taxii2client.v20 import Collection

# Initialize dictionary to hold the Enterprise ATT&CK content we retrieve
attack = {}
# Establish TAXII2 Collection instance for Enterprise ATT&CK
collection = Collection("https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/")
# Wrap the collection in a stix2 TAXIICollectionSource so it can be queried with Filters
tc_source = TAXIICollectionSource(collection)
# Create a filter matching any object whose external_references carry the ATT&CK ID S0104
filter_objs = {
    "S0104": Filter("external_references.external_id", "=", "S0104")
}
# Retrieve the matching object(s)
for key in filter_objs:
    attack[key] = tc_source.query(filter_objs[key])
# For visual purposes, print the first object returned
print(attack["S0104"][0])
```
```text
python3 get_S0104_object.py
{
  "type": "tool",
  "id": "tool--4664b683-f578-434f-919b-1c1aad2a1111",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "created": "2017-05-31T21:33:04.545Z",
  "modified": "2023-07-25T19:25:05.678Z",
  "name": "netstat",
  "description": "[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)",
  "labels": [
    "tool"
  ],
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/software/S0104",
      "external_id": "S0104"
    },
    {
      "source_name": "TechNet Netstat",
      "description": "Microsoft. (n.d.). Netstat. Retrieved April 17, 2016.",
      "url": "https://technet.microsoft.com/en-us/library/bb490947.aspx"
    }
  ],
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "x_mitre_aliases": [
    "netstat"
  ],
  "x_mitre_attack_spec_version": "3.1.0",
  "x_mitre_deprecated": false,
  "x_mitre_domains": [
    "enterprise-attack"
  ],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.2"
}
```

If you’re new to TAXII you will find this post useful: