How can I find all objects an ATT&CK Technique has a relationship to?

0101001001001 · 6 June 2024 06:41

Let’s say I have T1113. I want to know what objects this Technique is related to (sub-techs, groups, software, etc.).

Is this possible?

dgreenwood-dogesec · 6 June 2024 06:51

Yes, it’s entirely possible.

First you need to find the STIX ID of T1113.

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note != "automatically imported on collection creation"
  AND doc._stix2arango_note == "v15.1"
  AND doc.type == "attack-pattern"
  AND doc.x_mitre_is_subtechnique == false
  FOR extRef IN doc.external_references
    FILTER extRef.external_id == "T1113"
    AND extRef.source_name == "mitre-attack"
    RETURN doc.id

[
  "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688"
]

Now you can search what relationship objects link to / from it

FOR doc IN mitre_attack_enterprise_edge_collection
  FILTER doc._stix2arango_note != "automatically imported on collection creation"
  AND doc._is_ref == false
  AND doc._stix2arango_note == "v15.1"
  AND doc.target_ref == "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688"
  RETURN doc

You can change the source_ref (objects this object links to) line to target_ref (objects this object links from) depending on what you need. Note, in this example, this object does not link to any others (using source_ref returns 0 results).

Here are what the results look like on the graph returned (T1113 in the middle)

To just get a list of objects you can use the search

FOR doc IN mitre_attack_enterprise_edge_collection
  FILTER doc._stix2arango_note != "automatically imported on collection creation"
  AND doc._is_ref == false
  AND doc._stix2arango_note == "v15.1"
  AND doc.target_ref == "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688"
  RETURN doc.source_ref

[
  "malware--5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
  "malware--04fc1842-f9e4-47cf-8cb8-5c61becad142",
  "malware--8ae43c46-57ef-47d5-a77a-eebb35628db2",
  "malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
  "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
  "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4",
  "malware--db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c",
  "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d",
  "malware--a5528622-3a8a-4633-86ce-8cdaf8423858",

(there are 154 results in total)

dgreenwood-dogesec · 6 June 2024 07:15

You can achieve this in one query.

Return a graph:

FOR attackPattern IN mitre_attack_enterprise_vertex_collection
  FILTER attackPattern._stix2arango_note != "automatically imported on collection creation"
  AND attackPattern._stix2arango_note == "v15.1"
  AND attackPattern.type == "attack-pattern"
  AND attackPattern.x_mitre_is_subtechnique == false
  FOR extRef IN attackPattern.external_references
    FILTER extRef.external_id == "T1113"
    AND extRef.source_name == "mitre-attack"
    LET attackPatternId = attackPattern.id
    FOR relationship IN mitre_attack_enterprise_edge_collection
      FILTER relationship._stix2arango_note != "automatically imported on collection creation"
      AND relationship._is_ref == false
      AND relationship._stix2arango_note == "v15.1"
      AND relationship.target_ref == attackPatternId
      RETURN relationship

Or just return a list of objects

LET attackPatternId = (
  FOR attackPattern IN mitre_attack_enterprise_vertex_collection
    FILTER attackPattern._stix2arango_note != "automatically imported on collection creation"
    AND attackPattern._stix2arango_note == "v15.1"
    AND attackPattern.type == "attack-pattern"
    AND attackPattern.x_mitre_is_subtechnique == false
    FOR extRef IN attackPattern.external_references
      FILTER extRef.external_id == "T1113"
      AND extRef.source_name == "mitre-attack"
      RETURN attackPattern.id
)

FOR relationship IN mitre_attack_enterprise_edge_collection
  FILTER relationship._stix2arango_note != "automatically imported on collection creation"
  AND relationship._is_ref == false
  AND relationship._stix2arango_note == "v15.1"
  AND relationship.target_ref IN attackPatternId
  RETURN relationship.source_ref

And b/c STIX object ids are not very clear, you can also print a list of ATT&CK names instead

LET attackPatternIds = (
  FOR attackPattern IN mitre_attack_enterprise_vertex_collection
    FILTER attackPattern._stix2arango_note != "automatically imported on collection creation"
    AND attackPattern._stix2arango_note == "v15.1"
    AND attackPattern.type == "attack-pattern"
    AND attackPattern.x_mitre_is_subtechnique == false
    FOR extRef IN attackPattern.external_references
      FILTER extRef.external_id == "T1113"
      AND extRef.source_name == "mitre-attack"
      RETURN attackPattern.id
)

LET relationshipSourceRefs = (
  FOR relationship IN mitre_attack_enterprise_edge_collection
    FILTER relationship._stix2arango_note != "automatically imported on collection creation"
    AND relationship._is_ref == false
    AND relationship._stix2arango_note == "v15.1"
    AND relationship.target_ref IN attackPatternIds
    RETURN relationship.source_ref
)

FOR doc IN mitre_attack_enterprise_vertex_collection
  FILTER doc._stix2arango_note != "automatically imported on collection creation"
  AND doc._stix2arango_note == "v15.1"
  AND doc.id IN relationshipSourceRefs
  RETURN { name: doc.name, type: doc.type }

[
  {
    "name": "Screen Capture Mitigation",
    "type": "course-of-action",
    "id": "course-of-action--51b37302-b844-4c08-ac98-ae6955ed1f55"
  },
  {
    "name": "Dragonfly",
    "type": "intrusion-set",
    "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1"
  },
  {
    "name": "MuddyWater",
    "type": "intrusion-set",
    "id": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2"
  },