How can I retrieve the correct ATT&CK STIX object if I only know its ATT&CK ID?

Say I was looking to find technique T1113 (Screen Capture, Technique T1113 - Enterprise | MITRE ATT&CK®) in the MITRE ATT&CK STIX dataset on GitHub (cti/enterprise-attack at master · mitre/cti · GitHub), how would I go about doing this?

ATT&CK Objects utilise the external_references.external_id STIX Property to print their IDs (where the object also has an external_references.source_name=mitre-attack).

For example,

            "external_references": [
                {
                    "external_id": "T1113",
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1113"
                },

Same for other object types, e.g. Tool…

            "external_references": [
                {
                    "external_id": "S0592",
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/software/S0592"
                },

Or Tactics…

            "external_references": [
                {
                    "external_id": "TA0003",
                    "url": "https://attack.mitre.org/tactics/TA0003",
                    "source_name": "mitre-attack"
                }

It’s important to stress that you must also use the constraint external_references.source_name=mitre-attack when filtering.

Why? MITRE also links ATT&CK Technique/Sub-Technique objects to CAPEC (Common Attack Pattern Enumerations and Classifications) objects.

For example, in the Technique T1113: Screen Capture you will see CAPEC ID 648 referenced. This is stored in the external_references of the T1113 attack-pattern Object using "source_name": "capec" and the external_id value containing the CAPEC ID in the format CAPEC-XXX. Here’s what it looks like in the STIX object.

  {
    "external_id": "CAPEC-648",
    "source_name": "capec",
    "url": "https://capec.mitre.org/data/definitions/648.html"
  }

The external_references section is also used to render References to more information about the Object (how it was discovered, research into it, etc.). You’ll also see these on the ATT&CK website.

Again, using T1113: Screen Capture as an example, the STIX external_references for this object also contains…

  {
    "source_name": "CopyFromScreen .NET",
    "url": "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8",
    "description": "Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020."
  },
  {
    "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/",
    "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
    "source_name": "Antiquated Mac Malware"
  }
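
The lookup described above, as an added example that is not part of the original post: a plain-Python filter over a STIX bundle that requires external_id and source_name to match on the same external_references entry. The bundle is constructed sample data with placeholder STIX ids, and the function names are hypothetical.

```python
# Constructed sample bundle: STIX ids are placeholders, references are trimmed.
BUNDLE = {"type": "bundle", "objects": [
    {"type": "attack-pattern",
     "id": "attack-pattern--00000000-0000-4000-8000-000000000001",
     "name": "Screen Capture", "external_references": [
         {"external_id": "T1113", "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1113"},
         {"external_id": "CAPEC-648", "source_name": "capec",
          "url": "https://capec.mitre.org/data/definitions/648.html"},
         {"source_name": "CopyFromScreen .NET",
          "description": "Microsoft. (n.d.). Graphics.CopyFromScreen Method."}]},
    {"type": "x-mitre-tactic",
     "id": "x-mitre-tactic--00000000-0000-4000-8000-000000000002",
     "name": "Persistence", "external_references": [
         {"external_id": "TA0003", "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/tactics/TA0003"}]},
    # Objects without external_references must not break the search.
    {"type": "relationship",
     "id": "relationship--00000000-0000-4000-8000-000000000003"},
]}


def find_by_attack_id(bundle, attack_id, source_name="mitre-attack"):
    """Return objects with a reference matching BOTH external_id and source_name."""
    hits = []
    for obj in bundle.get("objects", []):
        for ref in obj.get("external_references", []):
            # Both properties are checked on the same reference entry.
            if (ref.get("external_id") == attack_id
                    and ref.get("source_name") == source_name):
                hits.append(obj)
                break
    return hits


def find_by_external_id_only(bundle, external_id):
    """Unconstrained match, included only to show why source_name matters."""
    return [obj for obj in bundle.get("objects", [])
            if any(ref.get("external_id") == external_id
                   for ref in obj.get("external_references", []))]


if __name__ == "__main__":
    print([o["name"] for o in find_by_attack_id(BUNDLE, "T1113")])
    print([o["name"] for o in find_by_external_id_only(BUNDLE, "CAPEC-648")])
```

To run it against the real dataset, replace BUNDLE with the result of json.load() on the enterprise-attack JSON file from the mitre/cti repository.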