Say I was looking to find technique T1113 (Screen Capture, Technique T1113 - Enterprise | MITRE ATT&CK®) in the MITRE ATT&CK STIX dataset on Github (cti/enterprise-attack at master · mitre/cti · GitHub), how would I go about doing this?
ATT&CK Objects utilise the external_references.external_id STIX Property to print their IDs (where the object also has an external_references.source_name=mitre-attack).
For example,
"external_references": [
    {
        "external_id": "T1113",
        "source_name": "mitre-attack",
        "url": "https://attack.mitre.org/techniques/T1113"
    },
Same for other object types, e.g. Tool…
"external_references": [
    {
        "external_id": "S0592",
        "source_name": "mitre-attack",
        "url": "https://attack.mitre.org/software/S0592"
    },
Or Tactics…
"external_references": [
    {
        "external_id": "TA0003",
        "url": "https://attack.mitre.org/tactics/TA0003",
        "source_name": "mitre-attack"
    }
It’s important to stress you also use the constraint external_references.source_name=mitre-attack when filtering.
Why? MITRE also link ATT&CK Technique/Sub-Technique objects to CAPEC (Common Attack Pattern Enumerations and Classifications) objects too.
For example, in the Technique T1113: Screen Capture you will see CAPEC ID 648 referenced. This is stored in the external_references of the T1113 attack-pattern Object using "source_name": "capec" and the external_id value containing the CAPEC ID in the format CAPEC-XXX. Here’s what it looks like in the STIX object.
{
    "external_id": "CAPEC-648",
    "source_name": "capec",
    "url": "https://capec.mitre.org/data/definitions/648.html"
}
The external_references section is also used to render References to more information about the Object (how it was discovered, research into it, etc.). You’ll also see these on the ATT&CK website.
Again, using T1113: Screen Capture as an example, the STIX external_references for this object also contains…
{
    "source_name": "CopyFromScreen .NET",
    "url": "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8",
    "description": "Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020."
},
{
    "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/",
    "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
    "source_name": "Antiquated Mac Malware"
}
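The lookup described in the answer above, as an added example (not code from the answer, from MITRE, or from the cti repository): it parses a STIX bundle with only the standard library, resolves an object's ATT&CK ID strictly from the external_references entry whose source_name is mitre-attack, and separates the CAPEC references and the citation-style references from it. The bundle below is a constructed miniature in the shape of enterprise-attack.json (STIX IDs are made up); to run it against the real dataset, read the downloaded enterprise-attack.json into load_bundle instead. The revoked check relies on the standard STIX "revoked" property, which the answer does not mention; it is included because revoked objects in the dataset keep their original ATT&CK ID.

```python
import json
from typing import Iterable, List, Optional

# Constructed miniature of mitre/cti's enterprise-attack.json: one technique
# (attack-pattern), one tool, one tactic (x-mitre-tactic), and one relationship
# object, which carries no ATT&CK ID of its own. Bundle/object IDs are made up.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--00000000-0000-4000-8000-000000000002",
            "name": "Screen Capture",
            "external_references": [
                {"external_id": "T1113", "source_name": "mitre-attack",
                 "url": "https://attack.mitre.org/techniques/T1113"},
                {"external_id": "CAPEC-648", "source_name": "capec",
                 "url": "https://capec.mitre.org/data/definitions/648.html"},
                {"source_name": "CopyFromScreen .NET",
                 "url": "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8",
                 "description": "Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020."},
                {"source_name": "Antiquated Mac Malware",
                 "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/",
                 "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017."},
            ],
        },
        {
            "type": "tool",
            "id": "tool--00000000-0000-4000-8000-000000000003",
            "name": "RemoteUtilities",
            "external_references": [
                {"external_id": "S0592", "source_name": "mitre-attack",
                 "url": "https://attack.mitre.org/software/S0592"},
            ],
        },
        {
            "type": "x-mitre-tactic",
            "id": "x-mitre-tactic--00000000-0000-4000-8000-000000000004",
            "name": "Persistence",
            "external_references": [
                {"external_id": "TA0003", "source_name": "mitre-attack",
                 "url": "https://attack.mitre.org/tactics/TA0003"},
            ],
        },
        {
            "type": "relationship",
            "id": "relationship--00000000-0000-4000-8000-000000000005",
            "relationship_type": "uses",
            "source_ref": "tool--00000000-0000-4000-8000-000000000003",
            "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000002",
        },
    ],
})


def load_bundle(text: str) -> List[dict]:
    """Return the STIX objects of a bundle (enterprise-attack.json is one bundle)."""
    return json.loads(text)["objects"]


def attack_id(obj: dict) -> Optional[str]:
    """The object's ATT&CK ID (T1113, S0592, TA0003, ...).

    Only the reference whose source_name is mitre-attack counts; CAPEC entries
    and citation entries in the same list also carry external_id/source_name
    and must not be mistaken for the ATT&CK ID.
    """
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None


def find_by_attack_id(objects: Iterable[dict], wanted: str,
                      include_revoked: bool = False) -> List[dict]:
    """All objects whose ATT&CK ID equals `wanted`, skipping revoked ones by default."""
    return [
        obj for obj in objects
        if attack_id(obj) == wanted and (include_revoked or not obj.get("revoked", False))
    ]


def capec_ids(obj: dict) -> List[str]:
    """CAPEC IDs (format CAPEC-XXX) linked from the object's external_references."""
    return [ref["external_id"] for ref in obj.get("external_references", [])
            if ref.get("source_name") == "capec" and "external_id" in ref]


def citations(obj: dict) -> List[dict]:
    """The remaining references: the 'more information' entries shown on the website."""
    return [ref for ref in obj.get("external_references", [])
            if ref.get("source_name") not in ("mitre-attack", "capec")]


if __name__ == "__main__":
    objects = load_bundle(SAMPLE_BUNDLE)
    for obj in find_by_attack_id(objects, "T1113"):
        print(obj["type"], obj["id"], obj["name"])
        print("CAPEC:", capec_ids(obj))
        for ref in citations(obj):
            print("ref:", ref["source_name"], ref["url"])
```

On the real bundle, replace SAMPLE_BUNDLE with the contents of enterprise-attack.json; the same functions apply unchanged, since every ATT&CK object in that file carries its ID in the mitre-attack reference exactly as the answer shows.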