Say I was looking to find technique T1113 (Screen Capture, Technique T1113 - Enterprise | MITRE ATT&CK®) in CTI Butler, how would I write a query to go about doing this?
Let's start with the information we need to write the query…
ATT&CK objects record their IDs in the external_references.external_id STIX property, in the external reference whose external_references.source_name is mitre-attack (other references on the same object, e.g. to external catalogues, carry different source_name values).
For example,
```json
"external_references": [
    {
        "external_id": "T1113",
        "source_name": "mitre-attack",
        "url": "https://attack.mitre.org/techniques/T1113"
    },
```
Same for other object types, e.g. Tool…
```json
"external_references": [
    {
        "external_id": "S0592",
        "source_name": "mitre-attack",
        "url": "https://attack.mitre.org/software/S0592"
    },
```
Or Tactics…
```json
"external_references": [
    {
        "external_id": "TA0003",
        "url": "https://attack.mitre.org/tactics/TA0003",
        "source_name": "mitre-attack"
    }
```
For those new to ATT&CK, read this…
So let's use T1113 as an example in CTI Butler. Using the information above we get the query:
```aql
FOR doc IN mitre_attack_enterprise_vertex_collection
    FILTER doc._stix2arango_note != "automatically imported on collection creation"
        AND doc._stix2arango_note == "v15.1"
        AND doc.type == "attack-pattern"
        AND doc.x_mitre_is_subtechnique == false
    FOR extRef IN doc.external_references
        FILTER extRef.external_id == "T1113"
            AND extRef.source_name == "mitre-attack"
        LET keys = ATTRIBUTES(doc)
        LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
        RETURN KEEP(doc, filteredKeys)
```
Some assumptions in this query…
- we know we want v15.1
- we know it’s a technique but not a sub-technique
- we know its ID
Some of these filters are overkill when working only in the mitre_attack_enterprise_vertex_collection, but they ensure the correct results if you're working outside this collection, where the same external_id may appear under a different source_name or in a different ATT&CK version.