I’m also posting some notes from my own research a few years ago.
The following work is redundant to us now as we built CTI Butler to address some of the limitations of the ATT&CK TAXII server (among other things), but I appreciate not everyone will want to use CTI Butler too 🙂
If you want to follow along with downloading objects, I'll use the OASIS TAXII Client to interact with the MITRE TAXII server:
```shell
git clone https://github.com/oasis-open/cti-taxii-client/
cd cti-taxii-client
python3 -m venv cti-taxii-client_env
source cti-taxii-client_env/bin/activate
pip3 install taxii2-client
pip3 install stix2
```
MITRE's TAXII server is accessible at https://cti-taxii.mitre.org/taxii/
Note, it's a TAXII 2.0 server (so we're importing `.v20` content):
```python
## python3 get_api_roots.py
### import requirements https://taxii2client.readthedocs.io/en/latest/api/taxii2client.v20.html#taxii2client.v20.Server
from taxii2client.v20 import Server

# define server and get API Root
server = Server("https://cti-taxii.mitre.org/taxii/")
api_root = server.api_roots[0]

# Print name and ID of all ATT&CK domains available as collections
for collection in api_root.collections:
    print(collection.title + ": " + collection.id)
```
```text
python3 get_api_roots.py
Enterprise ATT&CK: 95ecc380-afe9-11e4-9b6c-751b66dd541e
PRE-ATT&CK: 062767bd-02d2-4b72-84ba-56caef0f8658
Mobile ATT&CK: 2f669986-b40b-4423-b720-4396ca6a462b
ICS ATT&CK: 02c3ef24-9cd4-48f3-a99f-b74ce24f1d34
```
The ID of each collection can then be used to get the content of that collection.
In this code, I add filters, then filter on only Techniques and finally print the first technique:
```python
## python3 get_enterprise_techniques.py
### import requirements https://taxii2client.readthedocs.io/en/latest/api/taxii2client.v20.html#taxii2client.v20.Collection
### https://stix2.readthedocs.io/en/latest/api/datastore/stix2.datastore.taxii.html#stix2.datastore.taxii.TAXIICollectionSource
from stix2 import TAXIICollectionSource, Filter
from taxii2client.v20 import Collection

# Initialize dictionary to hold Enterprise ATT&CK content
attack = {}

# Establish TAXII2 Collection instance for Enterprise ATT&CK
collection = Collection("https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/")

# Supply the collection to TAXIICollection
tc_source = TAXIICollectionSource(collection)

# Create filters to retrieve content from Enterprise ATT&CK
# (a value may be a single Filter or a list of Filters that must all match)
filter_objs = {
    "techniques": [Filter("type", "=", "attack-pattern"), Filter("x_mitre_is_subtechnique", "=", False)],
    "sub-techniques": [Filter("type", "=", "attack-pattern"), Filter("x_mitre_is_subtechnique", "=", True)],
    "mitigations": Filter("type", "=", "course-of-action"),
    "groups": Filter("type", "=", "intrusion-set"),
    "malwares": Filter("type", "=", "malware"),
    "tools": Filter("type", "=", "tool"),
    "relationships": Filter("type", "=", "relationship"),
    "x-mitre-tactics": Filter("type", "=", "x-mitre-tactic"),
    "x-mitre-data-components": Filter("type", "=", "x-mitre-data-component"),
    "x-mitre-data-sources": Filter("type", "=", "x-mitre-data-source"),
    "x-mitre-matrix": Filter("type", "=", "x-mitre-matrix")
}

# Retrieve all Enterprise ATT&CK content
for key in filter_objs:
    attack[key] = tc_source.query(filter_objs[key])

# For visual purposes, print the first technique received
print(attack["techniques"][0])
```
```json
{
  "type": "attack-pattern",
  "id": "attack-pattern--43c9bc06-715b-42db-972f-52d25c09a20c",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "created": "2023-09-01T21:03:13.406Z",
  "modified": "2023-10-01T02:28:45.147Z",
  "name": "Content Injection",
  "description": "Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other data to already compromised systems.(Citation: ESET MoustachedBouncer)\n\nAdversaries may inject content to victim systems in various ways, including:\n\n* From the middle, where the adversary is in-between legitimate online client-server communications (**Note:** this is similar but distinct from [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557), which describes AiTM activity solely within an enterprise environment) (Citation: Kaspersky Encyclopedia MiTM)\n* From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server (Citation: Kaspersky ManOnTheSide)\n\nContent injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with \"lawful interception.\"(Citation: Kaspersky ManOnTheSide)(Citation: ESET MoustachedBouncer)(Citation: EFF China GitHub Attack)",
  "kill_chain_phases": [
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "initial-access"
    },
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "command-and-control"
    }
  ],
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/techniques/T1659",
      "external_id": "T1659"
    },
    {
      "source_name": "EFF China GitHub Attack",
      "description": "Budington, B. (2015, April 2). China Uses Unencrypted Websites to Hijack Browsers in GitHub Attack. Retrieved September 1, 2023.",
      "url": "https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack"
    },
    {
      "source_name": "ESET MoustachedBouncer",
      "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 1, 2023.",
      "url": "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/"
    },
    {
      "source_name": "Kaspersky Encyclopedia MiTM",
      "description": "Kaspersky IT Encyclopedia. (n.d.). Man-in-the-middle attack. Retrieved September 1, 2023.",
      "url": "https://encyclopedia.kaspersky.com/glossary/man-in-the-middle-attack/"
    },
    {
      "source_name": "Kaspersky ManOnTheSide",
      "description": "Starikova, A. (2023, February 14). Man-on-the-side – peculiar attack. Retrieved September 1, 2023.",
      "url": "https://usa.kaspersky.com/blog/man-on-the-side/27854/"
    }
  ],
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_data_sources": [
    "Network Traffic: Network Traffic Content",
    "Process: Process Creation",
    "File: File Creation"
  ],
  "x_mitre_deprecated": false,
  "x_mitre_detection": "",
  "x_mitre_domains": [
    "enterprise-attack"
  ],
  "x_mitre_is_subtechnique": false,
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_platforms": [
    "Linux",
    "macOS",
    "Windows"
  ],
  "x_mitre_version": "1.0"
}
```
I could also modify the code to search for a specific object based on ID, in this case Software S0104, as follows:
```python
## python3 get_S0104_object.py
### import requirements https://taxii2client.readthedocs.io/en/latest/api/taxii2client.v20.html#taxii2client.v20.Collection
### https://stix2.readthedocs.io/en/latest/api/datastore/stix2.datastore.taxii.html#stix2.datastore.taxii.TAXIICollectionSource
from stix2 import TAXIICollectionSource, Filter
from taxii2client.v20 import Collection

# Initialize dictionary to hold Enterprise ATT&CK content
attack = {}

# Establish TAXII2 Collection instance for Enterprise ATT&CK
collection = Collection("https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/")

# Supply the collection to TAXIICollection
tc_source = TAXIICollectionSource(collection)

# Create a filter that matches on the ATT&CK ID stored in the object's external references
filter_objs = {
    "S0104": Filter("external_references.external_id", "=", "S0104")
}

# Retrieve the objects matching each filter
for key in filter_objs:
    attack[key] = tc_source.query(filter_objs[key])

# For visual purposes, print the first object matched
print(attack["S0104"][0])
```
```text
python3 get_S0104_object.py
{
  "type": "tool",
  "id": "tool--4664b683-f578-434f-919b-1c1aad2a1111",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "created": "2017-05-31T21:33:04.545Z",
  "modified": "2023-07-25T19:25:05.678Z",
  "name": "netstat",
  "description": "[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)",
  "labels": [
    "tool"
  ],
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/software/S0104",
      "external_id": "S0104"
    },
    {
      "source_name": "TechNet Netstat",
      "description": "Microsoft. (n.d.). Netstat. Retrieved April 17, 2016.",
      "url": "https://technet.microsoft.com/en-us/library/bb490947.aspx"
    }
  ],
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "x_mitre_aliases": [
    "netstat"
  ],
  "x_mitre_attack_spec_version": "3.1.0",
  "x_mitre_deprecated": false,
  "x_mitre_domains": [
    "enterprise-attack"
  ],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.2"
}
```
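The two query styles above (filtering by object type plus `x_mitre_is_subtechnique`, and matching on `external_references.external_id`) can be exercised without the TAXII server: the following is an added example, not code from the original post or from MITRE, that re-implements the stix2 `Filter` matching in plain Python over a constructed mini-bundle and then follows `uses` relationships from a group to its techniques, which the post's scripts stop short of. The object IDs and ATT&CK IDs inside `sample_bundle()` are placeholders, not real ATT&CK data.

```python
# Added example, not from the original post: a stdlib-only stand-in for the stix2
# Filter("prop", "=", value) lookups used above, run on a constructed offline bundle.
def _walk(value, path):
    """Every value at a dotted path, descending into lists like stix2's Filter does."""
    if not path:
        return [value]
    if isinstance(value, list):
        return [v for item in value for v in _walk(item, path)]
    if isinstance(value, dict) and path[0] in value:
        return _walk(value[path[0]], path[1:])
    return []

def query(objects, filters):
    """Objects satisfying every (prop, "=", value) triple, like TAXIICollectionSource.query."""
    assert all(op == "=" for _, op, _ in filters), "only '=' is implemented"
    return [o for o in objects
            if all(value in _walk(o, prop.split(".")) for prop, _, value in filters)]

def attack_id(obj):
    """The ATT&CK ID (T1659, S0104, ...) from the mitre-attack external reference, or ''."""
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), "")

def techniques_used_by(objects, group_attack_id):
    """Follow 'uses' relationships from a group to the ATT&CK IDs of its techniques."""
    groups = query(objects, [("type", "=", "intrusion-set"),
                             ("external_references.external_id", "=", group_attack_id)])
    if not groups:
        return []
    by_id = {o["id"]: o for o in objects}
    rels = query(objects, [("type", "=", "relationship"), ("relationship_type", "=", "uses"),
                           ("source_ref", "=", groups[0]["id"])])
    targets = [by_id[r["target_ref"]] for r in rels if r["target_ref"] in by_id]
    return sorted(attack_id(t) for t in targets if t["type"] == "attack-pattern")

def sample_bundle():
    """Constructed sample objects: IDs and ATT&CK IDs are placeholders, not real ATT&CK data."""
    def obj(kind, ext, **extra):
        ref = [{"source_name": "mitre-attack", "external_id": ext}]
        return {"type": kind, "id": kind + "--" + ext.lower(), "external_references": ref, **extra}
    def uses(src, dst):
        return {"type": "relationship", "id": "relationship--" + src + "-" + dst,
                "relationship_type": "uses", "source_ref": src, "target_ref": dst}
    return [obj("intrusion-set", "G9999"),
            obj("attack-pattern", "T9999", x_mitre_is_subtechnique=False),
            obj("attack-pattern", "T9999.001", x_mitre_is_subtechnique=True),
            obj("tool", "S9999"),
            uses("intrusion-set--g9999", "attack-pattern--t9999.001"),
            uses("intrusion-set--g9999", "tool--s9999")]
```

The same `query()` calls work unchanged on a list of dicts produced by `json.load` of a real ATT&CK STIX bundle, so the relationship walk can be run against a downloaded copy rather than a live TAXII collection.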