@dtp1900 techniques are not supported for Navigator Layers, because the output would not be particularly useful (you would just get the Techniques selected highlighted in the Navigator).
Currently in CTI Butler only the following ATT&CK object types are supported to generate a layer file:
- Software (SNNNN, tool, malware)
- Groups (GNNNN, intrusion-set)
- Campaigns (CNNNN, campaign)
- Mitigations (MNNNN, course-of-action)
- Assets (ANNNN, x-mitre-asset)
e.g.
```shell
curl -X 'GET' \
  'https://api.ctibutler.com/v1/attack-enterprise/objects/C0030/navigator/' \
  -H 'accept: application/json' \
  -H 'API-KEY: HIDDEN'
```
```json
{
  "description": "Techniques used by Triton Safety Instrumented System Attack (C0030)",
  "name": "C0030",
  "domain": "enterprise-attack",
  "versions": {
    "layer": "4.5",
    "attack": "18.0",
    "navigator": "5.1.0"
  },
  "techniques": [
    {
      "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) used tools such as Mimikatz and other open-source software.(Citation: FireEye TEMP.Veles 2018)",
      "score": 100,
      "showSubtechniques": true,
      "techniqueID": "T1588.002"
    },
    {
      "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.",
      "score": 100,
      "showSubtechniques": true,
      "techniqueID": "T1036.005"
    },
    {
      "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) installed scheduled tasks defined in XML files.(Citation: FireEye TEMP.Veles 2018)",
      "score": 100,
      "showSubtechniques": true,
      "techniqueID": "T1053.005"
    },
    {
      "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) used Mimikatz.(Citation: FireEye TRITON 2018)",
      "score": 100,
      "showSubtechniques": true,
      "techniqueID": "T1003.001"
    },
    {
      "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) developed, prior to the attack, malware capabilities that would require access to specific and specialized hardware and software.(Citation: FireEye TRITON Dec 2017)",
      "score": 100,
      "showSubtechniques": true,
      "techniqueID": "T1587.001"
    },
    {
      "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) captured credentials as they were being changed by redirecting text-based login codes to websites they controlled.(Citation: Triton-EENews-2017)",
      "score": 100,
      "showSubtechniques": true,
      "techniqueID": "T1056.003"
    },
    {
      "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) used a publicly available PowerShell-based tool, WMImplant.(Citation: FireEye TEMP.Veles 2018)",
      "score": 100,
      "showSubtechniques": true,
      "techniqueID": "T1059.001"
    },
    {
      "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) modified files based on the open-source project cryptcat in an apparent attempt to decrease anti-virus detection rates.(Citation: FireEye TEMP.Veles 2018)",
      "score": 100,
      "showSubtechniques": true,
      "techniqueID": "T1027.005"
    },
    {
      "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) used cryptcat binaries to encrypt their traffic.(Citation: FireEye TEMP.Veles 2018)",
      "score": 100,
      "showSubtechniques": true,
      "techniqueID": "T1573"
    },
    {
      "comment": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) engaged in network reconnaissance against targets of interest.(Citation: FireEye TEMP.Veles 2018)",
      "score": 100,
      "showSubtechniques": true,
      "techniqueID": "T1595"
    }
  ],
  "gradient": {
    "colors": [
      "#ffffff",
      "#ff6666"
    ],
    "minValue": 0,
    "maxValue": 100
  },
  "legendItems": [],
  "metadata": [
    {
      "name": "stix_id",
      "value": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf"
    },
    {
      "name": "attack_id",
      "value": "C0030"
    }
  ],
  "links": [
    {
      "label": "cti_butler",
      "url": "https://app.ctibutler.com"
    }
  ],
  "layout": {
    "layout": "side"
  }
}
```
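The following is an added example, not part of the original reply and not CTI Butler's own code. It checks an ATT&CK ID against the supported object types listed above before building the navigator URL, then compares a returned layer with a detection inventory to list uncovered techniques. The function names `navigator_url` and `detection_gaps` and the `covered` inventory are assumptions for illustration.

```python
import re

# Endpoint pattern from the curl call above; ID prefixes from the supported-types list.
BASE = "https://api.ctibutler.com/v1/attack-enterprise/objects"
SUPPORTED = {"S": "tool/malware", "G": "intrusion-set", "C": "campaign",
             "M": "course-of-action", "A": "x-mitre-asset"}
ATTACK_ID = re.compile(r"^([A-Z]+)(\d{4})(\.\d{3})?$")

# Constructed sample: the C0030 response above, cut down to four techniques.
SAMPLE_LAYER = {
    "name": "C0030",
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1588.002", "score": 100},
        {"techniqueID": "T1003.001", "score": 100},
        {"techniqueID": "T1059.001", "score": 100},
        {"techniqueID": "T1573", "score": 100},
    ],
}

def navigator_url(attack_id):
    """Build the layer URL, rejecting IDs whose object type has no layer."""
    m = ATTACK_ID.match(attack_id.strip().upper())
    if not m:
        raise ValueError(f"not an ATT&CK ID: {attack_id!r}")
    if m.group(1) not in SUPPORTED or m.group(3):
        raise ValueError(f"no Navigator layer for object type of {attack_id}")
    return f"{BASE}/{m.group(0)}/navigator/"

def detection_gaps(layer, covered):
    """Return scored techniques in the layer with no detection, grouped by parent."""
    if layer.get("domain") != "enterprise-attack":
        raise ValueError("expected an enterprise-attack layer")
    gaps = {}
    for tech in layer.get("techniques", []):
        tid = tech["techniqueID"]
        if tech.get("score", 0) > 0 and tid not in covered:
            gaps.setdefault(tid.split(".")[0], []).append(tid)
    return {parent: sorted(ids) for parent, ids in sorted(gaps.items())}

if __name__ == "__main__":
    print(navigator_url("C0030"))
    # Hypothetical inventory: technique IDs that already have detections.
    print(detection_gaps(SAMPLE_LAYER, covered={"T1003.001", "T1059.001"}))
```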