In [6]:
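from stix2 import FileSystemSource

# Local checkout of the MITRE ATT&CK STIX data (the `enterprise-attack`
# directory; in the mitre/cti repository it sits under `./cti/`).
# Kept as one constant so the path is the only thing to edit when the
# data lives somewhere else.
ATTACK_DIR = './enterprise-attack'

# Read-only STIX data source backed by the JSON files in ATTACK_DIR.
fs = FileSystemSource(ATTACK_DIR)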

In [7]:
from stix2 import Filter

# Pull every malware object out of the ATT&CK source ...
malware_filter = Filter("type", "=", 'malware')
malwares = fs.query(malware_filter)

# ... and keep only the entries named exactly 'Emotet'.
# NOTE(review): this matches on name only; ATT&CK data can carry
# revoked/deprecated versions of an object — confirm only one current
# Emotet object is returned before relying on emotets[0].
emotets = []
for entry in malwares:
    if entry.name == 'Emotet':
        emotets.append(entry)

In [8]:
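# Exactly one Emotet object is expected; fail loudly here rather than
# letting an empty (or ambiguous) result surface as an IndexError, or as
# the wrong id, in the cells below.
assert len(emotets) == 1, (
    "expected exactly one Emotet malware object, found {}".format(len(emotets))
)
emotets[0].id    # View Emotet's id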

'malware--32066e94-3112-48ca-b9eb-ba2b59d2f023'

In [9]:
# Query all relationships involving Emotet using its id
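# Query all relationships involving Emotet using its id.
# Take the id from the object found above instead of pasting the literal
# from the previous cell's output, so the lookup survives a data refresh
# and cannot silently point at a different object.
emotet_id = emotets[0].id

all_rs = fs.query(Filter("type", "=", 'relationship'))

# Only outgoing relationships (Emotet as source_ref) are kept; relationships
# where Emotet is the target are not part of this list.
# NOTE(review): relationship_type is not checked here — the first result
# shown below is 'uses', but confirm that is true of all of them if the
# list is used to mean "techniques Emotet uses".
relationships = [r for r in all_rs if r.source_ref == emotet_id]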

In [10]:
# Show the first relationship in its JSON form. print() is deliberate:
# a bare expression would display the constructor-style repr instead.
first_relationship = relationships[0]
print(first_relationship)

{
    "type": "relationship",
    "id": "relationship--088ed15f-46da-4b32-a182-68553c61f09b",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "created": "2019-04-01T15:06:38.851Z",
    "modified": "2019-06-28T15:25:29.614Z",
    "relationship_type": "uses",
    "description": "[Emotet](https://attack.mitre.org/software/S0367) has been observed encrypting the data it collects before sending it to the C2 server.",
    "source_ref": "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023",
    "target_ref": "attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638",
    "external_references": [
        {
            "source_name": "Fortinet Emotet May 2017",
            "description": "Xiaopeng Zhang. (2017, May 3). Deep Analysis of New Emotet Variant \u2013 Part 1. Retrieved April 1, 2019.",
            "url": "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-1.html"
        }
    ],
    "object_marking_refs": [
        "marking-defini

In [11]:
# Store Emotet's attack patterns' ids in a list
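# Store Emotet's attack patterns' ids in a list, in relationship order.
# A STIX relationship's target_ref may name any object type, so keep only
# attack-pattern ids — that is what the name lookup further down expects.
# (On the data shown in this notebook every target was an attack-pattern,
# so this is a guard, not a change in results.)
patterns = [
    r.target_ref
    for r in relationships
    if r.target_ref.startswith('attack-pattern--')
]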

In [12]:
patterns    # Emotet's attack-pattern ids, one per relationship, in relationship order

['attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638',
 'attack-pattern--4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5',
 'attack-pattern--ba8e391f-14b5-496f-81f2-2d5ecd646c1c',
 'attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd',
 'attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055',
 'attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00',
 'attack-pattern--ffe742ed-9100-4686-9e00-c331da544787',
 'attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81',
 'attack-pattern--9422fc14-1c43-410d-ab0f-a709b76c72dc',
 'attack-pattern--20138b9d-1aac-4a26-8654-a36b6bbf2bba',
 'attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d',
 'attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82',
 'attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e',
 'attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9',
 'attack-pattern--f4882e23-8aa7-4b12-b28a-b349c12ee9e0',
 'attack-pattern--7fd87010-3a00-4da3-b905-410525e8ec44',
 'attack-pattern--c848fcf7-6b62-4bde-8216-b6c157d48da0',
 'attack-pattern--8c32eb4d-805f

In [8]:
# Query all attack patterns
# Query all attack patterns (ATT&CK techniques) from the source.
# NOTE(review): the execution counter restarts at In [8] from here on, so
# these cells were run in a different session than the ones above —
# confirm the notebook still works under Restart Kernel → Run All.
filt = Filter(
    'type',
    '=',
    'attack-pattern',
)
att = fs.query(filt)

In [9]:
att[0]    # Constructor-style repr of the first attack pattern (includes its full description)

AttackPattern(type='attack-pattern', id='attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-05-31T21:30:54.176Z', modified='2018-10-17T00:14:20.652Z', name='Indicator Removal from Tools', description="If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\n\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may use [Software Packing](https://attack.mitre.org/techniques/T1045) or otherwise modify the file so it has a different signature, and then re-use the malware

In [10]:
# Size of the technique catalogue and the id of its first entry.
# 266 was the count when this notebook was run; it changes with each
# ATT&CK release, so do not hard-code it anywhere downstream.
pattern_count = len(att)
first_pattern_id = att[0].id
print(pattern_count)
print(first_pattern_id)

266
attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6


In [12]:
# View names of all Emotet's patterns
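# View names of all Emotet's patterns.
# Index the techniques by id once rather than rescanning `att` for every
# Emotet pattern (the nested loop was O(len(patterns) * len(att))), and
# avoid shadowing the builtin `id`.
names_by_id = {a.id: a.name for a in att}

for pattern_id in patterns:
    name = names_by_id.get(pattern_id)
    # An id with no match in `att` is skipped, as before — presumably a
    # relationship pointing at an object absent from this query; verify
    # against the data if the printed list looks short.
    if name is not None:
        print(name)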

Data Encrypted
Standard Cryptographic Protocol
Credentials in Files
Brute Force
Windows Management Instrumentation
Custom Command and Control Protocol
Windows Admin Shares
Valid Accounts
Registry Run Keys / Startup Folder
Spearphishing Link
Exfiltration Over Command and Control Channel
Exploitation of Remote Services
Commonly Used Port
Scheduled Task
PowerShell
Scripting
Uncommonly Used Port
User Execution
Obfuscated Files or Information
Credential Dumping
Network Sniffing
Spearphishing Attachment
Software Packing
Process Discovery
Process Injection
Email Collection
New Service
Command-Line Interface
