In [3]:
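# Install the ATT&CK helper library with the explicit %pip magic, which targets the running
# kernel's environment and does not depend on IPython's automagic setting.
# NOTE(review): the install is unpinned, so each run may pull a different release. Pin a reviewed
# version (mitreattack-python==<REVIEWED_VERSION>) so results are reproducible and a changed
# upstream release cannot silently alter what this notebook executes.
%pip install mitreattack-python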

Note: you may need to restart the kernel to use updated packages.


In [4]:
import mitreattack.attackToExcel.attackToExcel as attackToExcel
import mitreattack.attackToExcel.stixToDf as stixToDf

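# Download and parse the Enterprise ATT&CK STIX bundle.
# NOTE(review): the bundle is fetched over the network at run time, so row order and index labels
# change between ATT&CK releases. Record the release used (or load a reviewed local copy) when
# results must be reproducible.
attackdata = attackToExcel.get_stix_data("enterprise-attack")
techniques_data = stixToDf.techniquesToDf(attackdata, "enterprise-attack")

# Show T1102 and its sub-techniques. Match the ID exactly or by the "T1102." prefix rather than
# with str.contains, which treats the pattern as a regex and would also match any longer ID that
# merely contains "T1102".
techniques_df = techniques_data["techniques"]
technique_ids = techniques_df["ID"]
is_t1102 = technique_ids.eq("T1102") | technique_ids.str.startswith("T1102.", na=False)
print(techniques_df[is_t1102]["name"])
# Expected names (index labels differ between ATT&CK releases):
#   Web Service
#   Web Service: Bidirectional Communication
#   Web Service: Dead Drop Resolver
#   Web Service: One-Way Communication

# Show citation data for the "LOLBAS Wmic" reference. regex=False makes this a literal substring
# match and na=False skips rows that have no reference text.
citations_df = techniques_data["citations"]
print(citations_df[citations_df["reference"].str.contains("LOLBAS Wmic", regex=False, na=False)])
# Expected: one row, citation "LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2..." with a
# lolbas-project.github.io URL (both truncated by the display).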

2025-02-23 01:45:07.633 | INFO     | mitreattack.attackToExcel.attackToExcel:get_stix_data:69 - Downloading ATT&CK data from github.com/mitre/cti
parsing techniques: 100%|██████████| 656/656 [00:00<00:00, 1499.68it/s]
parsing relationships for type=technique: 100%|██████████| 19163/19163 [00:01<00:00, 15155.59it/s]


353                                 Web Service
483    Web Service: Bidirectional Communication
637             Web Service: Dead Drop Resolver
404          Web Service: One-Way Communication
Name: name, dtype: object
        reference                                           citation  \
1860  LOLBAS Wmic  LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2...   

                                                    url  
1860  https://lolbas-project.github.io/lolbas/Binari...  


In [5]:
# Show the column labels of the techniques DataFrame.
column_labels = techniques_df.columns
print(column_labels)


Index(['ID', 'STIX ID', 'name', 'description', 'url', 'created',
       'last modified', 'domain', 'version', 'tactics', 'detection',
       'platforms', 'data sources', 'is sub-technique', 'sub-technique of',
       'defenses bypassed', 'contributors', 'permissions required',
       'supports remote', 'system requirements', 'impact type',
       'effective permissions', 'relationship citations'],
      dtype='object')


In [6]:
# Display the techniques table as the cell's output; pandas abbreviates the long frame with
# "..." rows and columns, so this is a preview rather than the full data.
techniques_df

Unnamed: 0,ID,STIX ID,name,description,url,created,last modified,domain,version,tactics,...,is sub-technique,sub-technique of,defenses bypassed,contributors,permissions required,supports remote,system requirements,impact type,effective permissions,relationship citations
279,T1548,attack-pattern--67720091-eee3-4d2d-ae16-826456...,Abuse Elevation Control Mechanism,Adversaries may circumvent mechanisms designed...,https://attack.mitre.org/techniques/T1548,30 January 2020,15 October 2024,enterprise-attack,1.4,"Defense Evasion, Privilege Escalation",...,False,,,,"Administrator, User",,,,,"(Citation: TrendMicro RaspberryRobin 2022),(Ci..."
55,T1548.002,attack-pattern--120d5519-3098-4e1c-9191-2aa612...,Abuse Elevation Control Mechanism: Bypass User...,Adversaries may bypass UAC mechanisms to eleva...,https://attack.mitre.org/techniques/T1548/002,30 January 2020,21 April 2023,enterprise-attack,2.1,"Defense Evasion, Privilege Escalation",...,True,T1548,Windows User Account Control,Casey Smith; Stefan Kanthak,"Administrator, User",,,,Administrator,"(Citation: Microsoft BlackCat Jun 2022),(Citat..."
467,T1548.004,attack-pattern--b84903f0-c7d5-435d-a69e-de47cc...,Abuse Elevation Control Mechanism: Elevated Ex...,Adversaries may leverage the <code>Authorizati...,https://attack.mitre.org/techniques/T1548/004,30 January 2020,19 October 2022,enterprise-attack,1.0,"Defense Evasion, Privilege Escalation",...,True,T1548,,"Erika Noerenberg, @gutterchurl, Carbon Black; ...","Administrator, User",,,,root,"(Citation: Carbon Black Shlayer Feb 2019),"
281,T1548.001,attack-pattern--6831414d-bb70-42b7-8030-d4e06b...,Abuse Elevation Control Mechanism: Setuid and ...,An adversary may abuse configurations where an...,https://attack.mitre.org/techniques/T1548/001,30 January 2020,15 March 2023,enterprise-attack,1.1,"Defense Evasion, Privilege Escalation",...,True,T1548,,,User,,,,,"(Citation: ANSSI Sandworm January 2021),(Citat..."
58,T1548.003,attack-pattern--1365fe3b-0f50-455d-b4da-266ce3...,Abuse Elevation Control Mechanism: Sudo and Su...,Adversaries may perform sudo caching and/or us...,https://attack.mitre.org/techniques/T1548/003,30 January 2020,14 March 2022,enterprise-attack,1.0,"Defense Evasion, Privilege Escalation",...,True,T1548,,,User,,,,root,(Citation: Cobalt Strike Manual 4.3 November 2...
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
483,T1102.002,attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8...,Web Service: Bidirectional Communication,"Adversaries may use an existing, legitimate ex...",https://attack.mitre.org/techniques/T1102/002,14 March 2020,26 March 2020,enterprise-attack,1.0,Command and Control,...,True,T1102,,,User,,,,,"(Citation: ESET Dukes October 2019),(Citation:..."
637,T1102.001,attack-pattern--f7827069-0bf2-4764-af4f-23fae0...,Web Service: Dead Drop Resolver,"Adversaries may use an existing, legitimate ex...",https://attack.mitre.org/techniques/T1102/001,14 March 2020,26 March 2020,enterprise-attack,1.0,Command and Control,...,True,T1102,,,User,,,,,"(Citation: ESET Dukes October 2019),(Citation:..."
404,T1102.003,attack-pattern--9c99724c-a483-4d60-ad9d-7f004e...,Web Service: One-Way Communication,"Adversaries may use an existing, legitimate ex...",https://attack.mitre.org/techniques/T1102/003,14 March 2020,26 March 2020,enterprise-attack,1.0,Command and Control,...,True,T1102,,,User,,,,,"(Citation: FireEye Periscope March 2018),(Cita..."
5,T1047,attack-pattern--01a5a209-b94c-450b-b7f9-946497...,Windows Management Instrumentation,Adversaries may abuse Windows Management Instr...,https://attack.mitre.org/techniques/T1047,31 May 2017,15 October 2024,enterprise-attack,1.5,Execution,...,False,,,"@ionstorm; Olaf Hartong, Falcon Force; Tristan...",,True,,,,"(Citation: DFIR Conti Bazar Nov 2021),(Citatio..."


In [7]:
# Save the full techniques table as a workbook in the working directory; the row index is not written.
techniques_df.to_excel(excel_writer="techniques.xlsx", index=False)

In [35]:
import pandas as pd

# Load the CVE -> CWE -> ATT&CK mapping workbook and keep only rows that carry a technique mapping.
# NOTE(review): in the preview printed by this cell, MITRE_Technique values look like
# "1027.006 - <name>" (no "T" prefix) and one cell can hold several entries separated by ";".
# Normalise them before comparing with techniques_df["ID"].
cvedata = pd.read_excel("cve_cwe_mitre_mapped.xlsx").dropna(subset=["MITRE_Technique"])
print(cvedata.head())

# Write the filtered rows to a new workbook without the row index.
# NOTE(review): the provenance of cve_cwe_mitre_mapped.xlsx is not shown and its description
# columns are free text. Check for values beginning with "=" before sharing the workbook, since
# spreadsheet writers can store such strings as formulas.
cvedata.to_excel("processed_cve_data.xlsx", index=False)

          CVE_ID   CWE_ID                                    MITRE_Technique  \
0  CVE-1999-0509   CWE-94  1027.006 - Obfuscated Files or Information: HT...   
3  CVE-1999-0236  CWE-200  1562.003 - Impair Defenses:Impair Command Hist...   
4  CVE-1999-0236  CWE-200  1217 - Browser Bookmark Discovery; 1592 - Gath...   
5  CVE-1999-0236  CWE-200                     1018 - Remote System Discovery   
6  CVE-1999-0236  CWE-200                       1124 - System Time Discovery   

                                     CVE_Description  \
0  Perl, sh, csh, or other shell interpreters are...   
3  ScriptAlias directory in NCSA and Apache httpd...   
4  ScriptAlias directory in NCSA and Apache httpd...   
5  ScriptAlias directory in NCSA and Apache httpd...   
6  ScriptAlias directory in NCSA and Apache httpd...   

                                     CWE_Description  CVSS_Base_Score  \
0  The product constructs all or part of a code s...             10.0   
3  The product exposes sensitive inf