In [1]:
from constants import Mode, GET_ATRM_SOURCE
# Local STIX 2.0 JSON bundle of ATRM, resolved relative to the notebook's
# working directory; it is the file handed to MitreAttackData in the next cell.
path = "../build/atrm_attack_compatible.json"

# source_name under which ATRM identifiers are recorded in each object's
# external_references (see get_technique_id below).
source = GET_ATRM_SOURCE(mode=Mode.attack_compatible)
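def get_technique_id(technique, source_name=None):
    """Return the ATRM identifier (e.g. ``AZT303``) recorded on a STIX object.

    A STIX object's own ``id`` is not an ATRM id; the ATRM id lives in the
    ``external_references`` entry whose ``source_name`` is the ATRM source,
    so that entry's ``external_id`` is returned.

    Args:
        technique: STIX object (tactic or attack-pattern) exposing an
            ``external_references`` sequence whose items have ``source_name``
            and ``external_id`` attributes.
        source_name: ``source_name`` to match. Defaults to the notebook-level
            ``source`` computed in this cell; passing it explicitly makes the
            helper usable outside the notebook.

    Returns:
        The ``external_id`` of the first matching reference (same choice the
        original ``[...][0]`` made when several references share the source).

    Raises:
        ValueError: if the object carries no reference from ``source_name``.
            The original indexed ``[0]`` on an empty list and raised a bare
            ``IndexError`` with no hint of which object was at fault.
    """
    if source_name is None:
        source_name = source  # notebook-level value defined above
    for reference in technique.external_references:
        if reference.source_name == source_name:
            return reference.external_id
    raise ValueError(
        f"{getattr(technique, 'id', technique)!r} has no external reference "
        f"with source_name {source_name!r}"
    )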

# Get all ATRM tactics 

In [2]:
from mitreattack.stix20 import MitreAttackData
from constants import GET_ATRM_SOURCE


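# Load the ATRM bundle from `path` (cell 1); every later cell queries this object.
mitre_attack_data = MitreAttackData(path)
# Revoked and deprecated tactics are excluded up front so the listing only
# contains current entries.
tactics = mitre_attack_data.get_tactics(remove_revoked_deprecated=True)
print(f"Retrieved {len(tactics)} ATRM tactics:")
for tactic in tactics:
    # `tactic_id` instead of `id`: the original loop shadowed the builtin, and
    # the loop variable is a tactic, not a technique.
    tactic_id = get_technique_id(tactic)
    print(f"- [{tactic_id}] {tactic.name}")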



Retrieved 7 ATRM tactics:
- [AZTA100] Reconnaissance
- [AZTA200] Initial Access
- [AZTA300] Execution
- [AZTA400] Privilege Escalation
- [AZTA500] Persistence
- [AZTA600] Credential Access
- [AZTA700] Impact



# Get all ATRM techniques

In [3]:
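# All current ATRM techniques (revoked/deprecated ones dropped), relying on
# `mitre_attack_data` built in the previous cell.
techniques = mitre_attack_data.get_techniques(remove_revoked_deprecated=True)
print(f"Retrieved {len(techniques)} ATRM techniques.")
for technique in techniques:
    technique_id = get_technique_id(technique)  # not `id`: avoid shadowing the builtin
    print(f"-  [{technique_id}] {technique.name}")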

Retrieved 98 ATRM techniques.
-  [AZT105] Gather Application Information
-  [AZT102] IP Discovery
-  [AZT103] Public Accessible Resource
-  [AZT104] Gather User Information
-  [AZT108] Gather Victim Data
-  [AZT101] Port Mapping
-  [AZT106] Gather Role Information
-  [AZT106.001] Gather AAD Role Information
-  [AZT106.004] List Transitive Role Assignments
-  [AZT106.003] Gather Azure Resources Role Assignments
-  [AZT106.002] Gather Application Role Information
-  [AZT107] Gather Resource Data
-  [AZT202] Password Spraying
-  [AZT203] Malicious Application Consent
-  [AZT201] Valid Credentials
-  [AZT201.002] Service Principal
-  [AZT201.001] User Account
-  [AZT301.005] AKS Command Invoke
-  [AZT301.001] RunCommand
-  [AZT301] Virtual Machine Scripting
-  [AZT301.004] Compute Gallery Application
-  [AZT301.003] Desired State Configuration
-  [AZT301.007] Serial Console
-  [AZT301.006] Vmss Run Command
-  [AZT301.002] CustomScriptExtension
-  [AZT302.002] Automation Account Runbook Run

# Get ATRM techniques by tactic name

In [4]:
from constants import GET_ATRM_DOMAIN


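# Tactic short name as understood by MitreAttackData; change it to list another
# tactic's techniques.
tactic = "execution"
# GET_ATRM_DOMAIN() presumably selects the ATRM domain rather than an ATT&CK
# one — confirm in constants.py. Note that this rebinds `techniques` from the
# previous cell to the execution-only subset; re-run that cell if the full
# list is needed again.
techniques = mitre_attack_data.get_techniques_by_tactic(
    tactic_shortname=tactic,
    domain=GET_ATRM_DOMAIN(),
    remove_revoked_deprecated=True,
)

print(f"Retrieved {len(techniques)} ATRM {tactic} techniques.")
for technique in techniques:
    technique_id = get_technique_id(technique)  # not `id`: avoid shadowing the builtin
    print(f"-  [{technique_id}] {technique.name}")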

Retrieved 14 ATRM execution techniques.
-  [AZT301.005] AKS Command Invoke
-  [AZT301.001] RunCommand
-  [AZT301] Virtual Machine Scripting
-  [AZT301.004] Compute Gallery Application
-  [AZT301.003] Desired State Configuration
-  [AZT301.007] Serial Console
-  [AZT301.006] Vmss Run Command
-  [AZT301.002] CustomScriptExtension
-  [AZT302.002] Automation Account Runbook RunAs Account
-  [AZT302.003] Automation Account Runbook Managed Identity
-  [AZT302] Serverless Scripting
-  [AZT302.004] Function Application
-  [AZT302.001] Automation Account Runbook Hybrid Worker Group
-  [AZT303] Managed Device Scripting


# Get ATRM technique description by id

In [5]:
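# ATRM id to look up; edit this value to inspect a different technique.
atrm_id = "AZT303"
technique = mitre_attack_data.get_object_by_attack_id(
    attack_id=atrm_id, stix_type="attack-pattern"
)
# NOTE(review): guard in case the lookup yields None for an unknown id — confirm
# against MitreAttackData. Without it the attribute access below would fail
# with an AttributeError that does not mention the id that was asked for.
if technique is None:
    raise ValueError(f"no attack-pattern with ATRM id {atrm_id!r} in {path}")

print(f"ATRM technique with ID = {atrm_id}:")
print(f"\tName: {technique.name}")
print(f"\tDescription: {technique.description}")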

ATRM technique with ID = AZT303:
	Name: Managed Device Scripting
	Description: Adversaries may abuse access to any managed devices in AzureAD by executing PowerShell or Python scripts on them.


# Get last commit hash

In [1]:
from git_tools import get_last_commit_hash
from constants import ATRM_PATH

# Records which ATRM checkout the figures above were produced from. This cell
# depends only on the two imports directly above it (its prompt shows In [1],
# so it appears to have been run in a fresh kernel), not on the objects built
# earlier in the notebook.
last_commit_hash = get_last_commit_hash(ATRM_PATH)
print(last_commit_hash)


9f05fef
