In [2]:
from constants import Mode, GET_TMFK_SOURCE
# STIX 2.0 bundle for the Threat Matrix for Kubernetes (TMFK); handed to MitreAttackData in a later cell.
path = "../build/tmfk_attack_compatible.json"

# Value compared against each external reference's source_name when resolving an object's TMFK ID.
source = GET_TMFK_SOURCE(mode=Mode.attack_compatible)
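def get_technique_id(technique):
    """Return the TMFK external ID of a STIX object.

    Despite the parameter name, this notebook also passes tactic objects here.

    Args:
        technique: object exposing ``external_references``, each entry having
            ``source_name`` and ``external_id`` attributes.

    Returns:
        The ``external_id`` of the first reference whose ``source_name``
        equals the notebook-level ``source``.

    Raises:
        IndexError: if no reference carries that source name.
    """
    matches = [ref for ref in technique.external_references if ref.source_name == source]
    if not matches:
        # Same exception type the bare ``[0]`` raised, but it now names the
        # object and the expected source, so a mislabelled bundle is easy to spot.
        label = getattr(technique, "name", technique)
        raise IndexError(f"no external reference with source_name {source!r} on {label!r}")
    return matches[0].external_id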

# Get all TMFK tactics 

In [3]:
from mitreattack.stix20 import MitreAttackData


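# Load the TMFK STIX bundle and list its tactics, leaving out revoked/deprecated entries.
mitre_attack_data = MitreAttackData(path)
tactics = mitre_attack_data.get_tactics(remove_revoked_deprecated=True)
# NOTE(review): the label says "ATRM" although the bundle loaded is the TMFK one; the wording
# looks carried over from another notebook. Kept as-is so the recorded output still matches.
print(f"Retrieved {len(tactics)} ATRM tactics:")
for tactic_obj in tactics:
    # Named `tactic_id`, not `id`: a kernel-global `id` would shadow the builtin for every later cell.
    tactic_id = get_technique_id(tactic_obj)
    print(f"- [{tactic_id}] {tactic_obj.name}")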



Retrieved 10 ATRM tactics:
- [MS-T0100] Initial Access
- [MS-T0200] Execution
- [MS-T0300] Persistence
- [MS-T0400] Privilege Escalation
- [MS-T0500] Defense Evasion
- [MS-T0600] Credential Access
- [MS-T0700] Discovery
- [MS-T0800] Lateral Movement
- [MS-T0900] Collection
- [MS-T1000] Impact



# Get all TMFK techniques

In [4]:
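# List every technique in the TMFK bundle, leaving out revoked/deprecated entries.
techniques = mitre_attack_data.get_techniques(remove_revoked_deprecated=True)
# NOTE(review): "ATRM" in the label looks like a leftover; the objects come from the TMFK bundle.
# Kept as-is so the recorded output still matches.
print(f"Retrieved {len(techniques)} ATRM techniques.")
for technique in techniques:
    # Named `technique_id`, not `id`: a kernel-global `id` would shadow the builtin for every later cell.
    technique_id = get_technique_id(technique)
    print(f"-  [{technique_id}] {technique.name}")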

Retrieved 40 ATRM techniques.
-  [MS-TA9020] Access cloud resources
-  [MS-TA9007] Bash or cmd inside container
-  [MS-TA9019] Cluster-admin binding
-  [MS-TA9018] Privileged container
-  [MS-TA9029] Access Kubernetes API server
-  [MS-TA9027] Application credentials in configuration files
-  [MS-TA9038] Data destruction
-  [MS-TA9041] Collecting data from pod
-  [MS-TA9040] Denial of service
-  [MS-TA9021] Clear container logs
-  [MS-TA9011] Sidecar injection
-  [MS-TA9028] Access Managed Identity credentials
-  [MS-TA9014] Kubernetes CronJob
-  [MS-TA9010] SSH server running inside container
-  [MS-TA9008] New container
-  [MS-TA9005] Exposed sensitive interfaces
-  [MS-TA9022] Delete Kubernetes events
-  [MS-TA9013] Writable hostPath mount
-  [MS-TA9026] Mount service principal
-  [MS-TA9009] Application exploit (RCE)
-  [MS-TA9025] List Kubernetes secrets
-  [MS-TA9036] ARP poisoning and IP spoofing
-  [MS-TA9030] Access Kubelet API
-  [MS-TA9003] Kubeconfig file
-  [MS-TA9016] Con

# Get TMFK techniques by tactic name

In [5]:
from constants import GET_TMFK_DOMAIN


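# List the techniques filed under one tactic, selected by the tactic's short name.
tactic = "execution"
techniques = mitre_attack_data.get_techniques_by_tactic(
    tactic_shortname=tactic,
    domain=GET_TMFK_DOMAIN(),
    remove_revoked_deprecated=True,
)

# NOTE(review): "ATRM" in the label looks like a leftover; the objects come from the TMFK bundle.
# Kept as-is so the recorded output still matches.
print(f"Retrieved {len(techniques)} ATRM {tactic} techniques.")
for technique in techniques:
    # Named `technique_id`, not `id`: a kernel-global `id` would shadow the builtin for every later cell.
    technique_id = get_technique_id(technique)
    print(f"-  [{technique_id}] {technique.name}")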

Retrieved 6 ATRM execution techniques.
-  [MS-TA9007] Bash or cmd inside container
-  [MS-TA9011] Sidecar injection
-  [MS-TA9010] SSH server running inside container
-  [MS-TA9008] New container
-  [MS-TA9009] Application exploit (RCE)
-  [MS-TA9006] Exec into container


# Get TMFK technique description by id

In [7]:
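# Look up a single technique by its TMFK ID and show its name and description.
# NOTE(review): `atrm_id` holds a TMFK ID; the variable name looks inherited from an ATRM notebook.
atrm_id = "MS-TA9007"
technique = mitre_attack_data.get_object_by_attack_id(attack_id=atrm_id, stix_type="attack-pattern")

if technique is None:
    # Guard for an ID that is absent from the bundle, so the cell reports the
    # miss instead of failing on attribute access below.
    print(f"No TMFK technique found with ID = {atrm_id}")
else:
    print(f"TMFK technique with ID = {atrm_id}:")
    print(f"\tName: {technique.name}")
    print(f"\tDescription: {technique.description}")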

TMFK technique with ID = MS-TA9007:
	Name: Bash or cmd inside container
	Description: Attackers who have permissions to run a cmd/bash script inside a container can use it to execute malicious code and compromise cluster resources.


# Get last commit hash

In [8]:
from git_tools import get_last_commit_hash
from constants import TMFK_PATH

# Print what get_last_commit_hash reports for TMFK_PATH. The recorded output is a short
# hash, presumably identifying the data revision the listings above were generated from.
tmfk_revision = get_last_commit_hash(TMFK_PATH)
print(tmfk_revision)


b885d18
