In [1]:
import mitreattack.attackToExcel.attackToExcel as aE
import mitreattack.attackToExcel.stixToDf as sD

In [2]:
# download and parse ATT&CK STIX data
attackdata = aE.get_stix_data("enterprise-attack")
techniques_data = sD.techniquesToDf(attackdata, "enterprise-attack")

parsing techniques: 100%|██████████| 552/552 [00:15<00:00, 35.28it/s]
parsing relationships for type=technique: 100%|██████████| 10986/10986 [00:00<00:00, 81133.91it/s]


In [3]:
# show T1102 and sub-techniques of T1102
techniques_df = techniques_data["techniques"]
print(techniques_df[techniques_df["ID"].str.contains("T1102")]["name"])

537                                 Web Service
38     Web Service: Bidirectional Communication
127             Web Service: Dead Drop Resolver
340          Web Service: One-Way Communication
Name: name, dtype: object


In [5]:
# show citation data for LOLBAS Wmic reference
citations_df = techniques_data["citations"]
print(citations_df[citations_df["reference"].str.contains("LOLBAS Wmic")])

        reference                                           citation  \
1142  LOLBAS Wmic  LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2...   

                                                    url  
1142  https://lolbas-project.github.io/lolbas/Binari...  


In [15]:
# return the column labels of the dataframe
techniques_df.columns

Index(['ID', 'name', 'description', 'url', 'created', 'last modified',
       'version', 'tactics', 'detection', 'platforms', 'data sources',
       'is sub-technique', 'sub-technique of', 'contributors',
       'system requirements', 'permissions required', 'effective permissions',
       'defenses bypassed', 'impact type', 'supports remote'],
      dtype='object')

In [16]:
# return the datatypes in the dataframe
techniques_df.dtypes

ID                       object
name                     object
description              object
url                      object
created                  object
last modified            object
version                  object
tactics                  object
detection                object
platforms                object
data sources             object
is sub-technique           bool
sub-technique of         object
contributors             object
system requirements      object
permissions required     object
effective permissions    object
defenses bypassed        object
impact type              object
supports remote          object
dtype: object

In [17]:
# print a concise summary of the dataframe
techniques_df.info

<bound method DataFrame.info of             ID                                               name  \
3        T1548                  Abuse Elevation Control Mechanism   
50   T1548.002  Abuse Elevation Control Mechanism: Bypass User...   
171  T1548.004  Abuse Elevation Control Mechanism: Elevated Ex...   
444  T1548.001  Abuse Elevation Control Mechanism: Setuid and ...   
475  T1548.003  Abuse Elevation Control Mechanism: Sudo and Su...   
..         ...                                                ...   
38   T1102.002           Web Service: Bidirectional Communication   
127  T1102.001                    Web Service: Dead Drop Resolver   
340  T1102.003                 Web Service: One-Way Communication   
545      T1047                 Windows Management Instrumentation   
551      T1220                              XSL Script Processing   

                                           description  \
3    Adversaries may circumvent mechanisms designed...   
50   Adversaries may by

In [19]:
# return an int representing the number of axes/array dimensions
techniques_df.ndim

2

In [21]:
# return the first 2 rows
techniques_df.head(2)

Unnamed: 0,ID,name,description,url,created,last modified,version,tactics,detection,platforms,data sources,is sub-technique,sub-technique of,contributors,system requirements,permissions required,effective permissions,defenses bypassed,impact type,supports remote
3,T1548,Abuse Elevation Control Mechanism,Adversaries may circumvent mechanisms designed...,https://attack.mitre.org/techniques/T1548,30 January 2020,22 July 2020,1.0,"Defense Evasion, Privilege Escalation",Monitor the file system for files that have th...,"Linux, Windows, macOS","Command: Command Execution, File: File Metadat...",False,,,,"Administrator, User",,,,
50,T1548.002,Abuse Elevation Control Mechanism: Bypass User...,Adversaries may bypass UAC mechanisms to eleva...,https://attack.mitre.org/techniques/T1548/002,30 January 2020,22 July 2020,2.0,"Defense Evasion, Privilege Escalation",There are many ways to perform UAC bypasses wh...,Windows,"Command: Command Execution, Process: Process C...",True,T1548,Casey Smith; Stefan Kanthak,,"Administrator, User",Administrator,Windows User Account Control,,


In [31]:
# access a single value for a row/column label
techniques_df.at[1, 'name']

'Man-in-the-Middle: ARP Cache Poisoning'

In [33]:
# accesss a single value for a row/column pair by integer position
techniques_df.iat[1,1]

'Abuse Elevation Control Mechanism: Bypass User Account Control'

In [36]:
# whether each element in the dataframe is contained in values
techniques_df.isin({'Abuse':[0,3] })

Unnamed: 0,ID,name,description,url,created,last modified,version,tactics,detection,platforms,data sources,is sub-technique,sub-technique of,contributors,system requirements,permissions required,effective permissions,defenses bypassed,impact type,supports remote
3,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False
50,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False
171,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False
444,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False
475,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
38,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False
127,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False
340,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False
545,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False,False


In [97]:
for n in range(5):
    print(techniques_df.iat[0,n])

T1548
Abuse Elevation Control Mechanism
Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
https://attack.mitre.org/techniques/T1548
30 January 2020


In [104]:
print(techniques_df.columns[0:20])

Index(['ID', 'name', 'description', 'url', 'created', 'last modified',
       'version', 'tactics', 'detection', 'platforms', 'data sources',
       'is sub-technique', 'sub-technique of', 'contributors',
       'system requirements', 'permissions required', 'effective permissions',
       'defenses bypassed', 'impact type', 'supports remote'],
      dtype='object')


In [234]:
for i in range(552):
    if techniques_df.iat[i,19] == True:
        print(techniques_df.iat[i,0])
        print(techniques_df.iat[i,1])

T1059.001
Command and Scripting Interpreter: PowerShell
T1609
Container Administration Command
T1610
Deploy Container
T1203
Exploitation for Client Execution
T1053
Scheduled Task/Job
T1053.001
Scheduled Task/Job: At (Linux)
T1053.002
Scheduled Task/Job: At (Windows)
T1053.005
Scheduled Task/Job: Scheduled Task
T1072
Software Deployment Tools
T1569.002
System Services: Service Execution
T1047
Windows Management Instrumentation


In [192]:
for i in range(20,40):
    print(techniques_df.iat[i,7])

Persistence
Persistence
Resource Development
Resource Development
Resource Development
Resource Development
Resource Development
Resource Development
Resource Development
Reconnaissance
Reconnaissance
Reconnaissance
Command And Control
Command And Control
Command And Control
Command And Control
Command And Control
Discovery
Collection
Collection


In [172]:
print('Reconnaissance Techniques:')
for i in range(552):
    tactic = techniques_df.iat[i,7]
    if tactic == 'Reconnaissance':
        print(techniques_df.iat[i, 0])
print('------------------')

Reconnaissance Techniques:
T1595
T1595.001
T1595.002
T1592
T1592.004
T1592.003
T1592.001
T1592.002
T1589
T1589.001
T1589.002
T1589.003
T1590
T1590.002
T1590.001
T1590.005
T1590.006
T1590.004
T1590.003
T1591
T1591.002
T1591.001
T1591.003
T1591.004
T1598
T1598.002
T1598.003
T1598.001
T1597
T1597.002
T1597.001
T1596
T1596.004
T1596.001
T1596.003
T1596.005
T1596.002
T1593
T1593.002
T1593.001
T1594
------------------
Resource Development Techniques:
T1583
T1583.005
T1583.002
T1583.001
T1583.004
T1583.003
T1583.006
T1586
T1586.002
T1586.001
T1584
T1584.005
T1584.002
T1584.001
T1584.004
T1584.003
T1584.006
T1587
T1587.002
T1587.003
T1587.004
T1587.001
T1585
T1585.002
T1585.001
T1588
T1588.003
T1588.004
T1588.005
T1588.001
T1588.002
T1588.006
T1608
T1608.004
T1608.003
T1608.005
T1608.001
T1608.002
------------------


In [173]:
print('Resource Development Techniques:')
for i in range(552):
    tactic = techniques_df.iat[i,7]
    if tactic == 'Resource Development':
        print(techniques_df.iat[i, 0])
print('------------------')

Resource Development Techniques:
T1583
T1583.005
T1583.002
T1583.001
T1583.004
T1583.003
T1583.006
T1586
T1586.002
T1586.001
T1584
T1584.005
T1584.002
T1584.001
T1584.004
T1584.003
T1584.006
T1587
T1587.002
T1587.003
T1587.004
T1587.001
T1585
T1585.002
T1585.001
T1588
T1588.003
T1588.004
T1588.005
T1588.001
T1588.002
T1588.006
T1608
T1608.004
T1608.003
T1608.005
T1608.001
T1608.002
------------------


In [174]:
print('Initial Access Techniques:')
for i in range(552):
    tactic = techniques_df.iat[i,7]
    if tactic == 'Initial Access':
        print(techniques_df.iat[i, 0])
print('------------------')

Initial Access Techniques:
T1189
T1190
T1200
T1566
T1566.001
T1566.002
T1566.003
T1195
T1195.003
T1195.001
T1195.002
T1199
------------------


In [175]:
print('Execution Techniques:')
for i in range(552):
    tactic = techniques_df.iat[i,7]
    if tactic == 'Execution':
        print(techniques_df.iat[i, 0])
print('------------------')

Execution Techniques:
T1059
T1059.002
T1059.007
T1059.008
T1059.001
T1059.006
T1059.004
T1059.005
T1059.003
T1609
T1203
T1559
T1559.001
T1559.002
T1106
T1129
T1569
T1569.001
T1569.002
T1204
T1204.002
T1204.003
T1204.001
T1047
------------------


In [176]:
print('Persistence Techniques:')
for i in range(552):
    tactic = techniques_df.iat[i,7]
    if tactic == 'Persistence':
        print(techniques_df.iat[i, 0])
print('------------------')

Persistence Techniques:
T1098
T1098.003
T1098.001
T1098.002
T1098.004
T1176
T1554
T1136
T1136.003
T1136.002
T1136.001
T1525
T1137
T1137.006
T1137.001
T1137.002
T1137.003
T1137.004
T1137.005
T1505
T1505.001
T1505.002
T1505.003
------------------


In [177]:
print('Privilege Escalation Techniques:')
for i in range(552):
    tactic = techniques_df.iat[i,7]
    if tactic == 'Privilege Escalation':
        print(techniques_df.iat[i, 0])
print('------------------')

Privilege Escalation Techniques:
T1611
T1068
------------------


In [178]:
print('Defense Evasion Techniques:')
for i in range(552):
    tactic = techniques_df.iat[i,7]
    if tactic == 'Defense Evasion':
        print(techniques_df.iat[i, 0])
print('------------------')

Defense Evasion Techniques:
T1612
T1140
T1006
T1480
T1480.001
T1211
T1222
T1222.002
T1222.001
T1564
T1564.005
T1564.001
T1564.002
T1564.003
T1564.004
T1564.006
T1564.007
T1562
T1562.008
T1562.002
T1562.007
T1562.004
T1562.001
T1562.003
T1562.006
T1070
T1070.003
T1070.002
T1070.001
T1070.004
T1070.005
T1070.006
T1202
T1036
T1036.001
T1036.004
T1036.005
T1036.003
T1036.002
T1036.006
T1578
T1578.002
T1578.001
T1578.003
T1578.004
T1112
T1601
T1601.002
T1601.001
T1599
T1599.001
T1027
T1027.001
T1027.004
T1027.005
T1027.002
T1027.003
T1207
T1014
T1218
T1218.003
T1218.001
T1218.002
T1218.004
T1218.005
T1218.007
T1218.008
T1218.009
T1218.010
T1218.011
T1218.012
T1216
T1216.001
T1553
T1553.002
T1553.006
T1553.001
T1553.004
T1553.005
T1553.003
T1221
T1127
T1127.001
T1535
T1600
T1600.002
T1600.001
T1220
------------------


In [179]:
print('Credential Access Techniques:')
for i in range(552):
    tactic = techniques_df.iat[i,7]
    if tactic == 'Credential Access':
        print(techniques_df.iat[i, 0])
print('------------------')

Credential Access Techniques:
T1110
T1110.004
T1110.002
T1110.001
T1110.003
T1555
T1555.003
T1555.001
T1555.005
T1555.002
T1555.004
T1212
T1187
T1606
T1606.002
T1606.001
T1003
T1003.008
T1003.005
T1003.006
T1003.004
T1003.001
T1003.003
T1003.007
T1003.002
T1528
T1539
T1558
T1558.004
T1558.001
T1558.003
T1558.002
T1111
T1552
T1552.003
T1552.005
T1552.007
T1552.001
T1552.002
T1552.006
T1552.004
------------------


In [180]:
print('Discovery Techniques:')
for i in range(552):
    tactic = techniques_df.iat[i,7]
    if tactic == 'Discovery':
        print(techniques_df.iat[i, 0])
print('------------------')

Discovery Techniques:
T1087
T1087.004
T1087.002
T1087.003
T1087.001
T1010
T1217
T1580
T1538
T1526
T1613
T1482
T1083
T1046
T1135
T1201
T1120
T1069
T1069.003
T1069.002
T1069.001
T1057
T1012
T1018
T1518
T1518.001
T1082
T1614
T1016
T1016.001
T1049
T1033
T1007
T1124
------------------


In [181]:
print('Lateral Movement Techniques:')
for i in range(552):
    tactic = techniques_df.iat[i,7]
    if tactic == 'Lateral Movement':
        print(techniques_df.iat[i, 0])
print('------------------')

Lateral Movement Techniques:
T1210
T1534
T1570
T1563
T1563.002
T1563.001
T1021
T1021.003
T1021.001
T1021.002
T1021.004
T1021.005
T1021.006
T1080
------------------


In [182]:
print('Collection Techniques:')
for i in range(552):
    tactic = techniques_df.iat[i,7]
    if tactic == 'Collection':
        print(techniques_df.iat[i, 0])
print('------------------')

Collection Techniques:
T1560
T1560.003
T1560.002
T1560.001
T1123
T1119
T1115
T1074
T1074.001
T1074.002
T1530
T1602
T1602.002
T1602.001
T1213
T1213.001
T1213.002
T1005
T1039
T1025
T1114
T1114.003
T1114.001
T1114.002
T1185
T1113
T1125
------------------


In [193]:
print('C2 Techniques:')
for i in range(552):
    tactic = techniques_df.iat[i,7]
    if tactic == 'Command And Control':
        print(techniques_df.iat[i, 0])
print('------------------')

C2 Techniques:
T1071
T1071.004
T1071.002
T1071.003
T1071.001
T1092
T1132
T1132.002
T1132.001
T1001
T1001.001
T1001.003
T1001.002
T1568
T1568.003
T1568.002
T1568.001
T1573
T1573.002
T1573.001
T1008
T1105
T1104
T1095
T1571
T1572
T1090
T1090.004
T1090.002
T1090.001
T1090.003
T1219
T1102
T1102.002
T1102.001
T1102.003
------------------


In [184]:
print('Exfiltration Techniques:')
for i in range(552):
    tactic = techniques_df.iat[i,7]
    if tactic == 'Exfiltration':
        print(techniques_df.iat[i, 0])
print('------------------')

Exfiltration Techniques:
T1020
T1020.001
T1030
T1048
T1048.002
T1048.001
T1048.003
T1041
T1011
T1011.001
T1052
T1052.001
T1567
T1567.002
T1567.001
T1029
T1537
------------------


In [185]:
print('Impact Techniques:')
for i in range(552):
    tactic = techniques_df.iat[i,7]
    if tactic == 'Impact':
        print(techniques_df.iat[i, 0])
print('------------------')

Impact Techniques:
T1531
T1485
T1486
T1565
T1565.003
T1565.001
T1565.002
T1491
T1491.002
T1491.001
T1561
T1561.001
T1561.002
T1499
T1499.003
T1499.004
T1499.001
T1499.002
T1495
T1490
T1498
T1498.001
T1498.002
T1496
T1489
T1529
------------------


In [145]:
# analyzing tactics
attackdata02 = aE.get_stix_data("enterprise-attack")
tactics_data = sD.tacticsToDf(attackdata02, "enterprise-attack")

parsing mitigations: 100%|██████████| 14/14 [00:00<00:00, 14044.55it/s]


In [146]:
tactics_df = tactics_data["tactics"]

In [147]:
tactics_df.shape

(14, 6)

In [148]:
tactics_df.columns

Index(['ID', 'name', 'description', 'url', 'created', 'last modified'], dtype='object')

In [149]:
tactics_df.index

Int64Index([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13], dtype='int64')

In [154]:
tactics_df.head(14)

Unnamed: 0,ID,name,description,url,created,last modified
0,TA0009,Collection,The adversary is trying to gather data of inte...,https://attack.mitre.org/tactics/TA0009,17 October 2018,19 July 2019
1,TA0011,Command and Control,The adversary is trying to communicate with co...,https://attack.mitre.org/tactics/TA0011,17 October 2018,19 July 2019
2,TA0006,Credential Access,The adversary is trying to steal account names...,https://attack.mitre.org/tactics/TA0006,17 October 2018,19 July 2019
3,TA0005,Defense Evasion,The adversary is trying to avoid being detecte...,https://attack.mitre.org/tactics/TA0005,17 October 2018,19 July 2019
4,TA0007,Discovery,The adversary is trying to figure out your env...,https://attack.mitre.org/tactics/TA0007,17 October 2018,19 July 2019
5,TA0002,Execution,The adversary is trying to run malicious code....,https://attack.mitre.org/tactics/TA0002,17 October 2018,19 July 2019
6,TA0010,Exfiltration,The adversary is trying to steal data.\n\nExfi...,https://attack.mitre.org/tactics/TA0010,17 October 2018,19 July 2019
7,TA0040,Impact,"The adversary is trying to manipulate, interru...",https://attack.mitre.org/tactics/TA0040,14 March 2019,25 July 2019
8,TA0001,Initial Access,The adversary is trying to get into your netwo...,https://attack.mitre.org/tactics/TA0001,17 October 2018,19 July 2019
9,TA0008,Lateral Movement,The adversary is trying to move through your e...,https://attack.mitre.org/tactics/TA0008,17 October 2018,19 July 2019
