# Examples

In [1]:
from mitreapi import AttackAPI
from pandas import *
from pandas.io.json import json_normalize
attack = AttackAPI()

## Attack Matrix 

The tactics and their corresponding techniques are organized in a list of dictionaries. Each dictionary (list item) has the tactics as keys and one technique per tactic as values, so each item is one row of the matrix. This allows you to format the matrix with the tactics as headers and the corresponding techniques in the cells below.

In [5]:
matrix = attack.get_matrix()
json_normalize(matrix)

| | Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Lateral Movement | Persistence | Privilege Escalation |
|---|---|---|---|---|---|---|---|---|---|---|
| 0 | [Audio Capture] | [Commonly Used Port] | [Account Manipulation] | [Access Token Manipulation] | [Account Discovery] | [AppleScript] | [Automated Exfiltration] | [AppleScript] | [.bash_profile and .bashrc] | [Access Token Manipulation] |
| 1 | [Automated Collection] | [Communication Through Removable Media] | [Bash History] | [Binary Padding] | [Application Window Discovery] | [Application Shimming] | [Data Compressed] | [Application Deployment Software] | [Accessibility Features] | [Accessibility Features] |
| 2 | [Clipboard Data] | [Connection Proxy] | [Brute Force] | [Bypass User Account Control] | [File and Directory Discovery] | [Command-Line Interface] | [Data Encrypted] | [Exploitation of Vulnerability] | [AppInit DLLs] | [AppInit DLLs] |
| 3 | [Data Staged] | [Custom Command and Control Protocol] | [Create Account] | [Clear Command History] | [Network Service Scanning] | [Execution through API] | [Data Transfer Size Limits] | [Logon Scripts] | [Application Shimming] | [Application Shimming] |
| 4 | [Data from Local System] | [Custom Cryptographic Protocol] | [Credential Dumping] | [Code Signing] | [Network Share Discovery] | [Execution through Module Load] | [Exfiltration Over Alternative Protocol] | [Pass the Hash] | [Authentication Package] | [Bypass User Account Control] |
| 5 | [Data from Network Shared Drive] | [Data Encoding] | [Credentials in Files] | [Component Firmware] | [Peripheral Device Discovery] | [Graphical User Interface] | [Exfiltration Over Command and Control Channel] | [Pass the Ticket] | [Bootkit] | [DLL Injection] |
| 6 | [Data from Removable Media] | [Data Obfuscation] | [Exploitation of Vulnerability] | [Component Object Model Hijacking] | [Permission Groups Discovery] | [InstallUtil] | [Exfiltration Over Other Network Medium] | [Remote Desktop Protocol] | [Change Default File Association] | [DLL Search Order Hijacking] |
| 7 | [Email Collection] | [Fallback Channels] | [Input Capture] | [DLL Injection] | [Process Discovery] | [Launchctl] | [Exfiltration Over Physical Medium] | [Remote File Copy] | [Component Firmware] | [Dylib Hijacking] |
| 8 | [Input Capture] | [Multi-Stage Channels] | [Input Prompt] | [DLL Search Order Hijacking] | [Query Registry] | [PowerShell] | [Scheduled Transfer] | [Remote Services] | [Component Object Model Hijacking] | [Exploitation of Vulnerability] |
| 9 | [Screen Capture] | [Multiband Communication] | [Keychain] | [DLL Side-Loading] | [Remote System Discovery] | [Process Hollowing] | | [Replication Through Removable Media] | [Cron Job] | [File System Permissions Weakness] |
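
The row-per-dictionary layout described above can be rebuilt from the technique records themselves. The following is an added example, not code from the mitreapi library: it takes a constructed list of technique records shaped like the 'Technique Name' and 'Tactic' columns of get_all_techniques(), groups them per tactic, pads the shorter columns with None (the empty Exfiltration cell in row 9 above is that padding), and renders the result with tactics as headers. The technique-to-tactic pairings in SAMPLE_TECHNIQUES are constructed for illustration.

```python
# Added example (not part of the mitreapi library): builds the same
# list-of-dictionaries layout that attack.get_matrix() returns, from a
# constructed set of technique records shaped like get_all_techniques()
# output.  Every record below is constructed for illustration.
SAMPLE_TECHNIQUES = [
    {"Technique Name": ["Windows Remote Management"], "Tactic": ["Execution", "Lateral Movement"]},
    {"Technique Name": ["Binary Padding"], "Tactic": ["Defense Evasion"]},
    {"Technique Name": ["Fallback Channels"], "Tactic": ["Command and Control"]},
    {"Technique Name": ["Credential Dumping"], "Tactic": ["Credential Access"]},
    {"Technique Name": ["Data Compressed"], "Tactic": ["Exfiltration"]},
    {"Technique Name": ["Pass the Hash"], "Tactic": ["Lateral Movement"]},
    {"Technique Name": ["Code Signing"], "Tactic": ["Defense Evasion"]},
]


def techniques_by_tactic(techniques):
    """Collect technique names under each tactic, sorted so the matrix is stable.
    A technique listed under several tactics appears in each of those columns,
    exactly as Windows Remote Management does in the real matrix."""
    columns = {}
    for record in techniques:
        for tactic in record["Tactic"]:
            columns.setdefault(tactic, set()).update(record["Technique Name"])
    return {tactic: sorted(names) for tactic, names in sorted(columns.items())}


def build_matrix(techniques):
    """Return a list of row dictionaries: row i holds the i-th technique of
    every tactic, or None where a tactic has fewer techniques than the
    longest column.  This is the row-per-dictionary shape shown above."""
    columns = techniques_by_tactic(techniques)
    depth = max((len(names) for names in columns.values()), default=0)
    rows = []
    for i in range(depth):
        rows.append({tactic: (names[i] if i < len(names) else None)
                     for tactic, names in columns.items()})
    return rows


def render_matrix(rows):
    """Render the rows as a markdown table with tactics as headers; None
    cells (padding) become empty cells."""
    if not rows:
        return ""
    headers = list(rows[0])
    lines = ["| " + " | ".join(headers) + " |",
             "|" + "|".join(" --- " for _ in headers) + "|"]
    for row in rows:
        lines.append("| " + " | ".join(row[h] or "" for h in headers) + " |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix(build_matrix(SAMPLE_TECHNIQUES)))
```

Passing the real output of get_all_techniques() to build_matrix would produce the full matrix; the only assumption is that each record carries list-valued 'Technique Name' and 'Tactic' keys, which the columns listing further down confirms.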


## Techniques

This method returns a list of dictionaries (like a JSON object), with each dictionary corresponding to a technique and its attributes. Here are a few of the techniques. To get all of them, just remove the [0:5].

In [3]:
techniques = attack.get_all_techniques()
df = json_normalize(techniques)
df.reindex(['Tactic', 'Technique Name','Full Text', 'ID', 'URL'], axis=1)[0:5]

| | Tactic | Technique Name | Full Text | ID | URL |
|---|---|---|---|---|---|
| 0 | [Execution, Lateral Movement] | [Windows Remote Management] | Technique/T1028 | [T1028] | https://attack.mitre.org/wiki/Technique/T1028 |
| 1 | [Defense Evasion] | [Binary Padding] | Technique/T1009 | [T1009] | https://attack.mitre.org/wiki/Technique/T1009 |
| 2 | [Command and Control] | [Fallback Channels] | Technique/T1008 | [T1008] | https://attack.mitre.org/wiki/Technique/T1008 |
| 3 | [Credential Access] | [Credential Dumping] | Technique/T1003 | [T1003] | https://attack.mitre.org/wiki/Technique/T1003 |
| 4 | [Exfiltration] | [Data Compressed] | Technique/T1002 | [T1002] | https://attack.mitre.org/wiki/Technique/T1002 |


Below you can see all of the possible columns you can select.

In [4]:
df.columns.tolist()

['Analytic Details',
 'Bypass',
 'CAPEC ID',
 'Citation Reference',
 'Contributor',
 'Data Source',
 'Display Name',
 'Full Text',
 'ID',
 'Link Text',
 'Mitigation',
 'Platform',
 'Requires Permissions',
 'Requires System',
 'Tactic',
 'Technical Description',
 'Technique Name',
 'URL']

## Groups

This method returns a list of dictionaries (like a JSON object), with each dictionary corresponding to a group and its attributes. Here are a few of the groups. To get all of them, just remove the [0:5].

In [5]:
groups = attack.get_all_groups()
json_normalize(groups)[0:5]

| | Alias | Description | Display Title | ID | Link Text | Name | Reference | Software | Technique | URL |
|---|---|---|---|---|---|---|---|---|---|---|
| 0 | [Putter Panda, APT2, MSUpdater] | [[[Group/G0024\|Putter Panda]] is a Chinese thr... | Group: Putter Panda, APT2, MSUpdater | [G0024] | [[[Group/G0024\|Putter Panda]]] | [Putter Panda] | [CrowdStrike Putter Panda, Cylance Putter Panda] | [Software: 3PARA RAT, Software: pngdowner, Sof... | [Technique/T1027, Technique/T1060, Technique/T... | https://attack.mitre.org/wiki/Group/G0024 |
| 1 | [Group5] | [[[Group/G0043\|Group5]] is a threat group with... | Group: Group5 | [G0043] | [[[Group/G0043\|Group5]]] | [Group5] | [Citizen Lab Group5] | [] | [Technique/T1027, Technique/T1045, Technique/T... | https://attack.mitre.org/wiki/Group/G0043 |
| 2 | [PittyTiger] | [[[Group/G0011\|PittyTiger]] is a threat group ... | Group: PittyTiger | [G0011] | [[[Group/G0011\|PittyTiger]]] | [PittyTiger] | [Bizeul 2014, Villeneuve 2014] | [Software: Lurid, Enfal, Software: Mimikatz, S... | [Technique/T1078] | https://attack.mitre.org/wiki/Group/G0011 |
| 3 | [Carbanak, Anunak] | [[[Group/G0008\|Carbanak]] is a threat group th... | Group: Carbanak, Anunak | [G0008] | [[[Group/G0008\|Carbanak]]] | [Carbanak] | [Kaspersky Carbanak, Fox-It Anunak Feb 2015, G... | [Software: PsExec, Software: Mimikatz, Softwar... | [Technique/T1078, Technique/T1050, Technique/T... | https://attack.mitre.org/wiki/Group/G0008 |
| 4 | [Deep Panda, Shell Crew, WebMasters, KungFu Ki... | [[[Group/G0009\|Deep Panda]] is a suspected Chi... | Group: Deep Panda, Shell Crew, ... | [G0009] | [[[Group/G0009\|Deep Panda]]] | [Deep Panda] | [Alperovitch 2014, ThreatConnect Anthem, RSA S... | [Software: Net, net.exe, Software: Tasklist, S... | [Technique/T1086, Technique/T1047, Technique/T... | https://attack.mitre.org/wiki/Group/G0009 |


## Software

This method returns a list of dictionaries (like a JSON object), with each dictionary corresponding to a software item (malware or tool) and its attributes. Here are some of the software items. To get all of them, just remove the [0:4].

In [6]:
software = attack.get_all_software()
json_normalize(software)[0:4]

| | Alias | Description | ID | Link Text | Name | Reference | Software Type | Technique |
|---|---|---|---|---|---|---|---|---|
| 0 | [Pass-The-Hash Toolkit] | [[[Software/S0122\|Pass-The-Hash Toolkit]] is a... | [S0122] | [[[Software/S0122\|Pass-The-Hash Toolkit]]] | [Pass-The-Hash Toolkit] | [Mandiant APT1] | [Tool] | [Technique/T1075] |
| 1 | [TinyZBot] | [[[Software/S0004\|TinyZBot]] is a bot written ... | [S0004] | [[[Software/S0004\|TinyZBot]]] | [TinyZBot] | [Cylance Cleaver] | [Malware] | [Technique/T1059, Technique/T1115, Technique/T... |
| 2 | [Cachedump] | [[[Software/S0119\|Cachedump]] is a publicly-av... | [S0119] | [[[Software/S0119\|Cachedump]]] | [Cachedump] | [Mandiant APT1] | [Tool] | [Technique/T1003] |
| 3 | [Nidiran, Backdoor.Nidiran] | [[[Software/S0118\|Nidiran]] is a custom backdo... | [S0118] | [[[Software/S0118\|Nidiran]]] | [Nidiran] | [Symantec Suckfly March 2016, Symantec Suckfly... | [Malware] | [Technique/T1043, Technique/T1032, Technique/T... |


## Attribution

This method combines information from groups, techniques, and technique sub-objects to centralize information on groups and their techniques. It returns a list of dictionaries (like a JSON object), with each dictionary corresponding to a group and its attributes (along with more details on its techniques). Here are some of them. To get all of them, just remove the [0:10].

In [7]:
attribution = attack.get_attribution()
df = json_normalize(attribution)
df.reindex(['Group', 'Group Alias', 'Technique Name','Tactic', 'Description'], axis=1)[0:10]

| | Group | Group Alias | Technique Name | Tactic | Description |
|---|---|---|---|---|---|
| 0 | [APT32] | [APT32, OceanLotus Group] | [Windows Remote Management] | [Execution, Lateral Movement] | [[[Software/S0154\|Cobalt Strike]] can use <cod... |
| 1 | [Threat Group-3390] | [Threat Group-3390, TG-3390, Emissary Panda, B... | [Windows Remote Management] | [Execution, Lateral Movement] | [[[Group/G0027\|Threat Group-3390]] has used Wi... |
| 2 | [Moafee] | [Moafee] | [Binary Padding] | [Defense Evasion] | [[[Group/G0002\|Moafee]] has been known to empl... |
| 3 | [APT28] | [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... | [Binary Padding] | [Defense Evasion] | [A version of [[Software/S0117\|XTunnel]] intro... |
| 4 | [APT28] | [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... | [Binary Padding] | [Defense Evasion] | [[[Software/S0137\|CORESHELL]] contains unused ... |
| 5 | [Lotus Blossom] | [Lotus Blossom, Spring Dragon] | [Binary Padding] | [Defense Evasion] | [A variant of [[Software/S0082\|Emissary]] appe... |
| 6 | [Deep Panda] | [Deep Panda, Shell Crew, WebMasters, KungFu Ki... | [Fallback Channels] | [Command and Control] | [[[Software/S0021\|Derusbi]] uses a backup comm... |
| 7 | [Axiom] | [Axiom, Group 72] | [Fallback Channels] | [Command and Control] | [[[Software/S0021\|Derusbi]] uses a backup comm... |
| 8 | [APT1] | [APT1, Comment Crew, Comment Group, Comment Pa... | [Fallback Channels] | [Command and Control] | [[[Software/S0017\|BISCUIT]] malware contains a... |
| 9 | [APT28] | [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... | [Fallback Channels] | [Command and Control] | [[[Software/S0023\|CHOPSTICK]] can switch to a ... |


## All data

This method returns a list of dictionaries (like a JSON object), with each dictionary corresponding to a group and one of its techniques, together with the attributes of both. This is all of the above information organized into one large flat file. To get all of the data, just remove the slice at the end of the reindex call.

In [8]:
all_data = attack.get_all()
df = json_normalize(all_data)
df.reindex(['Tactic', 'Technique Name', 'Technique ID', 'Group', 'Group Alias', 'Platform', 'Requires System'], axis=1)[0:10]

| | Tactic | Technique Name | Technique ID | Group | Group Alias | Platform | Requires System |
|---|---|---|---|---|---|---|---|
| 0 | [Execution, Lateral Movement] | [Windows Remote Management] | [Technique/T1028] | [APT32] | [APT32, OceanLotus Group] | [Windows Server 2003, Windows Server 2008, Win... | [WinRM listener turned on and configured on re... |
| 1 | [Execution, Lateral Movement] | [Windows Remote Management] | [Technique/T1028] | [Threat Group-3390] | [Threat Group-3390, TG-3390, Emissary Panda, B... | [Windows Server 2003, Windows Server 2008, Win... | [WinRM listener turned on and configured on re... |
| 2 | [Defense Evasion] | [Binary Padding] | [Technique/T1009] | [Moafee] | [Moafee] | [Windows Server 2003, Windows Server 2008, Win... | [] |
| 3 | [Defense Evasion] | [Binary Padding] | [Technique/T1009] | [APT28] | [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... | [Windows Server 2003, Windows Server 2008, Win... | [] |
| 4 | [Defense Evasion] | [Binary Padding] | [Technique/T1009] | [APT28] | [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... | [Windows Server 2003, Windows Server 2008, Win... | [] |
| 5 | [Defense Evasion] | [Binary Padding] | [Technique/T1009] | [Lotus Blossom] | [Lotus Blossom, Spring Dragon] | [Windows Server 2003, Windows Server 2008, Win... | [] |
| 6 | [Command and Control] | [Fallback Channels] | [Technique/T1008] | [Deep Panda] | [Deep Panda, Shell Crew, WebMasters, KungFu Ki... | [Windows Server 2003, Windows Server 2008, Win... | [] |
| 7 | [Command and Control] | [Fallback Channels] | [Technique/T1008] | [Axiom] | [Axiom, Group 72] | [Windows Server 2003, Windows Server 2008, Win... | [] |
| 8 | [Command and Control] | [Fallback Channels] | [Technique/T1008] | [APT1] | [APT1, Comment Crew, Comment Group, Comment Pa... | [Windows Server 2003, Windows Server 2008, Win... | [] |
| 9 | [Command and Control] | [Fallback Channels] | [Technique/T1008] | [APT28] | [APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear... | [Windows Server 2003, Windows Server 2008, Win... | [] |
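
Both the Attribution and the All data sections above describe a join: each group's 'Technique' references (the "Technique/T1028" strings seen in the Groups output) are resolved against the technique list so that one flat row per (group, technique) pair can carry attributes of both. The following is an added example, not mitreapi code, showing that join over constructed records. The group names and IDs (Example Group A/B, G9001/G9002) and the dangling reference Technique/T9999 are placeholders constructed for illustration; the technique IDs are the ones visible in the tables above. It also keeps a list of references that did not resolve, which is the one failure mode worth checking when building such a flat file from a data pull.

```python
# Added example (not mitreapi code): the join behind a get_attribution()-
# or get_all()-style flat file, shown over constructed group and technique
# records.  Groups reference techniques as "Technique/Txxxx", as in the
# 'Technique' column of get_all_groups().  Group names/IDs and T9999 are
# constructed placeholders; the other technique IDs appear on the page.
SAMPLE_TECHNIQUES = [
    {"ID": ["T1028"], "Technique Name": ["Windows Remote Management"],
     "Tactic": ["Execution", "Lateral Movement"], "Platform": ["Windows"]},
    {"ID": ["T1009"], "Technique Name": ["Binary Padding"],
     "Tactic": ["Defense Evasion"], "Platform": ["Windows"]},
    {"ID": ["T1008"], "Technique Name": ["Fallback Channels"],
     "Tactic": ["Command and Control"], "Platform": ["Windows"]},
]
SAMPLE_GROUPS = [
    {"Name": ["Example Group A"], "Alias": ["Example Group A", "EGA"], "ID": ["G9001"],
     "Technique": ["Technique/T1028", "Technique/T1009"]},
    {"Name": ["Example Group B"], "Alias": ["Example Group B"], "ID": ["G9002"],
     # T9999 is a constructed reference with no matching technique record
     "Technique": ["Technique/T1008", "Technique/T9999"]},
]


def first(values):
    """Attributes in the API come back as one-element lists; unwrap them."""
    return values[0] if isinstance(values, list) and values else values


def index_techniques(techniques):
    """Map 'Technique/T1028'-style reference strings to technique records,
    so each group reference resolves in one dictionary lookup."""
    return {"Technique/" + first(t["ID"]): t for t in techniques}


def attribute(groups, techniques):
    """Return (rows, unresolved): one flat row per (group, technique) pair,
    plus the (group ID, reference) pairs that matched no technique record.
    Reporting them instead of dropping them makes a stale pull visible."""
    lookup = index_techniques(techniques)
    rows, unresolved = [], []
    for g in groups:
        for ref in g["Technique"]:
            tech = lookup.get(ref)
            if tech is None:
                unresolved.append((first(g["ID"]), ref))
                continue
            rows.append({
                "Group": first(g["Name"]),
                "Group ID": first(g["ID"]),
                "Group Alias": list(g["Alias"]),
                "Technique ID": ref,
                "Technique Name": first(tech["Technique Name"]),
                "Tactic": list(tech["Tactic"]),
                "Platform": list(tech["Platform"]),
            })
    return rows, unresolved


def groups_using(rows, technique_ref):
    """Reverse query over the flat rows: which groups are recorded against
    a given technique reference?"""
    return sorted({r["Group"] for r in rows if r["Technique ID"] == technique_ref})


if __name__ == "__main__":
    rows, unresolved = attribute(SAMPLE_GROUPS, SAMPLE_TECHNIQUES)
    for row in rows:
        print(row["Group"], row["Technique ID"], row["Technique Name"], row["Tactic"])
    print("unresolved references:", unresolved)
    print("groups using Technique/T1009:", groups_using(rows, "Technique/T1009"))
```

The resulting rows have the same 'Group', 'Group Alias', 'Technique ID', 'Technique Name', 'Tactic' and 'Platform' keys as the All data output, so json_normalize can be applied to them in the same way.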


Below you can see all of the possible columns you can select.

In [9]:
df.columns.tolist()

['Analytic Details',
 'Bypass',
 'CAPEC ID',
 'Contributor',
 'Data Source',
 'Description',
 'Group',
 'Group Alias',
 'Group ID',
 'Mitigation',
 'Platform',
 'Requires Permissions',
 'Requires System',
 'Software',
 'Tactic',
 'Technique ID',
 'Technique Name',
 'URL']

## Exporting the data

With the pandas function to_csv, you can export any of this data to a CSV file. There are many other export options, listed here: http://pandas.pydata.org/pandas-docs/version/0.20.3/api.html#id12
The output of this code can be seen in the Mitre-Attack-API root folder.

In [12]:
all_data = attack.get_all()
df = json_normalize(all_data)
df.to_csv('attack_all.csv')
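
One caveat when exporting these rows: most cells are Python lists (the bracketed values in every table above), and DataFrame.to_csv writes them as list text such as "['Execution', 'Lateral Movement']", which other tools cannot parse back into values. The following is an added example, not mitreapi code, that joins each list into a single delimited string before writing, and reads the file back so the round trip can be checked. The rows are constructed from values shown on the page; the "; " separator and the export() helper are this example's own choices.

```python
# Added example (not mitreapi code): export rows whose cells are lists, as
# get_all() returns them, to CSV with each list joined into one delimited
# string, then parse the CSV back.  SAMPLE_ROWS is constructed from values
# shown in the tables on this page; "; " is this example's list separator.
import csv
import io

SAMPLE_ROWS = [
    {"Tactic": ["Execution", "Lateral Movement"],
     "Technique Name": ["Windows Remote Management"],
     "Technique ID": ["Technique/T1028"], "Group": ["APT32"],
     "Group Alias": ["APT32", "OceanLotus Group"]},
    {"Tactic": ["Defense Evasion"], "Technique Name": ["Binary Padding"],
     "Technique ID": ["Technique/T1009"], "Group": ["Moafee"],
     "Group Alias": ["Moafee"]},
]
COLUMNS = ["Tactic", "Technique Name", "Technique ID", "Group", "Group Alias"]
LIST_SEP = "; "  # commas are left to the CSV layer, so they never clash with this


def flatten_cell(value):
    """Join a list-valued cell into one string; leave scalars as text."""
    if isinstance(value, list):
        return LIST_SEP.join(str(v) for v in value)
    return "" if value is None else str(value)


def rows_to_csv(rows, columns):
    """Serialize the selected columns to CSV text.  Columns missing from a
    row become empty cells; extra keys in a row are ignored."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({c: flatten_cell(row.get(c)) for c in columns})
    return buf.getvalue()


def csv_to_rows(text, list_columns):
    """Parse CSV text back, splitting the named columns into lists again.
    An empty cell becomes an empty list, matching the '[]' cells above."""
    out = []
    for rec in csv.DictReader(io.StringIO(text)):
        for c in list_columns:
            rec[c] = rec[c].split(LIST_SEP) if rec[c] else []
        out.append(rec)
    return out


def export(rows, columns, path):
    """Write the CSV to disk (the counterpart of df.to_csv) and return the path."""
    with open(path, "w", newline="", encoding="utf-8") as fh:
        fh.write(rows_to_csv(rows, columns))
    return path


if __name__ == "__main__":
    text = rows_to_csv(SAMPLE_ROWS, COLUMNS)
    print(text)
    print(csv_to_rows(text, COLUMNS))
```

Applied to the real get_all() output, the same two functions give a CSV in which a 'Group Alias' cell reads "APT32; OceanLotus Group" rather than a Python list literal, and the column set is fixed by COLUMNS instead of by whatever keys happen to be present.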