# Examples

In [19]:
```python
from mitre import AttackAPI
from pandas import DataFrame          # explicit import instead of `from pandas import *`
from pandas.io.json import json_normalize
attack = AttackAPI()                  # wrapper around the ATT&CK wiki data used below
```

## Attack Matrix 

The tactics and their techniques are organized as a list of lists: the 0th element of each inner list is the tactic name and the remaining elements are the techniques belonging to that tactic. After the transpose below, each tactic heads a column with its techniques in the cells beneath it.

In [51]:
```python
matrix = attack.get_matrix()
DataFrame(matrix).transpose()   # one column per tactic, techniques listed below it
```

Unnamed: 0,0,1,2,3,4,5,6,7,8,9
0,Command and Control,Privilege Escalation,Collection,Exfiltration,Credential Access,Lateral Movement,Defense Evasion,Execution,Persistence,Discovery
1,Fallback Channels,Startup Items,Data from Local System,Data Compressed,Credential Dumping,Windows Remote Management,Binary Padding,Windows Remote Management,Winlogon Helper DLL,System Service Discovery
2,Data Obfuscation,Setuid and Setgid,Data from Removable Media,Exfiltration Over Other Network Medium,Securityd Memory,Taint Shared Content,File System Logical Offsets,PowerShell,Re-opened Applications,File and Directory Discovery
3,Connection Proxy,Launch Daemon,Data from Network Shared Drive,Automated Exfiltration,Credentials in Files,Application Deployment Software,Rundll32,Rundll32,Startup Items,System Information Discovery
4,Communication Through Removable Media,Sudo,Audio Capture,Data Encrypted,Account Manipulation,AppleScript,Disabling Security Tools,Space after Filename,Launch Daemon,Account Discovery
5,Custom Command and Control Protocol,Bypass User Account Control,Video Capture,Data Transfer Size Limits,Private Keys,Replication Through Removable Media,Bypass User Account Control,Source,LC_LOAD_DYLIB Addition,Remote System Discovery
6,Standard Non-Application Layer Protocol,Local Port Monitor,Clipboard Data,Exfiltration Over Command and Control Channel,Keychain,Pass the Ticket,Rootkit,Launchctl,Login Item,Application Window Discovery
7,Custom Cryptographic Protocol,Accessibility Features,Email Collection,Exfiltration Over Alternative Protocol,Bash History,Remote Services,Space after Filename,AppleScript,Rc.common,Query Registry
8,Multiband Communication,Plist Modification,Screen Capture,Scheduled Transfer,Input Prompt,Logon Scripts,Plist Modification,Trap,Cron Job,System Network Configuration Discovery
9,Standard Cryptographic Protocol,Dylib Hijacking,Automated Collection,Exfiltration Over Physical Medium,Create Account,Shared Webroot,Launchctl,Process Hollowing,Windows Management Instrumentation Event Subsc...,System Owner/User Discovery


## Techniques

This method returns a list of dictionaries (like a JSON array), each dictionary corresponding to one technique and its attributes. Here are a few of the techniques; to get all of them, remove the `[0:5]`.

In [66]:
```python
techniques = attack.get_all_techniques()
json_normalize(techniques)[0:5]   # flatten the nested dicts into columns, show first five
```

Unnamed: 0,Analytic Details,Bypass,CAPEC ID,Citation Reference,Contributor,Data Source,Display Name,Full Text,ID,Link Text,Mitigation,Platform,Requires Permissions,Requires System,Tactic,Technical Description,Technique Name,URL
0,[Monitor use of WinRM within an environment by...,[],[],[],[],"[File monitoring, Authentication logs, Netflow...",[Windows Remote Management],Technique/T1028,[T1028],[[[Technique/T1028|Windows Remote Management]]],[Disable the WinRM service. If the service is ...,"[Windows Server 2003, Windows Server 2008, Win...","[User, Administrator]",[WinRM listener turned on and configured on re...,"[Execution, Lateral Movement]",[Windows Remote Management (WinRM) is the name...,[Windows Remote Management],https://attack.mitre.org/wiki/Technique/T1028
1,"[Depending on the method used to pad files, a ...","[Anti-virus, Signature-based detection]",[572],"[Anti-virus, Signature-based detection]",[],[],[Binary Padding],Technique/T1009,[T1009],[[[Technique/T1009|Binary Padding]]],[Identify potentially malicious software that ...,"[Windows Server 2003, Windows Server 2008, Win...",[],[],[Defense Evasion],[Some security tools inspect files with static...,[Binary Padding],https://attack.mitre.org/wiki/Technique/T1009
2,[Analyze network data for uncommon data flows ...,[],[],[],[],"[Packet capture, Netflow/Enclave netflow, Malw...",[Fallback Channels],Technique/T1008,[T1008],[[[Technique/T1008|Fallback Channels]]],[Network intrusion detection and prevention sy...,"[Windows Server 2003, Windows Server 2008, Win...",[],[],[Command and Control],[Adversaries may use fallback or alternate com...,[Fallback Channels],https://attack.mitre.org/wiki/Technique/T1008
3,[Common credential dumpers such as [[Software/...,[],[567],[],[Vincent Le Toux],"[API monitoring, Process command-line paramete...",[Credential Dumping],Technique/T1003,[T1003],[[[Technique/T1003|Credential Dumping]]],[Monitor/harden access to LSASS and SAM table ...,"[Windows Server 2003, Windows Server 2008, Win...","[Administrator, SYSTEM]",[],[Credential Access],[Credential dumping is the process of obtainin...,[Credential Dumping],https://attack.mitre.org/wiki/Technique/T1003
4,[Compression software and compressed files can...,[],[],[],[],"[File monitoring, Binary file metadata, Proces...",[Data Compressed],Technique/T1002,[T1002],[[[Technique/T1002|Data Compressed]]],"[Identify unnecessary system utilities, third-...","[Windows Server 2003, Windows Server 2008, Win...",[],[],[Exfiltration],"[An adversary may compress data (e.g., sensiti...",[Data Compressed],https://attack.mitre.org/wiki/Technique/T1002


## Groups

This method returns a list of dictionaries (like a JSON array), each dictionary corresponding to one group and its attributes. Here are a few of the groups; to get all of them, remove the `[0:5]`.

In [53]:
```python
groups = attack.get_all_groups()
json_normalize(groups)[0:5]
```

Unnamed: 0,Alias,Description,Display Title,ID,Link Text,Name,Reference,Software,Technique,URL
0,"[Putter Panda, APT2, MSUpdater]",[[[Group/G0024|Putter Panda]] is a Chinese thr...,"Group: Putter Panda, APT2, MSUpdater",[G0024],[[[Group/G0024|Putter Panda]]],[Putter Panda],"[CrowdStrike Putter Panda, Cylance Putter Panda]","[Software: 3PARA RAT, Software: pngdowner, Sof...","[Technique/T1027, Technique/T1060, Technique/T...",https://attack.mitre.org/wiki/Group/G0024
1,[Group5],[[[Group/G0043|Group5]] is a threat group with...,Group: Group5,[G0043],[[[Group/G0043|Group5]]],[Group5],[Citizen Lab Group5],[],"[Technique/T1027, Technique/T1045, Technique/T...",https://attack.mitre.org/wiki/Group/G0043
2,[PittyTiger],[[[Group/G0011|PittyTiger]] is a threat group ...,Group: PittyTiger,[G0011],[[[Group/G0011|PittyTiger]]],[PittyTiger],"[Bizeul 2014, Villeneuve 2014]","[Software: Lurid, Enfal, Software: Mimikatz, S...",[Technique/T1078],https://attack.mitre.org/wiki/Group/G0011
3,"[Carbanak, Anunak]",[[[Group/G0008|Carbanak]] is a threat group th...,"Group: Carbanak, Anunak",[G0008],[[[Group/G0008|Carbanak]]],[Carbanak],"[Kaspersky Carbanak, Fox-It Anunak Feb 2015, G...","[Software: PsExec, Software: Mimikatz, Softwar...","[Technique/T1078, Technique/T1050, Technique/T...",https://attack.mitre.org/wiki/Group/G0008
4,"[Deep Panda, Shell Crew, WebMasters, KungFu Ki...",[[[Group/G0009|Deep Panda]] is a suspected Chi...,"Group: Deep Panda, Shell Crew, ...",[G0009],[[[Group/G0009|Deep Panda]]],[Deep Panda],"[Alperovitch 2014, ThreatConnect Anthem, RSA S...","[Software: Net, net.exe, Software: Tasklist, S...","[Technique/T1086, Technique/T1047, Technique/T...",https://attack.mitre.org/wiki/Group/G0009


## Software

This method returns a list of dictionaries (like a JSON array), each dictionary corresponding to one software entry (tool or malware) and its attributes. Here are some of the software items; to get all of them, remove the `[0:4]`.

In [48]:
```python
software = attack.get_all_software()
json_normalize(software)[0:4]
```

Unnamed: 0,Alias,Description,ID,Link Text,Name,Reference,Software Type,Technique
0,[Pass-The-Hash Toolkit],[[[Software/S0122|Pass-The-Hash Toolkit]] is a...,[S0122],[[[Software/S0122|Pass-The-Hash Toolkit]]],[Pass-The-Hash Toolkit],[Mandiant APT1],[Tool],[Technique/T1075]
1,[TinyZBot],[[[Software/S0004|TinyZBot]] is a bot written ...,[S0004],[[[Software/S0004|TinyZBot]]],[TinyZBot],[Cylance Cleaver],[Malware],"[Technique/T1059, Technique/T1115, Technique/T..."
2,[Cachedump],[[[Software/S0119|Cachedump]] is a publicly-av...,[S0119],[[[Software/S0119|Cachedump]]],[Cachedump],[Mandiant APT1],[Tool],[Technique/T1003]
3,"[Nidiran, Backdoor.Nidiran]",[[[Software/S0118|Nidiran]] is a custom backdo...,[S0118],[[[Software/S0118|Nidiran]]],[Nidiran],"[Symantec Suckfly March 2016, Symantec Suckfly...",[Malware],"[Technique/T1043, Technique/T1032, Technique/T..."


## Attribution

This method combines information from groups, techniques, and the technique sub-objects to centralize what is known about each group and the techniques attributed to it. It returns a list of dictionaries (like a JSON array), each dictionary corresponding to one group/technique pairing and carrying the group's attributes along with details of that technique. Here are some of the items; to get all of them, remove the `[0:10]`.

In [49]:
```python
attribution = attack.get_attribution()
json_normalize(attribution)[0:10]
```

Unnamed: 0,Data Source,Description,Group,Group Alias,Group ID,Tactic,Technique ID,Technique Name
0,"[File monitoring, Authentication logs, Netflow...",[[[Software/S0154|Cobalt Strike]] can use <cod...,[APT32],"[APT32, OceanLotus Group]",[G0050],"[Execution, Lateral Movement]",[Technique/T1028],[Windows Remote Management]
1,"[File monitoring, Authentication logs, Netflow...",[[[Group/G0027|Threat Group-3390]] has used Wi...,[Threat Group-3390],"[Threat Group-3390, TG-3390, Emissary Panda, B...",[G0027],"[Execution, Lateral Movement]",[Technique/T1028],[Windows Remote Management]
2,[],[[[Group/G0002|Moafee]] has been known to empl...,[Moafee],[Moafee],[G0002],[Defense Evasion],[Technique/T1009],[Binary Padding]
3,[],[A version of [[Software/S0117|XTunnel]] intro...,[APT28],"[APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear...",[G0007],[Defense Evasion],[Technique/T1009],[Binary Padding]
4,[],[[[Software/S0137|CORESHELL]] contains unused ...,[APT28],"[APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear...",[G0007],[Defense Evasion],[Technique/T1009],[Binary Padding]
5,[],[A variant of [[Software/S0082|Emissary]] appe...,[Lotus Blossom],"[Lotus Blossom, Spring Dragon]",[G0030],[Defense Evasion],[Technique/T1009],[Binary Padding]
6,"[Packet capture, Netflow/Enclave netflow, Malw...",[[[Software/S0021|Derusbi]] uses a backup comm...,[Deep Panda],"[Deep Panda, Shell Crew, WebMasters, KungFu Ki...",[G0009],[Command and Control],[Technique/T1008],[Fallback Channels]
7,"[Packet capture, Netflow/Enclave netflow, Malw...",[[[Software/S0021|Derusbi]] uses a backup comm...,[Axiom],"[Axiom, Group 72]",[G0001],[Command and Control],[Technique/T1008],[Fallback Channels]
8,"[Packet capture, Netflow/Enclave netflow, Malw...",[[[Software/S0017|BISCUIT]] malware contains a...,[APT1],"[APT1, Comment Crew, Comment Group, Comment Pa...",[G0006],[Command and Control],[Technique/T1008],[Fallback Channels]
9,"[Packet capture, Netflow/Enclave netflow, Malw...",[[[Software/S0023|CHOPSTICK]] can switch to a ...,[APT28],"[APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear...",[G0007],[Command and Control],[Technique/T1008],[Fallback Channels]

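The attribution records above are where a defender gets the most use out of this data: every row ties a group to a technique and to the data sources ATT&CK lists for detecting it. The following added example (not part of the Mitre-Attack-API project) pivots such records, without pandas, into a per-group technique map and a "which data source covers how many of these techniques" ranking, keeping techniques that list no data source visible as gaps. The records are constructed in the list-valued shape shown in the table; the field names are the ones in the column headers above.

```python
from collections import defaultdict

# Constructed sample records in the shape get_attribution() returns (every field is a
# list, even single-valued ones, as in the table above). Not real API output.
SAMPLE_ATTRIBUTION = [
    {"Group": ["APT32"], "Group ID": ["G0050"], "Technique ID": ["Technique/T1028"],
     "Technique Name": ["Windows Remote Management"], "Tactic": ["Execution", "Lateral Movement"],
     "Data Source": ["File monitoring", "Authentication logs", "Netflow/Enclave netflow"]},
    {"Group": ["Threat Group-3390"], "Group ID": ["G0027"], "Technique ID": ["Technique/T1028"],
     "Technique Name": ["Windows Remote Management"], "Tactic": ["Execution", "Lateral Movement"],
     "Data Source": ["File monitoring", "Authentication logs", "Netflow/Enclave netflow"]},
    {"Group": ["Moafee"], "Group ID": ["G0002"], "Technique ID": ["Technique/T1009"],
     "Technique Name": ["Binary Padding"], "Tactic": ["Defense Evasion"], "Data Source": []},
    {"Group": ["APT28"], "Group ID": ["G0007"], "Technique ID": ["Technique/T1009"],
     "Technique Name": ["Binary Padding"], "Tactic": ["Defense Evasion"], "Data Source": []},
    {"Group": ["APT28"], "Group ID": ["G0007"], "Technique ID": ["Technique/T1008"],
     "Technique Name": ["Fallback Channels"], "Tactic": ["Command and Control"],
     "Data Source": ["Packet capture", "Netflow/Enclave netflow"]},
    {"Group": ["Deep Panda"], "Group ID": ["G0009"], "Technique ID": ["Technique/T1008"],
     "Technique Name": ["Fallback Channels"], "Tactic": ["Command and Control"],
     "Data Source": ["Packet capture", "Netflow/Enclave netflow"]},
]

NO_SOURCE = "(no data source listed)"   # bucket for techniques with an empty Data Source list

def technique_id(record):
    """'Technique/T1028' -> 'T1028'; the wiki-path prefix is how these records spell IDs."""
    return record["Technique ID"][0].rsplit("/", 1)[-1]

def group_techniques(attribution):
    """Pivot attribution records into {group ID: {tactic: sorted technique IDs}}."""
    pivot = defaultdict(lambda: defaultdict(set))
    for rec in attribution:
        for tactic in rec["Tactic"]:
            pivot[rec["Group ID"][0]][tactic].add(technique_id(rec))
    return {g: {t: sorted(ids) for t, ids in tactics.items()} for g, tactics in pivot.items()}

def data_source_coverage(attribution, group_ids=None):
    """Map each data source to the technique IDs it helps detect, optionally restricted to
    techniques attributed to group_ids. Techniques without a data source are collected under
    NO_SOURCE so that detection gaps are visible instead of silently dropped."""
    coverage = defaultdict(set)
    for rec in attribution:
        if group_ids is not None and rec["Group ID"][0] not in group_ids:
            continue
        for src in rec["Data Source"] or [NO_SOURCE]:
            coverage[src].add(technique_id(rec))
    return {src: sorted(ids) for src, ids in coverage.items()}

def rank_data_sources(coverage):
    """Data sources ordered by how many attributed techniques they cover, gaps bucket last."""
    return sorted(coverage.items(), key=lambda kv: (kv[0] == NO_SOURCE, -len(kv[1]), kv[0]))
```

Passing `attack.get_attribution()` in place of the sample list gives the same pivots over the full dataset; `rank_data_sources(data_source_coverage(records, {"G0007"}))` answers which telemetry covers the most techniques attributed to one group.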

## All data

This method returns a list of dictionaries (like a JSON array), each dictionary corresponding to one group/technique pairing and carrying the attributes of both. It is all of the above information organized into one large flat table. To get all of the data, remove the `[0:15]`.

In [50]:
```python
all_data = attack.get_all()
json_normalize(all_data)[0:15]
```

Unnamed: 0,Analytic Details,Bypass,CAPEC ID,Contributor,Data Source,Description,Group,Group Alias,Group ID,Mitigation,Platform,Requires Permissions,Requires System,Tactic,Technique ID,Technique Name,URL
0,[Monitor use of WinRM within an environment by...,[],[],[],"[File monitoring, Authentication logs, Netflow...",[[[Software/S0154|Cobalt Strike]] can use <cod...,[APT32],"[APT32, OceanLotus Group]",[G0050],[Disable the WinRM service. If the service is ...,"[Windows Server 2003, Windows Server 2008, Win...","[User, Administrator]",[WinRM listener turned on and configured on re...,"[Execution, Lateral Movement]",[Technique/T1028],[Windows Remote Management],https://attack.mitre.org/wiki/Technique/T1028
1,[Monitor use of WinRM within an environment by...,[],[],[],"[File monitoring, Authentication logs, Netflow...",[[[Group/G0027|Threat Group-3390]] has used Wi...,[Threat Group-3390],"[Threat Group-3390, TG-3390, Emissary Panda, B...",[G0027],[Disable the WinRM service. If the service is ...,"[Windows Server 2003, Windows Server 2008, Win...","[User, Administrator]",[WinRM listener turned on and configured on re...,"[Execution, Lateral Movement]",[Technique/T1028],[Windows Remote Management],https://attack.mitre.org/wiki/Technique/T1028
2,"[Depending on the method used to pad files, a ...","[Anti-virus, Signature-based detection]",[572],[],[],[[[Group/G0002|Moafee]] has been known to empl...,[Moafee],[Moafee],[G0002],[Identify potentially malicious software that ...,"[Windows Server 2003, Windows Server 2008, Win...",[],[],[Defense Evasion],[Technique/T1009],[Binary Padding],https://attack.mitre.org/wiki/Technique/T1009
3,"[Depending on the method used to pad files, a ...","[Anti-virus, Signature-based detection]",[572],[],[],[A version of [[Software/S0117|XTunnel]] intro...,[APT28],"[APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear...",[G0007],[Identify potentially malicious software that ...,"[Windows Server 2003, Windows Server 2008, Win...",[],[],[Defense Evasion],[Technique/T1009],[Binary Padding],https://attack.mitre.org/wiki/Technique/T1009
4,"[Depending on the method used to pad files, a ...","[Anti-virus, Signature-based detection]",[572],[],[],[[[Software/S0137|CORESHELL]] contains unused ...,[APT28],"[APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear...",[G0007],[Identify potentially malicious software that ...,"[Windows Server 2003, Windows Server 2008, Win...",[],[],[Defense Evasion],[Technique/T1009],[Binary Padding],https://attack.mitre.org/wiki/Technique/T1009
5,"[Depending on the method used to pad files, a ...","[Anti-virus, Signature-based detection]",[572],[],[],[A variant of [[Software/S0082|Emissary]] appe...,[Lotus Blossom],"[Lotus Blossom, Spring Dragon]",[G0030],[Identify potentially malicious software that ...,"[Windows Server 2003, Windows Server 2008, Win...",[],[],[Defense Evasion],[Technique/T1009],[Binary Padding],https://attack.mitre.org/wiki/Technique/T1009
6,[Analyze network data for uncommon data flows ...,[],[],[],"[Packet capture, Netflow/Enclave netflow, Malw...",[[[Software/S0021|Derusbi]] uses a backup comm...,[Deep Panda],"[Deep Panda, Shell Crew, WebMasters, KungFu Ki...",[G0009],[Network intrusion detection and prevention sy...,"[Windows Server 2003, Windows Server 2008, Win...",[],[],[Command and Control],[Technique/T1008],[Fallback Channels],https://attack.mitre.org/wiki/Technique/T1008
7,[Analyze network data for uncommon data flows ...,[],[],[],"[Packet capture, Netflow/Enclave netflow, Malw...",[[[Software/S0021|Derusbi]] uses a backup comm...,[Axiom],"[Axiom, Group 72]",[G0001],[Network intrusion detection and prevention sy...,"[Windows Server 2003, Windows Server 2008, Win...",[],[],[Command and Control],[Technique/T1008],[Fallback Channels],https://attack.mitre.org/wiki/Technique/T1008
8,[Analyze network data for uncommon data flows ...,[],[],[],"[Packet capture, Netflow/Enclave netflow, Malw...",[[[Software/S0017|BISCUIT]] malware contains a...,[APT1],"[APT1, Comment Crew, Comment Group, Comment Pa...",[G0006],[Network intrusion detection and prevention sy...,"[Windows Server 2003, Windows Server 2008, Win...",[],[],[Command and Control],[Technique/T1008],[Fallback Channels],https://attack.mitre.org/wiki/Technique/T1008
9,[Analyze network data for uncommon data flows ...,[],[],[],"[Packet capture, Netflow/Enclave netflow, Malw...",[[[Software/S0023|CHOPSTICK]] can switch to a ...,[APT28],"[APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear...",[G0007],[Network intrusion detection and prevention sy...,"[Windows Server 2003, Windows Server 2008, Win...",[],[],[Command and Control],[Technique/T1008],[Fallback Channels],https://attack.mitre.org/wiki/Technique/T1008


## Exporting the data

With the pandas method `to_csv`, you can export any of this data to a CSV file. Many other export options are listed in the pandas API reference: http://pandas.pydata.org/pandas-docs/version/0.20.3/api.html#id12
The output of this code can be seen in the Mitre-Attack-API root folder.

In [44]:
```python
all_data = attack.get_all()
df = json_normalize(all_data)
df.to_csv('attack_all.csv')   # written to the current working directory
```