cwccie/ttp-extract
ttp-extract

Extract MITRE ATT&CK TTPs from security reports, threat intelligence feeds, and incident documentation.

Problem

Security analysts spend significant time manually identifying MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) from threat reports, incident documentation, and intelligence feeds. This library automates that extraction using pattern matching and keyword-based relation extraction — no ML dependencies, no GPU required.

Features

  • Technique ID extraction — regex-based detection of T#### and T####.### patterns
  • Technique name matching — keyword lookup against a built-in knowledge base of ~50 common ATT&CK techniques
  • Behavioral indicator mapping — maps descriptive phrases (e.g., "PowerShell execution", "lateral movement via RDP") to specific technique IDs
  • Tactic identification — resolves TA#### IDs and maps techniques to their parent tactics
  • Multiple output formats — JSON, CSV, and human-readable text reports
  • CLI tool — analyze files directly from the command line
  • Lightweight — pure Python with regex-based matching, no ML/NLP dependencies

Installation

pip install ttp-extract

Or from source:

git clone https://github.com/cwccie/ttp-extract.git
cd ttp-extract
pip install -e ".[dev]"

Quick Start

Python API

from ttp_extract import TTPExtractor

extractor = TTPExtractor()

report = """
The threat actor gained initial access through spearphishing attachment (T1566.001)
emails containing macro-enabled Word documents. Upon execution, PowerShell scripts
downloaded a second-stage payload. The attacker used Mimikatz for credential dumping
from LSASS memory and moved laterally via RDP to domain controllers. Ransomware was
deployed, encrypting files and deleting shadow copies.
"""

result = extractor.extract(report, source="threat-report-2026.txt")

print(f"Found {result.count} TTPs across {len(result.tactics)} tactics")
for ttp in result.ttps:
    print(f"  [{ttp.technique_id}] {ttp.technique_name} ({ttp.confidence:.0%})")

CLI

# Analyze a threat report (text output)
ttp-extract analyze report.txt

# JSON output
ttp-extract analyze report.txt -f json

# CSV output with confidence filter
ttp-extract analyze report.txt -f csv -c 0.8

# Save to file
ttp-extract analyze report.txt -f json -o results.json

# Look up a technique
ttp-extract lookup T1059.001

# List all tactics
ttp-extract list-tactics

# List techniques filtered by tactic
ttp-extract list-techniques -t Execution

Example Output

======================================================================
MITRE ATT&CK TTP Extraction Report
======================================================================
Source: threat-report-2026.txt
Total TTPs Found: 8
Unique Techniques: 8
Tactics Covered: Initial Access, Execution, Credential Access, Lateral Movement, Impact

--------------------------------------------------
Tactic: Initial Access
--------------------------------------------------
  [T1566.001] Phishing: Spearphishing Attachment
    Confidence: 100%
    Evidence: T1566.001
    Context: ...gained initial access through spearphishing attachment (T1566.001)...

--------------------------------------------------
Tactic: Execution
--------------------------------------------------
  [T1059.001] Command and Scripting Interpreter: PowerShell
    Confidence: 75%
    Evidence: PowerShell
    Context: ...Upon execution, PowerShell scripts downloaded a second-stage...

--------------------------------------------------
Tactic: Credential Access
--------------------------------------------------
  [T1003.001] OS Credential Dumping: LSASS Memory
    Confidence: 90%
    Evidence: credential dumping from LSASS memory
    Context: ...used Mimikatz for credential dumping from LSASS memory...

--------------------------------------------------
Tactic: Impact
--------------------------------------------------
  [T1486] Data Encrypted for Impact
    Confidence: 75%
    Evidence: ransomware
    Context: ...Ransomware was deployed, encrypting files and deleting...

======================================================================

Confidence Levels

Source                  Confidence  Description
Explicit ID (T1059)     1.0         Technique ID directly referenced in text
Known sub-technique ID  1.0         Sub-technique ID found in knowledge base
Unknown sub-technique   0.8         Valid format but not in knowledge base
Technique name match    0.85        Full technique name found in text
3+ word indicator       0.9         Multi-word behavioral phrase matched
2-word indicator        0.75        Two-word behavioral phrase matched
Single-word indicator   0.6         Single keyword matched
Unknown technique ID    0.5         Valid T#### format but unknown
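To make the scoring rules above concrete, here is a self-contained reimplementation of the pipeline the Features section describes: regex detection of T#### / T####.### IDs, full-name lookup against a knowledge base, behavioral-indicator matching with word-count-based confidence, and one entry per technique keeping the strongest evidence. This is an added example, not code from ttp-extract; the five-entry knowledge base, the indicator phrases and the function names (extract, score_explicit_id, score_indicator, tactics_covered) are constructed for illustration and are not the library's API. It also handles one failure mode a naive implementation misses: multi-word indicators that span a line break in the source report.

```python
import re
from dataclasses import dataclass

# Constructed, deliberately small knowledge base: the ATT&CK IDs from the
# README's sample report with name and parent tactic (the library ships ~50).
KNOWLEDGE_BASE = {
    "T1566.001": ("Phishing: Spearphishing Attachment", "Initial Access"),
    "T1059.001": ("Command and Scripting Interpreter: PowerShell", "Execution"),
    "T1003.001": ("OS Credential Dumping: LSASS Memory", "Credential Access"),
    "T1021.001": ("Remote Services: Remote Desktop Protocol", "Lateral Movement"),
    "T1486": ("Data Encrypted for Impact", "Impact"),
}

# Constructed behavioral indicators: lower-cased phrase -> technique ID.
# The phrase's word count drives confidence, per the table above.
INDICATORS = {
    "spearphishing attachment": "T1566.001",
    "powershell": "T1059.001",
    "credential dumping from lsass memory": "T1003.001",
    "lsass memory": "T1003.001",
    "laterally via rdp": "T1021.001",
    "ransomware": "T1486",
}

# T#### with optional .### sub-technique; \b keeps "T10590" from matching.
TECHNIQUE_ID_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


@dataclass(frozen=True)
class TTP:
    technique_id: str
    technique_name: str
    tactic: str
    confidence: float
    evidence: str


def score_explicit_id(technique_id: str) -> float:
    """1.0 if known; 0.8 for a well-formed unknown sub-technique; else 0.5."""
    if technique_id in KNOWLEDGE_BASE:
        return 1.0
    return 0.8 if "." in technique_id else 0.5


def score_indicator(phrase: str) -> float:
    """0.9 for a 3+ word phrase, 0.75 for two words, 0.6 for a single keyword."""
    words = len(phrase.split())
    if words >= 3:
        return 0.9
    return 0.75 if words == 2 else 0.6


def _keep_best(found: dict, ttp: TTP) -> None:
    """One entry per technique ID, keeping the highest-confidence evidence."""
    current = found.get(ttp.technique_id)
    if current is None or ttp.confidence > current.confidence:
        found[ttp.technique_id] = ttp


def extract(text: str) -> list[TTP]:
    found: dict[str, TTP] = {}

    # Pass 1: explicit technique IDs in the raw text.
    for match in TECHNIQUE_ID_RE.finditer(text):
        tid = match.group(0)
        name, tactic = KNOWLEDGE_BASE.get(tid, ("Unknown technique", "Unknown"))
        _keep_best(found, TTP(tid, name, tactic, score_explicit_id(tid), tid))

    # Reports wrap lines mid-phrase ("credential dumping\nfrom LSASS"), so
    # collapse whitespace first or multi-word indicators silently miss.
    normalized = " ".join(text.lower().split())

    # Pass 2: full technique names from the knowledge base.
    for tid, (name, tactic) in KNOWLEDGE_BASE.items():
        if name.lower() in normalized:
            _keep_best(found, TTP(tid, name, tactic, 0.85, name))

    # Pass 3: behavioral indicators, anchored on word boundaries so a keyword
    # does not fire on an unrelated longer token that merely contains it.
    for phrase, tid in INDICATORS.items():
        if re.search(r"\b" + re.escape(phrase) + r"\b", normalized):
            name, tactic = KNOWLEDGE_BASE[tid]
            _keep_best(found, TTP(tid, name, tactic, score_indicator(phrase), phrase))

    return sorted(found.values(), key=lambda t: (-t.confidence, t.technique_id))


def tactics_covered(ttps: list[TTP]) -> list[str]:
    return sorted({t.tactic for t in ttps})


# The README's own sample report, reused here as input.
SAMPLE_REPORT = """
The threat actor gained initial access through spearphishing attachment (T1566.001)
emails containing macro-enabled Word documents. Upon execution, PowerShell scripts
downloaded a second-stage payload. The attacker used Mimikatz for credential dumping
from LSASS memory and moved laterally via RDP to domain controllers. Ransomware was
deployed, encrypting files and deleting shadow copies.
"""

if __name__ == "__main__":
    ttps = extract(SAMPLE_REPORT)
    print(f"Found {len(ttps)} TTPs across {len(tactics_covered(ttps))} tactics")
    for t in ttps:
        print(f"  [{t.technique_id}] {t.technique_name} ({t.confidence:.0%}) <- {t.evidence}")
```

Run on the sample report, the explicit T1566.001 scores 1.0 and wins over the 0.75 "spearphishing attachment" phrase for the same ID, the five-word LSASS phrase scores 0.9 and beats the two-word "lsass memory" hit, and "laterally via rdp" maps to the Lateral Movement tactic that the indicator-only passes would otherwise miss. The whitespace normalization is the detail worth carrying into any real extractor: the sample report breaks "credential dumping" and "from LSASS memory" across lines, and without it the strongest indicator never fires.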

Development

# Install dev dependencies
pip install -e ".[dev]"

# Run tests
pytest -v --cov=ttp_extract

# Lint
ruff check src/ tests/

License

MIT License. Copyright (c) 2026 Corey Wade.
