import requests

# Raw STIX 2 bundle for the ATT&CK Enterprise matrix, served from GitHub over HTTPS.
# NOTE(review): this points at the `master` branch, not a tagged release, so the
# content (and therefore the match counts) can change between runs; pin to a
# release tag or commit hash if reproducible results matter.
MITRE_ENTERPRISE_URL: str = 'https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json'

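def fetch_mitre_data(url: str = MITRE_ENTERPRISE_URL, timeout: float = 60.0) -> dict:
    """Download the ATT&CK Enterprise STIX bundle and return it parsed from JSON.

    Args:
        url: Location of the STIX JSON bundle. Defaults to MITRE_ENTERPRISE_URL.
        timeout: Seconds to wait for the connection and for each read. Without
            a timeout ``requests.get`` can block forever on a stalled peer.

    Returns:
        The decoded JSON document. The callers in this file index it as
        ``data['objects']``, i.e. they expect a STIX bundle object.

    Raises:
        requests.HTTPError: on a non-2xx status (from ``raise_for_status``).
        requests.RequestException: on connection failure or timeout.
        ValueError: if the response body is not valid JSON.
    """
    print("Fetching MITRE ATT&CK data...")
    # requests verifies the TLS certificate by default (verify=True); there is
    # no further integrity check on the bundle itself beyond that transport.
    response = requests.get(url, timeout=timeout)
    response.raise_for_status()
    return response.json()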

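def _attack_id_and_url(external_refs: list[dict]) -> tuple[str, str]:
    """Return (ATT&CK ID, attack.mitre.org URL) for one STIX object.

    ATT&CK objects carry several external references (the MITRE entry plus
    CAPEC, papers, vendor write-ups, ...). Only the one whose ``source_name``
    is ``'mitre-attack'`` holds the technique ID (e.g. T1055.011) and the
    attack.mitre.org URL, so prefer that entry. If it is absent, fall back to
    the first reference that has an ``external_id`` / ``url`` and finally to
    ``'N/A'``.
    """
    for ref in external_refs:
        if ref.get('source_name') == 'mitre-attack':
            return ref.get('external_id', 'N/A'), ref.get('url', 'N/A')
    attack_id = next((ref['external_id'] for ref in external_refs if 'external_id' in ref), 'N/A')
    url = next((ref['url'] for ref in external_refs if 'url' in ref), 'N/A')
    return attack_id, url


def find_ttps_by_description(keywords, data):
    """Return non-revoked ATT&CK techniques whose description contains every keyword.

    Matching is a case-insensitive substring test: each keyword must appear
    somewhere in the technique's ``description``. Keywords are lower-cased
    here, so callers need not pre-normalise them. An empty ``keywords``
    sequence matches every technique (``all()`` of nothing is True).

    Args:
        keywords: Iterable of search terms.
        data: Parsed STIX bundle; must have an ``objects`` list of STIX
            objects (as returned by ``fetch_mitre_data``).

    Returns:
        A list of dicts with keys ``name``, ``id``, ``url`` and
        ``description`` (the full, untruncated text), in bundle order.

    Raises:
        KeyError: if ``data`` has no ``objects`` entry.
    """
    wanted = [kw.lower() for kw in keywords]
    results = []

    for obj in data['objects']:
        # Only techniques/sub-techniques, and skip ones MITRE has revoked.
        # NOTE(review): deprecated techniques (``x_mitre_deprecated``) are not
        # filtered out here; add that if you want only current content.
        if obj.get('type') != 'attack-pattern' or obj.get('revoked', False):
            continue

        # 'description' may be missing or explicitly null in the bundle.
        description = obj.get('description') or ''
        description_lc = description.lower()
        if not all(kw in description_lc for kw in wanted):
            continue

        attack_id, url = _attack_id_and_url(obj.get('external_references', []))
        results.append({
            'name': obj.get('name'),
            'id': attack_id,
            'url': url,
            'description': description,
        })

    return results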

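def main() -> None:
    """Interactive entry point: prompt for keywords, fetch ATT&CK, print matches.

    Keywords are read as a comma-separated line, trimmed, lower-cased and
    de-blanked; every keyword must occur in a technique's description for it
    to be listed. The input is only ever used as substring search terms, so
    it reaches no shell, SQL or URL.

    Raises:
        SystemExit: with a message and non-zero status if the ATT&CK bundle
            cannot be downloaded.
    """
    user_input = input("Enter keyword(s) to search in TTP descriptions (comma-separated): ").strip()
    keywords = [kw.strip().lower() for kw in user_input.split(',') if kw.strip()]

    if not keywords:
        print("No valid keywords entered.")
        return

    try:
        data = fetch_mitre_data()
    except requests.RequestException as exc:
        # Network/HTTP failure: fail with a clear message rather than a traceback.
        raise SystemExit(f"Failed to fetch MITRE ATT&CK data: {exc}")

    matches = find_ttps_by_description(keywords, data)
    if not matches:
        print("No matching TTP descriptions found with all keywords.")
        return

    print(f"\nFound {len(matches)} matching TTP(s):\n")
    for match in matches:
        # Show a 300-character preview and mark it with '...' only when the
        # description was actually cut off.
        description = match['description']
        preview = description[:300] + ('...' if len(description) > 300 else '')
        print(f"- {match['name']} ({match['id']})")
        print(f"  {match['url']}")
        print(f"  Description: {preview}\n")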

# Run the interactive search only when executed as a script (or notebook
# cell), not when the functions above are imported elsewhere.
if __name__ == "__main__":
    main()


Enter keywords to search for TTPs (comma-separated):  privilege, command, cloud


Fetching MITRE ATT&CK data...

Found 417 matching TTP(s):

- Extra Window Memory Injection (T1055.011)
  https://attack.mitre.org/techniques/T1055/011

- Scheduled Task (T1053.005)
  https://attack.mitre.org/techniques/T1053/005

- Socket Filters (T1205.002)
  https://attack.mitre.org/techniques/T1205/002

- VNC (T1021.005)
  https://attack.mitre.org/techniques/T1021/005

- Windows Management Instrumentation (T1047)
  https://attack.mitre.org/techniques/T1047

- Boot or Logon Initialization Scripts (T1037)
  https://attack.mitre.org/techniques/T1037

- System Owner/User Discovery (T1033)
  https://attack.mitre.org/techniques/T1033

- Acquire Infrastructure (T1583)
  https://attack.mitre.org/techniques/T1583

- Rundll32 (T1218.011)
  https://attack.mitre.org/techniques/T1218/011

- Container and Resource Discovery (T1613)
  https://attack.mitre.org/techniques/T1613

- Serverless (T1583.007)
  https://attack.mitre.org/techniques/T1583/007

- Standard Encoding (T1132.001)
  https://attack