In [1]:
# Install mitreattack-python if not already installed
# pip install mitreattack-python

# %%
import mitreattack.attackToExcel.attackToExcel as attackToExcel
import mitreattack.attackToExcel.stixToDf as stixToDf

# Download and parse ATT&CK STIX data
attackdata = attackToExcel.get_stix_data("enterprise-attack")
techniques_data = stixToDf.techniquesToDf(attackdata, "enterprise-attack")

# Extract the techniques DataFrame
techniques_df = techniques_data["techniques"]

# Print all techniques with ID containing 'T1102'
print(techniques_df[techniques_df["ID"].str.contains("T1102")]["name"])

# Extract citations mentioning LOLBAS Wmic
citations_df = techniques_data["citations"]
print(citations_df[citations_df["reference"].str.contains("LOLBAS Wmic")])

# %%
# Print column names (for reference)
print(techniques_df.columns)

# %%
# Keep only 'ID' and 'description' columns
techniques_df = techniques_df[["ID", "description"]]

# %%
# Save to Excel
techniques_df.to_excel("techniques.xlsx", index=False)


[32m2025-06-09 01:46:24.261[0m | [1mINFO    [0m | [36mmitreattack.attackToExcel.attackToExcel[0m:[36mget_stix_data[0m:[36m69[0m - [1mDownloading ATT&CK data from github.com/mitre/cti[0m
parsing techniques: 100%|██████████| 679/679 [00:00<00:00, 1541.89it/s]
parsing relationships for type=technique: 100%|██████████| 20411/20411 [00:01<00:00, 16437.00it/s]


366                                 Web Service
497    Web Service: Bidirectional Communication
657             Web Service: Dead Drop Resolver
417          Web Service: One-Way Communication
Name: name, dtype: object
        reference                                           citation  \
1974  LOLBAS Wmic  LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2...   

                                                    url  
1974  https://lolbas-project.github.io/lolbas/Binari...  
Index(['ID', 'STIX ID', 'name', 'description', 'url', 'created',
       'last modified', 'domain', 'version', 'tactics', 'detection',
       'platforms', 'data sources', 'is sub-technique', 'sub-technique of',
       'contributors', 'impact type', 'supports remote',
       'relationship citations'],
      dtype='object')


In [2]:
pip install pandas

Collecting pandas
  Using cached pandas-2.3.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (91 kB)
Collecting pytz>=2020.1 (from pandas)
  Using cached pytz-2025.2-py2.py3-none-any.whl.metadata (22 kB)
Collecting tzdata>=2022.7 (from pandas)
  Using cached tzdata-2025.2-py2.py3-none-any.whl.metadata (1.4 kB)
Using cached pandas-2.3.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (12.0 MB)
Using cached pytz-2025.2-py2.py3-none-any.whl (509 kB)
Using cached tzdata-2025.2-py2.py3-none-any.whl (347 kB)
Installing collected packages: pytz, tzdata, pandas
Successfully installed pandas-2.3.0 pytz-2025.2 tzdata-2025.2
Note: you may need to restart the kernel to use updated packages.


In [3]:
import pandas as pd

cve = pd.read_csv("Att&ckToCveMappings.csv")
print(cve['CVE ID'].value_counts())

CVE ID
CVE-2019-13541    2
CVE-2018-11049    2
CVE-2019-10980    2
CVE-2014-6287     1
CVE-2014-6120     1
                 ..
CVE-2019-13511    1
CVE-2020-12038    1
CVE-2019-6563     1
CVE-2018-19007    1
CVE-2018-7520     1
Name: count, Length: 836, dtype: int64


In [10]:
import pandas as pd

# Load the dataset
df = pd.read_excel("cve_single_technique.xlsx")

attack


Unnamed: 0,CVE_ID,MITRE_Technique_Numbers,CVE_Description
0,CVE-2019-15243,T1059,Multiple vulnerabilities in Cisco SPA100 Serie...
1,CVE-2019-15243,T1190,Multiple vulnerabilities in Cisco SPA100 Serie...
2,CVE-2019-15243,T1078,Multiple vulnerabilities in Cisco SPA100 Serie...
3,CVE-2019-15976,T1068,Multiple vulnerabilities in the authentication...
4,CVE-2019-15976,T1059,Multiple vulnerabilities in the authentication...
...,...,...,...
1709,CVE-2018-19833,T1565.001,The owned function of a smart contract impleme...
1710,CVE-2019-13533,T855,"In Omron PLC CJ series, all versions, and Omro..."
1711,CVE-2019-13533,T842,"In Omron PLC CJ series, all versions, and Omro..."
1712,CVE-2019-10980,T873,A type confusion vulnerability may be exploite...


In [12]:
# Clean the data first
techniques = df['MITRE_Technique_Numbers'].dropna().astype(str).str.strip()

# Now count techniques
main_tech = techniques[~techniques.str.contains('.', regex=False)]
sub_tech = techniques[techniques.str.contains('.', regex=False)]

print(f"Unique main techniques: {main_tech.nunique()}")
print(f"Unique sub-techniques: {sub_tech.nunique()}")


Unique main techniques: 91
Unique sub-techniques: 46


In [16]:
df['CVE_ID'].nunique()

836