### Import Python Libraries

In [1]:
import hashlib
import io
import urllib.request

import janitor as jn
import pandas as pd

### Settings

In [3]:
# Display settings: never truncate rows, columns or line width, so the wide ATT&CK
# sheets (the techniques sheet alone has 20 columns) render in full.
# Caveat: with max_rows unset, any cell that ends in a bare frame dumps the whole
# frame into the saved notebook output - use .head()/.sample() as done below.
for display_option, display_value in (
    ('display.max_rows', None),
    ('display.max_columns', None),
    ('display.width', None),
):
    pd.set_option(display_option, display_value)

### Download MITRE ATT&CK Data Set and Convert to Pandas Data Frames

In [4]:
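# Download MITRE Enterprise ATT&CK DATA
# Pinned to one published release (v10.1) so the cells below are reproducible; a
# different release may ship different sheets/columns, so bump deliberately.
url_attack = 'https://attack.mitre.org/docs/enterprise-attack-v10.1/enterprise-attack-v10.1.xlsx'

# Expected SHA-256 of the workbook. Unset here on purpose: after a first download you
# trust, paste the printed digest in so later runs fail closed if the file served at the
# URL ever changes. The workbook is a supply-chain input - whatever the server returns is
# handed straight to the Excel parser, so pin what you parse.
EXPECTED_SHA256 = None

# Fetch the workbook ONCE and keep the bytes. The previous version called
# pd.read_excel(url_attack, ...) seven times, one HTTP fetch per sheet, and gave no
# opportunity to inspect or hash the file before parsing it.
# urllib performs TLS certificate verification with its default SSL context.
with urllib.request.urlopen(url_attack, timeout=60) as response:
    attack_xlsx_bytes = response.read()

attack_sha256 = hashlib.sha256(attack_xlsx_bytes).hexdigest()
print(f'enterprise-attack-v10.1.xlsx sha256: {attack_sha256}')
if EXPECTED_SHA256 is not None and attack_sha256 != EXPECTED_SHA256:
    raise ValueError(
        f'ATT&CK workbook hash mismatch: expected {EXPECTED_SHA256}, got {attack_sha256}'
    )

# Parse every sheet from the in-memory copy in a single pass; sheet_name=None makes
# read_excel return a dict keyed by sheet name. Each frame is identical to what a
# per-sheet read_excel(..., sheet_name='<name>') call would have produced.
attack_sheets = pd.read_excel(io.BytesIO(attack_xlsx_bytes), sheet_name=None)
df_datasources = attack_sheets['datasources']
df_tactics = attack_sheets['tactics']
df_techniques = attack_sheets['techniques']
df_relationships = attack_sheets['relationships']
df_mitigations = attack_sheets['mitigations']
df_software = attack_sheets['software']
df_groups = attack_sheets['groups']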

### Clean-up Column Names w/ Pyjanitor

In [5]:
# Clean MITRE Enterprise ATT&CK DATA
# Normalise the spreadsheet headers into the lower-case snake_case names used in
# every lookup below (e.g. the `last_modified`, `source_type`, `target_id` columns
# visible in the previews). Same jn.clean_names call per frame, just applied in one pass.
(
    df_datasources,
    df_tactics,
    df_techniques,
    df_relationships,
    df_mitigations,
    df_software,
    df_groups,
) = (
    jn.clean_names(attack_frame)
    for attack_frame in (
        df_datasources,
        df_tactics,
        df_techniques,
        df_relationships,
        df_mitigations,
        df_software,
        df_groups,
    )
)

### Perform Basic Exploratory Data Analysis

#### MITRE ATT&CK - Data Sources

In [7]:
# Preview the first three data-source rows. Note from the output: `datacomponent` rows
# have no `id`/`url`, only the parent `datasource` rows (e.g. DS0026) carry them.
df_datasources.iloc[:3]

Unnamed: 0,name,id,description,collection_layers,platforms,created,modified,type,version,url,contributors
0,Active DNS: Domain Name,,Queried domain name system (DNS) registry data...,,,20 October 2021,,datacomponent,1.0,,
1,Active Directory,DS0026,A database and set of services that allows adm...,"Cloud Control Plane, Host","Azure AD, Windows",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0026,Center for Threat-Informed Defense (CTID)
2,Active Directory Credential Request: Active Di...,,"A user requested active directory credentials,...",,,20 October 2021,,datacomponent,1.0,,


#### MITRE ATT&CK - Tactics

In [22]:
# First three tactics (TAxxxx IDs), sorted as the sheet ships them.
df_tactics.iloc[:3]

Unnamed: 0,id,name,description,url,created,last_modified
0,TA0009,Collection,The adversary is trying to gather data of inte...,https://attack.mitre.org/tactics/TA0009,17 October 2018,19 July 2019
1,TA0011,Command and Control,The adversary is trying to communicate with co...,https://attack.mitre.org/tactics/TA0011,17 October 2018,19 July 2019
2,TA0006,Credential Access,The adversary is trying to steal account names...,https://attack.mitre.org/tactics/TA0006,17 October 2018,19 July 2019


#### MITRE ATT&CK - Techniques & Sub-Techniques

In [23]:
# First three technique / sub-technique rows (`is_sub_technique` / `sub_technique_of`
# link a Txxxx.yyy row to its Txxxx parent).
# Caveat: `description` and `detection` carry ATT&CK's own markup (`<code>` tags,
# markdown links, as seen in the output). pandas' table repr escapes cell text, so it
# shows up literally; don't feed these columns to an unescaped HTML() display.
df_techniques.iloc[:3]

Unnamed: 0,id,name,description,url,created,last_modified,version,tactics,detection,platforms,data_sources,is_sub_technique,sub_technique_of,contributors,system_requirements,permissions_required,effective_permissions,defenses_bypassed,impact_type,supports_remote
0,T1548,Abuse Elevation Control Mechanism,Adversaries may circumvent mechanisms designed...,https://attack.mitre.org/techniques/T1548,30 January 2020,22 July 2020,1.0,"Defense Evasion, Privilege Escalation",Monitor the file system for files that have th...,"Linux, Windows, macOS","Command: Command Execution, File: File Metadat...",False,,,,"Administrator, User",,,,
1,T1548.002,Abuse Elevation Control Mechanism: Bypass User...,Adversaries may bypass UAC mechanisms to eleva...,https://attack.mitre.org/techniques/T1548/002,30 January 2020,22 July 2020,2.0,"Defense Evasion, Privilege Escalation",There are many ways to perform UAC bypasses wh...,Windows,"Command: Command Execution, Process: Process C...",True,T1548,Casey Smith; Stefan Kanthak,,"Administrator, User",Administrator,Windows User Account Control,,
2,T1548.004,Abuse Elevation Control Mechanism: Elevated Ex...,Adversaries may leverage the <code>Authorizati...,https://attack.mitre.org/techniques/T1548/004,30 January 2020,27 March 2020,1.0,"Defense Evasion, Privilege Escalation",Consider monitoring for <code>/usr/libexec/sec...,macOS,"Process: OS API Execution, Process: Process Cr...",True,T1548,"Erika Noerenberg, @gutterchurl, Carbon Black; ...",,"Administrator, User",root,,,


#### MITRE ATT&CK - Relationships

In [24]:
# First three edges of the relationship graph: (source, mapping_type, target) triples.
# Note from the output: datacomponent sources have an empty `source_id` in this export,
# so `source_name` is the only handle on them.
df_relationships.iloc[:3]

Unnamed: 0,source_id,source_name,source_type,mapping_type,target_id,target_name,target_type,mapping_description
0,,Active DNS,datacomponent,detects,T1583,Acquire Infrastructure,technique,
1,,Active DNS,datacomponent,detects,T1584,Compromise Infrastructure,technique,
2,,Active DNS,datacomponent,detects,T1584.002,DNS Server,technique,


#### MITRE ATT&CK - Mitigations

In [13]:
# First three mitigations (Mxxxx IDs).
df_mitigations.iloc[:3]

Unnamed: 0,id,name,description,url,created,last_modified,version
0,M1036,Account Use Policies,Configure features related to account use like...,https://attack.mitre.org/mitigations/M1036,11 June 2019,13 June 2019,1.0
1,M1015,Active Directory Configuration,Configure Active Directory to prevent use of c...,https://attack.mitre.org/mitigations/M1015,06 June 2019,29 May 2020,1.1
2,M1049,Antivirus/Antimalware,Use signatures or heuristics to detect malicio...,https://attack.mitre.org/mitigations/M1049,11 June 2019,31 March 2020,1.1


#### MITRE ATT&CK - Software

In [14]:
# First three software entries (Sxxxx IDs); `type` distinguishes malware from tools.
df_software.iloc[:3]

Unnamed: 0,id,name,description,url,created,last_modified,version,platforms,aliases,type,contributors
0,S0066,3PARA RAT,[3PARA RAT](https://attack.mitre.org/software/...,https://attack.mitre.org/software/S0066,31 May 2017,30 March 2020,1.1,Windows,,malware,
1,S0065,4H RAT,[4H RAT](https://attack.mitre.org/software/S00...,https://attack.mitre.org/software/S0065,31 May 2017,30 March 2020,1.1,Windows,,malware,
2,S0469,ABK,[ABK](https://attack.mitre.org/software/S0469)...,https://attack.mitre.org/software/S0469,10 June 2020,24 June 2020,1.0,Windows,,malware,


#### MITRE ATT&CK - Groups

In [26]:
# First three threat groups (Gxxxx IDs) with their aliases in `associated_groups`.
df_groups.iloc[:3]

Unnamed: 0,id,name,description,url,created,last_modified,version,contributors,associated_groups,associated_groups_citations
0,G0099,APT-C-36,[APT-C-36](https://attack.mitre.org/groups/G00...,https://attack.mitre.org/groups/G0099,05 May 2020,26 May 2021,1.1,Jose Luis Sánchez Martinez,Blind Eagle,(Citation: QiAnXin APT-C-36 Feb2019)
1,G0006,APT1,[APT1](https://attack.mitre.org/groups/G0006) ...,https://attack.mitre.org/groups/G0006,31 May 2017,26 May 2021,1.4,,"Comment Crew, Comment Group, Comment Panda","(Citation: Mandiant APT1), (Citation: Mandiant..."
2,G0005,APT12,[APT12](https://attack.mitre.org/groups/G0005)...,https://attack.mitre.org/groups/G0005,31 May 2017,30 March 2020,2.1,,"DNSCALC, DynCalc, IXESHE, Numbered Panda","(Citation: Moran 2014), (Citation: Meyers Numb..."


#### List of Techniques for Testing Purposes

In [27]:
# Sample (sub-)technique IDs that drive the relationship lookups below.
# Format: Txxxx for a technique, Txxxx.yyy for a sub-technique. Values must match the
# `target_id` column of the relationships sheet exactly (case and dot included), since
# the lookups use isin() and not a fuzzy match.
list_of_techniques = 'T1562.010 T1620 T1218.014 T1614.001 T1218.013'.split()

#### Get the Data Components That Detect the Listed Techniques

In [39]:
# Relationship rows whose source is a data component and whose target is one of the
# sampled techniques, i.e. the telemetry ATT&CK says can detect them.
# Note (visible in the output): datacomponent rows carry an empty `source_id`, so the
# result cannot be joined back to the datasources sheet by ID - only by `source_name`.
targets_sampled_technique = df_relationships['target_id'].isin(list_of_techniques)
source_is_data_component = df_relationships['source_type'] == 'datacomponent'
df_relationships.loc[targets_sampled_technique & source_is_data_component]

Unnamed: 0,source_id,source_name,source_type,mapping_type,target_id,target_name,target_type,mapping_description
183,,Command Execution,datacomponent,detects,T1562.010,Downgrade Attack,technique,
246,,Command Execution,datacomponent,detects,T1218.014,MMC,technique,
252,,Command Execution,datacomponent,detects,T1218.013,Mavinject,technique,
329,,Command Execution,datacomponent,detects,T1614.001,System Language Discovery,technique,
497,,File Creation,datacomponent,detects,T1218.014,MMC,technique,
843,,Module Load,datacomponent,detects,T1620,Reflective Code Loading,technique,
1149,,OS API Execution,datacomponent,detects,T1620,Reflective Code Loading,technique,
1160,,OS API Execution,datacomponent,detects,T1614.001,System Language Discovery,technique,
1256,,Process Creation,datacomponent,detects,T1562.010,Downgrade Attack,technique,
1302,,Process Creation,datacomponent,detects,T1218.014,MMC,technique,


#### Get the Mitigations That Apply to the Listed Techniques

In [29]:
# Relationship rows whose source is a mitigation (Mxxxx) and whose target is one of
# the sampled techniques. `mapping_description` holds the technique-specific guidance;
# a technique missing from the output simply has no mitigation mapped in this release.
targets_sampled_technique = df_relationships['target_id'].isin(list_of_techniques)
source_is_mitigation = df_relationships['source_type'] == 'mitigation'
df_relationships.loc[targets_sampled_technique & source_is_mitigation]

Unnamed: 0,source_id,source_name,source_type,mapping_type,target_id,target_name,target_type,mapping_description
1893,M1042,Disable or Remove Feature or Program,mitigation,mitigates,T1562.010,Downgrade Attack,technique,Consider removing previous versions of tools t...
1906,M1042,Disable or Remove Feature or Program,mitigation,mitigates,T1218.014,MMC,technique,MMC may not be necessary within a given enviro...
1908,M1042,Disable or Remove Feature or Program,mitigation,mitigates,T1218.013,Mavinject,technique,Consider removing mavinject.exe if Microsoft A...
1996,M1038,Execution Prevention,mitigation,mitigates,T1218.014,MMC,technique,Use application control configured to block ex...
2002,M1038,Execution Prevention,mitigation,mitigates,T1218.013,Mavinject,technique,Use application control configured to block ex...


### References

https://attack.mitre.org/

https://attack.mitre.org/docs/enterprise-attack-v10.1/enterprise-attack-v10.1.xlsx