MITRE ATT&CK Lookup Tool
Project description
(ASCII art logo)
by Curated Intelligence
attack-lookup is a tool that lets you check which Tactic, Technique, or Sub-technique ID maps to which name, and vice versa. It can be used interactively, for batch processing, or as a library in your own tooling.
Installation
attack-lookup can be installed from PyPI:
$ pip install attack-lookup
It can also be installed manually:
$ git clone https://github.com/curated-intel/attack-lookup.git
$ cd attack-lookup
$ python setup.py install --user
Usage
$ attack-lookup --help
usage: attack-lookup [-h] [-v VERSION] [-m {enterprise,ics,mobile}] [-O] [-i INPUT] [-o OUTPUT] [--output-mode {results,csv}]
MITRE ATT&CK Lookup Tool
optional arguments:
-h, --help show this help message and exit
-v VERSION, --version VERSION
ATT&CK matrix version to use (default: v15)
-m {enterprise,ics,mobile}, --matrix {enterprise,ics,mobile}
ATT&CK matrix to use (default: enterprise)
-O, --offline Run in offline mode (default: False)
-i INPUT, --input INPUT
Path to input file (one lookup value per line) (default: None)
-o OUTPUT, --output OUTPUT
Path to output file (default: -)
--output-mode {results,csv}
Mode for output file ("result" only has the lookup results, "csv" outputs a CSV with the lookup and result values (default: results)
By default, attack-lookup uses the latest version of the Enterprise matrix. In online mode (the default), attack-lookup pulls the latest matrix from MITRE's GitHub repo on every run, and the -v/--version value is ignored. In offline mode (-O), no network request is made; the tool uses whichever matrix versions are shipped under attack_lookup/data, so offline mode with an explicit version is the way to get reproducible mappings (ATT&CK renames, merges and revokes techniques between releases).
You can use attack-lookup in interactive or batch mode:
$ attack-lookup
(loading latest enterprise matrix...done)
Running attack-lookup in interactive mode, exit with (q)uit. Enter one or more values to lookup, separated by a comma.
ATT&CK> T1539
Steal Web Session Cookie
ATT&CK>
For batch mode, specify an input file (one lookup value per line) and optionally an output file and output mode. By default, output goes to stdout. In the examples below the input file test contains the three lines TA0009, External Remote Services and T1120.
$ attack-lookup -i test
(loading latest enterprise matrix...done)
Collection
T1133
Peripheral Device Discovery
$ attack-lookup -i test --output-mode=csv
(loading latest enterprise matrix...done)
TA0009,Collection
External Remote Services,T1133
T1120,Peripheral Device Discovery
$ attack-lookup -i test --output-mode=csv -o out_file
(loading latest enterprise matrix...done)
Wrote output data to out_file
If multiple mappings exist (e.g., "Domains", which is the name of a sub-technique under both T1583 and T1584), attack-lookup will list all possible values instead of picking one:
ATT&CK> Domains
Multiple possible values: T1583.001, T1584.001
API
You can also use attack-lookup in your own scripts:
from attack_lookup import AttackMapping

# version is ignored when running online (offline=False), FYSA
mapping = AttackMapping(matrix="enterprise", version="v15", offline=False)

# load the data; this can take ~10 sec (in online mode it fetches the matrix from GitHub)
if not mapping.load_data():
    print("failed to load data")
else:
    print(mapping.lookup("T1574"))  # prints "Hijack Execution Flow"
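To show what the batch/CSV mode and the API above are doing under the hood, here is an added example (not attack-lookup's own code) that builds an ID/name index from an ATT&CK STIX bundle, the format MITRE publishes in its mitre/cti GitHub repository (e.g. enterprise-attack/enterprise-attack.json). It resolves IDs to names and names to IDs, reports ambiguous names such as "Domains" as a list rather than guessing, and hides revoked or deprecated objects unless asked for. SAMPLE_BUNDLE is a constructed miniature in that format; the class and function names are choices made here.

```python
"""Name/ID lookup over a MITRE ATT&CK STIX bundle (added example, not project code)."""
import csv
import io
import json
import re
from collections import defaultdict

# Constructed sample bundle: the shape of MITRE's enterprise-attack.json, trimmed
# to the fields this lookup needs. Not real MITRE data.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "x-mitre-tactic", "name": "Collection",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0009"}]},
        {"type": "attack-pattern", "name": "External Remote Services",
         "external_references": [
             {"source_name": "mitre-attack", "external_id": "T1133"},
             # references to other sources must be skipped when extracting the ID
             {"source_name": "constructed-vendor-report", "description": "(constructed)"}]},
        {"type": "attack-pattern", "name": "Peripheral Device Discovery",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1120"}]},
        {"type": "attack-pattern", "name": "Steal Web Session Cookie",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1539"}]},
        # two sub-techniques share the name "Domains": a name lookup is ambiguous
        {"type": "attack-pattern", "name": "Domains", "x_mitre_is_subtechnique": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1583.001"}]},
        {"type": "attack-pattern", "name": "Domains", "x_mitre_is_subtechnique": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1584.001"}]},
        # revoked objects stay in the bundle; hide them unless explicitly requested
        {"type": "attack-pattern", "name": "Component Object Model and Distributed COM",
         "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1175"}]},
        {"type": "relationship", "relationship_type": "uses"},
    ],
})

# TAxxxx (tactic), Txxxx (technique), Txxxx.xxx (sub-technique)
ATTACK_ID = re.compile(r"TA?\d{4}(?:\.\d{3})?")


def attack_id(obj):
    """Return the ATT&CK ID of a STIX object, taken only from the mitre-attack reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None


class AttackIndex:
    def __init__(self, bundle_json, include_revoked=False):
        bundle = json.loads(bundle_json)
        self.id_to_name = {}
        self.name_to_ids = defaultdict(list)
        for obj in bundle["objects"]:
            if obj.get("type") not in ("attack-pattern", "x-mitre-tactic"):
                continue  # relationships, groups, software etc. carry no T/TA IDs
            if not include_revoked and (obj.get("revoked") or obj.get("x_mitre_deprecated")):
                continue
            ext_id = attack_id(obj)
            if ext_id is None:
                continue
            self.id_to_name[ext_id] = obj["name"]
            self.name_to_ids[obj["name"].casefold()].append(ext_id)

    def lookup(self, value):
        """ID -> [name], name -> [id, ...]; [] means no match, 2+ IDs means ambiguous."""
        value = value.strip()
        if ATTACK_ID.fullmatch(value.upper()):
            name = self.id_to_name.get(value.upper())
            return [name] if name else []
        return sorted(self.name_to_ids.get(value.casefold(), []))


def batch_csv(index, values):
    """lookup,result rows like the CLI's csv output mode. Choice made here: an
    ambiguous name yields one row per candidate ID, a miss an empty result column."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for value in values:
        for result in index.lookup(value) or [""]:
            writer.writerow([value.strip(), result])
    return out.getvalue()


if __name__ == "__main__":
    index = AttackIndex(SAMPLE_BUNDLE)
    print(index.lookup("T1539"))    # ['Steal Web Session Cookie']
    print(index.lookup("Domains"))  # ['T1583.001', 'T1584.001']
    print(batch_csv(index, ["TA0009", "External Remote Services", "T1120"]), end="")
```

To run it against a real matrix, pass the contents of a downloaded enterprise-attack.json to AttackIndex instead of SAMPLE_BUNDLE. Keeping the bundle file on disk and pinning its ATT&CK version is the offline-mode equivalent of the CLI's -O flag.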
Download files
Source Distribution
Built Distribution
File details
Details for the file attack_lookup-1.0.3.tar.gz.
File metadata
- Download URL: attack_lookup-1.0.3.tar.gz
- Upload date:
- Size: 7.1 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.0.0 CPython/3.11.8
File hashes
Algorithm | Hash digest
---|---
SHA256 | 823fd40848499c12172a8e913a56481c58b79732c439c7694e476b37b21daf3a
MD5 | 519d15a05e993989841444a0bbe86930
BLAKE2b-256 | cd0f736c2b3b21e56ba2f096b7845cba4c6a05218390bd03056d34cb8cb272ca
File details
Details for the file attack_lookup-1.0.3-py3-none-any.whl.
File metadata
- Download URL: attack_lookup-1.0.3-py3-none-any.whl
- Upload date:
- Size: 7.1 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.0.0 CPython/3.11.8
File hashes
Algorithm | Hash digest
---|---
SHA256 | 44f46fd971a63b6eb4dcd00ae38eb2d3d7e80704f1deeef3e94c870260c1aaf6
MD5 | 776399bbfa965425abfde737e694ecac
BLAKE2b-256 | 409053b142eec6fbc44eb893b45fab69062a3487ade84ab165dcc09bba02dba3
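Since neither artifact was uploaded via Trusted Publishing, there is no publisher attestation to check; the digests published above are what you pin against (SHA256, not MD5, which is not collision-resistant). The following is an added example, not part of the project, that checks a downloaded sdist or wheel against those SHA256 values and emits a pip requirements line for hash-checking mode. The function names and the requirements-file approach are choices made here.

```python
"""Hash-pin the attack-lookup 1.0.3 release artifacts (added example, not project code)."""
import hashlib
import hmac
import os

# SHA256 digests copied from the PyPI file details for release 1.0.3.
PINNED_SHA256 = {
    "attack_lookup-1.0.3.tar.gz":
        "823fd40848499c12172a8e913a56481c58b79732c439c7694e476b37b21daf3a",
    "attack_lookup-1.0.3-py3-none-any.whl":
        "44f46fd971a63b6eb4dcd00ae38eb2d3d7e80704f1deeef3e94c870260c1aaf6",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_digest(filename: str, data: bytes) -> bool:
    """True if data matches the pinned digest for filename's basename.
    A filename with no pinned digest is an error, never a silent pass."""
    expected = PINNED_SHA256.get(os.path.basename(filename))
    if expected is None:
        raise KeyError(f"no pinned digest for {filename}")
    return hmac.compare_digest(sha256_hex(data), expected)


def verify_file(path: str) -> bool:
    """Check a file fetched with e.g. `pip download --no-deps attack-lookup==1.0.3`."""
    with open(path, "rb") as fh:
        return check_digest(path, fh.read())


def requirements_line(package="attack-lookup", version="1.0.3", digests=PINNED_SHA256):
    """One requirements.txt line that pip accepts under --require-hashes.
    Listing both the sdist and the wheel digests lets pip install either artifact."""
    hashes = " ".join(f"--hash=sha256:{d}" for d in digests.values())
    return f"{package}=={version} {hashes}"


if __name__ == "__main__":
    print(requirements_line())
```

Write the printed line to requirements.txt and install with pip install --require-hashes -r requirements.txt; pip then refuses any artifact whose digest differs from the pinned values, including a tampered mirror copy. Note that hash-checking mode applies to every package in the resolution, so the project's dependencies must be pinned with hashes in the same file or the install fails.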