A Python package to interact with the Mitre ATT&CK Frameworks
Project description
Welcome to pyattck's Documentation
.______ ____ ____ ___ .___________.___________. ______ __ ___
| _ \ \ \ / / / \ | | | / || |/ /
| |_) | \ \/ / / ^ \ `---| |----`---| |----`| ,----'| ' /
| ___/ \_ _/ / /_\ \ | | | | | | | <
| | | | / _____ \ | | | | | `----.| . \
| _| |__| /__/ \__\ |__| |__| \______||__|\__\
A Python package to interact with MITRE ATT&CK Frameworks
Current Version is 4.0.0
pyattck is a light-weight framework for MITRE ATT&CK Frameworks. This package extracts details from the MITRE Enterprise, PRE-ATT&CK, and Mobile Frameworks.
Features
The pyattck package retrieves all Tactics, Techniques, Actors, Malware, Tools, and Mitigations from the MITRE ATT&CK Frameworks as well as any defined relationships within the MITRE ATT&CK dataset.
In addition, Techniques, Actors, and Tools (if applicable) now have collected data from third-party resources that are accessible via properties on a technique. For more detailed information about these features, see External Datasets.
The pyattck package allows you to:
- Specify a URL or local file path for the MITRE ATT&CK Enterprise Framework json, generated dataset, and/or a config.yml file.
- Retrieve an image_logo of an actor (when available). If an image_logo isn't available, it generates an ascii_logo.
- Search the external dataset for external commands that are similar using
search_commands
. - Access data from the MITRE PRE-ATT&CK Framework
- Access data from the MITRE Mobile ATT&CK Framework
- Access subtechniques as nested objects or you can turn it off and access as normal technique
- Access compliance controls (currently NIST 800-53) related to a MITRE ATT&CK Technique
Table of Contents
Installation
You can install pyattack on OS X, Linux, or Windows. You can also install it directly from the source. To install, see the commands under the relevant operating system heading, below.
Prerequisites
The following libraries are required and installed by pyattck:
requests
pendulum>=1.2.3,<1.3
pyfiglet==0.8.post1
PyYaml>=5.4.1
Pillow==8.2.0
fire==0.3.1
macOS, Linux and Windows:
pip install pyattck
Installing from source
git clone https://github.com/swimlane/pyattck.git
cd pyattck
python setup.py install
Usage example
To use pyattck you must instantiate an Attck object. Although you can interact directly with each class, the intended use is through a Attck object:
from pyattck import Attck
attack = Attck()
By default, subtechniques
are accessible under each technique object. You can turn this behavior off by passing nested_subtechniques=False
when creating your Attck
object.
As an example, the default behavior looks like the following example:
from pyattck import Attck
attack = Attck()
for technique in attack.enterprise.techniques:
print(technique.id)
print(technique.name)
for subtechnique in technique.subtechniques:
print(subtechnique.id)
print(subtechnique.name)
You can access the following main
properties on your Attck object:
- enterprise
- preattack
- mobile
Once you specify the MITRE ATT&CK Framework, you can access additional properties.
Here are the accessible objects under the Enterprise property:
For more information on object types under the enterprise
property, see Enterprise.
Here are the accessible objects under the PreAttck property:
For more information on object types under the preattck
property, see PreAttck.
Here are the accessible objects under the Mobile property:
For more information on object types under the mobile
property, see Mobile.
Configuration
pyattck
allows you to configure if you store external data and where it is stored.
from pyattck import Attck
attck = Attck(
nested_subtechniques=True,
use_config=False,
save_config=False,
config_file_path='~/pyattck/config.yml',
data_path='~/pyattck/data',
enterprise_attck_json="https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json",
pre_attck_json="https://raw.githubusercontent.com/mitre/cti/master/pre-attack/pre-attack.json",
mobile_attck_json="https://raw.githubusercontent.com/mitre/cti/master/mobile-attack/mobile-attack.json",
nist_controls_json="https://raw.githubusercontent.com/center-for-threat-informed-defense/attack-control-framework-mappings/master/frameworks/nist800-53-r4/stix/nist800-53-r4-controls.json",
generated_attck_json="https://github.com/swimlane/pyattck/blob/master/generated_attck_data.json?raw=True",
generated_nist_json="https://github.com/swimlane/pyattck/blob/master/attck_to_nist_controls.json?raw=True",
**kwargs
)
By default, pyattck
will (now) pull the latest external data from their respective locations using HTTP GET requests. pyattck
currently pulls from the following locations:
- enterprise_attck_json="https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json"
- pre_attck_json="https://raw.githubusercontent.com/mitre/cti/master/pre-attack/pre-attack.json"
- mobile_attck_json="https://raw.githubusercontent.com/mitre/cti/master/mobile-attack/mobile-attack.json"
- nist_controls_json="https://raw.githubusercontent.com/center-for-threat-informed-defense/attack-control-framework-mappings/master/frameworks/nist800-53-r4/stix/nist800-53-r4-controls.json"
- generated_attck_json="https://github.com/swimlane/pyattck/blob/master/generated_attck_data.json?raw=True"
- generated_nist_json="https://github.com/swimlane/pyattck/blob/master/attck_to_nist_controls.json?raw=True"
You have several options when instantiating the Attck
object. As of 4.0.0
you can now specify any of the following options:
- use_config - When you specify this argument as
True
pyattck will attempt to retrieve the configuration specified in theconfig_file_path
location. If this file is corrupted or cannot be found, we will default to retrieving data from the specified*_attck_json
locations. - save_config - When you specify this argument as
True
pyattck will save the configuration file to the specified location set byconfig_file_path
. Additionally, we will save all downloaded files to thedata_path
location specified. If you have specified a local path location instead of a download URL for any of the*_attck_json
parameters we will save this location in our configuration and reference this location going forward. - config_file_path - The path to store a configuration file. Default is
~/pyattck/config.yml
- data_path - The path to store any data files downloaded to the local system. Default is
~/pyattck/data
JSON Locations
Additionally, you can specify the location for each individual *_attck_json
files by passing in either a URI or a local file path. If you have passed in a local file path, we will simply read from this file.
If you have used the default values or specified an alternative URI location to retrieve these JSON files from, you can additionally pass in **kwargs
that will be passed along to the Requests
python package when performing any HTTP requests.
Note
We understand that there are many different open-source projects being released, even on a daily basis, but we wanted to provide a straightforward Python package that allowed the user to identify known relationships between all verticals of the MITRE ATT&CK Framework.
If you are unfamiliar with the MITRE ATT&CK Framework, there are a few key components to ensure you have a firm grasp around. The first is Tactics & Techniques. When looking at the MITRE ATT&CK Framework, the Tactics are the columns and represent the different phases of an attack.
The MITRE ATT&CK Framework is NOT an all encompassing/defacto security coverage map - it is rather a FRAMEWORK and additional avenues should also be considered when assessing your security posture.
Techniques are the rows of the framework and are categorized underneath specific Tactics (columns). They are data points within the framework that provides guidance when assessing your security gaps. Additionally, (most) Techniques contain mitigation guidance in addition to information about their relationship to tools, malware, and even actors/groups that have used this technique during recorded attacks.
This means, if your organization is focused on TTPs (Tactics Techniques and Procedures) used by certain actors/groups then MITRE ATT&CK Framework is perfect for you. If you are not at this security maturing within your organization, no worries! The ATT&CK Framework still provides really good guidance in a simple and straightforward layout, but programmatically it is not straightforward--especially if you wanted to measure (or map) your security controls using the framework.
Developing and Testing
You can add features or bugs or run the code in a development environment.
-
To get a development and testing environment up and running, use this Dockerfile.
-
To use the
Dockerfile
run, cd to this repository directory and run:
docker build --force-rm -t pyattck .
- Next, run the docker container:
docker run pyattck
Running this calls the test python file in bin/test.py.
- Modify the test python file for additional testing and development.
Running the tests
Tests within this project should cover all available properties and methods. As this project grows the tests will become more robust but for now we are testing that they exist and return outputs.
Contributing
Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.
Versioning
We use SemVer for versioning.
Change Log
For details on features for a specific version of pyattck
, see the CHANGELOG.md.
Authors
- Josh Rickard - Initial work - MSAdministrator
See also the list of contributors.
License
This project is licensed under the MIT License.
Acknowledgments
First of all, I would like to thank everyone who contributes to open-source projects, especially the maintainers and creators of these projects. Without them, this capability would not be possible.
This data set is generated from many different sources. As we continue to add more sources, we will continue to add them here. Again thank you to all of these projects. In no particular order, pyattck
utilizes data from the following projects:
- Mitre ATT&CK APT3 Adversary Emulation Field Manual
- Atomic Red Team (by Red Canary)
- Atomic Threat Coverage
- attck_empire (by dstepanic)
- sentinel-attack (by BlueTeamLabs)
- Litmus_test (by Kirtar22)
- nsm-attack (by oxtf)
- osquery-attck (by teoseller)
- Mitre Stockpile
- SysmonHunter (by baronpan)
- ThreatHunting-Book (by 12306Bro)
- threat_hunting_tables (by dwestgard)
- APT Groups & Operations
- C2Matrix (by @jorgeorchilles, @brysonbort, @adam_mashinchi)
- Elemental
- MalwareArchaeology - ATTACK
- Attack-Technique-Dataset
.. toctree::
:titlesonly:
configuration
pyattck/attck
dataset/dataset
enterprise/enterprise
preattck/preattck
mobile/mobileattck
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file pyattck-dev-4.0.2.tar.gz
.
File metadata
- Download URL: pyattck-dev-4.0.2.tar.gz
- Upload date:
- Size: 916.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.1 importlib_metadata/4.0.1 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.6.5
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | dfca40bb49b98897a9964d04579c747f3ccd8ac9e18f5353d067f728d7c503b4 |
|
MD5 | 5ed02e7c82efbbc33c2928ffc2cd08a3 |
|
BLAKE2b-256 | 7515b6d1560748cb1dab955badb2a7e0142c010ee4f530d7cf352c449f2ac10f |
File details
Details for the file pyattck_dev-4.0.2-py3-none-any.whl
.
File metadata
- Download URL: pyattck_dev-4.0.2-py3-none-any.whl
- Upload date:
- Size: 937.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.1 importlib_metadata/4.0.1 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.6.5
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 7ccfd5617c30d579526ab055834b6967355d494f951c4537362ffe905103f4e0 |
|
MD5 | c54df4558243ce859fc5eb8cd5c9b580 |
|
BLAKE2b-256 | 0b4baaf2bcd6cee8b7389329f8217a04b7bed14b13dc0e80ff0898f3eab7ded2 |