
A Python package to interact with the Mitre ATT&CK Frameworks

Project description

pyattck

Welcome to pyattck's Documentation

    .______   ____    ____  ___   .___________.___________.  ______  __  ___
    |   _  \  \   \  /   / /   \  |           |           | /      ||  |/  /
    |  |_)  |  \   \/   / /  ^  \ `---|  |----`---|  |----`|  ,----'|  '  /
    |   ___/    \_    _/ /  /_\  \    |  |        |  |     |  |     |    <
    |  |          |  |  /  _____  \   |  |        |  |     |  `----.|  .  \
    | _|          |__| /__/     \__\  |__|        |__|      \______||__|\__\

A Python package to interact with MITRE ATT&CK Frameworks

pyattck is a light-weight framework for MITRE ATT&CK Frameworks. This package extracts details from the MITRE Enterprise, PRE-ATT&CK, and Mobile Frameworks.

Features

The pyattck package retrieves all Tactics, Techniques, Actors, Malware, Tools, and Mitigations from the MITRE ATT&CK Frameworks as well as any defined relationships within the MITRE ATT&CK dataset. In addition, Techniques, Actors, and Tools (if applicable) now have collected data from third-party resources that are accessible via properties on a technique. For more detailed information about these features, see External Datasets.

The pyattck package allows you to:

  • Update or sync the external datasets by calling the update() method on an Attck object. By default it checks for updates every 30 days.
  • Specify a local file path for the MITRE ATT&CK Enterprise Framework json, generated dataset, and/or a config.yml file.
  • Retrieve an image_logo of an actor (when available). If an image_logo isn't available, it generates an ascii_logo.
  • Search the external dataset for external commands that are similar using search_commands.
  • Access data from the MITRE PRE-ATT&CK Framework
  • Access data from the MITRE Mobile ATT&CK Framework

Installation

You can install pyattck on OS X, Linux, or Windows. You can also install it directly from the source. To install, see the commands under the relevant operating system heading, below.

Prerequisites

The following libraries are required and installed by pyattck:

requests
pendulum>=1.2.3,<1.3
pyfiglet==0.8.post1
PyYaml>=5.0
Pillow==7.1.2
fire==0.3.1

OS X & Linux:

pip install pyattck

Windows:

pip install pyattck

Installing from source

git clone git@github.com:swimlane/pyattck.git
cd pyattck
python setup.py install

Usage example

To use pyattck you must instantiate an Attck object. Although you can interact directly with each class, the intended use is through a Attck object:

from pyattck import Attck

attack = Attck()

By default, subtechniques are accessible under each technique object. You can turn this behavior off by passing nested_subtechniques=False when creating your Attck object.

As an example, the default behavior looks like the following example:

from pyattck import Attck

attack = Attck()

for technique in attack.enterprise.techniques:
    print(technique.id)
    print(technique.name)
    for subtechnique in technique.subtechniques:
        print(subtechnique.id)
        print(subtechnique.name)
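The nesting and relationship lookups described above, shown as an added example that is not pyattck's own code: it reads a constructed miniature of the MITRE enterprise-attack.json STIX bundle (made-up ids T9001, T9001.001, T9002 and G9001) and resolves technique-to-tactic, sub-technique-to-parent and actor-uses-technique relationships the way the nested_subtechniques option behaves. The field names (attack-pattern, kill_chain_phases, x_mitre_is_subtechnique, subtechnique-of, uses) are those of the MITRE STIX dataset; the function names load_techniques, actors_using and mitre_id are assumptions of this example.

```python
"""Build nested technique/sub-technique objects from an ATT&CK STIX bundle.

Added example, not pyattck's own code. It shows the relationships pyattck
resolves (technique -> tactic, sub-technique -> parent, actor -> technique)
using the STIX fields found in MITRE's enterprise-attack.json.
"""
import json

# Constructed miniature of enterprise-attack.json. The real file has thousands
# of objects; the ids and names below are made up for this example.
SAMPLE_BUNDLE = json.loads("""
{
  "type": "bundle",
  "id": "bundle--example",
  "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "Parent Technique",
     "x_mitre_is_subtechnique": false,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t1-1", "name": "Child Sub-technique",
     "x_mitre_is_subtechnique": true,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9001.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t2", "name": "Other Technique",
     "x_mitre_is_subtechnique": false,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9002"}]},
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "EXAMPLE GROUP",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G9001"}]},
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--t1-1", "target_ref": "attack-pattern--t1"},
    {"type": "relationship", "id": "relationship--r2", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t1-1"}
  ]
}
""")


def mitre_id(obj):
    """Return the ATT&CK id (T1234, T1234.001, G0001, ...) of a STIX object."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def load_techniques(bundle, nested_subtechniques=True):
    """Index techniques by ATT&CK id.

    With nested_subtechniques=True (the default the text describes) each
    sub-technique is attached to its parent's 'subtechniques' list and removed
    from the top level; with False every attack-pattern stays top-level."""
    patterns = {o["id"]: o for o in bundle["objects"] if o["type"] == "attack-pattern"}
    techniques = {}
    for obj in patterns.values():
        techniques[mitre_id(obj)] = {
            "name": obj["name"],
            "stix_id": obj["id"],
            "is_subtechnique": obj.get("x_mitre_is_subtechnique", False),
            "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                        if p["kill_chain_name"] == "mitre-attack"],
            "subtechniques": [],
        }
    if not nested_subtechniques:
        return techniques
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["relationship_type"] != "subtechnique-of":
            continue
        child, parent = patterns.get(rel["source_ref"]), patterns.get(rel["target_ref"])
        if child is None or parent is None:   # dangling ref (e.g. revoked object): skip
            continue
        techniques[mitre_id(parent)]["subtechniques"].append(techniques[mitre_id(child)])
    return {tid: t for tid, t in techniques.items() if not t["is_subtechnique"]}


def actors_using(bundle, technique_id):
    """ATT&CK ids of intrusion-sets with a 'uses' relationship to the technique."""
    objs = {o["id"]: o for o in bundle["objects"]}
    actors = []
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["relationship_type"] != "uses":
            continue
        src, dst = objs.get(rel["source_ref"]), objs.get(rel["target_ref"])
        if src and dst and src["type"] == "intrusion-set" and dst["type"] == "attack-pattern" \
                and mitre_id(dst) == technique_id:
            actors.append(mitre_id(src))
    return actors


if __name__ == "__main__":
    # Same walk as the page's usage example, over the constructed bundle.
    for tid, technique in load_techniques(SAMPLE_BUNDLE).items():
        print(tid, technique["name"], technique["tactics"])
        for sub in technique["subtechniques"]:
            print("   ", sub["name"], "used by", actors_using(SAMPLE_BUNDLE, mitre_id(
                {"external_references": [{"source_name": "mitre-attack", "external_id": tid + ".001"}]})))
```

The flat form (nested_subtechniques=False) is what you want when you key detections or controls by full id such as T9001.001, since sub-techniques then remain directly addressable.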

You can access the following main properties on your Attck object:

  • enterprise
  • preattack
  • mobile

Once you specify the MITRE ATT&CK Framework, you can access additional properties.

Here are the accessible objects under the Enterprise property:

For more information on object types under the enterprise property, see Enterprise.

Here are the accessible objects under the PreAttck property:

For more information on object types under the preattck property, see PreAttck.

Here are the accessible objects under the Mobile property:

For more information on object types under the mobile property, see Mobile.

Note

We understand that there are many different open-source projects being released, even on a daily basis, but we wanted to provide a straightforward Python package that allowed the user to identify known relationships between all verticals of the MITRE ATT&CK Framework.

If you are unfamiliar with the MITRE ATT&CK Framework, there are a few key components you should have a firm grasp of. The first is Tactics & Techniques. When looking at the MITRE ATT&CK Framework, the Tactics are the columns and represent the different phases of an attack.

The MITRE ATT&CK Framework is NOT an all-encompassing, de facto security coverage map - it is rather a FRAMEWORK, and additional avenues should also be considered when assessing your security posture.

Techniques are the rows of the framework and are categorized underneath specific Tactics (columns). They are data points within the framework that provide guidance when assessing your security gaps. Additionally, (most) Techniques contain mitigation guidance in addition to information about their relationship to tools, malware, and even actors/groups that have used the technique during recorded attacks.

This means that if your organization is focused on TTPs (Tactics, Techniques, and Procedures) used by certain actors/groups, then the MITRE ATT&CK Framework is perfect for you. If you are not at this security maturity within your organization, no worries! The ATT&CK Framework still provides really good guidance in a simple and straightforward layout, but programmatically it is not straightforward--especially if you want to measure (or map) your security controls using the framework.
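The mapping of security controls onto the framework that the last paragraph mentions, as an added example that is not pyattck's own code: a constructed technique-to-tactic table (made-up ids, standing in for what pyattck exposes as technique.tactics) and a constructed inventory of detection rules are combined into a per-tactic coverage count and a gap list. The function names tactic_coverage, uncovered_techniques and coverage_report are assumptions of this example.

```python
"""Measure detection coverage per ATT&CK tactic.

Added example, not pyattck's own code. TECHNIQUE_TACTICS is a constructed
stand-in for the technique -> tactics data a real deployment would read from
attack.enterprise.techniques; DETECTIONS is a constructed rule inventory.
"""
from collections import defaultdict

# Constructed mapping of technique ids (made up, ATT&CK-shaped) to tactics.
TECHNIQUE_TACTICS = {
    "T9001":     ["credential-access"],
    "T9001.001": ["credential-access"],
    "T9002":     ["persistence", "privilege-escalation"],
    "T9003":     ["execution"],
    "T9004":     ["persistence"],
}

# Constructed detection inventory: rule name -> technique ids it covers.
DETECTIONS = {
    "lsass-handle-open":       ["T9001.001"],
    "new-scheduled-task":      ["T9002"],
    "suspicious-script-host":  ["T9003"],
}


def covered_techniques(detections):
    """Set of technique ids that at least one control maps to."""
    return {tid for tids in detections.values() for tid in tids}


def tactic_coverage(technique_tactics, detections):
    """Per tactic: (covered technique count, total technique count).

    A control mapped to a sub-technique covers only that sub-technique; the
    parent is counted separately, so partial coverage shows up as partial
    rather than being hidden behind the parent technique."""
    covered = covered_techniques(detections)
    totals, hits = defaultdict(int), defaultdict(int)
    for tid, tactics in technique_tactics.items():
        for tactic in tactics:
            totals[tactic] += 1
            if tid in covered:
                hits[tactic] += 1
    return {t: (hits[t], totals[t]) for t in sorted(totals)}


def uncovered_techniques(technique_tactics, detections):
    """Technique ids with no mapped control, grouped by tactic, for gap review."""
    covered = covered_techniques(detections)
    gaps = defaultdict(list)
    for tid, tactics in technique_tactics.items():
        if tid not in covered:
            for tactic in tactics:
                gaps[tactic].append(tid)
    return {t: sorted(ids) for t, ids in sorted(gaps.items())}


def coverage_report(technique_tactics, detections):
    """Plain-text table, one tactic per line."""
    lines = []
    for tactic, (hit, total) in tactic_coverage(technique_tactics, detections).items():
        lines.append(f"{tactic:<22} {hit}/{total} ({100 * hit // total}%)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(coverage_report(TECHNIQUE_TACTICS, DETECTIONS))
    print("gaps:", uncovered_techniques(TECHNIQUE_TACTICS, DETECTIONS))
```

The counts are a presence check, not a quality measure: a rule that maps to a technique says nothing about how reliably it fires, which is the same caveat the paragraph makes about the framework not being an all-encompassing coverage map.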

Developing and Testing

You can add features, fix bugs, or run the code in a development environment.

  1. To get a development and testing environment up and running, use this Dockerfile.

  2. To use the Dockerfile, cd to this repository directory and run:

docker build --force-rm -t pyattck .

  3. Next, run the docker container:

docker run pyattck

Running this calls the test python file in bin/test.py.

  4. Modify the test python file for additional testing and development.

Running the tests

Tests within this project should cover all available properties and methods. As this project grows the tests will become more robust but for now we are testing that they exist and return outputs.

Contributing

Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.

Versioning

We use SemVer for versioning.

Change Log

For details on features for a specific version of pyattck, see the CHANGELOG.md.

Authors

See also the list of contributors.

License

This project is licensed under the MIT License.

Acknowledgments

First of all, I would like to thank everyone who contributes to open-source projects, especially the maintainers and creators of these projects. Without them, this capability would not be possible.

This data set is generated from many different sources. As we continue to add more sources, we will continue to add them here. Again thank you to all of these projects. In no particular order, pyattck utilizes data from the following projects:



Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pyattck-2.1.1.tar.gz (916.6 kB)

Uploaded Source

Built Distributions

pyattck-2.1.1-py3.7.egg (998.0 kB)

Uploaded Source

pyattck-2.1.1-py3-none-any.whl (935.0 kB)

Uploaded Python 3

pyattck-2.1.1-py2-none-any.whl (935.0 kB)

Uploaded Python 2

File details

Details for the file pyattck-2.1.1.tar.gz.

File metadata

  • Download URL: pyattck-2.1.1.tar.gz
  • Upload date:
  • Size: 916.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.2.0 pkginfo/1.6.0 requests/2.24.0 setuptools/50.3.0 requests-toolbelt/0.9.1 tqdm/4.51.0 CPython/3.8.6

File hashes

Hashes for pyattck-2.1.1.tar.gz
Algorithm Hash digest
SHA256 264e998713b3b4281ba57d26c6ff860dcf19ac669bfdcce3e1b8dcaacecd10af
MD5 ff60353d6f7c52dbac07b457119063d3
BLAKE2b-256 c108b4c5c1f149e898d19becd73333da4f213a4621d10bd328fa8cafbd7df702

See more details on using hashes here.
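One way to use the digests above before installing, as an added example that is not part of pyattck: the hash table for pyattck-2.1.1.tar.gz is copied from this page verbatim, parsed into a dict, and a local file is hashed in chunks and compared in constant time so a substituted or corrupted sdist is rejected before pip ever sees it. The function names parse_hash_table, digest_bytes, file_digest, verify_artifact and demo are assumptions of this example; the sample file contents in demo() are constructed and are not the real sdist.

```python
"""Verify a downloaded artifact against the digests PyPI publishes.

Added example, not pyattck's own code. PAGE_HASH_TABLE is the page's own
hash table for pyattck-2.1.1.tar.gz; everything else is this example's.
"""
import hashlib
import hmac
import io
import os
import tempfile

PAGE_HASH_TABLE = """\
Algorithm Hash digest
SHA256 264e998713b3b4281ba57d26c6ff860dcf19ac669bfdcce3e1b8dcaacecd10af
MD5 ff60353d6f7c52dbac07b457119063d3
BLAKE2b-256 c108b4c5c1f149e898d19becd73333da4f213a4621d10bd328fa8cafbd7df702
"""

# Map the page's algorithm labels to hashlib constructors. MD5 is listed on the
# page but is not collision resistant, so never rely on it alone.
ALGORITHMS = {
    "SHA256": lambda: hashlib.sha256(),
    "BLAKE2b-256": lambda: hashlib.blake2b(digest_size=32),
    "MD5": lambda: hashlib.md5(),
}


def parse_hash_table(text):
    """Turn 'Algorithm Hash digest' lines into {algorithm: hexdigest}."""
    digests = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in ALGORITHMS:
            digests[parts[0]] = parts[1].lower()
    return digests


def _stream_digest(stream, algorithm):
    """Hash a binary stream in 64 KiB chunks so large sdists stay out of memory."""
    h = ALGORITHMS[algorithm]()
    for chunk in iter(lambda: stream.read(1 << 16), b""):
        h.update(chunk)
    return h.hexdigest()


def digest_bytes(data, algorithm="SHA256"):
    return _stream_digest(io.BytesIO(data), algorithm)


def file_digest(path, algorithm="SHA256"):
    with open(path, "rb") as fh:
        return _stream_digest(fh, algorithm)


def verify_artifact(path, expected_digests, algorithm="SHA256"):
    """True only if the file's digest equals the published one.

    Raises ValueError when the page does not list the requested algorithm,
    rather than silently passing. hmac.compare_digest avoids leaking how many
    leading characters matched through timing."""
    if algorithm not in expected_digests:
        raise ValueError(f"no {algorithm} digest published for this file")
    return hmac.compare_digest(file_digest(path, algorithm), expected_digests[algorithm])


def demo():
    """Write a constructed file (the bytes b'abc', not the real sdist) and check it
    against (a) its own SHA256 and (b) the page's sdist digest. Returns (True, False)."""
    fd, path = tempfile.mkstemp(suffix=".tar.gz")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"abc")
        own = {"SHA256": digest_bytes(b"abc")}
        return verify_artifact(path, own), verify_artifact(path, parse_hash_table(PAGE_HASH_TABLE))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("parsed:", parse_hash_table(PAGE_HASH_TABLE))
    print("constructed file matches itself / matches page sdist:", demo())
```

For a real download, run verify_artifact("pyattck-2.1.1.tar.gz", parse_hash_table(PAGE_HASH_TABLE)) on the fetched file; pip can enforce the same check itself with a requirements file that pins the package to its sha256 under --require-hashes.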

File details

Details for the file pyattck-2.1.1-py3.7.egg.

File metadata

  • Download URL: pyattck-2.1.1-py3.7.egg
  • Upload date:
  • Size: 998.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.2.0 pkginfo/1.6.0 requests/2.24.0 setuptools/50.3.0 requests-toolbelt/0.9.1 tqdm/4.51.0 CPython/3.8.6

File hashes

Hashes for pyattck-2.1.1-py3.7.egg
Algorithm Hash digest
SHA256 38c97702bf82efd34df983bac557203a0aaecb18d975338551bae1cd19939e6a
MD5 5372784db840e247b358f104b92c0e4a
BLAKE2b-256 f6af180ddb8e996158579a70292af9744b0c8f366208861d31f1f36e872e773d

See more details on using hashes here.

File details

Details for the file pyattck-2.1.1-py3-none-any.whl.

File metadata

  • Download URL: pyattck-2.1.1-py3-none-any.whl
  • Upload date:
  • Size: 935.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.2.0 pkginfo/1.6.0 requests/2.24.0 setuptools/50.3.0 requests-toolbelt/0.9.1 tqdm/4.51.0 CPython/3.8.6

File hashes

Hashes for pyattck-2.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 7bfed619af4c94510a3d083a5a102e58c63fede6402b3ad02e2137e47d1c6c3e
MD5 1491d37e9ad094e7bdffab2c9122f363
BLAKE2b-256 e7ecf22c62119699abbc2be928a12430e45a9f107fc221a7868a8354a24aa494

See more details on using hashes here.

File details

Details for the file pyattck-2.1.1-py2-none-any.whl.

File metadata

  • Download URL: pyattck-2.1.1-py2-none-any.whl
  • Upload date:
  • Size: 935.0 kB
  • Tags: Python 2
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.2.0 pkginfo/1.6.0 requests/2.24.0 setuptools/50.3.0 requests-toolbelt/0.9.1 tqdm/4.51.0 CPython/3.8.6

File hashes

Hashes for pyattck-2.1.1-py2-none-any.whl
Algorithm Hash digest
SHA256 8c4d61fca791738655e05c9fb443a155f6a70186339cb2001d8e172f98eb6954
MD5 2b30537642542fe1bb05ef84bc748200
BLAKE2b-256 897fa699e7dee45442e8adba1bb66f5d4e573268531bce9fb93131fbc6fd3b3f

See more details on using hashes here.
