MITRE ATT&CK Python library for accessing, querying, and manipulating ATT&CK threat intelligence data.
npx @tessl/cli install tessl/pypi-mitreattack-python@5.1.00
# MITRE ATT&CK Python Library

A comprehensive Python library for accessing, querying, and manipulating MITRE ATT&CK threat intelligence data. This library provides programmatic access to the ATT&CK framework in STIX 2.0 format, enabling security researchers, analysts, and developers to integrate ATT&CK knowledge into their security tools, threat hunting workflows, and defensive strategies.

## Package Information

- **Package Name**: mitreattack-python
- **Language**: Python
- **Installation**: `pip install mitreattack-python`
- **Requirements**: Python >=3.11,<4.0

## Core Imports

```python
import mitreattack
```

For specific functionality:

```python
from mitreattack.stix20 import MitreAttackData
from mitreattack import attackToExcel, collections, navlayers
```

## Basic Usage

```python
from mitreattack.stix20 import MitreAttackData
from mitreattack.attackToExcel import get_stix_data

# Load Enterprise ATT&CK data
data_store = get_stix_data("enterprise-attack")
attack_data = MitreAttackData(src=data_store)

# Get all techniques
techniques = attack_data.get_techniques()
print(f"Found {len(techniques)} techniques")

# Get specific technique by ATT&CK ID
technique = attack_data.get_object_by_attack_id("T1055")
print(f"Technique: {attack_data.get_name(technique)}")

# Get all groups and their techniques
groups = attack_data.get_groups()
for group in groups[:3]:  # First 3 groups
    group_name = attack_data.get_name(group)
    group_techniques = attack_data.get_techniques_used_by_group(group)
    print(f"{group_name}: {len(group_techniques)} techniques")
```

## Architecture

The library is organized into several key modules:

- **STIX20 Data Access**: Core `MitreAttackData` class providing 90+ query methods for filtering and relationship mapping
- **Excel Export**: Convert ATT&CK data to structured spreadsheets with customizable formatting
- **Navigation Layers**: Create and manipulate ATT&CK Navigator layer files for visualization
- **Collections**: Manage ATT&CK Collections and generate documentation
- **Version Management**: Download specific ATT&CK releases and compare versions
- **CLI Tools**: 7 command-line utilities for common workflows

## Capabilities

### STIX 2.0 Data Access and Querying

Core functionality for loading, querying, and analyzing MITRE ATT&CK data using the STIX 2.0 format. Provides comprehensive access to all ATT&CK objects and their relationships through 90+ specialized methods.

```python { .api }
class MitreAttackData:
    def __init__(self, stix_filepath_or_url: str = None, stix_version: str = "2.0"): ...
    def get_techniques(self, remove_revoked_deprecated: bool = True) -> List: ...
    def get_groups(self, remove_revoked_deprecated: bool = True) -> List: ...
    def get_software(self, remove_revoked_deprecated: bool = True) -> List: ...
    def get_object_by_attack_id(self, attack_id: str) -> dict: ...
    def get_techniques_used_by_group(self, group_stix) -> List: ...
```

[STIX 2.0 Data Access](./stix20-data-access.md)
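
What a group-to-technique query has to resolve in the underlying STIX data, as an added example that is not the library's implementation: it follows `uses` relationships from an `intrusion-set` to `attack-pattern` objects and drops revoked or deprecated entries, mirroring the `remove_revoked_deprecated` flag above. The bundle, the placeholder IDs (`G9001`, `T9001`, ...) and all helper names are constructed for illustration.

```python
# Added example, not library code. The bundle below is constructed; IDs and names are placeholders.
def _obj(stix_type, n, ext_id=None, **extra):
    obj = {"type": stix_type, "id": f"{stix_type}--{n:04d}", **extra}
    if ext_id:
        obj["external_references"] = [{"source_name": "mitre-attack", "external_id": ext_id}]
    return obj
def _uses(n, source, target):
    return _obj("relationship", n, relationship_type="uses", source_ref=source, target_ref=target)

SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    _obj("intrusion-set", 1, "G9001", name="Example Group"),
    _obj("attack-pattern", 1, "T9001", name="Active technique"),
    _obj("attack-pattern", 2, "T9002", name="Revoked technique", revoked=True),
    _obj("attack-pattern", 3, "T9003", name="Deprecated technique", x_mitre_deprecated=True),
    _obj("malware", 1, "S9001", name="Example software"),
    _uses(1, "intrusion-set--0001", "attack-pattern--0001"),
    _uses(2, "intrusion-set--0001", "attack-pattern--0002"),
    _uses(3, "intrusion-set--0001", "attack-pattern--0003"),
    _uses(4, "intrusion-set--0001", "malware--0001"),         # software, not a technique
    _uses(5, "intrusion-set--0001", "attack-pattern--9999"),  # target missing from the bundle
]}

def attack_id(obj):  # ATT&CK ID held in external_references, or None
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None

def is_active(obj):
    return not (obj.get("revoked") or obj.get("x_mitre_deprecated"))

def techniques_used_by_group(bundle, group_attack_id, remove_revoked_deprecated=True):
    """ATT&CK IDs of techniques linked to a group by `uses` relationships."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    group = next((o for o in by_id.values()
                  if o["type"] == "intrusion-set" and attack_id(o) == group_attack_id), None)
    if group is None:
        raise KeyError(f"no group with ATT&CK ID {group_attack_id}")
    found = []
    for rel in by_id.values():
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses":
            continue
        target = by_id.get(rel.get("target_ref"))
        if rel.get("source_ref") != group["id"] or not target or target["type"] != "attack-pattern":
            continue
        if remove_revoked_deprecated and not (is_active(rel) and is_active(target)):
            continue
        found.append(attack_id(target))
    return sorted(found)
```

Coverage counts built on such a query change depending on whether revoked and deprecated techniques are filtered, so record which setting produced a given report.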
78
79
### Excel Export and Data Conversion
80
81
Convert ATT&CK STIX data into structured Excel spreadsheets with multiple worksheets for different object types. Includes pandas DataFrame operations and customizable output formatting.
82
83
```python { .api }
84
def get_stix_data(domain: str, version: str = None, remote: bool = None, stix_file: str = None) -> dict: ...
85
def build_dataframes(src: dict, domain: str) -> dict: ...
86
def write_excel(dataframes: dict, domain: str, version: str = None, output_dir: str = ".") -> None: ...
87
def export() -> None: ...
88
```
89
90
[Excel Export](./excel-export.md)

### ATT&CK Navigator Layers

Create, manipulate, and export ATT&CK Navigator layer files for data visualization. Supports layer generation, SVG export, Excel export, and programmatic layer manipulation.

```python { .api }
class Layer:
    def __init__(self, name: str = "", description: str = ""): ...
    def from_file(self, filepath: str): ...
    def to_file(self, filepath: str): ...
    def to_excel(self, path: str, **kwargs): ...
    def to_svg(self, path: str, **kwargs): ...

class OverviewLayerGenerator:
    def generate_overview_layers(self, data: MitreAttackData): ...
```

[Navigation Layers](./navigation-layers.md)

### Collections Management

Tools for working with ATT&CK Collections, converting between collection formats, and generating documentation from collection data.

```python { .api }
class CollectionToIndex:
    def convert(self, collection_file: str, output_file: str): ...

class IndexToMarkdown:
    def convert(self, index_file: str, output_file: str): ...
```

[Collections](./collections.md)

### Version Management and Data Download

Download specific ATT&CK releases, manage version information, and compare different ATT&CK versions for change analysis.

```python { .api }
def download_stix(stix_version: str, domain: str, download_dir: str, release: str, known_hash: str): ...
def download_domains(domains: List[str], download_dir: str, all_versions: bool, stix_version: str): ...
def get_attack_version(domain: str, stix_version: str = "2.0", stix_file: str = None, stix_content: str = None) -> str: ...
```

[Version Management](./version-management.md)
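
A pinned SHA-256, such as the `known_hash` argument above or the per-release tables under Release Information, lets a consumer reject a modified bundle before parsing it. The check itself, as an added example that is not the library's code; `load_pinned_bundle`, the release labels and the sample bundle are constructed for illustration:

```python
import hashlib
import json
import tempfile
from pathlib import Path

def load_pinned_bundle(path, pinned_hashes, release):
    """Parse a STIX bundle only if its SHA-256 equals the hash pinned for `release`."""
    expected = pinned_hashes.get(release)
    if expected is None:
        # Fail closed: an unknown release must not silently skip verification.
        raise LookupError(f"no pinned hash for release {release!r}")
    raw = Path(path).read_bytes()
    actual = hashlib.sha256(raw).hexdigest()
    if actual != expected.strip().lower():
        raise ValueError(f"SHA-256 mismatch for {path}: got {actual}")
    # Parse the same bytes that were hashed, so the file cannot change in between.
    bundle = json.loads(raw)
    if not isinstance(bundle, dict) or bundle.get("type") != "bundle":
        raise ValueError(f"{path} is not a STIX bundle")
    return bundle

def demo():
    """Run the check on constructed data: a tiny bundle, its pin, and a tampered copy."""
    good = json.dumps({"type": "bundle", "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--0001", "name": "Example"}]}).encode()
    # Hypothetical release label; the mapping stands in for a release -> SHA-256 table.
    pins = {"0.0-example": hashlib.sha256(good).hexdigest().upper()}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ok_path, bad_path = Path(tmp, "ok.json"), Path(tmp, "tampered.json")
        ok_path.write_bytes(good)
        bad_path.write_bytes(good.replace(b"Example", b"Altered"))
        results["ok"] = len(load_pinned_bundle(ok_path, pins, "0.0-example")["objects"])
        for label, args in (("tampered", (bad_path, pins, "0.0-example")),
                            ("unpinned", (ok_path, pins, "9.9-unknown"))):
            try:
                load_pinned_bundle(*args)
                results[label] = "loaded"
            except (ValueError, LookupError) as exc:
                results[label] = type(exc).__name__
    return results

if __name__ == "__main__":
    print(demo())
```

The pin only helps if the hash table comes from a source the download path cannot alter, for example values shipped inside the installed package rather than fetched alongside the bundle.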

### Version Comparison and Diff Analysis

Compare different versions of ATT&CK data and generate detailed changelog reports showing additions, modifications, and removals between releases.

```python { .api }
class DiffStix:
    def __init__(self, old_data: dict, new_data: dict): ...
    def generate_changelog(self) -> dict: ...
    def export_changelog(self, output_file: str): ...
```

[Version Comparison](./version-comparison.md)
148
149
### Command Line Interface
150
151
Seven CLI tools for common ATT&CK data workflows including Excel export, layer generation, collection management, and data download.
152
153
```bash
154
# Export ATT&CK data to Excel
155
attackToExcel_cli --domain enterprise-attack --output ./output
156
157
# Generate Navigator layers
158
layerGenerator_cli --data-source enterprise-attack --output ./layers
159
160
# Download ATT&CK STIX data
161
download_attack_stix --domains enterprise-attack mobile-attack --version 2.1
162
```
163
164
[Command Line Tools](./cli-tools.md)

## Constants and Utilities

### Framework Constants

```python { .api }
MITRE_ATTACK_ID_SOURCE_NAMES: List[str]  # Valid ATT&CK ID source names
MITRE_ATTACK_DOMAIN_STRINGS: List[str]  # Valid domain strings
PLATFORMS_LOOKUP: Dict[str, List[str]]  # Domain to platforms mapping
```

### Release Information

```python { .api }
LATEST_VERSION: str = "17.1"  # Current ATT&CK version
STIX20: Dict[str, str]  # SHA256 hashes for STIX 2.0 releases
STIX21: Dict[str, str]  # SHA256 hashes for STIX 2.1 releases
```