tessl/pypi-mitreattack-python

MITRE ATT&CK python library for accessing, querying, and manipulating ATT&CK threat intelligence data.

MITRE ATT&CK Python Library

A comprehensive Python library for accessing, querying, and manipulating MITRE ATT&CK threat intelligence data. This library provides programmatic access to the ATT&CK framework in STIX 2.0 format, enabling security researchers, analysts, and developers to integrate ATT&CK knowledge into their security tools, threat hunting workflows, and defensive strategies.

Package Information

  • Package Name: mitreattack-python
  • Language: Python
  • Installation: pip install mitreattack-python
  • Requirements: Python >=3.11,<4.0

Core Imports

import mitreattack

For specific functionality:

from mitreattack.stix20 import MitreAttackData
from mitreattack import attackToExcel, collections, navlayers

Basic Usage

from mitreattack.stix20 import MitreAttackData
from mitreattack.attackToExcel import attackToExcel

# Load Enterprise ATT&CK data into an in-memory STIX store. get_stix_data downloads
# the latest release unless stix_file points at a local copy; alternatively pass a
# local file directly: MitreAttackData("enterprise-attack.json")
data_store = attackToExcel.get_stix_data("enterprise-attack")
attack_data = MitreAttackData(src=data_store)

# Get all techniques. Revoked and deprecated objects stay in the bundle, so ask
# for them to be dropped explicitly.
techniques = attack_data.get_techniques(remove_revoked_deprecated=True)
print(f"Found {len(techniques)} techniques")

# Get a specific technique by ATT&CK ID; the STIX object type is a required argument
technique = attack_data.get_object_by_attack_id("T1055", "attack-pattern")
print(f"Technique: {technique['name']}")

# Get all groups and their techniques. Relationship queries take the STIX ID and
# return a list of {"object": ..., "relationships": [...]} dicts.
groups = attack_data.get_groups(remove_revoked_deprecated=True)
for group in groups[:3]:  # First 3 groups
    group_techniques = attack_data.get_techniques_used_by_group(group["id"])
    print(f"{group['name']}: {len(group_techniques)} techniques")

Architecture

The library is organized into several key modules:

  • STIX20 Data Access: Core MitreAttackData class providing 90+ query methods for filtering and relationship mapping
  • Excel Export: Convert ATT&CK data to structured spreadsheets with customizable formatting
  • Navigation Layers: Create and manipulate ATT&CK Navigator layer files for visualization
  • Collections: Manage ATT&CK Collections and generate documentation
  • Version Management: Download specific ATT&CK releases and compare versions
  • CLI Tools: command-line entry points for common workflows (export, layer generation, collection management, download, release diffing)

Capabilities

STIX 2.0 Data Access and Querying

Core functionality for loading, querying, and analyzing MITRE ATT&CK data using the STIX 2.0 format. Provides comprehensive access to all ATT&CK objects and their relationships through 90+ specialized methods.

class MitreAttackData:
    def __init__(self, stix_filepath: str = None, src: MemoryStore = None): ...
    def get_techniques(self, include_subtechniques: bool = True, remove_revoked_deprecated: bool = False) -> list: ...
    def get_groups(self, remove_revoked_deprecated: bool = False) -> list: ...
    def get_software(self, remove_revoked_deprecated: bool = False) -> list: ...
    def get_object_by_attack_id(self, attack_id: str, stix_type: str) -> object: ...
    def get_name(self, stix_id: str) -> str: ...
    def get_techniques_used_by_group(self, group_stix_id: str) -> list: ...

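As an added example (not the library's own code): the relationship resolution that MitreAttackData performs, reimplemented in plain Python over the raw STIX 2.0 JSON so it runs without the package or a network connection. The bundle, its STIX IDs and its ATT&CK IDs are constructed for illustration. It shows the two things that trip people up in practice: revoked and deprecated objects survive in the bundle and must be filtered explicitly, and the techniques a group reaches through its malware or tools are a separate question from its direct "uses" relationships.

```python
import json
from collections import defaultdict

# Constructed, minimal ATT&CK-style STIX 2.0 bundle (hypothetical IDs, not real
# ATT&CK data): one group, one tool the group uses, and three techniques, one of
# them revoked and one deprecated. Real ATT&CK STIX IDs have the form type--<uuid4>.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--8b8c6f7e-0000-4000-8000-000000000001",
    "spec_version": "2.0",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Example Group",
         "external_references": [{"source_name": "mitre-attack", "external_id": "G9001"}]},
        {"type": "tool", "id": "tool--s1", "name": "Example Tool",
         "external_references": [{"source_name": "mitre-attack", "external_id": "S9001"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "Process Injection",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1055"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t2", "name": "Revoked Technique",
         "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t3", "name": "Deprecated Technique",
         "x_mitre_deprecated": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9998"}]},
        # The group uses the revoked technique directly and the live one only via its tool.
        {"type": "relationship", "id": "relationship--r1", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t2"},
        {"type": "relationship", "id": "relationship--r2", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "tool--s1"},
        {"type": "relationship", "id": "relationship--r3", "relationship_type": "uses",
         "source_ref": "tool--s1", "target_ref": "attack-pattern--t1"},
    ],
})


def load_bundle(text):
    """Parse a STIX 2.0 bundle into a dict keyed by STIX ID."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or "objects" not in bundle:
        raise ValueError("not a STIX bundle")
    return {obj["id"]: obj for obj in bundle["objects"]}


def attack_id(obj):
    """ATT&CK ID (T1055, G0016, ...) from the mitre-attack external reference, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def is_active(obj):
    """False for revoked or deprecated objects; both remain in the bundle."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def objects_of_type(store, stix_type, remove_revoked_deprecated=True):
    return [o for o in store.values()
            if o["type"] == stix_type and (is_active(o) or not remove_revoked_deprecated)]


def object_by_attack_id(store, aid, stix_type):
    """Lookup by ATT&CK ID, scoped to one STIX type like the library's query."""
    for o in store.values():
        if o["type"] == stix_type and attack_id(o) == aid:
            return o
    return None


def techniques_used_by_group(store, group_stix_id, include_software=False,
                             remove_revoked_deprecated=True):
    """Techniques the group 'uses' directly; with include_software=True, also those
    used by malware/tools the group uses (one hop, so a tool's own tools are not followed)."""
    uses = defaultdict(list)
    for obj in store.values():
        if obj["type"] == "relationship" and obj.get("relationship_type") == "uses":
            uses[obj["source_ref"]].append(obj["target_ref"])
    found = {}

    def walk(source_id, via_software):
        for target_id in uses.get(source_id, []):
            target = store.get(target_id)
            if target is None:  # dangling reference: skip rather than crash
                continue
            if target["type"] == "attack-pattern":
                if remove_revoked_deprecated and not is_active(target):
                    continue
                found[target_id] = target
            elif include_software and not via_software and target["type"] in ("malware", "tool"):
                walk(target_id, True)

    walk(group_stix_id, False)
    return sorted(found.values(), key=lambda t: attack_id(t) or "")


if __name__ == "__main__":
    store = load_bundle(SAMPLE_BUNDLE)
    print(len(objects_of_type(store, "attack-pattern")), "active techniques")
    for t in techniques_used_by_group(store, "intrusion-set--g1", include_software=True):
        print(attack_id(t), t["name"])
```

With the sample bundle the group has no active technique of its own (its only direct relationship points at a revoked technique) but one technique through its tool; a report that only counted direct relationships would show it as empty.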

Excel Export and Data Conversion

Convert ATT&CK STIX data into structured Excel spreadsheets with multiple worksheets for different object types. Includes pandas DataFrame operations and customizable output formatting.

def get_stix_data(domain: str, version: str = None, remote: str = None, stix_file: str = None) -> MemoryStore: ...
def build_dataframes(src: MemoryStore, domain: str) -> dict: ...
def write_excel(dataframes: dict, domain: str, version: str = None, output_dir: str = ".") -> None: ...
def export(domain: str = "enterprise-attack", version: str = None, output_dir: str = ".", remote: str = None, stix_file: str = None) -> None: ...


ATT&CK Navigator Layers

Create, manipulate, and export ATT&CK Navigator layer files for data visualization. The Layer class reads and writes layer JSON; SVG and Excel rendering live in the separate ToSvg and ToExcel exporters, which take a Layer and need access to the matching ATT&CK data to draw the matrix; the generators build layers from ATT&CK data (for example one overview layer per group).

class Layer:
    def __init__(self, init_data=None, name: str = None, domain: str = None): ...
    def from_file(self, filename: str): ...
    def from_dict(self, input_dict: dict): ...
    def to_file(self, filename: str): ...
    def to_dict(self) -> dict: ...

class ToExcel:
    def __init__(self, domain: str = "enterprise", source: str = None, resource: str = None): ...
    def to_xlsx(self, layerInit: Layer, filepath: str): ...

class ToSvg:
    def __init__(self, domain: str = "enterprise", source: str = None, resource: str = None, config=None): ...
    def to_svg(self, layerInit: Layer, filepath: str): ...

class OverviewLayerGenerator:
    def __init__(self, source: str, domain: str = "enterprise", resource: str = None): ...
    def generate_layer(self, obj_type: str) -> Layer: ...

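An added example that is not part of the library: building a Navigator layer by hand as plain JSON, which is the format Layer.to_file ultimately writes, and validating it before it is handed to the Navigator. The detection-coverage counts are constructed input; the field names and version strings follow the Navigator layer 4.5 schema. The use case is a SOC coverage heatmap: score each technique by how many detection rules map to it, so zero-coverage techniques show up red.

```python
import json
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
VALID_DOMAINS = {"enterprise-attack", "mobile-attack", "ics-attack"}

# Constructed detection-coverage input (not real data): ATT&CK technique ID ->
# number of detection rules a SOC has mapped to it.
COVERAGE = {"T1055": 3, "T1059.001": 1, "T1003": 0, "T1566": 2}


def coverage_gaps(coverage):
    """Technique IDs with no detections: the list a hunt or engineering backlog starts from."""
    return sorted(tid for tid, n in coverage.items() if n == 0)


def build_coverage_layer(coverage, name, domain="enterprise-attack", attack_version="17"):
    """Navigator layer dict scoring each technique by rule count; colours come from the gradient."""
    if domain not in VALID_DOMAINS:
        raise ValueError(f"unknown domain {domain!r}")
    max_score = max(coverage.values(), default=0)
    techniques = [
        {"techniqueID": tid, "score": count,
         "comment": f"{count} detection rule(s)", "enabled": True}
        for tid, count in sorted(coverage.items())
    ]
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "5.1.0", "layer": "4.5"},
        "domain": domain,
        "description": "Detection rules per technique; red means no coverage",
        "techniques": techniques,
        # minValue..maxValue is mapped across the colour list; guard against an all-zero input
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": max(max_score, 1)},
        "legendItems": [{"label": "no detection", "color": "#ff6666"},
                        {"label": "best covered", "color": "#8ec843"}],
    }


def validate_layer(layer):
    """Return a list of problems; an empty list means the layer should load in Navigator."""
    problems = []
    for key in ("name", "versions", "domain", "techniques"):
        if key not in layer:
            problems.append(f"missing top-level key {key!r}")
    if layer.get("domain") not in VALID_DOMAINS:
        problems.append(f"unknown domain {layer.get('domain')!r}")
    gradient = layer.get("gradient", {})
    lo, hi = gradient.get("minValue", 0), gradient.get("maxValue", 100)
    seen = set()
    for entry in layer.get("techniques", []):
        tid = entry.get("techniqueID", "")
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"bad techniqueID {tid!r}")
        key = (tid, entry.get("tactic"))  # the same technique may appear once per tactic
        if key in seen:
            problems.append(f"duplicate techniqueID {tid!r} for tactic {entry.get('tactic')!r}")
        seen.add(key)
        score = entry.get("score")
        if score is not None and not lo <= score <= hi:
            problems.append(f"{tid}: score {score} outside gradient range {lo}-{hi}")
    return problems


def layer_to_json(layer):
    return json.dumps(layer, indent=2)


def layer_from_json(text):
    """Parse and validate a layer file; refuse to return a layer Navigator would reject."""
    layer = json.loads(text)
    problems = validate_layer(layer)
    if problems:
        raise ValueError("; ".join(problems))
    return layer


if __name__ == "__main__":
    layer = build_coverage_layer(COVERAGE, "Detection coverage")
    print("gaps:", coverage_gaps(COVERAGE))
    print(layer_to_json(layer))
```

The validator is deliberately strict about technique IDs and score ranges: Navigator silently ignores entries it cannot map, so a typo in an ID turns into a technique that looks uncovered rather than an error.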

Collections Management

Tools for working with ATT&CK Collections, converting between collection formats, and generating documentation from collection data.

class CollectionToIndex:
    @staticmethod
    def generate_index(name: str, description: str, root_url: str, files: list = None, folders: list = None, sets: list = None) -> dict: ...

class IndexToMarkdown:
    @staticmethod
    def index_to_markdown(index: dict) -> str: ...

class STIXToCollection:
    @staticmethod
    def stix_to_collection(bundle: dict, name: str, version: str, description: str = None) -> dict: ...


Version Management and Data Download

Download specific ATT&CK releases, manage version information, and compare different ATT&CK versions for change analysis. download_stix checks the downloaded file against known_hash, so pass the pinned SHA-256 for that release (the STIX20 and STIX21 tables in release_info hold them) rather than an empty value.

# mitreattack.download_stix
def download_stix(stix_version: str, domain: str, download_dir: str, release: str, known_hash: str): ...
def download_domains(domains: List[str], download_dir: str, all_versions: bool, stix_version: str): ...

# mitreattack.release_info
def get_attack_version(domain: str, stix_version: str = "2.0", stix_file: str = None, stix_content: str = None) -> str: ...

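An added example (not the library's download_stix) in plain Python: verify a local STIX file against a pinned SHA-256 before parsing it, then read the ATT&CK release number from the bundle's x-mitre-collection object. The bundle and its digest are constructed inline so the block runs offline; in real use the expected digest comes from an independent source such as the release_info hash tables, never from the file being checked. The point is that a threat-intelligence feed is a supply-chain input like any other: a silently modified bundle would change which techniques your detections are mapped to.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed STIX 2.0 bundle (hypothetical IDs, not a real release). The
# x-mitre-collection object carries the ATT&CK release in x_mitre_version.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--2f6c1d4a-0000-4000-8000-000000000002",
    "spec_version": "2.0",
    "objects": [
        {"type": "x-mitre-collection", "id": "x-mitre-collection--c1",
         "name": "Enterprise ATT&CK", "x_mitre_version": "17.1",
         "x_mitre_contents": []},
        {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "Process Injection"},
    ],
}, sort_keys=True).encode()

# Computed here only so the example is self-contained. A real pinned digest must
# come from somewhere other than the file it protects.
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BUNDLE).hexdigest()


class IntegrityError(Exception):
    """Downloaded STIX file does not match its pinned digest."""


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256; ATT&CK bundles are tens of megabytes."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_verified_bundle(path, known_hash):
    """Parse the bundle only after the digest matches; a mismatch is an error, not a warning."""
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, known_hash.lower()):
        raise IntegrityError(f"{path}: sha256 {actual} does not match pinned {known_hash}")
    with open(path, "rb") as f:
        return json.load(f)


def get_attack_version(bundle):
    """ATT&CK release of a bundle, taken from its x-mitre-collection object."""
    for obj in bundle.get("objects", []):
        if obj.get("type") == "x-mitre-collection":
            return obj["x_mitre_version"]
    raise ValueError("bundle has no x-mitre-collection object; release version unknown")


def make_sample_file():
    """Write the constructed bundle to a fresh temp directory and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "enterprise-attack-17.1.json")
    with open(path, "wb") as f:
        f.write(SAMPLE_BUNDLE)
    return path


def corrupt_file(path):
    """Append one byte: still valid JSON whitespace, but no longer the pinned release."""
    with open(path, "ab") as f:
        f.write(b"\n")


if __name__ == "__main__":
    path = make_sample_file()
    bundle = load_verified_bundle(path, SAMPLE_SHA256)
    print("verified ATT&CK version", get_attack_version(bundle))
    corrupt_file(path)
    try:
        load_verified_bundle(path, SAMPLE_SHA256)
    except IntegrityError as err:
        print("rejected:", err)
```

The tamper case appends a single newline, which leaves the JSON parseable; only the digest check catches it, which is why the verification has to run before the parse rather than as a check on the parsed content.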

Version Comparison and Diff Analysis

Compare different versions of ATT&CK data and generate changelog reports showing additions, modifications, and removals between releases. DiffStix (mitreattack.diffStix.changelog_helper) works on two directories of STIX bundles, one per release, and is also exposed as the diff_stix command-line tool.

class DiffStix:
    def __init__(self, domains: list = None, layers: list = None, unchanged: bool = False, old: str = "old", new: str = "new", ...): ...
    def get_markdown_string(self) -> str: ...
    def get_changes_dict(self) -> dict: ...
    def get_layers_dict(self) -> dict: ...

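An added example (not DiffStix itself) of the comparison in plain Python: two constructed sets of technique objects, classified per STIX ID into the buckets a changelog needs by comparing x_mitre_version, modified, revoked and x_mitre_deprecated. The bucket names are this example's own. One caveat it encodes: ATT&CK revokes or deprecates objects rather than deleting them, so a non-empty deletions bucket usually means the older or newer bundle is incomplete, not that MITRE removed something.

```python
def _technique(tid, stix_id, version, modified, **extra):
    """Constructed ATT&CK-style attack-pattern object (hypothetical STIX IDs)."""
    obj = {"type": "attack-pattern", "id": stix_id, "name": f"Technique {tid}",
           "x_mitre_version": version, "modified": modified,
           "external_references": [{"source_name": "mitre-attack", "external_id": tid}]}
    obj.update(extra)
    return obj


OLD_RELEASE = [
    _technique("T1055", "attack-pattern--t1", "1.1", "2024-04-01T00:00:00.000Z"),
    _technique("T1059", "attack-pattern--t2", "1.0", "2024-04-01T00:00:00.000Z"),
    _technique("T1566", "attack-pattern--t3", "2.0", "2024-04-01T00:00:00.000Z"),
    _technique("T1071", "attack-pattern--t4", "1.0", "2024-04-01T00:00:00.000Z"),
    _technique("T9999", "attack-pattern--t5", "1.0", "2024-04-01T00:00:00.000Z"),
    _technique("T8888", "attack-pattern--t6", "1.0", "2024-04-01T00:00:00.000Z"),
]
NEW_RELEASE = [
    _technique("T1055", "attack-pattern--t1", "2.0", "2024-10-01T00:00:00.000Z"),  # major bump
    _technique("T1059", "attack-pattern--t2", "1.1", "2024-10-01T00:00:00.000Z"),  # minor bump
    _technique("T1566", "attack-pattern--t3", "2.0", "2024-04-01T00:00:00.000Z"),  # untouched
    _technique("T1071", "attack-pattern--t4", "1.0", "2024-10-01T00:00:00.000Z"),  # metadata only
    _technique("T9999", "attack-pattern--t5", "1.0", "2024-10-01T00:00:00.000Z", revoked=True),
    _technique("T8888", "attack-pattern--t6", "1.0", "2024-10-01T00:00:00.000Z", x_mitre_deprecated=True),
    _technique("T1003", "attack-pattern--t7", "1.0", "2024-10-01T00:00:00.000Z"),  # new
]

BUCKETS = ("additions", "major_version_changes", "minor_version_changes",
           "other_changes", "revocations", "deprecations", "deletions", "unchanged")


def attack_id(obj):
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def version_tuple(version):
    """'1.10' sorts after '1.9' only when compared numerically, not as a string."""
    return tuple(int(part) for part in str(version).split("."))


def diff_releases(old_objects, new_objects):
    """Classify every object by STIX ID into one bucket; IDs are ATT&CK IDs where available."""
    old = {o["id"]: o for o in old_objects}
    new = {o["id"]: o for o in new_objects}
    changes = {bucket: [] for bucket in BUCKETS}
    for sid, obj in new.items():
        label = attack_id(obj) or sid
        prev = old.get(sid)
        if prev is None:
            changes["additions"].append(label)
        elif obj.get("revoked") and not prev.get("revoked"):
            changes["revocations"].append(label)
        elif obj.get("x_mitre_deprecated") and not prev.get("x_mitre_deprecated"):
            changes["deprecations"].append(label)
        else:
            old_v = version_tuple(prev.get("x_mitre_version", "0"))
            new_v = version_tuple(obj.get("x_mitre_version", "0"))
            if new_v[0] > old_v[0]:
                changes["major_version_changes"].append(label)
            elif new_v > old_v:
                changes["minor_version_changes"].append(label)
            elif obj.get("modified") != prev.get("modified"):
                changes["other_changes"].append(label)
            else:
                changes["unchanged"].append(label)
    for sid, prev in old.items():
        if sid not in new:
            changes["deletions"].append(attack_id(prev) or sid)
    return {bucket: sorted(ids) for bucket, ids in changes.items()}


def changelog_markdown(changes, title="ATT&CK changelog"):
    """Markdown report; the unchanged bucket is omitted and deletions get a warning."""
    lines = [f"# {title}", ""]
    for bucket, ids in changes.items():
        if bucket == "unchanged" or not ids:
            continue
        lines.append(f"## {bucket.replace('_', ' ').title()} ({len(ids)})")
        lines.extend(f"- {i}" for i in ids)
        lines.append("")
    if changes["deletions"]:
        lines.append("> ATT&CK revokes or deprecates rather than deletes; check that both bundles are complete.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(changelog_markdown(diff_releases(OLD_RELEASE, NEW_RELEASE)))
```

Major version bumps are the ones worth reading closely when you maintain detection mappings: they usually mean the technique's scope or its sub-techniques changed, whereas minor bumps are wording and reference updates.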

Command Line Interface

The package installs command-line entry points for the common workflows: attackToExcel_cli (Excel export), layerExporter_cli and layerGenerator_cli (Navigator layers), collectionToIndex_cli, indexToMarkdown_cli and stixToCollection_cli (collections), download_attack_stix (release download) and diff_stix (release comparison). Flag conventions differ between tools (attackToExcel_cli uses single-dash flags), so check each tool's -h output before scripting against it.

# Export ATT&CK data to Excel
attackToExcel_cli -domain enterprise-attack -output ./output

# Generate one overview Navigator layer per group
layerGenerator_cli --overview-type group --domain enterprise --output ./layers

# Download ATT&CK STIX 2.1 data for two domains (latest release unless --all is given)
download_attack_stix --domains enterprise-attack mobile-attack --stix-version 2.1 --download-dir ./attack-stix


Constants and Utilities

Framework Constants

MITRE_ATTACK_ID_SOURCE_NAMES: List[str]  # Valid ATT&CK ID source names
MITRE_ATTACK_DOMAIN_STRINGS: List[str]   # Valid domain strings  
PLATFORMS_LOOKUP: Dict[str, List[str]]   # Domain to platforms mapping

Release Information

LATEST_VERSION: str = "17.1"             # Current ATT&CK version
STIX20: Dict[str, str]                   # SHA256 hashes for STIX 2.0 releases
STIX21: Dict[str, str]                   # SHA256 hashes for STIX 2.1 releases
