tessl/pypi-mitreattack-python

MITRE ATT&CK python library for accessing, querying, and manipulating ATT&CK threat intelligence data.

Command Line Interface Tools

Seven CLI tools for common ATT&CK data workflows including Excel export, layer generation, collection management, and data download. These command-line utilities provide direct access to the library's functionality without requiring Python programming, enabling integration into automated workflows and data processing pipelines.

Available CLI Commands

1. attackToExcel_cli

Convert ATT&CK STIX data to Excel spreadsheets with multiple worksheets.

attackToExcel_cli [OPTIONS]

Options:

  • -domain DOMAIN - ATT&CK domain to export (enterprise-attack, mobile-attack, ics-attack)
  • -version VERSION - Specific ATT&CK version to export (e.g., "14.1")
  • -output OUTPUT_DIR - Directory to save Excel file (default: current directory)
  • -stix-file FILE - Use local STIX file instead of downloading
  • -remote URL - Remote URL of an ATT&CK workbench server
  • -help - Show help message

Examples:

# Export latest Enterprise ATT&CK
attackToExcel_cli -domain enterprise-attack -output ./exports/

# Export specific version  
attackToExcel_cli -domain enterprise-attack -version 14.1 -output ./v14_exports/

# Export from local file
attackToExcel_cli -stix-file ./my-attack-data.json -output ./local_exports/

# Export from remote workbench
attackToExcel_cli -domain enterprise-attack -remote http://localhost:3000 -output ./remote_exports/

2. layerExporter_cli

Export ATT&CK Navigator layers to different formats (SVG, Excel).

layerExporter_cli [OPTIONS]

Options:

  • --input INPUT_FILE - Input layer JSON file
  • --output OUTPUT_FILE - Output file path
  • --format FORMAT - Output format (svg, excel, xlsx)
  • --config CONFIG_FILE - Configuration file for export settings
  • --width WIDTH - SVG width in pixels (default: 1200)
  • --height HEIGHT - SVG height in pixels (default: 800)
  • --font-size SIZE - Font size for SVG text (default: 12)
  • --template TEMPLATE - Excel template to use
  • --help - Show help message

Examples:

# Export layer to SVG
layerExporter_cli --input my_layer.json --format svg --output my_layer.svg

# Export to Excel with custom template
layerExporter_cli --input threat_layer.json --format excel --template detailed --output threat_analysis.xlsx

# Custom SVG dimensions
layerExporter_cli --input layer.json --format svg --width 1600 --height 1000 --output large_layer.svg

3. layerGenerator_cli

Generate ATT&CK Navigator layers from data analysis.

layerGenerator_cli [OPTIONS]

Options:

  • --data-source SOURCE - ATT&CK data source (enterprise-attack, mobile-attack, ics-attack)
  • --output OUTPUT_DIR - Directory to save generated layers
  • --type TYPE - Layer type (overview, usage, detection, custom)
  • --groups GROUPS - Filter by specific group IDs (comma-separated)
  • --software SOFTWARE - Filter by specific software IDs (comma-separated)
  • --platforms PLATFORMS - Filter by platforms (comma-separated)
  • --version VERSION - ATT&CK version to use
  • --config CONFIG_FILE - Configuration file for layer generation
  • --colormap COLORMAP - Color mapping scheme (red-blue, heat, custom)
  • --help - Show help message

Examples:

# Generate overview layers
layerGenerator_cli --data-source enterprise-attack --type overview --output ./overview_layers/

# Generate usage layers for specific groups
layerGenerator_cli --data-source enterprise-attack --type usage --groups G0016,G0028 --output ./group_layers/

# Generate detection coverage layers
layerGenerator_cli --data-source enterprise-attack --type detection --output ./detection_layers/

# Custom layer with platform filtering
layerGenerator_cli --data-source enterprise-attack --platforms Windows --colormap heat --output ./windows_layers/

4. indexToMarkdown_cli

Convert ATT&CK collection indices to Markdown documentation.

indexToMarkdown_cli [OPTIONS]

Options:

  • --input INPUT_FILE - Input collection index JSON file
  • --output OUTPUT_FILE - Output Markdown file path
  • --template TEMPLATE - Markdown template to use (default, detailed, summary)
  • --include-relationships - Include relationship mappings in output
  • --include-metadata - Include collection metadata
  • --sections SECTIONS - Specific sections to include (comma-separated)
  • --format FORMAT - Output format variant (github, html, plain)
  • --help - Show help message

Examples:

# Basic conversion
indexToMarkdown_cli --input collection_index.json --output collection_report.md

# Detailed report with relationships
indexToMarkdown_cli --input index.json --output detailed_report.md --template detailed --include-relationships

# Custom sections only
indexToMarkdown_cli --input index.json --output summary.md --sections overview,techniques,groups

5. collectionToIndex_cli

Convert ATT&CK Collections to index format for processing.

collectionToIndex_cli [OPTIONS]

Options:

  • --input INPUT_FILE - Input ATT&CK Collection JSON file
  • --output OUTPUT_FILE - Output index JSON file path
  • --validate - Validate collection format before conversion
  • --include-metadata - Include extended metadata in index
  • --filter-types TYPES - Filter by object types (comma-separated)
  • --sort-by FIELD - Sort objects by field (name, id, created, modified)
  • --help - Show help message

Examples:

# Basic conversion with validation
collectionToIndex_cli --input apt29_collection.json --output apt29_index.json --validate

# Filter specific object types
collectionToIndex_cli --input collection.json --output filtered_index.json --filter-types attack-pattern,intrusion-set

# Sort by creation date
collectionToIndex_cli --input collection.json --output sorted_index.json --sort-by created

6. diff_stix

Compare ATT&CK versions and generate change reports.

diff_stix [OPTIONS]

Options:

  • --old OLD_FILE - Older version STIX file path
  • --new NEW_FILE - Newer version STIX file path
  • --output OUTPUT_FILE - Output changelog file path
  • --format FORMAT - Output format (json, markdown, html, text)
  • --filter TYPE - Filter by object type (attack-pattern, intrusion-set, etc.)
  • --summary-only - Generate summary statistics only
  • --include-relationships - Include relationship changes
  • --verbose - Verbose output with detailed changes
  • --help - Show help message

Examples:

# Basic version comparison
diff_stix --old v14.1.json --new v15.0.json --output changelog.json

# Markdown changelog
diff_stix --old old_version.json --new new_version.json --format markdown --output changes.md

# Filter by techniques only
diff_stix --old v1.json --new v2.json --filter attack-pattern --output technique_changes.json

# Summary statistics only
diff_stix --old v1.json --new v2.json --summary-only --output summary.json
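
What a version comparison has to establish before detection coverage is re-mapped, as an added example (not diff_stix's implementation or code from mitreattack-python): objects are matched by STIX id and classed as added, removed, modified or newly retired. The bundles, ids and function names are constructed for illustration; `revoked` and `x_mitre_deprecated` are the properties ATT&CK uses to retire an object.

```python
# Constructed sample bundles: placeholder ids, not real ATT&CK objects.
def _obj(stix_type, suffix, modified, **extra):
    return {"type": stix_type, "id": f"{stix_type}--{suffix}", "modified": modified, **extra}

OLD = {"type": "bundle", "objects": [
    _obj("attack-pattern", "a", "2023-04-25T00:00:00.000Z"),
    _obj("attack-pattern", "b", "2023-04-25T00:00:00.000Z"),
    _obj("attack-pattern", "c", "2023-04-25T00:00:00.000Z"),
    _obj("relationship", "d", "2023-04-25T00:00:00.000Z"),
]}
NEW = {"type": "bundle", "objects": [
    _obj("attack-pattern", "a", "2023-04-25T00:00:00.000Z"),
    _obj("attack-pattern", "b", "2023-10-31T00:00:00.000Z"),
    _obj("attack-pattern", "c", "2023-10-31T00:00:00.000Z", revoked=True),
    _obj("attack-pattern", "e", "2023-10-31T00:00:00.000Z"),
]}

def index_objects(bundle, stix_type=None):
    """Map STIX id -> object, optionally restricted to one object type."""
    return {o["id"]: o for o in bundle.get("objects", [])
            if stix_type is None or o.get("type") == stix_type}

def is_retired(obj):
    """True when the object is revoked or deprecated."""
    return bool(obj.get("revoked") or obj.get("x_mitre_deprecated"))

def diff_bundles(old, new, stix_type=None):
    """Classify every object id as added, removed, modified or newly retired."""
    old_idx, new_idx = index_objects(old, stix_type), index_objects(new, stix_type)
    report = {
        "added": sorted(new_idx.keys() - old_idx.keys()),
        "removed": sorted(old_idx.keys() - new_idx.keys()),
        "modified": [],
        "retired": [],
    }
    for sid in sorted(old_idx.keys() & new_idx.keys()):
        before, after = old_idx[sid], new_idx[sid]
        if is_retired(after) and not is_retired(before):
            # Rules mapped to this id need a new home, not just a review.
            report["retired"].append(sid)
        elif after.get("modified") != before.get("modified"):
            report["modified"].append(sid)
    return report

if __name__ == "__main__":
    for kind, ids in diff_bundles(OLD, NEW, "attack-pattern").items():
        print(f"{kind}: {ids}")
```

Retired ids are reported separately from modified ones because a revoked technique stays in the bundle and would otherwise look like an ordinary edit.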

7. download_attack_stix

Download ATT&CK STIX data from official sources.

download_attack_stix [OPTIONS]

Options:

  • --domains DOMAINS - Domains to download (comma-separated)
  • --versions VERSIONS - Specific versions to download (comma-separated)
  • --stix-version VERSION - STIX format version (2.0, 2.1)
  • --output OUTPUT_DIR - Directory to save downloaded files
  • --latest - Download latest versions only
  • --all-versions - Download all available versions
  • --verify-hashes - Verify file integrity with SHA256 hashes
  • --force - Overwrite existing files
  • --quiet - Suppress progress output
  • --help - Show help message

Examples:

# Interactive mode (prompts for selections)
download_attack_stix

# Download latest versions of all domains
download_attack_stix --domains enterprise-attack,mobile-attack,ics-attack --latest

# Download specific versions
download_attack_stix --domains enterprise-attack --versions 14.1,15.0,15.1 --stix-version 2.1

# Download to specific directory with verification
download_attack_stix --domains enterprise-attack --latest --output ./attack_data/ --verify-hashes

# Download all historical versions (Enterprise only)
download_attack_stix --domains enterprise-attack --all-versions --output ./historical/
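
A pre-flight check for a bundle before it is handed to `attackToExcel_cli -stix-file` or `diff_stix`, as an added example that is not part of mitreattack-python. It assumes you keep a pinned SHA-256 for each file and that the bundle carries an `x-mitre-collection` object with `x_mitre_version`; the function names and the sample bundle are constructed for illustration.

```python
import hashlib
import json
import pathlib
import tempfile

def sha256_file(path):
    """Hash the file in chunks so large STIX bundles are not read in one go."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def check_stix_file(path, pinned_sha256, expected_version=None):
    """Return a list of problems; an empty list means the file may be used."""
    problems = []
    if sha256_file(path) != pinned_sha256.lower():
        problems.append("sha256 does not match the pinned value")
    try:
        with open(path, encoding="utf-8") as fh:
            bundle = json.load(fh)
    except ValueError as exc:
        return problems + [f"not valid JSON: {exc}"]
    objects = bundle.get("objects") if isinstance(bundle, dict) else None
    if not isinstance(objects, list) or bundle.get("type") != "bundle":
        return problems + ["not a STIX bundle with an objects list"]
    objects = [o for o in objects if isinstance(o, dict)]
    if not any(o.get("type") == "attack-pattern" for o in objects):
        problems.append("bundle contains no attack-pattern objects")
    if expected_version is not None:
        # Assumption: the version lives on an x-mitre-collection object.
        found = {o.get("x_mitre_version") for o in objects
                 if o.get("type") == "x-mitre-collection"}
        if found != {expected_version}:
            problems.append(f"collection version {sorted(map(str, found))} != {expected_version}")
    return problems

def demo():
    """Write a constructed bundle to a temp file and check it three ways."""
    sample = {"type": "bundle", "id": "bundle--constructed", "objects": [
        {"type": "x-mitre-collection", "id": "x-mitre-collection--constructed", "x_mitre_version": "14.1"},
        {"type": "attack-pattern", "id": "attack-pattern--constructed", "name": "Constructed technique"}]}
    data = json.dumps(sample).encode()
    with tempfile.TemporaryDirectory() as tmp:
        path = pathlib.Path(tmp) / "enterprise-attack-v14.1.json"
        path.write_bytes(data)
        pin = hashlib.sha256(data).hexdigest()
        return (check_stix_file(path, pin, "14.1"),     # clean file
                check_stix_file(path, "0" * 64, "14.1"),  # wrong pin
                check_stix_file(path, pin, "15.0"))      # mislabeled version
```

The version check catches a file that is intact but saved under the wrong name, which would otherwise make a version comparison report the wrong pair of releases.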

Batch Processing Examples

Complete ATT&CK Analysis Workflow

#!/bin/bash
# Complete workflow: download, convert, analyze, and visualize

# Stop at the first failed step (for example a failed hash verification)
set -euo pipefail

# Set up directories
mkdir -p data exports layers reports

# Download latest ATT&CK data
download_attack_stix --domains enterprise-attack,mobile-attack --latest --output data/ --verify-hashes

# Convert to Excel for analysis
attackToExcel_cli -domain enterprise-attack -output exports/
attackToExcel_cli -domain mobile-attack -output exports/

# Generate visualization layers
layerGenerator_cli --data-source enterprise-attack --type overview --output layers/overview/
layerGenerator_cli --data-source enterprise-attack --type usage --groups G0016,G0028,G0032 --output layers/groups/

# Export layers to SVG for presentations
for layer in layers/overview/*.json; do
    [ -f "$layer" ] || continue  # skip the literal pattern when nothing matched
    base_name=$(basename "$layer" .json)
    layerExporter_cli --input "$layer" --format svg --output "exports/${base_name}.svg"
done

echo "ATT&CK analysis workflow complete!"

Version Comparison Pipeline

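#!/bin/bash
# Compare multiple ATT&CK versions and generate reports

# Stop at the first failed download or comparison
set -euo pipefail

versions=("13.1" "14.0" "14.1" "15.0" "15.1")
domain="enterprise-attack"

# Create the directories the steps below write to
mkdir -p data/versions reports

# Download all versions
for version in "${versions[@]}"; do
    download_attack_stix --domains "$domain" --versions "$version" --output data/versions/
done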

# Compare consecutive versions
for ((i=0; i<${#versions[@]}-1; i++)); do
    old_version=${versions[$i]}
    new_version=${versions[$((i+1))]}
    
    old_file="data/versions/${domain}-v${old_version}.json"
    new_file="data/versions/${domain}-v${new_version}.json"
    
    # Generate JSON changelog
    diff_stix --old "$old_file" --new "$new_file" --output "reports/${old_version}_to_${new_version}.json"
    
    # Generate Markdown report
    diff_stix --old "$old_file" --new "$new_file" --format markdown --output "reports/${old_version}_to_${new_version}.md"
    
    echo "Compared $old_version -> $new_version"
done

echo "Version comparison pipeline complete!"

Collection Processing Workflow

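#!/bin/bash
# Process multiple ATT&CK Collections

# Stop at the first collection that fails validation or conversion
set -euo pipefail

collections_dir="collections"
output_dir="processed_collections"

mkdir -p "$output_dir"/{indices,reports}

# Process each collection file
for collection in "$collections_dir"/*.json; do
    [ -f "$collection" ] || continue  # skip the literal pattern when nothing matched
    base_name=$(basename "$collection" .json)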
    
    echo "Processing collection: $base_name"
    
    # Convert to index
    collectionToIndex_cli --input "$collection" --output "$output_dir/indices/${base_name}_index.json" --validate
    
    # Generate markdown report
    indexToMarkdown_cli --input "$output_dir/indices/${base_name}_index.json" --output "$output_dir/reports/${base_name}_report.md" --include-relationships
    
    echo "Processed: $base_name"
done

echo "Collection processing complete!"

Multi-Domain Export Pipeline

#!/bin/bash
# Export all ATT&CK domains in multiple formats

# Stop at the first failed export
set -euo pipefail

domains=("enterprise-attack" "mobile-attack" "ics-attack")

for domain in "${domains[@]}"; do
    echo "Processing domain: $domain"
    
    # Create domain-specific directories
    mkdir -p "exports/$domain"/{excel,layers,svg}
    
    # Export to Excel
    attackToExcel_cli -domain "$domain" -output "exports/$domain/excel/"
    
    # Generate overview layers
    layerGenerator_cli --data-source "$domain" --type overview --output "exports/$domain/layers/"
    
    # Convert layers to SVG
    for layer in "exports/$domain/layers/"*.json; do
        if [ -f "$layer" ]; then
            base_name=$(basename "$layer" .json)
            layerExporter_cli --input "$layer" --format svg --output "exports/$domain/svg/${base_name}.svg"
        fi
    done
    
    echo "Completed: $domain"
done

echo "Multi-domain export complete!"

Integration with Other Tools

Using with CI/CD Pipelines

# GitHub Actions example
name: ATT&CK Data Analysis
on:
  schedule:
    - cron: '0 0 * * 0'  # Weekly
  workflow_dispatch:

jobs:
  analyze-attack-data:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Setup Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      
      - name: Install mitreattack-python
        run: pip install mitreattack-python
      
      - name: Download latest ATT&CK data
        run: download_attack_stix --domains enterprise-attack --latest --output data/
      
      - name: Generate Excel reports
        run: attackToExcel_cli -domain enterprise-attack -output reports/
      
      - name: Generate visualization layers
        run: layerGenerator_cli --data-source enterprise-attack --type overview --output layers/
      
      - name: Upload artifacts
        # upload-artifact v3 is deprecated; use v4
        uses: actions/upload-artifact@v4
        with:
          name: attack-analysis
          path: |
            reports/
            layers/

Using with Jupyter Notebooks

# In Jupyter notebook cell
import subprocess

# Download data
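# check=True raises CalledProcessError if a tool exits non-zero,
# so a failed download is not mistaken for prepared data
subprocess.run([
    "download_attack_stix",
    "--domains", "enterprise-attack",
    "--latest",
    "--output", "./notebook_data/"
], check=True)

# Generate layers for analysis
subprocess.run([
    "layerGenerator_cli",
    "--data-source", "enterprise-attack",
    "--type", "overview",
    "--output", "./notebook_layers/"
], check=True)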

print("Data prepared for notebook analysis")

Install with Tessl CLI

npx tessl i tessl/pypi-mitreattack-python
