CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/pypi-mitreattack-python

MITRE ATT&CK python library for accessing, querying, and manipulating ATT&CK threat intelligence data.

Pending
Overview
Eval results
Files

stix20-data-access.mddocs/

STIX 2.0 Data Access and Querying

Core functionality for loading, querying, and analyzing MITRE ATT&CK data using the STIX 2.0 format. The MitreAttackData class provides comprehensive access to all ATT&CK objects and their relationships through 90+ specialized methods for filtering, searching, and relationship mapping.

Capabilities

Data Loading and Initialization

Load ATT&CK data from various sources including local files, URLs, or default datasets.

class MitreAttackData:
    def __init__(self, stix_filepath: str | None = None, src: stix2.MemoryStore | None = None):
        """
        Central class for querying, analyzing, and mapping relationships between STIX 2.0 objects in the MITRE ATT&CK framework.
        
        Args:
            stix_filepath (str | None, optional): Filepath to a STIX 2.0 bundle. Mutually exclusive with src.
            src (stix2.MemoryStore | None, optional): A STIX 2.0 bundle already loaded into memory. Mutually exclusive with stix_filepath.
            
        Raises:
            TypeError: If neither or both of stix_filepath and src are provided, or if stix_filepath is not a string.
        """

Usage example:

from mitreattack.stix20 import MitreAttackData
from mitreattack.attackToExcel import get_stix_data

# Method 1: Load data first, then create MitreAttackData
data_store = get_stix_data("enterprise-attack")
attack_data = MitreAttackData(src=data_store)

# Method 2: Load from local file
attack_data = MitreAttackData(stix_filepath="/path/to/enterprise-attack.json")

# Method 3: Load specific version
data_store = get_stix_data("enterprise-attack", version="14.1")
attack_data = MitreAttackData(src=data_store)

Object Retrieval by Type

Get all objects of specific ATT&CK types with optional filtering.

def get_matrices(self, remove_revoked_deprecated: bool = False) -> list[Matrix]:
    """Retrieve all matrix objects."""

def get_tactics(self, remove_revoked_deprecated: bool = False) -> list[Tactic]:
    """Retrieve all tactic objects."""

def get_techniques(self, include_subtechniques: bool = True, remove_revoked_deprecated: bool = False) -> list[Technique]:
    """Retrieve all technique objects."""

def get_subtechniques(self, remove_revoked_deprecated: bool = False) -> list[Technique]:
    """Retrieve all sub-technique objects."""

def get_mitigations(self, remove_revoked_deprecated: bool = False) -> list[Mitigation]:
    """Retrieve all mitigation objects."""

def get_groups(self, remove_revoked_deprecated: bool = False) -> list[Group]:
    """Retrieve all group objects."""

def get_software(self, remove_revoked_deprecated: bool = False) -> list[Software]:
    """Retrieve all software objects."""

def get_campaigns(self, remove_revoked_deprecated: bool = False) -> list[Campaign]:
    """Retrieve all campaign objects."""

def get_assets(self, remove_revoked_deprecated: bool = False) -> list[Asset]:
    """Retrieve all asset objects."""

def get_datasources(self, remove_revoked_deprecated: bool = False) -> list[DataSource]:
    """Retrieve all data source objects."""

def get_datacomponents(self, remove_revoked_deprecated: bool = False) -> list[DataComponent]:
    """Retrieve all data component objects."""

Generic Object Queries

Query objects by type, content, name, or other criteria.

def get_objects_by_type(self, stix_type: str, remove_revoked_deprecated: bool = False) -> list[AttackStixObject]:
    """Retrieve objects by STIX type."""

def get_objects_by_content(self, content: str, object_type: str | None = None, remove_revoked_deprecated: bool = False) -> list[AttackStixObject]:
    """Retrieve objects by the content of their description (case insensitive)."""

def get_objects_by_name(self, name: str, stix_type: str) -> list[AttackStixObject]:
    """Retrieve objects by name (case sensitive)."""

def get_objects_created_after(self, timestamp: str, remove_revoked_deprecated: bool = False) -> list[AttackStixObject]:
    """Retrieve objects which have been created after a given time."""

def get_objects_modified_after(self, date: str, remove_revoked_deprecated: bool = False) -> list[AttackStixObject]:
    """Retrieve objects which have been modified after a given time."""

Platform and Tactic Filtering

Filter techniques by platform or tactic associations.

def get_techniques_by_platform(self, platform: str, remove_revoked_deprecated: bool = False) -> list[Technique]:
    """Retrieve techniques under a specific platform."""

def get_techniques_by_tactic(self, tactic_shortname: str, domain: str, remove_revoked_deprecated: bool = False) -> list[Technique]:
    """Retrieve techniques by tactic."""

def get_tactics_by_technique(self, stix_id: str) -> list[Tactic]:
    """Retrieve the list of tactics within a particular technique."""

def get_tactics_by_matrix(self) -> dict[str, list[Tactic]]:
    """Retrieve the structured list of tactics within each matrix."""

ID and Metadata Operations

Access objects by their identifiers and extract metadata.

def get_object_by_stix_id(self, stix_id: str) -> AttackStixObject:
    """Retrieve a single object by STIX ID."""

def get_object_by_attack_id(self, attack_id: str, stix_type: str) -> AttackStixObject | None:
    """Retrieve a single object by its ATT&CK ID."""

def get_attack_id(self, stix_id: str) -> str | None:
    """Get the object's ATT&CK ID."""

def get_stix_type(self, stix_id: str) -> str:
    """Get the object's STIX type."""

def get_name(self, stix_id: str) -> str | None:
    """Get the object's name."""

Group-Software Relationships

Map relationships between threat groups and software tools.

def get_all_software_used_by_all_groups(self) -> RelationshipMapT[Software]:
    """Retrieve all software used by all groups."""

def get_software_used_by_group(self, group_stix_id: str) -> list[RelationshipEntry[Software]]:
    """Get all software used by a group."""

def get_all_groups_using_all_software(self) -> RelationshipMapT[Group]:
    """Get all groups using all software."""

def get_groups_using_software(self, software_stix_id: str) -> list[RelationshipEntry[Group]]:
    """Get all groups using a software."""

Group-Technique Relationships

Map relationships between threat groups and attack techniques.

def get_all_techniques_used_by_all_groups(self) -> RelationshipMapT[Technique]:
    """Get all techniques used by all groups."""

def get_techniques_used_by_group(self, group_stix_id: str) -> list[RelationshipEntry[Technique]]:
    """Get all techniques used by a group."""

def get_all_groups_using_all_techniques(self) -> RelationshipMapT[Group]:
    """Get all groups using all techniques."""

def get_groups_using_technique(self, technique_stix_id: str) -> list[RelationshipEntry[Group]]:
    """Get all groups using a technique."""

Software-Technique Relationships

Map relationships between software tools and attack techniques.

def get_all_techniques_used_by_all_software(self) -> RelationshipMapT[Technique]:
    """Get all techniques used by all software."""

def get_techniques_used_by_software(self, software_stix_id: str) -> list[RelationshipEntry[Technique]]:
    """Get all techniques used by a software."""

def get_all_software_using_all_techniques(self) -> RelationshipMapT[Software]:
    """Get all software using all techniques."""

def get_software_using_technique(self, technique_stix_id: str) -> list[RelationshipEntry[Software]]:
    """Get all software using a technique."""

Mitigation Relationships

Map relationships between techniques and their mitigations.

def get_all_techniques_mitigated_by_all_mitigations(self) -> RelationshipMapT[Technique]:
    """Get all techniques mitigated by all mitigations."""

def get_techniques_mitigated_by_mitigation(self, mitigation_stix_id: str) -> list[RelationshipEntry[Technique]]:
    """Get all techniques being mitigated by a mitigation."""

def get_all_mitigations_mitigating_all_techniques(self) -> RelationshipMapT[Mitigation]:
    """Get all mitigations mitigating all techniques."""

def get_mitigations_mitigating_technique(self, technique_stix_id: str) -> list[RelationshipEntry[Mitigation]]:
    """Get all mitigations mitigating a technique."""

Detection Relationships

Map relationships between techniques and data sources/components that can detect them.

def get_all_techniques_detected_by_all_datacomponents(self) -> RelationshipMapT[Technique]:
    """Get all techniques detected by all data components."""

def get_techniques_detected_by_datacomponent(self, datacomponent_stix_id: str) -> list[RelationshipEntry[Technique]]:
    """Get all techniques detected by a data component."""

def get_all_datacomponents_detecting_all_techniques(self) -> RelationshipMapT[DataComponent]:
    """Get all data components detecting all techniques."""

def get_datacomponents_detecting_technique(self, technique_stix_id: str) -> list[RelationshipEntry[DataComponent]]:
    """Get all data components detecting a technique."""

Campaign Relationships

Map relationships between campaigns and techniques/software.

def get_all_techniques_used_by_all_campaigns(self) -> RelationshipMapT[Technique]:
    """Get all techniques used by all campaigns."""

def get_techniques_used_by_campaign(self, campaign_stix_id: str) -> list[RelationshipEntry[Technique]]:
    """Get all techniques used by a campaign."""

def get_all_campaigns_using_all_techniques(self) -> RelationshipMapT[Campaign]:
    """Get all campaigns using all techniques."""

def get_campaigns_using_technique(self, technique_stix_id: str) -> list[RelationshipEntry[Campaign]]:
    """Get all campaigns using a technique."""

def get_all_software_used_by_all_campaigns(self) -> RelationshipMapT[Software]:
    """Get all software used by all campaigns."""

def get_software_used_by_campaign(self, campaign_stix_id: str) -> list[RelationshipEntry[Software]]:
    """Get all software used by a campaign."""

def get_all_campaigns_using_all_software(self) -> RelationshipMapT[Campaign]:
    """Get all campaigns using all software."""

def get_campaigns_using_software(self, software_stix_id: str) -> list[RelationshipEntry[Campaign]]:
    """Get all campaigns using a software."""

def get_all_groups_attributing_to_all_campaigns(self) -> RelationshipMapT[Group]:
    """Get all groups attributing to all campaigns."""

def get_groups_attributing_to_campaign(self, campaign_stix_id: str) -> list[RelationshipEntry[Group]]:
    """Get all groups attributing to a campaign."""

def get_all_campaigns_attributed_to_all_groups(self) -> RelationshipMapT[Campaign]:
    """Get all campaigns attributed to all groups."""

def get_campaigns_attributed_to_group(self, group_stix_id: str) -> list[RelationshipEntry[Campaign]]:
    """Get all campaigns attributed to a group."""

Subtechnique and Asset Relationships

Map relationships between techniques and subtechniques, and techniques and assets.

def get_all_parent_techniques_of_all_subtechniques(self) -> RelationshipMapT[Technique]:
    """Get all parent techniques of all sub-techniques."""

def get_parent_technique_of_subtechnique(self, subtechnique_stix_id: str) -> list[RelationshipEntry[Technique]]:
    """Get the parent technique of a sub-technique."""

def get_all_subtechniques_of_all_techniques(self) -> RelationshipMapT[Technique]:
    """Get all subtechniques of all parent techniques."""

def get_subtechniques_of_technique(self, technique_stix_id: str) -> list[RelationshipEntry[Technique]]:
    """Get all subtechniques of a technique."""

def get_all_techniques_targeting_all_assets(self) -> RelationshipMapT[Technique]:
    """Get all techniques targeting all assets."""

def get_techniques_targeting_asset(self, asset_stix_id: str) -> list[RelationshipEntry[Technique]]:
    """Get all techniques targeting an asset."""

def get_all_assets_targeted_by_all_techniques(self) -> RelationshipMapT[Asset]:
    """Get all assets targeted by all techniques."""

def get_assets_targeted_by_technique(self, technique_stix_id: str) -> list[RelationshipEntry[Asset]]:
    """Get all assets targeted by a technique."""

Alias-Based Retrieval

Find objects by their known aliases.

def get_groups_by_alias(self, alias: str) -> list[Group]:
    """Retrieve the groups corresponding to a given alias (case sensitive)."""

def get_campaigns_by_alias(self, alias: str) -> list[Campaign]:
    """Retrieve the campaigns corresponding to a given alias (case sensitive)."""

def get_software_by_alias(self, alias: str) -> list[Software]:
    """Retrieve the software corresponding to a given alias (case sensitive)."""

Utility and Helper Methods

Additional utility methods for object handling.

def remove_revoked_deprecated(self, stix_objects: list[T]) -> list[T]:
    """Remove revoked or deprecated objects from queries made to the data source."""

def get_procedure_examples_by_technique(self, stix_id: str) -> list[Relationship]:
    """Retrieve the list of procedure examples by technique."""

def get_techniques_used_by_group_software(self, group_stix_id: str) -> list[Technique]:
    """Get techniques used by a group's software (indirect technique usage)."""

def get_revoking_object(self, revoked_stix_id: str = "") -> AttackStixObject | None:
    """Given the STIX ID of a revoked object, retrieve the STIX object that replaced it."""

@staticmethod
def get_field(obj, field, default=None) -> Any:
    """Get a field from a dict or object."""

def print_stix_object(self, obj: AttackStixObject, pretty: bool = True) -> None:
    """Print a STIX object."""

Types and Custom STIX Objects

The library defines custom STIX objects and types for ATT&CK-specific data types.

# Type Definitions
AttackStixObject = Union[CustomStixObject, stix2.v20.sdo._DomainObject]

Technique = stix2.v20.sdo.AttackPattern
Malware = stix2.v20.sdo.Malware
Tool = stix2.v20.sdo.Tool
Software = Malware | Tool
Group = stix2.v20.sdo.IntrusionSet
Campaign = stix2.v20.sdo.Campaign
Mitigation = stix2.v20.sdo.CourseOfAction
Relationship = stix2.v20.sro.Relationship

class RelationshipEntry(TypedDict, Generic[T]):
    """Represents a relationship entry mapping an object to its relationships."""
    object: T
    relationships: list[Relationship]

RelationshipMapT = dict[str, list[RelationshipEntry[T]]]

# Custom STIX Objects
class Asset:
    """Custom STIX object for ATT&CK Assets."""

class DataComponent:
    """Custom STIX object for ATT&CK Data Components."""

class DataSource:
    """Custom STIX object for ATT&CK Data Sources."""

class Matrix:
    """Custom STIX object for ATT&CK Matrices."""

class Tactic:
    """Custom STIX object for ATT&CK Tactics."""

class StixObjectFactory:
    """Factory for creating custom STIX objects."""
    @staticmethod
    def create_object(stix_type: str, **kwargs) -> object:
        """Create custom STIX object of specified type."""

Usage Examples

Basic Querying

from mitreattack.stix20 import MitreAttackData

# Initialize data
attack_data = MitreAttackData("enterprise-attack")

# Get all techniques and print count
techniques = attack_data.get_techniques()
print(f"Total techniques: {len(techniques)}")

# Find specific technique
process_injection = attack_data.get_object_by_attack_id("T1055")
print(f"Technique: {attack_data.get_name(process_injection)}")

# Get techniques for Windows platform
windows_techniques = attack_data.get_techniques_by_platform("Windows")
print(f"Windows techniques: {len(windows_techniques)}")

Relationship Analysis

# Analyze group capabilities
groups = attack_data.get_groups()
for group in groups[:5]:  # First 5 groups
    group_name = attack_data.get_name(group)
    group_techniques = attack_data.get_techniques_used_by_group(group)
    group_software = attack_data.get_software_used_by_group(group)
    
    print(f"{group_name}:")
    print(f"  Techniques: {len(group_techniques)}")
    print(f"  Software: {len(group_software)}")

# Find detection coverage
detection_mapping = attack_data.get_all_datacomponents_detecting_all_techniques()
covered_techniques = len(detection_mapping)
total_techniques = len(attack_data.get_techniques())
print(f"Detection coverage: {covered_techniques}/{total_techniques} techniques")

Install with Tessl CLI

npx tessl i tessl/pypi-mitreattack-python

docs

cli-tools.md

collections.md

excel-export.md

index.md

navigation-layers.md

stix20-data-access.md

version-comparison.md

version-management.md

tile.json