
pyattck

Welcome to pyattck's Documentation

    .______   ____    ____  ___   .___________.___________.  ______  __  ___
    |   _  \  \   \  /   / /   \  |           |           | /      ||  |/  /
    |  |_)  |  \   \/   / /  ^  \ `---|  |----`---|  |----`|  ,----'|  '  /
    |   ___/    \_    _/ /  /_\  \    |  |        |  |     |  |     |    <
    |  |          |  |  /  _____  \   |  |        |  |     |  `----.|  .  \
    | _|          |__| /__/     \__\  |__|        |__|      \______||__|\__\

A Python package to interact with MITRE ATT&CK Frameworks

Current Version is 7.1.1

pyattck is a light-weight framework for MITRE ATT&CK Frameworks. This package extracts details from the MITRE Enterprise, PRE-ATT&CK, Mobile, and ICS Frameworks.

Why?

pyattck assists organizations and individuals with accessing the MITRE ATT&CK Framework(s) in a programmatic way. This means you can access all actors, malware, mitigations, tactics, techniques, and tools defined by the Enterprise, Mobile, Pre-Attck, and ICS frameworks via a command-line utility or by embedding pyattck in your own code base.

There are many reasons why you would want to access this data in an automated (scripted/coded) way but a few examples are:

  • Generate reports with additional details about a technique (or any object defined in the framework)
  • A build pipeline of detection rules with additional MITRE ATT&CK details for categorization
  • Quickly searching for specific details about a technique without navigating a web page

There are other benefits that pyattck provides as well, including the ability to supply additional contextual data. You can find more information about this data here, but the basics are that pyattck utilizes multiple open-source repositories to gather additional contextual data such as commands used to execute a technique, country and other details about a malicious actor, other variants of malware similar to a defined tool/malware, etc.

This additional context is what makes pyattck truly powerful and enables people to build more robust testing and validation of their detection rules, validate testing assumptions, etc. Truly there are countless ways that pyattck could be utilized to help blue, red, and purple teams defend organizations (and themselves).

Features

The pyattck package retrieves all Tactics, Techniques, Actors, Malware, Tools, and Mitigations from the MITRE ATT&CK Frameworks as well as any defined relationships within the MITRE ATT&CK dataset (including sub-techniques).

In addition, Techniques, Actors, and Tools (if applicable) now have collected data from third-party resources that are accessible via different properties. For more detailed information about these features, see External Datasets.

The pyattck package allows you to:

  • Specify a URL or local file path for the MITRE ATT&CK Enterprise Framework json, generated dataset, and/or a config.yml file.
  • Access data from the MITRE PRE-ATT&CK Framework
  • Access data from the MITRE Mobile ATT&CK Framework
  • Access data from the MITRE ICS ATT&CK Framework
  • Access sub-techniques as nested objects under their parent technique, or turn nesting off and access them as normal techniques
  • Access compliance controls (currently NIST 800-53 v5) related to a MITRE ATT&CK Technique
  • pyattck now utilizes structured data models. More information can be found at pyattck-data
  • Run an interactive console menu system to access pyattck data

Table of Contents

  1. Installation
  2. Usage Example
  3. Configuration
  4. Notes

Installation

You can install pyattck on OS X, Linux, or Windows. You can also install it directly from the source. To install, see the commands under the relevant operating system heading, below.

macOS, Linux and Windows:

pip install pyattck

Installing from source

git clone https://github.com/swimlane/pyattck.git
cd pyattck
python setup.py install

Usage example

To use pyattck you must instantiate an Attck object. Although you can interact directly with each class, the intended use is through an Attck object:

from pyattck import Attck

attack = Attck()

By default, sub-techniques are accessible under each technique object. You can turn this behavior off by passing nested_techniques=False when creating your Attck object.

As an example, the default behavior looks like the following example:

from pyattck import Attck

attack = Attck()

for technique in attack.enterprise.techniques:
    print(technique.id)
    print(technique.name)
    for subtechnique in technique.techniques:
        print(subtechnique.id)
        print(subtechnique.name)

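As an added example (not part of the pyattck README or code base), the walk over techniques and nested sub-techniques shown above can be turned into a lookup table and used to enrich detection rules with ATT&CK details, the pipeline use case mentioned earlier. The TechniqueStub class is a constructed stand-in that exposes only the attributes the README's loop uses (id, name, techniques); with pyattck installed you would pass Attck().enterprise.techniques instead. The index builder also handles nested_techniques=False, where sub-techniques appear at the top level.

```python
from dataclasses import dataclass, field


@dataclass
class TechniqueStub:
    # Constructed stand-in for pyattck technique objects (id, name, techniques).
    id: str
    name: str
    techniques: list = field(default_factory=list)


def build_technique_index(techniques) -> dict:
    """Flatten techniques and sub-techniques into {id: {"name", "parent"}}; works
    with nested_techniques=True (sub-techniques under technique.techniques) and
    False (sub-techniques at top level; parent derived from 'T1055.001' -> 'T1055')."""
    index = {}

    def visit(tech, parent):
        tid = tech.id
        if parent is None and "." in tid:
            parent = tid.split(".", 1)[0]
        index[tid] = {"name": tech.name, "parent": parent}
        for sub in getattr(tech, "techniques", None) or []:
            visit(sub, tid)

    for tech in techniques:
        visit(tech, None)
    return index


def enrich_rules(rules, index) -> list:
    """Attach ATT&CK names to each rule's technique ids. Ids absent from the
    framework are flagged (known=False) so a bad mapping surfaces in the build."""
    enriched = []
    for rule in rules:
        tags = []
        for tid in rule["attack_ids"]:
            info = index.get(tid, {})
            tags.append({"id": tid, "known": bool(info),
                         "name": info.get("name"), "parent": info.get("parent")})
        enriched.append({**rule, "attack": tags})
    return enriched


# Constructed sample data: two techniques with one sub-technique each, and two
# detection rules, one of which references an id that does not exist.
SAMPLE_TECHNIQUES = [
    TechniqueStub("T1055", "Process Injection", [TechniqueStub("T1055.001", "Dynamic-link Library Injection")]),
    TechniqueStub("T1059", "Command and Scripting Interpreter", [TechniqueStub("T1059.001", "PowerShell")]),
]
SAMPLE_RULES = [
    {"title": "Remote thread created in another process", "attack_ids": ["T1055.001"]},
    {"title": "Encoded PowerShell command line", "attack_ids": ["T1059.001", "T9999"]},
]
```
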
You can access the following main properties on your Attck object:

  • enterprise
  • preattack
  • mobile
  • ics

Once you specify the MITRE ATT&CK Framework, you can access additional properties.

Here are the accessible objects under the Enterprise property:

For more information on object types under the enterprise property, see Enterprise.

Here are the accessible objects under the PreAttck property:

For more information on object types under the preattck property, see PreAttck.

Here are the accessible objects under the Mobile property:

For more information on object types under the mobile property, see Mobile.

Here are the accessible objects under the ICS property:

For more information on object types under the ics property, see ICS.

Interactive Menu Usage

To utilize the new interactive menu system within pyattck, you must set interactive to True. By doing so, it will launch the interactive console menu system.

Using a script, you can launch this by running:

from pyattck import Attck

Attck(interactive=True)

Or you can also run interactive mode on the command line:

pyattck --interactive

Check out the gif example below:

Configuration

pyattck allows you to configure whether external data is stored and where it is stored.

from pyattck import Attck

attck = Attck(
    nested_techniques=True,
    use_config=False,
    save_config=False,
    config_file_path='~/pyattck/config.yml',
    data_path='~/pyattck/data',
    enterprise_attck_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_enterprise_attck_v1.json",
    pre_attck_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_pre_attck_v1.json",
    mobile_attck_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_mobile_attck_v1.json",
    ics_attck_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_ics_attck_v1.json",
    nist_controls_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_nist_controls_v1.json",
    generated_nist_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/attck_to_nist_controls.json",
    **kwargs
)

By default, pyattck now pulls the latest external data from its respective locations using HTTP GET requests. pyattck currently pulls from the following locations:

  • enterprise_attck_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_enterprise_attck_v1.json"
  • pre_attck_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_pre_attck_v1.json"
  • mobile_attck_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_mobile_attck_v1.json"
  • ics_attck_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_ics_attck_v1.json"
  • nist_controls_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_nist_controls_v1.json"
  • generated_nist_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/attck_to_nist_controls.json"

You have several options when instantiating the Attck object. As of 4.0.0 you can now specify any of the following options:

  • use_config - When you specify this argument as True pyattck will attempt to retrieve the configuration specified in the config_file_path location. If this file is corrupted or cannot be found, we will default to retrieving data from the specified *_attck_json locations.
  • save_config - When you specify this argument as True pyattck will save the configuration file to the specified location set by config_file_path. Additionally, we will save all downloaded files to the data_path location specified. If you have specified a local path location instead of a download URL for any of the *_attck_json parameters we will save this location in our configuration and reference this location going forward.
  • config_file_path - The path to store a configuration file. Default is ~/pyattck/config.yml
  • data_path - The path to store any data files downloaded to the local system. Default is ~/pyattck/data

JSON Locations

Additionally, you can specify the location for each individua
