ATTACKDomain

The ATTACKDomain object provides a simple interface for loading and interacting with a single domain within the ATT&CK framework.

Initialization

We provide two methods of loading the ATTACKDomain object: from a local repository through load(), or by downloading the ATT&CK data from a remote repository using download(). The recommended way of initializing an ATTACKDomain object is through load(), as this ensures that your project works with a consistent version of the MITRE ATT&CK framework and avoids repeatedly downloading the CTI sources. Note that the download() URL in the example below points at the master branch of the mitre/cti repository, whose contents change with every ATT&CK release (techniques get added, revoked or deprecated), so results obtained through download() are not reproducible over time. If you do download, pin a specific commit or tagged release of that repository and store the resulting JSON alongside your project so that later runs load() the same file.

Example

# Import ATT&CK
from py_attack import ATTACKDomain

# Load from local repository - recommended
domain = ATTACKDomain.load(
    path   = "path/to/local/cti/enterprise-attack/enterprise-attack.json",
    domain = 'enterprise',
)

# Download from online source
domain = ATTACKDomain.download(
    url    = "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json",
    domain = 'enterprise',
)

Getters

You can retrieve a specific MITRE ATT&CK concept either by its ATT&CK identifier (e.g. T1087; see format) or by its STIX UUID, using the domain's getters. Both forms of lookup are shown below.

Example

# Import ATT&CK
from py_attack import ATTACKDomain

# Load from local repository - recommended
domain = ATTACKDomain.load(
    path   = "path/to/local/cti/enterprise-attack/enterprise-attack.json",
    domain = 'enterprise',
)

# Get technique using ID T1087
technique = domain['T1087']
technique = domain.get('T1087')

Iterators

Rather than retrieving a concept via one of the getter methods, you can also iterate over the various concepts. A domain within the MITRE ATT&CK framework consists of the following concepts: matrices, tactics, techniques, sub_techniques, groups, software, procedures, relationships and mitigations. All of these are accessible via the following iterator properties:

Example

# Import ATT&CK
from py_attack import ATTACKDomain

# Load from local repository - recommended
domain = ATTACKDomain.load(
    path   = "path/to/local/cti/enterprise-attack/enterprise-attack.json",
    domain = 'enterprise',
)

# Iterate over different concepts
for concept in domain.concepts:
    ...
for matrix in domain.matrices:
    ...
for tactic in domain.tactics:
    ...
for technique in domain.techniques:
    ...
for sub_technique in domain.sub_techniques:
    ...
for group in domain.groups:
    ...
for software in domain.software:
    ...
for procedure in domain.procedures:
    ...
for relationship in domain.relationships:
    ...
for mitigation in domain.mitigations:
    ...

Graph

All concepts within the ATTACKDomain have defined relations between them. E.g., groups use techniques to achieve tactics using specific software. These concepts and relations can therefore be modeled in a graph provided by the graph property.

Because all these concepts are related, we provide a method to find concepts that are (in)directly related to a given concept:

Example

# Import ATT&CK
from py_attack import ATTACKDomain

# Load from local repository - recommended
domain = ATTACKDomain.load(
    path   = "path/to/local/cti/enterprise-attack/enterprise-attack.json",
    domain = 'enterprise',
)

# Get domain graph
graph = domain.graph

# Get concepts related to given ID T1087
related = domain.related_concepts('T1087')
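To see what the getters, the iterators and related_concepts() actually compute over the CTI JSON, here is an added example that is not py_attack's own code: a small stand-in class over a constructed STIX 2 bundle. It indexes objects by ATT&CK ID and by STIX UUID the way the real bundle encodes them (the ATT&CK ID sits in an external_references entry with source_name "mitre-attack"), skips revoked and deprecated objects so that retired IDs never resolve, and walks relationship objects plus technique-to-tactic kill-chain phases to find directly (depth=1) and indirectly related concepts. MiniDomain, build_sample_bundle, the depth parameter and every UUID in the bundle are assumptions of this example, not the library's API or data.

```python
# Added example (not py_attack's own code): a minimal stand-in showing what ATTACKDomain's
# getters, iterators and related_concepts() compute over a STIX 2 bundle built inline (fake UUIDs).
from collections import deque


def stix_obj(stix_type, attack_id, name, n, **extra):
    """One STIX object as mitre/cti lays it out: the ATT&CK ID sits in external_references."""
    return {
        "type": stix_type,
        "id": f"{stix_type}--00000000-0000-4000-8000-{n:012d}",  # fake, constructed UUID
        "name": name,
        "external_references": [{"source_name": "mitre-attack", "external_id": attack_id}],
        **extra,
    }


def build_sample_bundle():
    """Constructed sample bundle, not real ATT&CK data (only IDs and names are borrowed)."""
    disc = [{"kill_chain_name": "mitre-attack", "phase_name": "discovery"}]
    ta = stix_obj("x-mitre-tactic", "TA0007", "Discovery", 1, x_mitre_shortname="discovery")
    t = stix_obj("attack-pattern", "T1087", "Account Discovery", 2, kill_chain_phases=disc)
    sub = stix_obj("attack-pattern", "T1087.001", "Local Account", 3,
                   kill_chain_phases=disc, x_mitre_is_subtechnique=True)
    other = stix_obj("attack-pattern", "T1059", "Command and Scripting Interpreter", 4)
    grp = stix_obj("intrusion-set", "G0016", "APT29", 5)
    tool = stix_obj("tool", "S0002", "Mimikatz", 6)
    mit = stix_obj("course-of-action", "M1036", "Account Use Policies", 7)
    old = stix_obj("attack-pattern", "T9999", "Retired", 8, revoked=True)  # must never resolve
    rels = [("subtechnique-of", sub, t), ("uses", grp, sub), ("uses", grp, tool), ("mitigates", mit, t)]
    objects = [ta, t, sub, other, grp, tool, mit, old] + [
        {"type": "relationship", "id": f"relationship--00000000-0000-4000-8000-{9 + i:012d}",
         "relationship_type": kind, "source_ref": s["id"], "target_ref": d["id"]}
        for i, (kind, s, d) in enumerate(rels)]
    return {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": objects}


class MiniDomain:
    """Index a bundle by ATT&CK ID and STIX UUID; expose iterators and a relation graph."""

    def __init__(self, bundle):
        # Revoked/deprecated objects stay in the file but must not resolve or link.
        self.objects = [o for o in bundle["objects"]
                        if not o.get("revoked") and not o.get("x_mitre_deprecated")]
        self.by_uuid = {o["id"]: o for o in self.objects}
        self.by_id = {aid: o for o in self.objects if (aid := self.attack_id(o))}
        self.graph = self._build_graph()

    @staticmethod
    def attack_id(obj):
        return next((r["external_id"] for r in obj.get("external_references", [])
                     if r.get("source_name") == "mitre-attack" and "external_id" in r), None)

    def get(self, key, default=None):
        """Accept an ATT&CK ID ('T1087') or a STIX UUID ('attack-pattern--...')."""
        return self.by_id.get(key) or self.by_uuid.get(key, default)

    def __getitem__(self, key):
        if (obj := self.get(key)) is None:
            raise KeyError(key)
        return obj

    def _of_type(self, *types):
        return [o for o in self.objects if o["type"] in types]

    tactics = property(lambda s: s._of_type("x-mitre-tactic"))
    techniques = property(lambda s: [o for o in s._of_type("attack-pattern")
                                     if not o.get("x_mitre_is_subtechnique")])
    sub_techniques = property(lambda s: [o for o in s._of_type("attack-pattern")
                                         if o.get("x_mitre_is_subtechnique")])
    groups = property(lambda s: s._of_type("intrusion-set"))
    software = property(lambda s: s._of_type("malware", "tool"))
    mitigations = property(lambda s: s._of_type("course-of-action"))
    relationships = property(lambda s: s._of_type("relationship"))

    def _build_graph(self):
        """Undirected adjacency: relationship objects plus technique-tactic kill-chain links."""
        tactic_of = {t["x_mitre_shortname"]: t["id"] for t in self.tactics}
        pairs = [(r["source_ref"], r["target_ref"]) for r in self.relationships]
        pairs += [(tech["id"], tactic_of.get(p["phase_name"])) for tech in self._of_type("attack-pattern")
                  for p in tech.get("kill_chain_phases", []) if p.get("kill_chain_name") == "mitre-attack"]
        graph = {o["id"]: set() for o in self.objects if o["type"] != "relationship"}
        for a, b in pairs:
            if a in graph and b in graph:  # drop edges to revoked or unknown objects
                graph[a].add(b)
                graph[b].add(a)
        return graph

    def related_concepts(self, key, depth=None):
        """BFS from key: depth=1 gives direct relations, depth=None the whole component."""
        start = self[key]["id"]
        seen, frontier = {start}, deque([(start, 0)])
        while frontier:
            node, d = frontier.popleft()
            if depth is not None and d >= depth:
                continue
            for nxt in self.graph[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append((nxt, d + 1))
        return {self.attack_id(self.by_uuid[u]) for u in seen if u != start}
```

With the sample bundle, MiniDomain(build_sample_bundle()).related_concepts("T1087", depth=1) returns the sub-technique, the mitigation and the tactic, while the unbounded call also reaches the group that uses the sub-technique and the tool that group uses; the revoked T9999 is neither retrievable nor reachable, which is the behaviour to check for in any ATT&CK tooling before trusting a mapping built from an older bundle.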