STIX data representing MITRE ATT&CK

ATT&CK® STIX Data

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

This repository contains the MITRE ATT&CK dataset represented in STIX 2.1 JSON collections. If you are looking for STIX 2.0 JSON representing ATT&CK, please see our MITRE/CTI GitHub repository which contains the same dataset but in STIX 2.0 and without the collections features provided on this repository.

Repository Structure

.
├─ enterprise-attack ∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙ [1] Collection folder for Enterprise
│   ├─ enterprise-attack.json ∙∙∙∙∙∙∙∙∙∙∙∙∙∙ [2] Most recent Enterprise release
│   ├─ enterprise-attack-9.0.json ∙∙∙∙∙∙∙∙∙∙ [3] Enterprise ATT&CK v9.0 collection
│   └─ [other releases of Enterprise ATT&CK]
├─ mobile-attack
│   └─ [Mobile ATT&CK releases]
├─ ics-attack
│   └─ [ATT&CK for ICS releases]
├─ index.json ∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙ [4] Collection index JSON
└─ index.md ∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙∙ [5] Collection index markdown

[1] Each domain of ATT&CK (Enterprise, Mobile and ICS) is represented as a series of STIX 2.1 collection bundles representing the individual releases of the dataset, organized within the collection folders.

[2] Each domain includes a STIX 2.1 collection bundle without version markings which will always match the most recent release of the dataset.

[3] Each STIX bundle in the collection folders represents a specific release of the collection. Learn more in our collections document.

[4] The collection index JSON lists the contents of this repository in a machine-readable format. Learn more in our collections document.

[5] The collection index markdown lists the contents of this repository in a human-readable format.

Supporting Documentation

STIX

Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI).

STIX enables organizations to share CTI with one another in a consistent and machine-readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively.

STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.

Collections

Collections are sets of related ATT&CK objects, and may be used to represent specific releases of a dataset such as “Enterprise ATT&CK v9.0” or any other set of objects one may want to share with someone else.

Each ATT&CK release on this repository is itself a collection. A full list of collections on this repository can be found in index.md.

Collection Indexes

Collection indexes are organized lists of collections intended to ease their distribution to data consumers. Collection indexes track individual releases of given collections (e.g. Enterprise v7, Enterprise v8, Enterprise v9) and allow applications such as the ATT&CK Workbench to check whether new releases have been published. Collection indexes are represented as JSON objects.

The ATT&CK collection index for the contents of this repository is index.json, with a human-readable representation available in index.md.
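The release check described above, as an added example that is not code from this repository or from the ATT&CK Workbench: a standard-library Python script that reads a collection index, finds the newest release of a named collection and reports whether it is newer than the release a consumer already holds. The field names it reads (collections, name, versions, version, modified, url) are an assumption about the collection index layout and should be confirmed against the real index.json; the sample index, its dates and its URLs are constructed. The one failure mode worth noticing is that release labels must be compared numerically, since as text "9.0" sorts after "10.0".

```python
"""Check an ATT&CK-style collection index for a release newer than the one you hold.

Added example with the standard library only; not code from this repository or
the ATT&CK Workbench. Field names are an assumption about the collection index
layout and must be checked against the real index.json.
"""
import json

# Constructed sample index. Shape assumed, every value invented for illustration.
SAMPLE_INDEX_JSON = """
{
  "name": "Constructed sample index",
  "collections": [
    {
      "name": "Enterprise ATT&CK",
      "versions": [
        {"version": "9.0",  "modified": "2021-01-01T00:00:00.000Z",
         "url": "https://example.invalid/enterprise-attack/enterprise-attack-9.0.json"},
        {"version": "10.0", "modified": "2021-06-01T00:00:00.000Z",
         "url": "https://example.invalid/enterprise-attack/enterprise-attack-10.0.json"},
        {"version": "8.2",  "modified": "2020-06-01T00:00:00.000Z",
         "url": "https://example.invalid/enterprise-attack/enterprise-attack-8.2.json"}
      ]
    },
    {
      "name": "Mobile ATT&CK",
      "versions": [
        {"version": "9.0", "modified": "2021-01-01T00:00:00.000Z",
         "url": "https://example.invalid/mobile-attack/mobile-attack-9.0.json"}
      ]
    }
  ]
}
"""


def load_index(text: str) -> dict:
    """Parse a collection index document and verify the part this script relies on."""
    index = json.loads(text)
    if not isinstance(index.get("collections"), list):
        raise ValueError("index has no 'collections' list")
    return index


def parse_version(version: str) -> tuple:
    """Turn "10.1" into a tuple that sorts numerically.

    Comparing release labels as text is the classic trap: "9.0" > "10.0" as
    strings. Numeric pieces become ints; anything else is kept as a string and
    tagged so mixed labels still order deterministically.
    """
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def latest_release(index: dict, collection_name: str) -> dict:
    """Return the version entry with the highest version for the named collection.

    The versions list is not assumed to be sorted, so the maximum is computed.
    """
    for collection in index["collections"]:
        if collection.get("name") == collection_name:
            versions = collection.get("versions") or []
            if not versions:
                raise ValueError(f"collection {collection_name!r} lists no versions")
            return max(versions, key=lambda v: parse_version(v["version"]))
    raise KeyError(f"collection {collection_name!r} not present in index")


def newer_release_available(index: dict, collection_name: str, installed: str) -> bool:
    """True when the index advertises a release newer than the installed version."""
    latest = latest_release(index, collection_name)
    return parse_version(latest["version"]) > parse_version(installed)


if __name__ == "__main__":
    index = load_index(SAMPLE_INDEX_JSON)
    for name, installed in (("Enterprise ATT&CK", "9.0"), ("Mobile ATT&CK", "9.0")):
        latest = latest_release(index, name)
        status = "update available" if newer_release_available(index, name, installed) else "up to date"
        print(f"{name}: installed {installed}, latest {latest['version']} ({status}) -> {latest['url']}")
```

In a real deployment the index text would come from a fetch of index.json rather than the embedded constant, and the URL of the winning version entry is what you would download next; the comparison logic stays the same.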

Usage

The Usage document includes documentation of the ATT&CK data model as well as code examples for accessing and querying this content with cti-python-stix2. Additional information and tooling for maintaining the data in this repository is available in the util folder.
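The Usage document covers querying with cti-python-stix2; as an added example that is not code from this repository or from that library, the following standard-library Python walks a STIX 2.1 bundle in the same shape as the collection files here. It lists live techniques, follows a revoked technique to its replacement, and maps techniques to their mitigations while skipping revoked or deprecated objects and relationships whose endpoints are not in the bundle. The bundle is constructed: every id, name and T/M number is an invented placeholder, not real ATT&CK content. The field names it reads (external_references with source_name "mitre-attack", revoked, x_mitre_deprecated, source_ref/target_ref, relationship types "mitigates" and "revoked-by") are those of the ATT&CK data model.

```python
"""Query an ATT&CK STIX 2.1 bundle with the standard library only.
Added example, not code from this repository or from cti-python-stix2. The bundle
is constructed: every id, name and T/M number is an invented placeholder. Field
names (external_references/source_name "mitre-attack", revoked, x_mitre_deprecated,
source_ref/target_ref, "mitigates", "revoked-by") follow the ATT&CK data model."""
import json

def _sdo(kind, n, name, ext_id, **extra):
    """Minimal STIX 2.1 domain object carrying an ATT&CK external reference."""
    return {"type": kind, "spec_version": "2.1", "name": name,
            "id": f"{kind}--00000000-0000-4000-8000-{n:012d}",
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
            **extra}

def _rel(n, rel_type, src_id, dst_id, **extra):
    """Minimal STIX 2.1 relationship object."""
    return {"type": "relationship", "spec_version": "2.1",
            "id": f"relationship--00000000-0000-4000-8000-{n:012d}",
            "relationship_type": rel_type, "source_ref": src_id, "target_ref": dst_id, **extra}

TECH_A = _sdo("attack-pattern", 1, "Placeholder Technique A", "T9001")
TECH_B = _sdo("attack-pattern", 2, "Placeholder Technique B", "T9002", revoked=True)
TECH_C = _sdo("attack-pattern", 3, "Placeholder Technique C", "T9003", x_mitre_deprecated=True)
MITIG_M = _sdo("course-of-action", 10, "Placeholder Mitigation M", "M9001")
GHOST_ID = "attack-pattern--00000000-0000-4000-8000-000000000099"  # deliberately not in the bundle

SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000100",
    "objects": [
        TECH_A, TECH_B, TECH_C, MITIG_M,
        _rel(20, "mitigates", MITIG_M["id"], TECH_A["id"]),
        _rel(21, "revoked-by", TECH_B["id"], TECH_A["id"]),  # B was folded into A
        _rel(22, "mitigates", MITIG_M["id"], TECH_C["id"]),  # target is deprecated
        _rel(23, "mitigates", MITIG_M["id"], GHOST_ID),      # dangling target_ref
    ]})

def load_bundle(text):
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX bundle")
    return bundle

def attack_id(obj):
    """ATT&CK id (T..., M..., ...) from the mitre-attack external reference, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def is_active(obj):
    """Revoked and deprecated objects stay in the bundle; they must be filtered explicitly."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)

def by_id(bundle):
    return {o["id"]: o for o in bundle["objects"] if "id" in o}

def active_techniques(bundle):
    """Map ATT&CK id -> name for every live attack-pattern in the bundle."""
    return {attack_id(o): o["name"] for o in bundle["objects"]
            if o.get("type") == "attack-pattern" and is_active(o)}

def replacement_for(bundle, tech_id):
    """Follow the revoked-by relationship from a revoked technique to its successor."""
    objects = by_id(bundle)
    old = next((o for o in bundle["objects"] if attack_id(o) == tech_id), None)
    if old is None or not old.get("revoked", False):
        return None
    for rel in bundle["objects"]:
        if (rel.get("type") == "relationship" and rel.get("relationship_type") == "revoked-by"
                and rel.get("source_ref") == old["id"]):
            new = objects.get(rel.get("target_ref"))
            if new is not None:
                return attack_id(new)
    return None

def mitigations_for(bundle):
    """Map active technique id -> sorted mitigation names, skipping dead or dangling links."""
    objects = by_id(bundle)
    result = {}
    for rel in bundle["objects"]:
        if rel.get("type") != "relationship" or rel.get("relationship_type") != "mitigates":
            continue
        src, dst = objects.get(rel.get("source_ref")), objects.get(rel.get("target_ref"))
        if src is None or dst is None:
            continue  # reference to an object that is not in this bundle
        if src.get("type") != "course-of-action" or dst.get("type") != "attack-pattern":
            continue
        if not (is_active(rel) and is_active(src) and is_active(dst)):
            continue
        result.setdefault(attack_id(dst), []).append(src["name"])
    return {k: sorted(v) for k, v in result.items()}

if __name__ == "__main__":
    bundle = load_bundle(SAMPLE_BUNDLE_JSON)
    print("active techniques:", active_techniques(bundle))
    print("T9002 replaced by:", replacement_for(bundle, "T9002"))
    print("mitigations:", mitigations_for(bundle))
```

Against a real collection file, replace SAMPLE_BUNDLE_JSON with the contents of, for example, enterprise-attack/enterprise-attack.json; the filtering matters because revoked and deprecated objects are retained in the bundles, so a naive count of attack-pattern objects overstates the live technique set and a naive relationship join attributes mitigations to techniques that no longer exist.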

Notice

Copyright 2020-2021 The MITRE Corporation. Approved for public release. Case number 19-3504.

This project makes use of ATT&CK®

ATT&CK Terms of Use
