
A Python package to interact with the Mitre ATT&CK Framework

pyattck

Welcome to pyattck's Documentation

    .______   ____    ____  ___   .___________.___________.  ______  __  ___
    |   _  \  \   \  /   / /   \  |           |           | /      ||  |/  /
    |  |_)  |  \   \/   / /  ^  \ `---|  |----`---|  |----`|  ,----'|  '  /
    |   ___/    \_    _/ /  /_\  \    |  |        |  |     |  |     |    <
    |  |          |  |  /  _____  \   |  |        |  |     |  `----.|  .  \
    | _|          |__| /__/     \__\  |__|        |__|      \______||__|\__\

A Python package to interact with MITRE ATT&CK Frameworks

Current Version is 7.1.1

pyattck is a light-weight framework for MITRE ATT&CK Frameworks. This package extracts details from the MITRE Enterprise, PRE-ATT&CK, Mobile, and ICS Frameworks.

Why?

pyattck assists organizations and individuals with accessing the MITRE ATT&CK Framework(s) programmatically. This means you can access all actors, malware, mitigations, tactics, techniques, and tools defined by the Enterprise, Mobile, Pre-Attck, and ICS frameworks via a command-line utility or by embedding it into your own code base.

There are many reasons why you would want to access this data in an automated (scripted/coded) way but a few examples are:

  • Generate reports with additional details about a technique (or any object defined in the framework)
  • A build pipeline of detection rules with additional MITRE ATT&CK details for categorization
  • Quickly searching for specific details about a technique without navigating a web page

pyattck provides other benefits as well, including the ability to supply additional contextual data. You can find more information about this data here, but the basics are that pyattck uses multiple open-source repositories to gather additional contextual data such as commands used to execute a technique, country and other details about a malicious actor, other variants of malware similar to a defined tool/malware, etc.

This additional context is what makes pyattck truly powerful and enables people to build more robust testing and validation of their detection rules, validates testing assumptions, etc. Truly there are countless ways that pyattck could be utilized to help blue, red, and purple teams defend organizations (and themselves).

Features

The pyattck package retrieves all Tactics, Techniques, Actors, Malware, Tools, and Mitigations from the MITRE ATT&CK Frameworks as well as any defined relationships within the MITRE ATT&CK dataset (including sub-techniques).

In addition, Techniques, Actors, and Tools (if applicable) now have collected data from third-party resources that are accessible via different properties. For more detailed information about these features, see External Datasets.

The pyattck package allows you to:

  • Specify a URL or local file path for the MITRE ATT&CK Enterprise Framework json, generated dataset, and/or a config.yml file.
  • Access data from the MITRE PRE-ATT&CK Framework
  • Access data from the MITRE Mobile ATT&CK Framework
  • Access data from the MITRE ICS ATT&CK Framework
  • Access sub-techniques as nested objects, or turn nesting off and access them as normal techniques
  • Access compliance controls (currently NIST 800-53 v5) related to a MITRE ATT&CK Technique
  • pyattck now utilizes structured data models. More information can be found at pyattck-data
  • Run an interactive console menu system to access pyattck data

Table of Contents

  1. Installation
  2. Usage Example
  3. Configuration
  4. Notes

Installation

You can install pyattck on OS X, Linux, or Windows. You can also install it directly from the source. To install, see the commands under the relevant operating system heading, below.

macOS, Linux and Windows:

pip install pyattck

Installing from source

git clone https://github.com/swimlane/pyattck.git
cd pyattck
python setup.py install

Usage example

To use pyattck you must instantiate an Attck object. Although you can interact directly with each class, the intended use is through an Attck object:

from pyattck import Attck

attack = Attck()

By default, sub-techniques are accessible under each technique object. You can turn this behavior off by passing nested_techniques=False when creating your Attck object.

The default behavior looks like this:

from pyattck import Attck

attack = Attck()

for technique in attack.enterprise.techniques:
    print(technique.id)
    print(technique.name)
    for subtechnique in technique.techniques:
        print(subtechnique.id)
        print(subtechnique.name)
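The loop above shows the nested technique/sub-technique shape; the block below is an added example (not pyattck's own code) that reproduces that shape from a constructed ATT&CK-style STIX bundle, shows both settings of the nested_techniques switch, and then uses the result for the "build pipeline of detection rules" use case listed under Why?. The bundle, the STIX ids, the rule list and the function names are all assumptions; pyattck's internal implementation is not reproduced, only the observable structure.

```python
"""Added example, not pyattck's own code: reproduce the nested technique ->
sub-technique shape shown above from a constructed ATT&CK-style STIX bundle,
then use it to enrich detection rules with ATT&CK context."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed, minimal bundle. Real ATT&CK bundles use the same object kinds
# (attack-pattern with external_references/kill_chain_phases, and
# "subtechnique-of" relationships) but carry many more fields and objects.
SAMPLE_BUNDLE = {"objects": [
    {"type": "attack-pattern", "id": "attack-pattern--sample-1",
     "name": "Command and Scripting Interpreter", "x_mitre_is_subtechnique": False,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
    {"type": "attack-pattern", "id": "attack-pattern--sample-2",
     "name": "PowerShell", "x_mitre_is_subtechnique": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
    {"type": "attack-pattern", "id": "attack-pattern--sample-3",
     "name": "Valid Accounts", "x_mitre_is_subtechnique": False,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "persistence"}]},
    {"type": "relationship", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--sample-2", "target_ref": "attack-pattern--sample-1"},
]}


@dataclass
class Technique:
    id: str
    name: str
    tactics: List[str]
    techniques: List["Technique"] = field(default_factory=list)  # nested sub-techniques


def _attack_id(obj: dict) -> Optional[str]:
    """The Txxxx id lives in the mitre-attack external reference, not in the STIX id."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def load_techniques(bundle: dict, nested_techniques: bool = True) -> List[Technique]:
    """Mirror the observable effect of pyattck's nested_techniques switch (assumed
    behaviour: nested=True returns parents carrying .techniques; nested=False
    returns a flat list in which sub-techniques are ordinary techniques)."""
    by_stix_id: Dict[str, Technique] = {}
    is_sub: Dict[str, bool] = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # revoked/deprecated entries would otherwise pollute reports
        attack_id = _attack_id(obj)
        if attack_id is None:
            continue
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        by_stix_id[obj["id"]] = Technique(attack_id, obj["name"], tactics)
        is_sub[obj["id"]] = bool(obj.get("x_mitre_is_subtechnique"))
    if not nested_techniques:
        return sorted(by_stix_id.values(), key=lambda t: t.id)
    # Attach children via the explicit relationship objects rather than by
    # splitting "T1059.001" on the dot, so the link survives id changes.
    for obj in bundle["objects"]:
        if obj.get("type") == "relationship" and obj.get("relationship_type") == "subtechnique-of":
            child, parent = by_stix_id.get(obj["source_ref"]), by_stix_id.get(obj["target_ref"])
            if child is not None and parent is not None:
                parent.techniques.append(child)
    return sorted((t for sid, t in by_stix_id.items() if not is_sub[sid]), key=lambda t: t.id)


def index_by_id(techniques: List[Technique]) -> Dict[str, Technique]:
    """Flatten the tree into an ATT&CK id -> Technique lookup."""
    index: Dict[str, Technique] = {}
    for t in techniques:
        index[t.id] = t
        index.update(index_by_id(t.techniques))
    return index


def enrich_rules(rules: List[dict], techniques: List[Technique]) -> List[dict]:
    """Add technique name and tactics to detection rules tagged with an ATT&CK id
    (the "build pipeline of detection rules" use case). Unknown ids are flagged
    rather than dropped, so a mistyped id fails a pipeline check instead of
    silently vanishing from coverage reports."""
    index = index_by_id(techniques)
    enriched = []
    for rule in rules:
        t = index.get(rule["attack_id"])
        enriched.append({**rule, "technique_name": t.name if t else None,
                         "tactics": list(t.tactics) if t else [], "known": t is not None})
    return enriched


if __name__ == "__main__":
    tree = load_techniques(SAMPLE_BUNDLE)
    for t in tree:
        print(t.id, t.name, t.tactics)
        for sub in t.techniques:
            print("   ", sub.id, sub.name)
    constructed_rules = [{"name": "Encoded PowerShell launch", "attack_id": "T1059.001"},
                         {"name": "Mistyped rule", "attack_id": "T9999"}]
    for row in enrich_rules(constructed_rules, tree):
        print(row)
```

Linking sub-techniques through the "subtechnique-of" relationship objects rather than by parsing the id string is the design choice worth copying: it is the relationship data, not the id format, that the framework guarantees.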

You can access the following main properties on your Attck object:

  • enterprise
  • preattack
  • mobile
  • ics

Once you specify the MITRE ATT&CK Framework, you can access additional properties.

Here are the accessible objects under the Enterprise property:

For more information on object types under the enterprise property, see Enterprise.

Here are the accessible objects under the PreAttck property:

For more information on object types under the preattck property, see PreAttck.

Here are the accessible objects under the Mobile property:

For more information on object types under the mobile property, see Mobile.

Here are the accessible objects under the ICS property:

For more information on object types under the ics property, see ICS.

Interactive Menu Usage

To utilize the new interactive menu system within pyattck, you must set interactive to True. By doing so, it will launch the interactive console menu system.

Using a script, you can launch this by running:

from pyattck import Attck

Attck(interactive=True)

Or you can also run interactive mode on the command line:

pyattck --interactive

Check out a gif example below:

Configuration

pyattck allows you to configure if you store external data and where it is stored.

from pyattck import Attck

kwargs = {}  # any extra keyword arguments are passed through to the Requests package for HTTP requests

attck = Attck(
    nested_techniques=True,
    use_config=False,
    save_config=False,
    config_file_path='~/pyattck/config.yml',
    data_path='~/pyattck/data',
    enterprise_attck_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_enterprise_attck_v1.json",
    pre_attck_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_pre_attck_v1.json",
    mobile_attck_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_mobile_attck_v1.json",
    ics_attck_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_ics_attck_v1.json",
    nist_controls_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_nist_controls_v1.json",
    generated_nist_json="https://swimlane-pyattck.s3.us-west-2.amazonaws.com/attck_to_nist_controls.json",
    **kwargs
)

By default, pyattck will (now) pull the latest external data from their respective locations using HTTP GET requests. pyattck currently pulls from the following locations:

You have several options when instantiating the Attck object. As of 4.0.0 you can now specify any of the following options:

  • use_config - When you specify this argument as True pyattck will attempt to retrieve the configuration specified in the config_file_path location. If this file is corrupted or cannot be found, we will default to retrieving data from the specified *_attck_json locations.
  • save_config - When you specify this argument as True pyattck will save the configuration file to the specified location set by config_file_path. Additionally, we will save all downloaded files to the data_path location specified. If you have specified a local path location instead of a download URL for any of the *_attck_json parameters we will save this location in our configuration and reference this location going forward.
  • config_file_path - The path to store a configuration file. Default is ~/pyattck/config.yml
  • data_path - The path to store any data files downloaded to the local system. Default is ~/pyattck/data

JSON Locations

Additionally, you can specify the location of each individual *_attck_json file by passing in either a URI or a local file path. If you have passed in a local file path, we will simply read from this file.

If you have used the default values or specified an alternative URI location to retrieve these JSON files from, you can additionally pass in **kwargs that will be passed along to the Requests python package when performing any HTTP requests.
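To make the use_config / save_config / data_path rules and the URI-or-local-path handling concrete, here is an added example (not pyattck's own code) that resolves a single *_attck_json source the way the configuration section describes. The function names (resolve_source, read_config, fetch_bytes), the choice to store the config as JSON on disk so the example runs without PyYAML, and the decision to record the local copy of a downloaded file in the config are all assumptions; the **kwargs pass-through to Requests follows the text above.

```python
"""Added example, not pyattck's own code: a resolver that reproduces the
documented use_config / save_config / data_path / *_attck_json behaviour for a
single data source. Names and the JSON-on-disk config format are assumptions."""
import json
import tempfile
from pathlib import Path


def _is_url(value) -> bool:
    return str(value).startswith(("http://", "https://"))


def read_config(config_file_path) -> dict:
    """Return the stored mapping, or {} when the file is missing or corrupted,
    which is the documented fallback to the caller's *_attck_json arguments."""
    try:
        data = json.loads(Path(config_file_path).expanduser().read_text())
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}


def fetch_bytes(source, **requests_kwargs) -> bytes:
    """Local path: just read it. URL: HTTP GET, with **kwargs handed to Requests
    (e.g. timeout, verify, proxies) as the configuration section describes."""
    if not _is_url(source):
        return Path(source).expanduser().read_bytes()
    import requests  # imported lazily so the local-file branch works offline
    response = requests.get(source, **requests_kwargs)
    response.raise_for_status()
    return response.content


def resolve_source(name, source, *, use_config=False, save_config=False,
                   config_file_path="~/pyattck/config.yml", data_path="~/pyattck/data",
                   **requests_kwargs) -> Path:
    """Return the local file that backs `name` (e.g. 'enterprise_attck_json')."""
    cfg = read_config(config_file_path) if use_config else {}
    chosen = cfg.get(name, source)  # a readable config wins over the argument
    if _is_url(chosen):
        local = Path(data_path).expanduser() / f"{name}.json"
        local.parent.mkdir(parents=True, exist_ok=True)
        raw = fetch_bytes(chosen, **requests_kwargs)
        json.loads(raw)  # refuse to cache a truncated or non-JSON response
        local.write_bytes(raw)
    else:
        local = Path(chosen).expanduser()
        json.loads(local.read_bytes())  # OSError/ValueError if missing or not JSON
    if save_config:
        cfg_path = Path(config_file_path).expanduser()
        cfg_path.parent.mkdir(parents=True, exist_ok=True)
        stored = read_config(cfg_path)
        stored[name] = str(local)  # assumption: the local copy is referenced going forward
        cfg_path.write_text(json.dumps(stored, indent=2))
    return local


def demo() -> dict:
    """Walk through the behaviour in a temp directory with a constructed bundle."""
    base = Path(tempfile.mkdtemp(prefix="pyattck-demo-"))
    bundle = base / "enterprise.json"
    bundle.write_text(json.dumps({"objects": []}))  # constructed, empty bundle
    cfg = base / "config.yml"
    first = resolve_source("enterprise_attck_json", str(bundle),
                           save_config=True, config_file_path=cfg, data_path=base / "data")
    stored_before = read_config(cfg)
    # Second run: use_config=True, so the URL argument is never fetched.
    second = resolve_source("enterprise_attck_json", "https://example.invalid/never.json",
                            use_config=True, config_file_path=cfg)
    cfg.write_text("{ this is not valid")  # corrupt the config on purpose
    return {"first": str(first), "second": str(second), "bundle": str(bundle),
            "stored_before": stored_before, "stored_after_corruption": read_config(cfg)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The json.loads check before writing to data_path is the practitioner's caveat here: a partial download or an HTML error page cached as a data file would otherwise be reused silently on every later run with use_config=True.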

Note

We understand that there are many different open-source projects being released, even on a daily basis, but we wanted to provide a straightforward Python package that allowed the user to identify known relationships between all verticals of the MITRE ATT&CK Framework.

If you are unfamiliar with the MITRE ATT&CK Framework, there are a few key components to make sure you have a firm grasp of. The first is Tactics & Techniques. When looking at the MITRE ATT&CK Framework, the Tactics are the columns and represent the different phases of an attack.

The MITRE ATT&CK Framework is NOT an all-encompassing/de facto security coverage map - it is rather a FRAMEWORK, and additional avenues should also be considered when assessing your security posture.

Techniques are the rows of the framework and are categorized underneath specific Tactics (columns). They are data points within the framework that provide guidance when assessing your security gaps. Additionally, (most) Techniques contain mitigation guidance in addition to information about their relationship to tools, malware, and even actors/groups that have used the technique during recorded attacks.

This means that if your organization is focused on TTPs (Tactics, Techniques and Procedures) used by certain actors/groups, then the MITRE ATT&CK Framework is perfect for you. If you are not at this security maturity within your organization, no worries! The ATT&CK Framework still provides really good guidance in a simple and straightforward layout, but programmatically it is not straightforward, especially if you want to measure (or map) your security controls using the framework.

Developing and Testing

You can add features, fix bugs, or run the code in a development environment.

  1. To get a development and testing environment up and running, use this Dockerfile.

  2. To use the Dockerfile, cd to this repository directory and run:

docker build --force-rm -t pyattck .

  3. Next, run the docker container:

docker run pyattck

Running this calls the test python file in bin/test.py.

  4. Modify the test python file for additional testing and development.

Running the tests

Tests within this project should cover all available properties and methods. As this project grows the tests will become more robust but for now we are testing that they exist and return outputs.

Contributing

Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.

Versioning

We use SemVer for versioning.

Change Log

For details on features for a specific version of pyattck, see the CHANGELOG.md.

Authors

See also the list of contributors.

License

This project is licensed under the MIT License.

Acknowledgments

First of all, I would like to thank everyone who contributes to open-source projects, especially the maintainers and creators of these projects. Without them, this capability would not be possible.

This data set is generated from many different sources. As we continue to add more sources, we will continue to add them here. Again thank you to all of these projects. In no particular order, pyattck utilizes data from the following projects:

.. toctree::
   :titlesonly:

   configuration
   pyattck/attck
   Dataset <https://github.com/swimlane/pyattck-data>
   Data Models <https://github.com/swimlane/pyattck-data>
   enterprise/enterprise
   preattck/preattck
   mobile/mobileattck
   ics/icsattck
