The MITRE ATT&CK JSON file is a flat JSON structure, which makes it awkward to parse. There are several different approaches to parsing it, but the `type` key is the, well, key!
The types within this JSON are the following (with the common name used for each type):
- attack-pattern (Techniques)
- relationship (This is a unique type that contains relationships between types)
- course-of-action (Mitigations)
- identity (unused)
- intrusion-set (Actors or Groups)
- malware (Malware)
- tool (Tools)
- x-mitre-tactic (Tactics)
- x-mitre-matrix (MITRE ATT&CK matrix) (unused)
- marking-definition (unused)
An example of getting all techniques in PowerShell:

```powershell
$test = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json'
# Keep only the objects whose type is attack-pattern (techniques)
$test.objects | Where-Object { $_.type -eq 'attack-pattern' }
```
An example of getting all techniques in Python:

```python
import requests

response = requests.get('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').json()
for item in response['objects']:
    if 'type' in item:
        # Techniques are the objects of type attack-pattern
        if item['type'] == 'attack-pattern':
            print(item)
```
Relationship objects are the tricky ones: they give you access to which techniques an actor uses or which tools belong to a specific technique.
The main thing to understand about the relationship type is that each of these objects has a source_ref key and a target_ref key. The values of these two keys match the id field of the other types (e.g. actors, techniques, etc.).
So my approach, which was also suggested by @IISResetMe, was the following:
- Get all objects of type relationship.
- Add the source_ref and target_ref values to a list/array if they are not already in it.
- Use this list when you want to check whether an object has a known relationship mapped within ATT&CK.
In Python:

```python
import requests

response = requests.get('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').json()
# Map each object id to the ids it is related to, recorded in both directions
relationship_list = {}
for item in response['objects']:
    if 'type' in item:
        if item['type'] == 'relationship':
            source_id = item['source_ref']
            target_id = item['target_ref']
            if source_id not in relationship_list:
                relationship_list[source_id] = []
            relationship_list[source_id].append(target_id)
            if target_id not in relationship_list:
                relationship_list[target_id] = []
            relationship_list[target_id].append(source_id)
print(relationship_list)
```
In PowerShell:

```powershell
$ATTCKJSON = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json'
# Hashtable mapping each object id to the ids it is related to, in both directions
$relationshipObj = @{}
$ATTCKJSON.objects.Where{ $_.type -eq 'relationship' }.ForEach{
    $sourceID = $_.source_ref
    $targetID = $_.target_ref
    if (-not $relationshipObj.ContainsKey($sourceID)) {
        $relationshipObj[$sourceID] = @()
    }
    $relationshipObj[$sourceID] += $targetID
    if (-not $relationshipObj.ContainsKey($targetID)) {
        $relationshipObj[$targetID] = @()
    }
    $relationshipObj[$targetID] += $sourceID
}
# Output the hashtable itself (Write-Host would only print its type name)
$relationshipObj
```
```python
import requests

response = requests.get('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').json()
single_technique = None
return_list = []
item_dict = {}
relationship_list = {}  # built the same way as in the previous snippet
for item in response['objects']:
    if 'type' in item:
        # Getting a specific technique with 'powershell' in the name attribute
        # (case-insensitive; if several names match, the last one wins)
        if item['type'] == 'attack-pattern':
            if 'powershell' in item['name'].lower():
                single_technique = item
        # Getting all actor items/objects, keyed by id
        if item['type'] == 'intrusion-set':
            item_dict[item['id']] = item
        # Record the relationship in both directions
        if item['type'] == 'relationship':
            relationship_list.setdefault(item['source_ref'], []).append(item['target_ref'])
            relationship_list.setdefault(item['target_ref'], []).append(item['source_ref'])
# This is not normally how I would approach this, but it's demo time.
# Now let's find our single_technique ID value in our list of actors
if single_technique is not None:
    for related_id in relationship_list.get(single_technique['id'], []):
        if related_id in item_dict:
            return_list.append(item_dict[related_id])
print(return_list)
```
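As an added example (not code from the original post), the relationship-map approach and the "actors using a technique" lookup above combined into two reusable functions over a constructed sample bundle: the index is keyed by relationship_type as well as id, so "uses" and "mitigates" links are not mixed together, and lookups skip revoked objects and refs that do not resolve to anything in the bundle. relationship_type and revoked are standard STIX fields present in the ATT&CK file; the ids and names below are placeholders.

```python
# Added example, not from the original post: index ATT&CK relationships by
# relationship_type, then resolve them while skipping revoked objects and
# dangling refs. The bundle is constructed sample data shaped like
# enterprise-attack.json (ids are placeholders, not real ATT&CK ids).
from collections import defaultdict

SAMPLE_BUNDLE = {"objects": [
    {"type": "attack-pattern", "id": "attack-pattern--aaaa", "name": "PowerShell"},
    {"type": "attack-pattern", "id": "attack-pattern--bbbb", "name": "Old Technique",
     "revoked": True},
    {"type": "intrusion-set", "id": "intrusion-set--1111", "name": "Sample Group A"},
    {"type": "intrusion-set", "id": "intrusion-set--2222", "name": "Sample Group B"},
    {"type": "course-of-action", "id": "course-of-action--9999", "name": "Sample Mitigation"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--1111", "target_ref": "attack-pattern--aaaa"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--2222", "target_ref": "attack-pattern--bbbb"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--9999", "target_ref": "attack-pattern--aaaa"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--1111", "target_ref": "malware--missing"},
]}


def index_bundle(bundle):
    """Return (objects_by_id, edges); edges[(id, relationship_type)] lists the ids
    on the other end, recorded in both directions so either side can be queried."""
    objects_by_id = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    edges = defaultdict(list)
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            edges[(o["source_ref"], o["relationship_type"])].append(o["target_ref"])
            edges[(o["target_ref"], o["relationship_type"])].append(o["source_ref"])
    return objects_by_id, edges


def related(bundle, obj_id, rel_type, wanted_type):
    """Names of wanted_type objects linked to obj_id by rel_type. Revoked objects
    and refs that do not resolve to an object in the bundle are skipped."""
    objects_by_id, edges = index_bundle(bundle)
    names = []
    for ref in edges.get((obj_id, rel_type), []):
        obj = objects_by_id.get(ref)
        if obj is not None and obj["type"] == wanted_type and not obj.get("revoked"):
            names.append(obj["name"])
    return names
```

To run it against the real file, pass the parsed enterprise-attack.json in place of SAMPLE_BUNDLE.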
I know this can seem complex, but if you have any questions let me know. :)