thomaspatzke · December 17, 2019 00:10
diff --git a/mitre_attack_oneliners.sh b/mitre_attack_oneliners.sh
 # Requires: curl, jq

 # Download MITRE ATT&CK data from GitHub repository
 curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json

 # List all ATT&CK object types
 jq -r '[ .objects[].type ] | unique | .[]' enterprise-attack.json

 # List all ATT&CK technique identifiers
 jq -r '[ .objects[] | select(.type == "attack-pattern") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json

 # List all software identifiers
 jq -r '[ .objects[] | select(.type == "tool" or .type == "malware") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json

 # List all attacker group identifiers
 jq -r '[ .objects[] | select(.type == "intrusion-set") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json
	# Requires: curl, jq

	# Download MITRE ATT&CK data from GitHub repository
	curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json

	# List all ATT&CK object types
	jq -r '[ .objects[].type ] \| unique \| .[]' enterprise-attack.json

	# List all ATT&CK technique identifiers
	jq -r '[ .objects[] \| select(.type == "attack-pattern") \| .external_references[] \| select(.source_name == "mitre-attack") \| .external_id ] \| sort \| .[]' enterprise-attack.json

	# List all software identifiers
	jq -r '[ .objects[] \| select(.type == "tool" or .type == "malware") \| .external_references[] \| select(.source_name == "mitre-attack") \| .external_id ] \| sort \| .[]' enterprise-attack.json

	# List all attacker group identifiers
	jq -r '[ .objects[] \| select(.type == "intrusion-set") \| .external_references[] \| select(.source_name == "mitre-attack") \| .external_id ] \| sort \| .[]' enterprise-attack.json