Anthropic-Cybersecurity-Skills/skills/analyzing-threat-actor-ttps-with-mitre-attack/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

API Reference: Threat Actor TTP Analysis with MITRE ATT&CK

ATT&CK STIX Data

Download

curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json

STIX Object Types

| Type | Description |
|------|-------------|
| attack-pattern | Techniques and sub-techniques |
| intrusion-set | Threat actor groups |
| relationship | Links (group "uses" technique) |
| malware | Malware families |
| tool | Legitimate tools abused |

mitreattack-python

Installation

pip install mitreattack-python

Query Techniques

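from mitreattack.stix20 import MitreAttackData

# Load the STIX bundle downloaded above
attack = MitreAttackData("enterprise-attack.json")

# Get all techniques
techniques = attack.get_techniques()

# Get group techniques; get_groups_by_alias() returns a list of matching groups
group = attack.get_groups_by_alias("APT29")[0]
# Each result is a dict whose "object" key holds the technique
techs = attack.get_techniques_used_by_group(group.id)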

Get Technique Mitigations

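# Look up a technique by ATT&CK ID, then list its mitigations
technique = attack.get_object_by_attack_id("T1566.001", "attack-pattern")
mitigations = attack.get_mitigations_mitigating_technique(technique.id)
for m in mitigations:
    # Each result is a dict; the mitigation itself is under "object"
    print(m["object"].name, m["object"].description)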

ATT&CK Navigator Layer Format

Technique Entry

{
  "techniqueID": "T1566.001",
  "tactic": "initial-access",
  "color": "#ff6666",
  "score": 100,
  "comment": "Spearphishing Attachment",
  "enabled": true
}
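
The STIX object types and the technique entry format above fit together as follows. This is an added example, not code from the original reference or from mitreattack-python: it uses only the standard library, the function names are hypothetical, and the bundle is a constructed miniature sample (made-up object IDs, group name and the T0000 technique), not real ATT&CK data.

```python
import json

def _tech(n, tid, name, tactics, **extra):  # helper for the constructed sample only
    return {"type": "attack-pattern", "id": f"attack-pattern--{n}", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t}
                                  for t in tactics], **extra}

# Constructed sample bundle: one group, three techniques (one revoked), three "uses" links.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--1", "name": "Example Group",
     "aliases": ["Example Group", "EXAMPLE-1"]},
    _tech(1, "T1566.001", "Spearphishing Attachment", ["initial-access"]),
    _tech(2, "T1078", "Valid Accounts", ["persistence", "initial-access"]),
    _tech(3, "T0000", "Constructed revoked technique", ["execution"], revoked=True),
] + [{"type": "relationship", "id": f"relationship--{n}", "relationship_type": "uses",
      "source_ref": "intrusion-set--1", "target_ref": f"attack-pattern--{n}"}
     for n in (1, 2, 3)]}

def attack_id(obj):
    """Return the ATT&CK ID (e.g. T1566.001) from external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def group_layer_entries(bundle, alias, color="#ff6666", score=100):
    """Build Navigator technique entries for the group known by `alias`."""
    objs = {o["id"]: o for o in bundle["objects"]}
    group_ids = {o["id"] for o in bundle["objects"]
                 if o["type"] == "intrusion-set" and alias in o.get("aliases", [o["name"]])}
    entries = []
    for rel in bundle["objects"]:
        tech = objs.get(rel.get("target_ref"), {})
        tid = attack_id(tech)
        if (rel["type"] != "relationship" or rel.get("relationship_type") != "uses"
                or rel.get("source_ref") not in group_ids
                or tech.get("type") != "attack-pattern" or tid is None
                or tech.get("revoked") or tech.get("x_mitre_deprecated")):
            continue  # not a live "group uses technique" link
        # One entry per tactic: a technique may appear in several Navigator columns.
        for phase in tech.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack":
                entries.append({"techniqueID": tid, "tactic": phase["phase_name"],
                                "color": color, "score": score,
                                "comment": tech["name"], "enabled": True})
    return sorted(entries, key=lambda e: (e["techniqueID"], e["tactic"]))
```

Passing the result through json.dumps gives the list that goes under the "techniques" key of a Navigator layer; the same function works on the downloaded enterprise-attack.json once it is loaded with json.load.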

ATT&CK Tactic IDs

| Tactic | ID |
|--------|----|
| Reconnaissance | TA0043 |
| Resource Development | TA0042 |
| Initial Access | TA0001 |
| Execution | TA0002 |
| Persistence | TA0003 |
| Privilege Escalation | TA0004 |
| Defense Evasion | TA0005 |
| Credential Access | TA0006 |
| Discovery | TA0007 |
| Lateral Movement | TA0008 |
| Collection | TA0009 |
| Command and Control | TA0011 |
| Exfiltration | TA0010 |
| Impact | TA0040 |

TAXII Server Access

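from stix2 import TAXIICollectionSource, Filter
from taxii2client.v20 import Collection

# Enterprise ATT&CK collection on MITRE's TAXII 2.0 server.
# Note: MITRE retired this TAXII 2.0 server in December 2024; if the request
# fails, use the downloaded STIX bundle above instead.
collection = Collection(
    "https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/"
)
src = TAXIICollectionSource(collection)

# Fetch all threat actor groups (intrusion-set objects)
groups = src.query([Filter("type", "=", "intrusion-set")])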