Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
MITRE ATT&CK oneliners
# Requires: curl, jq
# Download MITRE ATT&CK data from GitHub repository
curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
# List all ATT&CK object types
jq -r '[ .objects[].type ] | unique | .[]' enterprise-attack.json
# List all ATT&CK technique identifiers
jq -r '[ .objects[] | select(.type == "attack-pattern") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json
# List all software identifiers
jq -r '[ .objects[] | select(.type == "tool" or .type == "malware") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json
# List all attacker group identifiers
jq -r '[ .objects[] | select(.type == "intrusion-set") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.