Skip to content

Instantly share code, notes, and snippets.

@thomaspatzke
Created December 17, 2019 00:10
Show Gist options
  • Save thomaspatzke/ec6d00bbd001be73a4f4576ff90ff7e2 to your computer and use it in GitHub Desktop.
Save thomaspatzke/ec6d00bbd001be73a4f4576ff90ff7e2 to your computer and use it in GitHub Desktop.
MITRE ATT&CK oneliners
# Requires: curl, jq
# Download MITRE ATT&CK data from GitHub repository
curl -o enterprise-attack.json https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
# List all ATT&CK object types
jq -r '[ .objects[].type ] | unique | .[]' enterprise-attack.json
# List all ATT&CK technique identifiers
jq -r '[ .objects[] | select(.type == "attack-pattern") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json
# List all software identifiers
jq -r '[ .objects[] | select(.type == "tool" or .type == "malware") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json
# List all attacker group identifiers
jq -r '[ .objects[] | select(.type == "intrusion-set") | .external_references[] | select(.source_name == "mitre-attack") | .external_id ] | sort | .[]' enterprise-attack.json
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment