Last active
April 28, 2022 21:44
-
-
Save vysecurity/0a1da5b070e121c85ace3be9a30aa5c0 to your computer and use it in GitHub Desktop.
Get MITRE ATT&CK Framework Techniques by Group in CSV
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from stix2 import FileSystemSource | |
| from stix2 import Filter | |
| from stix2.utils import get_type_from_id | |
| fs = FileSystemSource('./enterprise-attack') | |
| def get_group_by_alias(src): | |
| return src.query([ | |
| Filter('type', '=', 'intrusion-set'), | |
| ]) | |
| def get_techniques_by_group_software(src, group_stix_id): | |
| # get the malware, tools that the group uses | |
| group_uses = [ | |
| r for r in src.relationships(group_stix_id, 'uses', source_only=True) | |
| if get_type_from_id(r.target_ref) in ['malware', 'tool'] | |
| ] | |
| # get the technique stix ids that the malware, tools use | |
| software_uses = src.query([ | |
| Filter('type', '=', 'relationship'), | |
| Filter('relationship_type', '=', 'uses'), | |
| Filter('source_ref', 'in', [r.source_ref for r in group_uses]) | |
| ]) | |
| #get the techniques themselves | |
| return src.query([ | |
| Filter('type', '=', 'attack-pattern'), | |
| Filter('id', 'in', [r.target_ref for r in software_uses]) | |
| ]) | |
| groups = get_group_by_alias(fs) | |
| for group in groups: | |
| techniques = get_techniques_by_group_software(fs, group) | |
| for technique in techniques: | |
| print group['name'] + "," + technique['name'] | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment