MITRE ATT&CK Lookup Tool
attack-lookup is a tool that lets you easily check what Tactic, Technique, or Sub-technique ID maps to what name, and vice versa. It can be used interactively, for batch processing, or in your own tooling.
Installation
attack-lookup can be installed from PyPi:
$ pip install attack-lookup
It can also be installed manually:
$ git clone https://github.com/curated-intel/attack-lookup.git
$ cd attack-lookup
$ python setup.py install --user
Usage
$ attack-lookup --help
usage: attack-lookup [-h] [-v VERSION] [-m {enterprise,ics,mobile}] [-O] [-i INPUT] [-o OUTPUT] [--output-mode {results,csv}]
MITRE ATT&CK Lookup Tool
optional arguments:
-h, --help show this help message and exit
-v VERSION, --version VERSION
ATT&CK matrix version to use (default: v10.1)
-m {enterprise,ics,mobile}, --matrix {enterprise,ics,mobile}
ATT&CK matrix to use (default: enterprise)
-O, --offline Run in offline mode (default: False)
-i INPUT, --input INPUT
Path to input file (one lookup value per line) (default: None)
-o OUTPUT, --output OUTPUT
Path to output file (default: -)
--output-mode {results,csv}
Mode for output file ("result" only has the lookup results, "csv" outputs a CSV with the lookup and result values (default: results)
By default, attack-lookup uses the latest version of the Enterprise matrix. When running in Online mode, attack-lookup pulls the latest matrix from MITRE's GitHub repo. When running in Offline mode, it can use any matrix available in attack_lookup/data.
You can use attack-lookup in interactive or batch mode:
$ attack-lookup
(loading latest enterprise matrix...done)
Running attack-lookup in interactive mode, exit with (q)uit
ATT&CK> T1539
Steal Web Session Cookie
ATT&CK>
For batch mode, specify an input file, and optionally an output file/mode. By default, output will go to stdout.
$ attack-lookup -i test
(loading latest enterprise matrix...done)
Collection
T1133
Peripheral Device Discovery
$ attack-lookup -i test --output-mode=csv
(loading latest enterprise matrix...done)
TA0009,Collection
External Remote Services,T1133
T1120,Peripheral Device Discovery
$ attack-lookup -i test --output-mode=csv -o out_file
(loading latest enterprise matrix...done)
Wrote output data to out_file
If multiple mappings exist (e.g., "Domains"), attack-lookup will provide all possible values:
ATT&CK> Domains
Multiple possible values: T1583.001, T1584.001
API
You can also use attack-lookup in your own scripts.
from attack_lookup import AttackMapping
# version is ignored when running online FYSA
mapping = AttackMapping(matrix="enterprise", version="v10.1", offline=False)
# load the data
# this can take ~10sec
if not mapping.load_data():
print("failed to load data")
else:
mapping.lookup("T1574") # returns "Hijack Execution Flow"
4 Sep 23, 2021
3 Dec 10, 2021
7 Dec 2, 2021
7 Mar 25, 2022
9 Sep 30, 2022
8 Dec 23, 2022
10 Apr 29, 2022
4 Dec 8, 2022
63 Jan 6, 2023
2 Jan 29, 2022
4 Jan 04, 2022
25 Nov 28, 2022
3 Nov 06, 2021
1 Oct 03, 2022
2 Sep 01, 2022
0 Feb 24, 2022
1 Dec 31, 2021
4 Dec 11, 2021
3 Aug 10, 2022
3 Aug 06, 2022
1 Nov 12, 2021
153 Jan 04, 2023
3 Jun 06, 2021
0 Mar 24, 2022
2 Oct 08, 2021
8 Nov 01, 2021
4 Sep 24, 2021
1 Mar 31, 2022