MITRE ATT&CK Lookup Tool
attack-lookup is a tool that lets you easily check what Tactic, Technique, or Sub-technique ID maps to what name, and vice versa. It can be used interactively, for batch processing, or in your own tooling.
Installation
attack-lookup can be installed from PyPi:
$ pip install attack-lookup
It can also be installed manually:
$ git clone https://github.com/curated-intel/attack-lookup.git
$ cd attack-lookup
$ python setup.py install --user
Usage
$ attack-lookup --help
usage: attack-lookup [-h] [-v VERSION] [-m {enterprise,ics,mobile}] [-O] [-i INPUT] [-o OUTPUT] [--output-mode {results,csv}]
MITRE ATT&CK Lookup Tool
optional arguments:
-h, --help show this help message and exit
-v VERSION, --version VERSION
ATT&CK matrix version to use (default: v10.1)
-m {enterprise,ics,mobile}, --matrix {enterprise,ics,mobile}
ATT&CK matrix to use (default: enterprise)
-O, --offline Run in offline mode (default: False)
-i INPUT, --input INPUT
Path to input file (one lookup value per line) (default: None)
-o OUTPUT, --output OUTPUT
Path to output file (default: -)
--output-mode {results,csv}
Mode for output file ("result" only has the lookup results, "csv" outputs a CSV with the lookup and result values (default: results)
By default, attack-lookup uses the latest version of the Enterprise matrix. When running in Online mode, attack-lookup pulls the latest matrix from MITRE's GitHub repo. When running in Offline mode, it can use any matrix available in attack_lookup/data.
You can use attack-lookup in interactive or batch mode:
$ attack-lookup
(loading latest enterprise matrix...done)
Running attack-lookup in interactive mode, exit with (q)uit
ATT&CK> T1539
Steal Web Session Cookie
ATT&CK>
For batch mode, specify an input file, and optionally an output file/mode. By default, output will go to stdout.
$ attack-lookup -i test
(loading latest enterprise matrix...done)
Collection
T1133
Peripheral Device Discovery
$ attack-lookup -i test --output-mode=csv
(loading latest enterprise matrix...done)
TA0009,Collection
External Remote Services,T1133
T1120,Peripheral Device Discovery
$ attack-lookup -i test --output-mode=csv -o out_file
(loading latest enterprise matrix...done)
Wrote output data to out_file
If multiple mappings exist (e.g., "Domains"), attack-lookup will provide all possible values:
ATT&CK> Domains
Multiple possible values: T1583.001, T1584.001
API
You can also use attack-lookup in your own scripts.
from attack_lookup import AttackMapping
# version is ignored when running online FYSA
mapping = AttackMapping(matrix="enterprise", version="v10.1", offline=False)
# load the data
# this can take ~10sec
if not mapping.load_data():
print("failed to load data")
else:
mapping.lookup("T1574") # returns "Hijack Execution Flow"
4 Sep 23, 2021
3 Dec 10, 2021
7 Dec 2, 2021
7 Mar 25, 2022
9 Sep 30, 2022
8 Dec 23, 2022
10 Apr 29, 2022
4 Dec 8, 2022
63 Jan 6, 2023
8 Jul 17, 2022
2 Nov 11, 2021
1 Oct 04, 2022
6 Aug 26, 2022
9 Feb 10, 2022
3 Feb 16, 2022
2 Apr 20, 2022
9 Jun 08, 2022
8 Jul 24, 2022
2 Oct 29, 2021
4 Aug 05, 2022
36 Dec 14, 2022
12 Jan 08, 2023
191 Dec 30, 2022
12 Sep 07, 2022
37 Jan 07, 2023
2.1k Dec 30, 2022
105 Jan 02, 2023
6 Sep 09, 2021