# Filtering and Looking Up STIX Objects in ATT&CK
------------------

## Import ATTACK API Client

In [1]:
from attackcti import attack_client

## Import Extra Libraries

In [2]:
from pandas import *

import logging
logging.getLogger('taxii2client').setLevel(logging.CRITICAL)

## Initialize ATT&CK Client Variable

In [3]:
lift = attack_client()

## Get Technique by Name (TAXII)
You can use a custom method in the attack_client class to get a technique across all the matrices by its name. It is case sensitive.

In [4]:
technique_name = lift.get_technique_by_name('Rundll32')

In [5]:
technique_name

[AttackPattern(type='attack-pattern', id='attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-01-23T18:03:46.248Z', modified='2021-10-14T21:45:53.057Z', name='Rundll32', description='Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: <code>rundll32.exe {DLLname, DLLfunction}</code>).\n\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file als

## Get Data Sources from All Techniques (TAXII)
* You can also get all the data sources available in ATT&CK
* Currently the only techniques with data sources are the ones in Enterprise ATT&CK.

In [6]:
data_sources = lift.get_data_sources()

In [7]:
len(data_sources)

38

In [8]:
for ds in data_sources:
    print(ds['name'])

Internet Scan
Certificate
Domain Name
Volume
Group
Cluster
Logon Session
Network Share
Container
Active Directory
Driver
Instance
Network Traffic
File
Firewall
Persona
Cloud Service
Named Pipe
Service
Windows Registry
Command
Snapshot
Module
Sensor Health
Application Log
Script
Cloud Storage
Drive
Kernel
Pod
Process
Scheduled Job
Web Credential
Malware Repository
User Account
WMI
Image
Firmware


## Get Any STIX Object by ATT&CK ID (TAXII)
* You can get any STIX object by its ATT&CK ID (the `external_id` of its `mitre-attack` external reference, e.g. `T1103`, `G0016`, `S0601`) across all the matrices. It is case sensitive.
* You can use the following STIX Object Types:
  * attack-pattern > techniques
  * course-of-action > mitigations
  * intrusion-set > groups
  * malware
  * tool
* ATT&CK keeps revoked and deprecated objects in the feed, so a lookup by ID can return one (the object below has `revoked=True`). Check the `revoked` and `x_mitre_deprecated` properties before using the result.

In [9]:
object_by_id = lift.get_object_by_attack_id('attack-pattern', 'T1103')

In [10]:
object_by_id

[AttackPattern(type='attack-pattern', id='attack-pattern--317fefa6-46c7-4062-adb6-2008cf6bcb41', created='2017-05-31T21:31:15.409Z', modified='2020-11-10T18:29:30.379Z', name='AppInit DLLs', revoked=True, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1103', external_id='T1103'), ExternalReference(source_name='Elastic Process Injection July 2017', description='Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.', url='https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'), ExternalReference(source_name='AppInit Registry', description='Microsoft. (2006, October). Working with the AppInit_DLLs registry value. Retrieved July 15, 2015.', url='https://support.microsoft.com/en-us/kb/197571'), ExternalReference(source_name='AppInit Secure Boot', descript

## Get Any Group by Alias (TAXII)
You can get any Group by its Alias property across all the matrices. It is case sensitive.

In [11]:
group_name = lift.get_group_by_alias('Cozy Bear')

In [12]:
group_name

[IntrusionSet(type='intrusion-set', id='intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-05-31T21:31:52.748Z', modified='2021-10-16T00:59:58.792Z', name='APT29', description="[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)\n\nIn April 2021, the US and UK governments attributed the

## Get Relationships by Any Object (TAXII)
* You can get available relationships defined in ATT&CK of type **uses** and **mitigates** for specific objects across all the matrices.

In [13]:
groups = lift.get_groups()
one_group = groups[0]
relationships = lift.get_relationships_by_object(one_group)

In [14]:
relationships[0]

Relationship(type='relationship', id='relationship--6bbd0299-4e8b-4d31-83c4-c690e43294c0', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-15T18:47:18.472Z', modified='2021-10-15T18:47:18.472Z', relationship_type='uses', description='[TeamTNT](https://attack.mitre.org/groups/G0139) has searched for unsecured SSH keys.(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Trend Micro TeamTNT)', source_ref='intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca', target_ref='attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf', revoked=False, external_references=[ExternalReference(source_name='Cado Security TeamTNT Worm August 2020', description='Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.', url='https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/'), ExternalReference(source_name='Trend Micro TeamTNT', description='Fiser, D. 

## Get All Techniques with Mitigations (TAXII)
The difference between this function and **get_techniques()** is that **get_techniques_mitigated_by_mitigations()** only returns techniques that have at least one mitigation mapped to them through a **mitigates** relationship.

In [15]:
techniques_mitigated = lift.get_techniques_mitigated_by_mitigations()

In [16]:
len(techniques_mitigated)

661

In [17]:
techniques_mitigated[0]

AttackPattern(type='attack-pattern', id='attack-pattern--b22e5153-ac28-4cc6-865c-2054e36285cb', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-10-12T20:02:31.866Z', modified='2021-10-16T01:50:40.276Z', name='Resource Forking', description='Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder.(

## Get Techniques Used by Software (TAXII)
This function takes a specific software STIX object (malware or tool) and returns the techniques mapped to it through **uses** relationships.

In [18]:
all_software = lift.get_software()
one_software = all_software[0]
software_techniques = lift.get_techniques_used_by_software(one_software)

In [19]:
software_techniques[0]

AttackPattern(type='attack-pattern', id='attack-pattern--4eb28bed-d11a-4641-9863-c2ac017d910a', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-02-21T20:46:36.688Z', modified='2021-10-19T13:37:30.534Z', name='Disable Windows Event Logging', description='Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\n\nThe EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc

## Get Techniques Used by Group (TAXII)
This function takes a specific **Group** STIX object (not a name) and returns the techniques mapped to it through **uses** relationships. Use **get_groups()** or **get_group_by_alias()** first to obtain the object.

In [20]:
groups = lift.get_groups()
one_group = groups[0]
group_techniques = lift.get_techniques_used_by_group(one_group)

In [21]:
group_techniques[0]

AttackPattern(type='attack-pattern', id='attack-pattern--0470e792-32f8-46b0-a351-652bc35e9336', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-03-31T14:26:00.848Z', modified='2021-04-12T18:22:05.737Z', name='Container and Resource Discovery', description='Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.\n\nThese resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as ho

## Get Software Used by Group (TAXII)
You can retrieve every software object (malware or tool) mapped to a specific Group STIX object through **uses** relationships.

In [22]:
groups = lift.get_groups()
one_group = groups[0]
group_software = lift.get_software_used_by_group(one_group)

In [23]:
group_software[0]

Malware(type='malware', id='malware--40a1b8ec-7295-416c-a6b1-68181d86f120', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-04-07T18:07:47.604Z', modified='2021-10-16T01:49:39.189Z', name='Hildegard', description='[Hildegard](https://attack.mitre.org/software/S0601) is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind [Hildegard](https://attack.mitre.org/software/S0601). (Citation: Unit 42 Hildegard Malware)', revoked=False, labels=['malware'], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0601', external_id='S0601'), ExternalReference(source_name='Unit 42 Hildegard Malware', description='Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.', url='https://unit42.paloalt
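The lookups above all reduce to the same three operations over the STIX bundle: find an object by its ATT&CK `external_id`, walk `uses` relationships from a source object to targets of a given type, and decide what to do with revoked or deprecated objects along the way. The following is an added offline example (not attackcti's own code) that implements those operations over a small, constructed bundle so they can be run without a TAXII connection. All STIX IDs, names and ATT&CK IDs in the bundle are made up; the object shapes follow ATT&CK's STIX 2.0 export.

```python
"""Offline illustration of ATT&CK STIX lookups: object by ATT&CK ID, group by
alias, and 'uses' relationships resolved to techniques/software, with revoked
and deprecated objects filtered out by default. Added example; the bundle is
constructed by hand with fake STIX IDs and ATT&CK IDs."""
from typing import Dict, Iterable, List, Optional

# source_name values ATT&CK uses on the external reference that carries the ID
ATTACK_SOURCES = {"mitre-attack", "mitre-mobile-attack", "mitre-ics-attack"}

# --- constructed sample bundle (fake IDs) ---------------------------------
G1 = "intrusion-set--00000000-0000-4000-8000-000000000001"
T1 = "attack-pattern--00000000-0000-4000-8000-000000000002"
T2 = "attack-pattern--00000000-0000-4000-8000-000000000003"
T3 = "attack-pattern--00000000-0000-4000-8000-000000000004"
S1 = "malware--00000000-0000-4000-8000-000000000005"
M1 = "course-of-action--00000000-0000-4000-8000-000000000006"


def _ref(ext_id: str) -> Dict:
    return {"source_name": "mitre-attack", "external_id": ext_id}


def _rel(n: int, rtype: str, src: str, dst: str) -> Dict:
    return {"type": "relationship",
            "id": f"relationship--00000000-0000-4000-8000-0000000000{n:02d}",
            "relationship_type": rtype, "source_ref": src, "target_ref": dst}


BUNDLE: List[Dict] = [
    {"type": "intrusion-set", "id": G1, "name": "ExampleGroup",
     "aliases": ["ExampleGroup", "Example Bear"], "external_references": [_ref("G9999")]},
    {"type": "attack-pattern", "id": T1, "name": "Technique A", "external_references": [_ref("T9901")]},
    {"type": "attack-pattern", "id": T2, "name": "Technique B", "revoked": True,
     "external_references": [_ref("T9902")]},
    {"type": "attack-pattern", "id": T3, "name": "Technique C", "x_mitre_deprecated": True,
     "external_references": [_ref("T9903")]},
    {"type": "malware", "id": S1, "name": "ExampleMalware", "external_references": [_ref("S9901")]},
    {"type": "course-of-action", "id": M1, "name": "Example Mitigation",
     "external_references": [_ref("M9901")]},
    _rel(10, "uses", G1, T1),
    _rel(11, "uses", G1, T2),       # edge to a revoked technique
    _rel(12, "uses", G1, T3),       # edge to a deprecated technique
    _rel(13, "uses", G1, S1),       # group uses software
    _rel(14, "uses", S1, T1),       # software uses technique
    _rel(15, "mitigates", M1, T1),  # not a 'uses' edge; must not appear in results
]


def attack_id(obj: Dict) -> Optional[str]:
    """ATT&CK external ID (T1103, G0016, S0601 ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in ATTACK_SOURCES:
            return ref.get("external_id")
    return None


def is_active(obj: Dict) -> bool:
    """ATT&CK keeps revoked/deprecated objects in the feed; drop them by default."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def get_object_by_attack_id(objects: Iterable[Dict], stix_type: str, ext_id: str,
                            include_inactive: bool = False) -> Optional[Dict]:
    """Exact, case-sensitive match on type and ATT&CK ID."""
    for obj in objects:
        if obj.get("type") == stix_type and attack_id(obj) == ext_id:
            if include_inactive or is_active(obj):
                return obj
    return None


def get_group_by_alias(objects: Iterable[Dict], alias: str) -> Optional[Dict]:
    """Exact, case-sensitive match against an intrusion-set's aliases list."""
    for obj in objects:
        if obj.get("type") == "intrusion-set" and alias in obj.get("aliases", []):
            return obj
    return None


def related_objects(objects: List[Dict], source: Dict, relationship_type: str,
                    target_type: str, include_inactive: bool = False) -> List[Dict]:
    """Follow relationships of one type from `source` to targets of `target_type`."""
    by_id = {o["id"]: o for o in objects if o.get("type") != "relationship"}
    out: List[Dict] = []
    for rel in objects:
        if rel.get("type") != "relationship" or rel.get("relationship_type") != relationship_type:
            continue
        if rel.get("source_ref") != source["id"] or rel.get("revoked", False):
            continue
        target = by_id.get(rel.get("target_ref"))
        if target is None or target.get("type") != target_type:
            continue
        if include_inactive or is_active(target):
            out.append(target)
    return out


def techniques_used_by(objects: List[Dict], obj: Dict, include_inactive: bool = False) -> List[Dict]:
    """Works for a group or a software object: both are sources of 'uses' edges."""
    return related_objects(objects, obj, "uses", "attack-pattern", include_inactive)


def software_used_by(objects: List[Dict], group: Dict) -> List[Dict]:
    return (related_objects(objects, group, "uses", "malware")
            + related_objects(objects, group, "uses", "tool"))


def attack_ids(objs: Iterable[Dict]) -> List[str]:
    return sorted(i for i in (attack_id(o) for o in objs) if i)


if __name__ == "__main__":
    grp = get_group_by_alias(BUNDLE, "Example Bear")
    print(attack_id(grp), attack_ids(techniques_used_by(BUNDLE, grp)),
          attack_ids(software_used_by(BUNDLE, grp)))
```

The `include_inactive` switch is the point to be careful about: a `uses` edge can target a technique that has since been revoked or deprecated, and the client's own lookups return such objects unless you filter them, so the check belongs in the relationship walk, not only in the ID lookup.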