Exploring MITRE ATT&CK v12 Campaigns#


Reference: https://github.com/OTRF/ATTACK-Python-Client/pull/62

Import ATTACK API Client#

from attackcti import attack_client

Import Extra Libraries#

import logging
# Silence the TAXII client library's own log output: everything below CRITICAL is
# dropped. This also hides its WARNING/ERROR records (e.g. a failed fetch from the
# server), so lower the level to logging.WARNING when troubleshooting connectivity.
taxii_logger = logging.getLogger('taxii2client')
taxii_logger.setLevel(logging.CRITICAL)

Initialize ATT&CK Client Variable#

# Instantiate the attackcti client. Called with no arguments it presumably pulls the
# ATT&CK STIX content from MITRE's public TAXII server over the network
# (NOTE(review): confirm against the attackcti docs for this version). Because the
# data is fetched live, the counts and objects shown below reflect whatever the
# server serves at run time and may differ between runs.
lift = attack_client()

Get Enterprise Campaigns#

# Campaign objects from the enterprise-attack domain, returned as a list of STIX
# objects. The order in which the client returns them is presumably not stable
# between runs, so index-based access further down (e.g. [0]) is for exploration only.
enterprise_campaigns = lift.get_enterprise_campaigns()
len(enterprise_campaigns)
13
# Print one campaign in its raw STIX (JSON) form, whichever the client returned
# first. Raises IndexError if the collection came back empty.
first_enterprise_campaign = enterprise_campaigns[0]
print(first_enterprise_campaign)
{"type": "campaign", "id": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2022-09-29T20:00:38.136Z", "modified": "2022-09-30T21:05:22.490Z", "name": "Operation Dust Storm", "description": "[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.(Citation: Cylance Dust Storm)\n\n[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.(Citation: Cylance Dust Storm)", "aliases": ["Operation Dust Storm"], "first_seen": "2010-01-01T07:00:00Z", "last_seen": "2016-02-01T06:00:00Z", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0016", "external_id": "C0016"}, {"source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.0.0", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack", "enterprise-attack"], "x_mitre_first_seen_citation": "(Citation: Cylance Dust Storm)", "x_mitre_last_seen_citation": "(Citation: Cylance Dust Storm)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0"}

Get Mobile Campaigns#

# Campaign objects from the mobile-attack domain. A campaign can belong to more than
# one domain (its x_mitre_domains lists each), so the same object, with the same
# STIX id, can legitimately appear in both this list and the enterprise list.
mobile_campaigns = lift.get_mobile_campaigns()
len(mobile_campaigns)
1
# Print the first mobile campaign as raw STIX (JSON). Raises IndexError if the
# mobile collection is empty.
first_mobile_campaign = mobile_campaigns[0]
print(first_mobile_campaign)
{"type": "campaign", "id": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2022-09-29T20:00:38.136Z", "modified": "2022-09-30T21:05:22.490Z", "name": "Operation Dust Storm", "description": "[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.(Citation: Cylance Dust Storm)\n\n[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.(Citation: Cylance Dust Storm)", "aliases": ["Operation Dust Storm"], "first_seen": "2010-01-01T07:00:00Z", "last_seen": "2016-02-01T06:00:00Z", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0016", "external_id": "C0016"}, {"source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.0.0", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack", "enterprise-attack"], "x_mitre_first_seen_citation": "(Citation: Cylance Dust Storm)", "x_mitre_last_seen_citation": "(Citation: Cylance Dust Storm)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0"}

Get All Campaigns#

# Campaigns across all domains. NOTE(review): the count shown here equals the
# enterprise count even though the mobile domain has one campaign, which is
# consistent with the shared enterprise/mobile object being de-duplicated by STIX id
# in this helper — verify in the attackcti source if the number matters.
all_campaigns = lift.get_campaigns()
len(all_campaigns)
13

Get Campaign by Alias#

# Look a campaign up by alias. For this campaign the alias is the ATT&CK external
# id (C0015), which is also its name. The call returns a list of matching Campaign
# objects rather than a single object, presumably empty when nothing matches.
campaign_alias = "C0015"
lift.get_campaign_by_alias(campaign_alias=campaign_alias)
[Campaign(type='campaign', id='campaign--78068e68-4124-4243-b6f4-76e4e5be8a06', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2022-09-29T16:42:29.364Z', modified='2022-09-29T20:37:46.689Z', name='C0015', description='[C0015](https://attack.mitre.org/campaigns/C0015) was a ransomware intrusion during which the unidentified attackers used [Bazar](https://attack.mitre.org/software/S0534), [Cobalt Strike](https://attack.mitre.org/software/S0154), and [Conti](https://attack.mitre.org/software/S0575), along with other tools, over a 5 day period. Security researchers assessed the actors likely used the widely-circulated [Conti](https://attack.mitre.org/software/S0575) ransomware playbook based on the observed pattern of activity and operator errors.(Citation: DFIR Conti Bazar Nov 2021)', aliases=['C0015'], first_seen='2021-08-01T05:00:00Z', last_seen='2021-08-01T05:00:00Z', revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/campaigns/C0015', external_id='C0015'), ExternalReference(source_name='DFIR Conti Bazar Nov 2021', description='DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.', url='https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_attack_spec_version='3.0.0', x_mitre_contributors=['Matt Brenton, Zurich Insurance Group'], x_mitre_deprecated=False, x_mitre_domains=['enterprise-attack'], x_mitre_first_seen_citation='(Citation: DFIR Conti Bazar Nov 2021)', x_mitre_last_seen_citation='(Citation: DFIR Conti Bazar Nov 2021)', x_mitre_modified_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', x_mitre_version='1.0')]

Get Campaigns Since#

# Campaigns with a timestamp after the given ISO-8601 UTC instant (presumably the
# STIX 'modified' field — confirm in the attackcti docs). NOTE(review): the count
# this returns is one higher than get_campaigns(); that matches the single campaign
# shared by the enterprise and mobile domains being counted once per domain here
# rather than de-duplicated by id — verify before relying on the number.
since_timestamp = "2017-01-31T13:49:53.935Z"
campaigns_since = lift.get_campaigns_since_time(timestamp=since_timestamp)
len(campaigns_since)
14

Get Campaign By Object ID#

# Generic lookup by ATT&CK external id: the first argument is the STIX object type
# to search, the second the external id. Like the alias lookup, this returns a list
# of matching objects, not a single object.
campaign_attack_id = "C0001"
lift.get_object_by_attack_id("campaign", campaign_attack_id)
[Campaign(type='campaign', id='campaign--26d9ebae-de59-427f-ae9a-349456bae4b1', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2022-09-07T13:40:09.750Z', modified='2022-09-21T15:15:43.055Z', name='Frankenstein', description="[Frankenstein](https://attack.mitre.org/campaigns/C0001) was described by security researchers as a highly-targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors primarily relied on open source tools, including [Empire](https://attack.mitre.org/software/S0363). The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.(Citation: Talos Frankenstein June 2019)", aliases=['Frankenstein'], first_seen='2019-01-01T06:00:00Z', last_seen='2019-04-01T05:00:00Z', revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/campaigns/C0001', external_id='C0001'), ExternalReference(source_name='Talos Frankenstein June 2019', description="Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.", url='https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_attack_spec_version='3.0.0', x_mitre_deprecated=False, x_mitre_domains=['enterprise-attack'], x_mitre_first_seen_citation='(Citation: Talos Frankenstein June 2019)', x_mitre_last_seen_citation='(Citation: Talos Frankenstein June 2019)', x_mitre_modified_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', x_mitre_version='1.0')]