Exporting ATT&CK Group Navigator Layers

Get Relationship STIX Objects - (Manual)


I believe it is important to understand the code behind the main functions available in the Python library attackcti. I highly recommend first reading the docs I put together about the cti-taxii-client and cti-python-stix2 libraries. Those two summarize several of the concepts I had to read about in order to understand how to perform a simple query against ATT&CK's TAXII server.

Import STIX and TAXII Libraries

from stix2 import TAXIICollectionSource, Filter, CompositeDataSource
from taxii2client.v20 import Collection

Set ATT&CK TAXII Collection ID Variables

The public ATT&CK TAXII instance has three main collections (Enterprise, Pre and Mobile). Every collection has an ID which attackcti uses to retrieve ATT&CK STIX objects from all those matrices.

ATTACK_STIX_COLLECTIONS = "https://cti-taxii.mitre.org/stix/collections/"
ENTERPRISE_ATTACK = "95ecc380-afe9-11e4-9b6c-751b66dd541e"
PRE_ATTACK = "062767bd-02d2-4b72-84ba-56caef0f8658"
MOBILE_ATTACK = "2f669986-b40b-4423-b720-4396ca6a462b"
ICS_ATTACK = "02c3ef24-9cd4-48f3-a99f-b74ce24f1d34"

Initialize TAXII Collection Sources

According to the STIX2 docs, the TAXIICollectionSource API provides an interface for searching/retrieving STIX objects from a local/remote TAXII Collection endpoint. In our case, we are pointing to the ATT&CK TAXII Collection instances (https://cti-taxii.mitre.org/stix/collections/).

ENTERPRISE_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + ENTERPRISE_ATTACK + "/")
TC_ENTERPRISE_SOURCE = TAXIICollectionSource(ENTERPRISE_COLLECTION)
PRE_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + PRE_ATTACK + "/")
TC_PRE_SOURCE = TAXIICollectionSource(PRE_COLLECTION)
MOBILE_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + MOBILE_ATTACK + "/")
TC_MOBILE_SOURCE = TAXIICollectionSource(MOBILE_COLLECTION)
ICS_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + ICS_ATTACK + "/")
TC_ICS_SOURCE = TAXIICollectionSource(ICS_COLLECTION)

Initialize a Composite Data Source

According to STIX2 docs, a user can have a single CompositeDataSource as an interface to a set of DataSources. When an API call is made to the CompositeDataSource, it is delegated to each of the (real) DataSources that are attached to it. In our case, we have three TAXIICollection sources (Enterprise, PRE and Mobile) as defined in our previous step. Therefore, we can use the CompositeDataSource class and the add_data_sources method to attach every ATT&CK TAXIICollection source and be able to query all of them at the same time.

COMPOSITE_DS = CompositeDataSource()
COMPOSITE_DS.add_data_sources([TC_ENTERPRISE_SOURCE, TC_PRE_SOURCE, TC_MOBILE_SOURCE, TC_ICS_SOURCE])

Retrieve all relationships

Now that we can query all the ATT&CK TAXIICollection sources at once, we can use the query method and a set of filters to retrieve STIX objects of type relationship.

rels = COMPOSITE_DS.query(Filter("type", "=", "relationship"))
rels[0]
Relationship(type='relationship', id='relationship--fbe555c3-5c7b-44e7-a48f-293bdae9de0c', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-04-27T15:46:45.720Z', modified='2021-04-27T15:46:45.720Z', relationship_type='uses', description="[AppleJeus](https://attack.mitre.org/software/S0584)'s spearphishing links required user interaction to navigate to the malicious website.(Citation: CISA AppleJeus Feb 2021)", source_ref='malware--e2d34c63-6f5a-41f5-86a2-e2380f27f858', target_ref='attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9', external_references=[ExternalReference(source_name='CISA AppleJeus Feb 2021', description='Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.', url='https://us-cert.cisa.gov/ncas/alerts/aa21-048a')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'])

Retrieve all relationships from a specific STIX object

What if you want to be very specific and get the relationships of one STIX object? You can use the relationships method of the CompositeDataSource class to retrieve the relationships involving a given STIX object.

from attackcti import attack_client
lift = attack_client()

groups = lift.get_groups()
groups = lift.remove_revoked(groups)

rels = COMPOSITE_DS.relationships(groups[0], 'uses', source_only=True)
rels[0]
Relationship(type='relationship', id='relationship--12e483aa-14a0-41ea-b6fd-7ced3590472b', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-04-14T14:05:51.798Z', modified='2021-04-14T14:05:51.798Z', relationship_type='uses', description='(Citation: Check Point Rocket Kitten)', source_ref='intrusion-set--fa19de15-6169-428d-9cd6-3ca3d56075b7', target_ref='tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5', external_references=[ExternalReference(source_name='Check Point Rocket Kitten', description='Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.', url='https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'])

Get Relationship STIX Objects - (Automatic)


Retrieve all relationships

from attackcti import attack_client
lift = attack_client()
%time all_relationships = lift.get_relationships()
CPU times: user 2.93 s, sys: 59.7 ms, total: 2.99 s
Wall time: 5.01 s
all_relationships[0]
Relationship(type='relationship', id='relationship--fbe555c3-5c7b-44e7-a48f-293bdae9de0c', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-04-27T15:46:45.720Z', modified='2021-04-27T15:46:45.720Z', relationship_type='uses', description="[AppleJeus](https://attack.mitre.org/software/S0584)'s spearphishing links required user interaction to navigate to the malicious website.(Citation: CISA AppleJeus Feb 2021)", source_ref='malware--e2d34c63-6f5a-41f5-86a2-e2380f27f858', target_ref='attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9', external_references=[ExternalReference(source_name='CISA AppleJeus Feb 2021', description='Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.', url='https://us-cert.cisa.gov/ncas/alerts/aa21-048a')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'])

Retrieve all relationships from a specific STIX object

groups = lift.get_groups()
groups = lift.remove_revoked(groups)
%time group_relationships = lift.get_relationships_by_object(groups[0])
CPU times: user 375 ms, sys: 59.6 ms, total: 434 ms
Wall time: 4.07 s
group_relationships[0]
Relationship(type='relationship', id='relationship--12e483aa-14a0-41ea-b6fd-7ced3590472b', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-04-14T14:05:51.798Z', modified='2021-04-14T14:05:51.798Z', relationship_type='uses', description='(Citation: Check Point Rocket Kitten)', source_ref='intrusion-set--fa19de15-6169-428d-9cd6-3ca3d56075b7', target_ref='tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5', external_references=[ExternalReference(source_name='Check Point Rocket Kitten', description='Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.', url='https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'])

Retrieve Techniques used by one Group - (Manual)


In this case we want relationship objects whose target_ref values are of type attack-pattern. Following the manual code I shared above, and using the results of the get_relationships_by_object() function, you can simply query the ATT&CK Enterprise TAXIICollection source with the filter below.

filter_objects = [
  Filter('type', '=', 'attack-pattern'),
  Filter('id', '=', [r.target_ref for r in group_relationships])
]
techniques_used = TC_ENTERPRISE_SOURCE.query(filter_objects)
techniques_used[0]
AttackPattern(type='attack-pattern', id='attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-03-11T14:49:36.954Z', modified='2020-03-11T14:55:56.177Z', name='Malicious File', description="An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) on the file to increase the likelihood that a user will open it.\n\nWhile [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).", kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1204/002', external_id='T1204.002')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=['Process: Process Creation', 'File: File Creation'], x_mitre_detection="Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain initial access that require user interaction. 
This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).", x_mitre_is_subtechnique=True, x_mitre_permissions_required=['User'], x_mitre_platforms=['Linux', 'macOS', 'Windows'], x_mitre_version='1.0')

Retrieve Techniques used by one Group - (Automatic)


from attackcti import attack_client
lift = attack_client()
groups = lift.get_groups()
groups = lift.remove_revoked(groups)
group_techniques = lift.get_techniques_used_by_group(groups[0])
group_techniques[0]
AttackPattern(type='attack-pattern', id='attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-03-11T14:49:36.954Z', modified='2020-03-11T14:55:56.177Z', name='Malicious File', description="An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) on the file to increase the likelihood that a user will open it.\n\nWhile [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).", kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1204/002', external_id='T1204.002')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=['Process: Process Creation', 'File: File Creation'], x_mitre_detection="Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain initial access that require user interaction. 
This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).", x_mitre_is_subtechnique=True, x_mitre_permissions_required=['User'], x_mitre_platforms=['Linux', 'macOS', 'Windows'], x_mitre_version='1.0')

Retrieve all Techniques used by all Groups - (Manual)


You can apply the same get_techniques_used_by_group() function to every group STIX object that the get_groups() function retrieves, with a simple for loop over more than 90 groups. However, that takes longer than I would like. Therefore, I decided to go a different route and started testing some code.

Get all groups and techniques

from attackcti import attack_client
lift = attack_client()
groups = lift.get_groups()
techniques = lift.get_techniques()
techniques = lift.remove_revoked(techniques)

Filter Group objects using techniques

from stix2.utils import get_type_from_id
group_relationships = []
for rel in all_relationships:
    if get_type_from_id(rel.source_ref) == 'intrusion-set'\
    and get_type_from_id(rel.target_ref) == 'attack-pattern':
        group_relationships.append(rel)
len(group_relationships)
print(group_relationships[0])
{
    "type": "relationship",
    "id": "relationship--435c288d-1e10-4610-bf41-531390e5a650",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "created": "2021-04-25T23:26:10.590Z",
    "modified": "2021-04-25T23:26:10.590Z",
    "relationship_type": "uses",
    "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) has used JavaScript files to execute its [POWERSTATS](https://attack.mitre.org/software/S0223) payload.(Citation: ClearSky MuddyWater Nov 2018)(Citation: FireEye MuddyWater Mar 2018)",
    "source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
    "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
    "external_references": [
        {
            "source_name": "ClearSky MuddyWater Nov 2018",
            "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.",
            "url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf"
        },
        {
            "source_name": "FireEye MuddyWater Mar 2018",
            "description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.",
            "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html"
        }
    ],
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ]
}
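The two lookups used so far, the relationships() call with source_only=True and the intrusion-set -> attack-pattern filter built on get_type_from_id, can be reproduced offline on plain dictionaries. The block below is an added example, not code from the notebook or from the attackcti library; its group, tool, malware and technique ids are constructed and only follow the STIX "<type>--<uuid>" shape, and the revoked handling is an addition (the page applies remove_revoked to groups separately). It also generalizes the filter to any source/target type pair.

```python
from collections import Counter

# Constructed sample ids: they follow the STIX "<type>--<uuid>" shape and nothing else
GROUP_A = "intrusion-set--11111111-1111-4111-8111-111111111111"
GROUP_B = "intrusion-set--22222222-2222-4222-8222-222222222222"
TECH_1 = "attack-pattern--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
TECH_2 = "attack-pattern--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"
TOOL_1 = "tool--cccccccc-cccc-4ccc-8ccc-cccccccccccc"
MALWARE_1 = "malware--dddddddd-dddd-4ddd-8ddd-dddddddddddd"


def rel(rel_id, rel_type, source_ref, target_ref, revoked=False):
    """Build a minimal relationship dict carrying the fields the notebook code reads."""
    return {"type": "relationship", "id": "relationship--" + rel_id,
            "relationship_type": rel_type, "source_ref": source_ref,
            "target_ref": target_ref, "revoked": revoked}


# Constructed sample graph: two groups, a tool, a malware family and two techniques
SAMPLE_RELATIONSHIPS = [
    rel("00000000-0000-4000-8000-000000000001", "uses", GROUP_A, TECH_1),
    rel("00000000-0000-4000-8000-000000000002", "uses", GROUP_A, TOOL_1),
    rel("00000000-0000-4000-8000-000000000003", "uses", TOOL_1, TECH_2),
    rel("00000000-0000-4000-8000-000000000004", "uses", GROUP_B, TECH_2),
    rel("00000000-0000-4000-8000-000000000005", "uses", MALWARE_1, TECH_1),
    rel("00000000-0000-4000-8000-000000000006", "subtechnique-of", TECH_2, TECH_1),
    rel("00000000-0000-4000-8000-000000000007", "uses", GROUP_B, TECH_1, revoked=True),
]


def get_type_from_id(stix_id):
    """Same idea as stix2.utils.get_type_from_id: the type is the part before '--'."""
    return stix_id.split("--", 1)[0]


def relationships_of(rels, obj_id, relationship_type=None,
                     source_only=False, target_only=False, include_revoked=False):
    """Mirror the semantics of CompositeDataSource.relationships() on plain dicts:
    return relationships where obj_id is the source, the target, or either,
    optionally restricted to one relationship_type. Revoked edges are dropped
    unless asked for (an addition, not part of the library's method)."""
    if source_only and target_only:
        raise ValueError("source_only and target_only are mutually exclusive")
    matches = []
    for r in rels:
        if r.get("revoked", False) and not include_revoked:
            continue
        if relationship_type and r["relationship_type"] != relationship_type:
            continue
        is_source = r["source_ref"] == obj_id
        is_target = r["target_ref"] == obj_id
        if source_only and not is_source:
            continue
        if target_only and not is_target:
            continue
        if not (is_source or is_target):
            continue
        matches.append(r)
    return matches


def filter_by_types(rels, source_type, target_type, relationship_type="uses"):
    """The get_type_from_id filter from the notebook, for any source/target type pair."""
    return [r for r in rels
            if r["relationship_type"] == relationship_type
            and not r.get("revoked", False)
            and get_type_from_id(r["source_ref"]) == source_type
            and get_type_from_id(r["target_ref"]) == target_type]


def target_type_counts(rels):
    """Count what kinds of objects a set of relationships points at (techniques, tools, ...)."""
    return Counter(get_type_from_id(r["target_ref"]) for r in rels)


if __name__ == "__main__":
    used_by_a = relationships_of(SAMPLE_RELATIONSHIPS, GROUP_A, "uses", source_only=True)
    print("Group A uses:", dict(target_type_counts(used_by_a)))
    print("group -> technique edges:",
          [r["id"] for r in filter_by_types(SAMPLE_RELATIONSHIPS, "intrusion-set", "attack-pattern")])
```

Note that a group's "uses" edges point at tools and malware as well as techniques, which is why the notebook's manual path then restricts target_ref to attack-pattern; target_type_counts makes that mix visible before filtering.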

Match Group -> Relationships Intrusion-set ID

Then, I take all the group_relationships I got and look for each specific intrusion-set (Group) id in the groups STIX objects. Once there is a match, I create new fields on the intrusion-set (Group) STIX object to add additional information about the attack-pattern (Technique) in the relationship object. The most important additional metadata is the target_ref field, which points to the specific attack-pattern (Technique) id involving the group. The results are then added to a new list named group_techniques_ref.

import json
group_techniques_ref = []
for g in groups:
    for rel in group_relationships:
        if g['id'] == rel['source_ref']:
            # Work on a plain dict copy so the immutable STIX object stays untouched
            gs = json.loads(g.serialize())
            gs['technique_ref'] = rel['target_ref']
            gs['relationship_description'] = rel['description']
            gs['relationship_id'] = rel['id']
            group_techniques_ref.append(gs)

Match Attack-patterns -> Intrusion-set object ID

I apply the same concept as before, and loop through all the attack-pattern objects looking for each specific attack-pattern id in the initial relationships STIX objects. Once there is a match, I add additional information from the attack-pattern itself to the Python dictionaries in the group_techniques_ref list. The results then get added to a new list named groups_use_techniques.

groups_use_techniques = []
for gt in group_techniques_ref:
    for t in techniques:
        if gt['technique_ref'] == t['id']:
            # Collect every tactic (kill chain phase) first; some objects have none
            tactic_list = list()
            for phase in t.get('kill_chain_phases', []):
                tactic_list.append(phase['phase_name'])
            # Enrich the group record once per matching technique, not once per
            # phase, otherwise a multi-tactic technique is appended several times
            gt['technique'] = t['name']
            gt['technique_description'] = t['description']
            gt['tactic'] = tactic_list
            gt['technique_id'] = t['external_references'][0]['external_id']
            gt['matrix'] = t['external_references'][0]['source_name']
            if 'x_mitre_platforms' in t.keys():
                gt['platform'] = t['x_mitre_platforms']
            if 'x_mitre_data_sources' in t.keys():
                gt['data_sources'] = t['x_mitre_data_sources']
            if 'x_mitre_permissions_required' in t.keys():
                gt['permissions_required'] = t['x_mitre_permissions_required']
            if 'x_mitre_effective_permissions' in t.keys():
                gt['effective_permissions'] = t['x_mitre_effective_permissions']
            groups_use_techniques.append(gt)
groups_use_techniques[0]
{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'external_references': [{'external_id': 'G0130',
   'source_name': 'mitre-attack',
   'url': 'https://attack.mitre.org/groups/G0130'},
  {'source_name': 'Operation Woolen-Goldfish',
   'description': 'Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and the campaign Operation Woolen-Goldfish.(Citation: Check Point Rocket Kitten)(Citation: TrendMicro Operation Woolen Goldfish March 2015)'},
  {'source_name': 'AjaxTM',
   'description': '(Citation: FireEye Operation Saffron Rose 2013)'},
  {'source_name': 'Rocket Kitten',
   'description': 'Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and Rocket Kitten.(Citation: Check Point Rocket Kitten)(Citation: IranThreats Kittens Dec 2017)'},
  {'source_name': 'Flying Kitten',
   'description': '(Citation: CrowdStrike Flying Kitten )'},
  {'source_name': 'Operation Saffron Rose',
   'description': '(Citation: FireEye Operation Saffron Rose 2013)'},
  {'source_name': 'FireEye Operation Saffron Rose 2013',
   'url': 'https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf',
   'description': 'Villeneuve, N. et al.. (2013). OPERATION SAFFRON ROSE . Retrieved May 28, 2020.'},
  {'source_name': 'Check Point Rocket Kitten',
   'url': 'https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf',
   'description': 'Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.'},
  {'source_name': 'TrendMicro Operation Woolen Goldfish March 2015',
   'url': 'https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf',
   'description': 'Cedric Pernet, Kenney Lu. (2015, March 19). Operation Woolen-Goldfish - When Kittens Go phishing. Retrieved April 21, 2021.'},
  {'source_name': 'IranThreats Kittens Dec 2017',
   'url': 'https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/',
   'description': 'Iran Threats . (2017, December 5). Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code. Retrieved May 28, 2020.'},
  {'source_name': 'CrowdStrike Flying Kitten ',
   'url': 'https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/',
   'description': 'Dahl, M.. (2014, May 13). Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN. Retrieved May 27, 2020.'}],
 'description': '[Ajax Security Team](https://attack.mitre.org/groups/G0130) is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 [Ajax Security Team](https://attack.mitre.org/groups/G0130) transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.(Citation: FireEye Operation Saffron Rose 2013)',
 'name': 'Ajax Security Team',
 'type': 'intrusion-set',
 'id': 'intrusion-set--fa19de15-6169-428d-9cd6-3ca3d56075b7',
 'aliases': ['Ajax Security Team',
  'Operation Woolen-Goldfish',
  'AjaxTM',
  'Rocket Kitten',
  'Flying Kitten',
  'Operation Saffron Rose'],
 'modified': '2021-04-22T20:13:14.377Z',
 'created': '2021-04-14T13:17:43.941Z',
 'x_mitre_version': '1.0',
 'technique_ref': 'attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8',
 'relationship_description': '[Ajax Security Team](https://attack.mitre.org/groups/G0130) has used FireMalv custom-developed malware, which collected passwords from the Firefox browser storage.(Citation: Check Point Rocket Kitten)',
 'relationship_id': 'relationship--ac196369-5b5b-4e71-805a-3f64f150b1e2',
 'technique': 'Credentials from Web Browsers',
 'technique_description': "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.\n\nFor example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, <code>AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data</code> and executing a SQL query: <code>SELECT action_url, username_value, password_value FROM logins;</code>. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function <code>CryptUnprotectData</code>, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018)\n \nAdversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004).\n\nAdversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)\n\nAfter acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).",
 'tactic': ['credential-access'],
 'technique_id': 'T1555.003',
 'matrix': 'mitre-attack',
 'platform': ['Linux', 'macOS', 'Windows'],
 'data_sources': ['File: File Access',
  'Command: Command Execution',
  'Process: OS API Execution',
  'Process: Process Access'],
 'permissions_required': ['User']}
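The two matching steps above (group -> relationship, then relationship -> technique) are one join keyed on STIX ids. The block below is an added example, not code from the notebook or from attackcti: it runs the same join offline on constructed groups, techniques and relationships, uses id lookups instead of nested scans, gives each record its own copy of the group so records never share state, handles a technique that spans two tactics (one record, both tactics), a technique with no kill_chain_phases, and a relationship pointing at a technique that is not in the retrieved set. It also collapses the records into one list per group name, the shape the Navigator layer step needs. The picking of the ATT&CK reference by a source_name that starts with "mitre" is an assumption made here to cover the other matrices; the notebook reads external_references[0].

```python
import copy
from collections import defaultdict

# Constructed sample ids (STIX "<type>--<uuid>" shape only; not real ATT&CK ids)
GRP_A = "intrusion-set--11111111-1111-4111-8111-111111111111"
GRP_B = "intrusion-set--22222222-2222-4222-8222-222222222222"
TEC_1 = "attack-pattern--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
TEC_2 = "attack-pattern--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"
TEC_GONE = "attack-pattern--eeeeeeee-eeee-4eee-8eee-eeeeeeeeeeee"  # referenced, never retrieved

SAMPLE_GROUPS = [
    {"type": "intrusion-set", "id": GRP_A, "name": "Constructed Group A",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G9001"}]},
    {"type": "intrusion-set", "id": GRP_B, "name": "Constructed Group B",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G9002"}]},
]
SAMPLE_TECHNIQUES = [
    {"type": "attack-pattern", "id": TEC_1, "name": "Constructed Technique One",
     "description": "A technique that sits in two tactics.",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9001"}],
     "x_mitre_platforms": ["Windows"], "x_mitre_data_sources": ["Process: Process Creation"]},
    {"type": "attack-pattern", "id": TEC_2, "name": "Constructed Technique Two",
     "description": "A technique with no kill chain phases.",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9002"}]},
]
SAMPLE_RELATIONSHIPS = [
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000001",
     "relationship_type": "uses", "source_ref": GRP_A, "target_ref": TEC_1,
     "description": "Group A has used Technique One."},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000002",
     "relationship_type": "uses", "source_ref": GRP_A, "target_ref": TEC_2,
     "description": "Group A has used Technique Two."},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000003",
     "relationship_type": "uses", "source_ref": GRP_B, "target_ref": TEC_1,
     "description": "Group B has used Technique One."},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000004",
     "relationship_type": "uses", "source_ref": GRP_B, "target_ref": TEC_GONE,
     "description": "Group B has used a technique that is not in the technique set."},
]

# Optional x_mitre_* fields copied onto the record under the notebook's key names
OPTIONAL_FIELDS = {"x_mitre_platforms": "platform", "x_mitre_data_sources": "data_sources",
                   "x_mitre_permissions_required": "permissions_required",
                   "x_mitre_effective_permissions": "effective_permissions"}


def attack_reference(obj):
    """Return the external reference carrying the ATT&CK id (assumption: its
    source_name starts with 'mitre'), or an empty dict when there is none."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name", "").startswith("mitre") and "external_id" in ref:
            return ref
    return {}


def techniques_used_by_all_groups(groups, techniques, relationships):
    """Join groups to techniques through 'uses' relationships; one record per edge."""
    groups_by_id = {g["id"]: g for g in groups}
    techniques_by_id = {t["id"]: t for t in techniques}
    records = []
    for r in relationships:
        if r.get("relationship_type") != "uses" or r.get("revoked", False):
            continue
        group = groups_by_id.get(r["source_ref"])
        technique = techniques_by_id.get(r["target_ref"])
        if group is None or technique is None:  # not a group->technique edge we can resolve
            continue
        record = copy.deepcopy(group)  # fresh copy per edge, so records never share state
        ref = attack_reference(technique)
        record.update({
            "technique_ref": technique["id"],
            "relationship_description": r.get("description", ""),
            "relationship_id": r["id"],
            "technique": technique["name"],
            "technique_description": technique.get("description", ""),
            "tactic": [p["phase_name"] for p in technique.get("kill_chain_phases", [])],
            "technique_id": ref.get("external_id"),
            "matrix": ref.get("source_name"),
        })
        for src_key, dst_key in OPTIONAL_FIELDS.items():
            if src_key in technique:
                record[dst_key] = technique[src_key]
        records.append(record)
    return records


def group_techniques_by_group_name(records):
    """Collapse the flat records into {group name: [technique entries]}."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec["name"]].append({
            "techniqueId": rec["technique_id"], "techniqueName": rec["technique"],
            "comment": rec["relationship_description"], "tactic": rec["tactic"],
            "group_id": attack_reference(rec).get("external_id")})
    return dict(grouped)


if __name__ == "__main__":
    recs = techniques_used_by_all_groups(SAMPLE_GROUPS, SAMPLE_TECHNIQUES, SAMPLE_RELATIONSHIPS)
    for name, entries in group_techniques_by_group_name(recs).items():
        print(name, [(e["techniqueId"], e["tactic"]) for e in entries])
```

The dangling relationship to TEC_GONE is dropped silently, which is the behavior you want when techniques were fetched with remove_revoked() but relationships were not; counting the dropped edges is a useful sanity check before trusting the per-group totals.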

Retrieve all Techniques used by all Groups - (Automatic)


from attackcti import attack_client
lift = attack_client()
%time techniques_used = lift.get_techniques_used_by_all_groups()
CPU times: user 7.09 s, sys: 140 ms, total: 7.23 s
Wall time: 11.3 s
len(techniques_used)
2512
techniques_used[0]
{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'external_references': [{'external_id': 'G0130',
   'source_name': 'mitre-attack',
   'url': 'https://attack.mitre.org/groups/G0130'},
  {'source_name': 'Operation Woolen-Goldfish',
   'description': 'Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and the campaign Operation Woolen-Goldfish.(Citation: Check Point Rocket Kitten)(Citation: TrendMicro Operation Woolen Goldfish March 2015)'},
  {'source_name': 'AjaxTM',
   'description': '(Citation: FireEye Operation Saffron Rose 2013)'},
  {'source_name': 'Rocket Kitten',
   'description': 'Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and Rocket Kitten.(Citation: Check Point Rocket Kitten)(Citation: IranThreats Kittens Dec 2017)'},
  {'source_name': 'Flying Kitten',
   'description': '(Citation: CrowdStrike Flying Kitten )'},
  {'source_name': 'Operation Saffron Rose',
   'description': '(Citation: FireEye Operation Saffron Rose 2013)'},
  {'source_name': 'FireEye Operation Saffron Rose 2013',
   'url': 'https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf',
   'description': 'Villeneuve, N. et al.. (2013). OPERATION SAFFRON ROSE . Retrieved May 28, 2020.'},
  {'source_name': 'Check Point Rocket Kitten',
   'url': 'https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf',
   'description': 'Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.'},
  {'source_name': 'TrendMicro Operation Woolen Goldfish March 2015',
   'url': 'https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf',
   'description': 'Cedric Pernet, Kenney Lu. (2015, March 19). Operation Woolen-Goldfish - When Kittens Go phishing. Retrieved April 21, 2021.'},
  {'source_name': 'IranThreats Kittens Dec 2017',
   'url': 'https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/',
   'description': 'Iran Threats . (2017, December 5). Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code. Retrieved May 28, 2020.'},
  {'source_name': 'CrowdStrike Flying Kitten ',
   'url': 'https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/',
   'description': 'Dahl, M.. (2014, May 13). Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN. Retrieved May 27, 2020.'}],
 'description': '[Ajax Security Team](https://attack.mitre.org/groups/G0130) is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 [Ajax Security Team](https://attack.mitre.org/groups/G0130) transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.(Citation: FireEye Operation Saffron Rose 2013)',
 'name': 'Ajax Security Team',
 'type': 'intrusion-set',
 'id': 'intrusion-set--fa19de15-6169-428d-9cd6-3ca3d56075b7',
 'aliases': ['Ajax Security Team',
  'Operation Woolen-Goldfish',
  'AjaxTM',
  'Rocket Kitten',
  'Flying Kitten',
  'Operation Saffron Rose'],
 'modified': '2021-04-22T20:13:14.377Z',
 'created': '2021-04-14T13:17:43.941Z',
 'x_mitre_version': '1.0',
 'technique_ref': 'attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8',
 'relationship_description': '[Ajax Security Team](https://attack.mitre.org/groups/G0130) has used FireMalv custom-developed malware, which collected passwords from the Firefox browser storage.(Citation: Check Point Rocket Kitten)',
 'relationship_id': 'relationship--ac196369-5b5b-4e71-805a-3f64f150b1e2',
 'revoked': False,
 'technique': 'Credentials from Web Browsers',
 'technique_description': "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.\n\nFor example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, <code>AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data</code> and executing a SQL query: <code>SELECT action_url, username_value, password_value FROM logins;</code>. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function <code>CryptUnprotectData</code>, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018)\n \nAdversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004).\n\nAdversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)\n\nAfter acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).",
 'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')],
 'technique_id': 'T1555.003',
 'matrix': 'mitre-attack',
 'platform': ['Linux', 'macOS', 'Windows'],
 'data_sources': ['File: File Access',
  'Command: Command Execution',
  'Process: OS API Execution',
  'Process: Process Access'],
 'permissions_required': ['User']}

Create Navigator Group Layer Files - (Manual)


Create a list of group dictionaries

To make things easier, I create a list of dictionaries where each group name is the main key and the value is a list where I append every single technique involving that group. I get that information from the get_techniques_used_by_all_groups() results.

groups = lift.get_groups()
groups = lift.remove_revoked(groups)
groups_list = []
for g in groups:
    group_dict = dict()
    group_dict[g['name']] = []
    groups_list.append(group_dict)
groups_list[89]
{'Lazarus Group': []}

Group techniques by group

We can then iterate over the output of the get_techniques_used_by_all_groups() function (stored in techniques_used) and append each technique to the dictionary whose key matches the group name associated with that technique.
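The two steps above, as a self-contained version that runs offline (an added example, not the notebook's own code, which follows). `KillChainPhase` is a namedtuple stand-in for the stix2 class, the group and relationship records are constructed samples in the shape shown on this page, and `lift` and `techniques_used` are not needed. It also goes a step beyond the notebook: a dict keyed by group name replaces the nested loops, a technique tied to several tactics (like T1547.005 above) becomes one entry per tactic, which is how the Navigator layer format places it in each column, an empty tactic list (like T1065 above) is kept as a single entry with `tactic=None`, and groups are looked up by name rather than by a positional index such as `groups_list[89]`.

```python
from collections import namedtuple

# Offline stand-in for stix2.KillChainPhase: the real class exposes the same two
# attributes read here, so the logic is unchanged when run on attackcti output.
KillChainPhase = namedtuple("KillChainPhase", ["kill_chain_name", "phase_name"])


def phase(name):
    return KillChainPhase(kill_chain_name="mitre-attack", phase_name=name)


# Constructed sample in the shape of lift.remove_revoked(lift.get_groups());
# only the keys this code reads are present. "Example Group" is hypothetical.
SAMPLE_GROUPS = [
    {"name": "Lazarus Group",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0032"}]},
    {"name": "Example Group",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G9999"}]},
]

# Constructed sample of get_techniques_used_by_all_groups() records (descriptions
# abridged). The last record belongs to a group absent from SAMPLE_GROUPS, e.g.
# one dropped by remove_revoked(), and must not end up in any group's list.
SAMPLE_TECHNIQUES_USED = [
    {"name": "Lazarus Group", "technique_id": "T1547.005",
     "technique": "Security Support Provider",
     "relationship_description": "Installed an SSP DLL for persistence (constructed).",
     "tactic": [phase("persistence"), phase("privilege-escalation")],
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0032"}]},
    {"name": "Lazarus Group", "technique_id": "T1059.001", "technique": "PowerShell",
     "relationship_description": "Used PowerShell to download payloads (constructed).",
     "tactic": [phase("execution")],
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0032"}]},
    {"name": "Lazarus Group", "technique_id": "T1065", "technique": "Uncommonly Used Port",
     "relationship_description": "Deprecated technique with no tactic (constructed).",
     "tactic": [],
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0032"}]},
    {"name": "Example Group", "technique_id": "T1059.001", "technique": "PowerShell",
     "relationship_description": "Also used PowerShell (constructed).",
     "tactic": [phase("execution")],
     "external_references": [{"source_name": "mitre-attack", "external_id": "G9999"}]},
    {"name": "Revoked Group", "technique_id": "T1105", "technique": "Ingress Tool Transfer",
     "relationship_description": "Group not in the filtered list (constructed).",
     "tactic": [phase("command-and-control")],
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0000"}]},
]


def technique_entry(record, tactic):
    """One technique entry; 'tactic' is a single phase name or None."""
    return {
        "techniqueId": record["technique_id"],
        "techniqueName": record["technique"],
        "comment": record["relationship_description"],
        "tactic": tactic,
        "group_id": record["external_references"][0]["external_id"],
    }


def group_techniques(groups, techniques_used):
    """Map group name -> list of technique entries.

    A dict keyed by group name replaces the notebook's nested loops, so each
    relationship record is visited once. A technique tied to several tactics
    yields one entry per tactic (the Navigator shows it under each of them);
    an empty tactic list yields one entry with tactic=None so it is not lost.
    """
    index = {g["name"]: [] for g in groups}
    for record in techniques_used:
        bucket = index.get(record["name"])
        if bucket is None:
            continue  # group is not in the (revoked-filtered) group list
        tactics = [p.phase_name for p in record["tactic"]] or [None]
        for tactic in tactics:
            bucket.append(technique_entry(record, tactic))
    return index


def as_groups_list(index):
    """Same shape as the notebook's groups_list: one {name: [...]} dict per group."""
    return [{name: entries} for name, entries in index.items()]


def techniques_for(groups_list, group_name):
    """Look a group up by name; a positional index like groups_list[89] shifts
    whenever ATT&CK adds or revokes a group."""
    for group in groups_list:
        if group_name in group:
            return group[group_name]
    raise KeyError(group_name)


if __name__ == "__main__":
    layers = as_groups_list(group_techniques(SAMPLE_GROUPS, SAMPLE_TECHNIQUES_USED))
    for entry in techniques_for(layers, "Lazarus Group"):
        print(entry["techniqueId"], entry["tactic"], entry["comment"])
```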

for group in groups_list:
    for group_name,techniques_list in group.items():
        for gut in techniques_used:
            if group_name == gut['name']:
                technique_dict = dict()
                technique_dict['techniqueId'] = gut['technique_id']
                technique_dict['techniqueName'] = gut['technique']
                technique_dict['comment'] = gut['relationship_description']
                technique_dict['tactic'] = gut['tactic']
                technique_dict['group_id'] = gut['external_references'][0]['external_id']
                techniques_list.append(technique_dict)
groups_list[89]
{'Lazarus Group': [{'techniqueId': 'T1036.005',
   'techniqueName': 'Match Legitimate Name or Location',
   'comment': "[Lazarus Group](https://attack.mitre.org/groups/G0032) has renamed the [TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) main executable to disguise itself as Microsoft's narrator.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)",
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1583.006',
   'techniqueName': 'Web Services',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has hosted malicious downloads on Github.(Citation: CISA AppleJeus Feb 2021)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1588.004',
   'techniqueName': 'Digital Certificates',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has obtained SSL certificates for their C2 domains.(Citation: CISA AppleJeus Feb 2021)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1587.001',
   'techniqueName': 'Malware',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has developed several custom malware for use in operations.(Citation: CISA AppleJeus Feb 2021)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1583.001',
   'techniqueName': 'Domains',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has acquired infrastructure related to their campaigns to act as distribution points and C2 channels.(Citation: CISA AppleJeus Feb 2021)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1218.005',
   'techniqueName': 'Mshta',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has used mshta.exe to run malicious scripts and download programs.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1059.001',
   'techniqueName': 'PowerShell',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has used Powershell to download malicious payloads.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1059.005',
   'techniqueName': 'Visual Basic',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has used VBScript to gather information about a victim machine. (Citation: F-Secure Lazarus Cryptocurrency Aug 2020)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1027.002',
   'techniqueName': 'Software Packing',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has used Themida to pack at least two separate backdoor implants.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1036.004',
   'techniqueName': 'Masquerade Task or Service',
   'comment': 'A [Lazarus Group](https://attack.mitre.org/groups/G0032) custom backdoor implant included a custom PE loader named "Security Package" that was added into the lsass.exe process via registry key.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) ',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1112',
   'techniqueName': 'Modify Registry',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has modified registry keys using the reg windows utility for its custom backdoor implants.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1547.005',
   'techniqueName': 'Security Support Provider',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has rebooted victim machines to establish persistence by installing a SSP DLL.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'),
    KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1566.003',
   'techniqueName': 'Spearphishing via Service',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has used fake job advertisements sent via LinkedIn to spearphish victims.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) ',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1571',
   'techniqueName': 'Non-Standard Port',
   'comment': 'Some [Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1560.003',
   'techniqueName': 'Archive via Custom Method',
   'comment': 'A [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample encrypts data using a simple byte based XOR operation prior to exfiltration.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1491.001',
   'techniqueName': 'Internal Defacement',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) replaced the background wallpaper of systems with a threatening image after rendering the system unbootable with a [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)(Citation: Novetta Blockbuster Destructive Malware)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='impact')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1562.004',
   'techniqueName': 'Disable or Modify System Firewall',
   'comment': 'Various [Lazarus Group](https://attack.mitre.org/groups/G0032) malware modifies the Windows firewall to allow incoming connections or disable it entirely using [netsh](https://attack.mitre.org/software/S0108). (Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1001.003',
   'techniqueName': 'Protocol Impersonation',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, evading SSL man-in-the-middle decryption attacks.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1059.003',
   'techniqueName': 'Windows Command Shell',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses cmd.exe to execute commands on victims.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: US-CERT SHARPKNOT June 2018)(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) A Destover-like variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) uses a batch file mechanism to delete its binaries from the system.(Citation: McAfee GhostSecret)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1529',
   'techniqueName': 'System Shutdown/Reboot',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has rebooted systems after destroying files and wiping the MBR on infected systems.(Citation: US-CERT SHARPKNOT June 2018)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='impact')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1496',
   'techniqueName': 'Resource Hijacking',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has subset groups like Bluenoroff who have used cryptocurrency mining software on victim machines.(Citation: Kaspersky Lazarus Under The Hood Blog 2017)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='impact')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1485',
   'techniqueName': 'Data Destruction',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has used a custom secure delete function to overwrite file contents with data from heap memory.(Citation: Novetta Blockbuster)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='impact')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1561.001',
   'techniqueName': 'Disk Content Wipe',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.(Citation: Novetta Blockbuster Destructive Malware)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='impact')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1561.002',
   'techniqueName': 'Disk Structure Wipe',
   'comment': "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine and has possessed MBR wiper malware since at least 2009.(Citation: US-CERT SHARPKNOT June 2018)(Citation: Novetta Blockbuster)",
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='impact')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1489',
   'techniqueName': 'Service Stop',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has stopped the MSExchangeIS service to render Exchange contents inaccessible to users.(Citation: Novetta Blockbuster Destructive Malware)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='impact')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1189',
   'techniqueName': 'Drive-by Compromise',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) delivered [RATANKBA](https://attack.mitre.org/software/S0241) to victims via a compromised legitimate website.(Citation: RATANKBA)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1124',
   'techniqueName': 'System Time Discovery',
   'comment': 'A Destover-like implant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) can obtain the current system time and send it to the C2 server.(Citation: McAfee GhostSecret)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1218.001',
   'techniqueName': 'Compiled HTML File',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has used CHM files to move concealed payloads.(Citation: Kaspersky Lazarus Under The Hood APR 2017)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1566.001',
   'techniqueName': 'Spearphishing Attachment',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has targeted victims with spearphishing emails containing malicious Microsoft Word documents.(Citation: McAfee Bankshot)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1003.001',
   'techniqueName': 'LSASS Memory',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) leveraged [Mimikatz](https://attack.mitre.org/software/S0002) to extract Windows Credentials of currently logged-in users and steals passwords stored in browsers.(Citation: Lazarus KillDisk) [Lazarus Group](https://attack.mitre.org/groups/G0032) has also used a custom version [Mimikatz](https://attack.mitre.org/software/S0002) to capture credentials.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) ',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1203',
   'techniqueName': 'Exploitation for Client Execution',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.(Citation: McAfee Bankshot)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1204.002',
   'techniqueName': 'Malicious File',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.(Citation: McAfee Bankshot)(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1071.001',
   'techniqueName': 'Web Protocols',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware has conducted C2 over HTTP and HTTPS.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1055.001',
   'techniqueName': 'Dynamic-link Library Injection',
   'comment': 'A [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample performs reflective DLL injection.(Citation: McAfee Lazarus Resurfaces Feb 2018)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion'),
    KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1564.001',
   'techniqueName': 'Hidden Files and Directories',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1547.009',
   'techniqueName': 'Shortcut Modification',
   'comment': 'A [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample adds persistence on the system by creating a shortcut in the user’s Startup folder.(Citation: McAfee Lazarus Resurfaces Feb 2018)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'),
    KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1132.001',
   'techniqueName': 'Standard Encoding',
   'comment': 'A [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample encodes data with base64.(Citation: McAfee Lazarus Resurfaces Feb 2018)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1090.002',
   'techniqueName': 'External Proxy',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) uses multiple proxies to obfuscate network traffic from victims.(Citation: US-CERT FALLCHILL Nov 2017)(Citation: TrendMicro macOS Dacls May 2020)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1134.002',
   'techniqueName': 'Create Process with Token',
   'comment': "[Lazarus Group](https://attack.mitre.org/groups/G0032) keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call <code>CreateProcessAsUserA</code> under that user's context.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Tools)",
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion'),
    KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1033',
   'techniqueName': 'System Owner/User Discovery',
   'comment': 'Various [Lazarus Group](https://attack.mitre.org/groups/G0032) malware enumerates logged-on users.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1065',
   'techniqueName': 'Uncommonly Used Port',
   'comment': 'Some [Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes uncommonly used ports such as 995, 1816, 465, 1521, 3306, and many others.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)',
   'tactic': [],
   'group_id': 'G0032'},
  {'techniqueId': 'T1542.003',
   'techniqueName': 'Bootkit',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'),
    KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1047',
   'techniqueName': 'Windows Management Instrumentation',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware SierraAlfa uses the Windows Management Instrumentation Command-line application wmic to start itself on a target system during lateral movement.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1021.001',
   'techniqueName': 'Remote Desktop Protocol',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware SierraCharlie uses RDP for propagation.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='lateral-movement')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1048.003',
   'techniqueName': 'Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='exfiltration')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1043',
   'techniqueName': 'Commonly Used Port',
   'comment': 'Some [Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes commonly used ports such as 443, 53, 80, 25, and 8080.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1005',
   'techniqueName': 'Data from Local System',
   'comment': "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. [Lazarus Group](https://attack.mitre.org/groups/G0032) malware RomeoDelta copies specified directories from the victim's machine, then archives and encrypts the directories before uploading to its C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs) [Lazarus Group](https://attack.mitre.org/groups/G0032) has used wevtutil to export Window security event logs.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) ",
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1110.003',
   'techniqueName': 'Password Spraying',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1008',
   'techniqueName': 'Fallback Channels',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server to attempt the transmission again.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1021.002',
   'techniqueName': 'SMB/Windows Admin Shares',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware SierraAlfa accesses the <code>ADMIN$</code> share via SMB to conduct lateral movement.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='lateral-movement')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1074.001',
   'techniqueName': 'Local Data Staging',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1547.001',
   'techniqueName': 'Registry Run Keys / Startup Folder',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware attempts to maintain persistence by saving itself in the Start menu folder or by adding a Registry Run key.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'),
    KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1056.001',
   'techniqueName': 'Keylogging',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware KiloAlfa contains keylogging functionality.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Tools)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection'),
    KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1560',
   'techniqueName': 'Archive Collected Data',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server. (Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1041',
   'techniqueName': 'Exfiltration Over C2 Channel',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Another [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample also performs exfiltration over the C2 channel.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='exfiltration')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1026',
   'techniqueName': 'Multiband Communication',
   'comment': 'Some [Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses multiple channels for C2, such as RomeoWhiskey-Two, which consists of a RAT channel that parses data in datagram form and a Proxy channel that forms virtual point-to-point sessions.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1562.001',
   'techniqueName': 'Disable or Modify Tools',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, [Lazarus Group](https://attack.mitre.org/groups/G0032) malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)(Citation: US-CERT SHARPKNOT June 2018). During a 2019 intrusion, [Lazarus Group](https://attack.mitre.org/groups/G0032) disabled Windows Defender and Credential Guard as some of their first actions on host.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) ',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1016',
   'techniqueName': 'System Network Configuration Discovery',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1010',
   'techniqueName': 'Application Window Discovery',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KilaAlfa keylogger also reports the title of the window in the foreground.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1057',
   'techniqueName': 'Process Discovery',
   'comment': 'Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) also gathers process times.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)(Citation: TrendMicro macOS Dacls May 2020)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1012',
   'techniqueName': 'Query Registry',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample checks for the presence of the following Registry key:<code>HKEY_CURRENT_USER\\Software\\Bitcoin\\Bitcoin-Qt</code>.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1560.002',
   'techniqueName': 'Archive via Library',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1105',
   'techniqueName': 'Ingress Tool Transfer',
   'comment': 'Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families are capable of downloading and executing binaries from its C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1083',
   'techniqueName': 'File and Directory Discovery',
   'comment': 'Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware samples use a common function to identify target files by their extension. [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families can also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.(Citation: Novetta Blockbuster)(Citation: McAfee GhostSecret)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1573.001',
   'techniqueName': 'Symmetric Cryptography',
   'comment': 'Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample XORs C2 traffic. Other [Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses Caracachs encryption to encrypt C2 payloads.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1070.004',
   'techniqueName': 'File Deletion',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware deletes files in various ways, including "suicide scripts" to delete malware binaries from the victim. [Lazarus Group](https://attack.mitre.org/groups/G0032) also uses secure file deletion to delete files from the victim.(Citation: Novetta Blockbuster)(Citation: McAfee GhostSecret)(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) ',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1098',
   'techniqueName': 'Account Manipulation',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1543.003',
   'techniqueName': 'Windows Service',
   'comment': 'Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families install themselves as new services on victims.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'),
    KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1082',
   'techniqueName': 'System Information Discovery',
   'comment': 'Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) also collects disk space information and sends it to its C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret).',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1070.006',
   'techniqueName': 'Timestomp',
   'comment': 'Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee GhostSecret)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')],
   'group_id': 'G0032'},
  {'techniqueId': 'T1027',
   'techniqueName': 'Obfuscated Files or Information',
   'comment': '[Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses multiple types of encryption and encoding in its malware files, including AES, Caracachs, RC4, basic XOR with constant 0xA7, and other techniques.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: TrendMicro macOS Dacls May 2020)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')],
   'group_id': 'G0032'},
  {'techniqueId': 'T0865',
   'techniqueName': 'Spearphishing Attachment',
   'comment': '[Lazarus Group](https://collaborate.mitre.org/attackics/index.php/Group/G0008) has been observed targeting organizations using spearphishing documents with embedded malicious payloads.(Citation: Novetta Blockbuster) Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company.(Citation: Dragos Mar 2018)',
   'tactic': [KillChainPhase(kill_chain_name='mitre-ics-attack', phase_name='initial-access-ics')],
   'group_id': 'G0032'}]}

Run the dynamic Navigator layer template

import json

for group in groups_list:
    for k, v in group.items():          # k: group name, v: list of technique records
        if v:                           # skip groups with no technique relationships
            group_id = v[0]['group_id']
            actor_layer = {
                "description": "Enterprise techniques used by {0}, ATT&CK group {1} v1.0".format(k, group_id),
                "name": "{0} ({1})".format(k, group_id),
                "domain": "mitre-enterprise",
                "version": "2.2",
                # Every technique is written as-is. The relationships span all matrices,
                # so an ICS technique such as T0865 (kill chain 'mitre-ics-attack') on
                # G0032 above also ends up in this Enterprise layer, where it does not
                # correspond to any Enterprise technique.
                "techniques": [
                    {
                        "score": 1,
                        "techniqueID": technique['techniqueId'],
                        "techniqueName": technique['techniqueName'],   # not a Navigator field, kept for readability
                        "comment": technique['comment']
                    } for technique in v
                ],
                "gradient": {
                    "colors": [
                        "#ffffff",
                        "#ff6666"
                    ],
                    "minValue": 0,
                    "maxValue": 1
                },
                "legendItems": [
                    {
                        "label": "used by {}".format(k),
                        "color": "#ff6666"
                    }
                ]
            }
            # File name is '<group name>_<group id>.json'; the name is used verbatim,
            # so it keeps spaces and characters such as '@' (see admin@338 below).
            with open('{0}_{1}.json'.format(k, group_id), 'w') as f:
                json.dump(actor_layer, f)
! ls *.json
ALLANITE_G1000.json           Indrik Spider_G0119.json
APT-C-36_G0099.json           Ke3chang_G0004.json
APT12_G0005.json              Kimsuky_G0094.json
APT16_G0023.json              Lazarus Group_G0032.json
APT17_G0025.json              Leafminer_G0077.json
APT18_G0026.json              Leviathan_G0065.json
APT19_G0073.json              Machete_G0095.json
APT1_G0006.json               Magic Hound_G0059.json
APT28_G0007.json              Moafee_G0002.json
APT29_G0016.json              Mofang_G0103.json
APT30_G0013.json              Molerats_G0021.json
APT32_G0050.json              MuddyWater_G0069.json
APT33_G0064.json              Mustang Panda_G0129.json
APT37_G0067.json              Naikon_G0019.json
APT38_G0082.json              Night Dragon_G0014.json
APT39_G0087.json              OilRig_G0049.json
APT3_G0022.json               Operation Wocao_G0116.json
APT41_G0096.json              Orangeworm_G0071.json
Ajax Security Team_G0130.json PLATINUM_G0068.json
Axiom_G0001.json              PROMETHIUM_G0056.json
BRONZE BUTLER_G0060.json      Patchwork_G0040.json
BlackOasis_G0063.json         PittyTiger_G0011.json
BlackTech_G0098.json          Poseidon Group_G0033.json
Blue Mockingbird_G0108.json   Putter Panda_G0024.json
Bouncing Golf_G0097.json      RTM_G0048.json
Carbanak_G0008.json           Rancor_G0075.json
Chimera_G0114.json            Rocke_G0106.json
Cleaver_G0003.json            Sandworm Team_G0034.json
Cobalt Group_G0080.json       Scarlet Mimic_G0029.json
CopyKittens_G0052.json        Sharpshooter_G0104.json
Dark Caracal_G0070.json       Sidewinder_G0121.json
DarkHydrus_G0079.json         Silence_G0091.json
DarkVishnya_G0105.json        Silent Librarian_G0122.json
Darkhotel_G0012.json          SilverTerrier_G0083.json
Deep Panda_G0009.json         Sowbug_G0054.json
Dragonfly 2.0_G0074.json      Stealth Falcon_G0038.json
Dragonfly_G0035.json          Stolen Pencil_G0086.json
Dust Storm_G0031.json         Strider_G0041.json
Elderwood_G0066.json          Suckfly_G0039.json
Equation_G0020.json           TA459_G0062.json
Evilnum_G0120.json            TA505_G0092.json
FIN10_G0051.json              TA551_G0127.json
FIN4_G0085.json               TEMP.Veles_G0088.json
FIN5_G0053.json               Taidoor_G0015.json
FIN6_G0037.json               The White Company_G0089.json
FIN7_G0046.json               Threat Group-1314_G0028.json
FIN8_G0061.json               Threat Group-3390_G0027.json
Fox Kitten_G0117.json         Thrip_G0076.json
Frankenstein_G0101.json       Tropic Trooper_G0081.json
GALLIUM_G0093.json            Turla_G0010.json
GCMAN_G0036.json              Volatile Cedar_G0123.json
GOLD SOUTHFIELD_G0115.json    WIRTE_G0090.json
Gallmaker_G0084.json          Whitefly_G0107.json
Gamaredon Group_G0047.json    Windigo_G0124.json
Gorgon Group_G0078.json       Windshift_G0112.json
Group5_G0043.json             Winnti Group_G0044.json
HAFNIUM_G0125.json            Wizard Spider_G0102.json
HEXANE_G1001.json             ZIRCONIUM_G0128.json
Higaisa_G0126.json            admin@338_G0018.json
Honeybee_G0072.json           menuPass_G0045.json
Inception_G0100.json

We can delete all the files with the following command.

! rm *.json
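The template above generalised, as an added example that is not part of the original notebook or of attackcti: it splits a group's techniques by ATT&CK kill chain before writing the mitre-enterprise layer (so an ICS technique such as T0865 on G0032 is not written into it), sanitises the group name used in the file name, and aggregates every group into one heat-map layer whose score is the number of groups observed using each technique. The input has the shape of groups_list above; the records below are constructed, with placeholder comments, and a tactic entry may be either a stix2 KillChainPhase object or a plain (kill_chain_name, phase_name) tuple so the example runs offline. The output directory layers_demo and the heat-map file name are my own choices.

```python
import json
import re
from collections import Counter
from pathlib import Path

LAYER_VERSION = "2.2"                   # layer-format version the template above writes
ENTERPRISE_KILL_CHAIN = "mitre-attack"  # STIX kill_chain_name of Enterprise tactics
ENTERPRISE_DOMAIN = "mitre-enterprise"  # matching Navigator domain
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")

def _kill_chain_name(tactic):
    """Works for stix2 KillChainPhase objects and for (kill_chain, phase) tuples."""
    return getattr(tactic, "kill_chain_name", None) or tactic[0]

def select_techniques(records, kill_chain=ENTERPRISE_KILL_CHAIN):
    """Keep only records with a tactic in this kill chain. Group relationships span
    every matrix, so G0032 also carries ICS techniques (T0xxx, 'mitre-ics-attack')
    that must not be written into a 'mitre-enterprise' layer."""
    return [r for r in records
            if any(_kill_chain_name(t) == kill_chain for t in r["tactic"])]

def layer_filename(group_name, group_id):
    """Group names contain spaces and '@' (admin@338); anything outside
    [A-Za-z0-9._-] becomes '_' so a name can never escape the output directory."""
    return f"{_UNSAFE.sub('_', group_name)}_{group_id}.json"

def build_group_layer(group_name, records, kill_chain=ENTERPRISE_KILL_CHAIN,
                      domain=ENTERPRISE_DOMAIN):
    """One layer per group (score 1 on each technique); None if nothing is left."""
    techniques = select_techniques(records, kill_chain)
    if not techniques:
        return None
    group_id = techniques[0]["group_id"]
    return {
        "name": f"{group_name} ({group_id})",
        "description": f"{domain} techniques used by {group_name}, ATT&CK group {group_id}",
        "domain": domain,
        "version": LAYER_VERSION,
        "techniques": [{"techniqueID": t["techniqueId"], "score": 1, "comment": t["comment"]}
                       for t in techniques],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
    }

def build_heatmap_layer(groups_list, kill_chain=ENTERPRISE_KILL_CHAIN,
                        domain=ENTERPRISE_DOMAIN):
    """Aggregate layer: score = number of distinct groups using the technique."""
    counts = Counter()
    for group in groups_list:
        for records in group.values():
            counts.update({r["techniqueId"] for r in select_techniques(records, kill_chain)})
    if not counts:
        return None
    return {
        "name": "technique frequency across groups",
        "description": f"score = how many of {len(groups_list)} groups use the technique",
        "domain": domain,
        "version": LAYER_VERSION,
        "techniques": [{"techniqueID": tid, "score": n, "comment": f"used by {n} group(s)"}
                       for tid, n in sorted(counts.items())],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(counts.values())},
    }

def write_layers(groups_list, out_dir):
    """Write one file per group plus the heat map; return the paths written."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for group in groups_list:
        for name, records in group.items():
            layer = build_group_layer(name, records)
            if layer:
                written.append(out / layer_filename(name, records[0]["group_id"]))
                written[-1].write_text(json.dumps(layer, indent=2))
    heat = build_heatmap_layer(groups_list)
    if heat:
        written.append(out / "all_groups_heatmap.json")
        written[-1].write_text(json.dumps(heat, indent=2))
    return written

# Constructed sample in the shape of groups_list; 'comment' values are placeholders.
SAMPLE_GROUPS = [
    {"Lazarus Group": [
        {"techniqueId": "T1105", "comment": "sample", "group_id": "G0032",
         "tactic": [("mitre-attack", "command-and-control")]},
        {"techniqueId": "T1543.003", "comment": "sample", "group_id": "G0032",
         "tactic": [("mitre-attack", "persistence"), ("mitre-attack", "privilege-escalation")]},
        {"techniqueId": "T0865", "comment": "sample", "group_id": "G0032",
         "tactic": [("mitre-ics-attack", "initial-access-ics")]}]},
    {"APT28": [
        {"techniqueId": "T1105", "comment": "sample", "group_id": "G0007",
         "tactic": [("mitre-attack", "command-and-control")]}]},
    {"No Enterprise Data": []},
]

if __name__ == "__main__":
    for path in write_layers(SAMPLE_GROUPS, "layers_demo"):
        print(path)
```

Passing kill_chain="mitre-ics-attack" with the corresponding Navigator domain to build_group_layer produces the ICS layer for the same group, so one record set yields one layer per matrix instead of a mixed one.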

Create Navigator Group Layer Files - (Automatic)


from attackcti import attack_client
lift = attack_client()

%time lift.export_groups_navigator_layers()
CPU times: user 7.66 s, sys: 182 ms, total: 7.85 s
Wall time: 12.1 s
! ls *.json
ALLANITE_G1000.json           Indrik Spider_G0119.json
APT-C-36_G0099.json           Ke3chang_G0004.json
APT12_G0005.json              Kimsuky_G0094.json
APT16_G0023.json              Lazarus Group_G0032.json
APT17_G0025.json              Leafminer_G0077.json
APT18_G0026.json              Leviathan_G0065.json
APT19_G0073.json              Machete_G0095.json
APT1_G0006.json               Magic Hound_G0059.json
APT28_G0007.json              Moafee_G0002.json
APT29_G0016.json              Mofang_G0103.json
APT30_G0013.json              Molerats_G0021.json
APT32_G0050.json              MuddyWater_G0069.json
APT33_G0064.json              Mustang Panda_G0129.json
APT37_G0067.json              Naikon_G0019.json
APT38_G0082.json              Night Dragon_G0014.json
APT39_G0087.json              OilRig_G0049.json
APT3_G0022.json               Operation Wocao_G0116.json
APT41_G0096.json              Orangeworm_G0071.json
Ajax Security Team_G0130.json PLATINUM_G0068.json
Axiom_G0001.json              PROMETHIUM_G0056.json
BRONZE BUTLER_G0060.json      Patchwork_G0040.json
BlackOasis_G0063.json         PittyTiger_G0011.json
BlackTech_G0098.json          Poseidon Group_G0033.json
Blue Mockingbird_G0108.json   Putter Panda_G0024.json
Bouncing Golf_G0097.json      RTM_G0048.json
Carbanak_G0008.json           Rancor_G0075.json
Chimera_G0114.json            Rocke_G0106.json
Cleaver_G0003.json            Sandworm Team_G0034.json
Cobalt Group_G0080.json       Scarlet Mimic_G0029.json
CopyKittens_G0052.json        Sharpshooter_G0104.json
Dark Caracal_G0070.json       Sidewinder_G0121.json
DarkHydrus_G0079.json         Silence_G0091.json
DarkVishnya_G0105.json        Silent Librarian_G0122.json
Darkhotel_G0012.json          SilverTerrier_G0083.json
Deep Panda_G0009.json         Sowbug_G0054.json
Dragonfly 2.0_G0074.json      Stealth Falcon_G0038.json
Dragonfly_G0035.json          Stolen Pencil_G0086.json
Dust Storm_G0031.json         Strider_G0041.json
Elderwood_G0066.json          Suckfly_G0039.json
Equation_G0020.json           TA459_G0062.json
Evilnum_G0120.json            TA505_G0092.json
FIN10_G0051.json              TA551_G0127.json
FIN4_G0085.json               TEMP.Veles_G0088.json
FIN5_G0053.json               Taidoor_G0015.json
FIN6_G0037.json               The White Company_G0089.json
FIN7_G0046.json               Threat Group-1314_G0028.json
FIN8_G0061.json               Threat Group-3390_G0027.json
Fox Kitten_G0117.json         Thrip_G0076.json
Frankenstein_G0101.json       Tropic Trooper_G0081.json
GALLIUM_G0093.json            Turla_G0010.json
GCMAN_G0036.json              Volatile Cedar_G0123.json
GOLD SOUTHFIELD_G0115.json    WIRTE_G0090.json
Gallmaker_G0084.json          Whitefly_G0107.json
Gamaredon Group_G0047.json    Windigo_G0124.json
Gorgon Group_G0078.json       Windshift_G0112.json
Group5_G0043.json             Winnti Group_G0044.json
HAFNIUM_G0125.json            Wizard Spider_G0102.json
HEXANE_G1001.json             ZIRCONIUM_G0128.json
Higaisa_G0126.json            admin@338_G0018.json
Honeybee_G0072.json           menuPass_G0045.json
Inception_G0100.json

We can delete all the files with the following command.

! rm *.json
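Whichever path produced the files, it is worth checking them before importing them into the Navigator. The validator below is an added example, not part of attackcti or of the original notebook; the fields it checks (name, domain, version, techniques, techniqueID, score, gradient) are the ones the template above writes, and the two layers it is run against are constructed here: one clean, one carrying the defects the checks are meant to catch (an ICS technique in a mitre-enterprise layer, a technique listed twice, a score outside the gradient range and a malformed ID).

```python
import json
import re
from pathlib import Path

REQUIRED_LAYER_KEYS = {"name", "domain", "version", "techniques"}
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")   # T1105, T1543.003, T0865

def validate_layer(layer):
    """Return a list of problems; an empty list means the layer passes."""
    problems = []
    missing = REQUIRED_LAYER_KEYS - set(layer)
    if missing:
        problems.append(f"missing keys: {sorted(missing)}")
        return problems
    gradient = layer.get("gradient", {})
    lo, hi = gradient.get("minValue", 0), gradient.get("maxValue", 1)
    seen = set()
    for i, tech in enumerate(layer["techniques"]):
        tid = tech.get("techniqueID")
        if not isinstance(tid, str) or not TECHNIQUE_ID.match(tid):
            problems.append(f"techniques[{i}]: malformed techniqueID {tid!r}")
            continue
        if tid in seen:
            problems.append(f"{tid}: listed more than once")
        seen.add(tid)
        # ICS technique IDs are T08xx; one in an Enterprise layer means the
        # source relationships were not split by matrix before export.
        if layer["domain"] == "mitre-enterprise" and tid.startswith("T0"):
            problems.append(f"{tid}: ICS technique in a mitre-enterprise layer")
        score = tech.get("score")
        if score is not None and not lo <= score <= hi:
            problems.append(f"{tid}: score {score} outside gradient range [{lo}, {hi}]")
    return problems

def validate_directory(path):
    """Map file name -> problems for every *.json layer under path."""
    results = {}
    for file in sorted(Path(path).glob("*.json")):
        try:
            layer = json.loads(file.read_text())
        except json.JSONDecodeError as exc:
            results[file.name] = [f"not valid JSON: {exc}"]
            continue
        results[file.name] = validate_layer(layer)
    return results

# Constructed layers: CLEAN_LAYER passes; BROKEN_LAYER carries one instance of
# each defect the checks above are written for.
CLEAN_LAYER = {
    "name": "APT28 (G0007)", "domain": "mitre-enterprise", "version": "2.2",
    "techniques": [{"techniqueID": "T1105", "score": 1, "comment": "sample"}],
    "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
}
BROKEN_LAYER = {
    "name": "Lazarus Group (G0032)", "domain": "mitre-enterprise", "version": "2.2",
    "techniques": [
        {"techniqueID": "T1105", "score": 1},
        {"techniqueID": "T1105", "score": 3},   # duplicate, and 3 > maxValue
        {"techniqueID": "T0865", "score": 1},   # ICS technique in an Enterprise layer
        {"techniqueID": "1105", "score": 1},    # missing the 'T' prefix
    ],
    "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
}

if __name__ == "__main__":
    for label, layer in (("clean", CLEAN_LAYER), ("broken", BROKEN_LAYER)):
        print(label, validate_layer(layer) or "ok")
```

Run validate_directory against the folder holding the exported files to get a per-file report before any of them is loaded into the Navigator.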