# ATT&CK To Excel

This folder contains a module for converting ATT&CK STIX data to Excel spreadsheets. It also provides a means to access ATT&CK data as Pandas DataFrames for data analysis.

## Usage

### Command Line

Print full usage instructions:

```bash
attack-to-excel --help
```

Example execution:

```bash
attack-to-excel from-stix
```

Build Excel files corresponding to a specific domain and version of ATT&CK:

```bash
attack-to-excel from-stix --domain mobile-attack --version v5.0
```

Build Excel files for all ATT&CK domains from a release. If local STIX files are missing under `attack-releases/stix-2.0/v19.0`, they are downloaded temporarily for the export:

```bash
attack-to-excel from-release --version v19.0
```

To persist release STIX files before exporting, use `download_attack_stix`:

```bash
download_attack_stix -v 19.0
attack-to-excel from-release --version v19.0
```

Build Excel files for selected ATT&CK domains from a release:

```bash
attack-to-excel from-release --version v19.0 --domains mobile-attack --domains ics-attack
```

`attack-to-excel` refuses to run when generated output directories already contain Excel files. Pass `--overwrite` to `from-stix` or `from-release` to replace existing Excel files. Pass `-v` or `--verbose` to show debug logs, including sheet-level write messages.
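The refuse-unless-overwrite rule described above, reproduced as a small Python guard. This is an added example and not the project's own implementation; the function names `existing_excel_files` and `check_output_dir` and the per-domain folder layout used in `demo()` are assumptions for the illustration.

```python
"""Added example (not part of mitreattack-python): a pre-flight check that
refuses to write Excel output into a directory that already holds .xlsx
files unless overwrite is explicitly requested. Names are hypothetical."""
from pathlib import Path
import tempfile


def existing_excel_files(output_dir: Path) -> list:
    """List every .xlsx file already present under output_dir (recursively)."""
    return sorted(p for p in Path(output_dir).rglob("*.xlsx") if p.is_file())


def check_output_dir(output_dir: Path, overwrite: bool = False) -> list:
    """Return the files an export would replace; raise unless overwrite is set.

    Raising before any sheet is written keeps a half-finished export from
    silently clobbering a previous, possibly hand-annotated, workbook.
    """
    output_dir = Path(output_dir)
    existing = existing_excel_files(output_dir)
    if existing and not overwrite:
        names = ", ".join(str(p.relative_to(output_dir)) for p in existing)
        raise FileExistsError(
            f"{output_dir} already contains Excel output ({names}); "
            "pass overwrite=True (CLI: --overwrite) to replace it"
        )
    return existing


def demo() -> dict:
    """Exercise the guard in a throwaway directory; returns what each call did."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        result = {"empty_ok": check_output_dir(out) == []}
        # Constructed stand-in for a previous export (folder/file names assumed).
        domain_dir = out / "enterprise-attack-v19.0"
        domain_dir.mkdir()
        (domain_dir / "enterprise-attack-v19.0-techniques.xlsx").write_bytes(b"")
        try:
            check_output_dir(out)
            result["refused"] = False
        except FileExistsError:
            result["refused"] = True
        result["overwrite_count"] = len(check_output_dir(out, overwrite=True))
    return result


if __name__ == "__main__":
    print(demo())
```

The recursive scan matters because the real tool writes one sub-folder per domain and version; checking only the top-level directory would miss an earlier export.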

### Module

Example execution targeting a specific domain and version:

```python
import mitreattack.attackToExcel.attackToExcel as attackToExcel

attackToExcel.export("mobile-attack", "v5.0", "/path/to/export/folder")
```

Example execution targeting all release domains:

```python
import mitreattack.attackToExcel.attackToExcel as attackToExcel

attackToExcel.export_release(version="v19.0", output_dir="output")
```

## Interfaces

### attackToExcel

`attackToExcel` provides the means by which to convert/extract the ATT&CK STIX data to Excel spreadsheets. A brief overview of the available methods follows.

| method name | arguments | usage |
|---|---|---|
| `get_stix_data` | `domain`: the domain of ATT&CK to fetch data from<br>`version`: optional parameter indicating which version to fetch data from (such as "v8.1"). If omitted, retrieves the most recent version of ATT&CK.<br>`remote`: optional parameter that provides a URL of a remote ATT&CK Workbench instance to grab data from. | Retrieves the ATT&CK STIX data for the specified version and returns it as a MemoryStore object |
| `build_dataframes` | `src`: MemoryStore or other stix2 DataSource object holding domain data<br>`domain`: domain of ATT&CK that `src` corresponds to | Builds a Pandas DataFrame collection as a dictionary, with keys for each type, based on the ATT&CK data provided |
| `write_excel` | `dataframes`: pandas DataFrame dictionary (generated by `build_dataframes`)<br>`domain`: domain of ATT&CK that `dataframes` corresponds to<br>`version`: optional parameter indicating which version of ATT&CK is in use<br>`output_dir`: optional parameter specifying output directory<br>`overwrite`: optional parameter allowing existing Excel files to be replaced | Writes out DataFrame-based ATT&CK data to Excel files |
| `export` | `domain`: the domain of ATT&CK to download<br>`version`: optional parameter specifying which version of ATT&CK to download<br>`output_dir`: optional parameter specifying output directory<br>`overwrite`: optional parameter allowing existing Excel files to be replaced | Downloads ATT&CK data from MITRE/CTI and exports it to Excel spreadsheets |
| `export_release` | `version`: optional ATT&CK release version<br>`stix_version`: STIX release tree, such as "2.0" or "2.1"<br>`output_dir`: parent output directory<br>`stix_base_dir`: optional directory containing release STIX files<br>`domains`: optional list of domains<br>`versioned_output_dir`: preserve domain-version output folders<br>`overwrite`: optional parameter allowing existing Excel files to be replaced | Exports a full ATT&CK release to Excel spreadsheets, downloading missing STIX files temporarily when needed |

### stixToDf

`stixToDf` provides various methods to process and manipulate the STIX data in order to create Pandas DataFrames for processing. A brief overview of these methods follows.

| method name | arguments | usage |
|---|---|---|
| `techniquesToDf` | `src`: MemoryStore or other stix2 DataSource object holding domain data<br>`domain`: domain of ATT&CK that `src` corresponds to | Parses STIX techniques from the provided data and returns corresponding Pandas DataFrames. |
| `tacticsToDf` | `src`: MemoryStore or other stix2 DataSource object holding domain data<br>`domain`: domain of ATT&CK that `src` corresponds to | Parses STIX tactics from the provided data and returns corresponding Pandas DataFrames. |
| `softwareToDf` | `src`: MemoryStore or other stix2 DataSource object holding domain data<br>`domain`: domain of ATT&CK that `src` corresponds to | Parses STIX software from the provided data and returns corresponding Pandas DataFrames. |
| `groupsToDf` | `src`: MemoryStore or other stix2 DataSource object holding domain data<br>`domain`: domain of ATT&CK that `src` corresponds to | Parses STIX groups from the provided data and returns corresponding Pandas DataFrames. |
| `mitigationsToDf` | `src`: MemoryStore or other stix2 DataSource object holding domain data<br>`domain`: domain of ATT&CK that `src` corresponds to | Parses STIX mitigations from the provided data and returns corresponding Pandas DataFrames. |
| `relationshipsToDf` | `src`: MemoryStore or other stix2 DataSource object holding domain data<br>`domain`: domain of ATT&CK that `src` corresponds to | Parses STIX relationships from the provided data and returns corresponding Pandas DataFrames. |
| `matricesToDf` | `src`: MemoryStore or other stix2 DataSource object holding domain data<br>`domain`: domain of ATT&CK that `src` corresponds to | Parses STIX matrices from the provided data and returns a parsed matrix structure of the form `[{matrix, name, description, merge, border}, ...]` |

## Spreadsheet format

The Excel representation of the ATT&CK dataset includes both master spreadsheets, containing all object types, and individual spreadsheets for each object type. The individual type spreadsheets break out relationships (e.g. procedure examples connecting groups to techniques) into separate sheets by relationship type, while the master spreadsheet includes all relationship types in a single sheet. Otherwise, the representation is identical.

A citations sheet can be used to look up the in-text citations which appear in some fields. For domains that include multiple matrices, such as Mobile ATT&CK, each matrix gets its own named sheet. Unlike the STIX dataset, objects that have been revoked or deprecated are not included in the spreadsheets.
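To make concrete what the `stixToDf` methods in the interface table do and how the citations sheet and the revoked/deprecated filtering described above come about, here is a miniature of that STIX-to-table step written as an added example; it is not the project's code. It runs on a constructed list of STIX-style objects embedded in the block, so it needs no network access and no pandas (rows are plain dicts that `pandas.DataFrame(rows)` would accept). The field names it reads (`external_references` with `source_name: "mitre-attack"`, `revoked`, `x_mitre_deprecated`, `x_mitre_is_subtechnique`, and `(Citation: ...)` markers in descriptions) follow ATT&CK's STIX conventions; the technique IDs, names and reference URLs in the sample are made up.

```python
"""Added example (not part of mitreattack-python): build technique and
citation row tables from STIX-style objects, dropping revoked and deprecated
entries the way the spreadsheets do. All sample data below is constructed."""
import re
from typing import Dict, List

# Constructed sample: technique, sub-technique, one revoked, one deprecated.
SAMPLE_OBJECTS = [
    {"type": "attack-pattern", "id": "attack-pattern--aaaa", "name": "Example Technique",
     "description": "Adversaries may do X.(Citation: Example Ref 1)",
     "external_references": [
         {"source_name": "mitre-attack", "external_id": "T9999",
          "url": "https://attack.mitre.org/techniques/T9999"},
         {"source_name": "Example Ref 1", "description": "Author. (2020). Title.",
          "url": "https://example.invalid/ref1"}]},
    {"type": "attack-pattern", "id": "attack-pattern--bbbb",
     "name": "Example Technique: Sub Thing", "x_mitre_is_subtechnique": True,
     "description": "A variant.(Citation: Example Ref 1)(Citation: Example Ref 2)",
     "external_references": [
         {"source_name": "mitre-attack", "external_id": "T9999.001",
          "url": "https://attack.mitre.org/techniques/T9999/001"},
         {"source_name": "Example Ref 2", "description": "Other. (2021). Paper.",
          "url": "https://example.invalid/ref2"}]},
    {"type": "attack-pattern", "id": "attack-pattern--cccc", "name": "Old Technique",
     "revoked": True, "description": "Superseded.",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9998"}]},
    {"type": "attack-pattern", "id": "attack-pattern--dddd", "name": "Stale Technique",
     "x_mitre_deprecated": True, "description": "No longer tracked.(Citation: Example Ref 3)",
     "external_references": [
         {"source_name": "mitre-attack", "external_id": "T9997"},
         {"source_name": "Example Ref 3", "description": "Gone. (2019).", "url": ""}]},
]

# In-text citation markers look like "(Citation: Some Source Name)".
CITATION_RE = re.compile(r"\(Citation: ([^)]+)\)")


def attack_id(obj: dict) -> str:
    """Return the ATT&CK ID (e.g. T9999) from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id", "")
    return ""


def is_active(obj: dict) -> bool:
    """The STIX data keeps revoked/deprecated objects; the spreadsheets omit them."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def techniques_to_rows(objects: List[dict]) -> Dict[str, List[dict]]:
    """Return {'techniques': rows, 'citations': rows}, one row dict per sheet line."""
    techniques, citations, seen = [], [], set()
    for obj in objects:
        if obj.get("type") != "attack-pattern" or not is_active(obj):
            continue
        techniques.append({
            "ID": attack_id(obj),
            "name": obj["name"],
            "is sub-technique": bool(obj.get("x_mitre_is_subtechnique", False)),
            "description": obj.get("description", ""),
        })
        # Resolve each "(Citation: X)" marker against the object's own references,
        # de-duplicated so the citations table lists every source once.
        refs = {r["source_name"]: r for r in obj.get("external_references", [])}
        for key in CITATION_RE.findall(obj.get("description", "")):
            if key in seen:
                continue
            seen.add(key)
            ref = refs.get(key, {})
            citations.append({"reference": key,
                              "citation": ref.get("description", ""),
                              "url": ref.get("url", "")})
    return {"techniques": techniques, "citations": citations}


def lookup(rows: List[dict], column: str, needle: str) -> List[dict]:
    """Substring filter on one column, mirroring df[df[col].str.contains(needle)]."""
    return [r for r in rows if needle in r.get(column, "")]


if __name__ == "__main__":
    tables = techniques_to_rows(SAMPLE_OBJECTS)
    for row in lookup(tables["techniques"], "ID", "T9999"):
        print(row["ID"], row["name"])
    for row in tables["citations"]:
        print(row["reference"], "->", row["url"])
```

Note that the citation attached to the deprecated object never reaches the citations table, and the revoked technique is absent from the techniques table: anyone diffing the spreadsheet against the raw STIX bundle should expect those counts to differ.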

## Accessing the Pandas DataFrames

Internally, `attackToExcel` stores the parsed STIX data as Pandas DataFrames. These can be retrieved for use in data analysis.

Example of accessing Pandas DataFrames:

```python
import mitreattack.attackToExcel.attackToExcel as attackToExcel
import mitreattack.attackToExcel.stixToDf as stixToDf

# download and parse ATT&CK STIX data
attackdata = attackToExcel.get_stix_data("enterprise-attack")
techniques_data = stixToDf.techniquesToDf(attackdata, "enterprise-attack")

# show T1102 and sub-techniques of T1102
techniques_df = techniques_data["techniques"]
print(techniques_df[techniques_df["ID"].str.contains("T1102")]["name"])
# 512                                 Web Service
# 38     Web Service: Bidirectional Communication
# 121             Web Service: Dead Drop Resolver
# 323          Web Service: One-Way Communication
# Name: name, dtype: object

# show citation data for LOLBAS Wmic reference
citations_df = techniques_data["citations"]
print(citations_df[citations_df["reference"].str.contains("LOLBAS Wmic")])
#         reference                                           citation                                                url
# 1010  LOLBAS Wmic  LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2...  https://lolbas-project.github.io/lolbas/Binari...
```