<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Working with ATT&CK | MITRE ATT&CK&reg;</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <!--stopindex--> <header> <nav class='navbar navbar-expand-lg navbar-dark fixed-top'> <a class='navbar-brand' href="/versions/v9/"><img src="/versions/v9/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item"> <a href="/versions/v9/matrices/" class="nav-link" ><b>Matrices</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a 
class="dropdown-item" href="/versions/v9/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/tactics/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/techniques/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/mitigations/mobile/">Mobile</a> </div> </li> <li class="nav-item"> <a href="/versions/v9/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v9/software/" class="nav-link" ><b>Software</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/resources/">General Information</a> <a class="dropdown-item" href="/versions/v9/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v9/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v9/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v9/resources/working-with-attack/">Working with ATT&CK</a> <a 
class="dropdown-item" href="/versions/v9/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/related-projects/">Related Projects</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v9/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v9/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div class="search-icon"></div></button> </li> </ul> </div> </nav> </header> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. 
<a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <!--start-indexing-for-search--> <div class="container"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v9/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v9/resources">Resources</a></li> <li class="breadcrumb-item">Working With ATT&CK</li> </ol> </div> <div class="container pb-3 uniform-block decorative-panels"> <div class="working-with-attack"> <h2>Accessing ATT&CK Data</h2> <!-- STIX data panel --> <div class="decorative-panel container"> <div class="decorative-panel-header row align-items-center"> <div class="col py-4"> <h3>ATT&CK in STIX</h3> <p> Structured Threat Information Expression (STIX&trade;) is a language and serialization format used to exchange cyber threat intelligence (CTI). The ATT&CK dataset is available in STIX 2.0 and STIX 2.1. Other presentations of this dataset, including the ATT&CK Navigator and this website, are built from the STIX data. </p> <button class="btn btn-default" id="stix-button" data-toggle="collapse" data-target="#stix-body" aria-expanded="false" aria-controls="stix-body">Learn more</button> </div> <div class="col text-right"> <img class="w-100" src="/versions/v9/theme/images/mitre-cti.png"> </div> </div> <div class="decorative-panel-body collapse pt-4" id="stix-body" aria-labelledby="stix-button"> <div class="row align-items-center"> <div class="col"> <p> STIX is a machine-readable format providing access to the ATT&CK knowledge base. It is the most granular representation of the ATT&CK data, and all other representations are derived from the STIX dataset. 
</p> <p>Consider using ATT&CK in STIX if you:</p> <ul> <li>Have automated workflows that need to ingest ATT&CK data.</li> <li>Are a proficient Python user seeking to save time with automation or want to perform advanced queries.</li> <li>Want your workflows to keep up-to-date with the evolving knowledge base.</li> <li>Want to extend the ATT&CK dataset with custom content, and use this custom content with ATT&CK tools.</li> </ul> <p> The ATT&CK STIX representation is most easily manipulated in Python using the <a href="https://github.com/oasis-open/cti-python-stix2#installation">stix2</a> library. However, because STIX is represented in JSON, other programming languages can easily interact with the raw content. </p> <p> The ATT&CK STIX data can be retrieved from GitHub directly, or accessed via the official ATT&CK TAXII&trade; server. Trusted Automated Exchange of Intelligence Information (TAXII) is an application protocol for exchanging CTI over HTTPS. The ATT&CK TAXII server provides API access to the ATT&CK STIX knowledge base. Learn more about accessing the TAXII server <a href="https://github.com/mitre/cti/blob/master/USAGE.md#access-from-the-attck-taxii-server">here</a>. 
</p> </div> <div class="col text-center"> <div class="card mb-4 w-75 mx-auto"> <h4 class="card-header"> ATT&CK in STIX 2.1 </h4> <div class="card-body"> <h4 class="mb-4"><a href="https://github.com/mitre-attack/attack-stix-data">Visit the repository</a></h4> <h4 class="mb-0"><a href="https://github.com/mitre-attack/attack-stix-data/blob/master/USAGE.md">Read the docs</a></h4> </div> </div> <div class="card mb-4 w-75 mx-auto"> <h4 class="card-header"> ATT&CK in STIX 2.0 </h4> <div class="card-body"> <h4 class="mb-4"><a href="https://github.com/mitre/cti">Visit the repository</a></h4> <h4 class="mb-0"><a href="https://github.com/mitre/cti/blob/master/USAGE.md">Read the docs</a></h4> </div> </div> <h4 class="mb-4"><a href="https://oasis-open.github.io/cti-documentation/stix/intro">Learn about STIX</a></h4> <h4><a href="https://oasis-open.github.io/cti-documentation/taxii/intro.html">Learn about TAXII</a></h4> </div> </div> </div> </div> <!-- Excel data panel --> <div class="decorative-panel container"> <div class="decorative-panel-header row align-items-center"> <div class="col py-4"> <h3>ATT&CK in Excel</h3> <p> Excel spreadsheets representing the ATT&CK dataset. These spreadsheets are built from the STIX dataset and provide a more human-accessible view into the knowledge base while also supporting rudimentary querying/filtering capabilities. 
</p> <button class="btn btn-default" id="excel-button" data-toggle="collapse" data-target="#excel-body" aria-expanded="false" aria-controls="excel-body">Learn more</button> </div> <div class="col order-first"> <img class="w-100" src="/versions/v9/theme/images/attack-in-excel.png"> </div> </div> <div class="decorative-panel-body collapse row align-items-center pt-4" id="excel-body" aria-labelledby="excel-button"> <div class="col"> <p>Consider using ATT&CK in Excel if you:</p> <ul> <li>Want to quickly sort, filter and query the dataset in a familiar UI.</li> <li>Want to explore the contents of the dataset without having to navigate around the ATT&CK website.</li> <li>Are not comfortable enough in Python or other programming languages to work with the STIX representation.</li> </ul> <p> The Excel representation of the ATT&CK dataset includes both master spreadsheets, containing all object types, and individual spreadsheets for each object type. The individual type spreadsheets break out relationships (e.g. procedure examples connecting groups to techniques) into separate sheets by relationship type, while the master spreadsheet includes all relationship types in a single sheet. Otherwise, the representation is identical. </p> <p> A citations sheet can be used to look up the in-text citations which appear in some fields. For domains that include multiple matrices, such as Mobile ATT&CK, each matrix gets its own named sheet. Unlike the STIX dataset, objects that have been <i>revoked</i> or <i>deprecated</i> are not included in the spreadsheets. </p> <p> The source code for the STIX to Excel converter can be found in our <a href="https://github.com/mitre-attack/mitreattack-python">mitreattack-python pip module</a>. 
</p> </div> <div class="col file-list"> <ul> <li> <a href="/versions/v9/docs/enterprise-attack-v9.0/enterprise-attack-v9.0.xlsx">enterprise-attack-v9.0.xlsx</a> <ul> <li> <a href="/versions/v9/docs/enterprise-attack-v9.0/enterprise-attack-v9.0-matrices.xlsx">enterprise-attack-v9.0-matrices.xlsx</a> </li> <li> <a href="/versions/v9/docs/enterprise-attack-v9.0/enterprise-attack-v9.0-mitigations.xlsx">enterprise-attack-v9.0-mitigations.xlsx</a> </li> <li> <a href="/versions/v9/docs/enterprise-attack-v9.0/enterprise-attack-v9.0-relationships.xlsx">enterprise-attack-v9.0-relationships.xlsx</a> </li> <li> <a href="/versions/v9/docs/enterprise-attack-v9.0/enterprise-attack-v9.0-software.xlsx">enterprise-attack-v9.0-software.xlsx</a> </li> <li> <a href="/versions/v9/docs/enterprise-attack-v9.0/enterprise-attack-v9.0-groups.xlsx">enterprise-attack-v9.0-groups.xlsx</a> </li> <li> <a href="/versions/v9/docs/enterprise-attack-v9.0/enterprise-attack-v9.0-tactics.xlsx">enterprise-attack-v9.0-tactics.xlsx</a> </li> <li> <a href="/versions/v9/docs/enterprise-attack-v9.0/enterprise-attack-v9.0-techniques.xlsx">enterprise-attack-v9.0-techniques.xlsx</a> </li> </ul> </li> <li> <a href="/versions/v9/docs/mobile-attack-v9.0/mobile-attack-v9.0.xlsx">mobile-attack-v9.0.xlsx</a> <ul> <li> <a href="/versions/v9/docs/mobile-attack-v9.0/mobile-attack-v9.0-matrices.xlsx">mobile-attack-v9.0-matrices.xlsx</a> </li> <li> <a href="/versions/v9/docs/mobile-attack-v9.0/mobile-attack-v9.0-mitigations.xlsx">mobile-attack-v9.0-mitigations.xlsx</a> </li> <li> <a href="/versions/v9/docs/mobile-attack-v9.0/mobile-attack-v9.0-relationships.xlsx">mobile-attack-v9.0-relationships.xlsx</a> </li> <li> <a href="/versions/v9/docs/mobile-attack-v9.0/mobile-attack-v9.0-software.xlsx">mobile-attack-v9.0-software.xlsx</a> </li> <li> <a href="/versions/v9/docs/mobile-attack-v9.0/mobile-attack-v9.0-groups.xlsx">mobile-attack-v9.0-groups.xlsx</a> </li> <li> <a 
href="/versions/v9/docs/mobile-attack-v9.0/mobile-attack-v9.0-tactics.xlsx">mobile-attack-v9.0-tactics.xlsx</a> </li> <li> <a href="/versions/v9/docs/mobile-attack-v9.0/mobile-attack-v9.0-techniques.xlsx">mobile-attack-v9.0-techniques.xlsx</a> </li> </ul> </li> <li> <a href="/versions/v9/docs/ics-attack-v9.0/ics-attack-v9.0.xlsx">ics-attack-v9.0.xlsx</a> <ul> <li> <a href="/versions/v9/docs/ics-attack-v9.0/ics-attack-v9.0-matrices.xlsx">ics-attack-v9.0-matrices.xlsx</a> </li> <li> <a href="/versions/v9/docs/ics-attack-v9.0/ics-attack-v9.0-mitigations.xlsx">ics-attack-v9.0-mitigations.xlsx</a> </li> <li> <a href="/versions/v9/docs/ics-attack-v9.0/ics-attack-v9.0-relationships.xlsx">ics-attack-v9.0-relationships.xlsx</a> </li> <li> <a href="/versions/v9/docs/ics-attack-v9.0/ics-attack-v9.0-software.xlsx">ics-attack-v9.0-software.xlsx</a> </li> <li> <a href="/versions/v9/docs/ics-attack-v9.0/ics-attack-v9.0-groups.xlsx">ics-attack-v9.0-groups.xlsx</a> </li> <li> <a href="/versions/v9/docs/ics-attack-v9.0/ics-attack-v9.0-tactics.xlsx">ics-attack-v9.0-tactics.xlsx</a> </li> <li> <a href="/versions/v9/docs/ics-attack-v9.0/ics-attack-v9.0-techniques.xlsx">ics-attack-v9.0-techniques.xlsx</a> </li> </ul> </li> </ul> </div> </div> </div> <h2>Tools for working with ATT&CK</h2> <!-- Navigator --> <div class="decorative-panel container"> <div class="decorative-panel-header row align-items-center"> <div class="col py-4"> <h3>ATT&CK Navigator</h3> <p> The ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices. It can be used to visualize defensive coverage, red/blue team planning, the frequency of detected techniques, and more. 
</p> <h4><a href="https://mitre-attack.github.io/attack-navigator/">Open the application</a></h4> <h4><a href="https://github.com/mitre-attack/attack-navigator/">Visit the repository</a></h4> </div> <div class="col text-right"> <img class="w-100" src="/versions/v9/theme/images/nav-example.png"> </div> </div> </div> <!-- Workbench --> <div class="decorative-panel container"> <div class="decorative-panel-header row align-items-center"> <div class="col py-4"> <h3>ATT&CK Workbench</h3> <p> The ATT&CK Workbench is an application allowing users to explore, create, annotate, and share extensions of the ATT&CK knowledge base. </p> <h4><a href="https://github.com/center-for-threat-informed-defense/attack-workbench-frontend">Visit the repository</a></h4> </div> <div class="col order-first"> <img class="w-100" src="/versions/v9/theme/images/workbench-groups-list.png"> </div> </div> </div> <!-- Scripts --> <div class="decorative-panel container"> <div class="decorative-panel-header row align-items-center"> <div class="col py-4"> <h3>ATT&CK Python Utilities</h3> <p> ATT&CK provides a variety of Python tools for accessing, querying, and processing the ATT&CK dataset. These scripts can be useful utilities or serve as examples for how to work with ATT&CK programmatically. 
</p> <h4><a href="https://github.com/mitre-attack/mitreattack-python">Install our pip module</a></h4> <h4><a href="https://github.com/mitre-attack/attack-scripts/">Explore our standalone scripts</a></h4> </div> <div class="col text-right"> <img class="w-100" src="/versions/v9/theme/images/attack-scripts.png"> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> &copy; 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. 
</p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&amp;CK content version 9.0&#013;Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100"> <!-- <i class="fa fa-twitter"></i> --> <img src="/versions/v9/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v9/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v9/theme/scripts/popper.min.js"></script> <script src="/versions/v9/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v9/theme/scripts/site.js"></script> <script src="/versions/v9/theme/scripts/flexsearch.es5.js"></script> <script src="/versions/v9/theme/scripts/localforage.min.js"></script> <script src="/versions/v9/theme/scripts/settings.js?6351"></script> <script src="/versions/v9/theme/scripts/search_babelized.js"></script> </body> </html>
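
The Excel panel above notes that, unlike the STIX dataset, revoked and deprecated objects are left out of the spreadsheets, and that relationships connect groups to techniques. This added example (not code from the page or from MITRE) applies that same filter to a STIX bundle with only the Python standard library; the bundle, its IDs and the function names are constructed for illustration, while `revoked`, `x_mitre_deprecated`, `external_references` and the `uses` relationship type are field names used in ATT&CK's STIX data.

```python
import json

# source_name values that mark the ATT&CK ID entry in external_references.
ATTACK_SOURCES = {"mitre-attack", "mitre-mobile-attack", "mitre-ics-attack"}

def _obj(stix_type, key, ext_id, **extra):
    """Build one constructed sample object (placeholder IDs, not real ATT&CK entries)."""
    return {"type": stix_type, "id": f"{stix_type}--{key}", "name": f"Sample {ext_id}",
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
            **extra}

def _uses(n, source_ref, target_ref, **extra):
    """Build one constructed 'uses' relationship between two sample objects."""
    return {"type": "relationship", "id": f"relationship--r{n}", "relationship_type": "uses",
            "source_ref": source_ref, "target_ref": target_ref, **extra}

# Constructed bundle: one group, one software entry, four techniques, seven relationships.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    _obj("intrusion-set", "g1", "G9001"),
    _obj("malware", "s1", "S9001"),
    _obj("attack-pattern", "t1", "T9001"),
    _obj("attack-pattern", "t2", "T9002", revoked=True),
    _obj("attack-pattern", "t3", "T9003", x_mitre_deprecated=True),
    _obj("attack-pattern", "t5", "T9005"),
    _uses(1, "intrusion-set--g1", "attack-pattern--t5"),
    _uses(2, "intrusion-set--g1", "attack-pattern--t1"),
    _uses(3, "intrusion-set--g1", "attack-pattern--t2"),                # target revoked
    _uses(4, "intrusion-set--g1", "attack-pattern--t3"),                # target deprecated
    _uses(5, "malware--s1", "attack-pattern--t1"),                      # software, not a group
    _uses(6, "intrusion-set--g1", "attack-pattern--t1", revoked=True),  # relationship revoked
    _uses(7, "intrusion-set--g1", "attack-pattern--missing"),           # dangling reference
]})

def attack_id(obj):
    """Return the ATT&CK ID from external_references, or None if the object has none."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in ATTACK_SOURCES:
            return ref.get("external_id")
    return None

def is_active(obj):
    """True when the object is neither revoked nor deprecated."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)

def techniques_by_group(bundle_text):
    """Map each active group's ATT&CK ID to the sorted IDs of active techniques it uses."""
    objects = json.loads(bundle_text)["objects"]
    active = {o["id"]: o for o in objects if o["type"] != "relationship" and is_active(o)}
    result = {}
    for rel in objects:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses":
            continue
        src, dst = active.get(rel.get("source_ref")), active.get(rel.get("target_ref"))
        if not is_active(rel) or src is None or dst is None:
            continue  # skip revoked relationships and revoked, deprecated or missing endpoints
        if src["type"] == "intrusion-set" and dst["type"] == "attack-pattern":
            result.setdefault(attack_id(src), set()).add(attack_id(dst))
    return {group: sorted(ids) for group, ids in result.items()}

if __name__ == "__main__":
    print(techniques_by_group(SAMPLE_BUNDLE))
```

Skipping the filter would count revoked and deprecated techniques toward a group's coverage, which is the difference between the raw STIX view and the spreadsheet view described above.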
