This project provides a Python script to map alert signatures to MITRE ATT&CK techniques. It uses the mitreattack-python
library to fetch detailed information about MITRE ATT&CK techniques dynamically from the latest STIX data.
- Downloads and uses the latest MITRE ATT&CK STIX data.
- Maps alert signatures to MITRE ATT&CK techniques.
- Provides detailed information about matched techniques including description, platforms, tactics, and more.
- Python 3.6 or higher
- Internet connection to download the latest MITRE ATT&CK STIX data.
- Clone the repository:

  git clone https://github.com/Dan-Duran/mitre-attack-mapper.git
  cd mitre-attack-mapper

  This will clone the repository from GitHub and navigate into the project directory.

- Create and activate a virtual environment:

  python3 -m venv venv
  source venv/bin/activate

  This will create a virtual environment and activate it on Linux or Mac.

  py -m venv venv
  venv\Scripts\activate

  This will create a virtual environment and activate it on Windows (use `python` in place of `py` if the `py` launcher is not installed). Windows shells have no `source` command, so the activation script is run directly.
- Install the required packages:

  pip install -r requirements.txt

  This will install the necessary packages listed in requirements.txt, including the mitreattack-python library and utilities for working with MITRE ATT&CK.
- Run the script:

  python mitre.py

  This command starts the script. It downloads the latest MITRE ATT&CK STIX data if the local copy is missing or out of date; otherwise it reuses the existing data without downloading.
- Enter the alert signature when prompted:

  Enter the alert signature:

  The user is prompted to input an alert signature. The signature is normalized to lowercase before it is matched against the technique data.
- View the detailed information about the matched MITRE ATT&CK techniques.

  The script will output the matched techniques to the console and also save them to a timestamped file in the output directory.
MITRE-ATTACK-MAPPER/
│
├── mitre.py Main entry point for the script
├── requirements.txt List of dependencies
├── README.md Project documentation
├── venv/ Virtual environment directory (created during installation)
└── output/ Directory for output files (will be created by the script if it doesn't exist)
STIX data is up-to-date. No download needed.
Enter the alert signature:
ATTACK [PTsecurity] log4j RCE aka Log4Shell attempt (CVE-2021-44228)
Entered Signature: attack [ptsecurity] log4j rce aka log4shell attempt (cve-2021-44228)
Matched MITRE Techniques:
Technique ID: T1210
Name: Exploit Public-Facing Application
Description: Adversaries may attempt to exploit public-facing applications.
URL: https://attack.mitre.org/techniques/T1210/
Technique ID: T1190
Name: Exploit Public-Facing Application
Description: Adversaries may attempt to exploit public-facing applications.
URL: https://attack.mitre.org/techniques/T1190/
Results written to output/result_20240531_090117.txt
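The example below is an added illustration of the mapping step described above; it is not the project's mitre.py and does not use the mitreattack-python library, so it runs offline. It reads a small, constructed STIX 2.0 bundle in the same shape as the real enterprise-attack.json (attack-pattern objects with mitre-attack external references, kill-chain phases and x_mitre_platforms), skips revoked objects, normalizes the signature to lowercase as the script does, and matches it against technique names plus a constructed keyword table. The technique descriptions, the KEYWORDS table and the sample signatures are all constructed for this example.

```python
import json
import re
from typing import Dict, List, NamedTuple

# Constructed stand-in for the ATT&CK enterprise-attack.json STIX bundle.
# The real file holds thousands of objects; the shape of each one is the same.
STIX_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--constructed-example",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--0001",
            "name": "Exploit Public-Facing Application",
            "description": "Adversaries may attempt to exploit a weakness in an "
                           "Internet-facing host or system.",
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "T1190",
                 "url": "https://attack.mitre.org/techniques/T1190/"}],
            "kill_chain_phases": [
                {"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
            "x_mitre_platforms": ["Linux", "Windows", "macOS"],
        },
        {
            "type": "attack-pattern",
            "id": "attack-pattern--0002",
            "name": "Brute Force",
            "description": "Adversaries may use brute force techniques to gain "
                           "access to accounts.",
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "T1110",
                 "url": "https://attack.mitre.org/techniques/T1110/"}],
            "kill_chain_phases": [
                {"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
            "x_mitre_platforms": ["Linux", "Windows", "macOS"],
        },
        {   # Revoked objects remain in the bundle; a mapper must skip them.
            "type": "attack-pattern",
            "id": "attack-pattern--0003",
            "name": "Brute Force",
            "revoked": True,
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "T0000"}],  # placeholder id
        },
        {"type": "relationship", "id": "relationship--0004", "relationship_type": "uses"},
    ],
})

# Constructed keyword table: phrases that commonly appear in IDS/alert
# signatures but not in the technique name. Values are ATT&CK technique IDs.
KEYWORDS = {
    "rce": "T1190",
    "remote code execution": "T1190",
    "log4shell": "T1190",
    "bruteforce": "T1110",
}


class Technique(NamedTuple):
    attack_id: str
    name: str
    description: str
    url: str
    tactics: List[str]
    platforms: List[str]


def load_techniques(bundle_json: str) -> Dict[str, Technique]:
    """Parse attack-pattern objects from a STIX bundle, keyed by ATT&CK ID."""
    techniques = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # never map alerts onto retired techniques
        ref = next((r for r in obj.get("external_references", [])
                    if r.get("source_name") == "mitre-attack"), None)
        if ref is None:
            continue
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        techniques[ref["external_id"]] = Technique(
            ref["external_id"], obj["name"], obj.get("description", ""),
            ref.get("url", ""), tactics, obj.get("x_mitre_platforms", []))
    return techniques


def normalize(signature: str) -> str:
    """Lowercase and collapse whitespace, as the script's 'Entered Signature' line shows."""
    return " ".join(signature.lower().split())


def _contains_phrase(text: str, phrase: str) -> bool:
    # Whole-word match so that "rce" does not fire on "source" or "force".
    return re.search(r"\b" + re.escape(phrase.lower()) + r"\b", text) is not None


def map_signature(signature: str, techniques: Dict[str, Technique],
                  keywords: Dict[str, str] = KEYWORDS) -> List[str]:
    """Return sorted ATT&CK IDs whose name or keyword appears in the signature."""
    text = normalize(signature)
    hits = {tid for tid, t in techniques.items() if _contains_phrase(text, t.name)}
    hits |= {tid for phrase, tid in keywords.items()
             if tid in techniques and _contains_phrase(text, phrase)}
    return sorted(hits)


def format_report(signature: str, techniques: Dict[str, Technique],
                  matched: List[str]) -> str:
    """Render the console/file report in the same layout as the script's output."""
    lines = ["Entered Signature: " + normalize(signature), "Matched MITRE Techniques:"]
    if not matched:
        lines.append("(no technique matched; consider extending the keyword table)")
    for tid in matched:
        t = techniques[tid]
        lines += ["Technique ID: " + t.attack_id, "Name: " + t.name,
                  "Description: " + t.description, "Tactics: " + ", ".join(t.tactics),
                  "Platforms: " + ", ".join(t.platforms), "URL: " + t.url, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    techs = load_techniques(STIX_BUNDLE_JSON)
    sig = "ATTACK [PTsecurity] log4j RCE aka Log4Shell attempt (CVE-2021-44228)"
    print(format_report(sig, techs, map_signature(sig, techs)))
```

The matching is deliberately heuristic: a keyword table is quick to extend as new signatures appear, but every entry is an analyst's judgement and a false mapping propagates into whatever consumes the report, so review the table as carefully as a detection rule. Skipping revoked and deprecated objects matters in practice because the ATT&CK STIX data keeps them in the bundle.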
We welcome contributions!
This project is licensed under the MIT License.