As a user of this library, I would like to be able to load custom data over the network as input for the functionalities of this library (e.g attackToExcel, the layer generators in #13). Currently, support for custom data is only allowed via the local argument of some of the APIs in this library, so data would need to be fetched separately, saved to a file, and then loaded from that file to be used.

Allowing data to be fetched directly using requests would allow me to integrate mitreattack-python with a local ATT&CK Workbench instance since the ATT&CK Workbench exposes a REST API endpoints for fetching the knowledge base in raw STIX.

Expected Behavior

Should be able to install this module by running pip install mitreattack-python

Actual Behavior

It doesn't get installed. When I run from mitreattack.navlayers import Layer, there is an error:

ModuleNotFoundError: No module named 'mitreattack'

Possible Solution

Make installer valid

Add the relationships micro library in the CTI Usage document to mitreattack-python as a new module.

Is your feature request related to a problem?

Currently, the bulk of the 3 minutes or so that it takes to build the Excel files for the latest version of ATT&CK is coming from the STIX query for subtechniques, as you can see from this partial pyinstrument report.

This is because the queries here and here check each subtechnique against the entire STIX2 MemoryStore.

Describe the solution you'd like

If a new MemoryStore was created above the for loop in each case holding just the subtechniques, it might vastly improve the speed of the subsequent queries.

Describe alternatives you've considered

I have considered having patience and letting it take a long time to build, but I think the above solution is slightly better :)

Additional context

No additional context.

Expected Behavior

Navlayers technique and layer classes should not error out when setting their metadata property.

Actual Behavior

Navlayers technique and layer classes fail when setting the metadata property.
Their metadata setter check for Metadata and MetaDiv are incorrect.

See Metadata and MetaDiv classes: Link
See Navlayers Technique metadata setter: Link
See Navlayers Layer metadata setter: Link

Steps to Reproduce the Problem

1. Python 3

from mitreattack import navlayers

layerA = navlayers.Layer(init_data={'name': "Layer A", 'domain':"enterprise-attack"})
layer_technique = navlayers.Technique(tID="T1003")
layer_technique.metadata = [navlayers.Metadata(name="Metadata", value="1"), navlayers.MetaDiv(active=True)]

Error:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/me/.local/share/virtualenvs/test-XrAZKEUD/lib/python3.8/site-packages/mitreattack/navlayers/core/technique.py", line 107, in metadata
    if "divider" in entry:
TypeError: argument of type 'Metadata' is not iterable

Possible Solution

1. Check if metadata entries in the list are either Metadata or MetaDiv objects.
   Change technique.py line 107 to 110:

try:
    for entry in metadata:
        if isinstance(entry, Metadata) or isinstance(entry, MetaDiv):
            self.__metadata.append(entry)
        else:
            pass  # Object in the list was not of Metadata or MetaDiv classes

2. Unsure why, but the current version of the code duplicates Metadata and MetaDiv objects, so if that's still the way to go:

try:
    for entry in metadata:
        if isinstance(entry, MetaDiv):
            self.__metadata.append(MetaDiv(entry.state))
        elif isinstance(entry, Metadata):
            self.__metadata.append(Metadata(entry.name, entry.value))
        else:
            pass  # Object in the list was not of Metadata or MetaDiv classes

Expected Behavior

While I was trying to generate an svg from json, I had some techniques disabled in my json file
they are expected to be hidden and not appear in the final svg but that's not how it's working so far

Actual Behavior

with the default configuration, it's showing the disabled techniques as well, also platforms and legend are not appearing in the final svg

Solution Suggestions

Possibly an issue in here or maybe here

My layer json file

https://gist.github.com/azkasadaf/e3c6e90b6099b3d1a105fbb443771150

As a user, I want to be able to easily create usage layers (as implemented in #13/#9) for all of the groups, software, or mitigations in the dataset.

While reasonably easy to run the existing UsageGenerator over a series of object names, building that feature into the library would save effort for users who want to build a full set of layers representing for the ATT&CK knowledge base.

This improvement should include:

• An API that returns a set of Layer objects (either in an array, or in a map of name/ATT&CK-ID/STIX-ID -> Layer)
• A CLI which writes the set of layer files into a folder
• Both methods should take the object type (group, software, mitigation) as a parameter.

I tried to load a layer json file made recently from the att&ck navigator as available online.

This yielded warnings about using a file with version 4.2 whilst the tool is only able to handle files up to version 4.1.

I believe version 4.2 of the navigator is older than the latest release of this tool. Hence I would have expected this tool to handle the latest version.

A plausible alternative for me would be to have access to an older version of the navigator, presuming the older version still contains the newest Mitre Att&ck matrix.

Expected Behavior

The attackToExcel module produces Excel files that have datasources information for the ICS domain.

Actual Behavior

The ICS datasources are not found in the Excel files right now.

Steps to Reproduce the Problem

1. Run the attackToExcel module
2. Look at Excel files for ICS

Possible Solution

Update this if statement to include the ICS domain

Expected Behavior

I'm having trouble working with navlayers the error occurs when specifying taxii as source source='taxii'

for example working with LayerGeneratorcli or UsageLayerGenerator expected behaviour is getting a .json file as an output

But running the following command:

Actual Behavior

layerGenerator_cli --domain enterprise --source taxii --mapped-to S0065 --output generated_layer.json

i get this error message instead

[taxii2client.v20] [WARNING ] [2022-07-01 16:28:30,170] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:30,171] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:30,665] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:30,665] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:31,135] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:31,135] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:31,668] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:31,668] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:32,137] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:32,137] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:32,982] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:32,982] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:34,222] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:34,222] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:34,686] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:34,687] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:35,149] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:35,149] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:35,650] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:35,650] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:36,165] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:36,165] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:36,668] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:36,668] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:37,956] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:37,956] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:38,439] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:38,440] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:38,900] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:38,900] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:48,018] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:48,034] TAXII Server Response with different amount of objects! Setting per_request=719
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:57,566] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:28:57,583] TAXII Server Response with different amount of objects! Setting per_request=719
[taxii2client.v20] [WARNING ] [2022-07-01 16:29:05,951] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:29:05,993] TAXII Server Response with different amount of objects! Setting per_request=719
[taxii2client.v20] [WARNING ] [2022-07-01 16:29:12,649] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-07-01 16:29:12,664] TAXII Server Response with different amount of objects! Setting per_request=719
Traceback (most recent call last):
  File "C:\Users\Ala\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\Users\Ala\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "C:\Users\Ala\Mitre\mitreattack-python\navlayers\Scripts\layerGenerator_cli.exe\__main__.py", line 7, in <module>
  File "C:\Users\Ala\Mitre\mitreattack-python\navlayers\lib\site-packages\mitreattack\navlayers\layerGenerator_cli.py", line 40, in main
    ug = UsageLayerGenerator(source=args.source, domain=args.domain, resource=args.resource)
  File "C:\Users\Ala\Mitre\mitreattack-python\navlayers\lib\site-packages\mitreattack\navlayers\generators\usage_generator.py", line 28, in __init__
    self.matrix_handle = MatrixGen(source, resource)
  File "C:\Users\Ala\Mitre\mitreattack-python\navlayers\lib\site-packages\mitreattack\navlayers\exporters\matrix_gen.py", line 151, in __init__
    self._build_matrix()
  File "C:\Users\Ala\Mitre\mitreattack-python\navlayers\lib\site-packages\mitreattack\navlayers\exporters\matrix_gen.py", line 377, in _build_matrix
    techs, subtechs = self._get_technique_listing(tac.name.lower().replace(' ', '-'), domain)
  File "C:\Users\Ala\Mitre\mitreattack-python\navlayers\lib\site-packages\mitreattack\navlayers\exporters\matrix_gen.py", line 200, in _get_technique_listing
    tid = [t['external_id'] for t in entry['external_references'] if 'attack' in t['source_name']]
  File "C:\Users\Ala\Mitre\mitreattack-python\navlayers\lib\site-packages\mitreattack\navlayers\exporters\matrix_gen.py", line 200, in <listcomp>
    tid = [t['external_id'] for t in entry['external_references'] if 'attack' in t['source_name']]
  File "C:\Users\Ala\Mitre\mitreattack-python\navlayers\lib\site-packages\stix2\base.py", line 251, in __getitem__
    return self._inner[key]
KeyError: 'external_id'

Steps to Reproduce the Problem

1. for me calling taxii as source anywhere in navlayers causes this ( ToExcel, ToSvg matrix_gen ...)

Possible Solution

A workaround could be working with local stix data but this is not an actual solution. It's basically specifying (source='local',resource='stix_file.json').

Plz note that this is my first time working with mitreattack-python so if i'm making a rookie mistake here i would really appreciate your help

Expected Behavior

No error while importing a layer from ATT&CK Navigator
The zipped layer is here for reference : layer.zip

Actual Behavior

An error is raised, and the layer is not loaded :

[Layer] - AttributeError encountered ['#ff6666ff' is not in web format. Need 3 or 6 hex digit.]. Unable to load.
[Layer] - Full Traceback - Traceback (most recent call last):
  File "C:\Python310\lib\site-packages\mitreattack\navlayers\core\layer.py", line 97, in _build
    self.__layer._linker(key, self._data[key])
  File "C:\Python310\lib\site-packages\mitreattack\navlayers\core\layerobj.py", line 446, in _linker
    self.gradient = data
  File "C:\Python310\lib\site-packages\mitreattack\navlayers\core\layerobj.py", line 221, in gradient
    self.__gradient = Gradient(gradient['colors'], gradient['minValue'], gradient['maxValue'])
  File "C:\Python310\lib\site-packages\mitreattack\navlayers\core\gradient.py", line 20, in __init__
    self.maxValue = maxValue
  File "C:\Python310\lib\site-packages\mitreattack\navlayers\core\gradient.py", line 52, in maxValue
    self._compute_curve()
  File "C:\Python310\lib\site-packages\mitreattack\navlayers\core\gradient.py", line 64, in _compute_curve
    s_c = colour.Color(self.colors[index-1])
  File "C:\Python310\lib\site-packages\colour.py", line 988, in __init__
    self.web = color if color else 'black'
  File "C:\Python310\lib\site-packages\colour.py", line 1006, in __setattr__
    fc(value)
  File "C:\Python310\lib\site-packages\colour.py", line 1084, in set_web
    self.hex = web2hex(value)
  File "C:\Python310\lib\site-packages\colour.py", line 670, in web2hex
    raise AttributeError(
AttributeError: '#ff6666ff' is not in web format. Need 3 or 6 hex digit.

Steps to Reproduce the Problem

1. Go to https://mitre-attack.github.io/attack-navigator/

2. Create an empty enterprise layer

3. Download the layer into layer.json

4. Load the layer using Python

   from mitreattack.navlayers.core.layer import Layer
   
   test = Layer()
   test.from_file("layer.json")

5. Observe the console output

Expected Behavior

The attackToExcel module produces Excel files that have Tactic names in the Tactic column on Technique worksheets.

Actual Behavior

The attackToExcel module produces Excel files that have Tactic names that are oddly figured out in the Tactic column on Technique worksheets. The problematic logic can be found here

Steps to Reproduce the Problem

1. Run the attackToExcel module
2. Look at Excel files

Possible Solution

Instead of attempting to title() case the string, replacing dashes with spaces, just go look up the Tactic STIX object it is referencing and use it's name field.

Expected Behavior

I would expect to be able to import the module with no issues.

Actual Behavior

the module fails to import for the following reasons:
[Errno 13] Permission denied: '/.stixmarx'

This is on a linux box. I have create a docket image with the following: mitreattack-python,pandas,pyattck,bs4,colour,openpyxl,stix2,taxii2-client,numpy,drawSvg,Pillow,tqdm,xlsxwriter,tabulate,stix2-elevator

When i run the python script against this docker image i get the error where it has failed to run due to permission denied.

The test coverage as of today is as follows. It would be great to get coverage up to 80% minimum for all files of substance.

As an individual or organization seeking to share extensions of ATT&CK, I want to be able to generate a collection index from a set of input collections.

This script has already been implemented, but needs to be ported into this library. Additionally:

• The current implementation only allows a collection index to be created based on collections on the filesystem. The new implementation should also support an array of STIX 2.1 bundles as input for the collections. These bundles will need to be validated to contain an x-mitre-collection object so that non-collections are not used as input.
• The CLI of that script should be provided similarly to the CLI of the layer exporters already included in this library.

As a maintainer of ATT&CK and mitreattack-python, I want to be able to release new versions of ATT&CK without having to update the layer exporter.

Currently, the layer exporter throws errors if layer version number or platforms are not what it expects. For instance, it doesn't currently account for the PRE or Network platforms, which didn't exist as of when it was created. This can be reproduced by simply creating a new layer in the Navigator and attempting to use it with this library.

We should allow the program to execute even if the value is unexpected.

• For layer/Navigator/ATT&CK version numbers, the script should interpret unknown version numbers as if they were the current version number (but warn the user through stdout that the value may not be 100% supported).
• For platforms, the values simply should not be hard-coded.

ATT&CK Navigator allows the user to specify 8 digits gradient colors (like #ffffff00) with transparency :

I would like to set programmatically 8 digits colors with mitreattack-python too.
At the moment, if I specify 8 digits, the last two digits are ignored.

For example:

input_layer.layer.gradient.colors = ["#ffffff00", "#ff6666ff"]

outputs

    "gradient": {
        "colors": [
            "#ffffff",
            "#ff6666"
        ],

The last two digits are ignored.

Thanks

Is your feature request related to a problem?

The only problem is that the functionality is split between two different repositories and ought to be condensed into a single one.

Describe the solution you'd like

Combine the scripts from https://github.com/mitre-attack/attack-scripts/ with this repository.

Describe alternatives you've considered

Keeping both repositories adds an extra burden of maintenance. It could be done, but I think it makes the most sense to not need to check both places all the time.

Additional context

None (at this time)

As a user of ATT&CK's excel spreadsheets, I want to be able to access information about data sources and data components in that medium.

In ATT&CK v10 data sources and data components are becoming full STIX objects. See the mock data here for more information. We should update the AttackToExcel parser to convert these objects into to excel sheets.

• Both Data sources and data components should be depicted within a single sheet
• Data sources should include name, description, collection layers and platforms in addition to the generic fields like contributors, created and modified date
• Data components should include name and description in addition to the generic fields. The name of data components should be prefixed with the name of the parent data source.
• A sheet mapping techniques to data components should also be included (like the existing mapping sheets)
• The data sources field on technique sheets should be retained for backwards comparability purposes.

See the following rough example for the way both data sources and components can be contained in a single sheet:

As an individual or organization seeking to share extensions of ATT&CK, I want to be able to convert a collection index into a human-readable Markdown representation like the one seen on attack-stix-data.

This script has already been implemented, but needs to be ported into this library. A CLI should be provided similar to the existing layer exporter CLI so that users can utilize the script from the command line provided the library is installed.

Is your feature request related to a problem?

The example from the usage page we've been using takes an extremely long time to load.

Describe the solution you'd like

Just make it a little more clear (in the basic usage example) how we can not only export, but cache and import the att&ck matrix data rather than slowly loading it.

Describe alternatives you've considered

There doesn't seem to be one since the documentation only mentions an export feature, not import.

Additional context

import mitreattack.attackToExcel.attackToExcel as attackToExcel
import mitreattack.attackToExcel.stixToDf as stixToDf

# download and parse ATT&CK STIX data

# SUGGESTED ADDITION / PSEUDO CODE:
attackToExcel.export("enterprise-attack", "v8.1", "/path/to/export/folder")
# instead of:
# attackdata = attackToExcel.get_stix_data("enterprise-attack")
# allow:
attackdata = attackToExcel.get_stix_data_from( "/path/to/export/folder")
# END ADDITION

# get Pandas DataFrames for techniques, associated relationships, and citations
techniques_data = stixToDf.techniquesToDf(attackdata, "enterprise-attack") 

# show T1102 and sub-techniques of T1102
techniques_df = techniques_data["techniques"]
print(techniques_df[techniques_df["ID"].str.contains("T1102")]["name"])

And I don't really know if exporting as excel is the most efficient way to cache the data, probably not, but it seems to be the format supported. My only goal is to get the data into a DataFrame as efficiently as possible instead of having to go take a 5 minute coffee break to wait every time I restart my Jupyter kernel.

We're going to be solving this by adding some code to use Apache's Parquet to store the DataFrame efficiently, but that is not something that would make sense as a PR in a library designed for converting to Excel. That said, people shouldn't need to invent a caching solution for this, in my opinion. It would make sense to support it by default when the library takes 3-5 minutes to load into a DataFrame.

Like I said, I don't know if it really fits into the library since it's named to be an excel conversion tool, but I'm thinking something like:

attackToExcel.export_parquet("enterprise-attack", "v8.1", "/path/to/export/file")
attackdata = attackToExcel.import_parquet("/path/to/export/file")
techniques_data = stixToDf.techniquesToDf(attackdata, "enterprise-attack")

As a user, I want to be able to access matrices representing specific platforms, e.g cloud platforms, in the excel spreadsheets. Currently the spreadsheet just displays the entire domain.

In the matrices spreadsheet include the platform filtered matrices as displayed on https://attack.mitre.org/matrices/ in addition to the domain matrix.

As a user of ATT&CK in Excel, I would like to be able to access the CAPEC ID of a technique (if defined) in the output spreadsheets or DataFrames. CAPEC IDs are not currently tracked by attackToExcel, although similar fields such as MTC IDs are.

As a user of ATT&CK, I want to be able to easily create layer files showing things like group technique usage from STIX data.

Create scripts that parse the contents of a STIX bundle or the TAXII server to create layer files. An API should be able to provide Layer instances, and a CLI should be able to write desired layer files to disk.

The following generators should be created. They should ideally resemble the layers on the ATT&CK Website.

Usage by individual objects:

• Group technique usage for each/a specific group, where score is 1 if used and 0 otherwise, and comment is the usage description.
• Same as above, but for software
• Same as above, but for mitigations

Overviews for each type of object:

• Groups using each technique, where score is the number of using groups and comment is a comma separated list of using groups
• Same as above, but for software
• Same as above, but for mitigations

Expected Behavior

The AttackToExcel functionality would produce matrices with sub-techniques that are filtered appropriately in the resultant matrices Excel file.

Actual Behavior

All sub-techniques are displayed regardless of whether they correspond with an existent platform or not.

Steps to Reproduce the Problem

1. Follow the instructions listed in the attackToExcel README

Possible Solution

Introduce a filter logic mechanism in the matricesToDf function that handles filtering sub-techniques from platforms

Expected Behavior

A navigation layer object should be created when passing a name and a domain to mitreattack.navlayers.layer

Actual Behavior

The program errors out since in the init method uses self.__data (double underscore), but the rest of the code uses self._data (single underscore)

Steps to Reproduce the Problem

Follow example 2 of https://github.com/mitre-attack/mitreattack-python/tree/master/mitreattack/navlayers/core#creating-layers-programmatically

1. Init a navigation layer with a name and a domain

import mitreattack.navlayers as navlayers

layer_example = navlayers.Layer(name="example", domain="enterprise-attack")

Traceback (most recent call last):
  File "/Users/me/test/test.py", line 3, in test
    layer_example = navlayers.Layer(name="example", domain="enterprise-attack")
  File "/Users/me/.local/share/virtualenvs/test-XrAZKEUD/lib/python3.8/site-packages/mitreattack/navlayers/core/layer.py", line 19, in __init__
    self._build()
  File "/Users/me/.local/share/virtualenvs/test-XrAZKEUD/lib/python3.8/site-packages/mitreattack/navlayers/core/layer.py", line 82, in _build
    self.__layer = _LayerObj(self._data['name'],  self._data['domain'])
AttributeError: 'Layer' object has no attribute '_data'

Possible Solution

Change self.__data (double underscore) to self._data (single underscore).

The Layers module documents how to import and export layers to local JSON. However, it does not document how a user could create a Layer(), and then programatically set and modify the properties of the layer. We should add a short tutorial of this to the Layer module documentation. It should include:

• Modifying filter properties
• Setting the gradient colors and upper and lower bounds
• Appending items to the legend
• Adding metadata
• Editing techniques
  • Setting score, comment, color, and metadata on an existing technique
  • Adding a new technique

As a user of this library, I want to be able to generate layer files representing the mappings from data sources to techniques just like I already can for group->technique mappings.

Hi i'm getting a 502 error trying to access https://cti-taxii.mitre.org/taxii/.

I'm working with navlayers and specifying source='taxii' .

Expected Behavior

AttackToExcel produces a file where the tactics column on the techniques sheet has the appropriate Tactic name for the Technique.

Actual Behavior

For techniques that are part of the Command and Control Tactic, it is presented as "Command And Control" with a capitalized "And".

Steps to Reproduce the Problem

1. Build the website. Ultimately it calls the mitreattack python library here
2. When the Techniques are parsed, their STIX Kill Chain Phases are manipulated here to strip hyphens and title case them.

Possible Solution

One approach may be to use an exception list of words that won't be title cased, as per this short article: https://www.kite.com/python/answers/how-to-titlecase-a-string-in-python. Or we could manually check if the tactic is in our specific list of pre-defined tactics.

Hi there.. is there a possibility to add support for MITRE's Malware Behavior Catalog (MBC) in addition to the TTPs? the official (as of now) MBC description can be found here.

thank you!

Expected Behavior

ToSvg Generates an SVG File from a layer

Actual Behavior

OSError when generating the SVG File

Traceback (most recent call last):
  File "/home/jrogers/wksp/project/src/project_file.py", line 279, in <module>
    test = GenerateMarkDown(
  File "/home/jrogers/wksp/project/src/project_file.py", line 74, in __init__
    self.generate_attack()
  File "/home/jrogers/wksp/project/src/project_file.py", line 262, in generate_attack
    attack_data.export_layer()
  File "/home/jrogers/wksp/project/src/attack_utils.py", line 76, in export_layer
    svg.to_svg(self.layer, filepath=os.path.join(self.output_path, 'enterprise-attack.svg'))
  File "/home/jrogers/anaconda3/envs/project/lib/python3.10/site-packages/mitreattack/navlayers/exporters/to_svg.py", line 464, in to_svg
    d = self.raw_handle.export(showName=sName, showID=sID, sort=sort, scores=scores,
  File "/home/jrogers/anaconda3/envs/project/lib/python3.10/site-packages/mitreattack/navlayers/exporters/svg_templates.py", line 262, in export
    d, presence, overlay = self._build_headers(lhandle.name, config, lhandle.domain,
  File "/home/jrogers/anaconda3/envs/project/lib/python3.10/site-packages/mitreattack/navlayers/exporters/svg_templates.py", line 90, in _build_headers
    g = SVG_HeaderBlock().build(height=header_height, width=header_width, label='about',
  File "/home/jrogers/anaconda3/envs/project/lib/python3.10/site-packages/mitreattack/navlayers/exporters/svg_objects.py", line 264, in build
    rect2 = HeaderRect(_getstringwidth(label, config.font, 12), _getstringheight(label, config.font, 12),
  File "/home/jrogers/anaconda3/envs/project/lib/python3.10/site-packages/mitreattack/navlayers/exporters/svg_objects.py", line 42, in _getstringwidth
    font = ImageFont.truetype('{}/fonts/{}.ttf'.format(os.path.sep.join(__file__.split(os.path.sep)[:-1]), font),
  File "/home/jrogers/anaconda3/envs/project/lib/python3.10/site-packages/PIL/ImageFont.py", line 878, in truetype
    return freetype(font)
  File "/home/jrogers/anaconda3/envs/project/lib/python3.10/site-packages/PIL/ImageFont.py", line 875, in freetype
    return FreeTypeFont(font, size, index, encoding, layout_engine)
  File "/home/jrogers/anaconda3/envs/project/lib/python3.10/site-packages/PIL/ImageFont.py", line 226, in __init__
    self.font = core.getfont(
OSError: cannot open resource

Steps to Reproduce the Problem

Requirements:

• Ubuntu 22.04

• Anaconda Python

  1. Install mitreattack-python as per README
  2. Attempt to export a layer using the to_svg function
  3. Get OSError

Possible Solution

• fonts folder appears to be missing from mitreattack/navlayers/exporters when installed using pip on an anaconda install (possibly on all installs)
• copy fonts folder from repo to mitreattack/navlayers/exporters

At the moment, the only citations referenced in ATT&CKToExcel's generated sheets are the ones present on the actual ATT&CK Objects themselves. The website has more of these, which are contained in relationships that relate to each object. We should provide these additional citations/references in the generated excel sheets.

Expected Behavior

On PyPi there is version 1.5.7 of this package, but the releases on GitHub has the latest at 1.5.6. Did something go amiss here?

Is your feature request related to a problem?

The tests take anywhere from 3-8 hours to complete.

Describe the solution you'd like

Reduce the amount of HTTP queries that the test modules send to the TAXII server. Theoretically, the TAXII server only needs to be queried by one of the tests (once) to validate that this argparser option works as intended.

Describe alternatives you've considered

If duplicate objects need to be retrieved multiple times, consider caching responses locally and/or retrieving the target STIX objects from the mitre/cti JSON source files.

Additional context

pyinstrument was used to validate that approx. 15% (3880s) of the total pytest runtime duration (24800s) of the tests were consumed by TAXII queries.

Is your feature request related to a problem?

No, but for background, I've rolled custom STIX and Navigator layer generation scripts for use with an ATT&CK Navigator fork.

Describe the solution you'd like

My "to-stix" Python script includes the definition of ATT&CK stix2.v20 classes for the creation of tactics and matrices. Would it be useful to have these classes as a utility in this repository for broader use?

Describe alternatives you've considered

Looked through this repo for similar classes, but didn't find a match.

Additional context

Happy to chat about other functionality overlaps and ways to contribute back to ATT&CK.

Expected Behavior

Handle properly import / export of comments including UTF-8 characters (french accents, for example)

Actual Behavior

Non ASCII characters are scrambled.
For example, this comment : Consiste à utiliser is outputted Consiste \u00c3\u00a0 utiliser

Steps to Reproduce the Problem

1. Write by hand accents into a comment of the JSON layer file (for example: Consiste à utiliser)
2. Load the layer using the API
3. Export the layer using the API
4. Open the outputted JSON file and see the comment

Possible Solution

I solved this problem by making the following changes :

1. mitreattack-python/mitreattack/navlayers/core/layer.py

   Line 60 in c923d9e

   with open(filename, 'r') as fio:

   
   changed to

with open(filename, 'r', encoding='utf-8') as fio:

3. mitreattack-python/mitreattack/navlayers/core/layer.py

   Line 72 in c923d9e

   with open(filename, 'w') as fio:

   
   changed to

with open(filename, 'w', encoding='utf-8') as fio:

4. mitreattack-python/mitreattack/navlayers/core/layer.py

   Line 73 in c923d9e

   json.dump(self.__layer.get_dict(), fio)

   
   changed to

json.dump(self.__layer.get_dict(), fp=fio, ensure_ascii=False)

Hello,

Thanks for all the work you put into this. I am running into an issue and not sure if the problem is what I'm doing or something else.

When I try to use the CLI tool or the python examples you provide in the repo, I am generating strange looking svgs. With a json layer file that looks like this:

{
    "versions": {
        "attack": "9.1",
        "navigator": "4.2",
        "layer": "4.2"
    },
    "layout": {
        "layout": "side",
        "showName": true,
        "showID": true
    },
    "showTacticRowBackground": true,
    "tacticRowBackground": "#dddddd",
    "selectTechniquesAcrossTactics": true,
    "selectSubtechniquesWithParent": true,
    "name": "sample_layer",
    "description": "sample description",
    "domain": "enterprise-attack",
    "techniques": [
        {
            "techniqueID": "T1580",
            "score": 10
        }
    ],
    "gradient": {
        "colors": [
            "#ffffff",
            "#004f92"
        ],
        "minValue": 0,
        "maxValue": 10
    }
}

I run layerExporter_cli layer.json -m svg -o demo.svg and get an SVG that looks like the following where every column includes every technique.

I also tried python code pieced together from your examples like this

import json
from mitreattack.navlayers import Layer, ToSvg, SVGConfig

with open('layer.json', 'r') as f:
    data = json.loads(f.read())

lay = Layer()
lay.from_dict(data) ## I tried both from_file and from_dict

y = SVGConfig(width=8.5, height=11, headerHeight=1, unit="in", showSubtechniques="expanded",
                 font="sans-serif", tableBorderColor="#6B7279", showHeader=True, legendDocked=True,
                 legendX=0, legendY=0, legendWidth=2, legendHeight=1, showLegend=True, showFilters=True,
                 showAbout=True, showDomain=True, border=0.104)

t = ToSvg(domain=lay.layer.domain, source='taxii', local=None, config=y)
t.to_svg(layerInit=lay, filepath='demo2.svg')

I want to eventually convert the svg to a png and embed it somewhere, but am not sure what I am missing. Thanks!

The changelog helper currently only supports minimal information about what changed from release to release. Please add more detailed changelog functionality

Is your feature request related to a problem?

Add tacticBackground and showTacticBackground as parameter options when using SVGConfig

Describe the solution you'd like

Add tacticBackground and showTacticBackground as a supported parameter options when using SVGConfig to export a layer as an SVG.

Expected Behavior

Generate all excel files

Actual Behavior

Generates all excel files but some are empty/non-compliant

Steps to Reproduce the Problem

1. python3 attackToExcel.py -domain enterprise-attack -version v8.2 (fails)
2. python3 attackToExcel.py -domain enterprise-attack -version v11.3 (works fine)
3. python3 attackToExcel.py (works fine)

Possible Solution

n/a

As a user, I want to be able to find the full ATT&CK dataset in the excel representation.

Currently multiple domain-specific fields are missing for techniques, including "Impact Type" and "Effective Permissions". The full list can be found in the USAGE document here: https://github.com/mitre/cti/blob/master/USAGE.md#techniques

This was likely caused by the fact that those fields were not listed in the USAGE document until relatively recently.

Describe the solution you'd like

Update the navlayers module to support layer file format version 4.5.

Additional context

To load a layer file via the navlayers module:

from mitreattack.navlayers import Layer

lay = Layer()
lay.from_file("layer-version-4.5.json")

To replicate:

from mitreattack.navlayers import MatrixGen
MatrixGen(source='local', local='cti/enterprise-attack/enterprise-attack.json')

matrix_gen.py, line 123:

self.collections['enterprise'] = hd.load_from_file(local)
hd.load_from_file(local) returns None

self.collections['enterprise'] = hd
should work as per normal

https://stix2.readthedocs.io/en/latest/api/datastore/stix2.datastore.memory.html#stix2.datastore.memory.MemoryStore.load_from_file

Expected Behavior

I am using mitreattack-python version 1.5.7.

I am trying to run the following code:

from mitreattack.navlayers.exporters.to_svg import ToSvg

x = ToSvg(domain='enterprise', source='taxii', resource=None, config=None)

I expect a ToSvg object to be successfully created.

Actual Behavior

I am receiving the following warnings and error (I have tested on two separate machines, both MacOS Monterey):

[taxii2client.v20] [WARNING ] [2022-06-01 11:27:42,565] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:42,565] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:42,686] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:42,686] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:42,785] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:42,786] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:42,888] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:42,888] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:42,991] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:42,991] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,091] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,091] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,191] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,191] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,291] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,292] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,391] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,391] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,490] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,490] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,591] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,591] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,691] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,691] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,790] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,790] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,891] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,891] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,991] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:43,991] TAXII Server Response with different amount of objects! Setting per_request=1
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:44,490] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:44,507] TAXII Server Response with different amount of objects! Setting per_request=719
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:44,868] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:44,888] TAXII Server Response with different amount of objects! Setting per_request=719
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:45,243] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:45,261] TAXII Server Response with different amount of objects! Setting per_request=719
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:45,649] TAXII Server Response did not include 'Content-Range' header - results could be incomplete.
[taxii2client.v20] [WARNING ] [2022-06-01 11:27:45,666] TAXII Server Response with different amount of objects! Setting per_request=719
Traceback (most recent call last):
  File "/private/tmp/python/test.py", line 3, in <module>
    x = ToSvg(domain='enterprise', source='taxii', resource=None, config=None)
  File "/private/tmp/python/venv/lib/python3.10/site-packages/mitreattack/navlayers/exporters/to_svg.py", line 393, in __init__
    self.raw_handle = SvgTemplates(domain=domain, source=source, resource=resource)
  File "/private/tmp/python/venv/lib/python3.10/site-packages/mitreattack/navlayers/exporters/svg_templates.py", line 34, in __init__
    self.h = MatrixGen(source=source, resource=resource)
  File "/private/tmp/python/venv/lib/python3.10/site-packages/mitreattack/navlayers/exporters/matrix_gen.py", line 151, in __init__
    self._build_matrix()
  File "/private/tmp/python/venv/lib/python3.10/site-packages/mitreattack/navlayers/exporters/matrix_gen.py", line 377, in _build_matrix
    techs, subtechs = self._get_technique_listing(tac.name.lower().replace(' ', '-'), domain)
  File "/private/tmp/python/venv/lib/python3.10/site-packages/mitreattack/navlayers/exporters/matrix_gen.py", line 200, in _get_technique_listing
    tid = [t['external_id'] for t in entry['external_references'] if 'attack' in t['source_name']]
  File "/private/tmp/python/venv/lib/python3.10/site-packages/mitreattack/navlayers/exporters/matrix_gen.py", line 200, in <listcomp>
    tid = [t['external_id'] for t in entry['external_references'] if 'attack' in t['source_name']]
  File "/private/tmp/python/venv/lib/python3.10/site-packages/stix2/base.py", line 251, in __getitem__
    return self._inner[key]
KeyError: 'external_id'

Steps to Reproduce the Problem

1. Run code from expected behavior

Possible Solution

Unsure

As a user of mitreattack-python, I want the documentation to match the names of functions so that I can be confident that I'm invoking them correctly.

In the attackToExcel documentation, the alliteration of "data frames" is often written as DF where in the code it is Df. This section in particular is inconsistent regarding this capitalization. The capitalization should be corrected in the documentation so as not to confuse users as to which is the correct one to invoke the function -- the documentation should be updated to match the actual function names in the source code (Df).

The layerobject's _enumerate function uses the field name version. Layer format version 4 changed this to versions (it was correct as version prior to layer version 4).

As an individual or organization seeking to share a custom ATT&CK dataset, I want to be able to create a collection from a STIX bundle so that it can be imported into ATT&CK Workbench.

Create a collection-creation script which takes a STIX 2.0 or STIX 2.1 bundle as argument and outputs a new STIX 2.1 bundle containing a collection object which references the contents of the bundle.

• If the input bundle contains STIX 2.0 data, it will need to be first converted to STIX 2.1. The STIX Stepper may be able to do this.
• A CLI should also be provided so that the user can easily convert bundles on their filesystem.

This group is available on website https://attack.mitre.org/groups/

but when we tried to pull this info via this library(even with latest version 1.2.1), it's not there. Below is the code snapshot

Expected Behavior

Add a dictionary to a technique's links as follows: {"divider": true}
The typical technique link dictionary format is: {"label": "blahblah", "url": "blahblah"}

Alternatively, I found LinkDiv(active=True) as the "supported" way to implement dividers, but this adds a dictionary with key value pairs that are not recognized by v4.7.1 Navigator: {"name": "DIVIDER", "value": true}
This method does not cause an error with the Layer function.

Actual Behavior

When converting a layer dictionary to Layer using "from mitreattack.navlayers.core import Layer", there are errors saying that the divider dictionary does not contain a label (which it's not supposed to because it's a divider). Adding a label key with empty string as value does not solve the problem. Because of the error, the entire technique is not processed and is not included in the output layer.json. Error: "label is not present in link"

Steps to Reproduce the Problem

1. Manually create a layer dictionary.
2. Add a link to some technique by adding a dictionary with "label" and "url" keys to a technique's links.
3. Add a divider by adding {"divider": true} to the same technique's links.
4. Add another link to the same technique's links.
5. Try to convert the layer dictionary to Layer using "from mitreattack.navlayers.core import Layer"
6. Get error

Possible Solution

Either prevent the Layer function from erroring for dividers formatted like this: {"divider": true}
or change how LinkDiv(active=True) is reflected, from {"name": "DIVIDER", "value": true} to {"divider": true}