ATT&CK Data & Tools

Tools to Use with ATT&CK

The following tools allow users to explore, access, visualize, and query ATT&CK in different ways.

Navigator Example

ATT&CK Navigator

The ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices. It can be used to visualize defensive coverage, red/blue team planning, the frequency of detected techniques, and more.

Workbench Example

ATT&CK Workbench

The ATT&CK Workbench is an application allowing users to explore, create, annotate, and share extensions of the ATT&CK knowledge base.

mitreattack-python Example

Python Utilities

ATT&CK provides a variety of Python tools for accessing, querying, and processing the ATT&CK dataset. These scripts can be useful utilities or serve as examples for how to work with ATT&CK programmatically.

Accessing ATT&CK Data

ATT&CK in STIX

Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). The ATT&CK dataset is available in STIX 2.0 and STIX 2.1. Other presentations of this dataset, including the ATT&CK Navigator and this website, are built from the STIX data.

STIX is a machine-readable format providing access to the ATT&CK knowledge base. It is the most granular representation of the ATT&CK data, and all other representations are derived from the STIX dataset.

The ATT&CK STIX representation is most easily manipulated in Python using the stix2 library. However, because STIX is represented in JSON, other programming languages can easily interact with the raw content.

Consider using ATT&CK in STIX if you:

  • Have automated workflows that need to ingest ATT&CK data.
  • Are a proficient Python user seeking to save time with automation or want to perform advanced queries.
  • Want your workflows to keep up-to-date with the evolving knowledge base.
  • Want to extend the ATT&CK dataset with custom content, and use this custom content with ATT&CK tools.
MITRE CTI Example

TAXII 2.1

The ATT&CK STIX data can also be accessed via the official ATT&CK TAXII™ server. Trusted Automated Exchange of Intelligence Information (TAXII) is an application protocol for exchanging CTI over HTTPS. The ATT&CK TAXII server provides API access to the ATT&CK STIX knowledge base.

ATT&CK Data Model

The ATT&CK Data Model provides a standardized way to represent ATT&CK data using Zod schemas. It enables developers to parse, validate, and utilize the ATT&CK knowledge base efficiently in various formats.

ATT&CK in Excel

These spreadsheets are built from the STIX dataset and provide a more human-accessible view into the knowledge base while also supporting rudimentary querying/filtering capabilities.

The Excel representation of the ATT&CK dataset below includes both master spreadsheets, containing all object types, and individual spreadsheets for each object type. The individual type spreadsheets break out relationships (e.g procedure examples connecting groups to techniques) into separate sheets by relationship type, while the master spreadsheet includes all relationship types in a single sheet.

A citations sheet can be used to look up the in-text citations which appear in some fields. For domains that include multiple matrices, such as Mobile ATT&CK, each matrix gets its own named sheet. Unlike the STIX dataset, objects that have been revoked or deprecated are not included in the spreadsheets.

Consider using ATT&CK in Excel if you:

  • Want to quickly sort, filter and query the dataset in a familiar UI.
  • Want to explore the contents of the dataset without having to navigate around the ATT&CK website.
  • Are not comfortable enough in Python or other programming languages to work with the STIX representation.
Excel Example

Excel Spreadsheets representing the ATT&CK dataset:

STIX to Excel Converter   

This folder within the pip module contains an additional module for converting ATT&CK STIX data to Excel spreadsheets. It also provides a means to access ATT&CK data as Pandas DataFrames for data analysis.