Using the API
Almost all data in ATT&CK can be accessed using the Semantic MediaWiki Ask API. URLs targeting the API are constructed in the following pattern: /api.php?action=ask&format=<format specifier>&query=<insert query statement>, where <format specifier> is a specific output format (usually jsonfm) and <insert query statement> is a query that specifies the data to be retrieved. Queries are structured as if they were targeting the Semantic MediaWiki #ask parser function.
Constructing Query Statements
Queries are constructed by combining one or more page selectors with a set of display parameters. A simple selector for all techniques is [[Category:Technique]], and a simple display parameter is ?Has display name, which maps to the name of the ATT&CK technique. To construct the query, the selector is combined with the display parameter by placing a | symbol in between, so the combined query is [[Category:Technique]]|?Has display name. This query retrieves all ATT&CK techniques along with their display names. To run it, we just have to URL-encode the combined query and place it in the URL. The final query is:
Selectors are generally either categories or properties. Category selectors are always prefixed with Category:. The relevant category selectors are [[Category:Technique]], [[Category:Group]] and [[Category:Software]], which select all techniques, groups and software respectively. Properties can also be used as selectors. Notable properties are Has display name, Has ID, Has tactic and Has platform, but there are many other queryable properties. Using properties in selectors and display parameters is slightly different, as the table below shows.
| Property         | Example Selector              | Display Parameter |
|------------------|-------------------------------|-------------------|
| Has display name | [[Has display name::Rootkit]] | ?Has display name |
| Has ID           | [[Has ID::!T1014]]            | ?Has ID           |
| Has tactic       | [[Has tactic::Execution]]     | ?Has tactic       |
| Has platform     | [[Has platform::Windows 7]]   | ?Has platform     |
Selectors can be combined to build more specific queries. For example [[Has tactic::Privilege Escalation]][[Has tactic::Execution]] can be used to find all techniques that are used for both Privilege Escalation and Execution.
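The query-building steps above (concatenating selectors, separating display parameters with |, URL-encoding the result into the /api.php?action=ask pattern) as a small added Python helper; this is example code written for this page, not ATT&CK's own tooling. The base URL is a hypothetical placeholder, since the page only gives the /api.php path. The helper refuses caller-supplied values containing |, [[, ]] or ::, because such a value would otherwise change the structure of the query rather than just its content, which matters once technique IDs or names come from user input.

```python
from urllib.parse import urlencode

# Hypothetical base URL: the page only gives the /api.php path, not the host.
API_BASE = "https://attack.example.invalid/api.php"

# Tokens that would let a caller-supplied value alter the query structure:
# "|" separates query parts, "[[" / "]]" delimit selectors and "::" separates a
# property from its value. Reject them rather than try to escape them.
_FORBIDDEN = ("|", "[", "]", "::")


def _check(text: str) -> str:
    """Return text unchanged if it cannot break out of its query fragment."""
    for token in _FORBIDDEN:
        if token in text:
            raise ValueError(f"unsafe characters in query fragment: {text!r}")
    return text


def category_selector(category: str) -> str:
    """[[Category:Technique]] style selector."""
    return f"[[Category:{_check(category)}]]"


def property_selector(prop: str, value: str) -> str:
    """[[Has ID::T1014]] style selector. The value is passed through as-is,
    so a leading "!" as shown in the page's table still reaches SMW."""
    return f"[[{_check(prop)}::{_check(value)}]]"


def build_ask_query(selectors, printouts=(), limit=None) -> str:
    """Concatenate the selectors (all must match) and join them with the
    "?Property" display parameters and an optional limit using "|"."""
    if not selectors:
        raise ValueError("at least one selector is required")
    parts = ["".join(selectors)]
    parts.extend("?" + _check(p) for p in printouts)
    if limit is not None:
        parts.append(f"limit={int(limit)}")
    return "|".join(parts)


def build_ask_url(query: str, fmt: str = "jsonfm", base: str = API_BASE) -> str:
    """URL-encode the combined query into /api.php?action=ask&format=...&query=..."""
    return base + "?" + urlencode({"action": "ask", "format": fmt, "query": query})


if __name__ == "__main__":
    # The page's first example: all techniques with their display names.
    simple = build_ask_query([category_selector("Technique")], ["Has display name"])
    print(simple)
    print(build_ask_url(simple))

    # Combined selectors: techniques used for both Privilege Escalation and Execution.
    both = build_ask_query(
        [property_selector("Has tactic", "Privilege Escalation"),
         property_selector("Has tactic", "Execution")],
        ["Has ID", "Has display name"],
        limit=9999,
    )
    print(build_ask_url(both, fmt="json"))
```

Passing fmt="json" rather than the default "jsonfm" gives a response that a program can parse directly.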
Below are some example queries.
A Specific Technique
This query matches the page with ID T1014 and returns the technique's tactics, ID, display name, and technical description.
[[Has ID::T1014]]|?Has tactic|?Has ID|?Has display name|?Has technical description|limit=9999
Listing All Techniques
This query matches all techniques and lists their tactics, ID and display name.
[[Category:Technique]]|?Has tactic|?Has ID|?Has display name|limit=9999
Listing all Groups and their Technique Usage
This query gets all groups and their usage of ATT&CK Techniques, their ID and their aliases.
[[Category:Group]]|?Has technique|?Has ID|?Has alias|limit=9999
Listing Groups that use a specific piece of software
This query matches all the groups that use a specific piece of software (in this case "Software/S0002", Mimikatz) and returns their name and ID.
[[Uses software::Software/S0002]]|?Has ID|?Has display name|limit=9999
Although these examples show output being displayed as Formatted JSON, output can be returned in many different ways by modifying the format= keyword argument in the URL. In particular, for machine-readable output, the parameter should be changed to format=json. MediaWiki has a full list of output options.
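An added example of consuming a format=json reply for the "A Specific Technique" query above; this is example code written for this page, not ATT&CK's own, and the page shows no response body. The sample reply is constructed here, and its shape (query.results keyed by page title, each with a printouts map, page-valued properties such as Has tactic arriving as objects with a fulltext field) follows the Semantic MediaWiki ask API JSON serializer as the author of this example understands it. The "query-continue-offset" check is likewise assumed from SMW behaviour: it is how a client can tell that a limit (such as the limit=9999 used in the examples) cut the result set short.

```python
import json

# Constructed sample of a format=json reply to
# [[Has ID::T1014]]|?Has tactic|?Has ID|?Has display name
# (shape assumed from the SMW ask API serializer; not taken from the page).
SAMPLE_JSON = json.dumps({
    "query": {
        "results": {
            "Technique/T1014": {
                "printouts": {
                    "Has tactic": [{"fulltext": "Defense Evasion",
                                    "fullurl": "https://attack.example.invalid/wiki/Defense_Evasion",
                                    "namespace": 0, "exists": "1", "displaytitle": ""}],
                    "Has ID": ["T1014"],
                    "Has display name": ["Rootkit"],
                },
                "fulltext": "Technique/T1014",
                "fullurl": "https://attack.example.invalid/wiki/Technique/T1014",
                "namespace": 0, "exists": "1", "displaytitle": "",
            }
        },
        "meta": {"hash": "0000", "count": 1, "offset": 0, "source": "", "time": "0.01"},
    }
})


def _scalar(value):
    """Page-valued printouts arrive as objects; keep their page title.
    Text and number printouts arrive as plain values."""
    if isinstance(value, dict):
        return value.get("fulltext", "")
    return value


def parse_ask_response(text: str):
    """Flatten a format=json ask reply into one dict per result page.

    format=jsonfm wraps the same data in HTML for viewing in a browser, so
    json.loads() rejects it; request format=json when a program is the consumer.
    """
    data = json.loads(text)
    rows = []
    for page, entry in data["query"]["results"].items():
        row = {"page": page}
        for prop, values in entry.get("printouts", {}).items():
            row[prop] = [_scalar(v) for v in values]
        rows.append(row)
    return rows


def has_more_results(text: str) -> bool:
    """True when SMW reports that the limit truncated the result set
    (assumed: SMW adds a top-level "query-continue-offset" key in that case)."""
    return "query-continue-offset" in json.loads(text)


def technique_summaries(text: str):
    """Convenience view: (ID, display name, list of tactics) per technique."""
    out = []
    for row in parse_ask_response(text):
        out.append((row.get("Has ID", [""])[0],
                    row.get("Has display name", [""])[0],
                    row.get("Has tactic", [])))
    return out


if __name__ == "__main__":
    for ident, name, tactics in technique_summaries(SAMPLE_JSON):
        print(f"{ident}\t{name}\t{', '.join(tactics)}")
    print("more results pending:", has_more_results(SAMPLE_JSON))
```

A client that loops over large categories should page with limit and offset until has_more_results() is false rather than relying on a single oversized limit.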
We make our best effort to ensure enterprise is up, but don't make any guarantees on uptime and availability. For now, we caution against integrating direct API queries into a product unless it’s for non-critical periodic updates.