Using the API

From ATT&CK

Introduction

Almost all data in ATT&CK can be accessed using the Semantic MediaWiki Ask API. URLs targeting the API are constructed in the following pattern: /api.php?action=ask&format=<format specifier>&query=<insert query statement>, where <format specifier> is a specific output format (usually json or jsonfm) and <insert query statement> is a query that specifies the data to be retrieved. Queries are structured exactly as if they were targeting the Semantic MediaWiki #ask parser function.

Constructing Query Statements

Queries are constructed by combining one or more page selectors with a set of display parameters. A simple selector for all techniques is [[Category:Technique]] and a simple display parameter is ?Has display name which maps to the name of the ATT&CK Technique. To construct the query, the selector is combined with the display parameter by placing a | symbol in between. So the combined query is [[Category:Technique]]|?Has display name. This query will retrieve all ATT&CK techniques along with their display name. To run this we just have to URL encode the combined query and place it in the URL. The final query is:

https://attack.mitre.org/api.php?action=ask&format=jsonfm&query=%5B%5BCategory%3ATechnique%5D%5D%7C%3FHas%20display%20name

Selectors are generally either Categories or Properties. Category selectors are always prefixed with Category:. Relevant category selectors are [[Category:Technique]], [[Category:Group]] and [[Category:Software]] which will select all techniques, groups, and software respectively. Properties can also be used as selectors. Notable properties are Has display name, Has ID, Has tactic, Has platform however there are many other queryable properties. Using properties in selectors and display parameters is slightly different.

Property            Example Selector                   Display Parameter
Has display name    [[Has display name::Rootkit]]      ?Has display name
Has ID              [[Has ID::!T1014]]                 ?Has ID
Has tactic          [[Has tactic::Execution]]          ?Has tactic
Has platform        [[Has platform::Windows 7]]        ?Has platform

Selectors can be combined to build more specific queries. For example [[Has tactic::Privilege Escalation]][[Has tactic::Execution]] can be used to find all techniques that are used for both Privilege Escalation and Execution.

Example Queries

Below are some example queries.

A Specific Technique

This query matches the page with ID T1014 and returns the technique's tactics, ID, display name, and technical description.

Original query: [[Has ID::T1014]]|?Has tactic|?Has ID|?Has display name|?Has technical description|limit=9999 (the encoded URL below additionally prefixes [[Category:Technique]] so that only technique pages are matched)

URL Encoded: https://attack.mitre.org/api.php?action=ask&format=jsonfm&query=%5B%5BCategory%3ATechnique%5D%5D%5B%5BHas%20ID%3A%3AT1014%5D%5D%7C%3FHas%20tactic%7C%3FHas%20ID%7C%3FHas%20display%20name%7C%3FHas%20technical%20description%7Climit%3D9999

Listing All Techniques

This query matches all techniques and lists their tactics, ID and display name.

Original query: [[Category:Technique]]|?Has tactic|?Has ID|?Has display name|limit=9999

URL Encoded: https://attack.mitre.org/api.php?action=ask&format=jsonfm&query=%5B%5BCategory%3ATechnique%5D%5D%7C%3FHas%20tactic%7C%3FHas%20ID%7C%3FHas%20display%20name%7Climit%3D9999

Listing all Groups and their Technique Usage

This query gets all groups and their usage of ATT&CK Techniques, their ID and their aliases.

Original query: [[Category:Group]]|?Has technique|?Has ID|?Has alias|limit=9999

URL Encoded: https://attack.mitre.org/api.php?action=ask&format=jsonfm&query=%5B%5BCategory%3AGroup%5D%5D%7C%3FHas%20technique%7C%3FHas%20ID%7C%3FHas%20alias%7Climit%3D9999

Listing Groups that use a specific piece of software

This query matches all groups that use a specific piece of software (in this case "Software/S0002", Mimikatz) and returns their name and ID.

Original Query: [[Uses software::Software/S0002]]|?Has ID|?Has display name|limit=9999

URL Encoded: https://attack.mitre.org/api.php?action=ask&format=jsonfm&query=%5B%5BUses%20software%3A%3ASoftware/S0002%5D%5D%7C%3FHas%20ID%7C%3FHas%20display%20name%7Climit%3D9999

Formatting

Although these examples show output displayed as Formatted JSON (jsonfm, a pretty-printed HTML rendering intended for reading in a browser), output can be returned in many different ways by modifying the format= keyword argument in the URL. In particular, for machine-readable output, the parameter should be changed to format=json. MediaWiki has a full list of output options.
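The following is an added example, not code from the ATT&CK wiki or from MITRE, that puts the query-construction rules above and the format=json advice together: it joins selectors and display parameters with |, URL-encodes the result into the api.php pattern, parses a machine-readable response, and follows continuation when the server returns fewer rows than requested. The response layout (query.results[<page>].printouts, Page-typed values as objects with a fulltext key) and the continuation mechanism (a top-level query-continue-offset answered with an |offset=N parameter) are assumptions about Semantic MediaWiki's serializer rather than something the page states; the sample responses are constructed, and the live fetcher is included but never called offline.

```python
import json
from urllib.parse import quote
from urllib.request import urlopen

API_BASE = "https://attack.mitre.org/api.php"  # endpoint named on the page


def build_ask_query(selectors, printouts, limit=None):
    """Join page selectors, display parameters and an optional limit with '|'."""
    parts = list(selectors) + [f"?{name}" for name in printouts]
    if limit is not None:
        parts.append(f"limit={limit}")
    return "|".join(parts)


def build_ask_url(query, fmt="json"):
    """URL-encode the query and drop it into the api.php pattern.

    quote() leaves '/' alone, which matches the page's Software/S0002 URL,
    and encodes space as %20, '[' as %5B, '|' as %7C and '?' as %3F.
    """
    return f"{API_BASE}?action=ask&format={fmt}&query={quote(query, safe='/')}"


def parse_ask_results(payload):
    """Flatten an SMW ask result into {page_title: {property: [values]}}.

    Assumption about the SMW serializer: each hit lives under
    query.results[<page>].printouts, and Page-typed values (e.g. tactics)
    are objects carrying a 'fulltext' key; those are reduced to the title.
    """
    hits = payload.get("query", {}).get("results", {})
    flat = {}
    for page, record in hits.items():
        props = {}
        for prop, values in record.get("printouts", {}).items():
            props[prop] = [
                v["fulltext"] if isinstance(v, dict) and "fulltext" in v else v
                for v in values
            ]
        flat[page] = props
    return flat


def collect_results(query, fetch, fmt="json"):
    """Run a query and follow continuation until every row is collected.

    Assumption: SMW signals more rows with a top-level 'query-continue-offset'
    and accepts an '|offset=N' parameter to resume from there.
    fetch(url) must return the decoded JSON document for that URL.
    """
    merged = {}
    offset = 0
    while True:
        paged = query if offset == 0 else f"{query}|offset={offset}"
        payload = fetch(build_ask_url(paged, fmt))
        merged.update(parse_ask_results(payload))
        nxt = payload.get("query-continue-offset")
        if not nxt:
            return merged
        offset = int(nxt)


def http_fetch(url, timeout=30):
    """Live fetcher for collect_results; a timeout keeps a slow or unavailable
    wiki (see Availability) from hanging the caller. Not used offline."""
    with urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed sample responses shaped like the serializer assumed above:
# two "pages" of one technique each so the continuation logic is exercised.
SAMPLE_PAGES = [
    {
        "query": {
            "results": {
                "Technique/T1014": {
                    "printouts": {
                        "Has tactic": [{"fulltext": "Defense Evasion",
                                        "fullurl": "https://attack.mitre.org/wiki/Defense_Evasion"}],
                        "Has ID": ["T1014"],
                        "Has display name": ["Rootkit"],
                    },
                    "fulltext": "Technique/T1014",
                },
            },
            "meta": {"count": 1, "offset": 0},
        },
        "query-continue-offset": 1,
    },
    {
        "query": {
            "results": {
                "Technique/T1059": {
                    "printouts": {
                        "Has tactic": [{"fulltext": "Execution",
                                        "fullurl": "https://attack.mitre.org/wiki/Execution"}],
                        "Has ID": ["T1059"],
                        "Has display name": ["Command-Line Interface"],
                    },
                    "fulltext": "Technique/T1059",
                },
            },
            "meta": {"count": 1, "offset": 1},
        },
    },
]


def sample_fetch(url):
    """Offline stand-in for http_fetch: serve page 2 when the URL carries an offset."""
    return SAMPLE_PAGES[1] if "offset%3D" in url else SAMPLE_PAGES[0]


if __name__ == "__main__":
    query = build_ask_query(["[[Category:Technique]]"],
                            ["Has tactic", "Has ID", "Has display name"], limit=9999)
    print(build_ask_url(query, fmt="jsonfm"))  # same URL as the page's "Listing All Techniques"
    for page, props in collect_results(query, sample_fetch).items():
        print(page, props["Has ID"][0], props["Has display name"][0], props["Has tactic"])
```

To run against the live wiki, pass http_fetch in place of sample_fetch; keeping the fetcher injectable is also what lets the caller add the retry, caching or rate-limiting that the Availability section implies before relying on the API for anything beyond periodic updates.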

Availability

We make our best effort to ensure ATT&CK is up, but don't make any guarantees on uptime and availability. For now, we caution against integrating direct API queries into a product unless it’s for non-critical periodic updates.

Legal

See the ATT&CK Terms of Use.