Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enterprise ATT&CK attack-patterns missing x_mitre_is_subtechnique #197

Open
lmahoney1 opened this issue Jun 1, 2022 · 1 comment
Open

Enterprise ATT&CK attack-patterns missing x_mitre_is_subtechnique #197

lmahoney1 opened this issue Jun 1, 2022 · 1 comment

Comments

@lmahoney1
Copy link

lmahoney1 commented Jun 1, 2022
edited
Loading

Hello,

I noticed that some techniques and sub-techniques in the enterprise collection are missing the x_mitre_is_subtechnique key / flag.

I've been using the TAXII server via this URL https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/ along with the python stix2 and taxii2client libraries.

Here's the code I've been using:

from stix2 import TAXIICollectionSource, Filter, CompositeDataSource
from taxii2client.v20 import Collection

collections = {
    "enterprise_attack": "95ecc380-afe9-11e4-9b6c-751b66dd541e",
    "mobile_attack": "2f669986-b40b-4423-b720-4396ca6a462b",
    "ics-attack": "02c3ef24-9cd4-48f3-a99f-b74ce24f1d34"
}

collection = Collection(f"https://cti-taxii.mitre.org/stix/collections/{collections['enterprise_attack']}/")
src = TAXIICollectionSource(collection)

techniques = src.query([Filter('type', '=', 'attack-pattern'), Filter('x_mitre_is_subtechnique', '=', False)])

I originally noticed because 'Phishing' stopped showing up in my techniques variable.

I'm not 100% sure how the JSON in this repo works, whether it feeds into the TAXII server or not, but I noticed a similar problem in the JSON files as well. For example:

I found there are 257 attack-patterns that don't have the x_mitre_is_subtechnique key (maybe some of these are old / revoked?) and 462 that do have the key.

Is this expected? Is there a better way to filter out / identify sub-techniques?

My use case is that I want to get just the techniques without any sub-techniques.

Thanks
@galangel
Copy link

galangel commented Jun 21, 2022
edited
Loading

I also found some sub techniques without the key x_mitre_is_subtechnique.

I found out about this while updating my list of Techniques and Sub techniques.
for example: T1113 is missing it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@galangel @lmahoney1