mitre / cti

Cyber Threat Intelligence Repository expressed in STIX 2.0

Enterprise ATT&CK `attack-pattern`s missing `x_mitre_is_subtechnique` #197

Open lmahoney1 opened 2 years ago

lmahoney1 commented 2 years ago

Hello,

I noticed that some techniques and sub-techniques in the enterprise collection are missing the x_mitre_is_subtechnique key / flag.

I've been using the TAXII server via this URL https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/ along with the python stix2 and taxii2client libraries.

Here's the code I've been using:

```python
from stix2 import TAXIICollectionSource, Filter
from taxii2client.v20 import Collection

# TAXII 2.0 collection IDs for the three ATT&CK domains
collections = {
    "enterprise_attack": "95ecc380-afe9-11e4-9b6c-751b66dd541e",
    "mobile_attack": "2f669986-b40b-4423-b720-4396ca6a462b",
    "ics-attack": "02c3ef24-9cd4-48f3-a99f-b74ce24f1d34"
}

# Connect to the Enterprise ATT&CK collection and wrap it as a stix2 data source
collection = Collection(f"https://cti-taxii.mitre.org/stix/collections/{collections['enterprise_attack']}/")
src = TAXIICollectionSource(collection)

# Fetch attack-patterns whose x_mitre_is_subtechnique flag is explicitly False;
# an object that lacks the key entirely does not satisfy this filter
techniques = src.query([Filter('type', '=', 'attack-pattern'),
                        Filter('x_mitre_is_subtechnique', '=', False)])
```

I originally noticed because 'Phishing' stopped showing up in my techniques variable.

I'm not 100% sure how the JSON in this repo works, whether it feeds into the TAXII server or not, but I noticed a similar problem in the JSON files as well. For example:

I found there are 257 attack-patterns that don't have the x_mitre_is_subtechnique key (maybe some of these are old / revoked?) and 462 that do have the key.

Is this expected? Is there a better way to filter out / identify sub-techniques?

My use case is that I want to get just the techniques without any sub-techniques.

Thanks
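As an added example (not code from the issue author or the repository), the filter below keeps top-level techniques even when `x_mitre_is_subtechnique` is absent: it uses the flag when present and otherwise falls back to the ATT&CK ID format from `external_references` (sub-technique IDs contain a dot, e.g. `T1566.001`), and drops revoked or deprecated objects. The sample objects are constructed stand-ins, and the dict-based helpers are assumed to be applied to `dict(obj)` for objects returned by `src.query()`.

```python
from typing import Iterable, List, Optional


def attack_id(obj: dict) -> Optional[str]:
    """Return the ATT&CK ID (e.g. 'T1566' or 'T1566.001') from external_references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def is_subtechnique(obj: dict) -> bool:
    """Prefer the explicit flag; if the key is missing, fall back to the ID format
    (assumption: a dotted ATT&CK ID such as T1566.001 denotes a sub-technique)."""
    if "x_mitre_is_subtechnique" in obj:
        return bool(obj["x_mitre_is_subtechnique"])
    return "." in (attack_id(obj) or "")


def is_active(obj: dict) -> bool:
    """Exclude objects marked revoked or deprecated in the ATT&CK STIX data."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def top_level_techniques(objects: Iterable[dict]) -> List[dict]:
    """Active attack-pattern objects that are not sub-techniques, flag present or not."""
    return [o for o in objects
            if o.get("type") == "attack-pattern" and is_active(o) and not is_subtechnique(o)]


def _ref(ext_id: str) -> list:
    return [{"source_name": "mitre-attack", "external_id": ext_id}]


# Constructed sample objects (not real repository data); only the fields used above
SAMPLE = [
    # technique without the flag: would vanish from a Filter(..., '=', False) query
    {"type": "attack-pattern", "name": "Phishing", "external_references": _ref("T1566")},
    # sub-technique with the flag set
    {"type": "attack-pattern", "name": "Spearphishing Attachment",
     "x_mitre_is_subtechnique": True, "external_references": _ref("T1566.001")},
    # sub-technique without the flag: caught by the dotted-ID fallback
    {"type": "attack-pattern", "name": "Sub Without Flag", "external_references": _ref("T9999.001")},
    # revoked technique with the flag explicitly False
    {"type": "attack-pattern", "name": "Old Technique", "x_mitre_is_subtechnique": False,
     "revoked": True, "external_references": _ref("T9998")},
    # not an attack-pattern at all
    {"type": "x-mitre-tactic", "name": "Initial Access", "external_references": _ref("TA0001")},
]
```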

galangel commented 2 years ago

I also found some sub-techniques without the key x_mitre_is_subtechnique.

I found out about this while updating my list of Techniques and Sub-techniques. For example: T1113 is missing it.