mitre / cti Goto Github PK

Cyber Threat Intelligence Repository expressed in STIX 2.0

License: Other

stix cti cyber-threat-intelligence attack

cti's Introduction

CTI

This repository contains the MITRE ATT&CK® and CAPEC™ datasets expressed in STIX 2.0. See USAGE or USAGE-CAPEC for information on using this content with python-stix2.

If you are looking for ATT&CK represented in STIX 2.1, please see the attack-stix-data GitHub repository. Both MITRE/CTI (this repository) and attack-stix-data will be maintained and updated with new ATT&CK releases for the foreseeable future, but the data model of attack-stix-data includes quality-of-life improvements not found on MITRE/CTI. Please see the attack-stix-data USAGE document for more information on the improved data model of that repository.

ATT&CK

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

https://attack.mitre.org

CAPEC

Understanding how the adversary operates is essential to effective cyber security. CAPEC™ helps by providing a comprehensive dictionary of known patterns of attacks employed by adversaries to exploit known weaknesses in cyber-enabled capabilities. It can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses.

Focuses on application security
Enumerates exploits against vulnerable systems
Includes social engineering / supply chain
Associated with Common Weakness Enumeration (CWE)

https://capec.mitre.org/

STIX

Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI).

STIX enables organizations to share CTI with one another in a consistent and machine readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively.

STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.

https://oasis-open.github.io/cti-documentation/

cti's People

Contributors

Stargazers

Watchers

Forkers

threatinteltest lctrcl jjediny robincover saintx emmanvg aburan28 subzeroking dsbest gosecure igovsol trevornovak weeshlow santosomar chaser1093 noone31173 herisatry ccaballe r-net-tools threezerobravoteam ryanbreed-tp h4rry cybersme booms007 dekoder shawnbertrand evansjonathan kswitch2020 gr4ym4ntx c0010 basketwill dipsec avgirl orf53975 fam-gtfo amattoo langitio tim1512 mieitza datkk06 gladipero withrich s-nakhodchi add1ct3d hakuho rheanag malumoni larrycameron80 olafhartong therealeliteowl modulexcite awesome-attack vysecurity gvpdbish michaelhidalgo leeabc13 humbertcostas benhe119 koncybernet tjleach destroyer6662019 frbor devfoundsec pandapentest xsint limengmingx keloysiusmak sjtu2008 caca3rd peiying98 spiffohub rogue7 allant0 kyrie030609 crim3hound lazerhawk ababook sainineeraj michalgarcarz subi3wr3x jieyoujun vvx7 ntgitdude23 pipili0131 leexuan dskho walt1998 guillain w0r1dhe110 marciopocebon mbellioum freighttrust sambacha jenniffer27 3v1lw1th1n lovebair2022 zhaoshiling1017 lyastro happylaodu fierytermite

cti's Issues

update links in readme and usage documents to refer to the new ATT&CK site and remove old references to MediaWiki API

Slider project not setup for for continuous integration (Travis)

Hi Em,

You seem to be the best person to do this quickly - so we can release asap.
Could you take care of it?

redundant aliases

malware--123bd7b3-675c-4b1a-8482-c55782b20e2b has these (in Turtle not JSON notation, but you get the point):

stix:name                 "BUBBLEWRAP" ;        
mitre:aliases             "Backdoor.APT.FakeWinHTTPHelper" , "BUBBLEWRAP" .

The second alias is redundant because it's the same as name.

BTW where can I post STIX bugs? I think these should be moved to Common Properties: name aliases description

[Question] TAXII Server Usage - Pagination and added_after

Hello there,

We're implementing ingestion of MITRE ATT&CK data within our product via TAXII 2.0 and I've run into a few issues on the get objects endpoints.

As per the TAXII 2.0 specification, one should be able to do the following on a <api-root>/collections/<id>/objects/ endpoint:

Paginate response objects via a Range: items X-Y header
Filter via an added_after query string parameter given a timestamp value in the form of YYYY-MM-DDTHH:mm:ss.[s+]Z

Using the Enterprise Attack, Pre-Attack, or Mobile Attack endpoints I cannot get either of these options to work for the life of me. Are these options actually supported by the MITRE TAXII Server?

Thanks!

DragonFly like a intrustion set

I think there is a mistake here https://github.com/mitre/cti/blob/272ce2cd52a7ca4820775e7278a7af1395b44d94/ATTACK/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json about DragonFly is a threat actor and no intrusion set if i read the documentation here https://stixproject.github.io/stix2.0/stixdocs/stix-v2.0-wd02.pdf.

Get Examples from cti FileSystem.

Hello.
I am new to MITRE CTI and STIX. What I can't find, is how to get examples from a particular technique. For example, if we follow this link: https://attack.mitre.org/techniques/T1214/ we can see Examples part, where Names and descriptions are provided. But I can't figure out how to get this information out of the data provided in this repository. The basic idea is to get all malware families (or APT group) names, that utilize certain attack pattern. So I can find an attack pattern, but not the examples.
Thank you.

attack-pattern json flagged as TrojanDownloader:Win32/Bumoru.A by Windows Defender

The file attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe.json is flagged as TrojanDownloader:Win32/Bumoru.A by Windows Defender.

The same result can be seen in virustotal:

https://www.virustotal.com/#/file/2e785f59251a393f94690cc90440a42c3d9e111c1772e81831055433ecc6c4a8/detection

Based on quick assessment, this is because in the "description" field, the string, "cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs", is present.

Consider removing this string or updating your documentation(e.g. Readme.md) so at least affected users are made aware.

Incorrect id for Initial access tactic

Hi
In cti/enterprise-attack/x-mitre-tactic/x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca.json file I would expect that id will be consistent with file name and references from mitre-matrix. Instead it has id x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6 which is not referenced anywhere.

Request leveraging Kill Chain in Attack Patterns

We are grouping attack patterns based on kill chain phase. Would it be possible for capec group of attack patterns to also implement the kill chain property?

[Enterprise STIX Objects] custom objects showing as type <class dict> rather than STIX object type

Good afternoon Team,

I was updating my python wrapper to collect information in STIX from the public TAXII server and started to do some exploring of each technology-domain. I decided to query the enterprise collection and explore the available objects in it:

Im using a Jupyter Notebook:

In [27]: from taxii2client import Collection                                                                                                                                                
In [28]: from stix2 import TAXIICollectionSource, Filter                                                                                                                                    
In [29]: ATTCK_STIX_COLLECTIONS = "https://cti-taxii.mitre.org/stix/collections/"                                                                                                           
In [30]: ENTERPRISE_ATTCK = "95ecc380-afe9-11e4-9b6c-751b66dd541e"                                                                                                                          
In [31]: ENTERPRISE_COLLECTION = Collection(ATTCK_STIX_COLLECTIONS + ENTERPRISE_ATTCK + "/")                                                                                                
In [32]: TC_ENTERPRISE_SOURCE = TAXIICollectionSource(ENTERPRISE_COLLECTION)                                                                                                                
In [33]: enterprise_objects = TC_ENTERPRISE_SOURCE.query()                                                                                                                                  
In [34]: type(enterprise_objects)                                                                                                                                                           
Out[34]: list
In [35]: enterprise_list = []                                                                                                                                                               
In [36]: for o in enterprise_objects: 
    ...:     enterprise_list.append(o['type']) 
    ...:                                                                                                                                                                               
In [37]: from collections import Counter                                                                                                                                                    
In [38]: Counter(enterprise_list)                                                                                                                                                           
Out[38]: 
Counter({'relationship': 4852,
         'course-of-action': 241,
         'attack-pattern': 244,
         'malware': 278,
         'tool': 56,
         'intrusion-set': 88,
         'x-mitre-tactic': 12,
         'x-mitre-matrix': 1,
         'identity': 1,
         'marking-definition': 1})
In [39]:

As you can see in output 38, I was able to aggregate each object and show the number of times the object is present.

Now, when I perform a loop through the enterprise available objects and inspect the type of data I am dealing with, I get STIX object types which is what I expect. However, when I inspect the type of the object x-mitre-tactic, it returns a dict type.

In [41]: for e in enterprise_objects: 
    ...:     if e['type'] == "x-mitre-tactic": 
    ...:         print(e['name']) 
    ...:         print(type(e)) 
    ...:         print("-----") 
    ...:                                                                                                                                                                                    
Impact
<class 'dict'>
-----
Credential Access
<class 'dict'>
-----
Defense Evasion
<class 'dict'>
-----
Initial Access
<class 'dict'>
-----
Command and Control
<class 'dict'>
-----
Exfiltration
<class 'dict'>
-----
Privilege Escalation
<class 'dict'>
-----
Collection
<class 'dict'>
-----
Execution
<class 'dict'>
-----
Persistence
<class 'dict'>
-----
Discovery
<class 'dict'>
-----
Lateral Movement
<class 'dict'>
-----

Is there a reason why the custom STIX objects are of type dict and not STIX?

Thank you in advance!

Software (Malware and Tool) is missing platform information

The website has Platform information for software: https://attack.mitre.org/wiki/Software/S0066

But, that property isn't being added to the structured STIX content. That should be fixed by adding an x_mitre_platforms custom property with that information.

Mobile-Attack Technique source_name different from Mobile-Attack (Malware/Tool) source_name

Good afternoon,

I was going through all data I collected with this function https://github.com/Cyb3rWard0g/ATTACK-Python-Client/blob/master/attackcti/attack_api.py#L177 and I noticed that there were 4 Matrices available to filter all my results.

What I do is I collect all the data from TAXII and make sure I parse the first object source_name value from the "external_references list or '"kill_chain_name" value from "kill_chain_phases" list if it is a technique for every single object. That helps me to filter all my results by Matrix (Enterprise, PRE or Mobile).

What I get is the following:

I see:

mitre-attack
mitre-attack-mobile
mitre-mobile-attack
mitre-pre-attack

Obviously the Mobile Matrix is named twice. I checked an example of a Mobile technique, Mobile Malware and Mobile Tool. This is what I get:

Mobile Technique: https://github.com/mitre/cti/blob/master/mobile-attack/attack-pattern/attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d.json

{
    "objects": [
        {
            "name": "Malicious SMS Message",
            "description": "An SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device. For example, Mulliner and Miller demonstrated such an attack against the iPhone in 2009 as described in  (Citation: Forbes-iPhoneSMS).\n\nAn SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser.\n\nAs described by SRLabs in  (Citation: SRLabs-SIMCard), vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages.\n\nPlatforms: Android, iOS",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-mobile-attack",
                    "phase_name": "exploit-via-cellular-network"
                }
            ],
            "external_references": [
                {
                    "url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1057",
                    "source_name": "mitre-mobile-attack",
                    "external_id": "MOB-T1057"
                },
                {
                    "description": "Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. Retrieved December 23, 2016.",
                    "source_name": "Forbes-iPhoneSMS",
                    "url": "http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html"
                },
                {
                    "description": "SRLabs. (n.d.). SIM cards are prone to remote hacking. Retrieved December 23, 2016.",
                    "source_name": "SRLabs-SIMCard",
                    "url": "https://srlabs.de/bites/rooting-sim-cards/"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "created": "2017-10-25T14:48:08.155Z",
            "x_mitre_platforms": [
                "Android",
                "iOS"
            ],
            "x_mitre_tactic_type": [
                "Pre-Adversary Device Access"
            ],
            "id": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
            "modified": "2018-04-13T17:05:30.756Z",
            "type": "attack-pattern"
        }
    ],
    "type": "bundle",
    "id": "bundle--5d81556e-2428-4c10-bc30-41b9ce345e9a",
    "spec_version": "2.0"
}

Mobile Malware: https://github.com/mitre/cti/blob/master/mobile-attack/malware/malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1.json

{
    "objects": [
        {
            "name": "DroidJack RAT",
            "description": "Android remote access trojan (RAT) that has been observed to pose as legitimate applications including the Super Mario Run (Citation: Zscaler-SuperMarioRun) and Pokemon GO games (Citation: Proofpoint-Droidjack).\n\nAliases: DroidJack RAT",
            "external_references": [
                {
                    "url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0036",
                    "source_name": "mitre-attack-mobile",
                    "external_id": "MOB-S0036"
                },
                {
                    "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017.",
                    "source_name": "Zscaler-SuperMarioRun",
                    "url": "https://www.zscaler.com/blogs/research/super-mario-run-malware-2-\u2013-droidjack-rat"
                },
                {
                    "description": "Proofpoint. (2016, July 7). DroidJack Uses Side-Load\u2026It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017.",
                    "source_name": "Proofpoint-Droidjack",
                    "url": "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "created": "2017-10-25T14:48:40.571Z",
            "x_mitre_aliases": [
                "DroidJack RAT"
            ],
            "id": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
            "modified": "2018-01-17T12:56:55.080Z",
            "labels": [
                "malware"
            ],
            "type": "malware"
        }
    ],
    "type": "bundle",
    "id": "bundle--b03d8364-5a27-477b-804a-805420f4fa2d",
    "spec_version": "2.0"
}

Mobile Tool: https://github.com/mitre/cti/blob/master/mobile-attack/tool/tool--da21929e-40c0-443d-bdf4-6b60d15448b4.json

{
    "objects": [
        {
            "name": "Xbot",
            "description": "Xbot is a family of Android malware analyzed by Palo Alto Networks (Citation: PaloAlto-Xbot) that \"tries to steal victims' banking credentials and credit card information\", \"can also remotely lock infected Android devices, encrypt the user's files in external storage (e.g., SD card), and then ask for a U.S. $100 PayPal cash card as ransom\" and \"will steal all SMS message and contact information, intercept certain SMS messages, and parse SMS messages for mTANs (Mobile Transaction Authentication Number) from banks.\"\n\nAliases: Xbot",
            "external_references": [
                {
                    "url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0014",
                    "source_name": "mitre-attack-mobile",
                    "external_id": "MOB-S0014"
                },
                {
                    "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.",
                    "source_name": "PaloAlto-Xbot",
                    "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "created": "2017-10-25T14:48:48.609Z",
            "x_mitre_aliases": [
                "Xbot"
            ],
            "id": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4",
            "modified": "2018-01-17T12:56:55.080Z",
            "labels": [
                "tool"
            ],
            "type": "tool"
        }
    ],
    "type": "bundle",
    "id": "bundle--4479be72-eb3b-46fc-a710-d552e9934618",
    "spec_version": "2.0"
}

are they supposed to have different source_name values?? I checked Enterprise and I see source_name values matching their techniques with malware and tools. PRE-Attack does not have malware or tools stix objects so that doesn't matter. However, Mobile seems to have different values. I might be missing something. Thank you guys for your time in advance!!

Description field for Tactics?

Do you have any plans to add the description sections that are on the Wiki for each of the Tactics?

Mobile-Attack techniques missing tactic reference (kill_chain_phases/name)

The mobile-attack attack-patterns are missing the attribute for kill_chain_phases that described the associated Tactic(s) for the technique with the phase_name. It appears they went missing with the Oct 2018 updates but were previously present.

Example of previous inclusion:

            "name": "Malicious SMS Message",
            "description": "An SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device. For example, Mulliner and Miller demonstrated such an attack against the iPhone in 2009 as described in  (Citation: Forbes-iPhoneSMS).\n\nAn SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser.\n\nAs described by SRLabs in  (Citation: SRLabs-SIMCard), vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages.\n\nPlatforms: Android, iOS",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-mobile-attack",
                    "phase_name": "exploit-via-cellular-network"
                }
            ],
            "external_references": [
                {
                    "url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1057",
                    "source_name": "mitre-mobile-attack",
                    "external_id": "MOB-T1057"
                },

Relationships in USAGE.md

In USAGE.md, it states that the relationships between groups and techniques exist as "attack-pattern" uses "malware or tool" which makes the "attack-pattern" the source_ref. However, an "attack-pattern" is always the target_ref when in relationships between groups or software.

USAGE.md needs to be update to reflect this in the code samples and in the written documentation, particularly in the Get all Techniques used By a Group's Software and Get all Groups and Software that use a specific Technique sections.

Create a test enterprise attack.json file

Can someone create an enterprise attack .json file with only a couple of threats? It would make it alot easier to create unit tests.

Duplicates in course of actions

Course of actions for Capec and Enterprise ATT&CK have SDOs with same description only differing for id and name. Could the duplicates be removed?

Capec has 207 duplicates, here filter to identify them

c = fs_capec.query([Filter('id', '=', 'course-of-action--288326b3-896e-463c-b6ff-5dc65f4e77c0')]) print(len(fs_capec.query(Filter('description', '=', c[0].description)))

CAPEC attack patterns?

This is not an issue, but a feature request--do you have any plans to distribute CAPEC attack patterns in this repository?

Relationship for x-mitre-tactic SDOs?

SDOs x-mitre-tactic do not to have relationships with techniques as per, e.g., the Enterprise matrix. As well as the SDO x-mitre-matrix does not have relationships as well.

Rather than using filter based on x_mitre_shortname cannot there be custom relationships representing the different matrices?

turn external_references into Reports

See https://attack.mitre.org/wiki/Technique/T1043#References: it has 32 references.
But the corresponding JSON attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e.json has only two external_references

https://attack.mitre.org/wiki/Technique/T1043 itself
"Gardiner, J., Cova, M., Nagaraja, S. (2014, February)", which is the last one in the list

502 Bad Gateway Error

Hello,
When I run below script from this link :
https://medium.com/mitre-attack/att-ck-content-available-in-stix-2-0-via-public-taxii-2-0-server-317e5c41e214
I got 502 Server Error Bad Gateway.

from stix2 import TAXIICollectionSource 
from taxii2client import Server
# Instantiate server and get API Root
server = Server("https://cti-taxii.mitre.org/taxii/")
api_root = server.api_roots[0]

# Print name and ID of all ATT&CK technology-domains available as collections
for collection in api_root.collections:
    print(collection.title + ": " + collection.id)

Can you help me about this issue?
Thanks

Is 'Has technique object' property for 'Software' available in ATT&CK STIX Content?

Good evening Team,

Is the 'Has technique object' property available via TAXII?

For example:

Let's say I want to gather information about Software: Winnti.

If I go to https://attack.mitre.org/wiki/Software/S0141 , I can see the following:

I would like to gather the specific information/description of each technique associated with the Software:

If I were using the legacy API, I would first pull all the 'Has technique object' values and then filter them by the specific software:

"[[Has technique object::+]]|?Has technique description#-ia|?Has technique object|limit=9999"

If I look at the Property:Has technique object page and look for "Winn", I get the following:

https://attack.mitre.org/w/index.php?title=Property:Has_technique_object&limit=500&offset=2000&value=&from=&until=

Then, if I click on the eye next to the name of the software, I get to the "Hast technique object" page of the specific technique associated with Software Winnti:

This was very easy to do via the legacy API with the following line in the Invoke-ATTACKAPI:

https://github.com/Cyb3rWard0g/Invoke-ATTACKAPI/blob/master/Invoke-ATTACKAPI.ps1#L1068

However, with ATT&CK STIX content via TAXII, I cannot find those specific descriptions of techniques associated with Software (malware or tool). Is there a way available to get that information?

I was looking at the relationships and I dont know which relationships might work to gather that type of information.

Thank you in advance!

Pandas 0.23.0 - json_normalize - 'STIXdatetime' object has no attribute 'nanosecond'

Good evening Team,

I hope you guys are having a good day. I have been playing with the ATT&CK STIX content for the past week and I wanted to report an issue that I am not sure if this is an issue with Pandas or the STIX library. However, I figured it would be good to share it here first just in case I am missing something and also if anyone is having an issue when using pandas 0.23.0 (Latest Version) with ATT&CK STIX content via TAXII.

I tested ATT&CK STIX content with Pandas 0.21.0 and 0.22.0 and everything was working fine. I was getting everything fine like this:

{'contributors': 'NA',
 'data sources': [u'File monitoring',
                  u'Process monitoring',
                  u'Process command-line parameters'],
 'defense bypassed': 'NA',
 'description': u'Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Data Compressed or Data Encrypted.\n\nInteractive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.\n\nDetection: Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters',
 'detectable': 'NA',
 'detectable description': 'NA',
 'difficulty': 'NA',
 'difficulty description': 'NA',
 'effective permissions': 'NA',
 'matrix': u'mitre-attack',
 'network requirements': 'NA',
 'object created': '2017-05-31T21:30:58.938Z',
 'object created by ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'object id': u'attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e',
 'object marking refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'object modified': '2018-04-18T17:59:24.739Z',
 'object type': u'attack-pattern',
 'permission required': 'NA',
 'platforms': [u'Linux', u'macOS', u'Windows'],
 'references': 'NA',
 'remote support': 'NA',
 'system requirements': 'NA',
 'tactic': [u'collection'],
 'tactic type': 'NA',
 'technique': u'Data Staged',
 'technique id': u'T1074',
 'url': u'https://attack.mitre.org/wiki/Technique/T1074'}

However, when I tested it with Pandas 0.23.0, I got the following error:

---------------------------------------------------------------------------
ValueError                                Traceback (most recent call last)
~/Library/Python/3.6/lib/python/site-packages/pandas/core/dtypes/cast.py in try_datetime(v)
    913                                         require_iso8601=True,
--> 914                                         errors='raise')
    915         except ValueError:

pandas/_libs/tslib.pyx in pandas._libs.tslib.array_to_datetime()

pandas/_libs/tslib.pyx in pandas._libs.tslib.array_to_datetime()

ValueError: Tz-aware datetime.datetime cannot be converted to datetime64 unless utc=True

During handling of the above exception, another exception occurred:

AttributeError                            Traceback (most recent call last)
<ipython-input-5-e6f5fde53c7b> in <module>()
      3 print(" ")
      4 df = all_attack['techniques']
----> 5 df = json_normalize(df)
      6 df.reindex(['matrix', 'object created','tactic', 'technique', 'technique id', 'data sources'], axis=1)[0:5]

~/Library/Python/3.6/lib/python/site-packages/pandas/io/json/normalize.py in json_normalize(data, record_path, meta, meta_prefix, record_prefix, errors, sep)
    202             #       reasonably
    203             data = nested_to_record(data, sep=sep)
--> 204         return DataFrame(data)
    205     elif not isinstance(record_path, list):
    206         record_path = [record_path]

~/Library/Python/3.6/lib/python/site-packages/pandas/core/frame.py in __init__(self, data, index, columns, dtype, copy)
    385                     if is_named_tuple(data[0]) and columns is None:
    386                         columns = data[0]._fields
--> 387                     arrays, columns = _to_arrays(data, columns, dtype=dtype)
    388                     columns = _ensure_index(columns)
    389 

~/Library/Python/3.6/lib/python/site-packages/pandas/core/frame.py in _to_arrays(data, columns, coerce_float, dtype)
   7435     elif isinstance(data[0], collections.Mapping):
   7436         return _list_of_dict_to_arrays(data, columns,
-> 7437                                        coerce_float=coerce_float, dtype=dtype)
   7438     elif isinstance(data[0], Series):
   7439         return _list_of_series_to_arrays(data, columns,

~/Library/Python/3.6/lib/python/site-packages/pandas/core/frame.py in _list_of_dict_to_arrays(data, columns, coerce_float, dtype)
   7558     content = list(lib.dicts_to_array(data, list(columns)).T)
   7559     return _convert_object_array(content, columns, dtype=dtype,
-> 7560                                  coerce_float=coerce_float)
   7561 
   7562 

~/Library/Python/3.6/lib/python/site-packages/pandas/core/frame.py in _convert_object_array(content, columns, coerce_float, dtype)
   7578         return arr
   7579 
-> 7580     arrays = [convert(arr) for arr in content]
   7581 
   7582     return arrays, columns

~/Library/Python/3.6/lib/python/site-packages/pandas/core/frame.py in <listcomp>(.0)
   7578         return arr
   7579 
-> 7580     arrays = [convert(arr) for arr in content]
   7581 
   7582     return arrays, columns

~/Library/Python/3.6/lib/python/site-packages/pandas/core/frame.py in convert(arr)
   7575         if dtype != object and dtype != np.object:
   7576             arr = lib.maybe_convert_objects(arr, try_float=coerce_float)
-> 7577             arr = maybe_cast_to_datetime(arr, dtype)
   7578         return arr
   7579 

~/Library/Python/3.6/lib/python/site-packages/pandas/core/dtypes/cast.py in maybe_cast_to_datetime(value, dtype, errors)
   1086         elif not (is_array and not (issubclass(value.dtype.type, np.integer) or
   1087                                     value.dtype == np.object_)):
-> 1088             value = maybe_infer_to_datetimelike(value)
   1089 
   1090     return value

~/Library/Python/3.6/lib/python/site-packages/pandas/core/dtypes/cast.py in maybe_infer_to_datetimelike(value, convert_dates)
    948         value = try_datetime(v)
    949     elif inferred_type == 'datetime':
--> 950         value = try_datetime(v)
    951     elif inferred_type == 'timedelta':
    952         value = try_timedelta(v)

~/Library/Python/3.6/lib/python/site-packages/pandas/core/dtypes/cast.py in try_datetime(v)
    922                 from pandas import DatetimeIndex
    923 
--> 924                 values, tz = conversion.datetime_to_datetime64(v)
    925                 return DatetimeIndex(values).tz_localize(
    926                     'UTC').tz_convert(tz=tz)

pandas/_libs/tslibs/conversion.pyx in pandas._libs.tslibs.conversion.datetime_to_datetime64()

pandas/_libs/tslibs/conversion.pyx in pandas._libs.tslibs.conversion.convert_datetime_to_tsobject()

AttributeError: 'STIXdatetime' object has no attribute 'nanosecond'

The reason why at the beginning I thought it was STIX library was due to the following error message at the end:

AttributeError: 'STIXdatetime' object has no attribute 'nanosecond'

This is a very specific error in version 0.23.0 so I checked the changes to that specific definitions in pandas:

~/Library/Python/3.6/lib/python/site-packages/pandas/core/dtypes/cast.py in try_datetime(v)
    922                 from pandas import DatetimeIndex
    923 
--> 924                 values, tz = conversion.datetime_to_datetime64(v)
    925                 return DatetimeIndex(values).tz_localize(
    926                     'UTC').tz_convert(tz=tz)

** Pandas Version 0.22.0:**
https://github.com/pandas-dev/pandas/blob/0.22.x/pandas/core/dtypes/cast.py#L879

** Pandas Version 0.23.0:**
https://github.com/pandas-dev/pandas/blob/0.23.x/pandas/core/dtypes/cast.py#L908

So they added the following in version 0.23.0:
https://github.com/pandas-dev/pandas/blob/0.23.x/pandas/core/dtypes/cast.py#L920

# we might have a sequence of the same-datetimes with tz's
            # if so coerce to a DatetimeIndex; if they are not the same,
            # then these stay as object dtype, xref GH19671
            try:
                from pandas._libs.tslibs import conversion
                from pandas import DatetimeIndex

                values, tz = conversion.datetime_to_datetime64(v)
                return DatetimeIndex(values).tz_localize(
                    'UTC').tz_convert(tz=tz)
            except (ValueError, TypeError):
                pass

I checked the STIXdateTime class arguments and I dont see nanoseconds as an option
https://github.com/oasis-open/cti-python-stix2/blob/master/stix2/utils.py#L24

I am not sure if there is anything that needs to be done on the STIX library side.

I downgraded the Python3 Pandas package to 0.22.0 and it worked fine. I didnt want to start an issue in Pandas before asking you guys if this makes sense and if it is possible that nanoseconds needs to be defined as an argument for the STIXdatetime class.

I hope you all have a great weekend! No rush at all on this one. I will keep working with Pandas 0.22.0 for now. I dont need to use pandas to collect or filter the data initially. I use it for a better representation of the results after collecting everything via STIX and TAXII libraries. Therefore, if you want to close this issue since I am using an external library, I would understand. It is just that the STIXdatetime error message caught my attention and I wasnt sure if nanosecond is an standard or anything that needs to be defined on the STIX side. If not, then this issue can be close 😄

Once again guys, great job and thank you for all your help!! I hope you all have a great weekend!!!

Attribute x_mitre_data_sources missing

Hi all,

I just noticed that the x_mitre_data_sources attribute is missing in four techniques in the enterprise-attack data. This leads to an error when trying to access this attribute in every technique: 'AttackPattern' object has no attribute 'x_mitre_data_sources'

Should every technique contain the x_mitre_data_sources attribute, or is it intentional/okay if it is missing in some?

The techniques where the attribute is missing are:

attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643
Peripheral Device Discovery
attack-pattern--6fb6408c-0db3-41d9-a3a1-a32e5f16454e
Gatekeeper Bypass
attack-pattern--451a9977-d255-43c9-b431-66de80130c8c
Port Knocking
attack-pattern--6a3be63a-64c5-4678-a036-03ff8fc35300
Re-opened Applications

kill_chain_name: mitre-attack is gone

It looks like at some time the main mitre-attack stix dissapeared. The pre-mitre-attack, mobile-mitre-attack and enterprise-mitre-attacks are there however. Are the main mitre-attack stix disappearing and being replaced by mitre-enterprise-attacks? The folder used to be called ATTACK.

New relationship "malware uses attack-pattern"

In SRO id, relationship--a71256aa-a2e3-447c-ba4e-004ba4f062b2, we see the relationship "malware uses attack-pattern".
Based on STIX2 standard on attack-pattern and malware, there is only the relationship "attack-pattern uses malware" available and not the other way around. Even though "relationships are not restricted to what is listed" in the standard, it would be good to clarify the reason in this case for introducing this new relationship "malware uses attack-pattern" instead of using the already available one in "attack-pattern uses malware".

Order of Tactics?

Hello, perhaps I'm missing something, but is there a way to extract the order of the tactics (Launch, Compromise, Persistence, etc.) from the JSON or from some sort of key file? We're using it to build an automated view of the Tactics and Techniques and would like to put them in order. Thanks!

Can ATT&CK External References get Ref-ID's?

The external reference ID's you've given to the CAPEC attack patterns external references are really nice and would be very helpful in terms of naming the external reference objects in the ATT&CK STIX. Would it be possible to add "external_id": "REF-xxxx" to the ATT&CK attack patterns that currently don't have external IDs?

Are custom properties available from TAXII as a source?

Good afternoon,

When I pull information about T1163 from TAXII Server, I don't see the custom properties:

           "x_mitre_platforms": [
                "macOS"
            ],
            "x_mitre_data_sources": [
                "File monitoring",
                "Process Monitoring"
            ],
            "x_mitre_permissions_required": [
                "root"

All I get is the following:

{
    "type": "attack-pattern",
    "id": "attack-pattern--18d4ab39-12ed-4a16-9fdb-ae311bba4a0f",
    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "created": "2017-12-14T16:46:06.044Z",
    "modified": "2018-04-18T17:59:24.739Z",
    "name": "Rc.common",
    "description": "During the boot process, macOS executes <code>source /etc/rc.common</code>, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.\n\nAdversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user (Citation: Methods of Mac Malware Persistence).\n\nDetection: The <code>/etc/rc.common</code> file can be monitored to detect changes from the company policy. Monitor process execution resulting from the rc.common script for unusual or unknown applications or behavior.\n\nPlatforms: macOS\n\nData Sources: File monitoring, Process Monitoring\n\nPermissions Required: root",
    "kill_chain_phases": [
        {
            "kill_chain_name": "mitre-attack",
            "phase_name": "persistence"
        }
    ],
    "external_references": [
        {
            "source_name": "mitre-attack",
            "url": "https://attack.mitre.org/wiki/Technique/T1163",
            "external_id": "T1163"
        },
        {
            "source_name": "Startup Items",
            "description": "Apple. (2016, September 13). Startup Items. Retrieved July 11, 2017.",
            "url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html"
        },
        {
            "source_name": "Methods of Mac Malware Persistence",
            "description": "Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.",
            "url": "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
        }
    ],
    "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
    ]
}

According to the STIX datastore documentation, the TAXIICollectionSource Class has the property "allow_custom" set to TRUE by default.

I followed the basic example provided here: https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/attck%E2%84%A2-content-available-in-stix%E2%84%A2-20-via .

I might be missing something that I cannot get those custom arguments to show up when I pull all the techniques and try to play with them.

Thank you for all your work! 😄

CWE STIX Documents?

Are there any plans on making STIX documents for CWE?

Deprecated Attack Patterns Revoked

I noticed that attack patterns that have been deprecated, for example PRE-T1146 (cti/pre-attack/attack-pattern/attack-pattern--489a7797-01c3-4706-8cd1-ec56a9db3adc.json), aren't marked as revoked?

S0310 doesn't exist in enterprise.json?

I noticed that I wasn't seeing all of the malware objects in enterprise.json that exist on the attack mitre website, such as: https://attack.mitre.org/software/S0310/
Is there an estimated time for the next update?
Thanks!

Mitigation for T1500 has an incorrect reference to technique

Hello,
I noticed that the external reference for recently added Compile After Delivery Mitigation, points to an invalid technique.

"external_id": "T1502",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1502"

Should be:

"external_id": "T1500",
"source_name": "mitre-attack",
 "url": "https://attack.mitre.org/techniques/T1500"

Reference:
https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json

Mobile-attack is missing x_mitre_platforms for malware and tools

Hello,
the x_mitre_platforms attribute has been added, for malware and tools, to enterprise but not to mobile-attack.

In particular, there are issues, with python and stix2, in using a CompositeDataSource which include both Enterprise and Mobile attacks.

For consistency, an x_mitre_platforms attribute should also be added to mobile-attack, with empty value in case there is no such information.

Can't filter STIX2 content by type

Not sure if this is an a bug in the CTI database or with the stix2 library, but I am unable to filter on type. For whatever reason every other filter I tested was working and type is not.

>>> f1 = Filter("name", "=", ".bash_profile and .bashrc")
>>> techniques = fs.query(f1)
>>> print(techniques)
[AttackPattern(type=u'attack-pattern', id=u'attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-12-14T16:46:06.044Z', modified='2018-10-17T00:14:20.652Z', name=u'.bash_profile and .bashrc', description=u"<code>~/.bash_profile</code> and <code>~/.bashrc</code> are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. <code>~/.bash_profile</code> is executed for login shells and <code>~/.bashrc</code> is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), <code>~/.bash_profile</code> is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, <code>~/.bashrc</code> is executed. This allows users more fine grained control over when they want certain commands executed.\n\nMac's Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling <code>~/.bash_profile</code> each time instead of <code>~/.bashrc</code>.\n\nThese files are meant to be written to by the local user to configure their own environment; however, adversaries can also insert code into these files to gain persistence each time a user logs in or opens a new shell  (Citation: amnesia malware).", kill_chain_phases=[KillChainPhase(kill_chain_name=u'mitre-attack', phase_name=u'persistence')], external_references=[ExternalReference(source_name=u'mitre-attack', url=u'https://attack.mitre.org/techniques/T1156', external_id=u'T1156'), ExternalReference(source_name=u'amnesia malware', description=u'Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.', url=u'https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=[u'File monitoring', u'Process Monitoring', u'Process command-line parameters', u'Process use of network'], x_mitre_detection=u'While users may customize their <code>~/.bashrc</code> and <code>~/.bash_profile</code> files , there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.', x_mitre_permissions_required=[u'User', u'Administrator'], x_mitre_platforms=[u'Linux', u'macOS'], x_mitre_version=u'1.0')]

>>> f1 = Filter("type", "=", "attack-pattern")
>>> techniques = fs.query(f1)
>>> print(techniques)
[]

I didn't alter the CTI data from the repo here, any idea how I can debug or fix this issue?

x_capec_consequences includes invalid STIX keys

Look at https://github.com/mitre/cti/blob/master/capec/attack-pattern/attack-pattern--01399797-59cd-414f-ac49-ad5527b75e5d.json. It has a custom property x_capec_consequences like this:

            "x_capec_consequences": {
                "Run Arbitrary Code": "Execute unauthorized code or commands"
            },

It's strange that I can't find these strings in neither of https://capec.mitre.org/data/definitions/86.html,
http://cwe.mitre.org/data/definitions/80.html

Or see attack-pattern--04deaae2-bcbd-46a5-9610-00591a72184e

      "x_capec_consequences": {
        "Attackers can disrupt or deny mobile technology communications and operations.": "DoS: resource consumption (other)",
        "Attackers can inject false data into data or signaling system data flows of communications and operations, or re-route data flows or signaling data for the purpose of further data intercept and capture.": "Modify application data"
      },

STIX does not allow keys to be random strings with spaces (and this prevents conversion to JSONLD). So you should format it eg something like this:

      "x_capec_consequences": [
        {
          "name": "DoS: resource consumption (other)",
          "description": "Attackers can disrupt or deny mobile technology communications and operations."
        },
        {
          "name": "Modify application data",
          "description": "Attackers can inject false data into data or signaling system data flows of communications and operations, or re-route data flows or signaling data for the purpose of further data intercept and capture."
        }
      },

Or if these don't vary with the CAPEC attack, maybe define this as a kill_chain and move the name/description to reference data.

Public issue tracking?

I think it would be helpful to use a Github issue tracker (like this one) to track requested changes, questions, submission, issues with the ATT&CK framework.

Some mitigation url are broken

Hi,
There some course-of-action(mitigation) that has an incorrect reference link.
for example:
https://attack.mitre.org/mitigations/T1012

And there are some more.

Quick questions about Json

Hey ATT&CK,

I have a few quick questions.
I am rebuiding a set of powershell cmdlets to explore the awesome data you got there...
Started looking at STIX and TAXII and that python library...
then I saw you had it all exported in json right here.
Perfect for what I have in mind (and less work).

Anyways, was wondering how often this json data will be generated/updated?

Also, looking at attack-pattern/course-of-action can't seem to find the 'detection' info as avail on wiki.
Was wondering if it would be possible to add this (quite valuable piece of info),
maybe as an x_mitre property in the course-of-action objects.

Thanks anyways for awesome stuff.

Request to enhance the JSON "name" formatting

Hi there, our tool is ingesting and storing ATT&CK enterprise-attack.json along with the Unit42 Adversary Playbook campaign STIX reports. You have previously synchronized the "id" field of Attack Patterns (so helpful!) but what is happening now is that Unit42 names their Attack Patterns like "name": "T1060: Registry Run Keys / Startup Folder" where in ATT&CK that would be "name": "Registry Run Keys / Startup Folder". Since we are use a linked-node graph to link everything together, I end up with two "name" fields which makes it difficult in the UI to display the name.

In my user testing, people almost always prefer the version that has both the number and the name in it, as we quickly get used to the numbers and it helps when sorting lists, too. I'm requesting that the name field be modified to use the "technique-number colon space technique name" format that Unit42 uses in ATT&CK.

Thank you!

Mitigation for T1033 has an incorrect reference to technique

Analyzing an enterprise object, I noticed a mistake on "external_references" node in this JSON file.

...
{
  "external_id": "T1482",
  "source_name": "mitre-attack",
  "url": "https://attack.mitre.org/techniques/T1482"
}
...
"name": "System Owner/User Discovery Mitigation",
...

Reading mitigation text on attack.mitre.org for T1482 Domain Trust Discovery and T1033 System Owner/User Discovery, I suppose that should be:

{
  "external_id": "T1033",
  "source_name": "mitre-attack",
  "url": "https://attack.mitre.org/techniques/T1033"
}

The STIX 2.0 spec does not show "modified" as a property for Sightings, but the example does.

http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714343
see Section 3.2

APT28 had different intrusion ID's for mobile vs old attack

In the mobile attack, the intrusion set is intrusion-set--97685862-7ea4-40e8-a420-6bffc2292c1e for APT28. However, the original ATTACK has a different intrusion set ID.

If they are both APT 28, then they should be the exact same data.

Use of x_ properties and non x_ properties ?

Looking at the following:

https://github.com/mitre/cti/blob/master/enterprise-attack/x-mitre-tactic/x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263.json#L23

What is the history of having a custom object but still carry in x_ properties? There seems to be mix of the usage between having x_ props and non-x_ props for a custom object. So looking to get the logic so I can map https://github.com/StephenOTT/STIX-Java to support the parsing of the att&ck patterns.

thanks

Multiple Source Names for the Same Thing (Mobile Attack)

I'm parsing the JSON files of the attack, pre-attack, and mobile-attack data and part of my parsing I'm extracting the external_id from the external_references field.

While I'm only interested in the IDs from you guys, so I have hard coded the source name that I am interested in, and in the case of mobile attack I noticed that there are two source names for MITRE, both mitre-mobile-attack and mitre-attack-mobile.

So to get everything, I'm checking for both of those, is there a difference between the two?

ATT&CK API

I'm trying to use the ATT&CK API and pull all information related to each group, pretty much pull this info: https://attack.mitre.org/wiki/Special:Browse/:Group-2FG0006 down through the API. Using a query like this: [[Category:Group]]|?Has technique|?Has description|?Has ID|?Has alias|limit=9999 it pulls down most of the info but when trying to add either |?Uses software, |?Has software, |?Has software object. I feel like I'm missing some syntax somewhere.

Identities and Markings across datasets

Would it make sense to use a single Identity and MarkingDefinition across the four datasets since the have the same information? Currently we have:

CAPEC
- identity--31f421d4-bb36-4dbf-9dfc-c116a91de14b
- marking-definition--b345b2a9-b539-4d88-8a9a-1ebcc9f77507
Enterprise ATT&CK, Mobile ATT&CK, Pre ATT&CK
- identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168

simplejson.errors.JSONDecodeError: Unterminated string

Good afternoon Team,

I was testing the libraries again, and they have been working fine, but around 30 mins ago I started to get the following message at the Query method from the TAXIICollectionSource class:

>>> from stix2 import TAXIICollectionSource, Filter
>>> from taxii2client import Server, Collection
>>> 
>>> enterprise_stix_objects = {}
>>> collection = Collection("https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/")
>>> tc_source = TAXIICollectionSource(collection , allow_custom=True)
>>> 
>>> enterprise_stix_objects['techniques'] = tc_source.query(Filter("type", "=", "attack-pattern"))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Library/Python/2.7/site-packages/stix2/datastore/taxii.py", line 229, in query
    all_data = self.collection.get_objects(**taxii_filters_dict)["objects"]
  File "/Library/Python/2.7/site-packages/taxii2client/__init__.py", line 442, in get_objects
    params=query_params)
  File "/Library/Python/2.7/site-packages/taxii2client/__init__.py", line 816, in get
    return resp.json()
  File "/Library/Python/2.7/site-packages/requests/models.py", line 892, in json
    return complexjson.loads(self.text, **kwargs)
  File "/Library/Python/2.7/site-packages/simplejson/__init__.py", line 517, in loads
    return _default_decoder.decode(s)
  File "/Library/Python/2.7/site-packages/simplejson/decoder.py", line 370, in decode
    obj, end = self.raw_decode(s)
  File "/Library/Python/2.7/site-packages/simplejson/decoder.py", line 400, in raw_decode
    return self.scan_once(s, idx=_w(s, idx).end())
  File "/Library/Python/2.7/site-packages/simplejson/scanner.py", line 79, in scan_once
    return _scan_once(string, idx)
  File "/Library/Python/2.7/site-packages/simplejson/scanner.py", line 45, in _scan_once
    _scan_once, object_hook, object_pairs_hook, memo)
  File "/Library/Python/2.7/site-packages/simplejson/decoder.py", line 194, in JSONObject
    value, end = scan_once(s, end)
  File "/Library/Python/2.7/site-packages/simplejson/scanner.py", line 47, in _scan_once
    return parse_array((string, idx + 1), _scan_once)
  File "/Library/Python/2.7/site-packages/simplejson/decoder.py", line 250, in JSONArray
    value, end = scan_once(s, end)
  File "/Library/Python/2.7/site-packages/simplejson/scanner.py", line 45, in _scan_once
    _scan_once, object_hook, object_pairs_hook, memo)
  File "/Library/Python/2.7/site-packages/simplejson/decoder.py", line 194, in JSONObject
    value, end = scan_once(s, end)
  File "/Library/Python/2.7/site-packages/simplejson/scanner.py", line 42, in _scan_once
    return parse_string(string, idx + 1, encoding, strict)
  File "/Library/Python/2.7/site-packages/simplejson/decoder.py", line 69, in py_scanstring
    "Unterminated string starting at", s, begin)
simplejson.errors.JSONDecodeError: Unterminated string starting at: line 1 column 64600 (char 64599)
>>>

I wonder if anything changed ??

CAPEC STIX Documents are all Separate Documents

Are there plans on merging the CAPEC STIX documents in a way similar to the ATT&CK STIX?

[Question] Is there a way to query data source without dowloading it?

From here I understand that in order to query MITRE matrix I need to download enterprise-attack data source (for instance). But how can I query the matrix without downloading anything?