The attack_layer_builder is a Python script specifically designed to augment the capabilities of threat intelligence analysts working within the MITRE ATT&CK framework. Its primary function is to facilitate the creation of "layer" files for the MITRE ATT&CK Navigator, a critical tool for visualizing and analyzing cyber threats.
The script accepts technique IDs in two convenient ways: imported from a CSV file or entered manually by the user. This flexibility allows analysts to work with data in the format most accessible to them. Once the technique IDs are entered, users can assign custom scores to each, reflecting their significance or impact in the specific context of their analysis.
Ultimately, attack_layer_builder serves as a bridge between raw threat data and the visual, interactive platform of the ATT&CK Navigator. By streamlining this process, the script not only saves valuable time but also enhances the overall efficacy and clarity of threat intelligence assessments.
This script supports version 14 (default) of the MITRE ATT&CK framework, with an option to select earlier versions between 4 and 14. Users can input their desired version when prompted. Remember that only layers of the same domain and version can be merged if you plan to use the "Create Layer from Other Layers" option in Navigator.
## Features

- Generate ATT&CK Navigator layer JSON files using technique IDs from a CSV file or manual input.
- CSV scanning: Automatically identifies and imports valid MITRE ATT&CK technique IDs from any part of the CSV file, offering greater flexibility and convenience.
- Assign custom scores to each technique, reflecting their relevance or impact.
- User-friendly command-line interface, enhanced with Tkinter GUI for file operations.
- Technique ID validation ensures input conforms to the MITRE ATT&CK format.
- Error handling for CSV and JSON file operations.
- Logging of key actions and errors for better tracking and debugging.
- Default version setting for the ATT&CK Navigator, enhancing usability.
## Requirements

- Python 3.x
- Tkinter library (usually included with Python)
## Installation

Clone the repository to your local machine using the following command:

```shell
git clone https://github.com/markmackensen/attack_layer_builder.git
```

Navigate to the script directory:

```shell
cd attack_layer_builder
```

Run the script using Python:

```shell
python attack_layer_builder.py
```
Follow the prompts to input technique IDs and a score. The script automatically scans entire CSV files for valid technique IDs, eliminating the need for prior formatting. It also supports manual input of technique IDs. After generating the JSON output, a file dialog allows you to save the result as a .json file, ready for upload to the ATT&CK Navigator.
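The workflow described above (scan a CSV for technique IDs, validate the ATT&CK version, attach a score, emit a Navigator layer) as an added, stand-alone Python example; it is not the project's own code. The technique-ID regex, the `navigator`/`layer` version strings and the sample CSV are assumptions made for this illustration.

```python
import csv
import io
import json
import re

# Assumed pattern for ATT&CK technique IDs: T1059 or sub-technique T1059.001.
# Word boundaries stop malformed IDs such as T99999 from matching.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def scan_csv_for_techniques(csv_text: str) -> list[str]:
    """Return unique technique IDs found in any cell of the CSV, in first-seen order."""
    seen: dict[str, None] = {}
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            for match in TECHNIQUE_RE.findall(cell):
                seen.setdefault(match, None)
    return list(seen)


def validate_version(version: str, lowest: int = 4, highest: int = 14) -> int:
    """Accept only the ATT&CK versions the README says the tool supports (4 to 14)."""
    if not version.isdigit() or not lowest <= int(version) <= highest:
        raise ValueError(f"ATT&CK version must be an integer between {lowest} and {highest}")
    return int(version)


def build_layer(technique_ids: list[str], score: int, attack_version: int = 14,
                name: str = "attack_layer_builder layer") -> dict:
    """Build a Navigator layer dict: every technique gets the same user-chosen score.
    'navigator' and 'layer' format versions are assumed values for ATT&CK v14."""
    return {
        "name": name,
        "versions": {"attack": str(attack_version), "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Generated from technique IDs found in a CSV export",
        "techniques": [{"techniqueID": tid, "score": score} for tid in technique_ids],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 100},
    }


# Constructed sample CSV: IDs sit in different columns, inside free text, and one is malformed.
SAMPLE_CSV = """alert,notes,mapping
PowerShell spawned from Word,"see T1059.001 and T1566.001",T1204.002
Scheduled task created,T1053.005,duplicate T1059.001
Unmapped event,no technique here,T99999
"""

if __name__ == "__main__":
    ids = scan_csv_for_techniques(SAMPLE_CSV)
    layer = build_layer(ids, score=75, attack_version=validate_version("14"))
    print(json.dumps(layer, indent=2))  # paste-ready for the Navigator "Open Existing Layer" upload
```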
This section illustrates the process of selecting a CSV file, from the initial prompt to saving the generated JSON file.
Figure 1: The initial prompt asking for the version of MITRE ATT&CK Navigator.
Figure 2: Prompt to choose between CSV file upload or manual technique ID input.
Figure 3: Dialog window for selecting a CSV file.
Figure 4: Prompt for entering a score after selecting a CSV file.
Figure 5: "Save As" dialog window for saving the generated JSON file.
Figure 6: Confirmation message displaying successful save and prompt to exit.
This section shows the process when manually entering technique IDs and assigning a score.
Figure 7: Manual entry of technique IDs.
Figure 8: Prompt for entering a score for manually entered technique IDs.
This section highlights examples of error messages for invalid inputs.
Figure 9: Error message displayed for invalid technique IDs.
Figure 10: Error message displayed for invalid MITRE ATT&CK Navigator version input.
Figure 11: Error message displayed for invalid score input.
Contributions are welcome! Before creating a pull request or issue, please check for existing issues or enhancement requests. If you have a suggestion that would make this better, please fork the repo and create a pull request, or open a new issue with the appropriate tag. Don't forget to give the project a star! Thanks again!
This project is licensed under the MIT License - see the LICENSE file for details.
Thanks to the MITRE Corporation for the ATT&CK framework. This project is not affiliated with or endorsed by MITRE.
For any queries or issues, please open an issue on the GitHub repository issue tracker.
I'm always open to interesting conversations and opportunities. Let's connect!