2 releases (1 stable)
Uses new Rust 2024

| Version | Date |
|---|---|
| 1.0.0 | Feb 3, 2026 |
| 0.1.0 | Feb 3, 2026 |
attack-data
CLI tool to query MITRE ATT&CK data.
Features
- Query Techniques, Groups, Malware, Tools, Tactics, Campaigns, and more by ID
- Search across all ATT&CK data by keyword
- Supports both ATT&CK IDs (T1055) and STIX IDs (attack-pattern--uuid)
- All data embedded in binary (no external files needed at runtime)
- Auto-downloads ATT&CK database on first build
Build

```sh
cargo build --release
```

On first build, attack.json is automatically downloaded from the MITRE CTI repository. The following file is downloaded: https://github.com/mitre/cti/blob/master/enterprise-attack/enterprise-attack.json

That file is split and embedded inside the executable, so the app needs no internet access at run time; the download happens only during the build.
Usage

```sh
# Get technique by ID
attack-data get T1055

# Get sub-technique
attack-data get T1055.011

# Get group
attack-data get G0119

# Get tool/malware
attack-data get S0039

# Get tactic
attack-data get TA0006

# Get campaign
attack-data get C0027

# Get by STIX ID (technique)
attack-data get attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d

# Get by STIX ID (group)
attack-data get intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07
```

Output is JSON:

```json
{
  "type": "attack-pattern",
  "id": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
  "name": "Process Injection",
  "description": "Adversaries may inject code into processes...",
  ...
}
```
Search

Search across all ATT&CK data by keyword (case-insensitive):

```sh
# Search for "injection"
attack-data search injection

# Limit to top 5 results (sorted by match count)
attack-data search injection --limit 5

# Limit matching lines shown per result (default: 10)
attack-data search injection -L 3
```

Example output:

```text
T1055 - Process Injection (24 matches)
  12: "name": "Process ▐Injection▌",
  45: ... may ▐inject▌ code into processes ...
  45: ... DLL ▐injection▌ is commonly performed ...
  ... and 21 more

G0096 - APT41 (18 matches)
  34: ... known to ▐inject▌ malicious code ...

Found 42 matches in 4498 files (showing top 2)
```

Options:

| Flag | Description |
|---|---|
| -l, --limit <N> | Max number of IDs to return |
| -L, --line-limit <N> | Max matching lines per ID (default: 10) |
Output behavior:
- Results sorted by match count (most matches first)
- Short lines (≤100 chars) shown in full with highlighted matches
- Long lines (>100 chars) show 5 words before/after each match
- Multiple matches in one line shown as separate entries (same line number)
Supported ID Types
ATT&CK IDs
| Prefix | Type | Example |
|---|---|---|
| T | Technique | T1055 |
| T.nnn | Sub-technique | T1055.011 |
| G | Group | G0119 |
| S | Malware/Tool | S0039 |
| TA | Tactic | TA0006 |
| C | Campaign | C0027 |
| AN | Analytic | AN0110 |
| DS | Data Source | DS0014 |
| DC | Data Component | DC0084 |
| DET | Detection Strategy | DET0237 |
STIX IDs
STIX IDs follow the format type--uuid:
| Type | Example |
|---|---|
| attack-pattern | attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d |
| intrusion-set | intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07 |
| malware | malware--a7881f21-e978-4fe4-af56-92c9416a2616 |
| tool | tool--03342581-f790-4f03-ba41-e82e67392e23 |
| campaign | campaign--df74f7ad-b10d-431c-9f1d-a2bc18dadefa |
| course-of-action | course-of-action--00d7d21b-69d6-4797-88a2-c86f3fc97651 |
| x-mitre-tactic | x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263 |
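The two lookups the tool offers (get by ATT&CK ID or STIX ID, and keyword search ranked by match count) can be sketched against the STIX bundle layout of enterprise-attack.json. This is an added Python example, not the crate's own code: it assumes that an ATT&CK ID is carried in an object's `external_references` entry with `source_name` `mitre-attack`, that the STIX ID is the object's `id`, and it runs over a constructed three-object miniature bundle (all UUIDs other than the Process Injection one shown above, the `G0096` mapping and the revoked `T9999` entry are constructed sample data).

```python
import json
import re

# Constructed miniature of the STIX bundle layout of enterprise-attack.json (sample data only).
# An ATT&CK ID lives in external_references under source_name "mitre-attack"; the STIX ID is "id".
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
     "name": "Process Injection", "description": "Adversaries may inject code into processes. DLL injection is common.",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1055"}]},
    {"type": "intrusion-set", "id": "intrusion-set--22222222-2222-4222-8222-222222222222",
     "name": "APT41", "description": "Known to inject malicious code.",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0096"}]},
    # Revoked objects keep their ATT&CK ID, so a resolver has to decide whether to surface them.
    {"type": "attack-pattern", "id": "attack-pattern--33333333-3333-4333-8333-333333333333",
     "name": "Old Technique", "description": "Superseded.", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
]})

ATTACK_ID = re.compile(r"^[A-Z]{1,3}\d{4}(?:\.\d{3})?$")  # T1055, T1055.011, G0096, TA0006, DET0237
STIX_ID = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f-]{36}$")  # type--uuid

def attack_id_of(obj):
    """ATT&CK ID from the object's mitre-attack external reference, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def lookup(bundle_json, ident, include_revoked=False):
    """Resolve an ATT&CK ID or STIX ID to its object; revoked/deprecated entries are hidden by default."""
    if STIX_ID.match(ident):
        key = lambda o: o.get("id")
    elif ATTACK_ID.match(ident):
        key = attack_id_of
    else:
        raise ValueError(f"unrecognised identifier: {ident!r}")
    for obj in json.loads(bundle_json)["objects"]:
        hidden = obj.get("revoked") or obj.get("x_mitre_deprecated")
        if key(obj) == ident and (include_revoked or not hidden):
            return obj
    return None

def search(bundle_json, keyword):
    """Case-insensitive keyword search over each serialised object, ranked by match count."""
    pat = re.compile(re.escape(keyword), re.IGNORECASE)
    hits = [(attack_id_of(o), o.get("name"), len(pat.findall(json.dumps(o))))
            for o in json.loads(bundle_json)["objects"]]
    return sorted([h for h in hits if h[2]], key=lambda h: h[2], reverse=True)
```

Against the real bundle the same functions apply unchanged; only `SAMPLE_BUNDLE` would be replaced by the file contents.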
Data Source
ATT&CK data from MITRE ATT&CK via the MITRE CTI repository.
License
The code in this project is licensed under the MIT or Apache 2.0 license.
All contributions, code and documentation, to this project will be similarly licensed.
ATT&CK data is provided by MITRE. See ATT&CK Terms of Use.