Installing the command-line executable

Assuming you have Rust/Cargo installed, run this command in a terminal:

cargo install attack-data

It will make the attack-data command available in your PATH if you've allowed the PATH to be modified when installing Rust. cargo uninstall attack-data uninstalls.

Back to the crate overview.

Readme

attack-data

CLI tool to query MITRE ATT&CK data.

Features

Query Techniques, Groups, Malware, Tools, Tactics, Campaigns, and more by ID
Search across all ATT&CK data by keyword
Supports both ATT&CK IDs (T1055) and STIX IDs (attack-pattern--uuid)
All data embedded in binary (no external files needed at runtime)
Auto-downloads ATT&CK database on first build

Build

cargo build --release

On first build, attack.json is automatically downloaded from the MITRE CTI repository. Following file is downloaded: https://github.com/mitre/cti/blob/master/enterprise-attack/enterprise-attack.json

That file is split and embedded inside the executable. So no internet access is used while using the app, only during build.

Usage

# Get technique by ID
attack-data get T1055

# Get sub-technique
attack-data get T1055.011

# Get group
attack-data get G0119

# Get tool/malware
attack-data get S0039

# Get tactic
attack-data get TA0006

# Get campaign
attack-data get C0027

# Get by STIX ID (technique)
attack-data get attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d

# Get by STIX ID (group)
attack-data get intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07

Output is JSON:

{
  "type": "attack-pattern",
  "id": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
  "name": "Process Injection",
  "description": "Adversaries may inject code into processes...",
  ...
}

Search

Search across all ATT&CK data by keyword (case-insensitive):

# Search for "injection"
attack-data search injection

# Limit to top 5 results (sorted by match count)
attack-data search injection --limit 5

# Limit matching lines shown per result (default: 10)
attack-data search injection -L 3

Example output:

T1055 - Process Injection (24 matches)
  12: "name": "Process ▐Injection▌",
  45: ... may ▐inject▌ code into processes ...
  45: ... DLL ▐injection▌ is commonly performed ...
  ... and 21 more

G0096 - APT41 (18 matches)
  34: ... known to ▐inject▌ malicious code ...

Found 42 matches in 4498 files (showing top 2)

Options:

Flag	Description
`-l, --limit <N>`	Max number of IDs to return
`-L, --line-limit <N>`	Max matching lines per ID (default: 10)

Output behavior:

Results sorted by match count (most matches first)
Short lines (≤100 chars) shown in full with highlighted matches
Long lines (>100 chars) show 5 words before/after each match
Multiple matches in one line shown as separate entries (same line number)

Supported ID Types

ATT&CK IDs

Prefix	Type	Example
T	Technique	T1055
T.nnn	Sub-technique	T1055.011
G	Group	G0119
S	Malware/Tool	S0039
TA	Tactic	TA0006
C	Campaign	C0027
AN	Analytic	AN0110
DS	Data Source	DS0014
DC	Data Component	DC0084
DET	Detection Strategy	DET0237

STIX IDs

STIX IDs follow the format type--uuid:

Type	Example
attack-pattern	`attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d`
intrusion-set	`intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07`
malware	`malware--a7881f21-e978-4fe4-af56-92c9416a2616`
tool	`tool--03342581-f790-4f03-ba41-e82e67392e23`
campaign	`campaign--df74f7ad-b10d-431c-9f1d-a2bc18dadefa`
course-of-action	`course-of-action--00d7d21b-69d6-4797-88a2-c86f3fc97651`
x-mitre-tactic	`x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263`

Data Source

ATT&CK data from MITRE ATT&CK via the MITRE CTI repository.

License

The code in this project is licensed under the MIT or Apache 2.0 license.

All contributions, code and documentation, to this project will be similarly licensed.

ATT&CK data is provided by MITRE. See ATT&CK Terms of Use.