import os
from stix2 import MemoryStore
from stix2 import Filter
from pprint import pprint
def get_attack_version(domain, version):
    """Load the ATT&CK STIX bundle for one domain and release into a MemoryStore.

    Args:
        domain: ATT&CK domain name, e.g. "enterprise-attack". It is used both
            as the directory name and as the file-name prefix of the bundle.
        version: ATT&CK release string, e.g. "12.1".

    Returns:
        A stix2 ``MemoryStore`` populated from the local file
        ``<domain>/<domain>-<version>.json``. Any error raised by
        ``load_from_file`` (e.g. a missing file) propagates to the caller.
    """
    bundle_path = os.path.join(domain, f"{domain}-{version}.json")
    store = MemoryStore()
    store.load_from_file(bundle_path)
    return store
def remove_revoked_deprecated(stix_objects):
    """Drop every object that is marked revoked or deprecated.

    An object is kept only when both ``x_mitre_deprecated`` and ``revoked``
    are absent or exactly ``False``. The identity test (``is False``) is
    deliberate: any other value, including ``None``, removes the object.

    Args:
        stix_objects: an iterable of STIX objects (or plain dicts) that
            support ``.get``.

    Returns:
        A new list holding the surviving objects in their original order.
    """

    def _is_live(obj):
        # Both markers must be literally False (or missing, which defaults
        # to False) for the object to survive the filter.
        deprecated = obj.get("x_mitre_deprecated", False)
        revoked = obj.get("revoked", False)
        return deprecated is False and revoked is False

    return [obj for obj in stix_objects if _is_live(obj)]
def get_all_groups(dataset):
    """Return every intrusion-set (ATT&CK group) object in *dataset*.

    Args:
        dataset: a stix2 data source exposing ``query``, such as the
            ``MemoryStore`` built by ``get_attack_version``.

    Returns:
        The objects whose STIX ``type`` equals ``intrusion-set``. Revoked and
        deprecated entries are still included; filter them separately with
        ``remove_revoked_deprecated``.
    """
    group_filter = Filter("type", "=", "intrusion-set")
    return dataset.query([group_filter])
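# Run the lookup only when executed as a script, so importing this module for
# its helper functions neither reads the bundle from disk nor prints the
# whole group list as a side effect.
if __name__ == "__main__":
    # Define the dataset: the bundle is read from the local path
    # enterprise-attack/enterprise-attack-12.1.json; change the version
    # string to query a different ATT&CK release.
    dataset = get_attack_version("enterprise-attack", "12.1")
    # Retrieve all groups as STIX objects, dropping revoked/deprecated entries
    groups_stix_objects = remove_revoked_deprecated(get_all_groups(dataset))
    # Display the result
    pprint(groups_stix_objects)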
'''
Sample output:
[IntrusionSet(type='intrusion-set', id='intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-05-31T21:32:03.807Z', modified='2022-08-23T15:30:44.196Z', name='Lazarus Group', description='[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). 
', aliases=['Lazarus Group', 'Labyrinth Chollima', 'HIDDEN COBRA', 'Guardians of Peace', 'ZINC', 'NICKEL ACADEMY'], revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/groups/G0032', external_id='G0032'), ExternalReference(source_name='Labyrinth Chollima', description='(Citation: CrowdStrike Labyrinth Chollima Feb 2022)'), ExternalReference(source_name='ZINC', description='(Citation: Microsoft ZINC disruption Dec 2017)'), ExternalReference(source_name='Lazarus Group', description='(Citation: Novetta Blockbuster)'), ExternalReference(source_name='NICKEL ACADEMY', description='(Citation: Secureworks NICKEL ACADEMY Dec 2017)'), ExternalReference(source_name='Guardians of Peace', description='(Citation: US-CERT HIDDEN COBRA June 2017)'), ExternalReference(source_name='CrowdStrike Labyrinth Chollima Feb 2022', description='CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.', url='https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/'), ExternalReference(source_name='Novetta Blockbuster', description='Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.', url='https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf'), ExternalReference(source_name='Secureworks NICKEL ACADEMY Dec 2017', description='Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.', url='https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing'), ExternalReference(source_name='Microsoft ZINC disruption Dec 2017', description='Smith, B. (2017, December 19). 
Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.', url='https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/'), ExternalReference(source_name='HIDDEN COBRA', description='The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)'), ExternalReference(source_name='Treasury North Korean Cyber Groups September 2019', description='US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.', url='https://home.treasury.gov/news/press-releases/sm774'), ExternalReference(source_name='US-CERT HIDDEN COBRA June 2017', description='US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.', url='https://www.us-cert.gov/ncas/alerts/TA17-164A'), ExternalReference(source_name='US-CERT HOPLIGHT Apr 2019', description='US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.', url='https://www.us-cert.gov/ncas/analysis-reports/AR19-100A')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_attack_spec_version='2.1.0', x_mitre_contributors=['Kyaw Pyiyt Htet, @KyawPyiytHtet', 'Dragos Threat Intelligence'], x_mitre_deprecated=False, x_mitre_domains=['enterprise-attack', 'ics-attack'], x_mitre_modified_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', x_mitre_version='3.1'),
IntrusionSet(type='intrusion-set', id='intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2018-04-18T17:59:24.739Z', modified='2022-10-17T12:43:55.847Z', name='MuddyWater', description="[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)", aliases=['MuddyWater', 'Earth Vetala', 'MERCURY', 'Static Kitten', 'Seedworm', 'TEMP.Zagros'], revoked=False, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/groups/G0069', external_id='G0069'), ExternalReference(source_name='MERCURY', description='(Citation: Anomali Static Kitten February 2021)'), ExternalReference(source_name='Static Kitten', description='(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)'), ExternalReference(source_name='TEMP.Zagros', description='(Citation: FireEye MuddyWater Mar 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)'), ExternalReference(source_name='Seedworm', description='(Citation: Symantec MuddyWater Dec 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)'), 
ExternalReference(source_name='Earth Vetala', description='(Citation: Trend Micro Muddy Water March 2021)'), ExternalReference(source_name='MuddyWater', description='(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)'), ExternalReference(source_name='ClearSky MuddyWater Nov 2018', description='ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.', url='https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf'), ExternalReference(source_name='ClearSky MuddyWater June 2019', description='ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.', url='https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf'), ExternalReference(source_name='CYBERCOM Iranian Intel Cyber January 2022', description='Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.', url='https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/'), ExternalReference(source_name='DHS CISA AA22-055A MuddyWater February 2022', description='FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.', url='https://www.cisa.gov/uscert/ncas/alerts/aa22-055a'), ExternalReference(source_name='Unit 42 MuddyWater Nov 2017', description='Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. 
Retrieved March 15, 2018.', url='https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/'), ExternalReference(source_name='Talos MuddyWater Jan 2022', description='Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.', url='https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html'), ExternalReference(source_name='Anomali Static Kitten February 2021', description='Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.', url='https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies'), ExternalReference(source_name='Trend Micro Muddy Water March 2021', description='Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.', url='https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html'), ExternalReference(source_name='Reaqta MuddyWater November 2017', description='Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.', url='https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/'), ExternalReference(source_name='FireEye MuddyWater Mar 2018', description='Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.', url='https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html'), ExternalReference(source_name='Symantec MuddyWater Dec 2018', description='Symantec DeepSight Adversary Intelligence Team. 
(2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.', url='https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_attack_spec_version='2.1.0', x_mitre_contributors=['Ozer Sarilar, @ozersarilar, STM', 'Daniyal Naeem, BT Security'], x_mitre_deprecated=False, x_mitre_domains=['enterprise-attack'], x_mitre_modified_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', x_mitre_version='4.0'),
...
]
'''