Using Mike's ATT&CK Parser
I spent weeks writing this script to save me minutes ;)
Hey folks!
I tend to use MITRE ATT&CK and the associated tools a ton to help customers and colleagues understand our adversaries. A big part of that is reading and digesting research blogs, threat notices, and public post mortems on how a campaign was waged or how an activity group behaves. If we’re lucky, they use ATT&CK to help enrich that report! Sure, ATT&CK itself has a ton of groups, campaigns, and software already mapped, but there are many more out on the internet that we might need to incorporate. In prior years, I parsed those sources by hand to roll my own Navigator layers.
Well, I built this simple Python script with some troubleshooting help from my good buddy Claude to save me a ton of time in parsing blogs, threat reports, and other research that have ATT&CK tactics and techniques/sub-techniques embedded in them. Doing this lets me build pre-scored Navigator JSONs that I can rapidly deploy for gap analysis efforts in seconds, vs. the sometimes hour-long efforts for larger, more complex activity groups. It isn’t pretty, but wow does it make this process a whole lot easier!
Here it is: https://github.com/mjmcphee/attack_parser
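To show the core idea behind a parser like this, here is an added example (my own illustration, not code from the attack_parser repository): it pulls technique and sub-technique IDs out of a constructed snippet of report text, counts mentions, and emits a pre-scored Navigator layer. The Navigator/ATT&CK version strings are assumptions; set them to whatever release you load the layer into.

```python
import json
import re
from collections import Counter

# Constructed sample of report text with ATT&CK IDs embedded (not a real report).
SAMPLE_REPORT = """
The actor gained initial access via spearphishing attachments (T1566.001) and
executed a PowerShell loader (T1059.001). Persistence was achieved with a
scheduled task (T1053.005); T1059.001 was observed again during lateral movement.
Credential dumping (T1003) preceded exfiltration over the C2 channel (T1041).
"""

# Matches Txxxx and Txxxx.yyy. The lookbehind rejects things like "AT1059", and the
# lookahead rejects "T10590" or "T1059.0011" while still allowing a sentence-ending period.
TECHNIQUE_RE = re.compile(r"(?<![A-Z0-9])T\d{4}(?:\.\d{3})?(?!\.?\d)")


def extract_technique_counts(text: str) -> dict[str, int]:
    """Return {technique_id: number of mentions} for every ATT&CK ID found in text."""
    return dict(Counter(TECHNIQUE_RE.findall(text)))


def build_navigator_layer(counts: dict[str, int], name: str, description: str = "") -> dict:
    """Build an ATT&CK Navigator layer dict, scoring each technique by mention count.

    The version numbers below are assumptions; adjust them to your Navigator release.
    """
    max_score = max(counts.values(), default=1)
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": description,
        "techniques": [
            {"techniqueID": tid, "score": score, "comment": f"mentioned {score}x in source"}
            for tid, score in sorted(counts.items())
        ],
        # Heavier-cited techniques render darker, which is what drives the gap-analysis view.
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": max_score},
    }


if __name__ == "__main__":
    layer = build_navigator_layer(extract_technique_counts(SAMPLE_REPORT), "Sample report layer")
    print(json.dumps(layer, indent=2))  # paste the output into Navigator's "Open Existing Layer"
```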
And if you want to see how it works, check out this short video on YouTube:
I hope you find this useful, and please let me know what you think of the tool! And by all means: star it, fork it, and use it!