mitre-attack-mcp

Overview

The mitre-attack-mcp server provides comprehensive access to the MITRE ATT&CK knowledge base through a well-structured set of API tools. It offers functionality for querying malware, threat actors, and techniques, as well as tools for comparing techniques used by different entities. The server can automatically generate visual ATT&CK Navigator layers, which is particularly useful for threat analysis and visualizing adversary tactics.

Try asking AI

After installing, here are 4 things you can ask your AI assistant:

• query_attack_data

  Query detailed information about MITRE ATT&CK tactics, techniques, or malware

  Try:Tell me about the technique T1059.001Try:What malware is associated with APT29?Try:Describe the 'Initial Access' tactics
• get_threat_actor_info

  Retrieve information about specific threat actors in the MITRE ATT&CK database

  Try:Show me information about Lazarus GroupTry:What techniques does APT28 commonly use?Try:List all known threat actors
• analyze_technique_overlap

  Compare techniques used by different threat actors or malware families

  Try:Which techniques do both APT29 and APT28 have in common?Try:Show me overlapping techniques between Conficker and WannaCryTry:Compare the technique sets of two different threat actors
• generate_attack_navigator_layer

  Create an ATT&CK Navigator layer visualization for threat actors or malware

  Try:Generate a Navigator layer for APT29's techniquesTry:Create a layer showing all techniques used by Conti ransomwareTry:Build a visualization of MITRE ATT&CK techniques for threat actor analysis
• get_malware_info

  Retrieve detailed information about specific malware in the MITRE ATT&CK database

  Try:Tell me about WannaCry malwareTry:What techniques are associated with Emotet?Try:Show all malware families in the database
• find_campaign_overlaps

  Identify campaign overlaps between different threat actors or malware families

  Try:Show me campaign overlaps between APT29 and APT28Try:Identify common campaigns between different ransomware gangsTry:Find overlapping attack campaigns involving both state-sponsored and criminal threat actors
• get_technique_details

  Get comprehensive details about a specific MITRE ATT&CK technique

  Try:Give me details about technique T1059Try:Show all sub-techniques for T1190Try:Describe the permissions required for technique T1059.001
• get_tactics_info

  Retrieve information about MITRE ATT&CK tactics

  Try:List all MITRE ATT&CK tacticsTry:Show techniques related to the 'Defense Evasion' tacticTry:What tactics are commonly used by ransomware?
• map_techniques_to_threat_actors

  Map which threat actors use specific techniques in the MITRE ATT&CK database

  Try:Which threat actors use technique T1059?Try:Show me all actors that employ lateral movement techniquesTry:List threat actors associated with credential access techniques
• get_malware_techniques

  Get techniques associated with specific malware families

  Try:What techniques does NotPetya use?Try:Show all techniques associated with TrickBot malwareTry:List common techniques used by ransomware families
• search_attack_database

  Search the MITRE ATT&CK database for relevant entries using keywords

  Try:Search for techniques related to 'password spraying'Try:Find entries about 'living off the land' techniquesTry:Search for MITRE ATT&CK entries about supply chain attacks
• get_attack_matrix

  Retrieve the complete MITRE ATT&CK matrix structure

  Try:Show me the full ATT&CK matrixTry:What techniques are in the 'Execution' tactic?Try:List all techniques in the MITRE ATT&CK enterprise matrix

Note: Tool names inferred from the README's description of features and use cases. The README mentions '50+ Tools for MITRE ATT&CK Querying' but doesn't provide explicit tool names or signatures, only describing functionality. Tools were created

Comparable tools

Installation

pipx install git+https://github.com/stoyky/mitre-attack-mcp

{
  "mcpServers": {
    "mitre-attack": {
      "command": "mitre-attack-mcp",
      "args": []
    }
  }
}

FAQ

Where does the server store the MITRE data by default?

By default, the MCP server stores MITRE-related data in the current user's default cache directory. You can specify a custom data directory using the --data-dir argument in the configuration.

What version of Python is required to run this server?

The README doesn't specify a Python version requirement, but since it installs via PipX and depends on mitreattack-python, Python 3.7 or higher should be compatible.

Compare mitre-attack-mcp with