🚧
Special privileges required
Threat Actors and Campaigns are only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise Plus licenses.

Returns a list of MITRE tactics with their correspondent techniques (TTPs) that are associated with the Threat Actor, Campaign,Malware family, Software or Toolkit, or IoC Collection as follows:

{
    "data":
    {
        "tactics": \<_list of dictionaries_> the list of associated tactics.
        [
            "id": \<_string_> the MITRE tactic identifier.
            "name": \<_string_> the name of the tactic.
            "link": \<_string_> the link to the tactic's MITRE webpage.
            "description": \<_string_> the description of the tactic.
            "techniques": \<_list of dictionaries_> the list of associated techniques that belong to the tactic and are associated with the threat.
                [
                    {
                        "id": \<_string_> the MITRE technique identifier.
                        "name": \<_string_> the name of the technique.
                        "link": \<_string_> the link to the technique's MITRE webpage.
                        "description": \<_string_> the description of the technique.
                        "source": \<_list of strings_> whether the technique association comes from the IoCs related to the threat object (seen_in_iocs) or is intrinsic to it (operational).
                        "context_attribute": \<_dictionary_> the date when the technique was associated with the threat.
                        {
                            "timestamp": \<_integer_> (UTC timestamp).
                        }
                    }
                ]
        ]
    }
}

Example response

{
    "data":
    {
        "tactics":
        [
            "id": "TA0005",
                "name": "Defense Evasion",
                "link": "https://attack.mitre.org/tactics/TA0005/",
                "description": "The adversary is trying to avoid being detected.\n\nDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses. ",
                "techniques":
                [
                    {
                        "id": "T1564",
                        "name": "Hide Artifacts",
                        "link": "https://attack.mitre.org/techniques/T1564/",
                        "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.",
                        "source":
                        [
                            "operational"
                        ],
                        "context_attribute":
                        {
                            "timestamp": 1732728093
                        }
                    }
                ]
        ]
    }
}

Filters

Available filters for MITRE tree:

mitre_namespace: to get only the tactics and techniques based on MITRE namespace matrix as enterprise (by default), mobile and ics. E.g.: mitre_namespace:mobile.
ttp_source: to specify the origin of the TTPs you want to see in the results as operational (manually linked to the threat object by analysts), seen_in_iocs (automatically matched during the sandbox detonation of the object's related files) and all (by default - both sources) E.g.: ttp_source:seen_in_iocs.

Examples

Get the mobile MITRE tree from files behavior associated with a threat actor.

import requests

object_id = "threat-actor--bcaaad6f-0597-4b89-b69b-84a6be2b7bc3"
filters = "ttp_source:seen_in_iocs mitre_namespace:mobile"
url = f"https://www.virustotal.com/api/v3/collections/{object_id}/mitre_tree?filter={filters}"
headers = {"accept": "application/json","x-apikey": <api-key>}
response = requests.get(url, headers=headers)

Get the operational MITRE TTPs from a malware or toolkit.

import requests

object_id = "malware--350aa703-7750-5e07-997b-476375955828"
filters = "ttp_source:operational"
url = f"https://www.virustotal.com/api/v3/collections/{object_id}/mitre_tree?filter={filters}"
headers = {"accept": "application/json","x-apikey": <api-key>}
response = requests.get(url, headers=headers)

Get the default MITRE tree associated with a campaign.

import requests

object_id = "campaign--24f96f40-b2fa-512c-b1da-2f22a949d12d"
url = f"https://www.virustotal.com/api/v3/collections/{object_id}/mitre_tree"
headers = {"accept": "application/json","x-apikey": <api-key>}
response = requests.get(url, headers=headers)

Get the default MITRE tree associated with a IoC collection.

import requests

object_id = "alienvault_64edfc5ab93abb1407070292"
url = f"https://www.virustotal.com/api/v3/collections/{object_id}/mitre_tree"
headers = {"accept": "application/json","x-apikey": <api-key>}
response = requests.get(url, headers=headers)

200200

400400