API Reference

Get MITRE tactics and techniques associated with a threat

get https://www.virustotal.com/api/v3/collections//mitre_tree

🚧

Special privileges required

Threat Actors and Campaigns are only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise Plus licenses.

Returns a list of MITRE tactics with their correspondent techniques that are associated with the Threat Actor, Campaign,Malware family, Software or Toolkit, or IoC Collection as follows:

{
    "data":
    {
        "tactics": \<_list of dictionaries_> the list of associated tactics.
        [
            "id": \<_string_> the MITRE tactic identifier.
            "name": \<_string_> the name of the tactic.
            "link": \<_string_> the link to the tactic's MITRE webpage.
            "description": \<_string_> the description of the tactic.
            "techniques": \<_list of dictionaries_> the list of associated techniques that belong to the tactic and are associated with the threat.
                [
                    {
                        "id": \<_string_> the MITRE technique identifier.
                        "name": \<_string_> the name of the technique.
                        "link": \<_string_> the link to the technique's MITRE webpage.
                        "description": \<_string_> the description of the technique.
                        "source": \<_list of strings_> whether the technique association comes from the IoCs related to the threat object (seen_in_iocs) or is intrinsic to it (operational).
                        "context_attribute": \<_dictionary_> the date when the technique was associated with the threat.
                        {
                            "timestamp": \<_integer_> (UTC timestamp).
                        }
                    }
                ]
        ]
    }
}

Example

{
    "data":
    {
        "tactics":
        [
            "id": "TA0005",
                "name": "Defense Evasion",
                "link": "https://attack.mitre.org/tactics/TA0005/",
                "description": "The adversary is trying to avoid being detected.\n\nDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses. ",
                "techniques":
                [
                    {
                        "id": "T1564",
                        "name": "Hide Artifacts",
                        "link": "https://attack.mitre.org/techniques/T1564/",
                        "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.",
                        "source":
                        [
                            "operational"
                        ],
                        "context_attribute":
                        {
                            "timestamp": 1732728093
                        }
                    }
                ]
        ]
    }
}
Language
Click Try It! to start a request and see the response here!