🚧
Special privileges required
Vulnerability Intelligence is only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise Plus licenses.

Returns a list of MITRE tactics with their correspondent techniques that are associated with the Vulnerability as follows:

{
    "data":
    {
        "tactics": \<_list of dictionaries_> the list of associated tactics.
        [
            "id": \<_string_> the MITRE tactic identifier.
            "name": \<_string_> the name of the tactic.
            "link": \<_string_> the link to the tactic's MITRE webpage.
            "description": \<_string_> the description of the tactic.
            "techniques": \<_list of dictionaries_> the list of associated techniques that belong to the tactic and are associated with the vulnerability.
                [
                    {
                        "id": \<_string_> the MITRE technique identifier.
                        "name": \<_string_> the name of the technique.
                        "link": \<_string_> the link to the technique's MITRE webpage.
                        "description": \<_string_> the description of the technique.
                        "source": \<_list of strings_> whether the technique association comes from the IoCs related to the vulnerability object (seen_in_iocs) or is intrinsic to it (operational).
                        "context_attribute": \<_dictionary_> the date when the technique was associated with the vulnerability.
                        {
                            "timestamp": \<_integer_> (UTC timestamp).
                        }
                    }
                ]
        ]
    }
}

Example response

{
    "data":
    {
        "tactics":
        [
            "id": "TA0005",
                "name": "Defense Evasion",
                "link": "https://attack.mitre.org/tactics/TA0005/",
                "description": "The adversary is trying to avoid being detected.\n\nDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses. ",
                "techniques":
                [
                    {
                        "id": "T1564",
                        "name": "Hide Artifacts",
                        "link": "https://attack.mitre.org/techniques/T1564/",
                        "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.",
                        "source":
                        [
                            "operational"
                        ],
                        "context_attribute":
                        {
                            "timestamp": 1732728093
                        }
                    }
                ]
        ]
    }
}

Filters

Available filters for MITRE tree of a Vulnerability:

mitre_namespace: to get only the tactics and techniques based on MITRE namespace matrix as enterprise (by default), mobile and ics. E.g.: mitre_namespace:mobile.
ttp_source: to specify the origin of the TTPs you want to see in the results as operational (manually linked to the object by analysts), seen_in_iocs (automatically matched during the sandbox detonation of the Vulnerability's related files) and all (by default - both sources). E.g.: ttp_source:seen_in_iocs.

Examples

Get the enterprise MITRE TTPs of files associated with a vulnerability.

import requests

object_id = "vulnerability--cve-2022-30190"
filters = "mitre_namespace:enterprise ttp_source:seen_in_iocs"
url = f"https://www.virustotal.com/api/v3/collections/{object_id}/mitre_tree?filter={filters}"
headers = {"accept": "application/json","x-apikey": <api-key>}
response = requests.get(url, headers=headers)