A command-line Python tool that allows you to search for threat actors tracked by MITRE ATT&CK, automatically fetches their ATT&CK Navigator information, and displays their techniques grouped by tactic (e.g., Execution, Persistence, Lateral Movement).
- Search any known MITRE threat actor by name or alias (e.g., FIN10, APT1, TA505)
- Automatically resolves and fetches the correct ATT&CK Group ID (e.g., G0051)
- Generates a Navigator link to visualize the threat actor's techniques in the ATT&CK Navigator
- Displays all techniques used by the actor, grouped by kill chain phase
- Optional filtering by tactic (e.g., only show Execution or Persistence TTPs)
- Organized and readable console output
- Uses official MITRE STIX data from github.com/mitre/cti

Requirements:
- Python 3.7+
- Requests
```
pip install requests
python threat_actor_navigator.py
```

```
python threat_actor_navigator.py
Enter a Threat Actor name (e.g., FIN10): fin10
Found Group ID: G0051
ATT&CK Navigator Link:
https://mitre-attack.github.io/attack-navigator//#layerURL=https://attack.mitre.org/groups/G0051/G0051-enterprise-layer.json
(Optional) Filter by tactic (e.g., Execution). Press Enter to show all:
Techniques used by FIN10 (G0051):
=== Execution ===
T1059.001 - PowerShell
FIN10 uses PowerShell for execution and persistence via PowerShell Empire.
=== Persistence ===
T1547.001 - Registry Run Key
FIN10 has added registry Run keys to establish persistence.
...
```

This project pulls live data from:
- MITRE ATT&CK STIX (enterprise-attack.json)
- MITRE ATT&CK Navigator
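
The lookup described above (alias to Group ID, then techniques grouped by kill chain phase) can be sketched against the STIX bundle format as follows. This is an added example, not the project's own code: the function names are hypothetical, and the bundle is a constructed miniature with placeholder object IDs so it runs offline.

```python
from collections import defaultdict

def _tech(n, ext_id, name, phase, **extra):  # builds one constructed attack-pattern
    return {"type": "attack-pattern", "id": f"attack-pattern--{n}", "name": name,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": phase}],
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}], **extra}

# Constructed miniature bundle shaped like enterprise-attack.json (not real MITRE data;
# object IDs are shortened placeholders and T0000 is a made-up revoked entry).
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--a", "name": "FIN10", "aliases": ["FIN10"],
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0051"}]},
    _tech(1, "T1059.001", "PowerShell", "execution"),
    _tech(2, "T1547.001", "Registry Run Key", "persistence"),
    _tech(3, "T0000", "Retired entry", "execution", revoked=True),
] + [{"type": "relationship", "relationship_type": "uses",
      "source_ref": "intrusion-set--a", "target_ref": f"attack-pattern--{n}"} for n in (1, 2, 3)]}

def attack_id(obj):
    """ATT&CK ID (G####, T####.###) from a STIX object's external references, else None."""
    return next((r.get("external_id") for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)

def find_group(bundle, query):
    """Case-insensitive match of query against an intrusion-set's name or aliases."""
    q = query.strip().lower()
    for o in bundle["objects"]:
        names = [o.get("name", "")] + o.get("aliases", [])
        if o.get("type") == "intrusion-set" and q in (n.lower() for n in names):
            return o
    return None

def techniques_by_tactic(bundle, group, tactic=None):
    """Follow the group's 'uses' relationships; bucket live techniques by kill chain phase."""
    techs = {o["id"]: o for o in bundle["objects"] if o.get("type") == "attack-pattern"}
    want = tactic.strip().lower().replace(" ", "-") if tactic else None
    grouped = defaultdict(list)
    for rel in bundle["objects"]:
        if rel.get("type") != "relationship" or rel.get("relationship_type") != "uses":
            continue
        tech = techs.get(rel.get("target_ref"))
        if rel.get("source_ref") != group["id"] or tech is None:
            continue
        if tech.get("revoked") or tech.get("x_mitre_deprecated"):
            continue  # skip entries ATT&CK has retired
        for phase in tech.get("kill_chain_phases", []):
            if want in (None, phase["phase_name"]):
                grouped[phase["phase_name"]].append((attack_id(tech), tech["name"]))
    return {k: sorted(v) for k, v in grouped.items()}
```

Skipping `revoked` and `x_mitre_deprecated` objects keeps retired technique IDs out of the report, and normalizing the filter to the hyphenated phase name lets input such as "Lateral Movement" match `lateral-movement`.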
Note: This project is open-source under no license. MITRE ATT&CK data is used under the terms of their license.