Tyr - get-mitre
Installation
cargo install get-mitre
Purpose
This command-line utility explores MITRE ATT&CK entries by their ID.
Initialisation
You must initialize the MITRE ATT&CK database first. The database is stored in your <home_directory>/.tyr directory, which is created automatically if it does not exist.
From a console, first run the following command to test your internet connection:
$ get-mitre check
Check mitre domain: Enterprise
Test: https://attack.mitre.org/docs/attack-excel-files/v18.1/enterprise-attack/enterprise-attack-v18.1.xlsx... valid
Check mitre domain: ICS
Test: https://attack.mitre.org/docs/attack-excel-files/v18.1/ics-attack/ics-attack-v18.1.xlsx... valid
Check mitre domain: Mobile
Test: https://attack.mitre.org/docs/attack-excel-files/v18.1/mobile-attack/mobile-attack-v18.1.xlsx... valid
This command only tests that each spreadsheet (xlsx) file used to build your local database is reachable; it does not build anything yet.
Afterward, run the following command:
$ get-mitre refresh
Successfully created MITRE 'tactic' table
Successfully created MITRE 'relationship' table
Successfully created MITRE 'detectionstrategy' table
Successfully created MITRE 'analytic' table
Successfully created MITRE 'technique' table
Successfully created MITRE 'datacomponent' table
Successfully created MITRE 'mitigation' table
Successfully created MITRE 'citation' table
Successfully created MITRE 'software' table
Successfully created MITRE 'asset' table
Successfully created MITRE 'campaign' table
Successfully created MITRE 'groups' table
Source file downloaded successfully: enterprise-attack-v18.1.xlsx
Progress 'techniques': 692/692 - 100.00%
Progress 'tactics': 15/15 - 100.00%
Progress 'software': 785/785 - 100.00%
Progress 'groups': 173/173 - 100.00%
Progress 'campaigns': 53/53 - 100.00%
Progress 'mitigations': 45/45 - 100.00%
No importer for sheet: Enterprise ATT&CK matrix
Progress 'relationships': 19432/19432 - 100.00%
Progress 'datacomponents': 107/107 - 100.00%
Progress 'analytics': 1740/1740 - 100.00%
Progress 'detectionstrategies': 692/692 - 100.00%
Progress 'citations': 4247/4247 - 100.00%
Operation completed successfully: enterprise-attack-v18.1.xlsx
Source file downloaded successfully: ics-attack-v18.1.xlsx
Progress 'techniques': 84/84 - 100.00%
Progress 'tactics': 13/13 - 100.00%
Progress 'software': 24/24 - 100.00%
Progress 'groups': 15/15 - 100.00%
Progress 'campaigns': 8/8 - 100.00%
Progress 'assets': 19/19 - 100.00%
Progress 'mitigations': 53/53 - 100.00%
No importer for sheet: matrix
Progress 'relationships': 1372/1372 - 100.00%
Progress 'datacomponents': 37/37 - 100.00%
Progress 'analytics': 83/83 - 100.00%
Progress 'detectionstrategies': 84/84 - 100.00%
Progress 'citations': 387/387 - 100.00%
Operation completed successfully: ics-attack-v18.1.xlsx
Source file downloaded successfully: mobile-attack-v18.1.xlsx
Progress 'techniques': 125/125 - 100.00%
Progress 'tactics': 13/13 - 100.00%
Progress 'software': 123/123 - 100.00%
Progress 'groups': 18/18 - 100.00%
Progress 'campaigns': 4/4 - 100.00%
Progress 'mitigations': 14/14 - 100.00%
No importer for sheet: Mobile ATT&CK matrix
Progress 'relationships': 1713/1713 - 100.00%
Progress 'datacomponents': 18/18 - 100.00%
Progress 'analytics': 212/212 - 100.00%
Progress 'detectionstrategies': 125/125 - 100.00%
Progress 'citations': 403/403 - 100.00%
Operation completed successfully: mobile-attack-v18.1.xlsx
Each spreadsheet is downloaded and imported into your local SQLite database.
You're ready to go!
Additional checking
You can check your local database with the following command:
$ get-mitre check --db
Mitre 'groups' table... Ok (176 records)
Mitre 'datacomponent' table... Ok (119 records)
Mitre 'mitigation' table... Ok (108 records)
Mitre 'tactic' table... Ok (38 records)
Mitre 'technique' table... Ok (898 records)
Mitre 'analytic' table... Ok (2032 records)
Mitre 'asset' table... Ok (18 records)
Mitre 'citation' table... Ok (4715 records)
Mitre 'detectionstrategy' table... Ok (898 records)
Mitre 'campaign' table... Ok (55 records)
Mitre 'relationship' table... Ok (22489 records)
Mitre 'software' table... Ok (910 records)
If you have no database, you'll get this status:
$ get-mitre check --db
No 'detectionstrategy' table
No 'analytic' table
No 'tactic' table
No 'datacomponent' table
No 'campaign' table
No 'groups' table
No 'asset' table
No 'relationship' table
No 'technique' table
No 'citation' table
No 'software' table
No 'mitigation' table
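As an added example (not code from the get-mitre project), the following POSIX shell script chains the three steps above (check, refresh, check --db) and validates the check --db output so that a partial or stale refresh is not mistaken for a usable database. It assumes get-mitre is on PATH and exits non-zero when check or refresh fails, and it takes the twelve table names from the output shown above; the script name init_tyr.sh in the usage note is an assumption.

```shell
#!/bin/sh
# Added example (not part of the get-mitre project): wraps the initialisation
# procedure (check -> refresh -> check --db) and validates the output of
# `get-mitre check --db` so a half-built database is not mistaken for a good one.
# Assumptions: get-mitre is on PATH and exits non-zero when `check` or
# `refresh` fails; the table names are the twelve listed in the README output.

EXPECTED_TABLES="analytic asset campaign citation datacomponent detectionstrategy groups mitigation relationship software tactic technique"

# verify_db_check: reads `get-mitre check --db` output on stdin and returns 0
# only if every expected table reports "Ok" with at least one record.
# Missing, malformed or empty tables are reported on stderr and yield 1.
verify_db_check() {
    out=$(cat)
    rc=0
    for t in $EXPECTED_TABLES; do
        # extract the record count from "Mitre '<t>' table... Ok (<n> records)"
        n=$(printf '%s\n' "$out" |
            sed -n "s/^Mitre '$t' table\.\.\. Ok (\([0-9][0-9]*\) records)$/\1/p")
        if [ -z "$n" ]; then
            echo "table '$t': missing or not Ok" >&2
            rc=1
        elif [ "$n" -eq 0 ]; then
            echo "table '$t': present but empty" >&2
            rc=1
        fi
    done
    return $rc
}

# init_tyr: run the README procedure end to end, stopping at the first failure.
init_tyr() {
    get-mitre check || { echo "attack.mitre.org is not reachable" >&2; return 1; }
    get-mitre refresh || { echo "refresh failed" >&2; return 1; }
    get-mitre check --db | verify_db_check
}

# Constructed sample: the "no database" status shown in the README (truncated).
SAMPLE_MISSING="No 'detectionstrategy' table
No 'analytic' table"

case "${1:-}" in
    init)   init_tyr ;;
    verify) verify_db_check ;;   # e.g. get-mitre check --db | sh init_tyr.sh verify
    demo)   printf '%s\n' "$SAMPLE_MISSING" | verify_db_check ||
                echo "sample database is incomplete (expected)" ;;
esac
```

Run sh init_tyr.sh init to initialise, or pipe get-mitre check --db into sh init_tyr.sh verify from a cron job or CI step to catch a database that is missing tables or was left empty by an interrupted refresh.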
Explore
To explore a MITRE ATT&CK technique, pass its ID:
$ get-mitre 1562.003
[ MITRE - T1562.003 ]
[ Summary - T1562.003 ]
- Name: Impair Defenses: Impair Command History Logging
- Url: https://attack.mitre.org/techniques/T1562/003
- Created: 21 February 2020
- Modified: 24 October 2025
- Version: 2.3
[ Platforms ]
- ESXi
- Linux
- Network Devices
- Windows
- macOS
[ Domains ]
- Enterprise
[ Description ]
- Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when a user logs out. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected. The `HISTFILE` environment variable is also used in some ESXi systems.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)
Adversaries may clear the history environment variable (<code>unset HISTFILE</code>) or set the command history size to zero (<code>export HISTFILESIZE=0</code>) to prevent logging of commands. Additionally, <code>HISTCONTROL</code> can be configured to ignore commands that start with a space by simply setting it to "ignorespace". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
On Windows systems, the <code>PSReadLine</code> module tracks commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt</code> by default). Adversaries may change where these logs are saved using <code>Set-PSReadLineOption -HistorySavePath {File Path}</code>. This will cause <code>ConsoleHost_history.txt</code> to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command <code>Set-PSReadlineOption -HistorySaveStyle SaveNothing</code>.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. <code>no logging</code>).
[ Mitre ]
- Sub-techniques: T1562
- Impact: Unknown
- MTC ID: Unknown
[ Tactics ]
- Type: Unknown
- List:
- Defense Evasion
[ Citations ]
- CCCS ArcaneDoor 2024
- CISA AA20-239A BeagleBoyz August 2020
- CISA Medusa Group Medusa Ransomware March 2025
- Cisco ArcaneDoor 2024
- GitHub SILENTTRINITY Modules July 2019
- Google Cloud Threat Intelligence ESXi VIBs 2022
- Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023
- Hunt Sea Turtle 2024
- Juniper RedPenguin MAR 2025
- Mandiant UNC3886 Juniper Routers MAR 2025
- Sandfly BPFDoor 2022
- Securing bash history
[ Relationships ]
- Campaign: C0046, C0056
- Detectionstrategy: DET0563
- Group: G0082, G1041, G1048, G1051
- Mitigation: M1028, M1039
- Software: S0692, S1161, S1186, S1217
These IDs can be explored further with the get-mitre command (see below).
More details
To get more details for a MITRE ID, first list its relationships with the following command:
$ [ MITRE - T1562.003 ]
[ Relationships by target ]
[ Campaign ]
- Source id: C0046
- Mapping type: uses
- Target type: technique
- Created: 06 January 2025
- Modified: 16 April 2025
[ Description ]
- [ArcaneDoor](https://attack.mitre.org/campaigns/C0046 included disabling logging on targeted Cisco ASA appliances. Cisco ArcaneDoor 2024 CCCS ArcaneDoor 2024
[ Campaign ]
- Source id: C0056
- Mapping type: uses
- Target type: technique
- Created: 27 June 2025
- Modified: 30 June 2025
[ Description ]
- During [RedPenguin](https://attack.mitre.org/campaigns/C0056, [UNC3886](https://attack.mitre.org/groups/G1048 used malware to clear the `HISTFILE` environmental vaiable and to inject into Junos OS processes to inhibit logging. Mandiant UNC3886 Juniper Routers MAR 2025 Juniper RedPenguin MAR 2025
[ Detectionstrategy ]
- Source id: DET0563
- Mapping type: detects
- Target type: technique
- Created: 21 October 2025
- Modified: 21 October 2025
[ Description ]
- Unknown
[ Group ]
- Source id: G0082
- Mapping type: uses
- Target type: technique
- Created: 29 September 2021
- Modified: 28 April 2025
[ Description ]
- [APT38](https://attack.mitre.org/groups/G0082 has prepended a space to all of their terminal commands to operate without leaving traces in the HISTCONTROL environment. CISA AA20-239A BeagleBoyz August 2020
[ Group ]
- Source id: G1041
- Mapping type: uses
- Target type: technique
- Created: 20 November 2024
- Modified: 16 April 2025
[ Description ]
- [Sea Turtle](https://attack.mitre.org/groups/G1041 unset the Bash and MySQL history files on victim systems. Hunt Sea Turtle 2024
[ Group ]
- Source id: G1048
- Mapping type: uses
- Target type: technique
- Created: 04 June 2025
- Modified: 04 June 2025
[ Description ]
- [UNC3886](https://attack.mitre.org/groups/G1048 has tampered with and disabled logging services on targeted systems. Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023
[ Group ]
- Source id: G1051
- Mapping type: uses
- Target type: technique
- Created: 16 October 2025
- Modified: 21 October 2025
[ Description ]
- [Medusa Group](https://attack.mitre.org/groups/G1051 has removed PowerShell command history through the use of the PSReadLine module by running the PowerShell command `Remove-Item (Get-PSReadlineOption.HistorySavePath`. CISA Medusa Group Medusa Ransomware March 2025
[ Mitigation ]
- Source id: M1028
- Mapping type: mitigates
- Target type: technique
- Created: 15 October 2020
- Modified: 28 April 2025
[ Description ]
- Make sure that the <code>HISTCONTROL</code> environment variable is set to “ignoredups” instead of “ignoreboth” or “ignorespace”.
[ Mitigation ]
- Source id: M1039
- Mapping type: mitigates
- Target type: technique
- Created: 15 October 2020
- Modified: 28 April 2025
[ Description ]
- Prevent users from changing the <code>HISTCONTROL</code>, <code>HISTFILE</code>, and <code>HISTFILESIZE</code> environment variables. Securing bash history
[ Software ]
- Source id: S0692
- Mapping type: uses
- Target type: technique
- Created: 29 March 2022
- Modified: 28 April 2025
[ Description ]
- [SILENTTRINITY](https://attack.mitre.org/software/S0692 can bypass ScriptBlock logging to execute unmanaged PowerShell code from memory. GitHub SILENTTRINITY Modules July 2019
[ Software ]
- Source id: S1161
- Mapping type: uses
- Target type: technique
- Created: 23 September 2024
- Modified: 16 April 2025
[ Description ]
- [BPFDoor](https://attack.mitre.org/software/S1161 sets the `MYSQL_HISTFILE` and `HISTFILE` to `/dev/null` preventing the shell and MySQL from logging history in `/proc/<PID>/environ`. Sandfly BPFDoor 2022
[ Software ]
- Source id: S1186
- Mapping type: uses
- Target type: technique
- Created: 06 January 2025
- Modified: 16 April 2025
[ Description ]
- [Line Dancer](https://attack.mitre.org/software/S1186 can disable syslog on compromised devices. Cisco ArcaneDoor 2024
[ Software ]
- Source id: S1217
- Mapping type: uses
- Target type: technique
- Created: 02 June 2025
- Modified: 02 June 2025
[ Description ]
- [VIRTUALPITA](https://attack.mitre.org/software/S1217 can impair logging by setting the `HISTFILE` environmental variable to `0` and stopping the `vmsyslogd` service. Google Cloud Threat Intelligence ESXi VIBs 2022
[ Relationships by source ]
No relationship found
With these IDs you can get more details for each section through the command options (see get-mitre help). For example, to get more details about the listed software, use the following command:
$ get-mitre 1562.003 -l softwares
[ MITRE - T1562.003 ]
[ Softwares - S0692 ]
- Name: SILENTTRINITY
- Url: https://attack.mitre.org/software/S0692
- Created: 23 March 2022
- Modified: 30 April 2025
- Version: 1.1
- Type: tool
[ Domains ]
- Enterprise
[ Description ]
- [SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.(Citation: GitHub SILENTTRINITY March 2022)(Citation: Security Affairs SILENTTRINITY July 2019)
[ Platforms ]
- Windows
[ Aliases ]
- Unknown
[ Citations ]
- GitHub SILENTTRINITY March 2022
- GitHub SILENTTRINITY Modules July 2019
- Github_SILENTTRINITY
- Security Affairs SILENTTRINITY July 2019
[ Contributors ]
- Daniel Acevedo
- ARMADO
[ Softwares - S1161 ]
- Name: BPFDoor
- Url: https://attack.mitre.org/software/S1161
- Created: 20 September 2024
- Modified: 03 January 2025
- Version: 1.1
- Type: malware
[ Domains ]
- Enterprise
[ Description ]
- [BPFDoor](https://attack.mitre.org/software/S1161) is a Linux based passive long-term backdoor used by China-based threat actors. First seen in 2021, [BPFDoor](https://attack.mitre.org/software/S1161) is named after its usage of Berkley Packet Filter (BPF) to execute single task instructions. [BPFDoor](https://attack.mitre.org/software/S1161) supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP and can start local or reverse shells that bypass firewalls using iptables.(Citation: Sandfly BPFDoor 2022)(Citation: Deep Instinct BPFDoor 2023)
[ Platforms ]
- Linux
[ Aliases ]
- Backdoor.Linux.BPFDOOR
- Backdoor.Solaris.BPFDOOR.ZAJE
- JustForFun
[ Citations ]
- Deep Instinct BPFDoor 2023
- Sandfly BPFDoor 2022
[ Contributors ]
- Unknown
[ Softwares - S1186 ]
- Name: Line Dancer
- Url: https://attack.mitre.org/software/S1186
- Created: 06 January 2025
- Modified: 15 April 2025
- Version: 1.0
- Type: malware
[ Domains ]
- Enterprise
[ Description ]
- [Line Dancer](https://attack.mitre.org/software/S1186) is a memory-only Lua-based shellcode loader associated with the [ArcaneDoor](https://attack.mitre.org/campaigns/C0046) campaign. [Line Dancer](https://attack.mitre.org/software/S1186) allows an adversary to upload and execute arbitrary shellcode on victim devices.(Citation: Cisco ArcaneDoor 2024)(Citation: CCCS ArcaneDoor 2024)
[ Platforms ]
- Network Devices
[ Aliases ]
- Unknown
[ Citations ]
- CCCS ArcaneDoor 2024
- Cisco ArcaneDoor 2024
[ Contributors ]
- Unknown
[ Softwares - S1217 ]
- Name: VIRTUALPITA
- Url: https://attack.mitre.org/software/S1217
- Created: 02 June 2025
- Modified: 03 June 2025
- Version: 1.0
- Type: malware
[ Domains ]
- Enterprise
[ Description ]
- [VIRTUALPITA](https://attack.mitre.org/software/S1217) is a passive backdoor with ESXi and Linux vCenter variants capable of command execution, file transfer, and starting and stopping processes. [VIRTUALPITA](https://attack.mitre.org/software/S1217) has been in use since at least 2022 including by [UNC3886](https://attack.mitre.org/groups/G1048) who leveraged malicious vSphere Installation Bundles (VIBs) for install on ESXi hypervisors.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)
[ Platforms ]
- ESXi
- Linux
[ Aliases ]
- Unknown
[ Citations ]
- Google Cloud Threat Intelligence ESXi VIBs 2022
- Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023
- Mandiant Fortinet Zero Day
[ Contributors ]
- Unknown
Other
To explore all options, run get-mitre help.
Authors and acknowledgment
Help is appreciated. All tools are developed in Rust.
License
This project is under MIT license.
Project status
This project is under development and all contributions are welcome.
These tools are provided without any guarantee.