atomic-red-team-gs/atomic_red_team/tests/test_attack_api.py

import json

from atomic_red_team.attack_api import Attack


def test_techniques_by_tactic_filters_platform_revoked_and_deprecated(tmp_path):
    attack_file = tmp_path / "enterprise-attack.json"
    attack_file.write_text(
        json.dumps(
            {
                "type": "bundle",
                "id": "bundle--11111111-1111-4111-8111-111111111111",
                "spec_version": "2.0",
                "objects": [
                    {
                        "type": "attack-pattern",
                        "id": "attack-pattern--11111111-1111-4111-8111-111111111111",
                        "created": "2024-01-01T00:00:00.000Z",
                        "modified": "2024-01-01T00:00:00.000Z",
                        "name": "Allowed Technique",
                        "external_references": [
                            {"source_name": "mitre-attack", "external_id": "T1001"}
                        ],
                        "x_mitre_platforms": ["Windows"],
                        "kill_chain_phases": [
                            {
                                "kill_chain_name": "mitre-attack",
                                "phase_name": "execution",
                            }
                        ],
                    },
                    {
                        "type": "attack-pattern",
                        "id": "attack-pattern--22222222-2222-4222-8222-222222222222",
                        "created": "2024-01-01T00:00:00.000Z",
                        "modified": "2024-01-01T00:00:00.000Z",
                        "name": "Wrong Platform",
                        "external_references": [
                            {"source_name": "mitre-attack", "external_id": "T1002"}
                        ],
                        "x_mitre_platforms": ["Linux"],
                        "kill_chain_phases": [
                            {
                                "kill_chain_name": "mitre-attack",
                                "phase_name": "execution",
                            }
                        ],
                    },
                    {
                        "type": "attack-pattern",
                        "id": "attack-pattern--33333333-3333-4333-8333-333333333333",
                        "created": "2024-01-01T00:00:00.000Z",
                        "modified": "2024-01-01T00:00:00.000Z",
                        "name": "Revoked Technique",
                        "external_references": [
                            {"source_name": "mitre-attack", "external_id": "T1003"}
                        ],
                        "x_mitre_platforms": ["Windows"],
                        "revoked": True,
                        "kill_chain_phases": [
                            {
                                "kill_chain_name": "mitre-attack",
                                "phase_name": "execution",
                            }
                        ],
                    },
                ],
            }
        )
    )

    attack = Attack(attack_file)

    assert attack.technique_info("t1001")["name"] == "Allowed Technique"
    assert attack.techniques_by_tactic("windows")["execution"] == [
        attack.technique_info("T1001")
    ]