MITRE ATT&CK Lookup Tool

attack-lookup is a tool that lets you easily check what Tactic, Technique, or Sub-technique ID maps to what name, and vice versa. It can be used interactively, for batch processing, or in your own tooling.


attack-lookup can be installed from PyPi:

$ pip install attack-lookup

It can also be installed manually:

$ git clone
$ cd attack-lookup
$ python install --user


$ attack-lookup --help
usage: attack-lookup [-h] [-v VERSION] [-m {enterprise,ics,mobile}] [-O] [-i INPUT] [-o OUTPUT] [--output-mode {results,csv}]

MITRE ATT&CK Lookup Tool

optional arguments:
  -h, --help            show this help message and exit
  -v VERSION, --version VERSION
                        ATT&CK matrix version to use (default: v10.1)
  -m {enterprise,ics,mobile}, --matrix {enterprise,ics,mobile}
                        ATT&CK matrix to use (default: enterprise)
  -O, --offline         Run in offline mode (default: False)
  -i INPUT, --input INPUT
                        Path to input file (one lookup value per line) (default: None)
  -o OUTPUT, --output OUTPUT
                        Path to output file (default: -)
  --output-mode {results,csv}
                        Mode for output file ("result" only has the lookup results, "csv" outputs a CSV with the lookup and result values (default: results)

By default, attack-lookup uses the latest version of the Enterprise matrix. When running in Online mode, attack-lookup pulls the latest matrix from MITRE's GitHub repo. When running in Offline mode, it can use any matrix available in attack_lookup/data.

You can use attack-lookup in interactive or batch mode:

$ attack-lookup
(loading latest enterprise matrix...done)
Running attack-lookup in interactive mode, exit with (q)uit
ATT&CK> T1539
Steal Web Session Cookie

For batch mode, specify an input file, and optionally an output file/mode. By default, output will go to stdout.

$ attack-lookup -i test
(loading latest enterprise matrix...done)
Peripheral Device Discovery

$ attack-lookup -i test --output-mode=csv
(loading latest enterprise matrix...done)
External Remote Services,T1133
T1120,Peripheral Device Discovery

$ attack-lookup -i test --output-mode=csv -o out_file
(loading latest enterprise matrix...done)
Wrote output data to out_file

If multiple mappings exist (e.g., "Domains"), attack-lookup will provide all possible values:

ATT&CK> Domains
Multiple possible values: T1583.001, T1584.001


You can also use attack-lookup in your own scripts.

from attack_lookup import AttackMapping # version is ignored when running online FYSAmapping = AttackMapping(matrix="enterprise", version="v10.1", offline=False) # load the data# this can take ~10secif not mapping.load_data(): print("failed to load data") else: mapping.lookup("T1574") # returns "Hijack Execution Flow"

GitHub - curated-intel/attack-lookup at
MITRE ATT&CK Lookup Tool. Contribute to curated-intel/attack-lookup development by creating an account on GitHub.