Mitre Attack Mcp

@stoyky, 9 months ago
17 MIT
Free, Community
AI Systems
MITRE ATT&CK MCP Server provides tools for querying the ATT&CK knowledge base and analyzing threat actors.

Overview

What is Mitre Attack Mcp

MITRE ATT&CK MCP Server is a Model Context Protocol (MCP) server that provides tools for querying the MITRE ATT&CK knowledge base and analyzing threat actors.

Use cases

Use cases include analyzing threat actor behaviors, comparing techniques used by different malware families, and generating visual representations of threat techniques for better situational awareness.

How to use

To use the server, configure it with Claude AI Desktop by adding the server details to the Claude Desktop config file. Ensure the MITRE ATT&CK data path is specified, and the server will automatically download the latest data files if needed.

Key features

Key features include over 50 tools for querying the MITRE ATT&CK knowledge base, automatic generation of ATT&CK Navigator layers, threat actor and malware attribution analysis, and technique overlap analysis between different threat actors or malware families.

Where to use

MITRE ATT&CK MCP can be used in cybersecurity, threat intelligence, and incident response fields to enhance understanding of threat actors and their techniques.

Content


MITRE ATT&CK MCP Server

A Model Context Protocol (MCP) server for the MITRE ATT&CK knowledge base

Key Features

  • 50+ Tools for MITRE ATT&CK Querying
    • Comprehensive access to the MITRE ATT&CK knowledge base through structured API tools
  • Automatic ATT&CK Navigator Layer Generation
    • Generate visual representations of techniques used by threat actors
  • Threat Actor and Malware Attribution
    • Query relationships between malware, threat actors, and techniques
  • Technique Overlap Analysis
    • Compare techniques used by different threat actors or malware families

Installation

To clone and run this server, you’ll need Git and Python installed on your computer. From your command line:

# Clone this repository
$ git clone https://github.com/stoyky/mitre-attack-mcp

# Go into the repository
$ cd mitre-attack-mcp

# Install dependencies
$ pip install -r requirements.txt

# OR install the most important dependencies manually

$ pip install mcp
$ pip install mitreattack-python

How To Use

Configure with Claude AI Desktop

Add the following to your Claude Desktop config file, typically found at:

C:\Users\[YourUsername]\AppData\Roaming\Claude\claude_desktop_config.json
# or
C:\Users\[YourUsername]\AppData\Local\AnthropicClaude\claude_desktop_config.json

{
  "mcpServers": {
    "mitre-attack": {
      "command": "python",
      "args": [
        "PATH/TO/mitre-attack-mcp-server.py",
        "PATH/TO/mitre-attack-data"
      ]
    }
  }
}

Note
The second argument is the path where MITRE ATT&CK data will be stored. The server automatically downloads the latest data files if needed.

Changelog

  • v1.0.0 - Initial release
  • v1.0.1 - Improved robustness of layer metadata generation and error handling in layer generation function

Use Cases

  • Query for detailed information about specific malware, tactics, or techniques
  • Discover relationships between threat actors and their tools
  • Generate visual ATT&CK Navigator layers for threat analysis
  • Find campaign overlaps between different threat actors
  • Identify common techniques used by multiple malware families

Please see my blog for more information and examples.

Credits


Created by Remy Jaspers
