MITRE ATT&CK MCP Server

A Model Context Protocol (MCP) server that provides access to the MITRE ATT&CK knowledge base for threat intelligence and security research. Query techniques, tactics, threat groups, malware, tools, mitigations, and data sources with zero configuration and no external API keys required.

Features

• Complete MITRE ATT&CK knowledge base access (Enterprise domain)
• STIX 2.1 format data from the official mitre/cti GitHub repository
• Automatic download and local caching with 24-hour TTL
• Offline fallback capability
• 7 specialized tools for different query types
• Full-text search across all ATT&CK objects
• No API keys or external CLI tools required
• Input validation and security checks

Tools

The server exposes seven tools for different types of ATT&CK queries:

| Tool | Description | |------|-------------| | attack_technique | Look up ATT&CK technique by ID — description, tactics, platforms, detection, mitigations | | attack_search | Full-text search across ATT&CK techniques, tactics, groups, software | | attack_tactic | List all techniques under an ATT&CK tactic (e.g., Initial Access, Persistence) | | attack_group | Look up threat group (APT28, Lazarus) — techniques used, software, references | | attack_software | Look up malware/tool — associated techniques, groups that use it | | attack_mitigations | List mitigations for a specific ATT&CK technique | | attack_datasources | List data sources and detection components for a technique |

Tool Details

attack_technique

Look up a specific ATT&CK technique by its ID (e.g., T1059, T1059.001). Returns the technique's description, associated tactics, affected platforms, detection methods, and available mitigations.

Input Schema:

{
  "technique_id": "string (required)"
}

Parameters:

• technique_id (string, required): ATT&CK technique ID matching pattern T\d{4}(\.\d{3})?
  • Examples: T1059 (Command and Scripting Interpreter), T1059.001 (PowerShell)

Example Request:

{
  "technique_id": "T1059"
}

Example Output:

{
  "technique_id": "T1059",
  "found": true,
  "name": "Command and Scripting Interpreter",
  "description": "Adversaries may abuse command and script interpreters to execute commands...",
  "tactics": [
    "execution"
  ],
  "platforms": [
    "Linux",
    "macOS",
    "Windows",
    "Cloud"
  ],
  "detection": "Monitor for unexpected processes spawning from the command and scripting interpreter...",
  "is_subtechnique": false,
  "data_sources": [
    "Process: Process Creation",
    "Process: Process Metadata",
    "Command: Command Execution"
  ],
  "mitigations": [
    {
      "id": "M1036",
      "name": "Audit",
      "description": "Perform audits on account handling, user rights management..."
    },
    {
      "id": "M1038",
      "name": "Execution Prevention",
      "description": "Block execution of scripting language interpreters..."
    }
  ],
  "url": "https://attack.mitre.org/techniques/T1059/"
}

attack_search

Full-text search across techniques, tactics, threat groups, and software. Searches the name, description, and ID fields of all ATT&CK objects.

Input Schema:

{
  "query": "string (required, 1-200 chars)",
  "max_results": "integer (default: 20, range: 1-100)"
}

Parameters:

• query (string, required): Search text (1-200 characters)
• max_results (integer, default 20): Maximum results to return (1-100)

Example Request:

{
  "query": "Cobalt Strike",
  "max_results": 10
}

Example Output:

{
  "query": "Cobalt Strike",
  "total_results": 3,
  "showing": 3,
  "results": [
    {
      "type": "tool",
      "id": "S0154",
      "name": "Cobalt Strike",
      "description": "Cobalt Strike is a legitimate penetration testing tool that has also been widely used by adversaries...",
      "url": "https://attack.mitre.org/software/S0154/"
    },
    {
      "type": "technique",
      "id": "T1021.001",
      "name": "Remote Services: RDP",
      "description": "Adversaries may use Valid Accounts over RDP... which Cobalt Strike can facilitate...",
      "url": "https://attack.mitre.org/techniques/T1021/001/"
    },
    {
      "type": "group",
      "id": "G0101",
      "name": "Wizard Spider",
      "description": "Wizard Spider is a sophisticated eCrime group known for Ryuk ransomware deployments...",
      "url": "https://attack.mitre.org/groups/G0101/"
    }
  ]
}

attack_tactic

List all techniques mapped to a specific ATT&CK tactic. Accepts either the tactic ID (e.g., TA0001) or shortname (e.g., "initial-access").

Input Schema:

{
  "tactic_id": "string (required)"
}

Parameters:

• tactic_id (string, required): Tactic ID or shortname
  • Tactic IDs: TA0001-TA0043
  • Shortnames: initial-access, persistence, privilege-escalation, defense-evasion, credential-access, discovery, lateral-movement, collection, exfiltration, command-and-control, impact, etc.

Example Request:

{
  "tactic_id": "initial-access"
}

Example Output:

{
  "tactic_id": "TA0001",
  "found": true,
  "name": "Initial Access",
  "shortname": "initial-access",
  "description": "The adversary is trying to get into your network...",
  "technique_count": 18,
  "techniques": [
    {
      "id": "T1189",
      "name": "Drive-by Compromise",
      "is_subtechnique": false
    },
    {
      "id": "T1195",
      "name": "Supply Chain Compromise",
      "is_subtechnique": false
    },
    {
      "id": "T1199",
      "name": "Trusted Relationship",
      "is_subtechnique": false
    }
  ],
  "url": "https://attack.mitre.org/tactics/TA0001/"
}

attack_group

Look up a threat group by its ID (e.g., G0007) or name (e.g., APT28, Lazarus). Returns the group's aliases, description, techniques used, and software.

Input Schema:

{
  "group_id": "string (required)"
}

Parameters:

• group_id (string, required): Group ID (e.g., G0007) or name (e.g., APT28, Lazarus)

Example Request:

{
  "group_id": "G0007"
}

Example Output:

{
  "group_id": "G0007",
  "found": true,
  "name": "APT28",
  "aliases": [
    "Fancy Bear",
    "STRONTIUM",
    "Pawn Storm",
    "Sednit"
  ],
  "description": "APT28 is a Russian-attributed threat group that has been active since at least 2007...",
  "techniques": [
    {
      "id": "T1583.001",
      "name": "Acquire Infrastructure: Domains"
    },
    {
      "id": "T1589.001",
      "name": "Gather Victim Identity Information: Credentials"
    },
    {
      "id": "T1566.002",
      "name": "Phishing: Spearphishing Link"
    }
  ],
  "software": [
    {
      "id": "S0223",
      "name": "Launchy"
    },
    {
      "id": "S0395",
      "name": "WellMess"
    },
    {
      "id": "S0002",
      "name": "Mimikatz"
    }
  ],
  "url": "https://attack.mitre.org/groups/G0007/"
}

attack_software

Look up a malware or tool by its ID (e.g., S0154) or name (e.g., Cobalt Strike, Mimikatz). Returns the software type, description, affected platforms, techniques it implements, and groups that use it.

Input Schema:

{
  "software_id": "string (required)"
}

Parameters:

• software_id (string, required): Software ID (e.g., S0154) or name (e.g., Cobalt Strike, Mimikatz)

Example Request:

{
  "software_id": "S0154"
}

Example Output:

{
  "software_id": "S0154",
  "found": true,
  "name": "Cobalt Strike",
  "type": "tool",
  "description": "Cobalt Strike is a legitimate commercial penetration testing tool that has been heavily weaponized by adversaries...",
  "platforms": [
    "Windows"
  ],
  "aliases": [
    "Beacon"
  ],
  "techniques": [
    {
      "id": "T1005",
      "name": "Data Staged: Local System"
    },
    {
      "id": "T1040",
      "name": "Network Sniffing"
    },
    {
      "id": "T1021.001",
      "name": "Remote Services: RDP"
    },
    {
      "id": "T1569.002",
      "name": "System Services: Service Execution"
    }
  ],
  "groups": [
    {
      "id": "G0101",
      "name": "Wizard Spider"
    },
    {
      "id": "G0135",
      "name": "FIN10"
    },
    {
      "id": "G0089",
      "name": "Wizard Spider"
    }
  ],
  "url": "https://attack.mitre.org/software/S0154/"
}

attack_mitigations

List all mitigations (courses of action) available for a specific technique. Shows how to defend against a technique and guidance on implementing each mitigation.

Input Schema:

{
  "technique_id": "string (required)"
}

Parameters:

• technique_id (string, required): ATT&CK technique ID (e.g., T1059, T1059.001)

Example Request:

{
  "technique_id": "T1078.003"
}

Example Output:

{
  "technique_id": "T1078.003",
  "technique_name": "Valid Accounts: Cloud Accounts",
  "mitigation_count": 3,
  "mitigations": [
    {
      "id": "M1015",
      "name": "Active Directory Configuration",
      "description": "Configure Active Directory to prevent use of the default Administrator account...",
      "relationship_description": "Enforce strong password policies and multi-factor authentication...",
      "url": "https://attack.mitre.org/mitigations/M1015/"
    },
    {
      "id": "M1032",
      "name": "Multi-factor Authentication",
      "description": "Use multi-factor authentication (MFA) to prevent valid accounts from being compromised...",
      "relationship_description": "Enforce multi-factor authentication for cloud account access...",
      "url": "https://attack.mitre.org/mitigations/M1032/"
    },
    {
      "id": "M1027",
      "name": "Password Policies",
      "description": "Set and enforce secure password policies for accounts...",
      "relationship_description": "Enforce strong password policies for cloud accounts...",
      "url": "https://attack.mitre.org/mitigations/M1027/"
    }
  ]
}

attack_datasources

List the data sources and detection components available for detecting a specific technique. Provides guidance on what to monitor and what detection systems can help identify the technique.

Input Schema:

{
  "technique_id": "string (required)"
}

Parameters:

• technique_id (string, required): ATT&CK technique ID (e.g., T1059, T1059.001)

Example Request:

{
  "technique_id": "T1059.001"
}

Example Output:

{
  "technique_id": "T1059.001",
  "technique_name": "Command and Scripting Interpreter: PowerShell",
  "detection_guidance": "Monitor command-line invocations of powershell.exe with scriptblock logging enabled...",
  "data_sources": [
    {
      "data_source": "Process",
      "component": "Process Creation"
    },
    {
      "data_source": "Process",
      "component": "Process Metadata"
    },
    {
      "data_source": "Command",
      "component": "Command Execution"
    },
    {
      "data_source": "Script",
      "component": "Script Execution"
    }
  ],
  "detection_components": [
    {
      "name": "PowerShell Logs",
      "description": "Monitor Windows Event Log: Security 4688 for powershell.exe with suspicious arguments..."
    },
    {
      "name": "EDR/XDR Solutions",
      "description": "Monitor for script execution with obfuscation patterns..."
    }
  ]
}

Data Source

The server uses the MITRE ATT&CK knowledge base in STIX 2.1 format, downloaded from the official mitre/cti GitHub repository.

Data Download and Caching:

• Source: https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
• Cache Location: ~/.cache/mcp-mitre-attack/enterprise-attack.json
• Cache TTL: 24 hours (automatically refreshes)
• Offline Fallback: If the download fails, the server will use a cached copy even if it's stale

The server automatically:

1. Checks for a cached copy on startup
2. Uses the cache if it's less than 24 hours old and online connectivity is available
3. Downloads fresh data from GitHub if the cache is stale
4. Falls back to cached data if the download fails (offline mode)
5. Indexes all objects in memory for fast lookups

No manual data management is required.

Installation

Prerequisites

• Bun 1.0 or later
• Node.js 18+ (if using Node.js instead of Bun)

Install Steps

1. Clone the repository:

git clone https://github.com/modularintelligence/mi-mcp-servers.git
cd mcp-servers/mitre-attack

2. Install dependencies:

bun install

3. Build the server:

bun run build

The compiled server will be available at dist/index.js.

No External Requirements

This server requires no external API keys, CLI tools, or configuration files. It operates entirely locally once built.

Usage

Running the Server

Start the server with:

bun run src/index.ts

Or run the compiled version:

bun run dist/index.js

The server uses stdio transport and will output MCP protocol messages to stdout.

Claude Desktop Integration

Add the following to your Claude Desktop configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "mitre-attack": {
      "command": "bun",
      "args": ["/Users/YOUR_USERNAME/path/to/mcp-servers/mitre-attack/src/index.ts"],
      "env": {}
    }
  }
}

Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "mitre-attack": {
      "command": "bun",
      "args": ["C:\\path\\to\\mcp-servers\\mitre-attack\\src\\index.ts"],
      "env": {}
    }
  }
}

Linux: ~/.config/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "mitre-attack": {
      "command": "bun",
      "args": ["/home/YOUR_USERNAME/path/to/mcp-servers/mitre-attack/src/index.ts"],
      "env": {}
    }
  }
}

Claude Code MCP Settings

Add to your Claude Code MCP settings (if using local MCP server mode):

{
  "mcpServers": {
    "mitre-attack": {
      "command": "bun",
      "args": ["/absolute/path/to/mcp-servers/mitre-attack/src/index.ts"]
    }
  }
}

Example Queries

Once integrated, you can ask Claude:

• "What is the MITRE ATT&CK ID for command injection and what are the mitigations?"
• "List all techniques in the Persistence tactic"
• "Tell me about APT28 and what techniques they use"
• "How can I detect PowerShell command execution?"
• "Search for ransomware tools"

Claude will automatically invoke the appropriate tools and provide detailed responses.

Security

Input Validation

All user inputs are validated before processing:

ID Validation:

• Maximum length: 100 characters
• Required (non-empty)
• Alphanumeric format with optional dots, hyphens, underscores, and spaces

Search Query Validation:

• Maximum length: 200 characters
• Required (non-empty)

Technique ID Format:

• Must match pattern: T\d{4}(\.\d{3})?
• Examples: T1059, T1059.001

Result Limits:

• Search results capped at 100 maximum
• Default limit: 20 results

Data Integrity

• All external data is loaded from the official MITRE GitHub repository
• Data is validated against STIX 2.1 schema
• Revoked and deprecated items are automatically filtered out
• In-memory indexes are built from authoritative sources

No External API Keys

This server requires no API keys, tokens, or authentication. All data is publicly available from MITRE's official GitHub repository.

Architecture

Key Components

• attack-data.ts: Handles data loading, caching, indexing, and retrieval
• tools/*.ts: Individual tool implementations
• schemas.ts: Zod validation schemas for all input parameters
• security.ts: Input validation functions
• types.ts: TypeScript interfaces for STIX objects and ATT&CK concepts

Indexing Strategy

The server builds multiple in-memory indexes for fast lookup:

• Technique index (by ID and name)
• Tactic index (by ID and shortname)
• Group index (by ID, name, and aliases)
• Software index (by ID and name)
• Mitigation index (by ID)
• Data source index (by name)
• Name index (global name lookup)
• Relationship indexes (by source and target)

This allows sub-millisecond lookups for any ATT&CK object.

Troubleshooting

Server fails to start

Check that Bun is properly installed and accessible:

bun --version

No data downloaded

If the server can't download data from GitHub, check your internet connection. The server will use cached data if available.

Tool not found errors

Ensure you're using the exact tool names: attack_technique, attack_search, attack_tactic, attack_group, attack_software, attack_mitigations, attack_datasources.

Invalid ID errors

Verify your input:

• Technique IDs must match pattern T\d{4}(\.\d{3})?
• Tactic IDs use format TA0001-TA0043 or shortnames like "initial-access"
• Group/Software IDs use format G0001/S0001 or full names

License

MIT License. See the LICENSE file in the repository for details.

References

• MITRE ATT&CK Framework
• MITRE CTI GitHub Repository
• STIX 2.1 Specification
• Model Context Protocol