https://github.com/dobin/ttpextractor
Extract the Procedures (TTP) from CTI reports
Last synced: 11 months ago
- Host: GitHub
- URL: https://github.com/dobin/ttpextractor
- Owner: dobin
- License: mit
- Created: 2025-03-15T13:31:32.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-06-17T12:22:31.000Z (about 1 year ago)
- Last Synced: 2025-06-17T13:31:51.384Z (about 1 year ago)
- Language: Python
- Homepage: https://ttpextractor.r00ted.ch
- Size: 82 KB
- Stars: 6
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# ttpExtractor
Uses an LLM to extract TTPs from CTI report PDFs.
The focus is on the P (Procedures): what the threat actors were actually doing.
For red teamers seeking to imitate TAs.
Live at [ttpextractor.r00ted.ch](https://ttpextractor.r00ted.ch)
This project is more of an experiment and playground than a reasonable
application.
It analyzes each report in three ways:
* ChatGPT 4o, paged
* Google Gemini 2.0, unpaged
* Google Gemini 2.5, unpaged
## Install
```
$ pip install -r requirements.txt
```
## Commandline
```
$ export OPENAI_API_KEY="..."
$ export GEMINI_API_KEY="..."
$ cp ttp-test.pdf input/
$ python ./ttpextractor.py ttp-test.pdf
```
Result:
```
$ ls output/ttp-test.pdf/
ttp-test.pdf_0_chunk.txt
ttp-test.pdf_0_response.txt
ttp-test.pdf_1_chunk.txt
ttp-test.pdf_1_response.txt
...
```
## Start Web UI
```
$ export OPENAI_API_KEY="..."
$ export UPLOAD_PW="..."
$ python ./web.py
```
Open `http://localhost:5000`.