Maps threat actor TTPs to MITRE ATT&CK framework using Python libraries, generates ATT&CK Navigator heatmaps, identifies detection gaps, and creates reports linking IOCs to Enterprise/Mobile/ICS techniques.
MITRE ATT&CK 是基于真实世界观察的全球可访问的对手战术、技术和过程(TTP)知识库。本技能涵盖系统性地将威胁行为者行为映射到 ATT&CK 框架、使用 ATT&CK Navigator 构建技术覆盖热力图、识别检测差距,以及生成将观察到的 IOC 关联到 Enterprise、Mobile 和 ICS 矩阵中特定对手技术的可执行情报报告。
Maps threat actor TTPs to MITRE ATT&CK framework, builds coverage heatmaps with Navigator, identifies detection gaps, and generates reports linking IOCs to techniques.
Maps threat actor TTPs to MITRE ATT&CK framework, builds Navigator heatmaps, identifies detection gaps, and generates reports linking IOCs to techniques for incident analysis.
Analyzes APT groups' TTPs using MITRE ATT&CK Navigator and Python to generate layered heatmaps for detection gap analysis and threat-informed defense.
MITRE ATT&CK 是基于真实世界观察的全球可访问的对手战术、技术和过程(TTP)知识库。本技能涵盖系统性地将威胁行为者行为映射到 ATT&CK 框架、使用 ATT&CK Navigator 构建技术覆盖热力图、识别检测差距,以及生成将观察到的 IOC 关联到 Enterprise、Mobile 和 ICS 矩阵中特定对手技术的可执行情报报告。
常用 Python 库:mitreattack-python、attackcti、stix2。ATT&CK Enterprise 矩阵将对手行为组织为 14 个战术("为什么"),其下包含技术("如何做")和子技术(具体实现)。每个技术都关联了数据源、检测方法、缓解措施,以及来自已观察威胁组织的真实过程示例。
ATT&CK 收录了超过 140 个威胁组织(如 APT28、APT29、Lazarus Group、FIN7),记录了其技术使用情况。每个组织画像包含别名、目标行业、关联攻击活动、所用软件,以及含过程级详情的技术映射。
ATT&CK Navigator 是用于创建自定义 ATT&CK 矩阵可视化的 Web 工具。分析人员创建层(JSON 文件),用分数、颜色、注释和元数据标注技术,以可视化威胁行为者覆盖范围、检测能力或风险评估。需要注意:标注了检测能力与差距的层文件本身就是敏感信息(它直接描述了你的防御盲区),应按内部机密处理,建议在本地或离线部署的 Navigator 中打开,不要粘贴到不受控的第三方服务。
from attackcti import attack_client
import json
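# Initialise the ATT&CK client. By default this pulls the STIX bundles from
# MITRE's public TAXII server over the network, so what you analyse depends on
# whichever ATT&CK release the server serves at run time. For reproducible,
# auditable results (and for offline/air-gapped SOCs) record the release you
# analysed against and keep a local copy of the bundle; newer attackcti
# releases can be pointed at local STIX files — check the version you use.
lift = attack_client()

# Every Enterprise technique (sub-techniques included).
enterprise_techniques = lift.get_enterprise_techniques()
print(f"Total Enterprise techniques: {len(enterprise_techniques)}")

# Every intrusion set (threat group) in the knowledge base.
groups = lift.get_groups()
print(f"Total threat groups: {len(groups)}")


def matches_group(group, name: str) -> bool:
    """Return True if *group* is a live object whose name or an alias equals *name*.

    The comparison is exact and case-insensitive on ``name`` and ``aliases``
    rather than a substring test, so a query such as "APT29" cannot silently
    pick up a different group whose name merely contains that string. Objects
    flagged ``revoked`` are skipped; STIX keeps them in the bundle for history.
    """
    if group.get("revoked", False):
        return False
    wanted = name.casefold()
    candidates = [group.get("name", "")] + list(group.get("aliases", []))
    return any(c.casefold() == wanted for c in candidates)


# Look up one group by name/alias.
apt29 = [g for g in groups if matches_group(g, "APT29")]
if apt29:
    group = apt29[0]
    print(f"Group: {group['name']}")
    print(f"Aliases: {group.get('aliases', [])}")
    print(f"Description: {group.get('description', '')[:200]}")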
from attackcti import attack_client
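lift = attack_client()


def attack_id(obj) -> str:
    """Return the ATT&CK ID (e.g. "T1059.001") of a STIX object, or "".

    The ID lives in the ``external_references`` entry whose ``source_name``
    is "mitre-attack". Indexing ``[0]`` happens to work for most
    MITRE-authored objects but nothing in STIX guarantees that ordering, so
    the reference is selected by name.
    """
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id", "")
    return ""


# Techniques attributed to APT29. G0016 is the stable ATT&CK group ID, which
# is safer to key on than a display name that may change between releases.
# These are MITRE's documented "uses" relationships — past observations, not
# a prediction of what the actor will do in your environment.
apt29_techniques = lift.get_techniques_used_by_group("G0016")

technique_map = {}
for entry in apt29_techniques:
    # Revoked/deprecated objects stay in the bundle for history; leaving them
    # in would put retired IDs into the profile and the Navigator layer.
    if entry.get("revoked", False) or entry.get("x_mitre_deprecated", False):
        continue
    tech_id = attack_id(entry)
    if not tech_id:
        continue  # nothing to key on; would otherwise collapse into one "" entry
    tactic_refs = [
        phase.get("phase_name", "")
        for phase in entry.get("kill_chain_phases", [])
    ]
    technique_map[tech_id] = {
        "name": entry.get("name", ""),
        "tactics": tactic_refs,
        "description": entry.get("description", "")[:300],
    }

print(f"\nAPT29 uses {len(technique_map)} techniques:")
for tid, info in sorted(technique_map.items()):
    print(f" {tid}: {info['name']} [{', '.join(info['tactics'])}]")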
import json
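def create_navigator_layer(group_name, technique_map, description="", *,
                           attack_version="16.1"):
    """Build an ATT&CK Navigator layer (layer format 4.5) for one group.

    Args:
        group_name: Label used in the layer name and in each entry's metadata.
        technique_map: ``{technique_id: {"name", "tactics", "description"}}``
            as produced by the mapping step; ``tactics`` holds kill-chain
            phase names such as ``"defense-evasion"``, which are also the
            tactic short names Navigator expects.
        description: Layer description; a generic one is used when empty.
        attack_version: Value written to ``versions.attack``. Keep it in sync
            with the ATT&CK release the techniques were actually pulled from;
            a mismatch can make Navigator warn on import or fail to resolve IDs.

    Returns:
        A JSON-serialisable dict in Navigator layer format.
    """

    def entry(tech_id, info, tactic=None):
        # One annotation cell. Fresh dicts/lists per call so entries never
        # share mutable state if the layer is edited downstream.
        cell = {"techniqueID": tech_id}
        if tactic:
            cell["tactic"] = tactic
        cell.update({
            "color": "#ff6666",  # red marks a technique observed for the group
            "comment": info["description"][:200],
            "enabled": True,
            "score": 100,
            "metadata": [{"name": "group", "value": group_name}],
        })
        return cell

    techniques_list = []
    for tech_id, info in technique_map.items():
        tactics = [t for t in (info.get("tactics") or []) if t]
        if not tactics:
            # No tactic known: omit the key so Navigator applies the
            # annotation wherever the technique appears, instead of emitting
            # an empty tactic name that matches no column.
            techniques_list.append(entry(tech_id, info))
            continue
        # A technique that sits under several tactics (e.g. Valid Accounts)
        # gets one entry per tactic. Annotating only the first would leave the
        # other cells white, which reads as "not observed" on the heatmap.
        for tactic in tactics:
            techniques_list.append(entry(tech_id, info, tactic))

    return {
        "name": f"{group_name} TTP Coverage",
        "versions": {
            "attack": attack_version,
            "navigator": "5.1.0",
            "layer": "4.5",
        },
        "domain": "enterprise-attack",
        "description": description or f"Techniques attributed to {group_name}",
        "filters": {"platforms": ["Windows", "Linux", "macOS", "Cloud"]},
        "sorting": 0,
        "layout": {
            "layout": "side",
            "aggregateFunction": "average",
            "showID": True,
            "showName": True,
            "showAggregateScores": False,
            "countUnscored": False,
        },
        "hideDisabled": False,
        "techniques": techniques_list,
        "gradient": {
            "colors": ["#ffffff", "#ff6666"],
            "minValue": 0,
            "maxValue": 100,
        },
        "legendItems": [
            {"label": "Observed technique", "color": "#ff6666"},
            {"label": "Not observed", "color": "#ffffff"},
        ],
        "showTacticRowBackground": True,
        "tacticRowBackground": "#dddddd",
        "selectTechniquesAcrossTactics": True,
        "selectSubtechniquesWithParent": False,
        "selectVisibleTechniques": False,
    }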
# Build the layer for APT29 and persist it as JSON for import into Navigator.
layer = create_navigator_layer("APT29", technique_map, "APT29 (Cozy Bear) TTP analysis")
output_path = "apt29_navigator_layer.json"
with open(output_path, "w") as out:
    out.write(json.dumps(layer, indent=2))
print("[+] Navigator layer saved to apt29_navigator_layer.json")
from attackcti import attack_client
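lift = attack_client()

# All Enterprise techniques; the data-source annotations hang off each one.
all_techniques = lift.get_enterprise_techniques()


def attack_id(obj) -> str:
    """Return the ATT&CK ID of a STIX object ("" if it has none).

    Selected via the ``external_references`` entry whose ``source_name`` is
    "mitre-attack" rather than by position — STIX does not guarantee that the
    MITRE reference comes first.
    """
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id", "")
    return ""


# Map each data source (e.g. "Process: Process Creation") to the technique IDs
# it can evidence. This is the bridge between "what the actor does" and "what
# telemetry we would need to see it". NOTE(review): the per-technique
# ``x_mitre_data_sources`` list has been restructured in newer ATT&CK
# releases; if this map comes back empty, check the release notes for the
# version you pulled before trusting a gap analysis built on it.
data_source_coverage = {}
for tech in all_techniques:
    if tech.get("revoked", False) or tech.get("x_mitre_deprecated", False):
        continue  # retired techniques should not count as coverable
    tech_id = attack_id(tech)
    if not tech_id:
        continue
    for ds in tech.get("x_mitre_data_sources", []):
        data_source_coverage.setdefault(ds, []).append(tech_id)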
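# Compare the actor's techniques with what the detection stack is known to
# cover. Replace this sample set with the technique IDs your rules/analytics
# have actually been *validated* against (e.g. by purple-team testing), not
# merely the IDs a rule author tagged them with.
detected_techniques = {"T1059", "T1071", "T1566"}  # example only


def is_detected(tech_id: str, detected: set) -> bool:
    """Return True if *tech_id*, or the parent of a sub-technique, is in *detected*.

    Sub-technique IDs look like ``T1059.001``. Coverage inventories are often
    kept at parent level, so an exact-match test alone reports every
    sub-technique as a gap even where the parent detection fires. The reverse
    is deliberately not assumed: a rule for one sub-technique says nothing
    about its parent or its sibling sub-techniques.
    """
    if tech_id in detected:
        return True
    parent, _, _ = tech_id.partition(".")
    return parent != tech_id and parent in detected


actor_techniques = set(technique_map.keys())
covered = {t for t in actor_techniques if is_detected(t, detected_techniques)}
# Coverage inherited from a parent ID is weaker evidence than an exact hit
# (a generic T1059 rule may never fire on T1059.001), so report it separately.
covered_via_parent = covered - detected_techniques
gaps = actor_techniques - covered
total = len(actor_techniques)


def pct(count: int) -> float:
    # Guard the empty-profile case instead of raising ZeroDivisionError.
    return count / total * 100 if total else 0.0


print(f"\n=== APT29 检测差距分析 ===")
print(f"行为者技术总数: {total}")
print(f"已检测: {len(covered)} ({pct(len(covered)):.0f}%)")
print(f"  其中经父技术继承: {len(covered_via_parent)}")
print(f"差距: {len(gaps)} ({pct(len(gaps)):.0f}%)")
print(f"\n未检测技术:")
for tech_id in sorted(gaps):
    # gaps is a subset of technique_map's keys, so no membership test needed
    print(f" {tech_id}: {technique_map[tech_id]['name']}")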
from attackcti import attack_client
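lift = attack_client()


def attack_id(obj) -> str:
    """Return the ATT&CK ID of a STIX object ("" if it has none).

    Looked up via the ``external_references`` entry whose ``source_name`` is
    "mitre-attack" rather than by position, since nothing in STIX guarantees
    the MITRE reference is first.
    """
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id", "")
    return ""


# Groups to compare, keyed by stable ATT&CK group ID.
groups_to_compare = {
    "G0016": "APT29",
    "G0007": "APT28",
    "G0032": "Lazarus Group",
}

group_techniques = {}
for gid, gname in groups_to_compare.items():
    tech_ids = set()
    for t in lift.get_techniques_used_by_group(gid):
        if t.get("revoked", False) or t.get("x_mitre_deprecated", False):
            continue  # retired objects would inflate the "unique" counts
        tid = attack_id(t)
        if tid:
            tech_ids.add(tid)
    group_techniques[gname] = tech_ids

# Shared and unique techniques. This compares what MITRE has *documented* per
# group; reporting depth differs widely between groups, so "unique" means
# "only reported for this group among those compared", not "never used by
# the others".
all_groups = list(group_techniques)
# set.intersection(*values) with no arguments raises TypeError; guard the
# empty case explicitly.
common_to_all = (
    set.intersection(*group_techniques.values()) if group_techniques else set()
)
print(f"\n所有 {len(all_groups)} 个组织共同的技术: {len(common_to_all)} 个")
for tid in sorted(common_to_all):
    print(f" {tid}")

for gname, techs in group_techniques.items():
    others = [t for n, t in group_techniques.items() if n != gname]
    # set().union(*others) is safe when only one group was compared (empty
    # list), unlike set.union(*others), which raises TypeError.
    unique = techs - set().union(*others)
    print(f"\n{gname} 独有技术: {len(unique)} 个")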