analyzing-threat-actor-ttps-with-mitre-navigator

Solid

Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti Python library. The analyst queries STIX/TAXII data for group-technique associations, generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles. Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis.

Category: AI & Automation · 12,642 stars · 1,468 forks · Updated today · License: Apache-2.0


Quality Score: 97/100

- Stars (20%): 100
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 77
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Analyzing Threat Actor TTPs with MITRE Navigator

## Overview

The MITRE ATT&CK Navigator is a web application for annotating and visualizing ATT&CK matrices. Combined with the attackcti Python library (which queries ATT&CK STIX data via TAXII), analysts can programmatically generate Navigator layer files mapping specific threat group TTPs, compare multiple groups, and assess detection coverage gaps against known adversaries.

## When to Use

- When investigating security incidents that require analyzing threat actor TTPs with MITRE Navigator
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Python 3.8+ with the attackcti and stix2 libraries installed
- MITRE ATT&CK Navigator (web UI or local instance)
- Understanding of STIX 2.1 objects and relationships

## Steps

1. Query ATT&CK STIX data for the target threat group using attackcti
2. Extract techniques associated with the group via STIX relationships
3. Generate ATT&CK Navigator layer JSON with technique annotations
4. Overlay detection coverage to identify gaps
5. Export the layer for team review and defensive planning

## Expected Output

```json
{
  "name": "APT29 TTPs",
  "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1566.001", "score": 1, "comment": "Spearphishing Attachment"},
    {"techniqueID": "T1059.001", "s...
```
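The five steps above, worked end to end, as an added example that is not part of the skill or of the mukul975 repository. To run offline it embeds constructed, minimal STIX-2.1-shaped objects (an intrusion-set, attack-patterns and `uses` relationships) in place of a live attackcti/TAXII query; the group name, IDs, the `DETECTION_COVERAGE` inventory and the "score 2 = detected, score 1 = gap" convention are all assumptions of this example. The layer it emits uses only the `name`, `domain` and `techniques` keys shown in the expected output.

```python
import json

# Constructed sample data shaped like the STIX 2.1 objects attackcti returns
# from the ATT&CK TAXII server (real objects carry many more fields). In a
# live run (step 1) these would come from the attackcti query results instead.
GROUP = {"type": "intrusion-set", "id": "intrusion-set--0001", "name": "Example Group"}

ATTACK_PATTERNS = [
    {"type": "attack-pattern", "id": "attack-pattern--0001",
     "name": "Phishing: Spearphishing Attachment",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--0002",
     "name": "Command and Scripting Interpreter: PowerShell",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--0003",
     "name": "OS Credential Dumping: LSASS Memory",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1003.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--0004",
     "name": "Scheduled Task/Job: Scheduled Task",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1053.005"}]},
]

# "uses" relationships link an intrusion-set to the attack-patterns it employs.
# The last one belongs to a different group and must not leak into the layer.
RELATIONSHIPS = [
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--0001", "target_ref": "attack-pattern--0001"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--0001", "target_ref": "attack-pattern--0002"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--0001", "target_ref": "attack-pattern--0003"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--0002", "target_ref": "attack-pattern--0004"},
]

# Constructed detection inventory: technique ID -> the control that detects it.
DETECTION_COVERAGE = {
    "T1566.001": "mail gateway attachment detonation",
    "T1059.001": "PowerShell script block logging forwarded to the SIEM",
}


def attack_id(attack_pattern):
    """Return the ATT&CK technique ID (e.g. T1566.001) from a STIX attack-pattern."""
    for ref in attack_pattern.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    raise ValueError(f"no mitre-attack reference on {attack_pattern['id']}")


def techniques_used_by(group_id, relationships, attack_patterns):
    """Step 2: follow 'uses' relationships from the group to attack-pattern objects."""
    by_id = {ap["id"]: ap for ap in attack_patterns}
    used = []
    for rel in relationships:
        if rel["relationship_type"] == "uses" and rel["source_ref"] == group_id:
            target = by_id.get(rel["target_ref"])
            if target is not None and target["type"] == "attack-pattern":
                used.append(target)
    return used


def build_layer(name, techniques, coverage):
    """Steps 3-4: build a Navigator layer; score 2 = used and detected, 1 = used, no detection."""
    entries = []
    for ap in techniques:
        tid = attack_id(ap)
        covered = tid in coverage
        note = f" | detected by: {coverage[tid]}" if covered else " | NO DETECTION"
        entries.append({"techniqueID": tid, "score": 2 if covered else 1,
                        "comment": ap["name"] + note})
    return {"name": name, "domain": "enterprise-attack", "techniques": entries}


def coverage_gaps(layer):
    """Technique IDs the group uses that no current detection covers."""
    return sorted(t["techniqueID"] for t in layer["techniques"] if t["score"] == 1)


def to_json(layer):
    """Step 5: serialised layer ready to load into the Navigator UI."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    used = techniques_used_by(GROUP["id"], RELATIONSHIPS, ATTACK_PATTERNS)
    layer = build_layer(f"{GROUP['name']} TTPs", used, DETECTION_COVERAGE)
    print(to_json(layer))
    print("detection gaps:", coverage_gaps(layer))
```

The scoring split matters for the overlay in step 4: with a two-colour gradient in the Navigator, score 1 cells are the group's techniques you cannot currently see, so the gap list is what the team reviews first. Filtering on `source_ref` (not just `target_ref`) is what keeps another group's techniques out of the profile.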

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

analyzing-apt-group-with-mitre-navigator

Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.

12,642 Updated today
mukul975
AI & Automation Featured

analyzing-threat-actor-ttps-with-mitre-attack

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh

12,642 Updated today
mukul975
AI & Automation Featured

implementing-threat-modeling-with-mitre-attack

Implements threat modeling using the MITRE ATT&CK framework to map adversary TTPs against organizational assets, assess detection coverage gaps, and prioritize defensive investments. Use when SOC teams need to align detection engineering with threat landscape, conduct threat assessments for new environments, or justify security tool procurement.

12,642 Updated today
mukul975
AI & Automation Solid

mitre-attck-skill

MITRE ATT&CK framework mapping and analysis

1,034 Updated today
a5c-ai
AI & Automation Featured

mapping-mitre-attack-techniques

Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.

12,642 Updated today
mukul975