analyzing-threat-actor-ttps-with-mitre-navigator
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/analyzing-threat-actor-ttps-with-mitre-navigatorMap advanced threat group TTPs to MITRE ATT&CK using Navigator for gap analysis.
- Assesses defensive coverage gaps by comparing known adversary profiles.
- Integrates with STIX/TAXII data sources and the attackcti Python library.
- Activates when requests involve APT TTP mapping or technique coverage analysis.
- Generates downloadable MITRE ATT&CK Navigator layer files for visualization.
SKILL.md
.github/skills/analyzing-threat-actor-ttps-with-mitre-navigatorView on GitHub ↗
---
name: analyzing-threat-actor-ttps-with-mitre-navigator
description: >
Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to
the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti Python library. The
analyst queries STIX/TAXII data for group-technique associations, generates Navigator layer
files for visualization, and compares defensive coverage against adversary profiles.
Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor
profiling, or MITRE technique coverage analysis.
domain: cybersecurity
subdomain: threat-intelligence
tags: [mitre-attack, navigator, threat-intelligence, apt, ttp-mapping, stix, attackcti]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Analyzing Threat Actor TTPs with MITRE Navigator
## Overview
The MITRE ATT&CK Navigator is a web application for annotating and visualizing ATT&CK matrices.
Combined with the attackcti Python library (which queries ATT&CK STIX data via TAXII), analysts
can programmatically generate Navigator layer files mapping specific threat group TTPs, compare
multiple groups, and assess detection coverage gaps against known adversaries.
## When to Use
- When investigating security incidents that require analyzing threat actor ttps with mitre navigator
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Python 3.8+ with attackcti and stix2 libraries installed
- MITRE ATT&CK Navigator (web UI or local instance)
- Understanding of STIX 2.1 objects and relationships
## Steps
1. Query ATT&CK STIX data for target threat group using attackcti
2. Extract techniques associated with the group via STIX relationships
3. Generate ATT&CK Navigator layer JSON with technique annotations
4. Overlay detection coverage to identify gaps
5. Export layer for team review and defensive planning
## Expected Output
```json
{
"name": "APT29 TTPs",
"domain": "enterprise-attack",
"techniques": [
{"techniqueID": "T1566.001", "score": 1, "comment": "Spearphishing Attachment"},
{"techniqueID": "T1059.001", "score": 1, "comment": "PowerShell"}
]
}
```
More from mukul975/Anthropic-Cybersecurity-Skills
- acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
- analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
- analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
- analyzing-api-gateway-access-logs>
- analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
- analyzing-azure-activity-logs-for-threats>
- analyzing-bootkit-and-rootkit-samples>
- analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
- analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
- analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.