- Home
- Skills
- Copyleftdev
- Sk1llz
- Mitre Attack
mitre-attack_skill
- Python
3
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill copyleftdev/sk1llz --skill mitre-attack- SKILL.md16.9 KB
Overview
This skill applies the MITRE ATT&CK framework to threat intelligence, detection engineering, and coverage assessment. It provides a consistent taxonomy of adversary tactics, techniques, and procedures (TTPs) and tools to map detections, prioritize gaps, and generate ATT&CK Navigator layers. Use it to turn behavioral threat knowledge into measurable detection outcomes.
How this skill works
The skill models ATT&CK entities (tactics, techniques, sub-techniques, detections, and threat groups) and tracks coverage per technique. It ingests ATT&CK data, associates detection rules with technique IDs, recalculates coverage levels, and produces Navigator-compatible layer JSON. It also ranks gaps by adversary usage and available telemetry to prioritize detection work.
When to use it
- Mapping existing detections to ATT&CK technique IDs
- Assessing coverage across tactics and identifying detection gaps
- Prioritizing new detection development based on threat relevance
- Building ATT&CK-aligned hunting hypotheses and Sigma rules
- Communicating detection posture to leadership using Navigator visualizations
Best practices
- Always reference canonical ATT&CK technique IDs in alerts and documentation
- Map detections at the most specific level (include sub-techniques) where telemetry allows
- Favor behavioral detections and data-source-first designs over brittle signatures
- Validate and track false-positive rates; update coverage level after validation
- Continuously refresh ATT&CK data and re-evaluate coverage as techniques evolve
Example use cases
- Run a periodic coverage assessment to produce an ATT&CK Navigator layer for SOC reporting
- Ingest SIEM/EDR rules, map them to techniques, and compute prioritized detection gaps
- Create Sigma rules and detection templates tied to high-priority techniques for a targeted threat group
- Use technique prioritization to focus engineering resources where telemetry exists and adversaries use techniques most
- Track multiple threat groups and compute technique overlap to inform intelligence-driven detection
FAQ
Prioritize techniques used frequently by relevant threat groups, where required data sources are already available, and those that support high-impact tactics like Initial Access or Credential Access.
What telemetry is required to map a technique?
Map techniques to explicit data sources (process creation, network flow, auth logs, memory access, etc.). If your telemetry does not cover the technique’s data sources, mark it as a detection gap and plan to onboard the necessary logs.