- Home
- Skills
- Tsale
- Awesome Dfir Skills
- Analysing Attack Skill
analysing-attack-skill_skill
- Python
250
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill tsale/awesome-dfir-skills --skill analysing-attack-skill- SKILL.md5.6 KB
Overview
This skill analyses MITRE ATT&CK tactics, techniques, and sub-techniques to support threat detection, threat modeling, and cyber threat intelligence. It provides curated, version-aware references and searchable indexes tuned for rapid mapping to ATT&CK v18.1. Use it to produce consistent, repeatable mappings from raw detections, CTI reports, or analyst hypotheses to ATT&CK IDs. It focuses on accuracy, granularity, and defensible technique selection.
How this skill works
The skill inspects detection logic, CTI report content, logs, and procedure descriptions to identify candidate tactics and techniques. It uses token-efficient keyword indexes and a technique list to match keywords, IDs, and platform context, then recommends the most specific technique or sub-technique. It also highlights commonly missed indicators, technique pairings, and version changelog items to avoid mis-mapping.
When to use it
- Mapping alerts or SIEM detections to ATT&CK for incident response or enrichment
- Reviewing CTI reports, malware analysis notes, or threat actor procedures
- Validating that detection logic covers relevant tactics and sub-techniques
- Performing risk assessments or threat modeling against enterprise telemetry
- Auditing historical reports to align with ATT&CK v18.1 changes
Best practices
- Read source material end-to-end, including appendices, screenshots, and IOCs before mapping
- Search broadly with keyword indexes, then validate candidate IDs in the technique list
- Map to the most specific sub-technique possible; avoid generic technique-only mappings when details exist
- Consider attacker intent and the procedural context, not just single artifacts or strings
- Perform a second, independent review to catch missed techniques and validate assumptions
Example use cases
- Turn a detection rule into an ATT&CK mapping to guide mitigation priorities
- Extract techniques from a CTI report and produce an indicator-to-technique table for analysts
- Audit an alert set to find gaps where tactics are not being detected
- Translate malware behavior logs into ATT&CK narrative for executive reporting
- Update legacy mappings after reviewing the ATT&CK v18.1 changelog to address renamed or deprecated items
FAQ
Map the technique where the observed procedure best matches attacker intent and context. Document alternative applicable tactics and justify your primary choice.
What if a report implies but does not explicitly state a technique?
Avoid inferring techniques without supporting evidence. Note hypotheses separately and mark them as unconfirmed; re-evaluate when additional data becomes available.