analysing-attack-skill_skill

This skill helps analysts map Mitre ATT&CK tactics and techniques to detections and threat models, enabling precise risk insights.
  • Python

250

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill tsale/awesome-dfir-skills --skill analysing-attack-skill

  • SKILL.md5.6 KB

Overview

This skill analyses MITRE ATT&CK tactics, techniques, and sub-techniques to support threat detection, threat modeling, and cyber threat intelligence. It provides curated, version-aware references and searchable indexes tuned for rapid mapping to ATT&CK v18.1. Use it to produce consistent, repeatable mappings from raw detections, CTI reports, or analyst hypotheses to ATT&CK IDs. It focuses on accuracy, granularity, and defensible technique selection.

How this skill works

The skill inspects detection logic, CTI report content, logs, and procedure descriptions to identify candidate tactics and techniques. It uses token-efficient keyword indexes and a technique list to match keywords, IDs, and platform context, then recommends the most specific technique or sub-technique. It also highlights commonly missed indicators, technique pairings, and version changelog items to avoid mis-mapping.

When to use it

  • Mapping alerts or SIEM detections to ATT&CK for incident response or enrichment
  • Reviewing CTI reports, malware analysis notes, or threat actor procedures
  • Validating that detection logic covers relevant tactics and sub-techniques
  • Performing risk assessments or threat modeling against enterprise telemetry
  • Auditing historical reports to align with ATT&CK v18.1 changes

Best practices

  • Read source material end-to-end, including appendices, screenshots, and IOCs before mapping
  • Search broadly with keyword indexes, then validate candidate IDs in the technique list
  • Map to the most specific sub-technique possible; avoid generic technique-only mappings when details exist
  • Consider attacker intent and the procedural context, not just single artifacts or strings
  • Perform a second, independent review to catch missed techniques and validate assumptions

Example use cases

  • Turn a detection rule into an ATT&CK mapping to guide mitigation priorities
  • Extract techniques from a CTI report and produce an indicator-to-technique table for analysts
  • Audit an alert set to find gaps where tactics are not being detected
  • Translate malware behavior logs into ATT&CK narrative for executive reporting
  • Update legacy mappings after reviewing the ATT&CK v18.1 changelog to address renamed or deprecated items

FAQ

Map the technique where the observed procedure best matches attacker intent and context. Document alternative applicable tactics and justify your primary choice.

What if a report implies but does not explicitly state a technique?

Avoid inferring techniques without supporting evidence. Note hypotheses separately and mark them as unconfirmed; re-evaluate when additional data becomes available.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational