analyzing-apt-group-with-mitre-navigator

使用 MITRE ATT&CK Navigator 分析高级持续性威胁(APT)组织的技术手法,创建对手 TTP 的分层热力图,用于检测差距分析和威胁导向防御。

9 stars

Best use case

analyzing-apt-group-with-mitre-navigator is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

使用 MITRE ATT&CK Navigator 分析高级持续性威胁(APT)组织的技术手法,创建对手 TTP 的分层热力图,用于检测差距分析和威胁导向防御。

Teams using analyzing-apt-group-with-mitre-navigator should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How analyzing-apt-group-with-mitre-navigator Compares

Feature / Agentanalyzing-apt-group-with-mitre-navigatorStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

使用 MITRE ATT&CK Navigator 分析高级持续性威胁(APT)组织的技术手法,创建对手 TTP 的分层热力图,用于检测差距分析和威胁导向防御。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 使用 MITRE ATT&CK Navigator 分析 APT 组织

## 概述

MITRE ATT&CK Navigator 是一款基于 Web 的工具,用于标注和探索 ATT&CK 矩阵,使分析人员能够可视化威胁行为者(Threat Actor)的技术覆盖情况、比较多个 APT 组织、识别检测差距,并构建威胁导向防御策略。本技能涵盖通过编程方式查询 ATT&CK 数据、将 APT 组织的 TTP 映射到 Navigator 层、创建多层叠加进行差距分析,以及为检测工程团队生成可执行情报报告。

## 前置条件

- Python 3.9+,安装 `attackcti`、`mitreattack-python`、`stix2`、`requests` 库
- ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/) 或本地部署版本
- 了解 ATT&CK Enterprise 矩阵:14 个战术、200+ 个技术及子技术
- 访问威胁情报报告或 MISP/OpenCTI 获取威胁行为者数据
- 熟悉 STIX 2.1 的 Intrusion Set 和 Attack Pattern 对象

## 核心概念

### ATT&CK Navigator 层

Navigator 层是 JSON 文件,用于为 ATT&CK 技术添加分数、颜色、注释和元数据标注。每个层可以代表单个 APT 组织的技术使用情况、检测能力图谱或组合叠加层。4.5 版本层格式支持 enterprise-attack、mobile-attack 和 ics-attack 域,并可按平台(Windows、Linux、macOS、Cloud、Azure AD、Office 365、SaaS)进行过滤。

### ATT&CK 中的 APT 组织画像

ATT&CK 收录了超过 140 个威胁组织及其记录在案的技术使用情况。每个组织画像包含别名、目标行业、关联攻击活动、所用软件及技术映射(含过程级详情)。组织通过 G 代码标识(如 APT29 为 G0016,APT28 为 G0007,Lazarus Group 为 G0032)。

### 多层分析

Navigator 支持同时加载多个层,使分析人员能够将威胁行为者的 TTP 叠加到检测覆盖范围上以识别差距,比较多个 APT 组织以发现值得优先处理的共同技术,并追踪技术覆盖随时间的变化。

## 实践步骤

### 步骤 1:查询 APT 组织的 ATT&CK 数据

```python
from attackcti import attack_client
import json

lift = attack_client()

# 获取所有威胁组织
groups = lift.get_groups()
print(f"Total ATT&CK groups: {len(groups)}")

# 查找 APT29(Cozy Bear / Midnight Blizzard)
apt29 = next((g for g in groups if g.get('name') == 'APT29'), None)
if apt29:
    print(f"Group: {apt29['name']}")
    print(f"Aliases: {apt29.get('aliases', [])}")
    print(f"Description: {apt29.get('description', '')[:300]}")

# 获取 APT29(G0016)使用的技术
techniques = lift.get_techniques_used_by_group("G0016")
print(f"APT29 uses {len(techniques)} techniques")

technique_map = {}
for tech in techniques:
    tech_id = ""
    for ref in tech.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            tech_id = ref.get("external_id", "")
            break
    if tech_id:
        tactics = [p.get("phase_name", "") for p in tech.get("kill_chain_phases", [])]
        technique_map[tech_id] = {
            "name": tech.get("name", ""),
            "tactics": tactics,
            "description": tech.get("description", "")[:500],
            "platforms": tech.get("x_mitre_platforms", []),
            "data_sources": tech.get("x_mitre_data_sources", []),
        }
```

### 步骤 2:生成 Navigator 层 JSON

```python
def create_navigator_layer(group_name, technique_map, color="#ff6666"):
    techniques_list = []
    for tech_id, info in technique_map.items():
        for tactic in info["tactics"]:
            techniques_list.append({
                "techniqueID": tech_id,
                "tactic": tactic,
                "color": color,
                "comment": info["name"],
                "enabled": True,
                "score": 100,
                "metadata": [
                    {"name": "group", "value": group_name},
                    {"name": "platforms", "value": ", ".join(info["platforms"])},
                ],
            })

    layer = {
        "name": f"{group_name} TTP Coverage",
        "versions": {"attack": "16.1", "navigator": "5.1.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"Techniques attributed to {group_name}",
        "filters": {
            "platforms": ["Linux", "macOS", "Windows", "Cloud",
                          "Azure AD", "Office 365", "SaaS", "Google Workspace"]
        },
        "sorting": 0,
        "layout": {
            "layout": "side", "aggregateFunction": "average",
            "showID": True, "showName": True,
            "showAggregateScores": False, "countUnscored": False,
        },
        "hideDisabled": False,
        "techniques": techniques_list,
        "gradient": {"colors": ["#ffffff", color], "minValue": 0, "maxValue": 100},
        "legendItems": [
            {"label": f"Used by {group_name}", "color": color},
            {"label": "Not observed", "color": "#ffffff"},
        ],
        "showTacticRowBackground": True,
        "tacticRowBackground": "#dddddd",
        "selectTechniquesAcrossTactics": True,
        "selectSubtechniquesWithParent": False,
        "selectVisibleTechniques": False,
    }
    return layer

layer = create_navigator_layer("APT29", technique_map)
with open("apt29_layer.json", "w") as f:
    json.dump(layer, f, indent=2)
print("[+] Layer saved: apt29_layer.json")
```

### 步骤 3:比较多个 APT 组织

```python
groups_to_compare = {"G0016": "APT29", "G0007": "APT28", "G0032": "Lazarus Group"}
group_techniques = {}

for gid, gname in groups_to_compare.items():
    techs = lift.get_techniques_used_by_group(gid)
    tech_ids = set()
    for t in techs:
        for ref in t.get("external_references", []):
            if ref.get("source_name") == "mitre-attack":
                tech_ids.add(ref.get("external_id", ""))
    group_techniques[gname] = tech_ids

common_to_all = set.intersection(*group_techniques.values())
print(f"Techniques common to all groups: {len(common_to_all)}")
for tid in sorted(common_to_all):
    print(f"  {tid}")

for gname, techs in group_techniques.items():
    others = set.union(*[t for n, t in group_techniques.items() if n != gname])
    unique = techs - others
    print(f"\nUnique to {gname}: {len(unique)} techniques")
```

### 步骤 4:使用层叠加进行检测差距分析

```python
# 定义当前检测能力
detected_techniques = {
    "T1059", "T1059.001", "T1071", "T1071.001", "T1566", "T1566.001",
    "T1547", "T1547.001", "T1053", "T1053.005", "T1078", "T1027",
}

actor_techniques = set(technique_map.keys())
covered = actor_techniques.intersection(detected_techniques)
gaps = actor_techniques - detected_techniques

print(f"=== Detection Gap Analysis for APT29 ===")
print(f"Actor techniques: {len(actor_techniques)}")
print(f"Detected: {len(covered)} ({len(covered)/len(actor_techniques)*100:.0f}%)")
print(f"Gaps: {len(gaps)} ({len(gaps)/len(actor_techniques)*100:.0f}%)")

# 创建差距层(红色=未检测,绿色=已检测)
gap_techniques = []
for tech_id in actor_techniques:
    info = technique_map.get(tech_id, {})
    for tactic in info.get("tactics", [""]):
        color = "#66ff66" if tech_id in detected_techniques else "#ff3333"
        gap_techniques.append({
            "techniqueID": tech_id,
            "tactic": tactic,
            "color": color,
            "comment": f"{'DETECTED' if tech_id in detected_techniques else 'GAP'}: {info.get('name', '')}",
            "enabled": True,
            "score": 100 if tech_id in detected_techniques else 0,
        })

gap_layer = {
    "name": "APT29 Detection Gap Analysis",
    "versions": {"attack": "16.1", "navigator": "5.1.0", "layer": "4.5"},
    "domain": "enterprise-attack",
    "description": "Green = detected, Red = gap",
    "techniques": gap_techniques,
    "gradient": {"colors": ["#ff3333", "#66ff66"], "minValue": 0, "maxValue": 100},
    "legendItems": [
        {"label": "Detected", "color": "#66ff66"},
        {"label": "Detection Gap", "color": "#ff3333"},
    ],
}
with open("apt29_gap_layer.json", "w") as f:
    json.dump(gap_layer, f, indent=2)
```

### 步骤 5:战术分类分析

```python
from collections import defaultdict

tactic_breakdown = defaultdict(list)
for tech_id, info in technique_map.items():
    for tactic in info["tactics"]:
        tactic_breakdown[tactic].append({"id": tech_id, "name": info["name"]})

tactic_order = [
    "reconnaissance", "resource-development", "initial-access",
    "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery",
    "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

print("\n=== APT29 Tactic Breakdown ===")
for tactic in tactic_order:
    techs = tactic_breakdown.get(tactic, [])
    if techs:
        print(f"\n{tactic.upper()} ({len(techs)} techniques):")
        for t in techs:
            print(f"  {t['id']}: {t['name']}")
```

## 验收标准

- 成功通过 TAXII 服务器查询 ATT&CK 数据
- APT 组织已映射到所有记录在案的技术及过程示例
- Navigator 层 JSON 在 ATT&CK Navigator 中验证通过并正确渲染
- 多层叠加显示威胁行为者与检测覆盖情况的对比
- 检测差距分析识别出未监控的技术并提供数据源建议
- 跨组织比较揭示共同和独特的 TTP
- 输出结果可供检测工程优先级排序使用

## 参考资料

- [MITRE ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/)
- [ATT&CK Groups](https://attack.mitre.org/groups/)
- [attackcti Python Library](https://github.com/OTRF/ATTACK-Python-Client)
- [Navigator Layer Format v4.5](https://github.com/mitre-attack/attack-navigator/blob/master/layers/LAYERFORMATv4_5.md)
- [CISA Best Practices for MITRE ATT&CK Mapping](https://www.cisa.gov/sites/default/files/2023-01/Best%20Practices%20for%20MITRE%20ATTCK%20Mapping.pdf)
- [Picus: Leverage MITRE ATT&CK for Threat Intelligence](https://www.picussecurity.com/how-to-leverage-the-mitre-attack-framework-for-threat-intelligence)

Related Skills

profiling-threat-actor-groups

9
from killvxk/cybersecurity-skills-zh

通过聚合 TTP 文档、历史活动数据、工具指纹和来自多个情报源的归因指标,为 APT 组织、犯罪组织和黑客活动组织开发全面的威胁行为者画像。适用于就行业特定威胁向管理层汇报、更新威胁模型假设,或针对特定对手优先部署防御控制措施。当涉及 MITRE ATT&CK 组织、Mandiant APT 画像、CrowdStrike 对手命名或行业特定威胁简报时激活。

mapping-mitre-attack-techniques

9
from killvxk/cybersecurity-skills-zh

将观察到的对手行为、安全告警和检测规则映射到 MITRE ATT&CK 技术和子技术,以量化检测覆盖率并指导控制优先级。当构建基于 ATT&CK 的覆盖热图、为 SIEM 告警标记技术 ID、将安全控制与对手攻击手册对齐,或向高层报告威胁暴露时使用。适用于涉及 ATT&CK Navigator、Sigma 规则、MITRE D3FEND 或覆盖缺口分析的请求。

implementing-threat-modeling-with-mitre-attack

9
from killvxk/cybersecurity-skills-zh

使用 MITRE ATT&CK 框架实施威胁建模,将对手 TTP 映射到组织资产, 评估检测覆盖缺口,并优化防御投资。 适用于 SOC 团队需要将检测工程与威胁态势对齐、对新环境开展威胁评估, 或为安全工具采购提供决策依据时。

implementing-mitre-attack-coverage-mapping

9
from killvxk/cybersecurity-skills-zh

实施 MITRE ATT&CK 覆盖率映射,以识别检测空白、优先排序规则开发,并衡量 SOC 检测成熟度与对手技术的匹配程度。

analyzing-windows-shellbag-artifacts

9
from killvxk/cybersecurity-skills-zh

分析 Windows ShellBag 注册表取证痕迹,使用 SBECmd 和 ShellBags Explorer 重建文件夹浏览活动,检测对可移动介质和网络共享的访问,并在删除后仍能确认用户与目录的交互行为。

analyzing-windows-registry-for-artifacts

9
from killvxk/cybersecurity-skills-zh

提取并分析 Windows 注册表配置单元,以发现用户活动、已安装软件、自启动条目及系统入侵证据。

analyzing-windows-prefetch-with-python

9
from killvxk/cybersecurity-skills-zh

使用 windowsprefetch Python 库解析 Windows Prefetch 文件,重建应用程序执行历史,检测重命名或伪装的二进制文件,并识别可疑的程序执行模式。

analyzing-windows-lnk-files-for-artifacts

9
from killvxk/cybersecurity-skills-zh

解析 Windows LNK 快捷方式文件,提取目标路径、时间戳、卷信息和机器标识符,用于取证时间线重建。

analyzing-windows-event-logs-in-splunk

9
from killvxk/cybersecurity-skills-zh

在 Splunk 中分析 Windows Security、System 和 Sysmon 事件日志,使用映射到 MITRE ATT&CK 技术的 SPL 查询检测身份验证攻击、权限提升(Privilege Escalation)、持久化(Persistence)机制和横向移动 (Lateral Movement)。适用于 SOC 分析师调查基于 Windows 的威胁、构建检测查询,或对 Windows 终端和域控制器执行取证时间线分析。

analyzing-windows-amcache-artifacts

9
from killvxk/cybersecurity-skills-zh

解析并分析 Windows Amcache.hve 注册表配置单元(Registry Hive),提取程序执行证据、文件元数据、 SHA-1 哈希及设备连接历史,用于数字取证(Digital Forensics)和事件响应(Incident Response)调查。

analyzing-web-server-logs-for-intrusion

9
from killvxk/cybersecurity-skills-zh

解析 Apache 和 Nginx 访问日志,检测 SQL 注入(SQL Injection)尝试、本地文件包含(Local File Inclusion)、 目录遍历(Directory Traversal)、Web 扫描器指纹及暴力破解(Brute Force)模式。 使用基于正则表达式的模式匹配对照 OWASP 攻击签名、GeoIP 富化进行来源溯源, 以及针对请求频率和响应大小异常值的统计异常检测。

analyzing-usb-device-connection-history

9
from killvxk/cybersecurity-skills-zh

从 Windows 注册表、事件日志和 setupapi 日志调查 USB 设备连接历史,以追踪可移动存储设备的使用情况和潜在的数据外泄行为。