building-attack-pattern-library-from-cti-reports

从网络威胁情报报告中提取和归类攻击模式,构建基于 STIX 的结构化库,映射到 MITRE ATT&CK,用于检测工程和以威胁为导向的防御。

9 stars

Best use case

building-attack-pattern-library-from-cti-reports is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

从网络威胁情报报告中提取和归类攻击模式,构建基于 STIX 的结构化库,映射到 MITRE ATT&CK,用于检测工程和以威胁为导向的防御。

Teams using building-attack-pattern-library-from-cti-reports should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/building-attack-pattern-library-from-cti-reports/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/building-attack-pattern-library-from-cti-reports/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/building-attack-pattern-library-from-cti-reports/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How building-attack-pattern-library-from-cti-reports Compares

Feature / Agentbuilding-attack-pattern-library-from-cti-reportsStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

从网络威胁情报报告中提取和归类攻击模式,构建基于 STIX 的结构化库,映射到 MITRE ATT&CK,用于检测工程和以威胁为导向的防御。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 从 CTI 报告构建攻击模式库

## 概述

来自 Mandiant、CrowdStrike、Talos 和 Microsoft 等厂商的网络威胁情报(CTI)报告包含对手行为的详细描述,这些描述可以被提取、规范化并归入结构化攻击模式库。本技能涵盖解析 CTI 报告以提取对手技术、将行为映射到 MITRE ATT&CK 技术 ID、创建 STIX 2.1 攻击模式对象、构建按战术/技术和威胁行为者索引的可搜索库,以及从已记录模式生成检测规则模板。

## 前置条件

- Python 3.9+,安装 `stix2`、`mitreattack-python`、`spacy`、`requests` 库
- CTI 报告集合(PDF、HTML 或文本格式)
- MITRE ATT&CK STIX 数据(本地或通过 TAXII)
- 了解 ATT&CK 技术结构和命名规范
- 熟悉检测工程概念(Sigma、YARA)

## 核心概念

### 攻击模式提取

CTI 报告以自然语言描述对手行为。提取过程包括:识别映射到 ATT&CK 技术的动词和技术术语、识别工具名称和恶意软件家族、识别基础设施指标,以及将行为序列映射到攻击链(Kill Chain 阶段)。

### STIX 2.1 攻击模式对象

STIX 将攻击模式定义为结构化域对象(SDO),描述威胁行为者尝试攻陷目标的方式。每个模式通过外部引用链接到 ATT&CK,包含 Kill Chain 阶段(战术),并可关联到入侵集合、恶意软件和工具对象。

### 检测规则生成

提取的攻击模式为检测工程提供依据:为 Sigma 规则创建提供具体过程示例、为关联规则提供行为序列、为 YARA 和 Snort 规则提供 IOC 模式,以及识别遥测数据缺口所需的数据源要求。

## 实践步骤

### 步骤 1:解析 CTI 报告并提取行为

```python
import re
import json
from collections import defaultdict

class CTIReportParser:
    """解析 CTI 报告以提取对手行为。"""

    BEHAVIOR_INDICATORS = [
        "used", "executed", "deployed", "leveraged", "exploited",
        "established", "created", "modified", "downloaded", "uploaded",
        "exfiltrated", "injected", "enumerated", "spawned", "dropped",
        "persisted", "escalated", "moved laterally", "collected",
        "encrypted", "compressed", "encoded", "obfuscated",
    ]

    TOOL_PATTERNS = [
        r'\b(Cobalt Strike|Mimikatz|PsExec|BloodHound|Rubeus|Impacket)\b',
        r'\b(PowerShell|cmd\.exe|WMI|WMIC|certutil|bitsadmin)\b',
        r'\b(Metasploit|Empire|Covenant|Sliver|Brute Ratel)\b',
        r'\b(Lazagne|SharpHound|ADFind|Sharphound|Invoke-Obfuscation)\b',
    ]

    TECHNIQUE_KEYWORDS = {
        "spearphishing": "T1566",
        "phishing attachment": "T1566.001",
        "phishing link": "T1566.002",
        "powershell": "T1059.001",
        "command line": "T1059.003",
        "scheduled task": "T1053.005",
        "registry run key": "T1547.001",
        "process injection": "T1055",
        "dll side-loading": "T1574.002",
        "credential dumping": "T1003",
        "lsass": "T1003.001",
        "kerberoasting": "T1558.003",
        "pass the hash": "T1550.002",
        "remote desktop": "T1021.001",
        "smb": "T1021.002",
        "winrm": "T1021.006",
        "data staging": "T1074",
        "exfiltration over c2": "T1041",
        "dns tunneling": "T1071.004",
        "web shell": "T1505.003",
    }

    def parse_report(self, text, report_metadata=None):
        """解析 CTI 报告并提取行为。"""
        sentences = re.split(r'[.!?]\s+', text)
        behaviors = []

        for sentence in sentences:
            sentence_lower = sentence.lower()
            # 检查行为指示词
            for indicator in self.BEHAVIOR_INDICATORS:
                if indicator in sentence_lower:
                    behavior = {
                        "sentence": sentence.strip(),
                        "action": indicator,
                        "tools": self._extract_tools(sentence),
                        "technique_hints": self._match_techniques(sentence_lower),
                    }
                    if behavior["technique_hints"]:
                        behaviors.append(behavior)
                    break

        print(f"[+] 从报告中提取到 {len(behaviors)} 个行为指标")
        return behaviors

    def _extract_tools(self, text):
        """从文本中提取工具/恶意软件名称。"""
        tools = set()
        for pattern in self.TOOL_PATTERNS:
            matches = re.findall(pattern, text, re.IGNORECASE)
            tools.update(matches)
        return list(tools)

    def _match_techniques(self, text):
        """将文本匹配到 ATT&CK 技术提示。"""
        matches = []
        for keyword, tech_id in self.TECHNIQUE_KEYWORDS.items():
            if keyword in text:
                matches.append({"keyword": keyword, "technique_id": tech_id})
        return matches

parser = CTIReportParser()
sample_report = """
The threat actor used spearphishing attachments with macro-enabled documents to
gain initial access. Once inside, they executed PowerShell scripts to download
additional tooling. The actor leveraged Mimikatz to dump credentials from LSASS
memory. They then used pass the hash techniques for lateral movement via SMB
to multiple systems. Data was staged in a compressed archive and exfiltrated
over the existing C2 channel. The actor established persistence through
scheduled tasks and registry run keys.
"""
behaviors = parser.parse_report(sample_report)
```

### 步骤 2:将行为映射到 ATT&CK 技术

```python
from attackcti import attack_client

class ATTACKMapper:
    def __init__(self):
        self.lift = attack_client()
        self.techniques = {}
        self._load_techniques()

    def _load_techniques(self):
        """加载所有 ATT&CK 技术用于映射。"""
        all_techs = self.lift.get_enterprise_techniques()
        for tech in all_techs:
            tech_id = ""
            for ref in tech.get("external_references", []):
                if ref.get("source_name") == "mitre-attack":
                    tech_id = ref.get("external_id", "")
                    break
            if tech_id:
                self.techniques[tech_id] = {
                    "name": tech.get("name", ""),
                    "description": tech.get("description", "")[:500],
                    "tactics": [p.get("phase_name") for p in tech.get("kill_chain_phases", [])],
                    "platforms": tech.get("x_mitre_platforms", []),
                    "data_sources": tech.get("x_mitre_data_sources", []),
                }
        print(f"[+] 已加载 {len(self.techniques)} 个 ATT&CK 技术")

    def map_behaviors(self, behaviors):
        """将提取的行为映射到 ATT&CK 技术。"""
        mapped = []
        for behavior in behaviors:
            for hint in behavior.get("technique_hints", []):
                tech_id = hint["technique_id"]
                if tech_id in self.techniques:
                    tech_info = self.techniques[tech_id]
                    mapped.append({
                        "technique_id": tech_id,
                        "technique_name": tech_info["name"],
                        "tactics": tech_info["tactics"],
                        "source_sentence": behavior["sentence"],
                        "tools_observed": behavior["tools"],
                        "keyword_matched": hint["keyword"],
                        "data_sources": tech_info["data_sources"],
                    })
        print(f"[+] 已将 {len(mapped)} 个行为映射到 ATT&CK 技术")
        return mapped

mapper = ATTACKMapper()
mapped_behaviors = mapper.map_behaviors(behaviors)
```

### 步骤 3:创建 STIX 2.1 攻击模式库

```python
from stix2 import AttackPattern, Relationship, Bundle, TLP_GREEN
from datetime import datetime

class AttackPatternLibrary:
    def __init__(self):
        self.patterns = []
        self.relationships = []

    def add_pattern_from_mapping(self, mapping, report_source="CTI Report"):
        """从映射的行为创建 STIX 攻击模式。"""
        pattern = AttackPattern(
            name=mapping["technique_name"],
            description=f"观察到的行为: {mapping['source_sentence']}\n\n"
                        f"工具: {', '.join(mapping['tools_observed']) or '未识别'}\n"
                        f"来源: {report_source}",
            external_references=[{
                "source_name": "mitre-attack",
                "external_id": mapping["technique_id"],
                "url": f"https://attack.mitre.org/techniques/{mapping['technique_id'].replace('.', '/')}/",
            }],
            kill_chain_phases=[{
                "kill_chain_name": "mitre-attack",
                "phase_name": tactic,
            } for tactic in mapping["tactics"]],
            object_marking_refs=[TLP_GREEN],
        )
        self.patterns.append(pattern)
        return pattern

    def build_library(self, mapped_behaviors, report_source="CTI Report"):
        """从映射构建完整攻击模式库。"""
        seen_techniques = set()
        for mapping in mapped_behaviors:
            tech_id = mapping["technique_id"]
            if tech_id not in seen_techniques:
                self.add_pattern_from_mapping(mapping, report_source)
                seen_techniques.add(tech_id)

        bundle = Bundle(objects=self.patterns + self.relationships)
        print(f"[+] 库构建完成: {len(self.patterns)} 个攻击模式")
        return bundle

    def export_library(self, output_file="attack_pattern_library.json"):
        bundle = Bundle(objects=self.patterns + self.relationships)
        with open(output_file, "w") as f:
            f.write(bundle.serialize(pretty=True))
        print(f"[+] 库已导出到 {output_file}")

    def generate_detection_templates(self, mapped_behaviors):
        """从攻击模式生成 Sigma 规则模板。"""
        templates = []
        for mapping in mapped_behaviors:
            template = {
                "title": f"检测: {mapping['technique_name']} ({mapping['technique_id']})",
                "status": "experimental",
                "description": f"基于 CTI 报告观察结果检测 {mapping['technique_name']}",
                "references": [
                    f"https://attack.mitre.org/techniques/{mapping['technique_id'].replace('.', '/')}/",
                ],
                "tags": [
                    f"attack.{mapping['tactics'][0]}" if mapping['tactics'] else "attack.unknown",
                    f"attack.{mapping['technique_id'].lower()}",
                ],
                "data_sources": mapping.get("data_sources", []),
                "observed_tools": mapping.get("tools_observed", []),
                "source_context": mapping["source_sentence"],
            }
            templates.append(template)

        with open("detection_templates.json", "w") as f:
            json.dump(templates, f, indent=2)
        print(f"[+] 已生成 {len(templates)} 个检测模板")
        return templates

library = AttackPatternLibrary()
bundle = library.build_library(mapped_behaviors, "Sample CTI Report")
library.export_library()
templates = library.generate_detection_templates(mapped_behaviors)
```

## 验收标准

- CTI 报告已解析并提取行为指标
- 行为已映射到对应置信度的 ATT&CK 技术
- STIX 2.1 攻击模式对象已创建并包含正确引用
- 库支持按战术、技术和威胁行为者进行搜索
- 已从已记录模式生成检测模板
- 库可作为 STIX bundle 导出并共享

## 参考资料

- [MITRE ATT&CK](https://attack.mitre.org/)
- [STIX 2.1 Attack Pattern SDO](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_axjijf603msy)
- [CISA: Best Practices for ATT&CK Mapping](https://www.cisa.gov/sites/default/files/2023-01/Best%20Practices%20for%20MITRE%20ATTCK%20Mapping.pdf)
- [attackcti Python Library](https://github.com/OTRF/ATTACK-Python-Client)
- [Sigma Rules Project](https://github.com/SigmaHQ/sigma)
- [MITRE ATT&CK STIX Data](https://github.com/mitre/cti)

Related Skills

recovering-from-ransomware-attack

9
from killvxk/cybersecurity-skills-zh

按照 NIST 和 CISA 框架执行结构化勒索软件事件恢复,包括环境隔离、取证证据保全、 干净基础设施重建、从已验证备份优先还原系统、凭据重置,以及针对再感染的验证。 涵盖 Active Directory 恢复、数据库还原和按依赖顺序重建应用栈。

performing-web-cache-poisoning-attack

9
from killvxk/cybersecurity-skills-zh

在授权安全测试期间,通过未纳入缓存键的头部和参数毒化缓存响应,利用 Web 缓存机制向其他用户投递恶意内容。

performing-web-cache-deception-attack

9
from killvxk/cybersecurity-skills-zh

通过利用 CDN 缓存层与源服务器之间的路径规范化差异,执行 Web 缓存欺骗攻击,从而缓存并获取敏感的已认证内容。

performing-vlan-hopping-attack

9
from killvxk/cybersecurity-skills-zh

在授权环境中使用交换机欺骗(Switch Spoofing)和双标签(Double Tagging)技术模拟 VLAN 跳转攻击, 测试 VLAN 分段有效性,并验证交换机端口安全配置对二层旁路攻击的抵御能力。

performing-supply-chain-attack-simulation

9
from killvxk/cybersecurity-skills-zh

模拟和检测软件供应链攻击,包括通过 Levenshtein 距离检测域名抢注(Typosquatting)、针对私有注册表的依赖混淆(Dependency Confusion)测试、使用 pip 进行包哈希验证,以及使用 pip-audit 扫描已知漏洞。

performing-ssl-stripping-attack

9
from killvxk/cybersecurity-skills-zh

在授权环境中使用 sslstrip、Bettercap 和 mitmproxy 模拟 SSL 剥离(SSL Stripping)攻击, 测试 HSTS 强制执行、证书验证以及保护用户免受加密连接降级攻击的 HTTPS 升级机制。

performing-packet-injection-attack

9
from killvxk/cybersecurity-skills-zh

在授权安全评估中使用 Scapy、hping3 和 Nemesis 构造并注入自定义网络数据包, 测试防火墙规则、IDS 检测、协议处理能力以及网络协议栈对畸形和伪造流量的抵御能力。

performing-kerberoasting-attack

9
from killvxk/cybersecurity-skills-zh

Kerberoasting 是一种后渗透技术,通过为设置了服务主体名称(SPN)的账户请求 Kerberos TGS 票据来针对活动目录中的服务账户。这些票据用服务账户的 NTLM 哈希加密,允许在不产生登录失败事件的情况下进行离线暴力破解。

performing-jwt-none-algorithm-attack

9
from killvxk/cybersecurity-skills-zh

通过操纵 JSON Web Token 中的 alg 头部字段,执行并测试 JWT None 算法攻击,以绕过签名验证。

performing-http-parameter-pollution-attack

9
from killvxk/cybersecurity-skills-zh

执行 HTTP 参数污染(HPP)攻击,通过注入由前端和后端系统以不同方式处理的重复参数,绕过输入验证、WAF 规则和安全控制。

performing-graphql-depth-limit-attack

9
from killvxk/cybersecurity-skills-zh

使用深度嵌套递归查询执行和测试 GraphQL 深度限制攻击,以识别 GraphQL API 中的拒绝服务(DoS)漏洞。

performing-csrf-attack-simulation

9
from killvxk/cybersecurity-skills-zh

在授权安全评估中,通过构造利用已认证用户会话的伪造请求,测试 Web 应用程序的跨站请求伪造(CSRF)漏洞。