Skill UI

This skill provides a systematic methodology for mapping real-world threat actor Tactics, Techniques, and Procedures (TTPs) to the globally recognized MITRE ATT&CK framework. Users learn how to leverage tools like ATT&CK Navigator and Python libraries (e.g., attackcti, stix2) to analyze security incidents, visualize technical coverage heatmaps, identify critical detection gaps, and generate actionable intelligence reports linking observed Indicators of Compromise (IOCs) to specific adversary techniques across various platforms (Enterprise, Mobile, ICS).

This tool helps security analysts map Advanced Persistent Threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework. By utilizing the ATT&CK Navigator and the attackcti Python library, users can query STIX/TAXII data to visualize threat profiles, assess detection coverage gaps, and guide defensive planning for complex cyber incidents.

A comprehensive toolkit using Splunk's SPL language to analyze Windows Security, System, and Sysmon event logs. It maps advanced detection queries to specific MITRE ATT&CK techniques, enabling SOC analysts to investigate authentication attacks (e.g., brute force, password spraying), detect privilege escalation, locate persistence mechanisms, and trace lateral movement for detailed forensic timeline analysis.

This skill automates the process of parsing Cyber Threat Intelligence (CTI) reports to extract adversary behaviors. It maps these behaviors to MITRE ATT&CK techniques and structures them as STIX 2.1 Attack Pattern objects. The resulting library supports detection engineering by generating rule templates (Sigma, YARA) for proactive defense and threat-informed security control implementation.

This guide outlines a comprehensive threat hunting methodology for detecting adversary lateral movement within a network environment. It utilizes Splunk SPL queries against rich Windows event data, including authentication logs (4624, 4625), SMB traffic, and Sysmon telemetry. By correlating source-to-destination activity and identifying unusual logon types (RDP, WinRM, SMB), users can proactively track an attacker's path after initial system compromise, fulfilling MITRE ATT&CK T1021 techniques.

This skill provides a structured approach to detecting Pass-the-Ticket (PtT) attacks, a severe credential theft technique utilizing stolen Kerberos tickets (TGT/TGS). It involves analyzing Windows Security Event IDs (4768, 4769, 4771) within SIEM platforms like Splunk or Elastic. Use cases include incident response, building advanced threat hunting queries, and validating security monitoring coverage against MITRE ATT&CK techniques.

A comprehensive guide and set of detection rules for identifying OS credential dumping techniques (MITRE T1003). It leverages EDR telemetry, Sysmon process access monitoring, and Windows security event correlation to detect attacks targeting LSASS memory, SAM databases, and NTDS.dit files. Essential for proactive threat hunting and incident response.

Breach and Attack Simulation (BAS) provides an automated, continuous method for validating the effectiveness of security controls (EDR, SIEM, NGFW, etc.). By safely emulating real-world attack techniques mapped to the MITRE ATT&CK framework, BAS helps organizations proactively identify security gaps and measure control maturity across the entire kill chain. It moves beyond point-in-time testing to provide an ongoing security posture assessment.

This methodology provides SOC teams with an adversary-centric framework to evaluate security detection capabilities against the MITRE ATT&CK framework. By systematically mapping existing SIEM rules and data sources, users can identify critical detection gaps, prioritize rule development efforts, and measure the overall maturity of their security operations center (SOC) defenses over time.

This skill guides Security Operations Center (SOC) teams through structured threat modeling using the MITRE ATT&CK framework. It enables mapping adversary Tactics, Techniques, and Procedures (TTPs) against organizational assets to identify critical detection coverage gaps, prioritize defensive investments, and improve overall security posture. Ideal for risk assessment, purple teaming, and compliance planning.

This skill maps observed adversary behaviors, security alerts, and detection rules to the MITRE ATT&CK framework. It is essential for quantifying detection coverage, building ATT&CK heatmaps, tagging SIEM alerts, and prioritizing security controls based on known threat actor playbooks. Use it for comprehensive gap analysis and risk reporting.

This skill detects advanced lateral movement techniques used by attackers after initial compromise, mapping them to MITRE ATT&CK TA0008. It correlates multiple data sources, including Windows event logs (4624, 4769), Sysmon telemetry, network flow data, and endpoint logs, to identify suspicious activities like Pass-the-Hash, PsExec, WMI exploitation, RDP pivoting, and SMB spreading.