Anthropic-Cybersecurity-Skills/skills/profiling-threat-actor-groups/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


# API Reference: Threat Actor Profiling Agent
## Overview
Builds threat actor profiles from the MITRE ATT&CK Enterprise STIX 2.1 bundle loaded into a stix2 `MemoryStore`. It resolves each intrusion-set's `uses` relationships to the attack-pattern, malware, and tool objects the group is linked to, which is what supports comparing groups and mapping a group's techniques onto ATT&CK tactics.
## Dependencies
| Package | Version | Purpose |
|---------|---------|---------|
| stix2 | >= 3.0 | STIX 2.1 object store and filtering |
| requests | >= 2.28 | ATT&CK STIX data download |
## Data Source
MITRE ATT&CK Enterprise STIX bundle from `https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json`. Cached locally at `/tmp/enterprise-attack.json`. Note that `/tmp` is shared and world-writable: on a multi-user host another local user can pre-create or overwrite that file and the agent will load a tampered bundle on the next run. Use a per-user cache directory, or check the download (size, hash, or at least that it parses as a STIX bundle of the expected object count) before trusting the cached copy.
## Core Functions
### `load_attack_data(cache_path)`
Downloads the ATT&CK STIX bundle to `cache_path` (reused on later runs instead of re-downloading) and loads it into a stix2 `MemoryStore`.
- **Returns**: `MemoryStore` instance
### `list_threat_groups(src)`
Lists all intrusion-set objects with name, aliases, and description. ATT&CK keeps superseded and deprecated groups in the bundle, flagged `revoked: true` or `x_mitre_deprecated: true`; filter those out, or the listing carries stale entries next to the groups that replaced them.
- **Returns**: `list[dict]` sorted by name
### `get_group_profile(src, group_name)`
Full profile: description, aliases, techniques with ATT&CK IDs, software (malware/tools), external references.
- **Search**: Exact match on name, then fuzzy match on name and aliases
- **Returns**: `dict` with techniques, software, references
### `get_group_techniques_by_tactic(src, group_name)`
Organizes a group's techniques by ATT&CK tactic (kill chain phase), read from each attack-pattern's `kill_chain_phases` entries whose `kill_chain_name` is `mitre-attack`. A technique that belongs to several tactics (Valid Accounts, for example) is listed under each of them, so the per-tactic lists overlap and their lengths do not sum to the technique count.
- **Returns**: `dict` mapping tactic name to a list of techniques
### `compare_groups(src, group_names)`
Compares multiple groups: techniques shared by every named group (the intersection of their technique IDs), plus per-group technique and software counts.
- **Returns**: `dict` with `shared_techniques` and per-group statistics
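The example below is added here to show the relationship walk the functions above describe; it is not the agent's own code. `BUNDLE` is a constructed miniature with the same object shapes as `enterprise-attack.json` (group names, object ids and the relationship set are invented; the technique and software IDs are real ATT&CK IDs so the output matches the agent's format), and it uses plain dict traversal in place of a stix2 `MemoryStore` so it runs without the stix2 package. It also covers two things the reference only implies: revoked objects are skipped, and only `uses` relationships count as TTPs.

```python
from collections import defaultdict

# Constructed sample bundle in the shape of enterprise-attack.json. Group
# names, object ids and the relationship set are invented; technique and
# software IDs are real ATT&CK IDs so the output matches the agent's format.
def _ref(ext_id):  # ATT&CK IDs sit in external_references with source_name "mitre-attack"
    return [{"source_name": "mitre-attack", "external_id": ext_id}]

def _uses(n, src, dst):  # ATT&CK links a group to its techniques/software via "uses"
    return {"type": "relationship", "id": f"relationship--r{n}",
            "relationship_type": "uses", "source_ref": src, "target_ref": dst}

def _phase(*names):  # kill_chain_phases is how a technique is mapped to tactics
    return [{"kill_chain_name": "mitre-attack", "phase_name": n} for n in names]

BUNDLE = {"type": "bundle", "id": "bundle--example", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Group One",
     "aliases": ["Group One", "Alpha Bear"], "external_references": _ref("G0001")},
    {"type": "intrusion-set", "id": "intrusion-set--g2", "name": "Group Two",
     "aliases": ["Group Two"], "external_references": _ref("G0002")},
    # ATT&CK keeps superseded groups in the bundle flagged revoked; skip them.
    {"type": "intrusion-set", "id": "intrusion-set--g3", "name": "Old Name",
     "aliases": ["Old Name"], "revoked": True, "external_references": _ref("G0003")},
    {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "Phishing",
     "kill_chain_phases": _phase("initial-access"), "external_references": _ref("T1566")},
    {"type": "attack-pattern", "id": "attack-pattern--t2", "name": "PowerShell",
     "kill_chain_phases": _phase("execution"), "external_references": _ref("T1059.001")},
    {"type": "attack-pattern", "id": "attack-pattern--t3", "name": "Valid Accounts",
     "kill_chain_phases": _phase("initial-access", "persistence"),  # real object lists more
     "external_references": _ref("T1078")},
    {"type": "tool", "id": "tool--s1", "name": "Cobalt Strike", "external_references": _ref("S0154")},
    {"type": "malware", "id": "malware--s2", "name": "Sample RAT", "external_references": _ref("S9999")},
    _uses(1, "intrusion-set--g1", "attack-pattern--t1"),
    _uses(2, "intrusion-set--g1", "attack-pattern--t3"),
    _uses(3, "intrusion-set--g1", "tool--s1"),
    _uses(4, "intrusion-set--g2", "attack-pattern--t1"),
    _uses(5, "intrusion-set--g2", "attack-pattern--t2"),
    _uses(6, "intrusion-set--g2", "malware--s2"),
    # A "mitigates" edge into a technique is not a group TTP and must be ignored.
    {"type": "relationship", "id": "relationship--r7", "relationship_type": "mitigates",
     "source_ref": "course-of-action--m1", "target_ref": "attack-pattern--t1"},
]}

def _active(obj):
    """Revoked and deprecated objects remain in the bundle; treat them as absent."""
    return not obj.get("revoked") and not obj.get("x_mitre_deprecated")

def attack_id(obj):
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)

def find_group(bundle, name):
    """Exact name match first, then case-insensitive match on name or any alias."""
    groups = [o for o in bundle["objects"] if o["type"] == "intrusion-set" and _active(o)]
    for g in groups:
        if g["name"] == name:
            return g
    needle = name.lower()
    for g in groups:
        if needle == g["name"].lower() or needle in {a.lower() for a in g.get("aliases", [])}:
            return g
    return None

def used_by(bundle, group_id):
    """Follow the group's 'uses' relationships to live attack-pattern/malware/tool objects."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    targets = [by_id.get(r["target_ref"]) for r in bundle["objects"]
               if r["type"] == "relationship" and r["relationship_type"] == "uses"
               and r["source_ref"] == group_id and _active(r)]
    return [t for t in targets if t is not None and _active(t)]

def get_group_profile(bundle, name):
    g = find_group(bundle, name)
    if g is None:
        return None
    used = used_by(bundle, g["id"])
    return {"name": g["name"], "group_id": attack_id(g), "aliases": g.get("aliases", []),
            "techniques": sorted(({"name": t["name"], "technique_id": attack_id(t)}
                                  for t in used if t["type"] == "attack-pattern"),
                                 key=lambda t: t["technique_id"]),
            "software": sorted(({"name": s["name"], "type": s["type"]}
                                for s in used if s["type"] in ("malware", "tool")),
                               key=lambda s: s["name"])}

def get_group_techniques_by_tactic(bundle, name):
    """A technique appears under every tactic in its kill_chain_phases, so one ID may repeat."""
    g = find_group(bundle, name)
    tactics = defaultdict(set)
    for t in (used_by(bundle, g["id"]) if g else []):
        for phase in t.get("kill_chain_phases", []):  # software objects carry no phases
            if phase.get("kill_chain_name") == "mitre-attack":
                tactics[phase["phase_name"]].add(attack_id(t))
    return {tactic: sorted(ids) for tactic, ids in sorted(tactics.items())}

def compare_groups(bundle, names):
    profiles = {n: p for n in names if (p := get_group_profile(bundle, n)) is not None}
    id_sets = [{t["technique_id"] for t in p["techniques"]} for p in profiles.values()]
    return {"shared_techniques": sorted(set.intersection(*id_sets)) if id_sets else [],
            "groups": {n: {"technique_count": len(p["techniques"]),
                           "software_count": len(p["software"])} for n, p in profiles.items()}}
```

With the real bundle in a stix2 `MemoryStore`, the two traversals map onto `src.query([Filter("type", "=", "intrusion-set")])` for the group lookup and `src.relationships(group, "uses", source_only=True)` for the outgoing edges; the revoked/deprecated filtering still has to be done explicitly, since the store returns those objects like any other.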
## STIX Object Types Queried
| Type | ATT&CK Concept |
|------|----------------|
| intrusion-set | Threat actor group |
| attack-pattern | ATT&CK technique |
| malware | Malware family |
| tool | Legitimate tool used by attacker |
| relationship | Links between groups, techniques, software |
## Usage
```bash
python agent.py APT29
python agent.py "Lazarus Group"
```
## Example Output Fields
```json
{
  "name": "APT29",
  "aliases": ["NOBELIUM", "Cozy Bear", "The Dukes"],
  "techniques": [{"name": "Phishing", "technique_id": "T1566"}],
  "software": [{"name": "Cobalt Strike", "type": "tool"}]
}
```