mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-13 06:34:57 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
98 lines
2.5 KiB
Markdown
98 lines
2.5 KiB
Markdown
# API Reference: MITRE ATT&CK Navigator APT Analysis
|
|
|
|
## ATT&CK Navigator Layer Format
|
|
|
|
### Layer JSON Structure
|
|
```json
|
|
{
|
|
"name": "APT29 - TTPs",
|
|
"versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
|
|
"domain": "enterprise-attack",
|
|
"techniques": [
|
|
{
|
|
"techniqueID": "T1566.001",
|
|
"tactic": "initial-access",
|
|
"color": "#ff6666",
|
|
"score": 100,
|
|
"comment": "Used by APT29",
|
|
"enabled": true
|
|
}
|
|
],
|
|
"gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 100}
|
|
}
|
|
```
|
|
|
|
## ATT&CK STIX Data Access
|
|
|
|
### Download Enterprise ATT&CK Bundle
|
|
```bash
|
|
curl -o enterprise-attack.json \
|
|
https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
|
|
```
|
|
|
|
### STIX Object Types
|
|
| Type | Description |
|
|
|------|-------------|
|
|
| `intrusion-set` | APT groups / threat actors |
|
|
| `attack-pattern` | Techniques and sub-techniques |
|
|
| `relationship` | Links groups to techniques (`uses`) |
|
|
| `malware` | Malware families |
|
|
| `tool` | Legitimate tools used by adversaries |
|
|
|
|
## mitreattack-python Library
|
|
|
|
### Installation
|
|
```bash
|
|
pip install mitreattack-python
|
|
```
|
|
|
|
### Query Group Techniques
|
|
```python
|
|
from mitreattack.stix20 import MitreAttackData
|
|
|
|
attack = MitreAttackData("enterprise-attack.json")
|
|
groups = attack.get_groups()
|
|
for g in groups:
|
|
techs = attack.get_techniques_used_by_group(g)
|
|
print(f"{g.name}: {len(techs)} techniques")
|
|
```
|
|
|
|
### Get Technique Details
|
|
```python
|
|
technique = attack.get_object_by_attack_id("T1566.001", "attack-pattern")
|
|
print(technique.name) # Spearphishing Attachment
|
|
print(technique.x_mitre_platforms) # ['Windows', 'macOS', 'Linux']
|
|
```
|
|
|
|
## Navigator CLI (attack-navigator)
|
|
|
|
### Export Layer to SVG
|
|
```bash
|
|
npx attack-navigator-export \
|
|
--layer layer.json \
|
|
--output output.svg \
|
|
--theme dark
|
|
```
|
|
|
|
## ATT&CK API (TAXII)
|
|
```python
|
|
from stix2 import TAXIICollectionSource, Filter
|
|
from taxii2client.v20 import Collection
|
|
|
|
collection = Collection(
|
|
"https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/"
|
|
)
|
|
tc_source = TAXIICollectionSource(collection)
|
|
groups = tc_source.query([Filter("type", "=", "intrusion-set")])
|
|
```
|
|
|
|
## Key APT Groups Reference
|
|
| ID | Name | Known Aliases |
|
|
|----|------|--------------|
|
|
| G0016 | APT29 | Cozy Bear, The Dukes, NOBELIUM |
|
|
| G0007 | APT28 | Fancy Bear, Sofacy, Strontium |
|
|
| G0022 | APT3 | Gothic Panda, UPS |
|
|
| G0032 | Lazarus Group | HIDDEN COBRA, Zinc |
|
|
| G0074 | Dragonfly 2.0 | Energetic Bear, Berserk Bear |
|
|
| G0010 | Turla | Waterbug, Venomous Bear |
|