| name | analysing-attack |
| description | Analyse MITRE ATT&CK tactics, techniques and sub-techniques. Use when performing analysis of threat detections, threat models, security risks or cyber threat intelligence |
This document provides best practices and resources for use when mapping ATT&CK tactics and techniques to threat detections, threat models, security risks or cyber threat intelligence.
Contains information on the v18.1 (latest) version of MITRE ATT&CK.
The resources folder contains LLM-optimised, token-efficient content. Read a whole file for broad context, or grep or glob for specific keywords or IDs. Use the index files for quick keyword reference searches.
Tactics are abbreviated: REC=Reconnaissance, RD=Resource Development, IA=Initial Access, EX=Execution, PE=Persistence, PRV=Privilege Escalation, DE=Defense Evasion, CA=Credential Access, DIS=Discovery, LM=Lateral Movement, COL=Collection, C2=Command and Control, EXF=Exfiltration, IMP=Impact
By keyword (recommended for discovery):

```bash
grep -i "cron\|bash\|/proc/\|cryptocurrency" resources/attack_keywords.idx
```

By technique ID (for validation; a bare parent ID such as T1053 also matches its sub-techniques):

```bash
grep "T1053" resources/attack_techniques.md
```

By tactic abbreviation (find all Persistence techniques; `-w` matches the abbreviation as a whole word so that "PE" does not match inside other words):

```bash
grep -w "PE" resources/attack_techniques.md
```
ATT&CK Technique Keyword Index: Index file for quick keyword searching to identify candidate ATT&CK IDs for further research. Sorted alphabetically and formatted as keyword:technique_ids (comma separated when multiple). See -> resources/attack_keywords.idx
ATT&CK Technique List: Markdown table containing ATT&CK ID, name, keywords, description and platforms. Sorted by ID. Use when researching techniques, validating IDs, searching for up-to-date descriptions or filtering by platform. See -> resources/attack_techniques.md
ATT&CK Version Changelog: Reference for v15 -> v18.1 changes, including deprecated techniques, renamed platforms, and the v18 detection model overhaul. Use when analysing older reports or understanding structural changes. See -> resources/attack_version_changelog.md
Use your judgment alongside these guidelines to generate high-quality ATT&CK analysis.
-windowstyle hidden|-w hidden -> T1564.003 Hidden Window
-encodedcommand|-enc|base64 -> T1027.010 Command Obfuscation
-noprofile|-ep bypass -> T1059.001 PowerShell
Encoded payload delivered -> T1027.013 Encrypted/Encoded File
Decoded at runtime -> T1140 Deobfuscate/Decode
RDP connection|.rdp file -> T1021.001 Remote Desktop Protocol
Clipboard redirect -> T1115 Clipboard Data
Drive mapping|attached drives -> T1039 Data from Network Shared Drive
Auth redirect|intercept -> T1557 Adversary-in-the-Middle
DDNS|dynamic DNS|No-IP|FreeDNS -> T1568.002 Domain Generation + T1583.006 Web Services
Typosquat|lookalike domain -> T1583.001 Domains
Compromised server -> T1584.004 Server
SSH tunnel|port forward -> T1572 Protocol Tunneling
Downloaded|fetched payload -> T1105 Ingress Tool Transfer
Over port 80/443 -> T1071.001 Web Protocols
Masqueraded|posed as|impersonated -> T1656 Impersonation
Spoofed|mimicked|fake page -> T1036.005 Match Legitimate Name
Credential harvest|fake login -> T1598.003 Spearphishing Link (Recon)
T1566 Spearphishing -> check T1204 User Execution
T1027 Obfuscation -> check T1140 Deobfuscation
T1053 Scheduled Task -> check T1059 Interpreter
T1021.001 RDP -> check T1115, T1039, T1557
T1059.001 PowerShell -> check T1564.003 Hidden Window
"downloads and executes" -> T1105 + T1059
"persistence via task" -> T1053 + T1059
"C2 over HTTPS" -> T1071.001 + T1573.002
"compromised infrastructure" -> T1584.004
"redirects traffic" -> T1572 or T1090
"harvests credentials via fake page" -> T1598.003 (Recon tactic)
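As an added example that is not part of this skill or its resources, the Python below parses constructed samples in the two index formats described above (keyword:technique_ids, and the ID/name/keywords/description/platforms table), resolves a command line through the PowerShell indicator mappings plus the keyword index, and then validates every candidate ID against the technique table, separating IDs the table does not know (the discovery-then-validation workflow the grep commands describe). The sample rows and the function names are assumptions.

```python
import re

# Constructed sample in the resources/attack_keywords.idx format (keyword:technique_ids).
KEYWORDS_IDX = """\
cron:T1053.003
encodedcommand:T1027.010,T1059.001
powershell:T1059.001
scheduled task:T1053.005
"""

# Constructed sample of the resources/attack_techniques.md table (ID, name, keywords, description, platforms).
# T1053.003 is deliberately absent so that validation has something to reject.
TECHNIQUES_MD = """\
| ID | Name | Keywords | Description | Platforms |
|---|---|---|---|---|
| T1027.010 | Command Obfuscation | encodedcommand, base64 | Obfuscated command lines | Windows, Linux, macOS |
| T1053.005 | Scheduled Task | schtasks | Task Scheduler persistence | Windows |
| T1059.001 | PowerShell | powershell | PowerShell execution | Windows |
| T1564.003 | Hidden Window | windowstyle hidden | Hidden windows | Windows, macOS |
"""

# Indicator regexes taken from the PowerShell mappings above (pattern -> technique ID).
PATTERNS = [
    (r"-w(?:indowstyle)?\s+hidden", "T1564.003"),
    (r"-encodedcommand|-enc\b|base64", "T1027.010"),
    (r"-noprofile|-ep\s+bypass", "T1059.001"),
]

def parse_keyword_index(text):
    """keyword -> [technique IDs]; keywords are lower-cased for matching."""
    index = {}
    for line in text.splitlines():
        if ":" in line:
            keyword, ids = line.split(":", 1)
            index[keyword.strip().lower()] = [i.strip() for i in ids.split(",")]
    return index

def parse_technique_table(text):
    """ID -> {name, platforms}; header and separator rows fail the ID check and are skipped."""
    techniques = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 5 and re.fullmatch(r"T\d{4}(?:\.\d{3})?", cells[0]):
            techniques[cells[0]] = {"name": cells[1], "platforms": [p.strip() for p in cells[4].split(",")]}
    return techniques

def map_command(cmdline, index, techniques):
    """Return (validated {ID: name}, sorted list of candidate IDs missing from the table)."""
    text = cmdline.lower()
    candidates = {tid for pattern, tid in PATTERNS if re.search(pattern, text)}
    for keyword, ids in index.items():
        if keyword in text:
            candidates.update(ids)
    valid = {tid: techniques[tid]["name"] for tid in sorted(candidates) if tid in techniques}
    return valid, sorted(candidates - set(valid))

if __name__ == "__main__":
    idx, tbl = parse_keyword_index(KEYWORDS_IDX), parse_technique_table(TECHNIQUES_MD)
    print(map_command("powershell.exe -NoProfile -w hidden -enc SQBFAFgA", idx, tbl))
```

Point the two parsers at the real resource files to use the full index; the regex list is only the handful of PowerShell indicators listed above and is meant to be extended with the other mappings.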