Asi analyzing-threat-actor-ttps-with-mitre-navigator
Install
Source: clone the upstream repo
git clone https://github.com/plurigrid/asi
Claude Code: install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/asi/skills/analyzing-threat-actor-ttps-with-mitre-navigator" ~/.claude/skills/plurigrid-asi-analyzing-threat-actor-ttps-with-mitre-navigator && rm -rf "$T"
Manifest: plugins/asi/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md
Analyzing Threat Actor TTPs with MITRE Navigator
Overview
The MITRE ATT&CK Navigator is a web application for annotating and visualizing ATT&CK matrices. Combined with the attackcti Python library (which queries ATT&CK STIX data via TAXII), it lets analysts programmatically generate Navigator layer files that map a specific threat group's TTPs, compare multiple groups, and assess detection coverage gaps against known adversaries.
When to Use
- When investigating security incidents that require analyzing threat actor TTPs with MITRE Navigator
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Python 3.8+ with attackcti and stix2 libraries installed
- MITRE ATT&CK Navigator (web UI or local instance)
- Understanding of STIX 2.1 objects and relationships
Steps
- Query ATT&CK STIX data for the target threat group using attackcti
- Extract techniques associated with the group via STIX relationships
- Generate ATT&CK Navigator layer JSON with technique annotations
- Overlay detection coverage to identify gaps
- Export layer for team review and defensive planning
Expected Output
{ "name": "APT29 TTPs", "domain": "enterprise-attack", "techniques": [ {"techniqueID": "T1566.001", "score": 1, "comment": "Spearphishing Attachment"}, {"techniqueID": "T1059.001", "score": 1, "comment": "PowerShell"} ] }