npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
Use this skill when:
- Conducting post-incident analysis to determine how far an adversary progressed through an attack sequence
- Designing layered defensive controls with the goal of interrupting attacks at the earliest possible phase
- Producing threat intelligence reports that communicate attack progression to non-technical stakeholders
Do not use this skill as a standalone framework — combine with MITRE ATT&CK for technique-level granularity beyond what the 7-phase kill chain provides.
Prerequisites
- Complete incident timeline with forensic artifacts mapped to specific adversary actions
- MITRE ATT&CK Enterprise matrix for technique-level mapping within each kill chain phase
- Access to threat intelligence on the suspected adversary group's typical kill chain progression
- Post-incident report or IR timeline from responding team
Workflow
Step 1: Map Observed Actions to Kill Chain Phases
The Lockheed Martin Cyber Kill Chain consists of seven phases. Map all observed adversary actions:
Phase 1 - Reconnaissance: Adversary gathers target information before attack.
- Indicators: DNS queries from adversary IP, LinkedIn scraping, job posting analysis, Shodan scans of organization infrastructure
Phase 2 - Weaponization: Adversary creates attack tool (malware + exploit).
- Indicators: Malware compilation timestamps, exploit document metadata, builder artifacts in malware samples
Phase 3 - Delivery: Adversary transmits weapon to target.
- Indicators: Phishing emails, malicious attachments, drive-by downloads, USB drops, supply chain compromise
Phase 4 - Exploitation: Adversary exploits vulnerability to execute code.
- Indicators: CVE exploitation events in application/OS logs, memory corruption artifacts, shellcode execution
Phase 5 - Installation: Adversary establishes persistence on target.
- Indicators: New scheduled tasks, registry run keys, service installation, web shells, bootkits
Phase 6 - Command & Control (C2): Adversary communicates with compromised system.
- Indicators: Beaconing traffic (regular intervals), DNS tunneling, HTTPS to uncommon domains, C2 framework signatures (Cobalt Strike, Sliver)
Phase 7 - Actions on Objectives: Adversary achieves goals.
- Indicators: Data staging/exfiltration, lateral movement, ransomware execution, destructive activity
Step 2: Identify Phase Completion and Detection Points
Create a phase matrix for the incident:
Phase 1: Recon → Completed (undetected)
Phase 2: Weaponize → Completed (undetected — pre-attack)
Phase 3: Delivery → Completed; phishing email bypassed SEG
Phase 4: Exploit → Completed; CVE-2023-23397 exploited
Phase 5: Install → DETECTED: EDR flagged scheduled task creation (attack stalled here)
Phase 6: C2 → Not achieved (installation blocked)
Phase 7: Objectives → Not achievedFor each phase completed without detection, document the defensive control gap.
Step 3: Map to MITRE ATT&CK for Technique Detail
Each kill chain phase maps to multiple ATT&CK tactics:
- Delivery → Initial Access (TA0001)
- Exploitation → Execution (TA0002)
- Installation → Persistence (TA0003), Privilege Escalation (TA0004)
- C2 → Command and Control (TA0011)
- Actions on Objectives → Exfiltration (TA0010), Impact (TA0040)
Within each phase, enumerate specific ATT&CK techniques observed and map to existing detections.
Step 4: Identify Courses of Action per Phase
For each phase, document applicable defensive courses of action (COAs):
- Detect COA: What detection would alert on adversary activity in this phase?
- Deny COA: What control would prevent the adversary from completing this phase?
- Disrupt COA: What control would interrupt the adversary mid-phase?
- Degrade COA: What control would reduce the adversary's effectiveness in this phase?
- Deceive COA: What deception (honeypots, canary tokens) would expose activity in this phase?
- Destroy COA: What active defense capability would neutralize adversary infrastructure?
Step 5: Produce Kill Chain Analysis Report
Structure findings as:
- Attack narrative (timeline of phases)
- Phase-by-phase analysis with evidence
- Detection point analysis (what worked, what failed)
- Defensive recommendation per phase prioritized by cost/effectiveness
- Control improvement roadmap
Key Concepts
| Term | Definition |
|---|---|
| Kill Chain | Sequential model of adversary intrusion phases; breaking any link theoretically stops the attack |
| Courses of Action (COA) | Defensive responses mapped to each kill chain phase: detect, deny, disrupt, degrade, deceive, destroy |
| Beaconing | Regular, periodic C2 check-in pattern from compromised host to adversary server; detectable by frequency analysis |
| Phase Completion | Adversary successfully finishes a kill chain phase and progresses to the next; defense-in-depth aims to prevent this |
| Intelligence Gain/Loss | Analysis of whether detecting at Phase 5 (vs. Phase 3) reduced intelligence about adversary capabilities or intent |
Tools & Systems
- MITRE ATT&CK Navigator: Overlay kill chain phases with ATT&CK technique coverage for integrated analysis
- Elastic Security EQL: Event Query Language for querying multi-phase attack sequences in Elastic SIEM
- Splunk ES: Timeline visualization and correlation searches for kill chain phase sequencing
- MISP: Kill chain tagging via galaxy clusters for structured incident event documentation
Common Pitfalls
- Linear assumption: Adversaries don't always progress linearly — they may skip phases (weaponization already complete from previous campaign) or loop back (re-establish C2 after detection).
- Ignoring Phases 1 and 2: Reconnaissance and weaponization occur before the defender has visibility. Intelligence about these phases requires external sources (OSINT, threat intelligence).
- Missing insider threats: The kill chain was designed for external adversaries. Insider threats may skip directly to Phase 7 without traversing earlier phases.
- Confusing with ATT&CK tactics: The 7-phase kill chain and 14 ATT&CK tactics are complementary but not directly equivalent. Maintain distinction to prevent analytic confusion.
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.7 KB
API Reference: Cyber Kill Chain Analysis Tools
Lockheed Martin Cyber Kill Chain Phases
| Phase | Name | MITRE ATT&CK Tactic |
|---|---|---|
| 1 | Reconnaissance | TA0043 Reconnaissance |
| 2 | Weaponization | TA0042 Resource Development |
| 3 | Delivery | TA0001 Initial Access |
| 4 | Exploitation | TA0002 Execution |
| 5 | Installation | TA0003 Persistence, TA0004 Privilege Escalation |
| 6 | Command & Control | TA0011 Command and Control |
| 7 | Actions on Objectives | TA0010 Exfiltration, TA0040 Impact |
Courses of Action (COA) Matrix
| COA | Description |
|---|---|
| Detect | Alert on adversary activity |
| Deny | Prevent phase completion |
| Disrupt | Interrupt adversary mid-phase |
| Degrade | Reduce adversary effectiveness |
| Deceive | Expose activity via deception |
| Destroy | Neutralize adversary infrastructure |
MITRE ATT&CK Navigator
JSON Layer Format
{
"name": "Kill Chain Coverage",
"versions": {"navigator": "4.8", "layer": "4.4", "attack": "13"},
"domain": "enterprise-attack",
"techniques": [
{"techniqueID": "T1566", "color": "#ff6666", "comment": "Phase 3: Delivery"}
]
}CLI Usage
# Export layer via ATT&CK Navigator API
curl -X POST https://mitre-attack.github.io/attack-navigator/api/layers \
-d @layer.json -o coverage_map.svgSplunk - Kill Chain Phase Queries
Phase 3 Detection (Delivery)
index=email sourcetype=exchange action=delivered
| eval has_macro=if(match(attachment, "\.(docm|xlsm|pptm)$"), 1, 0)
| where has_macro=1
| stats count by sender, subject, attachmentPhase 6 Detection (C2)
index=proxy OR index=firewall
| stats count AS connections, dc(dest) AS unique_dests by src_ip
| where connections > 100 AND unique_dests < 3
| sort - connectionsElastic Security EQL
Multi-Phase Detection
sequence by host.name with maxspan=1h
[process where event.action == "start" and process.name == "WINWORD.EXE"]
[process where event.action == "start" and process.parent.name == "WINWORD.EXE"]
[network where destination.port == 443 and not destination.ip in ("known_good")]MISP - Kill Chain Tagging
Galaxy Cluster Tags
misp-galaxy:kill-chain="reconnaissance"
misp-galaxy:kill-chain="delivery"
misp-galaxy:kill-chain="exploitation"
misp-galaxy:kill-chain="installation"
misp-galaxy:kill-chain="command-and-control"
misp-galaxy:kill-chain="actions-on-objectives"PyMISP Event Tagging
from pymisp import PyMISP, MISPEvent
misp = PyMISP("https://misp.example.com", "API_KEY")
event = MISPEvent()
event.add_tag("kill-chain:delivery")
event.add_tag("mitre-attack-pattern:T1566 - Phishing")
misp.update_event(event)Scripts 1
agent.py10.2 KB
#!/usr/bin/env python3
"""Cyber Kill Chain analysis agent for mapping incidents to Lockheed Martin kill chain phases."""
import datetime
KILL_CHAIN_PHASES = {
1: {
"name": "Reconnaissance",
"description": "Adversary gathers target information",
"indicators": [
"DNS queries from adversary IP",
"LinkedIn/social media scraping",
"Shodan/Censys scans of infrastructure",
"Job posting analysis for technology stack",
"WHOIS lookups on organization domains",
],
"mitre_tactics": ["TA0043 - Reconnaissance"],
"coas": {
"detect": "Monitor for anomalous DNS lookups and port scans from single sources",
"deny": "Limit public-facing information, restrict DNS zone transfers",
"disrupt": "Block scanning IPs at perimeter firewall",
"degrade": "Return honeypot responses to recon probes",
"deceive": "Deploy decoy infrastructure and fake employee profiles",
},
},
2: {
"name": "Weaponization",
"description": "Adversary creates attack tool (malware + exploit)",
"indicators": [
"Malware compilation timestamps",
"Exploit document metadata",
"Builder tool artifacts in samples",
"Reused infrastructure from previous campaigns",
],
"mitre_tactics": ["TA0042 - Resource Development"],
"coas": {
"detect": "Threat intelligence on adversary tooling and TTPs",
"deny": "Patch vulnerabilities targeted by known exploit kits",
"disrupt": "N/A (occurs outside defender visibility)",
"degrade": "Application hardening reduces exploit reliability",
"deceive": "Share deceptive vulnerability information",
},
},
3: {
"name": "Delivery",
"description": "Adversary transmits weapon to target",
"indicators": [
"Phishing emails with malicious attachments",
"Drive-by download URLs",
"USB device insertion events",
"Supply chain compromise artifacts",
"Watering hole website modifications",
],
"mitre_tactics": ["TA0001 - Initial Access"],
"coas": {
"detect": "Email security gateway alerts, proxy URL filtering alerts",
"deny": "Block malicious attachments, URL filtering, USB device control",
"disrupt": "Quarantine suspicious emails before delivery",
"degrade": "Sandbox detonation of attachments delays delivery",
"deceive": "Canary documents in email attachments",
},
},
4: {
"name": "Exploitation",
"description": "Adversary exploits vulnerability to execute code",
"indicators": [
"CVE exploitation in application logs",
"Memory corruption crash dumps",
"Shellcode execution artifacts",
"Exploit kit landing page access",
],
"mitre_tactics": ["TA0002 - Execution"],
"coas": {
"detect": "EDR behavioral detection, exploit guard alerts",
"deny": "Patch management, application whitelisting",
"disrupt": "ASLR, DEP, CFG memory protections",
"degrade": "Sandboxed application execution (Protected View)",
"deceive": "Honeypot applications with fake vulnerabilities",
},
},
5: {
"name": "Installation",
"description": "Adversary establishes persistence on target",
"indicators": [
"New scheduled tasks or services",
"Registry Run key modifications",
"Web shell deployment",
"Startup folder additions",
"DLL search-order hijacking",
],
"mitre_tactics": ["TA0003 - Persistence", "TA0004 - Privilege Escalation"],
"coas": {
"detect": "Sysmon EventID 11/12/13, EDR persistence monitoring",
"deny": "Application whitelisting, UAC enforcement",
"disrupt": "Real-time file integrity monitoring alerts",
"degrade": "Restrict write access to system directories",
"deceive": "Canary registry keys and file system canaries",
},
},
6: {
"name": "Command & Control",
"description": "Adversary communicates with compromised system",
"indicators": [
"Beaconing traffic at regular intervals",
"DNS tunneling (high entropy subdomain queries)",
"HTTPS to newly registered domains",
"Known C2 framework signatures",
],
"mitre_tactics": ["TA0011 - Command and Control"],
"coas": {
"detect": "Network beacon analysis, JA3 fingerprinting, DNS monitoring",
"deny": "DNS sinkholing, firewall egress filtering",
"disrupt": "TLS inspection to identify C2 in encrypted traffic",
"degrade": "Rate-limit suspicious outbound connections",
"deceive": "C2 interception and response manipulation",
},
},
7: {
"name": "Actions on Objectives",
"description": "Adversary achieves mission goals",
"indicators": [
"Data staging and exfiltration",
"Lateral movement to additional systems",
"Ransomware encryption activity",
"Destructive operations (wiper malware)",
"Credential dumping (LSASS access)",
],
"mitre_tactics": ["TA0010 - Exfiltration", "TA0040 - Impact"],
"coas": {
"detect": "DLP alerts, anomalous data transfers, UEBA",
"deny": "Network segmentation, data classification controls",
"disrupt": "Isolate compromised systems, kill C2 connections",
"degrade": "Encrypt sensitive data at rest (attacker gets ciphertext)",
"deceive": "Canary files and honeytoken credentials",
},
},
}
def map_event_to_phase(event_description):
"""Map an incident event description to the most likely kill chain phase."""
event_lower = event_description.lower()
keyword_phase_map = {
1: ["recon", "scan", "enumerat", "shodan", "whois", "dns lookup"],
2: ["weaponiz", "builder", "compile", "payload creat"],
3: ["phish", "email", "deliver", "download", "usb", "attachment", "watering hole"],
4: ["exploit", "cve-", "buffer overflow", "shellcode", "rce"],
5: ["persist", "scheduled task", "registry", "run key", "service install",
"web shell", "backdoor", "startup"],
6: ["beacon", "c2", "c&c", "command and control", "callback", "dns tunnel"],
7: ["exfiltrat", "lateral", "ransomware", "encrypt", "data stag", "credential dump",
"mimikatz", "wiper"],
}
scores = {phase: 0 for phase in range(1, 8)}
for phase, keywords in keyword_phase_map.items():
for kw in keywords:
if kw in event_lower:
scores[phase] += 1
best_phase = max(scores, key=scores.get)
if scores[best_phase] == 0:
return None
return best_phase
def analyze_incident(events):
"""Analyze a list of incident events and map to kill chain phases."""
analysis = {phase: {"events": [], "detected": False, "completed": False}
for phase in range(1, 8)}
for event in events:
phase = map_event_to_phase(event.get("description", ""))
if phase:
analysis[phase]["events"].append(event)
analysis[phase]["completed"] = True
if event.get("detected", False):
analysis[phase]["detected"] = True
return analysis
def generate_report(analysis):
"""Generate a kill chain analysis report."""
report_lines = [
"CYBER KILL CHAIN ANALYSIS REPORT",
"=" * 50,
f"Generated: {datetime.datetime.utcnow().isoformat()}Z",
"",
]
deepest_phase = 0
detection_phase = None
for phase_num in range(1, 8):
phase_data = analysis[phase_num]
phase_info = KILL_CHAIN_PHASES[phase_num]
if phase_data["completed"]:
deepest_phase = phase_num
if phase_data["detected"] and detection_phase is None:
detection_phase = phase_num
status = "COMPLETED" if phase_data["completed"] else "NOT REACHED"
if phase_data["detected"]:
status += " (DETECTED)"
report_lines.append(f"Phase {phase_num}: {phase_info['name']} -> {status}")
for evt in phase_data["events"]:
report_lines.append(f" - {evt.get('description', 'N/A')}")
report_lines.extend([
"",
f"Deepest phase reached: {deepest_phase} ({KILL_CHAIN_PHASES.get(deepest_phase, {}).get('name', 'N/A')})",
f"First detection at phase: {detection_phase or 'None'}",
"",
"RECOMMENDED COURSES OF ACTION:",
])
for phase_num in range(1, deepest_phase + 1):
phase_info = KILL_CHAIN_PHASES[phase_num]
report_lines.append(f"\n Phase {phase_num} - {phase_info['name']}:")
for coa_type, coa_desc in phase_info["coas"].items():
report_lines.append(f" {coa_type.upper()}: {coa_desc}")
return "\n".join(report_lines)
if __name__ == "__main__":
print("=" * 60)
print("Cyber Kill Chain Analysis Agent")
print("Lockheed Martin framework mapping with MITRE ATT&CK integration")
print("=" * 60)
# Demo incident events
demo_events = [
{"description": "Shodan scans detected from 203.0.113.50 targeting web servers",
"timestamp": "2025-09-10T08:00:00Z", "detected": False},
{"description": "Phishing email with malicious .docm attachment delivered to 5 users",
"timestamp": "2025-09-11T09:15:00Z", "detected": False},
{"description": "CVE-2023-23397 exploitation detected in Outlook process crash",
"timestamp": "2025-09-11T09:20:00Z", "detected": False},
{"description": "Scheduled task created for persistence by malware dropper",
"timestamp": "2025-09-11T09:25:00Z", "detected": True},
{"description": "C2 beacon detected to 185.220.101.42 on port 443",
"timestamp": "2025-09-11T09:30:00Z", "detected": True},
]
print("\n[*] Analyzing demo incident events...")
analysis = analyze_incident(demo_events)
report = generate_report(analysis)
print(f"\n{report}")