Public, sanitized mirror of an AI orchestration command center: agents, skills, MCP servers, slash-command workflows. All infrastructure identifiers, hostnames, mesh IPs/subnets, repo paths, maintainer identity, and hardware fleet specifics scrubbed to <placeholders>; session debug logs and host-specific memory removed. No live credentials. Verified clean by automated leak sweep. See SANITIZATION.md. churchofmalware.org. Authorized research only.
| name | description | version | author |
|---|---|---|---|
| Threat Hunting & IOC Analysis | IOC extraction, threat intelligence correlation, MITRE ATT&CK mapping, and hunt hypothesis generation | 1.0.0 | Masriyan |

# 🎯 Threat Hunting & IOC Analysis

## Overview
This skill enables Claude to assist threat hunters with proactive threat detection, IOC extraction and analysis, MITRE ATT&CK framework mapping, hunt hypothesis generation, and threat intelligence correlation. It bridges the gap between raw threat data and actionable hunting queries.
## Prerequisites

### Required

- Python 3.8+
- Python packages: `requests`, `pyyaml`, `jinja2`

### Optional

- MISP — Threat intelligence sharing platform
- OpenCTI — Threat intelligence platform
- YARA — Pattern matching
- Sigma — Generic detection rules
- SIEM access (Splunk, Elastic, QRadar, Sentinel)

```bash
pip install requests pyyaml stix2 taxii2-client
```
## Core Capabilities

### 1. IOC Extraction & Analysis

Extract and validate indicators of compromise from any text source:

When the user asks to extract IOCs:

- Parse input text for indicators (reports, logs, emails, articles)
- Extract all indicator types:
  - Network: IPv4/IPv6 addresses, domains, URLs, email addresses
  - File: MD5, SHA1, SHA256, SSDeep hashes, filenames
  - Host: Registry keys, mutex names, service names, file paths
  - Other: CVE IDs, MITRE technique IDs, Bitcoin addresses
- Validate and defang extracted indicators
- Deduplicate and categorize results
- Enrich with threat intelligence lookups
- Score indicators by confidence and relevance
- Output in STIX, CSV, JSON, or MISP-compatible format
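The parse, validate, defang, deduplicate and categorize steps above, as an added self-contained example. This is not the skill's own `scripts/ioc_extractor.py`; the `SAMPLE_REPORT` text, the defanging conventions it refangs, the indicator kinds covered and the validation rules are assumptions made for the example (IPv6, SSDeep, mutex and service-name patterns are left out). The report deliberately uses an RFC 5737 TEST-NET address and an RFC 2606 domain so nothing in it resolves to real infrastructure.

```python
"""IOC extraction: refang, regex-match, validate, deduplicate, categorize, defang.
Added example; not the skill's scripts/ioc_extractor.py."""
import ipaddress
import re
from collections import Counter

# Constructed sample input (TEST-NET-1 address, example.com domain, and the
# well-known MD5 of the empty string); it is not taken from a real report.
SAMPLE_REPORT = """\
The dropper beaconed to hxxp://update.example[.]com/check from 192.0.2.44.
Second-stage SHA256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Loader MD5: d41d8cd98f00b204e9800998ecf8427e
Persistence: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
Exploits CVE-2021-44228; behaviour maps to T1059.001 and T1547.001.
Beacon source 192.0.2.44 was seen twice.
"""

# Defanging conventions commonly used in shared reports; undone before matching.
_REFANG = [(r"\[\.\]", "."), (r"\(\.\)", "."), (r"\bhxxp", "http"), (r"\[:\]", ":")]

# The \b anchors stop the MD5 pattern from reporting a 32-char prefix of a SHA256.
PATTERNS = {
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "sha1": re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "email": re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "registry_key": re.compile(r"\b(?:HKLM|HKCU|HKCR|HKU|HKEY_[A-Z_]+)\\[^\s,;\"']+"),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.I),
    "attack_technique": re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),
}
_CASE_INSENSITIVE = {"sha256", "sha1", "md5", "domain", "email"}


def refang(text: str) -> str:
    """Undo analyst defanging so the regexes see the real indicator form."""
    for pattern, repl in _REFANG:
        text = re.sub(pattern, repl, text, flags=re.I)
    return text


def defang(kind: str, value: str) -> str:
    """Render an indicator so it cannot be clicked or resolved by accident."""
    if kind in ("ipv4", "domain", "email"):
        return value.replace(".", "[.]")
    if kind == "url":
        return re.sub(r"^http", "hxxp", value, flags=re.I).replace(".", "[.]")
    return value


def is_valid(kind: str, value: str) -> bool:
    """Reject values that match a regex but cannot be real indicators."""
    if kind == "ipv4":
        try:
            ip = ipaddress.IPv4Address(value)
        except ValueError:  # e.g. 999.1.2.3 (octet out of range)
            return False
        return not (ip.is_loopback or ip.is_multicast or ip.is_unspecified)
    if kind == "domain":
        return not value.lower().endswith((".local", ".internal"))
    return True


def extract_iocs(text: str, with_defang: bool = True) -> dict:
    """Return {kind: [{"value", "defanged", "count"}, ...]} for every kind found.

    The count of occurrences serves as a simple relevance signal; confidence
    scoring via enrichment lookups is out of scope for this example."""
    text = refang(text)
    results = {}
    for kind, pattern in PATTERNS.items():
        raw = [m.group(0) for m in pattern.finditer(text)]
        if kind in _CASE_INSENSITIVE:
            raw = [v.lower() for v in raw]
        elif kind == "cve":
            raw = [v.upper() for v in raw]
        counts = Counter(v for v in raw if is_valid(kind, v))  # dedupe + count
        if counts:
            results[kind] = [
                {"value": v, "defanged": defang(kind, v) if with_defang else v, "count": n}
                for v, n in sorted(counts.items())
            ]
    return results


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(SAMPLE_REPORT), indent=2))
```

Run it directly to see the categorized JSON; feed the dict into a STIX or MISP exporter for the output formats listed above. The validation step is where most of the noise in real reports is removed: version strings that look like IPv4 addresses, loopback and multicast addresses, and internal-only domains all match the regexes but never belong in a hunt.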
### 2. MITRE ATT&CK Mapping

Map threat behaviors to the ATT&CK framework:

When the user asks to map to ATT&CK:

- Analyze the threat description, behavior, or TTPs
- Map each behavior to specific ATT&CK techniques
- Identify the tactics (why) and techniques (how)
- Provide sub-technique precision where possible
- Link to ATT&CK Navigator layer export
- Suggest detection opportunities for each technique
- Identify gaps in detection coverage
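The mapping, gap-analysis and Navigator-export steps above as one added example; it is not the skill's `scripts/mitre_mapper.py`. The keyword table, the detection inventory and the behaviour descriptions are constructed for the example (the technique IDs in the table are real ATT&CK entries; a production mapper would load the enterprise-attack STIX bundle instead of a hand-written table). The `versions` block in the layer is an assumption and should be set to whatever the Navigator instance in use expects.

```python
"""Map described behaviours to ATT&CK techniques, flag detection gaps, and
emit an ATT&CK Navigator layer. Added example, not the skill's mitre_mapper.py."""
import json

# Constructed keyword table: keyword -> (technique ID, name, tactic).
KEYWORD_MAP = {
    "powershell": ("T1059.001", "Command and Scripting Interpreter: PowerShell", "execution"),
    "scheduled task": ("T1053.005", "Scheduled Task/Job: Scheduled Task", "persistence"),
    "run key": ("T1547.001", "Boot or Logon Autostart Execution: Registry Run Keys", "persistence"),
    "lsass": ("T1003.001", "OS Credential Dumping: LSASS Memory", "credential-access"),
    "admin share": ("T1021.002", "Remote Services: SMB/Windows Admin Shares", "lateral-movement"),
}

# Constructed detection inventory: technique -> rule names already deployed.
# An empty list or a missing key both mean "no coverage".
DETECTION_INVENTORY = {
    "T1059.001": ["win-ps-encoded-command (constructed rule name)"],
    "T1053.005": [],
    "T1547.001": ["win-runkey-unusual-path (constructed rule name)"],
}

# Constructed behaviour descriptions, as they might appear in a threat report.
SAMPLE_BEHAVIOURS = [
    "Initial execution used an encoded PowerShell command line",
    "A scheduled task named 'Updater' was created for persistence",
    "Credentials were obtained by reading LSASS memory",
]


def map_behaviours(behaviours):
    """Return {technique_id: {"name", "tactic", "evidence": [...]}} for matched text."""
    mapped = {}
    for text in behaviours:
        low = text.lower()
        for keyword, (tid, name, tactic) in KEYWORD_MAP.items():
            if keyword in low:
                entry = mapped.setdefault(tid, {"name": name, "tactic": tactic, "evidence": []})
                entry["evidence"].append(text)  # keep the sentence that justified the mapping
    return mapped


def coverage_gaps(mapped, inventory):
    """Techniques observed in the threat that have no deployed detection."""
    return sorted(tid for tid in mapped if not inventory.get(tid))


def navigator_layer(name, mapped, inventory):
    """Build an ATT&CK Navigator layer dict; score 2 = detected, 0 = gap."""
    techniques = []
    for tid, info in sorted(mapped.items()):
        rules = inventory.get(tid, [])
        techniques.append({
            "techniqueID": tid,
            "tactic": info["tactic"],
            "score": 2 if rules else 0,
            "color": "#4caf50" if rules else "#f44336",
            "comment": "; ".join(rules) or "GAP: no detection deployed",
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},  # assumed versions
        "domain": "enterprise-attack",
        "description": "Techniques observed in the threat, coloured by detection coverage",
        "techniques": techniques,
        "gradient": {"colors": ["#f44336", "#4caf50"], "minValue": 0, "maxValue": 2},
    }


if __name__ == "__main__":
    mapped = map_behaviours(SAMPLE_BEHAVIOURS)
    print("gaps:", coverage_gaps(mapped, DETECTION_INVENTORY))
    print(json.dumps(navigator_layer("hunt-coverage", mapped, DETECTION_INVENTORY), indent=2))
```

Save the printed JSON and open it in Navigator to get the red/green coverage heat map; the `evidence` list on each mapping is what an analyst needs to review before trusting a keyword hit.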
### 3. Hunt Hypothesis Generation

Create structured hunt hypotheses:

When the user asks to generate hunt hypotheses:

- Analyze the threat landscape relevant to the organization
- Consider known adversary TTPs and recent threat intel
- Generate hypotheses following the format:
  - Hypothesis: What are we looking for?
  - Rationale: Why do we think this might be present?
  - Data Sources: What logs/data do we need?
  - Detection Logic: How do we find it?
  - ATT&CK Mapping: Which techniques does this cover?
  - Success Criteria: How do we know if we found it?
- Prioritize hypotheses by likelihood and impact
- Generate corresponding SIEM queries
### 4. Threat Intelligence Correlation

Correlate IOCs and behaviors across multiple sources:

When the user asks to correlate threat intel:

- Cross-reference IOCs across threat feeds
- Identify common infrastructure between campaigns
- Map IOCs to known threat actor groups
- Determine the likely malware family
- Assess the threat's relevance to the organization
- Generate a threat assessment report
- Recommend defensive actions
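The cross-referencing, shared-infrastructure and actor-mapping steps above as an added example; it is not part of the skill. The feed records, actor labels (`GROUP-X`, `GROUP-Y`), campaign names and observed IOCs are constructed (TEST-NET addresses and reserved example domains), and the relevance thresholds are an assumption; a real run would pull the records from MISP or OpenCTI instead of the inline dict.

```python
"""Cross-reference observed IOCs against several feeds, find infrastructure
shared between campaigns, and rank candidate actor attributions.
Added example; not the skill's code. All feed data below is constructed."""
from collections import defaultdict

# Constructed feed records: feed name -> list of (indicator, campaign, actor).
FEEDS = {
    "feed-a": [
        ("192.0.2.10", "campaign-alpha", "GROUP-X"),
        ("cdn.example.net", "campaign-alpha", "GROUP-X"),
        ("192.0.2.10", "campaign-beta", "GROUP-X"),
    ],
    "feed-b": [
        ("192.0.2.10", "campaign-beta", "GROUP-X"),
        ("files.example.org", "campaign-gamma", "GROUP-Y"),
    ],
}

# Constructed IOCs observed in the organisation's own telemetry.
OBSERVED = ["192.0.2.10", "CDN.example.net", "203.0.113.7"]


def index_feeds(feeds):
    """indicator -> set of (feed, campaign, actor) references, case-folded."""
    idx = defaultdict(set)
    for feed, records in feeds.items():
        for indicator, campaign, actor in records:
            idx[indicator.lower()].add((feed, campaign, actor))
    return idx


def correlate(observed, idx):
    """For each observed IOC, the sorted list of feed references (empty = unknown)."""
    return {ioc: sorted(idx.get(ioc.lower(), ())) for ioc in observed}


def shared_infrastructure(idx):
    """Indicators reused across more than one campaign -> sorted campaign names."""
    shared = {}
    for indicator, refs in idx.items():
        campaigns = {campaign for _, campaign, _ in refs}
        if len(campaigns) > 1:
            shared[indicator] = sorted(campaigns)
    return shared


def attribution(hits):
    """Rank actors by the number of distinct observed IOCs tied to them."""
    overlap = defaultdict(set)
    for ioc, refs in hits.items():
        for _, _, actor in refs:
            overlap[actor].add(ioc)
    return sorted(((len(iocs), actor) for actor, iocs in overlap.items()), reverse=True)


def assessment(observed, feeds):
    """Summarise matches, shared infrastructure and attribution in one dict."""
    idx = index_feeds(feeds)
    hits = correlate(observed, idx)
    matched = [ioc for ioc, refs in hits.items() if refs]
    # Relevance thresholds are an assumption for the example, not a standard.
    relevance = "high" if len(matched) >= 2 else "medium" if matched else "low"
    return {
        "matched": matched,
        "unmatched": [ioc for ioc in observed if ioc not in matched],
        "shared_infrastructure": shared_infrastructure(idx),
        "attribution": [{"actor": actor, "ioc_overlap": n} for n, actor in attribution(hits)],
        "relevance": relevance,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assessment(OBSERVED, FEEDS), indent=2))
```

The `shared_infrastructure` output is the part worth a second look: an address that several campaigns reuse is a stronger pivot for a hunt than a hash that only one report mentions, and the `unmatched` list tells the analyst which observations still need enrichment.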
### 5. Detection Rule Generation

Create detection rules from threat intelligence:

When the user asks to create detection rules:

- Analyze the threat behavior or IOCs
- Generate Sigma rules for platform-agnostic detection
- Convert to SIEM-specific queries (Splunk SPL, KQL, EQL)
- Create YARA rules for file-based detection
- Generate Snort/Suricata rules for network detection
- Test rules against sample data
- Document false positive considerations
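An added example for the Sigma-to-SPL conversion and the "test rules against sample data" step above (it also shows what the Detection Logic and Success Criteria fields of a section 3 hunt hypothesis end up as). It is not the skill's code and not the real `sigmac`/pySigma backend: it handles only a small Sigma subset (selection maps, `contains`/`startswith`/`endswith`/`all` modifiers, the `selection` and `selection and not filter` conditions). The rule targets T1053.005 from the example prompts; the rule content, the `index=sysmon` default and the three sample events are constructed.

```python
"""Evaluate a simplified Sigma rule against sample events and convert it to
Splunk SPL. Added example; not the skill's code and not a full Sigma backend."""

# Constructed hunting rule for T1053.005 (Scheduled Task).
RULE = {
    "title": "Scheduled task created with a binary in a user-writable directory",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\schtasks.exe",
            "CommandLine|contains|all": ["/create", "/tr"],
            "CommandLine|contains": ["\\AppData\\", "\\Temp\\", "\\Users\\Public\\"],
        },
        "filter": {"ParentImage|endswith": ["\\msiexec.exe"]},
        "condition": "selection and not filter",
    },
    "falsepositives": ["Installers that register update tasks for the current user"],
    "level": "medium",
}

# Constructed process-creation events: one true positive, one benign query,
# one installer-driven task that the filter is meant to suppress.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /create /tn Updater /tr C:\\Users\\alice\\AppData\\Roaming\\u.exe /sc minute",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /query /fo LIST",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /create /tn VendorUpdate /tr C:\\Users\\Public\\vendor.exe",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},
]


def _parse_key(key):
    """'CommandLine|contains|all' -> ('CommandLine', {'contains', 'all'})."""
    field, *mods = key.split("|")
    return field, set(mods)


def _match_value(value, pattern, mods):
    v, p = str(value).lower(), str(pattern).lower()  # Sigma matching is case-insensitive
    if "contains" in mods:
        return p in v
    if "startswith" in mods:
        return v.startswith(p)
    if "endswith" in mods:
        return v.endswith(p)
    return v == p


def _match_map(event, selection):
    """All keys of a selection map must match; list values are OR unless |all."""
    for key, patterns in selection.items():
        field, mods = _parse_key(key)
        if field not in event:
            return False
        pats = patterns if isinstance(patterns, list) else [patterns]
        checks = [_match_value(event[field], p, mods) for p in pats]
        if not (all(checks) if "all" in mods else any(checks)):
            return False
    return True


def evaluate(rule, event):
    """True if the event satisfies the rule's condition."""
    det = rule["detection"]
    if det["condition"] == "selection":
        return _match_map(event, det["selection"])
    if det["condition"] == "selection and not filter":
        return _match_map(event, det["selection"]) and not _match_map(event, det["filter"])
    raise ValueError(f"unsupported condition: {det['condition']}")


def _spl_term(field, pattern, mods):
    p = str(pattern).replace('"', '\\"')
    if "contains" in mods:
        p = f"*{p}*"
    elif "startswith" in mods:
        p = f"{p}*"
    elif "endswith" in mods:
        p = f"*{p}"
    return f'{field}="{p}"'


def _spl_map(selection):
    clauses = []
    for key, patterns in selection.items():
        field, mods = _parse_key(key)
        pats = patterns if isinstance(patterns, list) else [patterns]
        joiner = " AND " if "all" in mods else " OR "
        clauses.append("(" + joiner.join(_spl_term(field, p, mods) for p in pats) + ")")
    return " AND ".join(clauses)


def to_spl(rule, index="sysmon"):
    """Render the rule as a Splunk search (index name is an assumption)."""
    det = rule["detection"]
    spl = f"index={index} {_spl_map(det['selection'])}"
    if det["condition"].endswith("not filter"):
        spl += f" NOT ({_spl_map(det['filter'])})"
    return spl


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, (evaluate(RULE, e) for e in SAMPLE_EVENTS)):
        print("HIT " if hit else "    ", event["CommandLine"])
    print(to_spl(RULE))
    print("False positives:", "; ".join(RULE["falsepositives"]))
```

Running the rule over the sample events before shipping it is the cheap version of the "test against sample data" step: the first event fires, the benign `/query` does not, and the installer-spawned task is suppressed by the filter. Backslash escaping inside quoted SPL values depends on how the target Splunk instance extracts the fields, so check the generated search in the SIEM rather than trusting the string blindly.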
## Usage Instructions

### Example Prompts

> Extract all IOCs from this threat intelligence report

> Map these TTPs to MITRE ATT&CK and suggest detection queries

> Generate hunt hypotheses for detecting APT29 in our Windows environment

> Create Sigma detection rules for this lateral movement technique

> Correlate these IOCs with known threat actor campaigns

> Build a Splunk query to hunt for T1053.005 (Scheduled Task)
### Script Reference

#### ioc_extractor.py

```bash
python scripts/ioc_extractor.py --input threat_report.txt --output iocs.json
python scripts/ioc_extractor.py --input report.pdf --format stix --output iocs.stix.json
python scripts/ioc_extractor.py --input email.eml --defang --output iocs.csv
```

#### mitre_mapper.py

```bash
python scripts/mitre_mapper.py --input techniques.txt --output attack_map.json
python scripts/mitre_mapper.py --technique T1059.001 --detection-query splunk
```
## Integration Guide

### Chaining with Other Skills

- ← Malware Analysis (05): Receive IOCs from malware analysis
- ← Incident Response (07): Receive artifacts from IR for hunting
- → Log Analysis (12): Feed hunting queries to SIEM
- → Blue Team Defense (15): Generate detection rules
- → CSOC Automation (11): Automate response to hunting findings