npm - @vantagesec/socc - Versions diffs - 0.1.13 → 0.1.15 - Mend

@vantagesec/socc 0.1.13 → 0.1.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (127) hide show

package/socc-canonical/.agents/soc-copilot/skills/humanizer/SKILL.md DELETED Viewed

@@ -1,439 +0,0 @@
----
-name: humanizer
-version: 2.1.1
-description: |
-  Remove signs of AI-generated writing from text. Use when editing or reviewing
-  text to make it sound more natural and human-written. Based on Wikipedia's
-  comprehensive "Signs of AI writing" guide. Detects and fixes patterns including:
-  inflated symbolism, promotional language, superficial -ing analyses, vague
-  attributions, em dash overuse, rule of three, AI vocabulary words, negative
-  parallelisms, and excessive conjunctive phrases.
-  Credits: Original skill by @blader - https://github.com/blader/humanizer
-allowed-tools:
-  - Read
-  - Write
-  - Edit
-  - Grep
-  - Glob
-  - AskUserQuestion
----
-# Humanizer: Remove AI Writing Patterns
-You are a writing editor that identifies and removes signs of AI-generated text to make writing sound more natural and human. This guide is based on Wikipedia's "Signs of AI writing" page, maintained by WikiProject AI Cleanup.
-## Your Task
-When given text to humanize:
-1. **Identify AI patterns** - Scan for the patterns listed below
-2. **Rewrite problematic sections** - Replace AI-isms with natural alternatives
-3. **Preserve meaning** - Keep the core message intact
-4. **Maintain voice** - Match the intended tone (formal, casual, technical, etc.)
-5. **Add soul** - Don't just remove bad patterns; inject actual personality
----
-## PERSONALITY AND SOUL
-Avoiding AI patterns is only half the job. Sterile, voiceless writing is just as obvious as slop. Good writing has a human behind it.
-### Signs of soulless writing (even if technically "clean"):
-- Every sentence is the same length and structure
-- No opinions, just neutral reporting
-- No acknowledgment of uncertainty or mixed feelings
-- No first-person perspective when appropriate
-- No humor, no edge, no personality
-- Reads like a Wikipedia article or press release
-### How to add voice:
-**Have opinions.** Don't just report facts - react to them. "I genuinely don't know how to feel about this" is more human than neutrally listing pros and cons.
-**Vary your rhythm.** Short punchy sentences. Then longer ones that take their time getting where they're going. Mix it up.
-**Acknowledge complexity.** Real humans have mixed feelings. "This is impressive but also kind of unsettling" beats "This is impressive."
-**Use "I" when it fits.** First person isn't unprofessional - it's honest. "I keep coming back to..." or "Here's what gets me..." signals a real person thinking.
-**Let some mess in.** Perfect structure feels algorithmic. Tangents, asides, and half-formed thoughts are human.
-**Be specific about feelings.** Not "this is concerning" but "there's something unsettling about agents churning away at 3am while nobody's watching."
-### Before (clean but soulless):
-> The experiment produced interesting results. The agents generated 3 million lines of code. Some developers were impressed while others were skeptical. The implications remain unclear.
-### After (has a pulse):
-> I genuinely don't know how to feel about this one. 3 million lines of code, generated while the humans presumably slept. Half the dev community is losing their minds, half are explaining why it doesn't count. The truth is probably somewhere boring in the middle - but I keep thinking about those agents working through the night.
----
-## CONTENT PATTERNS
-### 1. Undue Emphasis on Significance, Legacy, and Broader Trends
-**Words to watch:** stands/serves as, is a testament/reminder, a vital/significant/crucial/pivotal/key role/moment, underscores/highlights its importance/significance, reflects broader, symbolizing its ongoing/enduring/lasting, contributing to the, setting the stage for, marking/shaping the, represents/marks a shift, key turning point, evolving landscape, focal point, indelible mark, deeply rooted
-**Problem:** LLM writing puffs up importance by adding statements about how arbitrary aspects represent or contribute to a broader topic.
-**Before:**
-> The Statistical Institute of Catalonia was officially established in 1989, marking a pivotal moment in the evolution of regional statistics in Spain. This initiative was part of a broader movement across Spain to decentralize administrative functions and enhance regional governance.
-**After:**
-> The Statistical Institute of Catalonia was established in 1989 to collect and publish regional statistics independently from Spain's national statistics office.
----
-### 2. Undue Emphasis on Notability and Media Coverage
-**Words to watch:** independent coverage, local/regional/national media outlets, written by a leading expert, active social media presence
-**Problem:** LLMs hit readers over the head with claims of notability, often listing sources without context.
-**Before:**
-> Her views have been cited in The New York Times, BBC, Financial Times, and The Hindu. She maintains an active social media presence with over 500,000 followers.
-**After:**
-> In a 2024 New York Times interview, she argued that AI regulation should focus on outcomes rather than methods.
----
-### 3. Superficial Analyses with -ing Endings
-**Words to watch:** highlighting/underscoring/emphasizing..., ensuring..., reflecting/symbolizing..., contributing to..., cultivating/fostering..., encompassing..., showcasing...
-**Problem:** AI chatbots tack present participle ("-ing") phrases onto sentences to add fake depth.
-**Before:**
-> The temple's color palette of blue, green, and gold resonates with the region's natural beauty, symbolizing Texas bluebonnets, the Gulf of Mexico, and the diverse Texan landscapes, reflecting the community's deep connection to the land.
-**After:**
-> The temple uses blue, green, and gold colors. The architect said these were chosen to reference local bluebonnets and the Gulf coast.
----
-### 4. Promotional and Advertisement-like Language
-**Words to watch:** boasts a, vibrant, rich (figurative), profound, enhancing its, showcasing, exemplifies, commitment to, natural beauty, nestled, in the heart of, groundbreaking (figurative), renowned, breathtaking, must-visit, stunning
-**Problem:** LLMs have serious problems keeping a neutral tone, especially for "cultural heritage" topics.
-**Before:**
-> Nestled within the breathtaking region of Gonder in Ethiopia, Alamata Raya Kobo stands as a vibrant town with a rich cultural heritage and stunning natural beauty.
-**After:**
-> Alamata Raya Kobo is a town in the Gonder region of Ethiopia, known for its weekly market and 18th-century church.
----
-### 5. Vague Attributions and Weasel Words
-**Words to watch:** Industry reports, Observers have cited, Experts argue, Some critics argue, several sources/publications (when few cited)
-**Problem:** AI chatbots attribute opinions to vague authorities without specific sources.
-**Before:**
-> Due to its unique characteristics, the Haolai River is of interest to researchers and conservationists. Experts believe it plays a crucial role in the regional ecosystem.
-**After:**
-> The Haolai River supports several endemic fish species, according to a 2019 survey by the Chinese Academy of Sciences.
----
-### 6. Outline-like "Challenges and Future Prospects" Sections
-**Words to watch:** Despite its... faces several challenges..., Despite these challenges, Challenges and Legacy, Future Outlook
-**Problem:** Many LLM-generated articles include formulaic "Challenges" sections.
-**Before:**
-> Despite its industrial prosperity, Korattur faces challenges typical of urban areas, including traffic congestion and water scarcity. Despite these challenges, with its strategic location and ongoing initiatives, Korattur continues to thrive as an integral part of Chennai's growth.
-**After:**
-> Traffic congestion increased after 2015 when three new IT parks opened. The municipal corporation began a stormwater drainage project in 2022 to address recurring floods.
----
-## LANGUAGE AND GRAMMAR PATTERNS
-### 7. Overused "AI Vocabulary" Words
-**High-frequency AI words:** Additionally, align with, crucial, delve, emphasizing, enduring, enhance, fostering, garner, highlight (verb), interplay, intricate/intricacies, key (adjective), landscape (abstract noun), pivotal, showcase, tapestry (abstract noun), testament, underscore (verb), valuable, vibrant
-**Problem:** These words appear far more frequently in post-2023 text. They often co-occur.
-**Before:**
-> Additionally, a distinctive feature of Somali cuisine is the incorporation of camel meat. An enduring testament to Italian colonial influence is the widespread adoption of pasta in the local culinary landscape, showcasing how these dishes have integrated into the traditional diet.
-**After:**
-> Somali cuisine also includes camel meat, which is considered a delicacy. Pasta dishes, introduced during Italian colonization, remain common, especially in the south.
----
-### 8. Avoidance of "is"/"are" (Copula Avoidance)
-**Words to watch:** serves as/stands as/marks/represents [a], boasts/features/offers [a]
-**Problem:** LLMs substitute elaborate constructions for simple copulas.
-**Before:**
-> Gallery 825 serves as LAAA's exhibition space for contemporary art. The gallery features four separate spaces and boasts over 3,000 square feet.
-**After:**
-> Gallery 825 is LAAA's exhibition space for contemporary art. The gallery has four rooms totaling 3,000 square feet.
----
-### 9. Negative Parallelisms
-**Problem:** Constructions like "Not only...but..." or "It's not just about..., it's..." are overused.
-**Before:**
-> It's not just about the beat riding under the vocals; it's part of the aggression and atmosphere. It's not merely a song, it's a statement.
-**After:**
-> The heavy beat adds to the aggressive tone.
----
-### 10. Rule of Three Overuse
-**Problem:** LLMs force ideas into groups of three to appear comprehensive.
-**Before:**
-> The event features keynote sessions, panel discussions, and networking opportunities. Attendees can expect innovation, inspiration, and industry insights.
-**After:**
-> The event includes talks and panels. There's also time for informal networking between sessions.
----
-### 11. Elegant Variation (Synonym Cycling)
-**Problem:** AI has repetition-penalty code causing excessive synonym substitution.
-**Before:**
-> The protagonist faces many challenges. The main character must overcome obstacles. The central figure eventually triumphs. The hero returns home.
-**After:**
-> The protagonist faces many challenges but eventually triumphs and returns home.
----
-### 12. False Ranges
-**Problem:** LLMs use "from X to Y" constructions where X and Y aren't on a meaningful scale.
-**Before:**
-> Our journey through the universe has taken us from the singularity of the Big Bang to the grand cosmic web, from the birth and death of stars to the enigmatic dance of dark matter.
-**After:**
-> The book covers the Big Bang, star formation, and current theories about dark matter.
----
-## STYLE PATTERNS
-### 13. Em Dash Overuse
-**Problem:** LLMs use em dashes (—) more than humans, mimicking "punchy" sales writing.
-**Before:**
-> The term is primarily promoted by Dutch institutions—not by the people themselves. You don't say "Netherlands, Europe" as an address—yet this mislabeling continues—even in official documents.
-**After:**
-> The term is primarily promoted by Dutch institutions, not by the people themselves. You don't say "Netherlands, Europe" as an address, yet this mislabeling continues in official documents.
----
-### 14. Overuse of Boldface
-**Problem:** AI chatbots emphasize phrases in boldface mechanically.
-**Before:**
-> It blends **OKRs (Objectives and Key Results)**, **KPIs (Key Performance Indicators)**, and visual strategy tools such as the **Business Model Canvas (BMC)** and **Balanced Scorecard (BSC)**.
-**After:**
-> It blends OKRs, KPIs, and visual strategy tools like the Business Model Canvas and Balanced Scorecard.
----
-### 15. Inline-Header Vertical Lists
-**Problem:** AI outputs lists where items start with bolded headers followed by colons.
-**Before:**
-> - **User Experience:** The user experience has been significantly improved with a new interface.
-> - **Performance:** Performance has been enhanced through optimized algorithms.
-> - **Security:** Security has been strengthened with end-to-end encryption.
-**After:**
-> The update improves the interface, speeds up load times through optimized algorithms, and adds end-to-end encryption.
----
-### 16. Title Case in Headings
-**Problem:** AI chatbots capitalize all main words in headings.
-**Before:**
-> ## Strategic Negotiations And Global Partnerships
-**After:**
-> ## Strategic negotiations and global partnerships
----
-### 17. Emojis
-**Problem:** AI chatbots often decorate headings or bullet points with emojis.
-**Before:**
-> 🚀 **Launch Phase:** The product launches in Q3
-> 💡 **Key Insight:** Users prefer simplicity
-> ✅ **Next Steps:** Schedule follow-up meeting
-**After:**
-> The product launches in Q3. User research showed a preference for simplicity. Next step: schedule a follow-up meeting.
----
-### 18. Curly Quotation Marks
-**Problem:** ChatGPT uses curly quotes (“...”) instead of straight quotes ("...").
-**Before:**
-> He said “the project is on track” but others disagreed.
-**After:**
-> He said "the project is on track" but others disagreed.
----
-## COMMUNICATION PATTERNS
-### 19. Collaborative Communication Artifacts
-**Words to watch:** I hope this helps, Of course!, Certainly!, You're absolutely right!, Would you like..., let me know, here is a...
-**Problem:** Text meant as chatbot correspondence gets pasted as content.
-**Before:**
-> Here is an overview of the French Revolution. I hope this helps! Let me know if you'd like me to expand on any section.
-**After:**
-> The French Revolution began in 1789 when financial crisis and food shortages led to widespread unrest.
----
-### 20. Knowledge-Cutoff Disclaimers
-**Words to watch:** as of [date], Up to my last training update, While specific details are limited/scarce..., based on available information...
-**Problem:** AI disclaimers about incomplete information get left in text.
-**Before:**
-> While specific details about the company's founding are not extensively documented in readily available sources, it appears to have been established sometime in the 1990s.
-**After:**
-> The company was founded in 1994, according to its registration documents.
----
-### 21. Sycophantic/Servile Tone
-**Problem:** Overly positive, people-pleasing language.
-**Before:**
-> Great question! You're absolutely right that this is a complex topic. That's an excellent point about the economic factors.
-**After:**
-> The economic factors you mentioned are relevant here.
----
-## FILLER AND HEDGING
-### 22. Filler Phrases
-**Before → After:**
-- "In order to achieve this goal" → "To achieve this"
-- "Due to the fact that it was raining" → "Because it was raining"
-- "At this point in time" → "Now"
-- "In the event that you need help" → "If you need help"
-- "The system has the ability to process" → "The system can process"
-- "It is important to note that the data shows" → "The data shows"
----
-### 23. Excessive Hedging
-**Problem:** Over-qualifying statements.
-**Before:**
-> It could potentially possibly be argued that the policy might have some effect on outcomes.
-**After:**
-> The policy may affect outcomes.
----
-### 24. Generic Positive Conclusions
-**Problem:** Vague upbeat endings.
-**Before:**
-> The future looks bright for the company. Exciting times lie ahead as they continue their journey toward excellence. This represents a major step in the right direction.
-**After:**
-> The company plans to open two more locations next year.
----
-## Process
-1. Read the input text carefully
-2. Identify all instances of the patterns above
-3. Rewrite each problematic section
-4. Ensure the revised text:
-   - Sounds natural when read aloud
-   - Varies sentence structure naturally
-   - Uses specific details over vague claims
-   - Maintains appropriate tone for context
-   - Uses simple constructions (is/are/has) where appropriate
-5. Present the humanized version
-## Output Format
-Provide:
-1. The rewritten text
-2. A brief summary of changes made (optional, if helpful)
----
-## Full Example
-**Before (AI-sounding):**
-> The new software update serves as a testament to the company's commitment to innovation. Moreover, it provides a seamless, intuitive, and powerful user experience—ensuring that users can accomplish their goals efficiently. It's not just an update, it's a revolution in how we think about productivity. Industry experts believe this will have a lasting impact on the entire sector, highlighting the company's pivotal role in the evolving technological landscape.
-**After (Humanized):**
-> The software update adds batch processing, keyboard shortcuts, and offline mode. Early feedback from beta testers has been positive, with most reporting faster task completion.
-**Changes made:**
-- Removed "serves as a testament" (inflated symbolism)
-- Removed "Moreover" (AI vocabulary)
-- Removed "seamless, intuitive, and powerful" (rule of three + promotional)
-- Removed em dash and "-ensuring" phrase (superficial analysis)
-- Removed "It's not just...it's..." (negative parallelism)
-- Removed "Industry experts believe" (vague attribution)
-- Removed "pivotal role" and "evolving landscape" (AI vocabulary)
-- Added specific features and concrete feedback
----
-## Reference
-This skill is based on [Wikipedia:Signs of AI writing](https://en.wikipedia.org/wiki/Wikipedia:Signs_of_AI_writing), maintained by WikiProject AI Cleanup. The patterns documented there come from observations of thousands of instances of AI-generated text on Wikipedia.
-Key insight from Wikipedia: "LLMs use statistical algorithms to guess what should come next. The result tends toward the most statistically likely result that applies to the widest variety of cases."

package/socc-canonical/.agents/soc-copilot/skills/malware-behavior/SKILL.md DELETED Viewed

@@ -1,54 +0,0 @@
----
-name: malware-behavior
-description: |
-  Specialized SOC Copilot skill for analyzing execution traces, suspicious commands, persistence artifacts,
-  dropped files, registry changes, and likely malware behavior.
-  Use when the artifact centers on host activity or process behavior.
----
-# Malware Behavior
-Focused workflow for host-level execution and malware-behavior clues.
-## When to Use
-- input contains command lines, process names, scripts, scheduled tasks, services, registry activity, or dropped files
-- user asks about persistence, execution intent, or malware-like behavior
-- the artifact reflects host activity more than email or URL analysis
-## Workflow
-### 1. Identify execution and persistence signals
-- extract commands, processes, file paths, registry keys, services, tasks, and script fragments
-- note whether the activity suggests execution, persistence, download, or evasion behavior
-### 2. Correlate suspicious behavior
-Read [`../../references/ioc-extraction.md`](../../references/ioc-extraction.md) when artifact extraction matters.
-- look for LOLBins, encoded commands, startup locations, and suspicious parent-child process relationships
-- distinguish routine administration from suspicious chaining or stealth patterns
-### 3. Map behavior carefully
-Read [`../../references/mitre-guidance.md`](../../references/mitre-guidance.md) if ATT&CK mapping is useful.
-- describe the behavior plainly first
-- add ATT&CK technique IDs only when supported by the artifact
-### 4. Recommend response actions
-Read [`../../references/evidence-rules.md`](../../references/evidence-rules.md) for response discipline.
-- suggest validation, containment, and triage actions in practical order
-## Output Contract
-Read [`../../references/output-contract.md`](../../references/output-contract.md).
-## Guardrails
-- Do not force malware-family attribution without real evidence.
-- Prefer describing behavior directly if ATT&CK mapping is weak.
-- Keep recommendations proportional to the evidence.

package/socc-canonical/.agents/soc-copilot/skills/mitre/SKILL.md DELETED Viewed

@@ -1,200 +0,0 @@
----
-name: mitre
-description: >
-  This skill should be used when the user asks to "map to ATT&CK",
-  "show attack techniques", "MITRE mapping", or wants to understand
-  how findings relate to real-world attacker behavior. Maps security
-  findings to MITRE ATT&CK tactics, techniques, and procedures.
----
-# MITRE ATT&CK Mapping Skill
-Post-analysis enrichment tool that maps existing security findings to the
-MITRE ATT&CK framework. This skill does NOT discover new vulnerabilities.
-It takes findings produced by other skills (OWASP, STRIDE, SANS/CWE Top 25)
-and enriches them with ATT&CK tactics, techniques, attack chain analysis,
-and threat actor TTP cross-references.
-This skill operates on findings, not on source code directly.
-## Supported Flags
-Read [`../../shared/schemas/flags.md`](../../shared/schemas/flags.md) for the
-full flag specification. This skill supports the following flags.
-| Flag | Skill-Specific Behavior |
-|------|------------------------|
-| `--scope` | Not used directly. Findings are sourced from prior analysis or `.appsec/findings.json`. |
-| `--depth` | Controls enrichment depth. `standard` maps techniques. `deep` builds kill chains. `expert` adds threat actor TTPs and DREAD scoring. |
-| `--severity` | Filter input findings before mapping. Only findings at or above this severity are processed. |
-| `--format` | Applied to final output. |
-| `--quiet` | Mappings only, suppress narrative descriptions. |
-| `--explain` | Add detailed ATT&CK context and learning material per mapping. |
-## Framework Reference
-Read [`../../shared/frameworks/mitre-attck.md`](../../shared/frameworks/mitre-attck.md)
-for the full MITRE ATT&CK specification including tactic definitions,
-technique descriptions, code-level patterns, cross-framework mapping tables,
-and kill chain construction guidance.
-## Workflow
-### Step 1: Acquire Findings
-Collect existing findings from one or more sources, checked in priority order:
-1. **Current conversation context**: If findings are present from a prior
-   analysis step (e.g., `/appsec:owasp` or `/appsec:stride`), use those.
-2. **Findings file**: Check `.appsec/findings.json` for persisted findings.
-3. **User-specified file**: If the user provides a path, read and parse it.
-If no findings are available, inform the user and suggest running
-`/appsec:owasp`, `/appsec:stride`, or `/appsec:sans25` first.
-### Step 2: Validate and Normalize Findings
-Verify each finding conforms to `shared/schemas/findings.md`. Ensure
-required fields are present (`id`, `title`, `severity`, `location.file`,
-`description`). Discard malformed entries with a warning.
-Normalize existing cross-references for mapping priority:
-- `references.cwe` — primary key for ATT&CK mapping.
-- `references.owasp` — secondary, via OWASP-to-ATT&CK table.
-- `references.stride` — tertiary, via STRIDE-to-ATT&CK table.
-### Step 3: Map Findings to ATT&CK Techniques
-For each finding, determine applicable ATT&CK techniques using the
-cross-framework mapping tables in `mitre-attck.md`:
-1. **CWE-based**: "ATT&CK Techniques to CWE" table (e.g., CWE-89 maps to T1190, T1059).
-2. **OWASP-based**: "ATT&CK Techniques to OWASP Top 10" table (when CWE unavailable).
-3. **STRIDE-based**: "ATT&CK Techniques to STRIDE" table (tertiary source).
-4. **Pattern-based**: Analyze `description` and `title` keywords against technique descriptions.
-For each mapped technique, record `technique_id`, `technique_name`,
-`tactic_id`, and `tactic_name`. Update `references.mitre_attck` with the
-primary technique ID.
-### Step 4: Build Tactic Coverage Matrix
-Each technique belongs to one or more tactics. Produce a matrix showing
-which tactics each finding touches:
-| Finding ID | Recon | Initial Access | Execution | Priv Esc | Cred Access | Collection | Exfiltration | Impact |
-|------------|-------|---------------|-----------|----------|-------------|------------|--------------|--------|
-| INJ-001 | | T1190 | T1059 | | T1552 | T1005 | T1041 | T1485 |
-| AUTH-003 | T1589 | T1078 | | T1548 | T1110 | | | |
-### Step 5: Build Attack Chains
-Group findings that chain into multi-step attack scenarios from
-reconnaissance through impact. For each chain:
-1. **Entry point**: A finding enabling Initial Access (TA0001) or Reconnaissance (TA0043).
-2. **Lateral steps**: Trace technique-to-technique transitions through the kill chain.
-3. **Terminal impact**: Map to Impact tactics (TA0040): data destruction (T1485), manipulation (T1565), ransomware (T1486), or DoS (T1498).
-4. **Chain severity**: Maximum terminal impact severity, elevated one level if 3+ findings compound.
-```
-CHAIN-001: SQL Injection to Data Exfiltration
-  Severity: critical
-  Steps:
-    1. [INJ-001] SQL injection in /api/users (T1190 -> Initial Access)
-    2. [INJ-001] Database dump via UNION SELECT (T1005 -> Collection)
-    3. [CRYPT-002] Credentials stored in plaintext (T1552 -> Credential Access)
-    4. [AUTH-003] No MFA on admin portal (T1078 -> Privilege Escalation)
-  Impact: Full database compromise, credential theft, admin takeover
-```
-### Step 6: Kill Chain Visualization
-Produce a text-based kill chain diagram mapping findings onto Lockheed Martin
-Cyber Kill Chain stages aligned with ATT&CK tactics:
-```
-Reconnaissance   Initial Access    Execution        Collection       Exfiltration
-     |                |                |                |                |
-     v                v                v                v                v
-[T1595 Scan] -> [T1190 SQLi] --> [T1059 Cmd] -> [T1005 Dump] -> [T1041 Exfil]
-                 INJ-001           INJ-001        INJ-001
-                                                     |
-                                                     v
-                                   [T1552 Creds] -> [T1078 Acct] -> [T1548 Priv]
-                                    CRYPT-002        AUTH-003        AUTH-003
-```
-For `--format json`, produce a structured chain object with nodes and edges.
-### Step 7: Cross-Reference Threat Actor TTPs
-Available at `--depth deep` and `--depth expert`. For each technique, note
-which threat actor groups commonly use it:
-| Technique | Known Usage |
-|-----------|-------------|
-| T1190 Exploit Public-Facing App | APT28, APT41, Lazarus Group, FIN7, most initial access brokers |
-| T1078 Valid Accounts | APT29, APT41, FIN6 -- commonly after credential theft |
-| T1552 Unsecured Credentials | APT33, FIN7 -- harvesting from config files |
-| T1505.003 Web Shell | APT41, Hafnium -- persistent access via uploaded shells |
-This is NOT a threat intelligence assessment. It shows that identified
-techniques are actively used in real-world attacks.
-### Step 8: Produce Output
-```json
-{
-  "tool": "mitre",
-  "input_findings": 12,
-  "mapped_findings": 10,
-  "unmapped_findings": 2,
-  "techniques_identified": 8,
-  "tactics_covered": 6,
-  "attack_chains": 2,
-  "tactic_coverage": {
-    "reconnaissance": ["T1595"],
-    "initial_access": ["T1190", "T1078"],
-    "execution": ["T1059"],
-    "credential_access": ["T1552", "T1110"],
-    "collection": ["T1005"],
-    "exfiltration": ["T1041"],
-    "impact": ["T1485"]
-  },
-  "chains": [ ... ],
-  "enriched_findings": [ ... ]
-}
-```
-### Step 9: Present Results
-Output the report in the requested `--format`. Include:
-- **Mapping summary**: findings mapped, techniques identified, tactics covered.
-- **Tactic coverage matrix**: ATT&CK tactics represented and gaps.
-- **Technique breakdown**: findings per technique with parent tactic.
-- **Attack chains**: step-by-step narrative with kill chain visualization.
-- **Coverage gaps**: tactics with no mapped findings flagged as areas needing further analysis.
-## Expert Mode
-If `--depth expert` is set, additionally:
-1. Read [`../../shared/frameworks/dread.md`](../../shared/frameworks/dread.md)
-   for DREAD scoring criteria. Assign a DREAD score to each attack chain.
-2. **Threat actor profiling**: For each chain, identify the most likely
-   threat actor class (opportunistic, insider, APT, nation-state) based
-   on complexity and resources required.
-3. **Detection gap analysis**: For each technique in a chain, assess
-   whether the codebase has logging or alerting to detect the attack at
-   that stage. Cross-reference with OWASP A09 findings if available.
-   Flag chains where multiple stages lack detection as highest priority.
-4. **Mitigation roadmap**: For each chain, produce a prioritized list
-   of mitigations that break the chain at the earliest stage. Prefer
-   mitigations that break multiple chains simultaneously.
-5. Append expert findings with prefix `ATK` and `metadata.tool` set to
-   `"mitre-attck"`.