Skip to content

adnankokni/mitre-attack-mapping

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

36 Commits
detections
detections
 
 
navigator
navigator
 
 
scenarios
scenarios
 
 
techniques
techniques
 
 
threat-actors
threat-actors
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

⚔️ MITRE ATT&CK Mapping Project — SOC Analyst Portfolio

MITRE Status Techniques Scenarios License

A professional MITRE ATT&CK mapping project demonstrating how a SOC analyst maps real-world attack scenarios to specific adversary tactics and techniques, builds detection rules, and analyses threat actor TTPs.

🎯 What This Project Demonstrates

  • Mapping real attack chains to MITRE ATT&CK tactics and techniques
  • Building detection rules (Sigma + Wazuh) for specific techniques
  • Analysing known APT group TTPs (APT28, Lazarus Group)
  • Using the ATT&CK Navigator to visualise coverage
  • Understanding the full adversary kill chain

📁 Repository Structure

mitre-attack-mapping/
├── scenarios/              # Attack scenarios with full MITRE mapping
│   ├── ransomware-attack.md
│   ├── phishing-campaign.md
│   ├── lateral-movement.md
│   └── apt-simulation.md
├── techniques/             # Deep-dive on individual techniques
│   ├── T1566-phishing.md
│   ├── T1078-valid-accounts.md
│   ├── T1110-brute-force.md
│   └── T1486-data-encrypted.md
├── detections/             # Detection rules per technique
│   ├── sigma-rules/
│   └── wazuh-rules/
├── navigator/              # ATT&CK Navigator layer files
│   └── attack-layer.json
└── threat-actors/          # Known APT TTP analysis
    ├── APT28.md
    └── Lazarus-Group.md

⚔️ Attack Scenarios Mapped

Scenario Techniques Mapped Tactics Covered
Ransomware Attack Chain 11 Initial Access → Impact
Phishing Campaign 7 Reconnaissance → Persistence
Lateral Movement 8 Discovery → Collection
APT Simulation 14 Full Kill Chain

🗺️ ATT&CK Navigator Heatmap

The navigator/attack-layer.json file can be loaded directly into the MITRE ATT&CK Navigator to visualise all mapped techniques.

Colour coding:

  • 🔴 Red — Confirmed technique observed
  • 🟠 Orange — Suspected/likely technique
  • 🟢 Green — Detection rule exists

🔍 Detection Rules Built

Rule Technique Type Severity
Encoded PowerShell T1059.001 Sigma + Wazuh High
SSH Brute Force T1110 Sigma + Wazuh Medium
New User Created T1136 Wazuh Medium
Shadow Copy Deletion T1490 Wazuh Critical
Sudo Escalation T1548.003 Wazuh High

🕵️ Threat Actors Analysed

Actor Origin Motivation Key Techniques
APT28 Russia Espionage T1566, T1071, T1003
Lazarus Group North Korea Financial/Espionage T1486, T1041, T1059

🧠 Key Skills Demonstrated

  • MITRE ATT&CK framework (v14) — Enterprise matrix
  • Adversary TTP analysis and kill chain mapping
  • Sigma rule writing for cross-platform detection
  • Wazuh SIEM rule development with MITRE tagging
  • ATT&CK Navigator usage and layer creation
  • Threat actor profiling and TTP documentation

🔗 Related Portfolio Projects

📚 References

Part of my SOC Analyst portfolio. All scenarios are based on publicly documented attacks and used for educational purposes only.

About

MITRE ATT&CK technique mapping for real attack scenarios — SOC analyst portfolio

Topics

cybersecurity blueteam mitre-attack threat-detection security-operations soc-analyst ttp-mapping

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors