DEV Community

Sanketh Subhas

Posted on • Originally published at Medium

How I Built a MITRE ATT&CK Threat Mapping Dashboard in Python

Mapping attack indicators to adversary techniques without any external libraries

When I started studying for SOC analyst roles, I kept running into the same gap: I could identify that something was malicious, but I couldn't systematically connect it to where it sat in an attacker's kill chain. That's exactly what MITRE ATT&CK solves and exactly why I built this tool.

The Problem
Security logs are noisy. A single incident can generate hundreds of events: failed logins, encoded PowerShell commands, outbound beacons, lateral movement attempts. The challenge isn't detecting that something happened. It's answering: what stage of the attack is this? How severe? What else might be coming next?
That's the job of ATT&CK mapping. And doing it manually during an incident is slow and error-prone.

What I Built
The MITRE ATT&CK Threat Mapping Dashboard is a Python CLI tool that takes input from a log file, raw text, or a built-in attack scenario and maps it to MITRE ATT&CK tactics and techniques automatically.
Here's what it produces:

Kill chain visualization: a live view of which of the 14 ATT&CK tactics are active
35+ technique mappings across all tactic stages
Severity ratings — CRITICAL / HIGH / MEDIUM / LOW per technique
JSON export — machine-readable output for SIEM integration (Splunk, Elastic, Sentinel)

And the entire thing runs on Python's standard library — re, json, argparse, collections. No pip installs. No dependencies. Just clone and run.

How It Works
The core of the tool is a technique signature database. Each ATT&CK technique (T-number, name, tactic, severity, description) is paired with a set of regex patterns — keywords and indicators that suggest that technique is present.
When you pass input to the tool, it runs every signature against the text and returns matches with their tactic context and severity.
```bash
python3 mitre_mapper.py --scenario ransomware
python3 mitre_mapper.py --file /var/log/auth.log
python3 mitre_mapper.py --text "mimikatz powershell encoded cobalt strike"
python3 mitre_mapper.py --scenario apt --output report.json
```


The kill chain output makes it immediately clear which attack stages are active:

```text
▶ Credential Access ██ T1110, T1003
▶ Lateral Movement █ T1021
▶ Command and Control █ T1071
▶ Impact █ T1486
```

A blank stage means no indicators detected. A filled stage means something matched — and you can drill into exactly what.

ATT&CK Coverage
The tool covers all 14 Enterprise ATT&CK tactics:

| Tactic | Sample Techniques |
| --- | --- |
| Initial Access | Phishing, Valid Accounts, Remote Services |
| Execution | PowerShell, Scheduled Tasks, User Execution |
| Persistence | Autostart, Web Shells, Account Creation |
| Credential Access | Mimikatz, Brute Force, MITM |
| Lateral Movement | EternalBlue, SMB, Remote Services |
| Impact | Ransomware, Data Destruction, Service Stop |

...and 8 more tactics with full technique coverage.

The Three Built-in Scenarios
I added three pre-built attack scenarios so you can see the tool in action without needing a live log file:
Ransomware — maps credential dumping, encryption, C2 beaconing, and lateral movement. Produces 10 technique matches across 9 tactics.
APT (Advanced Persistent Threat) — simulates a nation-state style intrusion with reconnaissance, spearphishing, privilege escalation, and long-term persistence.
Web Attack — covers SQL injection, web shell deployment, reverse shell activity, and data exfiltration via HTTP.
Each scenario is designed to reflect real-world attack patterns documented in MITRE's threat actor profiles.

Why This Matters for SOC Work
This project directly mirrors what analysts do during triage:
Threat hunting — you paste a suspicious log snippet and immediately see which ATT&CK techniques are present, instead of manually cross-referencing the framework.
Incident response — when an incident is active, the kill chain view tells you what stage the attacker is at and what's likely coming next.
SOC triage — severity ratings (CRITICAL down to LOW) let you prioritize which detections need immediate attention vs. monitoring.
Purple team exercises — red team operators can map their own activity to ATT&CK and hand it to blue team as a detection coverage checklist.
SIEM integration — the JSON export flag (--output report.json) produces structured output that a Splunk, Elastic, or Sentinel ingest pipeline can consume.

What I Learned
Building this forced me to actually read the ATT&CK framework in depth — not just know it exists, but understand how tactics relate to each other sequentially, how techniques nest under tactics, and how real-world indicators map to T-numbers.
The regex-based approach also taught me something practical: most ATT&CK indicators in logs aren't subtle. mimikatz, encoded command, your files have been encrypted — attackers leave fingerprints. The skill is knowing where to look and what it means when you find it.

Try It Yourself
GitHub: github.com/SankethSubhas/mitre-attack-threat-mapper
```bash
git clone https://github.com/SankethSubhas/mitre-attack-threat-mapper.git
cd mitre-attack-threat-mapper
python3 mitre_mapper.py --scenario apt
```
All 8 of my open-source cybersecurity tools are on my portfolio at sankethsubhas.pages.dev
