
ATT&CK Heatmap

Python CLI that ingests live threat feeds, maps malware activity to MITRE ATT&CK techniques, checks Sigma and mthcht detection-list coverage, queries D3FEND for countermeasure suggestions, and outputs a prioritized gap report plus an ATT&CK Navigator layer.

Tags: Threat Intelligence, MITRE ATT&CK, Sigma, Python, CTI, SOC, D3FEND, CISA KEV

Overview

What it does

Threat feeds give you hashes, URLs, IPs, and malware names. Useful, but they leave a practical question open: which ATT&CK techniques are showing up in the data, and do your detections cover them?

ATT&CK Heatmap closes that gap in one CLI run. It pulls current feed data, maps malware families to ATT&CK techniques, checks coverage across Sigma rules and detection lists, and writes two files:

$ python main.py --feeds feodo malwarebazaar --kev --detection-lists --d3fend

outputs/gaps.md
outputs/layer.json

gaps.md gives a ranked view of uncovered techniques with source-feed context, priority labels, detection-list attribution, and D3FEND countermeasure suggestions. layer.json loads directly into ATT&CK Navigator.

Pipeline

Live feeds (ThreatFox, Feodo, MalwareBazaar, URLhaus, YARAify)
    + CISA KEV (ATT&CK IDs direct from CTID mapping)
    + optional VirusTotal enrichment
         ↓
ATT&CK Mapper (malware family → technique IDs via STIX)
         ↓
Coverage diff:
  Sigma rules (sigma/rules/**/*.yml)
  + mthcht detection lists (15 curated lists, no API key)
         ↓
TIE ranking + D3FEND countermeasure lookup
         ↓
outputs/gaps.md          outputs/layer.json
(ranked gap report       (Navigator heatmap)
 with D3FEND section)

Feature status

Feature                                              Status
ThreatFox live feed                                  Live
Feodo Tracker C2 blocklist                           Live
MalwareBazaar feed                                   Live
URLhaus feed                                         Live
YARAify feed                                         Live
CISA KEV feed (flag --kev)                           Live
mitreattack-python STIX mapper                       Live
Sigma rule coverage loader                           Live
mthcht detection lists (flag --detection-lists)      Live
MITRE D3FEND countermeasures (flag --d3fend)         Live
ATT&CK Navigator JSON output                         Live
Rich CLI output                                      Live
VirusTotal enrichment                                Live
CTID-derived gap ranking                             Live
ATT&CK v18 AN-series analytics                       Live

CISA KEV feed

CISA's Known Exploited Vulnerabilities catalogue is public and requires no API key. The feed carries ATT&CK technique IDs from the CTID KEV-ATT&CK mapping, so KEV entries bypass the STIX family-lookup step and contribute technique IDs directly to the active set.

This adds a different signal than malware family feeds. CVE-2021-44228 (Log4Shell) maps to T1190. CVE-2017-0144 (EternalBlue) maps to T1210. Those techniques may or may not appear from ThreatFox on any given day — having a second authoritative source helps fill that gap.

mthcht detection lists

Sigma rules cover what your rule set includes. The --detection-lists flag fetches 15 curated lists from mthcht/awesome-lists and maps each one to its ATT&CK techniques: suspicious named pipes, LOLDrivers hashes, HijackLibs DLL paths, ransomware extensions, offensive tool keywords, and more.

The covered-techniques table in gaps.md gains a "Detection Source" column so you can see at a glance whether a technique is covered by a Sigma rule, a detection list, or both.

D3FEND countermeasures

For each top gap technique, the --d3fend flag queries the public MITRE D3FEND API and adds a countermeasures section to gaps.md. The output tells you not just "T1071 is uncovered" but which defensive techniques address it, linked directly to the D3FEND knowledge base. D3FEND covers 309 ATT&CK techniques mapped to 3,109 countermeasures.

Design decisions

Stateless CLI, not a platform. Runs on demand or on a schedule. No database, no frontend.

Two coverage layers. Sigma rules cover what you have written. Detection lists cover what the security community has catalogued. Both matter; neither replaces the other.

CISA KEV as a direct-technique feed. KEVs do not carry malware family names, so the STIX mapper would fail on them. The pipeline has a separate path: entries that already carry technique IDs skip the mapper entirely.

D3FEND as triage support, not a prescription. The countermeasures in the report are suggestions. Some will already be in place. The value is having the answer in the same document as the gap, so you do not have to cross-reference the D3FEND site manually for every uncovered technique.

Artifact-first output. The markdown report is readable in GitHub and includes everything needed for a review. The Navigator layer is ready to open without any extra steps.

Objectives

  • Pull current malware and infrastructure data from live threat feeds
  • Map observed malware families to MITRE ATT&CK techniques
  • Ingest CISA KEV entries with their ATT&CK mappings directly — no family lookup needed
  • Compare observed techniques against Sigma rules and mthcht detection lists to surface blind spots
  • Suggest MITRE D3FEND countermeasures for the top uncovered techniques
  • Prioritize gaps and export artifacts that are ready to open or share

Tools Used

Python 3.11, mitreattack-python, ThreatFox API (abuse.ch), Feodo Tracker (abuse.ch), MalwareBazaar, URLhaus, YARAify, CISA KEV + CTID ATT&CK mapping, mthcht/awesome-lists detection lists, VirusTotal API v3, MITRE D3FEND API, SigmaHQ, ATT&CK Navigator, Rich CLI

Methodology

  1. Built a modular feed ingestion layer for ThreatFox, Feodo, MalwareBazaar, URLhaus, and YARAify
  2. Added CISA KEV as a direct-technique feed: entries carry ATT&CK IDs from the CTID KEV-ATT&CK mapping and bypass the STIX mapper
  3. Used mitreattack-python with the ATT&CK STIX bundle to map malware families to technique IDs
  4. Added optional VirusTotal enrichment for IOCs missing malware-family context
  5. Loaded Sigma coverage by scanning attack.tXXXX tags across local rule directories
  6. Added a second coverage layer from 15 mthcht/awesome-lists detection lists (named pipes, LOLDrivers, HijackLibs, ransomware extensions, and more)
  7. Queried the public MITRE D3FEND API for countermeasures covering top gap techniques
  8. Ranked uncovered techniques with a CTID-derived relevance score and exported a Navigator layer plus Markdown report
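The coverage diff at the centre of the pipeline and of methodology steps 2, 3, 5 and 8, as an added illustration in Python that is not the project's own code: it scans constructed Sigma rule text for attack.tXXXX tags, resolves feed entries through a stand-in family map while KEV entries that already carry technique IDs bypass it, ranks the uncovered techniques, and emits an ATT&CK Navigator layer. SIGMA_RULES, FEED_ENTRIES, FAMILY_MAP and the ranking by feed count are assumptions standing in for local rule directories, live feeds, the STIX lookup and the TIE score.

```python
import re
from typing import Dict, List, Set

# Constructed sample Sigma rule texts (not SigmaHQ rules); only the tags matter here.
SIGMA_RULES = {
    "proc_creation_win_susp_powershell.yml": "title: Suspicious PowerShell\ntags:\n  - attack.execution\n  - attack.t1059.001\n",
    "web_exploit_generic.yml": "title: Generic web exploit\ntags:\n  - attack.initial_access\n",  # tactic tag only
}
# Constructed feed observations. Family-keyed entries go through the mapper;
# KEV entries already carry technique IDs and skip it (the direct-technique path).
FEED_ENTRIES = [
    {"source": "threatfox", "family": "Emotet"},
    {"source": "feodo", "family": "QakBot"},
    {"source": "kev", "cve": "CVE-2021-44228", "techniques": ["T1190"]},
]
# Constructed stand-in for the STIX family -> technique lookup (hypothetical values).
FAMILY_MAP = {"Emotet": ["T1059", "T1071"], "QakBot": ["T1055", "T1071"]}
# attack.t1059.001 -> T1059: sub-technique tags are collapsed to the parent (an assumption).
TECH_TAG = re.compile(r"attack\.(t\d{4})(?:\.\d{3})?", re.IGNORECASE)

def sigma_coverage(rules: Dict[str, str]) -> Set[str]:
    """Scan Sigma rule text for attack.tXXXX tags and return the covered technique IDs."""
    return {m.group(1).upper() for text in rules.values() for m in TECH_TAG.finditer(text)}

def active_techniques(entries: List[dict]) -> Dict[str, Set[str]]:
    """Resolve each feed entry to technique IDs; returns technique -> feeds that surfaced it."""
    active: Dict[str, Set[str]] = {}
    for entry in entries:
        ids = entry.get("techniques") or FAMILY_MAP.get(entry.get("family", ""), [])
        for tid in ids:
            active.setdefault(tid, set()).add(entry["source"])
    return active

def coverage_gaps(active: Dict[str, Set[str]], covered: Set[str]) -> List[str]:
    """Uncovered techniques ranked by number of reporting feeds (stand-in for the TIE score)."""
    return sorted((t for t in active if t not in covered), key=lambda t: (-len(active[t]), t))

def navigator_layer(active: Dict[str, Set[str]], covered: Set[str]) -> dict:
    """Build an ATT&CK Navigator layer: green = active and covered, red = active and uncovered."""
    techniques = [
        {"techniqueID": tid, "score": len(sources), "comment": "sources: " + ", ".join(sorted(sources)),
         "color": "#8ec843" if tid in covered else "#ff6666"}
        for tid, sources in sorted(active.items())
    ]
    return {"name": "ATT&CK Heatmap", "domain": "enterprise-attack",
            "versions": {"layer": "4.5", "navigator": "5.0.0"},  # version strings assumed
            "techniques": techniques}
```

Writing the returned dict with json.dump to outputs/layer.json gives a file the Navigator can open directly; coverage_gaps supplies the order for the ranked section of gaps.md.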

MITRE ATT&CK Mapping

Technique | Tactic | Description
T1071 - Application Layer Protocol | Command and Control | Commonly active in Feodo C2 blocklist feed — frequently uncovered by Sigma
T1055 - Process Injection | Defense Evasion, Privilege Escalation | Mapped from ThreatFox malware families via ATT&CK STIX bundle
T1059 - Command and Scripting Interpreter | Execution | High-frequency active technique across live feeds
T1190 - Exploit Public-Facing Application | Initial Access | Contributed by CISA KEV entries (Log4Shell, EternalBlue, and others)
T1486 - Data Encrypted for Impact | Impact | Surfaced by mthcht ransomware extensions and ransom note detection lists

Key Findings

  • Current threat feeds can be turned into a practical ATT&CK coverage check instead of a pile of disconnected IOCs
  • CISA KEV adds a government-authoritative signal that complements malware family feeds — different techniques surface depending on the source
  • mthcht detection lists cover techniques that local Sigma libraries often miss, particularly around ransomware behavior and BYOVD
  • D3FEND countermeasure output makes the gap report actionable — each uncovered technique links to specific defensive techniques rather than just a gap label
  • A stateless CLI is enough for this workflow; no database or web app needed