A methodology and tooling for analyzing DFIR (Digital Forensics and Incident Response) reports and mapping observed threat actor activities to the MITRE ATT&CK framework.
Prerequisite: This project assumes you already have opencode installed and running with web fetch capabilities enabled.
This project provides:
- A systematic methodology for mapping DFIR reports to MITRE ATT&CK techniques
- Scripts to sync and maintain local MITRE ATT&CK data
- Example analyses demonstrating the methodology in practice
```text
mitre-report/
├── ATTACK/                        # MITRE ATT&CK data synchronization
│   ├── sync_mitre.py              # Python script to fetch MITRE data
│   ├── update.sh                  # Bash wrapper for sync script
│   ├── requirements.txt           # Python dependencies
│   └── data/                      # Local MITRE ATT&CK data (generated on first run)
├── examples/                      # Example analyses
│   ├── EXAMPLE-PROMPT.md          # Example prompts to trigger analysis
│   └── reports/                   # Completed example analyses
│       ├── activemq_lockbit_analysis.md
│       ├── lunar_spider_analysis.md
│       ├── lynx_ransomware_analysis.md
│       └── qilin_ransomware_mitre_analysis.md
├── ATTACK_REPORT_METHOD.md        # Detailed analysis methodology
└── LICENSE
```
To fetch the ATT&CK data for the first time:

```bash
cd ATTACK
./update.sh
```

This creates a Python virtual environment, installs the dependencies, and fetches the latest MITRE ATT&CK CTI data.
Verify the download from the project root:

```bash
ls ATTACK/data/attack-pattern/
```

You should see one directory per attack pattern (e.g., `attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c/`).
- Identify a DFIR report URL (e.g. from thedfirreport.com)
- Start opencode with web fetch enabled from inside the root project folder
- Use one of the example prompts to trigger an analysis
- Review the examples in `examples/` for reference

Example prompt:

```text
Using the instructions in ATTACK_REPORT_METHOD.md, produce a report for:
- https://thedfirreport.com/2025/12/17/cats-got-your-files-lynx-ransomware/
```
The analysis then:

- Fetches the report using opencode's web fetch capability
- Extracts key activities from each attack phase:
  - Initial Access, Execution, Persistence, Privilege Escalation
  - Defense Evasion, Credential Access, Discovery
  - Lateral Movement, Command and Control, Impact
- Maps them to MITRE techniques using the local data in `ATTACK/data/`
- Documents evidence with specific IOCs, commands, and event IDs
- Generates output following the template in `ATTACK_REPORT_METHOD.md`
| Activity | Technique ID | Technique Name |
|---|---|---|
| Exploit public-facing app | T1190 | Exploit Public-Facing Application |
| Command shell execution | T1059.003 | Windows Command Shell |
| PowerShell execution | T1059.001 | PowerShell |
| LSASS dumping | T1003.001 | LSASS Memory |
| RDP lateral movement | T1021.001 | Remote Desktop Protocol |
| SMB lateral movement | T1021.002 | SMB/Windows Admin Shares |
| Clear event logs | T1070.001 | Clear Windows Event Logs |
| Disable antivirus | T1562.001 | Disable or Modify Tools |
| Ransomware encryption | T1486 | Data Encrypted for Impact |
| Remote access software | T1219 | Remote Access Software |
See ATTACK_REPORT_METHOD.md for the complete technique mapping table.
See the examples/reports directory for completed analyses:
- activemq_lockbit_analysis.md - Apache ActiveMQ CVE-2023-46604 exploitation
- lunar_spider_analysis.md - Lunar Spider threat actor campaign
- lynx_ransomware_analysis.md - Lynx ransomware attack chain
- qilin_ransomware_mitre_analysis.md - Qilin ransomware EDR analysis
The complete step-by-step methodology is documented in ATTACK_REPORT_METHOD.md, including:
- Report parsing guidelines
- Technique mapping process
- Output format templates
- Detection opportunities
- Diamond Model analysis
- Best practices and tips
To refresh the local data later:

```bash
cd ATTACK
./update.sh
```

This fetches the latest MITRE CTI data and regenerates the local data files.
See LICENSE file for details.
When adding new analyses:
- Follow the output format in `ATTACK_REPORT_METHOD.md`
- Include specific evidence from source reports (commands, hashes, event IDs)
- Verify technique mappings against MITRE framework data
- Document uncertainty where mappings are assessed rather than confirmed
- Include sub-techniques when applicable (e.g., T1059.003 not just T1059)
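The mapping step above and the last three contribution rules can be checked mechanically before a new analysis is committed. The script below is an added example for this README, not code from the mitre-report project: it indexes the local STIX attack-pattern objects by ATT&CK id and flags any mapping row whose id is absent from the local data, revoked or deprecated, named differently from the data, placed under a tactic the technique does not belong to, or uses a parent technique where sub-techniques exist. It assumes, unverified, that `sync_mitre.py` leaves STIX 2.x attack-pattern JSON (bare objects or single-object bundles) under `ATTACK/data/attack-pattern/`; `SAMPLE_OBJECTS` and `SAMPLE_ROWS` are constructed inline so the check runs offline, and the `_ap` helper only builds those constructed objects.

```python
# Added example for this README (not mitre-report project code). Assumes, unverified, that
# sync_mitre.py leaves STIX 2.x attack-pattern JSON (bare objects or single-object bundles)
# under ATTACK/data/attack-pattern/; the sample data below is constructed for the demo.
from __future__ import annotations
import json
from pathlib import Path
from typing import Iterable

def iter_attack_patterns(root: Path) -> Iterable[dict]:
    """Yield attack-pattern objects below root (recursive, so file- or directory-per-technique works)."""
    for path in sorted(root.rglob("*.json")):
        doc = json.loads(path.read_text(encoding="utf-8"))
        for obj in doc.get("objects", [doc]):          # STIX bundle or bare object
            if obj.get("type") == "attack-pattern":
                yield obj

def attack_id(obj: dict) -> str | None:
    """Return the Txxxx or Txxxx.yyy id from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def build_index(objs: Iterable[dict]) -> dict[str, dict]:
    """Index techniques by ATT&CK id, keeping only the fields the checks use."""
    index: dict[str, dict] = {}
    for obj in objs:
        tid = attack_id(obj)
        if tid:
            index[tid] = {
                "name": obj.get("name", ""),
                "is_sub": bool(obj.get("x_mitre_is_subtechnique")),
                "revoked": bool(obj.get("revoked") or obj.get("x_mitre_deprecated")),
                "tactics": sorted(p["phase_name"] for p in obj.get("kill_chain_phases", [])
                                  if p.get("kill_chain_name") == "mitre-attack"),
            }
    return index

def check_row(index: dict[str, dict], tid: str, name: str, tactic: str | None = None) -> list[str]:
    """Return the problems with one mapping row; an empty list means the row passes."""
    tech = index.get(tid)
    if tech is None:
        return [f"{tid}: not present in local ATT&CK data"]
    problems = []
    if tech["revoked"]:
        problems.append(f"{tid}: revoked or deprecated; map to its replacement")
    # Accept either "LSASS Memory" or "OS Credential Dumping: LSASS Memory".
    if name.split(":")[-1].strip().lower() != tech["name"].lower():
        problems.append(f"{tid}: data names it {tech['name']!r}, row says {name!r}")
    if tactic and tactic.lower().replace(" ", "-") not in tech["tactics"]:
        problems.append(f"{tid}: not under tactic {tactic!r} (data: {tech['tactics']})")
    if not tech["is_sub"]:                               # parent id used where sub-techniques exist
        subs = [k for k in index if k.startswith(tid + ".")]
        if subs:
            problems.append(f"{tid}: parent used although sub-techniques exist: {subs}")
    return problems

def verify_rows(index: dict[str, dict], rows: Iterable[tuple]) -> dict[str, list[str]]:
    """rows are (activity, id, name, tactic) tuples; returns {id: problems} for the failing rows."""
    failures = {}
    for _activity, tid, name, tactic in rows:
        problems = check_row(index, tid, name, tactic)
        if problems:
            failures[tid] = problems
    return failures

def _ap(tid: str, name: str, is_sub: bool, tactics: list[str], revoked: bool = False) -> dict:
    """Constructed attack-pattern object in the STIX shape ATT&CK publishes."""
    return {"type": "attack-pattern", "id": f"attack-pattern--constructed-{tid.lower().replace('.', '-')}",
            "name": name, "x_mitre_is_subtechnique": is_sub, "revoked": revoked,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}]}

# Constructed stand-in for ATTACK/data/; the ids and names are real ATT&CK entries.
SAMPLE_OBJECTS = [
    _ap("T1059", "Command and Scripting Interpreter", False, ["execution"]),
    _ap("T1059.001", "PowerShell", True, ["execution"]),
    _ap("T1059.003", "Windows Command Shell", True, ["execution"]),
    _ap("T1003.001", "LSASS Memory", True, ["credential-access"]),
    _ap("T1486", "Data Encrypted for Impact", False, ["impact"]),
    _ap("T1086", "PowerShell", False, ["execution"], revoked=True),   # superseded by T1059.001
]
# Constructed rows in the shape of the mapping table; the last four are deliberately wrong.
SAMPLE_ROWS = [
    ("PowerShell execution", "T1059.001", "PowerShell", "Execution"),
    ("LSASS dumping", "T1003.001", "OS Credential Dumping: LSASS Memory", "Credential Access"),
    ("Command shell execution", "T1059", "Command and Scripting Interpreter", "Execution"),
    ("Ransomware encryption", "T1486", "Data Encrypted for Impact", "Execution"),
    ("PowerShell execution", "T1086", "PowerShell", "Execution"),
    ("RDP lateral movement", "T1021.001", "Remote Desktop Protocol", "Lateral Movement"),
]

if __name__ == "__main__":
    # For real data: build_index(iter_attack_patterns(Path("ATTACK/data/attack-pattern")))
    for tid, problems in verify_rows(build_index(SAMPLE_OBJECTS), SAMPLE_ROWS).items():
        print(tid, "->", "; ".join(problems))
```

Run it from the project root. To check a real analysis, replace `SAMPLE_OBJECTS` with the loader call shown in the `__main__` comment and feed `verify_rows` the rows of the analysis's technique mapping table; a row that passes every check is consistent with the synced data, while a flagged parent technique is the cue to look for the sub-technique the evidence actually supports.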