AgentSkillsCN

attack-flow

根据攻击描述或事件报告,生成符合 SITF 标准的攻击流程 JSON 文件。适用于分析供应链攻击、安全漏洞或各类安全事件时使用。

SKILL.md
--- frontmatter
name: attack-flow
description: Generate SITF-compliant attack flow JSON files from attack descriptions or incident reports. Use when analyzing supply chain attacks, breaches, or security incidents.
argument-hint: <attack-name> [websearch|url]
tools: Read, Grep, Glob, WebSearch, WebFetch, Write, Bash

Attack Flow Generator

Generate SITF-compliant attack flow JSON files from attack descriptions or incident reports.

Usage

code
/attack-flow <attack-name> [source]
  • attack-name: Identifier for the attack (e.g., "s1ngularity", "solarwinds")
  • source: URL, "websearch" for auto-research, or omit to use conversation context

Arguments: $ARGUMENTS

Instructions

When this skill is invoked:

Phase 1: Research

  1. If source is "websearch" or a URL, gather attack details:

    • Attack timeline and phases
    • Entry point and initial access method
    • Lateral movement and persistence techniques
    • Data exfiltration or impact
    • Affected components (CI/CD, VCS, Registry, Endpoint, Production)
  2. If source is omitted, use context from the current conversation.

Phase 2: Technique Mapping

  1. Read techniques.json to get the full technique library.

  2. For each attack step, find the best matching technique:

    • Match by action semantics, not surface keywords
    • Example: Uploading stolen data to repos → T-V003 (Secret Exfiltration), NOT T-V008 (Malicious Hosting)
    • Example: Accessing VCS with stolen creds → T-V001 must come BEFORE any VCS actions
  3. If no matching technique exists:

    • Create a placeholder node with "type": "technique-gap"
    • Include suggested technique metadata in the data field
    • Note in output that /technique-proposal should be run for gaps

Phase 3: Layout Calculation

Apply these layout rules:

Rule 1: Component Layout (Left-to-Right by Attack Flow)

  • Order components by their sequence in the attack chain, not by standard SITF order
  • If attack flows CI/CD → Registry → Endpoint → VCS, layout left-to-right accordingly
  • Minimum horizontal gap between components: 80-100px
  • Component x-positions: Use increments of ~300px starting from x=0

Rule 2: Technique Ordering (Top-to-Bottom)

  • Primary: Order techniques by their sequence in the attack flow
  • Secondary: Within same attack step, order by stage (Initial Access → Discovery → Post-Compromise)
  • Vertical gap between techniques: ~130-150px
  • First technique starts at y = component.y + 80

Rule 3: Technique-Component Alignment

  • Every technique node MUST be visually positioned within its parent component
  • Calculate x-position: component.x + 30
  • Validate technique.data.component matches parent component.data.componentId

Rule 4: Component Sizing

  • Height = (technique_count × 150) + 120 (padding)
  • Width = 230-250px

Rule 5: Edge Connections

  • Connect source.bottom → target.top for vertical flows within component
  • Connect source.right → target.left for cross-component flows
  • Add labels for significant transitions ("Second wave", etc.)
  • Use "type": "smoothstep" for all edges

Phase 4: JSON Generation

Generate the attack flow JSON with this structure:

json
{
  "metadata": {
    "name": "Attack Name",
    "created": "ISO-8601 timestamp",
    "version": "1.0",
    "framework": "SITF",
    "description": "Brief attack description"
  },
  "nodes": [
    // Entry points, components, techniques, exit points
  ],
  "edges": [
    // Connections between nodes
  ]
}

Node types:

  • entryPoint: Attack entry (Phishing, Vulnerability Exploit, Stolen Credentials, etc.)
  • component: SITF component container (endpoint, vcs, cicd, registry, production)
  • technique: Attack technique from techniques.json
  • technique-gap: Placeholder for missing technique (flag for /technique-proposal)
  • exitPoint: Attack outcome (Future Breach, Persistence, Secondary Supply Chain Attack, etc.)

Phase 5: Validation

Run this checklist before outputting:

code
[ ] Valid JSON structure (parse test passes)
[ ] Required fields present: metadata.{name,created,version,framework}, nodes[], edges[]
[ ] All node IDs are unique
[ ] All edge source/target reference valid node IDs
[ ] All techniques positioned within their component boundaries (x/y validation)
[ ] Techniques ordered by attack flow sequence
[ ] Initial Access techniques appear first when order is ambiguous
[ ] All technique IDs exist in techniques.json OR flagged as technique-gap
[ ] Exit points connected to terminal techniques
[ ] No orphaned nodes (every non-entry node has incoming edge)

Phase 6: Output

  1. Write the JSON file to sample-flows/<attack-name>.json
  2. Validate the JSON with Python: python3 -c "import json; json.load(open('file'))"
  3. Provide a summary table of the attack flow
  4. If any technique-gaps exist, list them and recommend running /technique-proposal

Example

code
/attack-flow s1ngularity websearch

This will:

  1. Search for s1ngularity attack details
  2. Map attack steps to SITF techniques
  3. Generate sample-flows/s1ngularity.json
  4. Output attack flow summary