Scope fix: remove mitre_attack from 24 non-incident-response skills, use sub-techniques

- Removed mitre_attack from digital-forensics, cloud-security, malware-analysis,
  endpoint-security, threat-hunting, ransomware-defense, phishing-defense, and
  security-operations subdomain skills (out of PR scope per issue #1)
- Applied sub-technique IDs where appropriate (T1566.001, T1003.001, etc.)
- Only incident-response and soc-operations skills retain mappings

skills/analyzing-malware-persistence-with-autoruns/SKILL.md

@@ -4,7 +4,6 @@ description: Use Sysinternals Autoruns to systematically identify and analyze ma
 domain: cybersecurity
 subdomain: malware-analysis
 tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response]
-mitre_attack: ["T1547", "T1053", "T1543", "T1574"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/analyzing-memory-dumps-with-volatility/SKILL.md

@@ -9,7 +9,6 @@ description: >
 domain: cybersecurity
 subdomain: malware-analysis
 tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response]
-mitre_attack: ["T1003", "T1055", "T1620", "T1574"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0

skills/analyzing-persistence-mechanisms-in-linux/SKILL.md

@@ -4,7 +4,6 @@ description: Detect and analyze Linux persistence mechanisms including crontab e
 domain: cybersecurity
 subdomain: threat-hunting
 tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response]
-mitre_attack: ["T1053", "T1543", "T1574", "T1546"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/analyzing-windows-prefetch-with-python/SKILL.md

@@ -4,7 +4,6 @@ description: Parse Windows Prefetch files using the windowsprefetch Python libra
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis]
-mitre_attack: ["T1059", "T1204", "T1036", "T1070.004"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/building-phishing-reporting-button-workflow/SKILL.md

@@ -4,7 +4,6 @@ description: Implement a phishing report button in email clients with automated
 domain: cybersecurity
 subdomain: phishing-defense
 tags: [phishing-reporting, email-security, incident-response, security-awareness, outlook, microsoft-365, soar]
-mitre_attack: ["T1566", "T1204", "T1534"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/deploying-osquery-for-endpoint-monitoring/SKILL.md

@@ -9,7 +9,6 @@ description: >
 domain: cybersecurity
 subdomain: endpoint-security
 tags: [endpoint, osquery, endpoint-monitoring, threat-hunting, fleet-management]
-mitre_attack: ["T1547", "T1053", "T1543", "T1059"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0

skills/detecting-aws-guardduty-findings-automation/SKILL.md

@@ -4,7 +4,6 @@ description: Automate AWS GuardDuty threat detection findings processing using E
 domain: cybersecurity
 subdomain: cloud-security
 tags: [aws, guardduty, eventbridge, lambda, threat-detection, automation, incident-response, siem]
-mitre_attack: ["T1078", "T1537", "T1580"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/detecting-compromised-cloud-credentials/SKILL.md

@@ -8,7 +8,6 @@ description: >
 domain: cybersecurity
 subdomain: cloud-security
 tags: [cloud-security, credential-compromise, threat-detection, guardduty, incident-response, anomaly-detection]
-mitre_attack: ["T1078", "T1528", "T1550"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/detecting-ransomware-precursors-in-network/SKILL.md

@@ -11,7 +11,6 @@ description: >
 domain: cybersecurity
 subdomain: ransomware-defense
 tags: [ransomware, detection, network-security, incident-response, defense]
-mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0

skills/extracting-credentials-from-memory-dump/SKILL.md

@@ -4,7 +4,6 @@ description: Extract cached credentials, password hashes, Kerberos tickets, and
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, credential-extraction, memory-forensics, volatility, mimikatz, password-hashes, incident-response]
-mitre_attack: ["T1003", "T1558", "T1550"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/extracting-windows-event-logs-artifacts/SKILL.md

@@ -4,7 +4,6 @@ description: Extract, parse, and analyze Windows Event Logs (EVTX) using Chainsa
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, windows-event-logs, evtx, chainsaw, hayabusa, sigma-rules, incident-response]
-mitre_attack: ["T1070", "T1059", "T1547"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/implementing-endpoint-detection-with-wazuh/SKILL.md

@@ -4,7 +4,6 @@ description: Deploy and configure Wazuh SIEM/XDR for endpoint detection includin
 domain: cybersecurity
 subdomain: security-operations
 tags: [siem, xdr, wazuh, endpoint-detection, custom-rules, incident-response]
-mitre_attack: ["T1547", "T1053", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/implementing-ransomware-backup-strategy/SKILL.md

@@ -11,7 +11,6 @@ description: >
 domain: cybersecurity
 subdomain: ransomware-defense
 tags: [ransomware, backup, incident-response, defense, recovery, immutable-storage]
-mitre_attack: ["T1486", "T1490", "T1489"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0

skills/implementing-soar-playbook-for-phishing/SKILL.md

@@ -4,7 +4,6 @@ description: Automate phishing incident response using Splunk SOAR REST API to c
 domain: cybersecurity
 subdomain: security-operations
 tags: [soar, splunk-phantom, phishing, incident-response]
-mitre_attack: ["T1566", "T1204", "T1534", "T1598"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/investigating-phishing-email-incident/SKILL.md

@@ -8,7 +8,7 @@ description: >
 domain: cybersecurity
 subdomain: soc-operations
 tags: [soc, phishing, incident-response, email-security, splunk, defender, sandbox]
-mitre_attack: ["T1566", "T1204", "T1534", "T1598"]
+mitre_attack: ["T1566.001", "T1566.002", "T1204.001", "T1598.003"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/investigating-ransomware-attack-artifacts/SKILL.md

@@ -4,7 +4,6 @@ description: Identify, collect, and analyze ransomware attack artifacts to deter
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, ransomware, malware-analysis, incident-response, encryption-recovery, evidence-collection]
-mitre_attack: ["T1486", "T1490", "T1489", "T1570"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/performing-cloud-forensics-investigation/SKILL.md

@@ -4,7 +4,6 @@ description: Conduct forensic investigations in cloud environments by collecting
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, cloud-forensics, aws, azure, gcp, incident-response, log-analysis]
-mitre_attack: ["T1078", "T1537", "T1580"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md

@@ -4,7 +4,6 @@ description: Perform forensic investigation of AWS environments using CloudTrail
 domain: cybersecurity
 subdomain: cloud-security
 tags: [cloud-security, aws, cloudtrail, forensics, incident-response, dfir, boto3, s3]
-mitre_attack: ["T1078", "T1098", "T1537", "T1562"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md

@@ -4,7 +4,6 @@ description: Enrich malware file hashes using the VirusTotal API to retrieve det
 domain: cybersecurity
 subdomain: threat-intelligence
 tags: [virustotal, malware-analysis, hash-enrichment, ioc, threat-intelligence, triage, api, detection]
-mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/performing-malware-persistence-investigation/SKILL.md

@@ -4,7 +4,6 @@ description: Systematically investigate all persistence mechanisms on Windows an
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, malware-persistence, autoruns, registry, scheduled-tasks, rootkit-detection, incident-response]
-mitre_attack: ["T1547", "T1053", "T1543", "T1574"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md

@@ -4,7 +4,6 @@ description: Analyze memory dumps using Volatility3 plugins to detect injected c
 domain: cybersecurity
 subdomain: malware-analysis
 tags: [memory-forensics, volatility3, malware-analysis, incident-response, process-injection, rootkit-detection, dfir]
-mitre_attack: ["T1003", "T1055", "T1620"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/performing-memory-forensics-with-volatility3/SKILL.md

@@ -4,7 +4,6 @@ description: Analyze volatile memory dumps using Volatility 3 to extract running
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, memory-forensics, volatility, ram-analysis, malware-detection, incident-response]
-mitre_attack: ["T1003", "T1055", "T1620", "T1574"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0

skills/performing-ransomware-tabletop-exercise/SKILL.md

@@ -11,7 +11,6 @@ description: >
 domain: cybersecurity
 subdomain: ransomware-defense
 tags: [ransomware, incident-response, tabletop-exercise, defense, preparedness]
-mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0

skills/recovering-from-ransomware-attack/SKILL.md

@@ -11,7 +11,6 @@ description: >
 domain: cybersecurity
 subdomain: ransomware-defense
 tags: [ransomware, recovery, incident-response, backup, defense]
-mitre_attack: ["T1486", "T1490", "T1489"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0