From 100361c3e5034e665c18722622c18dd796cb2f70 Mon Sep 17 00:00:00 2001 
From: MAGI Date: Tue, 17 Mar 2026 22:12:07 -0600 Subject: [PATCH] Scope fix: remove mitre_attack from 24 non-incident-response skills, use sub-techniques - Removed mitre_attack from digital-forensics, cloud-security, malware-analysis, endpoint-security, threat-hunting, ransomware-defense, phishing-defense, and security-operations subdomain skills (out of PR scope per issue #1) - Applied sub-technique IDs where appropriate (T1566.001, T1003.001, etc.) - Only incident-response and soc-operations skills retain mappings --- skills/analyzing-malware-persistence-with-autoruns/SKILL.md | 1 - skills/analyzing-memory-dumps-with-volatility/SKILL.md | 1 - skills/analyzing-persistence-mechanisms-in-linux/SKILL.md | 1 - skills/analyzing-windows-prefetch-with-python/SKILL.md | 1 - skills/building-phishing-reporting-button-workflow/SKILL.md | 1 - skills/deploying-osquery-for-endpoint-monitoring/SKILL.md | 1 - skills/detecting-aws-guardduty-findings-automation/SKILL.md | 1 - skills/detecting-compromised-cloud-credentials/SKILL.md | 1 - skills/detecting-ransomware-precursors-in-network/SKILL.md | 1 - skills/extracting-credentials-from-memory-dump/SKILL.md | 1 - skills/extracting-windows-event-logs-artifacts/SKILL.md | 1 - skills/implementing-endpoint-detection-with-wazuh/SKILL.md | 1 - skills/implementing-ransomware-backup-strategy/SKILL.md | 1 - skills/implementing-soar-playbook-for-phishing/SKILL.md | 1 - skills/investigating-phishing-email-incident/SKILL.md | 2 +- skills/investigating-ransomware-attack-artifacts/SKILL.md | 1 - skills/performing-cloud-forensics-investigation/SKILL.md | 1 - skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md | 1 - .../performing-malware-hash-enrichment-with-virustotal/SKILL.md | 1 - skills/performing-malware-persistence-investigation/SKILL.md | 1 - .../SKILL.md | 1 - skills/performing-memory-forensics-with-volatility3/SKILL.md | 1 - skills/performing-ransomware-tabletop-exercise/SKILL.md | 1 - 
skills/recovering-from-ransomware-attack/SKILL.md | 1 - 24 files changed, 1 insertion(+), 24 deletions(-) diff --git a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md index c6e4b0d4..0c61e66d 100644 --- a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md +++ b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md @@ -4,7 +4,6 @@ description: Use Sysinternals Autoruns to systematically identify and analyze ma domain: cybersecurity subdomain: malware-analysis tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response] -mitre_attack: ["T1547", "T1053", "T1543", "T1574"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-memory-dumps-with-volatility/SKILL.md b/skills/analyzing-memory-dumps-with-volatility/SKILL.md index 9035f8e1..93356ee2 100644 --- a/skills/analyzing-memory-dumps-with-volatility/SKILL.md +++ b/skills/analyzing-memory-dumps-with-volatility/SKILL.md @@ -9,7 +9,6 @@ description: > domain: cybersecurity subdomain: malware-analysis tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response] -mitre_attack: ["T1003", "T1055", "T1620", "T1574"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md index 0849bcab..1611915b 100644 --- a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md +++ b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md @@ -4,7 +4,6 @@ description: Detect and analyze Linux persistence mechanisms including crontab e domain: cybersecurity subdomain: threat-hunting tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response] -mitre_attack: ["T1053", "T1543", "T1574", "T1546"] version: "1.0" author: mahipal license: Apache-2.0 
diff --git a/skills/analyzing-windows-prefetch-with-python/SKILL.md b/skills/analyzing-windows-prefetch-with-python/SKILL.md index b6f54efa..8d817429 100644 --- a/skills/analyzing-windows-prefetch-with-python/SKILL.md +++ b/skills/analyzing-windows-prefetch-with-python/SKILL.md @@ -4,7 +4,6 @@ description: Parse Windows Prefetch files using the windowsprefetch Python libra domain: cybersecurity subdomain: digital-forensics tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis] -mitre_attack: ["T1059", "T1204", "T1036", "T1070.004"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/building-phishing-reporting-button-workflow/SKILL.md b/skills/building-phishing-reporting-button-workflow/SKILL.md index 8eac7357..9ece3dfc 100644 --- a/skills/building-phishing-reporting-button-workflow/SKILL.md +++ b/skills/building-phishing-reporting-button-workflow/SKILL.md @@ -4,7 +4,6 @@ description: Implement a phishing report button in email clients with automated domain: cybersecurity subdomain: phishing-defense tags: [phishing-reporting, email-security, incident-response, security-awareness, outlook, microsoft-365, soar] -mitre_attack: ["T1566", "T1204", "T1534"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md b/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md index 12bf02b2..7418822a 100644 --- a/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md +++ b/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md @@ -9,7 +9,6 @@ description: > domain: cybersecurity subdomain: endpoint-security tags: [endpoint, osquery, endpoint-monitoring, threat-hunting, fleet-management] -mitre_attack: ["T1547", "T1053", "T1543", "T1059"] version: 1.0.0 author: mahipal license: Apache-2.0 
diff --git a/skills/detecting-aws-guardduty-findings-automation/SKILL.md b/skills/detecting-aws-guardduty-findings-automation/SKILL.md index 8f826c23..62a99ffa 100644 --- a/skills/detecting-aws-guardduty-findings-automation/SKILL.md +++ b/skills/detecting-aws-guardduty-findings-automation/SKILL.md @@ -4,7 +4,6 @@ description: Automate AWS GuardDuty threat detection findings processing using E domain: cybersecurity subdomain: cloud-security tags: [aws, guardduty, eventbridge, lambda, threat-detection, automation, incident-response, siem] -mitre_attack: ["T1078", "T1537", "T1580"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/detecting-compromised-cloud-credentials/SKILL.md b/skills/detecting-compromised-cloud-credentials/SKILL.md index 5d56505d..8ad595a4 100644 --- a/skills/detecting-compromised-cloud-credentials/SKILL.md +++ b/skills/detecting-compromised-cloud-credentials/SKILL.md @@ -8,7 +8,6 @@ description: > domain: cybersecurity subdomain: cloud-security tags: [cloud-security, credential-compromise, threat-detection, guardduty, incident-response, anomaly-detection] -mitre_attack: ["T1078", "T1528", "T1550"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/detecting-ransomware-precursors-in-network/SKILL.md b/skills/detecting-ransomware-precursors-in-network/SKILL.md index c7881cec..87c096c7 100644 --- a/skills/detecting-ransomware-precursors-in-network/SKILL.md +++ b/skills/detecting-ransomware-precursors-in-network/SKILL.md @@ -11,7 +11,6 @@ description: > domain: cybersecurity subdomain: ransomware-defense tags: [ransomware, detection, network-security, incident-response, defense] -mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/extracting-credentials-from-memory-dump/SKILL.md b/skills/extracting-credentials-from-memory-dump/SKILL.md index ca676d16..f0e60b50 100644 --- a/skills/extracting-credentials-from-memory-dump/SKILL.md 
+++ b/skills/extracting-credentials-from-memory-dump/SKILL.md @@ -4,7 +4,6 @@ description: Extract cached credentials, password hashes, Kerberos tickets, and domain: cybersecurity subdomain: digital-forensics tags: [forensics, credential-extraction, memory-forensics, volatility, mimikatz, password-hashes, incident-response] -mitre_attack: ["T1003", "T1558", "T1550"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/extracting-windows-event-logs-artifacts/SKILL.md b/skills/extracting-windows-event-logs-artifacts/SKILL.md index 0a71c8d9..195136a0 100644 --- a/skills/extracting-windows-event-logs-artifacts/SKILL.md +++ b/skills/extracting-windows-event-logs-artifacts/SKILL.md @@ -4,7 +4,6 @@ description: Extract, parse, and analyze Windows Event Logs (EVTX) using Chainsa domain: cybersecurity subdomain: digital-forensics tags: [forensics, windows-event-logs, evtx, chainsaw, hayabusa, sigma-rules, incident-response] -mitre_attack: ["T1070", "T1059", "T1547"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/implementing-endpoint-detection-with-wazuh/SKILL.md b/skills/implementing-endpoint-detection-with-wazuh/SKILL.md index cbd291fb..79275208 100644 --- a/skills/implementing-endpoint-detection-with-wazuh/SKILL.md +++ b/skills/implementing-endpoint-detection-with-wazuh/SKILL.md @@ -4,7 +4,6 @@ description: Deploy and configure Wazuh SIEM/XDR for endpoint detection includin domain: cybersecurity subdomain: security-operations tags: [siem, xdr, wazuh, endpoint-detection, custom-rules, incident-response] -mitre_attack: ["T1547", "T1053", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/implementing-ransomware-backup-strategy/SKILL.md b/skills/implementing-ransomware-backup-strategy/SKILL.md index 0390e648..8912a6dd 100644 --- a/skills/implementing-ransomware-backup-strategy/SKILL.md +++ b/skills/implementing-ransomware-backup-strategy/SKILL.md 
@@ -11,7 +11,6 @@ description: > domain: cybersecurity subdomain: ransomware-defense tags: [ransomware, backup, incident-response, defense, recovery, immutable-storage] -mitre_attack: ["T1486", "T1490", "T1489"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/implementing-soar-playbook-for-phishing/SKILL.md b/skills/implementing-soar-playbook-for-phishing/SKILL.md index 15d1a54c..f914f665 100644 --- a/skills/implementing-soar-playbook-for-phishing/SKILL.md +++ b/skills/implementing-soar-playbook-for-phishing/SKILL.md @@ -4,7 +4,6 @@ description: Automate phishing incident response using Splunk SOAR REST API to c domain: cybersecurity subdomain: security-operations tags: [soar, splunk-phantom, phishing, incident-response] -mitre_attack: ["T1566", "T1204", "T1534", "T1598"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/investigating-phishing-email-incident/SKILL.md b/skills/investigating-phishing-email-incident/SKILL.md index 7bc1a517..6950fb49 100644 --- a/skills/investigating-phishing-email-incident/SKILL.md +++ b/skills/investigating-phishing-email-incident/SKILL.md @@ -8,7 +8,7 @@ description: > domain: cybersecurity subdomain: soc-operations tags: [soc, phishing, incident-response, email-security, splunk, defender, sandbox] -mitre_attack: ["T1566", "T1204", "T1534", "T1598"] +mitre_attack: ["T1566.001", "T1566.002", "T1204.001", "T1598.003"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/investigating-ransomware-attack-artifacts/SKILL.md b/skills/investigating-ransomware-attack-artifacts/SKILL.md index 6943c0ba..74f4f223 100644 --- a/skills/investigating-ransomware-attack-artifacts/SKILL.md +++ b/skills/investigating-ransomware-attack-artifacts/SKILL.md 
@@ -4,7 +4,6 @@ description: Identify, collect, and analyze ransomware attack artifacts to deter domain: cybersecurity subdomain: digital-forensics tags: [forensics, ransomware, malware-analysis, incident-response, encryption-recovery, evidence-collection] -mitre_attack: ["T1486", "T1490", "T1489", "T1570"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-cloud-forensics-investigation/SKILL.md b/skills/performing-cloud-forensics-investigation/SKILL.md index 3f7bb958..268a39c0 100644 --- a/skills/performing-cloud-forensics-investigation/SKILL.md +++ b/skills/performing-cloud-forensics-investigation/SKILL.md @@ -4,7 +4,6 @@ description: Conduct forensic investigations in cloud environments by collecting domain: cybersecurity subdomain: digital-forensics tags: [forensics, cloud-forensics, aws, azure, gcp, incident-response, log-analysis] -mitre_attack: ["T1078", "T1537", "T1580"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md b/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md index 7c1dabc7..6c2536e7 100644 --- a/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md +++ b/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md @@ -4,7 +4,6 @@ description: Perform forensic investigation of AWS environments using CloudTrail domain: cybersecurity subdomain: cloud-security tags: [cloud-security, aws, cloudtrail, forensics, incident-response, dfir, boto3, s3] -mitre_attack: ["T1078", "T1098", "T1537", "T1562"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md b/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md index e307bab7..baaa76d5 100644 --- a/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md +++ b/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md 
@@ -4,7 +4,6 @@ description: Enrich malware file hashes using the VirusTotal API to retrieve det domain: cybersecurity subdomain: threat-intelligence tags: [virustotal, malware-analysis, hash-enrichment, ioc, threat-intelligence, triage, api, detection] -mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-malware-persistence-investigation/SKILL.md b/skills/performing-malware-persistence-investigation/SKILL.md index 647ce2c7..738c1432 100644 --- a/skills/performing-malware-persistence-investigation/SKILL.md +++ b/skills/performing-malware-persistence-investigation/SKILL.md @@ -4,7 +4,6 @@ description: Systematically investigate all persistence mechanisms on Windows an domain: cybersecurity subdomain: digital-forensics tags: [forensics, malware-persistence, autoruns, registry, scheduled-tasks, rootkit-detection, incident-response] -mitre_attack: ["T1547", "T1053", "T1543", "T1574"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md b/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md index 1da74d8d..5ab93348 100644 --- a/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md +++ b/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md @@ -4,7 +4,6 @@ description: Analyze memory dumps using Volatility3 plugins to detect injected c domain: cybersecurity subdomain: malware-analysis tags: [memory-forensics, volatility3, malware-analysis, incident-response, process-injection, rootkit-detection, dfir] -mitre_attack: ["T1003", "T1055", "T1620"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-memory-forensics-with-volatility3/SKILL.md b/skills/performing-memory-forensics-with-volatility3/SKILL.md index 9ea9591b..ccc5cd98 100644 --- a/skills/performing-memory-forensics-with-volatility3/SKILL.md 
+++ b/skills/performing-memory-forensics-with-volatility3/SKILL.md @@ -4,7 +4,6 @@ description: Analyze volatile memory dumps using Volatility 3 to extract running domain: cybersecurity subdomain: digital-forensics tags: [forensics, memory-forensics, volatility, ram-analysis, malware-detection, incident-response] -mitre_attack: ["T1003", "T1055", "T1620", "T1574"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-ransomware-tabletop-exercise/SKILL.md b/skills/performing-ransomware-tabletop-exercise/SKILL.md index dab637d7..0e53a479 100644 --- a/skills/performing-ransomware-tabletop-exercise/SKILL.md +++ b/skills/performing-ransomware-tabletop-exercise/SKILL.md @@ -11,7 +11,6 @@ description: > domain: cybersecurity subdomain: ransomware-defense tags: [ransomware, incident-response, tabletop-exercise, defense, preparedness] -mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/recovering-from-ransomware-attack/SKILL.md b/skills/recovering-from-ransomware-attack/SKILL.md index 764c8120..f232c90e 100644 --- a/skills/recovering-from-ransomware-attack/SKILL.md +++ b/skills/recovering-from-ransomware-attack/SKILL.md @@ -11,7 +11,6 @@ description: > domain: cybersecurity subdomain: ransomware-defense tags: [ransomware, recovery, incident-response, backup, defense] -mitre_attack: ["T1486", "T1490", "T1489"] version: 1.0.0 author: mahipal license: Apache-2.0
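Review bot: in the skills/investigating-phishing-email-incident/SKILL.md hunk, the replacement line `+mitre_attack: ["T1566.001", "T1566.002", "T1204.001", "T1598.003"]` silently drops T1534 (Internal Spearphishing) from the previous list, and neither the subject nor the body mentions that removal; since T1534 has no sub-techniques it would normally stay as a parent ID, so either keep it or state why it is gone. The pairing is also uneven: T1566.001 (Spearphishing Attachment) is retained, but only T1204.001 (Malicious Link) is listed for user execution; if the skill covers attachment detonation (the tags include sandbox), T1204.002 (Malicious File) is the matching sub-technique. Finally, the commit body cites T1003.001 as an applied sub-technique, but no hunk in this patch adds T1003.001; this hunk is the only sub-technique change, so the body should list just the four IDs actually introduced.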
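Review bot: the skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md hunk removes `mitre_attack: ["T1190", "T1059", "T1078"]` from a file whose front matter reads `subdomain: threat-intelligence`, which is not one of the subdomains the commit body lists as out of scope (digital-forensics, cloud-security, malware-analysis, endpoint-security, threat-hunting, ransomware-defense, phishing-defense, security-operations). Either add threat-intelligence to that list in the commit body so the scope rule is explicit, or drop this hunk if issue #1 does not cover it.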
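Review bot: the subject line says mitre_attack was removed from 24 skills, but the diffstat shows 24 files changed with 23 hunks that delete the key and one (skills/investigating-phishing-email-incident/SKILL.md) that rewrites it; the body's last bullet already treats that soc-operations skill as retaining its mapping, so the subject should say 23 removals plus one rewrite to match the hunks.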