From 15d53bd09bf521539bbe45d56e9cf5a0d37217be Mon Sep 17 00:00:00 2001 From: MAGI Date: Wed, 18 Mar 2026 10:39:19 -0600 Subject: [PATCH] Fix MITRE ATT&CK mappings per CodeRabbit review: align techniques to skill content - analyzing-malware-persistence-with-autoruns: add persistence techniques T1547, T1053, T1543, T1546 - analyzing-memory-dumps-with-volatility: add memory forensics techniques T1055, T1003, T1059, T1620 - analyzing-persistence-mechanisms-in-linux: add Linux-specific sub-techniques T1053.003, T1543.002, T1574.006, T1546.004 - analyzing-windows-prefetch-with-python: add execution techniques T1059, T1204, T1036 - building-incident-response-dashboard: remove misaligned mitre_attack (dashboard is a visibility tool) - building-phishing-reporting-button-workflow: add phishing techniques T1566, T1204, T1534 - deobfuscating-powershell-obfuscated-malware: add PowerShell/obfuscation techniques T1059.001, T1027, T1140 --- skills/analyzing-malware-persistence-with-autoruns/SKILL.md | 1 + skills/analyzing-memory-dumps-with-volatility/SKILL.md | 1 + skills/analyzing-persistence-mechanisms-in-linux/SKILL.md | 1 + skills/analyzing-windows-prefetch-with-python/SKILL.md | 1 + skills/building-incident-response-dashboard/SKILL.md | 1 - skills/building-phishing-reporting-button-workflow/SKILL.md | 1 + skills/deobfuscating-powershell-obfuscated-malware/SKILL.md | 1 + 7 files changed, 6 insertions(+), 1 deletion(-) diff --git a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md index 0c61e66d..29e03be7 100644 --- a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md +++ b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md 
@@ -4,6 +4,7 @@ description: Use Sysinternals Autoruns to systematically identify and analyze ma domain: cybersecurity subdomain: malware-analysis tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response] +mitre_attack: ["T1547", "T1053", "T1543", "T1546"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-memory-dumps-with-volatility/SKILL.md b/skills/analyzing-memory-dumps-with-volatility/SKILL.md index 93356ee2..8681274a 100644 --- a/skills/analyzing-memory-dumps-with-volatility/SKILL.md +++ b/skills/analyzing-memory-dumps-with-volatility/SKILL.md @@ -9,6 +9,7 @@ description: > domain: cybersecurity subdomain: malware-analysis tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response] +mitre_attack: ["T1055", "T1003", "T1059", "T1620"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md index 1611915b..5d24a33c 100644 --- a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md +++ b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md @@ -4,6 +4,7 @@ description: Detect and analyze Linux persistence mechanisms including crontab e domain: cybersecurity subdomain: threat-hunting tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response] +mitre_attack: ["T1053.003", "T1543.002", "T1574.006", "T1546.004"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-windows-prefetch-with-python/SKILL.md b/skills/analyzing-windows-prefetch-with-python/SKILL.md index 8d817429..2d15cb1b 100644 --- a/skills/analyzing-windows-prefetch-with-python/SKILL.md +++ b/skills/analyzing-windows-prefetch-with-python/SKILL.md 
@@ -4,6 +4,7 @@ description: Parse Windows Prefetch files using the windowsprefetch Python libra domain: cybersecurity subdomain: digital-forensics tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis] +mitre_attack: ["T1059", "T1204", "T1036"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/building-incident-response-dashboard/SKILL.md b/skills/building-incident-response-dashboard/SKILL.md index 999413a5..78d0cb1c 100644 --- a/skills/building-incident-response-dashboard/SKILL.md +++ b/skills/building-incident-response-dashboard/SKILL.md @@ -8,7 +8,6 @@ description: > domain: cybersecurity subdomain: soc-operations tags: [soc, dashboard, incident-response, splunk, visualization, situational-awareness, metrics] -mitre_attack: ["T1190", "T1566", "T1486"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/building-phishing-reporting-button-workflow/SKILL.md b/skills/building-phishing-reporting-button-workflow/SKILL.md index 9ece3dfc..8eac7357 100644 --- a/skills/building-phishing-reporting-button-workflow/SKILL.md +++ b/skills/building-phishing-reporting-button-workflow/SKILL.md @@ -4,6 +4,7 @@ description: Implement a phishing report button in email clients with automated domain: cybersecurity subdomain: phishing-defense tags: [phishing-reporting, email-security, incident-response, security-awareness, outlook, microsoft-365, soar] +mitre_attack: ["T1566", "T1204", "T1534"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md b/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md index bdd42af2..e218178b 100644 --- a/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md +++ b/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md 
@@ -4,6 +4,7 @@ description: Systematically deobfuscate multi-layer PowerShell malware using AST domain: cybersecurity subdomain: malware-analysis tags: [powershell, deobfuscation, malware-analysis, scripting, obfuscation, ast-analysis, incident-response] +mitre_attack: ["T1059.001", "T1027", "T1140"] version: "1.0" author: mahipal license: Apache-2.0
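Review bot: in the analyzing-malware-persistence-with-autoruns hunk the mapping stops at parent techniques (`T1547`, `T1053`, `T1543`, `T1546`) while the Linux persistence hunk in the same patch uses sub-techniques; since the tags already name `registry` and `startup`, the more precise entries would be `T1547.001` (Registry Run Keys / Startup Folder), `T1053.005` (Scheduled Task) and `T1543.003` (Windows Service), and `T1546` could be narrowed to whichever event-triggered locations the skill body actually walks through (for example `T1546.012` Image File Execution Options Injection or `T1546.010` AppInit DLLs). Either granularity is defensible, but the repository should pick one and apply it across all seven files rather than mixing both in one commit.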
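Review bot: in the analyzing-memory-dumps-with-volatility hunk the surrounding context shows `version: 1.0.0` (unquoted, three-part) whereas every other SKILL.md touched here carries `version: "1.0"`; not introduced by this change, but since the front matter is being edited anyway it is the moment to normalize the field. On the mapping itself, `T1003` is broad; if the skill's credential section is the usual LSASS/SAM extraction from a memory image, `T1003.001` (LSASS Memory) and `T1003.002` (Security Account Manager) say exactly what the analyst can recover, which `T1003` alone does not.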
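Review bot: in the analyzing-persistence-mechanisms-in-linux hunk the four sub-techniques line up one-to-one with the tags (crontab, systemd, ld-preload, shell configuration), which is the right level of precision. One thing to check against the skill body: `T1543.002` covers only systemd service units, so if the skill also inspects systemd timers (a common companion to unit-file persistence), `T1053.006` (Systemd Timers) belongs in the list as well.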
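Review bot: in the analyzing-windows-prefetch-with-python hunk, `T1204` (User Execution) is a questionable fit: a Prefetch entry records that a binary executed and what files it touched, not whether a user launched it, so the artifact evidences `T1059` and `T1036` but cannot on its own attribute execution to a user action. Unless the skill explicitly shows correlating Prefetch with user-driven launch evidence, drop `T1204` or note in the skill that it is inferred from other artifacts.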
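Review bot: the building-incident-response-dashboard hunk removes the mapping on the grounds that a dashboard is a visibility tool, yet the same patch keeps or adds mappings on the Prefetch, Volatility and Autoruns skills, which are also analysis and visibility tooling rather than attacker techniques. The criterion needs to be written down where the `mitre_attack` field is defined: either the field lists techniques a skill helps detect or analyze (in which case the removed `T1190`, `T1566`, `T1486` may have been legitimate if the dashboard's panels track those alert categories), or it lists techniques the skill performs (in which case the forensic skills should lose theirs too). A simple front-matter check that every entry matches `^T\d{4}(\.\d{3})?$` would also catch malformed IDs in future edits, if no such validator exists yet.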
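Review bot: in the building-phishing-reporting-button-workflow hunk, `T1534` (Internal Spearphishing) only applies if the workflow specifically handles reports of mail sent from compromised internal accounts; for a generic report button and triage pipeline the reported messages instantiate `T1566.001` (Spearphishing Attachment) and `T1566.002` (Spearphishing Link), which would be more useful than the parent `T1566` and avoid implying an internal-sender focus the description does not mention.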
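Review bot: in the deobfuscating-powershell-obfuscated-malware hunk, `T1027` has a sub-technique that covers this case exactly, `T1027.010` (Command Obfuscation), and `T1140` (Deobfuscate/Decode Files or Information) is correct only in the adversary sense, i.e. the malware decoding its own layers at runtime, not as a label for the analyst's deobfuscation work. A one-line note in the skill stating that reading would stop readers from mapping their own analysis activity to an ATT&CK technique.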