Merge pull request #26 from juliosuas/add-mitre-attack-incident-response

Add MITRE ATT&CK IDs to incident response skills (fixes #1)
2026-06-10 13:14:55 +03:00 · 2026-04-03 02:30:23 -04:00
parent a7f577b482 84b4699e59
commit 1cf19ded90
37 changed files with 37 additions and 0 deletions
@@ -4,6 +4,7 @@ description: Use Sysinternals Autoruns to systematically identify and analyze ma
 domain: cybersecurity
 subdomain: malware-analysis
 tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response]
+mitre_attack: ["T1547", "T1053", "T1543", "T1546"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -9,6 +9,7 @@ description: >
 domain: cybersecurity
 subdomain: malware-analysis
 tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response]
+mitre_attack: ["T1055", "T1003", "T1059", "T1620"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [network-forensics, PCAP-analysis, Wireshark, Zeek, traffic-analysis]
+mitre_attack: ["T1071", "T1095", "T1573", "T1572"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Detect and analyze Linux persistence mechanisms including crontab e
 domain: cybersecurity
 subdomain: threat-hunting
 tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response]
+mitre_attack: ["T1053.003", "T1543.002", "T1574.006", "T1546.004"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [splunk, SPL, SIEM, log-analysis, security-monitoring]
+mitre_attack: ["T1070", "T1562", "T1059"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Parse Windows Prefetch files using the windowsprefetch Python libra
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis]
+mitre_attack: ["T1059", "T1204", "T1036"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [IR-playbook, runbook, NIST-800-61, SOAR-integration, response-procedures]
+mitre_attack: ["T1190", "T1566", "T1078"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Build collaborative forensic incident timelines using Timesketch to
 domain: cybersecurity
 subdomain: incident-response
 tags: [timesketch, timeline-analysis, forensic-timeline, plaso, dfir, incident-investigation, collaborative-forensics]
+mitre_attack: ["T1070", "T1059", "T1053"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Build structured communication templates for malware incidents incl
 domain: cybersecurity
 subdomain: incident-response
 tags: [incident-communication, malware-response, stakeholder-notification, crisis-communication, executive-briefing, regulatory-disclosure]
+mitre_attack: ["T1566", "T1204", "T1027"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Implement a phishing report button in email clients with automated
 domain: cybersecurity
 subdomain: phishing-defense
 tags: [phishing-reporting, email-security, incident-response, security-awareness, outlook, microsoft-365, soar]
+mitre_attack: ["T1566", "T1204", "T1534"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -8,6 +8,7 @@ description: >
 domain: cybersecurity
 subdomain: soc-operations
 tags: [soc, ransomware, incident-response, playbook, nist, mitre-attack, containment]
+mitre_attack: ["T1486", "T1490", "T1489", "T1570"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [IOC-collection, threat-indicators, STIX-TAXII, MISP, threat-intelligence-sharing]
+mitre_attack: ["T1071", "T1059", "T1547", "T1053"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Collect volatile forensic evidence from a compromised system follow
 domain: cybersecurity
 subdomain: incident-response
 tags: [incident-response, dfir, forensics, volatile-evidence, memory-forensics, chain-of-custody]
+mitre_attack: ["T1003", "T1055", "T1059", "T1547"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -9,6 +9,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [cloud-IR, AWS-forensics, Azure-incident-response, GCP-security, identity-containment]
+mitre_attack: ["T1078", "T1537", "T1580", "T1525"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [malware-response, malware-analysis, eradication, endpoint-remediation, MITRE-ATT&CK]
+mitre_attack: ["T1204", "T1027", "T1055", "T1059", "T1486"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [memory-forensics, volatility, RAM-analysis, process-injection, DFIR]
+mitre_attack: ["T1003", "T1055", "T1620", "T1574"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [phishing-response, email-security, credential-compromise, email-header-analysis, mailbox-remediation]
+mitre_attack: ["T1566", "T1204", "T1534", "T1598"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Facilitate structured post-incident reviews to identify root causes
 domain: cybersecurity
 subdomain: incident-response
 tags: [incident-response, lessons-learned, post-incident, after-action-review, process-improvement]
+mitre_attack: ["T1190", "T1566", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [breach-containment, lateral-movement, network-isolation, credential-revocation, live-response]
+mitre_attack: ["T1021", "T1570", "T1210", "T1072"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Systematically deobfuscate multi-layer PowerShell malware using AST
 domain: cybersecurity
 subdomain: malware-analysis
 tags: [powershell, deobfuscation, malware-analysis, scripting, obfuscation, ast-analysis, incident-response]
+mitre_attack: ["T1059.001", "T1027", "T1140"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -9,6 +9,7 @@ description: >
 domain: cybersecurity
 subdomain: endpoint-security
 tags: [endpoint, osquery, endpoint-monitoring, threat-hunting, fleet-management]
+mitre_attack: ["T1547", "T1049", "T1620", "T1053.003", "T1548.001", "T1552"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Detect compromised O365 and Google Workspace email accounts by anal
 domain: cybersecurity
 subdomain: incident-response
 tags: [email-compromise, office365, microsoft-graph, bec, inbox-rules, sign-in-analysis, account-takeover]
+mitre_attack: ["T1114", "T1566", "T1078", "T1534"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Systematically remove malware, backdoors, and attacker persistence
 domain: cybersecurity
 subdomain: incident-response
 tags: [incident-response, eradication, malware-removal, persistence, dfir]
+mitre_attack: ["T1547", "T1053", "T1543", "T1574"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Extract cached credentials, password hashes, Kerberos tickets, and
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, credential-extraction, memory-forensics, volatility, mimikatz, password-hashes, incident-response]
+mitre_attack: ["T1003", "T1558", "T1552"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -8,6 +8,7 @@ description: >
 domain: cybersecurity
 subdomain: soc-operations
 tags: [soc, soar, phantom, splunk-soar, automation, playbook, orchestration, incident-response]
+mitre_attack: ["T1566", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Implement automated incident response playbooks in Cortex XSOAR to
 domain: cybersecurity
 subdomain: soc-operations
 tags: [xsoar, soar, palo-alto, playbook, automation, incident-response, orchestration, cortex]
+mitre_attack: ["T1566", "T1204", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Deploy and configure Velociraptor for scalable endpoint forensic ar
 domain: cybersecurity
 subdomain: incident-response
 tags: [velociraptor, dfir, endpoint-collection, vql, forensic-artifacts, rapid7, threat-hunting, incident-response]
+mitre_attack: ["T1059", "T1003", "T1070", "T1547"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -8,6 +8,7 @@ description: >
 domain: cybersecurity
 subdomain: soc-operations
 tags: [soc, phishing, incident-response, email-security, splunk, defender, sandbox]
+mitre_attack: ["T1566.001", "T1566.002", "T1204.001", "T1598.003"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Investigate Active Directory compromise by analyzing authentication
 domain: cybersecurity
 subdomain: incident-response
 tags: [active-directory, compromise-investigation, identity-forensics, kerberos, lateral-movement, dfir, ntds-dit, golden-ticket]
+mitre_attack: ["T1003", "T1558", "T1021", "T1078", "T1484"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Execute cloud-native incident containment across AWS, Azure, and GC
 domain: cybersecurity
 subdomain: incident-response
 tags: [cloud-security, incident-containment, aws, azure, gcp, cloud-forensics, credential-revocation, network-isolation]
+mitre_attack: ["T1078", "T1537", "T1580", "T1525", "T1098"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [disk-forensics, forensic-imaging, evidence-acquisition, file-recovery, chain-of-custody]
+mitre_attack: ["T1070", "T1027", "T1036", "T1564"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [insider-threat, user-behavior-analytics, data-exfiltration, privilege-misuse, DFIR]
+mitre_attack: ["T1078", "T1048", "T1567", "T1114"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Systematically investigate all persistence mechanisms on Windows an
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, malware-persistence, autoruns, registry, scheduled-tasks, rootkit-detection, incident-response]
+mitre_attack: ["T1547.001", "T1053.005", "T1543.003", "T1546.003", "T1574"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [ransomware, encryption-recovery, backup-restoration, ransom-negotiation, CISA-guidance]
+mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -8,6 +8,7 @@ description: >
 domain: cybersecurity
 subdomain: soc-operations
 tags: [soc, tabletop, exercise, incident-response, training, nist, playbook-validation]
+mitre_attack: ["T1566", "T1486", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Classify and prioritize security incidents using structured IR play
 domain: cybersecurity
 subdomain: incident-response
 tags: [incident-response, triage, playbook, severity-classification, soc]
+mitre_attack: ["T1190", "T1566", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [incident-triage, NIST-800-61, SANS-PICERL, severity-classification, SOC-operations]
+mitre_attack: ["T1190", "T1566", "T1078", "T1059"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0