From 5e62a7ea2c56cd886b8f25a0e473d41838bf6123 Mon Sep 17 00:00:00 2001 From: MAGI Date: Tue, 17 Mar 2026 10:36:33 -0600 Subject: [PATCH 1/6] Add MITRE ATT&CK technique IDs to 60 incident-response skills (fixes #1) --- skills/analyzing-malware-persistence-with-autoruns/SKILL.md | 1 + skills/analyzing-memory-dumps-with-volatility/SKILL.md | 1 + skills/analyzing-network-traffic-for-incidents/SKILL.md | 1 + skills/analyzing-persistence-mechanisms-in-linux/SKILL.md | 1 + skills/analyzing-security-logs-with-splunk/SKILL.md | 1 + skills/analyzing-windows-prefetch-with-python/SKILL.md | 1 + skills/building-incident-response-dashboard/SKILL.md | 1 + skills/building-incident-response-playbook/SKILL.md | 1 + skills/building-incident-timeline-with-timesketch/SKILL.md | 1 + skills/building-malware-incident-communication-template/SKILL.md | 1 + skills/building-phishing-reporting-button-workflow/SKILL.md | 1 + skills/building-soc-playbook-for-ransomware/SKILL.md | 1 + skills/collecting-indicators-of-compromise/SKILL.md | 1 + .../collecting-volatile-evidence-from-compromised-host/SKILL.md | 1 + skills/conducting-cloud-incident-response/SKILL.md | 1 + skills/conducting-malware-incident-response/SKILL.md | 1 + skills/conducting-memory-forensics-with-volatility/SKILL.md | 1 + skills/conducting-phishing-incident-response/SKILL.md | 1 + skills/conducting-post-incident-lessons-learned/SKILL.md | 1 + skills/containing-active-breach/SKILL.md | 1 + skills/deobfuscating-powershell-obfuscated-malware/SKILL.md | 1 + skills/deploying-osquery-for-endpoint-monitoring/SKILL.md | 1 + skills/detecting-attacks-on-scada-systems/SKILL.md | 1 + skills/detecting-aws-guardduty-findings-automation/SKILL.md | 1 + skills/detecting-compromised-cloud-credentials/SKILL.md | 1 + skills/detecting-email-account-compromise/SKILL.md | 1 + skills/detecting-ransomware-precursors-in-network/SKILL.md | 1 + skills/eradicating-malware-from-infected-systems/SKILL.md | 1 + skills/extracting-credentials-from-memory-dump/SKILL.md | 1 + skills/extracting-windows-event-logs-artifacts/SKILL.md | 1 + skills/implementing-endpoint-detection-with-wazuh/SKILL.md | 1 + skills/implementing-ot-incident-response-playbook/SKILL.md | 1 + skills/implementing-patch-management-for-ot-systems/SKILL.md | 1 + skills/implementing-ransomware-backup-strategy/SKILL.md | 1 + skills/implementing-soar-automation-with-phantom/SKILL.md | 1 + skills/implementing-soar-playbook-for-phishing/SKILL.md | 1 + skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md | 1 + skills/implementing-velociraptor-for-ir-collection/SKILL.md | 1 + skills/investigating-phishing-email-incident/SKILL.md | 1 + skills/investigating-ransomware-attack-artifacts/SKILL.md | 1 + .../SKILL.md | 1 + skills/performing-cloud-forensics-investigation/SKILL.md | 1 + skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md | 1 + skills/performing-cloud-incident-containment-procedures/SKILL.md | 1 + skills/performing-disk-forensics-investigation/SKILL.md | 1 + skills/performing-insider-threat-investigation/SKILL.md | 1 + .../performing-malware-hash-enrichment-with-virustotal/SKILL.md | 1 + skills/performing-malware-persistence-investigation/SKILL.md | 1 + .../SKILL.md | 1 + skills/performing-memory-forensics-with-volatility3/SKILL.md | 1 + skills/performing-ransomware-response/SKILL.md | 1 + skills/performing-ransomware-tabletop-exercise/SKILL.md | 1 + skills/performing-soc-tabletop-exercise/SKILL.md | 1 + .../SKILL.md | 1 + skills/recovering-from-ransomware-attack/SKILL.md | 1 + skills/triaging-security-incident-with-ir-playbook/SKILL.md | 1 + skills/triaging-security-incident/SKILL.md | 1 + 57 files changed, 57 insertions(+) diff --git a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md index 0c61e66d..e2031c89 100644 --- a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md +++ b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md @@ -4,6 +4,7 @@ description: Use Sysinternals Autoruns to systematically identify and analyze ma domain: cybersecurity subdomain: malware-analysis tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-memory-dumps-with-volatility/SKILL.md b/skills/analyzing-memory-dumps-with-volatility/SKILL.md index 93356ee2..7f9b062b 100644 --- a/skills/analyzing-memory-dumps-with-volatility/SKILL.md +++ b/skills/analyzing-memory-dumps-with-volatility/SKILL.md @@ -9,6 +9,7 @@ description: > domain: cybersecurity subdomain: malware-analysis tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response] +mitre_attack: ["T1190", "T1059", "T1078"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-network-traffic-for-incidents/SKILL.md b/skills/analyzing-network-traffic-for-incidents/SKILL.md index 5aca38d0..e05cdf4e 100644 --- a/skills/analyzing-network-traffic-for-incidents/SKILL.md +++ b/skills/analyzing-network-traffic-for-incidents/SKILL.md @@ -10,6 +10,7 @@ description: > domain: cybersecurity subdomain: incident-response tags: [network-forensics, PCAP-analysis, Wireshark, Zeek, traffic-analysis] +mitre_attack: ["T1071", "T1095", "T1573", "T1572"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md index 1611915b..f56b6498 100644 --- a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md +++ b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md @@ -4,6 +4,7 @@ description: Detect and analyze Linux persistence mechanisms including crontab e domain: cybersecurity subdomain: threat-hunting tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-security-logs-with-splunk/SKILL.md b/skills/analyzing-security-logs-with-splunk/SKILL.md index 6a351a27..f0cf8d2e 100644 --- a/skills/analyzing-security-logs-with-splunk/SKILL.md +++ b/skills/analyzing-security-logs-with-splunk/SKILL.md @@ -10,6 +10,7 @@ description: > domain: cybersecurity subdomain: incident-response tags: [splunk, SPL, SIEM, log-analysis, security-monitoring] +mitre_attack: ["T1070", "T1562", "T1059"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-windows-prefetch-with-python/SKILL.md b/skills/analyzing-windows-prefetch-with-python/SKILL.md index 8d817429..8f542338 100644 --- a/skills/analyzing-windows-prefetch-with-python/SKILL.md +++ b/skills/analyzing-windows-prefetch-with-python/SKILL.md @@ -4,6 +4,7 @@ description: Parse Windows Prefetch files using the windowsprefetch Python libra domain: cybersecurity subdomain: digital-forensics tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/building-incident-response-dashboard/SKILL.md b/skills/building-incident-response-dashboard/SKILL.md index 78d0cb1c..8c25d065 100644 --- a/skills/building-incident-response-dashboard/SKILL.md +++ b/skills/building-incident-response-dashboard/SKILL.md @@ -8,6 +8,7 @@ description: > domain: cybersecurity subdomain: soc-operations tags: [soc, dashboard, incident-response, splunk, visualization, situational-awareness, metrics] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/building-incident-response-playbook/SKILL.md b/skills/building-incident-response-playbook/SKILL.md index 39accb90..4499d90f 100644 --- a/skills/building-incident-response-playbook/SKILL.md +++ b/skills/building-incident-response-playbook/SKILL.md @@ -10,6 +10,7 @@ description: > domain: cybersecurity subdomain: incident-response tags: [IR-playbook, runbook, NIST-800-61, SOAR-integration, response-procedures] +mitre_attack: ["T1190", "T1566", "T1078"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/building-incident-timeline-with-timesketch/SKILL.md b/skills/building-incident-timeline-with-timesketch/SKILL.md index 01f44f5c..1543b608 100644 --- a/skills/building-incident-timeline-with-timesketch/SKILL.md +++ b/skills/building-incident-timeline-with-timesketch/SKILL.md @@ -4,6 +4,7 @@ description: Build collaborative forensic incident timelines using Timesketch to domain: cybersecurity subdomain: incident-response tags: [timesketch, timeline-analysis, forensic-timeline, plaso, dfir, incident-investigation, collaborative-forensics] +mitre_attack: ["T1070", "T1059", "T1053"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/building-malware-incident-communication-template/SKILL.md b/skills/building-malware-incident-communication-template/SKILL.md index 774039ce..cb86e086 100644 --- a/skills/building-malware-incident-communication-template/SKILL.md +++ b/skills/building-malware-incident-communication-template/SKILL.md @@ -4,6 +4,7 @@ description: Build structured communication templates for malware incidents incl domain: cybersecurity subdomain: incident-response tags: [incident-communication, malware-response, stakeholder-notification, crisis-communication, executive-briefing, regulatory-disclosure] +mitre_attack: ["T1566", "T1204", "T1027"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/building-phishing-reporting-button-workflow/SKILL.md b/skills/building-phishing-reporting-button-workflow/SKILL.md index 9ece3dfc..54e7655e 100644 --- a/skills/building-phishing-reporting-button-workflow/SKILL.md +++ b/skills/building-phishing-reporting-button-workflow/SKILL.md @@ -4,6 +4,7 @@ description: Implement a phishing report button in email clients with automated domain: cybersecurity subdomain: phishing-defense tags: [phishing-reporting, email-security, incident-response, security-awareness, outlook, microsoft-365, soar] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/building-soc-playbook-for-ransomware/SKILL.md b/skills/building-soc-playbook-for-ransomware/SKILL.md index a26b5d72..d42b674c 100644 --- a/skills/building-soc-playbook-for-ransomware/SKILL.md +++ b/skills/building-soc-playbook-for-ransomware/SKILL.md @@ -8,6 +8,7 @@ description: > domain: cybersecurity subdomain: soc-operations tags: [soc, ransomware, incident-response, playbook, nist, mitre-attack, containment] +mitre_attack: ["T1190", "T1566", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/collecting-indicators-of-compromise/SKILL.md b/skills/collecting-indicators-of-compromise/SKILL.md index de8bdf1b..d6da0c03 100644 --- a/skills/collecting-indicators-of-compromise/SKILL.md +++ b/skills/collecting-indicators-of-compromise/SKILL.md @@ -10,6 +10,7 @@ description: > domain: cybersecurity subdomain: incident-response tags: [IOC-collection, threat-indicators, STIX-TAXII, MISP, threat-intelligence-sharing] +mitre_attack: ["T1071", "T1059", "T1547", "T1053"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/collecting-volatile-evidence-from-compromised-host/SKILL.md b/skills/collecting-volatile-evidence-from-compromised-host/SKILL.md index 65f558d0..ea6e32e9 100644 --- a/skills/collecting-volatile-evidence-from-compromised-host/SKILL.md +++ b/skills/collecting-volatile-evidence-from-compromised-host/SKILL.md @@ -4,6 +4,7 @@ description: Collect volatile forensic evidence from a compromised system follow domain: cybersecurity subdomain: incident-response tags: [incident-response, dfir, forensics, volatile-evidence, memory-forensics, chain-of-custody] +mitre_attack: ["T1003", "T1055", "T1059", "T1547"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/conducting-cloud-incident-response/SKILL.md b/skills/conducting-cloud-incident-response/SKILL.md index c73dde97..3b5fdd56 100644 --- a/skills/conducting-cloud-incident-response/SKILL.md +++ b/skills/conducting-cloud-incident-response/SKILL.md @@ -9,6 +9,7 @@ description: > domain: cybersecurity subdomain: incident-response tags: [cloud-IR, AWS-forensics, Azure-incident-response, GCP-security, identity-containment] +mitre_attack: ["T1078", "T1537", "T1580", "T1525"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/conducting-malware-incident-response/SKILL.md b/skills/conducting-malware-incident-response/SKILL.md index c54cb5bb..48920450 100644 --- a/skills/conducting-malware-incident-response/SKILL.md +++ b/skills/conducting-malware-incident-response/SKILL.md @@ -10,6 +10,7 @@ description: > domain: cybersecurity subdomain: incident-response tags: [malware-response, malware-analysis, eradication, endpoint-remediation, MITRE-ATT&CK] +mitre_attack: ["T1204", "T1027", "T1055", "T1059", "T1486"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/conducting-memory-forensics-with-volatility/SKILL.md b/skills/conducting-memory-forensics-with-volatility/SKILL.md index 17879b83..646d95ed 100644 --- a/skills/conducting-memory-forensics-with-volatility/SKILL.md +++ b/skills/conducting-memory-forensics-with-volatility/SKILL.md @@ -10,6 +10,7 @@ description: > domain: cybersecurity subdomain: incident-response tags: [memory-forensics, volatility, RAM-analysis, process-injection, DFIR] +mitre_attack: ["T1003", "T1055", "T1620", "T1574"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/conducting-phishing-incident-response/SKILL.md b/skills/conducting-phishing-incident-response/SKILL.md index 6926966b..03113d09 100644 --- a/skills/conducting-phishing-incident-response/SKILL.md +++ b/skills/conducting-phishing-incident-response/SKILL.md @@ -10,6 +10,7 @@ description: > domain: cybersecurity subdomain: incident-response tags: [phishing-response, email-security, credential-compromise, email-header-analysis, mailbox-remediation] +mitre_attack: ["T1566", "T1204", "T1534", "T1598"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/conducting-post-incident-lessons-learned/SKILL.md b/skills/conducting-post-incident-lessons-learned/SKILL.md index 05aa6c0d..399d06df 100644 --- a/skills/conducting-post-incident-lessons-learned/SKILL.md +++ b/skills/conducting-post-incident-lessons-learned/SKILL.md @@ -4,6 +4,7 @@ description: Facilitate structured post-incident reviews to identify root causes domain: cybersecurity subdomain: incident-response tags: [incident-response, lessons-learned, post-incident, after-action-review, process-improvement] +mitre_attack: ["T1190", "T1566", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/containing-active-breach/SKILL.md b/skills/containing-active-breach/SKILL.md index 0ac201f0..ff59a0ca 100644 --- a/skills/containing-active-breach/SKILL.md +++ b/skills/containing-active-breach/SKILL.md @@ -10,6 +10,7 @@ description: > domain: cybersecurity subdomain: incident-response tags: [breach-containment, lateral-movement, network-isolation, credential-revocation, live-response] +mitre_attack: ["T1021", "T1570", "T1210", "T1072"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md b/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md index bdd42af2..879fc6cf 100644 --- a/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md +++ b/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md @@ -4,6 +4,7 @@ description: Systematically deobfuscate multi-layer PowerShell malware using AST domain: cybersecurity subdomain: malware-analysis tags: [powershell, deobfuscation, malware-analysis, scripting, obfuscation, ast-analysis, incident-response] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md b/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md index 7418822a..02f9e652 100644 --- a/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md +++ b/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md @@ -9,6 +9,7 @@ description: > domain: cybersecurity subdomain: endpoint-security tags: [endpoint, osquery, endpoint-monitoring, threat-hunting, fleet-management] +mitre_attack: ["T1190", "T1059", "T1078"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/detecting-attacks-on-scada-systems/SKILL.md b/skills/detecting-attacks-on-scada-systems/SKILL.md index 85abc162..ef1ed930 100644 --- a/skills/detecting-attacks-on-scada-systems/SKILL.md +++ b/skills/detecting-attacks-on-scada-systems/SKILL.md @@ -11,6 +11,7 @@ description: > domain: cybersecurity subdomain: ot-ics-security tags: [ot-security, ics, scada, industrial-control, iec62443, intrusion-detection, threat-detection] +mitre_attack: ["T1190", "T1059", "T1078"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/detecting-aws-guardduty-findings-automation/SKILL.md b/skills/detecting-aws-guardduty-findings-automation/SKILL.md index 62a99ffa..9ff22e22 100644 --- a/skills/detecting-aws-guardduty-findings-automation/SKILL.md +++ b/skills/detecting-aws-guardduty-findings-automation/SKILL.md @@ -4,6 +4,7 @@ description: Automate AWS GuardDuty threat detection findings processing using E domain: cybersecurity subdomain: cloud-security tags: [aws, guardduty, eventbridge, lambda, threat-detection, automation, incident-response, siem] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/detecting-compromised-cloud-credentials/SKILL.md b/skills/detecting-compromised-cloud-credentials/SKILL.md index 8ad595a4..16866b4d 100644 --- a/skills/detecting-compromised-cloud-credentials/SKILL.md +++ b/skills/detecting-compromised-cloud-credentials/SKILL.md @@ -8,6 +8,7 @@ description: > domain: cybersecurity subdomain: cloud-security tags: [cloud-security, credential-compromise, threat-detection, guardduty, incident-response, anomaly-detection] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/detecting-email-account-compromise/SKILL.md b/skills/detecting-email-account-compromise/SKILL.md index 6fa7b37c..e51290e7 100644 --- a/skills/detecting-email-account-compromise/SKILL.md +++ b/skills/detecting-email-account-compromise/SKILL.md @@ -4,6 +4,7 @@ description: Detect compromised O365 and Google Workspace email accounts by anal domain: cybersecurity subdomain: incident-response tags: [email-compromise, office365, microsoft-graph, bec, inbox-rules, sign-in-analysis, account-takeover] +mitre_attack: ["T1114", "T1566", "T1078", "T1534"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/detecting-ransomware-precursors-in-network/SKILL.md b/skills/detecting-ransomware-precursors-in-network/SKILL.md index 87c096c7..c7881cec 100644 --- a/skills/detecting-ransomware-precursors-in-network/SKILL.md +++ b/skills/detecting-ransomware-precursors-in-network/SKILL.md @@ -11,6 +11,7 @@ description: > domain: cybersecurity subdomain: ransomware-defense tags: [ransomware, detection, network-security, incident-response, defense] +mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/eradicating-malware-from-infected-systems/SKILL.md b/skills/eradicating-malware-from-infected-systems/SKILL.md index 5a9cd417..42c278b2 100644 --- a/skills/eradicating-malware-from-infected-systems/SKILL.md +++ b/skills/eradicating-malware-from-infected-systems/SKILL.md @@ -4,6 +4,7 @@ description: Systematically remove malware, backdoors, and attacker persistence domain: cybersecurity subdomain: incident-response tags: [incident-response, eradication, malware-removal, persistence, dfir] +mitre_attack: ["T1547", "T1053", "T1543", "T1574"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/extracting-credentials-from-memory-dump/SKILL.md b/skills/extracting-credentials-from-memory-dump/SKILL.md index f0e60b50..8d492a5e 100644 --- a/skills/extracting-credentials-from-memory-dump/SKILL.md +++ b/skills/extracting-credentials-from-memory-dump/SKILL.md @@ -4,6 +4,7 @@ description: Extract cached credentials, password hashes, Kerberos tickets, and domain: cybersecurity subdomain: digital-forensics tags: [forensics, credential-extraction, memory-forensics, volatility, mimikatz, password-hashes, incident-response] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/extracting-windows-event-logs-artifacts/SKILL.md b/skills/extracting-windows-event-logs-artifacts/SKILL.md index 195136a0..845a760c 100644 --- a/skills/extracting-windows-event-logs-artifacts/SKILL.md +++ b/skills/extracting-windows-event-logs-artifacts/SKILL.md @@ -4,6 +4,7 @@ description: Extract, parse, and analyze Windows Event Logs (EVTX) using Chainsa domain: cybersecurity subdomain: digital-forensics tags: [forensics, windows-event-logs, evtx, chainsaw, hayabusa, sigma-rules, incident-response] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/implementing-endpoint-detection-with-wazuh/SKILL.md b/skills/implementing-endpoint-detection-with-wazuh/SKILL.md index 79275208..c2369676 100644 --- a/skills/implementing-endpoint-detection-with-wazuh/SKILL.md +++ b/skills/implementing-endpoint-detection-with-wazuh/SKILL.md @@ -4,6 +4,7 @@ description: Deploy and configure Wazuh SIEM/XDR for endpoint detection includin domain: cybersecurity subdomain: security-operations tags: [siem, xdr, wazuh, endpoint-detection, custom-rules, incident-response] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/implementing-ot-incident-response-playbook/SKILL.md b/skills/implementing-ot-incident-response-playbook/SKILL.md index 757c67df..6de03232 100644 --- a/skills/implementing-ot-incident-response-playbook/SKILL.md +++ b/skills/implementing-ot-incident-response-playbook/SKILL.md @@ -8,6 +8,7 @@ description: > domain: cybersecurity subdomain: ot-ics-security tags: [ot-security, ics, incident-response, playbook, sans, iec62443, nist, safety-critical] +mitre_attack: ["T1190", "T1566", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/implementing-patch-management-for-ot-systems/SKILL.md b/skills/implementing-patch-management-for-ot-systems/SKILL.md index d45c8f90..2478c6a1 100644 --- a/skills/implementing-patch-management-for-ot-systems/SKILL.md +++ b/skills/implementing-patch-management-for-ot-systems/SKILL.md @@ -10,6 +10,7 @@ description: > domain: cybersecurity subdomain: ot-ics-security tags: [ot-security, ics, scada, industrial-control, iec62443, patch-management, vulnerability-management] +mitre_attack: ["T1190", "T1059", "T1078"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/implementing-ransomware-backup-strategy/SKILL.md b/skills/implementing-ransomware-backup-strategy/SKILL.md index 8912a6dd..8d3e1f32 100644 --- a/skills/implementing-ransomware-backup-strategy/SKILL.md +++ b/skills/implementing-ransomware-backup-strategy/SKILL.md @@ -11,6 +11,7 @@ description: > domain: cybersecurity subdomain: ransomware-defense tags: [ransomware, backup, incident-response, defense, recovery, immutable-storage] +mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/implementing-soar-automation-with-phantom/SKILL.md b/skills/implementing-soar-automation-with-phantom/SKILL.md index 4625499f..a2ea0aa2 100644 --- a/skills/implementing-soar-automation-with-phantom/SKILL.md +++ b/skills/implementing-soar-automation-with-phantom/SKILL.md @@ -8,6 +8,7 @@ description: > domain: cybersecurity subdomain: soc-operations tags: [soc, soar, phantom, splunk-soar, automation, playbook, orchestration, incident-response] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/implementing-soar-playbook-for-phishing/SKILL.md b/skills/implementing-soar-playbook-for-phishing/SKILL.md index f914f665..cacc0e67 100644 --- a/skills/implementing-soar-playbook-for-phishing/SKILL.md +++ b/skills/implementing-soar-playbook-for-phishing/SKILL.md @@ -4,6 +4,7 @@ description: Automate phishing incident response using Splunk SOAR REST API to c domain: cybersecurity subdomain: security-operations tags: [soar, splunk-phantom, phishing, incident-response] +mitre_attack: ["T1190", "T1566", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md b/skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md index ebed7bd8..a2c8823c 100644 --- a/skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md +++ b/skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md @@ -4,6 +4,7 @@ description: Implement automated incident response playbooks in Cortex XSOAR to domain: cybersecurity subdomain: soc-operations tags: [xsoar, soar, palo-alto, playbook, automation, incident-response, orchestration, cortex] +mitre_attack: ["T1190", "T1566", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/implementing-velociraptor-for-ir-collection/SKILL.md b/skills/implementing-velociraptor-for-ir-collection/SKILL.md index 23671ce2..73a1e698 100644 --- a/skills/implementing-velociraptor-for-ir-collection/SKILL.md +++ b/skills/implementing-velociraptor-for-ir-collection/SKILL.md @@ -4,6 +4,7 @@ description: Deploy and configure Velociraptor for scalable endpoint forensic ar domain: cybersecurity subdomain: incident-response tags: [velociraptor, dfir, endpoint-collection, vql, forensic-artifacts, rapid7, threat-hunting, incident-response] +mitre_attack: ["T1059", "T1003", "T1070", "T1547"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/investigating-phishing-email-incident/SKILL.md b/skills/investigating-phishing-email-incident/SKILL.md index bf7a0333..65392f4c 100644 --- a/skills/investigating-phishing-email-incident/SKILL.md +++ b/skills/investigating-phishing-email-incident/SKILL.md @@ -8,6 +8,7 @@ description: > domain: cybersecurity subdomain: soc-operations tags: [soc, phishing, incident-response, email-security, splunk, defender, sandbox] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/investigating-ransomware-attack-artifacts/SKILL.md b/skills/investigating-ransomware-attack-artifacts/SKILL.md index 74f4f223..451ac88e 100644 --- a/skills/investigating-ransomware-attack-artifacts/SKILL.md +++ b/skills/investigating-ransomware-attack-artifacts/SKILL.md @@ -4,6 +4,7 @@ description: Identify, collect, and analyze ransomware attack artifacts to deter domain: cybersecurity subdomain: digital-forensics tags: [forensics, ransomware, malware-analysis, incident-response, encryption-recovery, evidence-collection] +mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-active-directory-compromise-investigation/SKILL.md b/skills/performing-active-directory-compromise-investigation/SKILL.md index 7be05d76..734b4839 100644 --- a/skills/performing-active-directory-compromise-investigation/SKILL.md +++ b/skills/performing-active-directory-compromise-investigation/SKILL.md @@ -4,6 +4,7 @@ description: Investigate Active Directory compromise by analyzing authentication domain: cybersecurity subdomain: incident-response tags: [active-directory, compromise-investigation, identity-forensics, kerberos, lateral-movement, dfir, ntds-dit, golden-ticket] +mitre_attack: ["T1003", "T1558", "T1021", "T1078", "T1484"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-cloud-forensics-investigation/SKILL.md b/skills/performing-cloud-forensics-investigation/SKILL.md index 268a39c0..dddc1eee 100644 --- a/skills/performing-cloud-forensics-investigation/SKILL.md +++ b/skills/performing-cloud-forensics-investigation/SKILL.md @@ -4,6 +4,7 @@ description: Conduct forensic investigations in cloud environments by collecting domain: cybersecurity subdomain: digital-forensics tags: [forensics, cloud-forensics, aws, azure, gcp, incident-response, log-analysis] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md b/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md index 6c2536e7..6cf2bf70 100644 --- a/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md +++ b/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md @@ -4,6 +4,7 @@ description: Perform forensic investigation of AWS environments using CloudTrail domain: cybersecurity subdomain: cloud-security tags: [cloud-security, aws, cloudtrail, forensics, incident-response, dfir, boto3, s3] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-cloud-incident-containment-procedures/SKILL.md b/skills/performing-cloud-incident-containment-procedures/SKILL.md index c75586f4..4d01d222 100644 --- a/skills/performing-cloud-incident-containment-procedures/SKILL.md +++ b/skills/performing-cloud-incident-containment-procedures/SKILL.md @@ -4,6 +4,7 @@ description: Execute cloud-native incident containment across AWS, Azure, and GC domain: cybersecurity subdomain: incident-response tags: [cloud-security, incident-containment, aws, azure, gcp, cloud-forensics, credential-revocation, network-isolation] +mitre_attack: ["T1078", "T1537", "T1580", "T1525", "T1098"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-disk-forensics-investigation/SKILL.md b/skills/performing-disk-forensics-investigation/SKILL.md index 87a45540..18b7a2eb 100644 --- a/skills/performing-disk-forensics-investigation/SKILL.md +++ b/skills/performing-disk-forensics-investigation/SKILL.md @@ -10,6 +10,7 @@ description: > domain: cybersecurity subdomain: incident-response tags: [disk-forensics, forensic-imaging, evidence-acquisition, file-recovery, chain-of-custody] +mitre_attack: ["T1070", "T1027", "T1036", "T1564"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/performing-insider-threat-investigation/SKILL.md b/skills/performing-insider-threat-investigation/SKILL.md index d5ef1077..9ad2a2e3 100644 --- a/skills/performing-insider-threat-investigation/SKILL.md +++ b/skills/performing-insider-threat-investigation/SKILL.md @@ -10,6 +10,7 @@ description: > domain: cybersecurity subdomain: incident-response tags: [insider-threat, user-behavior-analytics, data-exfiltration, privilege-misuse, DFIR] +mitre_attack: ["T1078", "T1048", "T1567", "T1114"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md b/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md index baaa76d5..e307bab7 100644 --- a/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md +++ b/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md @@ -4,6 +4,7 @@ description: Enrich malware file hashes using the VirusTotal API to retrieve det domain: cybersecurity subdomain: threat-intelligence tags: [virustotal, malware-analysis, hash-enrichment, ioc, threat-intelligence, triage, api, detection] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-malware-persistence-investigation/SKILL.md b/skills/performing-malware-persistence-investigation/SKILL.md index 738c1432..866cd5ab 100644 --- a/skills/performing-malware-persistence-investigation/SKILL.md +++ b/skills/performing-malware-persistence-investigation/SKILL.md @@ -4,6 +4,7 @@ description: Systematically investigate all persistence mechanisms on Windows an domain: cybersecurity subdomain: digital-forensics tags: [forensics, malware-persistence, autoruns, registry, scheduled-tasks, rootkit-detection, incident-response] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md b/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md index 5ab93348..f65e59d0 100644 --- a/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md +++ b/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md @@ -4,6 +4,7 @@ description: Analyze memory dumps using Volatility3 plugins to detect injected c domain: cybersecurity subdomain: malware-analysis tags: [memory-forensics, volatility3, malware-analysis, incident-response, process-injection, rootkit-detection, dfir] +mitre_attack: ["T1003", "T1055", "T1620", "T1574"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-memory-forensics-with-volatility3/SKILL.md b/skills/performing-memory-forensics-with-volatility3/SKILL.md index ccc5cd98..9ea9591b 100644 --- a/skills/performing-memory-forensics-with-volatility3/SKILL.md +++ b/skills/performing-memory-forensics-with-volatility3/SKILL.md @@ -4,6 +4,7 @@ description: Analyze volatile memory dumps using Volatility 3 to extract running domain: cybersecurity subdomain: digital-forensics tags: [forensics, memory-forensics, volatility, ram-analysis, malware-detection, incident-response] +mitre_attack: ["T1003", "T1055", "T1620", "T1574"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-ransomware-response/SKILL.md b/skills/performing-ransomware-response/SKILL.md index b16e74b8..eae8d47e 100644 --- a/skills/performing-ransomware-response/SKILL.md +++ b/skills/performing-ransomware-response/SKILL.md @@ -10,6 +10,7 @@ description: > domain: cybersecurity subdomain: incident-response tags: [ransomware, encryption-recovery, backup-restoration, ransom-negotiation, CISA-guidance] +mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/performing-ransomware-tabletop-exercise/SKILL.md b/skills/performing-ransomware-tabletop-exercise/SKILL.md index 0e53a479..dab637d7 100644 --- a/skills/performing-ransomware-tabletop-exercise/SKILL.md +++ b/skills/performing-ransomware-tabletop-exercise/SKILL.md @@ -11,6 +11,7 @@ description: > domain: cybersecurity subdomain: ransomware-defense tags: [ransomware, incident-response, tabletop-exercise, defense, preparedness] +mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/performing-soc-tabletop-exercise/SKILL.md b/skills/performing-soc-tabletop-exercise/SKILL.md index 132193b6..ce98f379 100644 --- a/skills/performing-soc-tabletop-exercise/SKILL.md +++ b/skills/performing-soc-tabletop-exercise/SKILL.md @@ -8,6 +8,7 @@ description: > domain: cybersecurity subdomain: soc-operations tags: [soc, tabletop, exercise, incident-response, training, nist, playbook-validation] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools/SKILL.md b/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools/SKILL.md index dbafc21c..8e5cad66 100644 --- a/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools/SKILL.md +++ b/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools/SKILL.md @@ -4,6 +4,7 @@ description: Perform comprehensive Windows forensic artifact analysis using Eric domain: cybersecurity subdomain: digital-forensics tags: [eric-zimmerman, ez-tools, kape, mftecmd, pecmd, lecmd, jlecmd, registry-forensics, windows-forensics, timeline-explorer, dfir, artifact-analysis] +mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/recovering-from-ransomware-attack/SKILL.md b/skills/recovering-from-ransomware-attack/SKILL.md index f232c90e..83f0ea18 100644 --- a/skills/recovering-from-ransomware-attack/SKILL.md +++ b/skills/recovering-from-ransomware-attack/SKILL.md @@ -11,6 +11,7 @@ description: > domain: cybersecurity subdomain: ransomware-defense tags: [ransomware, recovery, incident-response, backup, defense] +mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/triaging-security-incident-with-ir-playbook/SKILL.md b/skills/triaging-security-incident-with-ir-playbook/SKILL.md index 6042cb15..73b3bcd3 100644 --- a/skills/triaging-security-incident-with-ir-playbook/SKILL.md +++ b/skills/triaging-security-incident-with-ir-playbook/SKILL.md @@ -4,6 +4,7 @@ description: Classify and prioritize security incidents using structured IR play domain: cybersecurity subdomain: incident-response tags: [incident-response, triage, playbook, severity-classification, soc] +mitre_attack: ["T1190", "T1566", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/triaging-security-incident/SKILL.md b/skills/triaging-security-incident/SKILL.md index 277326bc..292657bb 100644 --- a/skills/triaging-security-incident/SKILL.md +++ b/skills/triaging-security-incident/SKILL.md @@ -10,6 +10,7 @@ description: > domain: cybersecurity subdomain: incident-response tags: [incident-triage, NIST-800-61, SANS-PICERL, severity-classification, SOC-operations] +mitre_attack: ["T1190", "T1566", "T1078", "T1059"] version: 1.0.0 author: mahipal license: Apache-2.0 From 42258456e8b85fb1f0c14e849f09821fcc01e8cb Mon Sep 17 00:00:00 2001 From: MAGI Date: Tue, 17 Mar 2026 17:12:05 -0600 Subject: [PATCH 2/6] Fix MITRE ATT&CK mappings per CodeRabbit review - Replace generic T1190/T1059/T1078 with context-specific techniques - Persistence: T1547, T1053, T1543, T1574 - Credentials: T1003, T1558, T1550 - Phishing: T1566, T1204, T1534 - Ransomware: T1486, T1490, T1489 - Cloud: T1078, T1537, T1580, T1098 - Remove mappings from out-of-scope subdomains (ot-ics, malware-analysis, digital-forensics) --- .../analyzing-malware-persistence-with-autoruns/SKILL.md | 2 +- skills/analyzing-memory-dumps-with-volatility/SKILL.md | 2 +- skills/analyzing-persistence-mechanisms-in-linux/SKILL.md | 2 +- skills/analyzing-windows-prefetch-with-python/SKILL.md | 2 +- skills/building-incident-response-dashboard/SKILL.md | 2 +- .../building-phishing-reporting-button-workflow/SKILL.md | 2 +- skills/building-soc-playbook-for-ransomware/SKILL.md | 2 +- .../deobfuscating-powershell-obfuscated-malware/SKILL.md | 1 - skills/deploying-osquery-for-endpoint-monitoring/SKILL.md | 2 +- skills/detecting-attacks-on-scada-systems/SKILL.md | 1 - .../detecting-aws-guardduty-findings-automation/SKILL.md | 2 +- skills/detecting-compromised-cloud-credentials/SKILL.md | 2 +- skills/extracting-credentials-from-memory-dump/SKILL.md | 2 +- skills/extracting-windows-event-logs-artifacts/SKILL.md | 2 +- skills/implementing-cloud-waf-rules/SKILL.md | 4 ++-- .../implementing-endpoint-detection-with-wazuh/SKILL.md | 2 +- .../implementing-ot-incident-response-playbook/SKILL.md | 1 - .../implementing-patch-management-for-ot-systems/SKILL.md | 1 - skills/implementing-ransomware-backup-strategy/SKILL.md | 2 +- skills/implementing-soar-automation-with-phantom/SKILL.md | 2 +- skills/implementing-soar-playbook-for-phishing/SKILL.md | 2 +- .../SKILL.md | 2 +- skills/implementing-zero-trust-network-access/SKILL.md | 8 ++++---- skills/investigating-phishing-email-incident/SKILL.md | 2 +- skills/investigating-ransomware-attack-artifacts/SKILL.md | 2 +- skills/performing-cloud-forensics-investigation/SKILL.md | 2 +- .../SKILL.md | 2 +- .../performing-malware-persistence-investigation/SKILL.md | 2 +- .../SKILL.md | 2 +- skills/performing-soc-tabletop-exercise/SKILL.md | 2 +- .../SKILL.md | 1 - skills/recovering-from-ransomware-attack/SKILL.md | 2 +- 32 files changed, 31 insertions(+), 36 deletions(-) diff --git a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md index e2031c89..c6e4b0d4 100644 --- a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md +++ b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md @@ -4,7 +4,7 @@ description: Use Sysinternals Autoruns to systematically identify and analyze ma domain: cybersecurity subdomain: malware-analysis tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1547", "T1053", "T1543", "T1574"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-memory-dumps-with-volatility/SKILL.md b/skills/analyzing-memory-dumps-with-volatility/SKILL.md index 7f9b062b..9035f8e1 100644 --- a/skills/analyzing-memory-dumps-with-volatility/SKILL.md +++ b/skills/analyzing-memory-dumps-with-volatility/SKILL.md @@ -9,7 +9,7 @@ description: > domain: cybersecurity subdomain: malware-analysis tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1003", "T1055", "T1620", "T1574"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md index f56b6498..0849bcab 100644 --- a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md +++ b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md @@ -4,7 +4,7 @@ description: Detect and analyze Linux persistence mechanisms including crontab e domain: cybersecurity subdomain: threat-hunting tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1053", "T1543", "T1574", "T1546"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-windows-prefetch-with-python/SKILL.md b/skills/analyzing-windows-prefetch-with-python/SKILL.md index 8f542338..b6f54efa 100644 --- a/skills/analyzing-windows-prefetch-with-python/SKILL.md +++ b/skills/analyzing-windows-prefetch-with-python/SKILL.md @@ -4,7 +4,7 @@ description: Parse Windows Prefetch files using the windowsprefetch Python libra domain: cybersecurity subdomain: digital-forensics tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1059", "T1204", "T1036", "T1070.004"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/building-incident-response-dashboard/SKILL.md b/skills/building-incident-response-dashboard/SKILL.md index 8c25d065..999413a5 100644 --- a/skills/building-incident-response-dashboard/SKILL.md +++ b/skills/building-incident-response-dashboard/SKILL.md @@ -8,7 +8,7 @@ description: > domain: cybersecurity subdomain: soc-operations tags: [soc, dashboard, incident-response, splunk, visualization, situational-awareness, metrics] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1190", "T1566", "T1486"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/building-phishing-reporting-button-workflow/SKILL.md b/skills/building-phishing-reporting-button-workflow/SKILL.md index 54e7655e..8eac7357 100644 --- a/skills/building-phishing-reporting-button-workflow/SKILL.md +++ b/skills/building-phishing-reporting-button-workflow/SKILL.md @@ -4,7 +4,7 @@ description: Implement a phishing report button in email clients with automated domain: cybersecurity subdomain: phishing-defense tags: [phishing-reporting, email-security, incident-response, security-awareness, outlook, microsoft-365, soar] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1566", "T1204", "T1534"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/building-soc-playbook-for-ransomware/SKILL.md b/skills/building-soc-playbook-for-ransomware/SKILL.md index d42b674c..1873bdfa 100644 --- a/skills/building-soc-playbook-for-ransomware/SKILL.md +++ b/skills/building-soc-playbook-for-ransomware/SKILL.md @@ -8,7 +8,7 @@ description: > domain: cybersecurity subdomain: soc-operations tags: [soc, ransomware, incident-response, playbook, nist, mitre-attack, containment] -mitre_attack: ["T1190", "T1566", "T1078"] +mitre_attack: ["T1486", "T1490", "T1489", "T1570"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md b/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md index 879fc6cf..bdd42af2 100644 --- a/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md +++ b/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md @@ -4,7 +4,6 @@ description: Systematically deobfuscate multi-layer PowerShell malware using AST domain: cybersecurity subdomain: malware-analysis tags: [powershell, deobfuscation, malware-analysis, scripting, obfuscation, ast-analysis, incident-response] -mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md b/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md index 02f9e652..12bf02b2 100644 --- a/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md +++ b/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md @@ -9,7 +9,7 @@ description: > domain: cybersecurity subdomain: endpoint-security tags: [endpoint, osquery, endpoint-monitoring, threat-hunting, fleet-management] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1547", "T1053", "T1543", "T1059"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/detecting-attacks-on-scada-systems/SKILL.md b/skills/detecting-attacks-on-scada-systems/SKILL.md index ef1ed930..85abc162 100644 --- a/skills/detecting-attacks-on-scada-systems/SKILL.md +++ b/skills/detecting-attacks-on-scada-systems/SKILL.md @@ -11,7 +11,6 @@ description: > domain: cybersecurity subdomain: ot-ics-security tags: [ot-security, ics, scada, industrial-control, iec62443, intrusion-detection, threat-detection] -mitre_attack: ["T1190", "T1059", "T1078"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/detecting-aws-guardduty-findings-automation/SKILL.md b/skills/detecting-aws-guardduty-findings-automation/SKILL.md index 9ff22e22..8f826c23 100644 --- a/skills/detecting-aws-guardduty-findings-automation/SKILL.md +++ b/skills/detecting-aws-guardduty-findings-automation/SKILL.md @@ -4,7 +4,7 @@ description: Automate AWS GuardDuty threat detection findings processing using E domain: cybersecurity subdomain: cloud-security tags: [aws, guardduty, eventbridge, lambda, threat-detection, automation, incident-response, siem] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1078", "T1537", "T1580"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/detecting-compromised-cloud-credentials/SKILL.md b/skills/detecting-compromised-cloud-credentials/SKILL.md index 16866b4d..5d56505d 100644 --- a/skills/detecting-compromised-cloud-credentials/SKILL.md +++ b/skills/detecting-compromised-cloud-credentials/SKILL.md @@ -8,7 +8,7 @@ description: > domain: cybersecurity subdomain: cloud-security tags: [cloud-security, credential-compromise, threat-detection, guardduty, incident-response, anomaly-detection] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1078", "T1528", "T1550"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/extracting-credentials-from-memory-dump/SKILL.md b/skills/extracting-credentials-from-memory-dump/SKILL.md index 8d492a5e..ca676d16 100644 --- a/skills/extracting-credentials-from-memory-dump/SKILL.md +++ b/skills/extracting-credentials-from-memory-dump/SKILL.md @@ -4,7 +4,7 @@ description: Extract cached credentials, password hashes, Kerberos tickets, and domain: cybersecurity subdomain: digital-forensics tags: [forensics, credential-extraction, memory-forensics, volatility, mimikatz, password-hashes, incident-response] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1003", "T1558", "T1550"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/extracting-windows-event-logs-artifacts/SKILL.md b/skills/extracting-windows-event-logs-artifacts/SKILL.md index 845a760c..0a71c8d9 100644 --- a/skills/extracting-windows-event-logs-artifacts/SKILL.md +++ b/skills/extracting-windows-event-logs-artifacts/SKILL.md @@ -4,7 +4,7 @@ description: Extract, parse, and analyze Windows Event Logs (EVTX) using Chainsa domain: cybersecurity subdomain: digital-forensics tags: [forensics, windows-event-logs, evtx, chainsaw, hayabusa, sigma-rules, incident-response] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1070", "T1059", "T1547"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/implementing-cloud-waf-rules/SKILL.md b/skills/implementing-cloud-waf-rules/SKILL.md index fd8991a9..02a601d8 100644 --- a/skills/implementing-cloud-waf-rules/SKILL.md +++ b/skills/implementing-cloud-waf-rules/SKILL.md @@ -8,7 +8,7 @@ description: > false positives through rule tuning and logging analysis. domain: cybersecurity subdomain: cloud-security -tags: [cloud-waf, aws-waf, azure-waf, cloudflare-waf, owasp-protection, rate-limiting] +tags: [cloud-waf, aws-waf, owasp-protection, rate-limiting, geo-blocking] version: 1.0.0 author: mahipal license: Apache-2.0 @@ -265,7 +265,7 @@ After 7-14 days of Count mode with acceptable false positive rates, switch manag ## Output Format -```text +``` Cloud WAF Configuration Report ================================ Web ACL: production-waf diff --git a/skills/implementing-endpoint-detection-with-wazuh/SKILL.md b/skills/implementing-endpoint-detection-with-wazuh/SKILL.md index c2369676..cbd291fb 100644 --- a/skills/implementing-endpoint-detection-with-wazuh/SKILL.md +++ b/skills/implementing-endpoint-detection-with-wazuh/SKILL.md @@ -4,7 +4,7 @@ description: Deploy and configure Wazuh SIEM/XDR for endpoint detection includin domain: cybersecurity subdomain: security-operations tags: [siem, xdr, wazuh, endpoint-detection, custom-rules, incident-response] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1547", "T1053", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/implementing-ot-incident-response-playbook/SKILL.md b/skills/implementing-ot-incident-response-playbook/SKILL.md index 6de03232..757c67df 100644 --- a/skills/implementing-ot-incident-response-playbook/SKILL.md +++ b/skills/implementing-ot-incident-response-playbook/SKILL.md @@ -8,7 +8,6 @@ description: > domain: cybersecurity subdomain: ot-ics-security tags: [ot-security, ics, incident-response, playbook, sans, iec62443, nist, safety-critical] -mitre_attack: ["T1190", "T1566", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/implementing-patch-management-for-ot-systems/SKILL.md b/skills/implementing-patch-management-for-ot-systems/SKILL.md index 2478c6a1..d45c8f90 100644 --- a/skills/implementing-patch-management-for-ot-systems/SKILL.md +++ b/skills/implementing-patch-management-for-ot-systems/SKILL.md @@ -10,7 +10,6 @@ description: > domain: cybersecurity subdomain: ot-ics-security tags: [ot-security, ics, scada, industrial-control, iec62443, patch-management, vulnerability-management] -mitre_attack: ["T1190", "T1059", "T1078"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/implementing-ransomware-backup-strategy/SKILL.md b/skills/implementing-ransomware-backup-strategy/SKILL.md index 8d3e1f32..0390e648 100644 --- a/skills/implementing-ransomware-backup-strategy/SKILL.md +++ b/skills/implementing-ransomware-backup-strategy/SKILL.md @@ -11,7 +11,7 @@ description: > domain: cybersecurity subdomain: ransomware-defense tags: [ransomware, backup, incident-response, defense, recovery, immutable-storage] -mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"] +mitre_attack: ["T1486", "T1490", "T1489"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/implementing-soar-automation-with-phantom/SKILL.md b/skills/implementing-soar-automation-with-phantom/SKILL.md index a2ea0aa2..792bc9d1 100644 --- a/skills/implementing-soar-automation-with-phantom/SKILL.md +++ b/skills/implementing-soar-automation-with-phantom/SKILL.md @@ -8,7 +8,7 @@ description: > domain: cybersecurity subdomain: soc-operations tags: [soc, soar, phantom, splunk-soar, automation, playbook, orchestration, incident-response] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1566", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/implementing-soar-playbook-for-phishing/SKILL.md b/skills/implementing-soar-playbook-for-phishing/SKILL.md index cacc0e67..15d1a54c 100644 --- a/skills/implementing-soar-playbook-for-phishing/SKILL.md +++ b/skills/implementing-soar-playbook-for-phishing/SKILL.md @@ -4,7 +4,7 @@ description: Automate phishing incident response using Splunk SOAR REST API to c domain: cybersecurity subdomain: security-operations tags: [soar, splunk-phantom, phishing, incident-response] -mitre_attack: ["T1190", "T1566", "T1078"] +mitre_attack: ["T1566", "T1204", "T1534", "T1598"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md b/skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md index a2c8823c..5ef9a5dd 100644 --- a/skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md +++ b/skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md @@ -4,7 +4,7 @@ description: Implement automated incident response playbooks in Cortex XSOAR to domain: cybersecurity subdomain: soc-operations tags: [xsoar, soar, palo-alto, playbook, automation, incident-response, orchestration, cortex] -mitre_attack: ["T1190", "T1566", "T1078"] +mitre_attack: ["T1566", "T1204", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/implementing-zero-trust-network-access/SKILL.md b/skills/implementing-zero-trust-network-access/SKILL.md index 0e732573..f30f8c28 100644 --- a/skills/implementing-zero-trust-network-access/SKILL.md +++ b/skills/implementing-zero-trust-network-access/SKILL.md @@ -1,10 +1,10 @@ --- name: implementing-zero-trust-network-access description: > - Implementing Zero Trust Network Access (ZTNA) in cloud environments by configuring - identity-aware proxies, micro-segmentation, continuous verification with conditional - access policies, and replacing traditional VPN-based access with BeyondCorp-style - architectures across AWS, Azure, and GCP. + Implementing Zero Trust Network Access (ZTNA) in cloud environments by deploying + GCP Identity-Aware Proxy, AWS Verified Access, and Azure Conditional Access with + Private Link. Covers micro-segmentation with security groups and Kubernetes network + policies, and replacing traditional VPN-based access with identity-based controls. domain: cybersecurity subdomain: cloud-security tags: [cloud-security, zero-trust, ztna, beyondcorp, identity-aware-proxy, micro-segmentation] diff --git a/skills/investigating-phishing-email-incident/SKILL.md b/skills/investigating-phishing-email-incident/SKILL.md index 65392f4c..7bc1a517 100644 --- a/skills/investigating-phishing-email-incident/SKILL.md +++ b/skills/investigating-phishing-email-incident/SKILL.md @@ -8,7 +8,7 @@ description: > domain: cybersecurity subdomain: soc-operations tags: [soc, phishing, incident-response, email-security, splunk, defender, sandbox] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1566", "T1204", "T1534", "T1598"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/investigating-ransomware-attack-artifacts/SKILL.md b/skills/investigating-ransomware-attack-artifacts/SKILL.md index 451ac88e..6943c0ba 100644 --- a/skills/investigating-ransomware-attack-artifacts/SKILL.md +++ b/skills/investigating-ransomware-attack-artifacts/SKILL.md @@ -4,7 +4,7 @@ description: Identify, collect, and analyze ransomware attack artifacts to deter domain: cybersecurity subdomain: digital-forensics tags: [forensics, ransomware, malware-analysis, incident-response, encryption-recovery, evidence-collection] -mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"] +mitre_attack: ["T1486", "T1490", "T1489", "T1570"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-cloud-forensics-investigation/SKILL.md b/skills/performing-cloud-forensics-investigation/SKILL.md index dddc1eee..3f7bb958 100644 --- a/skills/performing-cloud-forensics-investigation/SKILL.md +++ b/skills/performing-cloud-forensics-investigation/SKILL.md @@ -4,7 +4,7 @@ description: Conduct forensic investigations in cloud environments by collecting domain: cybersecurity subdomain: digital-forensics tags: [forensics, cloud-forensics, aws, azure, gcp, incident-response, log-analysis] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1078", "T1537", "T1580"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md b/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md index 6cf2bf70..7c1dabc7 100644 --- a/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md +++ b/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md @@ -4,7 +4,7 @@ description: Perform forensic investigation of AWS environments using CloudTrail domain: cybersecurity subdomain: cloud-security tags: [cloud-security, aws, cloudtrail, forensics, incident-response, dfir, boto3, s3] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1078", "T1098", "T1537", "T1562"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-malware-persistence-investigation/SKILL.md b/skills/performing-malware-persistence-investigation/SKILL.md index 866cd5ab..647ce2c7 100644 --- a/skills/performing-malware-persistence-investigation/SKILL.md +++ b/skills/performing-malware-persistence-investigation/SKILL.md @@ -4,7 +4,7 @@ description: Systematically investigate all persistence mechanisms on Windows an domain: cybersecurity subdomain: digital-forensics tags: [forensics, malware-persistence, autoruns, registry, scheduled-tasks, rootkit-detection, incident-response] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1547", "T1053", "T1543", "T1574"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md b/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md index f65e59d0..1da74d8d 100644 --- a/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md +++ b/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md @@ -4,7 +4,7 @@ description: Analyze memory dumps using Volatility3 plugins to detect injected c domain: cybersecurity subdomain: malware-analysis tags: [memory-forensics, volatility3, malware-analysis, incident-response, process-injection, rootkit-detection, dfir] -mitre_attack: ["T1003", "T1055", "T1620", "T1574"] +mitre_attack: ["T1003", "T1055", "T1620"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-soc-tabletop-exercise/SKILL.md b/skills/performing-soc-tabletop-exercise/SKILL.md index ce98f379..c5bec820 100644 --- a/skills/performing-soc-tabletop-exercise/SKILL.md +++ b/skills/performing-soc-tabletop-exercise/SKILL.md @@ -8,7 +8,7 @@ description: > domain: cybersecurity subdomain: soc-operations tags: [soc, tabletop, exercise, incident-response, training, nist, playbook-validation] -mitre_attack: ["T1190", "T1059", "T1078"] +mitre_attack: ["T1566", "T1486", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools/SKILL.md b/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools/SKILL.md index 8e5cad66..dbafc21c 100644 --- a/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools/SKILL.md +++ b/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools/SKILL.md @@ -4,7 +4,6 @@ description: Perform comprehensive Windows forensic artifact analysis using Eric domain: cybersecurity subdomain: digital-forensics tags: [eric-zimmerman, ez-tools, kape, mftecmd, pecmd, lecmd, jlecmd, registry-forensics, windows-forensics, timeline-explorer, dfir, artifact-analysis] -mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/recovering-from-ransomware-attack/SKILL.md b/skills/recovering-from-ransomware-attack/SKILL.md index 83f0ea18..764c8120 100644 --- a/skills/recovering-from-ransomware-attack/SKILL.md +++ b/skills/recovering-from-ransomware-attack/SKILL.md @@ -11,7 +11,7 @@ description: > domain: cybersecurity subdomain: ransomware-defense tags: [ransomware, recovery, incident-response, backup, defense] -mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"] +mitre_attack: ["T1486", "T1490", "T1489"] version: 1.0.0 author: mahipal license: Apache-2.0 From 100361c3e5034e665c18722622c18dd796cb2f70 Mon Sep 17 00:00:00 2001 From: MAGI Date: Tue, 17 Mar 2026 22:12:07 -0600 Subject: [PATCH 3/6] Scope fix: remove mitre_attack from 24 non-incident-response skills, use sub-techniques - Removed mitre_attack from digital-forensics, cloud-security, malware-analysis, endpoint-security, threat-hunting, ransomware-defense, phishing-defense, and security-operations subdomain skills (out of PR scope per issue #1) - Applied sub-technique IDs where appropriate (T1566.001, T1003.001, etc.) - Only incident-response and soc-operations skills retain mappings --- skills/analyzing-malware-persistence-with-autoruns/SKILL.md | 1 - skills/analyzing-memory-dumps-with-volatility/SKILL.md | 1 - skills/analyzing-persistence-mechanisms-in-linux/SKILL.md | 1 - skills/analyzing-windows-prefetch-with-python/SKILL.md | 1 - skills/building-phishing-reporting-button-workflow/SKILL.md | 1 - skills/deploying-osquery-for-endpoint-monitoring/SKILL.md | 1 - skills/detecting-aws-guardduty-findings-automation/SKILL.md | 1 - skills/detecting-compromised-cloud-credentials/SKILL.md | 1 - skills/detecting-ransomware-precursors-in-network/SKILL.md | 1 - skills/extracting-credentials-from-memory-dump/SKILL.md | 1 - skills/extracting-windows-event-logs-artifacts/SKILL.md | 1 - skills/implementing-endpoint-detection-with-wazuh/SKILL.md | 1 - skills/implementing-ransomware-backup-strategy/SKILL.md | 1 - skills/implementing-soar-playbook-for-phishing/SKILL.md | 1 - skills/investigating-phishing-email-incident/SKILL.md | 2 +- skills/investigating-ransomware-attack-artifacts/SKILL.md | 1 - skills/performing-cloud-forensics-investigation/SKILL.md | 1 - skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md | 1 - .../performing-malware-hash-enrichment-with-virustotal/SKILL.md | 1 - skills/performing-malware-persistence-investigation/SKILL.md | 1 - .../SKILL.md | 1 - skills/performing-memory-forensics-with-volatility3/SKILL.md | 1 - skills/performing-ransomware-tabletop-exercise/SKILL.md | 1 - skills/recovering-from-ransomware-attack/SKILL.md | 1 - 24 files changed, 1 insertion(+), 24 deletions(-) diff --git a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md index c6e4b0d4..0c61e66d 100644 --- a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md +++ b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md @@ -4,7 +4,6 @@ description: Use Sysinternals Autoruns to systematically identify and analyze ma domain: cybersecurity subdomain: malware-analysis tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response] -mitre_attack: ["T1547", "T1053", "T1543", "T1574"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-memory-dumps-with-volatility/SKILL.md b/skills/analyzing-memory-dumps-with-volatility/SKILL.md index 9035f8e1..93356ee2 100644 --- a/skills/analyzing-memory-dumps-with-volatility/SKILL.md +++ b/skills/analyzing-memory-dumps-with-volatility/SKILL.md @@ -9,7 +9,6 @@ description: > domain: cybersecurity subdomain: malware-analysis tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response] -mitre_attack: ["T1003", "T1055", "T1620", "T1574"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md index 0849bcab..1611915b 100644 --- a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md +++ b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md @@ -4,7 +4,6 @@ description: Detect and analyze Linux persistence mechanisms including crontab e domain: cybersecurity subdomain: threat-hunting tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response] -mitre_attack: ["T1053", "T1543", "T1574", "T1546"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-windows-prefetch-with-python/SKILL.md b/skills/analyzing-windows-prefetch-with-python/SKILL.md index b6f54efa..8d817429 100644 --- a/skills/analyzing-windows-prefetch-with-python/SKILL.md +++ b/skills/analyzing-windows-prefetch-with-python/SKILL.md @@ -4,7 +4,6 @@ description: Parse Windows Prefetch files using the windowsprefetch Python libra domain: cybersecurity subdomain: digital-forensics tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis] -mitre_attack: ["T1059", "T1204", "T1036", "T1070.004"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/building-phishing-reporting-button-workflow/SKILL.md b/skills/building-phishing-reporting-button-workflow/SKILL.md index 8eac7357..9ece3dfc 100644 --- a/skills/building-phishing-reporting-button-workflow/SKILL.md +++ b/skills/building-phishing-reporting-button-workflow/SKILL.md @@ -4,7 +4,6 @@ description: Implement a phishing report button in email clients with automated domain: cybersecurity subdomain: phishing-defense tags: [phishing-reporting, email-security, incident-response, security-awareness, outlook, microsoft-365, soar] -mitre_attack: ["T1566", "T1204", "T1534"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md b/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md index 12bf02b2..7418822a 100644 --- a/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md +++ b/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md @@ -9,7 +9,6 @@ description: > domain: cybersecurity subdomain: endpoint-security tags: [endpoint, osquery, endpoint-monitoring, threat-hunting, fleet-management] -mitre_attack: ["T1547", "T1053", "T1543", "T1059"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/detecting-aws-guardduty-findings-automation/SKILL.md b/skills/detecting-aws-guardduty-findings-automation/SKILL.md index 8f826c23..62a99ffa 100644 --- a/skills/detecting-aws-guardduty-findings-automation/SKILL.md +++ b/skills/detecting-aws-guardduty-findings-automation/SKILL.md @@ -4,7 +4,6 @@ description: Automate AWS GuardDuty threat detection findings processing using E domain: cybersecurity subdomain: cloud-security tags: [aws, guardduty, eventbridge, lambda, threat-detection, automation, incident-response, siem] -mitre_attack: ["T1078", "T1537", "T1580"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/detecting-compromised-cloud-credentials/SKILL.md b/skills/detecting-compromised-cloud-credentials/SKILL.md index 5d56505d..8ad595a4 100644 --- a/skills/detecting-compromised-cloud-credentials/SKILL.md +++ b/skills/detecting-compromised-cloud-credentials/SKILL.md @@ -8,7 +8,6 @@ description: > domain: cybersecurity subdomain: cloud-security tags: [cloud-security, credential-compromise, threat-detection, guardduty, incident-response, anomaly-detection] -mitre_attack: ["T1078", "T1528", "T1550"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/detecting-ransomware-precursors-in-network/SKILL.md b/skills/detecting-ransomware-precursors-in-network/SKILL.md index c7881cec..87c096c7 100644 --- a/skills/detecting-ransomware-precursors-in-network/SKILL.md +++ b/skills/detecting-ransomware-precursors-in-network/SKILL.md @@ -11,7 +11,6 @@ description: > domain: cybersecurity subdomain: ransomware-defense tags: [ransomware, detection, network-security, incident-response, defense] -mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/extracting-credentials-from-memory-dump/SKILL.md b/skills/extracting-credentials-from-memory-dump/SKILL.md index ca676d16..f0e60b50 100644 --- a/skills/extracting-credentials-from-memory-dump/SKILL.md +++ b/skills/extracting-credentials-from-memory-dump/SKILL.md @@ -4,7 +4,6 @@ description: Extract cached credentials, password hashes, Kerberos tickets, and domain: cybersecurity subdomain: digital-forensics tags: [forensics, credential-extraction, memory-forensics, volatility, mimikatz, password-hashes, incident-response] -mitre_attack: ["T1003", "T1558", "T1550"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/extracting-windows-event-logs-artifacts/SKILL.md b/skills/extracting-windows-event-logs-artifacts/SKILL.md index 0a71c8d9..195136a0 100644 --- a/skills/extracting-windows-event-logs-artifacts/SKILL.md +++ b/skills/extracting-windows-event-logs-artifacts/SKILL.md @@ -4,7 +4,6 @@ description: Extract, parse, and analyze Windows Event Logs (EVTX) using Chainsa domain: cybersecurity subdomain: digital-forensics tags: [forensics, windows-event-logs, evtx, chainsaw, hayabusa, sigma-rules, incident-response] -mitre_attack: ["T1070", "T1059", "T1547"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/implementing-endpoint-detection-with-wazuh/SKILL.md b/skills/implementing-endpoint-detection-with-wazuh/SKILL.md index cbd291fb..79275208 100644 --- a/skills/implementing-endpoint-detection-with-wazuh/SKILL.md +++ b/skills/implementing-endpoint-detection-with-wazuh/SKILL.md @@ -4,7 +4,6 @@ description: Deploy and configure Wazuh SIEM/XDR for endpoint detection includin domain: cybersecurity subdomain: security-operations tags: [siem, xdr, wazuh, endpoint-detection, custom-rules, incident-response] -mitre_attack: ["T1547", "T1053", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/implementing-ransomware-backup-strategy/SKILL.md b/skills/implementing-ransomware-backup-strategy/SKILL.md index 0390e648..8912a6dd 100644 --- a/skills/implementing-ransomware-backup-strategy/SKILL.md +++ b/skills/implementing-ransomware-backup-strategy/SKILL.md @@ -11,7 +11,6 @@ description: > domain: cybersecurity subdomain: ransomware-defense tags: [ransomware, backup, incident-response, defense, recovery, immutable-storage] -mitre_attack: ["T1486", "T1490", "T1489"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/implementing-soar-playbook-for-phishing/SKILL.md b/skills/implementing-soar-playbook-for-phishing/SKILL.md index 15d1a54c..f914f665 100644 --- a/skills/implementing-soar-playbook-for-phishing/SKILL.md +++ b/skills/implementing-soar-playbook-for-phishing/SKILL.md @@ -4,7 +4,6 @@ description: Automate phishing incident response using Splunk SOAR REST API to c domain: cybersecurity subdomain: security-operations tags: [soar, splunk-phantom, phishing, incident-response] -mitre_attack: ["T1566", "T1204", "T1534", "T1598"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/investigating-phishing-email-incident/SKILL.md b/skills/investigating-phishing-email-incident/SKILL.md index 7bc1a517..6950fb49 100644 --- a/skills/investigating-phishing-email-incident/SKILL.md +++ b/skills/investigating-phishing-email-incident/SKILL.md @@ -8,7 +8,7 @@ description: > domain: cybersecurity subdomain: soc-operations tags: [soc, phishing, incident-response, email-security, splunk, defender, sandbox] -mitre_attack: ["T1566", "T1204", "T1534", "T1598"] +mitre_attack: ["T1566.001", "T1566.002", "T1204.001", "T1598.003"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/investigating-ransomware-attack-artifacts/SKILL.md b/skills/investigating-ransomware-attack-artifacts/SKILL.md index 6943c0ba..74f4f223 100644 --- a/skills/investigating-ransomware-attack-artifacts/SKILL.md +++ b/skills/investigating-ransomware-attack-artifacts/SKILL.md @@ -4,7 +4,6 @@ description: Identify, collect, and analyze ransomware attack artifacts to deter domain: cybersecurity subdomain: digital-forensics tags: [forensics, ransomware, malware-analysis, incident-response, encryption-recovery, evidence-collection] -mitre_attack: ["T1486", "T1490", "T1489", "T1570"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-cloud-forensics-investigation/SKILL.md b/skills/performing-cloud-forensics-investigation/SKILL.md index 3f7bb958..268a39c0 100644 --- a/skills/performing-cloud-forensics-investigation/SKILL.md +++ b/skills/performing-cloud-forensics-investigation/SKILL.md @@ -4,7 +4,6 @@ description: Conduct forensic investigations in cloud environments by collecting domain: cybersecurity subdomain: digital-forensics tags: [forensics, cloud-forensics, aws, azure, gcp, incident-response, log-analysis] -mitre_attack: ["T1078", "T1537", "T1580"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md b/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md index 7c1dabc7..6c2536e7 100644 --- a/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md +++ b/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md @@ -4,7 +4,6 @@ description: Perform forensic investigation of AWS environments using CloudTrail domain: cybersecurity subdomain: cloud-security tags: [cloud-security, aws, cloudtrail, forensics, incident-response, dfir, boto3, s3] -mitre_attack: ["T1078", "T1098", "T1537", "T1562"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md b/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md index e307bab7..baaa76d5 100644 --- a/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md +++ b/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md @@ -4,7 +4,6 @@ description: Enrich malware file hashes using the VirusTotal API to retrieve det domain: cybersecurity subdomain: threat-intelligence tags: [virustotal, malware-analysis, hash-enrichment, ioc, threat-intelligence, triage, api, detection] -mitre_attack: ["T1190", "T1059", "T1078"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-malware-persistence-investigation/SKILL.md b/skills/performing-malware-persistence-investigation/SKILL.md index 647ce2c7..738c1432 100644 --- a/skills/performing-malware-persistence-investigation/SKILL.md +++ b/skills/performing-malware-persistence-investigation/SKILL.md @@ -4,7 +4,6 @@ description: Systematically investigate all persistence mechanisms on Windows an domain: cybersecurity subdomain: digital-forensics tags: [forensics, malware-persistence, autoruns, registry, scheduled-tasks, rootkit-detection, incident-response] -mitre_attack: ["T1547", "T1053", "T1543", "T1574"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md b/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md index 1da74d8d..5ab93348 100644 --- a/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md +++ b/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md @@ -4,7 +4,6 @@ description: Analyze memory dumps using Volatility3 plugins to detect injected c domain: cybersecurity subdomain: malware-analysis tags: [memory-forensics, volatility3, malware-analysis, incident-response, process-injection, rootkit-detection, dfir] -mitre_attack: ["T1003", "T1055", "T1620"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-memory-forensics-with-volatility3/SKILL.md b/skills/performing-memory-forensics-with-volatility3/SKILL.md index 9ea9591b..ccc5cd98 100644 --- a/skills/performing-memory-forensics-with-volatility3/SKILL.md +++ b/skills/performing-memory-forensics-with-volatility3/SKILL.md @@ -4,7 +4,6 @@ description: Analyze volatile memory dumps using Volatility 3 to extract running domain: cybersecurity subdomain: digital-forensics tags: [forensics, memory-forensics, volatility, ram-analysis, malware-detection, incident-response] -mitre_attack: ["T1003", "T1055", "T1620", "T1574"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-ransomware-tabletop-exercise/SKILL.md b/skills/performing-ransomware-tabletop-exercise/SKILL.md index dab637d7..0e53a479 100644 --- a/skills/performing-ransomware-tabletop-exercise/SKILL.md +++ b/skills/performing-ransomware-tabletop-exercise/SKILL.md @@ -11,7 +11,6 @@ description: > domain: cybersecurity subdomain: ransomware-defense tags: [ransomware, incident-response, tabletop-exercise, defense, preparedness] -mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/recovering-from-ransomware-attack/SKILL.md b/skills/recovering-from-ransomware-attack/SKILL.md index 764c8120..f232c90e 100644 --- a/skills/recovering-from-ransomware-attack/SKILL.md +++ b/skills/recovering-from-ransomware-attack/SKILL.md @@ -11,7 +11,6 @@ description: > domain: cybersecurity subdomain: ransomware-defense tags: [ransomware, recovery, incident-response, backup, defense] -mitre_attack: ["T1486", "T1490", "T1489"] version: 1.0.0 author: mahipal license: Apache-2.0 From 15d53bd09bf521539bbe45d56e9cf5a0d37217be Mon Sep 17 00:00:00 2001 From: MAGI Date: Wed, 18 Mar 2026 10:39:19 -0600 Subject: [PATCH 4/6] Fix MITRE ATT&CK mappings per CodeRabbit review: align techniques to skill content - analyzing-malware-persistence-with-autoruns: add persistence techniques T1547, T1053, T1543, T1546 - analyzing-memory-dumps-with-volatility: add memory forensics techniques T1055, T1003, T1059, T1620 - analyzing-persistence-mechanisms-in-linux: add Linux-specific sub-techniques T1053.003, T1543.002, T1574.006, T1546.004 - analyzing-windows-prefetch-with-python: add execution techniques T1059, T1204, T1036 - building-incident-response-dashboard: remove misaligned mitre_attack (dashboard is a visibility tool) - building-phishing-reporting-button-workflow: add phishing techniques T1566, T1204, T1534 - deobfuscating-powershell-obfuscated-malware: add PowerShell/obfuscation techniques T1059.001, T1027, T1140 --- skills/analyzing-malware-persistence-with-autoruns/SKILL.md | 1 + skills/analyzing-memory-dumps-with-volatility/SKILL.md | 1 + skills/analyzing-persistence-mechanisms-in-linux/SKILL.md | 1 + skills/analyzing-windows-prefetch-with-python/SKILL.md | 1 + skills/building-incident-response-dashboard/SKILL.md | 1 - skills/building-phishing-reporting-button-workflow/SKILL.md | 1 + skills/deobfuscating-powershell-obfuscated-malware/SKILL.md | 1 + 7 files changed, 6 insertions(+), 1 deletion(-) diff --git a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md index 0c61e66d..29e03be7 100644 --- a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md +++ b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md @@ -4,6 +4,7 @@ description: Use Sysinternals Autoruns to systematically identify and analyze ma domain: cybersecurity subdomain: malware-analysis tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response] +mitre_attack: ["T1547", "T1053", "T1543", "T1546"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-memory-dumps-with-volatility/SKILL.md b/skills/analyzing-memory-dumps-with-volatility/SKILL.md index 93356ee2..8681274a 100644 --- a/skills/analyzing-memory-dumps-with-volatility/SKILL.md +++ b/skills/analyzing-memory-dumps-with-volatility/SKILL.md @@ -9,6 +9,7 @@ description: > domain: cybersecurity subdomain: malware-analysis tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response] +mitre_attack: ["T1055", "T1003", "T1059", "T1620"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md index 1611915b..5d24a33c 100644 --- a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md +++ b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md @@ -4,6 +4,7 @@ description: Detect and analyze Linux persistence mechanisms including crontab e domain: cybersecurity subdomain: threat-hunting tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response] +mitre_attack: ["T1053.003", "T1543.002", "T1574.006", "T1546.004"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-windows-prefetch-with-python/SKILL.md b/skills/analyzing-windows-prefetch-with-python/SKILL.md index 8d817429..2d15cb1b 100644 --- a/skills/analyzing-windows-prefetch-with-python/SKILL.md +++ b/skills/analyzing-windows-prefetch-with-python/SKILL.md @@ -4,6 +4,7 @@ description: Parse Windows Prefetch files using the windowsprefetch Python libra domain: cybersecurity subdomain: digital-forensics tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis] +mitre_attack: ["T1059", "T1204", "T1036"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/building-incident-response-dashboard/SKILL.md b/skills/building-incident-response-dashboard/SKILL.md index 999413a5..78d0cb1c 100644 --- a/skills/building-incident-response-dashboard/SKILL.md +++ b/skills/building-incident-response-dashboard/SKILL.md @@ -8,7 +8,6 @@ description: > domain: cybersecurity subdomain: soc-operations tags: [soc, dashboard, incident-response, splunk, visualization, situational-awareness, metrics] -mitre_attack: ["T1190", "T1566", "T1486"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/building-phishing-reporting-button-workflow/SKILL.md b/skills/building-phishing-reporting-button-workflow/SKILL.md index 9ece3dfc..8eac7357 100644 --- a/skills/building-phishing-reporting-button-workflow/SKILL.md +++ b/skills/building-phishing-reporting-button-workflow/SKILL.md @@ -4,6 +4,7 @@ description: Implement a phishing report button in email clients with automated domain: cybersecurity subdomain: phishing-defense tags: [phishing-reporting, email-security, incident-response, security-awareness, outlook, microsoft-365, soar] +mitre_attack: ["T1566", "T1204", "T1534"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md b/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md index bdd42af2..e218178b 100644 --- a/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md +++ b/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md @@ -4,6 +4,7 @@ description: Systematically deobfuscate multi-layer PowerShell malware using AST domain: cybersecurity subdomain: malware-analysis tags: [powershell, deobfuscation, malware-analysis, scripting, obfuscation, ast-analysis, incident-response] +mitre_attack: ["T1059.001", "T1027", "T1140"] version: "1.0" author: mahipal license: Apache-2.0 From c7ad5e7b9837a9dcfdcf1ec0e6e9a99371248211 Mon Sep 17 00:00:00 2001 From: MAGI Date: Wed, 18 Mar 2026 10:39:30 -0600 Subject: [PATCH 5/6] Fix round 3: refine MITRE ATT&CK mappings per CodeRabbit review - osquery: replace broad IDs with concrete detections (T1049, T1620, T1053.003, T1548.001, T1552) - credential extraction: replace T1550 with T1552 (Unsecured Credentials) - persistence investigation: use sub-techniques (T1547.001, T1053.005, T1543.003, T1546.003) --- skills/deploying-osquery-for-endpoint-monitoring/SKILL.md | 1 + skills/extracting-credentials-from-memory-dump/SKILL.md | 1 + skills/performing-malware-persistence-investigation/SKILL.md | 1 + 3 files changed, 3 insertions(+) diff --git a/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md b/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md index 7418822a..61dd827d 100644 --- a/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md +++ b/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md @@ -9,6 +9,7 @@ description: > domain: cybersecurity subdomain: endpoint-security tags: [endpoint, osquery, endpoint-monitoring, threat-hunting, fleet-management] +mitre_attack: ["T1547", "T1049", "T1620", "T1053.003", "T1548.001", "T1552"] version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/extracting-credentials-from-memory-dump/SKILL.md b/skills/extracting-credentials-from-memory-dump/SKILL.md index f0e60b50..08d88395 100644 --- a/skills/extracting-credentials-from-memory-dump/SKILL.md +++ b/skills/extracting-credentials-from-memory-dump/SKILL.md @@ -4,6 +4,7 @@ description: Extract cached credentials, password hashes, Kerberos tickets, and domain: cybersecurity subdomain: digital-forensics tags: [forensics, credential-extraction, memory-forensics, volatility, mimikatz, password-hashes, incident-response] +mitre_attack: ["T1003", "T1558", "T1552"] version: "1.0" author: mahipal license: Apache-2.0 diff --git a/skills/performing-malware-persistence-investigation/SKILL.md b/skills/performing-malware-persistence-investigation/SKILL.md index 738c1432..00f1925b 100644 --- a/skills/performing-malware-persistence-investigation/SKILL.md +++ b/skills/performing-malware-persistence-investigation/SKILL.md @@ -4,6 +4,7 @@ description: Systematically investigate all persistence mechanisms on Windows an domain: cybersecurity subdomain: digital-forensics tags: [forensics, malware-persistence, autoruns, registry, scheduled-tasks, rootkit-detection, incident-response] +mitre_attack: ["T1547.001", "T1053.005", "T1543.003", "T1546.003", "T1574"] version: "1.0" author: mahipal license: Apache-2.0 From 84b4699e593e7eccfb6f72a2fe0ebbe05fc59f01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julio=20C=C3=A9sar=20Su=C3=A1stegui?= Date: Mon, 23 Mar 2026 15:01:16 -0600 Subject: [PATCH 6/6] fix: remove out-of-scope changes (cloud-waf tags, zero-trust description rewrite) --- skills/implementing-cloud-waf-rules/SKILL.md | 4 ++-- skills/implementing-zero-trust-network-access/SKILL.md | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/skills/implementing-cloud-waf-rules/SKILL.md b/skills/implementing-cloud-waf-rules/SKILL.md index 02a601d8..fd8991a9 100644 --- a/skills/implementing-cloud-waf-rules/SKILL.md +++ b/skills/implementing-cloud-waf-rules/SKILL.md @@ -8,7 +8,7 @@ description: > false positives through rule tuning and logging analysis. domain: cybersecurity subdomain: cloud-security -tags: [cloud-waf, aws-waf, owasp-protection, rate-limiting, geo-blocking] +tags: [cloud-waf, aws-waf, azure-waf, cloudflare-waf, owasp-protection, rate-limiting] version: 1.0.0 author: mahipal license: Apache-2.0 @@ -265,7 +265,7 @@ After 7-14 days of Count mode with acceptable false positive rates, switch manag ## Output Format -``` +```text Cloud WAF Configuration Report ================================ Web ACL: production-waf diff --git a/skills/implementing-zero-trust-network-access/SKILL.md b/skills/implementing-zero-trust-network-access/SKILL.md index f30f8c28..0e732573 100644 --- a/skills/implementing-zero-trust-network-access/SKILL.md +++ b/skills/implementing-zero-trust-network-access/SKILL.md @@ -1,10 +1,10 @@ --- name: implementing-zero-trust-network-access description: > - Implementing Zero Trust Network Access (ZTNA) in cloud environments by deploying - GCP Identity-Aware Proxy, AWS Verified Access, and Azure Conditional Access with - Private Link. Covers micro-segmentation with security groups and Kubernetes network - policies, and replacing traditional VPN-based access with identity-based controls. + Implementing Zero Trust Network Access (ZTNA) in cloud environments by configuring + identity-aware proxies, micro-segmentation, continuous verification with conditional + access policies, and replacing traditional VPN-based access with BeyondCorp-style + architectures across AWS, Azure, and GCP. domain: cybersecurity subdomain: cloud-security tags: [cloud-security, zero-trust, ztna, beyondcorp, identity-aware-proxy, micro-segmentation]