Add MITRE ATT&CK technique IDs to 60 incident-response skills (fixes #1)

2026-06-11 13:44:56 +03:00 · 2026-03-17 10:36:33 -06:00
parent 0fbcbdf8dd
commit 5e62a7ea2c
57 changed files with 57 additions and 0 deletions
@@ -4,6 +4,7 @@ description: Use Sysinternals Autoruns to systematically identify and analyze ma
 domain: cybersecurity
 subdomain: malware-analysis
 tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -9,6 +9,7 @@ description: >
 domain: cybersecurity
 subdomain: malware-analysis
 tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [network-forensics, PCAP-analysis, Wireshark, Zeek, traffic-analysis]
+mitre_attack: ["T1071", "T1095", "T1573", "T1572"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Detect and analyze Linux persistence mechanisms including crontab e
 domain: cybersecurity
 subdomain: threat-hunting
 tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [splunk, SPL, SIEM, log-analysis, security-monitoring]
+mitre_attack: ["T1070", "T1562", "T1059"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Parse Windows Prefetch files using the windowsprefetch Python libra
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -8,6 +8,7 @@ description: >
 domain: cybersecurity
 subdomain: soc-operations
 tags: [soc, dashboard, incident-response, splunk, visualization, situational-awareness, metrics]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [IR-playbook, runbook, NIST-800-61, SOAR-integration, response-procedures]
+mitre_attack: ["T1190", "T1566", "T1078"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Build collaborative forensic incident timelines using Timesketch to
 domain: cybersecurity
 subdomain: incident-response
 tags: [timesketch, timeline-analysis, forensic-timeline, plaso, dfir, incident-investigation, collaborative-forensics]
+mitre_attack: ["T1070", "T1059", "T1053"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Build structured communication templates for malware incidents incl
 domain: cybersecurity
 subdomain: incident-response
 tags: [incident-communication, malware-response, stakeholder-notification, crisis-communication, executive-briefing, regulatory-disclosure]
+mitre_attack: ["T1566", "T1204", "T1027"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Implement a phishing report button in email clients with automated
 domain: cybersecurity
 subdomain: phishing-defense
 tags: [phishing-reporting, email-security, incident-response, security-awareness, outlook, microsoft-365, soar]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -8,6 +8,7 @@ description: >
 domain: cybersecurity
 subdomain: soc-operations
 tags: [soc, ransomware, incident-response, playbook, nist, mitre-attack, containment]
+mitre_attack: ["T1190", "T1566", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [IOC-collection, threat-indicators, STIX-TAXII, MISP, threat-intelligence-sharing]
+mitre_attack: ["T1071", "T1059", "T1547", "T1053"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Collect volatile forensic evidence from a compromised system follow
 domain: cybersecurity
 subdomain: incident-response
 tags: [incident-response, dfir, forensics, volatile-evidence, memory-forensics, chain-of-custody]
+mitre_attack: ["T1003", "T1055", "T1059", "T1547"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -9,6 +9,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [cloud-IR, AWS-forensics, Azure-incident-response, GCP-security, identity-containment]
+mitre_attack: ["T1078", "T1537", "T1580", "T1525"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [malware-response, malware-analysis, eradication, endpoint-remediation, MITRE-ATT&CK]
+mitre_attack: ["T1204", "T1027", "T1055", "T1059", "T1486"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [memory-forensics, volatility, RAM-analysis, process-injection, DFIR]
+mitre_attack: ["T1003", "T1055", "T1620", "T1574"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [phishing-response, email-security, credential-compromise, email-header-analysis, mailbox-remediation]
+mitre_attack: ["T1566", "T1204", "T1534", "T1598"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Facilitate structured post-incident reviews to identify root causes
 domain: cybersecurity
 subdomain: incident-response
 tags: [incident-response, lessons-learned, post-incident, after-action-review, process-improvement]
+mitre_attack: ["T1190", "T1566", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [breach-containment, lateral-movement, network-isolation, credential-revocation, live-response]
+mitre_attack: ["T1021", "T1570", "T1210", "T1072"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Systematically deobfuscate multi-layer PowerShell malware using AST
 domain: cybersecurity
 subdomain: malware-analysis
 tags: [powershell, deobfuscation, malware-analysis, scripting, obfuscation, ast-analysis, incident-response]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -9,6 +9,7 @@ description: >
 domain: cybersecurity
 subdomain: endpoint-security
 tags: [endpoint, osquery, endpoint-monitoring, threat-hunting, fleet-management]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -11,6 +11,7 @@ description: >
 domain: cybersecurity
 subdomain: ot-ics-security
 tags: [ot-security, ics, scada, industrial-control, iec62443, intrusion-detection, threat-detection]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Automate AWS GuardDuty threat detection findings processing using E
 domain: cybersecurity
 subdomain: cloud-security
 tags: [aws, guardduty, eventbridge, lambda, threat-detection, automation, incident-response, siem]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -8,6 +8,7 @@ description: >
 domain: cybersecurity
 subdomain: cloud-security
 tags: [cloud-security, credential-compromise, threat-detection, guardduty, incident-response, anomaly-detection]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Detect compromised O365 and Google Workspace email accounts by anal
 domain: cybersecurity
 subdomain: incident-response
 tags: [email-compromise, office365, microsoft-graph, bec, inbox-rules, sign-in-analysis, account-takeover]
+mitre_attack: ["T1114", "T1566", "T1078", "T1534"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -11,6 +11,7 @@ description: >
 domain: cybersecurity
 subdomain: ransomware-defense
 tags: [ransomware, detection, network-security, incident-response, defense]
+mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Systematically remove malware, backdoors, and attacker persistence
 domain: cybersecurity
 subdomain: incident-response
 tags: [incident-response, eradication, malware-removal, persistence, dfir]
+mitre_attack: ["T1547", "T1053", "T1543", "T1574"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Extract cached credentials, password hashes, Kerberos tickets, and
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, credential-extraction, memory-forensics, volatility, mimikatz, password-hashes, incident-response]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Extract, parse, and analyze Windows Event Logs (EVTX) using Chainsa
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, windows-event-logs, evtx, chainsaw, hayabusa, sigma-rules, incident-response]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Deploy and configure Wazuh SIEM/XDR for endpoint detection includin
 domain: cybersecurity
 subdomain: security-operations
 tags: [siem, xdr, wazuh, endpoint-detection, custom-rules, incident-response]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -8,6 +8,7 @@ description: >
 domain: cybersecurity
 subdomain: ot-ics-security
 tags: [ot-security, ics, incident-response, playbook, sans, iec62443, nist, safety-critical]
+mitre_attack: ["T1190", "T1566", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: ot-ics-security
 tags: [ot-security, ics, scada, industrial-control, iec62443, patch-management, vulnerability-management]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -11,6 +11,7 @@ description: >
 domain: cybersecurity
 subdomain: ransomware-defense
 tags: [ransomware, backup, incident-response, defense, recovery, immutable-storage]
+mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -8,6 +8,7 @@ description: >
 domain: cybersecurity
 subdomain: soc-operations
 tags: [soc, soar, phantom, splunk-soar, automation, playbook, orchestration, incident-response]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Automate phishing incident response using Splunk SOAR REST API to c
 domain: cybersecurity
 subdomain: security-operations
 tags: [soar, splunk-phantom, phishing, incident-response]
+mitre_attack: ["T1190", "T1566", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Implement automated incident response playbooks in Cortex XSOAR to
 domain: cybersecurity
 subdomain: soc-operations
 tags: [xsoar, soar, palo-alto, playbook, automation, incident-response, orchestration, cortex]
+mitre_attack: ["T1190", "T1566", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Deploy and configure Velociraptor for scalable endpoint forensic ar
 domain: cybersecurity
 subdomain: incident-response
 tags: [velociraptor, dfir, endpoint-collection, vql, forensic-artifacts, rapid7, threat-hunting, incident-response]
+mitre_attack: ["T1059", "T1003", "T1070", "T1547"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -8,6 +8,7 @@ description: >
 domain: cybersecurity
 subdomain: soc-operations
 tags: [soc, phishing, incident-response, email-security, splunk, defender, sandbox]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Identify, collect, and analyze ransomware attack artifacts to deter
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, ransomware, malware-analysis, incident-response, encryption-recovery, evidence-collection]
+mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Investigate Active Directory compromise by analyzing authentication
 domain: cybersecurity
 subdomain: incident-response
 tags: [active-directory, compromise-investigation, identity-forensics, kerberos, lateral-movement, dfir, ntds-dit, golden-ticket]
+mitre_attack: ["T1003", "T1558", "T1021", "T1078", "T1484"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Conduct forensic investigations in cloud environments by collecting
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, cloud-forensics, aws, azure, gcp, incident-response, log-analysis]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Perform forensic investigation of AWS environments using CloudTrail
 domain: cybersecurity
 subdomain: cloud-security
 tags: [cloud-security, aws, cloudtrail, forensics, incident-response, dfir, boto3, s3]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Execute cloud-native incident containment across AWS, Azure, and GC
 domain: cybersecurity
 subdomain: incident-response
 tags: [cloud-security, incident-containment, aws, azure, gcp, cloud-forensics, credential-revocation, network-isolation]
+mitre_attack: ["T1078", "T1537", "T1580", "T1525", "T1098"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [disk-forensics, forensic-imaging, evidence-acquisition, file-recovery, chain-of-custody]
+mitre_attack: ["T1070", "T1027", "T1036", "T1564"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [insider-threat, user-behavior-analytics, data-exfiltration, privilege-misuse, DFIR]
+mitre_attack: ["T1078", "T1048", "T1567", "T1114"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Enrich malware file hashes using the VirusTotal API to retrieve det
 domain: cybersecurity
 subdomain: threat-intelligence
 tags: [virustotal, malware-analysis, hash-enrichment, ioc, threat-intelligence, triage, api, detection]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Systematically investigate all persistence mechanisms on Windows an
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, malware-persistence, autoruns, registry, scheduled-tasks, rootkit-detection, incident-response]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Analyze memory dumps using Volatility3 plugins to detect injected c
 domain: cybersecurity
 subdomain: malware-analysis
 tags: [memory-forensics, volatility3, malware-analysis, incident-response, process-injection, rootkit-detection, dfir]
+mitre_attack: ["T1003", "T1055", "T1620", "T1574"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Analyze volatile memory dumps using Volatility 3 to extract running
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, memory-forensics, volatility, ram-analysis, malware-detection, incident-response]
+mitre_attack: ["T1003", "T1055", "T1620", "T1574"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [ransomware, encryption-recovery, backup-restoration, ransom-negotiation, CISA-guidance]
+mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -11,6 +11,7 @@ description: >
 domain: cybersecurity
 subdomain: ransomware-defense
 tags: [ransomware, incident-response, tabletop-exercise, defense, preparedness]
+mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -8,6 +8,7 @@ description: >
 domain: cybersecurity
 subdomain: soc-operations
 tags: [soc, tabletop, exercise, incident-response, training, nist, playbook-validation]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Perform comprehensive Windows forensic artifact analysis using Eric
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [eric-zimmerman, ez-tools, kape, mftecmd, pecmd, lecmd, jlecmd, registry-forensics, windows-forensics, timeline-explorer, dfir, artifact-analysis]
+mitre_attack: ["T1190", "T1059", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -11,6 +11,7 @@ description: >
 domain: cybersecurity
 subdomain: ransomware-defense
 tags: [ransomware, recovery, incident-response, backup, defense]
+mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -4,6 +4,7 @@ description: Classify and prioritize security incidents using structured IR play
 domain: cybersecurity
 subdomain: incident-response
 tags: [incident-response, triage, playbook, severity-classification, soc]
+mitre_attack: ["T1190", "T1566", "T1078"]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
@@ -10,6 +10,7 @@ description: >
 domain: cybersecurity
 subdomain: incident-response
 tags: [incident-triage, NIST-800-61, SANS-PICERL, severity-classification, SOC-operations]
+mitre_attack: ["T1190", "T1566", "T1078", "T1059"]
 version: 1.0.0
 author: mahipal
 license: Apache-2.0