Add MITRE Fight Fraud Framework (F3 v1.1) mappings to fraud-relevant skills

- Add mitre_f3 frontmatter block to 94 fraud-relevant skills (phishing,
  account takeover, banking malware, BEC, identity/KYC, payment/card fraud,
  money-mule/cash-out, ransomware extortion, DFIR, threat intel)
- Map each skill to F3 v1.1 tactics + precise technique IDs, including the
  two F3-specific tactics ATT&CK lacks: Positioning (FA0001) and
  Monetization (FA0002)
- All 123 F3 v1.1 technique IDs validated against the upstream STIX bundle
  (github.com/center-for-threat-informed-defense/fight-fraud-framework):
  0 invalid IDs, 0 invalid tactics, 0 name mismatches, no placeholder IDs
- mitre_f3 kept as a separate block from mitre_attack (F3 redefines several
  ATT&CK tactics for the fraud context)
- Add docs/mitre-f3-mapping.md schema reference
- Update README: F3 as the 6th framework, dedicated F3 section + badge
mukul975
2026-06-20 16:04:49 +02:00
parent 04450304b1
commit 886658219f
96 changed files with 2625 additions and 7 deletions
+21 -7
@@ -37,11 +37,11 @@
A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. **Your AI agent doesn't — unless you give it these skills.**
This repo contains **754 structured cybersecurity skills** spanning **26 security domains**, each following the [agentskills.io](https://agentskills.io) open standard. Every skill is mapped to **five industry frameworks** — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF — making this the only open-source skills library with unified cross-framework coverage. Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.
This repo contains **754 structured cybersecurity skills** spanning **26 security domains**, each following the [agentskills.io](https://agentskills.io) open standard. Every skill is mapped to **six industry frameworks** — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework (F3) — making this the only open-source skills library with unified cross-framework coverage. Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.
## Five frameworks, one skill library
## Six frameworks, one skill library
No other open-source skills library maps every skill to all five frameworks. One skill, five compliance checkboxes.
No other open-source skills library maps every skill to all of these frameworks. One skill, six compliance checkboxes.
| Framework | Version | Scope in this repo | What it maps |
|---|---|---|---|
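Review bot: The rewritten intro sentence and the tagline under "Six frameworks, one skill library" overstate coverage. "Every skill is mapped to six industry frameworks" and "One skill, six compliance checkboxes" do not hold when the F3 row in the framework table scopes F3 to 94 fraud-relevant skills out of 754. Suggest wording along the lines of "every skill is mapped to five frameworks, and fraud-relevant skills are additionally mapped to MITRE F3", and adjusting the "No other open-source skills library maps every skill to all of these frameworks" line to match.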
@@ -50,12 +50,26 @@ No other open-source skills library maps every skill to all five frameworks. On
| [MITRE ATLAS](https://atlas.mitre.org) | v5.4 | 16 tactics · 84 techniques | AI/ML adversarial threats |
| [MITRE D3FEND](https://d3fend.mitre.org) | v1.3 | 7 categories · 267 techniques | Defensive countermeasures |
| [NIST AI RMF](https://airc.nist.gov/AI_RMF) | 1.0 | 4 functions · 72 subcategories | AI risk management |
| [MITRE F3 (Fight Fraud Framework)](https://ctid.mitre.org/fraud/) | v1.1 (2026-04-09) | 8 tactics · 123 techniques · 94 fraud-relevant skills | Cyber-enabled financial fraud TTPs |
**Example — a single skill maps across all five:**
**Example — a single skill maps across all six:**
| Skill | ATT&CK | NIST CSF | ATLAS | D3FEND | AI RMF |
|---|---|---|---|---|---|
| `analyzing-network-traffic-of-malware` | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 |
| Skill | ATT&CK | NIST CSF | ATLAS | D3FEND | AI RMF | F3 |
|---|---|---|---|---|---|---|
| `analyzing-network-traffic-of-malware` | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 | — |
| `detecting-business-email-compromise` | T1566 | DE.AE | — | — | — | F1005.006 · monetization |
### 🆕 MITRE Fight Fraud Framework (F3) — 94 fraud-relevant skills
[![MITRE F3](https://img.shields.io/badge/MITRE-F3_v1.1-blue?style=flat-square)](https://ctid.mitre.org/fraud/)
The **[MITRE Fight Fraud Framework (F3)](https://ctid.mitre.org/fraud/)** was released **April 9, 2026** by MITRE's Center for Threat-Informed Defense (CTID), co-developed with JPMorganChase, Citigroup, Lloyds Banking Group, Standard Chartered, CrowdStrike, Verizon Business, FS-ISAC, and others. It is an ATT&CK-compatible TTP catalog for **cyber-enabled financial fraud** — filling the gap ATT&CK leaves after initial compromise.
F3 v1.1 adds **two fraud-specific tactics** that ATT&CK does not enumerate:
- **Positioning** (`FA0001`) — actions taken after access to collect/manipulate data and prepare the fraud (synthetic-identity seeding, account warming, beneficiary setup, SIM-swap pre-positioning, banking-session hijack).
- **Monetization** (`FA0002`) — converting stolen assets into usable funds (money-mule layering, APP fraud, crypto off-ramping, card cash-out, refund/chargeback abuse).
Fraud-specific techniques use `F1XXX` IDs (e.g. `F1005.003` Add Beneficiary, `F1025.003` Wire Transfer, `F1007` Adversary-in-the-Browser); reused ATT&CK techniques keep their `T1XXX` IDs. Mappings live in each skill's `mitre_f3:` frontmatter block — all 123 F3 v1.1 technique IDs were verified against the upstream STIX bundle. See [`docs/mitre-f3-mapping.md`](docs/mitre-f3-mapping.md) for the schema.
### MITRE ATT&CK v19.1 — 754/754 skills mapped
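Review bot: In the example table, the `detecting-business-email-compromise` row gives the F3 cell as `F1005.006 · monetization`, but the frontmatter added for that skill in this same commit maps `F1005.006` ('Account Manipulation: Change of Payment Details') to `tactic: positioning`; the monetization entry there is `F1025.003`. Pair the ID with the tactic it is actually mapped to. That row also shows a dash for ATLAS, D3FEND and AI RMF, and the other row shows a dash for F3, so neither supports the caption "a single skill maps across all six"; reword the caption or pick a skill that carries all six mappings.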
+93
@@ -0,0 +1,93 @@
# MITRE Fight Fraud Framework (F3) — Mapping Schema
This repository maps fraud-relevant skills to the **MITRE Fight Fraud Framework (F3)**,
released April 9, 2026 by MITRE's Center for Threat-Informed Defense (CTID). F3 is an
ATT&CK-compatible TTP catalog for cyber-enabled financial fraud.
- Upstream project: <https://ctid.mitre.org/fraud/>
- Source repo: <https://github.com/center-for-threat-informed-defense/fight-fraud-framework>
- License: Apache-2.0
- Mapped version in this repo: **F3 v1.1**
## Why F3 in addition to ATT&CK
ATT&CK collapses post-compromise fraud into the single `T1657` (Financial Theft)
technique. F3 decomposes the "how a cyber intrusion becomes a financial loss" stages
into two dedicated tactics that ATT&CK does not have:
- **Positioning** (`FA0001`) — after access, collect/manipulate data and prepare the fraud.
- **Monetization** (`FA0002`) — convert stolen assets into usable funds.
So `mitre_attack` answers "how did the adversary get in / operate technically" and
`mitre_f3` answers "how did that turn into money." They are kept as **separate
frontmatter blocks** because F3 redefines several ATT&CK tactics for the fraud context.
## The 8 F3 v1.1 tactics
| Tactic slug | F3 ID | Origin |
|---|---|---|
| `reconnaissance` | TA0043 | ATT&CK (redefined) |
| `resource-development` | TA0042 | ATT&CK (redefined) |
| `initial-access` | TA0001 | ATT&CK (redefined) |
| `stealth` | TA0005 | ATT&CK (redefined) |
| `positioning` | **FA0001** | **F3-new** |
| `execution` | TA0002 | ATT&CK (redefined) |
| `monetization` | **FA0002** | **F3-new** |
| `defense-impairment` | TA0112 | ATT&CK (redefined) |
## Technique ID conventions
- **`F1XXX`** — fraud-specific techniques introduced by F3 (e.g. `F1005.003`
Account Manipulation: Add Beneficiary, `F1025.003` Electronic Funds Transfer:
Wire Transfer, `F1018` Convert to Cryptocurrency).
- **`T1XXX`** — ATT&CK techniques reused verbatim inside F3 (e.g. `T1566` Phishing,
`T1586` Compromise Accounts, `T1557` Adversary-in-the-Middle).
- Sub-techniques use ATT&CK dot notation (`F1005.003`, `T1566.002`).
Every ID used in this repo is a real, active technique present in the F3 v1.1 STIX
bundle — there are no `TBD`/placeholder IDs.
## Frontmatter schema
The `mitre_f3` block sits alongside the existing `mitre_attack` block:
```yaml
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
techniques:
- id: F1005.003
name: 'Account Manipulation: Add Beneficiary'
tactic: positioning
source: f3 # F-prefixed = fraud-specific
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack # T-prefixed = reused ATT&CK
```
Rules:
1. `id` must be a real F3 v1.1 technique ID.
2. `name` must match the technique's official name in the F3 catalog.
3. `tactic` must be one the technique actually lists in the catalog.
4. `source` is `f3` for `F1XXX` IDs and `attack` for `T1XXX` IDs.
## Scope
F3 mappings are applied only to **fraud-relevant skills** — phishing/social
engineering, account takeover, banking malware/stealers, BEC, identity/KYC,
payment/card fraud, money-mule/cash-out, ransomware extortion, and the cross-cutting
DFIR and threat-intelligence skills. Skills with no fraud dimension do not carry an
`mitre_f3` block.
## Regenerating / verifying the catalog
```bash
git clone --depth 1 https://github.com/center-for-threat-informed-defense/fight-fraud-framework
# technique catalog is the STIX bundle:
# fight-fraud-framework/public/f3-stix-v1.1.json
```
All `mitre_f3` IDs in this repo are validated against that bundle on every update.
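Review bot: The "Rules" list constrains each technique entry but says nothing about the block-level `tactics:` list, and several skill files in this commit are inconsistent as a result: some declare a tactic that no technique uses, others use a `tactic` that is not declared. Add a rule that `tactics` must equal the set of `tactic` values under `techniques`, and have the validator enforce it. Separately, "Regenerating / verifying the catalog" only clones the upstream repo and names the bundle path in comments; since the closing line claims validation "on every update", document the actual check (script path or command) so the claim can be reproduced.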
@@ -30,6 +30,33 @@ mitre_attack:
- T1566.002
- T1608.005
- T1596.003
mitre_f3:
version: '1.1'
tactics:
- resource-development
- reconnaissance
- initial-access
techniques:
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
---
# Analyzing Certificate Transparency for Phishing
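Review bot: The `T1660` / `Phishing` entry does not line up with the rest of the change. The existing `mitre_attack` context in this file uses `T1566.002`, and docs/mitre-f3-mapping.md gives `T1566` Phishing as its example of an ATT&CK ID reused inside F3, yet the `mitre_f3` blocks in this commit use `T1660` for Phishing. Please confirm which ID the F3 v1.1 bundle carries for Phishing and align either the docs example or the mappings.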
@@ -26,6 +26,38 @@ mitre_attack:
- T1566.001
- T1566.002
- T1598.003
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- stealth
- resource-development
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
---
# Analyzing Email Headers for Phishing Investigation
@@ -34,6 +34,29 @@ mitre_attack:
- T1105
- T1041
- T1567
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
---
# Analyzing Indicators of Compromise
@@ -29,6 +29,29 @@ mitre_attack:
- T1059.004
- T1620
- T1574.006
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
- reconnaissance
techniques:
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
---
# Analyzing Linux ELF Malware
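Review bot: The monetization entries (`F1018` Convert to Cryptocurrency, `F1047` Transfer of funds) have no visible basis in this skill: the surrounding `mitre_attack` context is `T1059.004`, `T1620` and `T1574.006`, and the skill is ELF malware analysis. The schema doc states that skills with no fraud dimension do not carry a `mitre_f3` block, so either state in the skill body what ties it to cash-out activity or trim the block to the techniques the skill actually covers.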
@@ -28,6 +28,24 @@ mitre_attack:
- T1573.001
- T1573.002
- T1027
mitre_f3:
version: '1.1'
tactics:
- monetization
- positioning
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
---
# Analyzing Ransomware Encryption Mechanisms
@@ -27,6 +27,28 @@ mitre_attack:
- T1486
- T1567.002
- T1591
mitre_f3:
version: '1.1'
tactics:
- monetization
- reconnaissance
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1029
name: Gather Customer Information
tactic: reconnaissance
source: f3
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: F1025.003
name: 'Electronic Funds Transfer: Wire Transfer'
tactic: monetization
source: f3
---
# Analyzing Ransomware Leak Site Intelligence
@@ -33,6 +33,24 @@ mitre_attack:
- T1048
- T1567.002
- T1486
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
techniques:
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
---
# Analyzing Ransomware Network Indicators
@@ -28,6 +28,32 @@ nist_csf:
mitre_attack:
- T1657
- T1486
mitre_f3:
version: '1.1'
tactics:
- monetization
- stealth
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1017
name: Conversion to Physical Monetary Instruments
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: F1045
name: Structuring
tactic: stealth
source: f3
---
# Analyzing Ransomware Payment Wallets
@@ -31,6 +31,33 @@ mitre_attack:
- T1566.002
- T1598.003
- T1583.006
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1660
name: Phishing
tactic: initial-access
source: attack
---
# Analyzing TLS Certificate Transparency Logs
@@ -30,6 +30,33 @@ mitre_attack:
- T1566.002
- T1598.003
- T1583.006
mitre_f3:
version: '1.1'
tactics:
- resource-development
- reconnaissance
- initial-access
techniques:
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
---
# Analyzing Typosquatting Domains with DNSTwist
@@ -29,6 +29,29 @@ mitre_attack:
- T1611
- T1613
- T1078.004
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- defense-impairment
techniques:
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: positioning
source: f3
- id: T1531
name: Account Access Removal
tactic: positioning
source: attack
---
# Auditing Kubernetes Cluster RBAC
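Review bot: `defense-impairment` is declared under `tactics:` but none of the four techniques uses it (`F1033` is initial-access; `F1005`, `F1005.002` and `T1531` are positioning). Either drop `defense-impairment` from the list or add the technique that was meant to sit under it.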
@@ -28,6 +28,32 @@ mitre_attack:
- T1484.002
- T1078.004
- T1110.003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: T1110.003
name: 'Brute Force: Password Spraying'
tactic: initial-access
source: attack
- id: T1550
name: Use Alternate Authentication Material
tactic: initial-access
source: attack
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
---
# Building Identity Federation with SAML Azure AD
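Review bot: `positioning` is listed under `tactics:` while all five techniques in this block carry `tactic: initial-access`. Remove `positioning`, or add the positioning technique that was intended, so the summary list matches the entries.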
@@ -34,6 +34,33 @@ mitre_attack:
- T1078
- T1531
- T1087
mitre_f3:
version: '1.1'
tactics:
- positioning
- defense-impairment
- initial-access
techniques:
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: positioning
source: f3
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
- id: F1042
name: Reactivate Account
tactic: positioning
source: f3
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
---
# Building Identity Governance Lifecycle Process
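Review bot: The `tactics:` list includes `defense-impairment`, but the techniques here only use `positioning` (`F1005`, `F1005.002`, `F1042`) and `initial-access` (`F1033`, `F1006`). Drop the unused tactic or map a technique to it.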
@@ -19,6 +19,30 @@ mitre_attack:
- T1598.003
- T1204.001
- T1534
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
- stealth
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -30,6 +30,28 @@ mitre_attack:
- T1489
- T1078
- T1021.002
mitre_f3:
version: '1.1'
tactics:
- initial-access
- monetization
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
---
# Building Ransomware Playbook with CISA Framework
@@ -23,6 +23,28 @@ mitre_attack:
- T1489
- T1566
- T1059.001
mitre_f3:
version: '1.1'
tactics:
- initial-access
- monetization
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -23,6 +23,38 @@ mitre_attack:
- T1204.001
- T1114
- T1056.003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- reconnaissance
- resource-development
- positioning
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1557
name: Adversary-in-the-Middle
tactic: positioning
source: attack
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -35,6 +35,37 @@ mitre_attack:
- T1566.004
- T1204.001
- T1589
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- resource-development
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: F1029
name: Gather Customer Information
tactic: reconnaissance
source: f3
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: T1557
name: Adversary-in-the-Middle
tactic: initial-access
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
---
# Conducting Social Engineering Penetration Test
@@ -38,6 +38,37 @@ mitre_attack:
- T1589
- T1591
- T1598
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- stealth
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: F1034
name: Interactive Voice Response Mapping
tactic: reconnaissance
source: f3
- id: F1029
name: Gather Customer Information
tactic: reconnaissance
source: f3
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1040
name: Phone Number Spoofing
tactic: stealth
source: f3
- id: F1040.002
name: 'Phone Number Spoofing: Official Phone Number Spoofing'
tactic: stealth
source: f3
---
# Conducting Social Engineering Pretext Call
@@ -33,6 +33,37 @@ mitre_attack:
- T1598.002
- T1204.002
- T1204.001
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1585
name: Establish Accounts
tactic: resource-development
source: attack
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
---
# Conducting Spearphishing Simulation Campaign
@@ -28,6 +28,28 @@ mitre_attack:
- T1078.004
- T1133
- T1021.007
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
---
# Configuring Identity-Aware Proxy with Google IAP
@@ -26,6 +26,28 @@ mitre_attack:
- T1557.001
- T1040
- T1078.002
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: T1110.003
name: 'Brute Force: Password Spraying'
tactic: initial-access
source: attack
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: T1557
name: Adversary-in-the-Middle
tactic: positioning
source: attack
---
# Configuring LDAP Security Hardening
@@ -28,6 +28,28 @@ mitre_attack:
- T1539
- T1606.001
- T1212
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
---
# Configuring OAuth 2.0 Authorization Flow
@@ -30,6 +30,29 @@ mitre_attack:
- T1083
- T1490
- T1485
mitre_f3:
version: '1.1'
tactics:
- monetization
- positioning
- stealth
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: T1070
name: Indicator Removal
tactic: stealth
source: attack
---
# Deploying Decoy Files for Ransomware Detection
@@ -32,6 +32,23 @@ mitre_attack:
- T1083
- T1490
- T1485
mitre_f3:
version: '1.1'
tactics:
- monetization
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1017
name: Conversion to Physical Monetary Instruments
tactic: monetization
source: f3
- id: F1025.003
name: 'Electronic Funds Transfer: Wire Transfer'
tactic: monetization
source: f3
---
# Deploying Ransomware Canary Files
@@ -37,6 +37,32 @@ mitre_attack:
- T1110.004
- T1078
- T1021
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: T1110.003
name: 'Brute Force: Password Spraying'
tactic: initial-access
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
---
# Detecting Anomalous Authentication Patterns
@@ -26,6 +26,33 @@ mitre_attack:
- T1538
- T1098.001
- T1526
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- defense-impairment
techniques:
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: T1586.003
name: 'Compromise Accounts: Cloud Accounts'
tactic: resource-development
source: attack
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: positioning
source: f3
- id: F1005.001
name: 'Account Manipulation: Account Linking'
tactic: defense-impairment
source: f3
---
# Detecting AWS CloudTrail Anomalies
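Review bot: `T1586.003` is mapped with `tactic: resource-development`, but `resource-development` is missing from this block's `tactics:` list (it has initial-access, positioning, defense-impairment). Add it to the list so a consumer that filters on `tactics` does not miss this technique.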
@@ -27,6 +27,32 @@ mitre_attack:
- T1552
- T1078.004
- T1589.001
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
techniques:
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
---
# Detecting AWS Credential Exposure with TruffleHog
@@ -44,6 +44,38 @@ mitre_attack:
- T1114.002
- T1657
- T1078.004
mitre_f3:
version: '1.1'
tactics:
- initial-access
- stealth
- positioning
- monetization
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1005.006
name: 'Account Manipulation: Change of Payment Details'
tactic: positioning
source: f3
- id: F1022
name: Delete Relevant Emails
tactic: stealth
source: f3
- id: F1025.003
name: 'Electronic Funds Transfer: Wire Transfer'
tactic: monetization
source: f3
---
# Detecting Business Email Compromise with AI
@@ -39,6 +39,38 @@ mitre_attack:
- T1114.002
- T1657
- T1078.004
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- monetization
- stealth
techniques:
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1036
name: New Vendor Setup
tactic: positioning
source: f3
- id: F1005.006
name: 'Account Manipulation: Change of Payment Details'
tactic: positioning
source: f3
- id: F1025.003
name: 'Electronic Funds Transfer: Wire Transfer'
tactic: monetization
source: f3
- id: F1022
name: Delete Relevant Emails
tactic: stealth
source: f3
---
# Detecting Business Email Compromise
@@ -29,6 +29,33 @@ mitre_attack:
- T1537
- T1580
- T1003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- defense-impairment
techniques:
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: T1586.003
name: 'Compromise Accounts: Cloud Accounts'
tactic: resource-development
source: attack
- id: F1005
name: Account Manipulation
tactic: defense-impairment
source: f3
---
# Detecting Compromised Cloud Credentials
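Review bot: The `tactics:` list and the technique entries disagree in both directions here. `positioning` is declared but no technique uses it, and `T1586.003` uses `resource-development`, which is not declared. Also worth a second look: `F1005` Account Manipulation is tagged `defense-impairment` in this file but `positioning` in the other skills that use it; if that is intentional under rule 3 of the schema, fine, otherwise align it.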
@@ -32,6 +32,33 @@ mitre_attack:
- T1059
- T1003
- T1110
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- positioning
- initial-access
techniques:
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: T1555.003
name: 'Credentials from Password Stores: Credentials from Web Browsers'
tactic: reconnaissance
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: T1110.002
name: 'Brute Force: Password Cracking'
tactic: initial-access
source: attack
---
# Detecting Credential Dumping Techniques
@@ -29,6 +29,29 @@ mitre_attack:
- T1537
- T1580
- T1071
mitre_f3:
version: '1.1'
tactics:
- initial-access
- resource-development
- monetization
techniques:
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: T1586.003
name: 'Compromise Accounts: Cloud Accounts'
tactic: resource-development
source: attack
- id: T1583.003
name: 'Acquire Infrastructure: Virtual Private Network or Server'
tactic: resource-development
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
---
# Detecting Cryptomining in Cloud
@@ -47,6 +47,34 @@ mitre_attack:
- T1059
- T1566
- T1598
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- stealth
- monetization
techniques:
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1031
name: Impersonate Account Holder
tactic: initial-access
source: f3
- id: F1040
name: Phone Number Spoofing
tactic: stealth
source: f3
- id: F1034
name: Interactive Voice Response Mapping
tactic: reconnaissance
source: f3
- id: F1025.003
name: 'Electronic Funds Transfer: Wire Transfer'
tactic: monetization
source: f3
---
# Detecting Deepfake Audio in Vishing Attacks
@@ -31,6 +31,33 @@ mitre_attack:
- T1036
- T1078
- T1003
mitre_f3:
version: '1.1'
tactics:
- positioning
- execution
- initial-access
techniques:
- id: T1453
name: Abuse Accessibility Features
tactic: positioning
source: attack
- id: F1003
name: Abuse SMS verification
tactic: execution
source: f3
- id: T1113
name: Screen Capture
tactic: positioning
source: attack
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: F1002.001
name: 'Abuse of Public-Facing API: Mobile API Abuse'
tactic: positioning
source: f3
---
# Detecting Mobile Malware Behavior
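Review bot: `initial-access` appears under `tactics:` but no technique in this block uses it; the entries are four `positioning` techniques and `F1003` under `execution`. Remove `initial-access` or add the initial-access technique the skill is meant to cover.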
@@ -32,6 +32,36 @@ mitre_attack:
- T1530
- T1537
- T1580
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: T1557
name: Adversary-in-the-Middle
tactic: initial-access
source: attack
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: T1185
name: Browser Session Hijacking
tactic: positioning
source: attack
---
# Detecting OAuth Token Theft
@@ -33,6 +33,33 @@ mitre_attack:
- T1534
- T1036
- T1027
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
---
# Detecting QR Code Phishing with Email Security
@@ -31,6 +31,29 @@ mitre_attack:
- T1059
- T1486
- T1490
mitre_f3:
version: '1.1'
tactics:
- monetization
- positioning
- stealth
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: T1070
name: Indicator Removal
tactic: stealth
source: attack
---
# Detecting Ransomware Encryption Behavior
@@ -32,6 +32,29 @@ mitre_attack:
- T1059
- T1003
- T1110
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- monetization
techniques:
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: T1650
name: Acquire Access
tactic: resource-development
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
---
# Detecting Ransomware Precursors in Network Traffic
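Review bot: T1650 (Acquire Access) is tagged `tactic: resource-development`, but the `tactics:` list in this block declares only initial-access, positioning and monetization. Add `resource-development` to the list or drop the entry so the summary list and the per-technique values agree. The validation quoted in the commit message covers IDs, tactic names and technique names; a check that the `tactics:` list equals the set of per-technique `tactic:` values would catch this class of mismatch.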
@@ -26,6 +26,38 @@ mitre_attack:
- T1566.002
- T1204.001
- T1204.002
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- stealth
- resource-development
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1031
name: Impersonate Account Holder
tactic: initial-access
source: f3
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
---
# Detecting Spearphishing with Email Gateway
@@ -33,6 +33,33 @@ mitre_attack:
- T1003.002
- T1003.003
- T1003.006
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- positioning
- initial-access
techniques:
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: T1555.003
name: 'Credentials from Password Stores: Credentials from Web Browsers'
tactic: reconnaissance
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
---
# Detecting T1003 Credential Dumping with EDR
@@ -31,6 +31,38 @@ mitre_attack:
- T1059
- T1078
- T1003
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
- positioning
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: T1557
name: Adversary-in-the-Middle
tactic: initial-access
source: attack
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
---
# Executing Phishing Simulation Campaign
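Review bot: `positioning` is declared under `tactics:` but none of the six techniques carries `tactic: positioning`. T1557 (Adversary-in-the-Middle) is filed under initial-access here, while the Browser Isolation and Cryptographic Audit blocks in this same diff file it under positioning. Pick one tactic for T1557, or document in docs/mitre-f3-mapping.md that both are valid and how to choose, then make the `tactics:` list match the entries.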
@@ -18,6 +18,37 @@ mitre_attack:
- T1119
- T1070
- T1003
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- positioning
- initial-access
techniques:
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: T1555.003
name: 'Credentials from Password Stores: Credentials from Web Browsers'
tactic: reconnaissance
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -30,6 +30,28 @@ mitre_attack:
- T1059
- T1003
- T1110
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: T1110.003
name: 'Brute Force: Password Spraying'
tactic: initial-access
source: attack
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
---
# Hunting Credential Stuffing Attacks
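Review bot: `positioning` appears in `tactics:` but all four techniques are tagged `tactic: initial-access`. Remove `positioning` or add the positioning technique that was intended; as written, anything that filters skills by the `tactics:` list would return this skill for positioning with no technique behind it.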
@@ -32,6 +32,33 @@ mitre_attack:
- T1082
- T1083
- T1566
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- resource-development
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: F1031
name: Impersonate Account Holder
tactic: initial-access
source: f3
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
---
# Hunting For Spearphishing Indicators
@@ -26,6 +26,33 @@ mitre_attack:
- T1598
- T1534
- T1036
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- stealth
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1031
name: Impersonate Account Holder
tactic: initial-access
source: f3
---
# Implementing Anti-Phishing Training Program
@@ -31,6 +31,29 @@ mitre_attack:
- T1059
- T1486
- T1490
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- monetization
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: T1531
name: Account Access Removal
tactic: positioning
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
---
# Implementing Anti-Ransomware Group Policy
@@ -26,6 +26,29 @@ mitre_attack:
- T1110
- T1556
- T1098
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- defense-impairment
techniques:
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: T1110.003
name: 'Brute Force: Password Spraying'
tactic: initial-access
source: attack
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: defense-impairment
source: f3
---
# Implementing Azure AD Privileged Identity Management
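Review bot: F1005.002 (Account Manipulation: Add Authorized User) is tagged `tactic: defense-impairment` here, while its parent F1005 directly above is positioning and the SailPoint, CyberArk and SCIM blocks in this diff tag the same sub-technique as positioning. If F1005.002 sits under both tactics upstream, state that and the selection rule in docs/mitre-f3-mapping.md; otherwise align this entry with the others.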
@@ -33,6 +33,37 @@ mitre_attack:
- T1557
- T1071
- T1003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- execution
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1557
name: Adversary-in-the-Middle
tactic: positioning
source: attack
- id: T1185
name: Browser Session Hijacking
tactic: positioning
source: attack
- id: F1007
name: Adversary-in-the-Browser
tactic: positioning
source: f3
- id: F1007.002
name: 'Adversary-in-the-Browser: Malicious Browser Extension'
tactic: positioning
source: f3
- id: F1007.003
name: 'Adversary-in-the-Browser: Malicious JavaScript Injection'
tactic: execution
source: f3
---
# Implementing Browser Isolation for Zero Trust
@@ -30,6 +30,33 @@ mitre_attack:
- T1556
- T1098
- T1003
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- positioning
techniques:
- id: T1555.005
name: 'Credentials from Password Stores: Password Managers'
tactic: reconnaissance
source: attack
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
---
# Implementing Delinea Secret Server for PAM
@@ -31,6 +31,33 @@ mitre_attack:
- T1556
- T1098
- T1566
mitre_f3:
version: '1.1'
tactics:
- initial-access
- stealth
- positioning
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
---
# Implementing Google Workspace Admin Security
@@ -27,6 +27,38 @@ mitre_attack:
- T1534
- T1036
- T1027
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
- stealth
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1031
name: Impersonate Account Holder
tactic: initial-access
source: f3
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
---
# Implementing Google Workspace Phishing Protection
@@ -25,6 +25,32 @@ mitre_attack:
- T1110
- T1556
- T1098
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
---
# Implementing Google Workspace SSO Configuration
@@ -30,6 +30,38 @@ mitre_attack:
- T1556
- T1098
- T1003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- stealth
- resource-development
techniques:
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: F1005.004
name: 'Account Manipulation: Change Account Details'
tactic: positioning
source: f3
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
---
# Implementing HashiCorp Vault Dynamic Secrets
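Review bot: the `tactics:` list and the technique entries disagree in both directions. T1555 (Credentials from Password Stores) is tagged `tactic: reconnaissance`, which is not declared, and `stealth` is declared but no technique uses it. Replace `stealth` with `reconnaissance`, or add the stealth technique that was meant to be here.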
@@ -38,6 +38,34 @@ mitre_attack:
- T1059
- T1486
- T1490
mitre_f3:
version: '1.1'
tactics:
- positioning
- initial-access
- monetization
- resource-development
techniques:
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
---
# Implementing Honeypot for Ransomware Detection
@@ -26,6 +26,33 @@ mitre_attack:
- T1110
- T1556
- T1098
mitre_f3:
version: '1.1'
tactics:
- positioning
- initial-access
- defense-impairment
techniques:
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: positioning
source: f3
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
- id: F1042
name: Reactivate Account
tactic: positioning
source: f3
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
---
# Implementing Identity Governance with SailPoint
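Review bot: `defense-impairment` is listed under `tactics:` but the five techniques are all positioning or initial-access. In the Azure AD PIM block F1005.002 is the entry that carries defense-impairment, whereas here it is positioning, so the list and the tag have drifted apart. Either retag the entry that was meant to be defense-impairment or remove the tactic from the list.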
@@ -31,6 +31,37 @@ mitre_attack:
- T1059
- T1566
- T1598
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- reconnaissance
techniques:
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: T1111
name: Multi-Factor Authentication Interception
tactic: initial-access
source: attack
- id: T1557
name: Adversary-in-the-Middle
tactic: initial-access
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
---
# Implementing Identity Verification for Zero Trust
@@ -26,6 +26,34 @@ mitre_attack:
- T1598
- T1534
- T1036
mitre_f3:
version: '1.1'
tactics:
- initial-access
- reconnaissance
- stealth
- resource-development
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
---
# Implementing Mimecast Targeted Attack Protection
@@ -27,6 +27,33 @@ mitre_attack:
- T1556
- T1098
- T1003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- resource-development
techniques:
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
- id: F1005.004
name: 'Account Manipulation: Change Account Details'
tactic: positioning
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
---
# Implementing PAM for Database Access
@@ -30,6 +30,35 @@ mitre_attack:
- T1556
- T1098
- T1566
mitre_f3:
version: '1.1'
tactics:
- initial-access
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1557
name: Adversary-in-the-Middle
tactic: initial-access
source: attack
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: T1111
name: Multi-Factor Authentication Interception
tactic: initial-access
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
---
# Implementing Passwordless Auth with Microsoft Entra
@@ -26,6 +26,33 @@ mitre_attack:
- T1556
- T1098
- T1003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- resource-development
techniques:
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: positioning
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
---
# Implementing Privileged Access Management with CyberArk
@@ -28,6 +28,38 @@ mitre_attack:
- T1534
- T1036
- T1027
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- stealth
- positioning
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: F1029
name: Gather Customer Information
tactic: reconnaissance
source: f3
- id: F1005.006
name: 'Account Manipulation: Change of Payment Details'
tactic: positioning
source: f3
---
# Implementing Proofpoint Email Security Gateway
@@ -42,6 +42,28 @@ mitre_attack:
- T1059
- T1003
- T1110
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
techniques:
- id: T1531
name: Account Access Removal
tactic: positioning
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
---
# Implementing Ransomware Backup Strategy
@@ -31,6 +31,28 @@ mitre_attack:
- T1059
- T1486
- T1490
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
techniques:
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1017
name: Conversion to Physical Monetary Instruments
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
---
# Implementing Ransomware Kill Switch Detection
@@ -27,6 +27,33 @@ mitre_attack:
- T1556
- T1098
- T1553
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- resource-development
techniques:
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
- id: F1006.003
name: 'Account Takeover: Password Reset'
tactic: initial-access
source: f3
---
# Implementing SAML SSO with Okta
@@ -25,6 +25,33 @@ mitre_attack:
- T1110
- T1556
- T1098
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- resource-development
techniques:
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: positioning
source: f3
- id: F1005.004
name: 'Account Manipulation: Change Account Details'
tactic: positioning
source: f3
- id: F1042
name: Reactivate Account
tactic: positioning
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
---
# Implementing SCIM Provisioning with Okta
@@ -36,6 +36,33 @@ mitre_attack:
- T1059
- T1610
- T1611
mitre_f3:
version: '1.1'
tactics:
- resource-development
- initial-access
- stealth
techniques:
- id: T1195
name: Supply Chain Compromise
tactic: initial-access
source: attack
- id: T1608
name: Stage Capabilities
tactic: resource-development
source: attack
- id: T1608.006
name: 'Stage Capabilities: SEO Poisoning'
tactic: resource-development
source: attack
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: T1070
name: Indicator Removal
tactic: stealth
source: attack
---
# Implementing Sigstore for Software Signing
@@ -23,6 +23,34 @@ mitre_attack:
- T1059
- T1566
- T1598
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
- stealth
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
---
@@ -28,6 +28,33 @@ mitre_attack:
- T1059
- T1003
- T1110
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- resource-development
techniques:
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
---
# Implementing Zero Trust with HashiCorp Boundary
@@ -23,6 +23,39 @@ mitre_attack:
- T1685.005
- T1566
- T1598
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
- stealth
- positioning
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -25,6 +25,33 @@ mitre_attack:
- T1119
- T1070
- T1486
mitre_f3:
version: '1.1'
tactics:
- initial-access
- stealth
- monetization
techniques:
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1070
name: Indicator Removal
tactic: stealth
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
---
# Investigating Ransomware Attack Artifacts
@@ -29,6 +29,36 @@ mitre_attack:
- T1537
- T1580
- T1566
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: T1110.003
name: 'Brute Force: Password Spraying'
tactic: initial-access
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
---
# Managing Cloud Identity with Okta
@@ -41,6 +41,33 @@ mitre_attack:
- T1593
- T1589
- T1003
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
techniques:
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: T1650
name: Acquire Access
tactic: resource-development
source: attack
- id: T1555.003
name: 'Credentials from Password Stores: Credentials from Web Browsers'
tactic: reconnaissance
source: attack
- id: F1029
name: Gather Customer Information
tactic: reconnaissance
source: f3
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
---
# Monitoring Dark Web Sources
@@ -26,6 +26,34 @@ mitre_attack:
- T1556
- T1098
- T1071
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- defense-impairment
- resource-development
techniques:
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: positioning
source: f3
- id: F1005.007
name: 'Account Manipulation: Enable Account Features'
tactic: defense-impairment
source: f3
---
# Performing Access Recertification with Saviynt
@@ -28,6 +28,36 @@ mitre_attack:
- T1534
- T1036
- T1003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: T1557
name: Adversary-in-the-Middle
tactic: initial-access
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: T1185
name: Browser Session Hijacking
tactic: positioning
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
---
# Performing Adversary-in-the-Middle Phishing Detection
@@ -27,6 +27,38 @@ mitre_attack:
- T1593
- T1589
- T1566
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
- stealth
techniques:
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: T1583.008
name: 'Acquire Infrastructure: Malvertising'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
---
# Performing Brand Monitoring for Impersonation
@@ -32,6 +32,37 @@ mitre_attack:
- T1059
- T1078
- T1021
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- positioning
- initial-access
techniques:
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: T1555.003
name: 'Credentials from Password Stores: Credentials from Web Browsers'
tactic: reconnaissance
source: attack
- id: T1555.005
name: 'Credentials from Password Stores: Password Managers'
tactic: reconnaissance
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
---
# Performing Credential Access with LaZagne
@@ -22,6 +22,29 @@ mitre_attack:
- T1600
- T1573
- T1553
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- positioning
techniques:
- id: T1557
name: Adversary-in-the-Middle
tactic: positioning
source: attack
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
---
# Performing Cryptographic Audit of Application
@@ -29,6 +29,34 @@ mitre_attack:
- T1110
- T1556
- T1098
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- defense-impairment
- resource-development
techniques:
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack
- id: F1033
name: Insider Access Abuse
tactic: initial-access
source: f3
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
- id: F1005.002
name: 'Account Manipulation: Add Authorized User'
tactic: positioning
source: f3
- id: F1005.007
name: 'Account Manipulation: Enable Account Features'
tactic: defense-impairment
source: f3
---
# Performing Entitlement Review with SailPoint IdentityIQ
@@ -31,6 +31,32 @@ mitre_attack:
- T1059
- T1003
- T1110
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
techniques:
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: F1029
name: Gather Customer Information
tactic: reconnaissance
source: f3
- id: T1110.001
name: 'Brute Force: Password Guessing'
tactic: initial-access
source: attack
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
---
# Performing Firmware Extraction with Binwalk
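Review bot: the skill is firmware extraction, yet the block maps it to F1029 (Gather Customer Information) and two Account Takeover sub-techniques, and nothing in the visible frontmatter explains the link. Add a short rationale in the skill or in docs/mitre-f3-mapping.md (for example, if the intent is credentials or API keys recovered from firmware images), or trim the mapping to the techniques the skill body actually supports.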
@@ -32,6 +32,41 @@ mitre_attack:
- T1059
- T1078
- T1003
mitre_f3:
version: '1.1'
tactics:
- resource-development
- initial-access
- positioning
techniques:
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1557
name: Adversary-in-the-Middle
tactic: initial-access
source: attack
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: T1111
name: Multi-Factor Authentication Interception
tactic: initial-access
source: attack
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
---
# Performing Initial Access with EvilGinx3
@@ -29,6 +29,37 @@ mitre_attack:
- T1110
- T1556
- T1098
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- stealth
techniques:
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: F1004
name: Access with Stolen Session Cookie
tactic: initial-access
source: f3
- id: F1005.001
name: 'Account Manipulation: Account Linking'
tactic: positioning
source: f3
- id: T1539
name: Steal Web Session Cookie
tactic: positioning
source: attack
- id: F1023
name: Device Fingerprint Spoofing
tactic: stealth
source: f3
---
# Performing OAuth Scope Minimization Review
@@ -27,6 +27,37 @@ mitre_attack:
- T1593
- T1589
- T1003
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
techniques:
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: T1593.002
name: 'Search Open Websites/Domains: Search Engines'
tactic: reconnaissance
source: attack
- id: T1650
name: Acquire Access
tactic: resource-development
source: attack
- id: T1555.003
name: 'Credentials from Password Stores: Credentials from Web Browsers'
tactic: reconnaissance
source: attack
- id: T1110.004
name: 'Brute Force: Credential Stuffing'
tactic: initial-access
source: attack
- id: F1029
name: Gather Customer Information
tactic: reconnaissance
source: f3
---
# Performing Paste Site Monitoring for Credentials
@@ -26,6 +26,37 @@ mitre_attack:
- T1598
- T1534
- T1036
mitre_f3:
version: '1.1'
tactics:
- resource-development
- initial-access
- reconnaissance
techniques:
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: T1557
name: Adversary-in-the-Middle
tactic: initial-access
source: attack
- id: F1031
name: Impersonate Account Holder
tactic: initial-access
source: f3
---
# Performing Phishing Simulation with GoPhish
@@ -22,6 +22,33 @@ mitre_attack:
- T1070
- T1078
- T1489
mitre_f3:
version: '1.1'
tactics:
- monetization
- stealth
- initial-access
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1017
name: Conversion to Physical Monetary Instruments
tactic: monetization
source: f3
- id: F1025.003
name: 'Electronic Funds Transfer: Wire Transfer'
tactic: monetization
source: f3
- id: T1070
name: Indicator Removal
tactic: stealth
source: attack
- id: F1006
name: Account Takeover
tactic: initial-access
source: f3
version: 1.0.0
author: mahipal
license: Apache-2.0
@@ -31,6 +31,28 @@ mitre_attack:
- T1059
- T1486
- T1490
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
techniques:
- id: T1531
name: Account Access Removal
tactic: positioning
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
---
# Performing Ransomware Tabletop Exercise
@@ -28,6 +28,33 @@ mitre_attack:
- T1059
- T1003
- T1110
mitre_f3:
version: '1.1'
tactics:
- resource-development
- reconnaissance
- initial-access
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
---
@@ -26,6 +26,33 @@ mitre_attack:
- T1556
- T1098
- T1003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
- stealth
techniques:
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: T1110
name: Brute Force
tactic: initial-access
source: attack
- id: F1005
name: Account Manipulation
tactic: positioning
source: f3
- id: F1023
name: Device Fingerprint Spoofing
tactic: stealth
source: f3
---
# Performing Service Account Credential Rotation
@@ -31,6 +31,29 @@ mitre_attack:
- T1059
- T1003
- T1110
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
- defense-impairment
techniques:
- id: T1531
name: Account Access Removal
tactic: positioning
source: attack
- id: F1005
name: Account Manipulation
tactic: defense-impairment
source: f3
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
---
# Recovering from Ransomware Attack
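Review bot: F1005 Account Manipulation carries `tactic: defense-impairment` here but `tactic: positioning` in the Performing Service Account Credential Rotation block earlier in this commit. If F3 v1.1 lists F1005 under both tactics, state in the schema doc that `tactic` records the per-skill choice; if it lists only one, align the two entries.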
@@ -34,6 +34,24 @@ mitre_attack:
- T1140
- T1497
- T1486
mitre_f3:
version: '1.1'
tactics:
- monetization
- positioning
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
---
# Reverse Engineering Ransomware Encryption Routine
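Review bot: none of the three entries (F1018, F1047, T1219) describes anything an analyst does or observes while reversing an encryption routine; they cover payment handling and remote access, while the adjacent `mitre_attack` list already carries T1486 for the encryption itself. Either drop the `mitre_f3` block from this skill or keep only entries the skill body actually discusses.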
@@ -28,6 +28,32 @@ mitre_attack:
- T1537
- T1580
- T1003
mitre_f3:
version: '1.1'
tactics:
- initial-access
- positioning
techniques:
- id: F1006.001
name: 'Account Takeover: Exposed API Key'
tactic: initial-access
source: f3
- id: F1006.002
name: 'Account Takeover: Exposed Login Credential'
tactic: initial-access
source: f3
- id: T1550.001
name: 'Use Alternate Authentication Material: Application Access Token'
tactic: initial-access
source: attack
- id: T1110.003
name: 'Brute Force: Password Spraying'
tactic: initial-access
source: attack
- id: F1005.004
name: 'Account Manipulation: Change Account Details'
tactic: positioning
source: f3
---
# Securing AWS IAM Permissions
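Review bot: T1550.001 and T1110.003 are marked `source: attack` but `tactic: initial-access`, and ATT&CK does not list either technique under Initial Access (Brute Force sits under Credential Access). Document in docs/mitre-f3-mapping.md that `tactic` is always the F3 tactic even when `source` is `attack`, so a consumer joining these IDs against ATT&CK data does not read the difference as a data error.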
@@ -27,6 +27,28 @@ mitre_attack:
- T1070
- T1078
- T1489
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
techniques:
- id: T1531
name: Account Access Removal
tactic: positioning
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
---
# Testing Ransomware Recovery Procedures
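Review bot: this `mitre_f3` block (T1531, F1018, F1047, F1017.001) is line-for-line the same as the ones added to Performing Ransomware Tabletop Exercise and Validating Backup Integrity for Recovery, which suggests a template was pasted rather than the skill being mapped. For a recovery-testing skill, keep only the techniques the procedure actually exercises; `F1017.001 'Conversion to Physical Monetary Instruments: Cash'` in particular needs a justification or should go.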
@@ -29,6 +29,36 @@ mitre_attack:
- T1593
- T1589
- T1566
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
techniques:
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: T1583.008
name: 'Acquire Infrastructure: Malvertising'
tactic: resource-development
source: attack
- id: T1583.003
name: 'Acquire Infrastructure: Virtual Private Network or Server'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1608.006
name: 'Stage Capabilities: SEO Poisoning'
tactic: resource-development
source: attack
---
# Tracking Threat Actor Infrastructure
@@ -26,6 +26,28 @@ mitre_attack:
- T1070
- T1078
- T1489
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
techniques:
- id: T1531
name: Account Access Removal
tactic: positioning
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
---
# Validating Backup Integrity for Recovery