diff --git a/README.md b/README.md index b0e34955..c085d55f 100644 --- a/README.md +++ b/README.md @@ -37,11 +37,11 @@ A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. **Your AI agent doesn't — unless you give it these skills.** -This repo contains **754 structured cybersecurity skills** spanning **26 security domains**, each following the [agentskills.io](https://agentskills.io) open standard. Every skill is mapped to **five industry frameworks** — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF — making this the only open-source skills library with unified cross-framework coverage. Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds. +This repo contains **754 structured cybersecurity skills** spanning **26 security domains**, each following the [agentskills.io](https://agentskills.io) open standard. Every skill is mapped to **six industry frameworks** — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework (F3) — making this the only open-source skills library with unified cross-framework coverage. Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds. -## Five frameworks, one skill library +## Six frameworks, one skill library -No other open-source skills library maps every skill to all five frameworks. One skill, five compliance checkboxes. +No other open-source skills library maps every skill to all of these frameworks. One skill, six compliance checkboxes. | Framework | Version | Scope in this repo | What it maps | |---|---|---|---| 
@@ -50,12 +50,26 @@ No other open-source skills library maps every skill to all five frameworks. On | [MITRE ATLAS](https://atlas.mitre.org) | v5.4 | 16 tactics · 84 techniques | AI/ML adversarial threats | | [MITRE D3FEND](https://d3fend.mitre.org) | v1.3 | 7 categories · 267 techniques | Defensive countermeasures | | [NIST AI RMF](https://airc.nist.gov/AI_RMF) | 1.0 | 4 functions · 72 subcategories | AI risk management | +| [MITRE F3 (Fight Fraud Framework)](https://ctid.mitre.org/fraud/) | v1.1 (2026-04-09) | 8 tactics · 123 techniques · 94 fraud-relevant skills | Cyber-enabled financial fraud TTPs | -**Example — a single skill maps across all five:** +**Example — a single skill maps across all six:** -| Skill | ATT&CK | NIST CSF | ATLAS | D3FEND | AI RMF | -|---|---|---|---|---|---| -| `analyzing-network-traffic-of-malware` | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 | +| Skill | ATT&CK | NIST CSF | ATLAS | D3FEND | AI RMF | F3 | +|---|---|---|---|---|---|---| +| `analyzing-network-traffic-of-malware` | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 | — | +| `detecting-business-email-compromise` | T1566 | DE.AE | — | — | — | F1005.006 · monetization | + +### 🆕 MITRE Fight Fraud Framework (F3) — 94 fraud-relevant skills + +[![MITRE F3](https://img.shields.io/badge/MITRE-F3_v1.1-blue?style=flat-square)](https://ctid.mitre.org/fraud/) + +The **[MITRE Fight Fraud Framework (F3)](https://ctid.mitre.org/fraud/)** was released **April 9, 2026** by MITRE's Center for Threat-Informed Defense (CTID), co-developed with JPMorganChase, Citigroup, Lloyds Banking Group, Standard Chartered, CrowdStrike, Verizon Business, FS-ISAC, and others. It is an ATT&CK-compatible TTP catalog for **cyber-enabled financial fraud** — filling the gap ATT&CK leaves after initial compromise. 
+ +F3 v1.1 adds **two fraud-specific tactics** that ATT&CK does not enumerate: +- **Positioning** (`FA0001`) — actions taken after access to collect/manipulate data and prepare the fraud (synthetic-identity seeding, account warming, beneficiary setup, SIM-swap pre-positioning, banking-session hijack). +- **Monetization** (`FA0002`) — converting stolen assets into usable funds (money-mule layering, APP fraud, crypto off-ramping, card cash-out, refund/chargeback abuse). + +Fraud-specific techniques use `F1XXX` IDs (e.g. `F1005.003` Add Beneficiary, `F1025.003` Wire Transfer, `F1007` Adversary-in-the-Browser); reused ATT&CK techniques keep their `T1XXX` IDs. Mappings live in each skill's `mitre_f3:` frontmatter block — all 123 F3 v1.1 technique IDs were verified against the upstream STIX bundle. See [`docs/mitre-f3-mapping.md`](docs/mitre-f3-mapping.md) for the schema. ### MITRE ATT&CK v19.1 — 754/754 skills mapped diff --git a/docs/mitre-f3-mapping.md b/docs/mitre-f3-mapping.md new file mode 100644 index 00000000..57ec2080 --- /dev/null +++ b/docs/mitre-f3-mapping.md 
@@ -0,0 +1,93 @@ +# MITRE Fight Fraud Framework (F3) — Mapping Schema + +This repository maps fraud-relevant skills to the **MITRE Fight Fraud Framework (F3)**, +released April 9, 2026 by MITRE's Center for Threat-Informed Defense (CTID). F3 is an +ATT&CK-compatible TTP catalog for cyber-enabled financial fraud. + +- Upstream project: +- Source repo: +- License: Apache-2.0 +- Mapped version in this repo: **F3 v1.1** + +## Why F3 in addition to ATT&CK + +ATT&CK collapses post-compromise fraud into the single `T1657` (Financial Theft) +technique. F3 decomposes the "how a cyber intrusion becomes a financial loss" stages +into two dedicated tactics that ATT&CK does not have: + +- **Positioning** (`FA0001`) — after access, collect/manipulate data and prepare the fraud. +- **Monetization** (`FA0002`) — convert stolen assets into usable funds. + +So `mitre_attack` answers "how did the adversary get in / operate technically" and +`mitre_f3` answers "how did that turn into money." They are kept as **separate +frontmatter blocks** because F3 redefines several ATT&CK tactics for the fraud context. + +## The 8 F3 v1.1 tactics + +| Tactic slug | F3 ID | Origin | +|---|---|---| +| `reconnaissance` | TA0043 | ATT&CK (redefined) | +| `resource-development` | TA0042 | ATT&CK (redefined) | +| `initial-access` | TA0001 | ATT&CK (redefined) | +| `stealth` | TA0005 | ATT&CK (redefined) | +| `positioning` | **FA0001** | **F3-new** | +| `execution` | TA0002 | ATT&CK (redefined) | +| `monetization` | **FA0002** | **F3-new** | +| `defense-impairment` | TA0112 | ATT&CK (redefined) | + +## Technique ID conventions + +- **`F1XXX`** — fraud-specific techniques introduced by F3 (e.g. `F1005.003` + Account Manipulation: Add Beneficiary, `F1025.003` Electronic Funds Transfer: + Wire Transfer, `F1018` Convert to Cryptocurrency). +- **`T1XXX`** — ATT&CK techniques reused verbatim inside F3 (e.g. `T1566` Phishing, + `T1586` Compromise Accounts, `T1557` Adversary-in-the-Middle). 
+- Sub-techniques use ATT&CK dot notation (`F1005.003`, `T1566.002`). + +Every ID used in this repo is a real, active technique present in the F3 v1.1 STIX +bundle — there are no `TBD`/placeholder IDs. + +## Frontmatter schema + +The `mitre_f3` block sits alongside the existing `mitre_attack` block: + +```yaml +mitre_f3: + version: '1.1' + tactics: + - positioning + - monetization + techniques: + - id: F1005.003 + name: 'Account Manipulation: Add Beneficiary' + tactic: positioning + source: f3 # F-prefixed = fraud-specific + - id: T1586 + name: Compromise Accounts + tactic: resource-development + source: attack # T-prefixed = reused ATT&CK +``` + +Rules: +1. `id` must be a real F3 v1.1 technique ID. +2. `name` must match the technique's official name in the F3 catalog. +3. `tactic` must be one the technique actually lists in the catalog. +4. `source` is `f3` for `F1XXX` IDs and `attack` for `T1XXX` IDs. + +## Scope + +F3 mappings are applied only to **fraud-relevant skills** — phishing/social +engineering, account takeover, banking malware/stealers, BEC, identity/KYC, +payment/card fraud, money-mule/cash-out, ransomware extortion, and the cross-cutting +DFIR and threat-intelligence skills. Skills with no fraud dimension do not carry an +`mitre_f3` block. + +## Regenerating / verifying the catalog + +```bash +git clone --depth 1 https://github.com/center-for-threat-informed-defense/fight-fraud-framework +# technique catalog is the STIX bundle: +# fight-fraud-framework/public/f3-stix-v1.1.json +``` + +All `mitre_f3` IDs in this repo are validated against that bundle on every update. diff --git a/skills/analyzing-certificate-transparency-for-phishing/SKILL.md b/skills/analyzing-certificate-transparency-for-phishing/SKILL.md index ebb206a6..1764180e 100644 --- a/skills/analyzing-certificate-transparency-for-phishing/SKILL.md +++ b/skills/analyzing-certificate-transparency-for-phishing/SKILL.md 
@@ -30,6 +30,33 @@ mitre_attack: - T1566.002 - T1608.005 - T1596.003 +mitre_f3: + version: '1.1' + tactics: + - resource-development + - reconnaissance + - initial-access + techniques: + - id: T1583.001 + name: 'Acquire Infrastructure: Domains' + tactic: resource-development + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 + - id: T1593 + name: Search Open Websites/Domains + tactic: reconnaissance + source: attack + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1660 + name: Phishing + tactic: initial-access + source: attack --- # Analyzing Certificate Transparency for Phishing diff --git a/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md b/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md index 7c6e9d3a..37497ee6 100644 --- a/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md +++ b/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md @@ -26,6 +26,38 @@ mitre_attack: - T1566.001 - T1566.002 - T1598.003 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - initial-access + - stealth + - resource-development + techniques: + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1672 + name: Email Spoofing + tactic: stealth + source: attack + - id: F1032 + name: Impersonate Official + tactic: initial-access + source: f3 + - id: T1583.001 + name: 'Acquire Infrastructure: Domains' + tactic: resource-development + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 --- # Analyzing Email Headers for Phishing Investigation diff --git a/skills/analyzing-indicators-of-compromise/SKILL.md b/skills/analyzing-indicators-of-compromise/SKILL.md index 31ff4145..697437a2 100644 
--- a/skills/analyzing-indicators-of-compromise/SKILL.md +++ b/skills/analyzing-indicators-of-compromise/SKILL.md @@ -34,6 +34,29 @@ mitre_attack: - T1105 - T1041 - T1567 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - resource-development + - initial-access + techniques: + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1583.001 + name: 'Acquire Infrastructure: Domains' + tactic: resource-development + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 --- # Analyzing Indicators of Compromise diff --git a/skills/analyzing-linux-elf-malware/SKILL.md b/skills/analyzing-linux-elf-malware/SKILL.md index 40eacef1..87b1ced8 100644 --- a/skills/analyzing-linux-elf-malware/SKILL.md +++ b/skills/analyzing-linux-elf-malware/SKILL.md @@ -29,6 +29,29 @@ mitre_attack: - T1059.004 - T1620 - T1574.006 +mitre_f3: + version: '1.1' + tactics: + - positioning + - monetization + - reconnaissance + techniques: + - id: T1219 + name: Remote Access Tools + tactic: positioning + source: attack + - id: T1555 + name: Credentials from Password Stores + tactic: reconnaissance + source: attack + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1047 + name: Transfer of funds + tactic: monetization + source: f3 --- # Analyzing Linux ELF Malware diff --git a/skills/analyzing-ransomware-encryption-mechanisms/SKILL.md b/skills/analyzing-ransomware-encryption-mechanisms/SKILL.md index 1992cdc6..8f4baae8 100644 --- a/skills/analyzing-ransomware-encryption-mechanisms/SKILL.md +++ b/skills/analyzing-ransomware-encryption-mechanisms/SKILL.md 
@@ -28,6 +28,24 @@ mitre_attack: - T1573.001 - T1573.002 - T1027 +mitre_f3: + version: '1.1' + tactics: + - monetization + - positioning + techniques: + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1047 + name: Transfer of funds + tactic: monetization + source: f3 + - id: T1219 + name: Remote Access Tools + tactic: positioning + source: attack --- # Analyzing Ransomware Encryption Mechanisms diff --git a/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md b/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md index f9ef423f..b15d69f9 100644 --- a/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md +++ b/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md @@ -27,6 +27,28 @@ mitre_attack: - T1486 - T1567.002 - T1591 +mitre_f3: + version: '1.1' + tactics: + - monetization + - reconnaissance + techniques: + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1029 + name: Gather Customer Information + tactic: reconnaissance + source: f3 + - id: T1593 + name: Search Open Websites/Domains + tactic: reconnaissance + source: attack + - id: F1025.003 + name: 'Electronic Funds Transfer: Wire Transfer' + tactic: monetization + source: f3 --- # Analyzing Ransomware Leak Site Intelligence diff --git a/skills/analyzing-ransomware-network-indicators/SKILL.md b/skills/analyzing-ransomware-network-indicators/SKILL.md index 8bef4e4a..08804fb1 100644 --- a/skills/analyzing-ransomware-network-indicators/SKILL.md +++ b/skills/analyzing-ransomware-network-indicators/SKILL.md 
@@ -33,6 +33,24 @@ mitre_attack: - T1048 - T1567.002 - T1486 +mitre_f3: + version: '1.1' + tactics: + - positioning + - monetization + techniques: + - id: T1219 + name: Remote Access Tools + tactic: positioning + source: attack + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1047 + name: Transfer of funds + tactic: monetization + source: f3 --- # Analyzing Ransomware Network Indicators diff --git a/skills/analyzing-ransomware-payment-wallets/SKILL.md b/skills/analyzing-ransomware-payment-wallets/SKILL.md index f3f35d66..c536fff8 100644 --- a/skills/analyzing-ransomware-payment-wallets/SKILL.md +++ b/skills/analyzing-ransomware-payment-wallets/SKILL.md @@ -28,6 +28,32 @@ nist_csf: mitre_attack: - T1657 - T1486 +mitre_f3: + version: '1.1' + tactics: + - monetization + - stealth + techniques: + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1017 + name: Conversion to Physical Monetary Instruments + tactic: monetization + source: f3 + - id: F1017.001 + name: 'Conversion to Physical Monetary Instruments: Cash' + tactic: monetization + source: f3 + - id: F1047 + name: Transfer of funds + tactic: monetization + source: f3 + - id: F1045 + name: Structuring + tactic: stealth + source: f3 --- # Analyzing Ransomware Payment Wallets diff --git a/skills/analyzing-tls-certificate-transparency-logs/SKILL.md b/skills/analyzing-tls-certificate-transparency-logs/SKILL.md index 84f2daa4..037b83ea 100644 --- a/skills/analyzing-tls-certificate-transparency-logs/SKILL.md +++ b/skills/analyzing-tls-certificate-transparency-logs/SKILL.md 
@@ -31,6 +31,33 @@ mitre_attack: - T1566.002 - T1598.003 - T1583.006 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - resource-development + - initial-access + techniques: + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1593 + name: Search Open Websites/Domains + tactic: reconnaissance + source: attack + - id: T1583.001 + name: 'Acquire Infrastructure: Domains' + tactic: resource-development + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 + - id: T1660 + name: Phishing + tactic: initial-access + source: attack --- # Analyzing TLS Certificate Transparency Logs diff --git a/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md b/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md index d3fbc6dc..7c4b5908 100644 --- a/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md +++ b/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md @@ -30,6 +30,33 @@ mitre_attack: - T1566.002 - T1598.003 - T1583.006 +mitre_f3: + version: '1.1' + tactics: + - resource-development + - reconnaissance + - initial-access + techniques: + - id: T1583.001 + name: 'Acquire Infrastructure: Domains' + tactic: resource-development + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1593 + name: Search Open Websites/Domains + tactic: reconnaissance + source: attack + - id: T1660 + name: Phishing + tactic: initial-access + source: attack --- # Analyzing Typosquatting Domains with DNSTwist diff --git a/skills/auditing-kubernetes-cluster-rbac/SKILL.md b/skills/auditing-kubernetes-cluster-rbac/SKILL.md index aaa7b397..6f58370b 100644 --- a/skills/auditing-kubernetes-cluster-rbac/SKILL.md +++ b/skills/auditing-kubernetes-cluster-rbac/SKILL.md 
@@ -29,6 +29,29 @@ mitre_attack: - T1611 - T1613 - T1078.004 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - defense-impairment + techniques: + - id: F1033 + name: Insider Access Abuse + tactic: initial-access + source: f3 + - id: F1005 + name: Account Manipulation + tactic: positioning + source: f3 + - id: F1005.002 + name: 'Account Manipulation: Add Authorized User' + tactic: positioning + source: f3 + - id: T1531 + name: Account Access Removal + tactic: positioning + source: attack --- # Auditing Kubernetes Cluster RBAC diff --git a/skills/building-identity-federation-with-saml-azure-ad/SKILL.md b/skills/building-identity-federation-with-saml-azure-ad/SKILL.md index f04bf5aa..83e7c52a 100644 --- a/skills/building-identity-federation-with-saml-azure-ad/SKILL.md +++ b/skills/building-identity-federation-with-saml-azure-ad/SKILL.md @@ -28,6 +28,32 @@ mitre_attack: - T1484.002 - T1078.004 - T1110.003 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + techniques: + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 + - id: T1110.003 + name: 'Brute Force: Password Spraying' + tactic: initial-access + source: attack + - id: T1550 + name: Use Alternate Authentication Material + tactic: initial-access + source: attack + - id: F1004 + name: Access with Stolen Session Cookie + tactic: initial-access + source: f3 --- # Building Identity Federation with SAML Azure AD diff --git a/skills/building-identity-governance-lifecycle-process/SKILL.md b/skills/building-identity-governance-lifecycle-process/SKILL.md index 0f0da8e9..57fe191a 100644 --- a/skills/building-identity-governance-lifecycle-process/SKILL.md +++ b/skills/building-identity-governance-lifecycle-process/SKILL.md 
@@ -34,6 +34,33 @@ mitre_attack: - T1078 - T1531 - T1087 +mitre_f3: + version: '1.1' + tactics: + - positioning + - defense-impairment + - initial-access + techniques: + - id: F1005 + name: Account Manipulation + tactic: positioning + source: f3 + - id: F1005.002 + name: 'Account Manipulation: Add Authorized User' + tactic: positioning + source: f3 + - id: F1033 + name: Insider Access Abuse + tactic: initial-access + source: f3 + - id: F1042 + name: Reactivate Account + tactic: positioning + source: f3 + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 --- # Building Identity Governance Lifecycle Process diff --git a/skills/building-phishing-reporting-button-workflow/SKILL.md b/skills/building-phishing-reporting-button-workflow/SKILL.md index 17add0eb..ba1a1f17 100644 --- a/skills/building-phishing-reporting-button-workflow/SKILL.md +++ b/skills/building-phishing-reporting-button-workflow/SKILL.md @@ -19,6 +19,30 @@ mitre_attack: - T1598.003 - T1204.001 - T1534 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - resource-development + - initial-access + - stealth + techniques: + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1672 + name: Email Spoofing + tactic: stealth + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/building-ransomware-playbook-with-cisa-framework/SKILL.md b/skills/building-ransomware-playbook-with-cisa-framework/SKILL.md index 4014ac11..cedc1c94 100644 --- a/skills/building-ransomware-playbook-with-cisa-framework/SKILL.md +++ b/skills/building-ransomware-playbook-with-cisa-framework/SKILL.md 
@@ -30,6 +30,28 @@ mitre_attack: - T1489 - T1078 - T1021.002 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - monetization + techniques: + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1110 + name: Brute Force + tactic: initial-access + source: attack + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1047 + name: Transfer of funds + tactic: monetization + source: f3 --- # Building Ransomware Playbook with CISA Framework diff --git a/skills/building-soc-playbook-for-ransomware/SKILL.md b/skills/building-soc-playbook-for-ransomware/SKILL.md index 5083a4d1..83a2f72c 100644 --- a/skills/building-soc-playbook-for-ransomware/SKILL.md +++ b/skills/building-soc-playbook-for-ransomware/SKILL.md @@ -23,6 +23,28 @@ mitre_attack: - T1489 - T1566 - T1059.001 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - monetization + techniques: + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1110 + name: Brute Force + tactic: initial-access + source: attack + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1047 + name: Transfer of funds + tactic: monetization + source: f3 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/conducting-phishing-incident-response/SKILL.md b/skills/conducting-phishing-incident-response/SKILL.md index aa3bed93..2025620d 100644 --- a/skills/conducting-phishing-incident-response/SKILL.md +++ b/skills/conducting-phishing-incident-response/SKILL.md 
@@ -23,6 +23,38 @@ mitre_attack: - T1204.001 - T1114 - T1056.003 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - reconnaissance + - resource-development + - positioning + techniques: + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 + - id: T1557 + name: Adversary-in-the-Middle + tactic: positioning + source: attack + - id: F1004 + name: Access with Stolen Session Cookie + tactic: initial-access + source: f3 + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/conducting-social-engineering-penetration-test/SKILL.md b/skills/conducting-social-engineering-penetration-test/SKILL.md index d97d876a..24f08dd6 100644 --- a/skills/conducting-social-engineering-penetration-test/SKILL.md +++ b/skills/conducting-social-engineering-penetration-test/SKILL.md @@ -35,6 +35,37 @@ mitre_attack: - T1566.004 - T1204.001 - T1589 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - initial-access + - resource-development + techniques: + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: F1029 + name: Gather Customer Information + tactic: reconnaissance + source: f3 + - id: F1032 + name: Impersonate Official + tactic: initial-access + source: f3 + - id: T1557 + name: Adversary-in-the-Middle + tactic: initial-access + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 --- # Conducting Social Engineering Penetration Test 
diff --git a/skills/conducting-social-engineering-pretext-call/SKILL.md b/skills/conducting-social-engineering-pretext-call/SKILL.md index b05d7efa..a3c9d726 100644 --- a/skills/conducting-social-engineering-pretext-call/SKILL.md +++ b/skills/conducting-social-engineering-pretext-call/SKILL.md @@ -38,6 +38,37 @@ mitre_attack: - T1589 - T1591 - T1598 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - initial-access + - stealth + techniques: + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: F1034 + name: Interactive Voice Response Mapping + tactic: reconnaissance + source: f3 + - id: F1029 + name: Gather Customer Information + tactic: reconnaissance + source: f3 + - id: F1032 + name: Impersonate Official + tactic: initial-access + source: f3 + - id: F1040 + name: Phone Number Spoofing + tactic: stealth + source: f3 + - id: F1040.002 + name: 'Phone Number Spoofing: Official Phone Number Spoofing' + tactic: stealth + source: f3 --- # Conducting Social Engineering Pretext Call diff --git a/skills/conducting-spearphishing-simulation-campaign/SKILL.md b/skills/conducting-spearphishing-simulation-campaign/SKILL.md index ed21910a..d70e1f2f 100644 --- a/skills/conducting-spearphishing-simulation-campaign/SKILL.md +++ b/skills/conducting-spearphishing-simulation-campaign/SKILL.md 
@@ -33,6 +33,37 @@ mitre_attack: - T1598.002 - T1204.002 - T1204.001 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - resource-development + - initial-access + techniques: + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1583.001 + name: 'Acquire Infrastructure: Domains' + tactic: resource-development + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 + - id: T1585 + name: Establish Accounts + tactic: resource-development + source: attack + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 --- # Conducting Spearphishing Simulation Campaign diff --git a/skills/configuring-identity-aware-proxy-with-google-iap/SKILL.md b/skills/configuring-identity-aware-proxy-with-google-iap/SKILL.md index c9ac81e4..0134be1d 100644 --- a/skills/configuring-identity-aware-proxy-with-google-iap/SKILL.md +++ b/skills/configuring-identity-aware-proxy-with-google-iap/SKILL.md @@ -28,6 +28,28 @@ mitre_attack: - T1078.004 - T1133 - T1021.007 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + techniques: + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 + - id: F1004 + name: Access with Stolen Session Cookie + tactic: initial-access + source: f3 + - id: T1550.001 + name: 'Use Alternate Authentication Material: Application Access Token' + tactic: initial-access + source: attack + - id: T1539 + name: Steal Web Session Cookie + tactic: positioning + source: attack --- # Configuring Identity-Aware Proxy with Google IAP diff --git a/skills/configuring-ldap-security-hardening/SKILL.md b/skills/configuring-ldap-security-hardening/SKILL.md index f0c51887..c5e25858 100644 --- a/skills/configuring-ldap-security-hardening/SKILL.md +++ b/skills/configuring-ldap-security-hardening/SKILL.md 
@@ -26,6 +26,28 @@ mitre_attack: - T1557.001 - T1040 - T1078.002 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + techniques: + - id: T1110.003 + name: 'Brute Force: Password Spraying' + tactic: initial-access + source: attack + - id: T1110 + name: Brute Force + tactic: initial-access + source: attack + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 + - id: T1557 + name: Adversary-in-the-Middle + tactic: positioning + source: attack --- # Configuring LDAP Security Hardening diff --git a/skills/configuring-oauth2-authorization-flow/SKILL.md b/skills/configuring-oauth2-authorization-flow/SKILL.md index 4cee0df4..1e917c91 100644 --- a/skills/configuring-oauth2-authorization-flow/SKILL.md +++ b/skills/configuring-oauth2-authorization-flow/SKILL.md @@ -28,6 +28,28 @@ mitre_attack: - T1539 - T1606.001 - T1212 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + techniques: + - id: T1550.001 + name: 'Use Alternate Authentication Material: Application Access Token' + tactic: initial-access + source: attack + - id: F1004 + name: Access with Stolen Session Cookie + tactic: initial-access + source: f3 + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 + - id: T1539 + name: Steal Web Session Cookie + tactic: positioning + source: attack --- # Configuring OAuth 2.0 Authorization Flow diff --git a/skills/deploying-decoy-files-for-ransomware-detection/SKILL.md b/skills/deploying-decoy-files-for-ransomware-detection/SKILL.md index 82ef8499..afbb6153 100644 --- a/skills/deploying-decoy-files-for-ransomware-detection/SKILL.md +++ b/skills/deploying-decoy-files-for-ransomware-detection/SKILL.md 
@@ -30,6 +30,29 @@ mitre_attack: - T1083 - T1490 - T1485 +mitre_f3: + version: '1.1' + tactics: + - monetization + - positioning + - stealth + techniques: + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1017.001 + name: 'Conversion to Physical Monetary Instruments: Cash' + tactic: monetization + source: f3 + - id: T1219 + name: Remote Access Tools + tactic: positioning + source: attack + - id: T1070 + name: Indicator Removal + tactic: stealth + source: attack --- # Deploying Decoy Files for Ransomware Detection diff --git a/skills/deploying-ransomware-canary-files/SKILL.md b/skills/deploying-ransomware-canary-files/SKILL.md index 14b1bf05..c8974f5c 100644 --- a/skills/deploying-ransomware-canary-files/SKILL.md +++ b/skills/deploying-ransomware-canary-files/SKILL.md @@ -32,6 +32,23 @@ mitre_attack: - T1083 - T1490 - T1485 +mitre_f3: + version: '1.1' + tactics: + - monetization + techniques: + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1017 + name: Conversion to Physical Monetary Instruments + tactic: monetization + source: f3 + - id: F1025.003 + name: 'Electronic Funds Transfer: Wire Transfer' + tactic: monetization + source: f3 --- # Deploying Ransomware Canary Files diff --git a/skills/detecting-anomalous-authentication-patterns/SKILL.md b/skills/detecting-anomalous-authentication-patterns/SKILL.md index ec7c98ae..b9f6b8a8 100644 --- a/skills/detecting-anomalous-authentication-patterns/SKILL.md +++ b/skills/detecting-anomalous-authentication-patterns/SKILL.md 
@@ -37,6 +37,32 @@ mitre_attack: - T1110.004 - T1078 - T1021 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + techniques: + - id: T1110.004 + name: 'Brute Force: Credential Stuffing' + tactic: initial-access + source: attack + - id: T1110.003 + name: 'Brute Force: Password Spraying' + tactic: initial-access + source: attack + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 + - id: T1539 + name: Steal Web Session Cookie + tactic: positioning + source: attack --- # Detecting Anomalous Authentication Patterns diff --git a/skills/detecting-aws-cloudtrail-anomalies/SKILL.md b/skills/detecting-aws-cloudtrail-anomalies/SKILL.md index 995d9adc..e29b2e26 100644 --- a/skills/detecting-aws-cloudtrail-anomalies/SKILL.md +++ b/skills/detecting-aws-cloudtrail-anomalies/SKILL.md @@ -26,6 +26,33 @@ mitre_attack: - T1538 - T1098.001 - T1526 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - defense-impairment + techniques: + - id: F1006.001 + name: 'Account Takeover: Exposed API Key' + tactic: initial-access + source: f3 + - id: T1586.003 + name: 'Compromise Accounts: Cloud Accounts' + tactic: resource-development + source: attack + - id: F1005 + name: Account Manipulation + tactic: positioning + source: f3 + - id: F1005.002 + name: 'Account Manipulation: Add Authorized User' + tactic: positioning + source: f3 + - id: F1005.001 + name: 'Account Manipulation: Account Linking' + tactic: defense-impairment + source: f3 --- # Detecting AWS CloudTrail Anomalies diff --git a/skills/detecting-aws-credential-exposure-with-trufflehog/SKILL.md b/skills/detecting-aws-credential-exposure-with-trufflehog/SKILL.md index 4dbc10c9..efefdf76 100644 --- a/skills/detecting-aws-credential-exposure-with-trufflehog/SKILL.md +++ b/skills/detecting-aws-credential-exposure-with-trufflehog/SKILL.md 
@@ -27,6 +27,32 @@ mitre_attack: - T1552 - T1078.004 - T1589.001 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - initial-access + techniques: + - id: T1593 + name: Search Open Websites/Domains + tactic: reconnaissance + source: attack + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 + - id: F1006.001 + name: 'Account Takeover: Exposed API Key' + tactic: initial-access + source: f3 + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 + - id: T1550.001 + name: 'Use Alternate Authentication Material: Application Access Token' + tactic: initial-access + source: attack --- # Detecting AWS Credential Exposure with TruffleHog diff --git a/skills/detecting-business-email-compromise-with-ai/SKILL.md b/skills/detecting-business-email-compromise-with-ai/SKILL.md index 610275fb..457636a4 100644 --- a/skills/detecting-business-email-compromise-with-ai/SKILL.md +++ b/skills/detecting-business-email-compromise-with-ai/SKILL.md @@ -44,6 +44,38 @@ mitre_attack: - T1114.002 - T1657 - T1078.004 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - stealth + - positioning + - monetization + techniques: + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1672 + name: Email Spoofing + tactic: stealth + source: attack + - id: F1032 + name: Impersonate Official + tactic: initial-access + source: f3 + - id: F1005.006 + name: 'Account Manipulation: Change of Payment Details' + tactic: positioning + source: f3 + - id: F1022 + name: Delete Relevant Emails + tactic: stealth + source: f3 + - id: F1025.003 + name: 'Electronic Funds Transfer: Wire Transfer' + tactic: monetization + source: f3 --- # Detecting Business Email Compromise with AI diff --git a/skills/detecting-business-email-compromise/SKILL.md b/skills/detecting-business-email-compromise/SKILL.md index 7d38f6df..f5381ddd 100644 --- a/skills/detecting-business-email-compromise/SKILL.md 
+++ b/skills/detecting-business-email-compromise/SKILL.md @@ -39,6 +39,38 @@ mitre_attack: - T1114.002 - T1657 - T1078.004 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - monetization + - stealth + techniques: + - id: T1672 + name: Email Spoofing + tactic: stealth + source: attack + - id: F1032 + name: Impersonate Official + tactic: initial-access + source: f3 + - id: F1036 + name: New Vendor Setup + tactic: positioning + source: f3 + - id: F1005.006 + name: 'Account Manipulation: Change of Payment Details' + tactic: positioning + source: f3 + - id: F1025.003 + name: 'Electronic Funds Transfer: Wire Transfer' + tactic: monetization + source: f3 + - id: F1022 + name: Delete Relevant Emails + tactic: stealth + source: f3 --- # Detecting Business Email Compromise diff --git a/skills/detecting-compromised-cloud-credentials/SKILL.md b/skills/detecting-compromised-cloud-credentials/SKILL.md index a1f71ea1..870a857a 100644 --- a/skills/detecting-compromised-cloud-credentials/SKILL.md +++ b/skills/detecting-compromised-cloud-credentials/SKILL.md @@ -29,6 +29,33 @@ mitre_attack: - T1537 - T1580 - T1003 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - defense-impairment + techniques: + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 + - id: F1006.001 + name: 'Account Takeover: Exposed API Key' + tactic: initial-access + source: f3 + - id: T1110.004 + name: 'Brute Force: Credential Stuffing' + tactic: initial-access + source: attack + - id: T1586.003 + name: 'Compromise Accounts: Cloud Accounts' + tactic: resource-development + source: attack + - id: F1005 + name: Account Manipulation + tactic: defense-impairment + source: f3 --- # Detecting Compromised Cloud Credentials diff --git a/skills/detecting-credential-dumping-techniques/SKILL.md b/skills/detecting-credential-dumping-techniques/SKILL.md index a5e25678..89d8c8c0 100644 
--- a/skills/detecting-credential-dumping-techniques/SKILL.md +++ b/skills/detecting-credential-dumping-techniques/SKILL.md @@ -32,6 +32,33 @@ mitre_attack: - T1059 - T1003 - T1110 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - positioning + - initial-access + techniques: + - id: T1555 + name: Credentials from Password Stores + tactic: reconnaissance + source: attack + - id: T1555.003 + name: 'Credentials from Password Stores: Credentials from Web Browsers' + tactic: reconnaissance + source: attack + - id: T1539 + name: Steal Web Session Cookie + tactic: positioning + source: attack + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 + - id: T1110.002 + name: 'Brute Force: Password Cracking' + tactic: initial-access + source: attack --- # Detecting Credential Dumping Techniques diff --git a/skills/detecting-cryptomining-in-cloud/SKILL.md b/skills/detecting-cryptomining-in-cloud/SKILL.md index 9bf661bf..bbaa7a5f 100644 --- a/skills/detecting-cryptomining-in-cloud/SKILL.md +++ b/skills/detecting-cryptomining-in-cloud/SKILL.md @@ -29,6 +29,29 @@ mitre_attack: - T1537 - T1580 - T1071 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - resource-development + - monetization + techniques: + - id: F1006.001 + name: 'Account Takeover: Exposed API Key' + tactic: initial-access + source: f3 + - id: T1586.003 + name: 'Compromise Accounts: Cloud Accounts' + tactic: resource-development + source: attack + - id: T1583.003 + name: 'Acquire Infrastructure: Virtual Private Network or Server' + tactic: resource-development + source: attack + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 --- # Detecting Cryptomining in Cloud diff --git a/skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md b/skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md index 4d1e75e4..bbc1fb3c 100644 --- a/skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md 
+++ b/skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md @@ -47,6 +47,34 @@ mitre_attack: - T1059 - T1566 - T1598 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - initial-access + - stealth + - monetization + techniques: + - id: F1032 + name: Impersonate Official + tactic: initial-access + source: f3 + - id: F1031 + name: Impersonate Account Holder + tactic: initial-access + source: f3 + - id: F1040 + name: Phone Number Spoofing + tactic: stealth + source: f3 + - id: F1034 + name: Interactive Voice Response Mapping + tactic: reconnaissance + source: f3 + - id: F1025.003 + name: 'Electronic Funds Transfer: Wire Transfer' + tactic: monetization + source: f3 --- # Detecting Deepfake Audio in Vishing Attacks diff --git a/skills/detecting-mobile-malware-behavior/SKILL.md b/skills/detecting-mobile-malware-behavior/SKILL.md index ad1a699a..c2d13d24 100644 --- a/skills/detecting-mobile-malware-behavior/SKILL.md +++ b/skills/detecting-mobile-malware-behavior/SKILL.md @@ -31,6 +31,33 @@ mitre_attack: - T1036 - T1078 - T1003 +mitre_f3: + version: '1.1' + tactics: + - positioning + - execution + - initial-access + techniques: + - id: T1453 + name: Abuse Accessibility Features + tactic: positioning + source: attack + - id: F1003 + name: Abuse SMS verification + tactic: execution + source: f3 + - id: T1113 + name: Screen Capture + tactic: positioning + source: attack + - id: T1219 + name: Remote Access Tools + tactic: positioning + source: attack + - id: F1002.001 + name: 'Abuse of Public-Facing API: Mobile API Abuse' + tactic: positioning + source: f3 --- # Detecting Mobile Malware Behavior diff --git a/skills/detecting-oauth-token-theft/SKILL.md b/skills/detecting-oauth-token-theft/SKILL.md index 0d895a8e..d1faab82 100644 --- a/skills/detecting-oauth-token-theft/SKILL.md +++ b/skills/detecting-oauth-token-theft/SKILL.md 
@@ -32,6 +32,36 @@ mitre_attack: - T1530 - T1537 - T1580 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + techniques: + - id: F1004 + name: Access with Stolen Session Cookie + tactic: initial-access + source: f3 + - id: T1539 + name: Steal Web Session Cookie + tactic: positioning + source: attack + - id: T1557 + name: Adversary-in-the-Middle + tactic: initial-access + source: attack + - id: T1550.001 + name: 'Use Alternate Authentication Material: Application Access Token' + tactic: initial-access + source: attack + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 + - id: T1185 + name: Browser Session Hijacking + tactic: positioning + source: attack --- # Detecting OAuth Token Theft diff --git a/skills/detecting-qr-code-phishing-with-email-security/SKILL.md b/skills/detecting-qr-code-phishing-with-email-security/SKILL.md index 14a2461c..3b40adf3 100644 --- a/skills/detecting-qr-code-phishing-with-email-security/SKILL.md +++ b/skills/detecting-qr-code-phishing-with-email-security/SKILL.md @@ -33,6 +33,33 @@ mitre_attack: - T1534 - T1036 - T1027 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - resource-development + - initial-access + techniques: + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 + - id: T1583.001 + name: 'Acquire Infrastructure: Domains' + tactic: resource-development + source: attack + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 --- # Detecting QR Code Phishing with Email Security diff --git a/skills/detecting-ransomware-encryption-behavior/SKILL.md b/skills/detecting-ransomware-encryption-behavior/SKILL.md index 3825a882..73178fa6 100644 --- a/skills/detecting-ransomware-encryption-behavior/SKILL.md 
+++ b/skills/detecting-ransomware-encryption-behavior/SKILL.md @@ -31,6 +31,29 @@ mitre_attack: - T1059 - T1486 - T1490 +mitre_f3: + version: '1.1' + tactics: + - monetization + - positioning + - stealth + techniques: + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1017.001 + name: 'Conversion to Physical Monetary Instruments: Cash' + tactic: monetization + source: f3 + - id: T1219 + name: Remote Access Tools + tactic: positioning + source: attack + - id: T1070 + name: Indicator Removal + tactic: stealth + source: attack --- # Detecting Ransomware Encryption Behavior diff --git a/skills/detecting-ransomware-precursors-in-network/SKILL.md b/skills/detecting-ransomware-precursors-in-network/SKILL.md index d1b23d10..a5b88d31 100644 --- a/skills/detecting-ransomware-precursors-in-network/SKILL.md +++ b/skills/detecting-ransomware-precursors-in-network/SKILL.md @@ -32,6 +32,29 @@ mitre_attack: - T1059 - T1003 - T1110 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - monetization + techniques: + - id: T1110 + name: Brute Force + tactic: initial-access + source: attack + - id: T1219 + name: Remote Access Tools + tactic: positioning + source: attack + - id: T1650 + name: Acquire Access + tactic: resource-development + source: attack + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 --- # Detecting Ransomware Precursors in Network Traffic diff --git a/skills/detecting-spearphishing-with-email-gateway/SKILL.md b/skills/detecting-spearphishing-with-email-gateway/SKILL.md index 0d13f28b..7f7815e4 100644 --- a/skills/detecting-spearphishing-with-email-gateway/SKILL.md +++ b/skills/detecting-spearphishing-with-email-gateway/SKILL.md 
@@ -26,6 +26,38 @@ mitre_attack: - T1566.002 - T1204.001 - T1204.002 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - initial-access + - stealth + - resource-development + techniques: + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1672 + name: Email Spoofing + tactic: stealth + source: attack + - id: F1032 + name: Impersonate Official + tactic: initial-access + source: f3 + - id: F1031 + name: Impersonate Account Holder + tactic: initial-access + source: f3 + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 --- # Detecting Spearphishing with Email Gateway diff --git a/skills/detecting-t1003-credential-dumping-with-edr/SKILL.md b/skills/detecting-t1003-credential-dumping-with-edr/SKILL.md index 45727df0..5d24218d 100644 --- a/skills/detecting-t1003-credential-dumping-with-edr/SKILL.md +++ b/skills/detecting-t1003-credential-dumping-with-edr/SKILL.md @@ -33,6 +33,33 @@ mitre_attack: - T1003.002 - T1003.003 - T1003.006 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - positioning + - initial-access + techniques: + - id: T1555 + name: Credentials from Password Stores + tactic: reconnaissance + source: attack + - id: T1555.003 + name: 'Credentials from Password Stores: Credentials from Web Browsers' + tactic: reconnaissance + source: attack + - id: T1539 + name: Steal Web Session Cookie + tactic: positioning + source: attack + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 --- # Detecting T1003 Credential Dumping with EDR diff --git a/skills/executing-phishing-simulation-campaign/SKILL.md b/skills/executing-phishing-simulation-campaign/SKILL.md index 315372aa..49eb8b33 100644 
--- a/skills/executing-phishing-simulation-campaign/SKILL.md +++ b/skills/executing-phishing-simulation-campaign/SKILL.md @@ -31,6 +31,38 @@ mitre_attack: - T1059 - T1078 - T1003 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - resource-development + - initial-access + - positioning + techniques: + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 + - id: T1583.001 + name: 'Acquire Infrastructure: Domains' + tactic: resource-development + source: attack + - id: T1557 + name: Adversary-in-the-Middle + tactic: initial-access + source: attack + - id: F1004 + name: Access with Stolen Session Cookie + tactic: initial-access + source: f3 --- # Executing Phishing Simulation Campaign diff --git a/skills/extracting-credentials-from-memory-dump/SKILL.md b/skills/extracting-credentials-from-memory-dump/SKILL.md index af9bc133..d817d809 100644 --- a/skills/extracting-credentials-from-memory-dump/SKILL.md +++ b/skills/extracting-credentials-from-memory-dump/SKILL.md 
@@ -18,6 +18,37 @@ mitre_attack: - T1119 - T1070 - T1003 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - positioning + - initial-access + techniques: + - id: T1555 + name: Credentials from Password Stores + tactic: reconnaissance + source: attack + - id: T1555.003 + name: 'Credentials from Password Stores: Credentials from Web Browsers' + tactic: reconnaissance + source: attack + - id: T1539 + name: Steal Web Session Cookie + tactic: positioning + source: attack + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 + - id: F1006.001 + name: 'Account Takeover: Exposed API Key' + tactic: initial-access + source: f3 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/hunting-credential-stuffing-attacks/SKILL.md b/skills/hunting-credential-stuffing-attacks/SKILL.md index dd312678..6438b1f6 100644 --- a/skills/hunting-credential-stuffing-attacks/SKILL.md +++ b/skills/hunting-credential-stuffing-attacks/SKILL.md @@ -30,6 +30,28 @@ mitre_attack: - T1059 - T1003 - T1110 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + techniques: + - id: T1110.004 + name: 'Brute Force: Credential Stuffing' + tactic: initial-access + source: attack + - id: T1110.003 + name: 'Brute Force: Password Spraying' + tactic: initial-access + source: attack + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 --- # Hunting Credential Stuffing Attacks diff --git a/skills/hunting-for-spearphishing-indicators/SKILL.md b/skills/hunting-for-spearphishing-indicators/SKILL.md index aebab0b3..413dd6c5 100644 --- a/skills/hunting-for-spearphishing-indicators/SKILL.md +++ b/skills/hunting-for-spearphishing-indicators/SKILL.md 
@@ -32,6 +32,33 @@ mitre_attack: - T1082 - T1083 - T1566 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - initial-access + - resource-development + techniques: + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1593 + name: Search Open Websites/Domains + tactic: reconnaissance + source: attack + - id: F1031 + name: Impersonate Account Holder + tactic: initial-access + source: f3 + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 --- # Hunting For Spearphishing Indicators diff --git a/skills/implementing-anti-phishing-training-program/SKILL.md b/skills/implementing-anti-phishing-training-program/SKILL.md index bdc52274..ead3d4bf 100644 --- a/skills/implementing-anti-phishing-training-program/SKILL.md +++ b/skills/implementing-anti-phishing-training-program/SKILL.md @@ -26,6 +26,33 @@ mitre_attack: - T1598 - T1534 - T1036 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - initial-access + - stealth + techniques: + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1672 + name: Email Spoofing + tactic: stealth + source: attack + - id: F1032 + name: Impersonate Official + tactic: initial-access + source: f3 + - id: F1031 + name: Impersonate Account Holder + tactic: initial-access + source: f3 --- # Implementing Anti-Phishing Training Program diff --git a/skills/implementing-anti-ransomware-group-policy/SKILL.md b/skills/implementing-anti-ransomware-group-policy/SKILL.md index a5697268..408b1c4f 100644 --- a/skills/implementing-anti-ransomware-group-policy/SKILL.md +++ b/skills/implementing-anti-ransomware-group-policy/SKILL.md 
@@ -31,6 +31,29 @@ mitre_attack: - T1059 - T1486 - T1490 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - monetization + techniques: + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1219 + name: Remote Access Tools + tactic: positioning + source: attack + - id: T1531 + name: Account Access Removal + tactic: positioning + source: attack + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 --- # Implementing Anti-Ransomware Group Policy diff --git a/skills/implementing-azure-ad-privileged-identity-management/SKILL.md b/skills/implementing-azure-ad-privileged-identity-management/SKILL.md index f3376b46..5618a5e1 100644 --- a/skills/implementing-azure-ad-privileged-identity-management/SKILL.md +++ b/skills/implementing-azure-ad-privileged-identity-management/SKILL.md @@ -26,6 +26,29 @@ mitre_attack: - T1110 - T1556 - T1098 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - defense-impairment + techniques: + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 + - id: T1110.003 + name: 'Brute Force: Password Spraying' + tactic: initial-access + source: attack + - id: F1005 + name: Account Manipulation + tactic: positioning + source: f3 + - id: F1005.002 + name: 'Account Manipulation: Add Authorized User' + tactic: defense-impairment + source: f3 --- # Implementing Azure AD Privileged Identity Management diff --git a/skills/implementing-browser-isolation-for-zero-trust/SKILL.md b/skills/implementing-browser-isolation-for-zero-trust/SKILL.md index 4ed46c2e..921a75b8 100644 --- a/skills/implementing-browser-isolation-for-zero-trust/SKILL.md +++ b/skills/implementing-browser-isolation-for-zero-trust/SKILL.md 
@@ -33,6 +33,37 @@ mitre_attack: - T1557 - T1071 - T1003 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - execution + techniques: + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1557 + name: Adversary-in-the-Middle + tactic: positioning + source: attack + - id: T1185 + name: Browser Session Hijacking + tactic: positioning + source: attack + - id: F1007 + name: Adversary-in-the-Browser + tactic: positioning + source: f3 + - id: F1007.002 + name: 'Adversary-in-the-Browser: Malicious Browser Extension' + tactic: positioning + source: f3 + - id: F1007.003 + name: 'Adversary-in-the-Browser: Malicious JavaScript Injection' + tactic: execution + source: f3 --- # Implementing Browser Isolation for Zero Trust diff --git a/skills/implementing-delinea-secret-server-for-pam/SKILL.md b/skills/implementing-delinea-secret-server-for-pam/SKILL.md index 4def8adb..4297f74c 100644 --- a/skills/implementing-delinea-secret-server-for-pam/SKILL.md +++ b/skills/implementing-delinea-secret-server-for-pam/SKILL.md @@ -30,6 +30,33 @@ mitre_attack: - T1556 - T1098 - T1003 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - initial-access + - positioning + techniques: + - id: T1555.005 + name: 'Credentials from Password Stores: Password Managers' + tactic: reconnaissance + source: attack + - id: T1110 + name: Brute Force + tactic: initial-access + source: attack + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 + - id: F1005 + name: Account Manipulation + tactic: positioning + source: f3 --- # Implementing Delinea Secret Server for PAM diff --git a/skills/implementing-google-workspace-admin-security/SKILL.md b/skills/implementing-google-workspace-admin-security/SKILL.md index 4cc783b2..ce9a0182 100644 --- a/skills/implementing-google-workspace-admin-security/SKILL.md 
+++ b/skills/implementing-google-workspace-admin-security/SKILL.md @@ -31,6 +31,33 @@ mitre_attack: - T1556 - T1098 - T1566 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - stealth + - positioning + techniques: + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 + - id: T1672 + name: Email Spoofing + tactic: stealth + source: attack + - id: T1550.001 + name: 'Use Alternate Authentication Material: Application Access Token' + tactic: initial-access + source: attack + - id: F1005 + name: Account Manipulation + tactic: positioning + source: f3 --- # Implementing Google Workspace Admin Security diff --git a/skills/implementing-google-workspace-phishing-protection/SKILL.md b/skills/implementing-google-workspace-phishing-protection/SKILL.md index ce03fff4..8e8032a6 100644 --- a/skills/implementing-google-workspace-phishing-protection/SKILL.md +++ b/skills/implementing-google-workspace-phishing-protection/SKILL.md @@ -27,6 +27,38 @@ mitre_attack: - T1534 - T1036 - T1027 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - resource-development + - initial-access + - stealth + techniques: + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1672 + name: Email Spoofing + tactic: stealth + source: attack + - id: F1032 + name: Impersonate Official + tactic: initial-access + source: f3 + - id: F1031 + name: Impersonate Account Holder + tactic: initial-access + source: f3 + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 --- # Implementing Google Workspace Phishing Protection diff --git a/skills/implementing-google-workspace-sso-configuration/SKILL.md b/skills/implementing-google-workspace-sso-configuration/SKILL.md index 16b047eb..fb2aea2c 100644 
--- a/skills/implementing-google-workspace-sso-configuration/SKILL.md +++ b/skills/implementing-google-workspace-sso-configuration/SKILL.md @@ -25,6 +25,32 @@ mitre_attack: - T1110 - T1556 - T1098 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + techniques: + - id: T1110 + name: Brute Force + tactic: initial-access + source: attack + - id: T1110.004 + name: 'Brute Force: Credential Stuffing' + tactic: initial-access + source: attack + - id: T1539 + name: Steal Web Session Cookie + tactic: positioning + source: attack + - id: F1004 + name: Access with Stolen Session Cookie + tactic: initial-access + source: f3 + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 --- # Implementing Google Workspace SSO Configuration diff --git a/skills/implementing-hashicorp-vault-dynamic-secrets/SKILL.md b/skills/implementing-hashicorp-vault-dynamic-secrets/SKILL.md index 12df662b..ac0b979b 100644 --- a/skills/implementing-hashicorp-vault-dynamic-secrets/SKILL.md +++ b/skills/implementing-hashicorp-vault-dynamic-secrets/SKILL.md @@ -30,6 +30,38 @@ mitre_attack: - T1556 - T1098 - T1003 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - stealth + - resource-development + techniques: + - id: F1006.001 + name: 'Account Takeover: Exposed API Key' + tactic: initial-access + source: f3 + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 + - id: T1586 + name: Compromise Accounts + tactic: resource-development + source: attack + - id: T1555 + name: Credentials from Password Stores + tactic: reconnaissance + source: attack + - id: F1005.004 + name: 'Account Manipulation: Change Account Details' + tactic: positioning + source: f3 + - id: F1033 + name: Insider Access Abuse + tactic: initial-access + source: f3 --- # Implementing HashiCorp Vault Dynamic Secrets 
diff --git a/skills/implementing-honeypot-for-ransomware-detection/SKILL.md b/skills/implementing-honeypot-for-ransomware-detection/SKILL.md index 4d06a5fd..5cf88bf7 100644 --- a/skills/implementing-honeypot-for-ransomware-detection/SKILL.md +++ b/skills/implementing-honeypot-for-ransomware-detection/SKILL.md @@ -38,6 +38,34 @@ mitre_attack: - T1059 - T1486 - T1490 +mitre_f3: + version: '1.1' + tactics: + - positioning + - initial-access + - monetization + - resource-development + techniques: + - id: T1219 + name: Remote Access Tools + tactic: positioning + source: attack + - id: T1586 + name: Compromise Accounts + tactic: resource-development + source: attack + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1047 + name: Transfer of funds + tactic: monetization + source: f3 + - id: F1033 + name: Insider Access Abuse + tactic: initial-access + source: f3 --- # Implementing Honeypot for Ransomware Detection diff --git a/skills/implementing-identity-governance-with-sailpoint/SKILL.md b/skills/implementing-identity-governance-with-sailpoint/SKILL.md index 0000e450..3f55a1f5 100644 --- a/skills/implementing-identity-governance-with-sailpoint/SKILL.md +++ b/skills/implementing-identity-governance-with-sailpoint/SKILL.md @@ -26,6 +26,33 @@ mitre_attack: - T1110 - T1556 - T1098 +mitre_f3: + version: '1.1' + tactics: + - positioning + - initial-access + - defense-impairment + techniques: + - id: F1005 + name: Account Manipulation + tactic: positioning + source: f3 + - id: F1005.002 + name: 'Account Manipulation: Add Authorized User' + tactic: positioning + source: f3 + - id: F1033 + name: Insider Access Abuse + tactic: initial-access + source: f3 + - id: F1042 + name: Reactivate Account + tactic: positioning + source: f3 + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 --- # Implementing Identity Governance with SailPoint 
diff --git a/skills/implementing-identity-verification-for-zero-trust/SKILL.md b/skills/implementing-identity-verification-for-zero-trust/SKILL.md index c9ebb5ed..48db5f68 100644 --- a/skills/implementing-identity-verification-for-zero-trust/SKILL.md +++ b/skills/implementing-identity-verification-for-zero-trust/SKILL.md @@ -31,6 +31,37 @@ mitre_attack: - T1059 - T1566 - T1598 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - reconnaissance + techniques: + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 + - id: T1110.004 + name: 'Brute Force: Credential Stuffing' + tactic: initial-access + source: attack + - id: T1111 + name: Multi-Factor Authentication Interception + tactic: initial-access + source: attack + - id: T1557 + name: Adversary-in-the-Middle + tactic: initial-access + source: attack + - id: T1539 + name: Steal Web Session Cookie + tactic: positioning + source: attack + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack --- # Implementing Identity Verification for Zero Trust diff --git a/skills/implementing-mimecast-targeted-attack-protection/SKILL.md b/skills/implementing-mimecast-targeted-attack-protection/SKILL.md index 8bc864eb..a77f8978 100644 --- a/skills/implementing-mimecast-targeted-attack-protection/SKILL.md +++ b/skills/implementing-mimecast-targeted-attack-protection/SKILL.md 
@@ -26,6 +26,34 @@ mitre_attack: - T1598 - T1534 - T1036 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - reconnaissance + - stealth + - resource-development + techniques: + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1672 + name: Email Spoofing + tactic: stealth + source: attack + - id: F1032 + name: Impersonate Official + tactic: initial-access + source: f3 + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 --- # Implementing Mimecast Targeted Attack Protection diff --git a/skills/implementing-pam-for-database-access/SKILL.md b/skills/implementing-pam-for-database-access/SKILL.md index a6894698..99b4fd3c 100644 --- a/skills/implementing-pam-for-database-access/SKILL.md +++ b/skills/implementing-pam-for-database-access/SKILL.md @@ -27,6 +27,33 @@ mitre_attack: - T1556 - T1098 - T1003 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - resource-development + techniques: + - id: T1586 + name: Compromise Accounts + tactic: resource-development + source: attack + - id: T1110 + name: Brute Force + tactic: initial-access + source: attack + - id: F1033 + name: Insider Access Abuse + tactic: initial-access + source: f3 + - id: F1005.004 + name: 'Account Manipulation: Change Account Details' + tactic: positioning + source: f3 + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 --- # Implementing PAM for Database Access diff --git a/skills/implementing-passwordless-auth-with-microsoft-entra/SKILL.md b/skills/implementing-passwordless-auth-with-microsoft-entra/SKILL.md index 710d0749..03fa6eb0 100644 --- a/skills/implementing-passwordless-auth-with-microsoft-entra/SKILL.md +++ b/skills/implementing-passwordless-auth-with-microsoft-entra/SKILL.md 
@@ -30,6 +30,35 @@ mitre_attack: - T1556 - T1098 - T1566 +mitre_f3: + version: '1.1' + tactics: + - initial-access + techniques: + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1557 + name: Adversary-in-the-Middle + tactic: initial-access + source: attack + - id: T1110.004 + name: 'Brute Force: Credential Stuffing' + tactic: initial-access + source: attack + - id: T1111 + name: Multi-Factor Authentication Interception + tactic: initial-access + source: attack + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 + - id: F1004 + name: Access with Stolen Session Cookie + tactic: initial-access + source: f3 --- # Implementing Passwordless Auth with Microsoft Entra diff --git a/skills/implementing-privileged-access-management-with-cyberark/SKILL.md b/skills/implementing-privileged-access-management-with-cyberark/SKILL.md index b827296e..8c7cdfbe 100644 --- a/skills/implementing-privileged-access-management-with-cyberark/SKILL.md +++ b/skills/implementing-privileged-access-management-with-cyberark/SKILL.md @@ -26,6 +26,33 @@ mitre_attack: - T1556 - T1098 - T1003 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - resource-development + techniques: + - id: T1586 + name: Compromise Accounts + tactic: resource-development + source: attack + - id: T1110 + name: Brute Force + tactic: initial-access + source: attack + - id: F1033 + name: Insider Access Abuse + tactic: initial-access + source: f3 + - id: F1005.002 + name: 'Account Manipulation: Add Authorized User' + tactic: positioning + source: f3 + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 --- # Implementing Privileged Access Management with CyberArk diff --git a/skills/implementing-proofpoint-email-security-gateway/SKILL.md b/skills/implementing-proofpoint-email-security-gateway/SKILL.md index f3948257..da52aed9 100644 
--- a/skills/implementing-proofpoint-email-security-gateway/SKILL.md +++ b/skills/implementing-proofpoint-email-security-gateway/SKILL.md @@ -28,6 +28,38 @@ mitre_attack: - T1534 - T1036 - T1027 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - initial-access + - stealth + - positioning + techniques: + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1672 + name: Email Spoofing + tactic: stealth + source: attack + - id: F1032 + name: Impersonate Official + tactic: initial-access + source: f3 + - id: F1029 + name: Gather Customer Information + tactic: reconnaissance + source: f3 + - id: F1005.006 + name: 'Account Manipulation: Change of Payment Details' + tactic: positioning + source: f3 --- # Implementing Proofpoint Email Security Gateway diff --git a/skills/implementing-ransomware-backup-strategy/SKILL.md b/skills/implementing-ransomware-backup-strategy/SKILL.md index 5e7ce514..ef7036b7 100644 --- a/skills/implementing-ransomware-backup-strategy/SKILL.md +++ b/skills/implementing-ransomware-backup-strategy/SKILL.md @@ -42,6 +42,28 @@ mitre_attack: - T1059 - T1003 - T1110 +mitre_f3: + version: '1.1' + tactics: + - positioning + - monetization + techniques: + - id: T1531 + name: Account Access Removal + tactic: positioning + source: attack + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1047 + name: Transfer of funds + tactic: monetization + source: f3 + - id: F1017.001 + name: 'Conversion to Physical Monetary Instruments: Cash' + tactic: monetization + source: f3 --- # Implementing Ransomware Backup Strategy diff --git a/skills/implementing-ransomware-kill-switch-detection/SKILL.md b/skills/implementing-ransomware-kill-switch-detection/SKILL.md index af986540..5befb56e 100644 --- a/skills/implementing-ransomware-kill-switch-detection/SKILL.md 
+++ b/skills/implementing-ransomware-kill-switch-detection/SKILL.md @@ -31,6 +31,28 @@ mitre_attack: - T1059 - T1486 - T1490 +mitre_f3: + version: '1.1' + tactics: + - positioning + - monetization + techniques: + - id: T1219 + name: Remote Access Tools + tactic: positioning + source: attack + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1017 + name: Conversion to Physical Monetary Instruments + tactic: monetization + source: f3 + - id: F1047 + name: Transfer of funds + tactic: monetization + source: f3 --- # Implementing Ransomware Kill Switch Detection diff --git a/skills/implementing-saml-sso-with-okta/SKILL.md b/skills/implementing-saml-sso-with-okta/SKILL.md index 81b42c99..aabec15f 100644 --- a/skills/implementing-saml-sso-with-okta/SKILL.md +++ b/skills/implementing-saml-sso-with-okta/SKILL.md @@ -27,6 +27,33 @@ mitre_attack: - T1556 - T1098 - T1553 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - resource-development + techniques: + - id: T1586 + name: Compromise Accounts + tactic: resource-development + source: attack + - id: T1539 + name: Steal Web Session Cookie + tactic: positioning + source: attack + - id: F1004 + name: Access with Stolen Session Cookie + tactic: initial-access + source: f3 + - id: T1550.001 + name: 'Use Alternate Authentication Material: Application Access Token' + tactic: initial-access + source: attack + - id: F1006.003 + name: 'Account Takeover: Password Reset' + tactic: initial-access + source: f3 --- # Implementing SAML SSO with Okta diff --git a/skills/implementing-scim-provisioning-with-okta/SKILL.md b/skills/implementing-scim-provisioning-with-okta/SKILL.md index 6855aef0..91289aaa 100644 --- a/skills/implementing-scim-provisioning-with-okta/SKILL.md +++ b/skills/implementing-scim-provisioning-with-okta/SKILL.md 
@@ -25,6 +25,33 @@ mitre_attack: - T1110 - T1556 - T1098 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - resource-development + techniques: + - id: T1586 + name: Compromise Accounts + tactic: resource-development + source: attack + - id: F1005.002 + name: 'Account Manipulation: Add Authorized User' + tactic: positioning + source: f3 + - id: F1005.004 + name: 'Account Manipulation: Change Account Details' + tactic: positioning + source: f3 + - id: F1042 + name: Reactivate Account + tactic: positioning + source: f3 + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 --- # Implementing SCIM Provisioning with Okta diff --git a/skills/implementing-sigstore-for-software-signing/SKILL.md b/skills/implementing-sigstore-for-software-signing/SKILL.md index a328221c..85d5fca8 100644 --- a/skills/implementing-sigstore-for-software-signing/SKILL.md +++ b/skills/implementing-sigstore-for-software-signing/SKILL.md @@ -36,6 +36,33 @@ mitre_attack: - T1059 - T1610 - T1611 +mitre_f3: + version: '1.1' + tactics: + - resource-development + - initial-access + - stealth + techniques: + - id: T1195 + name: Supply Chain Compromise + tactic: initial-access + source: attack + - id: T1608 + name: Stage Capabilities + tactic: resource-development + source: attack + - id: T1608.006 + name: 'Stage Capabilities: SEO Poisoning' + tactic: resource-development + source: attack + - id: T1586 + name: Compromise Accounts + tactic: resource-development + source: attack + - id: T1070 + name: Indicator Removal + tactic: stealth + source: attack --- # Implementing Sigstore for Software Signing diff --git a/skills/implementing-soar-playbook-for-phishing/SKILL.md b/skills/implementing-soar-playbook-for-phishing/SKILL.md index fdaae961..a5ee8521 100644 --- a/skills/implementing-soar-playbook-for-phishing/SKILL.md +++ b/skills/implementing-soar-playbook-for-phishing/SKILL.md 
@@ -23,6 +23,34 @@ mitre_attack: - T1059 - T1566 - T1598 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - resource-development + - initial-access + - stealth + techniques: + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1672 + name: Email Spoofing + tactic: stealth + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 + - id: F1032 + name: Impersonate Official + tactic: initial-access + source: f3 --- diff --git a/skills/implementing-zero-trust-with-hashicorp-boundary/SKILL.md b/skills/implementing-zero-trust-with-hashicorp-boundary/SKILL.md index bdb56208..8a8887a7 100644 --- a/skills/implementing-zero-trust-with-hashicorp-boundary/SKILL.md +++ b/skills/implementing-zero-trust-with-hashicorp-boundary/SKILL.md @@ -28,6 +28,33 @@ mitre_attack: - T1059 - T1003 - T1110 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - resource-development + techniques: + - id: T1586 + name: Compromise Accounts + tactic: resource-development + source: attack + - id: T1110 + name: Brute Force + tactic: initial-access + source: attack + - id: T1110.004 + name: 'Brute Force: Credential Stuffing' + tactic: initial-access + source: attack + - id: T1219 + name: Remote Access Tools + tactic: positioning + source: attack + - id: F1033 + name: Insider Access Abuse + tactic: initial-access + source: f3 --- # Implementing Zero Trust with HashiCorp Boundary diff --git a/skills/investigating-phishing-email-incident/SKILL.md b/skills/investigating-phishing-email-incident/SKILL.md index c3da70bf..2d25c503 100644 --- a/skills/investigating-phishing-email-incident/SKILL.md +++ b/skills/investigating-phishing-email-incident/SKILL.md 
@@ -23,6 +23,39 @@ mitre_attack: - T1685.005 - T1566 - T1598 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - resource-development + - initial-access + - stealth + - positioning + techniques: + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1672 + name: Email Spoofing + tactic: stealth + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 + - id: T1539 + name: Steal Web Session Cookie + tactic: positioning + source: attack + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/investigating-ransomware-attack-artifacts/SKILL.md b/skills/investigating-ransomware-attack-artifacts/SKILL.md index a49be4e9..6928b843 100644 --- a/skills/investigating-ransomware-attack-artifacts/SKILL.md +++ b/skills/investigating-ransomware-attack-artifacts/SKILL.md @@ -25,6 +25,33 @@ mitre_attack: - T1119 - T1070 - T1486 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - stealth + - monetization + techniques: + - id: T1110 + name: Brute Force + tactic: initial-access + source: attack + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1070 + name: Indicator Removal + tactic: stealth + source: attack + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1017.001 + name: 'Conversion to Physical Monetary Instruments: Cash' + tactic: monetization + source: f3 --- # Investigating Ransomware Attack Artifacts diff --git a/skills/managing-cloud-identity-with-okta/SKILL.md b/skills/managing-cloud-identity-with-okta/SKILL.md index 7ff64339..1b54e78f 100644 --- a/skills/managing-cloud-identity-with-okta/SKILL.md +++ b/skills/managing-cloud-identity-with-okta/SKILL.md 
@@ -29,6 +29,36 @@ mitre_attack: - T1537 - T1580 - T1566 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + techniques: + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 + - id: T1110.004 + name: 'Brute Force: Credential Stuffing' + tactic: initial-access + source: attack + - id: T1110.003 + name: 'Brute Force: Password Spraying' + tactic: initial-access + source: attack + - id: T1539 + name: Steal Web Session Cookie + tactic: positioning + source: attack + - id: T1550.001 + name: 'Use Alternate Authentication Material: Application Access Token' + tactic: initial-access + source: attack --- # Managing Cloud Identity with Okta diff --git a/skills/monitoring-darkweb-sources/SKILL.md b/skills/monitoring-darkweb-sources/SKILL.md index cc421c1c..fbc62063 100644 --- a/skills/monitoring-darkweb-sources/SKILL.md +++ b/skills/monitoring-darkweb-sources/SKILL.md @@ -41,6 +41,33 @@ mitre_attack: - T1593 - T1589 - T1003 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - resource-development + - initial-access + techniques: + - id: T1593 + name: Search Open Websites/Domains + tactic: reconnaissance + source: attack + - id: T1650 + name: Acquire Access + tactic: resource-development + source: attack + - id: T1555.003 + name: 'Credentials from Password Stores: Credentials from Web Browsers' + tactic: reconnaissance + source: attack + - id: F1029 + name: Gather Customer Information + tactic: reconnaissance + source: f3 + - id: T1110.004 + name: 'Brute Force: Credential Stuffing' + tactic: initial-access + source: attack --- # Monitoring Dark Web Sources diff --git a/skills/performing-access-recertification-with-saviynt/SKILL.md b/skills/performing-access-recertification-with-saviynt/SKILL.md index aae8e3d6..11038f5d 100644 --- a/skills/performing-access-recertification-with-saviynt/SKILL.md 
+++ b/skills/performing-access-recertification-with-saviynt/SKILL.md @@ -26,6 +26,34 @@ mitre_attack: - T1556 - T1098 - T1071 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - defense-impairment + - resource-development + techniques: + - id: T1586 + name: Compromise Accounts + tactic: resource-development + source: attack + - id: F1033 + name: Insider Access Abuse + tactic: initial-access + source: f3 + - id: F1005 + name: Account Manipulation + tactic: positioning + source: f3 + - id: F1005.002 + name: 'Account Manipulation: Add Authorized User' + tactic: positioning + source: f3 + - id: F1005.007 + name: 'Account Manipulation: Enable Account Features' + tactic: defense-impairment + source: f3 --- # Performing Access Recertification with Saviynt diff --git a/skills/performing-adversary-in-the-middle-phishing-detection/SKILL.md b/skills/performing-adversary-in-the-middle-phishing-detection/SKILL.md index d589e8bf..51f4b6d1 100644 --- a/skills/performing-adversary-in-the-middle-phishing-detection/SKILL.md +++ b/skills/performing-adversary-in-the-middle-phishing-detection/SKILL.md @@ -28,6 +28,36 @@ mitre_attack: - T1534 - T1036 - T1003 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + techniques: + - id: T1557 + name: Adversary-in-the-Middle + tactic: initial-access + source: attack + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: F1004 + name: Access with Stolen Session Cookie + tactic: initial-access + source: f3 + - id: T1539 + name: Steal Web Session Cookie + tactic: positioning + source: attack + - id: T1185 + name: Browser Session Hijacking + tactic: positioning + source: attack + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 --- # Performing Adversary-in-the-Middle Phishing Detection 
diff --git a/skills/performing-brand-monitoring-for-impersonation/SKILL.md b/skills/performing-brand-monitoring-for-impersonation/SKILL.md index a770e886..333c21a1 100644 --- a/skills/performing-brand-monitoring-for-impersonation/SKILL.md +++ b/skills/performing-brand-monitoring-for-impersonation/SKILL.md @@ -27,6 +27,38 @@ mitre_attack: - T1593 - T1589 - T1566 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - resource-development + - initial-access + - stealth + techniques: + - id: T1583.001 + name: 'Acquire Infrastructure: Domains' + tactic: resource-development + source: attack + - id: T1583.008 + name: 'Acquire Infrastructure: Malvertising' + tactic: resource-development + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 + - id: T1593 + name: Search Open Websites/Domains + tactic: reconnaissance + source: attack + - id: F1032 + name: Impersonate Official + tactic: initial-access + source: f3 + - id: T1672 + name: Email Spoofing + tactic: stealth + source: attack --- # Performing Brand Monitoring for Impersonation diff --git a/skills/performing-credential-access-with-lazagne/SKILL.md b/skills/performing-credential-access-with-lazagne/SKILL.md index b70dc12f..bee56cf3 100644 --- a/skills/performing-credential-access-with-lazagne/SKILL.md +++ b/skills/performing-credential-access-with-lazagne/SKILL.md 
@@ -32,6 +32,37 @@ mitre_attack: - T1059 - T1078 - T1021 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - positioning + - initial-access + techniques: + - id: T1555 + name: Credentials from Password Stores + tactic: reconnaissance + source: attack + - id: T1555.003 + name: 'Credentials from Password Stores: Credentials from Web Browsers' + tactic: reconnaissance + source: attack + - id: T1555.005 + name: 'Credentials from Password Stores: Password Managers' + tactic: reconnaissance + source: attack + - id: T1539 + name: Steal Web Session Cookie + tactic: positioning + source: attack + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 --- # Performing Credential Access with LaZagne diff --git a/skills/performing-cryptographic-audit-of-application/SKILL.md b/skills/performing-cryptographic-audit-of-application/SKILL.md index 8a3e1c1c..2c011a22 100644 --- a/skills/performing-cryptographic-audit-of-application/SKILL.md +++ b/skills/performing-cryptographic-audit-of-application/SKILL.md @@ -22,6 +22,29 @@ mitre_attack: - T1600 - T1573 - T1553 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - initial-access + - positioning + techniques: + - id: T1557 + name: Adversary-in-the-Middle + tactic: positioning + source: attack + - id: T1555 + name: Credentials from Password Stores + tactic: reconnaissance + source: attack + - id: F1006.001 + name: 'Account Takeover: Exposed API Key' + tactic: initial-access + source: f3 + - id: F1004 + name: Access with Stolen Session Cookie + tactic: initial-access + source: f3 --- # Performing Cryptographic Audit of Application diff --git a/skills/performing-entitlement-review-with-sailpoint-iiq/SKILL.md b/skills/performing-entitlement-review-with-sailpoint-iiq/SKILL.md index ea8af51b..e242f3cd 100644 --- a/skills/performing-entitlement-review-with-sailpoint-iiq/SKILL.md 
+++ b/skills/performing-entitlement-review-with-sailpoint-iiq/SKILL.md @@ -29,6 +29,34 @@ mitre_attack: - T1110 - T1556 - T1098 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - defense-impairment + - resource-development + techniques: + - id: T1586 + name: Compromise Accounts + tactic: resource-development + source: attack + - id: F1033 + name: Insider Access Abuse + tactic: initial-access + source: f3 + - id: F1005 + name: Account Manipulation + tactic: positioning + source: f3 + - id: F1005.002 + name: 'Account Manipulation: Add Authorized User' + tactic: positioning + source: f3 + - id: F1005.007 + name: 'Account Manipulation: Enable Account Features' + tactic: defense-impairment + source: f3 --- # Performing Entitlement Review with SailPoint IdentityIQ diff --git a/skills/performing-firmware-extraction-with-binwalk/SKILL.md b/skills/performing-firmware-extraction-with-binwalk/SKILL.md index 3497bba8..5904e440 100644 --- a/skills/performing-firmware-extraction-with-binwalk/SKILL.md +++ b/skills/performing-firmware-extraction-with-binwalk/SKILL.md @@ -31,6 +31,32 @@ mitre_attack: - T1059 - T1003 - T1110 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - initial-access + techniques: + - id: T1555 + name: Credentials from Password Stores + tactic: reconnaissance + source: attack + - id: F1029 + name: Gather Customer Information + tactic: reconnaissance + source: f3 + - id: T1110.001 + name: 'Brute Force: Password Guessing' + tactic: initial-access + source: attack + - id: F1006.001 + name: 'Account Takeover: Exposed API Key' + tactic: initial-access + source: f3 + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 --- # Performing Firmware Extraction with Binwalk diff --git a/skills/performing-initial-access-with-evilginx3/SKILL.md b/skills/performing-initial-access-with-evilginx3/SKILL.md index 420cf307..8d6168fb 100644 
--- a/skills/performing-initial-access-with-evilginx3/SKILL.md +++ b/skills/performing-initial-access-with-evilginx3/SKILL.md @@ -32,6 +32,41 @@ mitre_attack: - T1059 - T1078 - T1003 +mitre_f3: + version: '1.1' + tactics: + - resource-development + - initial-access + - positioning + techniques: + - id: T1583.001 + name: 'Acquire Infrastructure: Domains' + tactic: resource-development + source: attack + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1557 + name: Adversary-in-the-Middle + tactic: initial-access + source: attack + - id: T1539 + name: Steal Web Session Cookie + tactic: positioning + source: attack + - id: T1111 + name: Multi-Factor Authentication Interception + tactic: initial-access + source: attack + - id: F1004 + name: Access with Stolen Session Cookie + tactic: initial-access + source: f3 + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 --- # Performing Initial Access with EvilGinx3 diff --git a/skills/performing-oauth-scope-minimization-review/SKILL.md b/skills/performing-oauth-scope-minimization-review/SKILL.md index fcdd7707..11eba5b9 100644 --- a/skills/performing-oauth-scope-minimization-review/SKILL.md +++ b/skills/performing-oauth-scope-minimization-review/SKILL.md 
@@ -29,6 +29,37 @@ mitre_attack: - T1110 - T1556 - T1098 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - stealth + techniques: + - id: T1550.001 + name: 'Use Alternate Authentication Material: Application Access Token' + tactic: initial-access + source: attack + - id: F1006.001 + name: 'Account Takeover: Exposed API Key' + tactic: initial-access + source: f3 + - id: F1004 + name: Access with Stolen Session Cookie + tactic: initial-access + source: f3 + - id: F1005.001 + name: 'Account Manipulation: Account Linking' + tactic: positioning + source: f3 + - id: T1539 + name: Steal Web Session Cookie + tactic: positioning + source: attack + - id: F1023 + name: Device Fingerprint Spoofing + tactic: stealth + source: f3 --- # Performing OAuth Scope Minimization Review diff --git a/skills/performing-paste-site-monitoring-for-credentials/SKILL.md b/skills/performing-paste-site-monitoring-for-credentials/SKILL.md index acdc8cdb..93a0bb82 100644 --- a/skills/performing-paste-site-monitoring-for-credentials/SKILL.md +++ b/skills/performing-paste-site-monitoring-for-credentials/SKILL.md @@ -27,6 +27,37 @@ mitre_attack: - T1593 - T1589 - T1003 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - resource-development + - initial-access + techniques: + - id: T1593 + name: Search Open Websites/Domains + tactic: reconnaissance + source: attack + - id: T1593.002 + name: 'Search Open Websites/Domains: Search Engines' + tactic: reconnaissance + source: attack + - id: T1650 + name: Acquire Access + tactic: resource-development + source: attack + - id: T1555.003 + name: 'Credentials from Password Stores: Credentials from Web Browsers' + tactic: reconnaissance + source: attack + - id: T1110.004 + name: 'Brute Force: Credential Stuffing' + tactic: initial-access + source: attack + - id: F1029 + name: Gather Customer Information + tactic: reconnaissance + source: f3 --- # Performing Paste Site Monitoring for Credentials 
diff --git a/skills/performing-phishing-simulation-with-gophish/SKILL.md b/skills/performing-phishing-simulation-with-gophish/SKILL.md index 9529ab93..a80041d5 100644 --- a/skills/performing-phishing-simulation-with-gophish/SKILL.md +++ b/skills/performing-phishing-simulation-with-gophish/SKILL.md @@ -26,6 +26,37 @@ mitre_attack: - T1598 - T1534 - T1036 +mitre_f3: + version: '1.1' + tactics: + - resource-development + - initial-access + - reconnaissance + techniques: + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 + - id: T1583.001 + name: 'Acquire Infrastructure: Domains' + tactic: resource-development + source: attack + - id: T1557 + name: Adversary-in-the-Middle + tactic: initial-access + source: attack + - id: F1031 + name: Impersonate Account Holder + tactic: initial-access + source: f3 --- # Performing Phishing Simulation with GoPhish diff --git a/skills/performing-ransomware-response/SKILL.md b/skills/performing-ransomware-response/SKILL.md index 1789280f..efbbe421 100644 --- a/skills/performing-ransomware-response/SKILL.md +++ b/skills/performing-ransomware-response/SKILL.md @@ -22,6 +22,33 @@ mitre_attack: - T1070 - T1078 - T1489 +mitre_f3: + version: '1.1' + tactics: + - monetization + - stealth + - initial-access + techniques: + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1017 + name: Conversion to Physical Monetary Instruments + tactic: monetization + source: f3 + - id: F1025.003 + name: 'Electronic Funds Transfer: Wire Transfer' + tactic: monetization + source: f3 + - id: T1070 + name: Indicator Removal + tactic: stealth + source: attack + - id: F1006 + name: Account Takeover + tactic: initial-access + source: f3 version: 1.0.0 author: mahipal license: Apache-2.0 
diff --git a/skills/performing-ransomware-tabletop-exercise/SKILL.md b/skills/performing-ransomware-tabletop-exercise/SKILL.md index a7021e8f..de648b95 100644 --- a/skills/performing-ransomware-tabletop-exercise/SKILL.md +++ b/skills/performing-ransomware-tabletop-exercise/SKILL.md @@ -31,6 +31,28 @@ mitre_attack: - T1059 - T1486 - T1490 +mitre_f3: + version: '1.1' + tactics: + - positioning + - monetization + techniques: + - id: T1531 + name: Account Access Removal + tactic: positioning + source: attack + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1047 + name: Transfer of funds + tactic: monetization + source: f3 + - id: F1017.001 + name: 'Conversion to Physical Monetary Instruments: Cash' + tactic: monetization + source: f3 --- # Performing Ransomware Tabletop Exercise diff --git a/skills/performing-red-team-phishing-with-gophish/SKILL.md b/skills/performing-red-team-phishing-with-gophish/SKILL.md index 03817ffd..e96d66c3 100644 --- a/skills/performing-red-team-phishing-with-gophish/SKILL.md +++ b/skills/performing-red-team-phishing-with-gophish/SKILL.md @@ -28,6 +28,33 @@ mitre_attack: - T1059 - T1003 - T1110 +mitre_f3: + version: '1.1' + tactics: + - resource-development + - reconnaissance + - initial-access + techniques: + - id: T1598 + name: Phishing for Information + tactic: reconnaissance + source: attack + - id: T1660 + name: Phishing + tactic: initial-access + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 + - id: T1583.001 + name: 'Acquire Infrastructure: Domains' + tactic: resource-development + source: attack + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 --- diff --git a/skills/performing-service-account-credential-rotation/SKILL.md b/skills/performing-service-account-credential-rotation/SKILL.md index c4ad4988..eb39279b 100644 
--- a/skills/performing-service-account-credential-rotation/SKILL.md +++ b/skills/performing-service-account-credential-rotation/SKILL.md @@ -26,6 +26,33 @@ mitre_attack: - T1556 - T1098 - T1003 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + - stealth + techniques: + - id: F1006.001 + name: 'Account Takeover: Exposed API Key' + tactic: initial-access + source: f3 + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 + - id: T1110 + name: Brute Force + tactic: initial-access + source: attack + - id: F1005 + name: Account Manipulation + tactic: positioning + source: f3 + - id: F1023 + name: Device Fingerprint Spoofing + tactic: stealth + source: f3 --- # Performing Service Account Credential Rotation diff --git a/skills/recovering-from-ransomware-attack/SKILL.md b/skills/recovering-from-ransomware-attack/SKILL.md index 5d8efe85..ddc6c01c 100644 --- a/skills/recovering-from-ransomware-attack/SKILL.md +++ b/skills/recovering-from-ransomware-attack/SKILL.md @@ -31,6 +31,29 @@ mitre_attack: - T1059 - T1003 - T1110 +mitre_f3: + version: '1.1' + tactics: + - positioning + - monetization + - defense-impairment + techniques: + - id: T1531 + name: Account Access Removal + tactic: positioning + source: attack + - id: F1005 + name: Account Manipulation + tactic: defense-impairment + source: f3 + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: T1219 + name: Remote Access Tools + tactic: positioning + source: attack --- # Recovering from Ransomware Attack diff --git a/skills/reverse-engineering-ransomware-encryption-routine/SKILL.md b/skills/reverse-engineering-ransomware-encryption-routine/SKILL.md index c13dc2f4..d78acc23 100644 --- a/skills/reverse-engineering-ransomware-encryption-routine/SKILL.md +++ b/skills/reverse-engineering-ransomware-encryption-routine/SKILL.md 
@@ -34,6 +34,24 @@ mitre_attack: - T1140 - T1497 - T1486 +mitre_f3: + version: '1.1' + tactics: + - monetization + - positioning + techniques: + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1047 + name: Transfer of funds + tactic: monetization + source: f3 + - id: T1219 + name: Remote Access Tools + tactic: positioning + source: attack --- # Reverse Engineering Ransomware Encryption Routine diff --git a/skills/securing-aws-iam-permissions/SKILL.md b/skills/securing-aws-iam-permissions/SKILL.md index 8cd9de8c..3cefdd1e 100644 --- a/skills/securing-aws-iam-permissions/SKILL.md +++ b/skills/securing-aws-iam-permissions/SKILL.md @@ -28,6 +28,32 @@ mitre_attack: - T1537 - T1580 - T1003 +mitre_f3: + version: '1.1' + tactics: + - initial-access + - positioning + techniques: + - id: F1006.001 + name: 'Account Takeover: Exposed API Key' + tactic: initial-access + source: f3 + - id: F1006.002 + name: 'Account Takeover: Exposed Login Credential' + tactic: initial-access + source: f3 + - id: T1550.001 + name: 'Use Alternate Authentication Material: Application Access Token' + tactic: initial-access + source: attack + - id: T1110.003 + name: 'Brute Force: Password Spraying' + tactic: initial-access + source: attack + - id: F1005.004 + name: 'Account Manipulation: Change Account Details' + tactic: positioning + source: f3 --- # Securing AWS IAM Permissions diff --git a/skills/testing-ransomware-recovery-procedures/SKILL.md b/skills/testing-ransomware-recovery-procedures/SKILL.md index 16247dda..20ff123b 100644 --- a/skills/testing-ransomware-recovery-procedures/SKILL.md +++ b/skills/testing-ransomware-recovery-procedures/SKILL.md 
@@ -27,6 +27,28 @@ mitre_attack: - T1070 - T1078 - T1489 +mitre_f3: + version: '1.1' + tactics: + - positioning + - monetization + techniques: + - id: T1531 + name: Account Access Removal + tactic: positioning + source: attack + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1047 + name: Transfer of funds + tactic: monetization + source: f3 + - id: F1017.001 + name: 'Conversion to Physical Monetary Instruments: Cash' + tactic: monetization + source: f3 --- # Testing Ransomware Recovery Procedures diff --git a/skills/tracking-threat-actor-infrastructure/SKILL.md b/skills/tracking-threat-actor-infrastructure/SKILL.md index c321fa1b..3ba48ec1 100644 --- a/skills/tracking-threat-actor-infrastructure/SKILL.md +++ b/skills/tracking-threat-actor-infrastructure/SKILL.md @@ -29,6 +29,36 @@ mitre_attack: - T1593 - T1589 - T1566 +mitre_f3: + version: '1.1' + tactics: + - reconnaissance + - resource-development + techniques: + - id: T1593 + name: Search Open Websites/Domains + tactic: reconnaissance + source: attack + - id: T1583.001 + name: 'Acquire Infrastructure: Domains' + tactic: resource-development + source: attack + - id: T1583.008 + name: 'Acquire Infrastructure: Malvertising' + tactic: resource-development + source: attack + - id: T1583.003 + name: 'Acquire Infrastructure: Virtual Private Network or Server' + tactic: resource-development + source: attack + - id: F1020.002 + name: 'Create Fake Materials: Fake Website' + tactic: resource-development + source: f3 + - id: T1608.006 + name: 'Stage Capabilities: SEO Poisoning' + tactic: resource-development + source: attack --- # Tracking Threat Actor Infrastructure diff --git a/skills/validating-backup-integrity-for-recovery/SKILL.md b/skills/validating-backup-integrity-for-recovery/SKILL.md index b27a9807..62e14089 100644 --- a/skills/validating-backup-integrity-for-recovery/SKILL.md +++ b/skills/validating-backup-integrity-for-recovery/SKILL.md 
@@ -26,6 +26,28 @@ mitre_attack: - T1070 - T1078 - T1489 +mitre_f3: + version: '1.1' + tactics: + - positioning + - monetization + techniques: + - id: T1531 + name: Account Access Removal + tactic: positioning + source: attack + - id: F1018 + name: Convert to Cryptocurrency + tactic: monetization + source: f3 + - id: F1047 + name: Transfer of funds + tactic: monetization + source: f3 + - id: F1017.001 + name: 'Conversion to Physical Monetary Instruments: Cash' + tactic: monetization + source: f3 --- # Validating Backup Integrity for Recovery
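Review bot: In the `performing-cryptographic-audit-of-application` hunk, T1557 Adversary-in-the-Middle is tagged `tactic: positioning`, while the same id is tagged `tactic: initial-access` in `implementing-passwordless-auth-with-microsoft-entra`, `performing-adversary-in-the-middle-phishing-detection`, `performing-initial-access-with-evilginx3` and `performing-phishing-simulation-with-gophish`. One technique id should resolve to the same F3 tactic everywhere (or the tactic should be derived from a single lookup table at generation time) so consumers of the frontmatter don't see contradictory placements of the same TTP across skills.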
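Review bot: In the `recovering-from-ransomware-attack` hunk, the parent technique F1005 Account Manipulation is placed under `tactic: defense-impairment`, but the same F1005 entry is `tactic: positioning` in `performing-access-recertification-with-saviynt`, `performing-entitlement-review-with-sailpoint-iiq` and `performing-service-account-credential-rotation` (where only the sub-technique F1005.007 'Enable Account Features' is `defense-impairment`). If F3 lists F1005 under both tactics, choose one placement rule for parent techniques and apply it across all skills; otherwise correct this one.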
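Review bot: In the `implementing-ransomware-backup-strategy` hunk and every other hunk that adds F1047, the entry reads `name: Transfer of funds`, while all other names in this change are title-cased (`Convert to Cryptocurrency`, `Account Access Removal`). Verify the canonical F3 name and normalize it in one place so that name strings stay byte-identical across skills; anything that groups or deduplicates by name will otherwise treat this as a distinct entry.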
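Review bot: In the `performing-firmware-extraction-with-binwalk` hunk, the F3 mappings (F1029 Gather Customer Information, T1110.001 'Brute Force: Password Guessing', F1006.001 'Account Takeover: Exposed API Key') are only loosely connected to firmware extraction, and `implementing-sigstore-for-software-signing` similarly picks up T1608.006 'Stage Capabilities: SEO Poisoning'; `implementing-ransomware-kill-switch-detection` gets F1017 Conversion to Physical Monetary Instruments. These look like keyword-driven selections rather than analyst-reviewed mappings. Consider documenting the criterion for marking a skill fraud-relevant and either trimming low-confidence entries or recording a rationale/confidence field alongside each technique so reviewers can tell curated mappings from generated ones.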
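Review bot: Starting with the `implementing-mimecast-targeted-attack-protection` hunk, every `mitre_f3` block carries a `tactics:` list that is exactly the set of `tactic:` values of the techniques below it, so the two can drift apart on a later edit; either drop the redundant list or add a validation step (e.g. in CI) that checks they stay in sync and that `T*` ids carry `source: attack` while `F*` ids carry `source: f3` (currently true in all hunks, but unchecked). The same step could flag the ordering and placement differences visible here: `tactics` is listed as `initial-access, reconnaissance, stealth, resource-development` in one file and `reconnaissance, resource-development, initial-access, stealth` in `implementing-soar-playbook-for-phishing`, and the block is inserted before `version:`/`author:` in `investigating-phishing-email-incident` and `performing-ransomware-response` but directly before the closing `---` elsewhere.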