Fix round 3: refine MITRE ATT&CK mappings per CodeRabbit review

- osquery: replace broad IDs with concrete detections (T1049, T1620, T1053.003, T1548.001, T1552)
- credential extraction: replace T1550 with T1552 (Unsecured Credentials)
- persistence investigation: use sub-techniques (T1547.001, T1053.005, T1543.003, T1546.003)
MAGI
2026-03-18 10:39:30 -06:00
committed by Julio César Suástegui
parent 15d53bd09b
commit c7ad5e7b98
3 changed files with 3 additions and 0 deletions
@@ -9,6 +9,7 @@ description: >
domain: cybersecurity
subdomain: endpoint-security
tags: [endpoint, osquery, endpoint-monitoring, threat-hunting, fleet-management]
mitre_attack: ["T1547", "T1049", "T1620", "T1053.003", "T1548.001", "T1552"]
version: 1.0.0
author: mahipal
license: Apache-2.0
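Review bot: T1547 is still listed as a bare parent technique in the new `mitre_attack` line, while the commit message says broad IDs were replaced with concrete detections; the other hunk in this commit already uses T1547.001 for the same idea, so either pick the sub-technique(s) the osquery queries actually cover or drop the parent, and note that the remaining IDs (T1049, T1620, T1053.003, T1548.001, T1552) are adversary techniques rather than detections, so the frontmatter key should be read as "techniques this skill helps detect".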
@@ -4,6 +4,7 @@ description: Extract cached credentials, password hashes, Kerberos tickets, and
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, credential-extraction, memory-forensics, volatility, mimikatz, password-hashes, incident-response]
mitre_attack: ["T1003", "T1558", "T1552"]
version: "1.0"
author: mahipal
license: Apache-2.0
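Review bot: T1003 and T1558 are left at parent level even though the description enumerates specific sources (cached credentials, password hashes, Kerberos tickets) that map to sub-techniques such as T1003.001 (LSASS Memory) and T1003.005 (Cached Domain Credentials), in the same way the persistence hunk in this commit uses sub-techniques; either narrow these or state in the description why the parent IDs are intentional. Also, T1552 (Unsecured Credentials) covers credentials stored in files, registry and similar locations, so keep it only if the skill actually extracts those; the visible tags (memory-forensics, volatility, mimikatz) point at in-memory dumping, not unsecured storage.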
@@ -4,6 +4,7 @@ description: Systematically investigate all persistence mechanisms on Windows an
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, malware-persistence, autoruns, registry, scheduled-tasks, rootkit-detection, incident-response]
mitre_attack: ["T1547.001", "T1053.005", "T1543.003", "T1546.003", "T1574"]
version: "1.0"
author: mahipal
license: Apache-2.0
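Review bot: all four sub-techniques added here (T1547.001, T1053.005, T1543.003, T1546.003) are Windows-only, but the description line (cut off at "Windows an" in this view) and the rootkit-detection tag suggest the skill also covers Linux; if so, add the Linux counterparts (for example T1053.003 for cron, which the osquery file in this commit already uses, T1543.002 for systemd services, and T1547.006 for kernel modules). T1574 is also still a bare parent while the commit message says sub-techniques were used; narrow it to the hijack variants the skill checks or document why the parent is kept.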