Fix round 3: refine MITRE ATT&CK mappings per CodeRabbit review

- osquery: replace broad IDs with concrete detections (T1049, T1620, T1053.003, T1548.001, T1552)
- credential extraction: replace T1550 with T1552 (Unsecured Credentials)
- persistence investigation: use sub-techniques (T1547.001, T1053.005, T1543.003, T1546.003)
This commit is contained in:
MAGI
2026-03-18 10:39:30 -06:00
committed by Julio César Suástegui
parent 15d53bd09b
commit c7ad5e7b98
3 changed files with 3 additions and 0 deletions
@@ -4,6 +4,7 @@ description: Extract cached credentials, password hashes, Kerberos tickets, and
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, credential-extraction, memory-forensics, volatility, mimikatz, password-hashes, incident-response]
mitre_attack: ["T1003", "T1558", "T1552"]
version: "1.0"
author: mahipal
license: Apache-2.0