diff --git a/README.md b/README.md index f26e45fb..b0e34955 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,7 @@ No other open-source skills library maps every skill to all five frameworks. On | Framework | Version | Scope in this repo | What it maps | |---|---|---|---| -| [MITRE ATT&CK](https://attack.mitre.org) | v18 | 14 tactics · 200+ techniques | Adversary behaviors and TTPs | +| [MITRE ATT&CK](https://attack.mitre.org) | v19.1 | 15 tactics · 286 techniques | Adversary behaviors and TTPs | | [NIST CSF 2.0](https://www.nist.gov/cyberframework) | 2.0 | 6 functions · 22 categories | Organizational security posture | | [MITRE ATLAS](https://atlas.mitre.org) | v5.4 | 16 tactics · 84 techniques | AI/ML adversarial threats | | [MITRE D3FEND](https://d3fend.mitre.org) | v1.3 | 7 categories · 267 techniques | Defensive countermeasures | 
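Review bot: the new README scope cell says "15 tactics · 286 techniques", but the IDs added throughout this PR are mostly sub-techniques (T1574.006, T1098.007, T1556.009, T1542.003), so 286 is a count of techniques and sub-techniques combined; say so in the cell, or give the two counts separately, so the number can be checked against the frontmatter. The same cell should state whether the 286 includes the Mobile IDs some skills carry (T1406, T1407, T1635, T1414), since the row otherwise reads as Enterprise-only.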
@@ -57,6 +57,28 @@ No other open-source skills library maps every skill to all five frameworks. On |---|---|---|---|---|---| | `analyzing-network-traffic-of-malware` | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 | +### MITRE ATT&CK v19.1 — 754/754 skills mapped + +Every skill carries a `mitre_attack` frontmatter list validated against **MITRE ATT&CK v19.1** (the latest release) using the official `mitreattack-python` library — 286 distinct techniques across all 15 Enterprise tactics, plus ICS and Mobile techniques where relevant. Zero revoked or deprecated IDs. v19.1's restructured Defense Evasion (now split into **Stealth** and **Defense Impairment**) is reflected below. + +| Tactic | ID | Skills | +|--------|----|--------| +| Reconnaissance | TA0043 | 103 | +| Resource Development | TA0042 | 22 | +| Initial Access | TA0001 | 467 | +| Execution | TA0002 | 350 | +| Persistence | TA0003 | 444 | +| Privilege Escalation | TA0004 | 464 | +| Stealth | TA0005 | 442 | +| Defense Impairment | TA0112 | 92 | +| Credential Access | TA0006 | 202 | +| Discovery | TA0007 | 237 | +| Lateral Movement | TA0008 | 68 | +| Collection | TA0009 | 172 | +| Command and Control | TA0011 | 123 | +| Exfiltration | TA0010 | 82 | +| Impact | TA0040 | 50 | + ## Quick start ```bash diff --git a/skills/acquiring-disk-image-with-dd-and-dcfldd/SKILL.md b/skills/acquiring-disk-image-with-dd-and-dcfldd/SKILL.md index d3d17300..ac25ed4f 100644 --- a/skills/acquiring-disk-image-with-dd-and-dcfldd/SKILL.md +++ b/skills/acquiring-disk-image-with-dd-and-dcfldd/SKILL.md @@ -1,7 +1,7 @@ --- name: acquiring-disk-image-with-dd-and-dcfldd -description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through - hash verification. +description: Create forensically sound bit-for-bit disk images using dd and dcfldd + while preserving evidence integrity through hash verification. domain: cybersecurity subdomain: digital-forensics tags: 
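Review bot: in the README tactic table the per-tactic Skills column sums to roughly 3,300 against 754 skills, so a skill is evidently counted once per tactic that any of its techniques belongs to; state that in a sentence above the table, otherwise the "754/754 skills mapped" heading and the column look contradictory. Two smaller points on the same hunk: the table has no row for skills whose mitre_attack list is entirely Mobile IDs (the Android apktool and iOS objection skills in this PR), so say where those land, and the validation claim ("validated ... using the official mitreattack-python library", "Zero revoked or deprecated IDs") is backed by no script or CI job in this diff; commit the validator, or the claim cannot be re-checked after the next frontmatter edit. "(the latest release)" will also go stale; drop it or pin the date of the check.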
@@ -19,6 +19,11 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1006 +- T1005 +- T1025 +- T1074.001 --- # Acquiring Disk Image with dd and dcfldd diff --git a/skills/analyzing-active-directory-acl-abuse/SKILL.md b/skills/analyzing-active-directory-acl-abuse/SKILL.md index 8deab1e8..3d37ec63 100644 --- a/skills/analyzing-active-directory-acl-abuse/SKILL.md +++ b/skills/analyzing-active-directory-acl-abuse/SKILL.md @@ -1,7 +1,7 @@ --- name: analyzing-active-directory-acl-abuse -description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and - WriteOwner abuse paths +description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 + to identify GenericAll, WriteDACL, and WriteOwner abuse paths domain: cybersecurity subdomain: identity-security tags: @@ -16,6 +16,12 @@ nist_csf: - PR.AA-01 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1098 +- T1098.007 +- T1484.001 +- T1222.001 +- T1078.002 --- diff --git a/skills/analyzing-android-malware-with-apktool/SKILL.md b/skills/analyzing-android-malware-with-apktool/SKILL.md index 1bb9a19e..1995a74b 100644 --- a/skills/analyzing-android-malware-with-apktool/SKILL.md +++ b/skills/analyzing-android-malware-with-apktool/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-android-malware-with-apktool -description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source - recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection. +description: Perform static analysis of Android APK malware samples using apktool + for decompilation, jadx for Java source recovery, and androguard for permission + analysis, manifest inspection, and suspicious API call detection. domain: cybersecurity subdomain: malware-analysis tags: 
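Review bot: in skills/analyzing-active-directory-acl-abuse/SKILL.md, T1222.001 (File and Directory Permissions Modification: Windows File and Directory Permissions Modification) covers NTFS and share ACLs, not DACLs on directory objects, and T1484.001 (Domain or Tenant Policy Modification: Group Policy Modification) only applies if the skill covers ACLs on GPO objects; the remaining three (T1098, T1098.007, T1078.002) fit GenericAll/WriteDACL/WriteOwner abuse. Drop the two, or add a short frontmatter comment giving the mapping rationale, so a reader does not take them as the skill's scope.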
@@ -21,6 +22,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1406 +- T1407 +- T1626.001 +- T1655.001 +- T1521.001 --- # Analyzing Android Malware with Apktool diff --git a/skills/analyzing-api-gateway-access-logs/SKILL.md b/skills/analyzing-api-gateway-access-logs/SKILL.md index 24c08d00..f234db70 100644 --- a/skills/analyzing-api-gateway-access-logs/SKILL.md +++ b/skills/analyzing-api-gateway-access-logs/SKILL.md @@ -1,17 +1,22 @@ --- name: analyzing-api-gateway-access-logs -description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass, - credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection. +description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect + BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts. + Uses pandas for statistical analysis of request patterns and anomaly detection. Use when investigating API abuse or building API-specific threat detection rules. ' domain: cybersecurity subdomain: security-operations tags: -- analyzing -- api -- gateway -- access +- api-security +- access-log-analysis +- aws-api-gateway +- kong +- nginx +- bola-detection +- rate-limit-bypass +- security-operations version: '1.0' author: mahipal license: Apache-2.0 @@ -20,6 +25,11 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1190 +- T1110.004 +- T1078.004 +- T1119 --- # Analyzing API Gateway Access Logs diff --git a/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md b/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md index 9e5bfab2..304c19f1 100644 --- a/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md +++ b/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md 
@@ -1,7 +1,8 @@ --- name: analyzing-apt-group-with-mitre-navigator -description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps - of adversary TTPs for detection gap analysis and threat-informed defense. +description: Analyze advanced persistent threat (APT) group techniques using MITRE + ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap + analysis and threat-informed defense. domain: cybersecurity subdomain: threat-intelligence tags: @@ -27,6 +28,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1059.001 +- T1071.001 +- T1003.001 +- T1486 +- T1547.001 --- # Analyzing APT Group with MITRE ATT&CK Navigator diff --git a/skills/analyzing-azure-activity-logs-for-threats/SKILL.md b/skills/analyzing-azure-activity-logs-for-threats/SKILL.md index 10e795be..14d9dee5 100644 --- a/skills/analyzing-azure-activity-logs-for-threats/SKILL.md +++ b/skills/analyzing-azure-activity-logs-for-threats/SKILL.md @@ -1,8 +1,9 @@ --- name: analyzing-azure-activity-logs-for-threats -description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative - operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in - Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections. +description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query + to detect suspicious administrative operations, impossible travel, privilege escalation, + and resource modifications. Builds KQL queries for threat hunting in Azure environments. + Use when investigating suspicious Azure tenant activity or building cloud SIEM detections. ' domain: cybersecurity 
@@ -22,6 +23,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078.004 +- T1098.003 +- T1538 +- T1556.009 +- T1580 --- # Analyzing Azure Activity Logs for Threats diff --git a/skills/analyzing-bootkit-and-rootkit-samples/SKILL.md b/skills/analyzing-bootkit-and-rootkit-samples/SKILL.md index d8f381e3..938a9d43 100644 --- a/skills/analyzing-bootkit-and-rootkit-samples/SKILL.md +++ b/skills/analyzing-bootkit-and-rootkit-samples/SKILL.md @@ -1,9 +1,11 @@ --- name: analyzing-bootkit-and-rootkit-samples -description: 'Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Volume Boot Record - (VBR), or UEFI firmware to gain persistence below the operating system. Covers boot sector analysis, UEFI module inspection, - and anti-rootkit detection techniques. Activates for requests involving bootkit analysis, MBR malware investigation, UEFI - persistence analysis, or pre-OS malware detection. +description: 'Analyzes bootkit and advanced rootkit malware that infects the Master + Boot Record (MBR), Volume Boot Record (VBR), or UEFI firmware to gain persistence + below the operating system. Covers boot sector analysis, UEFI module inspection, + and anti-rootkit detection techniques. Activates for requests involving bootkit + analysis, MBR malware investigation, UEFI persistence analysis, or pre-OS malware + detection. ' domain: cybersecurity @@ -22,6 +24,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1542.003 +- T1542.001 +- T1542.002 +- T1014 +- T1547.006 --- # Analyzing Bootkit and Rootkit Samples diff --git a/skills/analyzing-browser-forensics-with-hindsight/SKILL.md b/skills/analyzing-browser-forensics-with-hindsight/SKILL.md index b6a94001..894030cb 100644 --- a/skills/analyzing-browser-forensics-with-hindsight/SKILL.md +++ b/skills/analyzing-browser-forensics-with-hindsight/SKILL.md 
@@ -1,7 +1,8 @@ --- name: analyzing-browser-forensics-with-hindsight -description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached - content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation. +description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing + history, downloads, cookies, cached content, autofill data, saved passwords, and + browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation. domain: cybersecurity subdomain: digital-forensics tags: @@ -23,6 +24,11 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1217 +- T1539 +- T1555.003 +- T1185 --- # Analyzing Browser Forensics with Hindsight diff --git a/skills/analyzing-campaign-attribution-evidence/SKILL.md b/skills/analyzing-campaign-attribution-evidence/SKILL.md index da9756cf..fb84e08b 100644 --- a/skills/analyzing-campaign-attribution-evidence/SKILL.md +++ b/skills/analyzing-campaign-attribution-evidence/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-campaign-attribution-evidence -description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or - group is responsible for a cyber operation. This skill covers collecting and weighting attr +description: Campaign attribution analysis involves systematically evaluating evidence + to determine which threat actor or group is responsible for a cyber operation. This + skill covers collecting and weighting attr domain: cybersecurity subdomain: threat-intelligence tags: @@ -20,6 +21,11 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1587.001 +- T1583.001 +- T1588.002 +- T1071.001 --- # Analyzing Campaign Attribution Evidence 
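Review bot: the reflowed description in skills/analyzing-campaign-attribution-evidence/SKILL.md still ends mid-word ("This skill covers collecting and weighting attr"); since this hunk rewraps that exact scalar, finish the sentence in the same change rather than carrying a truncated description into the new layout.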
diff --git a/skills/analyzing-certificate-transparency-for-phishing/SKILL.md b/skills/analyzing-certificate-transparency-for-phishing/SKILL.md index 0ae31579..ebb206a6 100644 --- a/skills/analyzing-certificate-transparency-for-phishing/SKILL.md +++ b/skills/analyzing-certificate-transparency-for-phishing/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-certificate-transparency-for-phishing -description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, - and unauthorized certificate issuance targeting your organization. +description: Monitor Certificate Transparency logs using crt.sh and Certstream to + detect phishing domains, lookalike certificates, and unauthorized certificate issuance + targeting your organization. domain: cybersecurity subdomain: threat-intelligence tags: @@ -23,6 +24,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1583.001 +- T1583.004 +- T1566.002 +- T1608.005 +- T1596.003 --- # Analyzing Certificate Transparency for Phishing diff --git a/skills/analyzing-cloud-storage-access-patterns/SKILL.md b/skills/analyzing-cloud-storage-access-patterns/SKILL.md index a6149876..69fdd06f 100644 --- a/skills/analyzing-cloud-storage-access-patterns/SKILL.md +++ b/skills/analyzing-cloud-storage-access-patterns/SKILL.md 
@@ -1,15 +1,20 @@ --- name: analyzing-cloud-storage-access-patterns -description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS - audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API - calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection. +description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage + by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. + Identifies after-hours bulk downloads, access from new IP addresses, unusual API + calls (GetObject spikes), and potential data exfiltration using statistical baselines + and time-series anomaly detection. domain: cybersecurity subdomain: cloud-security tags: -- analyzing -- cloud -- storage -- access +- cloud-security +- aws-s3 +- gcs +- azure-blob-storage +- cloudtrail +- data-access-anomaly +- exfiltration-detection version: '1.0' author: mahipal license: Apache-2.0 @@ -25,6 +30,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1530 +- T1567.002 +- T1619 +- T1078.004 +- T1048 --- diff --git a/skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md b/skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md index ebc4c113..7fe3355e 100644 --- a/skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md +++ b/skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md 
@@ -1,7 +1,8 @@ --- name: analyzing-cobalt-strike-beacon-configuration -description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, - malleable profiles, and operator tradecraft. +description: Extract and analyze Cobalt Strike beacon configuration from PE files + and memory dumps to identify C2 infrastructure, malleable profiles, and operator + tradecraft. domain: cybersecurity subdomain: malware-analysis tags: @@ -20,6 +21,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1071.001 +- T1573.001 +- T1090.004 +- T1105 +- T1027 --- # Analyzing Cobalt Strike Beacon Configuration diff --git a/skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md b/skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md index 31f10c07..a177d016 100644 --- a/skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md +++ b/skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-cobaltstrike-malleable-c2-profiles -description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract - C2 indicators, detect evasion techniques, and generate network detection signatures. +description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike + and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate + network detection signatures. domain: cybersecurity subdomain: malware-analysis tags: @@ -20,6 +21,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1071.001 +- T1573.002 +- T1001.003 +- T1090.004 +- T1102 --- # Analyzing CobaltStrike Malleable C2 Profiles diff --git a/skills/analyzing-command-and-control-communication/SKILL.md b/skills/analyzing-command-and-control-communication/SKILL.md index 351cf7be..97a4b4d7 100644 --- a/skills/analyzing-command-and-control-communication/SKILL.md 
+++ b/skills/analyzing-command-and-control-communication/SKILL.md @@ -1,9 +1,10 @@ --- name: analyzing-command-and-control-communication -description: 'Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures, - data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and - threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or - command-and-control infrastructure mapping. +description: 'Analyzes malware command-and-control (C2) communication protocols to + understand beacon patterns, command structures, data encoding, and infrastructure. + Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development + and threat intelligence. Activates for requests involving C2 analysis, beacon detection, + C2 protocol reverse engineering, or command-and-control infrastructure mapping. ' domain: cybersecurity @@ -22,6 +23,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1071.001 +- T1573 +- T1571 +- T1008 +- T1095 --- # Analyzing Command-and-Control Communication diff --git a/skills/analyzing-cyber-kill-chain/SKILL.md b/skills/analyzing-cyber-kill-chain/SKILL.md index a399df03..e310ebaf 100644 --- a/skills/analyzing-cyber-kill-chain/SKILL.md +++ b/skills/analyzing-cyber-kill-chain/SKILL.md 
@@ -1,10 +1,12 @@ --- name: analyzing-cyber-kill-chain -description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases - an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier - phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection - gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping, - or Lockheed Martin kill chain framework. +description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain + framework to identify which phases an adversary has completed, where defenses succeeded + or failed, and what controls would have interrupted the attack at earlier phases. + Use when conducting post-incident analysis, building prevention-focused security + controls, or mapping detection gaps to kill chain phases. Activates for requests + involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed + Martin kill chain framework. ' domain: cybersecurity @@ -24,6 +26,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1566.001 +- T1190 +- T1547.001 +- T1071.001 +- T1486 --- # Analyzing Cyber Kill Chain diff --git a/skills/analyzing-disk-image-with-autopsy/SKILL.md b/skills/analyzing-disk-image-with-autopsy/SKILL.md index 56b6641d..46896962 100644 --- a/skills/analyzing-disk-image-with-autopsy/SKILL.md +++ b/skills/analyzing-disk-image-with-autopsy/SKILL.md 
@@ -1,7 +1,7 @@ --- name: analyzing-disk-image-with-autopsy -description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and - build investigation timelines. +description: Perform comprehensive forensic analysis of disk images using Autopsy + to recover files, examine artifacts, and build investigation timelines. domain: cybersecurity subdomain: digital-forensics tags: @@ -19,6 +19,11 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074.001 +- T1070.004 +- T1083 --- # Analyzing Disk Image with Autopsy diff --git a/skills/analyzing-dns-logs-for-exfiltration/SKILL.md b/skills/analyzing-dns-logs-for-exfiltration/SKILL.md index 83a08910..bbd02a79 100644 --- a/skills/analyzing-dns-logs-for-exfiltration/SKILL.md +++ b/skills/analyzing-dns-logs-for-exfiltration/SKILL.md @@ -1,8 +1,9 @@ --- name: analyzing-dns-logs-for-exfiltration -description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert - C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC - teams need to identify DNS-based threats that bypass traditional network security controls. +description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling, + DGA domain communication, and covert C2 channels using entropy analysis, query volume + anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams + need to identify DNS-based threats that bypass traditional network security controls. ' domain: cybersecurity @@ -28,6 +29,10 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1048.003 +- T1071.004 +- T1567 --- # Analyzing DNS Logs for Exfiltration diff --git a/skills/analyzing-docker-container-forensics/SKILL.md b/skills/analyzing-docker-container-forensics/SKILL.md index d76d9543..b2ecb878 100644 --- a/skills/analyzing-docker-container-forensics/SKILL.md 
+++ b/skills/analyzing-docker-container-forensics/SKILL.md @@ -1,7 +1,7 @@ --- name: analyzing-docker-container-forensics -description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to - identify malicious activity and evidence. +description: Investigate compromised Docker containers by analyzing images, layers, + volumes, logs, and runtime artifacts to identify malicious activity and evidence. domain: cybersecurity subdomain: digital-forensics tags: @@ -19,6 +19,11 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1610 +- T1611 +- T1613 +- T1612 --- # Analyzing Docker Container Forensics diff --git a/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md b/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md index 32b98c2e..7c6e9d3a 100644 --- a/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md +++ b/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md @@ -1,7 +1,7 @@ --- name: analyzing-email-headers-for-phishing-investigation -description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify - spoofing through SPF, DKIM, and DMARC validation. +description: Parse and analyze email headers to trace the origin of phishing emails, + verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation. domain: cybersecurity subdomain: digital-forensics tags: @@ -22,6 +22,10 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1566.001 +- T1566.002 +- T1598.003 --- # Analyzing Email Headers for Phishing Investigation diff --git a/skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md b/skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md index a94a14ad..e26a36cf 100644 --- a/skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md +++ b/skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md 
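Review bot: in skills/analyzing-dns-logs-for-exfiltration/SKILL.md (the mitre_attack hunk just above), T1567 (Exfiltration Over Web Service) describes none of the three behaviours in the description (DNS tunnelling, DGA communication, covert DNS C2); tunnelling and DNS C2 are already covered by T1048.003 and T1071.004, while DGA has a direct entry, T1568.002 (Dynamic Resolution: Domain Generation Algorithms), that is missing. Swap T1567 for T1568.002.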
@@ -1,7 +1,8 @@ --- name: analyzing-ethereum-smart-contract-vulnerabilities -description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy, - integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet. +description: Perform static and symbolic analysis of Solidity smart contracts using + Slither and Mythril to detect reentrancy, integer overflow, access control, and + other vulnerability classes before deployment to Ethereum mainnet. domain: cybersecurity subdomain: blockchain-security tags: @@ -20,6 +21,9 @@ nist_csf: - PR.DS-01 - PR.DS-02 - ID.RA-01 +mitre_attack: +- T1190 +- T1059 --- # Analyzing Ethereum Smart Contract Vulnerabilities diff --git a/skills/analyzing-golang-malware-with-ghidra/SKILL.md b/skills/analyzing-golang-malware-with-ghidra/SKILL.md index 99fb9892..6ad7c72e 100644 --- a/skills/analyzing-golang-malware-with-ghidra/SKILL.md +++ b/skills/analyzing-golang-malware-with-ghidra/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-golang-malware-with-ghidra -description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, - and type reconstruction in stripped Go binaries. +description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts + for function recovery, string extraction, and type reconstruction in stripped Go + binaries. domain: cybersecurity subdomain: malware-analysis tags: @@ -20,6 +21,11 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1620 +- T1140 +- T1059 --- # Analyzing Golang Malware with Ghidra diff --git a/skills/analyzing-heap-spray-exploitation/SKILL.md b/skills/analyzing-heap-spray-exploitation/SKILL.md index 5cc78234..59c21cc8 100644 --- a/skills/analyzing-heap-spray-exploitation/SKILL.md +++ b/skills/analyzing-heap-spray-exploitation/SKILL.md 
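Review bot: in skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md, T1059 (Command and Scripting Interpreter) has no relation to reentrancy, integer overflow or access-control flaws in Solidity, and T1190 (Exploit Public-Facing Application) is only a loose fit for an on-chain contract; if the repo requires at least one ID per skill, keep T1190 alone and record the weak fit in a frontmatter comment rather than padding the list.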
@@ -1,7 +1,8 @@ --- name: analyzing-heap-spray-exploitation -description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns, - shellcode landing zones, and suspicious large allocations in process virtual address space. +description: Detect and analyze heap spray attacks in memory dumps using Volatility3 + plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large + allocations in process virtual address space. domain: cybersecurity subdomain: malware-analysis tags: @@ -18,6 +19,10 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1203 +- T1059.007 +- T1106 --- # Analyzing Heap Spray Exploitation diff --git a/skills/analyzing-indicators-of-compromise/SKILL.md b/skills/analyzing-indicators-of-compromise/SKILL.md index 3539430f..31ff4145 100644 --- a/skills/analyzing-indicators-of-compromise/SKILL.md +++ b/skills/analyzing-indicators-of-compromise/SKILL.md 
@@ -1,9 +1,11 @@ --- name: analyzing-indicators-of-compromise -description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts - to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing - emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist - decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines. +description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains, + file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign + attribution, and blocking priority. Use when triaging IOCs from phishing emails, + security alerts, or external threat feeds; enriching raw IOCs with multi-source + intelligence; or making block/monitor/whitelist decisions. Activates for requests + involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines. ' domain: cybersecurity @@ -27,6 +29,11 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1071 +- T1105 +- T1041 +- T1567 --- # Analyzing Indicators of Compromise diff --git a/skills/analyzing-ios-app-security-with-objection/SKILL.md b/skills/analyzing-ios-app-security-with-objection/SKILL.md index 3378a13a..b361a1af 100644 --- a/skills/analyzing-ios-app-security-with-objection/SKILL.md +++ b/skills/analyzing-ios-app-security-with-objection/SKILL.md @@ -28,6 +28,11 @@ nist_csf: - PR.AA-05 - ID.RA-01 - DE.CM-09 +mitre_attack: +- T1635 +- T1414 +- T1417.001 +- T1409 --- # Analyzing iOS App Security with Objection diff --git a/skills/analyzing-kubernetes-audit-logs/SKILL.md b/skills/analyzing-kubernetes-audit-logs/SKILL.md index c8b26fa4..25582ea1 100644 --- a/skills/analyzing-kubernetes-audit-logs/SKILL.md +++ b/skills/analyzing-kubernetes-audit-logs/SKILL.md 
@@ -1,17 +1,21 @@ --- name: analyzing-kubernetes-audit-logs -description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications, - privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating +description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, + secret access, RBAC modifications, privileged pod creation, and anonymous API access. + Builds threat detection rules from audit event patterns. Use when investigating Kubernetes cluster compromise or building k8s-specific SIEM detection rules. ' domain: cybersecurity subdomain: container-security tags: -- analyzing -- kubernetes -- audit -- logs +- kubernetes-security +- container-security +- audit-log-analysis +- rbac +- privilege-escalation +- k8s-api-server +- threat-detection version: '1.0' author: mahipal license: Apache-2.0 @@ -20,6 +24,11 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1613 +- T1078 +- T1552.007 --- # Analyzing Kubernetes Audit Logs diff --git a/skills/analyzing-linux-audit-logs-for-intrusion/SKILL.md b/skills/analyzing-linux-audit-logs-for-intrusion/SKILL.md index 6fb404c9..eba379ed 100644 --- a/skills/analyzing-linux-audit-logs-for-intrusion/SKILL.md +++ b/skills/analyzing-linux-audit-logs-for-intrusion/SKILL.md 
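Review bot: in skills/analyzing-kubernetes-audit-logs/SKILL.md the description names exec-into-pod as the first detection, but the mitre_attack list has no T1609 (Container Administration Command), the technique that covers kubectl exec; add it. Privileged pod creation is covered by T1610 (Deploy Container) only indirectly, so T1611 (Escape to Host) is worth adding as well if the skill flags privileged or hostPID pods.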
@@ -1,9 +1,11 @@ --- name: analyzing-linux-audit-logs-for-intrusion -description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized - access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction, - and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch - queries, aureport summaries, or host-based intrusion detection on Linux. +description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities + to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious + system activity. Covers audit rule configuration, log querying, timeline reconstruction, + and integration with SIEM platforms. Activates for requests involving auditd analysis, + Linux audit log investigation, ausearch queries, aureport summaries, or host-based + intrusion detection on Linux. ' domain: cybersecurity @@ -24,6 +26,11 @@ nist_csf: - RS.MA-02 - RS.AN-03 - RC.RP-01 +mitre_attack: +- T1059.004 +- T1070 +- T1548.003 +- T1543.002 --- # Analyzing Linux Audit Logs for Intrusion diff --git a/skills/analyzing-linux-elf-malware/SKILL.md b/skills/analyzing-linux-elf-malware/SKILL.md index 66f0f45d..40eacef1 100644 --- a/skills/analyzing-linux-elf-malware/SKILL.md +++ b/skills/analyzing-linux-elf-malware/SKILL.md 
@@ -1,9 +1,11 @@ --- name: analyzing-linux-elf-malware -description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, cryptominers, ransomware, - and rootkits targeting Linux servers, containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and - reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis, ELF binary investigation, - Linux server compromise assessment, or container malware analysis. +description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries + including botnets, cryptominers, ransomware, and rootkits targeting Linux servers, + containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and + reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving + Linux malware analysis, ELF binary investigation, Linux server compromise assessment, + or container malware analysis. ' domain: cybersecurity @@ -22,6 +24,11 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1059.004 +- T1620 +- T1574.006 --- # Analyzing Linux ELF Malware diff --git a/skills/analyzing-linux-kernel-rootkits/SKILL.md b/skills/analyzing-linux-kernel-rootkits/SKILL.md index 6b893306..7419d393 100644 --- a/skills/analyzing-linux-kernel-rootkits/SKILL.md +++ b/skills/analyzing-linux-kernel-rootkits/SKILL.md 
@@ -1,8 +1,9 @@ --- name: analyzing-linux-kernel-rootkits -description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), - rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and - tampered system structures. +description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 + linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, + and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel + modules, and tampered system structures. domain: cybersecurity subdomain: digital-forensics tags: @@ -22,6 +23,10 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1014 +- T1547.006 +- T1564.001 --- # Analyzing Linux Kernel Rootkits diff --git a/skills/analyzing-linux-system-artifacts/SKILL.md b/skills/analyzing-linux-system-artifacts/SKILL.md index 1bff8d23..761fb2bb 100644 --- a/skills/analyzing-linux-system-artifacts/SKILL.md +++ b/skills/analyzing-linux-system-artifacts/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-linux-system-artifacts -description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover - evidence of compromise or unauthorized activity. +description: Examine Linux system artifacts including auth logs, cron jobs, shell + history, and system configuration to uncover evidence of compromise or unauthorized + activity. domain: cybersecurity subdomain: digital-forensics tags: @@ -19,6 +20,11 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1070 +- T1059.004 +- T1543.002 +- T1053.003 --- # Analyzing Linux System Artifacts diff --git a/skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md b/skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md index aced390b..2f4a62e8 100644 --- a/skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md 
+++ b/skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-lnk-file-and-jump-list-artifacts -description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, - and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format. +description: Analyze Windows LNK shortcut files and Jump List artifacts to establish + evidence of file access, program execution, and user activity using LECmd, JLECmd, + and manual binary parsing of the Shell Link Binary format. domain: cybersecurity subdomain: digital-forensics tags: @@ -23,6 +24,10 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1547.009 +- T1204.002 +- T1059.001 --- # Analyzing LNK File and Jump List Artifacts diff --git a/skills/analyzing-macro-malware-in-office-documents/SKILL.md b/skills/analyzing-macro-malware-in-office-documents/SKILL.md index 0dd25e3b..f23cefa3 100644 --- a/skills/analyzing-macro-malware-in-office-documents/SKILL.md +++ b/skills/analyzing-macro-malware-in-office-documents/SKILL.md 
@@ -1,9 +1,10 @@ --- name: analyzing-macro-malware-in-office-documents -description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download - cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation - to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis, - or document-based threat examination. +description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents + (Word, Excel, PowerPoint) to identify download cradles, payload execution, persistence + mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation + to extract the attack chain. Activates for requests involving Office macro analysis, + VBA malware investigation, maldoc analysis, or document-based threat examination. ' domain: cybersecurity @@ -31,6 +32,11 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1137.001 +- T1204.002 +- T1059.005 +- T1027 --- # Analyzing Macro Malware in Office Documents diff --git a/skills/analyzing-malicious-pdf-with-peepdf/SKILL.md b/skills/analyzing-malicious-pdf-with-peepdf/SKILL.md index ec9d087d..e0450e15 100644 --- a/skills/analyzing-malicious-pdf-with-peepdf/SKILL.md +++ b/skills/analyzing-malicious-pdf-with-peepdf/SKILL.md @@ -1,7 +1,7 @@ --- name: analyzing-malicious-pdf-with-peepdf -description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, - shellcode, and suspicious objects. +description: Perform static analysis of malicious PDF documents using peepdf, pdfid, + and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects. domain: cybersecurity subdomain: malware-analysis tags: 
@@ -21,6 +21,11 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1204.002 +- T1059.007 +- T1027 +- T1106 --- # Analyzing Malicious PDF with peepdf diff --git a/skills/analyzing-malicious-url-with-urlscan/SKILL.md b/skills/analyzing-malicious-url-with-urlscan/SKILL.md index 22a27e5b..5279d15f 100644 --- a/skills/analyzing-malicious-url-with-urlscan/SKILL.md +++ b/skills/analyzing-malicious-url-with-urlscan/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-malicious-url-with-urlscan -description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, - HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat +description: URLScan.io is a free service for scanning and analyzing suspicious URLs. + It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and + network connections of web pages in an isolat domain: cybersecurity subdomain: phishing-defense tags: @@ -22,6 +23,10 @@ nist_csf: - DE.CM-09 - RS.CO-02 - DE.AE-02 +mitre_attack: +- T1566.002 +- T1204.001 +- T1598.003 --- # Analyzing Malicious URL with URLScan diff --git a/skills/analyzing-malware-behavior-with-cuckoo-sandbox/SKILL.md b/skills/analyzing-malware-behavior-with-cuckoo-sandbox/SKILL.md index 243de4ca..f62df425 100644 --- a/skills/analyzing-malware-behavior-with-cuckoo-sandbox/SKILL.md +++ b/skills/analyzing-malware-behavior-with-cuckoo-sandbox/SKILL.md 
@@ -1,9 +1,10 @@ --- name: analyzing-malware-behavior-with-cuckoo-sandbox -description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system - modifications, registry changes, network communications, and API calls. Generates comprehensive behavioral reports for malware - classification and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox detonation, behavioral - analysis, or automated malware execution. +description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior + including process creation, file system modifications, registry changes, network + communications, and API calls. Generates comprehensive behavioral reports for malware + classification and IOC extraction. Activates for requests involving dynamic malware + analysis, sandbox detonation, behavioral analysis, or automated malware execution. ' domain: cybersecurity @@ -22,6 +23,11 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1497 +- T1055 +- T1071 +- T1027 --- # Analyzing Malware Behavior with Cuckoo Sandbox diff --git a/skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md b/skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md index 91e72103..bd4a4ec3 100644 --- a/skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md +++ b/skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md 
@@ -1,7 +1,8 @@ --- name: analyzing-malware-family-relationships-with-malpedia -description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families - to threat actors, and integrate YARA rules for detection across malware lineages. +description: Use the Malpedia platform and API to research malware family relationships, + track variant evolution, link families to threat actors, and integrate YARA rules + for detection across malware lineages. domain: cybersecurity subdomain: threat-intelligence tags: @@ -21,6 +22,10 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1587.001 +- T1027 +- T1071 --- # Analyzing Malware Family Relationships with Malpedia diff --git a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md index 30a4e5cd..312b4a62 100644 --- a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md +++ b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-malware-persistence-with-autoruns -description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry - keys, scheduled tasks, services, drivers, and startup locations on Windows systems. +description: Use Sysinternals Autoruns to systematically identify and analyze malware + persistence mechanisms across registry keys, scheduled tasks, services, drivers, + and startup locations on Windows systems. domain: cybersecurity subdomain: malware-analysis tags: @@ -14,10 +15,11 @@ tags: - startup - incident-response mitre_attack: -- T1547 -- T1053 -- T1543 -- T1546 +- T1547.001 +- T1543.003 +- T1053.005 +- T1574.001 +- T1037.001 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md b/skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md index fcfc4527..7e571c51 100644 
--- a/skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md +++ b/skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-malware-sandbox-evasion-techniques -description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction - detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports +description: Detect sandbox evasion techniques in malware samples by analyzing timing + checks, VM artifact queries, user interaction detection, and sleep inflation patterns + from Cuckoo/AnyRun behavioral reports domain: cybersecurity subdomain: malware-analysis tags: @@ -26,6 +27,11 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1497.001 +- T1497.003 +- T1480 +- T1027.002 --- # Analyzing Malware Sandbox Evasion Techniques diff --git a/skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md b/skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md index 65304380..be8d8960 100644 --- a/skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md +++ b/skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md @@ -1,8 +1,10 @@ --- name: analyzing-memory-forensics-with-lime-and-volatility -description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility - 3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux - memory images. Use when performing incident response on compromised Linux systems. +description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor) + kernel module and analysis with Volatility 3 framework. Extracts process lists, + network connections, bash history, loaded kernel modules, and injected code from + Linux memory images. Use when performing incident response on compromised Linux + systems. ' domain: cybersecurity 
@@ -22,6 +24,11 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1055 +- T1003.001 +- T1620 +- T1564.001 --- # Analyzing Memory Forensics with LiME and Volatility diff --git a/skills/analyzing-mft-for-deleted-file-recovery/SKILL.md b/skills/analyzing-mft-for-deleted-file-recovery/SKILL.md index 77b527e6..9d962184 100644 --- a/skills/analyzing-mft-for-deleted-file-recovery/SKILL.md +++ b/skills/analyzing-mft-for-deleted-file-recovery/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-mft-for-deleted-file-recovery -description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record - entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics. +description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content + of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack + space using MFTECmd, analyzeMFT, and X-Ways Forensics. domain: cybersecurity subdomain: digital-forensics tags: @@ -23,6 +24,10 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1070.004 +- T1070.006 +- T1005 --- # Analyzing MFT for Deleted File Recovery diff --git a/skills/analyzing-network-covert-channels-in-malware/SKILL.md b/skills/analyzing-network-covert-channels-in-malware/SKILL.md index e4fb5204..029c6cb0 100644 --- a/skills/analyzing-network-covert-channels-in-malware/SKILL.md +++ b/skills/analyzing-network-covert-channels-in-malware/SKILL.md 
@@ -1,7 +1,8 @@ --- name: analyzing-network-covert-channels-in-malware -description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, - steganographic HTTP, and protocol abuse for C2 and data exfiltration. +description: Detect and analyze covert communication channels used by malware including + DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 + and data exfiltration. domain: cybersecurity subdomain: malware-analysis tags: @@ -26,6 +27,11 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1071.001 +- T1095 +- T1572 +- T1001 --- # Analyzing Network Covert Channels in Malware diff --git a/skills/analyzing-network-flow-data-with-netflow/SKILL.md b/skills/analyzing-network-flow-data-with-netflow/SKILL.md index 3a1ca033..f105ad81 100644 --- a/skills/analyzing-network-flow-data-with-netflow/SKILL.md +++ b/skills/analyzing-network-flow-data-with-netflow/SKILL.md @@ -1,8 +1,10 @@ --- name: analyzing-network-flow-data-with-netflow -description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing - patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis - to identify flows with abnormal byte counts, connection durations, and periodic timing patterns. +description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port + scanning, data exfiltration, and C2 beaconing patterns. Uses the Python netflow + library to decode flow records, builds traffic baselines, and applies statistical + analysis to identify flows with abnormal byte counts, connection durations, and + periodic timing patterns. domain: cybersecurity subdomain: network-security tags: @@ -18,6 +20,11 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1071 +- T1048 +- T1046 +- T1095 --- 
diff --git a/skills/analyzing-network-packets-with-scapy/SKILL.md b/skills/analyzing-network-packets-with-scapy/SKILL.md index c3c40999..74b5158f 100644 --- a/skills/analyzing-network-packets-with-scapy/SKILL.md +++ b/skills/analyzing-network-packets-with-scapy/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-network-packets-with-scapy -description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and - traffic anomaly detection in authorized security testing +description: Craft, send, sniff, and dissect network packets using Scapy for protocol + analysis, network reconnaissance, and traffic anomaly detection in authorized security + testing domain: cybersecurity subdomain: network-security tags: @@ -19,6 +20,11 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1040 +- T1071 +- T1046 +- T1557 --- # Analyzing Network Packets with Scapy diff --git a/skills/analyzing-network-traffic-of-malware/SKILL.md b/skills/analyzing-network-traffic-of-malware/SKILL.md index eb8838b6..e0a27ca2 100644 --- a/skills/analyzing-network-traffic-of-malware/SKILL.md +++ b/skills/analyzing-network-traffic-of-malware/SKILL.md 
@@ -1,9 +1,10 @@ --- name: analyzing-network-traffic-of-malware -description: 'Analyzes network traffic generated by malware during sandbox execution or live incident response to identify - C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. - Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based - malware detection. +description: 'Analyzes network traffic generated by malware during sandbox execution + or live incident response to identify C2 protocols, data exfiltration channels, + payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. + Activates for requests involving malware network analysis, C2 traffic decoding, + malware PCAP analysis, or network-based malware detection. ' domain: cybersecurity @@ -22,6 +23,11 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1071.001 +- T1571 +- T1573 +- T1095 --- # Analyzing Network Traffic of Malware diff --git a/skills/analyzing-network-traffic-with-wireshark/SKILL.md b/skills/analyzing-network-traffic-with-wireshark/SKILL.md index 4d5f3590..561f3745 100644 --- a/skills/analyzing-network-traffic-with-wireshark/SKILL.md +++ b/skills/analyzing-network-traffic-with-wireshark/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-network-traffic-with-wireshark -description: 'Captures and analyzes network packet data using Wireshark and tshark to identify malicious traffic patterns, - diagnose protocol issues, extract artifacts, and support incident response investigations on authorized network segments. +description: 'Captures and analyzes network packet data using Wireshark and tshark + to identify malicious traffic patterns, diagnose protocol issues, extract artifacts, + and support incident response investigations on authorized network segments. ' domain: cybersecurity 
@@ -20,6 +21,11 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1040 +- T1071 +- T1557 +- T1046 --- # Analyzing Network Traffic with Wireshark diff --git a/skills/analyzing-office365-audit-logs-for-compromise/SKILL.md b/skills/analyzing-office365-audit-logs-for-compromise/SKILL.md index a57ecc26..7998e994 100644 --- a/skills/analyzing-office365-audit-logs-for-compromise/SKILL.md +++ b/skills/analyzing-office365-audit-logs-for-compromise/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-office365-audit-logs-for-compromise -description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation, - suspicious OAuth app grants, and other indicators of account compromise. +description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect + email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and + other indicators of account compromise. domain: cybersecurity subdomain: cloud-security tags: @@ -20,6 +21,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1114.002 +- T1098.002 +- T1556.006 +- T1078.004 --- # Analyzing Office 365 Audit Logs for Compromise diff --git a/skills/analyzing-outlook-pst-for-email-forensics/SKILL.md b/skills/analyzing-outlook-pst-for-email-forensics/SKILL.md index 9b734054..a958ad42 100644 --- a/skills/analyzing-outlook-pst-for-email-forensics/SKILL.md +++ b/skills/analyzing-outlook-pst-for-email-forensics/SKILL.md 
@@ -1,8 +1,9 @@ --- name: analyzing-outlook-pst-for-email-forensics -description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments, - deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident - response. +description: Analyze Microsoft Outlook PST and OST files for email forensic evidence + including message content, headers, attachments, deleted items, and metadata using + libpff, pst-utils, and forensic email analysis tools for legal investigations and + incident response. domain: cybersecurity subdomain: digital-forensics tags: @@ -28,6 +29,10 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1114.001 +- T1564.008 +- T1070.008 --- # Analyzing Outlook PST for Email Forensics diff --git a/skills/analyzing-packed-malware-with-upx-unpacker/SKILL.md b/skills/analyzing-packed-malware-with-upx-unpacker/SKILL.md index 3ac87bab..8e8862b2 100644 --- a/skills/analyzing-packed-malware-with-upx-unpacker/SKILL.md +++ b/skills/analyzing-packed-malware-with-upx-unpacker/SKILL.md @@ -1,8 +1,10 @@ --- name: analyzing-packed-malware-with-upx-unpacker -description: 'Identifies and unpacks UPX-packed and other packed malware samples to expose the original executable code for - static analysis. Covers both standard UPX unpacking and handling modified UPX headers that prevent automated decompression. - Activates for requests involving malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis. +description: 'Identifies and unpacks UPX-packed and other packed malware samples to + expose the original executable code for static analysis. Covers both standard UPX + unpacking and handling modified UPX headers that prevent automated decompression. + Activates for requests involving malware unpacking, UPX decompression, packer removal, + or preparing packed samples for analysis. ' domain: cybersecurity 
@@ -21,6 +23,10 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027.002 +- T1140 +- T1620 --- # Analyzing Packed Malware with UPX Unpacker diff --git a/skills/analyzing-pdf-malware-with-pdfid/SKILL.md b/skills/analyzing-pdf-malware-with-pdfid/SKILL.md index 8335d56a..da2cea6a 100644 --- a/skills/analyzing-pdf-malware-with-pdfid/SKILL.md +++ b/skills/analyzing-pdf-malware-with-pdfid/SKILL.md @@ -1,9 +1,10 @@ --- name: analyzing-pdf-malware-with-pdfid -description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode, - exploits, and suspicious objects without opening the document. Determines the attack vector and extracts embedded payloads - for further analysis. Activates for requests involving PDF malware analysis, malicious document analysis, PDF exploit investigation, - or suspicious attachment triage. +description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to + identify embedded JavaScript, shellcode, exploits, and suspicious objects without + opening the document. Determines the attack vector and extracts embedded payloads + for further analysis. Activates for requests involving PDF malware analysis, malicious + document analysis, PDF exploit investigation, or suspicious attachment triage. ' domain: cybersecurity @@ -22,6 +23,11 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1204.002 +- T1566.001 +- T1059.007 +- T1027 --- # Analyzing PDF Malware with PDFiD diff --git a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md index 25c4439e..62e79ff6 100644 --- a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md +++ b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md 
@@ -1,7 +1,8 @@ --- name: analyzing-persistence-mechanisms-in-linux -description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD - hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring +description: Detect and analyze Linux persistence mechanisms including crontab entries, + systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys + backdoors using auditd and file integrity monitoring domain: cybersecurity subdomain: threat-hunting tags: @@ -17,6 +18,7 @@ mitre_attack: - T1543.002 - T1574.006 - T1546.004 +- T1098.004 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-powershell-empire-artifacts/SKILL.md b/skills/analyzing-powershell-empire-artifacts/SKILL.md index d9011ae1..20ff7b21 100644 --- a/skills/analyzing-powershell-empire-artifacts/SKILL.md +++ b/skills/analyzing-powershell-empire-artifacts/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-powershell-empire-artifacts -description: Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, - default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events. +description: Detect PowerShell Empire framework artifacts in Windows event logs by + identifying Base64 encoded launcher patterns, default user agents, staging URL structures, + stager IOCs, and known Empire module signatures in Script Block Logging events. domain: cybersecurity subdomain: threat-hunting tags: @@ -32,6 +33,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1059.001 +- T1071.001 +- T1003.001 +- T1558.003 +- T1027.010 --- # Analyzing PowerShell Empire Artifacts diff --git a/skills/analyzing-powershell-script-block-logging/SKILL.md b/skills/analyzing-powershell-script-block-logging/SKILL.md index 15a7ce4f..466e0335 100644 
--- a/skills/analyzing-powershell-script-block-logging/SKILL.md +++ b/skills/analyzing-powershell-script-block-logging/SKILL.md @@ -1,8 +1,10 @@ --- name: analyzing-powershell-script-block-logging -description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded - payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy - analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts. +description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX + files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques. + Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy + analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, + download cradles, and AMSI bypass attempts. domain: cybersecurity subdomain: security-operations tags: @@ -20,6 +22,11 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1059.001 +- T1027.010 +- T1140 +- T1105 --- diff --git a/skills/analyzing-prefetch-files-for-execution-history/SKILL.md b/skills/analyzing-prefetch-files-for-execution-history/SKILL.md index 598b18c5..d165f666 100644 --- a/skills/analyzing-prefetch-files-for-execution-history/SKILL.md +++ b/skills/analyzing-prefetch-files-for-execution-history/SKILL.md @@ -1,7 +1,7 @@ --- name: analyzing-prefetch-files-for-execution-history -description: Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced - files for forensic investigation. +description: Parse Windows Prefetch files to determine program execution history including + run counts, timestamps, and referenced files for forensic investigation. domain: cybersecurity subdomain: digital-forensics tags: 
@@ -19,6 +19,11 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1059.001 +- T1003.001 +- T1021.002 +- T1567.002 --- # Analyzing Prefetch Files for Execution History diff --git a/skills/analyzing-ransomware-encryption-mechanisms/SKILL.md b/skills/analyzing-ransomware-encryption-mechanisms/SKILL.md index 065662ea..1992cdc6 100644 --- a/skills/analyzing-ransomware-encryption-mechanisms/SKILL.md +++ b/skills/analyzing-ransomware-encryption-mechanisms/SKILL.md @@ -1,9 +1,10 @@ --- name: analyzing-ransomware-encryption-mechanisms -description: 'Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to - assess decryption feasibility, identify implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20, - and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery - assessment, or ransomware decryption feasibility. +description: 'Analyzes encryption algorithms, key management, and file encryption + routines used by ransomware families to assess decryption feasibility, identify + implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20, + and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, + encryption analysis, key recovery assessment, or ransomware decryption feasibility. ' domain: cybersecurity @@ -22,6 +23,11 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1486 +- T1573.001 +- T1573.002 +- T1027 --- # Analyzing Ransomware Encryption Mechanisms diff --git a/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md b/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md index 48c14a20..f9ef423f 100644 --- a/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md +++ b/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md 
@@ -1,7 +1,8 @@ --- name: analyzing-ransomware-leak-site-intelligence -description: Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence - on group tactics, and assess sector-specific ransomware risk for proactive defense. +description: Monitor and analyze ransomware group data leak sites (DLS) to track victim + postings, extract threat intelligence on group tactics, and assess sector-specific + ransomware risk for proactive defense. domain: cybersecurity subdomain: threat-intelligence tags: @@ -10,7 +11,7 @@ tags: - data-leak - extortion - threat-intelligence -- monitoring +- leak-site-monitoring - dls - victim-tracking version: '1.0' @@ -21,6 +22,11 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1657 +- T1486 +- T1567.002 +- T1591 --- # Analyzing Ransomware Leak Site Intelligence diff --git a/skills/analyzing-ransomware-network-indicators/SKILL.md b/skills/analyzing-ransomware-network-indicators/SKILL.md index 7bb600ea..8bef4e4a 100644 --- a/skills/analyzing-ransomware-network-indicators/SKILL.md +++ b/skills/analyzing-ransomware-network-indicators/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-ransomware-network-indicators -description: Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration - flows, and encryption key exchange via Zeek conn.log and NetFlow analysis +description: Identify ransomware network indicators including C2 beaconing patterns, + TOR exit node connections, data exfiltration flows, and encryption key exchange + via Zeek conn.log and NetFlow analysis domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +27,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1071.001 +- T1573 +- T1048 +- T1567.002 +- T1486 --- # Analyzing Ransomware Network Indicators 
diff --git a/skills/analyzing-ransomware-payment-wallets/SKILL.md b/skills/analyzing-ransomware-payment-wallets/SKILL.md index eace7d62..f3f35d66 100644 --- a/skills/analyzing-ransomware-payment-wallets/SKILL.md +++ b/skills/analyzing-ransomware-payment-wallets/SKILL.md @@ -1,9 +1,11 @@ --- name: analyzing-ransomware-payment-wallets -description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor, - WalletExplorer, and blockchain.com APIs. Identifies wallet clusters, tracks fund movement through mixers and exchanges, - and supports law enforcement attribution. Activates for requests involving ransomware payment tracing, bitcoin wallet analysis, - cryptocurrency forensics, or blockchain intelligence gathering. +description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis + tools such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies + wallet clusters, tracks fund movement through mixers and exchanges, and supports + law enforcement attribution. Activates for requests involving ransomware payment + tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain intelligence + gathering. ' domain: cybersecurity @@ -23,6 +25,9 @@ nist_csf: - RS.MA-01 - RC.RP-01 - PR.IR-01 +mitre_attack: +- T1657 +- T1486 --- # Analyzing Ransomware Payment Wallets diff --git a/skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md b/skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md index 9f76c210..cb110b8f 100644 --- a/skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md +++ b/skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md 
@@ -1,9 +1,11 @@ --- name: analyzing-sbom-for-supply-chain-vulnerabilities -description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities - by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores, - identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis, - software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing, +description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON + formats to identify supply chain vulnerabilities by correlating components against + the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk + scores, identifies transitive vulnerability paths, and generates compliance reports. + Activates for requests involving SBOM analysis, software composition analysis, supply + chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation. ' @@ -36,6 +38,11 @@ nist_csf: - GV.SC-03 - GV.SC-06 - GV.SC-07 +mitre_attack: +- T1195.001 +- T1195.002 +- T1554 +- T1190 --- # Analyzing SBOM for Supply Chain Vulnerabilities diff --git a/skills/analyzing-security-logs-with-splunk/SKILL.md b/skills/analyzing-security-logs-with-splunk/SKILL.md index f96f5291..e2e08617 100644 --- a/skills/analyzing-security-logs-with-splunk/SKILL.md +++ b/skills/analyzing-security-logs-with-splunk/SKILL.md 
@@ -1,9 +1,11 @@ --- name: analyzing-security-logs-with-splunk -description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents - through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy - logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis, - security event correlation, or log-based incident investigation. +description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language) + to investigate security incidents through log correlation, timeline reconstruction, + and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and + authentication data analysis. Activates for requests involving Splunk investigation, + SPL queries, SIEM log analysis, security event correlation, or log-based incident + investigation. ' domain: cybersecurity @@ -15,9 +17,11 @@ tags: - log-analysis - security-monitoring mitre_attack: -- T1070 -- T1562 -- T1059 +- T1110 +- T1550.002 +- T1021.001 +- T1059.001 +- T1003.001 version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-slack-space-and-file-system-artifacts/SKILL.md b/skills/analyzing-slack-space-and-file-system-artifacts/SKILL.md index 8955ba9f..70fe7733 100644 --- a/skills/analyzing-slack-space-and-file-system-artifacts/SKILL.md +++ b/skills/analyzing-slack-space-and-file-system-artifacts/SKILL.md @@ -1,7 +1,7 @@ --- name: analyzing-slack-space-and-file-system-artifacts -description: Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data - and reconstruct file activity on NTFS volumes. +description: Examine file system slack space, MFT entries, USN journal, and alternate + data streams to recover hidden data and reconstruct file activity on NTFS volumes. domain: cybersecurity subdomain: digital-forensics tags: 
@@ -20,6 +20,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1070.006 +- T1564.004 +- T1070.004 +- T1005 +- T1006 --- # Analyzing Slack Space and File System Artifacts diff --git a/skills/analyzing-supply-chain-malware-artifacts/SKILL.md b/skills/analyzing-supply-chain-malware-artifacts/SKILL.md index b92ecfeb..d3790d72 100644 --- a/skills/analyzing-supply-chain-malware-artifacts/SKILL.md +++ b/skills/analyzing-supply-chain-malware-artifacts/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-supply-chain-malware-artifacts -description: Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines, - and sideloaded dependencies to identify intrusion vectors and scope of compromise. +description: Investigate supply chain attack artifacts including trojanized software + updates, compromised build pipelines, and sideloaded dependencies to identify intrusion + vectors and scope of compromise. domain: cybersecurity subdomain: malware-analysis tags: @@ -33,6 +34,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1195.002 +- T1195.001 +- T1554 +- T1553.002 +- T1027 --- # Analyzing Supply Chain Malware Artifacts diff --git a/skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md b/skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md index 8bd984b2..b563d1d6 100644 --- a/skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md +++ b/skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md 
@@ -1,7 +1,8 @@ --- name: analyzing-threat-actor-ttps-with-mitre-attack -description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) - based on real-world observations. This skill covers systematically mapping threat actor beh +description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, + techniques, and procedures (TTPs) based on real-world observations. This skill covers + systematically mapping threat actor beh domain: cybersecurity subdomain: threat-intelligence tags: @@ -26,6 +27,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1566.001 +- T1059.001 +- T1071.001 +- T1547.001 +- T1053.005 --- # Analyzing Threat Actor TTPs with MITRE ATT&CK diff --git a/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md b/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md index 36f709b7..b4574c1c 100644 --- a/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md +++ b/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md 
@@ -1,9 +1,11 @@ --- name: analyzing-threat-actor-ttps-with-mitre-navigator -description: 'Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework - using the ATT&CK Navigator and attackcti Python library. The analyst queries STIX/TAXII data for group-technique associations, - generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles. Activates - for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis. +description: 'Map advanced persistent threat (APT) group tactics, techniques, and + procedures (TTPs) to the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti + Python library. The analyst queries STIX/TAXII data for group-technique associations, + generates Navigator layer files for visualization, and compares defensive coverage + against adversary profiles. Activates for requests involving APT TTP mapping, ATT&CK + Navigator layers, threat actor profiling, or MITRE technique coverage analysis. ' domain: cybersecurity @@ -38,6 +40,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1566.001 +- T1059.001 +- T1071.001 +- T1547.001 +- T1053.005 --- # Analyzing Threat Actor TTPs with MITRE Navigator diff --git a/skills/analyzing-threat-intelligence-feeds/SKILL.md b/skills/analyzing-threat-intelligence-feeds/SKILL.md index 92ddf296..c77d88f5 100644 --- a/skills/analyzing-threat-intelligence-feeds/SKILL.md +++ b/skills/analyzing-threat-intelligence-feeds/SKILL.md 
@@ -1,9 +1,11 @@ --- name: analyzing-threat-intelligence-feeds -description: 'Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics, - and campaign context. Use when ingesting commercial or open-source CTI feeds, evaluating feed quality, normalizing data - into STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates for requests involving ThreatConnect, - Recorded Future, Mandiant Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines. +description: 'Analyzes structured and unstructured threat intelligence feeds to extract + actionable indicators, adversary tactics, and campaign context. Use when ingesting + commercial or open-source CTI feeds, evaluating feed quality, normalizing data into + STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates + for requests involving ThreatConnect, Recorded Future, Mandiant Advantage, MISP, + AlienVault OTX, or automated feed aggregation pipelines. ' domain: cybersecurity @@ -26,6 +28,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1071.001 +- T1566 +- T1568 +- T1583.001 +- T1102 --- # Analyzing Threat Intelligence Feeds diff --git a/skills/analyzing-threat-landscape-with-misp/SKILL.md b/skills/analyzing-threat-landscape-with-misp/SKILL.md index 84948c4c..ee160313 100644 --- a/skills/analyzing-threat-landscape-with-misp/SKILL.md +++ b/skills/analyzing-threat-landscape-with-misp/SKILL.md 
@@ -1,16 +1,19 @@ --- name: analyzing-threat-landscape-with-misp -description: Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics, - attribute distributions, threat actor galaxy clusters, and tag trends over time. Uses PyMISP to pull event data, compute - IOC type breakdowns, identify top threat actors and malware families, and generate threat landscape reports with temporal - trends. +description: Analyze the threat landscape using MISP (Malware Information Sharing + Platform) by querying event statistics, attribute distributions, threat actor galaxy + clusters, and tag trends over time. Uses PyMISP to pull event data, compute IOC + type breakdowns, identify top threat actors and malware families, and generate threat + landscape reports with temporal trends. domain: cybersecurity subdomain: threat-intelligence tags: -- analyzing -- threat -- landscape -- with +- threat-intelligence +- misp +- threat-landscape +- ioc-analysis +- cti +- threat-sharing version: '1.0' author: mahipal license: Apache-2.0 @@ -25,6 +28,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1566 +- T1071.001 +- T1568 +- T1583.001 +- T1102 --- diff --git a/skills/analyzing-tls-certificate-transparency-logs/SKILL.md b/skills/analyzing-tls-certificate-transparency-logs/SKILL.md index 4208a7c1..84f2daa4 100644 --- a/skills/analyzing-tls-certificate-transparency-logs/SKILL.md +++ b/skills/analyzing-tls-certificate-transparency-logs/SKILL.md 
@@ -1,17 +1,20 @@ --- name: analyzing-tls-certificate-transparency-logs -description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate - issuance, and shadow IT. Monitors newly issued certificates for typosquatting and brand impersonation using Levenshtein +description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect + phishing domains, unauthorized certificate issuance, and shadow IT. Monitors newly + issued certificates for typosquatting and brand impersonation using Levenshtein distance. Use for proactive phishing domain detection and certificate monitoring. ' domain: cybersecurity subdomain: security-operations tags: -- analyzing -- tls -- certificate -- transparency +- certificate-transparency +- ct-logs +- crt-sh +- phishing-detection +- tls-monitoring +- security-operations version: '1.0' author: mahipal license: Apache-2.0 @@ -23,6 +26,11 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1583.001 +- T1566.002 +- T1598.003 +- T1583.006 --- # Analyzing TLS Certificate Transparency Logs diff --git a/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md b/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md index d0e49ec7..d3fbc6dc 100644 --- a/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md +++ b/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-typosquatting-domains-with-dnstwist -description: Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations - and identify registered lookalike domains targeting your organization. +description: Detect typosquatting, homograph phishing, and brand impersonation domains + using dnstwist to generate domain permutations and identify registered lookalike + domains targeting your organization. domain: cybersecurity subdomain: threat-intelligence tags: 
@@ -24,6 +25,11 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1583.001 +- T1566.002 +- T1598.003 +- T1583.006 --- # Analyzing Typosquatting Domains with DNSTwist diff --git a/skills/analyzing-uefi-bootkit-persistence/SKILL.md b/skills/analyzing-uefi-bootkit-persistence/SKILL.md index 4007870f..7cff1b3e 100644 --- a/skills/analyzing-uefi-bootkit-persistence/SKILL.md +++ b/skills/analyzing-uefi-bootkit-persistence/SKILL.md @@ -1,10 +1,12 @@ --- name: analyzing-uefi-bootkit-persistence -description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition - (ESP) modifications, Secure Boot bypass techniques, and UEFI variable manipulation. Covers detection of known bootkit families - (BlackLotus, LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, chipsec-based firmware - integrity verification, and Secure Boot configuration auditing. Activates for requests involving UEFI malware analysis, - firmware persistence investigation, boot chain integrity verification, or Secure Boot bypass detection. +description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants + in SPI flash, EFI System Partition (ESP) modifications, Secure Boot bypass techniques, + and UEFI variable manipulation. Covers detection of known bootkit families (BlackLotus, + LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, + chipsec-based firmware integrity verification, and Secure Boot configuration auditing. + Activates for requests involving UEFI malware analysis, firmware persistence investigation, + boot chain integrity verification, or Secure Boot bypass detection. ' domain: cybersecurity @@ -30,6 +32,12 @@ nist_csf: - ID.RA-01 - PR.PS-01 - PR.PS-02 +mitre_attack: +- T1542.001 +- T1542.003 +- T1553.006 +- T1542 +- T1014 --- # Analyzing UEFI Bootkit Persistence 
diff --git a/skills/analyzing-usb-device-connection-history/SKILL.md b/skills/analyzing-usb-device-connection-history/SKILL.md index a59cf30b..3c14be18 100644 --- a/skills/analyzing-usb-device-connection-history/SKILL.md +++ b/skills/analyzing-usb-device-connection-history/SKILL.md @@ -1,7 +1,7 @@ --- name: analyzing-usb-device-connection-history -description: Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable - media usage and potential data exfiltration. +description: Investigate USB device connection history from Windows registry, event + logs, and setupapi logs to track removable media usage and potential data exfiltration. domain: cybersecurity subdomain: digital-forensics tags: @@ -19,6 +19,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1052.001 +- T1025 +- T1091 +- T1005 +- T1074.001 --- # Analyzing USB Device Connection History diff --git a/skills/analyzing-web-server-logs-for-intrusion/SKILL.md b/skills/analyzing-web-server-logs-for-intrusion/SKILL.md index 7ad71dcb..7627989e 100644 --- a/skills/analyzing-web-server-logs-for-intrusion/SKILL.md +++ b/skills/analyzing-web-server-logs-for-intrusion/SKILL.md 
@@ -1,15 +1,20 @@ --- name: analyzing-web-server-logs-for-intrusion -description: Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal, - web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP - enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers. +description: Parse Apache and Nginx access logs to detect SQL injection attempts, + local file inclusion, directory traversal, web scanner fingerprints, and brute-force + patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP + enrichment for source attribution, and statistical anomaly detection for request + frequency and response size outliers. domain: cybersecurity subdomain: security-operations tags: -- analyzing -- web -- server -- logs +- web-log-analysis +- apache-logs +- nginx-logs +- sql-injection-detection +- lfi-detection +- directory-traversal +- intrusion-detection version: '1.0' author: mahipal license: Apache-2.0 @@ -18,6 +23,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1190 +- T1059.007 +- T1110 +- T1595.002 +- T1505.003 --- diff --git a/skills/analyzing-windows-amcache-artifacts/SKILL.md b/skills/analyzing-windows-amcache-artifacts/SKILL.md index 0e3faca7..18ece13c 100644 --- a/skills/analyzing-windows-amcache-artifacts/SKILL.md +++ b/skills/analyzing-windows-amcache-artifacts/SKILL.md 
@@ -1,9 +1,12 @@ --- name: analyzing-windows-amcache-artifacts -description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application - installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline - Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests - involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation. +description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract + evidence of program execution, application installation, and driver loading for + digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline + Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and + timeline reconstruction. Activates for requests involving Amcache forensics, program + execution evidence, Windows artifact analysis, or application compatibility cache + investigation. ' domain: cybersecurity @@ -24,6 +27,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1070.004 +- T1070.006 +- T1036.005 +- T1014 +- T1005 --- # Analyzing Windows Amcache Artifacts diff --git a/skills/analyzing-windows-event-logs-in-splunk/SKILL.md b/skills/analyzing-windows-event-logs-in-splunk/SKILL.md index 4eca7231..9375af9f 100644 --- a/skills/analyzing-windows-event-logs-in-splunk/SKILL.md +++ b/skills/analyzing-windows-event-logs-in-splunk/SKILL.md 
@@ -1,9 +1,10 @@ --- name: analyzing-windows-event-logs-in-splunk -description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege - escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC - analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows - endpoints and domain controllers. +description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to + detect authentication attacks, privilege escalation, persistence mechanisms, and + lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC + analysts need to investigate Windows-based threats, build detection queries, or + perform forensic timeline analysis of Windows endpoints and domain controllers. ' domain: cybersecurity @@ -30,6 +31,13 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1110 +- T1053.005 +- T1547.001 +- T1021.002 +- T1558.003 +- T1003.006 --- # Analyzing Windows Event Logs in Splunk diff --git a/skills/analyzing-windows-lnk-files-for-artifacts/SKILL.md b/skills/analyzing-windows-lnk-files-for-artifacts/SKILL.md index a05221fe..de40ae44 100644 --- a/skills/analyzing-windows-lnk-files-for-artifacts/SKILL.md +++ b/skills/analyzing-windows-lnk-files-for-artifacts/SKILL.md @@ -1,7 +1,7 @@ --- name: analyzing-windows-lnk-files-for-artifacts -description: Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers - for forensic timeline reconstruction. +description: Parse Windows LNK shortcut files to extract target paths, timestamps, + volume information, and machine identifiers for forensic timeline reconstruction. domain: cybersecurity subdomain: digital-forensics tags: 
@@ -19,6 +19,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1547.001 +- T1204.002 +- T1005 +- T1025 +- T1074.001 --- # Analyzing Windows LNK Files for Artifacts diff --git a/skills/analyzing-windows-prefetch-with-python/SKILL.md b/skills/analyzing-windows-prefetch-with-python/SKILL.md index 57764f0e..a2fc9940 100644 --- a/skills/analyzing-windows-prefetch-with-python/SKILL.md +++ b/skills/analyzing-windows-prefetch-with-python/SKILL.md @@ -1,7 +1,8 @@ --- name: analyzing-windows-prefetch-with-python -description: Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history, - detect renamed or masquerading binaries, and identify suspicious program execution patterns. +description: Parse Windows Prefetch files using the windowsprefetch Python library + to reconstruct application execution history, detect renamed or masquerading binaries, + and identify suspicious program execution patterns. domain: cybersecurity subdomain: digital-forensics tags: @@ -12,9 +13,11 @@ tags: - incident-response - malware-analysis mitre_attack: -- T1059 -- T1204 -- T1036 +- T1036.005 +- T1070.004 +- T1070 +- T1003.001 +- T1057 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/analyzing-windows-registry-for-artifacts/SKILL.md b/skills/analyzing-windows-registry-for-artifacts/SKILL.md index 1030b1c7..19d13e5a 100644 --- a/skills/analyzing-windows-registry-for-artifacts/SKILL.md +++ b/skills/analyzing-windows-registry-for-artifacts/SKILL.md @@ -1,7 +1,7 @@ --- name: analyzing-windows-registry-for-artifacts -description: Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and - evidence of system compromise. +description: Extract and analyze Windows Registry hives to uncover user activity, + installed software, autostart entries, and evidence of system compromise. domain: cybersecurity subdomain: digital-forensics tags: 
@@ -19,6 +19,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1012 +- T1547.001 +- T1112 +- T1003.002 +- T1025 --- # Analyzing Windows Registry for Artifacts diff --git a/skills/analyzing-windows-shellbag-artifacts/SKILL.md b/skills/analyzing-windows-shellbag-artifacts/SKILL.md index 65801f7a..689b5a82 100644 --- a/skills/analyzing-windows-shellbag-artifacts/SKILL.md +++ b/skills/analyzing-windows-shellbag-artifacts/SKILL.md @@ -1,8 +1,8 @@ --- name: analyzing-windows-shellbag-artifacts -description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable - media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags - Explorer. +description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing + activity, detect access to removable media and network shares, and establish user + interaction with directories even after deletion using SBECmd and ShellBags Explorer. domain: cybersecurity subdomain: digital-forensics tags: @@ -24,6 +24,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1083 +- T1074.001 +- T1135 +- T1025 +- T1070.004 --- # Analyzing Windows Shellbag Artifacts diff --git a/skills/auditing-aws-s3-bucket-permissions/SKILL.md b/skills/auditing-aws-s3-bucket-permissions/SKILL.md index 842ca1a6..c9bd24ff 100644 --- a/skills/auditing-aws-s3-bucket-permissions/SKILL.md +++ b/skills/auditing-aws-s3-bucket-permissions/SKILL.md 
@@ -1,7 +1,8 @@ --- name: auditing-aws-s3-bucket-permissions -description: 'Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, overly permissive ACLs, - misconfigured bucket policies, and missing encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege +description: 'Systematically audit AWS S3 bucket permissions to identify publicly + accessible buckets, overly permissive ACLs, misconfigured bucket policies, and missing + encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege data access controls. ' @@ -22,6 +23,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1530 +- T1619 +- T1078.004 +- T1537 +- T1567.002 --- # Auditing AWS S3 Bucket Permissions diff --git a/skills/auditing-azure-active-directory-configuration/SKILL.md b/skills/auditing-azure-active-directory-configuration/SKILL.md index 77a2605c..e7d22ff7 100644 --- a/skills/auditing-azure-active-directory-configuration/SKILL.md +++ b/skills/auditing-azure-active-directory-configuration/SKILL.md @@ -1,7 +1,8 @@ --- name: auditing-azure-active-directory-configuration -description: 'Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies, - overly permissive role assignments, stale accounts, conditional access gaps, and guest user risks using AzureAD PowerShell, +description: 'Auditing Microsoft Entra ID (Azure Active Directory) configuration to + identify risky authentication policies, overly permissive role assignments, stale + accounts, conditional access gaps, and guest user risks using AzureAD PowerShell, Microsoft Graph API, and ScoutSuite. ' @@ -22,6 +23,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1098.003 +- T1556.006 +- T1069.003 +- T1526 --- # Auditing Azure Active Directory Configuration 
diff --git a/skills/auditing-cloud-with-cis-benchmarks/SKILL.md b/skills/auditing-cloud-with-cis-benchmarks/SKILL.md index a333f28a..fccbe6ca 100644 --- a/skills/auditing-cloud-with-cis-benchmarks/SKILL.md +++ b/skills/auditing-cloud-with-cis-benchmarks/SKILL.md @@ -1,9 +1,10 @@ --- name: auditing-cloud-with-cis-benchmarks -description: 'This skill details how to conduct cloud security audits using Center for Internet Security benchmarks for AWS, - Azure, and GCP. It covers interpreting CIS Foundations Benchmark controls, running automated assessments with tools like - Prowler and ScoutSuite, remediating failed controls, and maintaining continuous compliance monitoring against CIS v5 for - AWS, v4 for Azure, and v4 for GCP. +description: 'This skill details how to conduct cloud security audits using Center + for Internet Security benchmarks for AWS, Azure, and GCP. It covers interpreting + CIS Foundations Benchmark controls, running automated assessments with tools like + Prowler and ScoutSuite, remediating failed controls, and maintaining continuous + compliance monitoring against CIS v5 for AWS, v4 for Azure, and v4 for GCP. ' domain: cybersecurity @@ -26,6 +27,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1098.003 +- T1685.002 +- T1580 --- # Auditing Cloud with CIS Benchmarks diff --git a/skills/auditing-gcp-iam-permissions/SKILL.md b/skills/auditing-gcp-iam-permissions/SKILL.md index 6b99af34..4ff6e42a 100644 --- a/skills/auditing-gcp-iam-permissions/SKILL.md +++ b/skills/auditing-gcp-iam-permissions/SKILL.md 
@@ -1,7 +1,8 @@ --- name: auditing-gcp-iam-permissions -description: 'Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage, - service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender. +description: 'Auditing Google Cloud Platform IAM permissions to identify overly permissive + bindings, primitive role usage, service account key proliferation, and cross-project + access risks using gcloud CLI, Policy Analyzer, and IAM Recommender. ' domain: cybersecurity @@ -21,6 +22,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1098.003 +- T1528 +- T1548.005 +- T1580 --- # Auditing GCP IAM Permissions diff --git a/skills/auditing-kubernetes-cluster-rbac/SKILL.md b/skills/auditing-kubernetes-cluster-rbac/SKILL.md index 0fee07e4..aaa7b397 100644 --- a/skills/auditing-kubernetes-cluster-rbac/SKILL.md +++ b/skills/auditing-kubernetes-cluster-rbac/SKILL.md @@ -1,7 +1,8 @@ --- name: auditing-kubernetes-cluster-rbac -description: 'Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous - ClusterRoleBindings, service account abuse, and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit. +description: 'Auditing Kubernetes cluster RBAC configurations to identify overly permissive + roles, wildcard permissions, dangerous ClusterRoleBindings, service account abuse, + and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit. ' domain: cybersecurity @@ -22,6 +23,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1098.006 +- T1552.007 +- T1611 +- T1613 +- T1078.004 --- # Auditing Kubernetes Cluster RBAC diff --git a/skills/auditing-terraform-infrastructure-for-security/SKILL.md b/skills/auditing-terraform-infrastructure-for-security/SKILL.md index 4a2f56bd..642f3b90 100644 
--- a/skills/auditing-terraform-infrastructure-for-security/SKILL.md +++ b/skills/auditing-terraform-infrastructure-for-security/SKILL.md @@ -1,7 +1,8 @@ --- name: auditing-terraform-infrastructure-for-security -description: 'Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and - OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults +description: 'Auditing Terraform infrastructure-as-code for security misconfigurations + using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive + IAM policies, public resource exposure, missing encryption, and insecure defaults before cloud deployment. ' @@ -22,6 +23,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1190 +- T1552.001 +- T1580 --- # Auditing Terraform Infrastructure for Security diff --git a/skills/auditing-tls-certificate-transparency-logs/SKILL.md b/skills/auditing-tls-certificate-transparency-logs/SKILL.md index ab5e29e4..a5cb7b2a 100644 --- a/skills/auditing-tls-certificate-transparency-logs/SKILL.md +++ b/skills/auditing-tls-certificate-transparency-logs/SKILL.md 
@@ -1,10 +1,12 @@ --- name: auditing-tls-certificate-transparency-logs -description: 'Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains - via CT data, and alert on suspicious certificate activity for owned domains. Uses the crt.sh API and direct CT log querying - based on RFC 6962 to build continuous monitoring pipelines that catch rogue certificates, track CA behavior, and map the - external attack surface. Activates for requests involving certificate transparency monitoring, CT log auditing, subdomain - discovery via certificates, or certificate issuance alerting. +description: 'Monitors Certificate Transparency (CT) logs to detect unauthorized certificate + issuance, discover subdomains via CT data, and alert on suspicious certificate activity + for owned domains. Uses the crt.sh API and direct CT log querying based on RFC 6962 + to build continuous monitoring pipelines that catch rogue certificates, track CA + behavior, and map the external attack surface. Activates for requests involving + certificate transparency monitoring, CT log auditing, subdomain discovery via certificates, + or certificate issuance alerting. ' domain: cybersecurity @@ -24,6 +26,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1596.003 +- T1583.001 +- T1587.003 +- T1593 +- T1566.002 --- # Auditing TLS Certificate Transparency Logs diff --git a/skills/automating-ioc-enrichment/SKILL.md b/skills/automating-ioc-enrichment/SKILL.md index 1bad03f1..36ad427b 100644 --- a/skills/automating-ioc-enrichment/SKILL.md +++ b/skills/automating-ioc-enrichment/SKILL.md 
@@ -1,10 +1,12 @@ --- name: automating-ioc-enrichment -description: 'Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using - SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time and standardize enrichment outputs. Use - when building automated enrichment workflows integrated with SIEM alerts, email submission pipelines, or bulk IOC processing - from threat feeds. Activates for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment - pipelines, or automated IOC processing. +description: 'Automates the enrichment of raw indicators of compromise with multi-source + threat intelligence context using SOAR platforms, Python pipelines, or TIP playbooks + to reduce analyst triage time and standardize enrichment outputs. Use when building + automated enrichment workflows integrated with SIEM alerts, email submission pipelines, + or bulk IOC processing from threat feeds. Activates for requests involving SOAR + enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment pipelines, or + automated IOC processing. ' domain: cybersecurity @@ -27,6 +29,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1071.001 +- T1583.001 +- T1588.001 +- T1590.005 +- T1596 --- # Automating IOC Enrichment diff --git a/skills/building-adversary-infrastructure-tracking-system/SKILL.md b/skills/building-adversary-infrastructure-tracking-system/SKILL.md index 6f8d4c61..fd388106 100644 --- a/skills/building-adversary-infrastructure-tracking-system/SKILL.md +++ b/skills/building-adversary-infrastructure-tracking-system/SKILL.md 
@@ -1,7 +1,8 @@ --- name: building-adversary-infrastructure-tracking-system -description: Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS - data, and IP enrichment to map and monitor threat actor command-and-control networks. +description: Build an automated system to track adversary infrastructure using passive + DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor + threat actor command-and-control networks. domain: cybersecurity subdomain: threat-intelligence tags: @@ -21,6 +22,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1583.001 +- T1583.004 +- T1596.001 +- T1590.002 +- T1071.001 --- # Building Adversary Infrastructure Tracking System diff --git a/skills/building-attack-pattern-library-from-cti-reports/SKILL.md b/skills/building-attack-pattern-library-from-cti-reports/SKILL.md index ad5af9ae..1178faee 100644 --- a/skills/building-attack-pattern-library-from-cti-reports/SKILL.md +++ b/skills/building-attack-pattern-library-from-cti-reports/SKILL.md @@ -1,7 +1,8 @@ --- name: building-attack-pattern-library-from-cti-reports -description: Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library - mapped to MITRE ATT&CK for detection engineering and threat-informed defense. +description: Extract and catalog attack patterns from cyber threat intelligence reports + into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering + and threat-informed defense. domain: cybersecurity subdomain: threat-intelligence tags: @@ -27,6 +28,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1566.001 +- T1059.001 +- T1003.001 +- T1558.003 +- T1550.002 --- # Building Attack Pattern Library from CTI Reports diff --git a/skills/building-automated-malware-submission-pipeline/SKILL.md b/skills/building-automated-malware-submission-pipeline/SKILL.md index 91b062a7..a426ad07 100644 
--- a/skills/building-automated-malware-submission-pipeline/SKILL.md +++ b/skills/building-automated-malware-submission-pipeline/SKILL.md @@ -1,8 +1,10 @@ --- name: building-automated-malware-submission-pipeline -description: 'Builds an automated malware submission and analysis pipeline that collects suspicious files from endpoints and - email gateways, submits them to sandbox environments and multi-engine scanners, and generates verdicts with IOCs for SIEM - integration. Use when SOC teams need to scale malware analysis beyond manual sandbox submissions for high-volume alert triage. +description: 'Builds an automated malware submission and analysis pipeline that collects + suspicious files from endpoints and email gateways, submits them to sandbox environments + and multi-engine scanners, and generates verdicts with IOCs for SIEM integration. + Use when SOC teams need to scale malware analysis beyond manual sandbox submissions + for high-volume alert triage. ' domain: cybersecurity @@ -24,6 +26,12 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1204.002 +- T1566.001 +- T1027 +- T1055 +- T1497 --- # Building Automated Malware Submission Pipeline diff --git a/skills/building-c2-infrastructure-with-sliver-framework/SKILL.md b/skills/building-c2-infrastructure-with-sliver-framework/SKILL.md index 590a9c35..e287786f 100644 --- a/skills/building-c2-infrastructure-with-sliver-framework/SKILL.md +++ b/skills/building-c2-infrastructure-with-sliver-framework/SKILL.md 
@@ -1,7 +1,8 @@ --- name: building-c2-infrastructure-with-sliver-framework -description: Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with - redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements. +description: Build and configure a resilient command-and-control infrastructure using + BishopFox's Sliver C2 framework with redirectors, HTTPS listeners, and multi-operator + support for authorized red team engagements. domain: cybersecurity subdomain: red-teaming tags: @@ -25,6 +26,13 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1071.001 +- T1071.004 +- T1573.002 +- T1090.002 +- T1105 +- T1572 --- # Building C2 Infrastructure with Sliver Framework diff --git a/skills/building-cloud-siem-with-sentinel/SKILL.md b/skills/building-cloud-siem-with-sentinel/SKILL.md index 878c242b..090dd168 100644 --- a/skills/building-cloud-siem-with-sentinel/SKILL.md +++ b/skills/building-cloud-siem-with-sentinel/SKILL.md @@ -1,9 +1,10 @@ --- name: building-cloud-siem-with-sentinel -description: 'This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR platform for centralized security - operations. It details configuring data connectors for multi-cloud log ingestion, writing KQL detection queries, building - automated response playbooks with Logic Apps, and leveraging the Sentinel data lake for petabyte-scale threat hunting across - AWS, Azure, and GCP security telemetry. +description: 'This skill covers deploying Microsoft Sentinel as a cloud-native SIEM + and SOAR platform for centralized security operations. It details configuring data + connectors for multi-cloud log ingestion, writing KQL detection queries, building + automated response playbooks with Logic Apps, and leveraging the Sentinel data lake + for petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry. ' domain: cybersecurity 
@@ -30,6 +31,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1548.005 +- T1485 +- T1530 +- T1021.007 --- # Building Cloud SIEM with Sentinel diff --git a/skills/building-detection-rule-with-splunk-spl/SKILL.md b/skills/building-detection-rule-with-splunk-spl/SKILL.md index d8aeb8c0..149e67be 100644 --- a/skills/building-detection-rule-with-splunk-spl/SKILL.md +++ b/skills/building-detection-rule-with-splunk-spl/SKILL.md @@ -1,7 +1,7 @@ --- name: building-detection-rule-with-splunk-spl -description: Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify - security threats in SOC environments. +description: Build effective detection rules using Splunk Search Processing Language + (SPL) correlation searches to identify security threats in SOC environments. domain: cybersecurity subdomain: soc-operations tags: @@ -27,6 +27,13 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1059.001 +- T1003.001 +- T1021.002 +- T1110.003 +- T1053.005 +- T1048 --- # Building Detection Rules with Splunk SPL diff --git a/skills/building-detection-rules-with-sigma/SKILL.md b/skills/building-detection-rules-with-sigma/SKILL.md index 967cd29d..aecf44f4 100644 --- a/skills/building-detection-rules-with-sigma/SKILL.md +++ b/skills/building-detection-rules-with-sigma/SKILL.md 
@@ -1,9 +1,10 @@ --- name: building-detection-rules-with-sigma -description: 'Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms - including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence, - mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac - or pySigma backends. +description: 'Builds vendor-agnostic detection rules using the Sigma rule format for + threat detection across SIEM platforms including Splunk, Elastic, and Microsoft + Sentinel. Use when creating portable detection logic from threat intelligence, mapping + rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific + queries using sigmac or pySigma backends. ' domain: cybersecurity @@ -31,6 +32,12 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1059.001 +- T1003.001 +- T1055 +- T1053.005 +- T1547.001 --- # Building Detection Rules with Sigma diff --git a/skills/building-devsecops-pipeline-with-gitlab-ci/SKILL.md b/skills/building-devsecops-pipeline-with-gitlab-ci/SKILL.md index fb68be4f..7c47b85f 100644 --- a/skills/building-devsecops-pipeline-with-gitlab-ci/SKILL.md +++ b/skills/building-devsecops-pipeline-with-gitlab-ci/SKILL.md @@ -1,7 +1,7 @@ --- name: building-devsecops-pipeline-with-gitlab-ci -description: Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning, - dependency scanning, and secret detection. +description: Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD + integrating SAST, DAST, container scanning, dependency scanning, and secret detection. domain: cybersecurity subdomain: devsecops tags: 
@@ -21,6 +21,12 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195.001 +- T1195.002 +- T1552.001 +- T1190 +- T1610 --- # Building DevSecOps Pipeline with GitLab CI diff --git a/skills/building-identity-federation-with-saml-azure-ad/SKILL.md b/skills/building-identity-federation-with-saml-azure-ad/SKILL.md index b5708454..f04bf5aa 100644 --- a/skills/building-identity-federation-with-saml-azure-ad/SKILL.md +++ b/skills/building-identity-federation-with-saml-azure-ad/SKILL.md @@ -1,7 +1,8 @@ --- name: building-identity-federation-with-saml-azure-ad -description: Establish SAML 2.0 identity federation between on-premises Active Directory and Azure AD (Microsoft Entra ID) - for seamless cross-domain authentication and SSO to cloud applications. +description: Establish SAML 2.0 identity federation between on-premises Active Directory + and Azure AD (Microsoft Entra ID) for seamless cross-domain authentication and SSO + to cloud applications. domain: cybersecurity subdomain: identity-access-management tags: @@ -21,6 +22,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1606.002 +- T1556.007 +- T1484.002 +- T1078.004 +- T1110.003 --- # Building Identity Federation with SAML Azure AD diff --git a/skills/building-identity-governance-lifecycle-process/SKILL.md b/skills/building-identity-governance-lifecycle-process/SKILL.md index 9567cb7a..0f0da8e9 100644 --- a/skills/building-identity-governance-lifecycle-process/SKILL.md +++ b/skills/building-identity-governance-lifecycle-process/SKILL.md 
@@ -1,9 +1,10 @@ --- name: building-identity-governance-lifecycle-process -description: 'Builds comprehensive identity governance and lifecycle management processes including joiner-mover-leaver automation, - role mining, access request workflows, periodic recertification, and orphaned account remediation using IGA platforms. Activates - for requests involving identity lifecycle management, JML processes, role-based access provisioning, or identity governance - program design. +description: 'Builds comprehensive identity governance and lifecycle management processes + including joiner-mover-leaver automation, role mining, access request workflows, + periodic recertification, and orphaned account remediation using IGA platforms. + Activates for requests involving identity lifecycle management, JML processes, role-based + access provisioning, or identity governance program design. ' domain: cybersecurity @@ -27,6 +28,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1098 +- T1136 +- T1078 +- T1531 +- T1087 --- # Building Identity Governance Lifecycle Process diff --git a/skills/building-incident-response-dashboard/SKILL.md b/skills/building-incident-response-dashboard/SKILL.md index 7274a250..bc50de02 100644 --- a/skills/building-incident-response-dashboard/SKILL.md +++ b/skills/building-incident-response-dashboard/SKILL.md 
@@ -1,8 +1,10 @@ --- name: building-incident-response-dashboard -description: 'Builds real-time incident response dashboards in Splunk, Elastic, or Grafana to provide SOC analysts and leadership - with situational awareness during active incidents, tracking affected systems, containment status, IOC spread, and response - timeline. Use when IR teams need unified visibility during incident coordination and post-incident reporting. +description: 'Builds real-time incident response dashboards in Splunk, Elastic, or + Grafana to provide SOC analysts and leadership with situational awareness during + active incidents, tracking affected systems, containment status, IOC spread, and + response timeline. Use when IR teams need unified visibility during incident coordination + and post-incident reporting. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1486 +- T1071.001 +- T1021.002 +- T1041 +- T1566 --- # Building Incident Response Dashboard diff --git a/skills/building-incident-response-playbook/SKILL.md b/skills/building-incident-response-playbook/SKILL.md index 9ec4b972..8cb31305 100644 --- a/skills/building-incident-response-playbook/SKILL.md +++ b/skills/building-incident-response-playbook/SKILL.md 
@@ -1,9 +1,11 @@ --- name: building-incident-response-playbook -description: 'Designs and documents structured incident response playbooks that define step-by-step procedures for specific - incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation - criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident - response procedure documentation, response runbook development, or SOAR playbook design. +description: 'Designs and documents structured incident response playbooks that define + step-by-step procedures for specific incident types aligned with NIST SP 800-61r3 + and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation + criteria, RACI matrices, and integration with SOAR platforms. Activates for requests + involving IR playbook creation, incident response procedure documentation, response + runbook development, or SOAR playbook design. ' domain: cybersecurity @@ -15,8 +17,10 @@ tags: - SOAR-integration - response-procedures mitre_attack: -- T1190 +- T1486 - T1566 +- T1190 +- T1041 - T1078 version: 1.0.0 author: mahipal diff --git a/skills/building-incident-timeline-with-timesketch/SKILL.md b/skills/building-incident-timeline-with-timesketch/SKILL.md index f89f01ef..948ba59d 100644 --- a/skills/building-incident-timeline-with-timesketch/SKILL.md +++ b/skills/building-incident-timeline-with-timesketch/SKILL.md 
@@ -1,7 +1,8 @@ --- name: building-incident-timeline-with-timesketch -description: Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source - event data for attack chain reconstruction and investigation documentation. +description: Build collaborative forensic incident timelines using Timesketch to ingest, + normalize, and analyze multi-source event data for attack chain reconstruction and + investigation documentation. domain: cybersecurity subdomain: incident-response tags: @@ -13,9 +14,11 @@ tags: - incident-investigation - collaborative-forensics mitre_attack: -- T1070 -- T1059 -- T1053 +- T1059.001 +- T1021.002 +- T1547.001 +- T1053.005 +- T1070.006 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/building-ioc-defanging-and-sharing-pipeline/SKILL.md b/skills/building-ioc-defanging-and-sharing-pipeline/SKILL.md index 91fc4350..4f58594d 100644 --- a/skills/building-ioc-defanging-and-sharing-pipeline/SKILL.md +++ b/skills/building-ioc-defanging-and-sharing-pipeline/SKILL.md @@ -1,7 +1,8 @@ --- name: building-ioc-defanging-and-sharing-pipeline -description: Build an automated pipeline to defang indicators of compromise (URLs, IPs, domains, emails) for safe sharing - and distribute them in STIX format through TAXII feeds and threat intelligence platforms. +description: Build an automated pipeline to defang indicators of compromise (URLs, + IPs, domains, emails) for safe sharing and distribute them in STIX format through + TAXII feeds and threat intelligence platforms. domain: cybersecurity subdomain: threat-intelligence tags: @@ -21,6 +22,11 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1071.001 +- T1583.001 +- T1105 +- T1566.002 --- # Building IOC Defanging and Sharing Pipeline diff --git a/skills/building-ioc-enrichment-pipeline-with-opencti/SKILL.md b/skills/building-ioc-enrichment-pipeline-with-opencti/SKILL.md index fab7a67a..098c8573 100644 
--- a/skills/building-ioc-enrichment-pipeline-with-opencti/SKILL.md +++ b/skills/building-ioc-enrichment-pipeline-with-opencti/SKILL.md @@ -1,7 +1,8 @@ --- name: building-ioc-enrichment-pipeline-with-opencti -description: OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its - native data model. This skill covers building an automated IOC enrichment pipeline using O +description: OpenCTI is an open-source platform for managing cyber threat intelligence + knowledge, built on STIX 2.1 as its native data model. This skill covers building + an automated IOC enrichment pipeline using O domain: cybersecurity subdomain: threat-intelligence tags: @@ -21,6 +22,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1071.001 +- T1583.001 +- T1105 +- T1590.005 +- T1588.001 --- # Building IOC Enrichment Pipeline with OpenCTI diff --git a/skills/building-malware-incident-communication-template/SKILL.md b/skills/building-malware-incident-communication-template/SKILL.md index 7c5a3d00..13a0f505 100644 --- a/skills/building-malware-incident-communication-template/SKILL.md +++ b/skills/building-malware-incident-communication-template/SKILL.md @@ -1,7 +1,8 @@ --- name: building-malware-incident-communication-template -description: Build structured communication templates for malware incidents including stakeholder notifications, executive - briefings, technical advisories, and regulatory disclosures with severity-based escalation procedures. +description: Build structured communication templates for malware incidents including + stakeholder notifications, executive briefings, technical advisories, and regulatory + disclosures with severity-based escalation procedures. domain: cybersecurity subdomain: incident-response tags: 
@@ -12,9 +13,11 @@ tags: - executive-briefing - regulatory-disclosure mitre_attack: +- T1486 +- T1490 +- T1657 +- T1041 - T1566 -- T1204 -- T1027 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/building-patch-tuesday-response-process/SKILL.md b/skills/building-patch-tuesday-response-process/SKILL.md index 96488e6a..edfa858d 100644 --- a/skills/building-patch-tuesday-response-process/SKILL.md +++ b/skills/building-patch-tuesday-response-process/SKILL.md @@ -1,7 +1,7 @@ --- name: building-patch-tuesday-response-process -description: Establish a structured operational process to triage, test, and deploy Microsoft Patch Tuesday security updates - within risk-based remediation SLAs. +description: Establish a structured operational process to triage, test, and deploy + Microsoft Patch Tuesday security updates within risk-based remediation SLAs. domain: cybersecurity subdomain: vulnerability-management tags: @@ -20,6 +20,12 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 +- T1210 +- T1588.006 --- # Building Patch Tuesday Response Process diff --git a/skills/building-phishing-reporting-button-workflow/SKILL.md b/skills/building-phishing-reporting-button-workflow/SKILL.md index e2260b0f..17add0eb 100644 --- a/skills/building-phishing-reporting-button-workflow/SKILL.md +++ b/skills/building-phishing-reporting-button-workflow/SKILL.md @@ -1,7 +1,8 @@ --- name: building-phishing-reporting-button-workflow -description: Implement a phishing report button in email clients with automated triage workflow that analyzes user-reported - suspicious emails and provides feedback to reporters. +description: Implement a phishing report button in email clients with automated triage + workflow that analyzes user-reported suspicious emails and provides feedback to + reporters. domain: cybersecurity subdomain: phishing-defense tags: 
@@ -13,8 +14,10 @@ tags: - microsoft-365 - soar mitre_attack: -- T1566 -- T1204 +- T1566.001 +- T1566.002 +- T1598.003 +- T1204.001 - T1534 version: '1.0' author: mahipal diff --git a/skills/building-ransomware-playbook-with-cisa-framework/SKILL.md b/skills/building-ransomware-playbook-with-cisa-framework/SKILL.md index ae25fb3b..4014ac11 100644 --- a/skills/building-ransomware-playbook-with-cisa-framework/SKILL.md +++ b/skills/building-ransomware-playbook-with-cisa-framework/SKILL.md @@ -1,9 +1,10 @@ --- name: building-ransomware-playbook-with-cisa-framework -description: 'Builds a structured ransomware incident response playbook aligned with the CISA StopRansomware Guide and NIST - Cybersecurity Framework. Covers preparation, detection, containment, eradication, recovery, and post-incident phases with - actionable checklists. Activates for requests involving ransomware response planning, CISA compliance, incident response - playbook creation, or ransomware preparedness assessment. +description: 'Builds a structured ransomware incident response playbook aligned with + the CISA StopRansomware Guide and NIST Cybersecurity Framework. Covers preparation, + detection, containment, eradication, recovery, and post-incident phases with actionable + checklists. Activates for requests involving ransomware response planning, CISA + compliance, incident response playbook creation, or ransomware preparedness assessment. ' domain: cybersecurity @@ -23,6 +24,12 @@ nist_csf: - RS.MA-01 - RC.RP-01 - PR.IR-01 +mitre_attack: +- T1486 +- T1490 +- T1489 +- T1078 +- T1021.002 --- # Building Ransomware Playbook with CISA Framework diff --git a/skills/building-red-team-c2-infrastructure-with-havoc/SKILL.md b/skills/building-red-team-c2-infrastructure-with-havoc/SKILL.md index cf021ae4..755a5427 100644 --- a/skills/building-red-team-c2-infrastructure-with-havoc/SKILL.md +++ b/skills/building-red-team-c2-infrastructure-with-havoc/SKILL.md 
@@ -1,7 +1,7 @@ --- name: building-red-team-c2-infrastructure-with-havoc -description: Deploy and configure the Havoc C2 framework with teamserver, HTTPS listeners, redirectors, and Demon agents for - authorized red team operations. +description: Deploy and configure the Havoc C2 framework with teamserver, HTTPS listeners, + redirectors, and Demon agents for authorized red team operations. domain: cybersecurity subdomain: red-teaming tags: @@ -28,6 +28,13 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1071.001 +- T1573.002 +- T1583.001 +- T1090.002 +- T1105 +- T1055 --- # Building Red Team C2 Infrastructure with Havoc diff --git a/skills/building-role-mining-for-rbac-optimization/SKILL.md b/skills/building-role-mining-for-rbac-optimization/SKILL.md index 0f2ad092..f1bcc3d7 100644 --- a/skills/building-role-mining-for-rbac-optimization/SKILL.md +++ b/skills/building-role-mining-for-rbac-optimization/SKILL.md @@ -1,7 +1,8 @@ --- name: building-role-mining-for-rbac-optimization -description: Apply bottom-up and top-down role mining techniques to discover optimal RBAC roles from existing user-permission - assignments, reducing role explosion and enforcing least privilege. +description: Apply bottom-up and top-down role mining techniques to discover optimal + RBAC roles from existing user-permission assignments, reducing role explosion and + enforcing least privilege. domain: cybersecurity subdomain: identity-access-management tags: @@ -19,6 +20,10 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1098 +- T1069 --- # Building Role Mining for RBAC Optimization diff --git a/skills/building-soc-escalation-matrix/SKILL.md b/skills/building-soc-escalation-matrix/SKILL.md index 6f06c3a0..63794042 100644 --- a/skills/building-soc-escalation-matrix/SKILL.md +++ b/skills/building-soc-escalation-matrix/SKILL.md 
@@ -1,7 +1,7 @@ --- name: building-soc-escalation-matrix -description: Build a structured SOC escalation matrix defining severity tiers, response SLAs, escalation paths, and notification - procedures for security incidents. +description: Build a structured SOC escalation matrix defining severity tiers, response + SLAs, escalation paths, and notification procedures for security incidents. domain: cybersecurity subdomain: soc-operations tags: @@ -20,6 +20,10 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1071 +- T1041 --- # Building SOC Escalation Matrix diff --git a/skills/building-soc-metrics-and-kpi-tracking/SKILL.md b/skills/building-soc-metrics-and-kpi-tracking/SKILL.md index 496309e8..0f828b09 100644 --- a/skills/building-soc-metrics-and-kpi-tracking/SKILL.md +++ b/skills/building-soc-metrics-and-kpi-tracking/SKILL.md @@ -1,8 +1,10 @@ --- name: building-soc-metrics-and-kpi-tracking -description: 'Builds SOC performance metrics and KPI tracking dashboards measuring Mean Time to Detect (MTTD), Mean Time to - Respond (MTTR), alert quality ratios, analyst productivity, and detection coverage using SIEM data. Use when SOC leadership - needs operational visibility, continuous improvement tracking, or executive-level reporting on security operations effectiveness. +description: 'Builds SOC performance metrics and KPI tracking dashboards measuring + Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), alert quality ratios, analyst + productivity, and detection coverage using SIEM data. Use when SOC leadership needs + operational visibility, continuous improvement tracking, or executive-level reporting + on security operations effectiveness. ' domain: cybersecurity @@ -32,6 +34,9 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1071 --- # Building SOC Metrics and KPI Tracking 
diff --git a/skills/building-soc-playbook-for-ransomware/SKILL.md b/skills/building-soc-playbook-for-ransomware/SKILL.md index b5522c9d..5083a4d1 100644 --- a/skills/building-soc-playbook-for-ransomware/SKILL.md +++ b/skills/building-soc-playbook-for-ransomware/SKILL.md @@ -1,8 +1,10 @@ --- name: building-soc-playbook-for-ransomware -description: 'Builds a structured SOC incident response playbook for ransomware attacks covering detection, containment, eradication, - and recovery phases with specific SIEM queries, isolation procedures, and decision trees. Use when SOC teams need formalized - response procedures for ransomware incidents aligned to NIST SP 800-61 and MITRE ATT&CK ransomware techniques. +description: 'Builds a structured SOC incident response playbook for ransomware attacks + covering detection, containment, eradication, and recovery phases with specific + SIEM queries, isolation procedures, and decision trees. Use when SOC teams need + formalized response procedures for ransomware incidents aligned to NIST SP 800-61 + and MITRE ATT&CK ransomware techniques. ' domain: cybersecurity @@ -19,7 +21,8 @@ mitre_attack: - T1486 - T1490 - T1489 -- T1570 +- T1566 +- T1059.001 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/building-threat-actor-profile-from-osint/SKILL.md b/skills/building-threat-actor-profile-from-osint/SKILL.md index 5c37d1a3..cabc8d16 100644 --- a/skills/building-threat-actor-profile-from-osint/SKILL.md +++ b/skills/building-threat-actor-profile-from-osint/SKILL.md 
@@ -1,13 +1,14 @@ --- name: building-threat-actor-profile-from-osint -description: Build comprehensive threat actor profiles using open-source intelligence (OSINT) techniques to document adversary - motivations, capabilities, infrastructure, and TTPs for proactive defense. +description: Build comprehensive threat actor profiles using open-source intelligence + (OSINT) techniques to document adversary motivations, capabilities, infrastructure, + and TTPs for proactive defense. domain: cybersecurity subdomain: threat-intelligence tags: - osint - threat-actor -- profiling +- threat-actor-profiling - maltego - spiderfoot - attribution @@ -21,6 +22,11 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1589 +- T1593 +- T1590 --- # Building Threat Actor Profile from OSINT diff --git a/skills/building-threat-feed-aggregation-with-misp/SKILL.md b/skills/building-threat-feed-aggregation-with-misp/SKILL.md index 3f84bfce..8c2e721f 100644 --- a/skills/building-threat-feed-aggregation-with-misp/SKILL.md +++ b/skills/building-threat-feed-aggregation-with-misp/SKILL.md @@ -1,7 +1,8 @@ --- name: building-threat-feed-aggregation-with-misp -description: Deploy MISP (Malware Information Sharing Platform) to aggregate, correlate, and distribute threat intelligence - feeds from multiple sources for centralized IOC management and automated SIEM integration. +description: Deploy MISP (Malware Information Sharing Platform) to aggregate, correlate, + and distribute threat intelligence feeds from multiple sources for centralized IOC + management and automated SIEM integration. domain: cybersecurity subdomain: threat-intelligence tags: @@ -21,6 +22,10 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1071 +- T1105 +- T1588.001 --- # Building Threat Feed Aggregation with MISP diff --git a/skills/building-threat-hunt-hypothesis-framework/SKILL.md b/skills/building-threat-hunt-hypothesis-framework/SKILL.md index 337da7e0..d8a20711 100644 
--- a/skills/building-threat-hunt-hypothesis-framework/SKILL.md +++ b/skills/building-threat-hunt-hypothesis-framework/SKILL.md @@ -1,7 +1,7 @@ --- name: building-threat-hunt-hypothesis-framework -description: Build a systematic threat hunt hypothesis framework that transforms threat intelligence, attack patterns, and - environmental data into testable hunting hypotheses. +description: Build a systematic threat hunt hypothesis framework that transforms threat + intelligence, attack patterns, and environmental data into testable hunting hypotheses. domain: cybersecurity subdomain: threat-hunting tags: @@ -19,6 +19,11 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1071 +- T1059.001 +- T1055 +- T1547 --- # Building Threat Hunt Hypothesis Framework diff --git a/skills/building-threat-intelligence-enrichment-in-splunk/SKILL.md b/skills/building-threat-intelligence-enrichment-in-splunk/SKILL.md index 2af0ab91..7053ff5c 100644 --- a/skills/building-threat-intelligence-enrichment-in-splunk/SKILL.md +++ b/skills/building-threat-intelligence-enrichment-in-splunk/SKILL.md @@ -1,7 +1,7 @@ --- name: building-threat-intelligence-enrichment-in-splunk -description: Build automated threat intelligence enrichment pipelines in Splunk Enterprise Security using lookup tables, modular - inputs, and the Threat Intelligence Framework. +description: Build automated threat intelligence enrichment pipelines in Splunk Enterprise + Security using lookup tables, modular inputs, and the Threat Intelligence Framework. domain: cybersecurity subdomain: soc-operations tags: @@ -21,6 +21,10 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1071 +- T1105 +- T1041 --- # Building Threat Intelligence Enrichment in Splunk diff --git a/skills/building-threat-intelligence-feed-integration/SKILL.md b/skills/building-threat-intelligence-feed-integration/SKILL.md index 72aa58fa..ea5a19f9 100644 --- a/skills/building-threat-intelligence-feed-integration/SKILL.md 
+++ b/skills/building-threat-intelligence-feed-integration/SKILL.md @@ -1,9 +1,10 @@ --- name: building-threat-intelligence-feed-integration -description: 'Builds automated threat intelligence feed integration pipelines connecting STIX/TAXII feeds, open-source threat - intel, and commercial TI platforms into SIEM and security tools for real-time IOC matching and alerting. Use when SOC teams - need to operationalize threat intelligence by automating feed ingestion, normalization, scoring, and distribution to detection - systems. +description: 'Builds automated threat intelligence feed integration pipelines connecting + STIX/TAXII feeds, open-source threat intel, and commercial TI platforms into SIEM + and security tools for real-time IOC matching and alerting. Use when SOC teams need + to operationalize threat intelligence by automating feed ingestion, normalization, + scoring, and distribution to detection systems. ' domain: cybersecurity @@ -25,6 +26,10 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1071 +- T1105 +- T1588.001 --- # Building Threat Intelligence Feed Integration diff --git a/skills/building-threat-intelligence-platform/SKILL.md b/skills/building-threat-intelligence-platform/SKILL.md index 7120416f..af11b38e 100644 --- a/skills/building-threat-intelligence-platform/SKILL.md +++ b/skills/building-threat-intelligence-platform/SKILL.md @@ -1,7 +1,8 @@ --- name: building-threat-intelligence-platform -description: Building a Threat Intelligence Platform (TIP) involves deploying and integrating multiple CTI tools into a unified - system for collecting, analyzing, enriching, and disseminating threat intelligence. T +description: Building a Threat Intelligence Platform (TIP) involves deploying and + integrating multiple CTI tools into a unified system for collecting, analyzing, + enriching, and disseminating threat intelligence. T domain: cybersecurity subdomain: threat-intelligence tags: 
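Review bot: the rewrapped `description` in the `building-threat-intelligence-platform/SKILL.md` hunk (`@@ -1,7 +1,8 @@`) still ends in a dangling `T` (`enriching, and disseminating threat intelligence. T`), so the reflow carries a truncated sentence into the new frontmatter. Since the scalar is being rewritten anyway, finish the sentence or drop the stray character before merging.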
@@ -21,6 +22,10 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1071 +- T1588.001 +- T1591 --- # Building Threat Intelligence Platform diff --git a/skills/building-vulnerability-aging-and-sla-tracking/SKILL.md b/skills/building-vulnerability-aging-and-sla-tracking/SKILL.md index 3e9e81db..29ad97ee 100644 --- a/skills/building-vulnerability-aging-and-sla-tracking/SKILL.md +++ b/skills/building-vulnerability-aging-and-sla-tracking/SKILL.md @@ -1,7 +1,7 @@ --- name: building-vulnerability-aging-and-sla-tracking -description: Implement a vulnerability aging dashboard and SLA tracking system to measure remediation performance against - severity-based timelines and drive accountability. +description: Implement a vulnerability aging dashboard and SLA tracking system to + measure remediation performance against severity-based timelines and drive accountability. domain: cybersecurity subdomain: vulnerability-management tags: @@ -20,6 +20,10 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 --- # Building Vulnerability Aging and SLA Tracking diff --git a/skills/building-vulnerability-dashboard-with-defectdojo/SKILL.md b/skills/building-vulnerability-dashboard-with-defectdojo/SKILL.md index d0fa290a..01ac7964 100644 --- a/skills/building-vulnerability-dashboard-with-defectdojo/SKILL.md +++ b/skills/building-vulnerability-dashboard-with-defectdojo/SKILL.md @@ -1,7 +1,7 @@ --- name: building-vulnerability-dashboard-with-defectdojo -description: Deploy DefectDojo as a centralized vulnerability management dashboard with scanner integrations, deduplication, - metrics tracking, and Jira ticketing workflows. +description: Deploy DefectDojo as a centralized vulnerability management dashboard + with scanner integrations, deduplication, metrics tracking, and Jira ticketing workflows. domain: cybersecurity subdomain: vulnerability-management tags: 
@@ -20,6 +20,10 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 --- # Building Vulnerability Dashboard with DefectDojo diff --git a/skills/building-vulnerability-exception-tracking-system/SKILL.md b/skills/building-vulnerability-exception-tracking-system/SKILL.md index c3b640fe..a02a0e02 100644 --- a/skills/building-vulnerability-exception-tracking-system/SKILL.md +++ b/skills/building-vulnerability-exception-tracking-system/SKILL.md @@ -1,7 +1,7 @@ --- name: building-vulnerability-exception-tracking-system -description: Build a vulnerability exception and risk acceptance tracking system with approval workflows, compensating controls - documentation, and expiration management. +description: Build a vulnerability exception and risk acceptance tracking system with + approval workflows, compensating controls documentation, and expiration management. domain: cybersecurity subdomain: vulnerability-management tags: @@ -19,6 +19,9 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1068 --- # Building Vulnerability Exception Tracking System diff --git a/skills/building-vulnerability-scanning-workflow/SKILL.md b/skills/building-vulnerability-scanning-workflow/SKILL.md index 740a2080..482e5400 100644 --- a/skills/building-vulnerability-scanning-workflow/SKILL.md +++ b/skills/building-vulnerability-scanning-workflow/SKILL.md 
@@ -1,9 +1,10 @@ --- name: building-vulnerability-scanning-workflow -description: 'Builds a structured vulnerability scanning workflow using tools like Nessus, Qualys, and OpenVAS to discover, - prioritize, and track remediation of security vulnerabilities across infrastructure. Use when SOC teams need to establish - recurring vulnerability assessment processes, integrate scan results with SIEM alerting, and build remediation tracking - dashboards. +description: 'Builds a structured vulnerability scanning workflow using tools like + Nessus, Qualys, and OpenVAS to discover, prioritize, and track remediation of security + vulnerabilities across infrastructure. Use when SOC teams need to establish recurring + vulnerability assessment processes, integrate scan results with SIEM alerting, and + build remediation tracking dashboards. ' domain: cybersecurity @@ -25,6 +26,10 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1595.002 +- T1190 +- T1046 --- # Building Vulnerability Scanning Workflow diff --git a/skills/bypassing-authentication-with-forced-browsing/SKILL.md b/skills/bypassing-authentication-with-forced-browsing/SKILL.md index c6e4666d..03a75d24 100644 --- a/skills/bypassing-authentication-with-forced-browsing/SKILL.md +++ b/skills/bypassing-authentication-with-forced-browsing/SKILL.md @@ -1,7 +1,8 @@ --- name: bypassing-authentication-with-forced-browsing -description: Discovering and accessing unprotected pages, APIs, and administrative interfaces by enumerating URLs and bypassing - authentication controls during authorized security assessments. +description: Discovering and accessing unprotected pages, APIs, and administrative + interfaces by enumerating URLs and bypassing authentication controls during authorized + security assessments. domain: cybersecurity subdomain: web-application-security tags: 
@@ -19,6 +20,10 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1083 +- T1087 --- # Bypassing Authentication with Forced Browsing diff --git a/skills/collecting-indicators-of-compromise/SKILL.md b/skills/collecting-indicators-of-compromise/SKILL.md index 13a7b4d6..fa6bce97 100644 --- a/skills/collecting-indicators-of-compromise/SKILL.md +++ b/skills/collecting-indicators-of-compromise/SKILL.md @@ -1,9 +1,11 @@ --- name: collecting-indicators-of-compromise -description: 'Systematically collects, categorizes, and distributes indicators of compromise (IOCs) during and after security - incidents to enable detection, blocking, and threat intelligence sharing. Covers network, host, email, and behavioral indicators - using STIX/TAXII formats and threat intelligence platforms. Activates for requests involving IOC collection, indicator extraction, - threat indicator sharing, compromise indicators, STIX export, or IOC enrichment. +description: 'Systematically collects, categorizes, and distributes indicators of + compromise (IOCs) during and after security incidents to enable detection, blocking, + and threat intelligence sharing. Covers network, host, email, and behavioral indicators + using STIX/TAXII formats and threat intelligence platforms. Activates for requests + involving IOC collection, indicator extraction, threat indicator sharing, compromise + indicators, STIX export, or IOC enrichment. ' domain: cybersecurity @@ -15,10 +17,12 @@ tags: - MISP - threat-intelligence-sharing mitre_attack: -- T1071 -- T1059 -- T1547 -- T1053 +- T1071.001 +- T1071.004 +- T1053.005 +- T1547.001 +- T1059.001 +- T1041 version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/collecting-open-source-intelligence/SKILL.md b/skills/collecting-open-source-intelligence/SKILL.md index 1c71fd26..d66cd45a 100644 --- a/skills/collecting-open-source-intelligence/SKILL.md +++ b/skills/collecting-open-source-intelligence/SKILL.md 
@@ -1,10 +1,12 @@ --- name: collecting-open-source-intelligence -description: 'Collects and synthesizes open-source intelligence (OSINT) about threat actors, malicious infrastructure, and - attack campaigns using publicly available data sources, passive reconnaissance tools, and dark web monitoring. Use when - investigating external threat actor infrastructure, performing pre-engagement reconnaissance for authorized red team assessments, - or enriching CTI reports with publicly available adversary context. Activates for requests involving Maltego, Shodan, OSINT - framework, SpiderFoot, or infrastructure reconnaissance. +description: 'Collects and synthesizes open-source intelligence (OSINT) about threat + actors, malicious infrastructure, and attack campaigns using publicly available + data sources, passive reconnaissance tools, and dark web monitoring. Use when investigating + external threat actor infrastructure, performing pre-engagement reconnaissance for + authorized red team assessments, or enriching CTI reports with publicly available + adversary context. Activates for requests involving Maltego, Shodan, OSINT framework, + SpiderFoot, or infrastructure reconnaissance. ' domain: cybersecurity @@ -26,6 +28,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1593.001 +- T1589.002 +- T1596.002 +- T1590 +- T1596.001 --- # Collecting Open-Source Intelligence diff --git a/skills/collecting-threat-intelligence-with-misp/SKILL.md b/skills/collecting-threat-intelligence-with-misp/SKILL.md index 767e377a..7a2e2c99 100644 --- a/skills/collecting-threat-intelligence-with-misp/SKILL.md +++ b/skills/collecting-threat-intelligence-with-misp/SKILL.md 
@@ -1,7 +1,8 @@ --- name: collecting-threat-intelligence-with-misp -description: MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform for gathering, sharing, - storing, and correlating Indicators of Compromise (IOCs) of targeted attacks, threat +description: MISP (Malware Information Sharing Platform) is an open-source threat + intelligence platform for gathering, sharing, storing, and correlating Indicators + of Compromise (IOCs) of targeted attacks, threat domain: cybersecurity subdomain: threat-intelligence tags: @@ -21,6 +22,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1071.001 +- T1588.001 +- T1583.001 +- T1566.001 +- T1587.001 --- # Collecting Threat Intelligence with MISP diff --git a/skills/collecting-volatile-evidence-from-compromised-host/SKILL.md b/skills/collecting-volatile-evidence-from-compromised-host/SKILL.md index c6999433..13ee6bc4 100644 --- a/skills/collecting-volatile-evidence-from-compromised-host/SKILL.md +++ b/skills/collecting-volatile-evidence-from-compromised-host/SKILL.md @@ -1,7 +1,8 @@ --- name: collecting-volatile-evidence-from-compromised-host -description: Collect volatile forensic evidence from a compromised system following order of volatility, preserving memory, - network connections, processes, and system state before they are lost. +description: Collect volatile forensic evidence from a compromised system following + order of volatility, preserving memory, network connections, processes, and system + state before they are lost. domain: cybersecurity subdomain: incident-response tags: @@ -12,10 +13,11 @@ tags: - memory-forensics - chain-of-custody mitre_attack: -- T1003 -- T1055 -- T1059 -- T1547 +- T1059.001 +- T1057 +- T1049 +- T1003.001 +- T1543.003 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/conducting-api-security-testing/SKILL.md b/skills/conducting-api-security-testing/SKILL.md index 4a709f07..f8a34a1c 100644 
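Review bot: in the `collecting-threat-intelligence-with-misp/SKILL.md` hunk (`@@ -1,7 +1,8 @@`) the rewrapped `description` still stops mid-sentence at `of Compromise (IOCs) of targeted attacks, threat`; the reflow preserved the truncation instead of fixing it. Complete the sentence (or end it at `targeted attacks.`) so the skill summary is not cut off in tooling that renders the frontmatter.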
--- a/skills/conducting-api-security-testing/SKILL.md +++ b/skills/conducting-api-security-testing/SKILL.md @@ -1,10 +1,12 @@ --- name: conducting-api-security-testing -description: 'Conducts security testing of REST, GraphQL, and gRPC APIs to identify vulnerabilities in authentication, authorization, - rate limiting, input validation, and business logic. The tester uses the OWASP API Security Top 10 as the testing framework, - combining Burp Suite interception with Postman collections and custom scripts to test endpoint security at every privilege - level. Activates for requests involving API security testing, REST API pentest, GraphQL security assessment, or API vulnerability - testing. +description: 'Conducts security testing of REST, GraphQL, and gRPC APIs to identify + vulnerabilities in authentication, authorization, rate limiting, input validation, + and business logic. The tester uses the OWASP API Security Top 10 as the testing + framework, combining Burp Suite interception with Postman collections and custom + scripts to test endpoint security at every privilege level. Activates for requests + involving API security testing, REST API pentest, GraphQL security assessment, or + API vulnerability testing. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1190 +- T1213 +- T1552.001 +- T1078 +- T1071.001 --- # Conducting API Security Testing diff --git a/skills/conducting-cloud-penetration-testing/SKILL.md b/skills/conducting-cloud-penetration-testing/SKILL.md index 7acefcb6..bbfa41df 100644 --- a/skills/conducting-cloud-penetration-testing/SKILL.md +++ b/skills/conducting-cloud-penetration-testing/SKILL.md 
@@ -1,9 +1,11 @@ --- name: conducting-cloud-penetration-testing -description: 'This skill outlines methodologies for performing authorized penetration testing against AWS, Azure, and GCP - cloud environments. It covers understanding the shared responsibility model for testing scope, leveraging cloud-specific - attack tools like Pacu and ScoutSuite, exploiting IAM misconfigurations, testing for SSRF to cloud metadata services, and - reporting findings aligned to MITRE ATT&CK Cloud matrix. +description: 'This skill outlines methodologies for performing authorized penetration + testing against AWS, Azure, and GCP cloud environments. It covers understanding + the shared responsibility model for testing scope, leveraging cloud-specific attack + tools like Pacu and ScoutSuite, exploiting IAM misconfigurations, testing for SSRF + to cloud metadata services, and reporting findings aligned to MITRE ATT&CK Cloud + matrix. ' domain: cybersecurity @@ -36,6 +38,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1580 +- T1530 +- T1538 --- # Conducting Cloud Penetration Testing diff --git a/skills/conducting-domain-persistence-with-dcsync/SKILL.md b/skills/conducting-domain-persistence-with-dcsync/SKILL.md index bf859019..1c84ad5d 100644 --- a/skills/conducting-domain-persistence-with-dcsync/SKILL.md +++ b/skills/conducting-domain-persistence-with-dcsync/SKILL.md @@ -1,7 +1,8 @@ --- name: conducting-domain-persistence-with-dcsync -description: Perform DCSync attacks to replicate Active Directory credentials and establish domain persistence by extracting - KRBTGT, Domain Admin, and service account hashes for Golden Ticket creation. +description: Perform DCSync attacks to replicate Active Directory credentials and + establish domain persistence by extracting KRBTGT, Domain Admin, and service account + hashes for Golden Ticket creation. domain: cybersecurity subdomain: red-teaming tags: 
@@ -25,6 +26,10 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1003.006 +- T1207 +- T1098 --- # Conducting Domain Persistence with DCSync diff --git a/skills/conducting-external-reconnaissance-with-osint/SKILL.md b/skills/conducting-external-reconnaissance-with-osint/SKILL.md index 0eba2196..e92c6c8f 100644 --- a/skills/conducting-external-reconnaissance-with-osint/SKILL.md +++ b/skills/conducting-external-reconnaissance-with-osint/SKILL.md @@ -1,10 +1,12 @@ --- name: conducting-external-reconnaissance-with-osint -description: 'Conducts external reconnaissance using Open Source Intelligence (OSINT) techniques to map an organization''s - external attack surface without directly interacting with target systems. The tester gathers information from public sources - including DNS records, certificate transparency logs, search engines, social media, code repositories, and data breach databases - to build a comprehensive target profile. Activates for requests involving OSINT reconnaissance, external footprinting, attack - surface mapping, or passive information gathering. +description: 'Conducts external reconnaissance using Open Source Intelligence (OSINT) + techniques to map an organization''s external attack surface without directly interacting + with target systems. The tester gathers information from public sources including + DNS records, certificate transparency logs, search engines, social media, code repositories, + and data breach databases to build a comprehensive target profile. Activates for + requests involving OSINT reconnaissance, external footprinting, attack surface mapping, + or passive information gathering. ' domain: cybersecurity @@ -23,6 +25,11 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1592 +- T1589 +- T1590 --- # Conducting External Reconnaissance with OSINT 
diff --git a/skills/conducting-external-reconnaissance-with-osint/scripts/agent.py b/skills/conducting-external-reconnaissance-with-osint/scripts/agent.py index 918bc29c..e9f59c26 100644 --- a/skills/conducting-external-reconnaissance-with-osint/scripts/agent.py +++ b/skills/conducting-external-reconnaissance-with-osint/scripts/agent.py 
@@ -84,16 +84,38 @@ def check_email_security(domain): return email_security -def search_breach_data(email_domain): - """Search Have I Been Pwned for breached accounts (requires API key).""" - url = f"https://haveibeenpwned.com/api/v3/breachedaccount/{email_domain}" - headers = {"hibp-api-key": "PLACEHOLDER", "user-agent": "OSINT-Agent"} +def search_breach_data(account, api_key): + """Search Have I Been Pwned v3 for breaches affecting an account. + + Requires a paid HIBP API key passed in the `hibp-api-key` header. The v3 + breachedaccount endpoint returns 200 with a breach list, 404 when the + account has no breaches, 401 for a missing/invalid key, and 429 on rate + limiting (Retry-After header indicates the back-off in seconds). + """ + if not api_key: + logger.warning("HIBP API key not provided; skipping breach lookup") + return [] + url = f"https://haveibeenpwned.com/api/v3/breachedaccount/{account}" + headers = {"hibp-api-key": api_key, "user-agent": "OSINT-Recon-Agent"} + params = {"truncateResponse": "false"} try: - resp = requests.get(url, headers=headers, timeout=10) + resp = requests.get(url, headers=headers, params=params, timeout=15) if resp.status_code == 200: - return resp.json() - except requests.RequestException: - pass + breaches = resp.json() + logger.info("HIBP: %d breach(es) for %s", len(breaches), account) + return breaches + if resp.status_code == 404: + logger.info("HIBP: no breaches found for %s", account) + return [] + if resp.status_code == 401: + logger.error("HIBP: unauthorized - invalid or missing API key") + elif resp.status_code == 429: + logger.error("HIBP: rate limited, retry after %s seconds", + resp.headers.get("Retry-After", "unknown")) + else: + logger.error("HIBP: unexpected status %d", resp.status_code) + except requests.RequestException as e: + logger.error("HIBP request failed: %s", e) return [] 
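Review bot: `search_breach_data` returns `[]` on every failure path (missing key, 401, 429, unexpected status, `RequestException`) as well as on a genuine 404, so a caller cannot distinguish "lookup failed" from "no breaches found"; consider returning `None` (or raising) for the error branches and reserving `[]` for the 404 case. Two smaller points on the same hunk: `logger` is used but the diff adds no `logging` import or `getLogger` definition, so confirm the module already defines it; and the `logger.info(..., account)` lines write the queried email address into the log, which may be unwanted where logs are shipped to a shared sink.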
@@ -142,7 +164,8 @@ def search_github_leaks(domain, github_token=None): return all_results -def generate_recon_report(domain, subdomains, dns, shodan_hosts, email_sec, technologies, github_leaks): +def generate_recon_report(domain, subdomains, dns, shodan_hosts, email_sec, + technologies, github_leaks, breaches): """Generate external reconnaissance report.""" report = { "target": domain, @@ -153,9 +176,11 @@ def generate_recon_report(domain, subdomains, dns, shodan_hosts, email_sec, tech "email_security": email_sec, "web_technologies": technologies, "github_leaks": github_leaks, + "breaches": {"count": len(breaches), "list": breaches}, } print(f"RECON REPORT - {domain}") - print(f"Subdomains: {len(subdomains)}, Shodan hosts: {len(shodan_hosts)}, GitHub leaks: {len(github_leaks)}") + print(f"Subdomains: {len(subdomains)}, Shodan hosts: {len(shodan_hosts)}, " + f"GitHub leaks: {len(github_leaks)}, Breaches: {len(breaches)}") return report @@ -165,6 +190,10 @@ def main(): parser.add_argument("--org", help="Organization name for Shodan search") parser.add_argument("--shodan-key", help="Shodan API key") parser.add_argument("--github-token", help="GitHub token for code search") + parser.add_argument("--hibp-key", help="Have I Been Pwned API key " + "(falls back to HIBP_API_KEY env var)") + parser.add_argument("--breach-account", help="Account/email to check " + "against Have I Been Pwned breaches") parser.add_argument("--output", default="recon_report.json") args = parser.parse_args() 
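Review bot: in the `generate_recon_report` hunk, `"breaches": {"count": len(breaches), "list": breaches}` records a count of 0 both when the lookup was never run (no `--breach-account`) and when it failed, which makes the JSON report misleading. Suggest passing `None` when the check is skipped or errors out and emitting something like `"checked": breaches is not None` alongside the count, so consumers of `recon_report.json` can tell an unchecked account from a clean one.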
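Review bot: in the `main()` argparse hunk, accepting the secret via `--hibp-key` on the command line exposes it through the process list and shell history; since the help text already documents the `HIBP_API_KEY` fallback, prefer the environment variable (or a key file) as the only source, or at least say so in the help string. The same consideration applies to the existing `--shodan-key` and `--github-token` options visible in the context lines.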
@@ -179,8 +208,14 @@ def main(): github_leaks = search_github_leaks(args.domain, args.github_token) if args.github_token else [] + breaches = [] + if args.breach_account: + hibp_key = args.hibp_key or os.environ.get("HIBP_API_KEY") + breaches = search_breach_data(args.breach_account, hibp_key) + report = generate_recon_report( - args.domain, subdomains, dns, shodan_hosts, email_sec, technologies, github_leaks + args.domain, subdomains, dns, shodan_hosts, email_sec, + technologies, github_leaks, breaches ) with open(args.output, "w") as f: json.dump(report, f, indent=2) diff --git a/skills/conducting-full-scope-red-team-engagement/SKILL.md b/skills/conducting-full-scope-red-team-engagement/SKILL.md index 4bf5f4e6..a1d80965 100644 --- a/skills/conducting-full-scope-red-team-engagement/SKILL.md +++ b/skills/conducting-full-scope-red-team-engagement/SKILL.md @@ -1,7 +1,8 @@ --- name: conducting-full-scope-red-team-engagement -description: Plan and execute a comprehensive red team engagement covering reconnaissance through post-exploitation using - MITRE ATT&CK-aligned TTPs to evaluate an organization's detection and response capabilities. +description: Plan and execute a comprehensive red team engagement covering reconnaissance + through post-exploitation using MITRE ATT&CK-aligned TTPs to evaluate an organization's + detection and response capabilities. domain: cybersecurity subdomain: red-teaming tags: @@ -25,6 +26,11 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1566.001 +- T1059.001 +- T1078 +- T1071.001 --- # Conducting Full-Scope Red Team Engagement diff --git a/skills/conducting-internal-network-penetration-test/SKILL.md b/skills/conducting-internal-network-penetration-test/SKILL.md index 2e5723bb..fd955c65 100644 --- a/skills/conducting-internal-network-penetration-test/SKILL.md +++ b/skills/conducting-internal-network-penetration-test/SKILL.md 
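Review bot: the `main()` wiring hunk in `agent.py` (`@@ -179,8 +208,14 @@`) calls `os.environ.get("HIBP_API_KEY")`, but the diff adds no `import os`; confirm the module already imports it, otherwise this path raises `NameError` the first time `--breach-account` is given without `--hibp-key`. The precedence in `args.hibp_key or os.environ.get(...)` is otherwise right (explicit flag wins over the environment).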
@@ -1,7 +1,8 @@ --- name: conducting-internal-network-penetration-test -description: Execute an internal network penetration test simulating an insider threat or post-breach attacker to identify - lateral movement paths, privilege escalation vectors, and sensitive data exposure within the corporate network. +description: Execute an internal network penetration test simulating an insider threat + or post-breach attacker to identify lateral movement paths, privilege escalation + vectors, and sensitive data exposure within the corporate network. domain: cybersecurity subdomain: penetration-testing tags: @@ -26,6 +27,11 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1046 +- T1018 +- T1021 +- T1210 --- # Conducting Internal Network Penetration Test diff --git a/skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md b/skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md index b2249ae8..9c614413 100644 --- a/skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md +++ b/skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md @@ -1,7 +1,8 @@ --- name: conducting-internal-reconnaissance-with-bloodhound-ce -description: Conduct internal Active Directory reconnaissance using BloodHound Community Edition to map attack paths, identify - privilege escalation chains, and discover misconfigurations in domain environments. +description: Conduct internal Active Directory reconnaissance using BloodHound Community + Edition to map attack paths, identify privilege escalation chains, and discover + misconfigurations in domain environments. domain: cybersecurity subdomain: red-teaming tags: @@ -25,6 +26,11 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1087.002 +- T1069.002 +- T1482 +- T1018 --- # Conducting Internal Reconnaissance with BloodHound CE 
diff --git a/skills/conducting-man-in-the-middle-attack-simulation/SKILL.md b/skills/conducting-man-in-the-middle-attack-simulation/SKILL.md index 2849f269..0a25370a 100644 --- a/skills/conducting-man-in-the-middle-attack-simulation/SKILL.md +++ b/skills/conducting-man-in-the-middle-attack-simulation/SKILL.md @@ -1,7 +1,8 @@ --- name: conducting-man-in-the-middle-attack-simulation -description: 'Simulates man-in-the-middle attacks using Ettercap, mitmproxy, and Bettercap in authorized environments to intercept, - analyze, and modify network traffic for testing encryption enforcement, certificate validation, and detection capabilities. +description: 'Simulates man-in-the-middle attacks using Ettercap, mitmproxy, and Bettercap + in authorized environments to intercept, analyze, and modify network traffic for + testing encryption enforcement, certificate validation, and detection capabilities. ' domain: cybersecurity @@ -20,6 +21,10 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1557.001 +- T1557.002 +- T1040 --- # Conducting Man-in-the-Middle Attack Simulation diff --git a/skills/conducting-memory-forensics-with-volatility/SKILL.md b/skills/conducting-memory-forensics-with-volatility/SKILL.md index d00fbcf4..f288488c 100644 --- a/skills/conducting-memory-forensics-with-volatility/SKILL.md +++ b/skills/conducting-memory-forensics-with-volatility/SKILL.md 
@@ -1,9 +1,11 @@ --- name: conducting-memory-forensics-with-volatility -description: 'Performs memory forensics analysis using Volatility 3 to extract evidence of malware execution, process injection, - network connections, and credential theft from RAM dumps captured during incident response. Covers memory acquisition, process - analysis, DLL inspection, and malware detection. Activates for requests involving memory forensics, RAM analysis, Volatility - framework, memory dump investigation, volatile evidence analysis, or live memory acquisition. +description: 'Performs memory forensics analysis using Volatility 3 to extract evidence + of malware execution, process injection, network connections, and credential theft + from RAM dumps captured during incident response. Covers memory acquisition, process + analysis, DLL inspection, and malware detection. Activates for requests involving + memory forensics, RAM analysis, Volatility framework, memory dump investigation, + volatile evidence analysis, or live memory acquisition. ' domain: cybersecurity @@ -15,10 +17,11 @@ tags: - process-injection - DFIR mitre_attack: -- T1003 - T1055 +- T1003.001 +- T1014 +- T1059.001 - T1620 -- T1574 version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/conducting-mobile-app-penetration-test/SKILL.md b/skills/conducting-mobile-app-penetration-test/SKILL.md index f38b08c0..6a9ae4a2 100644 --- a/skills/conducting-mobile-app-penetration-test/SKILL.md +++ b/skills/conducting-mobile-app-penetration-test/SKILL.md 
@@ -1,10 +1,12 @@ --- name: conducting-mobile-app-penetration-test -description: 'Conducts penetration testing of iOS and Android mobile applications following the OWASP Mobile Application Security - Testing Guide (MASTG) to identify vulnerabilities in data storage, network communication, authentication, cryptography, - and platform-specific security controls. The tester performs static analysis of application binaries, dynamic analysis at - runtime, and API security testing to evaluate the complete mobile attack surface. Activates for requests involving mobile - app pentest, iOS security assessment, Android security testing, or OWASP MASTG assessment. +description: 'Conducts penetration testing of iOS and Android mobile applications + following the OWASP Mobile Application Security Testing Guide (MASTG) to identify + vulnerabilities in data storage, network communication, authentication, cryptography, + and platform-specific security controls. The tester performs static analysis of + application binaries, dynamic analysis at runtime, and API security testing to evaluate + the complete mobile attack surface. Activates for requests involving mobile app + pentest, iOS security assessment, Android security testing, or OWASP MASTG assessment. ' domain: cybersecurity @@ -31,6 +33,13 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1426 +- T1409 +- T1521.003 +- T1633 +- T1417 +- T1422 --- # Conducting Mobile App Penetration Test diff --git a/skills/conducting-network-penetration-test/SKILL.md b/skills/conducting-network-penetration-test/SKILL.md index b5213e01..e0b942a1 100644 --- a/skills/conducting-network-penetration-test/SKILL.md +++ b/skills/conducting-network-penetration-test/SKILL.md 
@@ -1,9 +1,11 @@ --- name: conducting-network-penetration-test -description: 'Conducts comprehensive network penetration tests against authorized target environments by performing host discovery, - port scanning, service enumeration, vulnerability identification, and controlled exploitation to assess the security posture - of network infrastructure. The tester follows PTES methodology from reconnaissance through post-exploitation and reporting. - Activates for requests involving network pentest, infrastructure security assessment, internal network testing, or external +description: 'Conducts comprehensive network penetration tests against authorized + target environments by performing host discovery, port scanning, service enumeration, + vulnerability identification, and controlled exploitation to assess the security + posture of network infrastructure. The tester follows PTES methodology from reconnaissance + through post-exploitation and reporting. Activates for requests involving network + pentest, infrastructure security assessment, internal network testing, or external perimeter testing. ' @@ -23,6 +25,13 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1046 +- T1595.002 +- T1190 +- T1210 +- T1021 +- T1078 --- # Conducting Network Penetration Test diff --git a/skills/conducting-pass-the-ticket-attack/SKILL.md b/skills/conducting-pass-the-ticket-attack/SKILL.md index bd7aceb9..71ed0e51 100644 --- a/skills/conducting-pass-the-ticket-attack/SKILL.md +++ b/skills/conducting-pass-the-ticket-attack/SKILL.md 
@@ -1,7 +1,8 @@ --- name: conducting-pass-the-ticket-attack -description: Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate - to services without knowing the user's password. By extracting Kerberos tickets fro +description: Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen + Kerberos tickets (TGT or TGS) to authenticate to services without knowing the user's + password. By extracting Kerberos tickets fro domain: cybersecurity subdomain: red-teaming tags: @@ -26,6 +27,10 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1550.003 +- T1558.003 +- T1078 --- # Conducting Pass-the-Ticket Attack diff --git a/skills/conducting-phishing-incident-response/SKILL.md b/skills/conducting-phishing-incident-response/SKILL.md index 184705b7..aa3bed93 100644 --- a/skills/conducting-phishing-incident-response/SKILL.md +++ b/skills/conducting-phishing-incident-response/SKILL.md @@ -1,9 +1,11 @@ --- name: conducting-phishing-incident-response -description: 'Responds to phishing incidents by analyzing reported emails, extracting indicators, assessing credential compromise, - quarantining malicious messages across the organization, and remediating affected accounts. Covers email header analysis, - URL/attachment sandboxing, and mailbox-wide purge operations. Activates for requests involving phishing response, email - incident, credential phishing, spear phishing investigation, or phishing remediation. +description: 'Responds to phishing incidents by analyzing reported emails, extracting + indicators, assessing credential compromise, quarantining malicious messages across + the organization, and remediating affected accounts. Covers email header analysis, + URL/attachment sandboxing, and mailbox-wide purge operations. Activates for requests + involving phishing response, email incident, credential phishing, spear phishing + investigation, or phishing remediation. ' domain: cybersecurity 
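Review bot: the `conducting-pass-the-ticket-attack/SKILL.md` hunk (`@@ -1,7 +1,8 @@`) rewraps a `description` that is still truncated at `By extracting Kerberos tickets fro`; finish the sentence (or cut it at `password.`) rather than carrying the fragment into the new layout.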
@@ -15,10 +17,12 @@ tags: - email-header-analysis - mailbox-remediation mitre_attack: -- T1566 -- T1204 -- T1534 -- T1598 +- T1566.001 +- T1566.002 +- T1204.002 +- T1204.001 +- T1114 +- T1056.003 version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/conducting-post-incident-lessons-learned/SKILL.md b/skills/conducting-post-incident-lessons-learned/SKILL.md index ac5a94d3..43f327c4 100644 --- a/skills/conducting-post-incident-lessons-learned/SKILL.md +++ b/skills/conducting-post-incident-lessons-learned/SKILL.md @@ -1,7 +1,8 @@ --- name: conducting-post-incident-lessons-learned -description: Facilitate structured post-incident reviews to identify root causes, document what worked and failed, and produce - actionable recommendations to improve future incident response. +description: Facilitate structured post-incident reviews to identify root causes, + document what worked and failed, and produce actionable recommendations to improve + future incident response. domain: cybersecurity subdomain: incident-response tags: @@ -11,8 +12,9 @@ tags: - after-action-review - process-improvement mitre_attack: -- T1190 - T1566 +- T1486 +- T1059 - T1078 version: '1.0' author: mahipal diff --git a/skills/conducting-social-engineering-penetration-test/SKILL.md b/skills/conducting-social-engineering-penetration-test/SKILL.md index 54b446f6..d97d876a 100644 --- a/skills/conducting-social-engineering-penetration-test/SKILL.md +++ b/skills/conducting-social-engineering-penetration-test/SKILL.md 
@@ -1,7 +1,8 @@ --- name: conducting-social-engineering-penetration-test -description: Design and execute a social engineering penetration test including phishing, vishing, smishing, and physical - pretexting campaigns to measure human security resilience and identify training gaps. +description: Design and execute a social engineering penetration test including phishing, + vishing, smishing, and physical pretexting campaigns to measure human security resilience + and identify training gaps. domain: cybersecurity subdomain: penetration-testing tags: @@ -28,6 +29,12 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1566 +- T1598 +- T1566.004 +- T1204.001 +- T1589 --- # Conducting Social Engineering Penetration Test diff --git a/skills/conducting-social-engineering-pretext-call/SKILL.md b/skills/conducting-social-engineering-pretext-call/SKILL.md index b1f530ee..b05d7efa 100644 --- a/skills/conducting-social-engineering-pretext-call/SKILL.md +++ b/skills/conducting-social-engineering-pretext-call/SKILL.md @@ -1,7 +1,8 @@ --- name: conducting-social-engineering-pretext-call -description: Plan and execute authorized vishing (voice phishing) pretext calls to assess employee susceptibility to social - engineering and evaluate security awareness controls. +description: Plan and execute authorized vishing (voice phishing) pretext calls to + assess employee susceptibility to social engineering and evaluate security awareness + controls. domain: cybersecurity subdomain: red-teaming tags: @@ -31,6 +32,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1598.004 +- T1566.004 +- T1589 +- T1591 +- T1598 --- # Conducting Social Engineering Pretext Call diff --git a/skills/conducting-spearphishing-simulation-campaign/SKILL.md b/skills/conducting-spearphishing-simulation-campaign/SKILL.md index fa668935..ed21910a 100644 --- a/skills/conducting-spearphishing-simulation-campaign/SKILL.md +++ b/skills/conducting-spearphishing-simulation-campaign/SKILL.md 
@@ -1,7 +1,8 @@ --- name: conducting-spearphishing-simulation-campaign -description: Spearphishing simulation is a targeted social engineering attack vector used by red teams to gain initial access. - Unlike broad phishing campaigns, spearphishing uses OSINT-derived intelligence to craf +description: Spearphishing simulation is a targeted social engineering attack vector + used by red teams to gain initial access. Unlike broad phishing campaigns, spearphishing + uses OSINT-derived intelligence to craf domain: cybersecurity subdomain: red-teaming tags: @@ -25,6 +26,13 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1566.001 +- T1566.002 +- T1598.003 +- T1598.002 +- T1204.002 +- T1204.001 --- # Conducting Spearphishing Simulation Campaign diff --git a/skills/conducting-wireless-network-penetration-test/SKILL.md b/skills/conducting-wireless-network-penetration-test/SKILL.md index 1823b734..4df0b3c9 100644 --- a/skills/conducting-wireless-network-penetration-test/SKILL.md +++ b/skills/conducting-wireless-network-penetration-test/SKILL.md 
@@ -1,9 +1,11 @@ --- name: conducting-wireless-network-penetration-test -description: 'Conducts authorized wireless network penetration tests to assess the security of WiFi infrastructure by testing - for weak encryption protocols, captive portal bypasses, evil twin attacks, WPA2/WPA3 handshake capture, rogue access point - detection, and client-side attacks. The tester evaluates wireless authentication, network segmentation, and the effectiveness - of wireless intrusion detection systems. Activates for requests involving wireless pentest, WiFi security assessment, WPA2/WPA3 +description: 'Conducts authorized wireless network penetration tests to assess the + security of WiFi infrastructure by testing for weak encryption protocols, captive + portal bypasses, evil twin attacks, WPA2/WPA3 handshake capture, rogue access point + detection, and client-side attacks. The tester evaluates wireless authentication, + network segmentation, and the effectiveness of wireless intrusion detection systems. + Activates for requests involving wireless pentest, WiFi security assessment, WPA2/WPA3 testing, or rogue access point detection. ' @@ -23,6 +25,12 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1557.004 +- T1040 +- T1110.002 +- T1557 +- T1669 --- # Conducting Wireless Network Penetration Test diff --git a/skills/configuring-active-directory-tiered-model/SKILL.md b/skills/configuring-active-directory-tiered-model/SKILL.md index e65ff928..a077cbbc 100644 --- a/skills/configuring-active-directory-tiered-model/SKILL.md +++ b/skills/configuring-active-directory-tiered-model/SKILL.md 
@@ -1,7 +1,8 @@ --- name: configuring-active-directory-tiered-model -description: Implement Microsoft's Enhanced Security Admin Environment (ESAE) tiered administration model for Active Directory. - Covers Tier 0/1/2 separation, privileged access workstations (PAWs), administrative f +description: Implement Microsoft's Enhanced Security Admin Environment (ESAE) tiered + administration model for Active Directory. Covers Tier 0/1/2 separation, privileged + access workstations (PAWs), administrative f domain: cybersecurity subdomain: identity-access-management tags: @@ -20,6 +21,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078.002 +- T1550.002 +- T1550.003 +- T1003.001 +- T1021 --- # Configuring Active Directory Tiered Model diff --git a/skills/configuring-aws-verified-access-for-ztna/SKILL.md b/skills/configuring-aws-verified-access-for-ztna/SKILL.md index c63d09a8..b845c988 100644 --- a/skills/configuring-aws-verified-access-for-ztna/SKILL.md +++ b/skills/configuring-aws-verified-access-for-ztna/SKILL.md @@ -1,7 +1,8 @@ --- name: configuring-aws-verified-access-for-ztna -description: Configure AWS Verified Access to provide VPN-less zero trust network access to internal applications using identity - and device posture verification with Cedar policy language. +description: Configure AWS Verified Access to provide VPN-less zero trust network + access to internal applications using identity and device posture verification with + Cedar policy language. domain: cybersecurity subdomain: zero-trust-architecture tags: @@ -22,6 +23,10 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1078.004 +- T1133 +- T1021.007 --- # Configuring AWS Verified Access for ZTNA diff --git a/skills/configuring-certificate-authority-with-openssl/SKILL.md b/skills/configuring-certificate-authority-with-openssl/SKILL.md index d3435013..ea04c418 100644 --- a/skills/configuring-certificate-authority-with-openssl/SKILL.md 
+++ b/skills/configuring-certificate-authority-with-openssl/SKILL.md @@ -1,7 +1,8 @@ --- name: configuring-certificate-authority-with-openssl -description: A Certificate Authority (CA) is the trust anchor in a PKI hierarchy, responsible for issuing, signing, and revoking - digital certificates. This skill covers building a two-tier CA hierarchy (Root CA + +description: A Certificate Authority (CA) is the trust anchor in a PKI hierarchy, + responsible for issuing, signing, and revoking digital certificates. This skill + covers building a two-tier CA hierarchy (Root CA + domain: cybersecurity subdomain: cryptography tags: @@ -17,6 +18,11 @@ nist_csf: - PR.DS-01 - PR.DS-02 - PR.DS-10 +mitre_attack: +- T1649 +- T1553.004 +- T1557 +- T1587.003 --- # Configuring Certificate Authority with OpenSSL diff --git a/skills/configuring-host-based-intrusion-detection/SKILL.md b/skills/configuring-host-based-intrusion-detection/SKILL.md index ea98eaa0..d80d8438 100644 --- a/skills/configuring-host-based-intrusion-detection/SKILL.md +++ b/skills/configuring-host-based-intrusion-detection/SKILL.md 
@@ -1,9 +1,11 @@ --- name: configuring-host-based-intrusion-detection -description: 'Configures host-based intrusion detection systems (HIDS) to monitor endpoint file integrity, system calls, and - configuration changes for security violations. Use when deploying OSSEC, Wazuh, or AIDE for endpoint monitoring, building - file integrity monitoring (FIM) policies, or meeting compliance requirements for change detection. Activates for requests - involving HIDS configuration, file integrity monitoring, OSSEC/Wazuh deployment, or host-based detection. +description: 'Configures host-based intrusion detection systems (HIDS) to monitor + endpoint file integrity, system calls, and configuration changes for security violations. + Use when deploying OSSEC, Wazuh, or AIDE for endpoint monitoring, building file + integrity monitoring (FIM) policies, or meeting compliance requirements for change + detection. Activates for requests involving HIDS configuration, file integrity monitoring, + OSSEC/Wazuh deployment, or host-based detection. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - PR.PS-02 - DE.CM-01 - PR.IR-01 +mitre_attack: +- T1059 +- T1543 +- T1547 +- T1070 +- T1055 --- # Configuring Host-Based Intrusion Detection diff --git a/skills/configuring-hsm-for-key-storage/SKILL.md b/skills/configuring-hsm-for-key-storage/SKILL.md index 1f03cf26..9ae04955 100644 --- a/skills/configuring-hsm-for-key-storage/SKILL.md +++ b/skills/configuring-hsm-for-key-storage/SKILL.md 
@@ -1,7 +1,8 @@ --- name: configuring-hsm-for-key-storage -description: Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and - perform cryptographic operations in a hardened environment. Keys stored in an HSM never lea +description: Hardware Security Modules (HSMs) are tamper-resistant physical devices + that safeguard cryptographic keys and perform cryptographic operations in a hardened + environment. Keys stored in an HSM never lea domain: cybersecurity subdomain: cryptography tags: @@ -25,6 +26,10 @@ nist_csf: - PR.DS-01 - PR.DS-02 - PR.DS-10 +mitre_attack: +- T1552.004 +- T1555 +- T1078 --- # Configuring HSM for Key Storage diff --git a/skills/configuring-identity-aware-proxy-with-google-iap/SKILL.md b/skills/configuring-identity-aware-proxy-with-google-iap/SKILL.md index e464229f..c9ac81e4 100644 --- a/skills/configuring-identity-aware-proxy-with-google-iap/SKILL.md +++ b/skills/configuring-identity-aware-proxy-with-google-iap/SKILL.md @@ -1,8 +1,9 @@ --- name: configuring-identity-aware-proxy-with-google-iap -description: 'Configuring Google Cloud Identity-Aware Proxy (IAP) to enforce per-request identity verification for Compute - Engine, App Engine, Cloud Run, and GKE services using access levels, context-aware policies, and programmatic access with - service accounts. +description: 'Configuring Google Cloud Identity-Aware Proxy (IAP) to enforce per-request + identity verification for Compute Engine, App Engine, Cloud Run, and GKE services + using access levels, context-aware policies, and programmatic access with service + accounts. ' domain: cybersecurity @@ -23,6 +24,10 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1078.004 +- T1133 +- T1021.007 --- # Configuring Identity-Aware Proxy with Google IAP diff --git a/skills/configuring-ldap-security-hardening/SKILL.md b/skills/configuring-ldap-security-hardening/SKILL.md index e330fd6b..f0c51887 100644 
--- a/skills/configuring-ldap-security-hardening/SKILL.md +++ b/skills/configuring-ldap-security-hardening/SKILL.md @@ -1,7 +1,8 @@ --- name: configuring-ldap-security-hardening -description: Harden LDAP directory services against common attacks including credential harvesting, LDAP injection, anonymous - binding, and channel binding bypass. Covers LDAPS enforcement, channel binding, LDAP si +description: Harden LDAP directory services against common attacks including credential + harvesting, LDAP injection, anonymous binding, and channel binding bypass. Covers + LDAPS enforcement, channel binding, LDAP si domain: cybersecurity subdomain: identity-access-management tags: @@ -19,6 +20,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1087.002 +- T1110.003 +- T1557.001 +- T1040 +- T1078.002 --- # Configuring LDAP Security Hardening diff --git a/skills/configuring-microsegmentation-for-zero-trust/SKILL.md b/skills/configuring-microsegmentation-for-zero-trust/SKILL.md index 0cb9cf51..6b430e1a 100644 --- a/skills/configuring-microsegmentation-for-zero-trust/SKILL.md +++ b/skills/configuring-microsegmentation-for-zero-trust/SKILL.md @@ -1,7 +1,8 @@ --- name: configuring-microsegmentation-for-zero-trust -description: Configure microsegmentation policies to enforce least-privilege workload-to-workload access using tools like - VMware NSX, Illumio, and Calico, preventing lateral movement in zero trust architectures. +description: Configure microsegmentation policies to enforce least-privilege workload-to-workload + access using tools like VMware NSX, Illumio, and Calico, preventing lateral movement + in zero trust architectures. domain: cybersecurity subdomain: zero-trust-architecture tags: @@ -18,6 +19,12 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1021 +- T1210 +- T1570 +- T1046 +- T1018 --- # Configuring Microsegmentation for Zero Trust 
diff --git a/skills/configuring-multi-factor-authentication-with-duo/SKILL.md b/skills/configuring-multi-factor-authentication-with-duo/SKILL.md index 0d75cfcd..ee66787b 100644 --- a/skills/configuring-multi-factor-authentication-with-duo/SKILL.md +++ b/skills/configuring-multi-factor-authentication-with-duo/SKILL.md @@ -1,7 +1,8 @@ --- name: configuring-multi-factor-authentication-with-duo -description: Deploy Cisco Duo multi-factor authentication across enterprise applications, VPN, RDP, and SSH access points. - This skill covers Duo integration methods, adaptive authentication policies, device trust +description: Deploy Cisco Duo multi-factor authentication across enterprise applications, + VPN, RDP, and SSH access points. This skill covers Duo integration methods, adaptive + authentication policies, device trust domain: cybersecurity subdomain: identity-access-management tags: @@ -20,6 +21,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1621 +- T1110.004 +- T1110.003 +- T1078 +- T1556.006 --- # Configuring Multi-Factor Authentication with Duo diff --git a/skills/configuring-network-segmentation-with-vlans/SKILL.md b/skills/configuring-network-segmentation-with-vlans/SKILL.md index 7a9e22c4..e9f9210c 100644 --- a/skills/configuring-network-segmentation-with-vlans/SKILL.md +++ b/skills/configuring-network-segmentation-with-vlans/SKILL.md @@ -1,8 +1,8 @@ --- name: configuring-network-segmentation-with-vlans -description: 'Designs and implements VLAN-based network segmentation on managed switches to isolate network zones, enforce - access control between segments, and reduce the attack surface by limiting lateral movement paths in enterprise network - environments. +description: 'Designs and implements VLAN-based network segmentation on managed switches + to isolate network zones, enforce access control between segments, and reduce the + attack surface by limiting lateral movement paths in enterprise network environments. ' domain: cybersecurity 
@@ -21,6 +21,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557.002 +- T1021 +- T1018 --- # Configuring Network Segmentation with VLANs diff --git a/skills/configuring-oauth2-authorization-flow/SKILL.md b/skills/configuring-oauth2-authorization-flow/SKILL.md index 76a01e9a..4cee0df4 100644 --- a/skills/configuring-oauth2-authorization-flow/SKILL.md +++ b/skills/configuring-oauth2-authorization-flow/SKILL.md @@ -1,7 +1,8 @@ --- name: configuring-oauth2-authorization-flow -description: Configure secure OAuth 2.0 authorization flows including Authorization Code with PKCE, Client Credentials, and - Device Authorization Grant. This skill covers flow selection, PKCE implementation, token +description: Configure secure OAuth 2.0 authorization flows including Authorization + Code with PKCE, Client Credentials, and Device Authorization Grant. This skill covers + flow selection, PKCE implementation, token domain: cybersecurity subdomain: identity-access-management tags: @@ -21,6 +22,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1528 +- T1550.001 +- T1539 +- T1606.001 +- T1212 --- # Configuring OAuth 2.0 Authorization Flow diff --git a/skills/configuring-pfsense-firewall-rules/SKILL.md b/skills/configuring-pfsense-firewall-rules/SKILL.md index 07677f50..12147657 100644 --- a/skills/configuring-pfsense-firewall-rules/SKILL.md +++ b/skills/configuring-pfsense-firewall-rules/SKILL.md 
@@ -1,7 +1,8 @@ --- name: configuring-pfsense-firewall-rules -description: 'Configures pfSense firewall rules, NAT policies, VPN tunnels, and traffic shaping to enforce network segmentation, - control traffic flow, and protect internal network zones in enterprise and small-to-medium business environments. +description: 'Configures pfSense firewall rules, NAT policies, VPN tunnels, and traffic + shaping to enforce network segmentation, control traffic flow, and protect internal + network zones in enterprise and small-to-medium business environments. ' domain: cybersecurity @@ -20,6 +21,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1071.001 +- T1095 +- T1572 +- T1571 +- T1041 --- # Configuring pfSense Firewall Rules diff --git a/skills/configuring-snort-ids-for-intrusion-detection/SKILL.md b/skills/configuring-snort-ids-for-intrusion-detection/SKILL.md index de021859..bdf94a43 100644 --- a/skills/configuring-snort-ids-for-intrusion-detection/SKILL.md +++ b/skills/configuring-snort-ids-for-intrusion-detection/SKILL.md @@ -1,7 +1,8 @@ --- name: configuring-snort-ids-for-intrusion-detection -description: 'Installs, configures, and tunes Snort 3 intrusion detection system to monitor network traffic for malicious - activity using custom and community rulesets, preprocessors, and alert output plugins on authorized network segments. +description: 'Installs, configures, and tunes Snort 3 intrusion detection system to + monitor network traffic for malicious activity using custom and community rulesets, + preprocessors, and alert output plugins on authorized network segments. ' domain: cybersecurity @@ -20,6 +21,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1071.001 +- T1572 +- T1210 +- T1048 --- # Configuring Snort IDS for Intrusion Detection diff --git a/skills/configuring-suricata-for-network-monitoring/SKILL.md b/skills/configuring-suricata-for-network-monitoring/SKILL.md index 2e915bb7..013591d2 100644 
--- a/skills/configuring-suricata-for-network-monitoring/SKILL.md +++ b/skills/configuring-suricata-for-network-monitoring/SKILL.md @@ -1,7 +1,8 @@ --- name: configuring-suricata-for-network-monitoring -description: 'Deploys and configures Suricata IDS/IPS with Emerging Threats rulesets, EVE JSON logging, and custom rules for - real-time network traffic inspection, threat detection, and integration with SIEM platforms for centralized security monitoring. +description: 'Deploys and configures Suricata IDS/IPS with Emerging Threats rulesets, + EVE JSON logging, and custom rules for real-time network traffic inspection, threat + detection, and integration with SIEM platforms for centralized security monitoring. ' domain: cybersecurity @@ -20,6 +21,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1071.001 +- T1572 +- T1048 +- T1573.001 --- # Configuring Suricata for Network Monitoring diff --git a/skills/configuring-tls-1-3-for-secure-communications/SKILL.md b/skills/configuring-tls-1-3-for-secure-communications/SKILL.md index 48a2e110..17e8b2ed 100644 --- a/skills/configuring-tls-1-3-for-secure-communications/SKILL.md +++ b/skills/configuring-tls-1-3-for-secure-communications/SKILL.md @@ -1,7 +1,8 @@ --- name: configuring-tls-1-3-for-secure-communications -description: TLS 1.3 (RFC 8446) is the latest version of the Transport Layer Security protocol, providing significant improvements - over TLS 1.2 in both security and performance. It reduces handshake latency to 1-R +description: TLS 1.3 (RFC 8446) is the latest version of the Transport Layer Security + protocol, providing significant improvements over TLS 1.2 in both security and performance. + It reduces handshake latency to 1-R domain: cybersecurity subdomain: cryptography tags: @@ -17,6 +18,12 @@ nist_csf: - PR.DS-01 - PR.DS-02 - PR.DS-10 +mitre_attack: +- T1557 +- T1040 +- T1573.002 +- T1539 +- T1556.004 --- # Configuring TLS 1.3 for Secure Communications 
diff --git a/skills/configuring-windows-defender-advanced-settings/SKILL.md b/skills/configuring-windows-defender-advanced-settings/SKILL.md index 19cf6850..c24f484f 100644 --- a/skills/configuring-windows-defender-advanced-settings/SKILL.md +++ b/skills/configuring-windows-defender-advanced-settings/SKILL.md @@ -1,10 +1,11 @@ --- name: configuring-windows-defender-advanced-settings -description: 'Configures Microsoft Defender for Endpoint (MDE) advanced protection settings including attack surface reduction - rules, controlled folder access, network protection, and exploit protection. Use when hardening Windows endpoints beyond - default Defender settings, deploying enterprise-grade endpoint protection, or meeting compliance requirements for advanced - malware defense. Activates for requests involving Windows Defender configuration, ASR rules, MDE tuning, or Microsoft endpoint - security. +description: 'Configures Microsoft Defender for Endpoint (MDE) advanced protection + settings including attack surface reduction rules, controlled folder access, network + protection, and exploit protection. Use when hardening Windows endpoints beyond + default Defender settings, deploying enterprise-grade endpoint protection, or meeting + compliance requirements for advanced malware defense. Activates for requests involving + Windows Defender configuration, ASR rules, MDE tuning, or Microsoft endpoint security. ' domain: cybersecurity @@ -24,6 +25,12 @@ nist_csf: - PR.PS-02 - DE.CM-01 - PR.IR-01 +mitre_attack: +- T1685 +- T1204.002 +- T1059.001 +- T1055 +- T1547.001 --- # Configuring Windows Defender Advanced Settings diff --git a/skills/configuring-windows-event-logging-for-detection/SKILL.md b/skills/configuring-windows-event-logging-for-detection/SKILL.md index 095f926e..681ef113 100644 --- a/skills/configuring-windows-event-logging-for-detection/SKILL.md +++ b/skills/configuring-windows-event-logging-for-detection/SKILL.md 
@@ -1,9 +1,11 @@ --- name: configuring-windows-event-logging-for-detection -description: 'Configures Windows Event Logging with advanced audit policies to generate high-fidelity security events for - threat detection and forensic investigation. Use when enabling audit policies for logon events, process creation, privilege - use, and object access to feed SIEM detection rules. Activates for requests involving Windows audit policy, event log configuration, - security logging, or detection-oriented logging. +description: 'Configures Windows Event Logging with advanced audit policies to generate + high-fidelity security events for threat detection and forensic investigation. Use + when enabling audit policies for logon events, process creation, privilege use, + and object access to feed SIEM detection rules. Activates for requests involving + Windows audit policy, event log configuration, security logging, or detection-oriented + logging. ' domain: cybersecurity @@ -22,6 +24,12 @@ nist_csf: - PR.PS-02 - DE.CM-01 - PR.IR-01 +mitre_attack: +- T1685.005 +- T1059.001 +- T1053.005 +- T1047 +- T1543.003 --- # Configuring Windows Event Logging for Detection diff --git a/skills/configuring-zscaler-private-access-for-ztna/SKILL.md b/skills/configuring-zscaler-private-access-for-ztna/SKILL.md index 9cd61d10..ccf18c8e 100644 --- a/skills/configuring-zscaler-private-access-for-ztna/SKILL.md +++ b/skills/configuring-zscaler-private-access-for-ztna/SKILL.md 
@@ -1,8 +1,9 @@ --- name: configuring-zscaler-private-access-for-ztna -description: 'Configuring Zscaler Private Access (ZPA) to replace traditional VPN with zero trust network access by deploying - App Connectors, defining application segments, configuring access policies based on user identity and device posture, and - integrating with IdPs. +description: 'Configuring Zscaler Private Access (ZPA) to replace traditional VPN + with zero trust network access by deploying App Connectors, defining application + segments, configuring access policies based on user identity and device posture, + and integrating with IdPs. ' domain: cybersecurity @@ -23,6 +24,12 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1133 +- T1078 +- T1021 +- T1219 +- T1190 --- # Configuring Zscaler Private Access for ZTNA diff --git a/skills/containing-active-breach/SKILL.md b/skills/containing-active-breach/SKILL.md index 42a51df4..9b939c2c 100644 --- a/skills/containing-active-breach/SKILL.md +++ b/skills/containing-active-breach/SKILL.md 
@@ -1,9 +1,11 @@ --- name: containing-active-breach -description: 'Executes containment strategies to stop active adversary operations and prevent lateral movement during a confirmed - security breach. Implements short-term and long-term containment using network segmentation, endpoint isolation, credential - revocation, and access control modifications. Activates for requests involving breach containment, lateral movement prevention, - network isolation, active threat containment, or live incident response. +description: 'Executes containment strategies to stop active adversary operations + and prevent lateral movement during a confirmed security breach. Implements short-term + and long-term containment using network segmentation, endpoint isolation, credential + revocation, and access control modifications. Activates for requests involving breach + containment, lateral movement prevention, network isolation, active threat containment, + or live incident response. ' domain: cybersecurity @@ -15,10 +17,11 @@ tags: - credential-revocation - live-response mitre_attack: -- T1021 +- T1486 +- T1021.002 +- T1078 +- T1071.001 - T1570 -- T1210 -- T1072 version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/correlating-security-events-in-qradar/SKILL.md b/skills/correlating-security-events-in-qradar/SKILL.md index cfbae8d6..d3d96ae9 100644 --- a/skills/correlating-security-events-in-qradar/SKILL.md +++ b/skills/correlating-security-events-in-qradar/SKILL.md 
@@ -1,8 +1,10 @@ --- name: correlating-security-events-in-qradar -description: 'Correlates security events in IBM QRadar SIEM using AQL (Ariel Query Language), custom rules, building blocks, - and offense management to detect multi-stage attacks across network, endpoint, and application log sources. Use when SOC - analysts need to investigate QRadar offenses, build correlation rules, or tune detection logic for reducing false positives. +description: 'Correlates security events in IBM QRadar SIEM using AQL (Ariel Query + Language), custom rules, building blocks, and offense management to detect multi-stage + attacks across network, endpoint, and application log sources. Use when SOC analysts + need to investigate QRadar offenses, build correlation rules, or tune detection + logic for reducing false positives. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1110.003 +- T1021 +- T1071.001 +- T1041 --- # Correlating Security Events in QRadar diff --git a/skills/correlating-threat-campaigns/SKILL.md b/skills/correlating-threat-campaigns/SKILL.md index e0baf2ef..cad20d11 100644 --- a/skills/correlating-threat-campaigns/SKILL.md +++ b/skills/correlating-threat-campaigns/SKILL.md 
@@ -1,9 +1,11 @@ --- name: correlating-threat-campaigns -description: 'Correlates disparate security incidents, IOCs, and adversary behaviors across time and organizations to identify - unified threat campaigns, attribute them to common threat actors, and extract shared indicators for improved detection. - Use when multiple incidents exhibit overlapping indicators, when sector-wide attack campaigns require cross-organizational - analysis, or when building campaign-level intelligence products. Activates for requests involving campaign analysis, incident +description: 'Correlates disparate security incidents, IOCs, and adversary behaviors + across time and organizations to identify unified threat campaigns, attribute them + to common threat actors, and extract shared indicators for improved detection. Use + when multiple incidents exhibit overlapping indicators, when sector-wide attack + campaigns require cross-organizational analysis, or when building campaign-level + intelligence products. Activates for requests involving campaign analysis, incident clustering, cross-organizational IOC correlation, or MISP correlation engine. ' @@ -26,6 +28,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1566 +- T1071.001 +- T1587.001 +- T1583.001 +- T1588.002 --- # Correlating Threat Campaigns diff --git a/skills/deobfuscating-javascript-malware/SKILL.md b/skills/deobfuscating-javascript-malware/SKILL.md index b253577d..70a522da 100644 --- a/skills/deobfuscating-javascript-malware/SKILL.md +++ b/skills/deobfuscating-javascript-malware/SKILL.md 
@@ -1,9 +1,10 @@ --- name: deobfuscating-javascript-malware -description: 'Deobfuscates malicious JavaScript code used in web-based attacks, phishing pages, and dropper scripts by reversing - encoding layers, eval chains, string manipulation, and control flow obfuscation to reveal the original malicious logic. - Activates for requests involving JavaScript malware analysis, script deobfuscation, web skimmer analysis, or obfuscated - dropper investigation. +description: 'Deobfuscates malicious JavaScript code used in web-based attacks, phishing + pages, and dropper scripts by reversing encoding layers, eval chains, string manipulation, + and control flow obfuscation to reveal the original malicious logic. Activates for + requests involving JavaScript malware analysis, script deobfuscation, web skimmer + analysis, or obfuscated dropper investigation. ' domain: cybersecurity @@ -22,6 +23,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1027.010 +- T1140 +- T1059.007 +- T1027.006 --- # Deobfuscating JavaScript Malware diff --git a/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md b/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md index e64db0c5..98326af7 100644 --- a/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md +++ b/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md @@ -1,7 +1,8 @@ --- name: deobfuscating-powershell-obfuscated-malware -description: Systematically deobfuscate multi-layer PowerShell malware using AST analysis, dynamic tracing, and tools like - PSDecode and PowerDecode to reveal hidden payloads and C2 infrastructure. +description: Systematically deobfuscate multi-layer PowerShell malware using AST analysis, + dynamic tracing, and tools like PSDecode and PowerDecode to reveal hidden payloads + and C2 infrastructure. domain: cybersecurity subdomain: malware-analysis tags: 
@@ -14,8 +15,10 @@ tags: - incident-response mitre_attack: - T1059.001 -- T1027 +- T1027.010 - T1140 +- T1027 +- T1620 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/deploying-active-directory-honeytokens/SKILL.md b/skills/deploying-active-directory-honeytokens/SKILL.md index 47167a56..e317355b 100644 --- a/skills/deploying-active-directory-honeytokens/SKILL.md +++ b/skills/deploying-active-directory-honeytokens/SKILL.md @@ -1,9 +1,10 @@ --- name: deploying-active-directory-honeytokens -description: 'Deploys deception-based honeytokens in Active Directory including fake privileged accounts with AdminCount=1, - fake SPNs for Kerberoasting detection (honeyroasting), decoy GPOs with cpassword traps, and fake BloodHound paths. Monitors - Windows Security Event IDs 4769, 4625, 4662, 5136 for honeytoken interaction. Use when implementing AD deception defenses - for detecting lateral movement, credential theft, and reconnaissance. +description: 'Deploys deception-based honeytokens in Active Directory including fake + privileged accounts with AdminCount=1, fake SPNs for Kerberoasting detection (honeyroasting), + decoy GPOs with cpassword traps, and fake BloodHound paths. Monitors Windows Security + Event IDs 4769, 4625, 4662, 5136 for honeytoken interaction. Use when implementing + AD deception defenses for detecting lateral movement, credential theft, and reconnaissance. ' domain: cybersecurity @@ -23,6 +24,12 @@ nist_csf: - DE.CM-01 - DE.AE-06 - PR.IR-01 +mitre_attack: +- T1558.003 +- T1558.004 +- T1110.003 +- T1003.006 +- T1552.006 --- # Deploying Active Directory Honeytokens diff --git a/skills/deploying-cloudflare-access-for-zero-trust/SKILL.md b/skills/deploying-cloudflare-access-for-zero-trust/SKILL.md index 9502b4ed..34a6d7e3 100644 --- a/skills/deploying-cloudflare-access-for-zero-trust/SKILL.md +++ b/skills/deploying-cloudflare-access-for-zero-trust/SKILL.md 
@@ -1,7 +1,8 @@ --- name: deploying-cloudflare-access-for-zero-trust -description: 'Deploying Cloudflare Access with Cloudflare Tunnel to provide zero trust access to self-hosted and private applications, - configuring identity-aware access policies, device posture checks, and WARP client enrollment for VPN replacement. +description: 'Deploying Cloudflare Access with Cloudflare Tunnel to provide zero trust + access to self-hosted and private applications, configuring identity-aware access + policies, device posture checks, and WARP client enrollment for VPN replacement. ' domain: cybersecurity @@ -31,6 +32,11 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1133 +- T1078 +- T1190 +- T1021 --- # Deploying Cloudflare Access for Zero Trust diff --git a/skills/deploying-decoy-files-for-ransomware-detection/SKILL.md b/skills/deploying-decoy-files-for-ransomware-detection/SKILL.md index a9e37384..82ef8499 100644 --- a/skills/deploying-decoy-files-for-ransomware-detection/SKILL.md +++ b/skills/deploying-decoy-files-for-ransomware-detection/SKILL.md 
@@ -1,9 +1,11 @@ --- name: deploying-decoy-files-for-ransomware-detection -description: 'Deploys canary files (honeytokens) across file systems to detect ransomware encryption activity in real time. - Uses strategically placed decoy documents monitored via file integrity monitoring or OS-level watchdogs to trigger alerts - when ransomware modifies or encrypts them. Activates for requests involving ransomware canary deployment, honeyfile setup, - deception-based ransomware detection, or file integrity monitoring for encryption. +description: 'Deploys canary files (honeytokens) across file systems to detect ransomware + encryption activity in real time. Uses strategically placed decoy documents monitored + via file integrity monitoring or OS-level watchdogs to trigger alerts when ransomware + modifies or encrypts them. Activates for requests involving ransomware canary deployment, + honeyfile setup, deception-based ransomware detection, or file integrity monitoring + for encryption. ' domain: cybersecurity @@ -23,6 +25,11 @@ nist_csf: - RS.MA-01 - RC.RP-01 - PR.IR-01 +mitre_attack: +- T1486 +- T1083 +- T1490 +- T1485 --- # Deploying Decoy Files for Ransomware Detection diff --git a/skills/deploying-edr-agent-with-crowdstrike/SKILL.md b/skills/deploying-edr-agent-with-crowdstrike/SKILL.md index c88c93da..c76d9485 100644 --- a/skills/deploying-edr-agent-with-crowdstrike/SKILL.md +++ b/skills/deploying-edr-agent-with-crowdstrike/SKILL.md 
@@ -1,9 +1,11 @@ --- name: deploying-edr-agent-with-crowdstrike -description: 'Deploys and configures CrowdStrike Falcon EDR agents across enterprise endpoints to enable real-time threat - detection, behavioral analysis, and automated response. Use when onboarding endpoints to EDR coverage, configuring detection - policies, or integrating Falcon telemetry with SIEM platforms. Activates for requests involving CrowdStrike deployment, - Falcon sensor installation, EDR policy configuration, or endpoint detection and response. +description: 'Deploys and configures CrowdStrike Falcon EDR agents across enterprise + endpoints to enable real-time threat detection, behavioral analysis, and automated + response. Use when onboarding endpoints to EDR coverage, configuring detection policies, + or integrating Falcon telemetry with SIEM platforms. Activates for requests involving + CrowdStrike deployment, Falcon sensor installation, EDR policy configuration, or + endpoint detection and response. ' domain: cybersecurity @@ -33,6 +35,12 @@ nist_csf: - PR.PS-02 - DE.CM-01 - PR.IR-01 +mitre_attack: +- T1003.001 +- T1055 +- T1059.001 +- T1486 +- T1071.001 --- # Deploying EDR Agent with CrowdStrike diff --git a/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md b/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md index 096b8190..c9662808 100644 --- a/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md +++ b/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md 
@@ -1,9 +1,11 @@ --- name: deploying-osquery-for-endpoint-monitoring -description: 'Deploys and configures osquery for real-time endpoint monitoring using SQL-based queries to inspect running - processes, open ports, installed software, and system configuration. Use when building visibility into endpoint state, threat - hunting across fleet, or implementing compliance monitoring. Activates for requests involving osquery deployment, endpoint - visibility, fleet management, or SQL-based endpoint querying. +description: 'Deploys and configures osquery for real-time endpoint monitoring using + SQL-based queries to inspect running processes, open ports, installed software, + and system configuration. Use when building visibility into endpoint state, threat + hunting across fleet, or implementing compliance monitoring. Activates for requests + involving osquery deployment, endpoint visibility, fleet management, or SQL-based + endpoint querying. ' domain: cybersecurity @@ -15,12 +17,11 @@ tags: - threat-hunting - fleet-management mitre_attack: -- T1547 -- T1049 -- T1620 -- T1053.003 -- T1548.001 -- T1552 +- T1547.001 +- T1053.005 +- T1543.003 +- T1057 +- T1071.001 version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/deploying-palo-alto-prisma-access-zero-trust/SKILL.md b/skills/deploying-palo-alto-prisma-access-zero-trust/SKILL.md index bc1d7e0b..ed2496ad 100644 --- a/skills/deploying-palo-alto-prisma-access-zero-trust/SKILL.md +++ b/skills/deploying-palo-alto-prisma-access-zero-trust/SKILL.md 
@@ -1,7 +1,8 @@ --- name: deploying-palo-alto-prisma-access-zero-trust -description: 'Deploying Palo Alto Networks Prisma Access for SASE-based zero trust network access using GlobalProtect agents, - ZTNA Connectors, security policy enforcement, and integration with Strata Cloud Manager for unified security management. +description: 'Deploying Palo Alto Networks Prisma Access for SASE-based zero trust + network access using GlobalProtect agents, ZTNA Connectors, security policy enforcement, + and integration with Strata Cloud Manager for unified security management. ' domain: cybersecurity @@ -26,6 +27,11 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1133 +- T1078 +- T1071.001 +- T1572 --- # Deploying Palo Alto Prisma Access Zero Trust diff --git a/skills/deploying-ransomware-canary-files/SKILL.md b/skills/deploying-ransomware-canary-files/SKILL.md index dcb034e5..14b1bf05 100644 --- a/skills/deploying-ransomware-canary-files/SKILL.md +++ b/skills/deploying-ransomware-canary-files/SKILL.md 
@@ -1,10 +1,12 @@ --- name: deploying-ransomware-canary-files -description: 'Deploys and monitors ransomware canary files across critical directories using Python''s watchdog library for - real-time filesystem event detection. Places strategically named decoy files that mimic high-value targets (financial records, - credentials, database exports) in locations ransomware typically enumerates first. Monitors for any read, modify, rename, - or delete operations on canary files and triggers immediate alerts via email, Slack webhook, or syslog when interaction - is detected, providing early warning before full encryption begins. +description: 'Deploys and monitors ransomware canary files across critical directories + using Python''s watchdog library for real-time filesystem event detection. Places + strategically named decoy files that mimic high-value targets (financial records, + credentials, database exports) in locations ransomware typically enumerates first. + Monitors for any read, modify, rename, or delete operations on canary files and + triggers immediate alerts via email, Slack webhook, or syslog when interaction is + detected, providing early warning before full encryption begins. ' domain: cybersecurity @@ -25,6 +27,11 @@ nist_csf: - RS.MA-01 - RC.RP-01 - PR.IR-01 +mitre_attack: +- T1486 +- T1083 +- T1490 +- T1485 --- # Deploying Ransomware Canary Files diff --git a/skills/deploying-software-defined-perimeter/SKILL.md b/skills/deploying-software-defined-perimeter/SKILL.md index 55522b97..ca7f1109 100644 --- a/skills/deploying-software-defined-perimeter/SKILL.md +++ b/skills/deploying-software-defined-perimeter/SKILL.md 
@@ -1,7 +1,8 @@ --- name: deploying-software-defined-perimeter -description: Deploy a Software-Defined Perimeter using the CSA v2.0 specification with Single Packet Authorization, mutual - TLS, and SDP controller/gateway configuration to enforce zero trust network access. +description: Deploy a Software-Defined Perimeter using the CSA v2.0 specification + with Single Packet Authorization, mutual TLS, and SDP controller/gateway configuration + to enforce zero trust network access. domain: cybersecurity subdomain: zero-trust-architecture tags: @@ -18,6 +19,12 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1133 +- T1078 +- T1021 +- T1046 +- T1190 --- # Deploying Software-Defined Perimeter diff --git a/skills/deploying-tailscale-for-zero-trust-vpn/SKILL.md b/skills/deploying-tailscale-for-zero-trust-vpn/SKILL.md index 5a3cca73..33af1c90 100644 --- a/skills/deploying-tailscale-for-zero-trust-vpn/SKILL.md +++ b/skills/deploying-tailscale-for-zero-trust-vpn/SKILL.md @@ -1,7 +1,8 @@ --- name: deploying-tailscale-for-zero-trust-vpn -description: Deploy and configure Tailscale as a WireGuard-based zero trust mesh VPN with identity-aware access controls, - ACLs, and exit nodes for secure peer-to-peer connectivity. +description: Deploy and configure Tailscale as a WireGuard-based zero trust mesh VPN + with identity-aware access controls, ACLs, and exit nodes for secure peer-to-peer + connectivity. domain: cybersecurity subdomain: zero-trust-architecture tags: @@ -22,6 +23,11 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1133 +- T1078 +- T1021 +- T1572 --- # Deploying Tailscale for Zero Trust VPN diff --git a/skills/detecting-ai-model-prompt-injection-attacks/SKILL.md b/skills/detecting-ai-model-prompt-injection-attacks/SKILL.md index 2e5ce83c..bcd9759f 100644 --- a/skills/detecting-ai-model-prompt-injection-attacks/SKILL.md +++ b/skills/detecting-ai-model-prompt-injection-attacks/SKILL.md 
@@ -1,12 +1,15 @@ --- name: detecting-ai-model-prompt-injection-attacks -description: 'Detects prompt injection attacks targeting LLM-based applications using a multi-layered defense combining regex - pattern matching for known attack signatures, heuristic scoring for structural anomalies, and transformer-based classification - with DeBERTa models. The detector analyzes user inputs before they reach the LLM, flagging direct injections (system prompt - overrides, role-play escapes, instruction hijacking) and indirect injections (encoded payloads, multi-language obfuscation, - delimiter-based escapes). Based on the OWASP LLM Top 10 (LLM01:2025 Prompt Injection) and Simon Willison''s prompt injection - taxonomy. Activates for requests involving prompt injection detection, LLM input sanitization, AI security scanning, or - prompt attack classification. +description: 'Detects prompt injection attacks targeting LLM-based applications using + a multi-layered defense combining regex pattern matching for known attack signatures, + heuristic scoring for structural anomalies, and transformer-based classification + with DeBERTa models. The detector analyzes user inputs before they reach the LLM, + flagging direct injections (system prompt overrides, role-play escapes, instruction + hijacking) and indirect injections (encoded payloads, multi-language obfuscation, + delimiter-based escapes). Based on the OWASP LLM Top 10 (LLM01:2025 Prompt Injection) + and Simon Willison''s prompt injection taxonomy. Activates for requests involving + prompt injection detection, LLM input sanitization, AI security scanning, or prompt + attack classification. ' domain: cybersecurity @@ -43,6 +46,12 @@ nist_csf: - ID.RA-01 - PR.PS-01 - DE.AE-02 +mitre_attack: +- T1659 +- T1566 +- T1204 +- T1588.007 +- T1565 --- # Detecting AI Model Prompt Injection Attacks 
diff --git a/skills/detecting-anomalies-in-industrial-control-systems/SKILL.md b/skills/detecting-anomalies-in-industrial-control-systems/SKILL.md index cf83d155..50636e81 100644 --- a/skills/detecting-anomalies-in-industrial-control-systems/SKILL.md +++ b/skills/detecting-anomalies-in-industrial-control-systems/SKILL.md @@ -1,9 +1,11 @@ --- name: detecting-anomalies-in-industrial-control-systems -description: 'This skill covers deploying anomaly detection systems for industrial control environments using machine learning - models trained on OT network baselines, physics-based process models, and behavioral analysis of industrial protocol communications. - It addresses building normal behavior profiles for SCADA polling patterns, detecting deviations in Modbus/DNP3/OPC UA traffic, - identifying rogue devices, and correlating network anomalies with physical process data from historians. +description: 'This skill covers deploying anomaly detection systems for industrial + control environments using machine learning models trained on OT network baselines, + physics-based process models, and behavioral analysis of industrial protocol communications. + It addresses building normal behavior profiles for SCADA polling patterns, detecting + deviations in Modbus/DNP3/OPC UA traffic, identifying rogue devices, and correlating + network anomalies with physical process data from historians. ' domain: cybersecurity @@ -31,6 +33,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T0836 +- T0831 +- T0832 +- T0814 +- T0801 --- # Detecting Anomalies in Industrial Control Systems diff --git a/skills/detecting-anomalous-authentication-patterns/SKILL.md b/skills/detecting-anomalous-authentication-patterns/SKILL.md index 4be269e7..ec7c98ae 100644 --- a/skills/detecting-anomalous-authentication-patterns/SKILL.md +++ b/skills/detecting-anomalous-authentication-patterns/SKILL.md 
@@ -1,9 +1,10 @@ --- name: detecting-anomalous-authentication-patterns -description: 'Detects anomalous authentication patterns using UEBA analytics, statistical baselines, and machine learning - models to identify impossible travel, credential stuffing, brute force, password spraying, and compromised account behaviors - across authentication logs. Activates for requests involving authentication anomaly detection, login behavior analysis, - UEBA implementation, or suspicious sign-in investigation. +description: 'Detects anomalous authentication patterns using UEBA analytics, statistical + baselines, and machine learning models to identify impossible travel, credential + stuffing, brute force, password spraying, and compromised account behaviors across + authentication logs. Activates for requests involving authentication anomaly detection, + login behavior analysis, UEBA implementation, or suspicious sign-in investigation. ' domain: cybersecurity @@ -30,6 +31,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1110 +- T1110.003 +- T1110.004 +- T1078 +- T1021 --- # Detecting Anomalous Authentication Patterns diff --git a/skills/detecting-api-enumeration-attacks/SKILL.md b/skills/detecting-api-enumeration-attacks/SKILL.md index 36abc865..3d957301 100644 --- a/skills/detecting-api-enumeration-attacks/SKILL.md +++ b/skills/detecting-api-enumeration-attacks/SKILL.md @@ -1,7 +1,7 @@ --- name: detecting-api-enumeration-attacks -description: Detect and prevent API enumeration attacks including BOLA and IDOR exploitation by monitoring sequential identifier - access patterns and authorization failures. +description: Detect and prevent API enumeration attacks including BOLA and IDOR exploitation + by monitoring sequential identifier access patterns and authorization failures. domain: cybersecurity subdomain: api-security tags: 
@@ -21,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1595 +- T1595.002 +- T1046 +- T1190 +- T1087 --- # Detecting API Enumeration Attacks diff --git a/skills/detecting-arp-poisoning-in-network-traffic/SKILL.md b/skills/detecting-arp-poisoning-in-network-traffic/SKILL.md index 73e1b4f5..fb128c6d 100644 --- a/skills/detecting-arp-poisoning-in-network-traffic/SKILL.md +++ b/skills/detecting-arp-poisoning-in-network-traffic/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-arp-poisoning-in-network-traffic -description: Detect and prevent ARP spoofing attacks using ARPWatch, Dynamic ARP Inspection, Wireshark analysis, and custom - monitoring scripts to protect against man-in-the-middle interception. +description: Detect and prevent ARP spoofing attacks using ARPWatch, Dynamic ARP Inspection, + Wireshark analysis, and custom monitoring scripts to protect against man-in-the-middle + interception. domain: cybersecurity subdomain: network-security tags: @@ -21,6 +22,11 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1557.002 +- T1557 +- T1040 +- T1200 --- # Detecting ARP Poisoning in Network Traffic diff --git a/skills/detecting-attacks-on-historian-servers/SKILL.md b/skills/detecting-attacks-on-historian-servers/SKILL.md index 239b4147..3cba3996 100644 --- a/skills/detecting-attacks-on-historian-servers/SKILL.md +++ b/skills/detecting-attacks-on-historian-servers/SKILL.md 
@@ -1,8 +1,9 @@ --- name: detecting-attacks-on-historian-servers -description: 'Detect cyber attacks targeting OT historian servers (OSIsoft PI, Ignition, Wonderware) that sit at the IT/OT - boundary and serve as pivot points for lateral movement between enterprise and control networks, including data manipulation, - unauthorized queries, and exploitation of historian-specific vulnerabilities. +description: 'Detect cyber attacks targeting OT historian servers (OSIsoft PI, Ignition, + Wonderware) that sit at the IT/OT boundary and serve as pivot points for lateral + movement between enterprise and control networks, including data manipulation, unauthorized + queries, and exploitation of historian-specific vulnerabilities. ' domain: cybersecurity @@ -24,6 +25,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T0811 +- T0882 +- T0888 +- T0846 +- T0859 --- # Detecting Attacks on Historian Servers diff --git a/skills/detecting-attacks-on-scada-systems/SKILL.md b/skills/detecting-attacks-on-scada-systems/SKILL.md index 21cccc14..c188572e 100644 --- a/skills/detecting-attacks-on-scada-systems/SKILL.md +++ b/skills/detecting-attacks-on-scada-systems/SKILL.md 
@@ -1,10 +1,12 @@ --- name: detecting-attacks-on-scada-systems -description: 'This skill covers detecting cyber attacks targeting Supervisory Control and Data Acquisition (SCADA) systems - including man-in-the-middle attacks on industrial protocols, unauthorized command injection into PLCs, HMI compromise, historian - data manipulation, and denial-of-service against control system communications. It leverages OT-specific intrusion detection - systems, industrial protocol anomaly detection, and process data analytics to identify attacks that traditional IT security - tools miss. +description: 'This skill covers detecting cyber attacks targeting Supervisory Control + and Data Acquisition (SCADA) systems including man-in-the-middle attacks on industrial + protocols, unauthorized command injection into PLCs, HMI compromise, historian data + manipulation, and denial-of-service against control system communications. It leverages + OT-specific intrusion detection systems, industrial protocol anomaly detection, + and process data analytics to identify attacks that traditional IT security tools + miss. ' domain: cybersecurity @@ -33,6 +35,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T0846 +- T0836 +- T0831 +- T0814 +- T0832 --- # Detecting Attacks on SCADA Systems diff --git a/skills/detecting-aws-cloudtrail-anomalies/SKILL.md b/skills/detecting-aws-cloudtrail-anomalies/SKILL.md index 5494c894..995d9adc 100644 --- a/skills/detecting-aws-cloudtrail-anomalies/SKILL.md +++ b/skills/detecting-aws-cloudtrail-anomalies/SKILL.md 
@@ -1,7 +1,8 @@ --- name: detecting-aws-cloudtrail-anomalies -description: Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis - to identify credential compromise, privilege escalation, and unauthorized resource access. +description: Detect unusual API call patterns in AWS CloudTrail logs using boto3, + statistical baselining, and behavioral analysis to identify credential compromise, + privilege escalation, and unauthorized resource access. domain: cybersecurity subdomain: cloud-security tags: @@ -19,6 +20,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1580 +- T1538 +- T1098.001 +- T1526 --- # Detecting AWS CloudTrail Anomalies diff --git a/skills/detecting-aws-credential-exposure-with-trufflehog/SKILL.md b/skills/detecting-aws-credential-exposure-with-trufflehog/SKILL.md index 1f1a8232..4dbc10c9 100644 --- a/skills/detecting-aws-credential-exposure-with-trufflehog/SKILL.md +++ b/skills/detecting-aws-credential-exposure-with-trufflehog/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-aws-credential-exposure-with-trufflehog -description: 'Detecting exposed AWS credentials in source code repositories, CI/CD pipelines, and configuration files using - TruffleHog, git-secrets, and AWS-native detection mechanisms to prevent credential theft and unauthorized account access. +description: 'Detecting exposed AWS credentials in source code repositories, CI/CD + pipelines, and configuration files using TruffleHog, git-secrets, and AWS-native + detection mechanisms to prevent credential theft and unauthorized account access. ' domain: cybersecurity @@ -21,6 +22,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1552.001 +- T1552 +- T1078.004 +- T1589.001 --- # Detecting AWS Credential Exposure with TruffleHog 
diff --git a/skills/detecting-aws-guardduty-findings-automation/SKILL.md b/skills/detecting-aws-guardduty-findings-automation/SKILL.md index fa0e9c96..aa845410 100644 --- a/skills/detecting-aws-guardduty-findings-automation/SKILL.md +++ b/skills/detecting-aws-guardduty-findings-automation/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-aws-guardduty-findings-automation -description: Automate AWS GuardDuty threat detection findings processing using EventBridge and Lambda to enable real-time - incident response, automatic quarantine of compromised resources, and security notification workflows. +description: Automate AWS GuardDuty threat detection findings processing using EventBridge + and Lambda to enable real-time incident response, automatic quarantine of compromised + resources, and security notification workflows. domain: cybersecurity subdomain: cloud-security tags: @@ -21,6 +22,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1496 +- T1580 +- T1530 +- T1110 --- # Detecting AWS GuardDuty Findings Automation diff --git a/skills/detecting-aws-iam-privilege-escalation/SKILL.md b/skills/detecting-aws-iam-privilege-escalation/SKILL.md index fd814431..35cc6a7a 100644 --- a/skills/detecting-aws-iam-privilege-escalation/SKILL.md +++ b/skills/detecting-aws-iam-privilege-escalation/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-aws-iam-privilege-escalation -description: Detect AWS IAM privilege escalation paths using boto3 and Cloudsplaining policy analysis to identify overly permissive - policies, dangerous permission combinations, and least-privilege violations +description: Detect AWS IAM privilege escalation paths using boto3 and Cloudsplaining + policy analysis to identify overly permissive policies, dangerous permission combinations, + and least-privilege violations domain: cybersecurity subdomain: cloud-security tags: 
@@ -20,6 +21,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1098.001 +- T1098.003 +- T1078.004 +- T1548.005 +- T1484 --- # Detecting AWS IAM Privilege Escalation diff --git a/skills/detecting-azure-lateral-movement/SKILL.md b/skills/detecting-azure-lateral-movement/SKILL.md index 7441d218..1374ed7d 100644 --- a/skills/detecting-azure-lateral-movement/SKILL.md +++ b/skills/detecting-azure-lateral-movement/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-azure-lateral-movement -description: Detect lateral movement in Azure AD/Entra ID environments using Microsoft Graph API audit logs, Azure Sentinel - KQL hunting queries, and sign-in anomaly correlation to identify privilege escalation, token theft, and cross-tenant pivoting. +description: Detect lateral movement in Azure AD/Entra ID environments using Microsoft + Graph API audit logs, Azure Sentinel KQL hunting queries, and sign-in anomaly correlation + to identify privilege escalation, token theft, and cross-tenant pivoting. domain: cybersecurity subdomain: cloud-security tags: @@ -21,6 +22,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1550.001 +- T1021.007 +- T1098.003 +- T1528 --- # Detecting Azure Lateral Movement diff --git a/skills/detecting-azure-service-principal-abuse/SKILL.md b/skills/detecting-azure-service-principal-abuse/SKILL.md index e3422a5e..f014f2a1 100644 --- a/skills/detecting-azure-service-principal-abuse/SKILL.md +++ b/skills/detecting-azure-service-principal-abuse/SKILL.md 
@@ -1,7 +1,8 @@ --- name: detecting-azure-service-principal-abuse -description: Detect and investigate Azure service principal abuse including privilege escalation, credential compromise, admin - consent bypass, and unauthorized enumeration in Microsoft Entra ID environments. +description: Detect and investigate Azure service principal abuse including privilege + escalation, credential compromise, admin consent bypass, and unauthorized enumeration + in Microsoft Entra ID environments. domain: cybersecurity subdomain: cloud-security tags: @@ -27,6 +28,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1098.001 +- T1528 +- T1550.001 +- T1098.003 --- # Detecting Azure Service Principal Abuse diff --git a/skills/detecting-azure-storage-account-misconfigurations/SKILL.md b/skills/detecting-azure-storage-account-misconfigurations/SKILL.md index 672b5f2f..f9b62efd 100644 --- a/skills/detecting-azure-storage-account-misconfigurations/SKILL.md +++ b/skills/detecting-azure-storage-account-misconfigurations/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-azure-storage-account-misconfigurations -description: Audit Azure Blob and ADLS storage accounts for public access exposure, weak or long-lived SAS tokens, missing - encryption at rest, disabled HTTPS-only traffic, and outdated TLS versions using the azure-mgmt-storage Python SDK. +description: Audit Azure Blob and ADLS storage accounts for public access exposure, + weak or long-lived SAS tokens, missing encryption at rest, disabled HTTPS-only traffic, + and outdated TLS versions using the azure-mgmt-storage Python SDK. domain: cybersecurity subdomain: cloud-security tags: @@ -30,6 +31,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1530 +- T1078.004 +- T1619 +- T1580 --- # Detecting Azure Storage Account Misconfigurations diff --git a/skills/detecting-beaconing-patterns-with-zeek/SKILL.md b/skills/detecting-beaconing-patterns-with-zeek/SKILL.md index 60b34359..33f59118 100644 
--- a/skills/detecting-beaconing-patterns-with-zeek/SKILL.md +++ b/skills/detecting-beaconing-patterns-with-zeek/SKILL.md @@ -1,17 +1,22 @@ --- name: detecting-beaconing-patterns-with-zeek -description: 'Performs statistical analysis of Zeek conn.log connection intervals to detect C2 beaconing patterns. Uses the - ZAT library to load Zeek logs into Pandas DataFrames, calculates inter-arrival time standard deviation, and flags periodic - connections with low jitter. Use when hunting for command-and-control callbacks in network data. +description: 'Performs statistical analysis of Zeek conn.log connection intervals + to detect C2 beaconing patterns. Uses the ZAT library to load Zeek logs into Pandas + DataFrames, calculates inter-arrival time standard deviation, and flags periodic + connections with low jitter. Use when hunting for command-and-control callbacks + in network data. ' domain: cybersecurity subdomain: security-operations tags: -- detecting -- beaconing -- patterns -- with +- network-security +- zeek +- c2-beaconing +- conn-log-analysis +- zat +- threat-hunting +- statistical-analysis version: '1.0' author: mahipal license: Apache-2.0 @@ -20,6 +25,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1071.001 +- T1071.004 +- T1573 +- T1008 +- T1095 --- # Detecting Beaconing Patterns with Zeek diff --git a/skills/detecting-bluetooth-low-energy-attacks/SKILL.md b/skills/detecting-bluetooth-low-energy-attacks/SKILL.md index bb5ff148..9e9e0a2b 100644 --- a/skills/detecting-bluetooth-low-energy-attacks/SKILL.md +++ b/skills/detecting-bluetooth-low-energy-attacks/SKILL.md 
@@ -1,10 +1,13 @@ --- name: detecting-bluetooth-low-energy-attacks -description: 'Detects and analyzes Bluetooth Low Energy (BLE) security attacks including sniffing, replay attacks, GATT enumeration - abuse, and Man-in-the-Middle interception. Uses Ubertooth One and nRF52840 sniffers for packet capture, the bleak Python - library for GATT service enumeration, and crackle for BLE encryption cracking. Use when assessing IoT device BLE security, - monitoring for BLE-based attacks on wireless infrastructure, or performing authorized BLE penetration testing. Activates - for requests involving BLE security assessment, Ubertooth sniffing, GATT enumeration, or BLE replay detection. +description: 'Detects and analyzes Bluetooth Low Energy (BLE) security attacks including + sniffing, replay attacks, GATT enumeration abuse, and Man-in-the-Middle interception. + Uses Ubertooth One and nRF52840 sniffers for packet capture, the bleak Python library + for GATT service enumeration, and crackle for BLE encryption cracking. Use when + assessing IoT device BLE security, monitoring for BLE-based attacks on wireless + infrastructure, or performing authorized BLE penetration testing. Activates for + requests involving BLE security assessment, Ubertooth sniffing, GATT enumeration, + or BLE replay detection. ' domain: cybersecurity @@ -25,6 +28,11 @@ nist_csf: - PR.IR-01 - DE.CM-01 - ID.AM-03 +mitre_attack: +- T1011.001 +- T1557 +- T1040 +- T1200 --- # Detecting Bluetooth Low Energy Attacks diff --git a/skills/detecting-broken-object-property-level-authorization/SKILL.md b/skills/detecting-broken-object-property-level-authorization/SKILL.md index f1fa796e..a95e7b7f 100644 --- a/skills/detecting-broken-object-property-level-authorization/SKILL.md +++ b/skills/detecting-broken-object-property-level-authorization/SKILL.md 
@@ -1,7 +1,7 @@ --- name: detecting-broken-object-property-level-authorization -description: Detect and test for OWASP API3:2023 Broken Object Property Level Authorization vulnerabilities including excessive - data exposure and mass assignment attacks. +description: Detect and test for OWASP API3:2023 Broken Object Property Level Authorization + vulnerabilities including excessive data exposure and mass assignment attacks. domain: cybersecurity subdomain: api-security tags: @@ -21,6 +21,10 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1213 +- T1212 --- # Detecting Broken Object Property Level Authorization diff --git a/skills/detecting-business-email-compromise-with-ai/SKILL.md b/skills/detecting-business-email-compromise-with-ai/SKILL.md index c64c02f8..610275fb 100644 --- a/skills/detecting-business-email-compromise-with-ai/SKILL.md +++ b/skills/detecting-business-email-compromise-with-ai/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-business-email-compromise-with-ai -description: Deploy AI and NLP-powered detection systems to identify business email compromise attacks by analyzing writing - style, behavioral patterns, and contextual anomalies that evade traditional rule-based filters. +description: Deploy AI and NLP-powered detection systems to identify business email + compromise attacks by analyzing writing style, behavioral patterns, and contextual + anomalies that evade traditional rule-based filters. domain: cybersecurity subdomain: phishing-defense tags: @@ -37,6 +38,12 @@ nist_csf: - DE.CM-09 - RS.CO-02 - DE.AE-02 +mitre_attack: +- T1566.002 +- T1534 +- T1114.002 +- T1657 +- T1078.004 --- # Detecting Business Email Compromise with AI diff --git a/skills/detecting-business-email-compromise/SKILL.md b/skills/detecting-business-email-compromise/SKILL.md index 71d06a9d..7d38f6df 100644 --- a/skills/detecting-business-email-compromise/SKILL.md +++ b/skills/detecting-business-email-compromise/SKILL.md 
@@ -1,7 +1,8 @@ --- name: detecting-business-email-compromise -description: Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors, - or trusted partners to trick employees into transferring funds, sharing sensitive data, +description: Business Email Compromise (BEC) is a sophisticated fraud scheme where + attackers impersonate executives, vendors, or trusted partners to trick employees + into transferring funds, sharing sensitive data, domain: cybersecurity subdomain: phishing-defense tags: @@ -32,6 +33,12 @@ nist_csf: - DE.CM-09 - RS.CO-02 - DE.AE-02 +mitre_attack: +- T1566.002 +- T1534 +- T1114.002 +- T1657 +- T1078.004 --- # Detecting Business Email Compromise diff --git a/skills/detecting-cloud-threats-with-guardduty/SKILL.md b/skills/detecting-cloud-threats-with-guardduty/SKILL.md index f92f165b..b7d7ed91 100644 --- a/skills/detecting-cloud-threats-with-guardduty/SKILL.md +++ b/skills/detecting-cloud-threats-with-guardduty/SKILL.md @@ -1,8 +1,10 @@ --- name: detecting-cloud-threats-with-guardduty -description: 'This skill teaches security teams how to deploy and operationalize Amazon GuardDuty for continuous threat detection - across AWS accounts and workloads. It covers enabling protection plans for S3, EKS, EC2 runtime monitoring, and Lambda, - interpreting finding severity levels, and building automated response workflows using EventBridge and Lambda. +description: 'This skill teaches security teams how to deploy and operationalize Amazon + GuardDuty for continuous threat detection across AWS accounts and workloads. It + covers enabling protection plans for S3, EKS, EC2 runtime monitoring, and Lambda, + interpreting finding severity levels, and building automated response workflows + using EventBridge and Lambda. ' domain: cybersecurity 
@@ -21,6 +23,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1071 --- # Detecting Cloud Threats with GuardDuty diff --git a/skills/detecting-command-and-control-over-dns/SKILL.md b/skills/detecting-command-and-control-over-dns/SKILL.md index c971f55b..5ea03970 100644 --- a/skills/detecting-command-and-control-over-dns/SKILL.md +++ b/skills/detecting-command-and-control-over-dns/SKILL.md @@ -1,10 +1,13 @@ --- name: detecting-command-and-control-over-dns -description: 'Detects command-and-control (C2) communications tunneled through DNS protocol including DNS tunneling tools - (Iodine, dnscat2, dns2tcp, Cobalt Strike DNS beacon), domain generation algorithms (DGA), encoded payload delivery via TXT/CNAME - records, and DNS beaconing patterns. Covers Shannon entropy analysis of query subdomains, statistical anomaly detection, - ML-based DGA classification, passive DNS correlation, and Zeek/Suricata signature development. Activates for requests involving - DNS-based C2 detection, DNS tunnel identification, suspicious DNS traffic investigation, or DGA domain classification. +description: 'Detects command-and-control (C2) communications tunneled through DNS + protocol including DNS tunneling tools (Iodine, dnscat2, dns2tcp, Cobalt Strike + DNS beacon), domain generation algorithms (DGA), encoded payload delivery via TXT/CNAME + records, and DNS beaconing patterns. Covers Shannon entropy analysis of query subdomains, + statistical anomaly detection, ML-based DGA classification, passive DNS correlation, + and Zeek/Suricata signature development. Activates for requests involving DNS-based + C2 detection, DNS tunnel identification, suspicious DNS traffic investigation, or + DGA domain classification. ' domain: cybersecurity @@ -24,6 +27,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1095 --- # Detecting Command and Control Over DNS 
diff --git a/skills/detecting-compromised-cloud-credentials/SKILL.md b/skills/detecting-compromised-cloud-credentials/SKILL.md index fb169d5c..a1f71ea1 100644 --- a/skills/detecting-compromised-cloud-credentials/SKILL.md +++ b/skills/detecting-compromised-cloud-credentials/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-compromised-cloud-credentials -description: 'Detecting compromised cloud credentials across AWS, Azure, and GCP by analyzing anomalous API activity, impossible - travel patterns, unauthorized resource provisioning, and credential abuse indicators using GuardDuty, Defender for Identity, +description: 'Detecting compromised cloud credentials across AWS, Azure, and GCP by + analyzing anomalous API activity, impossible travel patterns, unauthorized resource + provisioning, and credential abuse indicators using GuardDuty, Defender for Identity, and SCC Event Threat Detection. ' @@ -22,6 +23,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1003 --- # Detecting Compromised Cloud Credentials diff --git a/skills/detecting-container-drift-at-runtime/SKILL.md b/skills/detecting-container-drift-at-runtime/SKILL.md index 3bd0f07b..6198cb19 100644 --- a/skills/detecting-container-drift-at-runtime/SKILL.md +++ b/skills/detecting-container-drift-at-runtime/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-container-drift-at-runtime -description: Detect unauthorized modifications to running containers by monitoring for binary execution drift, file system - changes, and configuration deviations from the original container image. +description: Detect unauthorized modifications to running containers by monitoring + for binary execution drift, file system changes, and configuration deviations from + the original container image. domain: cybersecurity subdomain: container-security tags: 
@@ -21,6 +22,11 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 --- # Detecting Container Drift at Runtime diff --git a/skills/detecting-container-escape-attempts/SKILL.md b/skills/detecting-container-escape-attempts/SKILL.md index 52ae34db..158119f4 100644 --- a/skills/detecting-container-escape-attempts/SKILL.md +++ b/skills/detecting-container-escape-attempts/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-container-escape-attempts -description: Container escape is a critical attack technique where an adversary breaks out of container isolation to access - the host system or other containers. Detection involves monitoring for escape indicators +description: Container escape is a critical attack technique where an adversary breaks + out of container isolation to access the host system or other containers. Detection + involves monitoring for escape indicators domain: cybersecurity subdomain: container-security tags: @@ -25,6 +26,11 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 --- # Detecting Container Escape Attempts diff --git a/skills/detecting-container-escape-with-falco-rules/SKILL.md b/skills/detecting-container-escape-with-falco-rules/SKILL.md index f3284bd7..1918733e 100644 --- a/skills/detecting-container-escape-with-falco-rules/SKILL.md +++ b/skills/detecting-container-escape-with-falco-rules/SKILL.md @@ -1,7 +1,7 @@ --- name: detecting-container-escape-with-falco-rules -description: Detect container escape attempts in real-time using Falco runtime security rules that monitor syscalls, file - access, and privilege escalation. +description: Detect container escape attempts in real-time using Falco runtime security + rules that monitor syscalls, file access, and privilege escalation. domain: cybersecurity subdomain: container-security tags: 
@@ -25,6 +25,12 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 +- T1068 --- # Detecting Container Escape with Falco Rules diff --git a/skills/detecting-credential-dumping-techniques/SKILL.md b/skills/detecting-credential-dumping-techniques/SKILL.md index f7add208..a5e25678 100644 --- a/skills/detecting-credential-dumping-techniques/SKILL.md +++ b/skills/detecting-credential-dumping-techniques/SKILL.md @@ -1,7 +1,7 @@ --- name: detecting-credential-dumping-techniques -description: Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows - Security logs, and SIEM correlation rules +description: Detect LSASS credential dumping, SAM database extraction, and NTDS.dit + theft using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules domain: cybersecurity subdomain: threat-detection tags: @@ -26,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-06 - ID.RA-05 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1003 +- T1110 --- # Detecting Credential Dumping Techniques diff --git a/skills/detecting-cryptomining-in-cloud/SKILL.md b/skills/detecting-cryptomining-in-cloud/SKILL.md index 5325525f..9bf661bf 100644 --- a/skills/detecting-cryptomining-in-cloud/SKILL.md +++ b/skills/detecting-cryptomining-in-cloud/SKILL.md 
@@ -1,9 +1,10 @@ --- name: detecting-cryptomining-in-cloud -description: 'This skill teaches security teams how to detect and respond to unauthorized cryptocurrency mining operations - in cloud environments. It covers identifying cryptomining indicators through compute usage anomalies, network traffic patterns - to mining pools, GuardDuty CryptoCurrency findings, and runtime process monitoring on EC2, ECS, EKS, and Azure Automation - workloads. +description: 'This skill teaches security teams how to detect and respond to unauthorized + cryptocurrency mining operations in cloud environments. It covers identifying cryptomining + indicators through compute usage anomalies, network traffic patterns to mining pools, + GuardDuty CryptoCurrency findings, and runtime process monitoring on EC2, ECS, EKS, + and Azure Automation workloads. ' domain: cybersecurity @@ -22,6 +23,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1071 --- # Detecting Cryptomining in Cloud diff --git a/skills/detecting-dcsync-attack-in-active-directory/SKILL.md b/skills/detecting-dcsync-attack-in-active-directory/SKILL.md index 940ac3c8..fed2fd89 100644 --- a/skills/detecting-dcsync-attack-in-active-directory/SKILL.md +++ b/skills/detecting-dcsync-attack-in-active-directory/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-dcsync-attack-in-active-directory -description: Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes - by monitoring for non-domain-controller accounts requesting directory replication via DsGetNCChanges. +description: Detect DCSync attacks where adversaries abuse Active Directory replication + privileges to extract password hashes by monitoring for non-domain-controller accounts + requesting directory replication via DsGetNCChanges. domain: cybersecurity subdomain: threat-hunting tags: 
@@ -26,6 +27,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1003 --- # Detecting DCSync Attack in Active Directory diff --git a/skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md b/skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md index 974a73e5..4d1e75e4 100644 --- a/skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md +++ b/skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md @@ -1,10 +1,11 @@ --- name: detecting-deepfake-audio-in-vishing-attacks -description: 'Detects AI-generated deepfake audio used in voice phishing (vishing) attacks by extracting spectral features - (MFCC, spectral centroid, spectral contrast, zero-crossing rate) and classifying samples with machine learning models. Supports - batch analysis of audio files, generates confidence scores, and produces forensic reports. Activates for requests involving - deepfake voice detection, vishing investigation, AI-generated speech analysis, voice cloning detection, or audio authenticity - verification. +description: 'Detects AI-generated deepfake audio used in voice phishing (vishing) + attacks by extracting spectral features (MFCC, spectral centroid, spectral contrast, + zero-crossing rate) and classifying samples with machine learning models. Supports + batch analysis of audio files, generates confidence scores, and produces forensic + reports. Activates for requests involving deepfake voice detection, vishing investigation, + AI-generated speech analysis, voice cloning detection, or audio authenticity verification. ' domain: cybersecurity @@ -40,6 +41,12 @@ nist_csf: - PR.AT-01 - DE.CM-09 - RS.CO-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1566 +- T1598 --- # Detecting Deepfake Audio in Vishing Attacks diff --git a/skills/detecting-dll-sideloading-attacks/SKILL.md b/skills/detecting-dll-sideloading-attacks/SKILL.md index 59b2c429..accccada 100644 --- a/skills/detecting-dll-sideloading-attacks/SKILL.md 
+++ b/skills/detecting-dll-sideloading-attacks/SKILL.md @@ -1,7 +1,7 @@ --- name: detecting-dll-sideloading-attacks -description: Detect DLL side-loading attacks where adversaries place malicious DLLs alongside legitimate applications to hijack - execution flow for defense evasion. +description: Detect DLL side-loading attacks where adversaries place malicious DLLs + alongside legitimate applications to hijack execution flow for defense evasion. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1027 --- # Detecting DLL Sideloading Attacks diff --git a/skills/detecting-dnp3-protocol-anomalies/SKILL.md b/skills/detecting-dnp3-protocol-anomalies/SKILL.md index 0be16d05..6a046c95 100644 --- a/skills/detecting-dnp3-protocol-anomalies/SKILL.md +++ b/skills/detecting-dnp3-protocol-anomalies/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-dnp3-protocol-anomalies -description: 'Detect anomalies in DNP3 (Distributed Network Protocol 3) communications used in SCADA systems by monitoring - for unauthorized control commands, firmware update attempts, protocol violations, and deviations from baseline traffic patterns +description: 'Detect anomalies in DNP3 (Distributed Network Protocol 3) communications + used in SCADA systems by monitoring for unauthorized control commands, firmware + update attempts, protocol violations, and deviations from baseline traffic patterns using deep packet inspection and machine learning approaches. ' @@ -31,6 +32,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Detecting DNP3 Protocol Anomalies diff --git a/skills/detecting-dns-exfiltration-with-dns-query-analysis/SKILL.md b/skills/detecting-dns-exfiltration-with-dns-query-analysis/SKILL.md index 2d35d261..a551d7e0 100644 --- a/skills/detecting-dns-exfiltration-with-dns-query-analysis/SKILL.md 
+++ b/skills/detecting-dns-exfiltration-with-dns-query-analysis/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-dns-exfiltration-with-dns-query-analysis -description: Detect data exfiltration through DNS tunneling by analyzing query entropy, subdomain length, query volume, TXT - record abuse, and response payload sizes using passive DNS monitoring. +description: Detect data exfiltration through DNS tunneling by analyzing query entropy, + subdomain length, query volume, TXT record abuse, and response payload sizes using + passive DNS monitoring. domain: cybersecurity subdomain: network-security tags: @@ -22,6 +23,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1048 --- # Detecting DNS Exfiltration with DNS Query Analysis diff --git a/skills/detecting-email-account-compromise/SKILL.md b/skills/detecting-email-account-compromise/SKILL.md index 7d8a9783..abe85892 100644 --- a/skills/detecting-email-account-compromise/SKILL.md +++ b/skills/detecting-email-account-compromise/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-email-account-compromise -description: Detect compromised O365 and Google Workspace email accounts by analyzing inbox rule creation, suspicious sign-in - locations, mail forwarding rules, and unusual API access patterns via Microsoft Graph and audit logs. +description: Detect compromised O365 and Google Workspace email accounts by analyzing + inbox rule creation, suspicious sign-in locations, mail forwarding rules, and unusual + API access patterns via Microsoft Graph and audit logs. domain: cybersecurity subdomain: incident-response tags: @@ -13,10 +14,11 @@ tags: - sign-in-analysis - account-takeover mitre_attack: -- T1114 -- T1566 +- T1486 +- T1490 +- T1070 - T1078 -- T1534 +- T1566 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/detecting-email-forwarding-rules-attack/SKILL.md b/skills/detecting-email-forwarding-rules-attack/SKILL.md index f8c77b24..eb525613 100644 
--- a/skills/detecting-email-forwarding-rules-attack/SKILL.md +++ b/skills/detecting-email-forwarding-rules-attack/SKILL.md @@ -1,7 +1,7 @@ --- name: detecting-email-forwarding-rules-attack -description: Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications - for intelligence collection and BEC attacks. +description: Detect malicious email forwarding rules created by adversaries to maintain + persistent access to email communications for intelligence collection and BEC attacks. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1547 --- # Detecting Email Forwarding Rules Attack diff --git a/skills/detecting-evasion-techniques-in-endpoint-logs/SKILL.md b/skills/detecting-evasion-techniques-in-endpoint-logs/SKILL.md index 2baf70cc..3dd6eb24 100644 --- a/skills/detecting-evasion-techniques-in-endpoint-logs/SKILL.md +++ b/skills/detecting-evasion-techniques-in-endpoint-logs/SKILL.md 
@@ -1,9 +1,11 @@ --- name: detecting-evasion-techniques-in-endpoint-logs -description: 'Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, timestomping, - process injection, and security tool disabling. Use when investigating suspicious endpoint behavior, building detection - rules for evasion tactics, or conducting threat hunting for stealthy adversary activity. Activates for requests involving - evasion detection, defense evasion analysis, log tampering detection, or MITRE ATT&CK TA0005. +description: 'Detects defense evasion techniques used by adversaries in endpoint logs + including log tampering, timestomping, process injection, and security tool disabling. + Use when investigating suspicious endpoint behavior, building detection rules for + evasion tactics, or conducting threat hunting for stealthy adversary activity. Activates + for requests involving evasion detection, defense evasion analysis, log tampering + detection, or MITRE ATT&CK TA0005. ' domain: cybersecurity @@ -29,6 +31,12 @@ nist_csf: - PR.PS-02 - DE.CM-01 - PR.IR-01 +mitre_attack: +- T1055 +- T1547 +- T1059 +- T1036 +- T1027 --- # Detecting Evasion Techniques in Endpoint Logs diff --git a/skills/detecting-exfiltration-over-dns-with-zeek/SKILL.md b/skills/detecting-exfiltration-over-dns-with-zeek/SKILL.md index ddb38f2c..7943235e 100644 --- a/skills/detecting-exfiltration-over-dns-with-zeek/SKILL.md +++ b/skills/detecting-exfiltration-over-dns-with-zeek/SKILL.md @@ -1,7 +1,7 @@ --- name: detecting-exfiltration-over-dns-with-zeek -description: Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy subdomains and anomalous query - patterns +description: Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy + subdomains and anomalous query patterns domain: cybersecurity subdomain: network-security tags: 
@@ -17,6 +17,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1048 --- diff --git a/skills/detecting-fileless-attacks-on-endpoints/SKILL.md b/skills/detecting-fileless-attacks-on-endpoints/SKILL.md index 6327b89a..2fa53e85 100644 --- a/skills/detecting-fileless-attacks-on-endpoints/SKILL.md +++ b/skills/detecting-fileless-attacks-on-endpoints/SKILL.md @@ -1,9 +1,11 @@ --- name: detecting-fileless-attacks-on-endpoints -description: 'Detects fileless malware and in-memory attacks that execute entirely in RAM without writing persistent files - to disk, evading traditional antivirus. Use when building detections for PowerShell-based attacks, reflective DLL injection, - WMI persistence, and registry-resident malware. Activates for requests involving fileless malware detection, in-memory attacks, - PowerShell exploitation, or living-off-the-land techniques. +description: 'Detects fileless malware and in-memory attacks that execute entirely + in RAM without writing persistent files to disk, evading traditional antivirus. + Use when building detections for PowerShell-based attacks, reflective DLL injection, + WMI persistence, and registry-resident malware. Activates for requests involving + fileless malware detection, in-memory attacks, PowerShell exploitation, or living-off-the-land + techniques. ' domain: cybersecurity @@ -22,6 +24,12 @@ nist_csf: - PR.PS-02 - DE.CM-01 - PR.IR-01 +mitre_attack: +- T1055 +- T1547 +- T1059 +- T1036 +- T1053 --- # Detecting Fileless Attacks on Endpoints diff --git a/skills/detecting-fileless-malware-techniques/SKILL.md b/skills/detecting-fileless-malware-techniques/SKILL.md index 5ec83a61..df48fa41 100644 --- a/skills/detecting-fileless-malware-techniques/SKILL.md +++ b/skills/detecting-fileless-malware-techniques/SKILL.md 
@@ -1,9 +1,10 @@ --- name: detecting-fileless-malware-techniques -description: 'Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection, - registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk. - Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI - persistence examination. +description: 'Detects and analyzes fileless malware that operates entirely in memory + using PowerShell, WMI, .NET reflection, registry-resident payloads, and living-off-the-land + binaries (LOLBins) without writing traditional executable files to disk. Activates + for requests involving fileless threat detection, in-memory malware investigation, + LOLBin abuse analysis, or WMI persistence examination. ' domain: cybersecurity @@ -28,6 +29,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1055 +- T1140 +- T1497 +- T1547 --- # Detecting Fileless Malware Techniques diff --git a/skills/detecting-golden-ticket-attacks-in-kerberos-logs/SKILL.md b/skills/detecting-golden-ticket-attacks-in-kerberos-logs/SKILL.md index ad37369e..d1293358 100644 --- a/skills/detecting-golden-ticket-attacks-in-kerberos-logs/SKILL.md +++ b/skills/detecting-golden-ticket-attacks-in-kerberos-logs/SKILL.md 
@@ -1,7 +1,8 @@ --- name: detecting-golden-ticket-attacks-in-kerberos-logs -description: Detect Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including mismatched encryption - types, impossible ticket lifetimes, non-existent accounts, and forged PAC signatures in domain controller event logs. +description: Detect Golden Ticket attacks in Active Directory by analyzing Kerberos + TGT anomalies including mismatched encryption types, impossible ticket lifetimes, + non-existent accounts, and forged PAC signatures in domain controller event logs. domain: cybersecurity subdomain: threat-hunting tags: @@ -19,6 +20,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1003 --- # Detecting Golden Ticket Attacks in Kerberos Logs diff --git a/skills/detecting-golden-ticket-forgery/SKILL.md b/skills/detecting-golden-ticket-forgery/SKILL.md index d79e0da8..a5c21ccf 100644 --- a/skills/detecting-golden-ticket-forgery/SKILL.md +++ b/skills/detecting-golden-ticket-forgery/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-golden-ticket-forgery -description: Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17), - abnormal ticket lifetimes, and krbtgt account anomalies in Splunk and Elastic SIEM +description: Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 + for RC4 encryption downgrades (0x17), abnormal ticket lifetimes, and krbtgt account + anomalies in Splunk and Elastic SIEM domain: cybersecurity subdomain: threat-detection tags: @@ -26,6 +27,12 @@ nist_csf: - DE.AE-02 - DE.AE-06 - ID.RA-05 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1003 +- T1110 --- # Detecting Golden Ticket Forgery diff --git a/skills/detecting-insider-data-exfiltration-via-dlp/SKILL.md b/skills/detecting-insider-data-exfiltration-via-dlp/SKILL.md index 59f7a931..f99062d8 100644 --- a/skills/detecting-insider-data-exfiltration-via-dlp/SKILL.md 
+++ b/skills/detecting-insider-data-exfiltration-via-dlp/SKILL.md @@ -1,17 +1,21 @@ --- name: detecting-insider-data-exfiltration-via-dlp -description: 'Detects insider data exfiltration by analyzing DLP policy violations, file access patterns, upload volume anomalies, - and off-hours activity in endpoint and cloud logs. Uses pandas for behavioral analytics and statistical baselines. Use when - investigating insider threats or building user behavior analytics for data loss prevention. +description: 'Detects insider data exfiltration by analyzing DLP policy violations, + file access patterns, upload volume anomalies, and off-hours activity in endpoint + and cloud logs. Uses pandas for behavioral analytics and statistical baselines. + Use when investigating insider threats or building user behavior analytics for data + loss prevention. ' domain: cybersecurity subdomain: security-operations tags: -- detecting -- insider -- data -- exfiltration +- insider-threat +- data-loss-prevention +- dlp +- exfiltration-detection +- ueba +- security-operations version: '1.0' author: mahipal license: Apache-2.0 @@ -20,6 +24,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1048 +- T1041 --- # Detecting Insider Data Exfiltration via DLP diff --git a/skills/detecting-insider-threat-behaviors/SKILL.md b/skills/detecting-insider-threat-behaviors/SKILL.md index 9c0b7d59..b856312b 100644 --- a/skills/detecting-insider-threat-behaviors/SKILL.md +++ b/skills/detecting-insider-threat-behaviors/SKILL.md 
@@ -1,7 +1,8 @@ --- name: detecting-insider-threat-behaviors -description: Detect insider threat behavioral indicators including unusual data access, off-hours activity, mass file downloads, - privilege abuse, and resignation-correlated data theft. +description: Detect insider threat behavioral indicators including unusual data access, + off-hours activity, mass file downloads, privilege abuse, and resignation-correlated + data theft. domain: cybersecurity subdomain: threat-hunting tags: @@ -25,6 +26,11 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 --- # Detecting Insider Threat Behaviors diff --git a/skills/detecting-insider-threat-with-ueba/SKILL.md b/skills/detecting-insider-threat-with-ueba/SKILL.md index d92f5a7d..b6c0ff11 100644 --- a/skills/detecting-insider-threat-with-ueba/SKILL.md +++ b/skills/detecting-insider-threat-with-ueba/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-insider-threat-with-ueba -description: Implement User and Entity Behavior Analytics using Elasticsearch/OpenSearch to build behavioral baselines, calculate - anomaly scores, perform peer group analysis, and detect insider threat indicators such as data exfiltration, privilege abuse, +description: Implement User and Entity Behavior Analytics using Elasticsearch/OpenSearch + to build behavioral baselines, calculate anomaly scores, perform peer group analysis, + and detect insider threat indicators such as data exfiltration, privilege abuse, and unauthorized access patterns. domain: cybersecurity subdomain: threat-detection @@ -21,6 +22,12 @@ nist_csf: - DE.AE-02 - DE.AE-06 - ID.RA-05 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1048 +- T1041 --- # Detecting Insider Threat with UEBA diff --git a/skills/detecting-kerberoasting-attacks/SKILL.md b/skills/detecting-kerberoasting-attacks/SKILL.md index 915ae45a..ee1493f1 100644 --- a/skills/detecting-kerberoasting-attacks/SKILL.md +++ b/skills/detecting-kerberoasting-attacks/SKILL.md 
@@ -1,7 +1,7 @@ --- name: detecting-kerberoasting-attacks -description: Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with - SPNs for offline password cracking. +description: Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS + requests targeting service accounts with SPNs for offline password cracking. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1003 --- # Detecting Kerberoasting Attacks diff --git a/skills/detecting-lateral-movement-in-network/SKILL.md b/skills/detecting-lateral-movement-in-network/SKILL.md index b744560b..5c8d0325 100644 --- a/skills/detecting-lateral-movement-in-network/SKILL.md +++ b/skills/detecting-lateral-movement-in-network/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-lateral-movement-in-network -description: 'Identifies lateral movement techniques in enterprise networks by analyzing authentication logs, network flows, - SMB traffic, and RDP sessions using Zeek, Velociraptor, and SIEM correlation rules to detect attackers moving between systems. +description: 'Identifies lateral movement techniques in enterprise networks by analyzing + authentication logs, network flows, SMB traffic, and RDP sessions using Zeek, Velociraptor, + and SIEM correlation rules to detect attackers moving between systems. ' domain: cybersecurity @@ -26,6 +27,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1021 --- # Detecting Lateral Movement in Network diff --git a/skills/detecting-lateral-movement-with-splunk/SKILL.md b/skills/detecting-lateral-movement-with-splunk/SKILL.md index 32a2c66e..77aa43bf 100644 --- a/skills/detecting-lateral-movement-with-splunk/SKILL.md +++ b/skills/detecting-lateral-movement-with-splunk/SKILL.md 
@@ -1,7 +1,7 @@ --- name: detecting-lateral-movement-with-splunk -description: Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, - SMB traffic, and remote service abuse. +description: Detect adversary lateral movement across networks using Splunk SPL queries + against Windows authentication logs, SMB traffic, and remote service abuse. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1021 --- # Detecting Lateral Movement with Splunk diff --git a/skills/detecting-lateral-movement-with-zeek/SKILL.md b/skills/detecting-lateral-movement-with-zeek/SKILL.md index 4890cf6c..cda613c0 100644 --- a/skills/detecting-lateral-movement-with-zeek/SKILL.md +++ b/skills/detecting-lateral-movement-with-zeek/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-lateral-movement-with-zeek -description: 'Detect lateral movement in network traffic using Zeek (formerly Bro) log analysis. Parses conn.log, smb_mapping.log, - smb_files.log, dce_rpc.log, kerberos.log, and ntlm.log to identify SMB file transfers, NTLM account spray activity, remote +description: 'Detect lateral movement in network traffic using Zeek (formerly Bro) + log analysis. Parses conn.log, smb_mapping.log, smb_files.log, dce_rpc.log, kerberos.log, + and ntlm.log to identify SMB file transfers, NTLM account spray activity, remote service execution, and anomalous internal connections. ' @@ -22,6 +23,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1021 --- # Detecting Lateral Movement with Zeek diff --git a/skills/detecting-living-off-the-land-attacks/SKILL.md b/skills/detecting-living-off-the-land-attacks/SKILL.md index 1a4de25c..19e38bad 100644 --- a/skills/detecting-living-off-the-land-attacks/SKILL.md +++ b/skills/detecting-living-off-the-land-attacks/SKILL.md 
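Review bot: detecting-lateral-movement-with-splunk carries the T1046/T1057/T1082/T1083 Discovery block with T1021 tacked on; only T1021 relates to "Windows authentication logs, SMB traffic, and remote service abuse". Drop the four Discovery IDs and split T1021 into T1021.001 and T1021.002, which is what SPL over logon type and admin share names actually keys on.

Review bot: detecting-lateral-movement-with-zeek reuses the T1046/T1040/T1557/T1071/T1021 set, but its description names "NTLM account spray activity" and "remote service execution", which are T1110.003 (Password Spraying) and T1021.002 or T1569.002 (Service Execution); neither appears in the list. The SMB file transfers it parses from smb_files.log are T1570 (Lateral Tool Transfer). Drop T1040 and T1557, which the description gives no basis for, and add those.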
@@ -1,7 +1,8 @@ --- name: detecting-living-off-the-land-attacks -description: 'Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process - creation, command-line arguments, and parent-child relationships to identify suspicious LOLBin execution patterns. +description: 'Detect abuse of legitimate Windows binaries (LOLBins) used for living + off the land attacks. Monitors process creation, command-line arguments, and parent-child + relationships to identify suspicious LOLBin execution patterns. ' domain: cybersecurity @@ -25,6 +26,10 @@ nist_csf: - DE.AE-02 - DE.AE-06 - ID.RA-05 +mitre_attack: +- T1078 +- T1190 +- T1059 --- # Detecting Living Off the Land Attacks diff --git a/skills/detecting-living-off-the-land-with-lolbas/SKILL.md b/skills/detecting-living-off-the-land-with-lolbas/SKILL.md index 8ed709c7..a999395d 100644 --- a/skills/detecting-living-off-the-land-with-lolbas/SKILL.md +++ b/skills/detecting-living-off-the-land-with-lolbas/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-living-off-the-land-with-lolbas -description: Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32 - via process telemetry, Sigma rules, and parent-child process analysis +description: Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including + certutil, regsvr32, mshta, and rundll32 via process telemetry, Sigma rules, and + parent-child process analysis domain: cybersecurity subdomain: threat-detection tags: @@ -26,6 +27,10 @@ nist_csf: - DE.AE-02 - DE.AE-06 - ID.RA-05 +mitre_attack: +- T1078 +- T1190 +- T1059 --- # Detecting Living Off the Land with LOLBAS diff --git a/skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md b/skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md index d979bc33..c989ebfe 100644 --- a/skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md +++ b/skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md 
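Review bot: detecting-living-off-the-land-attacks is mapped to T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application) and T1059, none of which is LOLBin abuse. The canonical technique for the process-creation and parent-child patterns the description covers is T1218 (System Binary Proxy Execution), with T1059 retained only for the script-host cases. Replace T1078 and T1190 with T1218.

Review bot: detecting-living-off-the-land-with-lolbas gets the same T1078/T1190/T1059 triple even though its description names the binaries outright: mshta is T1218.005, regsvr32 is T1218.010, rundll32 is T1218.011, and certutil use is T1105 (Ingress Tool Transfer) or T1140 (Deobfuscate/Decode Files or Information). Those five are the mapping; T1078 and T1190 should go.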
@@ -1,10 +1,12 @@ --- name: detecting-malicious-scheduled-tasks-with-sysmon -description: 'Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process Create for schtasks.exe), - 11 (File Create for task XML), and Windows Security Event 4698/4702. The analyst correlates task creation with suspicious - parent processes, public directory paths, and encoded command arguments to identify persistence and lateral movement via - scheduled tasks. Activates for requests involving scheduled task detection, Sysmon persistence hunting, or T1053.005 Scheduled - Task/Job analysis. +description: 'Detect malicious scheduled task creation and modification using Sysmon + Event IDs 1 (Process Create for schtasks.exe), 11 (File Create for task XML), and + Windows Security Event 4698/4702. The analyst correlates task creation with suspicious + parent processes, public directory paths, and encoded command arguments to identify + persistence and lateral movement via scheduled tasks. Activates for requests involving + scheduled task detection, Sysmon persistence hunting, or T1053.005 Scheduled Task/Job + analysis. ' domain: cybersecurity @@ -30,6 +32,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1021 --- # Detecting Malicious Scheduled Tasks with Sysmon diff --git a/skills/detecting-mimikatz-execution-patterns/SKILL.md b/skills/detecting-mimikatz-execution-patterns/SKILL.md index c428c8cd..48637490 100644 --- a/skills/detecting-mimikatz-execution-patterns/SKILL.md +++ b/skills/detecting-mimikatz-execution-patterns/SKILL.md 
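Review bot: the description of detecting-malicious-scheduled-tasks-with-sysmon says it "Activates for requests involving ... T1053.005 Scheduled Task/Job analysis", yet the `mitre_attack` list added below it is T1046/T1057/T1082/T1083/T1021 and does not contain T1053.005. The frontmatter contradicts the description in the same file. It should be T1053.005 at minimum, with T1021 kept only if the body covers remote task creation against other hosts.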
@@ -1,7 +1,7 @@ --- name: detecting-mimikatz-execution-patterns -description: Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory - detection of known modules. +description: Detect Mimikatz execution through command-line patterns, LSASS access + signatures, binary indicators, and in-memory detection of known modules. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1003 --- # Detecting Mimikatz Execution Patterns diff --git a/skills/detecting-misconfigured-azure-storage/SKILL.md b/skills/detecting-misconfigured-azure-storage/SKILL.md index 6ef3e8ef..e304afda 100644 --- a/skills/detecting-misconfigured-azure-storage/SKILL.md +++ b/skills/detecting-misconfigured-azure-storage/SKILL.md @@ -1,8 +1,9 @@ --- name: detecting-misconfigured-azure-storage -description: 'Detecting misconfigured Azure Storage accounts including publicly accessible blob containers, missing encryption - settings, overly permissive SAS tokens, disabled logging, and network access violations using Azure CLI, PowerShell, and - Microsoft Defender for Storage. +description: 'Detecting misconfigured Azure Storage accounts including publicly accessible + blob containers, missing encryption settings, overly permissive SAS tokens, disabled + logging, and network access violations using Azure CLI, PowerShell, and Microsoft + Defender for Storage. ' domain: cybersecurity @@ -30,6 +31,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1610 --- # Detecting Misconfigured Azure Storage diff --git a/skills/detecting-mobile-malware-behavior/SKILL.md b/skills/detecting-mobile-malware-behavior/SKILL.md index 3d9839de..ad1a699a 100644 --- a/skills/detecting-mobile-malware-behavior/SKILL.md +++ b/skills/detecting-mobile-malware-behavior/SKILL.md 
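Review bot: detecting-mimikatz-execution-patterns keeps the Discovery template and adds only the parent T1003. The LSASS access signatures the description names are T1003.001 (LSASS Memory), and the "known modules" it detects in memory (typical Mimikatz modules such as sekurlsa, kerberos and lsadump) correspond to T1550.002 (Pass the Hash), T1558 (Steal or Forge Kerberos Tickets) and T1003.006 (DCSync). Use those and drop T1046/T1057/T1082/T1083.

Review bot: in detecting-misconfigured-azure-storage, T1610 (Deploy Container) has nothing to do with blob containers; "container" is a false friend here, drop it. T1078.004, T1530, T1537 and T1580 are defensible for public blob access, SAS token over-permission and enumeration. Note that these four IDs are copied verbatim into detecting-oauth-token-theft later in this patch, where they fit far worse.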
@@ -1,9 +1,11 @@ --- name: detecting-mobile-malware-behavior -description: 'Detects and analyzes malicious behavior in mobile applications through behavioral analysis, permission abuse - detection, network traffic monitoring, and dynamic instrumentation. Use when analyzing suspicious mobile applications for - data exfiltration, command-and-control communication, credential stealing, SMS interception, or other malware indicators. - Activates for requests involving mobile malware analysis, app behavior monitoring, trojan detection, or suspicious app investigation. +description: 'Detects and analyzes malicious behavior in mobile applications through + behavioral analysis, permission abuse detection, network traffic monitoring, and + dynamic instrumentation. Use when analyzing suspicious mobile applications for data + exfiltration, command-and-control communication, credential stealing, SMS interception, + or other malware indicators. Activates for requests involving mobile malware analysis, + app behavior monitoring, trojan detection, or suspicious app investigation. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - PR.AA-05 - ID.RA-01 - DE.CM-09 +mitre_attack: +- T1059 +- T1056 +- T1036 +- T1078 +- T1003 --- # Detecting Mobile Malware Behavior diff --git a/skills/detecting-modbus-command-injection-attacks/SKILL.md b/skills/detecting-modbus-command-injection-attacks/SKILL.md index 43411614..114cb432 100644 --- a/skills/detecting-modbus-command-injection-attacks/SKILL.md +++ b/skills/detecting-modbus-command-injection-attacks/SKILL.md 
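Review bot: detecting-mobile-malware-behavior is mapped to Enterprise IDs only (T1059, T1056, T1036, T1078, T1003), although this is exactly the skill where the Mobile matrix applies; T1003 (OS Credential Dumping) and T1078 (Valid Accounts) are not meaningful for app behavior analysis. The description's SMS interception, credential stealing, C2 communication and data exfiltration are Mobile T1582 (SMS Control), T1417 (Input Capture), T1437 (Application Layer Protocol) and T1646 (Exfiltration Over C2 Channel). Use the Mobile IDs here.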
@@ -1,8 +1,9 @@ --- name: detecting-modbus-command-injection-attacks -description: 'Detect command injection attacks against Modbus TCP/RTU protocol in ICS environments by monitoring for unauthorized - write operations, anomalous function codes, malformed frames, and deviations from established communication baselines using - ICS-aware IDS and protocol deep packet inspection. +description: 'Detect command injection attacks against Modbus TCP/RTU protocol in + ICS environments by monitoring for unauthorized write operations, anomalous function + codes, malformed frames, and deviations from established communication baselines + using ICS-aware IDS and protocol deep packet inspection. ' domain: cybersecurity @@ -24,6 +25,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1055 +- T0816 --- # Detecting Modbus Command Injection Attacks diff --git a/skills/detecting-modbus-protocol-anomalies/SKILL.md b/skills/detecting-modbus-protocol-anomalies/SKILL.md index e4549ceb..6dabb5d5 100644 --- a/skills/detecting-modbus-protocol-anomalies/SKILL.md +++ b/skills/detecting-modbus-protocol-anomalies/SKILL.md 
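Review bot: detecting-modbus-command-injection-attacks lists T1055 (Process Injection) alongside T1078/T1190/T1059; process injection is an endpoint memory technique and unrelated to injecting Modbus function codes on the wire. T0816 (Device Restart/Shutdown) is the only ICS ID present, but the unauthorized write operations and anomalous function codes in the description are T0855 (Unauthorized Command Message) and T0836 (Modify Parameter). Add those, drop T1055, and justify or drop the Enterprise triple.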
@@ -1,9 +1,11 @@ --- name: detecting-modbus-protocol-anomalies -description: 'This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications in industrial control systems. - It addresses function code monitoring, register range validation, timing analysis, unauthorized client detection, and deep - packet inspection for malformed Modbus frames. The skill leverages Zeek with Modbus protocol analyzers, Suricata IDS with - OT rules, and custom Python-based detection using Markov chain models for normal Modbus transaction sequences. +description: 'This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications + in industrial control systems. It addresses function code monitoring, register range + validation, timing analysis, unauthorized client detection, and deep packet inspection + for malformed Modbus frames. The skill leverages Zeek with Modbus protocol analyzers, + Suricata IDS with OT rules, and custom Python-based detection using Markov chain + models for normal Modbus transaction sequences. ' domain: cybersecurity @@ -32,6 +34,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Detecting Modbus Protocol Anomalies diff --git a/skills/detecting-network-anomalies-with-zeek/SKILL.md b/skills/detecting-network-anomalies-with-zeek/SKILL.md index eae3ede5..ace22f94 100644 --- a/skills/detecting-network-anomalies-with-zeek/SKILL.md +++ b/skills/detecting-network-anomalies-with-zeek/SKILL.md 
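Review bot: detecting-modbus-protocol-anomalies again carries T1078/T1190/T1059; T1059 (Command and Scripting Interpreter) has no place in a Modbus protocol-anomaly skill driven by Zeek, Suricata and Markov models of transaction sequences. T0816 and T0836 are appropriate; add T0855 (Unauthorized Command Message) for the function-code and malformed-frame cases the description covers, and remove the Enterprise IDs unless the body detects them.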
@@ -1,7 +1,8 @@ --- name: detecting-network-anomalies-with-zeek -description: 'Deploys and configures Zeek (formerly Bro) network security monitor to passively analyze network traffic, generate - structured logs, detect anomalous behavior, and create custom detection scripts for threat hunting and incident response. +description: 'Deploys and configures Zeek (formerly Bro) network security monitor + to passively analyze network traffic, generate structured logs, detect anomalous + behavior, and create custom detection scripts for threat hunting and incident response. ' domain: cybersecurity @@ -20,6 +21,11 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 --- # Detecting Network Anomalies with Zeek diff --git a/skills/detecting-network-scanning-with-ids-signatures/SKILL.md b/skills/detecting-network-scanning-with-ids-signatures/SKILL.md index 076425b0..3c3041b0 100644 --- a/skills/detecting-network-scanning-with-ids-signatures/SKILL.md +++ b/skills/detecting-network-scanning-with-ids-signatures/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-network-scanning-with-ids-signatures -description: Detect network reconnaissance and port scanning using Suricata and Snort IDS signatures, threshold-based detection - rules, and traffic anomaly analysis to identify Nmap, Masscan, and custom scanning activity. +description: Detect network reconnaissance and port scanning using Suricata and Snort + IDS signatures, threshold-based detection rules, and traffic anomaly analysis to + identify Nmap, Masscan, and custom scanning activity. domain: cybersecurity subdomain: network-security tags: @@ -22,6 +23,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1595 --- # Detecting Network Scanning with IDS Signatures diff --git a/skills/detecting-ntlm-relay-with-event-correlation/SKILL.md b/skills/detecting-ntlm-relay-with-event-correlation/SKILL.md index 1074c409..9e9a4d9b 100644 
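Review bot: detecting-network-anomalies-with-zeek maps a passive NSM deployment skill to T1040 (Network Sniffing) and T1557 (Adversary-in-the-Middle). Zeek sniffing traffic is the defender's action, not an adversary technique the skill detects, so T1040 is a category error; T1557 and T1071 are only valid if the body ships detections for them. Limit the list to techniques the skill's scripts actually detect.

Review bot: detecting-network-scanning-with-ids-signatures correctly includes T1595 (Active Scanning) and T1046, but the T1040/T1557/T1071 carry-over from the network template is unrelated to Nmap and Masscan detection. Prefer T1595.001 (Scanning IP Blocks) and T1595.002 (Vulnerability Scanning) to the parent, and drop the other three.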
--- a/skills/detecting-ntlm-relay-with-event-correlation/SKILL.md +++ b/skills/detecting-ntlm-relay-with-event-correlation/SKILL.md @@ -1,8 +1,9 @@ --- name: detecting-ntlm-relay-with-event-correlation -description: 'Detect NTLM relay attacks through Windows Security Event correlation by analyzing Event 4624 LogonType 3 for - IP-to-hostname mismatches, identifying Responder/LLMNR poisoning artifacts, auditing SMB and LDAP signing enforcement across - the domain, and detecting NTLM downgrade attacks from NTLMv2 to NTLMv1 using event log analysis. +description: 'Detect NTLM relay attacks through Windows Security Event correlation + by analyzing Event 4624 LogonType 3 for IP-to-hostname mismatches, identifying Responder/LLMNR + poisoning artifacts, auditing SMB and LDAP signing enforcement across the domain, + and detecting NTLM downgrade attacks from NTLMv2 to NTLMv1 using event log analysis. ' domain: cybersecurity @@ -43,6 +44,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1069 --- # Detecting NTLM Relay with Event Correlation diff --git a/skills/detecting-oauth-token-theft/SKILL.md b/skills/detecting-oauth-token-theft/SKILL.md index c7d37b91..0d895a8e 100644 --- a/skills/detecting-oauth-token-theft/SKILL.md +++ b/skills/detecting-oauth-token-theft/SKILL.md 
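Review bot: detecting-ntlm-relay-with-event-correlation omits T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay), the exact technique for the Responder/LLMNR artifacts and relay the description covers, and lists the Discovery template plus T1069 (Permission Groups Discovery) instead. T1557 was added to the Zeek and fail2ban skills where it does not belong and is missing here where it does. Replace the list with T1557.001, and consider T1187 (Forced Authentication) for the coercion half of a relay chain.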
@@ -1,9 +1,11 @@ --- name: detecting-oauth-token-theft -description: 'Detects and responds to OAuth token theft and replay attacks in cloud environments, focusing on Microsoft Entra - ID (Azure AD) token protection, conditional access policies, and sign-in anomaly detection. Covers access token theft, refresh - token replay, Primary Refresh Token (PRT) abuse, and pass-the-cookie attacks. Activates for requests involving OAuth token - theft detection, token replay prevention, Azure AD conditional access token protection, or cloud identity attack investigation. +description: 'Detects and responds to OAuth token theft and replay attacks in cloud + environments, focusing on Microsoft Entra ID (Azure AD) token protection, conditional + access policies, and sign-in anomaly detection. Covers access token theft, refresh + token replay, Primary Refresh Token (PRT) abuse, and pass-the-cookie attacks. Activates + for requests involving OAuth token theft detection, token replay prevention, Azure + AD conditional access token protection, or cloud identity attack investigation. ' domain: cybersecurity @@ -25,6 +27,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 --- # Detecting OAuth Token Theft diff --git a/skills/detecting-pass-the-hash-attacks/SKILL.md b/skills/detecting-pass-the-hash-attacks/SKILL.md index 321c00f7..bdb790fd 100644 --- a/skills/detecting-pass-the-hash-attacks/SKILL.md +++ b/skills/detecting-pass-the-hash-attacks/SKILL.md 
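Review bot: detecting-oauth-token-theft reuses the Azure storage list (T1078.004, T1530, T1537, T1580); T1530 (Data from Cloud Storage), T1537 (Transfer Data to Cloud Account) and T1580 (Cloud Infrastructure Discovery) are not token theft. The description's access and refresh token theft and replay, PRT abuse and pass-the-cookie are T1528 (Steal Application Access Token), T1550.001 (Application Access Token), T1539 (Steal Web Session Cookie) and T1550.004 (Web Session Cookie). Keep T1078.004 and replace the rest.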
@@ -1,7 +1,8 @@ --- name: detecting-pass-the-hash-attacks -description: Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where - Kerberos is expected, and correlating with credential dumping. +description: Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, + identifying Type 3 logons with NTLM where Kerberos is expected, and correlating + with credential dumping. domain: cybersecurity subdomain: threat-hunting tags: @@ -25,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1003 --- # Detecting Pass The Hash Attacks diff --git a/skills/detecting-pass-the-ticket-attacks/SKILL.md b/skills/detecting-pass-the-ticket-attacks/SKILL.md index d6bfd407..cdaec04a 100644 --- a/skills/detecting-pass-the-ticket-attacks/SKILL.md +++ b/skills/detecting-pass-the-ticket-attacks/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-pass-the-ticket-attacks -description: Detect Kerberos Pass-the-Ticket (PtT) attacks by analyzing Windows Event IDs 4768, 4769, and 4771 for anomalous - ticket usage patterns in Splunk and Elastic SIEM +description: Detect Kerberos Pass-the-Ticket (PtT) attacks by analyzing Windows Event + IDs 4768, 4769, and 4771 for anomalous ticket usage patterns in Splunk and Elastic + SIEM domain: cybersecurity subdomain: threat-detection tags: @@ -26,6 +27,12 @@ nist_csf: - DE.AE-02 - DE.AE-06 - ID.RA-05 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1003 +- T1110 --- # Detecting Pass-the-Ticket Attacks diff --git a/skills/detecting-port-scanning-with-fail2ban/SKILL.md b/skills/detecting-port-scanning-with-fail2ban/SKILL.md index a335fa69..331c0761 100644 --- a/skills/detecting-port-scanning-with-fail2ban/SKILL.md +++ b/skills/detecting-port-scanning-with-fail2ban/SKILL.md 
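Review bot: detecting-pass-the-hash-attacks does not list T1550.002 (Use Alternate Authentication Material: Pass the Hash), the technique it is named after. T1003 is acceptable for the "correlating with credential dumping" clause, but T1046/T1057/T1082/T1083 are the unrelated Discovery block. Add T1550.002 and drop the Discovery IDs.

Review bot: detecting-pass-the-ticket-attacks lists T1078, T1190, T1059, T1003 and T1110 but not T1550.003 (Pass the Ticket). T1190 (Exploit Public-Facing Application) and T1110 (Brute Force) have no support in a description about Event ID 4768/4769/4771 ticket-usage anomalies. Use T1550.003 plus T1558 (Steal or Forge Kerberos Tickets), and keep T1078 only if the body covers logon correlation.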
@@ -1,8 +1,8 @@ --- name: detecting-port-scanning-with-fail2ban -description: 'Configures Fail2ban with custom filters and actions to detect port scanning activity, SSH brute force attempts, - and network reconnaissance, automatically banning offending IP addresses and alerting security teams to suspicious network - probing. +description: 'Configures Fail2ban with custom filters and actions to detect port scanning + activity, SSH brute force attempts, and network reconnaissance, automatically banning + offending IP addresses and alerting security teams to suspicious network probing. ' domain: cybersecurity @@ -21,6 +21,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1595 --- # Detecting Port Scanning with Fail2ban diff --git a/skills/detecting-privilege-escalation-attempts/SKILL.md b/skills/detecting-privilege-escalation-attempts/SKILL.md index 059a6027..d52b969a 100644 --- a/skills/detecting-privilege-escalation-attempts/SKILL.md +++ b/skills/detecting-privilege-escalation-attempts/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-privilege-escalation-attempts -description: Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel - exploits, and sudo/doas abuse across Windows and Linux. +description: Detect privilege escalation attempts including token manipulation, UAC + bypass, unquoted service paths, kernel exploits, and sudo/doas abuse across Windows + and Linux. domain: cybersecurity subdomain: threat-hunting tags: @@ -25,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1068 --- # Detecting Privilege Escalation Attempts diff --git a/skills/detecting-privilege-escalation-in-kubernetes-pods/SKILL.md b/skills/detecting-privilege-escalation-in-kubernetes-pods/SKILL.md index 7ce5d093..91af3cd1 100644 --- a/skills/detecting-privilege-escalation-in-kubernetes-pods/SKILL.md 
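Review bot: detecting-port-scanning-with-fail2ban inherits T1040/T1557/T1071 from the network template; Fail2ban reads service logs and bans source IPs, and detects none of those. The SSH brute force in the description is T1110.001 (Password Guessing) against T1021.004 (SSH). Keep T1046 and T1595 for the scanning half, add T1110.001, and drop the rest.

Review bot: detecting-privilege-escalation-attempts has T1068 as its only relevant ID. The description enumerates token manipulation (T1134), UAC bypass (T1548.002), unquoted service paths (T1574.009) and sudo abuse (T1548.003), none of which is listed, while the T1046/T1057/T1082/T1083 Discovery block is. Swap the Discovery IDs for those four.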
+++ b/skills/detecting-privilege-escalation-in-kubernetes-pods/SKILL.md @@ -1,7 +1,7 @@ --- name: detecting-privilege-escalation-in-kubernetes-pods -description: Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and - syscall patterns with Falco and OPA policies. +description: Detect and prevent privilege escalation in Kubernetes pods by monitoring + security contexts, capabilities, and syscall patterns with Falco and OPA policies. domain: cybersecurity subdomain: container-security tags: @@ -25,6 +25,12 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 +- T1068 --- # Detecting Privilege Escalation in Kubernetes Pods diff --git a/skills/detecting-process-hollowing-technique/SKILL.md b/skills/detecting-process-hollowing-technique/SKILL.md index 66311d85..4c2cb366 100644 --- a/skills/detecting-process-hollowing-technique/SKILL.md +++ b/skills/detecting-process-hollowing-technique/SKILL.md @@ -1,7 +1,7 @@ --- name: detecting-process-hollowing-technique -description: Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child - process anomalies in EDR telemetry. +description: Detect process hollowing (T1055.012) by analyzing memory-mapped sections, + hollowed process indicators, and parent-child process anomalies in EDR telemetry. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1055 --- # Detecting Process Hollowing Technique diff --git a/skills/detecting-process-injection-techniques/SKILL.md b/skills/detecting-process-injection-techniques/SKILL.md index 7f3a4a83..3f8dee60 100644 --- a/skills/detecting-process-injection-techniques/SKILL.md +++ b/skills/detecting-process-injection-techniques/SKILL.md 
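Review bot: detecting-privilege-escalation-in-kubernetes-pods is one of the better-mapped hunks (T1611 Escape to Host, T1609, T1610, T1068), but T1525 (Implant Internal Image) is an image-registry persistence technique that a Falco/OPA security-context monitor does not observe; drop it unless the body covers registry tampering.

Review bot: detecting-process-hollowing-technique cites T1055.012 by ID in its own description, but the frontmatter adds only the parent T1055 plus the unrelated Discovery block. Use T1055.012 so the two agree, and drop T1046/T1057/T1082/T1083; the parent-child anomaly analysis the description mentions is still T1055.012, not T1057.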
@@ -1,9 +1,10 @@ --- name: detecting-process-injection-techniques -description: 'Detects and analyzes process injection techniques used by malware including classic DLL injection, process hollowing, - APC injection, thread hijacking, and reflective loading. Uses memory forensics, API monitoring, and behavioral analysis - to identify injection artifacts. Activates for requests involving process injection detection, code injection analysis, - hollowed process investigation, or in-memory threat detection. +description: 'Detects and analyzes process injection techniques used by malware including + classic DLL injection, process hollowing, APC injection, thread hijacking, and reflective + loading. Uses memory forensics, API monitoring, and behavioral analysis to identify + injection artifacts. Activates for requests involving process injection detection, + code injection analysis, hollowed process investigation, or in-memory threat detection. ' domain: cybersecurity @@ -28,6 +29,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1055 +- T1140 +- T1497 +- T1070 --- # Detecting Process Injection Techniques diff --git a/skills/detecting-qr-code-phishing-with-email-security/SKILL.md b/skills/detecting-qr-code-phishing-with-email-security/SKILL.md index 60cfe926..14a2461c 100644 --- a/skills/detecting-qr-code-phishing-with-email-security/SKILL.md +++ b/skills/detecting-qr-code-phishing-with-email-security/SKILL.md @@ -1,7 +1,7 @@ --- name: detecting-qr-code-phishing-with-email-security -description: Detect and prevent QR code phishing (quishing) attacks that bypass traditional email security by embedding malicious - URLs in QR code images within emails. +description: Detect and prevent QR code phishing (quishing) attacks that bypass traditional + email security by embedding malicious URLs in QR code images within emails. domain: cybersecurity subdomain: phishing-defense tags: 
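Review bot: in detecting-process-injection-techniques, T1497 (Virtualization/Sandbox Evasion) and T1070 (Indicator Removal) appear nowhere in the description, and T1027 and T1140 need justification in the body. The description names classic DLL injection, process hollowing, APC injection, thread hijacking and reflective loading, which are T1055.001, T1055.012, T1055.004, T1055.003 and T1620 (Reflective Code Loading). List those, keeping the parent T1055 if the catalog tooling expects it.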
@@ -27,6 +27,12 @@ nist_csf: - DE.CM-09 - RS.CO-02 - DE.AE-02 +mitre_attack: +- T1566 +- T1598 +- T1534 +- T1036 +- T1027 --- # Detecting QR Code Phishing with Email Security diff --git a/skills/detecting-ransomware-encryption-behavior/SKILL.md b/skills/detecting-ransomware-encryption-behavior/SKILL.md index a1247bc6..3825a882 100644 --- a/skills/detecting-ransomware-encryption-behavior/SKILL.md +++ b/skills/detecting-ransomware-encryption-behavior/SKILL.md @@ -1,9 +1,11 @@ --- name: detecting-ransomware-encryption-behavior -description: 'Detects ransomware encryption activity in real time using entropy analysis, file system I/O monitoring, and - behavioral heuristics. Identifies mass file modification patterns, abnormal entropy spikes in written data, and suspicious - process behavior characteristic of ransomware encryption routines. Activates for requests involving ransomware behavioral - detection, entropy-based file monitoring, I/O anomaly detection, or real-time encryption activity alerting. +description: 'Detects ransomware encryption activity in real time using entropy analysis, + file system I/O monitoring, and behavioral heuristics. Identifies mass file modification + patterns, abnormal entropy spikes in written data, and suspicious process behavior + characteristic of ransomware encryption routines. Activates for requests involving + ransomware behavioral detection, entropy-based file monitoring, I/O anomaly detection, + or real-time encryption activity alerting. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - RS.MA-01 - RC.RP-01 - PR.IR-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1486 +- T1490 --- # Detecting Ransomware Encryption Behavior diff --git a/skills/detecting-ransomware-precursors-in-network/SKILL.md b/skills/detecting-ransomware-precursors-in-network/SKILL.md index b299fe66..d1b23d10 100644 --- a/skills/detecting-ransomware-precursors-in-network/SKILL.md +++ b/skills/detecting-ransomware-precursors-in-network/SKILL.md 
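Review bot: detecting-qr-code-phishing-with-email-security lists T1534 (Internal Spearphishing), which the description does not support, and the parent T1566 where the QR image carries a URL, i.e. T1566.002 (Spearphishing Link) with T1204.001 (User Execution: Malicious Link) on the victim side. T1036 and T1027 are defensible for the image-as-obfuscation angle. Replace T1534 and T1566 with T1566.002 and T1204.001.

Review bot: detecting-ransomware-encryption-behavior has T1486 (Data Encrypted for Impact) as its core, which is right, but T1078/T1190/T1059 are the recurring Enterprise triple with no support in an entropy and file-I/O monitoring description, and T1490 (Inhibit System Recovery) is warranted only if the body covers shadow-copy or backup deletion. Drop the triple.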
@@ -1,10 +1,13 @@ --- name: detecting-ransomware-precursors-in-network -description: 'Detects early-stage ransomware indicators in network traffic before encryption begins, including initial access - broker activity, command-and-control beaconing, credential harvesting, reconnaissance scanning, and staging behavior. Uses - network detection tools (Zeek, Suricata, Arkime), SIEM correlation rules, and threat intelligence feeds to identify ransomware - precursor patterns such as Cobalt Strike beacons, Mimikatz network signatures, and RDP brute-force attempts. Activates for - requests involving pre-ransomware detection, network-based ransomware indicators, or early warning ransomware monitoring. +description: 'Detects early-stage ransomware indicators in network traffic before + encryption begins, including initial access broker activity, command-and-control + beaconing, credential harvesting, reconnaissance scanning, and staging behavior. + Uses network detection tools (Zeek, Suricata, Arkime), SIEM correlation rules, and + threat intelligence feeds to identify ransomware precursor patterns such as Cobalt + Strike beacons, Mimikatz network signatures, and RDP brute-force attempts. Activates + for requests involving pre-ransomware detection, network-based ransomware indicators, + or early warning ransomware monitoring. ' domain: cybersecurity @@ -23,6 +26,12 @@ nist_csf: - RS.MA-01 - RC.RP-01 - PR.IR-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1003 +- T1110 --- # Detecting Ransomware Precursors in Network Traffic diff --git a/skills/detecting-rdp-brute-force-attacks/SKILL.md b/skills/detecting-rdp-brute-force-attacks/SKILL.md index 9388d27b..12922442 100644 --- a/skills/detecting-rdp-brute-force-attacks/SKILL.md +++ b/skills/detecting-rdp-brute-force-attacks/SKILL.md 
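Review bot: detecting-ransomware-precursors-in-network lists T1078/T1190/T1059/T1003/T1110, but the precursors its description actually names are C2 beaconing (T1071, Cobalt Strike), reconnaissance scanning (T1046), RDP brute force (T1110.001 and T1021.001), credential harvesting (T1003) and staging (T1074). T1071, T1046 and T1074 are missing, T1059 is unsupported, and T1110 should be the T1110.001 sub-technique.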
@@ -1,7 +1,8 @@ --- name: detecting-rdp-brute-force-attacks -description: Detect RDP brute force attacks by analyzing Windows Security Event Logs for failed authentication patterns (Event - ID 4625), successful logons after failures (Event ID 4624), NLA failures, and source IP frequency analysis. +description: Detect RDP brute force attacks by analyzing Windows Security Event Logs + for failed authentication patterns (Event ID 4625), successful logons after failures + (Event ID 4624), NLA failures, and source IP frequency analysis. domain: cybersecurity subdomain: threat-detection tags: @@ -19,6 +20,11 @@ nist_csf: - DE.AE-02 - DE.AE-06 - ID.RA-05 +mitre_attack: +- T1021.001 +- T1110.001 +- T1110.003 +- T1078 --- # Detecting RDP Brute Force Attacks diff --git a/skills/detecting-rootkit-activity/SKILL.md b/skills/detecting-rootkit-activity/SKILL.md index ebefb8fa..b31fc16f 100644 --- a/skills/detecting-rootkit-activity/SKILL.md +++ b/skills/detecting-rootkit-activity/SKILL.md @@ -1,9 +1,10 @@ --- name: detecting-rootkit-activity -description: 'Detects rootkit presence on compromised systems by identifying hidden processes, hooked system calls, modified - kernel structures, hidden files, and covert network connections using memory forensics, cross-view detection, and integrity - checking techniques. Activates for requests involving rootkit detection, hidden process discovery, kernel integrity checking, - or system call hook analysis. +description: 'Detects rootkit presence on compromised systems by identifying hidden + processes, hooked system calls, modified kernel structures, hidden files, and covert + network connections using memory forensics, cross-view detection, and integrity + checking techniques. Activates for requests involving rootkit detection, hidden + process discovery, kernel integrity checking, or system call hook analysis. ' domain: cybersecurity 
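Review bot: detecting-rdp-brute-force-attacks is mapped correctly and specifically (T1021.001, T1110.001, T1110.003, T1078) and should be the model for the Windows detection skills in this patch that instead carry the T1046/T1057/T1082/T1083 block.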
@@ -22,6 +23,11 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1014 +- T1547.006 +- T1564.001 +- T1574.006 --- # Detecting Rootkit Activity diff --git a/skills/detecting-s3-data-exfiltration-attempts/SKILL.md b/skills/detecting-s3-data-exfiltration-attempts/SKILL.md index 6f9e3fdb..7871d9a5 100644 --- a/skills/detecting-s3-data-exfiltration-attempts/SKILL.md +++ b/skills/detecting-s3-data-exfiltration-attempts/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-s3-data-exfiltration-attempts -description: 'Detecting data exfiltration attempts from AWS S3 buckets by analyzing CloudTrail S3 data events, VPC Flow Logs, - GuardDuty findings, Amazon Macie alerts, and S3 access patterns to identify unauthorized bulk downloads and cross-account +description: 'Detecting data exfiltration attempts from AWS S3 buckets by analyzing + CloudTrail S3 data events, VPC Flow Logs, GuardDuty findings, Amazon Macie alerts, + and S3 access patterns to identify unauthorized bulk downloads and cross-account data transfers. ' @@ -23,6 +24,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1530 +- T1567.002 +- T1537 +- T1119 --- # Detecting S3 Data Exfiltration Attempts diff --git a/skills/detecting-serverless-function-injection/SKILL.md b/skills/detecting-serverless-function-injection/SKILL.md index 3439e68f..f37522e6 100644 --- a/skills/detecting-serverless-function-injection/SKILL.md +++ b/skills/detecting-serverless-function-injection/SKILL.md 
@@ -1,12 +1,14 @@ --- name: detecting-serverless-function-injection -description: 'Detects and prevents code injection attacks targeting serverless functions (AWS Lambda, Azure Functions, Google - Cloud Functions) through event source poisoning, malicious layer injection, runtime command execution, and IAM privilege - escalation via function modification. The analyst combines static analysis of function code, CloudTrail event correlation, - runtime behavior monitoring, and IAM policy auditing to identify injection vectors across the expanded serverless attack - surface including API Gateway, S3, SQS, DynamoDB Streams, and CloudWatch event triggers. Activates for requests involving - Lambda security assessment, serverless injection detection, function event poisoning analysis, or serverless privilege escalation - investigation. +description: 'Detects and prevents code injection attacks targeting serverless functions + (AWS Lambda, Azure Functions, Google Cloud Functions) through event source poisoning, + malicious layer injection, runtime command execution, and IAM privilege escalation + via function modification. The analyst combines static analysis of function code, + CloudTrail event correlation, runtime behavior monitoring, and IAM policy auditing + to identify injection vectors across the expanded serverless attack surface including + API Gateway, S3, SQS, DynamoDB Streams, and CloudWatch event triggers. Activates + for requests involving Lambda security assessment, serverless injection detection, + function event poisoning analysis, or serverless privilege escalation investigation. ' domain: cybersecurity @@ -26,6 +28,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1190 +- T1059 +- T1648 +- T1078.004 +- T1068 --- # Detecting Serverless Function Injection diff --git a/skills/detecting-service-account-abuse/SKILL.md b/skills/detecting-service-account-abuse/SKILL.md index 5be7a213..6b7b7af4 100644 
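Review bot: detecting-serverless-function-injection is well targeted with T1648 (Serverless Execution), T1190 and T1059, but the "IAM privilege escalation via function modification" in the description is T1098 (Account Manipulation) or abuse of T1078.004 rather than T1068 (Exploitation for Privilege Escalation), which denotes exploiting a software vulnerability. The "malicious layer injection" it also names is closer to T1195.001 (Compromise Software Dependencies and Development Tools).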
--- a/skills/detecting-service-account-abuse/SKILL.md +++ b/skills/detecting-service-account-abuse/SKILL.md @@ -1,7 +1,7 @@ --- name: detecting-service-account-abuse -description: Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement, - and unauthorized access patterns. +description: Detect abuse of service accounts through anomalous interactive logons, + privilege escalation, lateral movement, and unauthorized access patterns. domain: cybersecurity subdomain: threat-hunting tags: @@ -25,6 +25,11 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1078.002 +- T1021.001 +- T1098.001 +- T1550.002 --- # Detecting Service Account Abuse diff --git a/skills/detecting-shadow-api-endpoints/SKILL.md b/skills/detecting-shadow-api-endpoints/SKILL.md index ec26cede..986111da 100644 --- a/skills/detecting-shadow-api-endpoints/SKILL.md +++ b/skills/detecting-shadow-api-endpoints/SKILL.md @@ -1,7 +1,7 @@ --- name: detecting-shadow-api-endpoints -description: Discover and inventory shadow API endpoints that operate outside documented specifications using traffic analysis, - code scanning, and API discovery platforms. +description: Discover and inventory shadow API endpoints that operate outside documented + specifications using traffic analysis, code scanning, and API discovery platforms. domain: cybersecurity subdomain: api-security tags: @@ -21,6 +21,11 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1133 +- T1526 +- T1213 --- # Detecting Shadow API Endpoints diff --git a/skills/detecting-shadow-it-cloud-usage/SKILL.md b/skills/detecting-shadow-it-cloud-usage/SKILL.md index cbef89af..7560a5a9 100644 --- a/skills/detecting-shadow-it-cloud-usage/SKILL.md +++ b/skills/detecting-shadow-it-cloud-usage/SKILL.md 
@@ -1,7 +1,8 @@ --- name: detecting-shadow-it-cloud-usage -description: Detect unauthorized SaaS and cloud service usage (shadow IT) by analyzing proxy logs, DNS query logs, and netflow - data using Python pandas for traffic pattern analysis and domain classification. +description: Detect unauthorized SaaS and cloud service usage (shadow IT) by analyzing + proxy logs, DNS query logs, and netflow data using Python pandas for traffic pattern + analysis and domain classification. domain: cybersecurity subdomain: cloud-security tags: @@ -20,6 +21,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1567.002 +- T1526 +- T1078.004 +- T1213 --- # Detecting Shadow IT Cloud Usage diff --git a/skills/detecting-spearphishing-with-email-gateway/SKILL.md b/skills/detecting-spearphishing-with-email-gateway/SKILL.md index 5fcafd1b..0d13f28b 100644 --- a/skills/detecting-spearphishing-with-email-gateway/SKILL.md +++ b/skills/detecting-spearphishing-with-email-gateway/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-spearphishing-with-email-gateway -description: Spearphishing targets specific individuals using personalized, researched content that bypasses generic spam - filters. Email security gateways (SEGs) like Microsoft Defender for Office 365, Proofpoint, +description: Spearphishing targets specific individuals using personalized, researched + content that bypasses generic spam filters. Email security gateways (SEGs) like + Microsoft Defender for Office 365, Proofpoint, domain: cybersecurity subdomain: phishing-defense tags: @@ -20,6 +21,11 @@ nist_csf: - DE.CM-09 - RS.CO-02 - DE.AE-02 +mitre_attack: +- T1566.001 +- T1566.002 +- T1204.001 +- T1204.002 --- # Detecting Spearphishing with Email Gateway diff --git a/skills/detecting-sql-injection-via-waf-logs/SKILL.md b/skills/detecting-sql-injection-via-waf-logs/SKILL.md index 8effd305..627aa9d9 100644 --- a/skills/detecting-sql-injection-via-waf-logs/SKILL.md +++ b/skills/detecting-sql-injection-via-waf-logs/SKILL.md 
@@ -1,15 +1,19 @@ --- name: detecting-sql-injection-via-waf-logs -description: Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection attack campaigns. Parses ModSecurity - audit logs and JSON WAF event logs to identify SQLi patterns (UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()), tracks attack - sources, correlates multi-stage injection attempts, and generates incident reports with OWASP classification. +description: Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection + attack campaigns. Parses ModSecurity audit logs and JSON WAF event logs to identify + SQLi patterns (UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()), tracks attack sources, + correlates multi-stage injection attempts, and generates incident reports with OWASP + classification. domain: cybersecurity subdomain: security-operations tags: -- detecting -- sql -- injection -- via +- waf-log-analysis +- sql-injection-detection +- modsecurity +- aws-waf +- cloudflare-waf +- web-application-security version: '1.0' author: mahipal license: Apache-2.0 @@ -18,6 +22,10 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1190 +- T1505.003 +- T1059.007 --- diff --git a/skills/detecting-stuxnet-style-attacks/SKILL.md b/skills/detecting-stuxnet-style-attacks/SKILL.md index e5164c5f..127f8b90 100644 --- a/skills/detecting-stuxnet-style-attacks/SKILL.md +++ b/skills/detecting-stuxnet-style-attacks/SKILL.md 
@@ -1,9 +1,11 @@ --- name: detecting-stuxnet-style-attacks -description: 'This skill covers detecting sophisticated cyber-physical attacks that follow the Stuxnet attack pattern of modifying - PLC logic while spoofing sensor readings to hide the manipulation from operators. It addresses PLC logic integrity monitoring, - physics-based process anomaly detection, engineering workstation compromise indicators, USB-borne attack vectors, and multi-stage - attack chain detection spanning IT-to-OT lateral movement through to process manipulation. +description: 'This skill covers detecting sophisticated cyber-physical attacks that + follow the Stuxnet attack pattern of modifying PLC logic while spoofing sensor readings + to hide the manipulation from operators. It addresses PLC logic integrity monitoring, + physics-based process anomaly detection, engineering workstation compromise indicators, + USB-borne attack vectors, and multi-stage attack chain detection spanning IT-to-OT + lateral movement through to process manipulation. ' domain: cybersecurity @@ -25,6 +27,11 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T0853 +- T0831 +- T0809 +- T0807 --- # Detecting Stuxnet-Style Attacks diff --git a/skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md b/skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md index cc57632e..b0ac8eb0 100644 --- a/skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md +++ b/skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md 
@@ -1,17 +1,20 @@ --- name: detecting-supply-chain-attacks-in-ci-cd -description: 'Scans GitHub Actions workflows and CI/CD pipeline configurations for supply chain attack vectors including unpinned - actions, script injection via expressions, dependency confusion, and secrets exposure. Uses PyGithub and YAML parsing for - automated audit. Use when hardening CI/CD pipelines or investigating compromised build systems. +description: 'Scans GitHub Actions workflows and CI/CD pipeline configurations for + supply chain attack vectors including unpinned actions, script injection via expressions, + dependency confusion, and secrets exposure. Uses PyGithub and YAML parsing for automated + audit. Use when hardening CI/CD pipelines or investigating compromised build systems. ' domain: cybersecurity subdomain: security-operations tags: -- detecting -- supply -- chain -- attacks +- supply-chain-security +- ci-cd-security +- github-actions +- pipeline-security +- dependency-pinning +- devsecops version: '1.0' author: mahipal license: Apache-2.0 @@ -27,6 +30,11 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1195.002 +- T1195.001 +- T1199 +- T1554 --- # Detecting Supply Chain Attacks in CI/CD diff --git a/skills/detecting-suspicious-oauth-application-consent/SKILL.md b/skills/detecting-suspicious-oauth-application-consent/SKILL.md index d31561fe..b8b3a128 100644 --- a/skills/detecting-suspicious-oauth-application-consent/SKILL.md +++ b/skills/detecting-suspicious-oauth-application-consent/SKILL.md 
@@ -1,7 +1,8 @@ --- name: detecting-suspicious-oauth-application-consent -description: Detect risky OAuth application consent grants in Azure AD / Microsoft Entra ID using Microsoft Graph API, audit - logs, and permission analysis to identify illicit consent grant attacks. +description: Detect risky OAuth application consent grants in Azure AD / Microsoft + Entra ID using Microsoft Graph API, audit logs, and permission analysis to identify + illicit consent grant attacks. domain: cybersecurity subdomain: cloud-security tags: @@ -20,6 +21,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1528 +- T1550.001 +- T1098.001 +- T1566.002 --- # Detecting Suspicious OAuth Application Consent diff --git a/skills/detecting-suspicious-powershell-execution/SKILL.md b/skills/detecting-suspicious-powershell-execution/SKILL.md index 4051c1a7..809e747a 100644 --- a/skills/detecting-suspicious-powershell-execution/SKILL.md +++ b/skills/detecting-suspicious-powershell-execution/SKILL.md @@ -1,7 +1,7 @@ --- name: detecting-suspicious-powershell-execution -description: Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, - and constrained language mode evasion. +description: Detect suspicious PowerShell execution patterns including encoded commands, + download cradles, AMSI bypass attempts, and constrained language mode evasion. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +26,11 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1059.001 +- T1027.010 +- T1620 +- T1105 --- # Detecting Suspicious Powershell Execution diff --git a/skills/detecting-t1003-credential-dumping-with-edr/SKILL.md b/skills/detecting-t1003-credential-dumping-with-edr/SKILL.md index 8a67f86a..45727df0 100644 --- a/skills/detecting-t1003-credential-dumping-with-edr/SKILL.md +++ b/skills/detecting-t1003-credential-dumping-with-edr/SKILL.md 
@@ -1,7 +1,8 @@ --- name: detecting-t1003-credential-dumping-with-edr -description: Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials - using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation. +description: Detect OS credential dumping techniques targeting LSASS memory, SAM database, + NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, + and Windows security event correlation. domain: cybersecurity subdomain: threat-hunting tags: @@ -27,6 +28,11 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1003.001 +- T1003.002 +- T1003.003 +- T1003.006 --- # Detecting T1003 Credential Dumping with EDR diff --git a/skills/detecting-t1055-process-injection-with-sysmon/SKILL.md b/skills/detecting-t1055-process-injection-with-sysmon/SKILL.md index 8e4ca740..b9c2e909 100644 --- a/skills/detecting-t1055-process-injection-with-sysmon/SKILL.md +++ b/skills/detecting-t1055-process-injection-with-sysmon/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-t1055-process-injection-with-sysmon -description: Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection - by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns. +description: Detect process injection techniques (T1055) including classic DLL injection, + process hollowing, and APC injection by analyzing Sysmon events for cross-process + memory operations, remote thread creation, and anomalous DLL loading patterns. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +27,11 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1055.001 +- T1055.002 +- T1055.003 +- T1055.012 --- # Detecting T1055 Process Injection with Sysmon 
diff --git a/skills/detecting-t1548-abuse-elevation-control-mechanism/SKILL.md b/skills/detecting-t1548-abuse-elevation-control-mechanism/SKILL.md index 69003258..f15e246d 100644 --- a/skills/detecting-t1548-abuse-elevation-control-mechanism/SKILL.md +++ b/skills/detecting-t1548-abuse-elevation-control-mechanism/SKILL.md @@ -1,7 +1,8 @@ --- name: detecting-t1548-abuse-elevation-control-mechanism -description: Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation - by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships. +description: Detect abuse of elevation control mechanisms including UAC bypass, sudo + exploitation, and setuid/setgid manipulation by monitoring registry modifications, + process elevation flags, and unusual parent-child process relationships. domain: cybersecurity subdomain: threat-hunting tags: @@ -25,6 +26,11 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1548.002 +- T1548.001 +- T1548.003 +- T1548.004 --- # Detecting T1548 Abuse Elevation Control Mechanism diff --git a/skills/detecting-typosquatting-packages-in-npm-pypi/SKILL.md b/skills/detecting-typosquatting-packages-in-npm-pypi/SKILL.md index ef544105..569b7d6f 100644 --- a/skills/detecting-typosquatting-packages-in-npm-pypi/SKILL.md +++ b/skills/detecting-typosquatting-packages-in-npm-pypi/SKILL.md 
@@ -1,11 +1,14 @@ --- name: detecting-typosquatting-packages-in-npm-pypi -description: 'Detects typosquatting attacks in npm and PyPI package registries by analyzing package name similarity using - Levenshtein distance and other string metrics, examining publish date heuristics to identify recently created packages mimicking - established ones, and flagging download count anomalies where suspicious packages have disproportionately low usage compared - to their legitimate targets. The analyst queries the PyPI JSON API and npm registry API to gather package metadata for automated - comparison. Activates for requests involving package typosquatting detection, dependency confusion analysis, malicious package - identification, or software supply chain threat hunting in package registries. +description: 'Detects typosquatting attacks in npm and PyPI package registries by + analyzing package name similarity using Levenshtein distance and other string metrics, + examining publish date heuristics to identify recently created packages mimicking + established ones, and flagging download count anomalies where suspicious packages + have disproportionately low usage compared to their legitimate targets. The analyst + queries the PyPI JSON API and npm registry API to gather package metadata for automated + comparison. Activates for requests involving package typosquatting detection, dependency + confusion analysis, malicious package identification, or software supply chain threat + hunting in package registries. ' domain: cybersecurity @@ -27,6 +30,11 @@ nist_csf: - GV.SC-03 - GV.SC-06 - GV.SC-07 +mitre_attack: +- T1195.001 +- T1195.002 +- T1608.001 +- T1554 --- # Detecting Typosquatting Packages in npm and PyPI diff --git a/skills/detecting-wmi-persistence/SKILL.md b/skills/detecting-wmi-persistence/SKILL.md index 206745e6..1ce586e1 100644 --- a/skills/detecting-wmi-persistence/SKILL.md +++ b/skills/detecting-wmi-persistence/SKILL.md 
@@ -1,7 +1,8 @@ --- name: detecting-wmi-persistence -description: Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, - EventConsumer, and FilterToConsumerBinding creation. +description: Detect WMI event subscription persistence by analyzing Sysmon Event IDs + 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding + creation. domain: cybersecurity subdomain: threat-hunting tags: @@ -27,6 +28,10 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1546.003 +- T1047 +- T1059.001 --- # Detecting WMI Persistence diff --git a/skills/eradicating-malware-from-infected-systems/SKILL.md b/skills/eradicating-malware-from-infected-systems/SKILL.md index 69dd461d..9d7ed4b7 100644 --- a/skills/eradicating-malware-from-infected-systems/SKILL.md +++ b/skills/eradicating-malware-from-infected-systems/SKILL.md @@ -1,7 +1,7 @@ --- name: eradicating-malware-from-infected-systems -description: Systematically remove malware, backdoors, and attacker persistence mechanisms from infected systems while ensuring - complete eradication and preventing re-infection. +description: Systematically remove malware, backdoors, and attacker persistence mechanisms + from infected systems while ensuring complete eradication and preventing re-infection. domain: cybersecurity subdomain: incident-response tags: @@ -11,10 +11,11 @@ tags: - persistence - dfir mitre_attack: +- T1486 +- T1490 +- T1070 +- T1078 - T1547 -- T1053 -- T1543 -- T1574 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/evaluating-threat-intelligence-platforms/SKILL.md b/skills/evaluating-threat-intelligence-platforms/SKILL.md index 0124d599..9b7aff0c 100644 --- a/skills/evaluating-threat-intelligence-platforms/SKILL.md +++ b/skills/evaluating-threat-intelligence-platforms/SKILL.md 
@@ -1,9 +1,12 @@ --- name: evaluating-threat-intelligence-platforms -description: 'Evaluates and selects Threat Intelligence Platform (TIP) products based on organizational requirements including - feed integration capability, STIX/TAXII support, workflow automation, analyst interface, and total cost of ownership. Use - when conducting a TIP procurement, migrating between TIP solutions, or assessing whether the current TIP meets program maturity - requirements. Activates for requests involving ThreatConnect, MISP, OpenCTI, Anomali, EclecticIQ, or TIP procurement decisions. +description: 'Evaluates and selects Threat Intelligence Platform (TIP) products based + on organizational requirements including feed integration capability, STIX/TAXII + support, workflow automation, analyst interface, and total cost of ownership. Use + when conducting a TIP procurement, migrating between TIP solutions, or assessing + whether the current TIP meets program maturity requirements. Activates for requests + involving ThreatConnect, MISP, OpenCTI, Anomali, EclecticIQ, or TIP procurement + decisions. ' domain: cybersecurity @@ -26,6 +29,11 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 --- # Evaluating Threat Intelligence Platforms diff --git a/skills/executing-active-directory-attack-simulation/SKILL.md b/skills/executing-active-directory-attack-simulation/SKILL.md index 0fe535af..4bc4a6f4 100644 --- a/skills/executing-active-directory-attack-simulation/SKILL.md +++ b/skills/executing-active-directory-attack-simulation/SKILL.md 
@@ -1,10 +1,12 @@ --- name: executing-active-directory-attack-simulation -description: 'Executes authorized attack simulations against Active Directory environments to identify misconfigurations, - weak credentials, dangerous privilege paths, and exploitable trust relationships that could lead to domain compromise. The - tester uses BloodHound for attack path analysis, Mimikatz for credential extraction, and Impacket for protocol-level attacks - including Kerberoasting, AS-REP Roasting, and delegation abuse. Activates for requests involving Active Directory pentest, - AD attack simulation, domain compromise testing, or Kerberos attack assessment. +description: 'Executes authorized attack simulations against Active Directory environments + to identify misconfigurations, weak credentials, dangerous privilege paths, and + exploitable trust relationships that could lead to domain compromise. The tester + uses BloodHound for attack path analysis, Mimikatz for credential extraction, and + Impacket for protocol-level attacks including Kerberoasting, AS-REP Roasting, and + delegation abuse. Activates for requests involving Active Directory pentest, AD + attack simulation, domain compromise testing, or Kerberos attack assessment. ' domain: cybersecurity @@ -29,6 +31,12 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1003 --- # Executing Active Directory Attack Simulation diff --git a/skills/executing-phishing-simulation-campaign/SKILL.md b/skills/executing-phishing-simulation-campaign/SKILL.md index 4f7b33b4..315372aa 100644 --- a/skills/executing-phishing-simulation-campaign/SKILL.md +++ b/skills/executing-phishing-simulation-campaign/SKILL.md 
@@ -1,10 +1,12 @@ --- name: executing-phishing-simulation-campaign -description: 'Executes authorized phishing simulation campaigns to assess an organization''s susceptibility to email-based - social engineering attacks. The tester designs realistic phishing scenarios, builds credential harvesting infrastructure, - sends targeted phishing emails, and tracks open rates, click-through rates, and credential submission rates to measure human - security awareness. Activates for requests involving phishing simulation, social engineering assessment, email security - testing, or security awareness measurement. +description: 'Executes authorized phishing simulation campaigns to assess an organization''s + susceptibility to email-based social engineering attacks. The tester designs realistic + phishing scenarios, builds credential harvesting infrastructure, sends targeted + phishing emails, and tracks open rates, click-through rates, and credential submission + rates to measure human security awareness. Activates for requests involving phishing + simulation, social engineering assessment, email security testing, or security awareness + measurement. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1003 --- # Executing Phishing Simulation Campaign diff --git a/skills/executing-red-team-engagement-planning/SKILL.md b/skills/executing-red-team-engagement-planning/SKILL.md index 6e9af11f..8719daf1 100644 --- a/skills/executing-red-team-engagement-planning/SKILL.md +++ b/skills/executing-red-team-engagement-planning/SKILL.md 
@@ -1,7 +1,8 @@ --- name: executing-red-team-engagement-planning -description: Red team engagement planning is the foundational phase that defines scope, objectives, rules of engagement (ROE), - threat model selection, and operational timelines before any offensive testing begins. +description: Red team engagement planning is the foundational phase that defines scope, + objectives, rules of engagement (ROE), threat model selection, and operational timelines + before any offensive testing begins. domain: cybersecurity subdomain: red-teaming tags: @@ -19,6 +20,11 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 --- # Executing Red Team Engagement Planning diff --git a/skills/executing-red-team-exercise/SKILL.md b/skills/executing-red-team-exercise/SKILL.md index 653eb2dc..f9852310 100644 --- a/skills/executing-red-team-exercise/SKILL.md +++ b/skills/executing-red-team-exercise/SKILL.md 
@@ -1,11 +1,13 @@ --- name: executing-red-team-exercise -description: 'Executes comprehensive red team exercises that simulate real-world adversary operations against an organization''s - people, processes, and technology. The red team operates with stealth as a primary objective, employing the full attack - lifecycle from initial reconnaissance through objective completion while testing the organization''s detection and response - capabilities. This differs from penetration testing by focusing on adversary emulation rather than vulnerability identification. - Activates for requests involving red team exercise, adversary simulation, adversary emulation, or full-scope offensive security - assessment. +description: 'Executes comprehensive red team exercises that simulate real-world adversary + operations against an organization''s people, processes, and technology. The red + team operates with stealth as a primary objective, employing the full attack lifecycle + from initial reconnaissance through objective completion while testing the organization''s + detection and response capabilities. This differs from penetration testing by focusing + on adversary emulation rather than vulnerability identification. Activates for requests + involving red team exercise, adversary simulation, adversary emulation, or full-scope + offensive security assessment. ' domain: cybersecurity @@ -30,6 +32,12 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1592 --- # Executing Red Team Exercise diff --git a/skills/exploiting-active-directory-certificate-services-esc1/SKILL.md b/skills/exploiting-active-directory-certificate-services-esc1/SKILL.md index b3590920..ac96f4f8 100644 --- a/skills/exploiting-active-directory-certificate-services-esc1/SKILL.md +++ b/skills/exploiting-active-directory-certificate-services-esc1/SKILL.md 
@@ -1,7 +1,8 @@ --- name: exploiting-active-directory-certificate-services-esc1 -description: Exploit misconfigured Active Directory Certificate Services (AD CS) ESC1 vulnerability to request certificates - as high-privileged users and escalate domain privileges during authorized red team assessments. +description: Exploit misconfigured Active Directory Certificate Services (AD CS) ESC1 + vulnerability to request certificates as high-privileged users and escalate domain + privileges during authorized red team assessments. domain: cybersecurity subdomain: red-teaming tags: @@ -25,6 +26,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1068 --- # Exploiting Active Directory Certificate Services ESC1 diff --git a/skills/exploiting-active-directory-with-bloodhound/SKILL.md b/skills/exploiting-active-directory-with-bloodhound/SKILL.md index 1c69282d..c8a71be2 100644 --- a/skills/exploiting-active-directory-with-bloodhound/SKILL.md +++ b/skills/exploiting-active-directory-with-bloodhound/SKILL.md @@ -1,7 +1,8 @@ --- name: exploiting-active-directory-with-bloodhound -description: BloodHound is a graph-based Active Directory reconnaissance tool that uses graph theory to reveal hidden and - unintended relationships within AD environments. Red teams use BloodHound to identify attac +description: BloodHound is a graph-based Active Directory reconnaissance tool that + uses graph theory to reveal hidden and unintended relationships within AD environments. + Red teams use BloodHound to identify attac domain: cybersecurity subdomain: red-teaming tags: @@ -25,6 +26,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1592 --- # Exploiting Active Directory with BloodHound diff --git a/skills/exploiting-api-injection-vulnerabilities/SKILL.md b/skills/exploiting-api-injection-vulnerabilities/SKILL.md index cf5a5bbd..5feb5473 100644 
--- a/skills/exploiting-api-injection-vulnerabilities/SKILL.md +++ b/skills/exploiting-api-injection-vulnerabilities/SKILL.md @@ -1,10 +1,12 @@ --- name: exploiting-api-injection-vulnerabilities -description: 'Tests APIs for injection vulnerabilities including SQL injection, NoSQL injection, OS command injection, LDAP - injection, and Server-Side Request Forgery (SSRF) through API parameters, headers, and request bodies. The tester crafts - malicious payloads targeting different backend technologies and injection contexts to extract data, execute commands, or - access internal services. Maps to OWASP API8:2023 Security Misconfiguration and API7:2023 SSRF. Activates for requests involving - API injection testing, SQLi in APIs, NoSQL injection, SSRF testing, or API input validation assessment. +description: 'Tests APIs for injection vulnerabilities including SQL injection, NoSQL + injection, OS command injection, LDAP injection, and Server-Side Request Forgery + (SSRF) through API parameters, headers, and request bodies. The tester crafts malicious + payloads targeting different backend technologies and injection contexts to extract + data, execute commands, or access internal services. Maps to OWASP API8:2023 Security + Misconfiguration and API7:2023 SSRF. Activates for requests involving API injection + testing, SQLi in APIs, NoSQL injection, SSRF testing, or API input validation assessment. ' domain: cybersecurity @@ -25,6 +27,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1055 +- T1059 --- # Exploiting API Injection Vulnerabilities diff --git a/skills/exploiting-bgp-hijacking-vulnerabilities/SKILL.md b/skills/exploiting-bgp-hijacking-vulnerabilities/SKILL.md index bbd7fe8c..98013c58 100644 --- a/skills/exploiting-bgp-hijacking-vulnerabilities/SKILL.md +++ b/skills/exploiting-bgp-hijacking-vulnerabilities/SKILL.md 
@@ -1,7 +1,8 @@ --- name: exploiting-bgp-hijacking-vulnerabilities -description: 'Analyzes and simulates BGP hijacking scenarios in authorized lab environments to assess route origin validation, - RPKI deployment, and BGP monitoring defenses against prefix hijacking and route leak attacks on internet routing infrastructure. +description: 'Analyzes and simulates BGP hijacking scenarios in authorized lab environments + to assess route origin validation, RPKI deployment, and BGP monitoring defenses + against prefix hijacking and route leak attacks on internet routing infrastructure. ' domain: cybersecurity @@ -20,6 +21,11 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 --- # Exploiting BGP Hijacking Vulnerabilities diff --git a/skills/exploiting-broken-function-level-authorization/SKILL.md b/skills/exploiting-broken-function-level-authorization/SKILL.md index d97c5a0c..946dbcb7 100644 --- a/skills/exploiting-broken-function-level-authorization/SKILL.md +++ b/skills/exploiting-broken-function-level-authorization/SKILL.md 
@@ -1,9 +1,11 @@ --- name: exploiting-broken-function-level-authorization -description: 'Tests APIs for Broken Function Level Authorization (BFLA) vulnerabilities where regular users can invoke administrative - functions or access privileged API endpoints by directly calling them. The tester identifies admin and privileged endpoints, - then attempts to access them with regular user credentials by manipulating HTTP methods, URL paths, and request parameters. - Maps to OWASP API5:2023 Broken Function Level Authorization. Activates for requests involving BFLA testing, admin endpoint +description: 'Tests APIs for Broken Function Level Authorization (BFLA) vulnerabilities + where regular users can invoke administrative functions or access privileged API + endpoints by directly calling them. The tester identifies admin and privileged endpoints, + then attempts to access them with regular user credentials by manipulating HTTP + methods, URL paths, and request parameters. Maps to OWASP API5:2023 Broken Function + Level Authorization. Activates for requests involving BFLA testing, admin endpoint bypass, function-level access control testing, or API privilege escalation. ' @@ -24,6 +26,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1068 +- T1548 --- # Exploiting Broken Function Level Authorization diff --git a/skills/exploiting-broken-link-hijacking/SKILL.md b/skills/exploiting-broken-link-hijacking/SKILL.md index 3000a0ab..683436e7 100644 --- a/skills/exploiting-broken-link-hijacking/SKILL.md +++ b/skills/exploiting-broken-link-hijacking/SKILL.md 
@@ -1,7 +1,8 @@ --- name: exploiting-broken-link-hijacking -description: Discover and exploit broken link hijacking vulnerabilities by identifying references to expired domains, decommissioned - cloud resources, and dead external services that can be claimed by an attacker. +description: Discover and exploit broken link hijacking vulnerabilities by identifying + references to expired domains, decommissioned cloud resources, and dead external + services that can be claimed by an attacker. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1195 --- # Exploiting Broken Link Hijacking diff --git a/skills/exploiting-constrained-delegation-abuse/SKILL.md b/skills/exploiting-constrained-delegation-abuse/SKILL.md index 435c0ed6..ac4dabb8 100644 --- a/skills/exploiting-constrained-delegation-abuse/SKILL.md +++ b/skills/exploiting-constrained-delegation-abuse/SKILL.md @@ -1,7 +1,8 @@ --- name: exploiting-constrained-delegation-abuse -description: Exploit Kerberos Constrained Delegation misconfigurations in Active Directory to impersonate privileged users - via S4U2self and S4U2proxy extensions for lateral movement and privilege escalation. +description: Exploit Kerberos Constrained Delegation misconfigurations in Active Directory + to impersonate privileged users via S4U2self and S4U2proxy extensions for lateral + movement and privilege escalation. domain: cybersecurity subdomain: red-teaming tags: @@ -25,6 +26,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1021 --- # Exploiting Constrained Delegation Abuse diff --git a/skills/exploiting-deeplink-vulnerabilities/SKILL.md b/skills/exploiting-deeplink-vulnerabilities/SKILL.md index e1cd9982..f3eaff17 100644 --- a/skills/exploiting-deeplink-vulnerabilities/SKILL.md +++ b/skills/exploiting-deeplink-vulnerabilities/SKILL.md 
@@ -1,9 +1,11 @@ --- name: exploiting-deeplink-vulnerabilities -description: 'Tests and exploits deep link (URL scheme and App Link) vulnerabilities in Android and iOS mobile applications - to identify unauthorized access, data injection, intent hijacking, and redirect manipulation. Use when assessing mobile - app attack surface through custom URI schemes, Android App Links, iOS Universal Links, or intent-based navigation. Activates - for requests involving deep link security testing, URL scheme exploitation, mobile intent abuse, or link hijacking. +description: 'Tests and exploits deep link (URL scheme and App Link) vulnerabilities + in Android and iOS mobile applications to identify unauthorized access, data injection, + intent hijacking, and redirect manipulation. Use when assessing mobile app attack + surface through custom URI schemes, Android App Links, iOS Universal Links, or intent-based + navigation. Activates for requests involving deep link security testing, URL scheme + exploitation, mobile intent abuse, or link hijacking. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - PR.AA-05 - ID.RA-01 - DE.CM-09 +mitre_attack: +- T1059 +- T1056 +- T1036 +- T1078 +- T1055 --- # Exploiting Deep Link Vulnerabilities diff --git a/skills/exploiting-excessive-data-exposure-in-api/SKILL.md b/skills/exploiting-excessive-data-exposure-in-api/SKILL.md index 14ac2eeb..6231fead 100644 --- a/skills/exploiting-excessive-data-exposure-in-api/SKILL.md +++ b/skills/exploiting-excessive-data-exposure-in-api/SKILL.md 
@@ -1,10 +1,12 @@ --- name: exploiting-excessive-data-exposure-in-api -description: 'Tests APIs for excessive data exposure where endpoints return more data than the client application needs, relying - on the frontend to filter sensitive fields. The tester intercepts API responses and analyzes them for leaked PII, internal - identifiers, debug information, or sensitive business data that the UI does not display but the API transmits. This maps - to OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests involving API data leakage testing, - excessive data exposure, response filtering bypass, or API over-fetching. +description: 'Tests APIs for excessive data exposure where endpoints return more data + than the client application needs, relying on the frontend to filter sensitive fields. + The tester intercepts API responses and analyzes them for leaked PII, internal identifiers, + debug information, or sensitive business data that the UI does not display but the + API transmits. This maps to OWASP API3:2023 Broken Object Property Level Authorization. + Activates for requests involving API data leakage testing, excessive data exposure, + response filtering bypass, or API over-fetching. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1027 +- T1070 --- # Exploiting Excessive Data Exposure in API diff --git a/skills/exploiting-http-request-smuggling/SKILL.md b/skills/exploiting-http-request-smuggling/SKILL.md index 4084d536..6507b221 100644 --- a/skills/exploiting-http-request-smuggling/SKILL.md +++ b/skills/exploiting-http-request-smuggling/SKILL.md 
@@ -1,7 +1,8 @@ --- name: exploiting-http-request-smuggling -description: Detecting and exploiting HTTP request smuggling vulnerabilities caused by Content-Length and Transfer-Encoding - parsing discrepancies between front-end and back-end servers. +description: Detecting and exploiting HTTP request smuggling vulnerabilities caused + by Content-Length and Transfer-Encoding parsing discrepancies between front-end + and back-end servers. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +20,11 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 --- # Exploiting HTTP Request Smuggling diff --git a/skills/exploiting-idor-vulnerabilities/SKILL.md b/skills/exploiting-idor-vulnerabilities/SKILL.md index 2b49c0db..1f8f136d 100644 --- a/skills/exploiting-idor-vulnerabilities/SKILL.md +++ b/skills/exploiting-idor-vulnerabilities/SKILL.md @@ -1,7 +1,8 @@ --- name: exploiting-idor-vulnerabilities -description: Identifying and exploiting Insecure Direct Object Reference vulnerabilities to access unauthorized resources - by manipulating object identifiers in API requests and URLs. +description: Identifying and exploiting Insecure Direct Object Reference vulnerabilities + to access unauthorized resources by manipulating object identifiers in API requests + and URLs. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +20,11 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 --- # Exploiting IDOR Vulnerabilities diff --git a/skills/exploiting-insecure-data-storage-in-mobile/SKILL.md b/skills/exploiting-insecure-data-storage-in-mobile/SKILL.md index c89cae43..adc03a59 100644 --- a/skills/exploiting-insecure-data-storage-in-mobile/SKILL.md +++ b/skills/exploiting-insecure-data-storage-in-mobile/SKILL.md 
@@ -1,9 +1,11 @@ --- name: exploiting-insecure-data-storage-in-mobile -description: 'Identifies and exploits insecure local data storage vulnerabilities in Android and iOS mobile applications including - unencrypted databases, world-readable files, insecure SharedPreferences, plaintext credential storage, and improper keychain/keystore - usage. Use when performing mobile penetration testing focused on OWASP M9 (Insecure Data Storage) or assessing compliance - with MASVS-STORAGE requirements. Activates for requests involving mobile data storage security, local storage exploitation, +description: 'Identifies and exploits insecure local data storage vulnerabilities + in Android and iOS mobile applications including unencrypted databases, world-readable + files, insecure SharedPreferences, plaintext credential storage, and improper keychain/keystore + usage. Use when performing mobile penetration testing focused on OWASP M9 (Insecure + Data Storage) or assessing compliance with MASVS-STORAGE requirements. Activates + for requests involving mobile data storage security, local storage exploitation, SharedPreferences analysis, or mobile data leakage assessment. ' @@ -32,6 +34,12 @@ nist_csf: - PR.AA-05 - ID.RA-01 - DE.CM-09 +mitre_attack: +- T1059 +- T1056 +- T1036 +- T1078 +- T1003 --- # Exploiting Insecure Data Storage in Mobile diff --git a/skills/exploiting-insecure-deserialization/SKILL.md b/skills/exploiting-insecure-deserialization/SKILL.md index fcc317ac..8061e0c5 100644 --- a/skills/exploiting-insecure-deserialization/SKILL.md +++ b/skills/exploiting-insecure-deserialization/SKILL.md 
@@ -1,7 +1,8 @@ --- name: exploiting-insecure-deserialization -description: Identifying and exploiting insecure deserialization vulnerabilities in Java, PHP, Python, and .NET applications - to achieve remote code execution during authorized penetration tests. +description: Identifying and exploiting insecure deserialization vulnerabilities in + Java, PHP, Python, and .NET applications to achieve remote code execution during + authorized penetration tests. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +20,11 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 --- # Exploiting Insecure Deserialization diff --git a/skills/exploiting-ipv6-vulnerabilities/SKILL.md b/skills/exploiting-ipv6-vulnerabilities/SKILL.md index 613498f8..8511380e 100644 --- a/skills/exploiting-ipv6-vulnerabilities/SKILL.md +++ b/skills/exploiting-ipv6-vulnerabilities/SKILL.md @@ -1,7 +1,8 @@ --- name: exploiting-ipv6-vulnerabilities -description: 'Identifies and exploits IPv6-specific vulnerabilities including SLAAC spoofing, Router Advertisement flooding, - and IPv6 tunneling during authorized assessments to test dual-stack security controls and IPv6-aware network defenses. +description: 'Identifies and exploits IPv6-specific vulnerabilities including SLAAC + spoofing, Router Advertisement flooding, and IPv6 tunneling during authorized assessments + to test dual-stack security controls and IPv6-aware network defenses. ' domain: cybersecurity @@ -20,6 +21,11 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 --- # Exploiting IPv6 Vulnerabilities diff --git a/skills/exploiting-jwt-algorithm-confusion-attack/SKILL.md b/skills/exploiting-jwt-algorithm-confusion-attack/SKILL.md index 80131050..34cfbe66 100644 --- a/skills/exploiting-jwt-algorithm-confusion-attack/SKILL.md +++ b/skills/exploiting-jwt-algorithm-confusion-attack/SKILL.md 
@@ -1,10 +1,12 @@ --- name: exploiting-jwt-algorithm-confusion-attack -description: 'Exploits JWT algorithm confusion vulnerabilities where the server''s token verification library accepts the - algorithm specified in the JWT header rather than enforcing a fixed algorithm. The tester manipulates the alg header to - switch from RS256 to HS256 (using the RSA public key as the HMAC secret), sets alg to none to bypass signature verification, - or exploits kid/jku/x5u header injection to supply attacker-controlled keys. Activates for requests involving JWT algorithm - confusion, alg none attack, key confusion attack, or JWT signature bypass. +description: 'Exploits JWT algorithm confusion vulnerabilities where the server''s + token verification library accepts the algorithm specified in the JWT header rather + than enforcing a fixed algorithm. The tester manipulates the alg header to switch + from RS256 to HS256 (using the RSA public key as the HMAC secret), sets alg to none + to bypass signature verification, or exploits kid/jku/x5u header injection to supply + attacker-controlled keys. Activates for requests involving JWT algorithm confusion, + alg none attack, key confusion attack, or JWT signature bypass. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1055 +- T1059 --- # Exploiting JWT Algorithm Confusion Attack diff --git a/skills/exploiting-kerberoasting-with-impacket/SKILL.md b/skills/exploiting-kerberoasting-with-impacket/SKILL.md index 92102fa3..a23bba7c 100644 --- a/skills/exploiting-kerberoasting-with-impacket/SKILL.md +++ b/skills/exploiting-kerberoasting-with-impacket/SKILL.md 
@@ -1,7 +1,7 @@ --- name: exploiting-kerberoasting-with-impacket -description: Perform Kerberoasting attacks using Impacket's GetUserSPNs to extract and crack Kerberos TGS tickets for Active - Directory service accounts. +description: Perform Kerberoasting attacks using Impacket's GetUserSPNs to extract + and crack Kerberos TGS tickets for Active Directory service accounts. domain: cybersecurity subdomain: red-teaming tags: @@ -25,6 +25,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1003 --- # Exploiting Kerberoasting with Impacket diff --git a/skills/exploiting-mass-assignment-in-rest-apis/SKILL.md b/skills/exploiting-mass-assignment-in-rest-apis/SKILL.md index e7f87679..eaa4e08b 100644 --- a/skills/exploiting-mass-assignment-in-rest-apis/SKILL.md +++ b/skills/exploiting-mass-assignment-in-rest-apis/SKILL.md @@ -1,7 +1,8 @@ --- name: exploiting-mass-assignment-in-rest-apis -description: Discover and exploit mass assignment vulnerabilities in REST APIs to escalate privileges, modify restricted fields, - and bypass authorization controls by injecting unexpected parameters in API requests. +description: Discover and exploit mass assignment vulnerabilities in REST APIs to + escalate privileges, modify restricted fields, and bypass authorization controls + by injecting unexpected parameters in API requests. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1068 --- # Exploiting Mass Assignment in REST APIs diff --git a/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md b/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md index 8e7d5061..18f56bbc 100644 --- a/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md +++ b/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md 
@@ -1,7 +1,8 @@ --- name: exploiting-ms17-010-eternalblue-vulnerability -description: MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code - execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it +description: MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 + implementation that allows remote code execution. Originally discovered by the NSA + and leaked by the Shadow Brokers in 2017, it domain: cybersecurity subdomain: red-teaming tags: @@ -26,6 +27,11 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 --- # Exploiting MS17-010 EternalBlue Vulnerability diff --git a/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md b/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md index a847a3f6..3e59e40c 100644 --- a/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md +++ b/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md @@ -1,7 +1,8 @@ --- name: exploiting-nopac-cve-2021-42278-42287 -description: Exploit the noPac vulnerability chain (CVE-2021-42278 sAMAccountName spoofing and CVE-2021-42287 KDC PAC confusion) - to escalate from standard domain user to Domain Admin in Active Directory environments. +description: Exploit the noPac vulnerability chain (CVE-2021-42278 sAMAccountName + spoofing and CVE-2021-42287 KDC PAC confusion) to escalate from standard domain + user to Domain Admin in Active Directory environments. domain: cybersecurity subdomain: red-teaming tags: @@ -25,6 +26,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1068 --- # Exploiting noPac (CVE-2021-42278 / CVE-2021-42287) diff --git a/skills/exploiting-nosql-injection-vulnerabilities/SKILL.md b/skills/exploiting-nosql-injection-vulnerabilities/SKILL.md index 99de35bf..05d31b4e 100644 --- a/skills/exploiting-nosql-injection-vulnerabilities/SKILL.md 
+++ b/skills/exploiting-nosql-injection-vulnerabilities/SKILL.md @@ -1,7 +1,8 @@ --- name: exploiting-nosql-injection-vulnerabilities -description: Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate - authentication bypass, data extraction, and unauthorized access risks. +description: Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, + and other NoSQL databases to demonstrate authentication bypass, data extraction, + and unauthorized access risks. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1055 --- # Exploiting NoSQL Injection Vulnerabilities diff --git a/skills/exploiting-oauth-misconfiguration/SKILL.md b/skills/exploiting-oauth-misconfiguration/SKILL.md index b964a7d2..10e82ec8 100644 --- a/skills/exploiting-oauth-misconfiguration/SKILL.md +++ b/skills/exploiting-oauth-misconfiguration/SKILL.md @@ -1,7 +1,8 @@ --- name: exploiting-oauth-misconfiguration -description: Identifying and exploiting OAuth 2.0 and OpenID Connect misconfigurations including redirect URI manipulation, - token leakage, and authorization code theft during security assessments. +description: Identifying and exploiting OAuth 2.0 and OpenID Connect misconfigurations + including redirect URI manipulation, token leakage, and authorization code theft + during security assessments. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +20,11 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 --- # Exploiting OAuth Misconfiguration diff --git a/skills/exploiting-prototype-pollution-in-javascript/SKILL.md b/skills/exploiting-prototype-pollution-in-javascript/SKILL.md index 63325228..02b462bc 100644 --- a/skills/exploiting-prototype-pollution-in-javascript/SKILL.md 
+++ b/skills/exploiting-prototype-pollution-in-javascript/SKILL.md @@ -1,7 +1,8 @@ --- name: exploiting-prototype-pollution-in-javascript -description: Detect and exploit JavaScript prototype pollution vulnerabilities on both client-side and server-side applications - to achieve XSS, RCE, and authentication bypass through property injection. +description: Detect and exploit JavaScript prototype pollution vulnerabilities on + both client-side and server-side applications to achieve XSS, RCE, and authentication + bypass through property injection. domain: cybersecurity subdomain: web-application-security tags: @@ -21,6 +22,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1055 --- # Exploiting Prototype Pollution in JavaScript diff --git a/skills/exploiting-race-condition-vulnerabilities/SKILL.md b/skills/exploiting-race-condition-vulnerabilities/SKILL.md index 9eb611dc..0ac1641b 100644 --- a/skills/exploiting-race-condition-vulnerabilities/SKILL.md +++ b/skills/exploiting-race-condition-vulnerabilities/SKILL.md @@ -1,7 +1,8 @@ --- name: exploiting-race-condition-vulnerabilities -description: Detect and exploit race condition vulnerabilities in web applications using Turbo Intruder's single-packet attack - technique to bypass rate limits, duplicate transactions, and exploit time-of-check-to-time-of-use flaws. +description: Detect and exploit race condition vulnerabilities in web applications + using Turbo Intruder's single-packet attack technique to bypass rate limits, duplicate + transactions, and exploit time-of-check-to-time-of-use flaws. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1027 --- # Exploiting Race Condition Vulnerabilities 
diff --git a/skills/exploiting-server-side-request-forgery/SKILL.md b/skills/exploiting-server-side-request-forgery/SKILL.md index a391c067..32e3e4f8 100644 --- a/skills/exploiting-server-side-request-forgery/SKILL.md +++ b/skills/exploiting-server-side-request-forgery/SKILL.md @@ -1,7 +1,7 @@ --- name: exploiting-server-side-request-forgery -description: Identifying and exploiting SSRF vulnerabilities to access internal services, cloud metadata, and restricted network - resources during authorized penetration tests. +description: Identifying and exploiting SSRF vulnerabilities to access internal services, + cloud metadata, and restricted network resources during authorized penetration tests. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +19,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1078.004 --- # Exploiting Server-Side Request Forgery diff --git a/skills/exploiting-smb-vulnerabilities-with-metasploit/SKILL.md b/skills/exploiting-smb-vulnerabilities-with-metasploit/SKILL.md index b448f83e..c70915d9 100644 --- a/skills/exploiting-smb-vulnerabilities-with-metasploit/SKILL.md +++ b/skills/exploiting-smb-vulnerabilities-with-metasploit/SKILL.md @@ -1,7 +1,8 @@ --- name: exploiting-smb-vulnerabilities-with-metasploit -description: 'Identifies and exploits SMB protocol vulnerabilities using Metasploit Framework during authorized penetration - tests to demonstrate risks from unpatched Windows systems, misconfigured shares, and weak authentication in enterprise networks. +description: 'Identifies and exploits SMB protocol vulnerabilities using Metasploit + Framework during authorized penetration tests to demonstrate risks from unpatched + Windows systems, misconfigured shares, and weak authentication in enterprise networks. ' domain: cybersecurity 
@@ -20,6 +21,11 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 --- # Exploiting SMB Vulnerabilities with Metasploit diff --git a/skills/exploiting-sql-injection-vulnerabilities/SKILL.md b/skills/exploiting-sql-injection-vulnerabilities/SKILL.md index 7443429e..72c7444b 100644 --- a/skills/exploiting-sql-injection-vulnerabilities/SKILL.md +++ b/skills/exploiting-sql-injection-vulnerabilities/SKILL.md @@ -1,10 +1,13 @@ --- name: exploiting-sql-injection-vulnerabilities -description: 'Identifies and exploits SQL injection vulnerabilities in web applications during authorized penetration tests - using manual techniques and automated tools like sqlmap. The tester detects injection points through error-based, union-based, - blind boolean, and time-based blind techniques across all major database engines (MySQL, PostgreSQL, MSSQL, Oracle) to demonstrate - data extraction, authentication bypass, and potential remote code execution. Activates for requests involving SQL injection - testing, SQLi exploitation, database security assessment, or injection vulnerability verification. +description: 'Identifies and exploits SQL injection vulnerabilities in web applications + during authorized penetration tests using manual techniques and automated tools + like sqlmap. The tester detects injection points through error-based, union-based, + blind boolean, and time-based blind techniques across all major database engines + (MySQL, PostgreSQL, MSSQL, Oracle) to demonstrate data extraction, authentication + bypass, and potential remote code execution. Activates for requests involving SQL + injection testing, SQLi exploitation, database security assessment, or injection + vulnerability verification. ' domain: cybersecurity @@ -23,6 +26,12 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1055 --- # Exploiting SQL Injection Vulnerabilities 
diff --git a/skills/exploiting-sql-injection-with-sqlmap/SKILL.md b/skills/exploiting-sql-injection-with-sqlmap/SKILL.md index 92124979..1e5088ee 100644 --- a/skills/exploiting-sql-injection-with-sqlmap/SKILL.md +++ b/skills/exploiting-sql-injection-with-sqlmap/SKILL.md @@ -1,7 +1,7 @@ --- name: exploiting-sql-injection-with-sqlmap -description: Detecting and exploiting SQL injection vulnerabilities using sqlmap to extract database contents during authorized - penetration tests. +description: Detecting and exploiting SQL injection vulnerabilities using sqlmap to + extract database contents during authorized penetration tests. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +19,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1055 --- # Exploiting SQL Injection with sqlmap diff --git a/skills/exploiting-template-injection-vulnerabilities/SKILL.md b/skills/exploiting-template-injection-vulnerabilities/SKILL.md index b137c7e7..1e6d0cea 100644 --- a/skills/exploiting-template-injection-vulnerabilities/SKILL.md +++ b/skills/exploiting-template-injection-vulnerabilities/SKILL.md @@ -1,7 +1,8 @@ --- name: exploiting-template-injection-vulnerabilities -description: Detecting and exploiting Server-Side Template Injection (SSTI) vulnerabilities across Jinja2, Twig, Freemarker, - and other template engines to achieve remote code execution. +description: Detecting and exploiting Server-Side Template Injection (SSTI) vulnerabilities + across Jinja2, Twig, Freemarker, and other template engines to achieve remote code + execution. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +20,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1055 --- # Exploiting Template Injection Vulnerabilities 
diff --git a/skills/exploiting-type-juggling-vulnerabilities/SKILL.md b/skills/exploiting-type-juggling-vulnerabilities/SKILL.md index 04b438f9..6eac147f 100644 --- a/skills/exploiting-type-juggling-vulnerabilities/SKILL.md +++ b/skills/exploiting-type-juggling-vulnerabilities/SKILL.md @@ -1,7 +1,8 @@ --- name: exploiting-type-juggling-vulnerabilities -description: Exploit PHP type juggling vulnerabilities caused by loose comparison operators to bypass authentication, circumvent - hash verification, and manipulate application logic through type coercion attacks. +description: Exploit PHP type juggling vulnerabilities caused by loose comparison + operators to bypass authentication, circumvent hash verification, and manipulate + application logic through type coercion attacks. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1027 --- # Exploiting Type Juggling Vulnerabilities diff --git a/skills/exploiting-vulnerabilities-with-metasploit-framework/SKILL.md b/skills/exploiting-vulnerabilities-with-metasploit-framework/SKILL.md index 078a5df3..58015e98 100644 --- a/skills/exploiting-vulnerabilities-with-metasploit-framework/SKILL.md +++ b/skills/exploiting-vulnerabilities-with-metasploit-framework/SKILL.md @@ -1,7 +1,8 @@ --- name: exploiting-vulnerabilities-with-metasploit-framework -description: The Metasploit Framework is the world's most widely used penetration testing platform, maintained by Rapid7. - It contains over 2,300 exploits, 1,200 auxiliary modules, and 400 post-exploitation modules +description: The Metasploit Framework is the world's most widely used penetration + testing platform, maintained by Rapid7. It contains over 2,300 exploits, 1,200 auxiliary + modules, and 400 post-exploitation modules domain: cybersecurity subdomain: vulnerability-management tags: 
@@ -19,6 +20,10 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 --- # Exploiting Vulnerabilities with Metasploit Framework diff --git a/skills/exploiting-websocket-vulnerabilities/SKILL.md b/skills/exploiting-websocket-vulnerabilities/SKILL.md index 0b625906..5e07355c 100644 --- a/skills/exploiting-websocket-vulnerabilities/SKILL.md +++ b/skills/exploiting-websocket-vulnerabilities/SKILL.md @@ -1,7 +1,8 @@ --- name: exploiting-websocket-vulnerabilities -description: Testing WebSocket implementations for authentication bypass, cross-site hijacking, injection attacks, and insecure - message handling during authorized security assessments. +description: Testing WebSocket implementations for authentication bypass, cross-site + hijacking, injection attacks, and insecure message handling during authorized security + assessments. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +20,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1055 --- # Exploiting WebSocket Vulnerabilities diff --git a/skills/exploiting-zerologon-vulnerability-cve-2020-1472/SKILL.md b/skills/exploiting-zerologon-vulnerability-cve-2020-1472/SKILL.md index 73de0300..1090f5c1 100644 --- a/skills/exploiting-zerologon-vulnerability-cve-2020-1472/SKILL.md +++ b/skills/exploiting-zerologon-vulnerability-cve-2020-1472/SKILL.md @@ -1,7 +1,8 @@ --- name: exploiting-zerologon-vulnerability-cve-2020-1472 -description: Exploit the Zerologon vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol to achieve domain controller - compromise by resetting the machine account password to empty. +description: Exploit the Zerologon vulnerability (CVE-2020-1472) in the Netlogon Remote + Protocol to achieve domain controller compromise by resetting the machine account + password to empty. domain: cybersecurity subdomain: red-teaming tags: 
@@ -25,6 +26,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1068 --- # Exploiting Zerologon Vulnerability (CVE-2020-1472) diff --git a/skills/extracting-browser-history-artifacts/SKILL.md b/skills/extracting-browser-history-artifacts/SKILL.md index 354505b1..0136542e 100644 --- a/skills/extracting-browser-history-artifacts/SKILL.md +++ b/skills/extracting-browser-history-artifacts/SKILL.md @@ -1,7 +1,7 @@ --- name: extracting-browser-history-artifacts -description: Extract and analyze browser history, cookies, cache, downloads, and bookmarks from Chrome, Firefox, and Edge - for forensic evidence of user web activity. +description: Extract and analyze browser history, cookies, cache, downloads, and bookmarks + from Chrome, Firefox, and Edge for forensic evidence of user web activity. domain: cybersecurity subdomain: digital-forensics tags: @@ -20,6 +20,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1059 --- # Extracting Browser History Artifacts diff --git a/skills/extracting-config-from-agent-tesla-rat/SKILL.md b/skills/extracting-config-from-agent-tesla-rat/SKILL.md index c933783a..766f06d4 100644 --- a/skills/extracting-config-from-agent-tesla-rat/SKILL.md +++ b/skills/extracting-config-from-agent-tesla-rat/SKILL.md @@ -1,7 +1,8 @@ --- name: extracting-config-from-agent-tesla-rat -description: Extract embedded configuration from Agent Tesla RAT samples including SMTP/FTP/Telegram exfiltration credentials, - keylogger settings, and C2 endpoints using .NET decompilation and memory analysis. +description: Extract embedded configuration from Agent Tesla RAT samples including + SMTP/FTP/Telegram exfiltration credentials, keylogger settings, and C2 endpoints + using .NET decompilation and memory analysis. domain: cybersecurity subdomain: malware-analysis tags: 
@@ -28,6 +29,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1055 +- T1140 +- T1497 +- T1003 --- # Extracting Config from Agent Tesla RAT diff --git a/skills/extracting-credentials-from-memory-dump/SKILL.md b/skills/extracting-credentials-from-memory-dump/SKILL.md index d2c54ae1..af9bc133 100644 --- a/skills/extracting-credentials-from-memory-dump/SKILL.md +++ b/skills/extracting-credentials-from-memory-dump/SKILL.md @@ -1,7 +1,7 @@ --- name: extracting-credentials-from-memory-dump -description: Extract cached credentials, password hashes, Kerberos tickets, and authentication tokens from memory dumps using - Volatility and Mimikatz for forensic investigation. +description: Extract cached credentials, password hashes, Kerberos tickets, and authentication + tokens from memory dumps using Volatility and Mimikatz for forensic investigation. domain: cybersecurity subdomain: digital-forensics tags: @@ -13,9 +13,11 @@ tags: - password-hashes - incident-response mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 - T1003 -- T1558 -- T1552 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/extracting-iocs-from-malware-samples/SKILL.md b/skills/extracting-iocs-from-malware-samples/SKILL.md index eb3481e1..632c7e38 100644 --- a/skills/extracting-iocs-from-malware-samples/SKILL.md +++ b/skills/extracting-iocs-from-malware-samples/SKILL.md 
@@ -1,9 +1,11 @@ --- name: extracting-iocs-from-malware-samples -description: 'Extracts indicators of compromise (IOCs) from malware samples including file hashes, network indicators (IPs, - domains, URLs), host artifacts (file paths, registry keys, mutexes), and behavioral patterns for threat intelligence sharing - and detection rule creation. Activates for requests involving IOC extraction, threat indicator harvesting, malware indicator - collection, or building detection content from samples. +description: 'Extracts indicators of compromise (IOCs) from malware samples including + file hashes, network indicators (IPs, domains, URLs), host artifacts (file paths, + registry keys, mutexes), and behavioral patterns for threat intelligence sharing + and detection rule creation. Activates for requests involving IOC extraction, threat + indicator harvesting, malware indicator collection, or building detection content + from samples. ' domain: cybersecurity @@ -22,6 +24,11 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1055 +- T1140 +- T1497 --- # Extracting IOCs from Malware Samples diff --git a/skills/extracting-memory-artifacts-with-rekall/SKILL.md b/skills/extracting-memory-artifacts-with-rekall/SKILL.md index 346b620c..d700136a 100644 --- a/skills/extracting-memory-artifacts-with-rekall/SKILL.md +++ b/skills/extracting-memory-artifacts-with-rekall/SKILL.md 
@@ -1,17 +1,21 @@ --- name: extracting-memory-artifacts-with-rekall -description: 'Uses Rekall memory forensics framework to analyze memory dumps for process hollowing, injected code via VAD - anomalies, hidden processes, and rootkit detection. Applies plugins like pslist, psscan, vadinfo, malfind, and dlllist to - extract forensic artifacts from Windows memory images. Use during incident response memory analysis. +description: 'Uses Rekall memory forensics framework to analyze memory dumps for process + hollowing, injected code via VAD anomalies, hidden processes, and rootkit detection. + Applies plugins like pslist, psscan, vadinfo, malfind, and dlllist to extract forensic + artifacts from Windows memory images. Use during incident response memory analysis. ' domain: cybersecurity subdomain: security-operations tags: -- extracting -- memory -- artifacts -- with +- memory-forensics +- rekall +- process-hollowing +- code-injection +- vad-analysis +- incident-response +- security-operations version: '1.0' author: mahipal license: Apache-2.0 @@ -20,6 +24,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1055 +- T1005 --- # Extracting Memory Artifacts with Rekall diff --git a/skills/extracting-windows-event-logs-artifacts/SKILL.md b/skills/extracting-windows-event-logs-artifacts/SKILL.md index d828a68f..35dd61a1 100644 --- a/skills/extracting-windows-event-logs-artifacts/SKILL.md +++ b/skills/extracting-windows-event-logs-artifacts/SKILL.md @@ -1,7 +1,7 @@ --- name: extracting-windows-event-logs-artifacts -description: Extract, parse, and analyze Windows Event Logs (EVTX) using Chainsaw, Hayabusa, and EvtxECmd to detect lateral - movement, persistence, and privilege escalation. +description: Extract, parse, and analyze Windows Event Logs (EVTX) using Chainsaw, + Hayabusa, and EvtxECmd to detect lateral movement, persistence, and privilege escalation. domain: cybersecurity subdomain: digital-forensics tags: 
@@ -20,6 +20,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1021 --- # Extracting Windows Event Logs Artifacts diff --git a/skills/generating-threat-intelligence-reports/SKILL.md b/skills/generating-threat-intelligence-reports/SKILL.md index b3f7a7f0..21562da4 100644 --- a/skills/generating-threat-intelligence-reports/SKILL.md +++ b/skills/generating-threat-intelligence-reports/SKILL.md @@ -1,10 +1,12 @@ --- name: generating-threat-intelligence-reports -description: 'Generates structured cyber threat intelligence reports at strategic, operational, and tactical levels tailored - to specific audiences including executives, security operations teams, and technical analysts. Use when producing finished - intelligence products from raw collection data, creating sector threat briefings, or delivering post-incident intelligence - assessments. Activates for requests involving CTI report writing, threat briefings, intelligence products, finished intelligence, - or executive security reporting. +description: 'Generates structured cyber threat intelligence reports at strategic, + operational, and tactical levels tailored to specific audiences including executives, + security operations teams, and technical analysts. Use when producing finished intelligence + products from raw collection data, creating sector threat briefings, or delivering + post-incident intelligence assessments. Activates for requests involving CTI report + writing, threat briefings, intelligence products, finished intelligence, or executive + security reporting. ' domain: cybersecurity @@ -25,6 +27,11 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 --- # Generating Threat Intelligence Reports diff --git a/skills/hardening-docker-containers-for-production/SKILL.md b/skills/hardening-docker-containers-for-production/SKILL.md index cf50f3d7..63ef441d 100644 
--- a/skills/hardening-docker-containers-for-production/SKILL.md +++ b/skills/hardening-docker-containers-for-production/SKILL.md @@ -1,7 +1,8 @@ --- name: hardening-docker-containers-for-production -description: Hardening Docker containers for production involves applying security best practices aligned with CIS Docker - Benchmark v1.8.0 to minimize attack surface, prevent privilege escalation, and enforce leas +description: Hardening Docker containers for production involves applying security + best practices aligned with CIS Docker Benchmark v1.8.0 to minimize attack surface, + prevent privilege escalation, and enforce leas domain: cybersecurity subdomain: container-security tags: @@ -18,6 +19,12 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 +- T1068 --- # Hardening Docker Containers for Production diff --git a/skills/hardening-docker-daemon-configuration/SKILL.md b/skills/hardening-docker-daemon-configuration/SKILL.md index fe852950..f7af6bb8 100644 --- a/skills/hardening-docker-daemon-configuration/SKILL.md +++ b/skills/hardening-docker-daemon-configuration/SKILL.md @@ -1,7 +1,7 @@ --- name: hardening-docker-daemon-configuration -description: Harden the Docker daemon by configuring daemon.json with user namespace remapping, TLS authentication, rootless - mode, and CIS benchmark controls. +description: Harden the Docker daemon by configuring daemon.json with user namespace + remapping, TLS authentication, rootless mode, and CIS benchmark controls. domain: cybersecurity subdomain: container-security tags: @@ -19,6 +19,12 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 +- T1553 --- # Hardening Docker Daemon Configuration diff --git a/skills/hardening-linux-endpoint-with-cis-benchmark/SKILL.md b/skills/hardening-linux-endpoint-with-cis-benchmark/SKILL.md index 0fbe5d77..6d0b344f 100644 --- a/skills/hardening-linux-endpoint-with-cis-benchmark/SKILL.md 
+++ b/skills/hardening-linux-endpoint-with-cis-benchmark/SKILL.md @@ -1,9 +1,11 @@ --- name: hardening-linux-endpoint-with-cis-benchmark -description: 'Hardens Linux endpoints using CIS Benchmark recommendations for Ubuntu, RHEL, and CentOS to reduce attack surface, - enforce security baselines, and meet compliance requirements. Use when deploying new Linux servers, remediating audit findings, - or establishing security baselines for Linux infrastructure. Activates for requests involving Linux hardening, CIS benchmarks - for Linux, server security baselines, or Linux configuration compliance. +description: 'Hardens Linux endpoints using CIS Benchmark recommendations for Ubuntu, + RHEL, and CentOS to reduce attack surface, enforce security baselines, and meet + compliance requirements. Use when deploying new Linux servers, remediating audit + findings, or establishing security baselines for Linux infrastructure. Activates + for requests involving Linux hardening, CIS benchmarks for Linux, server security + baselines, or Linux configuration compliance. ' domain: cybersecurity @@ -23,6 +25,11 @@ nist_csf: - PR.PS-02 - DE.CM-01 - PR.IR-01 +mitre_attack: +- T1055 +- T1547 +- T1059 +- T1036 --- # Hardening Linux Endpoint with CIS Benchmark diff --git a/skills/hardening-windows-endpoint-with-cis-benchmark/SKILL.md b/skills/hardening-windows-endpoint-with-cis-benchmark/SKILL.md index 27d0a7d0..7a0051bb 100644 --- a/skills/hardening-windows-endpoint-with-cis-benchmark/SKILL.md +++ b/skills/hardening-windows-endpoint-with-cis-benchmark/SKILL.md 
@@ -1,9 +1,11 @@ --- name: hardening-windows-endpoint-with-cis-benchmark -description: 'Hardens Windows endpoints using CIS (Center for Internet Security) Benchmark recommendations to reduce attack - surface, enforce security baselines, and meet compliance requirements. Use when deploying new Windows workstations or servers, - remediating audit findings, or establishing organization-wide security baselines. Activates for requests involving Windows - hardening, CIS benchmarks, GPO security baselines, or endpoint configuration compliance. +description: 'Hardens Windows endpoints using CIS (Center for Internet Security) Benchmark + recommendations to reduce attack surface, enforce security baselines, and meet compliance + requirements. Use when deploying new Windows workstations or servers, remediating + audit findings, or establishing organization-wide security baselines. Activates + for requests involving Windows hardening, CIS benchmarks, GPO security baselines, + or endpoint configuration compliance. ' domain: cybersecurity @@ -23,6 +25,11 @@ nist_csf: - PR.PS-02 - DE.CM-01 - PR.IR-01 +mitre_attack: +- T1055 +- T1547 +- T1059 +- T1036 --- # Hardening Windows Endpoint with CIS Benchmark diff --git a/skills/hunting-advanced-persistent-threats/SKILL.md b/skills/hunting-advanced-persistent-threats/SKILL.md index e89d09d0..55ba27c3 100644 --- a/skills/hunting-advanced-persistent-threats/SKILL.md +++ b/skills/hunting-advanced-persistent-threats/SKILL.md 
@@ -1,9 +1,11 @@ --- name: hunting-advanced-persistent-threats -description: 'Proactively hunts for Advanced Persistent Threat (APT) activity within enterprise environments using hypothesis-driven - searches across endpoint telemetry, network logs, and memory artifacts. Use when conducting scheduled threat hunting cycles, - investigating anomalous behavior flagged by UEBA, or validating that known APT TTPs are not present in the environment. - Activates for requests involving MITRE ATT&CK, Velociraptor, osquery, Zeek, or threat hunting playbooks. +description: 'Proactively hunts for Advanced Persistent Threat (APT) activity within + enterprise environments using hypothesis-driven searches across endpoint telemetry, + network logs, and memory artifacts. Use when conducting scheduled threat hunting + cycles, investigating anomalous behavior flagged by UEBA, or validating that known + APT TTPs are not present in the environment. Activates for requests involving MITRE + ATT&CK, Velociraptor, osquery, Zeek, or threat hunting playbooks. ' domain: cybersecurity @@ -32,6 +34,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 +- T1005 --- # Hunting Advanced Persistent Threats diff --git a/skills/hunting-credential-stuffing-attacks/SKILL.md b/skills/hunting-credential-stuffing-attacks/SKILL.md index afdc17b2..dd312678 100644 --- a/skills/hunting-credential-stuffing-attacks/SKILL.md +++ b/skills/hunting-credential-stuffing-attacks/SKILL.md 
@@ -1,17 +1,21 @@ --- name: hunting-credential-stuffing-attacks -description: 'Detects credential stuffing attacks by analyzing authentication logs for login velocity anomalies, ASN diversity, - password spray patterns, and geographic distribution of failed logins. Uses statistical analysis on Splunk or raw log data. - Use when investigating account takeover campaigns or building detection rules for auth abuse. +description: 'Detects credential stuffing attacks by analyzing authentication logs + for login velocity anomalies, ASN diversity, password spray patterns, and geographic + distribution of failed logins. Uses statistical analysis on Splunk or raw log data. + Use when investigating account takeover campaigns or building detection rules for + auth abuse. ' domain: cybersecurity subdomain: security-operations tags: -- hunting -- credential -- stuffing -- attacks +- credential-stuffing +- authentication-logs +- login-anomaly +- asn-analysis +- threat-hunting +- account-takeover version: '1.0' author: mahipal license: Apache-2.0 @@ -20,6 +24,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1003 +- T1110 --- # Hunting Credential Stuffing Attacks diff --git a/skills/hunting-for-anomalous-powershell-execution/SKILL.md b/skills/hunting-for-anomalous-powershell-execution/SKILL.md index 5f7c60a2..a47bc06f 100644 --- a/skills/hunting-for-anomalous-powershell-execution/SKILL.md +++ b/skills/hunting-for-anomalous-powershell-execution/SKILL.md 
@@ -1,9 +1,11 @@ --- name: hunting-for-anomalous-powershell-execution -description: 'Hunt for malicious PowerShell activity by analyzing Script Block Logging (Event 4104), Module Logging (Event - 4103), and process creation events. The analyst parses Windows Event Log EVTX files to detect obfuscated commands, AMSI - bypass attempts, encoded payloads, credential dumping keywords, and suspicious download cradles. Activates for requests - involving PowerShell threat hunting, script block analysis, encoded command detection, or AMSI bypass identification. +description: 'Hunt for malicious PowerShell activity by analyzing Script Block Logging + (Event 4104), Module Logging (Event 4103), and process creation events. The analyst + parses Windows Event Log EVTX files to detect obfuscated commands, AMSI bypass attempts, + encoded payloads, credential dumping keywords, and suspicious download cradles. + Activates for requests involving PowerShell threat hunting, script block analysis, + encoded command detection, or AMSI bypass identification. ' domain: cybersecurity @@ -24,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1003 --- # Hunting for Anomalous PowerShell Execution diff --git a/skills/hunting-for-beaconing-with-frequency-analysis/SKILL.md b/skills/hunting-for-beaconing-with-frequency-analysis/SKILL.md index 45f254a0..073e764c 100644 --- a/skills/hunting-for-beaconing-with-frequency-analysis/SKILL.md +++ b/skills/hunting-for-beaconing-with-frequency-analysis/SKILL.md 
@@ -1,7 +1,8 @@ --- name: hunting-for-beaconing-with-frequency-analysis -description: Identify command-and-control beaconing patterns in network traffic by applying statistical frequency analysis, - jitter calculation, and coefficient of variation scoring to detect periodic callbacks from compromised endpoints. +description: Identify command-and-control beaconing patterns in network traffic by + applying statistical frequency analysis, jitter calculation, and coefficient of + variation scoring to detect periodic callbacks from compromised endpoints. domain: cybersecurity subdomain: threat-hunting tags: @@ -27,6 +28,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1071 --- # Hunting for Beaconing with Frequency Analysis diff --git a/skills/hunting-for-cobalt-strike-beacons/SKILL.md b/skills/hunting-for-cobalt-strike-beacons/SKILL.md index 2a607f72..8857d770 100644 --- a/skills/hunting-for-cobalt-strike-beacons/SKILL.md +++ b/skills/hunting-for-cobalt-strike-beacons/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-cobalt-strike-beacons -description: Detect Cobalt Strike beacon network activity using default TLS certificate signatures (serial 8BB00EE), JA3/JA3S/JARM - fingerprints, HTTP C2 profile pattern matching, beacon jitter analysis, and named pipe detection via Zeek, Suricata, and +description: Detect Cobalt Strike beacon network activity using default TLS certificate + signatures (serial 8BB00EE), JA3/JA3S/JARM fingerprints, HTTP C2 profile pattern + matching, beacon jitter analysis, and named pipe detection via Zeek, Suricata, and Python PCAP analysis. domain: cybersecurity subdomain: threat-hunting @@ -23,6 +24,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1071 --- # Hunting for Cobalt Strike Beacons 
diff --git a/skills/hunting-for-command-and-control-beaconing/SKILL.md b/skills/hunting-for-command-and-control-beaconing/SKILL.md index 5ebebbd9..a288b48c 100644 --- a/skills/hunting-for-command-and-control-beaconing/SKILL.md +++ b/skills/hunting-for-command-and-control-beaconing/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-command-and-control-beaconing -description: Detect C2 beaconing patterns in network traffic using frequency analysis, jitter detection, and domain reputation - to identify compromised endpoints communicating with adversary infrastructure. +description: Detect C2 beaconing patterns in network traffic using frequency analysis, + jitter detection, and domain reputation to identify compromised endpoints communicating + with adversary infrastructure. domain: cybersecurity subdomain: threat-hunting tags: @@ -25,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1071 --- # Hunting for Command and Control Beaconing diff --git a/skills/hunting-for-data-exfiltration-indicators/SKILL.md b/skills/hunting-for-data-exfiltration-indicators/SKILL.md index 99e71e15..3c14b836 100644 --- a/skills/hunting-for-data-exfiltration-indicators/SKILL.md +++ b/skills/hunting-for-data-exfiltration-indicators/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-data-exfiltration-indicators -description: Hunt for data exfiltration through network traffic analysis, detecting unusual data flows, DNS tunneling, cloud - storage uploads, and encrypted channel abuse. +description: Hunt for data exfiltration through network traffic analysis, detecting + unusual data flows, DNS tunneling, cloud storage uploads, and encrypted channel + abuse. domain: cybersecurity subdomain: threat-hunting tags: @@ -32,6 +33,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1048 --- # Hunting for Data Exfiltration Indicators 
diff --git a/skills/hunting-for-data-staging-before-exfiltration/SKILL.md b/skills/hunting-for-data-staging-before-exfiltration/SKILL.md index 16a2ce6f..0f0f5df6 100644 --- a/skills/hunting-for-data-staging-before-exfiltration/SKILL.md +++ b/skills/hunting-for-data-staging-before-exfiltration/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-data-staging-before-exfiltration -description: Detect data staging activity before exfiltration by monitoring for archive creation with 7-Zip/RAR, unusual temp - folder access, large file consolidation, and staging directory patterns via EDR and process telemetry +description: Detect data staging activity before exfiltration by monitoring for archive + creation with 7-Zip/RAR, unusual temp folder access, large file consolidation, and + staging directory patterns via EDR and process telemetry domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +27,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1048 --- # Hunting for Data Staging Before Exfiltration diff --git a/skills/hunting-for-dcom-lateral-movement/SKILL.md b/skills/hunting-for-dcom-lateral-movement/SKILL.md index 708dcecb..8b9df4a8 100644 --- a/skills/hunting-for-dcom-lateral-movement/SKILL.md +++ b/skills/hunting-for-dcom-lateral-movement/SKILL.md 
@@ -1,8 +1,9 @@ --- name: hunting-for-dcom-lateral-movement -description: 'Hunt for DCOM-based lateral movement by detecting abuse of MMC20.Application, ShellBrowserWindow, and ShellWindows - COM objects through Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) correlation, WMI event analysis, - RPC endpoint mapper traffic on port 135, and DCOM-specific parent-child process relationships. +description: 'Hunt for DCOM-based lateral movement by detecting abuse of MMC20.Application, + ShellBrowserWindow, and ShellWindows COM objects through Sysmon Event ID 1 (process + creation) and Event ID 3 (network connection) correlation, WMI event analysis, RPC + endpoint mapper traffic on port 135, and DCOM-specific parent-child process relationships. ' domain: cybersecurity @@ -33,6 +34,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1021 --- # Hunting for DCOM Lateral Movement diff --git a/skills/hunting-for-dcsync-attacks/SKILL.md b/skills/hunting-for-dcsync-attacks/SKILL.md index a8362571..8d13f0b2 100644 --- a/skills/hunting-for-dcsync-attacks/SKILL.md +++ b/skills/hunting-for-dcsync-attacks/SKILL.md @@ -1,7 +1,7 @@ --- name: hunting-for-dcsync-attacks -description: Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests - from non-domain-controller accounts. +description: Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized + DS-Replication-Get-Changes requests from non-domain-controller accounts. domain: cybersecurity subdomain: threat-hunting tags: @@ -27,6 +27,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1003 --- # Hunting for DCSync Attacks diff --git a/skills/hunting-for-defense-evasion-via-timestomping/SKILL.md b/skills/hunting-for-defense-evasion-via-timestomping/SKILL.md index 037d2d17..a4746b5f 100644 
--- a/skills/hunting-for-defense-evasion-via-timestomping/SKILL.md +++ b/skills/hunting-for-defense-evasion-via-timestomping/SKILL.md @@ -1,8 +1,8 @@ --- name: hunting-for-defense-evasion-via-timestomping -description: 'Detect NTFS timestamp manipulation (MITRE T1070.006) by comparing $STANDARD_INFORMATION vs $FILE_NAME timestamps - in the MFT. Uses analyzeMFT and Python to identify files with anomalous temporal patterns indicating anti-forensic timestomping - activity. +description: 'Detect NTFS timestamp manipulation (MITRE T1070.006) by comparing $STANDARD_INFORMATION + vs $FILE_NAME timestamps in the MFT. Uses analyzeMFT and Python to identify files + with anomalous temporal patterns indicating anti-forensic timestomping activity. ' domain: cybersecurity @@ -26,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1027 --- # Hunting for Defense Evasion via Timestomping diff --git a/skills/hunting-for-dns-based-persistence/SKILL.md b/skills/hunting-for-dns-based-persistence/SKILL.md index 391f18f3..67faaa86 100644 --- a/skills/hunting-for-dns-based-persistence/SKILL.md +++ b/skills/hunting-for-dns-based-persistence/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-dns-based-persistence -description: Hunt for DNS-based persistence mechanisms including DNS hijacking, dangling CNAME records, wildcard DNS abuse, - and unauthorized zone modifications using passive DNS databases, SecurityTrails API, and DNS audit log analysis. +description: Hunt for DNS-based persistence mechanisms including DNS hijacking, dangling + CNAME records, wildcard DNS abuse, and unauthorized zone modifications using passive + DNS databases, SecurityTrails API, and DNS audit log analysis. domain: cybersecurity subdomain: threat-hunting tags: @@ -20,6 +21,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1547 --- # Hunting for DNS-based Persistence 
diff --git a/skills/hunting-for-dns-tunneling-with-zeek/SKILL.md b/skills/hunting-for-dns-tunneling-with-zeek/SKILL.md index 94f45cac..3972d107 100644 --- a/skills/hunting-for-dns-tunneling-with-zeek/SKILL.md +++ b/skills/hunting-for-dns-tunneling-with-zeek/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-dns-tunneling-with-zeek -description: Detect DNS tunneling and data exfiltration by analyzing Zeek dns.log for high-entropy subdomain queries, excessive - query volume, long query lengths, and unusual DNS record types indicating covert channel communication. +description: Detect DNS tunneling and data exfiltration by analyzing Zeek dns.log + for high-entropy subdomain queries, excessive query volume, long query lengths, + and unusual DNS record types indicating covert channel communication. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +27,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1048 --- # Hunting for DNS Tunneling with Zeek diff --git a/skills/hunting-for-domain-fronting-c2-traffic/SKILL.md b/skills/hunting-for-domain-fronting-c2-traffic/SKILL.md index f1124df9..99ea2aee 100644 --- a/skills/hunting-for-domain-fronting-c2-traffic/SKILL.md +++ b/skills/hunting-for-domain-fronting-c2-traffic/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-domain-fronting-c2-traffic -description: Detect domain fronting C2 traffic by analyzing SNI vs HTTP Host header mismatches in proxy logs and TLS certificate - discrepancies using pyOpenSSL for certificate inspection +description: Detect domain fronting C2 traffic by analyzing SNI vs HTTP Host header + mismatches in proxy logs and TLS certificate discrepancies using pyOpenSSL for certificate + inspection domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +27,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1071 --- # Hunting for Domain Fronting C2 Traffic 
diff --git a/skills/hunting-for-lateral-movement-via-wmi/SKILL.md b/skills/hunting-for-lateral-movement-via-wmi/SKILL.md index 8aa4ed08..b8b0cf9b 100644 --- a/skills/hunting-for-lateral-movement-via-wmi/SKILL.md +++ b/skills/hunting-for-lateral-movement-via-wmi/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-lateral-movement-via-wmi -description: Detect WMI-based lateral movement by analyzing Windows Event ID 4688 process creation and Sysmon Event ID 1 for - WmiPrvSE.exe child process patterns, remote process execution, and WMI event subscription persistence. +description: Detect WMI-based lateral movement by analyzing Windows Event ID 4688 + process creation and Sysmon Event ID 1 for WmiPrvSE.exe child process patterns, + remote process execution, and WMI event subscription persistence. domain: cybersecurity subdomain: threat-hunting tags: @@ -19,6 +20,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1021 --- # Hunting for Lateral Movement via WMI diff --git a/skills/hunting-for-living-off-the-cloud-techniques/SKILL.md b/skills/hunting-for-living-off-the-cloud-techniques/SKILL.md index 7717584c..0b0eae5b 100644 --- a/skills/hunting-for-living-off-the-cloud-techniques/SKILL.md +++ b/skills/hunting-for-living-off-the-cloud-techniques/SKILL.md @@ -1,7 +1,7 @@ --- name: hunting-for-living-off-the-cloud-techniques -description: Hunt for adversary abuse of legitimate cloud services for C2, data staging, and exfiltration including abuse - of Azure, AWS, GCP services, and SaaS platforms. +description: Hunt for adversary abuse of legitimate cloud services for C2, data staging, + and exfiltration including abuse of Azure, AWS, GCP services, and SaaS platforms. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1048 --- # Hunting For Living Off The Cloud Techniques 
diff --git a/skills/hunting-for-living-off-the-land-binaries/SKILL.md b/skills/hunting-for-living-off-the-land-binaries/SKILL.md index d13312ac..21f66595 100644 --- a/skills/hunting-for-living-off-the-land-binaries/SKILL.md +++ b/skills/hunting-for-living-off-the-land-binaries/SKILL.md @@ -1,7 +1,7 @@ --- name: hunting-for-living-off-the-land-binaries -description: Proactively hunt for adversary abuse of legitimate system binaries (LOLBins) to execute malicious payloads while - evading detection. +description: Proactively hunt for adversary abuse of legitimate system binaries (LOLBins) + to execute malicious payloads while evading detection. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1027 --- # Hunting for Living-off-the-Land Binaries (LOLBins) diff --git a/skills/hunting-for-lolbins-execution-in-endpoint-logs/SKILL.md b/skills/hunting-for-lolbins-execution-in-endpoint-logs/SKILL.md index 08e1c2ab..745d0b7f 100644 --- a/skills/hunting-for-lolbins-execution-in-endpoint-logs/SKILL.md +++ b/skills/hunting-for-lolbins-execution-in-endpoint-logs/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-lolbins-execution-in-endpoint-logs -description: Hunt for adversary abuse of Living Off the Land Binaries (LOLBins) by analyzing endpoint process creation logs - for suspicious execution patterns of legitimate Windows system binaries used for malicious purposes. +description: Hunt for adversary abuse of Living Off the Land Binaries (LOLBins) by + analyzing endpoint process creation logs for suspicious execution patterns of legitimate + Windows system binaries used for malicious purposes. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +27,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1027 --- # Hunting for LOLBins Execution in Endpoint Logs 
diff --git a/skills/hunting-for-ntlm-relay-attacks/SKILL.md b/skills/hunting-for-ntlm-relay-attacks/SKILL.md index 80d78aa8..f86bae30 100644 --- a/skills/hunting-for-ntlm-relay-attacks/SKILL.md +++ b/skills/hunting-for-ntlm-relay-attacks/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-ntlm-relay-attacks -description: Detect NTLM relay attacks by analyzing Windows Event 4624 logon type 3 with NTLMSSP authentication, identifying - IP-to-hostname mismatches, Responder traffic signatures, SMB signing status, and suspicious authentication patterns across +description: Detect NTLM relay attacks by analyzing Windows Event 4624 logon type + 3 with NTLMSSP authentication, identifying IP-to-hostname mismatches, Responder + traffic signatures, SMB signing status, and suspicious authentication patterns across the domain. domain: cybersecurity subdomain: threat-hunting @@ -29,6 +30,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1003 --- # Hunting for NTLM Relay Attacks diff --git a/skills/hunting-for-persistence-mechanisms-in-windows/SKILL.md b/skills/hunting-for-persistence-mechanisms-in-windows/SKILL.md index 4409057c..0898f32e 100644 --- a/skills/hunting-for-persistence-mechanisms-in-windows/SKILL.md +++ b/skills/hunting-for-persistence-mechanisms-in-windows/SKILL.md @@ -1,7 +1,7 @@ --- name: hunting-for-persistence-mechanisms-in-windows -description: Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services, - startup folders, and WMI subscriptions. +description: Systematically hunt for adversary persistence mechanisms across Windows + endpoints including registry, services, startup folders, and WMI subscriptions. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1547 --- # Hunting for Persistence Mechanisms in Windows 
diff --git a/skills/hunting-for-persistence-via-wmi-subscriptions/SKILL.md b/skills/hunting-for-persistence-via-wmi-subscriptions/SKILL.md index 109cc3df..e96390eb 100644 --- a/skills/hunting-for-persistence-via-wmi-subscriptions/SKILL.md +++ b/skills/hunting-for-persistence-via-wmi-subscriptions/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-persistence-via-wmi-subscriptions -description: Hunt for adversary persistence through Windows Management Instrumentation event subscriptions by monitoring WMI - consumer, filter, and binding creation events that execute malicious code triggered by system events. +description: Hunt for adversary persistence through Windows Management Instrumentation + event subscriptions by monitoring WMI consumer, filter, and binding creation events + that execute malicious code triggered by system events. domain: cybersecurity subdomain: threat-hunting tags: @@ -25,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1547 --- # Hunting for Persistence via WMI Subscriptions diff --git a/skills/hunting-for-process-injection-techniques/SKILL.md b/skills/hunting-for-process-injection-techniques/SKILL.md index 30c2ec3a..bee9005a 100644 --- a/skills/hunting-for-process-injection-techniques/SKILL.md +++ b/skills/hunting-for-process-injection-techniques/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-process-injection-techniques -description: Detect process injection techniques (T1055) including CreateRemoteThread, process hollowing, and DLL injection - via Sysmon Event IDs 8 and 10 and EDR process telemetry +description: Detect process injection techniques (T1055) including CreateRemoteThread, + process hollowing, and DLL injection via Sysmon Event IDs 8 and 10 and EDR process + telemetry domain: cybersecurity subdomain: threat-hunting tags: 
@@ -26,6 +27,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1055 --- # Hunting for Process Injection Techniques diff --git a/skills/hunting-for-registry-persistence-mechanisms/SKILL.md b/skills/hunting-for-registry-persistence-mechanisms/SKILL.md index a03e453a..1e820307 100644 --- a/skills/hunting-for-registry-persistence-mechanisms/SKILL.md +++ b/skills/hunting-for-registry-persistence-mechanisms/SKILL.md @@ -1,7 +1,7 @@ --- name: hunting-for-registry-persistence-mechanisms -description: Hunt for registry-based persistence mechanisms including Run keys, Winlogon modifications, IFEO injection, and - COM hijacking in Windows environments. +description: Hunt for registry-based persistence mechanisms including Run keys, Winlogon + modifications, IFEO injection, and COM hijacking in Windows environments. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1547 --- # Hunting For Registry Persistence Mechanisms diff --git a/skills/hunting-for-registry-run-key-persistence/SKILL.md b/skills/hunting-for-registry-run-key-persistence/SKILL.md index 09853c53..b82ead5a 100644 --- a/skills/hunting-for-registry-run-key-persistence/SKILL.md +++ b/skills/hunting-for-registry-run-key-persistence/SKILL.md @@ -1,7 +1,7 @@ --- name: hunting-for-registry-run-key-persistence -description: Detect MITRE ATT&CK T1547.001 registry Run key persistence by analyzing Sysmon Event ID 13 logs and registry - queries to identify malicious auto-start entries. +description: Detect MITRE ATT&CK T1547.001 registry Run key persistence by analyzing + Sysmon Event ID 13 logs and registry queries to identify malicious auto-start entries. domain: cybersecurity subdomain: threat-hunting tags: 
@@ -26,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1547 --- # Hunting for Registry Run Key Persistence diff --git a/skills/hunting-for-scheduled-task-persistence/SKILL.md b/skills/hunting-for-scheduled-task-persistence/SKILL.md index 03b4ed2a..6207dc43 100644 --- a/skills/hunting-for-scheduled-task-persistence/SKILL.md +++ b/skills/hunting-for-scheduled-task-persistence/SKILL.md @@ -1,7 +1,7 @@ --- name: hunting-for-scheduled-task-persistence -description: Hunt for adversary persistence via Windows Scheduled Tasks by analyzing task creation events, suspicious task - actions, and unusual scheduling patterns. +description: Hunt for adversary persistence via Windows Scheduled Tasks by analyzing + task creation events, suspicious task actions, and unusual scheduling patterns. domain: cybersecurity subdomain: threat-hunting tags: @@ -25,6 +25,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1547 --- # Hunting For Scheduled Task Persistence diff --git a/skills/hunting-for-shadow-copy-deletion/SKILL.md b/skills/hunting-for-shadow-copy-deletion/SKILL.md index 5ab658aa..0d914834 100644 --- a/skills/hunting-for-shadow-copy-deletion/SKILL.md +++ b/skills/hunting-for-shadow-copy-deletion/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-shadow-copy-deletion -description: Hunt for Volume Shadow Copy deletion activity that indicates ransomware preparation or anti-forensics by monitoring - vssadmin, wmic, and PowerShell shadow copy commands. +description: Hunt for Volume Shadow Copy deletion activity that indicates ransomware + preparation or anti-forensics by monitoring vssadmin, wmic, and PowerShell shadow + copy commands. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +27,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1486 --- # Hunting For Shadow Copy Deletion 
diff --git a/skills/hunting-for-spearphishing-indicators/SKILL.md b/skills/hunting-for-spearphishing-indicators/SKILL.md index a713f683..aebab0b3 100644 --- a/skills/hunting-for-spearphishing-indicators/SKILL.md +++ b/skills/hunting-for-spearphishing-indicators/SKILL.md @@ -1,7 +1,7 @@ --- name: hunting-for-spearphishing-indicators -description: Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect - targeted email attacks. +description: Hunt for spearphishing campaign indicators across email logs, endpoint + telemetry, and network data to detect targeted email attacks. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1566 --- # Hunting For Spearphishing Indicators diff --git a/skills/hunting-for-startup-folder-persistence/SKILL.md b/skills/hunting-for-startup-folder-persistence/SKILL.md index 7f3ff518..4c857a7c 100644 --- a/skills/hunting-for-startup-folder-persistence/SKILL.md +++ b/skills/hunting-for-startup-folder-persistence/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-startup-folder-persistence -description: Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation, - analyzing autoruns entries, and using Python watchdog for real-time filesystem monitoring. +description: Detect T1547.001 startup folder persistence by monitoring Windows startup + directories for suspicious file creation, analyzing autoruns entries, and using + Python watchdog for real-time filesystem monitoring. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +27,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1547 --- # Hunting for Startup Folder Persistence 
diff --git a/skills/hunting-for-supply-chain-compromise/SKILL.md b/skills/hunting-for-supply-chain-compromise/SKILL.md index 4fc2ae2c..1d7977ea 100644 --- a/skills/hunting-for-supply-chain-compromise/SKILL.md +++ b/skills/hunting-for-supply-chain-compromise/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-supply-chain-compromise -description: Hunt for supply chain compromise indicators including trojanized software updates, compromised dependencies, - unauthorized code modifications, and tampered build artifacts. +description: Hunt for supply chain compromise indicators including trojanized software + updates, compromised dependencies, unauthorized code modifications, and tampered + build artifacts. domain: cybersecurity subdomain: threat-hunting tags: @@ -25,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1195 --- # Hunting For Supply Chain Compromise diff --git a/skills/hunting-for-suspicious-scheduled-tasks/SKILL.md b/skills/hunting-for-suspicious-scheduled-tasks/SKILL.md index baa25c83..755a4f59 100644 --- a/skills/hunting-for-suspicious-scheduled-tasks/SKILL.md +++ b/skills/hunting-for-suspicious-scheduled-tasks/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-suspicious-scheduled-tasks -description: Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious - task properties, and unusual execution patterns that indicate T1053.005 abuse. +description: Hunt for adversary persistence and execution via Windows scheduled tasks + by analyzing task creation events, suspicious task properties, and unusual execution + patterns that indicate T1053.005 abuse. domain: cybersecurity subdomain: threat-hunting tags: @@ -19,6 +20,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1547 --- # Hunting for Suspicious Scheduled Tasks 
diff --git a/skills/hunting-for-t1098-account-manipulation/SKILL.md b/skills/hunting-for-t1098-account-manipulation/SKILL.md index e6e2ec68..ecd12994 100644 --- a/skills/hunting-for-t1098-account-manipulation/SKILL.md +++ b/skills/hunting-for-t1098-account-manipulation/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-t1098-account-manipulation -description: Hunt for MITRE ATT&CK T1098 account manipulation including shadow admin creation, SID history injection, group - membership changes, and credential modifications using Windows Security Event Logs. +description: Hunt for MITRE ATT&CK T1098 account manipulation including shadow admin + creation, SID history injection, group membership changes, and credential modifications + using Windows Security Event Logs. domain: cybersecurity subdomain: threat-hunting tags: @@ -25,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1003 --- # Hunting for T1098 Account Manipulation diff --git a/skills/hunting-for-unusual-network-connections/SKILL.md b/skills/hunting-for-unusual-network-connections/SKILL.md index 6f8b73f2..bb907add 100644 --- a/skills/hunting-for-unusual-network-connections/SKILL.md +++ b/skills/hunting-for-unusual-network-connections/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-unusual-network-connections -description: Hunt for unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard - ports, and anomalous connection frequencies from endpoints. +description: Hunt for unusual network connections by analyzing outbound traffic patterns, + rare destinations, non-standard ports, and anomalous connection frequencies from + endpoints. domain: cybersecurity subdomain: threat-hunting tags: @@ -25,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1071 --- # Hunting For Unusual Network Connections 
diff --git a/skills/hunting-for-unusual-service-installations/SKILL.md b/skills/hunting-for-unusual-service-installations/SKILL.md index e8dce4e2..7963128c 100644 --- a/skills/hunting-for-unusual-service-installations/SKILL.md +++ b/skills/hunting-for-unusual-service-installations/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-unusual-service-installations -description: Detect suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event - ID 7045, analyzing service binary paths, and identifying indicators of persistence mechanisms. +description: Detect suspicious Windows service installations (MITRE ATT&CK T1543.003) + by parsing System event logs for Event ID 7045, analyzing service binary paths, + and identifying indicators of persistence mechanisms. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +27,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1547 --- # Hunting for Unusual Service Installations diff --git a/skills/hunting-for-webshell-activity/SKILL.md b/skills/hunting-for-webshell-activity/SKILL.md index 1126f80e..2b607be9 100644 --- a/skills/hunting-for-webshell-activity/SKILL.md +++ b/skills/hunting-for-webshell-activity/SKILL.md @@ -1,7 +1,8 @@ --- name: hunting-for-webshell-activity -description: Hunt for web shell deployments on internet-facing servers by analyzing file creation in web directories, suspicious - process spawning from web servers, and anomalous HTTP patterns. +description: Hunt for web shell deployments on internet-facing servers by analyzing + file creation in web directories, suspicious process spawning from web servers, + and anomalous HTTP patterns. domain: cybersecurity subdomain: threat-hunting tags: @@ -26,6 +27,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1547 --- # Hunting For Webshell Activity 
diff --git a/skills/implementing-aes-encryption-for-data-at-rest/SKILL.md b/skills/implementing-aes-encryption-for-data-at-rest/SKILL.md index a4c9be21..e88ce985 100644 --- a/skills/implementing-aes-encryption-for-data-at-rest/SKILL.md +++ b/skills/implementing-aes-encryption-for-data-at-rest/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-aes-encryption-for-data-at-rest -description: AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect - classified and sensitive data. This skill covers implementing AES-256 encryption in GCM m +description: AES (Advanced Encryption Standard) is a symmetric block cipher standardized + by NIST (FIPS 197) used to protect classified and sensitive data. This skill covers + implementing AES-256 encryption in GCM m domain: cybersecurity subdomain: cryptography tags: @@ -17,6 +18,11 @@ nist_csf: - PR.DS-01 - PR.DS-02 - PR.DS-10 +mitre_attack: +- T1600 +- T1573 +- T1553 +- T1486 --- # Implementing AES Encryption for Data at Rest diff --git a/skills/implementing-alert-fatigue-reduction/SKILL.md b/skills/implementing-alert-fatigue-reduction/SKILL.md index 313d1ec3..54f91ce4 100644 --- a/skills/implementing-alert-fatigue-reduction/SKILL.md +++ b/skills/implementing-alert-fatigue-reduction/SKILL.md 
@@ -1,8 +1,10 @@ --- name: implementing-alert-fatigue-reduction -description: 'Implements strategies to reduce SOC alert fatigue by tuning detection rules, consolidating duplicate alerts, - implementing risk-based alerting, and measuring alert quality metrics to maintain analyst effectiveness and prevent critical - alert dismissal. Use when SOC teams face overwhelming alert volumes, high false positive rates, or declining analyst performance. +description: 'Implements strategies to reduce SOC alert fatigue by tuning detection + rules, consolidating duplicate alerts, implementing risk-based alerting, and measuring + alert quality metrics to maintain analyst effectiveness and prevent critical alert + dismissal. Use when SOC teams face overwhelming alert volumes, high false positive + rates, or declining analyst performance. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1685.002 +- T1685.005 +- T1566 +- T0816 --- # Implementing Alert Fatigue Reduction diff --git a/skills/implementing-anti-phishing-training-program/SKILL.md b/skills/implementing-anti-phishing-training-program/SKILL.md index bd8d38e0..bdc52274 100644 --- a/skills/implementing-anti-phishing-training-program/SKILL.md +++ b/skills/implementing-anti-phishing-training-program/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-anti-phishing-training-program -description: Security awareness training is the human layer of phishing defense. An effective anti-phishing training program - combines regular simulations, interactive learning modules, metric tracking, and positiv +description: Security awareness training is the human layer of phishing defense. An + effective anti-phishing training program combines regular simulations, interactive + learning modules, metric tracking, and positiv domain: cybersecurity subdomain: phishing-defense tags: 
@@ -20,6 +21,11 @@ nist_csf: - DE.CM-09 - RS.CO-02 - DE.AE-02 +mitre_attack: +- T1566 +- T1598 +- T1534 +- T1036 --- # Implementing Anti-Phishing Training Program diff --git a/skills/implementing-anti-ransomware-group-policy/SKILL.md b/skills/implementing-anti-ransomware-group-policy/SKILL.md index 058385ea..a5697268 100644 --- a/skills/implementing-anti-ransomware-group-policy/SKILL.md +++ b/skills/implementing-anti-ransomware-group-policy/SKILL.md @@ -1,9 +1,11 @@ --- name: implementing-anti-ransomware-group-policy -description: 'Configures Windows Group Policy Objects (GPO) to prevent ransomware execution and limit its spread. Implements - AppLocker rules, Software Restriction Policies, Controlled Folder Access, attack surface reduction rules, and network protection - settings. Activates for requests involving Windows GPO hardening against ransomware, AppLocker configuration, Controlled - Folder Access setup, or endpoint protection via Group Policy. +description: 'Configures Windows Group Policy Objects (GPO) to prevent ransomware + execution and limit its spread. Implements AppLocker rules, Software Restriction + Policies, Controlled Folder Access, attack surface reduction rules, and network + protection settings. Activates for requests involving Windows GPO hardening against + ransomware, AppLocker configuration, Controlled Folder Access setup, or endpoint + protection via Group Policy. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - RS.MA-01 - RC.RP-01 - PR.IR-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1486 +- T1490 --- # Implementing Anti-Ransomware Group Policy diff --git a/skills/implementing-api-abuse-detection-with-rate-limiting/SKILL.md b/skills/implementing-api-abuse-detection-with-rate-limiting/SKILL.md index 9748a2be..826c8435 100644 --- a/skills/implementing-api-abuse-detection-with-rate-limiting/SKILL.md +++ b/skills/implementing-api-abuse-detection-with-rate-limiting/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-api-abuse-detection-with-rate-limiting -description: Implement API abuse detection using token bucket, sliding window, and adaptive rate limiting algorithms to prevent - DDoS, brute force, and credential stuffing attacks. +description: Implement API abuse detection using token bucket, sliding window, and + adaptive rate limiting algorithms to prevent DDoS, brute force, and credential stuffing + attacks. domain: cybersecurity subdomain: api-security tags: @@ -21,6 +22,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1003 +- T1110 --- # Implementing API Abuse Detection with Rate Limiting diff --git a/skills/implementing-api-gateway-security-controls/SKILL.md b/skills/implementing-api-gateway-security-controls/SKILL.md index 180cd89e..2d4699d3 100644 --- a/skills/implementing-api-gateway-security-controls/SKILL.md +++ b/skills/implementing-api-gateway-security-controls/SKILL.md 
@@ -1,10 +1,12 @@ --- name: implementing-api-gateway-security-controls -description: 'Implements security controls at the API gateway layer including authentication enforcement, rate limiting, request - validation, IP allowlisting, TLS termination, and threat protection. The engineer configures API gateways (Kong, AWS API - Gateway, Azure APIM, Apigee) to act as a centralized security enforcement point that validates, throttles, and monitors - all API traffic before it reaches backend services. Activates for requests involving API gateway security, API management - security, gateway authentication, or centralized API protection. +description: 'Implements security controls at the API gateway layer including authentication + enforcement, rate limiting, request validation, IP allowlisting, TLS termination, + and threat protection. The engineer configures API gateways (Kong, AWS API Gateway, + Azure APIM, Apigee) to act as a centralized security enforcement point that validates, + throttles, and monitors all API traffic before it reaches backend services. Activates + for requests involving API gateway security, API management security, gateway authentication, + or centralized API protection. ' domain: cybersecurity @@ -24,6 +26,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1078.004 +- T1530 --- # Implementing API Gateway Security Controls diff --git a/skills/implementing-api-key-security-controls/SKILL.md b/skills/implementing-api-key-security-controls/SKILL.md index eb90aa02..f08ddedb 100644 --- a/skills/implementing-api-key-security-controls/SKILL.md +++ b/skills/implementing-api-key-security-controls/SKILL.md 
@@ -1,9 +1,11 @@ --- name: implementing-api-key-security-controls -description: 'Implements secure API key generation, storage, rotation, and revocation controls to protect API authentication - credentials from leakage, brute force, and abuse. The engineer designs API key formats with sufficient entropy, implements - secure hashing for storage, enforces per-key scoping and rate limiting, monitors for leaked keys in public repositories, - and builds key rotation workflows. Activates for requests involving API key management, API key security, key rotation policy, +description: 'Implements secure API key generation, storage, rotation, and revocation + controls to protect API authentication credentials from leakage, brute force, and + abuse. The engineer designs API key formats with sufficient entropy, implements + secure hashing for storage, enforces per-key scoping and rate limiting, monitors + for leaked keys in public repositories, and builds key rotation workflows. Activates + for requests involving API key management, API key security, key rotation policy, or API credential protection. ' @@ -31,6 +33,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1003 +- T1110 --- # Implementing API Key Security Controls diff --git a/skills/implementing-api-rate-limiting-and-throttling/SKILL.md b/skills/implementing-api-rate-limiting-and-throttling/SKILL.md index 26e40be7..b097555c 100644 --- a/skills/implementing-api-rate-limiting-and-throttling/SKILL.md +++ b/skills/implementing-api-rate-limiting-and-throttling/SKILL.md 
@@ -1,9 +1,11 @@ --- name: implementing-api-rate-limiting-and-throttling -description: 'Implements API rate limiting and throttling controls using token bucket, sliding window, and fixed window algorithms - to protect against brute force attacks, credential stuffing, resource exhaustion, and API abuse. The engineer configures - per-user, per-IP, and per-endpoint rate limits using Redis-backed counters, API gateway plugins, or application middleware, - and implements proper HTTP 429 responses with Retry-After headers. Activates for requests involving rate limiting implementation, +description: 'Implements API rate limiting and throttling controls using token bucket, + sliding window, and fixed window algorithms to protect against brute force attacks, + credential stuffing, resource exhaustion, and API abuse. The engineer configures + per-user, per-IP, and per-endpoint rate limits using Redis-backed counters, API + gateway plugins, or application middleware, and implements proper HTTP 429 responses + with Retry-After headers. Activates for requests involving rate limiting implementation, API throttling setup, request quota management, or API abuse prevention. ' @@ -24,6 +26,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1003 +- T1110 --- # Implementing API Rate Limiting and Throttling diff --git a/skills/implementing-api-schema-validation-security/SKILL.md b/skills/implementing-api-schema-validation-security/SKILL.md index 3bbf02ba..74ed5e03 100644 --- a/skills/implementing-api-schema-validation-security/SKILL.md +++ b/skills/implementing-api-schema-validation-security/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-api-schema-validation-security -description: Implement API schema validation using OpenAPI specifications and JSON Schema to enforce input/output contracts - and prevent injection, data exposure, and mass assignment attacks. +description: Implement API schema validation using OpenAPI specifications and JSON + Schema to enforce input/output contracts and prevent injection, data exposure, and + mass assignment attacks. domain: cybersecurity subdomain: api-security tags: @@ -21,6 +22,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1055 +- T1059 --- # Implementing API Schema Validation Security diff --git a/skills/implementing-api-security-posture-management/SKILL.md b/skills/implementing-api-security-posture-management/SKILL.md index a7000ab3..ac5545d3 100644 --- a/skills/implementing-api-security-posture-management/SKILL.md +++ b/skills/implementing-api-security-posture-management/SKILL.md @@ -1,7 +1,7 @@ --- name: implementing-api-security-posture-management -description: Implement API Security Posture Management to continuously discover, classify, and score APIs based on risk while - enforcing security policies across the API lifecycle. +description: Implement API Security Posture Management to continuously discover, classify, + and score APIs based on risk while enforcing security policies across the API lifecycle. domain: cybersecurity subdomain: api-security tags: @@ -21,6 +21,10 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 --- # Implementing API Security Posture Management diff --git a/skills/implementing-api-security-testing-with-42crunch/SKILL.md b/skills/implementing-api-security-testing-with-42crunch/SKILL.md index fe76dd48..76095ef6 100644 --- a/skills/implementing-api-security-testing-with-42crunch/SKILL.md +++ b/skills/implementing-api-security-testing-with-42crunch/SKILL.md 
@@ -1,7 +1,7 @@ --- name: implementing-api-security-testing-with-42crunch -description: Implement comprehensive API security testing using the 42Crunch platform to perform static audit and dynamic - conformance scanning of OpenAPI specifications. +description: Implement comprehensive API security testing using the 42Crunch platform + to perform static audit and dynamic conformance scanning of OpenAPI specifications. domain: cybersecurity subdomain: api-security tags: @@ -22,6 +22,10 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 --- # Implementing API Security Testing with 42Crunch diff --git a/skills/implementing-api-threat-protection-with-apigee/SKILL.md b/skills/implementing-api-threat-protection-with-apigee/SKILL.md index 5fb81178..3d98c967 100644 --- a/skills/implementing-api-threat-protection-with-apigee/SKILL.md +++ b/skills/implementing-api-threat-protection-with-apigee/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-api-threat-protection-with-apigee -description: Implement API threat protection using Google Apigee policies including JSON/XML threat protection, OAuth 2.0, - SpikeArrest, and Advanced API Security for OWASP Top 10 defense. +description: Implement API threat protection using Google Apigee policies including + JSON/XML threat protection, OAuth 2.0, SpikeArrest, and Advanced API Security for + OWASP Top 10 defense. domain: cybersecurity subdomain: api-security tags: @@ -22,6 +23,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1078.004 +- T1530 --- # Implementing API Threat Protection with Apigee diff --git a/skills/implementing-application-whitelisting-with-applocker/SKILL.md b/skills/implementing-application-whitelisting-with-applocker/SKILL.md index 203c9130..6a4eef24 100644 --- a/skills/implementing-application-whitelisting-with-applocker/SKILL.md +++ b/skills/implementing-application-whitelisting-with-applocker/SKILL.md 
@@ -1,9 +1,11 @@ --- name: implementing-application-whitelisting-with-applocker -description: 'Implements application whitelisting using Windows AppLocker to restrict unauthorized software execution on endpoints, - reducing attack surface from malware, unauthorized tools, and shadow IT. Use when enforcing application control policies, - meeting compliance requirements for software restriction, or preventing execution of unsigned or untrusted binaries. Activates - for requests involving AppLocker, application whitelisting, software restriction, or executable control. +description: 'Implements application whitelisting using Windows AppLocker to restrict + unauthorized software execution on endpoints, reducing attack surface from malware, + unauthorized tools, and shadow IT. Use when enforcing application control policies, + meeting compliance requirements for software restriction, or preventing execution + of unsigned or untrusted binaries. Activates for requests involving AppLocker, application + whitelisting, software restriction, or executable control. ' domain: cybersecurity @@ -22,6 +24,12 @@ nist_csf: - PR.PS-02 - DE.CM-01 - PR.IR-01 +mitre_attack: +- T1055 +- T1547 +- T1059 +- T1036 +- T1027 --- # Implementing Application Whitelisting with AppLocker diff --git a/skills/implementing-aqua-security-for-container-scanning/SKILL.md b/skills/implementing-aqua-security-for-container-scanning/SKILL.md index 941ba882..d3bb9a69 100644 --- a/skills/implementing-aqua-security-for-container-scanning/SKILL.md +++ b/skills/implementing-aqua-security-for-container-scanning/SKILL.md 
@@ -1,7 +1,7 @@ --- name: implementing-aqua-security-for-container-scanning -description: Deploy Aqua Security's Trivy scanner to detect vulnerabilities, misconfigurations, secrets, and license issues - in container images across CI/CD pipelines and registries. +description: Deploy Aqua Security's Trivy scanner to detect vulnerabilities, misconfigurations, + secrets, and license issues in container images across CI/CD pipelines and registries. domain: cybersecurity subdomain: devsecops tags: @@ -20,6 +20,12 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195 +- T1554 +- T1059.004 +- T1610 +- T1611 --- # Implementing Aqua Security for Container Scanning diff --git a/skills/implementing-attack-path-analysis-with-xm-cyber/SKILL.md b/skills/implementing-attack-path-analysis-with-xm-cyber/SKILL.md index df1e5ac1..b09873e7 100644 --- a/skills/implementing-attack-path-analysis-with-xm-cyber/SKILL.md +++ b/skills/implementing-attack-path-analysis-with-xm-cyber/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-attack-path-analysis-with-xm-cyber -description: Deploy XM Cyber's continuous exposure management platform to map attack paths, identify choke points, and prioritize - the 2% of exposures that threaten critical assets. +description: Deploy XM Cyber's continuous exposure management platform to map attack + paths, identify choke points, and prioritize the 2% of exposures that threaten critical + assets. domain: cybersecurity subdomain: vulnerability-management tags: @@ -20,6 +21,10 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 --- # Implementing Attack Path Analysis with XM Cyber diff --git a/skills/implementing-attack-surface-management/SKILL.md b/skills/implementing-attack-surface-management/SKILL.md index 2a0db0c5..c10dc16c 100644 --- a/skills/implementing-attack-surface-management/SKILL.md +++ b/skills/implementing-attack-surface-management/SKILL.md 
@@ -1,9 +1,11 @@ --- name: implementing-attack-surface-management -description: 'Implements external attack surface management (EASM) using Shodan, Censys, and ProjectDiscovery tools (subfinder, - httpx, nuclei) for asset discovery, subdomain enumeration, service fingerprinting, and exposure scoring. Includes a weighted - risk scoring algorithm based on OWASP attack surface analysis methodology and the Relative Attack Surface Quotient (RSQ). - Use when building continuous ASM programs or performing external reconnaissance for security assessments. +description: 'Implements external attack surface management (EASM) using Shodan, Censys, + and ProjectDiscovery tools (subfinder, httpx, nuclei) for asset discovery, subdomain + enumeration, service fingerprinting, and exposure scoring. Includes a weighted risk + scoring algorithm based on OWASP attack surface analysis methodology and the Relative + Attack Surface Quotient (RSQ). Use when building continuous ASM programs or performing + external reconnaissance for security assessments. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1595 +- T1592 --- # Implementing Attack Surface Management diff --git a/skills/implementing-attack-surface-management/references/api-reference.md b/skills/implementing-attack-surface-management/references/api-reference.md new file mode 100644 index 00000000..fec8a100 --- /dev/null +++ b/skills/implementing-attack-surface-management/references/api-reference.md 
@@ -0,0 +1,197 @@ +# Attack Surface Management Tooling API Reference + +This skill combines several external attack-surface tools. This reference documents the APIs/SDKs/CLIs for each: **Shodan**, **Censys**, and the **ProjectDiscovery** suite (`subfinder`, `httpx`, `nuclei`). + +--- + +## 1. Shodan + +### Authentication +Single API key, passed to the SDK constructor or `key` query parameter. Get it from the account page (https://account.shodan.io). The key encodes your plan and query credits. + +```python +import shodan +api = shodan.Shodan("YOUR_SHODAN_API_KEY") +``` +REST base URL: `https://api.shodan.io`. Key is sent as `?key=YOUR_KEY`. + +### Key Methods / Endpoints +| SDK method | REST endpoint | Description | Parameters | +|---|---|---|---| +| `api.host(ip)` | `GET /shodan/host/{ip}` | All services/banners for one IP | `ip`, `history`, `minify` | +| `api.search(query)` | `GET /shodan/host/search` | Search the banner index | `query`, `page`, `facets`, `minify` | +| `api.count(query)` | `GET /shodan/host/count` | Result count + facets, **no query credits** | `query`, `facets` | +| `api.search_cursor(query)` | — | Generator that auto-paginates all results | `query`, `minify` | +| `api.scan(ips)` | `POST /shodan/scan` | Request on-demand scan of IPs/netblocks | `ips` | +| `api.dns.resolve(hosts)` | `GET /dns/resolve` | Hostname → IP | `hostnames` | +| `api.dns.reverse(ips)` | `GET /dns/reverse` | IP → hostname | `ips` | +| `api.info()` | `GET /api-info` | Remaining query/scan credits, plan | — | +| `api.exploits.search(q)` | (Exploits API) | Search Exploit DB / CVE / Metasploit | `query`, `facets` | + +Search filters used in `query`: `org:`, `hostname:`, `net:`, `port:`, `ssl.cert.subject.cn:`, `ssl:`, `product:`, `vuln:`, `country:`, `http.title:`. 
+ +### Python SDK +```python +# pip install shodan +import shodan +api = shodan.Shodan("YOUR_SHODAN_API_KEY") + +# Cheap count first (no query credit consumed) +print(api.count('org:"Example Corp"')["total"]) + +# Full search with vuln extraction +for svc in api.search('org:"Example Corp"')["matches"]: + print(svc["ip_str"], svc["port"], svc.get("product")) + for cve in svc.get("vulns", []): + print(" ", cve) + +# Per-host deep lookup +host = api.host("93.184.216.34") +print(host["ports"], host.get("vulns", [])) +``` + +### Common Response Fields +`matches[]` items: `ip_str`, `port`, `transport`, `product`, `version`, `hostnames`, `org`, `isp`, `location` (`country_code`, `city`), `data` (raw banner), `vulns` (list of CVE IDs), `ssl`, `http`, `timestamp`. + +### Rate Limits +- **1 request/second** is the hard REST API rate limit across the account (the SDK paces `search_cursor`). +- **Query credits**: 1 query credit is deducted per 100 results/pages of search (or per page of domain info). Every credit yields up to 100 results. **IP lookups (`host()`) and `count()` do NOT consume query credits.** Shodan Membership = 100 query credits/month; paid API plans range from 10,000 up to unlimited. Credits reset at the start of each month. +- **Scan credits**: separate monthly budget consumed by `api.scan()` — 1 scan credit per host requested. + +### Error Codes +`401` invalid API key · `403` access denied / plan lacks feature · `429` rate-limit or out of credits · `404` IP not found in index. SDK raises `shodan.APIError` with the message. + +### Resources +- API docs: https://developer.shodan.io/api +- Python lib: https://shodan.readthedocs.io +- Search filters: https://www.shodan.io/search/filters + +--- + +## 2. Censys (Platform API) + +### Authentication +Censys Platform uses a **Personal Access Token (PAT)** plus an **Organization ID** (the legacy Search API used an API ID + Secret with HTTP Basic auth). 
Configure via env vars `CENSYS_API_ID` / `CENSYS_API_SECRET` (legacy) or the Platform token. Credentials from https://platform.censys.io. + +```python +from censys.search import CensysHosts # legacy search SDK +hosts = CensysHosts() # reads CENSYS_API_ID / CENSYS_API_SECRET from env +``` + +### Key Methods / Endpoints +| SDK | Description | Parameters | +|---|---|---| +| `CensysHosts().search(query)` | Search the hosts dataset (returns a paginated query object) | `query`, `per_page`, `pages`, `fields`, `sort` | +| `CensysHosts().view(ip)` | Full record for one host | `ip`, `at_time` | +| `CensysHosts().aggregate(query, field)` | Faceted aggregation/report | `query`, `field`, `num_buckets` | +| `CensysCerts().search(query)` | Search the certificates dataset | `query`, `per_page`, `pages` | +| `CensysCerts().view(fingerprint)` | Full cert record | `fingerprint` (SHA-256) | + +Query language (Censys Query Language / CenQL) examples: `services.tls.certificates.leaf_data.subject.common_name: example.com`, `services.port: 443`, `services.service_name: HTTP`, `location.country: "United States"`. + +### Python SDK +```python +# pip install censys +from censys.search import CensysHosts, CensysCerts + +hosts = CensysHosts() +for page in hosts.search( + "services.tls.certificates.leaf_data.subject.common_name: example.com", + per_page=100, pages=2): + for host in page: + print(host["ip"]) + for s in host.get("services", []): + print(" ", s["port"], s.get("service_name")) + +certs = CensysCerts() +for page in certs.search("parsed.names: example.com"): + for c in page: + print(c["fingerprint_sha256"]) +``` + +### Common Response Fields +Host: `ip`, `services[]` (`port`, `service_name`, `transport_protocol`, `software`, `tls`), `location`, `autonomous_system`, `dns`, `operating_system`. +Cert: `fingerprint_sha256`, `parsed.names`, `parsed.subject`, `parsed.issuer`, `parsed.validity`. + +### Rate Limits +Tiered by plan. 
Free/community tier is limited (low queries/month and a modest requests-per-second cap); paid Platform tiers raise both. `429 Too Many Requests` when exceeded — the SDK backs off and retries. + +### Error Codes +`401` bad credentials · `403` plan restriction · `404` not found · `422` malformed query · `429` rate limit. + +### Resources +- Platform docs: https://docs.censys.com/ +- Python SDK: https://censys-python.readthedocs.io +- CenQL reference: https://docs.censys.com/docs/censys-query-language + +--- + +## 3. ProjectDiscovery Suite (CLI tools) + +These are Go CLI tools, not REST APIs. They read stdin / files and write JSON. (ProjectDiscovery Cloud / `pdcp` offers a hosted API with an `PDCP_API_KEY`, but the core engines run locally and need no key.) + +### Installation +```bash +go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest +go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest +go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest +``` + +### subfinder — passive subdomain enumeration +| Flag | Purpose | +|---|---| +| `-d ` | Target domain | +| `-dL ` | List of domains | +| `-all` | Use all sources (some need API keys in `~/.config/subfinder/provider-config.yaml`) | +| `-recursive` | Recursive enumeration | +| `-o ` / `-oJ` | Output file / JSON lines | +| `-silent` | Only output subdomains | +Provider keys (Shodan, Censys, VirusTotal, SecurityTrails, etc.) go in the provider config to expand passive sources. 
+ +### httpx — HTTP probing / fingerprinting +| Flag | Purpose | +|---|---| +| `-sc` | Status code | +| `-cl` | Content length | +| `-ct` | Content type | +| `-title` | Page title | +| `-tech-detect` | Wappalyzer tech fingerprint | +| `-favicon` / `-hash sha256` | Favicon hash / body hash | +| `-jarm` | JARM TLS fingerprint | +| `-cdn` / `-cname` | CDN + CNAME detection | +| `-json` / `-o` | JSON output / file | +| `-rl ` | Rate limit (requests/sec) | + +### nuclei — template-based vulnerability scanning +| Flag | Purpose | +|---|---| +| `-u ` / `-l ` | Target(s) | +| `-t ` | Specific template(s) | +| `-tags ` | Filter by tag (`cve,misconfig,exposure,panel`) | +| `-severity ` | `critical,high,medium,low,info` | +| `-ut` / `-update-templates` | Update the template store | +| `-rl ` / `-c ` | Rate limit / concurrency | +| `-o` / `-json` / `-jsonl` | Output | + +### Pipeline example +```bash +subfinder -d example.com -all -silent \ + | httpx -silent -tech-detect -json -o live.json +cat live.json | jq -r '.url' \ + | nuclei -severity critical,high -tags cve,exposure -jsonl -o findings.jsonl +``` + +### Rate Limits +No vendor-imposed API rate limit for local execution — you control load with `-rl` (requests/sec) and `-c` (concurrency). Respect target scope/authorization and any provider key limits (Shodan 1 req/s, Censys/SecurityTrails monthly quotas) consumed via subfinder's passive sources. + +### Resources +- subfinder: https://github.com/projectdiscovery/subfinder +- httpx: https://github.com/projectdiscovery/httpx +- nuclei: https://github.com/projectdiscovery/nuclei +- nuclei templates: https://github.com/projectdiscovery/nuclei-templates +- ProjectDiscovery docs: https://docs.projectdiscovery.io/ + +--- + +## Scoring Methodology Note +The skill's exposure score derives from OWASP Attack Surface Analysis and the Relative Attack Surface Quotient (RSQ), weighting open management ports, CVSS-scored known vulns, software age, internet exposure, and data sensitivity. 
None of these scoring inputs require an external API beyond the discovery data gathered above (Shodan `vulns`, nuclei CVE matches, httpx tech-detect). diff --git a/skills/implementing-aws-config-rules-for-compliance/SKILL.md b/skills/implementing-aws-config-rules-for-compliance/SKILL.md index fe256b44..c1f025e9 100644 --- a/skills/implementing-aws-config-rules-for-compliance/SKILL.md +++ b/skills/implementing-aws-config-rules-for-compliance/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-aws-config-rules-for-compliance -description: 'Implementing AWS Config rules for continuous compliance monitoring of AWS resources, deploying managed and custom - rules aligned to CIS and PCI DSS frameworks, configuring automatic remediation with SSM Automation, and aggregating compliance +description: 'Implementing AWS Config rules for continuous compliance monitoring of + AWS resources, deploying managed and custom rules aligned to CIS and PCI DSS frameworks, + configuring automatic remediation with SSM Automation, and aggregating compliance data across accounts. ' @@ -22,6 +23,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 --- # Implementing AWS Config Rules for Compliance diff --git a/skills/implementing-aws-iam-permission-boundaries/SKILL.md b/skills/implementing-aws-iam-permission-boundaries/SKILL.md index 3063cb92..5d6f69cd 100644 --- a/skills/implementing-aws-iam-permission-boundaries/SKILL.md +++ b/skills/implementing-aws-iam-permission-boundaries/SKILL.md @@ -1,7 +1,7 @@ --- name: implementing-aws-iam-permission-boundaries -description: Configure IAM permission boundaries in AWS to delegate role creation to developers while enforcing maximum privilege - limits set by the security team. +description: Configure IAM permission boundaries in AWS to delegate role creation + to developers while enforcing maximum privilege limits set by the security team. domain: cybersecurity subdomain: identity-access-management tags: 
@@ -19,6 +19,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 +- T1078.004 --- # Implementing AWS IAM Permission Boundaries diff --git a/skills/implementing-aws-macie-for-data-classification/SKILL.md b/skills/implementing-aws-macie-for-data-classification/SKILL.md index 7236194a..2be30af1 100644 --- a/skills/implementing-aws-macie-for-data-classification/SKILL.md +++ b/skills/implementing-aws-macie-for-data-classification/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-aws-macie-for-data-classification -description: Implement Amazon Macie to automatically discover, classify, and protect sensitive data in S3 buckets using machine - learning and pattern matching for PII, financial data, and credentials detection. +description: Implement Amazon Macie to automatically discover, classify, and protect + sensitive data in S3 buckets using machine learning and pattern matching for PII, + financial data, and credentials detection. domain: cybersecurity subdomain: cloud-security tags: @@ -30,6 +31,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1003 --- # Implementing AWS Macie for Data Classification diff --git a/skills/implementing-aws-nitro-enclave-security/SKILL.md b/skills/implementing-aws-nitro-enclave-security/SKILL.md index 616e576f..ec3da200 100644 --- a/skills/implementing-aws-nitro-enclave-security/SKILL.md +++ b/skills/implementing-aws-nitro-enclave-security/SKILL.md 
@@ -1,11 +1,13 @@ --- name: implementing-aws-nitro-enclave-security -description: 'Implements AWS Nitro Enclave-based confidential computing environments with cryptographic attestation, KMS policy - integration using PCR-based condition keys, and secure vsock communication channels. The practitioner builds enclave images, - configures attestation-aware KMS policies, validates attestation documents against the AWS Nitro PKI root of trust, and - establishes isolated computation pipelines for processing sensitive data such as PII, cryptographic keys, and healthcare - records. Activates for requests involving Nitro Enclave setup, enclave attestation validation, confidential computing on - AWS, or KMS enclave policy configuration. +description: 'Implements AWS Nitro Enclave-based confidential computing environments + with cryptographic attestation, KMS policy integration using PCR-based condition + keys, and secure vsock communication channels. The practitioner builds enclave images, + configures attestation-aware KMS policies, validates attestation documents against + the AWS Nitro PKI root of trust, and establishes isolated computation pipelines + for processing sensitive data such as PII, cryptographic keys, and healthcare records. + Activates for requests involving Nitro Enclave setup, enclave attestation validation, + confidential computing on AWS, or KMS enclave policy configuration. ' domain: cybersecurity @@ -26,6 +28,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T0816 --- # Implementing AWS Nitro Enclave Security diff --git a/skills/implementing-aws-security-hub-compliance/SKILL.md b/skills/implementing-aws-security-hub-compliance/SKILL.md index 680974d7..f773999b 100644 --- a/skills/implementing-aws-security-hub-compliance/SKILL.md +++ b/skills/implementing-aws-security-hub-compliance/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-aws-security-hub-compliance -description: 'Implementing AWS Security Hub to aggregate security findings across AWS accounts, enable compliance standards - like CIS AWS Foundations and PCI DSS, configure automated remediation with EventBridge and Lambda, and create custom security +description: 'Implementing AWS Security Hub to aggregate security findings across + AWS accounts, enable compliance standards like CIS AWS Foundations and PCI DSS, + configure automated remediation with EventBridge and Lambda, and create custom security insights for organizational risk management. ' @@ -22,6 +23,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 --- # Implementing AWS Security Hub Compliance diff --git a/skills/implementing-aws-security-hub/SKILL.md b/skills/implementing-aws-security-hub/SKILL.md index 01e2e7f1..46d90ae6 100644 --- a/skills/implementing-aws-security-hub/SKILL.md +++ b/skills/implementing-aws-security-hub/SKILL.md @@ -1,9 +1,10 @@ --- name: implementing-aws-security-hub -description: 'This skill covers deploying AWS Security Hub as a centralized cloud security posture management platform that - aggregates findings from GuardDuty, Inspector, Macie, and third-party tools. It details enabling security standards like - CIS AWS Foundations Benchmark, configuring automated remediation, and building executive dashboards for compliance tracking - across multi-account AWS organizations. +description: 'This skill covers deploying AWS Security Hub as a centralized cloud + security posture management platform that aggregates findings from GuardDuty, Inspector, + Macie, and third-party tools. It details enabling security standards like CIS AWS + Foundations Benchmark, configuring automated remediation, and building executive + dashboards for compliance tracking across multi-account AWS organizations. ' domain: cybersecurity 
@@ -22,6 +23,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 --- # Implementing AWS Security Hub diff --git a/skills/implementing-azure-ad-privileged-identity-management/SKILL.md b/skills/implementing-azure-ad-privileged-identity-management/SKILL.md index 1b6f6b61..f3376b46 100644 --- a/skills/implementing-azure-ad-privileged-identity-management/SKILL.md +++ b/skills/implementing-azure-ad-privileged-identity-management/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-azure-ad-privileged-identity-management -description: Configure Microsoft Entra Privileged Identity Management to enforce just-in-time role activation, approval workflows, - and access reviews for Azure AD privileged roles. +description: Configure Microsoft Entra Privileged Identity Management to enforce just-in-time + role activation, approval workflows, and access reviews for Azure AD privileged + roles. domain: cybersecurity subdomain: identity-access-management tags: @@ -20,6 +21,11 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 --- # Implementing Azure AD Privileged Identity Management diff --git a/skills/implementing-azure-defender-for-cloud/SKILL.md b/skills/implementing-azure-defender-for-cloud/SKILL.md index 5fe6fbde..360d65de 100644 --- a/skills/implementing-azure-defender-for-cloud/SKILL.md +++ b/skills/implementing-azure-defender-for-cloud/SKILL.md 
@@ -1,8 +1,9 @@ --- name: implementing-azure-defender-for-cloud -description: 'Implementing Microsoft Defender for Cloud to enable cloud security posture management, workload protection across - VMs, containers, databases, and storage, configure security recommendations, and set up adaptive security controls with - automated remediation. +description: 'Implementing Microsoft Defender for Cloud to enable cloud security posture + management, workload protection across VMs, containers, databases, and storage, + configure security recommendations, and set up adaptive security controls with automated + remediation. ' domain: cybersecurity @@ -30,6 +31,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1610 --- # Implementing Azure Defender for Cloud diff --git a/skills/implementing-beyondcorp-zero-trust-access-model/SKILL.md b/skills/implementing-beyondcorp-zero-trust-access-model/SKILL.md index c89c0a95..c4c746f4 100644 --- a/skills/implementing-beyondcorp-zero-trust-access-model/SKILL.md +++ b/skills/implementing-beyondcorp-zero-trust-access-model/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-beyondcorp-zero-trust-access-model -description: 'Implementing Google''s BeyondCorp zero trust access model to eliminate implicit trust from the network perimeter, - enforce identity-aware access controls using IAP, Access Context Manager, and Chrome Enterprise Premium for VPN-less secure +description: 'Implementing Google''s BeyondCorp zero trust access model to eliminate + implicit trust from the network perimeter, enforce identity-aware access controls + using IAP, Access Context Manager, and Chrome Enterprise Premium for VPN-less secure application access. ' @@ -23,6 +24,12 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1078.004 +- T1530 --- # Implementing BeyondCorp Zero Trust Access Model 
diff --git a/skills/implementing-bgp-security-with-rpki/SKILL.md b/skills/implementing-bgp-security-with-rpki/SKILL.md index 131cbb3e..caac9ca5 100644 --- a/skills/implementing-bgp-security-with-rpki/SKILL.md +++ b/skills/implementing-bgp-security-with-rpki/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-bgp-security-with-rpki -description: Implement BGP route origin validation using RPKI with Route Origin Authorizations, RPKI-to-Router protocol, and - ROV policies on Cisco and Juniper routers to prevent route hijacking. +description: Implement BGP route origin validation using RPKI with Route Origin Authorizations, + RPKI-to-Router protocol, and ROV policies on Cisco and Juniper routers to prevent + route hijacking. domain: cybersecurity subdomain: network-security tags: @@ -22,6 +23,11 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 --- # Implementing BGP Security with RPKI diff --git a/skills/implementing-browser-isolation-for-zero-trust/SKILL.md b/skills/implementing-browser-isolation-for-zero-trust/SKILL.md index f1ce2157..4ed46c2e 100644 --- a/skills/implementing-browser-isolation-for-zero-trust/SKILL.md +++ b/skills/implementing-browser-isolation-for-zero-trust/SKILL.md 
@@ -1,10 +1,12 @@ --- name: implementing-browser-isolation-for-zero-trust -description: 'Deploys remote browser isolation (RBI) as a core component of a Zero Trust architecture. Implements isolation - policies with URL categorization and risk-based routing, content disarming and reconstruction (CDR) for file sanitization, - data loss prevention controls within isolated sessions, and integration with Secure Web Gateway and ZTNA platforms. Based - on Cloudflare Browser Isolation, Menlo Security, and Zscaler RBI approaches. Use when hardening web access against zero-day - exploits, phishing, credential theft, and browser-based data exfiltration. +description: 'Deploys remote browser isolation (RBI) as a core component of a Zero + Trust architecture. Implements isolation policies with URL categorization and risk-based + routing, content disarming and reconstruction (CDR) for file sanitization, data + loss prevention controls within isolated sessions, and integration with Secure Web + Gateway and ZTNA platforms. Based on Cloudflare Browser Isolation, Menlo Security, + and Zscaler RBI approaches. Use when hardening web access against zero-day exploits, + phishing, credential theft, and browser-based data exfiltration. ' domain: cybersecurity @@ -25,6 +27,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1003 --- # Implementing Browser Isolation for Zero Trust diff --git a/skills/implementing-canary-tokens-for-network-intrusion/SKILL.md b/skills/implementing-canary-tokens-for-network-intrusion/SKILL.md index bf937c9f..00ba580d 100644 --- a/skills/implementing-canary-tokens-for-network-intrusion/SKILL.md +++ b/skills/implementing-canary-tokens-for-network-intrusion/SKILL.md 
@@ -1,9 +1,11 @@ --- name: implementing-canary-tokens-for-network-intrusion -description: 'Deploys DNS, HTTP, and AWS API key canary tokens across network infrastructure to detect unauthorized access - and lateral movement. Integrates with webhook alerting (Slack, Teams, email, generic HTTP) for real-time intrusion notifications. - Provides automated token generation, placement strategies, and monitoring for enterprise network environments. Use when - building deception-based network intrusion detection with Canarytokens.org and Thinkst Canary platforms. +description: 'Deploys DNS, HTTP, and AWS API key canary tokens across network infrastructure + to detect unauthorized access and lateral movement. Integrates with webhook alerting + (Slack, Teams, email, generic HTTP) for real-time intrusion notifications. Provides + automated token generation, placement strategies, and monitoring for enterprise + network environments. Use when building deception-based network intrusion detection + with Canarytokens.org and Thinkst Canary platforms. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1021 +- T1550 --- # Implementing Canary Tokens for Network Intrusion Detection diff --git a/skills/implementing-cisa-zero-trust-maturity-model/SKILL.md b/skills/implementing-cisa-zero-trust-maturity-model/SKILL.md index 550a606a..a537680d 100644 --- a/skills/implementing-cisa-zero-trust-maturity-model/SKILL.md +++ b/skills/implementing-cisa-zero-trust-maturity-model/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-cisa-zero-trust-maturity-model -description: Implement the CISA Zero Trust Maturity Model v2.0 across the five pillars of identity, devices, networks, applications, - and data to achieve progressive organizational zero trust maturity. +description: Implement the CISA Zero Trust Maturity Model v2.0 across the five pillars + of identity, devices, networks, applications, and data to achieve progressive organizational + zero trust maturity. domain: cybersecurity subdomain: zero-trust-architecture tags: @@ -30,6 +31,10 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1078 +- T1190 +- T1059 --- # Implementing CISA Zero Trust Maturity Model diff --git a/skills/implementing-cloud-dlp-for-data-protection/SKILL.md b/skills/implementing-cloud-dlp-for-data-protection/SKILL.md index c29c2ec5..934a46d0 100644 --- a/skills/implementing-cloud-dlp-for-data-protection/SKILL.md +++ b/skills/implementing-cloud-dlp-for-data-protection/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-cloud-dlp-for-data-protection -description: 'Implementing Cloud Data Loss Prevention (DLP) using Amazon Macie, Azure Information Protection, and Google Cloud - DLP API to discover, classify, and protect sensitive data across cloud storage, databases, and data pipelines. +description: 'Implementing Cloud Data Loss Prevention (DLP) using Amazon Macie, Azure + Information Protection, and Google Cloud DLP API to discover, classify, and protect + sensitive data across cloud storage, databases, and data pipelines. ' domain: cybersecurity @@ -31,6 +32,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 --- # Implementing Cloud DLP for Data Protection diff --git a/skills/implementing-cloud-security-posture-management/SKILL.md b/skills/implementing-cloud-security-posture-management/SKILL.md index a1b29d76..33420976 100644 --- a/skills/implementing-cloud-security-posture-management/SKILL.md 
+++ b/skills/implementing-cloud-security-posture-management/SKILL.md @@ -1,8 +1,9 @@ --- name: implementing-cloud-security-posture-management -description: 'Implementing Cloud Security Posture Management (CSPM) to continuously monitor multi-cloud environments for misconfigurations, - compliance violations, and security risks using Prowler, ScoutSuite, AWS Security Hub, Azure Defender, and GCP Security - Command Center. +description: 'Implementing Cloud Security Posture Management (CSPM) to continuously + monitor multi-cloud environments for misconfigurations, compliance violations, and + security risks using Prowler, ScoutSuite, AWS Security Hub, Azure Defender, and + GCP Security Command Center. ' domain: cybersecurity @@ -22,6 +23,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 --- # Implementing Cloud Security Posture Management diff --git a/skills/implementing-cloud-trail-log-analysis/SKILL.md b/skills/implementing-cloud-trail-log-analysis/SKILL.md index fbfc2d86..834b2d74 100644 --- a/skills/implementing-cloud-trail-log-analysis/SKILL.md +++ b/skills/implementing-cloud-trail-log-analysis/SKILL.md @@ -1,8 +1,9 @@ --- name: implementing-cloud-trail-log-analysis -description: 'Implementing AWS CloudTrail log analysis for security monitoring, threat detection, and forensic investigation - using Athena, CloudWatch Logs Insights, and SIEM integration to identify unauthorized access, privilege escalation, and - suspicious API activity. +description: 'Implementing AWS CloudTrail log analysis for security monitoring, threat + detection, and forensic investigation using Athena, CloudWatch Logs Insights, and + SIEM integration to identify unauthorized access, privilege escalation, and suspicious + API activity. ' domain: cybersecurity @@ -22,6 +23,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1068 --- # Implementing CloudTrail Log Analysis 
diff --git a/skills/implementing-cloud-vulnerability-posture-management/SKILL.md b/skills/implementing-cloud-vulnerability-posture-management/SKILL.md index d8df1b0b..3c088115 100644 --- a/skills/implementing-cloud-vulnerability-posture-management/SKILL.md +++ b/skills/implementing-cloud-vulnerability-posture-management/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-cloud-vulnerability-posture-management -description: Implement Cloud Security Posture Management using AWS Security Hub, Azure Defender for Cloud, and open-source - tools like Prowler and ScoutSuite for multi-cloud vulnerability detection. +description: Implement Cloud Security Posture Management using AWS Security Hub, Azure + Defender for Cloud, and open-source tools like Prowler and ScoutSuite for multi-cloud + vulnerability detection. domain: cybersecurity subdomain: vulnerability-management tags: @@ -21,6 +22,12 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 +- T1078.004 +- T1530 --- # Implementing Cloud Vulnerability Posture Management diff --git a/skills/implementing-cloud-waf-rules/SKILL.md b/skills/implementing-cloud-waf-rules/SKILL.md index 563becc7..eb499626 100644 --- a/skills/implementing-cloud-waf-rules/SKILL.md +++ b/skills/implementing-cloud-waf-rules/SKILL.md 
@@ -1,9 +1,10 @@ --- name: implementing-cloud-waf-rules -description: 'This skill covers deploying and tuning Web Application Firewall rules on AWS WAF, Azure WAF, and Cloudflare - to protect cloud-hosted applications against OWASP Top 10 attacks. It details configuring managed rule sets, creating custom - rules for business logic protection, implementing rate limiting, deploying bot management, and reducing false positives - through rule tuning and logging analysis. +description: 'This skill covers deploying and tuning Web Application Firewall rules + on AWS WAF, Azure WAF, and Cloudflare to protect cloud-hosted applications against + OWASP Top 10 attacks. It details configuring managed rule sets, creating custom + rules for business logic protection, implementing rate limiting, deploying bot management, + and reducing false positives through rule tuning and logging analysis. ' domain: cybersecurity @@ -23,6 +24,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T0816 --- # Implementing Cloud WAF Rules diff --git a/skills/implementing-cloud-workload-protection/SKILL.md b/skills/implementing-cloud-workload-protection/SKILL.md index 9e1ddbcb..82596436 100644 --- a/skills/implementing-cloud-workload-protection/SKILL.md +++ b/skills/implementing-cloud-workload-protection/SKILL.md 
@@ -1,17 +1,20 @@ --- name: implementing-cloud-workload-protection -description: 'Implements cloud workload protection using boto3 and google-cloud APIs for runtime security monitoring, process - anomaly detection, and file integrity checking on EC2/GCE instances. Scans for cryptomining, reverse shells, and unauthorized - binaries. Use when building runtime security controls for cloud compute workloads. +description: 'Implements cloud workload protection using boto3 and google-cloud APIs + for runtime security monitoring, process anomaly detection, and file integrity checking + on EC2/GCE instances. Scans for cryptomining, reverse shells, and unauthorized binaries. + Use when building runtime security controls for cloud compute workloads. ' domain: cybersecurity subdomain: cloud-security tags: -- implementing -- cloud -- workload -- protection +- cloud-security +- cwpp +- workload-protection +- boto3 +- runtime-security +- process-anomaly-detection version: '1.0' author: mahipal license: Apache-2.0 @@ -20,6 +23,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1071 --- # Implementing Cloud Workload Protection diff --git a/skills/implementing-code-signing-for-artifacts/SKILL.md b/skills/implementing-code-signing-for-artifacts/SKILL.md index 0c92cf0d..ada95206 100644 --- a/skills/implementing-code-signing-for-artifacts/SKILL.md +++ b/skills/implementing-code-signing-for-artifacts/SKILL.md 
@@ -1,8 +1,9 @@ --- name: implementing-code-signing-for-artifacts -description: 'This skill covers implementing code signing for build artifacts to ensure integrity and authenticity throughout - the software supply chain. It addresses signing binaries, packages, and containers using GPG, Sigstore, and platform-specific - signing tools, establishing trust chains, and verifying signatures in deployment pipelines. +description: 'This skill covers implementing code signing for build artifacts to ensure + integrity and authenticity throughout the software supply chain. It addresses signing + binaries, packages, and containers using GPG, Sigstore, and platform-specific signing + tools, establishing trust chains, and verifying signatures in deployment pipelines. ' domain: cybersecurity @@ -22,6 +23,12 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195 +- T1554 +- T1059.004 +- T1610 +- T1611 --- # Implementing Code Signing for Artifacts diff --git a/skills/implementing-conditional-access-policies-azure-ad/SKILL.md b/skills/implementing-conditional-access-policies-azure-ad/SKILL.md index 6628c89e..cf716ad5 100644 --- a/skills/implementing-conditional-access-policies-azure-ad/SKILL.md +++ b/skills/implementing-conditional-access-policies-azure-ad/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-conditional-access-policies-azure-ad -description: Configure Microsoft Entra ID (Azure AD) Conditional Access policies for zero trust access control. Covers signal-based - policy design, device compliance requirements, risk-based authentication, named l +description: Configure Microsoft Entra ID (Azure AD) Conditional Access policies for + zero trust access control. Covers signal-based policy design, device compliance + requirements, risk-based authentication, named l domain: cybersecurity subdomain: identity-access-management tags: 
@@ -20,6 +21,11 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 --- # Implementing Conditional Access Policies in Azure AD diff --git a/skills/implementing-conduit-security-for-ot-remote-access/SKILL.md b/skills/implementing-conduit-security-for-ot-remote-access/SKILL.md index 6748df91..4165aeb6 100644 --- a/skills/implementing-conduit-security-for-ot-remote-access/SKILL.md +++ b/skills/implementing-conduit-security-for-ot-remote-access/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-conduit-security-for-ot-remote-access -description: 'Implement secure conduit architecture for OT remote access following IEC 62443 zones and conduits model, deploying - jump servers, MFA-enabled gateways, session recording, and approval-based workflows to control vendor and engineer access +description: 'Implement secure conduit architecture for OT remote access following + IEC 62443 zones and conduits model, deploying jump servers, MFA-enabled gateways, + session recording, and approval-based workflows to control vendor and engineer access to industrial control systems without exposing OT networks directly. ' @@ -24,6 +25,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Implementing Conduit Security for OT Remote Access diff --git a/skills/implementing-container-image-minimal-base-with-distroless/SKILL.md b/skills/implementing-container-image-minimal-base-with-distroless/SKILL.md index d0a0934c..d3b6c1f1 100644 --- a/skills/implementing-container-image-minimal-base-with-distroless/SKILL.md +++ b/skills/implementing-container-image-minimal-base-with-distroless/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-container-image-minimal-base-with-distroless -description: Reduce container attack surface by building application images on Google distroless base images that contain - only the application runtime with no shell, package manager, or unnecessary OS utilities. +description: Reduce container attack surface by building application images on Google + distroless base images that contain only the application runtime with no shell, + package manager, or unnecessary OS utilities. domain: cybersecurity subdomain: container-security tags: @@ -21,6 +22,12 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 +- T1195 --- # Implementing Container Image Minimal Base with Distroless diff --git a/skills/implementing-container-network-policies-with-calico/SKILL.md b/skills/implementing-container-network-policies-with-calico/SKILL.md index 2a359a04..1bb6d979 100644 --- a/skills/implementing-container-network-policies-with-calico/SKILL.md +++ b/skills/implementing-container-network-policies-with-calico/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-container-network-policies-with-calico -description: Enforce Kubernetes network segmentation using Calico CNI network policies and global network policies to control - pod-to-pod traffic, restrict egress, and implement zero-trust microsegmentation. +description: Enforce Kubernetes network segmentation using Calico CNI network policies + and global network policies to control pod-to-pod traffic, restrict egress, and + implement zero-trust microsegmentation. domain: cybersecurity subdomain: container-security tags: @@ -19,6 +20,11 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 --- # Implementing Container Network Policies with Calico 
diff --git a/skills/implementing-continuous-security-validation-with-bas/SKILL.md b/skills/implementing-continuous-security-validation-with-bas/SKILL.md index 3eac479c..448c88ef 100644 --- a/skills/implementing-continuous-security-validation-with-bas/SKILL.md +++ b/skills/implementing-continuous-security-validation-with-bas/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-continuous-security-validation-with-bas -description: Deploy Breach and Attack Simulation tools to continuously validate security control effectiveness by safely emulating - real-world attack techniques across the kill chain. +description: Deploy Breach and Attack Simulation tools to continuously validate security + control effectiveness by safely emulating real-world attack techniques across the + kill chain. domain: cybersecurity subdomain: vulnerability-management tags: @@ -27,6 +28,10 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 --- # Implementing Continuous Security Validation with BAS diff --git a/skills/implementing-data-loss-prevention-with-microsoft-purview/SKILL.md b/skills/implementing-data-loss-prevention-with-microsoft-purview/SKILL.md index 23c90687..01c54c91 100644 --- a/skills/implementing-data-loss-prevention-with-microsoft-purview/SKILL.md +++ b/skills/implementing-data-loss-prevention-with-microsoft-purview/SKILL.md 
@@ -1,12 +1,15 @@ --- name: implementing-data-loss-prevention-with-microsoft-purview -description: 'Implements data loss prevention policies using Microsoft Purview to protect sensitive information across Exchange - Online, SharePoint, OneDrive, Teams, endpoint devices, and Power BI. The analyst configures sensitivity labels with encryption - and content marking, creates DLP policies using built-in and custom sensitive information types with regex patterns, deploys - endpoint DLP rules to control file operations on Windows and macOS devices, and monitors policy effectiveness through Activity - Explorer and DLP alert management. Uses PowerShell cmdlets and the Microsoft Graph API for programmatic policy management. - Activates for requests involving DLP policy creation, sensitivity label configuration, data classification, endpoint data - protection, or Microsoft Purview compliance administration. +description: 'Implements data loss prevention policies using Microsoft Purview to + protect sensitive information across Exchange Online, SharePoint, OneDrive, Teams, + endpoint devices, and Power BI. The analyst configures sensitivity labels with encryption + and content marking, creates DLP policies using built-in and custom sensitive information + types with regex patterns, deploys endpoint DLP rules to control file operations + on Windows and macOS devices, and monitors policy effectiveness through Activity + Explorer and DLP alert management. Uses PowerShell cmdlets and the Microsoft Graph + API for programmatic policy management. Activates for requests involving DLP policy + creation, sensitivity label configuration, data classification, endpoint data protection, + or Microsoft Purview compliance administration. ' domain: cybersecurity @@ -26,6 +29,12 @@ nist_csf: - PR.DS-02 - PR.DS-10 - GV.PO-01 +mitre_attack: +- T1486 +- T1530 +- T1537 +- T1048 +- T1573 --- # Implementing Data Loss Prevention with Microsoft Purview 
diff --git a/skills/implementing-ddos-mitigation-with-cloudflare/SKILL.md b/skills/implementing-ddos-mitigation-with-cloudflare/SKILL.md index a4b07ad3..1ce395d2 100644 --- a/skills/implementing-ddos-mitigation-with-cloudflare/SKILL.md +++ b/skills/implementing-ddos-mitigation-with-cloudflare/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-ddos-mitigation-with-cloudflare -description: Configure Cloudflare DDoS protection with managed rulesets, rate limiting, WAF rules, Bot Management, and origin - protection to mitigate volumetric, protocol, and application-layer attacks. +description: Configure Cloudflare DDoS protection with managed rulesets, rate limiting, + WAF rules, Bot Management, and origin protection to mitigate volumetric, protocol, + and application-layer attacks. domain: cybersecurity subdomain: network-security tags: @@ -22,6 +23,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1078.004 --- # Implementing DDoS Mitigation with Cloudflare diff --git a/skills/implementing-deception-based-detection-with-canarytoken/SKILL.md b/skills/implementing-deception-based-detection-with-canarytoken/SKILL.md index 1c3f2eec..01aa760a 100644 --- a/skills/implementing-deception-based-detection-with-canarytoken/SKILL.md +++ b/skills/implementing-deception-based-detection-with-canarytoken/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-deception-based-detection-with-canarytoken -description: Deploy and monitor Canary Tokens via the Thinkst Canary API for deception-based breach detection using web bug - tokens, DNS tokens, document tokens, and AWS key tokens. +description: Deploy and monitor Canary Tokens via the Thinkst Canary API for deception-based + breach detection using web bug tokens, DNS tokens, document tokens, and AWS key + tokens. domain: cybersecurity subdomain: deception-technology tags: 
@@ -19,6 +20,12 @@ nist_csf: - DE.CM-01 - DE.AE-06 - PR.IR-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1078.004 +- T1530 --- # Implementing Deception-Based Detection with Canarytoken diff --git a/skills/implementing-delinea-secret-server-for-pam/SKILL.md b/skills/implementing-delinea-secret-server-for-pam/SKILL.md index eeb25e01..4def8adb 100644 --- a/skills/implementing-delinea-secret-server-for-pam/SKILL.md +++ b/skills/implementing-delinea-secret-server-for-pam/SKILL.md @@ -1,9 +1,10 @@ --- name: implementing-delinea-secret-server-for-pam -description: 'Implements Delinea Secret Server for privileged access management (PAM) including secret vault configuration, - role-based access policies, automated password rotation, session recording, and integration with Active Directory and cloud - platforms. Activates for requests involving PAM deployment, privileged credential vaulting, secret server administration, - or password rotation automation. +description: 'Implements Delinea Secret Server for privileged access management (PAM) + including secret vault configuration, role-based access policies, automated password + rotation, session recording, and integration with Active Directory and cloud platforms. + Activates for requests involving PAM deployment, privileged credential vaulting, + secret server administration, or password rotation automation. ' domain: cybersecurity @@ -23,6 +24,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 +- T1003 --- # Implementing Delinea Secret Server for PAM diff --git a/skills/implementing-device-posture-assessment-in-zero-trust/SKILL.md b/skills/implementing-device-posture-assessment-in-zero-trust/SKILL.md index 7e933cc0..12f7fc74 100644 --- a/skills/implementing-device-posture-assessment-in-zero-trust/SKILL.md +++ b/skills/implementing-device-posture-assessment-in-zero-trust/SKILL.md 
@@ -1,8 +1,9 @@ --- name: implementing-device-posture-assessment-in-zero-trust -description: 'Implementing device posture assessment as a zero trust access control by integrating endpoint health signals - from CrowdStrike ZTA, Microsoft Intune, and Jamf into conditional access policies that enforce compliance before granting - resource access. +description: 'Implementing device posture assessment as a zero trust access control + by integrating endpoint health signals from CrowdStrike ZTA, Microsoft Intune, and + Jamf into conditional access policies that enforce compliance before granting resource + access. ' domain: cybersecurity @@ -23,6 +24,10 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1078 +- T1190 +- T1059 --- # Implementing Device Posture Assessment in Zero Trust diff --git a/skills/implementing-devsecops-security-scanning/SKILL.md b/skills/implementing-devsecops-security-scanning/SKILL.md index ebee7c9f..db601243 100644 --- a/skills/implementing-devsecops-security-scanning/SKILL.md +++ b/skills/implementing-devsecops-security-scanning/SKILL.md 
@@ -1,9 +1,11 @@ --- name: implementing-devsecops-security-scanning -description: 'Integrates Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software - Composition Analysis (SCA) into CI/CD pipelines using open-source tools. Covers Semgrep for SAST, Trivy for SCA and container - scanning, OWASP ZAP for DAST, and Gitleaks for secrets detection. Activates for requests involving DevSecOps pipeline setup, - automated security scanning in CI/CD, SAST/DAST/SCA integration, or shift-left security implementation. +description: 'Integrates Static Application Security Testing (SAST), Dynamic Application + Security Testing (DAST), and Software Composition Analysis (SCA) into CI/CD pipelines + using open-source tools. Covers Semgrep for SAST, Trivy for SCA and container scanning, + OWASP ZAP for DAST, and Gitleaks for secrets detection. Activates for requests involving + DevSecOps pipeline setup, automated security scanning in CI/CD, SAST/DAST/SCA integration, + or shift-left security implementation. ' domain: cybersecurity @@ -27,6 +29,12 @@ nist_csf: - PR.PS-04 - ID.RA-01 - PR.DS-10 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1610 +- T1611 --- # Implementing DevSecOps Security Scanning diff --git a/skills/implementing-diamond-model-analysis/SKILL.md b/skills/implementing-diamond-model-analysis/SKILL.md index f9f83120..4e58743e 100644 --- a/skills/implementing-diamond-model-analysis/SKILL.md +++ b/skills/implementing-diamond-model-analysis/SKILL.md 
@@ -1,8 +1,10 @@ --- name: implementing-diamond-model-analysis -description: The Diamond Model of Intrusion Analysis provides a structured framework for analyzing cyber intrusions by examining - four core features - Adversary, Capability, Infrastructure, and Victim. This skill covers implementing the Diamond Model - programmatically to classify and correlate intrusion events, build activity threads, and generate pivot-ready intelligence. +description: The Diamond Model of Intrusion Analysis provides a structured framework + for analyzing cyber intrusions by examining four core features - Adversary, Capability, + Infrastructure, and Victim. This skill covers implementing the Diamond Model programmatically + to classify and correlate intrusion events, build activity threads, and generate + pivot-ready intelligence. domain: cybersecurity subdomain: threat-intelligence tags: @@ -21,6 +23,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 +- T0816 --- # Implementing Diamond Model Analysis diff --git a/skills/implementing-digital-signatures-with-ed25519/SKILL.md b/skills/implementing-digital-signatures-with-ed25519/SKILL.md index 617041ab..6bf1269c 100644 --- a/skills/implementing-digital-signatures-with-ed25519/SKILL.md +++ b/skills/implementing-digital-signatures-with-ed25519/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-digital-signatures-with-ed25519 -description: Ed25519 is a high-performance digital signature algorithm using the Edwards curve Curve25519. It provides 128-bit - security with 64-byte signatures and 32-byte keys, offering significant advantages ove +description: Ed25519 is a high-performance digital signature algorithm using the Edwards + curve Curve25519. It provides 128-bit security with 64-byte signatures and 32-byte + keys, offering significant advantages ove domain: cybersecurity subdomain: cryptography tags: 
@@ -17,6 +18,10 @@ nist_csf: - PR.DS-01 - PR.DS-02 - PR.DS-10 +mitre_attack: +- T1600 +- T1573 +- T1553 --- # Implementing Digital Signatures with Ed25519 diff --git a/skills/implementing-disk-encryption-with-bitlocker/SKILL.md b/skills/implementing-disk-encryption-with-bitlocker/SKILL.md index b46f4b27..95df218f 100644 --- a/skills/implementing-disk-encryption-with-bitlocker/SKILL.md +++ b/skills/implementing-disk-encryption-with-bitlocker/SKILL.md @@ -1,9 +1,11 @@ --- name: implementing-disk-encryption-with-bitlocker -description: 'Implements full disk encryption using Microsoft BitLocker on Windows endpoints to protect data at rest from - unauthorized access in case of device loss or theft. Use when deploying encryption for compliance requirements, securing - mobile workstations, or implementing data protection controls across the enterprise. Activates for requests involving BitLocker - encryption, disk encryption, TPM configuration, or data-at-rest protection. +description: 'Implements full disk encryption using Microsoft BitLocker on Windows + endpoints to protect data at rest from unauthorized access in case of device loss + or theft. Use when deploying encryption for compliance requirements, securing mobile + workstations, or implementing data protection controls across the enterprise. Activates + for requests involving BitLocker encryption, disk encryption, TPM configuration, + or data-at-rest protection. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - PR.PS-02 - DE.CM-01 - PR.IR-01 +mitre_attack: +- T1055 +- T1547 +- T1059 +- T1036 +- T1573 --- # Implementing Disk Encryption with BitLocker diff --git a/skills/implementing-dmarc-dkim-spf-email-security/SKILL.md b/skills/implementing-dmarc-dkim-spf-email-security/SKILL.md index 8212032e..0924b9a2 100644 --- a/skills/implementing-dmarc-dkim-spf-email-security/SKILL.md +++ b/skills/implementing-dmarc-dkim-spf-email-security/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-dmarc-dkim-spf-email-security -description: SPF, DKIM, and DMARC form the three pillars of email authentication. Together they prevent domain spoofing, validate - message integrity, and define policies for handling unauthenticated mail. Proper im +description: SPF, DKIM, and DMARC form the three pillars of email authentication. + Together they prevent domain spoofing, validate message integrity, and define policies + for handling unauthenticated mail. Proper im domain: cybersecurity subdomain: phishing-defense tags: @@ -21,6 +22,11 @@ nist_csf: - DE.CM-09 - RS.CO-02 - DE.AE-02 +mitre_attack: +- T1566 +- T1598 +- T1534 +- T1036 --- # Implementing DMARC, DKIM, and SPF Email Security diff --git a/skills/implementing-dragos-platform-for-ot-monitoring/SKILL.md b/skills/implementing-dragos-platform-for-ot-monitoring/SKILL.md index 482e0527..ff81c61d 100644 --- a/skills/implementing-dragos-platform-for-ot-monitoring/SKILL.md +++ b/skills/implementing-dragos-platform-for-ot-monitoring/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-dragos-platform-for-ot-monitoring -description: 'Deploy and configure the Dragos Platform for OT network monitoring, leveraging its 600+ industrial protocol - parsers, intelligence-driven threat detection analytics, and asset visibility capabilities to protect ICS environments against +description: 'Deploy and configure the Dragos Platform for OT network monitoring, + leveraging its 600+ industrial protocol parsers, intelligence-driven threat detection + analytics, and asset visibility capabilities to protect ICS environments against threat groups like VOLTZITE, GRAPHITE, and BAUXITE. ' @@ -32,6 +33,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Implementing Dragos Platform for OT Monitoring 
diff --git a/skills/implementing-ebpf-security-monitoring/SKILL.md b/skills/implementing-ebpf-security-monitoring/SKILL.md index d92af5c4..d27692ba 100644 --- a/skills/implementing-ebpf-security-monitoring/SKILL.md +++ b/skills/implementing-ebpf-security-monitoring/SKILL.md @@ -1,22 +1,23 @@ --- name: implementing-ebpf-security-monitoring -description: 'Implements eBPF-based security monitoring using Cilium Tetragon for real-time process execution tracking, network - connection observability, file access auditing, and runtime enforcement. Covers TracingPolicy CRD authoring with kprobe/tracepoint - hooks, in-kernel filtering via matchArgs/matchBinaries selectors, JSON event export, and integration with SIEM pipelines. - Use when building kernel-level runtime security observability for Linux hosts or Kubernetes clusters. +description: 'Implements eBPF-based security monitoring using Cilium Tetragon for + real-time process execution tracking, network connection observability, file access + auditing, and runtime enforcement. Covers TracingPolicy CRD authoring with kprobe/tracepoint + hooks, in-kernel filtering via matchArgs/matchBinaries selectors, JSON event export, + and integration with SIEM pipelines. Use when building kernel-level runtime security + observability for Linux hosts or Kubernetes clusters. ' domain: cybersecurity subdomain: security-operations tags: -- implementing - ebpf -- security -- monitoring - tetragon - cilium -- runtime +- runtime-security - observability +- kernel-security +- kubernetes-security version: '1.0' author: mukul975 license: Apache-2.0 @@ -33,6 +34,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1685.002 +- T1685.005 --- # Implementing eBPF Security Monitoring diff --git a/skills/implementing-email-sandboxing-with-proofpoint/SKILL.md b/skills/implementing-email-sandboxing-with-proofpoint/SKILL.md index 9ae7a3ea..16504256 100644 
--- a/skills/implementing-email-sandboxing-with-proofpoint/SKILL.md +++ b/skills/implementing-email-sandboxing-with-proofpoint/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-email-sandboxing-with-proofpoint -description: Email sandboxing detonates suspicious attachments and URLs in isolated environments to detect zero-day malware - and evasive phishing payloads. Proofpoint Targeted Attack Protection (TAP) is an industry +description: Email sandboxing detonates suspicious attachments and URLs in isolated + environments to detect zero-day malware and evasive phishing payloads. Proofpoint + Targeted Attack Protection (TAP) is an industry domain: cybersecurity subdomain: phishing-defense tags: @@ -20,6 +21,12 @@ nist_csf: - DE.CM-09 - RS.CO-02 - DE.AE-02 +mitre_attack: +- T1566 +- T1598 +- T1534 +- T1036 +- T1027 --- # Implementing Email Sandboxing with Proofpoint diff --git a/skills/implementing-end-to-end-encryption-for-messaging/SKILL.md b/skills/implementing-end-to-end-encryption-for-messaging/SKILL.md index 040b4873..3fe4a7d9 100644 --- a/skills/implementing-end-to-end-encryption-for-messaging/SKILL.md +++ b/skills/implementing-end-to-end-encryption-for-messaging/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-end-to-end-encryption-for-messaging -description: End-to-end encryption (E2EE) ensures that only the communicating parties can read messages, with no intermediary - (including the server) able to decrypt them. This skill implements a simplified version +description: End-to-end encryption (E2EE) ensures that only the communicating parties + can read messages, with no intermediary (including the server) able to decrypt them. + This skill implements a simplified version domain: cybersecurity subdomain: cryptography tags: @@ -17,6 +18,11 @@ nist_csf: - PR.DS-01 - PR.DS-02 - PR.DS-10 +mitre_attack: +- T1600 +- T1573 +- T1553 +- T1486 --- # Implementing End-to-End Encryption for Messaging 
diff --git a/skills/implementing-endpoint-detection-with-wazuh/SKILL.md b/skills/implementing-endpoint-detection-with-wazuh/SKILL.md index 462b837e..6c8184ca 100644 --- a/skills/implementing-endpoint-detection-with-wazuh/SKILL.md +++ b/skills/implementing-endpoint-detection-with-wazuh/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-endpoint-detection-with-wazuh -description: Deploy and configure Wazuh SIEM/XDR for endpoint detection including agent management, custom decoder and rule - XML creation, alert querying via the Wazuh REST API, and automated response actions. +description: Deploy and configure Wazuh SIEM/XDR for endpoint detection including + agent management, custom decoder and rule XML creation, alert querying via the Wazuh + REST API, and automated response actions. domain: cybersecurity subdomain: security-operations tags: @@ -25,6 +26,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1685.002 +- T1685.005 --- # Implementing Endpoint Detection with Wazuh diff --git a/skills/implementing-endpoint-dlp-controls/SKILL.md b/skills/implementing-endpoint-dlp-controls/SKILL.md index 6a20a9f1..3a5c5c8f 100644 --- a/skills/implementing-endpoint-dlp-controls/SKILL.md +++ b/skills/implementing-endpoint-dlp-controls/SKILL.md 
@@ -1,9 +1,11 @@ --- name: implementing-endpoint-dlp-controls -description: 'Implements endpoint Data Loss Prevention (DLP) controls to detect and prevent sensitive data exfiltration through - email, USB, cloud storage, and printing. Use when deploying DLP agents, creating content inspection policies, or preventing - unauthorized data movement from endpoints. Activates for requests involving DLP, data exfiltration prevention, content inspection, - or sensitive data protection on endpoints. +description: 'Implements endpoint Data Loss Prevention (DLP) controls to detect and + prevent sensitive data exfiltration through email, USB, cloud storage, and printing. + Use when deploying DLP agents, creating content inspection policies, or preventing + unauthorized data movement from endpoints. Activates for requests involving DLP, + data exfiltration prevention, content inspection, or sensitive data protection on + endpoints. ' domain: cybersecurity @@ -31,6 +33,12 @@ nist_csf: - PR.PS-02 - DE.CM-01 - PR.IR-01 +mitre_attack: +- T1055 +- T1547 +- T1059 +- T1036 +- T1048 --- # Implementing Endpoint DLP Controls diff --git a/skills/implementing-envelope-encryption-with-aws-kms/SKILL.md b/skills/implementing-envelope-encryption-with-aws-kms/SKILL.md index 175a5d04..95cfa1da 100644 --- a/skills/implementing-envelope-encryption-with-aws-kms/SKILL.md +++ b/skills/implementing-envelope-encryption-with-aws-kms/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-envelope-encryption-with-aws-kms -description: Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself - is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting +description: Envelope encryption is a strategy where data is encrypted with a data + encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed + by AWS KMS. This approach allows encrypting domain: cybersecurity subdomain: cryptography tags: 
@@ -18,6 +19,12 @@ nist_csf: - PR.DS-01 - PR.DS-02 - PR.DS-10 +mitre_attack: +- T1600 +- T1573 +- T1553 +- T1078.004 +- T1530 --- # Implementing Envelope Encryption with AWS KMS diff --git a/skills/implementing-epss-score-for-vulnerability-prioritization/SKILL.md b/skills/implementing-epss-score-for-vulnerability-prioritization/SKILL.md index 38115638..02dfa34e 100644 --- a/skills/implementing-epss-score-for-vulnerability-prioritization/SKILL.md +++ b/skills/implementing-epss-score-for-vulnerability-prioritization/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-epss-score-for-vulnerability-prioritization -description: Integrate FIRST's Exploit Prediction Scoring System (EPSS) API to prioritize vulnerability remediation based - on real-world exploitation probability within 30 days. +description: Integrate FIRST's Exploit Prediction Scoring System (EPSS) API to prioritize + vulnerability remediation based on real-world exploitation probability within 30 + days. domain: cybersecurity subdomain: vulnerability-management tags: @@ -20,6 +21,10 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 --- # Implementing EPSS Score for Vulnerability Prioritization diff --git a/skills/implementing-file-integrity-monitoring-with-aide/SKILL.md b/skills/implementing-file-integrity-monitoring-with-aide/SKILL.md index aee0cb59..18ad1089 100644 --- a/skills/implementing-file-integrity-monitoring-with-aide/SKILL.md +++ b/skills/implementing-file-integrity-monitoring-with-aide/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-file-integrity-monitoring-with-aide -description: Configure AIDE (Advanced Intrusion Detection Environment) for file integrity monitoring including baseline creation, - scheduled integrity checks, change detection, and alerting +description: Configure AIDE (Advanced Intrusion Detection Environment) for file integrity + monitoring including baseline creation, scheduled integrity checks, change detection, + and alerting domain: cybersecurity subdomain: endpoint-security tags: @@ -20,6 +21,11 @@ nist_csf: - PR.PS-02 - DE.CM-01 - PR.IR-01 +mitre_attack: +- T1055 +- T1547 +- T1059 +- T1036 --- # Implementing File Integrity Monitoring with AIDE diff --git a/skills/implementing-fuzz-testing-in-cicd-with-aflplusplus/SKILL.md b/skills/implementing-fuzz-testing-in-cicd-with-aflplusplus/SKILL.md index 31be3ab2..e0ab520f 100644 --- a/skills/implementing-fuzz-testing-in-cicd-with-aflplusplus/SKILL.md +++ b/skills/implementing-fuzz-testing-in-cicd-with-aflplusplus/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-fuzz-testing-in-cicd-with-aflplusplus -description: Integrate AFL++ coverage-guided fuzz testing into CI/CD pipelines to discover memory corruption, input handling, - and logic vulnerabilities in C/C++ and compiled applications. +description: Integrate AFL++ coverage-guided fuzz testing into CI/CD pipelines to + discover memory corruption, input handling, and logic vulnerabilities in C/C++ and + compiled applications. domain: cybersecurity subdomain: devsecops tags: @@ -28,6 +29,12 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195 +- T1554 +- T1059.004 +- T1005 +- T1059 --- # Implementing Fuzz Testing in CI/CD with AFL++ diff --git a/skills/implementing-gcp-binary-authorization/SKILL.md b/skills/implementing-gcp-binary-authorization/SKILL.md index 35287756..3eedfe3b 100644 --- a/skills/implementing-gcp-binary-authorization/SKILL.md +++ b/skills/implementing-gcp-binary-authorization/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-gcp-binary-authorization -description: Implement GCP Binary Authorization to enforce deploy-time security controls that ensure only trusted, attested - container images are deployed to Google Kubernetes Engine and Cloud Run. +description: Implement GCP Binary Authorization to enforce deploy-time security controls + that ensure only trusted, attested container images are deployed to Google Kubernetes + Engine and Cloud Run. domain: cybersecurity subdomain: cloud-security tags: @@ -21,6 +22,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1610 --- # Implementing GCP Binary Authorization diff --git a/skills/implementing-gcp-organization-policy-constraints/SKILL.md b/skills/implementing-gcp-organization-policy-constraints/SKILL.md index 7d1aa3dc..0e498499 100644 --- a/skills/implementing-gcp-organization-policy-constraints/SKILL.md +++ b/skills/implementing-gcp-organization-policy-constraints/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-gcp-organization-policy-constraints -description: Implement GCP Organization Policy constraints to enforce security guardrails across the entire resource hierarchy, - restricting risky configurations and ensuring compliance at organization, folder, and project levels. +description: Implement GCP Organization Policy constraints to enforce security guardrails + across the entire resource hierarchy, restricting risky configurations and ensuring + compliance at organization, folder, and project levels. domain: cybersecurity subdomain: cloud-security tags: @@ -20,6 +21,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 --- # Implementing GCP Organization Policy Constraints diff --git a/skills/implementing-gcp-vpc-firewall-rules/SKILL.md b/skills/implementing-gcp-vpc-firewall-rules/SKILL.md index 29551e2a..710727fe 100644 --- a/skills/implementing-gcp-vpc-firewall-rules/SKILL.md 
+++ b/skills/implementing-gcp-vpc-firewall-rules/SKILL.md @@ -1,8 +1,9 @@ --- name: implementing-gcp-vpc-firewall-rules -description: 'Implementing and auditing GCP VPC firewall rules to enforce network segmentation, restrict ingress and egress - traffic, apply hierarchical firewall policies across the organization, and monitor firewall rule effectiveness using VPC - Flow Logs. +description: 'Implementing and auditing GCP VPC firewall rules to enforce network + segmentation, restrict ingress and egress traffic, apply hierarchical firewall policies + across the organization, and monitor firewall rule effectiveness using VPC Flow + Logs. ' domain: cybersecurity @@ -22,6 +23,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 --- # Implementing GCP VPC Firewall Rules diff --git a/skills/implementing-gdpr-data-protection-controls/SKILL.md b/skills/implementing-gdpr-data-protection-controls/SKILL.md index 6abfaa7e..f3bb04c3 100644 --- a/skills/implementing-gdpr-data-protection-controls/SKILL.md +++ b/skills/implementing-gdpr-data-protection-controls/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-gdpr-data-protection-controls -description: The General Data Protection Regulation (EU) 2016/679 (GDPR) is the EU's comprehensive data protection law governing - the collection, processing, storage, and transfer of personal data. This skill cover +description: The General Data Protection Regulation (EU) 2016/679 (GDPR) is the EU's + comprehensive data protection law governing the collection, processing, storage, + and transfer of personal data. This skill cover domain: cybersecurity subdomain: compliance-governance tags: @@ -30,6 +31,10 @@ atlas_techniques: - AML.T0070 - AML.T0066 - AML.T0082 +mitre_attack: +- T1078 +- T1530 +- T1685.002 --- # Implementing GDPR Data Protection Controls 
diff --git a/skills/implementing-gdpr-data-subject-access-request/SKILL.md b/skills/implementing-gdpr-data-subject-access-request/SKILL.md index e55dc3a5..455a0a36 100644 --- a/skills/implementing-gdpr-data-subject-access-request/SKILL.md +++ b/skills/implementing-gdpr-data-subject-access-request/SKILL.md @@ -1,9 +1,11 @@ --- name: implementing-gdpr-data-subject-access-request -description: 'Automates GDPR Data Subject Access Request (DSAR) workflows including identity verification, PII discovery across - databases and files using regex and NER, data mapping, response templating per Article 15 requirements, deadline tracking, - and audit logging. Covers ICO/EDPB guidance compliance, exemption handling, and scalable batch processing. Use when building - or auditing DSAR response capabilities under GDPR/UK GDPR. +description: 'Automates GDPR Data Subject Access Request (DSAR) workflows including + identity verification, PII discovery across databases and files using regex and + NER, data mapping, response templating per Article 15 requirements, deadline tracking, + and audit logging. Covers ICO/EDPB guidance compliance, exemption handling, and + scalable batch processing. Use when building or auditing DSAR response capabilities + under GDPR/UK GDPR. ' domain: cybersecurity @@ -23,6 +25,10 @@ nist_csf: - GV.PO-01 - PR.DS-01 - GV.OC-05 +mitre_attack: +- T1078 +- T1190 +- T1059 --- # Implementing GDPR Data Subject Access Request (DSAR) Workflow diff --git a/skills/implementing-github-advanced-security-for-code-scanning/SKILL.md b/skills/implementing-github-advanced-security-for-code-scanning/SKILL.md index ca923b87..bc984501 100644 --- a/skills/implementing-github-advanced-security-for-code-scanning/SKILL.md +++ b/skills/implementing-github-advanced-security-for-code-scanning/SKILL.md 
@@ -1,7 +1,7 @@ --- name: implementing-github-advanced-security-for-code-scanning -description: Configure GitHub Advanced Security with CodeQL to perform automated static analysis and vulnerability detection - across repositories at enterprise scale. +description: Configure GitHub Advanced Security with CodeQL to perform automated static + analysis and vulnerability detection across repositories at enterprise scale. domain: cybersecurity subdomain: devsecops tags: @@ -20,6 +20,10 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195 +- T1554 +- T1059.004 --- # Implementing GitHub Advanced Security for Code Scanning diff --git a/skills/implementing-google-workspace-admin-security/SKILL.md b/skills/implementing-google-workspace-admin-security/SKILL.md index ec60c742..4cc783b2 100644 --- a/skills/implementing-google-workspace-admin-security/SKILL.md +++ b/skills/implementing-google-workspace-admin-security/SKILL.md @@ -1,8 +1,10 @@ --- name: implementing-google-workspace-admin-security -description: 'Implements comprehensive Google Workspace security hardening including admin console configuration, phishing-resistant - MFA enforcement, DLP policies, email authentication (SPF/DKIM/DMARC), OAuth app control, and external sharing restrictions. - Activates for requests involving Google Workspace hardening, G Suite security configuration, or cloud office security administration. +description: 'Implements comprehensive Google Workspace security hardening including + admin console configuration, phishing-resistant MFA enforcement, DLP policies, email + authentication (SPF/DKIM/DMARC), OAuth app control, and external sharing restrictions. + Activates for requests involving Google Workspace hardening, G Suite security configuration, + or cloud office security administration. ' domain: cybersecurity 
@@ -23,6 +25,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 +- T1566 --- # Implementing Google Workspace Admin Security diff --git a/skills/implementing-google-workspace-phishing-protection/SKILL.md b/skills/implementing-google-workspace-phishing-protection/SKILL.md index c047695d..ce03fff4 100644 --- a/skills/implementing-google-workspace-phishing-protection/SKILL.md +++ b/skills/implementing-google-workspace-phishing-protection/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-google-workspace-phishing-protection -description: Configure Google Workspace advanced phishing and malware protection settings including pre-delivery scanning, - attachment protection, spoofing detection, and Enhanced Safe Browsing. +description: Configure Google Workspace advanced phishing and malware protection settings + including pre-delivery scanning, attachment protection, spoofing detection, and + Enhanced Safe Browsing. domain: cybersecurity subdomain: phishing-defense tags: @@ -20,6 +21,12 @@ nist_csf: - DE.CM-09 - RS.CO-02 - DE.AE-02 +mitre_attack: +- T1566 +- T1598 +- T1534 +- T1036 +- T1027 --- # Implementing Google Workspace Phishing Protection diff --git a/skills/implementing-google-workspace-sso-configuration/SKILL.md b/skills/implementing-google-workspace-sso-configuration/SKILL.md index 8d3cbb63..16b047eb 100644 --- a/skills/implementing-google-workspace-sso-configuration/SKILL.md +++ b/skills/implementing-google-workspace-sso-configuration/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-google-workspace-sso-configuration -description: Configure SAML 2.0 single sign-on for Google Workspace with a third-party identity provider, enabling centralized - authentication and enforcing organization-wide access policies. +description: Configure SAML 2.0 single sign-on for Google Workspace with a third-party + identity provider, enabling centralized authentication and enforcing organization-wide + access policies. domain: cybersecurity subdomain: identity-access-management tags: @@ -19,6 +20,11 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 --- # Implementing Google Workspace SSO Configuration diff --git a/skills/implementing-hardware-security-key-authentication/SKILL.md b/skills/implementing-hardware-security-key-authentication/SKILL.md index 39acaf4a..16e8e23d 100644 --- a/skills/implementing-hardware-security-key-authentication/SKILL.md +++ b/skills/implementing-hardware-security-key-authentication/SKILL.md 
@@ -1,10 +1,12 @@ --- name: implementing-hardware-security-key-authentication -description: 'Implements FIDO2/WebAuthn hardware security key authentication including registration ceremonies, authentication - flows, YubiKey enrollment, and passkey migration strategies. Builds a complete relying party server using the python-fido2 - library that supports cross-platform authenticators, resident key (discoverable credential) workflows, and user verification - policies. Activates for requests involving FIDO2 implementation, WebAuthn registration, hardware security key enrollment, - YubiKey integration, or passkey migration from password-based authentication. +description: 'Implements FIDO2/WebAuthn hardware security key authentication including + registration ceremonies, authentication flows, YubiKey enrollment, and passkey migration + strategies. Builds a complete relying party server using the python-fido2 library + that supports cross-platform authenticators, resident key (discoverable credential) + workflows, and user verification policies. Activates for requests involving FIDO2 + implementation, WebAuthn registration, hardware security key enrollment, YubiKey + integration, or passkey migration from password-based authentication. ' domain: cybersecurity @@ -33,6 +35,12 @@ nist_csf: - PR.AA-01 - PR.AA-02 - PR.AA-05 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1003 +- T1110 --- # Implementing Hardware Security Key Authentication diff --git a/skills/implementing-hashicorp-vault-dynamic-secrets/SKILL.md b/skills/implementing-hashicorp-vault-dynamic-secrets/SKILL.md index bd46490c..12df662b 100644 --- a/skills/implementing-hashicorp-vault-dynamic-secrets/SKILL.md +++ b/skills/implementing-hashicorp-vault-dynamic-secrets/SKILL.md 
@@ -1,9 +1,10 @@ --- name: implementing-hashicorp-vault-dynamic-secrets -description: 'Implements HashiCorp Vault dynamic secrets engines for database credentials, AWS IAM keys, and PKI certificates - with automatic generation, lease management, and credential rotation to eliminate static secrets in application configurations. - Activates for requests involving Vault secrets engine configuration, dynamic database credentials, ephemeral cloud credentials, - or automated secret rotation. +description: 'Implements HashiCorp Vault dynamic secrets engines for database credentials, + AWS IAM keys, and PKI certificates with automatic generation, lease management, + and credential rotation to eliminate static secrets in application configurations. + Activates for requests involving Vault secrets engine configuration, dynamic database + credentials, ephemeral cloud credentials, or automated secret rotation. ' domain: cybersecurity @@ -23,6 +24,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 +- T1003 --- # Implementing HashiCorp Vault Dynamic Secrets diff --git a/skills/implementing-honeypot-for-ransomware-detection/SKILL.md b/skills/implementing-honeypot-for-ransomware-detection/SKILL.md index 19ce5f30..4d06a5fd 100644 --- a/skills/implementing-honeypot-for-ransomware-detection/SKILL.md +++ b/skills/implementing-honeypot-for-ransomware-detection/SKILL.md 
@@ -1,10 +1,12 @@ --- name: implementing-honeypot-for-ransomware-detection -description: 'Deploys canary files, honeypot shares, and decoy systems to detect ransomware activity at the earliest possible - stage. Configures canary tokens embedded in strategic file locations that trigger alerts when ransomware attempts encryption, - uses honeypot network shares that mimic high-value targets, and deploys Thinkst Canary appliances for comprehensive deception-based - detection. Activates for requests involving ransomware honeypots, canary files, deception technology for ransomware, or - early ransomware alerting. +description: 'Deploys canary files, honeypot shares, and decoy systems to detect ransomware + activity at the earliest possible stage. Configures canary tokens embedded in strategic + file locations that trigger alerts when ransomware attempts encryption, uses honeypot + network shares that mimic high-value targets, and deploys Thinkst Canary appliances + for comprehensive deception-based detection. Activates for requests involving ransomware + honeypots, canary files, deception technology for ransomware, or early ransomware + alerting. ' domain: cybersecurity @@ -30,6 +32,12 @@ nist_csf: - RS.MA-01 - RC.RP-01 - PR.IR-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1486 +- T1490 --- # Implementing Honeypot for Ransomware Detection diff --git a/skills/implementing-honeytokens-for-breach-detection/SKILL.md b/skills/implementing-honeytokens-for-breach-detection/SKILL.md index cd32bcae..5f80e2cc 100644 --- a/skills/implementing-honeytokens-for-breach-detection/SKILL.md +++ b/skills/implementing-honeytokens-for-breach-detection/SKILL.md 
@@ -1,17 +1,20 @@ --- name: implementing-honeytokens-for-breach-detection -description: 'Deploys canary tokens and honeytokens (fake AWS credentials, DNS canaries, document beacons, database records) - that trigger alerts when accessed by attackers. Uses the Canarytokens API and custom webhook integrations for breach detection. +description: 'Deploys canary tokens and honeytokens (fake AWS credentials, DNS canaries, + document beacons, database records) that trigger alerts when accessed by attackers. + Uses the Canarytokens API and custom webhook integrations for breach detection. Use when building deception-based early warning systems for intrusion detection. ' domain: cybersecurity subdomain: security-operations tags: -- implementing +- deception-technology - honeytokens -- for -- breach +- canary-tokens +- breach-detection +- dns-canary +- security-operations version: '1.0' author: mahipal license: Apache-2.0 @@ -20,6 +23,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1003 +- T1110 --- # Implementing Honeytokens for Breach Detection diff --git a/skills/implementing-ics-firewall-with-tofino/SKILL.md b/skills/implementing-ics-firewall-with-tofino/SKILL.md index f12cf8e9..e97affb3 100644 --- a/skills/implementing-ics-firewall-with-tofino/SKILL.md +++ b/skills/implementing-ics-firewall-with-tofino/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-ics-firewall-with-tofino -description: 'Deploy and configure Tofino industrial firewalls from Belden/Hirschmann to protect SCADA systems and PLCs using - deep packet inspection for OT protocols including Modbus, EtherNet/IP, OPC, and S7comm, enforcing granular access control +description: 'Deploy and configure Tofino industrial firewalls from Belden/Hirschmann + to protect SCADA systems and PLCs using deep packet inspection for OT protocols + including Modbus, EtherNet/IP, OPC, and S7comm, enforcing granular access control between ICS security zones. ' 
@@ -24,6 +25,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Implementing ICS Firewall with Tofino diff --git a/skills/implementing-identity-governance-with-sailpoint/SKILL.md b/skills/implementing-identity-governance-with-sailpoint/SKILL.md index 2c356e42..0000e450 100644 --- a/skills/implementing-identity-governance-with-sailpoint/SKILL.md +++ b/skills/implementing-identity-governance-with-sailpoint/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-identity-governance-with-sailpoint -description: Deploy SailPoint IdentityNow or IdentityIQ for identity governance and administration. Covers identity lifecycle - management, access request workflows, certification campaigns, role mining, SOD policy +description: Deploy SailPoint IdentityNow or IdentityIQ for identity governance and + administration. Covers identity lifecycle management, access request workflows, + certification campaigns, role mining, SOD policy domain: cybersecurity subdomain: identity-access-management tags: @@ -20,6 +21,11 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 --- # Implementing Identity Governance with SailPoint diff --git a/skills/implementing-identity-verification-for-zero-trust/SKILL.md b/skills/implementing-identity-verification-for-zero-trust/SKILL.md index 599294a2..c9ebb5ed 100644 --- a/skills/implementing-identity-verification-for-zero-trust/SKILL.md +++ b/skills/implementing-identity-verification-for-zero-trust/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-identity-verification-for-zero-trust -description: Implement continuous identity verification for zero trust using phishing-resistant MFA (FIDO2/WebAuthn), risk-based - conditional access, and identity governance aligned with the CISA Zero Trust Maturity Model. +description: Implement continuous identity verification for zero trust using phishing-resistant + MFA (FIDO2/WebAuthn), risk-based conditional access, and identity governance aligned + with the CISA Zero Trust Maturity Model. domain: cybersecurity subdomain: zero-trust-architecture tags: @@ -24,6 +25,12 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1566 +- T1598 --- # Implementing Identity Verification for Zero Trust diff --git a/skills/implementing-iec-62443-security-zones/SKILL.md b/skills/implementing-iec-62443-security-zones/SKILL.md index 7843dbcd..9f8903e5 100644 --- a/skills/implementing-iec-62443-security-zones/SKILL.md +++ b/skills/implementing-iec-62443-security-zones/SKILL.md 
@@ -1,9 +1,11 @@ --- name: implementing-iec-62443-security-zones -description: 'This skill covers designing and implementing security zones and conduits for industrial automation and control - systems (IACS) per IEC 62443-3-2. It addresses zone partitioning based on risk assessment, assigning Security Level targets - (SL-T), designing conduit security controls, implementing microsegmentation with industrial firewalls, and validating zone - architecture through traffic analysis and penetration testing against the Purdue Reference Model. +description: 'This skill covers designing and implementing security zones and conduits + for industrial automation and control systems (IACS) per IEC 62443-3-2. It addresses + zone partitioning based on risk assessment, assigning Security Level targets (SL-T), + designing conduit security controls, implementing microsegmentation with industrial + firewalls, and validating zone architecture through traffic analysis and penetration + testing against the Purdue Reference Model. ' domain: cybersecurity @@ -24,6 +26,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Implementing IEC 62443 Security Zones diff --git a/skills/implementing-image-provenance-verification-with-cosign/SKILL.md b/skills/implementing-image-provenance-verification-with-cosign/SKILL.md index be2c131b..3f1046d4 100644 --- a/skills/implementing-image-provenance-verification-with-cosign/SKILL.md +++ b/skills/implementing-image-provenance-verification-with-cosign/SKILL.md 
@@ -1,7 +1,7 @@ --- name: implementing-image-provenance-verification-with-cosign -description: Sign and verify container image provenance using Sigstore Cosign with keyless OIDC-based signing, attestations, - and Kubernetes admission enforcement. +description: Sign and verify container image provenance using Sigstore Cosign with + keyless OIDC-based signing, attestations, and Kubernetes admission enforcement. domain: cybersecurity subdomain: container-security tags: @@ -20,6 +20,12 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 +- T1195 --- # Implementing Image Provenance Verification with Cosign diff --git a/skills/implementing-immutable-backup-with-restic/SKILL.md b/skills/implementing-immutable-backup-with-restic/SKILL.md index b02749fe..a5a3ca7e 100644 --- a/skills/implementing-immutable-backup-with-restic/SKILL.md +++ b/skills/implementing-immutable-backup-with-restic/SKILL.md @@ -1,9 +1,11 @@ --- name: implementing-immutable-backup-with-restic -description: 'Implements immutable backup strategy using restic with S3-compatible storage and object lock for ransomware-resistant - data protection. Automates backup creation, integrity verification via restic check --read-data, snapshot retention policy - enforcement, and restore testing. Integrates with AWS S3 Object Lock, MinIO, and Backblaze B2 for WORM (Write Once Read - Many) storage that prevents backup deletion or encryption by ransomware actors. +description: 'Implements immutable backup strategy using restic with S3-compatible + storage and object lock for ransomware-resistant data protection. Automates backup + creation, integrity verification via restic check --read-data, snapshot retention + policy enforcement, and restore testing. Integrates with AWS S3 Object Lock, MinIO, + and Backblaze B2 for WORM (Write Once Read Many) storage that prevents backup deletion + or encryption by ransomware actors. ' domain: cybersecurity 
@@ -33,6 +35,12 @@ nist_csf: - RS.MA-01 - RC.RP-01 - PR.IR-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1486 +- T1490 --- # Implementing Immutable Backup with Restic diff --git a/skills/implementing-infrastructure-as-code-security-scanning/SKILL.md b/skills/implementing-infrastructure-as-code-security-scanning/SKILL.md index 9e678ba7..06837d35 100644 --- a/skills/implementing-infrastructure-as-code-security-scanning/SKILL.md +++ b/skills/implementing-infrastructure-as-code-security-scanning/SKILL.md @@ -1,9 +1,10 @@ --- name: implementing-infrastructure-as-code-security-scanning -description: 'This skill covers implementing automated security scanning for Infrastructure as Code (IaC) templates using - tools like Checkov, tfsec, and KICS. It addresses detecting misconfigurations in Terraform, CloudFormation, Kubernetes manifests, - and Helm charts before deployment, establishing policy-based governance, and integrating IaC scanning into CI/CD pipelines - to prevent insecure cloud resource provisioning. +description: 'This skill covers implementing automated security scanning for Infrastructure + as Code (IaC) templates using tools like Checkov, tfsec, and KICS. It addresses + detecting misconfigurations in Terraform, CloudFormation, Kubernetes manifests, + and Helm charts before deployment, establishing policy-based governance, and integrating + IaC scanning into CI/CD pipelines to prevent insecure cloud resource provisioning. ' domain: cybersecurity @@ -24,6 +25,12 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195 +- T1554 +- T1059.004 +- T1078.004 +- T1530 --- # Implementing Infrastructure as Code Security Scanning diff --git a/skills/implementing-iso-27001-information-security-management/SKILL.md b/skills/implementing-iso-27001-information-security-management/SKILL.md index 6c63636c..3e271f95 100644 --- a/skills/implementing-iso-27001-information-security-management/SKILL.md 
+++ b/skills/implementing-iso-27001-information-security-management/SKILL.md @@ -1,13 +1,30 @@ --- name: implementing-iso-27001-information-security-management -description: ISO/IEC 27001:2022 is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). This skill covers the complete +description: ISO/IEC 27001:2022 is the international standard for establishing, implementing, + maintaining, and continually improving an Information Security Management System + (ISMS). This skill covers the complete domain: cybersecurity subdomain: compliance-governance -tags: [compliance, governance, iso27001, isms, risk-management, certification] -nist_csf: [GV.OC-01, GV.RM-01, GV.PO-01, ID.RA-01, PR.DS-01] -version: "1.0" +tags: +- compliance +- governance +- iso27001 +- isms +- risk-management +- certification +nist_csf: +- GV.OC-01 +- GV.RM-01 +- GV.PO-01 +- ID.RA-01 +- PR.DS-01 +version: '1.0' author: mahipal license: Apache-2.0 +mitre_attack: +- T1078 +- T1530 +- T1685.002 --- # Implementing ISO 27001 Information Security Management diff --git a/skills/implementing-just-in-time-access-provisioning/SKILL.md b/skills/implementing-just-in-time-access-provisioning/SKILL.md index e8ef6fb0..a96f1e96 100644 --- a/skills/implementing-just-in-time-access-provisioning/SKILL.md +++ b/skills/implementing-just-in-time-access-provisioning/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-just-in-time-access-provisioning -description: Implement Just-In-Time (JIT) access provisioning to eliminate standing privileges by granting temporary, time-bound - access only when needed. This skill covers JIT architecture design, approval workflo +description: Implement Just-In-Time (JIT) access provisioning to eliminate standing + privileges by granting temporary, time-bound access only when needed. This skill + covers JIT architecture design, approval workflo domain: cybersecurity subdomain: identity-access-management tags: @@ -20,6 +21,11 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 --- # Implementing Just-In-Time Access Provisioning diff --git a/skills/implementing-jwt-signing-and-verification/SKILL.md b/skills/implementing-jwt-signing-and-verification/SKILL.md index 2d676bd0..ccba0440 100644 --- a/skills/implementing-jwt-signing-and-verification/SKILL.md +++ b/skills/implementing-jwt-signing-and-verification/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-jwt-signing-and-verification -description: JSON Web Tokens (JWT) defined in RFC 7519 are compact, URL-safe tokens used for authentication and authorization - in web applications. This skill covers implementing secure JWT signing with HMAC-SHA256 +description: JSON Web Tokens (JWT) defined in RFC 7519 are compact, URL-safe tokens + used for authentication and authorization in web applications. This skill covers + implementing secure JWT signing with HMAC-SHA256 domain: cybersecurity subdomain: cryptography tags: @@ -17,6 +18,10 @@ nist_csf: - PR.DS-01 - PR.DS-02 - PR.DS-10 +mitre_attack: +- T1600 +- T1573 +- T1553 --- # Implementing JWT Signing and Verification diff --git a/skills/implementing-kubernetes-network-policy-with-calico/SKILL.md b/skills/implementing-kubernetes-network-policy-with-calico/SKILL.md index da9268e8..35e4b3f1 100644 --- a/skills/implementing-kubernetes-network-policy-with-calico/SKILL.md 
+++ b/skills/implementing-kubernetes-network-policy-with-calico/SKILL.md @@ -1,7 +1,7 @@ --- name: implementing-kubernetes-network-policy-with-calico -description: Implement Kubernetes network segmentation using Calico NetworkPolicy and GlobalNetworkPolicy for zero-trust pod-to-pod - communication. +description: Implement Kubernetes network segmentation using Calico NetworkPolicy + and GlobalNetworkPolicy for zero-trust pod-to-pod communication. domain: cybersecurity subdomain: container-security tags: @@ -19,6 +19,11 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 --- # Implementing Kubernetes Network Policy with Calico diff --git a/skills/implementing-kubernetes-pod-security-standards/SKILL.md b/skills/implementing-kubernetes-pod-security-standards/SKILL.md index 80e27433..be3fee9b 100644 --- a/skills/implementing-kubernetes-pod-security-standards/SKILL.md +++ b/skills/implementing-kubernetes-pod-security-standards/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-kubernetes-pod-security-standards -description: Pod Security Standards (PSS) define three levels of security policies -- Privileged, Baseline, and Restricted - -- enforced by the Pod Security Admission (PSA) controller built into Kubernetes 1.25+. PS +description: Pod Security Standards (PSS) define three levels of security policies + -- Privileged, Baseline, and Restricted -- enforced by the Pod Security Admission + (PSA) controller built into Kubernetes 1.25+. PS domain: cybersecurity subdomain: container-security tags: @@ -18,6 +19,11 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 --- # Implementing Kubernetes Pod Security Standards diff --git a/skills/implementing-llm-guardrails-for-security/SKILL.md b/skills/implementing-llm-guardrails-for-security/SKILL.md index 65257916..6503c603 100644 --- a/skills/implementing-llm-guardrails-for-security/SKILL.md 
+++ b/skills/implementing-llm-guardrails-for-security/SKILL.md @@ -1,12 +1,15 @@ --- name: implementing-llm-guardrails-for-security -description: 'Implements input and output validation guardrails for LLM-powered applications to prevent prompt injection, - data leakage, toxic content generation, and hallucinated outputs. Builds a security validation pipeline using NVIDIA NeMo - Guardrails Colang definitions, custom Python validators for PII detection and content policy enforcement, and the Guardrails - AI framework for structured output validation. The guardrails system intercepts both user inputs (blocking injection attempts, - stripping PII, enforcing topic boundaries) and model outputs (detecting hallucinations, filtering toxic content, validating - JSON schema compliance). Activates for requests involving LLM output validation, AI content filtering, guardrail implementation, - or LLM safety enforcement. +description: 'Implements input and output validation guardrails for LLM-powered applications + to prevent prompt injection, data leakage, toxic content generation, and hallucinated + outputs. Builds a security validation pipeline using NVIDIA NeMo Guardrails Colang + definitions, custom Python validators for PII detection and content policy enforcement, + and the Guardrails AI framework for structured output validation. The guardrails + system intercepts both user inputs (blocking injection attempts, stripping PII, + enforcing topic boundaries) and model outputs (detecting hallucinations, filtering + toxic content, validating JSON schema compliance). Activates for requests involving + LLM output validation, AI content filtering, guardrail implementation, or LLM safety + enforcement. ' domain: cybersecurity @@ -43,6 +46,11 @@ nist_csf: - ID.RA-01 - PR.PS-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1055 --- # Implementing LLM Guardrails for Security 
diff --git a/skills/implementing-log-forwarding-with-fluentd/SKILL.md b/skills/implementing-log-forwarding-with-fluentd/SKILL.md index b9e9a380..1d7b0c17 100644 --- a/skills/implementing-log-forwarding-with-fluentd/SKILL.md +++ b/skills/implementing-log-forwarding-with-fluentd/SKILL.md @@ -1,7 +1,7 @@ --- name: implementing-log-forwarding-with-fluentd -description: Configure Fluentd and Fluent Bit for centralized log aggregation, routing, filtering, and enrichment across distributed - infrastructure +description: Configure Fluentd and Fluent Bit for centralized log aggregation, routing, + filtering, and enrichment across distributed infrastructure domain: cybersecurity subdomain: security-operations tags: @@ -20,6 +20,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1685.002 +- T1685.005 --- # Implementing Log Forwarding with Fluentd diff --git a/skills/implementing-log-integrity-with-blockchain/SKILL.md b/skills/implementing-log-integrity-with-blockchain/SKILL.md index 4d36a781..e44a2eec 100644 --- a/skills/implementing-log-integrity-with-blockchain/SKILL.md +++ b/skills/implementing-log-integrity-with-blockchain/SKILL.md 
@@ -1,16 +1,19 @@ --- name: implementing-log-integrity-with-blockchain -description: Build an append-only log integrity chain using SHA-256 hash chaining for tamper detection. Each log entry is - hashed with the previous entry's hash to create a blockchain-like structure where modifying any entry invalidates all subsequent - hashes. Implements log ingestion, chain verification, tamper detection with pinpoint identification, and periodic checkpoint - anchoring to external timestamping services. +description: Build an append-only log integrity chain using SHA-256 hash chaining + for tamper detection. Each log entry is hashed with the previous entry's hash to + create a blockchain-like structure where modifying any entry invalidates all subsequent + hashes. Implements log ingestion, chain verification, tamper detection with pinpoint + identification, and periodic checkpoint anchoring to external timestamping services. domain: cybersecurity subdomain: security-operations tags: -- implementing -- log -- integrity -- with +- log-integrity +- tamper-detection +- hash-chaining +- sha-256 +- audit-logging +- security-operations version: '1.0' author: mahipal license: Apache-2.0 @@ -19,6 +22,10 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 --- diff --git a/skills/implementing-memory-protection-with-dep-aslr/SKILL.md b/skills/implementing-memory-protection-with-dep-aslr/SKILL.md index 5b96b6f8..de92d4cc 100644 --- a/skills/implementing-memory-protection-with-dep-aslr/SKILL.md +++ b/skills/implementing-memory-protection-with-dep-aslr/SKILL.md 
@@ -1,9 +1,11 @@ --- name: implementing-memory-protection-with-dep-aslr -description: 'Implements memory protection mechanisms including DEP (Data Execution Prevention), ASLR (Address Space Layout - Randomization), CFG (Control Flow Guard), and other exploit mitigations to prevent memory corruption attacks. Use when hardening - endpoints against buffer overflow exploits, ROP chains, and code injection. Activates for requests involving memory protection, - exploit mitigation, DEP, ASLR, or CFG configuration. +description: 'Implements memory protection mechanisms including DEP (Data Execution + Prevention), ASLR (Address Space Layout Randomization), CFG (Control Flow Guard), + and other exploit mitigations to prevent memory corruption attacks. Use when hardening + endpoints against buffer overflow exploits, ROP chains, and code injection. Activates + for requests involving memory protection, exploit mitigation, DEP, ASLR, or CFG + configuration. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - PR.PS-02 - DE.CM-01 - PR.IR-01 +mitre_attack: +- T1055 +- T1547 +- T1059 +- T1036 +- T1190 --- # Implementing Memory Protection with DEP and ASLR diff --git a/skills/implementing-microsegmentation-with-guardicore/SKILL.md b/skills/implementing-microsegmentation-with-guardicore/SKILL.md index cf692c31..40e438c1 100644 --- a/skills/implementing-microsegmentation-with-guardicore/SKILL.md +++ b/skills/implementing-microsegmentation-with-guardicore/SKILL.md 
@@ -1,8 +1,9 @@ --- name: implementing-microsegmentation-with-guardicore -description: 'Implementing microsegmentation using Akamai Guardicore Segmentation to map application dependencies, create - granular network policies, visualize east-west traffic flows, and enforce least-privilege communication between workloads - across data centers and cloud. +description: 'Implementing microsegmentation using Akamai Guardicore Segmentation + to map application dependencies, create granular network policies, visualize east-west + traffic flows, and enforce least-privilege communication between workloads across + data centers and cloud. ' domain: cybersecurity @@ -23,6 +24,12 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1021 +- T1550 --- # Implementing Microsegmentation with Guardicore diff --git a/skills/implementing-mimecast-targeted-attack-protection/SKILL.md b/skills/implementing-mimecast-targeted-attack-protection/SKILL.md index 69fe8e29..8bc864eb 100644 --- a/skills/implementing-mimecast-targeted-attack-protection/SKILL.md +++ b/skills/implementing-mimecast-targeted-attack-protection/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-mimecast-targeted-attack-protection -description: Deploy Mimecast Targeted Threat Protection including URL Protect, Attachment Protect, Impersonation Protect, - and Internal Email Protect to defend against advanced phishing and spearphishing attacks. +description: Deploy Mimecast Targeted Threat Protection including URL Protect, Attachment + Protect, Impersonation Protect, and Internal Email Protect to defend against advanced + phishing and spearphishing attacks. domain: cybersecurity subdomain: phishing-defense tags: @@ -20,6 +21,11 @@ nist_csf: - DE.CM-09 - RS.CO-02 - DE.AE-02 +mitre_attack: +- T1566 +- T1598 +- T1534 +- T1036 --- # Implementing Mimecast Targeted Attack Protection 
diff --git a/skills/implementing-mitre-attack-coverage-mapping/SKILL.md b/skills/implementing-mitre-attack-coverage-mapping/SKILL.md index 6b655280..15abf132 100644 --- a/skills/implementing-mitre-attack-coverage-mapping/SKILL.md +++ b/skills/implementing-mitre-attack-coverage-mapping/SKILL.md @@ -1,7 +1,7 @@ --- name: implementing-mitre-attack-coverage-mapping -description: Implement MITRE ATT&CK coverage mapping to identify detection gaps, prioritize rule development, and measure - SOC detection maturity against adversary techniques. +description: Implement MITRE ATT&CK coverage mapping to identify detection gaps, prioritize + rule development, and measure SOC detection maturity against adversary techniques. domain: cybersecurity subdomain: soc-operations tags: @@ -33,6 +33,11 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1685.002 +- T1685.005 +- T1566 --- # Implementing MITRE ATT&CK Coverage Mapping diff --git a/skills/implementing-mobile-application-management/SKILL.md b/skills/implementing-mobile-application-management/SKILL.md index 95310f13..0e48772f 100644 --- a/skills/implementing-mobile-application-management/SKILL.md +++ b/skills/implementing-mobile-application-management/SKILL.md 
@@ -1,9 +1,11 @@ --- name: implementing-mobile-application-management -description: 'Implements Mobile Application Management (MAM) policies to protect enterprise data on managed and unmanaged - mobile devices through app-level controls including data loss prevention, selective wipe, app configuration, and containerization. - Use when securing corporate apps on BYOD devices, implementing Intune App Protection Policies, or enforcing data separation - between personal and work apps. Activates for requests involving MAM deployment, app protection policies, mobile containerization, +description: 'Implements Mobile Application Management (MAM) policies to protect enterprise + data on managed and unmanaged mobile devices through app-level controls including + data loss prevention, selective wipe, app configuration, and containerization. Use + when securing corporate apps on BYOD devices, implementing Intune App Protection + Policies, or enforcing data separation between personal and work apps. Activates + for requests involving MAM deployment, app protection policies, mobile containerization, or BYOD security. ' @@ -24,6 +26,12 @@ nist_csf: - PR.AA-05 - ID.RA-01 - DE.CM-09 +mitre_attack: +- T1059 +- T1056 +- T1036 +- T1078 +- T1610 --- # Implementing Mobile Application Management diff --git a/skills/implementing-mtls-for-zero-trust-services/SKILL.md b/skills/implementing-mtls-for-zero-trust-services/SKILL.md index 182bca4a..60bdc77b 100644 --- a/skills/implementing-mtls-for-zero-trust-services/SKILL.md +++ b/skills/implementing-mtls-for-zero-trust-services/SKILL.md 
@@ -1,17 +1,20 @@ --- name: implementing-mtls-for-zero-trust-services -description: 'Configures mutual TLS (mTLS) authentication between microservices using Python cryptography library for certificate - generation and ssl module for TLS verification. Validates certificate chains, checks expiration, and audits mTLS deployment - status. Use when implementing zero-trust service-to-service authentication. +description: 'Configures mutual TLS (mTLS) authentication between microservices using + Python cryptography library for certificate generation and ssl module for TLS verification. + Validates certificate chains, checks expiration, and audits mTLS deployment status. + Use when implementing zero-trust service-to-service authentication. ' domain: cybersecurity subdomain: security-operations tags: -- implementing - mtls -- for -- zero +- zero-trust +- mutual-tls +- service-authentication +- certificate-management +- microservices-security version: '1.0' author: mahipal license: Apache-2.0 @@ -20,6 +23,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1553 +- T1573 --- # Implementing mTLS for Zero Trust Services diff --git a/skills/implementing-nerc-cip-compliance-controls/SKILL.md b/skills/implementing-nerc-cip-compliance-controls/SKILL.md index 22dcb155..7ac34e1b 100644 --- a/skills/implementing-nerc-cip-compliance-controls/SKILL.md +++ b/skills/implementing-nerc-cip-compliance-controls/SKILL.md 
@@ -1,10 +1,11 @@ --- name: implementing-nerc-cip-compliance-controls -description: 'This skill covers implementing North American Electric Reliability Corporation Critical Infrastructure Protection - (NERC CIP) compliance controls for Bulk Electric System (BES) cyber systems. It addresses asset categorization (CIP-002), - electronic security perimeters (CIP-005), system security management (CIP-007), configuration management (CIP-010), supply - chain risk management (CIP-013), and the 2025 updates including mandatory MFA for remote access and expanded low-impact - asset requirements. +description: 'This skill covers implementing North American Electric Reliability Corporation + Critical Infrastructure Protection (NERC CIP) compliance controls for Bulk Electric + System (BES) cyber systems. It addresses asset categorization (CIP-002), electronic + security perimeters (CIP-005), system security management (CIP-007), configuration + management (CIP-010), supply chain risk management (CIP-013), and the 2025 updates + including mandatory MFA for remote access and expanded low-impact asset requirements. ' domain: cybersecurity @@ -26,6 +27,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1195 +- T1554 --- # Implementing NERC CIP Compliance Controls diff --git a/skills/implementing-network-access-control-with-cisco-ise/SKILL.md b/skills/implementing-network-access-control-with-cisco-ise/SKILL.md index 1fa743e7..a2abf039 100644 --- a/skills/implementing-network-access-control-with-cisco-ise/SKILL.md +++ b/skills/implementing-network-access-control-with-cisco-ise/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-network-access-control-with-cisco-ise -description: Deploy Cisco Identity Services Engine for 802.1X wired and wireless authentication, MAC Authentication Bypass, - posture assessment, and dynamic VLAN assignment for network access control. +description: Deploy Cisco Identity Services Engine for 802.1X wired and wireless authentication, + MAC Authentication Bypass, posture assessment, and dynamic VLAN assignment for network + access control. domain: cybersecurity subdomain: network-security tags: @@ -22,6 +23,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1027 --- # Implementing Network Access Control with Cisco ISE diff --git a/skills/implementing-network-access-control/SKILL.md b/skills/implementing-network-access-control/SKILL.md index 33f95492..ac31ea8d 100644 --- a/skills/implementing-network-access-control/SKILL.md +++ b/skills/implementing-network-access-control/SKILL.md @@ -1,8 +1,8 @@ --- name: implementing-network-access-control -description: 'Implements 802.1X port-based network access control using RADIUS authentication, PacketFence NAC, and switch - configurations to enforce identity-based access policies, posture assessment, and automatic VLAN assignment for authorized - devices. +description: 'Implements 802.1X port-based network access control using RADIUS authentication, + PacketFence NAC, and switch configurations to enforce identity-based access policies, + posture assessment, and automatic VLAN assignment for authorized devices. ' domain: cybersecurity @@ -21,6 +21,11 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 --- # Implementing Network Access Control diff --git a/skills/implementing-network-deception-with-honeypots/SKILL.md b/skills/implementing-network-deception-with-honeypots/SKILL.md index 3414cfa0..aab41143 100644 --- a/skills/implementing-network-deception-with-honeypots/SKILL.md 
+++ b/skills/implementing-network-deception-with-honeypots/SKILL.md @@ -1,7 +1,7 @@ --- name: implementing-network-deception-with-honeypots -description: Deploy and manage network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral - movement, and attacker reconnaissance. +description: Deploy and manage network honeypots using OpenCanary, T-Pot, or Cowrie + to detect unauthorized access, lateral movement, and attacker reconnaissance. domain: cybersecurity subdomain: deception-technology tags: @@ -20,6 +20,12 @@ nist_csf: - DE.CM-01 - DE.AE-06 - PR.IR-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1021 +- T1550 --- # Implementing Network Deception with Honeypots diff --git a/skills/implementing-network-intrusion-prevention-with-suricata/SKILL.md b/skills/implementing-network-intrusion-prevention-with-suricata/SKILL.md index 5400cd8f..431c0054 100644 --- a/skills/implementing-network-intrusion-prevention-with-suricata/SKILL.md +++ b/skills/implementing-network-intrusion-prevention-with-suricata/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-network-intrusion-prevention-with-suricata -description: Deploy and configure Suricata as a network intrusion prevention system with custom rules, Emerging Threats rulesets, - and inline traffic inspection for real-time threat blocking. +description: Deploy and configure Suricata as a network intrusion prevention system + with custom rules, Emerging Threats rulesets, and inline traffic inspection for + real-time threat blocking. domain: cybersecurity subdomain: network-security tags: @@ -22,6 +23,11 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 --- # Implementing Network Intrusion Prevention with Suricata diff --git a/skills/implementing-network-policies-for-kubernetes/SKILL.md b/skills/implementing-network-policies-for-kubernetes/SKILL.md index 43d6832e..1127073b 100644 --- a/skills/implementing-network-policies-for-kubernetes/SKILL.md 
+++ b/skills/implementing-network-policies-for-kubernetes/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-network-policies-for-kubernetes -description: Kubernetes NetworkPolicies provide pod-level network segmentation by defining ingress and egress rules that control - traffic flow between pods, namespaces, and external endpoints. Combined with CNI plu +description: Kubernetes NetworkPolicies provide pod-level network segmentation by + defining ingress and egress rules that control traffic flow between pods, namespaces, + and external endpoints. Combined with CNI plu domain: cybersecurity subdomain: container-security tags: @@ -18,6 +19,11 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 --- # Implementing Network Policies for Kubernetes diff --git a/skills/implementing-network-segmentation-for-ot/SKILL.md b/skills/implementing-network-segmentation-for-ot/SKILL.md index 9ed6ebfd..e28f1784 100644 --- a/skills/implementing-network-segmentation-for-ot/SKILL.md +++ b/skills/implementing-network-segmentation-for-ot/SKILL.md 
@@ -1,9 +1,11 @@ --- name: implementing-network-segmentation-for-ot -description: 'This skill covers implementing network segmentation in Operational Technology environments using VLANs, industrial - firewalls, data diodes, and software-defined networking. It addresses the Purdue Model-based segmentation strategy, migration - from flat networks to segmented architectures without disrupting operations, configuring OT-aware firewalls with industrial - protocol deep packet inspection, and validating segmentation effectiveness through traffic analysis. +description: 'This skill covers implementing network segmentation in Operational Technology + environments using VLANs, industrial firewalls, data diodes, and software-defined + networking. It addresses the Purdue Model-based segmentation strategy, migration + from flat networks to segmented architectures without disrupting operations, configuring + OT-aware firewalls with industrial protocol deep packet inspection, and validating + segmentation effectiveness through traffic analysis. ' domain: cybersecurity @@ -24,6 +26,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Implementing Network Segmentation for OT diff --git a/skills/implementing-network-segmentation-with-firewall-zones/SKILL.md b/skills/implementing-network-segmentation-with-firewall-zones/SKILL.md index 6fb63baa..55ad59c3 100644 --- a/skills/implementing-network-segmentation-with-firewall-zones/SKILL.md +++ b/skills/implementing-network-segmentation-with-firewall-zones/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-network-segmentation-with-firewall-zones -description: Design and implement network segmentation using firewall security zones, VLANs, ACLs, and microsegmentation policies - to restrict lateral movement and enforce least-privilege network access. +description: Design and implement network segmentation using firewall security zones, + VLANs, ACLs, and microsegmentation policies to restrict lateral movement and enforce + least-privilege network access. domain: cybersecurity subdomain: network-security tags: @@ -22,6 +23,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1021 --- # Implementing Network Segmentation with Firewall Zones diff --git a/skills/implementing-network-traffic-analysis-with-arkime/SKILL.md b/skills/implementing-network-traffic-analysis-with-arkime/SKILL.md index 9777a2e9..587dbe1a 100644 --- a/skills/implementing-network-traffic-analysis-with-arkime/SKILL.md +++ b/skills/implementing-network-traffic-analysis-with-arkime/SKILL.md 
@@ -1,15 +1,19 @@ --- name: implementing-network-traffic-analysis-with-arkime -description: Deploy and query Arkime (formerly Moloch) for full packet capture network traffic analysis. Uses the Arkime API - v3 to search sessions, download PCAPs, analyze connection patterns, detect beaconing behavior, and identify suspicious network - flows. Monitors DNS queries, HTTP traffic, and TLS certificate anomalies across captured traffic. +description: Deploy and query Arkime (formerly Moloch) for full packet capture network + traffic analysis. Uses the Arkime API v3 to search sessions, download PCAPs, analyze + connection patterns, detect beaconing behavior, and identify suspicious network + flows. Monitors DNS queries, HTTP traffic, and TLS certificate anomalies across + captured traffic. domain: cybersecurity subdomain: network-security tags: -- implementing -- network -- traffic -- analysis +- network-security +- arkime +- full-packet-capture +- nta +- pcap-analysis +- network-forensics version: '1.0' author: mahipal license: Apache-2.0 @@ -18,6 +22,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1095 --- diff --git a/skills/implementing-network-traffic-baselining/SKILL.md b/skills/implementing-network-traffic-baselining/SKILL.md index d013f089..da1ad6b5 100644 --- a/skills/implementing-network-traffic-baselining/SKILL.md +++ b/skills/implementing-network-traffic-baselining/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-network-traffic-baselining -description: Build network traffic baselines from NetFlow/IPFIX data using Python pandas for statistical analysis, z-score - anomaly detection, and hourly/daily traffic pattern profiling +description: Build network traffic baselines from NetFlow/IPFIX data using Python + pandas for statistical analysis, z-score anomaly detection, and hourly/daily traffic + pattern profiling domain: cybersecurity subdomain: network-security tags: 
@@ -20,6 +21,11 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 --- # Implementing Network Traffic Baselining diff --git a/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.md b/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.md index 186063e9..14e6d839 100644 --- a/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.md +++ b/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-next-generation-firewall-with-palo-alto -description: Configure and deploy Palo Alto Networks next-generation firewalls with App-ID, User-ID, zone-based policies, - SSL decryption, and threat prevention profiles for enterprise network security. +description: Configure and deploy Palo Alto Networks next-generation firewalls with + App-ID, User-ID, zone-based policies, SSL decryption, and threat prevention profiles + for enterprise network security. domain: cybersecurity subdomain: network-security tags: @@ -22,6 +23,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1553 --- # Implementing Next-Generation Firewall with Palo Alto diff --git a/skills/implementing-opa-gatekeeper-for-policy-enforcement/SKILL.md b/skills/implementing-opa-gatekeeper-for-policy-enforcement/SKILL.md index 92111b2e..ce9139eb 100644 --- a/skills/implementing-opa-gatekeeper-for-policy-enforcement/SKILL.md +++ b/skills/implementing-opa-gatekeeper-for-policy-enforcement/SKILL.md @@ -1,7 +1,7 @@ --- name: implementing-opa-gatekeeper-for-policy-enforcement -description: Enforce Kubernetes admission policies using OPA Gatekeeper with ConstraintTemplates, Rego rules, and the Gatekeeper - policy library. +description: Enforce Kubernetes admission policies using OPA Gatekeeper with ConstraintTemplates, + Rego rules, and the Gatekeeper policy library. domain: cybersecurity subdomain: container-security tags: 
@@ -19,6 +19,11 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 --- # Implementing OPA Gatekeeper for Policy Enforcement diff --git a/skills/implementing-ot-incident-response-playbook/SKILL.md b/skills/implementing-ot-incident-response-playbook/SKILL.md index 12a0244c..23a32313 100644 --- a/skills/implementing-ot-incident-response-playbook/SKILL.md +++ b/skills/implementing-ot-incident-response-playbook/SKILL.md @@ -1,8 +1,9 @@ --- name: implementing-ot-incident-response-playbook -description: 'Develop and implement OT-specific incident response playbooks aligned with SANS PICERL framework, IEC 62443, - and NIST SP 800-82 that address unique ICS challenges including safety-critical systems, limited downtime tolerance, and - coordination between IT SOC, OT engineering, and plant operations teams. +description: 'Develop and implement OT-specific incident response playbooks aligned + with SANS PICERL framework, IEC 62443, and NIST SP 800-82 that address unique ICS + challenges including safety-critical systems, limited downtime tolerance, and coordination + between IT SOC, OT engineering, and plant operations teams. ' domain: cybersecurity @@ -24,6 +25,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Implementing OT Incident Response Playbook diff --git a/skills/implementing-ot-network-traffic-analysis-with-nozomi/SKILL.md b/skills/implementing-ot-network-traffic-analysis-with-nozomi/SKILL.md index 0383ac70..cfa0d8ce 100644 --- a/skills/implementing-ot-network-traffic-analysis-with-nozomi/SKILL.md +++ b/skills/implementing-ot-network-traffic-analysis-with-nozomi/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-ot-network-traffic-analysis-with-nozomi -description: 'Deploy Nozomi Networks Guardian sensors for passive OT network traffic analysis to achieve comprehensive asset - visibility, real-time threat detection, and vulnerability assessment across industrial control systems without disrupting +description: 'Deploy Nozomi Networks Guardian sensors for passive OT network traffic + analysis to achieve comprehensive asset visibility, real-time threat detection, + and vulnerability assessment across industrial control systems without disrupting operations, leveraging behavioral anomaly detection and protocol-aware monitoring. ' @@ -32,6 +33,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Implementing OT Network Traffic Analysis with Nozomi diff --git a/skills/implementing-pam-for-database-access/SKILL.md b/skills/implementing-pam-for-database-access/SKILL.md index 2c922bf5..a6894698 100644 --- a/skills/implementing-pam-for-database-access/SKILL.md +++ b/skills/implementing-pam-for-database-access/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-pam-for-database-access -description: Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. - Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia +description: Deploy privileged access management for database systems including Oracle, + SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential + vaulting, query auditing, dynamic credentia domain: cybersecurity subdomain: identity-access-management tags: @@ -20,6 +21,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 +- T1003 --- # Implementing PAM for Database Access 
diff --git a/skills/implementing-passwordless-auth-with-microsoft-entra/SKILL.md b/skills/implementing-passwordless-auth-with-microsoft-entra/SKILL.md index a91783ac..710d0749 100644 --- a/skills/implementing-passwordless-auth-with-microsoft-entra/SKILL.md +++ b/skills/implementing-passwordless-auth-with-microsoft-entra/SKILL.md @@ -1,9 +1,10 @@ --- name: implementing-passwordless-auth-with-microsoft-entra -description: 'Implements passwordless authentication using Microsoft Entra ID with FIDO2 security keys, Windows Hello for - Business, Microsoft Authenticator passkeys, and certificate-based authentication to eliminate password-based attacks. Activates - for requests involving passwordless deployment, FIDO2 passkey configuration, phishing-resistant MFA, or Microsoft Entra - authentication method policies. +description: 'Implements passwordless authentication using Microsoft Entra ID with + FIDO2 security keys, Windows Hello for Business, Microsoft Authenticator passkeys, + and certificate-based authentication to eliminate password-based attacks. Activates + for requests involving passwordless deployment, FIDO2 passkey configuration, phishing-resistant + MFA, or Microsoft Entra authentication method policies. ' domain: cybersecurity @@ -23,6 +24,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 +- T1566 --- # Implementing Passwordless Auth with Microsoft Entra diff --git a/skills/implementing-passwordless-authentication-with-fido2/SKILL.md b/skills/implementing-passwordless-authentication-with-fido2/SKILL.md index aeb4f328..80a27283 100644 --- a/skills/implementing-passwordless-authentication-with-fido2/SKILL.md +++ b/skills/implementing-passwordless-authentication-with-fido2/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-passwordless-authentication-with-fido2 -description: Deploy FIDO2/WebAuthn passwordless authentication using security keys and platform authenticators. Covers WebAuthn - API integration, FIDO2 server configuration, passkey enrollment, biometric authentica +description: Deploy FIDO2/WebAuthn passwordless authentication using security keys + and platform authenticators. Covers WebAuthn API integration, FIDO2 server configuration, + passkey enrollment, biometric authentica domain: cybersecurity subdomain: identity-access-management tags: @@ -29,6 +30,11 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 --- # Implementing Passwordless Authentication with FIDO2 diff --git a/skills/implementing-patch-management-for-ot-systems/SKILL.md b/skills/implementing-patch-management-for-ot-systems/SKILL.md index 79a89796..f22cef30 100644 --- a/skills/implementing-patch-management-for-ot-systems/SKILL.md +++ b/skills/implementing-patch-management-for-ot-systems/SKILL.md 
@@ -1,9 +1,11 @@ --- name: implementing-patch-management-for-ot-systems -description: 'This skill covers implementing a structured patch management program for OT/ICS environments where traditional - IT patching approaches can cause process disruption or safety hazards. It addresses vendor compatibility testing, risk-based - patch prioritization, staged deployment through test environments, maintenance window coordination, rollback procedures, - and compensating controls when patches cannot be applied due to operational constraints or vendor restrictions. +description: 'This skill covers implementing a structured patch management program + for OT/ICS environments where traditional IT patching approaches can cause process + disruption or safety hazards. It addresses vendor compatibility testing, risk-based + patch prioritization, staged deployment through test environments, maintenance window + coordination, rollback procedures, and compensating controls when patches cannot + be applied due to operational constraints or vendor restrictions. ' domain: cybersecurity @@ -24,6 +26,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Implementing Patch Management for OT Systems diff --git a/skills/implementing-patch-management-workflow/SKILL.md b/skills/implementing-patch-management-workflow/SKILL.md index 57dea667..bc021b04 100644 --- a/skills/implementing-patch-management-workflow/SKILL.md +++ b/skills/implementing-patch-management-workflow/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-patch-management-workflow -description: Patch management is the systematic process of identifying, testing, deploying, and verifying software updates - to remediate vulnerabilities across an organization's IT infrastructure. An effective patc +description: Patch management is the systematic process of identifying, testing, deploying, + and verifying software updates to remediate vulnerabilities across an organization's + IT infrastructure. An effective patc domain: cybersecurity subdomain: vulnerability-management tags: @@ -19,6 +20,10 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 --- # Implementing Patch Management Workflow diff --git a/skills/implementing-pci-dss-compliance-controls/SKILL.md b/skills/implementing-pci-dss-compliance-controls/SKILL.md index d741d117..b97144f8 100644 --- a/skills/implementing-pci-dss-compliance-controls/SKILL.md +++ b/skills/implementing-pci-dss-compliance-controls/SKILL.md 
@@ -1,13 +1,29 @@ --- name: implementing-pci-dss-compliance-controls -description: PCI DSS 4.0.1 establishes 12 requirements across 6 control objectives for organizations that store, process, or transmit cardholder data. With PCI DSS 3.2.1 retiring April 2024 and 51 new requirements +description: PCI DSS 4.0.1 establishes 12 requirements across 6 control objectives + for organizations that store, process, or transmit cardholder data. With PCI DSS + 3.2.1 retiring April 2024 and 51 new requirements domain: cybersecurity subdomain: compliance-governance -tags: [compliance, governance, pci-dss, payment-security, cardholder-data] -nist_csf: [GV.PO-01, PR.DS-01, PR.AA-01, DE.CM-01, ID.RA-01] -version: "1.0" +tags: +- compliance +- governance +- pci-dss +- payment-security +- cardholder-data +nist_csf: +- GV.PO-01 +- PR.DS-01 +- PR.AA-01 +- DE.CM-01 +- ID.RA-01 +version: '1.0' author: mahipal license: Apache-2.0 +mitre_attack: +- T1078 +- T1530 +- T1685.002 --- # Implementing PCI DSS Compliance Controls diff --git a/skills/implementing-pod-security-admission-controller/SKILL.md b/skills/implementing-pod-security-admission-controller/SKILL.md index dbf72ed7..c0b9b63a 100644 --- a/skills/implementing-pod-security-admission-controller/SKILL.md +++ b/skills/implementing-pod-security-admission-controller/SKILL.md @@ -1,7 +1,7 @@ --- name: implementing-pod-security-admission-controller -description: Implement Kubernetes Pod Security Admission to enforce baseline and restricted security profiles at namespace - level using built-in admission controller. +description: Implement Kubernetes Pod Security Admission to enforce baseline and restricted + security profiles at namespace level using built-in admission controller. domain: cybersecurity subdomain: container-security tags: @@ -18,6 +18,11 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 --- # Implementing Pod Security Admission Controller 
diff --git a/skills/implementing-policy-as-code-with-open-policy-agent/SKILL.md b/skills/implementing-policy-as-code-with-open-policy-agent/SKILL.md index f559d7ce..17189af5 100644 --- a/skills/implementing-policy-as-code-with-open-policy-agent/SKILL.md +++ b/skills/implementing-policy-as-code-with-open-policy-agent/SKILL.md @@ -1,8 +1,9 @@ --- name: implementing-policy-as-code-with-open-policy-agent -description: 'This skill covers implementing Open Policy Agent (OPA) and Gatekeeper for policy-as-code enforcement in Kubernetes - and CI/CD pipelines. It addresses writing Rego policies, deploying OPA Gatekeeper as a Kubernetes admission controller, - testing policies in development, and integrating policy evaluation into deployment pipelines. +description: 'This skill covers implementing Open Policy Agent (OPA) and Gatekeeper + for policy-as-code enforcement in Kubernetes and CI/CD pipelines. It addresses writing + Rego policies, deploying OPA Gatekeeper as a Kubernetes admission controller, testing + policies in development, and integrating policy evaluation into deployment pipelines. ' domain: cybersecurity @@ -27,6 +28,12 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195 +- T1554 +- T1059.004 +- T1610 +- T1611 --- # Implementing Policy as Code with Open Policy Agent diff --git a/skills/implementing-privileged-access-management-with-cyberark/SKILL.md b/skills/implementing-privileged-access-management-with-cyberark/SKILL.md index de5c7899..b827296e 100644 --- a/skills/implementing-privileged-access-management-with-cyberark/SKILL.md +++ b/skills/implementing-privileged-access-management-with-cyberark/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-privileged-access-management-with-cyberark -description: Deploy CyberArk Privileged Access Management to discover, vault, rotate, and monitor privileged credentials across - enterprise infrastructure. This skill covers vault architecture, session isolation, c +description: Deploy CyberArk Privileged Access Management to discover, vault, rotate, + and monitor privileged credentials across enterprise infrastructure. This skill + covers vault architecture, session isolation, c domain: cybersecurity subdomain: identity-access-management tags: @@ -19,6 +20,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 +- T1003 --- # Implementing Privileged Access Management with CyberArk diff --git a/skills/implementing-privileged-access-workstation/SKILL.md b/skills/implementing-privileged-access-workstation/SKILL.md index acd61341..448ef466 100644 --- a/skills/implementing-privileged-access-workstation/SKILL.md +++ b/skills/implementing-privileged-access-workstation/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-privileged-access-workstation -description: Design and implement Privileged Access Workstations (PAWs) with device hardening, just-in-time access, and integration - with CyberArk or BeyondTrust for secure administrative operations. +description: Design and implement Privileged Access Workstations (PAWs) with device + hardening, just-in-time access, and integration with CyberArk or BeyondTrust for + secure administrative operations. domain: cybersecurity subdomain: identity-and-access-management tags: @@ -19,6 +20,10 @@ nist_csf: - PR.AA-01 - PR.AA-02 - PR.AA-05 +mitre_attack: +- T1078 +- T1190 +- T1059 --- # Implementing Privileged Access Workstation diff --git a/skills/implementing-privileged-session-monitoring/SKILL.md b/skills/implementing-privileged-session-monitoring/SKILL.md index ec3859e3..1b7dd8d4 100644 --- a/skills/implementing-privileged-session-monitoring/SKILL.md 
+++ b/skills/implementing-privileged-session-monitoring/SKILL.md @@ -1,9 +1,11 @@ --- name: implementing-privileged-session-monitoring -description: 'Implements privileged session monitoring and recording using Privileged Access Management (PAM) solutions, focusing - on CyberArk Privileged Session Manager (PSM) and open-source alternatives. Covers session recording configuration, keystroke - logging, real-time monitoring, risk-based session analysis, and compliance audit trail generation. Activates for requests - involving privileged session recording, PAM session monitoring, CyberArk PSM configuration, administrator activity monitoring, +description: 'Implements privileged session monitoring and recording using Privileged + Access Management (PAM) solutions, focusing on CyberArk Privileged Session Manager + (PSM) and open-source alternatives. Covers session recording configuration, keystroke + logging, real-time monitoring, risk-based session analysis, and compliance audit + trail generation. Activates for requests involving privileged session recording, + PAM session monitoring, CyberArk PSM configuration, administrator activity monitoring, or compliance session auditing. ' @@ -25,6 +27,11 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 --- # Implementing Privileged Session Monitoring diff --git a/skills/implementing-proofpoint-email-security-gateway/SKILL.md b/skills/implementing-proofpoint-email-security-gateway/SKILL.md index cbe4e841..f3948257 100644 --- a/skills/implementing-proofpoint-email-security-gateway/SKILL.md +++ b/skills/implementing-proofpoint-email-security-gateway/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-proofpoint-email-security-gateway -description: Deploy and configure Proofpoint Email Protection as a secure email gateway to detect and block phishing, malware, - BEC, and spam before messages reach user inboxes. +description: Deploy and configure Proofpoint Email Protection as a secure email gateway + to detect and block phishing, malware, BEC, and spam before messages reach user + inboxes. domain: cybersecurity subdomain: phishing-defense tags: @@ -21,6 +22,12 @@ nist_csf: - DE.CM-09 - RS.CO-02 - DE.AE-02 +mitre_attack: +- T1566 +- T1598 +- T1534 +- T1036 +- T1027 --- # Implementing Proofpoint Email Security Gateway diff --git a/skills/implementing-purdue-model-network-segmentation/SKILL.md b/skills/implementing-purdue-model-network-segmentation/SKILL.md index 5820fdac..82e785a7 100644 --- a/skills/implementing-purdue-model-network-segmentation/SKILL.md +++ b/skills/implementing-purdue-model-network-segmentation/SKILL.md @@ -1,8 +1,9 @@ --- name: implementing-purdue-model-network-segmentation -description: 'Implement network segmentation based on the Purdue Enterprise Reference Architecture (PERA) model to separate - industrial control system networks into hierarchical security zones from Level 0 physical process through Level 5 enterprise, - enforcing strict traffic control between OT and IT domains. +description: 'Implement network segmentation based on the Purdue Enterprise Reference + Architecture (PERA) model to separate industrial control system networks into hierarchical + security zones from Level 0 physical process through Level 5 enterprise, enforcing + strict traffic control between OT and IT domains. ' domain: cybersecurity @@ -24,6 +25,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Implementing Purdue Model Network Segmentation 
diff --git a/skills/implementing-ransomware-backup-strategy/SKILL.md b/skills/implementing-ransomware-backup-strategy/SKILL.md index 051569f6..5e7ce514 100644 --- a/skills/implementing-ransomware-backup-strategy/SKILL.md +++ b/skills/implementing-ransomware-backup-strategy/SKILL.md @@ -1,10 +1,12 @@ --- name: implementing-ransomware-backup-strategy -description: 'Designs and implements a ransomware-resilient backup strategy following the 3-2-1-1-0 methodology (3 copies, - 2 media types, 1 offsite, 1 immutable/air-gapped, 0 errors on restore verification). Configures backup schedules aligned - to RPO/RTO requirements, implements backup credential isolation to prevent ransomware from compromising backup infrastructure, - and establishes automated restore testing. Activates for requests involving ransomware backup planning, backup resilience, - air-gapped backup design, or backup recovery point objective configuration. +description: 'Designs and implements a ransomware-resilient backup strategy following + the 3-2-1-1-0 methodology (3 copies, 2 media types, 1 offsite, 1 immutable/air-gapped, + 0 errors on restore verification). Configures backup schedules aligned to RPO/RTO + requirements, implements backup credential isolation to prevent ransomware from + compromising backup infrastructure, and establishes automated restore testing. Activates + for requests involving ransomware backup planning, backup resilience, air-gapped + backup design, or backup recovery point objective configuration. ' domain: cybersecurity @@ -34,6 +36,12 @@ nist_csf: - RS.MA-01 - RC.RP-01 - PR.IR-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1003 +- T1110 --- # Implementing Ransomware Backup Strategy diff --git a/skills/implementing-ransomware-kill-switch-detection/SKILL.md b/skills/implementing-ransomware-kill-switch-detection/SKILL.md index b5e75778..af986540 100644 --- a/skills/implementing-ransomware-kill-switch-detection/SKILL.md 
+++ b/skills/implementing-ransomware-kill-switch-detection/SKILL.md @@ -1,9 +1,11 @@ --- name: implementing-ransomware-kill-switch-detection -description: 'Detects and exploits ransomware kill switch mechanisms including mutex-based execution guards, domain-based - kill switches, and registry-based termination checks. Implements proactive mutex vaccination and kill switch domain monitoring - to prevent ransomware from executing. Activates for requests involving ransomware kill switch analysis, mutex vaccination, - WannaCry-style domain kill switches, or malware execution guard detection. +description: 'Detects and exploits ransomware kill switch mechanisms including mutex-based + execution guards, domain-based kill switches, and registry-based termination checks. + Implements proactive mutex vaccination and kill switch domain monitoring to prevent + ransomware from executing. Activates for requests involving ransomware kill switch + analysis, mutex vaccination, WannaCry-style domain kill switches, or malware execution + guard detection. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - RS.MA-01 - RC.RP-01 - PR.IR-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1486 +- T1490 --- # Implementing Ransomware Kill Switch Detection diff --git a/skills/implementing-rapid7-insightvm-for-scanning/SKILL.md b/skills/implementing-rapid7-insightvm-for-scanning/SKILL.md index 95c84647..6c2b9d63 100644 --- a/skills/implementing-rapid7-insightvm-for-scanning/SKILL.md +++ b/skills/implementing-rapid7-insightvm-for-scanning/SKILL.md 
@@ -1,7 +1,7 @@ --- name: implementing-rapid7-insightvm-for-scanning -description: Deploy and configure Rapid7 InsightVM Security Console and Scan Engines for authenticated and unauthenticated - vulnerability scanning across enterprise environments. +description: Deploy and configure Rapid7 InsightVM Security Console and Scan Engines + for authenticated and unauthenticated vulnerability scanning across enterprise environments. domain: cybersecurity subdomain: vulnerability-management tags: @@ -20,6 +20,10 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 --- # Implementing Rapid7 InsightVM for Scanning diff --git a/skills/implementing-rbac-hardening-for-kubernetes/SKILL.md b/skills/implementing-rbac-hardening-for-kubernetes/SKILL.md index b83a9733..b4dc6657 100644 --- a/skills/implementing-rbac-hardening-for-kubernetes/SKILL.md +++ b/skills/implementing-rbac-hardening-for-kubernetes/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-rbac-hardening-for-kubernetes -description: Harden Kubernetes Role-Based Access Control by implementing least-privilege policies, auditing role bindings, - eliminating cluster-admin sprawl, and integrating external identity providers. +description: Harden Kubernetes Role-Based Access Control by implementing least-privilege + policies, auditing role bindings, eliminating cluster-admin sprawl, and integrating + external identity providers. domain: cybersecurity subdomain: container-security tags: @@ -21,6 +22,11 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 --- # Implementing RBAC Hardening for Kubernetes diff --git a/skills/implementing-rsa-key-pair-management/SKILL.md b/skills/implementing-rsa-key-pair-management/SKILL.md index 38429694..3ab165fc 100644 --- a/skills/implementing-rsa-key-pair-management/SKILL.md +++ b/skills/implementing-rsa-key-pair-management/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-rsa-key-pair-management -description: RSA (Rivest-Shamir-Adleman) is the most widely deployed asymmetric cryptographic algorithm, used for digital - signatures, key exchange, and encryption. This skill covers generating, storing, rotating, +description: RSA (Rivest-Shamir-Adleman) is the most widely deployed asymmetric cryptographic + algorithm, used for digital signatures, key exchange, and encryption. This skill + covers generating, storing, rotating, domain: cybersecurity subdomain: cryptography tags: @@ -17,6 +18,11 @@ nist_csf: - PR.DS-01 - PR.DS-02 - PR.DS-10 +mitre_attack: +- T1600 +- T1573 +- T1553 +- T1486 --- # Implementing RSA Key Pair Management diff --git a/skills/implementing-runtime-application-self-protection/SKILL.md b/skills/implementing-runtime-application-self-protection/SKILL.md index 753f05fe..655d83f8 100644 --- a/skills/implementing-runtime-application-self-protection/SKILL.md +++ b/skills/implementing-runtime-application-self-protection/SKILL.md @@ -1,8 +1,8 @@ --- name: implementing-runtime-application-self-protection -description: Deploy Runtime Application Self-Protection (RASP) agents to detect and block attacks from within application - runtime, covering OpenRASP integration, attack pattern detection, and security policy configuration for Java and Python - web applications. +description: Deploy Runtime Application Self-Protection (RASP) agents to detect and + block attacks from within application runtime, covering OpenRASP integration, attack + pattern detection, and security policy configuration for Java and Python web applications. domain: cybersecurity subdomain: application-security tags: @@ -26,6 +26,11 @@ nist_csf: - PR.PS-04 - ID.RA-01 - PR.DS-10 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1059.007 --- # Implementing Runtime Application Self-Protection 
diff --git a/skills/implementing-runtime-security-with-tetragon/SKILL.md b/skills/implementing-runtime-security-with-tetragon/SKILL.md index b91af904..fe9e41f5 100644 --- a/skills/implementing-runtime-security-with-tetragon/SKILL.md +++ b/skills/implementing-runtime-security-with-tetragon/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-runtime-security-with-tetragon -description: Implement eBPF-based runtime security observability and enforcement in Kubernetes clusters using Cilium Tetragon - for kernel-level threat detection and policy enforcement. +description: Implement eBPF-based runtime security observability and enforcement in + Kubernetes clusters using Cilium Tetragon for kernel-level threat detection and + policy enforcement. domain: cybersecurity subdomain: container-security tags: @@ -30,6 +31,11 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 --- # Implementing Runtime Security with Tetragon diff --git a/skills/implementing-saml-sso-with-okta/SKILL.md b/skills/implementing-saml-sso-with-okta/SKILL.md index a86c83ac..81b42c99 100644 --- a/skills/implementing-saml-sso-with-okta/SKILL.md +++ b/skills/implementing-saml-sso-with-okta/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-saml-sso-with-okta -description: Implement SAML 2.0 Single Sign-On (SSO) using Okta as the Identity Provider (IdP). This skill covers end-to-end - configuration of SAML authentication flows, attribute mapping, certificate management, a +description: Implement SAML 2.0 Single Sign-On (SSO) using Okta as the Identity Provider + (IdP). This skill covers end-to-end configuration of SAML authentication flows, + attribute mapping, certificate management, a domain: cybersecurity subdomain: identity-access-management tags: @@ -20,6 +21,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 +- T1553 --- # Implementing SAML SSO with Okta 
diff --git a/skills/implementing-scim-provisioning-with-okta/SKILL.md b/skills/implementing-scim-provisioning-with-okta/SKILL.md index b399e22f..6855aef0 100644 --- a/skills/implementing-scim-provisioning-with-okta/SKILL.md +++ b/skills/implementing-scim-provisioning-with-okta/SKILL.md @@ -1,6 +1,7 @@ --- name: implementing-scim-provisioning-with-okta -description: Implement automated user provisioning and deprovisioning using SCIM 2.0 protocol with Okta as the identity provider. +description: Implement automated user provisioning and deprovisioning using SCIM 2.0 + protocol with Okta as the identity provider. domain: cybersecurity subdomain: identity-access-management tags: @@ -19,6 +20,11 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 --- # Implementing SCIM Provisioning with Okta diff --git a/skills/implementing-secret-scanning-with-gitleaks/SKILL.md b/skills/implementing-secret-scanning-with-gitleaks/SKILL.md index 2ea94a69..9fc3013e 100644 --- a/skills/implementing-secret-scanning-with-gitleaks/SKILL.md +++ b/skills/implementing-secret-scanning-with-gitleaks/SKILL.md @@ -1,8 +1,10 @@ --- name: implementing-secret-scanning-with-gitleaks -description: 'This skill covers implementing Gitleaks for detecting and preventing hardcoded secrets in git repositories. - It addresses configuring pre-commit hooks, CI/CD pipeline integration, custom rule authoring for organization-specific secrets, - baseline management for existing repositories, and remediation workflows for exposed credentials. +description: 'This skill covers implementing Gitleaks for detecting and preventing + hardcoded secrets in git repositories. It addresses configuring pre-commit hooks, + CI/CD pipeline integration, custom rule authoring for organization-specific secrets, + baseline management for existing repositories, and remediation workflows for exposed + credentials. ' domain: cybersecurity 
@@ -22,6 +24,12 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195 +- T1554 +- T1059.004 +- T1003 +- T1110 --- # Implementing Secret Scanning with Gitleaks diff --git a/skills/implementing-secrets-management-with-vault/SKILL.md b/skills/implementing-secrets-management-with-vault/SKILL.md index 8a0c221c..bc91e957 100644 --- a/skills/implementing-secrets-management-with-vault/SKILL.md +++ b/skills/implementing-secrets-management-with-vault/SKILL.md @@ -1,9 +1,10 @@ --- name: implementing-secrets-management-with-vault -description: 'This skill covers deploying HashiCorp Vault for centralized secrets management across cloud environments, including - dynamic secret generation for databases and cloud providers, transit encryption, PKI certificate management, and Kubernetes - integration. It addresses eliminating hardcoded credentials from application code and CI/CD pipelines by implementing short-lived, - automatically rotated secrets. +description: 'This skill covers deploying HashiCorp Vault for centralized secrets + management across cloud environments, including dynamic secret generation for databases + and cloud providers, transit encryption, PKI certificate management, and Kubernetes + integration. It addresses eliminating hardcoded credentials from application code + and CI/CD pipelines by implementing short-lived, automatically rotated secrets. ' domain: cybersecurity @@ -22,6 +23,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1003 --- # Implementing Secrets Management with Vault diff --git a/skills/implementing-secrets-scanning-in-ci-cd/SKILL.md b/skills/implementing-secrets-scanning-in-ci-cd/SKILL.md index 6b10fc29..bc38e8e8 100644 --- a/skills/implementing-secrets-scanning-in-ci-cd/SKILL.md +++ b/skills/implementing-secrets-scanning-in-ci-cd/SKILL.md 
@@ -1,6 +1,7 @@ --- name: implementing-secrets-scanning-in-ci-cd -description: Integrate gitleaks and trufflehog into CI/CD pipelines to detect leaked secrets before deployment +description: Integrate gitleaks and trufflehog into CI/CD pipelines to detect leaked + secrets before deployment domain: cybersecurity subdomain: devsecops tags: @@ -16,6 +17,10 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195 +- T1554 +- T1059.004 --- diff --git a/skills/implementing-security-chaos-engineering/SKILL.md b/skills/implementing-security-chaos-engineering/SKILL.md index 29253543..5fcc676a 100644 --- a/skills/implementing-security-chaos-engineering/SKILL.md +++ b/skills/implementing-security-chaos-engineering/SKILL.md @@ -1,17 +1,20 @@ --- name: implementing-security-chaos-engineering -description: 'Implements security chaos engineering experiments that deliberately disable or degrade security controls to - verify detection and response capabilities. Tests WAF bypass, firewall rule removal, log pipeline disruption, and EDR disablement - scenarios using boto3 and subprocess. Use when validating SOC detection coverage and resilience. +description: 'Implements security chaos engineering experiments that deliberately + disable or degrade security controls to verify detection and response capabilities. + Tests WAF bypass, firewall rule removal, log pipeline disruption, and EDR disablement + scenarios using boto3 and subprocess. Use when validating SOC detection coverage + and resilience. ' domain: cybersecurity subdomain: security-operations tags: -- implementing -- security -- chaos -- engineering +- security-chaos-engineering +- detection-validation +- resilience-testing +- control-validation +- security-operations version: '1.0' author: mahipal license: Apache-2.0 @@ -28,6 +31,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1027 +- T1070 --- # Implementing Security Chaos Engineering 
diff --git a/skills/implementing-security-information-sharing-with-stix2/SKILL.md b/skills/implementing-security-information-sharing-with-stix2/SKILL.md index f76dbcb1..9e555775 100644 --- a/skills/implementing-security-information-sharing-with-stix2/SKILL.md +++ b/skills/implementing-security-information-sharing-with-stix2/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-security-information-sharing-with-stix2 -description: 'Create, validate, and share STIX 2.1 threat intelligence objects using the stix2 Python library. Covers indicators, - malware, campaigns, relationships, bundles, and TAXII 2.1 publishing. +description: 'Create, validate, and share STIX 2.1 threat intelligence objects using + the stix2 Python library. Covers indicators, malware, campaigns, relationships, + bundles, and TAXII 2.1 publishing. ' domain: cybersecurity @@ -25,6 +26,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 +- T1027 --- # Implementing Security Information Sharing with STIX 2.1 diff --git a/skills/implementing-security-monitoring-with-datadog/SKILL.md b/skills/implementing-security-monitoring-with-datadog/SKILL.md index ac862c7d..dfcfda77 100644 --- a/skills/implementing-security-monitoring-with-datadog/SKILL.md +++ b/skills/implementing-security-monitoring-with-datadog/SKILL.md 
@@ -1,16 +1,18 @@ --- name: implementing-security-monitoring-with-datadog -description: 'Implements security monitoring using Datadog Cloud SIEM, Cloud Security Management (CSM), and Workload Protection - to detect threats, enforce compliance, and respond to security events across cloud and hybrid infrastructure. Covers Agent - deployment, log source ingestion, detection rule creation, security dashboards, and automated notification workflows. Activates - for requests involving Datadog security setup, Cloud SIEM configuration, CSM threat detection, or security monitoring dashboards. +description: 'Implements security monitoring using Datadog Cloud SIEM, Cloud Security + Management (CSM), and Workload Protection to detect threats, enforce compliance, + and respond to security events across cloud and hybrid infrastructure. Covers Agent + deployment, log source ingestion, detection rule creation, security dashboards, + and automated notification workflows. Activates for requests involving Datadog security + setup, Cloud SIEM configuration, CSM threat detection, or security monitoring dashboards. ' domain: cybersecurity subdomain: security-operations tags: - siem -- monitoring +- security-monitoring - datadog - cloud-security - log-analysis @@ -37,6 +39,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1685.002 +- T1685.005 --- # Implementing Security Monitoring with Datadog diff --git a/skills/implementing-semgrep-for-custom-sast-rules/SKILL.md b/skills/implementing-semgrep-for-custom-sast-rules/SKILL.md index bcb0b045..2f4065b9 100644 --- a/skills/implementing-semgrep-for-custom-sast-rules/SKILL.md +++ b/skills/implementing-semgrep-for-custom-sast-rules/SKILL.md 
@@ -1,7 +1,7 @@ --- name: implementing-semgrep-for-custom-sast-rules -description: Write custom Semgrep SAST rules in YAML to detect application-specific vulnerabilities, enforce coding standards, - and integrate into CI/CD pipelines. +description: Write custom Semgrep SAST rules in YAML to detect application-specific + vulnerabilities, enforce coding standards, and integrate into CI/CD pipelines. domain: cybersecurity subdomain: devsecops tags: @@ -19,6 +19,10 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195 +- T1554 +- T1059.004 --- # Implementing Semgrep for Custom SAST Rules diff --git a/skills/implementing-siem-correlation-rules-for-apt/SKILL.md b/skills/implementing-siem-correlation-rules-for-apt/SKILL.md index 924396b9..f1a223ce 100644 --- a/skills/implementing-siem-correlation-rules-for-apt/SKILL.md +++ b/skills/implementing-siem-correlation-rules-for-apt/SKILL.md 
@@ -1,16 +1,19 @@ --- name: implementing-siem-correlation-rules-for-apt -description: Write multi-event correlation rules that detect APT lateral movement by chaining Windows authentication events, - process execution telemetry, and network connection logs across hosts. Uses Splunk SPL and Sigma rule format to correlate - Event IDs 4624, 4648, 4688, and Sysmon Events 1/3 within sliding time windows to surface attack sequences invisible to single-event - detections. +description: Write multi-event correlation rules that detect APT lateral movement + by chaining Windows authentication events, process execution telemetry, and network + connection logs across hosts. Uses Splunk SPL and Sigma rule format to correlate + Event IDs 4624, 4648, 4688, and Sysmon Events 1/3 within sliding time windows to + surface attack sequences invisible to single-event detections. domain: cybersecurity subdomain: security-operations tags: -- implementing - siem -- correlation -- rules +- correlation-rules +- apt-detection +- lateral-movement +- windows-event-logs +- security-operations version: '1.0' author: mahipal license: Apache-2.0 @@ -19,6 +22,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1021 +- T1550 --- diff --git a/skills/implementing-siem-use-case-tuning/SKILL.md b/skills/implementing-siem-use-case-tuning/SKILL.md index bf5ae959..a5488c7c 100644 --- a/skills/implementing-siem-use-case-tuning/SKILL.md +++ b/skills/implementing-siem-use-case-tuning/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-siem-use-case-tuning -description: Tune SIEM detection rules to reduce false positives by analyzing alert volumes, creating whitelists, adjusting - thresholds, and measuring detection efficacy metrics in Splunk and Elastic +description: Tune SIEM detection rules to reduce false positives by analyzing alert + volumes, creating whitelists, adjusting thresholds, and measuring detection efficacy + metrics in Splunk and Elastic domain: cybersecurity subdomain: security-operations tags: @@ -20,6 +21,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1685.002 +- T1685.005 --- # Implementing SIEM Use Case Tuning diff --git a/skills/implementing-siem-use-cases-for-detection/SKILL.md b/skills/implementing-siem-use-cases-for-detection/SKILL.md index d8579754..6a3b71e2 100644 --- a/skills/implementing-siem-use-cases-for-detection/SKILL.md +++ b/skills/implementing-siem-use-cases-for-detection/SKILL.md @@ -1,8 +1,10 @@ --- name: implementing-siem-use-cases-for-detection -description: 'Implements SIEM detection use cases by designing correlation rules, threshold alerts, and behavioral analytics - mapped to MITRE ATT&CK techniques across Splunk, Elastic, and Sentinel. Use when SOC teams need to expand detection coverage, - formalize use case lifecycle management, or build a detection library aligned to organizational threat profile. +description: 'Implements SIEM detection use cases by designing correlation rules, + threshold alerts, and behavioral analytics mapped to MITRE ATT&CK techniques across + Splunk, Elastic, and Sentinel. Use when SOC teams need to expand detection coverage, + formalize use case lifecycle management, or build a detection library aligned to + organizational threat profile. ' domain: cybersecurity @@ -38,6 +40,12 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1685.002 +- T1685.005 +- T1566 +- T0816 --- # Implementing SIEM Use Cases for Detection 
diff --git a/skills/implementing-sigstore-for-software-signing/SKILL.md b/skills/implementing-sigstore-for-software-signing/SKILL.md index b95e5f8b..a328221c 100644 --- a/skills/implementing-sigstore-for-software-signing/SKILL.md +++ b/skills/implementing-sigstore-for-software-signing/SKILL.md @@ -1,10 +1,13 @@ --- name: implementing-sigstore-for-software-signing -description: 'Implements Sigstore-based software signing and verification using Cosign keyless signing, Rekor transparency - log verification, and Fulcio certificate authority integration to establish cryptographic provenance for container images, - binaries, and software artifacts. The practitioner configures OIDC-based identity binding, verifies signing events against - the Rekor transparency log, and integrates signing workflows into CI/CD pipelines. Activates for requests involving software - supply chain signing, keyless container signing, Sigstore deployment, or artifact provenance verification. +description: 'Implements Sigstore-based software signing and verification using Cosign + keyless signing, Rekor transparency log verification, and Fulcio certificate authority + integration to establish cryptographic provenance for container images, binaries, + and software artifacts. The practitioner configures OIDC-based identity binding, + verifies signing events against the Rekor transparency log, and integrates signing + workflows into CI/CD pipelines. Activates for requests involving software supply + chain signing, keyless container signing, Sigstore deployment, or artifact provenance + verification. ' domain: cybersecurity @@ -27,6 +30,12 @@ nist_csf: - GV.SC-03 - GV.SC-06 - GV.SC-07 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1610 +- T1611 --- # Implementing Sigstore for Software Signing diff --git a/skills/implementing-soar-automation-with-phantom/SKILL.md b/skills/implementing-soar-automation-with-phantom/SKILL.md index 98618559..535f4882 100644 
--- a/skills/implementing-soar-automation-with-phantom/SKILL.md +++ b/skills/implementing-soar-automation-with-phantom/SKILL.md @@ -1,8 +1,10 @@ --- name: implementing-soar-automation-with-phantom -description: 'Implements Security Orchestration, Automation, and Response (SOAR) workflows using Splunk SOAR (formerly Phantom) - to automate alert triage, IOC enrichment, containment actions, and incident response playbooks. Use when SOC teams need - to reduce manual analyst work, standardize response procedures, or integrate multiple security tools into automated workflows. +description: 'Implements Security Orchestration, Automation, and Response (SOAR) workflows + using Splunk SOAR (formerly Phantom) to automate alert triage, IOC enrichment, containment + actions, and incident response playbooks. Use when SOC teams need to reduce manual + analyst work, standardize response procedures, or integrate multiple security tools + into automated workflows. ' domain: cybersecurity @@ -17,9 +19,10 @@ tags: - orchestration - incident-response mitre_attack: -- T1566 -- T1059 - T1078 +- T1685.002 +- T1685.005 +- T1566 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/implementing-soar-playbook-for-phishing/SKILL.md b/skills/implementing-soar-playbook-for-phishing/SKILL.md index e21be146..fdaae961 100644 --- a/skills/implementing-soar-playbook-for-phishing/SKILL.md +++ b/skills/implementing-soar-playbook-for-phishing/SKILL.md @@ -1,7 +1,7 @@ --- name: implementing-soar-playbook-for-phishing -description: Automate phishing incident response using Splunk SOAR REST API to create containers, add artifacts, and trigger - playbooks +description: Automate phishing incident response using Splunk SOAR REST API to create + containers, add artifacts, and trigger playbooks domain: cybersecurity subdomain: security-operations tags: @@ -17,6 +17,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1566 +- T1598 --- 
diff --git a/skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md b/skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md index a4ca38de..084af7f4 100644 --- a/skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md +++ b/skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md @@ -1,7 +1,7 @@ --- name: implementing-soar-playbook-with-palo-alto-xsoar -description: Implement automated incident response playbooks in Cortex XSOAR to orchestrate security workflows across SOC - tools and reduce manual response time. +description: Implement automated incident response playbooks in Cortex XSOAR to orchestrate + security workflows across SOC tools and reduce manual response time. domain: cybersecurity subdomain: soc-operations tags: @@ -14,9 +14,10 @@ tags: - orchestration - cortex mitre_attack: -- T1566 -- T1204 - T1078 +- T1685.002 +- T1685.005 +- T1566 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/implementing-stix-taxii-feed-integration/SKILL.md b/skills/implementing-stix-taxii-feed-integration/SKILL.md index da519e42..99e12000 100644 --- a/skills/implementing-stix-taxii-feed-integration/SKILL.md +++ b/skills/implementing-stix-taxii-feed-integration/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-stix-taxii-feed-integration -description: STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Intelligence Information) - are OASIS open standards for representing and transporting cyber threat intelligence. +description: STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated + eXchange of Intelligence Information) are OASIS open standards for representing + and transporting cyber threat intelligence. domain: cybersecurity subdomain: threat-intelligence tags: @@ -21,6 +22,11 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 --- # Implementing STIX/TAXII Feed Integration 
diff --git a/skills/implementing-supply-chain-security-with-in-toto/SKILL.md b/skills/implementing-supply-chain-security-with-in-toto/SKILL.md index b2b33720..dea89671 100644 --- a/skills/implementing-supply-chain-security-with-in-toto/SKILL.md +++ b/skills/implementing-supply-chain-security-with-in-toto/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-supply-chain-security-with-in-toto -description: Implement software supply chain integrity verification for container builds using the in-toto framework to create - cryptographically signed attestations across CI/CD pipeline steps. +description: Implement software supply chain integrity verification for container + builds using the in-toto framework to create cryptographically signed attestations + across CI/CD pipeline steps. domain: cybersecurity subdomain: container-security tags: @@ -22,6 +23,12 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 +- T1195 --- # Implementing Supply Chain Security with in-toto diff --git a/skills/implementing-syslog-centralization-with-rsyslog/SKILL.md b/skills/implementing-syslog-centralization-with-rsyslog/SKILL.md index 6fd3ec8b..a7230256 100644 --- a/skills/implementing-syslog-centralization-with-rsyslog/SKILL.md +++ b/skills/implementing-syslog-centralization-with-rsyslog/SKILL.md 
@@ -1,15 +1,18 @@ --- name: implementing-syslog-centralization-with-rsyslog -description: Configure rsyslog for centralized log collection with TLS encryption, custom templates, and log rotation. Generates - server and client configuration files with GnuTLS stream drivers, x509 certificate authentication, per-host log segregation, +description: Configure rsyslog for centralized log collection with TLS encryption, + custom templates, and log rotation. Generates server and client configuration files + with GnuTLS stream drivers, x509 certificate authentication, per-host log segregation, and reliable queue settings for high-availability syslog infrastructure. domain: cybersecurity subdomain: security-operations tags: -- implementing - syslog -- centralization -- with +- rsyslog +- log-centralization +- tls-encryption +- log-management +- security-operations version: '1.0' author: mahipal license: Apache-2.0 @@ -18,6 +21,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1573 +- T1486 --- diff --git a/skills/implementing-taxii-server-with-opentaxii/SKILL.md b/skills/implementing-taxii-server-with-opentaxii/SKILL.md index a98d9f26..1a654237 100644 --- a/skills/implementing-taxii-server-with-opentaxii/SKILL.md +++ b/skills/implementing-taxii-server-with-opentaxii/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-taxii-server-with-opentaxii -description: Deploy and configure an OpenTAXII server to share and consume STIX-formatted cyber threat intelligence using - the TAXII 2.1 protocol for automated indicator exchange between organizations. +description: Deploy and configure an OpenTAXII server to share and consume STIX-formatted + cyber threat intelligence using the TAXII 2.1 protocol for automated indicator exchange + between organizations. domain: cybersecurity subdomain: threat-intelligence tags: 
@@ -21,6 +22,11 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 --- # Implementing TAXII Server with OpenTAXII diff --git a/skills/implementing-threat-intelligence-lifecycle-management/SKILL.md b/skills/implementing-threat-intelligence-lifecycle-management/SKILL.md index abc77130..92961fa0 100644 --- a/skills/implementing-threat-intelligence-lifecycle-management/SKILL.md +++ b/skills/implementing-threat-intelligence-lifecycle-management/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-threat-intelligence-lifecycle-management -description: Implement a structured threat intelligence lifecycle encompassing planning, collection, processing, analysis, - dissemination, and feedback stages to produce actionable intelligence for organizational decision-making. +description: Implement a structured threat intelligence lifecycle encompassing planning, + collection, processing, analysis, dissemination, and feedback stages to produce + actionable intelligence for organizational decision-making. domain: cybersecurity subdomain: threat-intelligence tags: @@ -21,6 +22,11 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 --- # Implementing Threat Intelligence Lifecycle Management diff --git a/skills/implementing-threat-modeling-with-mitre-attack/SKILL.md b/skills/implementing-threat-modeling-with-mitre-attack/SKILL.md index bc110550..fd29df63 100644 --- a/skills/implementing-threat-modeling-with-mitre-attack/SKILL.md +++ b/skills/implementing-threat-modeling-with-mitre-attack/SKILL.md 
@@ -1,8 +1,10 @@ --- name: implementing-threat-modeling-with-mitre-attack -description: 'Implements threat modeling using the MITRE ATT&CK framework to map adversary TTPs against organizational assets, - assess detection coverage gaps, and prioritize defensive investments. Use when SOC teams need to align detection engineering - with threat landscape, conduct threat assessments for new environments, or justify security tool procurement. +description: 'Implements threat modeling using the MITRE ATT&CK framework to map adversary + TTPs against organizational assets, assess detection coverage gaps, and prioritize + defensive investments. Use when SOC teams need to align detection engineering with + threat landscape, conduct threat assessments for new environments, or justify security + tool procurement. ' domain: cybersecurity @@ -37,6 +39,11 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1685.002 +- T1685.005 +- T1566 --- # Implementing Threat Modeling with MITRE ATT&CK diff --git a/skills/implementing-ticketing-system-for-incidents/SKILL.md b/skills/implementing-ticketing-system-for-incidents/SKILL.md index bb8ba9a6..8b29b0b4 100644 --- a/skills/implementing-ticketing-system-for-incidents/SKILL.md +++ b/skills/implementing-ticketing-system-for-incidents/SKILL.md 
@@ -1,8 +1,10 @@ --- name: implementing-ticketing-system-for-incidents -description: 'Implements an integrated incident ticketing system connecting SIEM alerts to ServiceNow, Jira, or TheHive for - structured incident tracking, SLA management, escalation workflows, and compliance documentation. Use when SOC teams need - formalized incident lifecycle management with automated ticket creation, assignment routing, and resolution tracking. +description: 'Implements an integrated incident ticketing system connecting SIEM alerts + to ServiceNow, Jira, or TheHive for structured incident tracking, SLA management, + escalation workflows, and compliance documentation. Use when SOC teams need formalized + incident lifecycle management with automated ticket creation, assignment routing, + and resolution tracking. ' domain: cybersecurity @@ -24,6 +26,11 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1685.002 +- T1685.005 +- T1566 --- # Implementing Ticketing System for Incidents diff --git a/skills/implementing-usb-device-control-policy/SKILL.md b/skills/implementing-usb-device-control-policy/SKILL.md index 6bacf5a8..c55480a2 100644 --- a/skills/implementing-usb-device-control-policy/SKILL.md +++ b/skills/implementing-usb-device-control-policy/SKILL.md 
@@ -1,9 +1,10 @@ --- name: implementing-usb-device-control-policy -description: 'Implements USB device control policies to restrict unauthorized removable media access on endpoints, preventing - data exfiltration and malware introduction via USB devices. Use when deploying device control via Group Policy, Intune, - or EDR platforms to enforce USB restrictions. Activates for requests involving USB control, removable media policy, device - control, or data loss prevention via USB. +description: 'Implements USB device control policies to restrict unauthorized removable + media access on endpoints, preventing data exfiltration and malware introduction + via USB devices. Use when deploying device control via Group Policy, Intune, or + EDR platforms to enforce USB restrictions. Activates for requests involving USB + control, removable media policy, device control, or data loss prevention via USB. ' domain: cybersecurity @@ -22,6 +23,12 @@ nist_csf: - PR.PS-02 - DE.CM-01 - PR.IR-01 +mitre_attack: +- T1055 +- T1547 +- T1059 +- T1036 +- T1048 --- # Implementing USB Device Control Policy diff --git a/skills/implementing-velociraptor-for-ir-collection/SKILL.md b/skills/implementing-velociraptor-for-ir-collection/SKILL.md index 17d1f6f9..6670d7d1 100644 --- a/skills/implementing-velociraptor-for-ir-collection/SKILL.md +++ b/skills/implementing-velociraptor-for-ir-collection/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-velociraptor-for-ir-collection -description: Deploy and configure Velociraptor for scalable endpoint forensic artifact collection during incident response - using VQL queries, hunts, and pre-built artifact packs across Windows, Linux, and macOS environments. +description: Deploy and configure Velociraptor for scalable endpoint forensic artifact + collection during incident response using VQL queries, hunts, and pre-built artifact + packs across Windows, Linux, and macOS environments. domain: cybersecurity subdomain: incident-response tags: 
@@ -14,10 +15,11 @@ tags: - threat-hunting - incident-response mitre_attack: -- T1059 -- T1003 +- T1486 +- T1490 - T1070 -- T1547 +- T1078 +- T1005 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/implementing-vulnerability-management-with-greenbone/SKILL.md b/skills/implementing-vulnerability-management-with-greenbone/SKILL.md index 9afca65f..ac6684f7 100644 --- a/skills/implementing-vulnerability-management-with-greenbone/SKILL.md +++ b/skills/implementing-vulnerability-management-with-greenbone/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-vulnerability-management-with-greenbone -description: Deploy and operate Greenbone/OpenVAS vulnerability management using the python-gvm library to create scan targets, - execute vulnerability scans, and parse scan reports via GMP protocol. +description: Deploy and operate Greenbone/OpenVAS vulnerability management using the + python-gvm library to create scan targets, execute vulnerability scans, and parse + scan reports via GMP protocol. domain: cybersecurity subdomain: vulnerability-management tags: @@ -20,6 +21,11 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 +- T1046 --- # Implementing Vulnerability Management with Greenbone diff --git a/skills/implementing-vulnerability-remediation-sla/SKILL.md b/skills/implementing-vulnerability-remediation-sla/SKILL.md index f370ccdf..4004a6c8 100644 --- a/skills/implementing-vulnerability-remediation-sla/SKILL.md +++ b/skills/implementing-vulnerability-remediation-sla/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-vulnerability-remediation-sla -description: Vulnerability remediation SLAs define mandatory timeframes for patching or mitigating identified vulnerabilities - based on severity, asset criticality, and exploit availability. Effective SLA programs +description: Vulnerability remediation SLAs define mandatory timeframes for patching + or mitigating identified vulnerabilities based on severity, asset criticality, and + exploit availability. Effective SLA programs domain: cybersecurity subdomain: vulnerability-management tags: @@ -19,6 +20,10 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 --- # Implementing Vulnerability Remediation SLA diff --git a/skills/implementing-vulnerability-sla-breach-alerting/SKILL.md b/skills/implementing-vulnerability-sla-breach-alerting/SKILL.md index 8eb42597..9f25b71f 100644 --- a/skills/implementing-vulnerability-sla-breach-alerting/SKILL.md +++ b/skills/implementing-vulnerability-sla-breach-alerting/SKILL.md @@ -1,7 +1,7 @@ --- name: implementing-vulnerability-sla-breach-alerting -description: Build automated alerting for vulnerability remediation SLA breaches with severity-based timelines, escalation - workflows, and compliance reporting dashboards. +description: Build automated alerting for vulnerability remediation SLA breaches with + severity-based timelines, escalation workflows, and compliance reporting dashboards. domain: cybersecurity subdomain: vulnerability-management tags: @@ -20,6 +20,10 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 --- # Implementing Vulnerability SLA Breach Alerting diff --git a/skills/implementing-web-application-logging-with-modsecurity/SKILL.md b/skills/implementing-web-application-logging-with-modsecurity/SKILL.md index 44b7c500..7ba0d2cd 100644 --- a/skills/implementing-web-application-logging-with-modsecurity/SKILL.md 
+++ b/skills/implementing-web-application-logging-with-modsecurity/SKILL.md @@ -1,10 +1,11 @@ --- name: implementing-web-application-logging-with-modsecurity -description: 'Configure ModSecurity WAF with OWASP Core Rule Set (CRS) for web application logging, tune rules to reduce false - positives, analyze audit logs for attack detection, and implement custom SecRules for application-specific threats. The - analyst configures SecRuleEngine, SecAuditEngine, and CRS paranoia levels to balance security coverage with operational - stability. Activates for requests involving WAF configuration, ModSecurity rule tuning, web application audit logging, or - CRS deployment. +description: 'Configure ModSecurity WAF with OWASP Core Rule Set (CRS) for web application + logging, tune rules to reduce false positives, analyze audit logs for attack detection, + and implement custom SecRules for application-specific threats. The analyst configures + SecRuleEngine, SecAuditEngine, and CRS paranoia levels to balance security coverage + with operational stability. Activates for requests involving WAF configuration, + ModSecurity rule tuning, web application audit logging, or CRS deployment. ' domain: cybersecurity @@ -33,6 +34,11 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 --- # Implementing Web Application Logging with ModSecurity diff --git a/skills/implementing-zero-knowledge-proof-for-authentication/SKILL.md b/skills/implementing-zero-knowledge-proof-for-authentication/SKILL.md index 6244989c..43096957 100644 --- a/skills/implementing-zero-knowledge-proof-for-authentication/SKILL.md +++ b/skills/implementing-zero-knowledge-proof-for-authentication/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-zero-knowledge-proof-for-authentication -description: Zero-Knowledge Proofs (ZKPs) allow a prover to demonstrate knowledge of a secret (such as a password or private - key) without revealing the secret itself. This skill implements the Schnorr identificati +description: Zero-Knowledge Proofs (ZKPs) allow a prover to demonstrate knowledge + of a secret (such as a password or private key) without revealing the secret itself. + This skill implements the Schnorr identificati domain: cybersecurity subdomain: cryptography tags: @@ -17,6 +18,10 @@ nist_csf: - PR.DS-01 - PR.DS-02 - PR.DS-10 +mitre_attack: +- T1600 +- T1573 +- T1553 --- # Implementing Zero-Knowledge Proof for Authentication diff --git a/skills/implementing-zero-standing-privilege-with-cyberark/SKILL.md b/skills/implementing-zero-standing-privilege-with-cyberark/SKILL.md index 17050ace..023fc088 100644 --- a/skills/implementing-zero-standing-privilege-with-cyberark/SKILL.md +++ b/skills/implementing-zero-standing-privilege-with-cyberark/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-zero-standing-privilege-with-cyberark -description: Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using - just-in-time access with time, entitlement, and approval controls. +description: Deploy CyberArk Secure Cloud Access to eliminate standing privileges + in hybrid and multi-cloud environments using just-in-time access with time, entitlement, + and approval controls. domain: cybersecurity subdomain: identity-access-management tags: @@ -19,6 +20,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 +- T1078.004 --- # Implementing Zero Standing Privilege with CyberArk diff --git a/skills/implementing-zero-trust-dns-with-nextdns/SKILL.md b/skills/implementing-zero-trust-dns-with-nextdns/SKILL.md index 8d79bada..782dcaf6 100644 
--- a/skills/implementing-zero-trust-dns-with-nextdns/SKILL.md +++ b/skills/implementing-zero-trust-dns-with-nextdns/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-zero-trust-dns-with-nextdns -description: Implement NextDNS as a zero trust DNS filtering layer with encrypted resolution, threat intelligence blocking, - privacy protection, and organizational policy enforcement across all endpoints. +description: Implement NextDNS as a zero trust DNS filtering layer with encrypted + resolution, threat intelligence blocking, privacy protection, and organizational + policy enforcement across all endpoints. domain: cybersecurity subdomain: zero-trust-architecture tags: @@ -22,6 +23,12 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1573 +- T1486 --- # Implementing Zero Trust DNS with NextDNS diff --git a/skills/implementing-zero-trust-for-saas-applications/SKILL.md b/skills/implementing-zero-trust-for-saas-applications/SKILL.md index 42e08bf8..c621fe86 100644 --- a/skills/implementing-zero-trust-for-saas-applications/SKILL.md +++ b/skills/implementing-zero-trust-for-saas-applications/SKILL.md @@ -1,8 +1,9 @@ --- name: implementing-zero-trust-for-saas-applications -description: 'Implementing zero trust access controls for SaaS applications using CASB, SSPM, conditional access policies, - OAuth app governance, and session controls to enforce identity verification, device compliance, and data protection for - cloud-hosted services. +description: 'Implementing zero trust access controls for SaaS applications using + CASB, SSPM, conditional access policies, OAuth app governance, and session controls + to enforce identity verification, device compliance, and data protection for cloud-hosted + services. ' domain: cybersecurity @@ -23,6 +24,12 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1078.004 +- T1530 --- # Implementing Zero Trust for SaaS Applications 
diff --git a/skills/implementing-zero-trust-in-cloud/SKILL.md b/skills/implementing-zero-trust-in-cloud/SKILL.md index ce26d55a..cfda2a7d 100644 --- a/skills/implementing-zero-trust-in-cloud/SKILL.md +++ b/skills/implementing-zero-trust-in-cloud/SKILL.md @@ -1,9 +1,10 @@ --- name: implementing-zero-trust-in-cloud -description: 'This skill guides organizations through implementing zero trust architecture in cloud environments following - NIST SP 800-207 and Google BeyondCorp principles. It covers identity-centric access controls, micro-segmentation, continuous - verification, device trust assessment, and deploying Identity-Aware Proxy to eliminate implicit network trust in AWS, Azure, - and GCP environments. +description: 'This skill guides organizations through implementing zero trust architecture + in cloud environments following NIST SP 800-207 and Google BeyondCorp principles. + It covers identity-centric access controls, micro-segmentation, continuous verification, + device trust assessment, and deploying Identity-Aware Proxy to eliminate implicit + network trust in AWS, Azure, and GCP environments. ' domain: cybersecurity @@ -22,6 +23,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 --- # Implementing Zero Trust in Cloud diff --git a/skills/implementing-zero-trust-network-access-with-zscaler/SKILL.md b/skills/implementing-zero-trust-network-access-with-zscaler/SKILL.md index 8ef77342..057eada6 100644 --- a/skills/implementing-zero-trust-network-access-with-zscaler/SKILL.md +++ b/skills/implementing-zero-trust-network-access-with-zscaler/SKILL.md 
@@ -1,7 +1,8 @@ --- name: implementing-zero-trust-network-access-with-zscaler -description: Implement Zero Trust Network Access using Zscaler Private Access (ZPA) to replace traditional VPN with identity-based, - context-aware access to private applications through the Zscaler Zero Trust Exchange. +description: Implement Zero Trust Network Access using Zscaler Private Access (ZPA) + to replace traditional VPN with identity-based, context-aware access to private + applications through the Zscaler Zero Trust Exchange. domain: cybersecurity subdomain: zero-trust-architecture tags: @@ -18,6 +19,10 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1078 +- T1190 +- T1059 --- # Implementing Zero Trust Network Access with Zscaler diff --git a/skills/implementing-zero-trust-network-access/SKILL.md b/skills/implementing-zero-trust-network-access/SKILL.md index 0cd7ae39..a8816639 100644 --- a/skills/implementing-zero-trust-network-access/SKILL.md +++ b/skills/implementing-zero-trust-network-access/SKILL.md @@ -1,8 +1,9 @@ --- name: implementing-zero-trust-network-access -description: 'Implementing Zero Trust Network Access (ZTNA) in cloud environments by configuring identity-aware proxies, micro-segmentation, - continuous verification with conditional access policies, and replacing traditional VPN-based access with BeyondCorp-style - architectures across AWS, Azure, and GCP. +description: 'Implementing Zero Trust Network Access (ZTNA) in cloud environments + by configuring identity-aware proxies, micro-segmentation, continuous verification + with conditional access policies, and replacing traditional VPN-based access with + BeyondCorp-style architectures across AWS, Azure, and GCP. ' domain: cybersecurity @@ -22,6 +23,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 --- # Implementing Zero Trust Network Access 
diff --git a/skills/implementing-zero-trust-with-beyondcorp/SKILL.md b/skills/implementing-zero-trust-with-beyondcorp/SKILL.md index 8fb0c075..71ac8c27 100644 --- a/skills/implementing-zero-trust-with-beyondcorp/SKILL.md +++ b/skills/implementing-zero-trust-with-beyondcorp/SKILL.md @@ -1,8 +1,9 @@ --- name: implementing-zero-trust-with-beyondcorp -description: Deploy Google BeyondCorp Enterprise zero trust access controls using Identity-Aware Proxy (IAP), context-aware - access policies, device trust validation, and Access Context Manager to enforce identity and posture-based access to GCP - resources and internal applications. +description: Deploy Google BeyondCorp Enterprise zero trust access controls using + Identity-Aware Proxy (IAP), context-aware access policies, device trust validation, + and Access Context Manager to enforce identity and posture-based access to GCP resources + and internal applications. domain: cybersecurity subdomain: zero-trust tags: @@ -20,6 +21,12 @@ nist_csf: - PR.AA-01 - PR.AA-05 - PR.IR-01 +mitre_attack: +- T1078 +- T1550 +- T1021 +- T1556 +- T1078.004 --- # Implementing Zero Trust with BeyondCorp diff --git a/skills/implementing-zero-trust-with-hashicorp-boundary/SKILL.md b/skills/implementing-zero-trust-with-hashicorp-boundary/SKILL.md index 41bbe662..bdb56208 100644 --- a/skills/implementing-zero-trust-with-hashicorp-boundary/SKILL.md +++ b/skills/implementing-zero-trust-with-hashicorp-boundary/SKILL.md @@ -1,7 +1,8 @@ --- name: implementing-zero-trust-with-hashicorp-boundary -description: Implement HashiCorp Boundary for identity-aware zero trust infrastructure access management with dynamic credential - brokering, session recording, and Vault integration. +description: Implement HashiCorp Boundary for identity-aware zero trust infrastructure + access management with dynamic credential brokering, session recording, and Vault + integration. domain: cybersecurity subdomain: zero-trust-architecture tags: 
@@ -21,6 +22,12 @@ nist_csf: - PR.AA-05 - PR.IR-01 - GV.PO-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1003 +- T1110 --- # Implementing Zero Trust with HashiCorp Boundary diff --git a/skills/integrating-dast-with-owasp-zap-in-pipeline/SKILL.md b/skills/integrating-dast-with-owasp-zap-in-pipeline/SKILL.md index f5701d9d..f1d7d16d 100644 --- a/skills/integrating-dast-with-owasp-zap-in-pipeline/SKILL.md +++ b/skills/integrating-dast-with-owasp-zap-in-pipeline/SKILL.md @@ -1,8 +1,10 @@ --- name: integrating-dast-with-owasp-zap-in-pipeline -description: 'This skill covers integrating OWASP ZAP (Zed Attack Proxy) for Dynamic Application Security Testing in CI/CD - pipelines. It addresses configuring baseline, full, and API scans against running applications, interpreting ZAP findings, - tuning scan policies, and establishing DAST quality gates in GitHub Actions and GitLab CI. +description: 'This skill covers integrating OWASP ZAP (Zed Attack Proxy) for Dynamic + Application Security Testing in CI/CD pipelines. It addresses configuring baseline, + full, and API scans against running applications, interpreting ZAP findings, tuning + scan policies, and establishing DAST quality gates in GitHub Actions and GitLab + CI. ' domain: cybersecurity @@ -22,6 +24,10 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195 +- T1554 +- T1059.004 --- # Integrating DAST with OWASP ZAP in Pipeline diff --git a/skills/integrating-sast-into-github-actions-pipeline/SKILL.md b/skills/integrating-sast-into-github-actions-pipeline/SKILL.md index 739c6a29..95f0690a 100644 --- a/skills/integrating-sast-into-github-actions-pipeline/SKILL.md +++ b/skills/integrating-sast-into-github-actions-pipeline/SKILL.md 
@@ -1,9 +1,10 @@ --- name: integrating-sast-into-github-actions-pipeline -description: 'This skill covers integrating Static Application Security Testing (SAST) tools—CodeQL and Semgrep—into GitHub - Actions CI/CD pipelines. It addresses configuring automated code scanning on pull requests and pushes, tuning rules to reduce - false positives, uploading SARIF results to GitHub Advanced Security, and establishing quality gates that block merges when - high-severity vulnerabilities are detected. +description: 'This skill covers integrating Static Application Security Testing (SAST) + tools—CodeQL and Semgrep—into GitHub Actions CI/CD pipelines. It addresses configuring + automated code scanning on pull requests and pushes, tuning rules to reduce false + positives, uploading SARIF results to GitHub Advanced Security, and establishing + quality gates that block merges when high-severity vulnerabilities are detected. ' domain: cybersecurity @@ -23,6 +24,10 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195 +- T1554 +- T1059.004 --- # Integrating SAST into GitHub Actions Pipeline diff --git a/skills/intercepting-mobile-traffic-with-burpsuite/SKILL.md b/skills/intercepting-mobile-traffic-with-burpsuite/SKILL.md index 1cf93467..ffc20869 100644 --- a/skills/intercepting-mobile-traffic-with-burpsuite/SKILL.md +++ b/skills/intercepting-mobile-traffic-with-burpsuite/SKILL.md 
@@ -1,9 +1,11 @@ --- name: intercepting-mobile-traffic-with-burpsuite -description: 'Intercepts and analyzes HTTP/HTTPS traffic from mobile applications using Burp Suite proxy to identify insecure - API communications, authentication flaws, data leakage, and server-side vulnerabilities. Use when performing mobile application - penetration testing, assessing API security, or evaluating client-server communication patterns. Activates for requests - involving mobile traffic interception, Burp Suite mobile proxy, API security testing, or mobile HTTPS analysis. +description: 'Intercepts and analyzes HTTP/HTTPS traffic from mobile applications + using Burp Suite proxy to identify insecure API communications, authentication flaws, + data leakage, and server-side vulnerabilities. Use when performing mobile application + penetration testing, assessing API security, or evaluating client-server communication + patterns. Activates for requests involving mobile traffic interception, Burp Suite + mobile proxy, API security testing, or mobile HTTPS analysis. ' domain: cybersecurity @@ -23,6 +25,11 @@ nist_csf: - PR.AA-05 - ID.RA-01 - DE.CM-09 +mitre_attack: +- T1059 +- T1056 +- T1036 +- T1078 --- # Intercepting Mobile Traffic with Burp Suite diff --git a/skills/investigating-insider-threat-indicators/SKILL.md b/skills/investigating-insider-threat-indicators/SKILL.md index 73d272db..ede0b8f9 100644 --- a/skills/investigating-insider-threat-indicators/SKILL.md +++ b/skills/investigating-insider-threat-indicators/SKILL.md 
@@ -1,9 +1,10 @@ --- name: investigating-insider-threat-indicators -description: 'Investigates insider threat indicators including data exfiltration attempts, unauthorized access patterns, policy - violations, and pre-departure behaviors using SIEM analytics, DLP alerts, and HR data correlation. Use when SOC teams receive - insider threat referrals from HR, detect anomalous data movement by employees, or need to build investigation timelines - for potential insider threats. +description: 'Investigates insider threat indicators including data exfiltration attempts, + unauthorized access patterns, policy violations, and pre-departure behaviors using + SIEM analytics, DLP alerts, and HR data correlation. Use when SOC teams receive + insider threat referrals from HR, detect anomalous data movement by employees, or + need to build investigation timelines for potential insider threats. ' domain: cybersecurity @@ -24,6 +25,12 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1685.002 +- T1685.005 +- T1566 +- T1048 --- # Investigating Insider Threat Indicators diff --git a/skills/investigating-phishing-email-incident/SKILL.md b/skills/investigating-phishing-email-incident/SKILL.md index 3d088ca4..c3da70bf 100644 --- a/skills/investigating-phishing-email-incident/SKILL.md +++ b/skills/investigating-phishing-email-incident/SKILL.md 
@@ -1,8 +1,10 @@ --- name: investigating-phishing-email-incident -description: 'Investigates phishing email incidents from initial user report through header analysis, URL/attachment detonation, - impacted user identification, and containment actions using SOC tools like Splunk, Microsoft Defender, and sandbox analysis - platforms. Use when a reported phishing email requires full incident investigation to determine scope and impact. +description: 'Investigates phishing email incidents from initial user report through + header analysis, URL/attachment detonation, impacted user identification, and containment + actions using SOC tools like Splunk, Microsoft Defender, and sandbox analysis platforms. + Use when a reported phishing email requires full incident investigation to determine + scope and impact. ' domain: cybersecurity @@ -16,10 +18,11 @@ tags: - defender - sandbox mitre_attack: -- T1566.001 -- T1566.002 -- T1204.001 -- T1598.003 +- T1078 +- T1685.002 +- T1685.005 +- T1566 +- T1598 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/investigating-ransomware-attack-artifacts/SKILL.md b/skills/investigating-ransomware-attack-artifacts/SKILL.md index 92655ab3..a49be4e9 100644 --- a/skills/investigating-ransomware-attack-artifacts/SKILL.md +++ b/skills/investigating-ransomware-attack-artifacts/SKILL.md @@ -1,7 +1,7 @@ --- name: investigating-ransomware-attack-artifacts -description: Identify, collect, and analyze ransomware attack artifacts to determine the variant, initial access vector, encryption - scope, and recovery options. +description: Identify, collect, and analyze ransomware attack artifacts to determine + the variant, initial access vector, encryption scope, and recovery options. domain: cybersecurity subdomain: digital-forensics tags: @@ -19,6 +19,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1486 --- # Investigating Ransomware Attack Artifacts 
diff --git a/skills/managing-cloud-identity-with-okta/SKILL.md b/skills/managing-cloud-identity-with-okta/SKILL.md index 90af5c52..7ff64339 100644 --- a/skills/managing-cloud-identity-with-okta/SKILL.md +++ b/skills/managing-cloud-identity-with-okta/SKILL.md @@ -1,8 +1,10 @@ --- name: managing-cloud-identity-with-okta -description: 'This skill covers implementing Okta as a centralized identity provider for cloud environments, configuring SSO - integration with AWS, Azure, and GCP, deploying phishing- resistant MFA with Okta FastPass, managing lifecycle automation - for user provisioning and deprovisioning, and enforcing adaptive access policies based on device posture and risk signals. +description: 'This skill covers implementing Okta as a centralized identity provider + for cloud environments, configuring SSO integration with AWS, Azure, and GCP, deploying + phishing- resistant MFA with Okta FastPass, managing lifecycle automation for user + provisioning and deprovisioning, and enforcing adaptive access policies based on + device posture and risk signals. ' domain: cybersecurity @@ -21,6 +23,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1566 --- # Managing Cloud Identity with Okta diff --git a/skills/managing-intelligence-lifecycle/SKILL.md b/skills/managing-intelligence-lifecycle/SKILL.md index 2a685c23..f9ca7c92 100644 --- a/skills/managing-intelligence-lifecycle/SKILL.md +++ b/skills/managing-intelligence-lifecycle/SKILL.md 
@@ -1,9 +1,11 @@ --- name: managing-intelligence-lifecycle -description: 'Manages the end-to-end cyber threat intelligence lifecycle from planning and direction through collection, processing, - analysis, dissemination, and feedback to ensure intelligence products meet stakeholder requirements and continuously improve. - Use when establishing or maturing a CTI program, defining intelligence requirements with business stakeholders, or building - feedback loops between intelligence consumers and producers. Activates for requests involving CTI program maturity, intelligence +description: 'Manages the end-to-end cyber threat intelligence lifecycle from planning + and direction through collection, processing, analysis, dissemination, and feedback + to ensure intelligence products meet stakeholder requirements and continuously improve. + Use when establishing or maturing a CTI program, defining intelligence requirements + with business stakeholders, or building feedback loops between intelligence consumers + and producers. Activates for requests involving CTI program maturity, intelligence requirements, PIRs, or intelligence lifecycle management. ' @@ -24,6 +26,11 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 --- # Managing Intelligence Lifecycle diff --git a/skills/mapping-mitre-attack-techniques/SKILL.md b/skills/mapping-mitre-attack-techniques/SKILL.md index e4f7588a..6fcf8c72 100644 --- a/skills/mapping-mitre-attack-techniques/SKILL.md +++ b/skills/mapping-mitre-attack-techniques/SKILL.md 
@@ -1,9 +1,11 @@ --- name: mapping-mitre-attack-techniques -description: 'Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques - to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging - SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. - Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis. +description: 'Maps observed adversary behaviors, security alerts, and detection rules + to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and + guide control prioritization. Use when building an ATT&CK-based coverage heatmap, + tagging SIEM alerts with technique IDs, aligning security controls to adversary + playbooks, or reporting threat exposure to executives. Activates for requests involving + ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis. ' domain: cybersecurity @@ -38,6 +40,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 +- T1685.002 --- # Mapping MITRE ATT&CK Techniques diff --git a/skills/monitoring-darkweb-sources/SKILL.md b/skills/monitoring-darkweb-sources/SKILL.md index 420ee163..cc421c1c 100644 --- a/skills/monitoring-darkweb-sources/SKILL.md +++ b/skills/monitoring-darkweb-sources/SKILL.md 
@@ -1,10 +1,12 @@ --- name: monitoring-darkweb-sources -description: 'Monitors dark web forums, marketplaces, paste sites, and ransomware leak sites for mentions of organizational - assets, leaked credentials, threatened attacks, and threat actor communications to provide early warning intelligence. Use - when establishing dark web monitoring coverage, investigating specific data breach claims, or enriching incident investigations - with dark web context. Activates for requests involving dark web OSINT, leak site monitoring, credential exposure, Recorded - Future dark web, or Tor hidden service intelligence. +description: 'Monitors dark web forums, marketplaces, paste sites, and ransomware + leak sites for mentions of organizational assets, leaked credentials, threatened + attacks, and threat actor communications to provide early warning intelligence. + Use when establishing dark web monitoring coverage, investigating specific data + breach claims, or enriching incident investigations with dark web context. Activates + for requests involving dark web OSINT, leak site monitoring, credential exposure, + Recorded Future dark web, or Tor hidden service intelligence. ' domain: cybersecurity @@ -33,6 +35,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 +- T1003 --- # Monitoring Dark Web Sources diff --git a/skills/monitoring-scada-modbus-traffic-anomalies/SKILL.md b/skills/monitoring-scada-modbus-traffic-anomalies/SKILL.md index b90e261b..cff79699 100644 --- a/skills/monitoring-scada-modbus-traffic-anomalies/SKILL.md +++ b/skills/monitoring-scada-modbus-traffic-anomalies/SKILL.md 
@@ -1,11 +1,13 @@ --- name: monitoring-scada-modbus-traffic-anomalies -description: 'Monitors Modbus TCP traffic on SCADA and ICS networks to detect anomalous function code usage, unauthorized - register writes, and suspicious communication patterns. The analyst uses deep packet inspection with pymodbus, Scapy, and - Zeek to baseline normal PLC/RTU communication behavior, then applies statistical and rule-based anomaly detection to identify - reconnaissance, parameter manipulation, and denial-of-service attacks targeting Modbus devices on port 502. Activates for - requests involving Modbus traffic analysis, SCADA network monitoring, ICS anomaly detection, PLC security monitoring, or - OT network threat detection. +description: 'Monitors Modbus TCP traffic on SCADA and ICS networks to detect anomalous + function code usage, unauthorized register writes, and suspicious communication + patterns. The analyst uses deep packet inspection with pymodbus, Scapy, and Zeek + to baseline normal PLC/RTU communication behavior, then applies statistical and + rule-based anomaly detection to identify reconnaissance, parameter manipulation, + and denial-of-service attacks targeting Modbus devices on port 502. Activates for + requests involving Modbus traffic analysis, SCADA network monitoring, ICS anomaly + detection, PLC security monitoring, or OT network threat detection. ' domain: cybersecurity @@ -24,6 +26,11 @@ nist_csf: - PR.IR-01 - DE.CM-01 - ID.AM-05 +mitre_attack: +- T0816 +- T0836 +- T0830 +- T1595 --- # Monitoring SCADA Modbus Traffic Anomalies diff --git a/skills/performing-access-recertification-with-saviynt/SKILL.md b/skills/performing-access-recertification-with-saviynt/SKILL.md index c2b29c07..aae8e3d6 100644 --- a/skills/performing-access-recertification-with-saviynt/SKILL.md +++ b/skills/performing-access-recertification-with-saviynt/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-access-recertification-with-saviynt -description: Configure and execute access recertification campaigns in Saviynt Enterprise Identity Cloud to validate user - entitlements, revoke excessive access, and maintain compliance with SOX, SOC2, and HIPAA. +description: Configure and execute access recertification campaigns in Saviynt Enterprise + Identity Cloud to validate user entitlements, revoke excessive access, and maintain + compliance with SOX, SOC2, and HIPAA. domain: cybersecurity subdomain: identity-access-management tags: @@ -19,6 +20,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 +- T1071 --- # Performing Access Recertification with Saviynt diff --git a/skills/performing-access-review-and-certification/SKILL.md b/skills/performing-access-review-and-certification/SKILL.md index 5b5c982b..16c2eeeb 100644 --- a/skills/performing-access-review-and-certification/SKILL.md +++ b/skills/performing-access-review-and-certification/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-access-review-and-certification -description: Conduct systematic access reviews and certifications to ensure users have appropriate access rights aligned with - their roles. This skill covers review campaign design, reviewer selection, risk-based p +description: Conduct systematic access reviews and certifications to ensure users + have appropriate access rights aligned with their roles. This skill covers review + campaign design, reviewer selection, risk-based p domain: cybersecurity subdomain: identity-access-management tags: @@ -20,6 +21,11 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 --- # Performing Access Review and Certification diff --git a/skills/performing-active-directory-bloodhound-analysis/SKILL.md b/skills/performing-active-directory-bloodhound-analysis/SKILL.md index 34fd6d82..8d01376a 100644 
--- a/skills/performing-active-directory-bloodhound-analysis/SKILL.md +++ b/skills/performing-active-directory-bloodhound-analysis/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-active-directory-bloodhound-analysis -description: Use BloodHound and SharpHound to enumerate Active Directory relationships and identify attack paths from compromised - users to Domain Admin. +description: Use BloodHound and SharpHound to enumerate Active Directory relationships + and identify attack paths from compromised users to Domain Admin. domain: cybersecurity subdomain: red-teaming tags: @@ -25,6 +25,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1068 --- # Performing Active Directory BloodHound Analysis diff --git a/skills/performing-active-directory-compromise-investigation/SKILL.md b/skills/performing-active-directory-compromise-investigation/SKILL.md index edef0d40..1311e9e7 100644 --- a/skills/performing-active-directory-compromise-investigation/SKILL.md +++ b/skills/performing-active-directory-compromise-investigation/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-active-directory-compromise-investigation -description: Investigate Active Directory compromise by analyzing authentication logs, replication metadata, Group Policy - changes, and Kerberos ticket anomalies to identify attacker persistence and lateral movement paths. +description: Investigate Active Directory compromise by analyzing authentication logs, + replication metadata, Group Policy changes, and Kerberos ticket anomalies to identify + attacker persistence and lateral movement paths. domain: cybersecurity subdomain: incident-response tags: @@ -14,11 +15,11 @@ tags: - ntds-dit - golden-ticket mitre_attack: -- T1003 -- T1558 -- T1021 +- T1486 +- T1490 +- T1070 - T1078 -- T1484 +- T1021 version: '1.0' author: mahipal license: Apache-2.0 
diff --git a/skills/performing-active-directory-forest-trust-attack/SKILL.md b/skills/performing-active-directory-forest-trust-attack/SKILL.md index 6a2a66c5..5a6729f1 100644 --- a/skills/performing-active-directory-forest-trust-attack/SKILL.md +++ b/skills/performing-active-directory-forest-trust-attack/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-active-directory-forest-trust-attack -description: Enumerate and audit Active Directory forest trust relationships using impacket for SID filtering analysis, trust - key extraction, cross-forest SID history abuse detection, and inter-realm Kerberos ticket assessment. +description: Enumerate and audit Active Directory forest trust relationships using + impacket for SID filtering analysis, trust key extraction, cross-forest SID history + abuse detection, and inter-realm Kerberos ticket assessment. domain: cybersecurity subdomain: red-team tags: @@ -19,6 +20,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1558.003 --- # Performing Active Directory Forest Trust Attack diff --git a/skills/performing-active-directory-penetration-test/SKILL.md b/skills/performing-active-directory-penetration-test/SKILL.md index b251c5e1..2f36f02f 100644 --- a/skills/performing-active-directory-penetration-test/SKILL.md +++ b/skills/performing-active-directory-penetration-test/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-active-directory-penetration-test -description: Conduct a focused Active Directory penetration test to enumerate domain objects, discover attack paths with BloodHound, - exploit Kerberos weaknesses, escalate privileges via ADCS/DCSync, and demonstrate domain compromise. +description: Conduct a focused Active Directory penetration test to enumerate domain + objects, discover attack paths with BloodHound, exploit Kerberos weaknesses, escalate + privileges via ADCS/DCSync, and demonstrate domain compromise. domain: cybersecurity subdomain: penetration-testing tags: 
@@ -21,6 +22,12 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1068 --- # Performing Active Directory Penetration Test diff --git a/skills/performing-active-directory-vulnerability-assessment/SKILL.md b/skills/performing-active-directory-vulnerability-assessment/SKILL.md index e6d229c5..4ea9ade6 100644 --- a/skills/performing-active-directory-vulnerability-assessment/SKILL.md +++ b/skills/performing-active-directory-vulnerability-assessment/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-active-directory-vulnerability-assessment -description: Assess Active Directory security posture using PingCastle, BloodHound, and Purple Knight to identify misconfigurations, - privilege escalation paths, and attack vectors. +description: Assess Active Directory security posture using PingCastle, BloodHound, + and Purple Knight to identify misconfigurations, privilege escalation paths, and + attack vectors. domain: cybersecurity subdomain: vulnerability-management tags: @@ -27,6 +28,12 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 +- T1548 +- T1134 --- # Performing Active Directory Vulnerability Assessment diff --git a/skills/performing-adversary-in-the-middle-phishing-detection/SKILL.md b/skills/performing-adversary-in-the-middle-phishing-detection/SKILL.md index 72600c65..d589e8bf 100644 --- a/skills/performing-adversary-in-the-middle-phishing-detection/SKILL.md +++ b/skills/performing-adversary-in-the-middle-phishing-detection/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-adversary-in-the-middle-phishing-detection -description: Detect and respond to Adversary-in-the-Middle (AiTM) phishing attacks that use reverse proxy kits like EvilProxy, - Evilginx, and Tycoon 2FA to bypass MFA and steal session tokens. +description: Detect and respond to Adversary-in-the-Middle (AiTM) phishing attacks + that use reverse proxy kits like EvilProxy, Evilginx, and Tycoon 2FA to bypass MFA + and steal session tokens. domain: cybersecurity subdomain: phishing-defense tags: @@ -21,6 +22,12 @@ nist_csf: - DE.CM-09 - RS.CO-02 - DE.AE-02 +mitre_attack: +- T1566 +- T1598 +- T1534 +- T1036 +- T1003 --- # Performing Adversary-in-the-Middle Phishing Detection diff --git a/skills/performing-agentless-vulnerability-scanning/SKILL.md b/skills/performing-agentless-vulnerability-scanning/SKILL.md index e7292193..fd60f3fe 100644 --- a/skills/performing-agentless-vulnerability-scanning/SKILL.md +++ b/skills/performing-agentless-vulnerability-scanning/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-agentless-vulnerability-scanning -description: Configure and execute agentless vulnerability scanning using network protocols, cloud snapshot analysis, and - API-based discovery to assess systems without installing endpoint agents. +description: Configure and execute agentless vulnerability scanning using network + protocols, cloud snapshot analysis, and API-based discovery to assess systems without + installing endpoint agents. domain: cybersecurity subdomain: vulnerability-management tags: @@ -25,6 +26,12 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 +- T1078.004 +- T1530 --- # Performing Agentless Vulnerability Scanning diff --git a/skills/performing-ai-driven-osint-correlation/SKILL.md b/skills/performing-ai-driven-osint-correlation/SKILL.md index 2da5cbd6..52184851 100644 --- a/skills/performing-ai-driven-osint-correlation/SKILL.md +++ b/skills/performing-ai-driven-osint-correlation/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-ai-driven-osint-correlation -description: Use AI and LLM-based reasoning to correlate findings across multiple OSINT sources—username enumeration, email - lookups, social media profiles, domain records, breach databases, and dark-web mentions—into unified intelligence profiles +description: Use AI and LLM-based reasoning to correlate findings across multiple + OSINT sources—username enumeration, email lookups, social media profiles, domain + records, breach databases, and dark-web mentions—into unified intelligence profiles with confidence scoring and link analysis. domain: cybersecurity subdomain: threat-intelligence @@ -39,6 +40,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 +- T1595 --- # Performing AI-Driven OSINT Correlation diff --git a/skills/performing-alert-triage-with-elastic-siem/SKILL.md b/skills/performing-alert-triage-with-elastic-siem/SKILL.md index 8017ad2b..ad211d2d 100644 --- a/skills/performing-alert-triage-with-elastic-siem/SKILL.md +++ b/skills/performing-alert-triage-with-elastic-siem/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-alert-triage-with-elastic-siem -description: Perform systematic alert triage in Elastic Security SIEM to rapidly classify, prioritize, and investigate security - alerts for SOC operations. +description: Perform systematic alert triage in Elastic Security SIEM to rapidly classify, + prioritize, and investigate security alerts for SOC operations. domain: cybersecurity subdomain: soc-operations tags: @@ -27,6 +27,11 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1685.002 +- T1685.005 +- T1566 --- # Performing Alert Triage with Elastic SIEM diff --git a/skills/performing-android-app-static-analysis-with-mobsf/SKILL.md b/skills/performing-android-app-static-analysis-with-mobsf/SKILL.md index 938ffe40..e56edb4e 100644 --- a/skills/performing-android-app-static-analysis-with-mobsf/SKILL.md 
+++ b/skills/performing-android-app-static-analysis-with-mobsf/SKILL.md @@ -1,9 +1,11 @@ --- name: performing-android-app-static-analysis-with-mobsf -description: 'Performs automated static analysis of Android applications using Mobile Security Framework (MobSF) to identify - hardcoded secrets, insecure permissions, vulnerable components, weak cryptography, and code-level security flaws without - executing the application. Use when assessing Android APK/AAB files for security vulnerabilities before deployment, during - penetration testing, or as part of CI/CD security gates. Activates for requests involving Android static analysis, MobSF +description: 'Performs automated static analysis of Android applications using Mobile + Security Framework (MobSF) to identify hardcoded secrets, insecure permissions, + vulnerable components, weak cryptography, and code-level security flaws without + executing the application. Use when assessing Android APK/AAB files for security + vulnerabilities before deployment, during penetration testing, or as part of CI/CD + security gates. Activates for requests involving Android static analysis, MobSF scanning, APK security assessment, or mobile application code review. ' @@ -24,6 +26,11 @@ nist_csf: - PR.AA-05 - ID.RA-01 - DE.CM-09 +mitre_attack: +- T1059 +- T1056 +- T1036 +- T1078 --- # Performing Android App Static Analysis with MobSF diff --git a/skills/performing-api-fuzzing-with-restler/SKILL.md b/skills/performing-api-fuzzing-with-restler/SKILL.md index 99a802e4..6b6b4b53 100644 --- a/skills/performing-api-fuzzing-with-restler/SKILL.md +++ b/skills/performing-api-fuzzing-with-restler/SKILL.md 
@@ -1,10 +1,13 @@ --- name: performing-api-fuzzing-with-restler -description: 'Uses Microsoft RESTler to perform stateful REST API fuzzing by automatically generating and executing test sequences - that exercise API endpoints, discover producer-consumer dependencies between requests, and find security and reliability - bugs. The tester compiles an OpenAPI specification into a RESTler fuzzing grammar, configures authentication, runs test/fuzz-lean/fuzz - modes, and analyzes results for 500 errors, authentication bypasses, resource leaks, and payload injection vulnerabilities. - Activates for requests involving API fuzzing, RESTler testing, stateful API testing, or automated API security scanning. +description: 'Uses Microsoft RESTler to perform stateful REST API fuzzing by automatically + generating and executing test sequences that exercise API endpoints, discover producer-consumer + dependencies between requests, and find security and reliability bugs. The tester + compiles an OpenAPI specification into a RESTler fuzzing grammar, configures authentication, + runs test/fuzz-lean/fuzz modes, and analyzes results for 500 errors, authentication + bypasses, resource leaks, and payload injection vulnerabilities. Activates for requests + involving API fuzzing, RESTler testing, stateful API testing, or automated API security + scanning. ' domain: cybersecurity @@ -24,6 +27,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1055 +- T1059 --- # Performing API Fuzzing with RESTler diff --git a/skills/performing-api-inventory-and-discovery/SKILL.md b/skills/performing-api-inventory-and-discovery/SKILL.md index d968fe44..f077972e 100644 --- a/skills/performing-api-inventory-and-discovery/SKILL.md +++ b/skills/performing-api-inventory-and-discovery/SKILL.md 
@@ -1,10 +1,12 @@ --- name: performing-api-inventory-and-discovery -description: 'Performs API inventory and discovery to identify all API endpoints in an organization''s environment including - documented, undocumented, shadow, zombie, and deprecated APIs. The tester uses passive traffic analysis, active scanning, - DNS enumeration, JavaScript analysis, and cloud resource inventory to build a comprehensive API catalog. Maps to OWASP API9:2023 - Improper Inventory Management. Activates for requests involving API discovery, shadow API detection, API inventory audit, - or attack surface mapping. +description: 'Performs API inventory and discovery to identify all API endpoints in + an organization''s environment including documented, undocumented, shadow, zombie, + and deprecated APIs. The tester uses passive traffic analysis, active scanning, + DNS enumeration, JavaScript analysis, and cloud resource inventory to build a comprehensive + API catalog. Maps to OWASP API9:2023 Improper Inventory Management. Activates for + requests involving API discovery, shadow API detection, API inventory audit, or + attack surface mapping. ' domain: cybersecurity @@ -24,6 +26,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1078.004 +- T1530 --- # Performing API Inventory and Discovery diff --git a/skills/performing-api-rate-limiting-bypass/SKILL.md b/skills/performing-api-rate-limiting-bypass/SKILL.md index 6681c30e..f548576b 100644 --- a/skills/performing-api-rate-limiting-bypass/SKILL.md +++ b/skills/performing-api-rate-limiting-bypass/SKILL.md 
@@ -1,10 +1,13 @@ --- name: performing-api-rate-limiting-bypass -description: 'Tests API rate limiting implementations for bypass vulnerabilities by manipulating request headers, IP addresses, - HTTP methods, API versions, and encoding schemes to circumvent request throttling controls. The tester identifies rate limit - headers, determines enforcement mechanisms, and attempts bypasses including X-Forwarded-For spoofing, parameter pollution, - case variation, and endpoint path manipulation. Maps to OWASP API4:2023 Unrestricted Resource Consumption. Activates for - requests involving rate limit bypass, API throttling evasion, brute force protection testing, or API abuse prevention assessment. +description: 'Tests API rate limiting implementations for bypass vulnerabilities by + manipulating request headers, IP addresses, HTTP methods, API versions, and encoding + schemes to circumvent request throttling controls. The tester identifies rate limit + headers, determines enforcement mechanisms, and attempts bypasses including X-Forwarded-For + spoofing, parameter pollution, case variation, and endpoint path manipulation. Maps + to OWASP API4:2023 Unrestricted Resource Consumption. Activates for requests involving + rate limit bypass, API throttling evasion, brute force protection testing, or API + abuse prevention assessment. ' domain: cybersecurity @@ -24,6 +27,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1027 +- T1055 --- # Performing API Rate Limiting Bypass diff --git a/skills/performing-api-security-testing-with-postman/SKILL.md b/skills/performing-api-security-testing-with-postman/SKILL.md index d4d7c989..6b0465a0 100644 --- a/skills/performing-api-security-testing-with-postman/SKILL.md +++ b/skills/performing-api-security-testing-with-postman/SKILL.md 
@@ -1,10 +1,12 @@ --- name: performing-api-security-testing-with-postman -description: 'Uses Postman to perform structured API security testing by building collections that test for OWASP API Security - Top 10 vulnerabilities including authentication bypass, authorization flaws, injection, and data exposure. The tester creates - environments with multiple user roles, writes test scripts for automated security validation, and integrates Postman with - OWASP ZAP and Newman for CI/CD security testing. Activates for requests involving Postman security testing, API security - collection, automated API testing, or OWASP API testing with Postman. +description: 'Uses Postman to perform structured API security testing by building + collections that test for OWASP API Security Top 10 vulnerabilities including authentication + bypass, authorization flaws, injection, and data exposure. The tester creates environments + with multiple user roles, writes test scripts for automated security validation, + and integrates Postman with OWASP ZAP and Newman for CI/CD security testing. Activates + for requests involving Postman security testing, API security collection, automated + API testing, or OWASP API testing with Postman. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1055 +- T1059 --- # Performing API Security Testing with Postman diff --git a/skills/performing-arp-spoofing-attack-simulation/SKILL.md b/skills/performing-arp-spoofing-attack-simulation/SKILL.md index e2fea4bd..59da79c5 100644 --- a/skills/performing-arp-spoofing-attack-simulation/SKILL.md +++ b/skills/performing-arp-spoofing-attack-simulation/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-arp-spoofing-attack-simulation -description: 'Simulates ARP spoofing attacks in authorized lab or pentest environments using arpspoof, Ettercap, and Scapy - to demonstrate man-in-the-middle risks, test network detection capabilities, and validate ARP inspection countermeasures. +description: 'Simulates ARP spoofing attacks in authorized lab or pentest environments + using arpspoof, Ettercap, and Scapy to demonstrate man-in-the-middle risks, test + network detection capabilities, and validate ARP inspection countermeasures. ' domain: cybersecurity @@ -20,6 +21,11 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 --- # Performing ARP Spoofing Attack Simulation diff --git a/skills/performing-asset-criticality-scoring-for-vulns/SKILL.md b/skills/performing-asset-criticality-scoring-for-vulns/SKILL.md index 9f45ab2d..508338b0 100644 --- a/skills/performing-asset-criticality-scoring-for-vulns/SKILL.md +++ b/skills/performing-asset-criticality-scoring-for-vulns/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-asset-criticality-scoring-for-vulns -description: Develop and apply a multi-factor asset criticality scoring model to weight vulnerability prioritization based - on business impact, data sensitivity, and operational importance. +description: Develop and apply a multi-factor asset criticality scoring model to weight + vulnerability prioritization based on business impact, data sensitivity, and operational + importance. domain: cybersecurity subdomain: vulnerability-management tags: @@ -20,6 +21,10 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 --- # Performing Asset Criticality Scoring for Vulns diff --git a/skills/performing-authenticated-scan-with-openvas/SKILL.md b/skills/performing-authenticated-scan-with-openvas/SKILL.md index 0f033a04..9bab85b3 100644 --- a/skills/performing-authenticated-scan-with-openvas/SKILL.md 
+++ b/skills/performing-authenticated-scan-with-openvas/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-authenticated-scan-with-openvas -description: Configure and execute authenticated vulnerability scans using OpenVAS/Greenbone Vulnerability Management with - SSH and SMB credentials for comprehensive host-level assessment. +description: Configure and execute authenticated vulnerability scans using OpenVAS/Greenbone + Vulnerability Management with SSH and SMB credentials for comprehensive host-level + assessment. domain: cybersecurity subdomain: vulnerability-management tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 +- T1003 +- T1110 --- # Performing Authenticated Scan with OpenVAS diff --git a/skills/performing-authenticated-vulnerability-scan/SKILL.md b/skills/performing-authenticated-vulnerability-scan/SKILL.md index bb62304e..cc715de1 100644 --- a/skills/performing-authenticated-vulnerability-scan/SKILL.md +++ b/skills/performing-authenticated-vulnerability-scan/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-authenticated-vulnerability-scan -description: Authenticated (credentialed) vulnerability scanning uses valid system credentials to log into target hosts and - perform deep inspection of installed software, patches, configurations, and security sett +description: Authenticated (credentialed) vulnerability scanning uses valid system + credentials to log into target hosts and perform deep inspection of installed software, + patches, configurations, and security sett domain: cybersecurity subdomain: vulnerability-management tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 +- T1003 +- T1110 --- # Performing Authenticated Vulnerability Scan diff --git a/skills/performing-automated-malware-analysis-with-cape/SKILL.md b/skills/performing-automated-malware-analysis-with-cape/SKILL.md index 202236d1..81afccd4 100644 
--- a/skills/performing-automated-malware-analysis-with-cape/SKILL.md +++ b/skills/performing-automated-malware-analysis-with-cape/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-automated-malware-analysis-with-cape -description: Deploy and operate CAPEv2 sandbox for automated malware analysis with behavioral monitoring, payload extraction, - configuration parsing, and anti-evasion capabilities. +description: Deploy and operate CAPEv2 sandbox for automated malware analysis with + behavioral monitoring, payload extraction, configuration parsing, and anti-evasion + capabilities. domain: cybersecurity subdomain: malware-analysis tags: @@ -20,6 +21,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1055 +- T1140 +- T1497 +- T1070 --- # Performing Automated Malware Analysis with CAPE diff --git a/skills/performing-aws-account-enumeration-with-scout-suite/SKILL.md b/skills/performing-aws-account-enumeration-with-scout-suite/SKILL.md index ed563cd5..29b0167b 100644 --- a/skills/performing-aws-account-enumeration-with-scout-suite/SKILL.md +++ b/skills/performing-aws-account-enumeration-with-scout-suite/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-aws-account-enumeration-with-scout-suite -description: Perform comprehensive security posture assessment of AWS accounts using ScoutSuite to enumerate resources, identify - misconfigurations, and generate actionable security reports. +description: Perform comprehensive security posture assessment of AWS accounts using + ScoutSuite to enumerate resources, identify misconfigurations, and generate actionable + security reports. domain: cybersecurity subdomain: cloud-security tags: @@ -21,6 +22,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 --- # Performing AWS Account Enumeration with ScoutSuite 
diff --git a/skills/performing-aws-privilege-escalation-assessment/SKILL.md b/skills/performing-aws-privilege-escalation-assessment/SKILL.md index 236a0727..de6d59da 100644 --- a/skills/performing-aws-privilege-escalation-assessment/SKILL.md +++ b/skills/performing-aws-privilege-escalation-assessment/SKILL.md @@ -1,8 +1,8 @@ --- name: performing-aws-privilege-escalation-assessment -description: 'Performing authorized privilege escalation assessments in AWS environments to identify IAM misconfigurations - that allow users or roles to elevate their permissions using Pacu, CloudFox, Principal Mapper, and manual IAM policy analysis - techniques. +description: 'Performing authorized privilege escalation assessments in AWS environments + to identify IAM misconfigurations that allow users or roles to elevate their permissions + using Pacu, CloudFox, Principal Mapper, and manual IAM policy analysis techniques. ' domain: cybersecurity @@ -22,6 +22,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1068 --- # Performing AWS Privilege Escalation Assessment diff --git a/skills/performing-bandwidth-throttling-attack-simulation/SKILL.md b/skills/performing-bandwidth-throttling-attack-simulation/SKILL.md index 601ee77f..65987ecf 100644 --- a/skills/performing-bandwidth-throttling-attack-simulation/SKILL.md +++ b/skills/performing-bandwidth-throttling-attack-simulation/SKILL.md 
@@ -1,7 +1,9 @@ --- name: performing-bandwidth-throttling-attack-simulation -description: 'Simulates bandwidth throttling and network degradation attacks using tc, iperf3, and Scapy in authorized environments - to test quality-of-service controls, application resilience, and network monitoring detection of traffic manipulation attacks. +description: 'Simulates bandwidth throttling and network degradation attacks using + tc, iperf3, and Scapy in authorized environments to test quality-of-service controls, + application resilience, and network monitoring detection of traffic manipulation + attacks. ' domain: cybersecurity @@ -20,6 +22,11 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 --- # Performing Bandwidth Throttling Attack Simulation diff --git a/skills/performing-binary-exploitation-analysis/SKILL.md b/skills/performing-binary-exploitation-analysis/SKILL.md index 9825fd8e..cff90b5a 100644 --- a/skills/performing-binary-exploitation-analysis/SKILL.md +++ b/skills/performing-binary-exploitation-analysis/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-binary-exploitation-analysis -description: 'Analyze binary exploitation techniques including buffer overflows and ROP chains using pwntools Python library. - Covers checksec analysis, gadget discovery with ROPgadget, and exploit development for CTF and authorized security assessments. +description: 'Analyze binary exploitation techniques including buffer overflows and + ROP chains using pwntools Python library. Covers checksec analysis, gadget discovery + with ROPgadget, and exploit development for CTF and authorized security assessments. ' domain: cybersecurity @@ -18,6 +19,10 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1078 +- T1190 +- T1059 --- # Performing Binary Exploitation Analysis diff --git a/skills/performing-blind-ssrf-exploitation/SKILL.md b/skills/performing-blind-ssrf-exploitation/SKILL.md index 96d24456..7444e8be 100644 
--- a/skills/performing-blind-ssrf-exploitation/SKILL.md +++ b/skills/performing-blind-ssrf-exploitation/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-blind-ssrf-exploitation -description: Detect and exploit blind Server-Side Request Forgery vulnerabilities using out-of-band techniques, DNS interactions, - and timing analysis to access internal services and cloud metadata endpoints. +description: Detect and exploit blind Server-Side Request Forgery vulnerabilities + using out-of-band techniques, DNS interactions, and timing analysis to access internal + services and cloud metadata endpoints. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1078.004 --- # Performing Blind SSRF Exploitation diff --git a/skills/performing-bluetooth-security-assessment/SKILL.md b/skills/performing-bluetooth-security-assessment/SKILL.md index 49222568..82b2c181 100644 --- a/skills/performing-bluetooth-security-assessment/SKILL.md +++ b/skills/performing-bluetooth-security-assessment/SKILL.md @@ -1,6 +1,7 @@ --- name: performing-bluetooth-security-assessment -description: Assess Bluetooth Low Energy device security by scanning, enumerating GATT services, and detecting vulnerabilities +description: Assess Bluetooth Low Energy device security by scanning, enumerating + GATT services, and detecting vulnerabilities domain: cybersecurity subdomain: wireless-security tags: @@ -15,6 +16,9 @@ nist_csf: - PR.IR-01 - DE.CM-01 - ID.AM-03 +mitre_attack: +- T1557 +- T1040 --- diff --git a/skills/performing-brand-monitoring-for-impersonation/SKILL.md b/skills/performing-brand-monitoring-for-impersonation/SKILL.md index c4fe4418..a770e886 100644 --- a/skills/performing-brand-monitoring-for-impersonation/SKILL.md +++ b/skills/performing-brand-monitoring-for-impersonation/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-brand-monitoring-for-impersonation -description: Monitor for brand impersonation attacks across domains, social media, mobile apps, and dark web channels to detect - phishing campaigns, fake sites, and unauthorized brand usage targeting your organization. +description: Monitor for brand impersonation attacks across domains, social media, + mobile apps, and dark web channels to detect phishing campaigns, fake sites, and + unauthorized brand usage targeting your organization. domain: cybersecurity subdomain: threat-intelligence tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 +- T1566 --- # Performing Brand Monitoring for Impersonation diff --git a/skills/performing-clickjacking-attack-test/SKILL.md b/skills/performing-clickjacking-attack-test/SKILL.md index b3f10b7d..ef0958aa 100644 --- a/skills/performing-clickjacking-attack-test/SKILL.md +++ b/skills/performing-clickjacking-attack-test/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-clickjacking-attack-test -description: Testing web applications for clickjacking vulnerabilities by assessing frame embedding controls and crafting - proof-of-concept overlay attacks during authorized security assessments. +description: Testing web applications for clickjacking vulnerabilities by assessing + frame embedding controls and crafting proof-of-concept overlay attacks during authorized + security assessments. domain: cybersecurity subdomain: web-application-security tags: @@ -25,6 +26,11 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 --- # Performing Clickjacking Attack Test diff --git a/skills/performing-cloud-asset-inventory-with-cartography/SKILL.md b/skills/performing-cloud-asset-inventory-with-cartography/SKILL.md index 67e27a80..c2de2b24 100644 --- a/skills/performing-cloud-asset-inventory-with-cartography/SKILL.md 
+++ b/skills/performing-cloud-asset-inventory-with-cartography/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-cloud-asset-inventory-with-cartography -description: Perform comprehensive cloud asset inventory and relationship mapping using Cartography to build a Neo4j security - graph of infrastructure assets, IAM permissions, and attack paths across AWS, GCP, and Azure. +description: Perform comprehensive cloud asset inventory and relationship mapping + using Cartography to build a Neo4j security graph of infrastructure assets, IAM + permissions, and attack paths across AWS, GCP, and Azure. domain: cybersecurity subdomain: cloud-security tags: @@ -21,6 +22,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 --- # Performing Cloud Asset Inventory with Cartography diff --git a/skills/performing-cloud-forensics-investigation/SKILL.md b/skills/performing-cloud-forensics-investigation/SKILL.md index 5e6c0d9b..07818fc9 100644 --- a/skills/performing-cloud-forensics-investigation/SKILL.md +++ b/skills/performing-cloud-forensics-investigation/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-cloud-forensics-investigation -description: Conduct forensic investigations in cloud environments by collecting and analyzing logs, snapshots, and metadata - from AWS, Azure, and GCP services. +description: Conduct forensic investigations in cloud environments by collecting and + analyzing logs, snapshots, and metadata from AWS, Azure, and GCP services. domain: cybersecurity subdomain: digital-forensics tags: @@ -20,6 +20,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1078.004 --- # Performing Cloud Forensics Investigation diff --git a/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md b/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md index 39936b4f..1db5be02 100644 --- a/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md 
+++ b/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-cloud-forensics-with-aws-cloudtrail -description: Perform forensic investigation of AWS environments using CloudTrail logs to reconstruct attacker activity, identify - compromised credentials, and analyze API call patterns. +description: Perform forensic investigation of AWS environments using CloudTrail logs + to reconstruct attacker activity, identify compromised credentials, and analyze + API call patterns. domain: cybersecurity subdomain: cloud-security tags: @@ -21,6 +22,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1003 --- # Performing Cloud Forensics with AWS CloudTrail diff --git a/skills/performing-cloud-incident-containment-procedures/SKILL.md b/skills/performing-cloud-incident-containment-procedures/SKILL.md index 1aab7c13..3485f234 100644 --- a/skills/performing-cloud-incident-containment-procedures/SKILL.md +++ b/skills/performing-cloud-incident-containment-procedures/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-cloud-incident-containment-procedures -description: Execute cloud-native incident containment across AWS, Azure, and GCP by isolating compromised resources, revoking - credentials, preserving forensic evidence, and applying security group restrictions to prevent lateral movement. +description: Execute cloud-native incident containment across AWS, Azure, and GCP + by isolating compromised resources, revoking credentials, preserving forensic evidence, + and applying security group restrictions to prevent lateral movement. domain: cybersecurity subdomain: incident-response tags: @@ -14,11 +15,11 @@ tags: - credential-revocation - network-isolation mitre_attack: +- T1486 +- T1490 +- T1070 - T1078 -- T1537 -- T1580 -- T1525 -- T1098 +- T1021 version: '1.0' author: mahipal license: Apache-2.0 
diff --git a/skills/performing-cloud-log-forensics-with-athena/SKILL.md b/skills/performing-cloud-log-forensics-with-athena/SKILL.md index 12e55636..53ca5a13 100644 --- a/skills/performing-cloud-log-forensics-with-athena/SKILL.md +++ b/skills/performing-cloud-log-forensics-with-athena/SKILL.md @@ -1,9 +1,10 @@ --- name: performing-cloud-log-forensics-with-athena -description: 'Uses AWS Athena to query CloudTrail, VPC Flow Logs, S3 access logs, and ALB logs for forensic investigation. - Covers CREATE TABLE DDL with partition projection, forensic SQL queries for detecting unauthorized access, data exfiltration, - lateral movement, and privilege escalation. Use when investigating AWS security incidents or building cloud-native forensic - workflows at scale. +description: 'Uses AWS Athena to query CloudTrail, VPC Flow Logs, S3 access logs, + and ALB logs for forensic investigation. Covers CREATE TABLE DDL with partition + projection, forensic SQL queries for detecting unauthorized access, data exfiltration, + lateral movement, and privilege escalation. Use when investigating AWS security + incidents or building cloud-native forensic workflows at scale. ' domain: cybersecurity @@ -25,6 +26,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1021 --- # Performing Cloud Log Forensics with AWS Athena diff --git a/skills/performing-cloud-log-forensics-with-athena/references/api-reference.md b/skills/performing-cloud-log-forensics-with-athena/references/api-reference.md new file mode 100644 index 00000000..34f1c0fa --- /dev/null +++ b/skills/performing-cloud-log-forensics-with-athena/references/api-reference.md 
@@ -0,0 +1,183 @@ +# AWS Athena API Reference + +This reference covers the Amazon Athena API as used for cloud log forensics, primarily through the AWS SDK for Python (`boto3`) and the AWS CLI. Athena is a serverless, interactive query service that runs ANSI SQL (Trino/Presto engine) directly against data in Amazon S3. + +## Authentication + +Athena uses standard AWS authentication — there is no separate Athena API key. Credentials are resolved by the AWS SDK credential provider chain, in order: + +1. Environment variables: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN` +2. Shared credentials file: `~/.aws/credentials` (profile via `AWS_PROFILE`) +3. Shared config file: `~/.aws/config` +4. IAM role for Amazon EC2 / ECS task role / EKS IRSA / Lambda execution role +5. SSO / `aws sso login` + +```python +import boto3 + +# Default credential chain +athena = boto3.client("athena", region_name="us-east-1") + +# Explicit profile / assumed role session +session = boto3.Session(profile_name="ir-forensics", region_name="us-east-1") +athena = session.client("athena") +``` + +Required IAM permissions for forensic querying (least privilege): + +| Action | Purpose | +|---|---| +| `athena:StartQueryExecution` | Submit a query | +| `athena:GetQueryExecution` | Poll query status | +| `athena:GetQueryResults` | Fetch result rows | +| `athena:StopQueryExecution` | Cancel a running query | +| `athena:GetWorkGroup` / `athena:ListWorkGroups` | Workgroup discovery | +| `glue:GetTable`, `glue:GetDatabase`, `glue:GetPartitions` | Read table metadata (Glue Data Catalog) | +| `s3:GetObject`, `s3:ListBucket` | Read source log data | +| `s3:PutObject`, `s3:GetObject` on the results bucket | Write/read query output | + +## Key Methods (boto3 `athena` client / Athena API) + +| Method | Description | Key Parameters | +|---|---|---| +| `start_query_execution` | Submit a SQL query (DDL or DML). Asynchronous — returns immediately. 
| `QueryString` (required), `QueryExecutionContext={Database, Catalog}`, `ResultConfiguration={OutputLocation, EncryptionConfiguration}`, `WorkGroup`, `ClientRequestToken` (idempotency, ≤128 chars), `ExecutionParameters` (list for `?` placeholders), `ResultReuseConfiguration` | +| `get_query_execution` | Poll a query's status, statistics, and engine details. | `QueryExecutionId` (required) | +| `get_query_results` | Retrieve result rows (paginated, max 1000 rows/page). | `QueryExecutionId` (required), `MaxResults` (1–1000), `NextToken`, `QueryResultType` | +| `stop_query_execution` | Cancel a running query. | `QueryExecutionId` (required) | +| `batch_get_query_execution` | Get details for up to 50 query IDs at once. | `QueryExecutionIds` (list, ≤50) | +| `list_query_executions` | List query IDs (most recent first). | `WorkGroup`, `MaxResults` (≤50), `NextToken` | +| `get_query_runtime_statistics` | Detailed per-stage execution stats. | `QueryExecutionId` | +| `create_work_group` / `get_work_group` | Manage workgroups (cost controls, result location, encryption). | `Name`, `Configuration` | +| `create_named_query` / `list_named_queries` | Save/list reusable saved queries. | `Name`, `Database`, `QueryString`, `WorkGroup` | +| `get_database` / `list_databases` / `list_table_metadata` | Inspect Data Catalog metadata. | `CatalogName`, `DatabaseName` | + +### `start_query_execution` parameter detail + +- `QueryString` — the SQL text. Up to 262,144 bytes (256 KB). +- `QueryExecutionContext` — `{"Database": "cloud_forensics", "Catalog": "AwsDataCatalog"}`. Sets the default database so unqualified table names resolve. +- `ResultConfiguration.OutputLocation` — `s3://aws-athena-query-results-.../` where the CSV result and metadata are written. Required unless the workgroup enforces an output location. +- `WorkGroup` — defaults to `primary`. 
Use a dedicated forensics workgroup to enforce encryption, a per-query data-scanned limit (`BytesScannedCutoffPerQuery`), and a fixed result location. +- `ExecutionParameters` — positional values for parameterized queries using `?` placeholders (prevents SQL injection when interpolating IOCs). +- `ResultReuseConfiguration` — `{"ResultReuseByAgeConfiguration": {"Enabled": true, "MaxAgeInMinutes": 60}}` reuses prior results to cut cost/latency. + +## Python SDK + +```python +# Installation +pip install boto3 + +import boto3 +import time + +athena = boto3.client("athena", region_name="us-east-1") + +def run_query(sql, database="cloud_forensics", + output="s3://aws-athena-query-results-acct-region/forensics/", + workgroup="forensics", params=None): + """Submit a query, poll to completion, return result rows.""" + kwargs = { + "QueryString": sql, + "QueryExecutionContext": {"Database": database}, + "ResultConfiguration": {"OutputLocation": output}, + "WorkGroup": workgroup, + } + if params: + kwargs["ExecutionParameters"] = params # for ? placeholders + + qid = athena.start_query_execution(**kwargs)["QueryExecutionId"] + + # Poll status + while True: + resp = athena.get_query_execution(QueryExecutionId=qid) + state = resp["QueryExecution"]["Status"]["State"] + if state in ("SUCCEEDED", "FAILED", "CANCELLED"): + break + time.sleep(1) + + if state != "SUCCEEDED": + reason = resp["QueryExecution"]["Status"].get("StateChangeReason", "") + raise RuntimeError(f"Query {state}: {reason}") + + # Paginate results + rows = [] + paginator = athena.get_paginator("get_query_results") + for page in paginator.paginate(QueryExecutionId=qid): + rows.extend(page["ResultSet"]["Rows"]) + return rows + +# Parameterized query — safe IOC lookup +run_query( + "SELECT eventtime, eventname, sourceipaddress " + "FROM cloudtrail_logs WHERE sourceipaddress = ? 
LIMIT 100", + params=["203.0.113.45"], +) +``` + +CLI equivalents: + +```bash +aws athena start-query-execution \ + --query-string "SELECT count(*) FROM cloud_forensics.cloudtrail_logs" \ + --query-execution-context Database=cloud_forensics \ + --result-configuration OutputLocation=s3://my-athena-results/ \ + --work-group forensics + +aws athena get-query-execution --query-execution-id +aws athena get-query-results --query-execution-id +``` + +## Common Response Fields + +`get_query_execution` → `QueryExecution`: + +| Field | Meaning | +|---|---| +| `QueryExecutionId` | Unique query ID | +| `Status.State` | `QUEUED` \| `RUNNING` \| `SUCCEEDED` \| `FAILED` \| `CANCELLED` | +| `Status.StateChangeReason` | Failure/cancel reason text | +| `Statistics.DataScannedInBytes` | Bytes scanned (drives cost — $5/TB scanned) | +| `Statistics.EngineExecutionTimeInMillis` | Execution time | +| `Statistics.TotalExecutionTimeInMillis` | Wall-clock including queue time | +| `ResultConfiguration.OutputLocation` | S3 path to the result CSV | + +`get_query_results` → `ResultSet.Rows` (each `Row.Data` is a list of `{"VarCharValue": ...}`); the **first row is the column header**. `ResultSetMetadata.ColumnInfo` describes column names/types. + +## Rate Limits / Service Quotas + +These are default, adjustable AWS account-level quotas (per Region): + +| Quota | Default | +|---|---| +| `StartQueryExecution` call rate (DML) | 20 calls/sec (burst), then throttled | +| `GetQueryExecution` call rate | 100 calls/sec | +| `GetQueryResults` call rate | 100 calls/sec | +| Active DML queries (running + queued) | 200 (Engine v3) | +| Active DDL queries | 20 | +| Query timeout (DML) | 30 minutes | +| DDL query timeout | 600 minutes | +| `QueryString` max size | 256 KB | +| Result page (`GetQueryResults`) | 1000 rows max | + +Throttling surfaces as `TooManyRequestsException` / `ThrottlingException`. 
boto3 retries these automatically with exponential backoff (adaptive retry mode recommended for high-volume forensic batch jobs). Cost is billed by **bytes scanned**, so partition pruning and columnar formats (Parquet/ORC) drastically reduce both cost and the chance of hitting the per-query data-scan cutoff. + +## Error Codes + +| Error | Meaning | +|---|---| +| `InvalidRequestException` | Malformed request / invalid parameter | +| `TooManyRequestsException` | API call rate or concurrent-query quota exceeded | +| `ThrottlingException` | Service throttling; back off and retry | +| `ResourceNotFoundException` | Workgroup, catalog, or named query not found | +| `MetadataException` | Glue Data Catalog metadata error | +| Query `FAILED` with `HIVE_BAD_DATA` | Row doesn't match table schema/SerDe | +| Query `FAILED` with `HIVE_CURSOR_ERROR` | S3 object unreadable (permissions, corrupt file) | +| Query `FAILED` with `HIVE_PARTITION_SCHEMA_MISMATCH` | Partition schema differs from table | +| `AccessDeniedException` | Missing IAM permission for Athena, Glue, or S3 | + +## Resources + +- Athena API Reference: https://docs.aws.amazon.com/athena/latest/APIReference/Welcome.html +- boto3 Athena client: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/athena.html +- Athena service quotas: https://docs.aws.amazon.com/athena/latest/ug/service-limits.html +- Querying AWS service logs (CloudTrail, VPC Flow, ALB, S3) in Athena: https://docs.aws.amazon.com/athena/latest/ug/querying-aws-service-logs.html +- Partition projection: https://docs.aws.amazon.com/athena/latest/ug/partition-projection.html diff --git a/skills/performing-cloud-native-forensics-with-falco/SKILL.md b/skills/performing-cloud-native-forensics-with-falco/SKILL.md index de922277..84f5fa0e 100644 --- a/skills/performing-cloud-native-forensics-with-falco/SKILL.md +++ b/skills/performing-cloud-native-forensics-with-falco/SKILL.md 
@@ -1,17 +1,21 @@ --- name: performing-cloud-native-forensics-with-falco -description: 'Uses Falco YAML rules for runtime threat detection in containers and Kubernetes, monitoring syscalls for shell - spawns, file tampering, network anomalies, and privilege escalation. Manages Falco rules via the Falco gRPC API and parses - Falco alert output. Use when building container runtime security or investigating k8s cluster compromises. +description: 'Uses Falco YAML rules for runtime threat detection in containers and + Kubernetes, monitoring syscalls for shell spawns, file tampering, network anomalies, + and privilege escalation. Manages Falco rules via the Falco gRPC API and parses + Falco alert output. Use when building container runtime security or investigating + k8s cluster compromises. ' domain: cybersecurity subdomain: cloud-security tags: -- performing -- cloud -- native -- forensics +- cloud-security +- falco +- runtime-threat-detection +- container-forensics +- kubernetes-security +- syscall-monitoring version: '1.0' author: mahipal license: Apache-2.0 @@ -20,6 +24,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1068 --- # Performing Cloud Native Forensics with Falco diff --git a/skills/performing-cloud-native-threat-hunting-with-aws-detective/SKILL.md b/skills/performing-cloud-native-threat-hunting-with-aws-detective/SKILL.md index 5f1c71a1..3dd39c36 100644 --- a/skills/performing-cloud-native-threat-hunting-with-aws-detective/SKILL.md +++ b/skills/performing-cloud-native-threat-hunting-with-aws-detective/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-cloud-native-threat-hunting-with-aws-detective -description: Hunt for threats in AWS environments using Detective behavior graphs, entity investigation timelines, GuardDuty - finding correlation, and automated entity profiling across IAM users, EC2 instances, and IP addresses. +description: Hunt for threats in AWS environments using Detective behavior graphs, + entity investigation timelines, GuardDuty finding correlation, and automated entity + profiling across IAM users, EC2 instances, and IP addresses. domain: cybersecurity subdomain: cloud-security tags: @@ -22,6 +23,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1071 --- # Performing Cloud-Native Threat Hunting with AWS Detective diff --git a/skills/performing-cloud-native-threat-hunting-with-aws-detective/references/api-reference.md b/skills/performing-cloud-native-threat-hunting-with-aws-detective/references/api-reference.md new file mode 100644 index 00000000..2f1dda76 --- /dev/null +++ b/skills/performing-cloud-native-threat-hunting-with-aws-detective/references/api-reference.md 
@@ -0,0 +1,177 @@ +# AWS Detective API Reference + +This reference covers the Amazon Detective API for cloud-native threat hunting, via the AWS SDK for Python (`boto3`) and the AWS CLI. Detective ingests CloudTrail, VPC Flow Logs, GuardDuty findings, and EKS audit logs into a **behavior graph** and exposes entity profiles, finding groups, and guided investigations. + +## Authentication + +Detective uses standard AWS IAM authentication — no separate API key. Credentials resolve through the SDK credential provider chain (environment variables, `~/.aws/credentials` profile, EC2/ECS/EKS/Lambda role, or SSO). + +```python +import boto3 + +detective = boto3.client("detective", region_name="us-east-1") +``` + +Required IAM permissions (managed policy `AmazonDetectiveFullAccess`, or least-privilege custom): + +| Action | Purpose | +|---|---| +| `detective:ListGraphs` | Discover behavior graphs | +| `detective:ListInvestigations` | List guided investigations | +| `detective:GetInvestigation` | Get an investigation's results | +| `detective:ListIndicators` | List indicators for an investigation | +| `detective:StartInvestigation` | Launch a new investigation on an entity | +| `detective:ListMembers` / `detective:GetMembers` | Multi-account graph membership | +| `guardduty:ListFindings`, `guardduty:GetFindings` | Correlate GuardDuty findings | + +**Prerequisite:** Amazon GuardDuty must be enabled and active for at least 48 hours before Detective can build a usable behavior graph. + +## Key Methods (boto3 `detective` client) + +| Method | Description | Key Parameters | +|---|---|---| +| `list_graphs` | List behavior graphs the account administers. | `MaxResults`, `NextToken` | +| `start_investigation` | Run an automated investigation on an entity over a scope window. | `GraphArn` (required), `EntityArn` (required), `ScopeStartTime`, `ScopeEndTime` | +| `get_investigation` | Retrieve an investigation's results (severity, status, scope, entity). 
| `GraphArn` (required), `InvestigationId` (required) | +| `list_investigations` | List investigations, filterable/sortable. | `GraphArn` (required), `FilterCriteria`, `SortCriteria`, `MaxResults`, `NextToken` | +| `list_indicators` | List indicators (TTPs, anomalies) tied to an investigation. | `GraphArn` (required), `InvestigationId` (required), `IndicatorType`, `MaxResults`, `NextToken` | +| `list_members` / `get_members` | Member accounts in the behavior graph. | `GraphArn`, `AccountIds` | +| `create_members` / `delete_members` | Invite/remove member accounts. | `GraphArn`, `Accounts` | +| `list_datasource_packages` | Optional data sources enabled (EKS audit, etc.). | `GraphArn` | +| `update_investigation_state` | Mark an investigation `ARCHIVED` / `ACTIVE`. | `GraphArn`, `InvestigationId`, `State` | + +### `list_indicators` — verified parameters + +`GraphArn` (string, required), `InvestigationId` (string, required), `IndicatorType` (string, optional filter), `NextToken` (string — pagination token; **expires after 24 hours**), `MaxResults` (integer). Valid `IndicatorType` values: + +`TTP_OBSERVED` · `IMPOSSIBLE_TRAVEL` · `FLAGGED_IP_ADDRESS` · `NEW_GEOLOCATION` · `NEW_ASO` (new autonomous system org) · `NEW_USER_AGENT` · `RELATED_FINDING` · `RELATED_FINDING_GROUP` + +### `get_investigation` — verified + +Request: `GraphArn` (the behavior graph ARN), `InvestigationId`. Response includes `CreatedTime` (UTC ISO8601, e.g. `2021-08-18T16:35:56.284Z`), `EntityArn`, `EntityType`, `GraphArn`, `InvestigationId`, `ScopeStartTime`, `ScopeEndTime`, plus severity/status/state. 
+ +### `list_investigations` filter / sort detail + +```python +FilterCriteria = { + "Severity": {"Value": "CRITICAL"}, # INFORMATIONAL|LOW|MEDIUM|HIGH|CRITICAL + "Status": {"Value": "RUNNING"}, # RUNNING|FAILED|SUCCESSFUL + "State": {"Value": "ACTIVE"}, # ACTIVE|ARCHIVED + "EntityArn": {"Value": "arn:aws:iam::123456789012:user/suspicious"}, + "CreatedTime": {"StartInclusive": , "EndInclusive": }, +} +SortCriteria = {"Field": "SEVERITY", "SortOrder": "DESC"} # CREATED_TIME|SEVERITY|STATUS +``` + +## Python SDK + +```python +# Installation +pip install boto3 + +import boto3 + +detective = boto3.client("detective", region_name="us-east-1") + +def hunt_critical(graph_arn): + """List critical, currently-running investigations and their indicators.""" + inv = detective.list_investigations( + GraphArn=graph_arn, + FilterCriteria={ + "Severity": {"Value": "CRITICAL"}, + "Status": {"Value": "RUNNING"}, + }, + SortCriteria={"Field": "SEVERITY", "SortOrder": "DESC"}, + MaxResults=20, + ) + for d in inv.get("InvestigationDetails", []): + print(d["InvestigationId"], d["EntityArn"], d["Severity"]) + ind = detective.list_indicators( + GraphArn=graph_arn, + InvestigationId=d["InvestigationId"], + MaxResults=50, + ) + for i in ind.get("Indicators", []): + print(" ", i["IndicatorType"], i.get("IndicatorDetail")) + +# Launch a fresh investigation on a suspect IAM principal +def investigate_entity(graph_arn, entity_arn, start, end): + resp = detective.start_investigation( + GraphArn=graph_arn, + EntityArn=entity_arn, + ScopeStartTime=start, # datetime + ScopeEndTime=end, # datetime + ) + return resp["InvestigationId"] + +for g in detective.list_graphs().get("GraphList", []): + hunt_critical(g["Arn"]) +``` + +CLI equivalents: + +```bash +aws detective list-graphs --output table + +aws detective list-investigations \ + --graph-arn arn:aws:detective:us-east-1:123456789012:graph:abc \ + --filter-criteria '{"Severity":{"Value":"HIGH"}}' \ + --max-results 10 + +aws detective 
list-indicators \ + --graph-arn arn:aws:detective:us-east-1:123456789012:graph:abc \ + --investigation-id 000000000000000000001 --max-results 50 +``` + +## Common Response Fields + +`list_investigations` → `InvestigationDetails[]`: + +| Field | Meaning | +|---|---| +| `InvestigationId` | Unique investigation ID | +| `Severity` | `INFORMATIONAL` \| `LOW` \| `MEDIUM` \| `HIGH` \| `CRITICAL` | +| `Status` | `RUNNING` \| `FAILED` \| `SUCCESSFUL` | +| `State` | `ACTIVE` \| `ARCHIVED` | +| `EntityArn` | The entity under investigation | +| `EntityType` | `IAM_USER` \| `IAM_ROLE` (etc.) | +| `CreatedTime` | Investigation creation timestamp (UTC ISO8601) | + +`list_indicators` → `Indicators[]`: each has `IndicatorType` plus an `IndicatorDetail` union populated for the matching type (e.g. `FlaggedIpAddressDetail`, `ImpossibleTravelDetail`, `NewGeolocationDetail`, `TTPsObservedDetail` carrying MITRE ATT&CK tactic/technique). + +## Rate Limits / Service Quotas + +Detective enforces account-level, per-Region quotas (most adjustable via Service Quotas): + +| Quota | Default | +|---|---| +| Member accounts per behavior graph | 1,200 | +| Behavior graphs (administrator) per Region | 1 | +| Data retention in behavior graph | 1 year of rolling history | +| Investigation scope window | up to 1 year | +| Pagination token (`list_indicators` `NextToken`) lifetime | 24 hours | +| API request rate | Throttled per standard AWS API limits | + +Throttling returns `TooManyRequestsException`; boto3 retries with exponential backoff. There is no per-request monetary charge for the API itself — Detective is billed by **volume of log data ingested** into the behavior graph (GB/month, tiered). 
+ +## Error Codes + +| Error | Meaning | +|---|---| +| `AccessDeniedException` | Caller lacks the required `detective:*` permission | +| `ValidationException` | Invalid parameter (bad ARN, malformed filter) | +| `ResourceNotFoundException` | Graph, investigation, or entity not found | +| `TooManyRequestsException` | API rate quota exceeded; back off and retry | +| `ConflictException` | Concurrent modification of graph membership | +| `InternalServerException` | Transient service-side error; retry | +| `ServiceQuotaExceededException` | Member/graph quota exceeded | + +## Resources + +- Detective API Reference: https://docs.aws.amazon.com/detective/latest/APIReference/Welcome.html +- `ListInvestigations`: https://docs.aws.amazon.com/detective/latest/APIReference/API_ListInvestigations.html +- `GetInvestigation`: https://docs.aws.amazon.com/detective/latest/APIReference/API_GetInvestigation.html +- `StartInvestigation`: https://docs.aws.amazon.com/detective/latest/APIReference/API_StartInvestigation.html +- boto3 `list_indicators`: https://docs.aws.amazon.com/boto3/latest/reference/services/detective/client/list_indicators.html +- boto3 Detective client: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/detective.html +- Detective + GuardDuty integration: https://docs.aws.amazon.com/detective/latest/userguide/detective-integration-guardduty.html diff --git a/skills/performing-cloud-penetration-testing-with-pacu/SKILL.md b/skills/performing-cloud-penetration-testing-with-pacu/SKILL.md index 18a6908e..57228336 100644 --- a/skills/performing-cloud-penetration-testing-with-pacu/SKILL.md +++ b/skills/performing-cloud-penetration-testing-with-pacu/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-cloud-penetration-testing-with-pacu -description: 'Performing authorized AWS penetration testing using Pacu, the open-source AWS exploitation framework, to enumerate - IAM configurations, discover privilege escalation paths, test credential harvesting, and validate security controls through +description: 'Performing authorized AWS penetration testing using Pacu, the open-source + AWS exploitation framework, to enumerate IAM configurations, discover privilege + escalation paths, test credential harvesting, and validate security controls through systematic attack simulation. ' @@ -22,6 +23,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1068 --- # Performing Cloud Penetration Testing with Pacu diff --git a/skills/performing-cloud-storage-forensic-acquisition/SKILL.md b/skills/performing-cloud-storage-forensic-acquisition/SKILL.md index cc53e9e3..f2c13dfb 100644 --- a/skills/performing-cloud-storage-forensic-acquisition/SKILL.md +++ b/skills/performing-cloud-storage-forensic-acquisition/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-cloud-storage-forensic-acquisition -description: Perform forensic acquisition and analysis of cloud storage services including Google Drive, OneDrive, Dropbox, - and Box by collecting both API-based remote data and local sync client artifacts from endpoint devices. +description: Perform forensic acquisition and analysis of cloud storage services including + Google Drive, OneDrive, Dropbox, and Box by collecting both API-based remote data + and local sync client artifacts from endpoint devices. domain: cybersecurity subdomain: digital-forensics tags: @@ -31,6 +32,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1059 --- # Performing Cloud Storage Forensic Acquisition 
diff --git a/skills/performing-container-escape-detection/SKILL.md b/skills/performing-container-escape-detection/SKILL.md index 49c6b473..9661f7ea 100644 --- a/skills/performing-container-escape-detection/SKILL.md +++ b/skills/performing-container-escape-detection/SKILL.md @@ -1,17 +1,20 @@ --- name: performing-container-escape-detection -description: 'Detects container escape attempts by analyzing namespace configurations, privileged container checks, dangerous - capability assignments, and host path mounts using the kubernetes Python client. Identifies CVE-2022-0492 style escapes - via cgroup abuse. Use when auditing container security posture or investigating escape attempts. +description: 'Detects container escape attempts by analyzing namespace configurations, + privileged container checks, dangerous capability assignments, and host path mounts + using the kubernetes Python client. Identifies CVE-2022-0492 style escapes via cgroup + abuse. Use when auditing container security posture or investigating escape attempts. ' domain: cybersecurity subdomain: container-security tags: -- performing -- container -- escape -- detection +- container-security +- container-escape +- privileged-container +- namespace-analysis +- linux-capabilities +- threat-detection version: '1.0' author: mahipal license: Apache-2.0 @@ -20,6 +23,11 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 --- # Performing Container Escape Detection diff --git a/skills/performing-container-image-hardening/SKILL.md b/skills/performing-container-image-hardening/SKILL.md index 33e8e207..124a4401 100644 --- a/skills/performing-container-image-hardening/SKILL.md +++ b/skills/performing-container-image-hardening/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-container-image-hardening -description: 'This skill covers hardening container images by minimizing attack surface, removing unnecessary packages, implementing - multi-stage builds, configuring non-root users, and applying CIS Docker Benchmark recommendations to produce secure production-ready +description: 'This skill covers hardening container images by minimizing attack surface, + removing unnecessary packages, implementing multi-stage builds, configuring non-root + users, and applying CIS Docker Benchmark recommendations to produce secure production-ready images. ' @@ -22,6 +23,12 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195 +- T1554 +- T1059.004 +- T1610 +- T1611 --- # Performing Container Image Hardening diff --git a/skills/performing-container-security-scanning-with-trivy/SKILL.md b/skills/performing-container-security-scanning-with-trivy/SKILL.md index 411932a5..f398f706 100644 --- a/skills/performing-container-security-scanning-with-trivy/SKILL.md +++ b/skills/performing-container-security-scanning-with-trivy/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-container-security-scanning-with-trivy -description: Scan container images, filesystems, and Kubernetes manifests for vulnerabilities, misconfigurations, exposed - secrets, and license compliance issues using Aqua Security Trivy with SBOM generation and CI/CD integration. +description: Scan container images, filesystems, and Kubernetes manifests for vulnerabilities, + misconfigurations, exposed secrets, and license compliance issues using Aqua Security + Trivy with SBOM generation and CI/CD integration. domain: cybersecurity subdomain: container-security tags: @@ -21,6 +22,12 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 +- T1195 --- # Performing Container Security Scanning with Trivy 
diff --git a/skills/performing-content-security-policy-bypass/SKILL.md b/skills/performing-content-security-policy-bypass/SKILL.md index c81ba173..8d1336c9 100644 --- a/skills/performing-content-security-policy-bypass/SKILL.md +++ b/skills/performing-content-security-policy-bypass/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-content-security-policy-bypass -description: Analyze and bypass Content Security Policy implementations to achieve cross-site scripting by exploiting misconfigurations, - JSONP endpoints, unsafe directives, and policy injection techniques. +description: Analyze and bypass Content Security Policy implementations to achieve + cross-site scripting by exploiting misconfigurations, JSONP endpoints, unsafe directives, + and policy injection techniques. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1055 --- # Performing Content Security Policy Bypass diff --git a/skills/performing-credential-access-with-lazagne/SKILL.md b/skills/performing-credential-access-with-lazagne/SKILL.md index 251d92b9..b70dc12f 100644 --- a/skills/performing-credential-access-with-lazagne/SKILL.md +++ b/skills/performing-credential-access-with-lazagne/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-credential-access-with-lazagne -description: Extract stored credentials from compromised endpoints using the LaZagne post-exploitation tool to recover passwords - from browsers, databases, system vaults, and applications during authorized red team operations. +description: Extract stored credentials from compromised endpoints using the LaZagne + post-exploitation tool to recover passwords from browsers, databases, system vaults, + and applications during authorized red team operations. domain: cybersecurity subdomain: red-teaming tags: 
@@ -25,6 +26,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1021 --- # Performing Credential Access with LaZagne diff --git a/skills/performing-cryptographic-audit-of-application/SKILL.md b/skills/performing-cryptographic-audit-of-application/SKILL.md index 295e8ab4..8a3e1c1c 100644 --- a/skills/performing-cryptographic-audit-of-application/SKILL.md +++ b/skills/performing-cryptographic-audit-of-application/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-cryptographic-audit-of-application -description: A cryptographic audit systematically reviews an application's use of cryptographic primitives, protocols, and - key management to identify vulnerabilities such as weak algorithms, insecure modes, hardco +description: A cryptographic audit systematically reviews an application's use of + cryptographic primitives, protocols, and key management to identify vulnerabilities + such as weak algorithms, insecure modes, hardco domain: cybersecurity subdomain: cryptography tags: @@ -17,6 +18,10 @@ nist_csf: - PR.DS-01 - PR.DS-02 - PR.DS-10 +mitre_attack: +- T1600 +- T1573 +- T1553 --- # Performing Cryptographic Audit of Application diff --git a/skills/performing-csrf-attack-simulation/SKILL.md b/skills/performing-csrf-attack-simulation/SKILL.md index 521ae714..0a216cf4 100644 --- a/skills/performing-csrf-attack-simulation/SKILL.md +++ b/skills/performing-csrf-attack-simulation/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-csrf-attack-simulation -description: Testing web applications for Cross-Site Request Forgery vulnerabilities by crafting forged requests that exploit - authenticated user sessions during authorized security assessments. +description: Testing web applications for Cross-Site Request Forgery vulnerabilities + by crafting forged requests that exploit authenticated user sessions during authorized + security assessments. domain: cybersecurity subdomain: web-application-security tags: 
@@ -19,6 +20,11 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 --- # Performing CSRF Attack Simulation diff --git a/skills/performing-cve-prioritization-with-kev-catalog/SKILL.md b/skills/performing-cve-prioritization-with-kev-catalog/SKILL.md index 46f80df6..e2718c84 100644 --- a/skills/performing-cve-prioritization-with-kev-catalog/SKILL.md +++ b/skills/performing-cve-prioritization-with-kev-catalog/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-cve-prioritization-with-kev-catalog -description: Leverage the CISA Known Exploited Vulnerabilities catalog alongside EPSS and CVSS to prioritize CVE remediation - based on real-world exploitation evidence. +description: Leverage the CISA Known Exploited Vulnerabilities catalog alongside EPSS + and CVSS to prioritize CVE remediation based on real-world exploitation evidence. domain: cybersecurity subdomain: vulnerability-management tags: @@ -28,6 +28,10 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 --- # Performing CVE Prioritization with KEV Catalog diff --git a/skills/performing-dark-web-monitoring-for-threats/SKILL.md b/skills/performing-dark-web-monitoring-for-threats/SKILL.md index 116c20ef..0c5e8857 100644 --- a/skills/performing-dark-web-monitoring-for-threats/SKILL.md +++ b/skills/performing-dark-web-monitoring-for-threats/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-dark-web-monitoring-for-threats -description: Dark web monitoring involves systematically scanning Tor hidden services, underground forums, paste sites, and - dark web marketplaces to identify threats targeting an organization, including leaked cre +description: Dark web monitoring involves systematically scanning Tor hidden services, + underground forums, paste sites, and dark web marketplaces to identify threats targeting + an organization, including leaked cre domain: cybersecurity subdomain: threat-intelligence tags: 
@@ -21,6 +22,11 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 --- # Performing Dark Web Monitoring for Threats diff --git a/skills/performing-deception-technology-deployment/SKILL.md b/skills/performing-deception-technology-deployment/SKILL.md index 6c223965..4e4f7713 100644 --- a/skills/performing-deception-technology-deployment/SKILL.md +++ b/skills/performing-deception-technology-deployment/SKILL.md @@ -1,9 +1,10 @@ --- name: performing-deception-technology-deployment -description: 'Deploys deception technology including honeypots, honeytokens, and decoy systems to detect attackers who have - bypassed perimeter defenses, providing high-fidelity alerts with near-zero false positive rates. Use when SOC teams need - early warning of lateral movement, credential abuse, or internal reconnaissance by deploying convincing traps across the - network. +description: 'Deploys deception technology including honeypots, honeytokens, and decoy + systems to detect attackers who have bypassed perimeter defenses, providing high-fidelity + alerts with near-zero false positive rates. Use when SOC teams need early warning + of lateral movement, credential abuse, or internal reconnaissance by deploying convincing + traps across the network. ' domain: cybersecurity @@ -24,6 +25,12 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1685.002 +- T1685.005 +- T1566 +- T1021 --- # Performing Deception Technology Deployment diff --git a/skills/performing-directory-traversal-testing/SKILL.md b/skills/performing-directory-traversal-testing/SKILL.md index d905b274..13ce5523 100644 --- a/skills/performing-directory-traversal-testing/SKILL.md +++ b/skills/performing-directory-traversal-testing/SKILL.md 
@@ -1,7 +1,7 @@ --- name: performing-directory-traversal-testing -description: Testing web applications for path traversal vulnerabilities that allow reading or writing arbitrary files on - the server by manipulating file path parameters. +description: Testing web applications for path traversal vulnerabilities that allow + reading or writing arbitrary files on the server by manipulating file path parameters. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +19,11 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 --- # Performing Directory Traversal Testing diff --git a/skills/performing-disk-forensics-investigation/SKILL.md b/skills/performing-disk-forensics-investigation/SKILL.md index d9bf3301..8c9dd611 100644 --- a/skills/performing-disk-forensics-investigation/SKILL.md +++ b/skills/performing-disk-forensics-investigation/SKILL.md @@ -1,9 +1,11 @@ --- name: performing-disk-forensics-investigation -description: 'Conducts disk forensics investigations using forensic imaging, file system analysis, artifact recovery, and - timeline reconstruction to support incident response cases. Utilizes tools such as FTK Imager, Autopsy, and The Sleuth Kit - for evidence acquisition, deleted file recovery, and artifact examination. Activates for requests involving disk forensics, - hard drive analysis, forensic imaging, file recovery, evidence acquisition, or digital forensic investigation. +description: 'Conducts disk forensics investigations using forensic imaging, file + system analysis, artifact recovery, and timeline reconstruction to support incident + response cases. Utilizes tools such as FTK Imager, Autopsy, and The Sleuth Kit for + evidence acquisition, deleted file recovery, and artifact examination. Activates + for requests involving disk forensics, hard drive analysis, forensic imaging, file + recovery, evidence acquisition, or digital forensic investigation. ' domain: cybersecurity 
@@ -15,10 +17,11 @@ tags: - file-recovery - chain-of-custody mitre_attack: +- T1486 +- T1490 - T1070 -- T1027 -- T1036 -- T1564 +- T1078 +- T1005 version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/performing-dmarc-policy-enforcement-rollout/SKILL.md b/skills/performing-dmarc-policy-enforcement-rollout/SKILL.md index 33afab4c..d5bc3c82 100644 --- a/skills/performing-dmarc-policy-enforcement-rollout/SKILL.md +++ b/skills/performing-dmarc-policy-enforcement-rollout/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-dmarc-policy-enforcement-rollout -description: Execute a phased DMARC rollout from p=none monitoring through p=quarantine to p=reject enforcement, ensuring - all legitimate email sources are authenticated before blocking unauthorized senders. +description: Execute a phased DMARC rollout from p=none monitoring through p=quarantine + to p=reject enforcement, ensuring all legitimate email sources are authenticated + before blocking unauthorized senders. domain: cybersecurity subdomain: phishing-defense tags: @@ -21,6 +22,11 @@ nist_csf: - DE.CM-09 - RS.CO-02 - DE.AE-02 +mitre_attack: +- T1566 +- T1598 +- T1534 +- T1036 --- # Performing DMARC Policy Enforcement Rollout diff --git a/skills/performing-dns-enumeration-and-zone-transfer/SKILL.md b/skills/performing-dns-enumeration-and-zone-transfer/SKILL.md index 5f450f8e..0bef19ad 100644 --- a/skills/performing-dns-enumeration-and-zone-transfer/SKILL.md +++ b/skills/performing-dns-enumeration-and-zone-transfer/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-dns-enumeration-and-zone-transfer -description: 'Enumerates DNS records, attempts zone transfers, brute-forces subdomains, and maps DNS infrastructure during - authorized reconnaissance to identify attack surface, misconfigurations, and information disclosure in target domains. +description: 'Enumerates DNS records, attempts zone transfers, brute-forces subdomains, + and maps DNS infrastructure during authorized reconnaissance to identify attack + surface, misconfigurations, and information disclosure in target domains. ' domain: cybersecurity @@ -20,6 +21,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1595 --- # Performing DNS Enumeration and Zone Transfer diff --git a/skills/performing-dns-tunneling-detection/SKILL.md b/skills/performing-dns-tunneling-detection/SKILL.md index 15dedd7d..38511248 100644 --- a/skills/performing-dns-tunneling-detection/SKILL.md +++ b/skills/performing-dns-tunneling-detection/SKILL.md 
@@ -1,17 +1,21 @@ --- name: performing-dns-tunneling-detection -description: 'Detects DNS tunneling by computing Shannon entropy of DNS query names, analyzing query length distributions, - inspecting TXT record payloads, and identifying high subdomain cardinality. Uses scapy for packet capture analysis and statistical - methods to distinguish legitimate DNS from covert channels. Use when hunting for data exfiltration. +description: 'Detects DNS tunneling by computing Shannon entropy of DNS query names, + analyzing query length distributions, inspecting TXT record payloads, and identifying + high subdomain cardinality. Uses scapy for packet capture analysis and statistical + methods to distinguish legitimate DNS from covert channels. Use when hunting for + data exfiltration. ' domain: cybersecurity subdomain: security-operations tags: -- performing -- dns -- tunneling -- detection +- dns-tunneling +- exfiltration-detection +- shannon-entropy +- dns-analysis +- threat-detection +- security-operations version: '1.0' author: mahipal license: Apache-2.0 @@ -20,6 +24,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1048 +- T1041 --- # Performing DNS Tunneling Detection diff --git a/skills/performing-docker-bench-security-assessment/SKILL.md b/skills/performing-docker-bench-security-assessment/SKILL.md index 4b49fe13..ff40380c 100644 --- a/skills/performing-docker-bench-security-assessment/SKILL.md +++ b/skills/performing-docker-bench-security-assessment/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-docker-bench-security-assessment -description: Docker Bench for Security is an open-source script that checks dozens of common best practices around deploying - Docker containers in production. Based on the CIS Docker Benchmark, it audits host confi +description: Docker Bench for Security is an open-source script that checks dozens + of common best practices around deploying Docker containers in production. Based + on the CIS Docker Benchmark, it audits host confi domain: cybersecurity subdomain: container-security tags: @@ -18,6 +19,11 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 --- # Performing Docker Bench Security Assessment diff --git a/skills/performing-dynamic-analysis-of-android-app/SKILL.md b/skills/performing-dynamic-analysis-of-android-app/SKILL.md index b4c95f2b..e0d507dd 100644 --- a/skills/performing-dynamic-analysis-of-android-app/SKILL.md +++ b/skills/performing-dynamic-analysis-of-android-app/SKILL.md 
@@ -1,10 +1,12 @@ --- name: performing-dynamic-analysis-of-android-app -description: 'Performs runtime dynamic analysis of Android applications using Frida, Objection, and Android Debug Bridge to - observe application behavior during execution, intercept function calls, modify runtime values, and identify vulnerabilities - that static analysis misses. Use when testing Android apps for runtime security flaws, hooking sensitive methods, bypassing - client-side protections, or analyzing obfuscated applications. Activates for requests involving Android dynamic analysis, - runtime hooking, Frida Android instrumentation, or live app behavior analysis. +description: 'Performs runtime dynamic analysis of Android applications using Frida, + Objection, and Android Debug Bridge to observe application behavior during execution, + intercept function calls, modify runtime values, and identify vulnerabilities that + static analysis misses. Use when testing Android apps for runtime security flaws, + hooking sensitive methods, bypassing client-side protections, or analyzing obfuscated + applications. Activates for requests involving Android dynamic analysis, runtime + hooking, Frida Android instrumentation, or live app behavior analysis. ' domain: cybersecurity @@ -24,6 +26,12 @@ nist_csf: - PR.AA-05 - ID.RA-01 - DE.CM-09 +mitre_attack: +- T1059 +- T1056 +- T1036 +- T1078 +- T1027 --- # Performing Dynamic Analysis of Android App diff --git a/skills/performing-dynamic-analysis-with-any-run/SKILL.md b/skills/performing-dynamic-analysis-with-any-run/SKILL.md index d7db2822..76118f23 100644 --- a/skills/performing-dynamic-analysis-with-any-run/SKILL.md +++ b/skills/performing-dynamic-analysis-with-any-run/SKILL.md 
@@ -1,8 +1,10 @@ --- name: performing-dynamic-analysis-with-any-run -description: 'Performs interactive dynamic malware analysis using the ANY.RUN cloud sandbox to observe real-time execution - behavior, interact with malware prompts, and capture process trees, network traffic, and system changes. Activates for requests - involving interactive sandbox analysis, cloud-based malware detonation, real-time behavioral observation, or ANY.RUN usage. +description: 'Performs interactive dynamic malware analysis using the ANY.RUN cloud + sandbox to observe real-time execution behavior, interact with malware prompts, + and capture process trees, network traffic, and system changes. Activates for requests + involving interactive sandbox analysis, cloud-based malware detonation, real-time + behavioral observation, or ANY.RUN usage. ' domain: cybersecurity @@ -27,6 +29,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1055 +- T1140 +- T1497 +- T1591 --- # Performing Dynamic Analysis with ANY.RUN diff --git a/skills/performing-endpoint-forensics-investigation/SKILL.md b/skills/performing-endpoint-forensics-investigation/SKILL.md index 760570d3..0dd52083 100644 --- a/skills/performing-endpoint-forensics-investigation/SKILL.md +++ b/skills/performing-endpoint-forensics-investigation/SKILL.md 
@@ -1,9 +1,10 @@ --- name: performing-endpoint-forensics-investigation -description: 'Performs digital forensics investigation on compromised endpoints including memory acquisition, disk imaging, - artifact analysis, and timeline reconstruction. Use when investigating security incidents, collecting evidence for legal - proceedings, or analyzing endpoint compromise scope. Activates for requests involving endpoint forensics, memory analysis, - disk forensics, or incident investigation. +description: 'Performs digital forensics investigation on compromised endpoints including + memory acquisition, disk imaging, artifact analysis, and timeline reconstruction. + Use when investigating security incidents, collecting evidence for legal proceedings, + or analyzing endpoint compromise scope. Activates for requests involving endpoint + forensics, memory analysis, disk forensics, or incident investigation. ' domain: cybersecurity @@ -23,6 +24,12 @@ nist_csf: - PR.PS-02 - DE.CM-01 - PR.IR-01 +mitre_attack: +- T1055 +- T1547 +- T1059 +- T1036 +- T1005 --- # Performing Endpoint Forensics Investigation diff --git a/skills/performing-endpoint-vulnerability-remediation/SKILL.md b/skills/performing-endpoint-vulnerability-remediation/SKILL.md index 59ce660c..6c6be0c6 100644 --- a/skills/performing-endpoint-vulnerability-remediation/SKILL.md +++ b/skills/performing-endpoint-vulnerability-remediation/SKILL.md 
@@ -1,9 +1,11 @@ --- name: performing-endpoint-vulnerability-remediation -description: 'Performs vulnerability remediation on endpoints by prioritizing CVEs based on risk scoring, deploying patches, - applying configuration changes, and validating fixes. Use when remediating findings from vulnerability scans, responding - to critical CVE advisories, or maintaining endpoint compliance with patch management SLAs. Activates for requests involving - vulnerability remediation, CVE patching, endpoint vulnerability management, or security fix deployment. +description: 'Performs vulnerability remediation on endpoints by prioritizing CVEs + based on risk scoring, deploying patches, applying configuration changes, and validating + fixes. Use when remediating findings from vulnerability scans, responding to critical + CVE advisories, or maintaining endpoint compliance with patch management SLAs. Activates + for requests involving vulnerability remediation, CVE patching, endpoint vulnerability + management, or security fix deployment. ' domain: cybersecurity @@ -23,6 +25,11 @@ nist_csf: - PR.PS-02 - DE.CM-01 - PR.IR-01 +mitre_attack: +- T1055 +- T1547 +- T1059 +- T1036 --- # Performing Endpoint Vulnerability Remediation diff --git a/skills/performing-entitlement-review-with-sailpoint-iiq/SKILL.md b/skills/performing-entitlement-review-with-sailpoint-iiq/SKILL.md index d3a0778a..ea8af51b 100644 --- a/skills/performing-entitlement-review-with-sailpoint-iiq/SKILL.md +++ b/skills/performing-entitlement-review-with-sailpoint-iiq/SKILL.md 
@@ -1,9 +1,10 @@ --- name: performing-entitlement-review-with-sailpoint-iiq -description: 'Performs entitlement review and access certification campaigns using SailPoint IdentityIQ including manager - certifications, targeted entitlement reviews, role-based access validation, SOD violation remediation, and automated revocation - workflows. Activates for requests involving access reviews, entitlement certifications, SailPoint IIQ governance, or periodic - user access recertification. +description: 'Performs entitlement review and access certification campaigns using + SailPoint IdentityIQ including manager certifications, targeted entitlement reviews, + role-based access validation, SOD violation remediation, and automated revocation + workflows. Activates for requests involving access reviews, entitlement certifications, + SailPoint IIQ governance, or periodic user access recertification. ' domain: cybersecurity @@ -23,6 +24,11 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 --- # Performing Entitlement Review with SailPoint IdentityIQ diff --git a/skills/performing-external-network-penetration-test/SKILL.md b/skills/performing-external-network-penetration-test/SKILL.md index 58affa0b..ecaa19a0 100644 --- a/skills/performing-external-network-penetration-test/SKILL.md +++ b/skills/performing-external-network-penetration-test/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-external-network-penetration-test -description: Conduct a comprehensive external network penetration test to identify vulnerabilities in internet-facing infrastructure - using PTES methodology, reconnaissance, scanning, exploitation, and reporting. +description: Conduct a comprehensive external network penetration test to identify + vulnerabilities in internet-facing infrastructure using PTES methodology, reconnaissance, + scanning, exploitation, and reporting. domain: cybersecurity subdomain: penetration-testing tags: 
@@ -22,6 +23,12 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1592 --- # Performing External Network Penetration Test diff --git a/skills/performing-false-positive-reduction-in-siem/SKILL.md b/skills/performing-false-positive-reduction-in-siem/SKILL.md index a01934e8..328c9fc5 100644 --- a/skills/performing-false-positive-reduction-in-siem/SKILL.md +++ b/skills/performing-false-positive-reduction-in-siem/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-false-positive-reduction-in-siem -description: Perform systematic SIEM false positive reduction through rule tuning, threshold adjustment, correlation refinement, - and threat intelligence enrichment to combat alert fatigue. +description: Perform systematic SIEM false positive reduction through rule tuning, + threshold adjustment, correlation refinement, and threat intelligence enrichment + to combat alert fatigue. domain: cybersecurity subdomain: soc-operations tags: @@ -26,6 +27,11 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1685.002 +- T1685.005 +- T1566 --- # Performing False Positive Reduction in SIEM diff --git a/skills/performing-file-carving-with-foremost/SKILL.md b/skills/performing-file-carving-with-foremost/SKILL.md index ec6bb857..93bf36cd 100644 --- a/skills/performing-file-carving-with-foremost/SKILL.md +++ b/skills/performing-file-carving-with-foremost/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-file-carving-with-foremost -description: Recover files from disk images and unallocated space using Foremost's header-footer signature carving to extract - evidence regardless of file system state. +description: Recover files from disk images and unallocated space using Foremost's + header-footer signature carving to extract evidence regardless of file system state. domain: cybersecurity subdomain: digital-forensics tags: 
@@ -19,6 +19,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1059 --- # Performing File Carving with Foremost diff --git a/skills/performing-firmware-extraction-with-binwalk/SKILL.md b/skills/performing-firmware-extraction-with-binwalk/SKILL.md index db878244..3497bba8 100644 --- a/skills/performing-firmware-extraction-with-binwalk/SKILL.md +++ b/skills/performing-firmware-extraction-with-binwalk/SKILL.md @@ -1,10 +1,12 @@ --- name: performing-firmware-extraction-with-binwalk -description: 'Performs firmware image extraction and analysis using binwalk to identify embedded filesystems, compressed archives, - bootloaders, kernel images, and cryptographic material. Covers entropy analysis for detecting encrypted or compressed regions, - recursive extraction of nested archives, SquashFS/CramFS/JFFS2 filesystem mounting, and string analysis for credential and - configuration discovery. Activates for requests involving firmware reverse engineering, IoT device analysis, embedded system - security assessment, or router/camera firmware extraction. +description: 'Performs firmware image extraction and analysis using binwalk to identify + embedded filesystems, compressed archives, bootloaders, kernel images, and cryptographic + material. Covers entropy analysis for detecting encrypted or compressed regions, + recursive extraction of nested archives, SquashFS/CramFS/JFFS2 filesystem mounting, + and string analysis for credential and configuration discovery. Activates for requests + involving firmware reverse engineering, IoT device analysis, embedded system security + assessment, or router/camera firmware extraction. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - ID.RA-01 - PR.PS-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1003 +- T1110 --- # Performing Firmware Extraction with Binwalk 
diff --git a/skills/performing-firmware-malware-analysis/SKILL.md b/skills/performing-firmware-malware-analysis/SKILL.md index baec9d0e..8b591da2 100644 --- a/skills/performing-firmware-malware-analysis/SKILL.md +++ b/skills/performing-firmware-malware-analysis/SKILL.md @@ -1,9 +1,10 @@ --- name: performing-firmware-malware-analysis -description: 'Analyzes firmware images for embedded malware, backdoors, and unauthorized modifications targeting routers, - IoT devices, UEFI/BIOS, and embedded systems. Covers firmware extraction, filesystem analysis, binary reverse engineering, - and bootkit detection. Activates for requests involving firmware security analysis, IoT malware investigation, UEFI rootkit - detection, or embedded device compromise assessment. +description: 'Analyzes firmware images for embedded malware, backdoors, and unauthorized + modifications targeting routers, IoT devices, UEFI/BIOS, and embedded systems. Covers + firmware extraction, filesystem analysis, binary reverse engineering, and bootkit + detection. Activates for requests involving firmware security analysis, IoT malware + investigation, UEFI rootkit detection, or embedded device compromise assessment. ' domain: cybersecurity @@ -22,6 +23,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1055 +- T1140 +- T1497 +- T1505.003 --- # Performing Firmware Malware Analysis diff --git a/skills/performing-fuzzing-with-aflplusplus/SKILL.md b/skills/performing-fuzzing-with-aflplusplus/SKILL.md index 433f970d..c20a0de3 100644 --- a/skills/performing-fuzzing-with-aflplusplus/SKILL.md +++ b/skills/performing-fuzzing-with-aflplusplus/SKILL.md 
@@ -1,10 +1,11 @@ --- name: performing-fuzzing-with-aflplusplus -description: 'Perform coverage-guided fuzzing of compiled binaries using AFL++ (American Fuzzy Lop Plus Plus) to discover - memory corruption, crashes, and security vulnerabilities. The tester instruments target binaries with afl-cc/afl-clang-fast, - manages input corpora with afl-cmin and afl-tmin, runs parallel fuzzing campaigns with afl-fuzz, and triages crashes using - CASR or GDB scripts. Activates for requests involving binary fuzzing, crash discovery, coverage-guided testing, or AFL++ - fuzzing campaigns. +description: 'Perform coverage-guided fuzzing of compiled binaries using AFL++ (American + Fuzzy Lop Plus Plus) to discover memory corruption, crashes, and security vulnerabilities. + The tester instruments target binaries with afl-cc/afl-clang-fast, manages input + corpora with afl-cmin and afl-tmin, runs parallel fuzzing campaigns with afl-fuzz, + and triages crashes using CASR or GDB scripts. Activates for requests involving + binary fuzzing, crash discovery, coverage-guided testing, or AFL++ fuzzing campaigns. ' domain: cybersecurity @@ -32,6 +33,11 @@ nist_csf: - PR.PS-04 - ID.RA-01 - PR.DS-10 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1005 --- # Performing Fuzzing with AFL++ diff --git a/skills/performing-gcp-penetration-testing-with-gcpbucketbrute/SKILL.md b/skills/performing-gcp-penetration-testing-with-gcpbucketbrute/SKILL.md index f9e9fe5d..79cc96ae 100644 --- a/skills/performing-gcp-penetration-testing-with-gcpbucketbrute/SKILL.md +++ b/skills/performing-gcp-penetration-testing-with-gcpbucketbrute/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-gcp-penetration-testing-with-gcpbucketbrute -description: Perform GCP security testing using GCPBucketBrute for storage bucket enumeration, gcloud IAM privilege escalation - path analysis, and service account permission auditing +description: Perform GCP security testing using GCPBucketBrute for storage bucket + enumeration, gcloud IAM privilege escalation path analysis, and service account + permission auditing domain: cybersecurity subdomain: cloud-security tags: @@ -27,6 +28,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1068 --- # Performing GCP Penetration Testing with GCPBucketBrute diff --git a/skills/performing-gcp-security-assessment-with-forseti/SKILL.md b/skills/performing-gcp-security-assessment-with-forseti/SKILL.md index 387bcee4..72141ec6 100644 --- a/skills/performing-gcp-security-assessment-with-forseti/SKILL.md +++ b/skills/performing-gcp-security-assessment-with-forseti/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-gcp-security-assessment-with-forseti -description: 'Performing comprehensive security assessments of Google Cloud Platform environments using Forseti Security, - Security Command Center, and gcloud CLI to audit IAM policies, firewall rules, storage permissions, and compliance against +description: 'Performing comprehensive security assessments of Google Cloud Platform + environments using Forseti Security, Security Command Center, and gcloud CLI to + audit IAM policies, firewall rules, storage permissions, and compliance against CIS GCP Foundations Benchmark. ' @@ -32,6 +33,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 --- # Performing GCP Security Assessment with Forseti diff --git a/skills/performing-graphql-depth-limit-attack/SKILL.md b/skills/performing-graphql-depth-limit-attack/SKILL.md index 8a15e903..3dcf4697 100644 --- a/skills/performing-graphql-depth-limit-attack/SKILL.md 
+++ b/skills/performing-graphql-depth-limit-attack/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-graphql-depth-limit-attack -description: Execute and test GraphQL depth limit attacks using deeply nested recursive queries to identify denial-of-service - vulnerabilities in GraphQL APIs. +description: Execute and test GraphQL depth limit attacks using deeply nested recursive + queries to identify denial-of-service vulnerabilities in GraphQL APIs. domain: cybersecurity subdomain: api-security tags: @@ -21,6 +21,10 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 --- # Performing GraphQL Depth Limit Attack diff --git a/skills/performing-graphql-introspection-attack/SKILL.md b/skills/performing-graphql-introspection-attack/SKILL.md index bbfa3eee..a11fa7d4 100644 --- a/skills/performing-graphql-introspection-attack/SKILL.md +++ b/skills/performing-graphql-introspection-attack/SKILL.md 
@@ -1,9 +1,11 @@ --- name: performing-graphql-introspection-attack -description: 'Performs GraphQL introspection attacks to extract the full API schema including types, queries, mutations, subscriptions, - and field definitions from GraphQL endpoints. The tester uses introspection queries to map the attack surface, identifies - sensitive fields and mutations, tests for query depth and complexity limits, and exploits GraphQL-specific vulnerabilities - including batching attacks, alias-based brute force, and nested query DoS. Activates for requests involving GraphQL security +description: 'Performs GraphQL introspection attacks to extract the full API schema + including types, queries, mutations, subscriptions, and field definitions from GraphQL + endpoints. The tester uses introspection queries to map the attack surface, identifies + sensitive fields and mutations, tests for query depth and complexity limits, and + exploits GraphQL-specific vulnerabilities including batching attacks, alias-based + brute force, and nested query DoS. Activates for requests involving GraphQL security testing, introspection attack, GraphQL enumeration, or GraphQL API penetration testing. ' @@ -23,6 +25,11 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1110 --- # Performing GraphQL Introspection Attack diff --git a/skills/performing-graphql-security-assessment/SKILL.md b/skills/performing-graphql-security-assessment/SKILL.md index c4ae018c..a4854a23 100644 --- a/skills/performing-graphql-security-assessment/SKILL.md +++ b/skills/performing-graphql-security-assessment/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-graphql-security-assessment -description: Assessing GraphQL API endpoints for introspection leaks, injection attacks, authorization flaws, and denial-of-service - vulnerabilities during authorized security tests. +description: Assessing GraphQL API endpoints for introspection leaks, injection attacks, + authorization flaws, and denial-of-service vulnerabilities during authorized security + tests. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +20,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1055 --- # Performing GraphQL Security Assessment diff --git a/skills/performing-hardware-security-module-integration/SKILL.md b/skills/performing-hardware-security-module-integration/SKILL.md index fb5d369a..0595b1d3 100644 --- a/skills/performing-hardware-security-module-integration/SKILL.md +++ b/skills/performing-hardware-security-module-integration/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-hardware-security-module-integration -description: Integrate Hardware Security Modules (HSMs) using PKCS#11 interface for cryptographic key management, signing - operations, and secure key storage with python-pkcs11, AWS CloudHSM, and YubiHSM2. +description: Integrate Hardware Security Modules (HSMs) using PKCS#11 interface for + cryptographic key management, signing operations, and secure key storage with python-pkcs11, + AWS CloudHSM, and YubiHSM2. domain: cybersecurity subdomain: cryptography tags: @@ -27,6 +28,12 @@ nist_csf: - PR.DS-01 - PR.DS-02 - PR.DS-10 +mitre_attack: +- T1600 +- T1573 +- T1553 +- T1078.004 +- T1530 --- # Performing Hardware Security Module Integration diff --git a/skills/performing-hash-cracking-with-hashcat/SKILL.md b/skills/performing-hash-cracking-with-hashcat/SKILL.md index 5eaee1a6..06206579 100644 --- a/skills/performing-hash-cracking-with-hashcat/SKILL.md +++ b/skills/performing-hash-cracking-with-hashcat/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-hash-cracking-with-hashcat -description: Hash cracking is an essential skill for penetration testers and security auditors to evaluate password strength. - Hashcat is the world's fastest password recovery tool, supporting over 300 hash types w +description: Hash cracking is an essential skill for penetration testers and security + auditors to evaluate password strength. Hashcat is the world's fastest password + recovery tool, supporting over 300 hash types w domain: cybersecurity subdomain: cryptography tags: @@ -17,6 +18,10 @@ nist_csf: - PR.DS-01 - PR.DS-02 - PR.DS-10 +mitre_attack: +- T1600 +- T1573 +- T1553 --- # Performing Hash Cracking with Hashcat diff --git a/skills/performing-http-parameter-pollution-attack/SKILL.md b/skills/performing-http-parameter-pollution-attack/SKILL.md index 45bc07b6..5ca10291 100644 --- a/skills/performing-http-parameter-pollution-attack/SKILL.md +++ b/skills/performing-http-parameter-pollution-attack/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-http-parameter-pollution-attack -description: Execute HTTP Parameter Pollution attacks to bypass input validation, WAF rules, and security controls by injecting - duplicate parameters that are processed differently by front-end and back-end systems. +description: Execute HTTP Parameter Pollution attacks to bypass input validation, + WAF rules, and security controls by injecting duplicate parameters that are processed + differently by front-end and back-end systems. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1055 --- # Performing HTTP Parameter Pollution Attack diff --git a/skills/performing-ics-asset-discovery-with-claroty/SKILL.md b/skills/performing-ics-asset-discovery-with-claroty/SKILL.md index 8b61c40d..90fabb46 100644 --- a/skills/performing-ics-asset-discovery-with-claroty/SKILL.md 
+++ b/skills/performing-ics-asset-discovery-with-claroty/SKILL.md @@ -1,8 +1,9 @@ --- name: performing-ics-asset-discovery-with-claroty -description: 'Perform comprehensive ICS/OT asset discovery using Claroty xDome platform, leveraging passive monitoring, Claroty - Edge active queries, and integration ecosystem to gain full visibility into industrial control system assets including PLCs, - RTUs, HMIs, and network infrastructure across Purdue Model levels. +description: 'Perform comprehensive ICS/OT asset discovery using Claroty xDome platform, + leveraging passive monitoring, Claroty Edge active queries, and integration ecosystem + to gain full visibility into industrial control system assets including PLCs, RTUs, + HMIs, and network infrastructure across Purdue Model levels. ' domain: cybersecurity @@ -32,6 +33,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Performing ICS Asset Discovery with Claroty diff --git a/skills/performing-indicator-lifecycle-management/SKILL.md b/skills/performing-indicator-lifecycle-management/SKILL.md index e8dd3e6c..ada081fb 100644 --- a/skills/performing-indicator-lifecycle-management/SKILL.md +++ b/skills/performing-indicator-lifecycle-management/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-indicator-lifecycle-management -description: Indicator lifecycle management tracks IOCs from initial discovery through validation, enrichment, deployment, - monitoring, and eventual retirement. This skill covers implementing systematic processes f +description: Indicator lifecycle management tracks IOCs from initial discovery through + validation, enrichment, deployment, monitoring, and eventual retirement. This skill + covers implementing systematic processes f domain: cybersecurity subdomain: threat-intelligence tags: @@ -20,6 +21,11 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 --- # Performing Indicator Lifecycle Management 
diff --git a/skills/performing-initial-access-with-evilginx3/SKILL.md b/skills/performing-initial-access-with-evilginx3/SKILL.md index a3b0bca9..420cf307 100644 --- a/skills/performing-initial-access-with-evilginx3/SKILL.md +++ b/skills/performing-initial-access-with-evilginx3/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-initial-access-with-evilginx3 -description: Perform authorized initial access using EvilGinx3 adversary-in-the-middle phishing framework to capture session - tokens and bypass multi-factor authentication during red team engagements. +description: Perform authorized initial access using EvilGinx3 adversary-in-the-middle + phishing framework to capture session tokens and bypass multi-factor authentication + during red team engagements. domain: cybersecurity subdomain: red-teaming tags: @@ -25,6 +26,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1003 --- # Performing Initial Access with EvilGinx3 diff --git a/skills/performing-insider-threat-investigation/SKILL.md b/skills/performing-insider-threat-investigation/SKILL.md index e5f188c6..f57a8ae0 100644 --- a/skills/performing-insider-threat-investigation/SKILL.md +++ b/skills/performing-insider-threat-investigation/SKILL.md 
@@ -1,9 +1,11 @@ --- name: performing-insider-threat-investigation -description: 'Investigates insider threat incidents involving employees, contractors, or trusted partners who misuse authorized - access to steal data, sabotage systems, or violate security policies. Combines digital forensics, user behavior analytics, - and HR/legal coordination to build an evidence-based case. Activates for requests involving insider threat investigation, - employee data theft, privilege misuse, user behavior anomaly, or internal threat detection. +description: 'Investigates insider threat incidents involving employees, contractors, + or trusted partners who misuse authorized access to steal data, sabotage systems, + or violate security policies. Combines digital forensics, user behavior analytics, + and HR/legal coordination to build an evidence-based case. Activates for requests + involving insider threat investigation, employee data theft, privilege misuse, user + behavior anomaly, or internal threat detection. ' domain: cybersecurity @@ -15,10 +17,11 @@ tags: - privilege-misuse - DFIR mitre_attack: +- T1486 +- T1490 +- T1070 - T1078 - T1048 -- T1567 -- T1114 version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/performing-ioc-enrichment-automation/SKILL.md b/skills/performing-ioc-enrichment-automation/SKILL.md index 32303af6..5a36680f 100644 --- a/skills/performing-ioc-enrichment-automation/SKILL.md +++ b/skills/performing-ioc-enrichment-automation/SKILL.md 
@@ -1,8 +1,10 @@ --- name: performing-ioc-enrichment-automation -description: 'Automates Indicator of Compromise (IOC) enrichment by orchestrating lookups across VirusTotal, AbuseIPDB, Shodan, - MISP, and other intelligence sources to provide contextual scoring and disposition recommendations. Use when SOC analysts - need rapid multi-source enrichment of IPs, domains, URLs, and file hashes during alert triage or incident investigation. +description: 'Automates Indicator of Compromise (IOC) enrichment by orchestrating + lookups across VirusTotal, AbuseIPDB, Shodan, MISP, and other intelligence sources + to provide contextual scoring and disposition recommendations. Use when SOC analysts + need rapid multi-source enrichment of IPs, domains, URLs, and file hashes during + alert triage or incident investigation. ' domain: cybersecurity @@ -24,6 +26,11 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1685.002 +- T1685.005 +- T1566 --- # Performing IOC Enrichment Automation diff --git a/skills/performing-ios-app-security-assessment/SKILL.md b/skills/performing-ios-app-security-assessment/SKILL.md index c76d6d0c..3292bcec 100644 --- a/skills/performing-ios-app-security-assessment/SKILL.md +++ b/skills/performing-ios-app-security-assessment/SKILL.md 
@@ -1,10 +1,13 @@ --- name: performing-ios-app-security-assessment -description: 'Performs comprehensive iOS application security assessments using Frida for dynamic instrumentation, Objection - for runtime exploration, SSL pinning bypass for traffic interception, keychain extraction for credential analysis, and IPA - static analysis for binary-level review. Use when conducting authorized iOS penetration tests, evaluating mobile app security - posture against OWASP MASTG, or assessing iOS app data protection and transport security controls. Activates for requests - involving iOS app pentesting, Frida-based iOS instrumentation, mobile app SSL pinning bypass, or IPA reverse engineering. +description: 'Performs comprehensive iOS application security assessments using Frida + for dynamic instrumentation, Objection for runtime exploration, SSL pinning bypass + for traffic interception, keychain extraction for credential analysis, and IPA static + analysis for binary-level review. Use when conducting authorized iOS penetration + tests, evaluating mobile app security posture against OWASP MASTG, or assessing + iOS app data protection and transport security controls. Activates for requests + involving iOS app pentesting, Frida-based iOS instrumentation, mobile app SSL pinning + bypass, or IPA reverse engineering. ' domain: cybersecurity @@ -26,6 +29,12 @@ nist_csf: - PR.AA-05 - ID.RA-01 - DE.CM-09 +mitre_attack: +- T1059 +- T1056 +- T1036 +- T1078 +- T1003 --- # Performing iOS App Security Assessment diff --git a/skills/performing-iot-security-assessment/SKILL.md b/skills/performing-iot-security-assessment/SKILL.md index fcb5c269..a2bd9fca 100644 --- a/skills/performing-iot-security-assessment/SKILL.md +++ b/skills/performing-iot-security-assessment/SKILL.md 
@@ -1,9 +1,11 @@ --- name: performing-iot-security-assessment -description: 'Performs comprehensive security assessments of IoT devices and their ecosystems by testing hardware interfaces, - firmware, network communications, cloud APIs, and companion mobile applications. The tester uses firmware extraction and - analysis, hardware debugging via UART and JTAG, network protocol analysis, and runtime exploitation to identify vulnerabilities - across all layers of the IoT stack. Activates for requests involving IoT security testing, embedded device assessment, firmware +description: 'Performs comprehensive security assessments of IoT devices and their + ecosystems by testing hardware interfaces, firmware, network communications, cloud + APIs, and companion mobile applications. The tester uses firmware extraction and + analysis, hardware debugging via UART and JTAG, network protocol analysis, and runtime + exploitation to identify vulnerabilities across all layers of the IoT stack. Activates + for requests involving IoT security testing, embedded device assessment, firmware security analysis, or smart device penetration testing. ' @@ -23,6 +25,12 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1078.004 --- # Performing IoT Security Assessment diff --git a/skills/performing-ip-reputation-analysis-with-shodan/SKILL.md b/skills/performing-ip-reputation-analysis-with-shodan/SKILL.md index 587a6005..31f81d9f 100644 --- a/skills/performing-ip-reputation-analysis-with-shodan/SKILL.md +++ b/skills/performing-ip-reputation-analysis-with-shodan/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-ip-reputation-analysis-with-shodan -description: Analyze IP address reputation using the Shodan API to identify open ports, running services, known vulnerabilities, - and hosting context for threat intelligence enrichment and incident triage. +description: Analyze IP address reputation using the Shodan API to identify open ports, + running services, known vulnerabilities, and hosting context for threat intelligence + enrichment and incident triage. domain: cybersecurity subdomain: threat-intelligence tags: @@ -21,6 +22,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 +- T1595 --- # Performing IP Reputation Analysis with Shodan diff --git a/skills/performing-jwt-none-algorithm-attack/SKILL.md b/skills/performing-jwt-none-algorithm-attack/SKILL.md index f57ba279..bc7dec33 100644 --- a/skills/performing-jwt-none-algorithm-attack/SKILL.md +++ b/skills/performing-jwt-none-algorithm-attack/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-jwt-none-algorithm-attack -description: Execute and test the JWT none algorithm attack to bypass signature verification by manipulating the alg header - field in JSON Web Tokens. +description: Execute and test the JWT none algorithm attack to bypass signature verification + by manipulating the alg header field in JSON Web Tokens. domain: cybersecurity subdomain: api-security tags: @@ -21,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1027 +- T1070 --- # Performing JWT None Algorithm Attack diff --git a/skills/performing-kerberoasting-attack/SKILL.md b/skills/performing-kerberoasting-attack/SKILL.md index c9b6c666..33b6e0bc 100644 --- a/skills/performing-kerberoasting-attack/SKILL.md +++ b/skills/performing-kerberoasting-attack/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-kerberoasting-attack -description: Kerberoasting is a post-exploitation technique that targets service accounts in Active Directory by requesting - Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names +description: Kerberoasting is a post-exploitation technique that targets service accounts + in Active Directory by requesting Kerberos TGS (Ticket Granting Service) tickets + for accounts with Service Principal Names domain: cybersecurity subdomain: red-teaming tags: @@ -26,6 +27,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1003 --- # Performing Kerberoasting Attack diff --git a/skills/performing-kubernetes-cis-benchmark-with-kube-bench/SKILL.md b/skills/performing-kubernetes-cis-benchmark-with-kube-bench/SKILL.md index 1465522e..b7eb791b 100644 --- a/skills/performing-kubernetes-cis-benchmark-with-kube-bench/SKILL.md +++ b/skills/performing-kubernetes-cis-benchmark-with-kube-bench/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-kubernetes-cis-benchmark-with-kube-bench -description: Audit Kubernetes cluster security posture against CIS benchmarks using kube-bench with automated checks for control - plane, worker nodes, and RBAC. +description: Audit Kubernetes cluster security posture against CIS benchmarks using + kube-bench with automated checks for control plane, worker nodes, and RBAC. domain: cybersecurity subdomain: container-security tags: @@ -19,6 +19,11 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 --- # Performing Kubernetes CIS Benchmark with kube-bench diff --git a/skills/performing-kubernetes-etcd-security-assessment/SKILL.md b/skills/performing-kubernetes-etcd-security-assessment/SKILL.md index f68845bf..44b50d19 100644 --- a/skills/performing-kubernetes-etcd-security-assessment/SKILL.md +++ b/skills/performing-kubernetes-etcd-security-assessment/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-kubernetes-etcd-security-assessment -description: Assess the security posture of Kubernetes etcd clusters by evaluating encryption at rest, TLS configuration, - access controls, backup encryption, and network isolation. +description: Assess the security posture of Kubernetes etcd clusters by evaluating + encryption at rest, TLS configuration, access controls, backup encryption, and network + isolation. domain: cybersecurity subdomain: container-security tags: @@ -21,6 +22,12 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 +- T1573 --- # Performing Kubernetes etcd Security Assessment diff --git a/skills/performing-kubernetes-penetration-testing/SKILL.md b/skills/performing-kubernetes-penetration-testing/SKILL.md index a9c95172..69c21f9b 100644 --- a/skills/performing-kubernetes-penetration-testing/SKILL.md +++ b/skills/performing-kubernetes-penetration-testing/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-kubernetes-penetration-testing -description: Kubernetes penetration testing systematically evaluates cluster security by simulating attacker techniques against - the API server, kubelet, etcd, pods, RBAC, network policies, and secrets. Using tools +description: Kubernetes penetration testing systematically evaluates cluster security + by simulating attacker techniques against the API server, kubelet, etcd, pods, RBAC, + network policies, and secrets. Using tools domain: cybersecurity subdomain: container-security tags: @@ -18,6 +19,11 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 --- # Performing Kubernetes Penetration Testing diff --git a/skills/performing-lateral-movement-detection/SKILL.md b/skills/performing-lateral-movement-detection/SKILL.md index 3386bb54..3a82bc16 100644 --- a/skills/performing-lateral-movement-detection/SKILL.md +++ b/skills/performing-lateral-movement-detection/SKILL.md 
@@ -1,8 +1,9 @@ --- name: performing-lateral-movement-detection -description: 'Detects lateral movement techniques including Pass-the-Hash, PsExec, WMI execution, RDP pivoting, and SMB-based - spreading using SIEM correlation of Windows event logs, network flow data, and endpoint telemetry mapped to MITRE ATT&CK - Lateral Movement (TA0008) techniques. +description: 'Detects lateral movement techniques including Pass-the-Hash, PsExec, + WMI execution, RDP pivoting, and SMB-based spreading using SIEM correlation of Windows + event logs, network flow data, and endpoint telemetry mapped to MITRE ATT&CK Lateral + Movement (TA0008) techniques. ' domain: cybersecurity @@ -31,6 +32,12 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1685.002 +- T1685.005 +- T1566 +- T1021 --- # Performing Lateral Movement Detection diff --git a/skills/performing-lateral-movement-with-wmiexec/SKILL.md b/skills/performing-lateral-movement-with-wmiexec/SKILL.md index 584b9bb1..41384739 100644 --- a/skills/performing-lateral-movement-with-wmiexec/SKILL.md +++ b/skills/performing-lateral-movement-with-wmiexec/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-lateral-movement-with-wmiexec -description: Perform lateral movement across Windows networks using WMI-based remote execution techniques including Impacket - wmiexec.py, CrackMapExec, and native WMI commands for stealthy post-exploitation during red team engagements. +description: Perform lateral movement across Windows networks using WMI-based remote + execution techniques including Impacket wmiexec.py, CrackMapExec, and native WMI + commands for stealthy post-exploitation during red team engagements. domain: cybersecurity subdomain: red-teaming tags: @@ -25,6 +26,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1021 --- # Performing Lateral Movement with WMIExec 
diff --git a/skills/performing-linux-log-forensics-investigation/SKILL.md b/skills/performing-linux-log-forensics-investigation/SKILL.md index 811ae991..57035f1c 100644 --- a/skills/performing-linux-log-forensics-investigation/SKILL.md +++ b/skills/performing-linux-log-forensics-investigation/SKILL.md @@ -1,8 +1,8 @@ --- name: performing-linux-log-forensics-investigation -description: Perform forensic investigation of Linux system logs including syslog, auth.log, systemd journal, kern.log, and - application logs to reconstruct user activity, detect unauthorized access, and establish event timelines on compromised - Linux systems. +description: Perform forensic investigation of Linux system logs including syslog, + auth.log, systemd journal, kern.log, and application logs to reconstruct user activity, + detect unauthorized access, and establish event timelines on compromised Linux systems. domain: cybersecurity subdomain: digital-forensics tags: @@ -24,6 +24,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1059 --- # Performing Linux Log Forensics Investigation diff --git a/skills/performing-log-analysis-for-forensic-investigation/SKILL.md b/skills/performing-log-analysis-for-forensic-investigation/SKILL.md index d94602e9..dc22f1c7 100644 --- a/skills/performing-log-analysis-for-forensic-investigation/SKILL.md +++ b/skills/performing-log-analysis-for-forensic-investigation/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-log-analysis-for-forensic-investigation -description: Collect, parse, and correlate system, application, and security logs to reconstruct events and establish timelines - during forensic investigations. +description: Collect, parse, and correlate system, application, and security logs + to reconstruct events and establish timelines during forensic investigations. domain: cybersecurity subdomain: digital-forensics tags: 
@@ -19,6 +19,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1685.002 --- # Performing Log Analysis for Forensic Investigation diff --git a/skills/performing-log-source-onboarding-in-siem/SKILL.md b/skills/performing-log-source-onboarding-in-siem/SKILL.md index 47531b09..2dc4eb0a 100644 --- a/skills/performing-log-source-onboarding-in-siem/SKILL.md +++ b/skills/performing-log-source-onboarding-in-siem/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-log-source-onboarding-in-siem -description: Perform structured log source onboarding into SIEM platforms by configuring collectors, parsers, normalization, - and validation for complete security visibility. +description: Perform structured log source onboarding into SIEM platforms by configuring + collectors, parsers, normalization, and validation for complete security visibility. domain: cybersecurity subdomain: soc-operations tags: @@ -20,6 +20,11 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1685.002 +- T1685.005 +- T1566 --- # Performing Log Source Onboarding in SIEM diff --git a/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md b/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md index 3fac455b..25e1ddc3 100644 --- a/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md +++ b/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-malware-hash-enrichment-with-virustotal -description: Enrich malware file hashes using the VirusTotal API to retrieve detection rates, behavioral analysis, YARA matches, - and contextual threat intelligence for incident triage and IOC validation. +description: Enrich malware file hashes using the VirusTotal API to retrieve detection + rates, behavioral analysis, YARA matches, and contextual threat intelligence for + incident triage and IOC validation. domain: cybersecurity subdomain: threat-intelligence tags: 
@@ -21,6 +22,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 +- T1027 --- # Performing Malware Hash Enrichment with VirusTotal diff --git a/skills/performing-malware-ioc-extraction/SKILL.md b/skills/performing-malware-ioc-extraction/SKILL.md index 8c3c7576..43d274ea 100644 --- a/skills/performing-malware-ioc-extraction/SKILL.md +++ b/skills/performing-malware-ioc-extraction/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-malware-ioc-extraction -description: Malware IOC extraction is the process of analyzing malicious software to identify actionable indicators of compromise - including file hashes, network indicators (C2 domains, IP addresses, URLs), regist +description: Malware IOC extraction is the process of analyzing malicious software + to identify actionable indicators of compromise including file hashes, network indicators + (C2 domains, IP addresses, URLs), regist domain: cybersecurity subdomain: threat-intelligence tags: @@ -21,6 +22,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 +- T1071 --- # Performing Malware IOC Extraction diff --git a/skills/performing-malware-persistence-investigation/SKILL.md b/skills/performing-malware-persistence-investigation/SKILL.md index b2f580c6..5efe3ccf 100644 --- a/skills/performing-malware-persistence-investigation/SKILL.md +++ b/skills/performing-malware-persistence-investigation/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-malware-persistence-investigation -description: Systematically investigate all persistence mechanisms on Windows and Linux systems to identify how malware survives - reboots and maintains access. +description: Systematically investigate all persistence mechanisms on Windows and + Linux systems to identify how malware survives reboots and maintains access. domain: cybersecurity subdomain: digital-forensics tags: 
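Review bot: T1591, T1592, T1593 and T1589 are adversary reconnaissance of a victim (organisation, host, open websites, identity); they do not describe hash enrichment, and the same four IDs reappear verbatim on performing-malware-ioc-extraction on this line, so this looks like a threat-intelligence subdomain default rather than a per-skill mapping. Keep T1027 and T1071, and consider T1588.001 (Obtain Capabilities: Malware) for the VirusTotal skill. The reflow also carries over the truncated description `(C2 domains, IP addresses, URLs), regist` unchanged; since this commit rewrites that field anyway, the cut-off text should be restored or the truncation tracked separately.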
@@ -13,11 +13,11 @@ tags: - rootkit-detection - incident-response mitre_attack: -- T1547.001 -- T1053.005 -- T1543.003 -- T1546.003 -- T1574 +- T1005 +- T1074 +- T1119 +- T1070 +- T1547 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/performing-malware-triage-with-yara/SKILL.md b/skills/performing-malware-triage-with-yara/SKILL.md index 1ddde8fe..9ca12d98 100644 --- a/skills/performing-malware-triage-with-yara/SKILL.md +++ b/skills/performing-malware-triage-with-yara/SKILL.md @@ -1,9 +1,11 @@ --- name: performing-malware-triage-with-yara -description: 'Performs rapid malware triage and classification using YARA rules to match file patterns, strings, byte sequences, - and structural characteristics against known malware families and suspicious indicators. Covers rule writing, scanning, - and integration with analysis pipelines. Activates for requests involving YARA rule creation, malware classification, pattern - matching, sample triage, or signature-based detection. +description: 'Performs rapid malware triage and classification using YARA rules to + match file patterns, strings, byte sequences, and structural characteristics against + known malware families and suspicious indicators. Covers rule writing, scanning, + and integration with analysis pipelines. Activates for requests involving YARA rule + creation, malware classification, pattern matching, sample triage, or signature-based + detection. ' domain: cybersecurity @@ -22,6 +24,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1055 +- T1140 +- T1497 +- T0816 --- # Performing Malware Triage with YARA diff --git a/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md b/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md index 8152bd78..cdee1406 100644 --- a/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md +++ b/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md 
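Review bot: this hunk replaces five accurate persistence sub-techniques (T1547.001, T1053.005, T1543.003, T1546.003, T1574) with the same T1005/T1074/T1119/T1070 collection set used on the other forensics skills plus the bare T1547 parent, a net loss of precision for a skill whose entire subject is persistence. Unless those sub-technique IDs were revoked in the release being validated against, the removal should be reverted, with T1547 kept only if the body covers more than Run keys. In the YARA hunk on the same line, T0816 (ICS: Device Restart/Shutdown) has no connection to file-pattern triage and reads as a stray ID.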
@@ -1,7 +1,8 @@ --- name: performing-memory-forensics-with-volatility3-plugins -description: Analyze memory dumps using Volatility3 plugins to detect injected code, rootkits, credential theft, and malware - artifacts in Windows, Linux, and macOS memory images. +description: Analyze memory dumps using Volatility3 plugins to detect injected code, + rootkits, credential theft, and malware artifacts in Windows, Linux, and macOS memory + images. domain: cybersecurity subdomain: malware-analysis tags: @@ -26,6 +27,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1055 +- T1140 +- T1497 +- T1003 --- # Performing Memory Forensics with Volatility3 Plugins diff --git a/skills/performing-memory-forensics-with-volatility3/SKILL.md b/skills/performing-memory-forensics-with-volatility3/SKILL.md index 385ff0e4..1b0be53b 100644 --- a/skills/performing-memory-forensics-with-volatility3/SKILL.md +++ b/skills/performing-memory-forensics-with-volatility3/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-memory-forensics-with-volatility3 -description: Analyze volatile memory dumps using Volatility 3 to extract running processes, network connections, loaded modules, - and evidence of malicious activity. +description: Analyze volatile memory dumps using Volatility 3 to extract running processes, + network connections, loaded modules, and evidence of malicious activity. domain: cybersecurity subdomain: digital-forensics tags: @@ -19,6 +19,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1059 --- # Performing Memory Forensics with Volatility 3 diff --git a/skills/performing-mobile-app-certificate-pinning-bypass/SKILL.md b/skills/performing-mobile-app-certificate-pinning-bypass/SKILL.md index b8574f9b..f390cc5c 100644 --- a/skills/performing-mobile-app-certificate-pinning-bypass/SKILL.md +++ b/skills/performing-mobile-app-certificate-pinning-bypass/SKILL.md 
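Review bot: the two Volatility 3 skills receive different template sets (T1027/T1055/T1140/T1497/T1003 for the malware-analysis one, T1005/T1074/T1119/T1070/T1059 for the digital-forensics one) even though their descriptions cover the same evidence: injected code, rootkits, credential theft. Map both to the behaviours memory forensics detects (T1055, T1003, T1014 Rootkit) and drop the collection IDs from the digital-forensics variant; the `subdomain` field should not decide the ATT&CK mapping.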
@@ -1,9 +1,11 @@ --- name: performing-mobile-app-certificate-pinning-bypass -description: 'Bypasses SSL/TLS certificate pinning implementations in Android and iOS applications to enable traffic interception - during authorized security assessments. Covers OkHttp, TrustManager, NSURLSession, and third-party pinning library bypass - techniques using Frida, Objection, and custom scripts. Activates for requests involving certificate pinning bypass, SSL - pinning defeat, mobile TLS interception, or proxy-resistant app testing. +description: 'Bypasses SSL/TLS certificate pinning implementations in Android and + iOS applications to enable traffic interception during authorized security assessments. + Covers OkHttp, TrustManager, NSURLSession, and third-party pinning library bypass + techniques using Frida, Objection, and custom scripts. Activates for requests involving + certificate pinning bypass, SSL pinning defeat, mobile TLS interception, or proxy-resistant + app testing. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - PR.AA-05 - ID.RA-01 - DE.CM-09 +mitre_attack: +- T1059 +- T1056 +- T1036 +- T1078 +- T1027 --- # Performing Mobile App Certificate Pinning Bypass diff --git a/skills/performing-mobile-device-forensics-with-cellebrite/SKILL.md b/skills/performing-mobile-device-forensics-with-cellebrite/SKILL.md index 8812125f..db969936 100644 --- a/skills/performing-mobile-device-forensics-with-cellebrite/SKILL.md +++ b/skills/performing-mobile-device-forensics-with-cellebrite/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-mobile-device-forensics-with-cellebrite -description: Acquire and analyze mobile device data using Cellebrite UFED and open-source tools to extract communications, - location data, and application artifacts. +description: Acquire and analyze mobile device data using Cellebrite UFED and open-source + tools to extract communications, location data, and application artifacts. domain: cybersecurity subdomain: digital-forensics tags: 
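Review bot: none of T1059, T1056, T1036, T1078 or T1027 describes certificate-pinning bypass; the behaviour being exercised is adversary-in-the-middle interception of TLS, which is T1557 in Enterprise and the Adversary-in-the-Middle technique of the Mobile matrix, the natural mapping for an Android/iOS skill. T1056 (Input Capture) and T1078 (Valid Accounts) should be removed.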
@@ -19,6 +19,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1059 --- # Performing Mobile Device Forensics with Cellebrite diff --git a/skills/performing-network-forensics-with-wireshark/SKILL.md b/skills/performing-network-forensics-with-wireshark/SKILL.md index e8d4f302..25a4ab1a 100644 --- a/skills/performing-network-forensics-with-wireshark/SKILL.md +++ b/skills/performing-network-forensics-with-wireshark/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-network-forensics-with-wireshark -description: Capture and analyze network traffic using Wireshark and tshark to reconstruct network events, extract artifacts, - and identify malicious communications. +description: Capture and analyze network traffic using Wireshark and tshark to reconstruct + network events, extract artifacts, and identify malicious communications. domain: cybersecurity subdomain: digital-forensics tags: @@ -19,6 +19,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1059 --- # Performing Network Forensics with Wireshark diff --git a/skills/performing-network-packet-capture-analysis/SKILL.md b/skills/performing-network-packet-capture-analysis/SKILL.md index 9d1b652c..68bf475b 100644 --- a/skills/performing-network-packet-capture-analysis/SKILL.md +++ b/skills/performing-network-packet-capture-analysis/SKILL.md 
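Review bot: performing-mobile-device-forensics-with-cellebrite and performing-network-forensics-with-wireshark get the identical T1005/T1074/T1119/T1070/T1059 list although one extracts artifacts from handsets and the other reconstructs events from packets. T1059 (Command and Scripting Interpreter) fits neither; the Wireshark skill should carry network techniques (T1071, T1048, T1040) like the sibling tshark skill, and the mobile-forensics skill should draw on the Mobile matrix rather than Enterprise collection IDs.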
@@ -1,8 +1,9 @@ --- name: performing-network-packet-capture-analysis -description: Perform forensic analysis of network packet captures (PCAP/PCAPNG) using Wireshark, tshark, and tcpdump to reconstruct - network communications, extract transferred files, identify malicious traffic, and establish evidence of data exfiltration - or command-and-control activity. +description: Perform forensic analysis of network packet captures (PCAP/PCAPNG) using + Wireshark, tshark, and tcpdump to reconstruct network communications, extract transferred + files, identify malicious traffic, and establish evidence of data exfiltration or + command-and-control activity. domain: cybersecurity subdomain: digital-forensics tags: @@ -24,6 +25,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1048 --- # Performing Network Packet Capture Analysis diff --git a/skills/performing-network-traffic-analysis-with-tshark/SKILL.md b/skills/performing-network-traffic-analysis-with-tshark/SKILL.md index 67ce616e..1579f9df 100644 --- a/skills/performing-network-traffic-analysis-with-tshark/SKILL.md +++ b/skills/performing-network-traffic-analysis-with-tshark/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-network-traffic-analysis-with-tshark -description: Automate network traffic analysis using tshark and pyshark for protocol statistics, suspicious flow detection, - DNS anomaly identification, and IOC extraction from PCAP files +description: Automate network traffic analysis using tshark and pyshark for protocol + statistics, suspicious flow detection, DNS anomaly identification, and IOC extraction + from PCAP files domain: cybersecurity subdomain: network-security tags: @@ -20,6 +21,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1005 --- # Performing Network Traffic Analysis with TShark 
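Review bot: T1005/T1074/T1119 (local-system collection, staging, automated collection) are not behaviours a PCAP analyst reconstructs; T1048 and T1071 are. Map performing-network-packet-capture-analysis to the network set used for the tshark skill in the next hunk (T1071, T1048, T1040), keeping T1070 only if the body discusses capture tampering. In the tshark hunk, T1046 (Network Service Discovery) is attacker port scanning; it fits only if the skill covers detecting scans under its "suspicious flow detection", which the description does not say.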
diff --git a/skills/performing-network-traffic-analysis-with-zeek/SKILL.md b/skills/performing-network-traffic-analysis-with-zeek/SKILL.md index cde26865..51ac7aa8 100644 --- a/skills/performing-network-traffic-analysis-with-zeek/SKILL.md +++ b/skills/performing-network-traffic-analysis-with-zeek/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-network-traffic-analysis-with-zeek -description: Deploy Zeek network security monitor to capture, parse, and analyze network traffic metadata for threat detection, - anomaly identification, and forensic investigation. +description: Deploy Zeek network security monitor to capture, parse, and analyze network + traffic metadata for threat detection, anomaly identification, and forensic investigation. domain: cybersecurity subdomain: network-security tags: @@ -22,6 +22,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1685.002 --- # Performing Network Traffic Analysis with Zeek diff --git a/skills/performing-nist-csf-maturity-assessment/SKILL.md b/skills/performing-nist-csf-maturity-assessment/SKILL.md index e782ce17..4b52f9e6 100644 --- a/skills/performing-nist-csf-maturity-assessment/SKILL.md +++ b/skills/performing-nist-csf-maturity-assessment/SKILL.md 
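Review bot: T1046 and T1040 describe attacker-side discovery and sniffing, but a Zeek deployment is itself the sensor, so the useful mapping is what its logs detect: T1071 (application-layer C2 in conn/http/dns logs), T1048 (exfiltration over alternative protocols) and T1557. T1685.002 recurs here and on three unrelated skills in this patch (log analysis, SIEM onboarding, NIST CSF maturity) with no technique name given; it should not be used as generic filler.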
@@ -1,18 +1,32 @@ --- name: performing-nist-csf-maturity-assessment -description: >- - The NIST Cybersecurity Framework (CSF) 2.0, released in February 2024, provides a - comprehensive taxonomy for managing cybersecurity risk through six core Functions - - Govern, Identify, Protect, Detect, Respond, and Recover. This skill covers conducting - a maturity assessment against the CSF using Implementation Tiers to measure organizational - cybersecurity posture and create improvement roadmaps. +description: The NIST Cybersecurity Framework (CSF) 2.0, released in February 2024, + provides a comprehensive taxonomy for managing cybersecurity risk through six core + Functions - Govern, Identify, Protect, Detect, Respond, and Recover. This skill + covers conducting a maturity assessment against the CSF using Implementation Tiers + to measure organizational cybersecurity posture and create improvement roadmaps. domain: cybersecurity subdomain: compliance-governance -tags: [compliance, governance, nist, csf, maturity-assessment, risk-management] -nist_csf: [GV.OC-01, GV.RM-01, GV.PO-01, ID.RA-01, GV.OV-01] -version: "1.0" +tags: +- compliance +- governance +- nist +- csf +- maturity-assessment +- risk-management +nist_csf: +- GV.OC-01 +- GV.RM-01 +- GV.PO-01 +- ID.RA-01 +- GV.OV-01 +version: '1.0' author: mahipal license: Apache-2.0 +mitre_attack: +- T1078 +- T1530 +- T1685.002 --- # Performing NIST CSF Maturity Assessment diff --git a/skills/performing-oauth-scope-minimization-review/SKILL.md b/skills/performing-oauth-scope-minimization-review/SKILL.md index 72331274..fcdd7707 100644 --- a/skills/performing-oauth-scope-minimization-review/SKILL.md +++ b/skills/performing-oauth-scope-minimization-review/SKILL.md 
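Review bot: a NIST CSF maturity assessment is a governance activity with no adversary behaviour in it, and T1530 (Data from Cloud Storage) in particular has nothing to do with Implementation Tiers; forcing an ATT&CK list onto every skill is what produces mappings like this. Either allow `mitre_attack: []` for compliance-governance skills or justify each ID in the body. The rest of the hunk (flow-style `tags: [...]`/`nist_csf: [...]` and the `>-` description rewritten as block lists and a plain multi-line scalar) is semantically equivalent YAML and fine.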
@@ -1,9 +1,10 @@ --- name: performing-oauth-scope-minimization-review -description: 'Performs OAuth 2.0 scope minimization review to identify over-permissioned third-party application integrations, - excessive API scopes, unused token grants, and risky OAuth consent patterns across identity providers and SaaS platforms. - Activates for requests involving OAuth scope audit, API permission review, third-party app risk assessment, or consent grant - minimization. +description: 'Performs OAuth 2.0 scope minimization review to identify over-permissioned + third-party application integrations, excessive API scopes, unused token grants, + and risky OAuth consent patterns across identity providers and SaaS platforms. Activates + for requests involving OAuth scope audit, API permission review, third-party app + risk assessment, or consent grant minimization. ' domain: cybersecurity @@ -23,6 +24,11 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 --- # Performing OAuth Scope Minimization Review diff --git a/skills/performing-oil-gas-cybersecurity-assessment/SKILL.md b/skills/performing-oil-gas-cybersecurity-assessment/SKILL.md index 90986783..7722664d 100644 --- a/skills/performing-oil-gas-cybersecurity-assessment/SKILL.md +++ b/skills/performing-oil-gas-cybersecurity-assessment/SKILL.md 
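Review bot: T1110 (Brute Force) has no link to OAuth scope review; the techniques over-permissioned consent grants enable are T1528 (Steal Application Access Token), T1550.001 (Use Alternate Authentication Material: Application Access Token) and T1098 (Account Manipulation, already listed). Replace T1110 with T1528 and T1550.001, and keep T1556 only if the body covers tampering with the consent or authentication flow itself.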
@@ -1,10 +1,12 @@ --- name: performing-oil-gas-cybersecurity-assessment -description: 'This skill covers conducting cybersecurity assessments specific to oil and gas facilities including upstream - (exploration/production), midstream (pipeline/transport), and downstream (refining/distribution) operations. It addresses - SCADA systems controlling pipeline operations, DCS for refinery process control, safety instrumented systems for hazardous - processes, remote terminal units at unmanned wellhead sites, and compliance with API 1164, TSA Pipeline Security Directives, - IEC 62443, and NIST Cybersecurity Framework for critical infrastructure. +description: 'This skill covers conducting cybersecurity assessments specific to oil + and gas facilities including upstream (exploration/production), midstream (pipeline/transport), + and downstream (refining/distribution) operations. It addresses SCADA systems controlling + pipeline operations, DCS for refinery process control, safety instrumented systems + for hazardous processes, remote terminal units at unmanned wellhead sites, and compliance + with API 1164, TSA Pipeline Security Directives, IEC 62443, and NIST Cybersecurity + Framework for critical infrastructure. ' domain: cybersecurity @@ -26,6 +28,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Performing Oil & Gas Cybersecurity Assessment diff --git a/skills/performing-open-source-intelligence-gathering/SKILL.md b/skills/performing-open-source-intelligence-gathering/SKILL.md index 84444525..1013a715 100644 --- a/skills/performing-open-source-intelligence-gathering/SKILL.md +++ b/skills/performing-open-source-intelligence-gathering/SKILL.md 
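Review bot: T0816 (Device Restart/Shutdown) and T0836 (Modify Parameter) are ICS impact techniques, a thin mapping for an assessment skill whose description covers SCADA, DCS, SIS and remote wellhead RTUs. Add the ICS initial-access and execution techniques such an assessment actually looks for: T0883 (Internet Accessible Device), T0886 (Remote Services), T0812 (Default Credentials) and T0855 (Unauthorized Command Message). The same five IDs are copied onto the other three OT assessment skills in this patch, so the list needs differentiating per skill.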
@@ -1,7 +1,8 @@ --- name: performing-open-source-intelligence-gathering -description: Open Source Intelligence (OSINT) gathering is the first active phase of a red team engagement, where operators - collect publicly available information about the target organization to identify attack s +description: Open Source Intelligence (OSINT) gathering is the first active phase + of a red team engagement, where operators collect publicly available information + about the target organization to identify attack s domain: cybersecurity subdomain: red-teaming tags: @@ -19,6 +20,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1592 --- # Performing Open Source Intelligence Gathering diff --git a/skills/performing-osint-with-spiderfoot/SKILL.md b/skills/performing-osint-with-spiderfoot/SKILL.md index 6083f94c..23b0b8ea 100644 --- a/skills/performing-osint-with-spiderfoot/SKILL.md +++ b/skills/performing-osint-with-spiderfoot/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-osint-with-spiderfoot -description: Automate OSINT collection using SpiderFoot REST API and CLI for target profiling, module-based reconnaissance, - and structured result analysis across 200+ data sources +description: Automate OSINT collection using SpiderFoot REST API and CLI for target + profiling, module-based reconnaissance, and structured result analysis across 200+ + data sources domain: cybersecurity subdomain: threat-intelligence tags: @@ -19,6 +20,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 +- T1595 --- # Performing OSINT with SpiderFoot diff --git a/skills/performing-ot-network-security-assessment/SKILL.md b/skills/performing-ot-network-security-assessment/SKILL.md index 935957d5..e22d6539 100644 --- a/skills/performing-ot-network-security-assessment/SKILL.md +++ b/skills/performing-ot-network-security-assessment/SKILL.md 
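Review bot: T1595 (Active Scanning), T1190, T1059 and T1078 contradict the description of performing-open-source-intelligence-gathering, which is passive collection of public information; the fitting IDs are T1589, T1591, T1592, T1593 and T1596 (Search Open Technical Databases), essentially the list given to the SpiderFoot skill later on this line minus T1595. The reflowed description still ends mid-word (`to identify attack s`); that truncation is worth fixing while the field is being rewritten.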
@@ -1,10 +1,11 @@ --- name: performing-ot-network-security-assessment -description: 'This skill covers conducting comprehensive security assessments of Operational Technology (OT) networks including - SCADA systems, DCS architectures, and industrial control system communication paths. It addresses the Purdue Reference Model - layers, identifies IT/OT convergence risks, evaluates firewall rules between zones, and maps industrial protocol traffic - (Modbus, DNP3, OPC UA, EtherNet/IP) to detect misconfigurations, unauthorized connections, and attack surfaces in critical - infrastructure. +description: 'This skill covers conducting comprehensive security assessments of Operational + Technology (OT) networks including SCADA systems, DCS architectures, and industrial + control system communication paths. It addresses the Purdue Reference Model layers, + identifies IT/OT convergence risks, evaluates firewall rules between zones, and + maps industrial protocol traffic (Modbus, DNP3, OPC UA, EtherNet/IP) to detect misconfigurations, + unauthorized connections, and attack surfaces in critical infrastructure. ' domain: cybersecurity @@ -24,6 +25,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Performing OT Network Security Assessment diff --git a/skills/performing-ot-vulnerability-assessment-with-claroty/SKILL.md b/skills/performing-ot-vulnerability-assessment-with-claroty/SKILL.md index 9c4e55da..8cda0591 100644 --- a/skills/performing-ot-vulnerability-assessment-with-claroty/SKILL.md +++ b/skills/performing-ot-vulnerability-assessment-with-claroty/SKILL.md 
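Review bot: same five IDs as the oil and gas skill, but this description is about Purdue layers, zone firewall rules and Modbus/DNP3/OPC UA/EtherNet-IP traffic mapping, so the discovery and lateral-movement side of ATT&CK for ICS is the better fit: T0846 (Remote System Discovery), T0888 (Remote System Information Discovery) and T0886 (Remote Services). T0836 (Modify Parameter) belongs on a skill that covers process manipulation, not on a network-path assessment.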
@@ -1,9 +1,11 @@ --- name: performing-ot-vulnerability-assessment-with-claroty -description: 'This skill covers performing vulnerability assessments in OT environments using the Claroty xDome platform for - comprehensive asset discovery, risk scoring, vulnerability correlation, and remediation prioritization. It addresses passive - vulnerability identification through traffic analysis, active safe querying of OT devices, integration with CVE databases - and ICS-CERT advisories, and risk-based prioritization that accounts for operational impact and compensating controls. +description: 'This skill covers performing vulnerability assessments in OT environments + using the Claroty xDome platform for comprehensive asset discovery, risk scoring, + vulnerability correlation, and remediation prioritization. It addresses passive + vulnerability identification through traffic analysis, active safe querying of OT + devices, integration with CVE databases and ICS-CERT advisories, and risk-based + prioritization that accounts for operational impact and compensating controls. ' domain: cybersecurity @@ -24,6 +26,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Performing OT Vulnerability Assessment with Claroty diff --git a/skills/performing-ot-vulnerability-scanning-safely/SKILL.md b/skills/performing-ot-vulnerability-scanning-safely/SKILL.md index 7a8a3a49..3eb81910 100644 --- a/skills/performing-ot-vulnerability-scanning-safely/SKILL.md +++ b/skills/performing-ot-vulnerability-scanning-safely/SKILL.md 
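Review bot: the Claroty hunk describes passive traffic-based identification and safe active querying, the defender-side counterpart of T0846/T0888 (remote system discovery) and T1046 (Network Service Discovery); the sibling performing-ot-vulnerability-scanning-safely skill in the next hunk already carries T1046, so the two OT vulnerability-assessment skills should agree rather than one inheriting the generic T0816/T0836 pair.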
@@ -1,8 +1,9 @@ --- name: performing-ot-vulnerability-scanning-safely -description: 'Perform vulnerability scanning in OT/ICS environments safely using passive monitoring, native protocol queries, - and carefully controlled active scanning with Tenable OT Security to identify vulnerabilities without disrupting industrial - processes or crashing legacy controllers. +description: 'Perform vulnerability scanning in OT/ICS environments safely using passive + monitoring, native protocol queries, and carefully controlled active scanning with + Tenable OT Security to identify vulnerabilities without disrupting industrial processes + or crashing legacy controllers. ' domain: cybersecurity @@ -24,6 +25,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1046 +- T0816 --- # Performing OT Vulnerability Scanning Safely diff --git a/skills/performing-packet-injection-attack/SKILL.md b/skills/performing-packet-injection-attack/SKILL.md index 342ea0cc..735d3597 100644 --- a/skills/performing-packet-injection-attack/SKILL.md +++ b/skills/performing-packet-injection-attack/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-packet-injection-attack -description: 'Crafts and injects custom network packets using Scapy, hping3, and Nemesis during authorized security assessments - to test firewall rules, IDS detection, protocol handling, and network stack resilience against malformed and spoofed traffic. +description: 'Crafts and injects custom network packets using Scapy, hping3, and Nemesis + during authorized security assessments to test firewall rules, IDS detection, protocol + handling, and network stack resilience against malformed and spoofed traffic. ' domain: cybersecurity @@ -20,6 +21,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1055 --- # Performing Packet Injection Attack 
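Review bot: T1055 (Process Injection) on performing-packet-injection-attack is a name collision, not a mapping; the skill injects network packets with Scapy, hping3 and Nemesis, which touches T1557 (Adversary-in-the-Middle, already listed), T1498 (Network Denial of Service) for malformed and flood traffic, and T1565 (Data Manipulation) if the body covers in-flight modification. Drop T1055.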
diff --git a/skills/performing-paste-site-monitoring-for-credentials/SKILL.md b/skills/performing-paste-site-monitoring-for-credentials/SKILL.md index c30b1146..acdc8cdb 100644 --- a/skills/performing-paste-site-monitoring-for-credentials/SKILL.md +++ b/skills/performing-paste-site-monitoring-for-credentials/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-paste-site-monitoring-for-credentials -description: Monitor paste sites like Pastebin and GitHub Gists for leaked credentials, API keys, and sensitive data dumps - using automated scraping and keyword matching to detect breaches early. +description: Monitor paste sites like Pastebin and GitHub Gists for leaked credentials, + API keys, and sensitive data dumps using automated scraping and keyword matching + to detect breaches early. domain: cybersecurity subdomain: threat-intelligence tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 +- T1003 --- # Performing Paste Site Monitoring for Credentials diff --git a/skills/performing-phishing-simulation-with-gophish/SKILL.md b/skills/performing-phishing-simulation-with-gophish/SKILL.md index 122eff4c..9529ab93 100644 --- a/skills/performing-phishing-simulation-with-gophish/SKILL.md +++ b/skills/performing-phishing-simulation-with-gophish/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-phishing-simulation-with-gophish -description: GoPhish is an open-source phishing simulation framework used by security teams to conduct authorized phishing - awareness campaigns. It provides campaign management, email template creation, landing pag +description: GoPhish is an open-source phishing simulation framework used by security + teams to conduct authorized phishing awareness campaigns. It provides campaign management, + email template creation, landing pag domain: cybersecurity subdomain: phishing-defense tags: 
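Review bot: T1003 (OS Credential Dumping) does not fit paste-site monitoring; the exposure being detected is T1552 (Unsecured Credentials) and T1589.001 (Gather Victim Identity Information: Credentials), with T1593.003 (Code Repositories) covering the GitHub Gist side. T1591 and T1592 are filler here. The GoPhish description on the same line is cut off at `landing pag` and the reflow preserves the truncation.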
@@ -20,6 +21,11 @@ nist_csf: - DE.CM-09 - RS.CO-02 - DE.AE-02 +mitre_attack: +- T1566 +- T1598 +- T1534 +- T1036 --- # Performing Phishing Simulation with GoPhish diff --git a/skills/performing-physical-intrusion-assessment/SKILL.md b/skills/performing-physical-intrusion-assessment/SKILL.md index acc7c80a..c704cded 100644 --- a/skills/performing-physical-intrusion-assessment/SKILL.md +++ b/skills/performing-physical-intrusion-assessment/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-physical-intrusion-assessment -description: Conduct authorized physical penetration testing using tailgating, badge cloning, lock bypassing, and rogue device - deployment to evaluate facility security controls. +description: Conduct authorized physical penetration testing using tailgating, badge + cloning, lock bypassing, and rogue device deployment to evaluate facility security + controls. domain: cybersecurity subdomain: red-teaming tags: @@ -25,6 +26,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1027 --- # Performing Physical Intrusion Assessment diff --git a/skills/performing-plc-firmware-security-analysis/SKILL.md b/skills/performing-plc-firmware-security-analysis/SKILL.md index 8ff8ec9b..e81d7e11 100644 --- a/skills/performing-plc-firmware-security-analysis/SKILL.md +++ b/skills/performing-plc-firmware-security-analysis/SKILL.md 
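Review bot: the physical-intrusion list is the red-teaming default (T1595, T1190, T1059, T1078, T1027) and contains nothing physical; badge cloning and rogue device deployment map to T1200 (Hardware Additions) and T1091 (Replication Through Removable Media), and T1078 fits only if the body treats a cloned badge as a valid credential. The GoPhish set (T1566, T1598, T1534) is a good fit; T1036 is questionable unless the body covers sender or display-name spoofing.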
@@ -1,9 +1,11 @@ --- name: performing-plc-firmware-security-analysis -description: 'This skill covers analyzing Programmable Logic Controller (PLC) firmware for security vulnerabilities including - hardcoded credentials, insecure update mechanisms, backdoor functions, memory corruption flaws, and undocumented debug interfaces. - It addresses firmware extraction from common PLC platforms (Siemens S7, Allen-Bradley, Schneider Modicon), static analysis - of firmware images, dynamic analysis in emulated environments, and comparison against known-good baselines to detect tampering. +description: 'This skill covers analyzing Programmable Logic Controller (PLC) firmware + for security vulnerabilities including hardcoded credentials, insecure update mechanisms, + backdoor functions, memory corruption flaws, and undocumented debug interfaces. + It addresses firmware extraction from common PLC platforms (Siemens S7, Allen-Bradley, + Schneider Modicon), static analysis of firmware images, dynamic analysis in emulated + environments, and comparison against known-good baselines to detect tampering. ' domain: cybersecurity @@ -24,6 +26,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1003 +- T1110 --- # Performing PLC Firmware Security Analysis diff --git a/skills/performing-post-quantum-cryptography-migration/SKILL.md b/skills/performing-post-quantum-cryptography-migration/SKILL.md index d67e8b4c..3262719f 100644 --- a/skills/performing-post-quantum-cryptography-migration/SKILL.md +++ b/skills/performing-post-quantum-cryptography-migration/SKILL.md 
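Review bot: T1003 (OS Credential Dumping) and T1110 (Brute Force) are the wrong credential techniques for hardcoded credentials found in firmware images; that is T1552 (Unsecured Credentials) and, on the ICS side, T0812 (Default Credentials). Firmware tampering detected against a known-good baseline, which the description calls out, is T0857 (System Firmware). T1190 (Exploit Public-Facing Application) is out of place for offline firmware analysis.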
@@ -1,10 +1,12 @@ --- name: performing-post-quantum-cryptography-migration -description: 'Assesses organizational readiness for post-quantum cryptography migration per NIST FIPS 203/204/205 standards. - Performs cryptographic inventory scanning to identify quantum-vulnerable algorithms (RSA, ECDH, ECDSA), evaluates hybrid - TLS configurations with X25519MLKEM768, and validates CRYSTALS-Kyber (ML-KEM) and CRYSTALS-Dilithium (ML-DSA) readiness. - Implements crypto-agility assessment using oqs-provider for OpenSSL. Use when planning or executing the transition from - classical to post-quantum cryptographic algorithms across enterprise infrastructure. +description: 'Assesses organizational readiness for post-quantum cryptography migration + per NIST FIPS 203/204/205 standards. Performs cryptographic inventory scanning to + identify quantum-vulnerable algorithms (RSA, ECDH, ECDSA), evaluates hybrid TLS + configurations with X25519MLKEM768, and validates CRYSTALS-Kyber (ML-KEM) and CRYSTALS-Dilithium + (ML-DSA) readiness. Implements crypto-agility assessment using oqs-provider for + OpenSSL. Use when planning or executing the transition from classical to post-quantum + cryptographic algorithms across enterprise infrastructure. ' domain: cybersecurity @@ -26,6 +28,11 @@ nist_csf: - PR.DS-01 - PR.DS-02 - PR.DS-10 +mitre_attack: +- T1600 +- T1573 +- T1553 +- T1040 --- # Performing Post-Quantum Cryptography Migration diff --git a/skills/performing-power-grid-cybersecurity-assessment/SKILL.md b/skills/performing-power-grid-cybersecurity-assessment/SKILL.md index 74e0b0d4..a725a1c2 100644 --- a/skills/performing-power-grid-cybersecurity-assessment/SKILL.md +++ b/skills/performing-power-grid-cybersecurity-assessment/SKILL.md 
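Review bot: T1600 (Weaken Encryption) covers an adversary reducing key space or disabling crypto hardware, which this migration skill does not assess; T1040 (harvest-now-decrypt-later capture) and T1573 (the channel being migrated) are the IDs that fit, and T1557 would cover downgrade of a hybrid X25519MLKEM768 handshake if the body tests that. Drop T1600 unless the body discusses tampering with key generation.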
@@ -1,10 +1,11 @@ --- name: performing-power-grid-cybersecurity-assessment -description: 'This skill covers conducting cybersecurity assessments of electric power grid infrastructure including generation - facilities, transmission substations, distribution systems, and energy management system (EMS) control centers. It addresses - NERC CIP compliance verification, substation automation security, IEC 61850 protocol analysis, synchrophasor (PMU) network - security, and the unique threat landscape targeting power grid operations as demonstrated by Industroyer/CrashOverride and - related attacks. +description: 'This skill covers conducting cybersecurity assessments of electric power + grid infrastructure including generation facilities, transmission substations, distribution + systems, and energy management system (EMS) control centers. It addresses NERC CIP + compliance verification, substation automation security, IEC 61850 protocol analysis, + synchrophasor (PMU) network security, and the unique threat landscape targeting + power grid operations as demonstrated by Industroyer/CrashOverride and related attacks. ' domain: cybersecurity @@ -26,6 +27,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Performing Power Grid Cybersecurity Assessment diff --git a/skills/performing-privacy-impact-assessment/SKILL.md b/skills/performing-privacy-impact-assessment/SKILL.md index 7ab22d5e..79d141b4 100644 --- a/skills/performing-privacy-impact-assessment/SKILL.md +++ b/skills/performing-privacy-impact-assessment/SKILL.md 
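Review bot: the power-grid list duplicates the oil and gas/OT set, but this description names Industroyer/CrashOverride and IEC 61850, whose behaviour is T0855 (Unauthorized Command Message) against substation protocols; T0836 and T0816 cover only the impact side. NERC CIP boundary review also implies T0883 (Internet Accessible Device) and T0886 (Remote Services). A per-skill list is needed here rather than the shared five.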
@@ -1,9 +1,11 @@ --- name: performing-privacy-impact-assessment -description: 'Automates the Privacy Impact Assessment (PIA) workflow including data flow mapping, privacy risk scoring matrices, - GDPR Article 35 DPIA and CCPA/CPRA alignment checks, data inventory cataloging, and remediation tracking. Implements the - NIST Privacy Framework PRAM methodology and ICO DPIA guidance for systematic identification and mitigation of privacy risks - across processing activities. Use when conducting privacy assessments for new systems, evaluating regulatory compliance +description: 'Automates the Privacy Impact Assessment (PIA) workflow including data + flow mapping, privacy risk scoring matrices, GDPR Article 35 DPIA and CCPA/CPRA + alignment checks, data inventory cataloging, and remediation tracking. Implements + the NIST Privacy Framework PRAM methodology and ICO DPIA guidance for systematic + identification and mitigation of privacy risks across processing activities. Use + when conducting privacy assessments for new systems, evaluating regulatory compliance posture, or building automated privacy governance programs. ' @@ -25,6 +27,10 @@ nist_csf: - GV.PO-01 - PR.DS-01 - GV.OC-05 +mitre_attack: +- T1078 +- T1190 +- T1059 --- # Performing Privacy Impact Assessment diff --git a/skills/performing-privilege-escalation-assessment/SKILL.md b/skills/performing-privilege-escalation-assessment/SKILL.md index 58233456..017f98ab 100644 --- a/skills/performing-privilege-escalation-assessment/SKILL.md +++ b/skills/performing-privilege-escalation-assessment/SKILL.md 
@@ -1,10 +1,11 @@ --- name: performing-privilege-escalation-assessment -description: 'Performs privilege escalation assessments on compromised Linux and Windows systems to identify paths from low-privilege - access to root or SYSTEM-level control. The tester enumerates misconfigurations, vulnerable services, kernel exploits, SUID - binaries, unquoted service paths, and credential stores to demonstrate the full impact of an initial compromise. Activates - for requests involving privilege escalation testing, local exploitation, post-compromise escalation, or OS-level security - assessment. +description: 'Performs privilege escalation assessments on compromised Linux and Windows + systems to identify paths from low-privilege access to root or SYSTEM-level control. + The tester enumerates misconfigurations, vulnerable services, kernel exploits, SUID + binaries, unquoted service paths, and credential stores to demonstrate the full + impact of an initial compromise. Activates for requests involving privilege escalation + testing, local exploitation, post-compromise escalation, or OS-level security assessment. ' domain: cybersecurity @@ -29,6 +30,12 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1068 --- # Performing Privilege Escalation Assessment diff --git a/skills/performing-privilege-escalation-on-linux/SKILL.md b/skills/performing-privilege-escalation-on-linux/SKILL.md index 4d1f32a5..7928be37 100644 --- a/skills/performing-privilege-escalation-on-linux/SKILL.md +++ b/skills/performing-privilege-escalation-on-linux/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-privilege-escalation-on-linux -description: Linux privilege escalation involves elevating from a low-privilege user account to root access on a compromised - system. Red teams exploit misconfigurations, vulnerable services, kernel exploits, and w +description: Linux privilege escalation involves elevating from a low-privilege user + account to root access on a compromised system. Red teams exploit misconfigurations, + vulnerable services, kernel exploits, and w domain: cybersecurity subdomain: red-teaming tags: @@ -25,6 +26,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1068 --- # Performing Privilege Escalation on Linux diff --git a/skills/performing-privileged-account-access-review/SKILL.md b/skills/performing-privileged-account-access-review/SKILL.md index 3e9d95c4..209ff45b 100644 --- a/skills/performing-privileged-account-access-review/SKILL.md +++ b/skills/performing-privileged-account-access-review/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-privileged-account-access-review -description: Conduct systematic reviews of privileged accounts to validate access rights, identify excessive permissions, - and enforce least privilege across PAM infrastructure. +description: Conduct systematic reviews of privileged accounts to validate access + rights, identify excessive permissions, and enforce least privilege across PAM infrastructure. domain: cybersecurity subdomain: identity-access-management tags: @@ -20,6 +20,11 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 --- # Performing Privileged Account Access Review diff --git a/skills/performing-privileged-account-discovery/SKILL.md b/skills/performing-privileged-account-discovery/SKILL.md index b79bc134..5e781e14 100644 --- a/skills/performing-privileged-account-discovery/SKILL.md +++ b/skills/performing-privileged-account-discovery/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-privileged-account-discovery -description: Discover and inventory all privileged accounts across enterprise infrastructure including domain admins, local - admins, service accounts, database admins, cloud IAM roles, and application admin account +description: Discover and inventory all privileged accounts across enterprise infrastructure + including domain admins, local admins, service accounts, database admins, cloud + IAM roles, and application admin account domain: cybersecurity subdomain: identity-access-management tags: @@ -19,6 +20,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 +- T1078.004 --- # Performing Privileged Account Discovery diff --git a/skills/performing-purple-team-atomic-testing/SKILL.md b/skills/performing-purple-team-atomic-testing/SKILL.md index 8533dab7..32ce8d02 100644 --- a/skills/performing-purple-team-atomic-testing/SKILL.md +++ b/skills/performing-purple-team-atomic-testing/SKILL.md 
@@ -1,10 +1,12 @@ --- name: performing-purple-team-atomic-testing -description: 'Executes Atomic Red Team tests mapped to MITRE ATT&CK techniques, performs coverage gap analysis across the - ATT&CK matrix, and runs detection validation loops to measure blue team visibility. Covers Invoke-AtomicRedTeam PowerShell - execution, ATT&CK Navigator layer generation for heatmaps, Sigma rule correlation, and continuous atomic testing pipelines. - Activates for requests involving purple team exercises, atomic test execution, ATT&CK coverage assessment, detection engineering - validation, or adversary emulation testing. +description: 'Executes Atomic Red Team tests mapped to MITRE ATT&CK techniques, performs + coverage gap analysis across the ATT&CK matrix, and runs detection validation loops + to measure blue team visibility. Covers Invoke-AtomicRedTeam PowerShell execution, + ATT&CK Navigator layer generation for heatmaps, Sigma rule correlation, and continuous + atomic testing pipelines. Activates for requests involving purple team exercises, + atomic test execution, ATT&CK coverage assessment, detection engineering validation, + or adversary emulation testing. ' domain: cybersecurity @@ -36,6 +38,10 @@ nist_csf: - ID.RA-01 - DE.AE-07 - GV.OV-02 +mitre_attack: +- T1078 +- T1190 +- T1059 --- # Performing Purple Team Atomic Testing diff --git a/skills/performing-purple-team-exercise/SKILL.md b/skills/performing-purple-team-exercise/SKILL.md index f27f91f2..05346763 100644 --- a/skills/performing-purple-team-exercise/SKILL.md +++ b/skills/performing-purple-team-exercise/SKILL.md 
@@ -1,9 +1,10 @@ --- name: performing-purple-team-exercise -description: 'Performs purple team exercises by coordinating red team adversary emulation with blue team detection validation - using MITRE ATT&CK-mapped attack scenarios, real-time detection testing, and collaborative gap remediation. Use when SOC - teams need to validate detection capabilities, improve analyst skills, and close detection gaps through structured offensive-defensive - collaboration. +description: 'Performs purple team exercises by coordinating red team adversary emulation + with blue team detection validation using MITRE ATT&CK-mapped attack scenarios, + real-time detection testing, and collaborative gap remediation. Use when SOC teams + need to validate detection capabilities, improve analyst skills, and close detection + gaps through structured offensive-defensive collaboration. ' domain: cybersecurity @@ -30,6 +31,11 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1685.002 +- T1685.005 +- T1566 --- # Performing Purple Team Exercise diff --git a/skills/performing-ransomware-response/SKILL.md b/skills/performing-ransomware-response/SKILL.md index f8524694..1789280f 100644 --- a/skills/performing-ransomware-response/SKILL.md +++ b/skills/performing-ransomware-response/SKILL.md 
@@ -1,9 +1,11 @@ --- name: performing-ransomware-response -description: 'Executes a structured ransomware incident response from initial detection through containment, forensic analysis, - decryption assessment, recovery, and post-incident hardening. Addresses ransom negotiation considerations, backup integrity - verification, and regulatory notification requirements. Activates for requests involving ransomware response, ransomware - recovery, crypto-ransomware, data encryption attack, ransom payment decision, or ransomware containment. +description: 'Executes a structured ransomware incident response from initial detection + through containment, forensic analysis, decryption assessment, recovery, and post-incident + hardening. Addresses ransom negotiation considerations, backup integrity verification, + and regulatory notification requirements. Activates for requests involving ransomware + response, ransomware recovery, crypto-ransomware, data encryption attack, ransom + payment decision, or ransomware containment. ' domain: cybersecurity @@ -17,9 +19,9 @@ tags: mitre_attack: - T1486 - T1490 +- T1070 +- T1078 - T1489 -- T1021 -- T1570 version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/performing-ransomware-tabletop-exercise/SKILL.md b/skills/performing-ransomware-tabletop-exercise/SKILL.md index c19fb388..a7021e8f 100644 --- a/skills/performing-ransomware-tabletop-exercise/SKILL.md +++ b/skills/performing-ransomware-tabletop-exercise/SKILL.md 
@@ -1,10 +1,12 @@ --- name: performing-ransomware-tabletop-exercise -description: 'Plans and facilitates tabletop exercises simulating ransomware incidents to test organizational readiness, decision-making, - and communication procedures. Designs realistic scenarios based on current ransomware threat actors (LockBit, ALPHV/BlackCat, - Cl0p), injects covering double extortion, backup destruction, and regulatory notification requirements. Evaluates participant - responses against NIST CSF and CISA guidelines. Activates for requests involving ransomware tabletop, incident response - exercise, or ransomware readiness drill. +description: 'Plans and facilitates tabletop exercises simulating ransomware incidents + to test organizational readiness, decision-making, and communication procedures. + Designs realistic scenarios based on current ransomware threat actors (LockBit, + ALPHV/BlackCat, Cl0p), injects covering double extortion, backup destruction, and + regulatory notification requirements. Evaluates participant responses against NIST + CSF and CISA guidelines. Activates for requests involving ransomware tabletop, incident + response exercise, or ransomware readiness drill. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - RS.MA-01 - RC.RP-01 - PR.IR-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1486 +- T1490 --- # Performing Ransomware Tabletop Exercise diff --git a/skills/performing-red-team-phishing-with-gophish/SKILL.md b/skills/performing-red-team-phishing-with-gophish/SKILL.md index 23ef1490..03817ffd 100644 --- a/skills/performing-red-team-phishing-with-gophish/SKILL.md +++ b/skills/performing-red-team-phishing-with-gophish/SKILL.md 
@@ -1,15 +1,19 @@ --- name: performing-red-team-phishing-with-gophish -description: Automate GoPhish phishing simulation campaigns using the Python gophish library. Creates email templates with - tracking pixels, configures SMTP sending profiles, builds target groups from CSV, launches campaigns, and analyzes results - including open rates, click rates, and credential submission statistics for security awareness assessment. +description: Automate GoPhish phishing simulation campaigns using the Python gophish + library. Creates email templates with tracking pixels, configures SMTP sending profiles, + builds target groups from CSV, launches campaigns, and analyzes results including + open rates, click rates, and credential submission statistics for security awareness + assessment. domain: cybersecurity subdomain: security-operations tags: -- performing -- red -- team -- phishing +- red-teaming +- phishing-simulation +- gophish +- social-engineering +- campaign-automation +- security-awareness version: '1.0' author: mahipal license: Apache-2.0 @@ -18,6 +22,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1003 +- T1110 --- diff --git a/skills/performing-red-team-with-covenant/SKILL.md b/skills/performing-red-team-with-covenant/SKILL.md index 1006343d..17a27bc4 100644 --- a/skills/performing-red-team-with-covenant/SKILL.md +++ b/skills/performing-red-team-with-covenant/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-red-team-with-covenant -description: Conduct red team operations using the Covenant C2 framework for authorized adversary simulation, including listener - setup, grunt deployment, task execution, and lateral movement tracking. +description: Conduct red team operations using the Covenant C2 framework for authorized + adversary simulation, including listener setup, grunt deployment, task execution, + and lateral movement tracking. domain: cybersecurity subdomain: red-team tags: 
@@ -17,6 +18,12 @@ nist_csf: - ID.RA-01 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1021 --- # Performing Red Team Operations with Covenant C2 diff --git a/skills/performing-s7comm-protocol-security-analysis/SKILL.md b/skills/performing-s7comm-protocol-security-analysis/SKILL.md index 4cbf535f..0157bcd9 100644 --- a/skills/performing-s7comm-protocol-security-analysis/SKILL.md +++ b/skills/performing-s7comm-protocol-security-analysis/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-s7comm-protocol-security-analysis -description: 'Perform security analysis of Siemens S7comm and S7CommPlus protocols used by SIMATIC S7 PLCs to identify vulnerabilities - including replay attacks, integrity bypass, unauthorized CPU stop commands, and program download manipulation exploiting +description: 'Perform security analysis of Siemens S7comm and S7CommPlus protocols + used by SIMATIC S7 PLCs to identify vulnerabilities including replay attacks, integrity + bypass, unauthorized CPU stop commands, and program download manipulation exploiting weaknesses in S7-300, S7-400, S7-1200, and S7-1500 controllers. ' @@ -24,6 +25,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1685.002 +- T1685.005 --- # Performing S7comm Protocol Security Analysis diff --git a/skills/performing-sca-dependency-scanning-with-snyk/SKILL.md b/skills/performing-sca-dependency-scanning-with-snyk/SKILL.md index c92afaa3..18401841 100644 --- a/skills/performing-sca-dependency-scanning-with-snyk/SKILL.md +++ b/skills/performing-sca-dependency-scanning-with-snyk/SKILL.md 
@@ -1,9 +1,10 @@ --- name: performing-sca-dependency-scanning-with-snyk -description: 'This skill covers implementing Software Composition Analysis (SCA) using Snyk to detect vulnerable open-source - dependencies in CI/CD pipelines. It addresses scanning package manifests and lockfiles, automated fix pull request generation, - license compliance checking, continuous monitoring of deployed applications, and integration with GitHub, GitLab, and Jenkins - pipelines. +description: 'This skill covers implementing Software Composition Analysis (SCA) using + Snyk to detect vulnerable open-source dependencies in CI/CD pipelines. It addresses + scanning package manifests and lockfiles, automated fix pull request generation, + license compliance checking, continuous monitoring of deployed applications, and + integration with GitHub, GitLab, and Jenkins pipelines. ' domain: cybersecurity @@ -23,6 +24,10 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195 +- T1554 +- T1059.004 --- # Performing SCA Dependency Scanning with Snyk diff --git a/skills/performing-scada-hmi-security-assessment/SKILL.md b/skills/performing-scada-hmi-security-assessment/SKILL.md index 300d1a9e..afa94bd9 100644 --- a/skills/performing-scada-hmi-security-assessment/SKILL.md +++ b/skills/performing-scada-hmi-security-assessment/SKILL.md 
@@ -1,8 +1,9 @@ --- name: performing-scada-hmi-security-assessment -description: 'Perform security assessments of SCADA Human-Machine Interface (HMI) systems to identify vulnerabilities in web-based - HMIs, thin-client configurations, authentication mechanisms, and communication channels between HMI and PLCs, aligned with - IEC 62443 and NIST SP 800-82 guidelines. +description: 'Perform security assessments of SCADA Human-Machine Interface (HMI) + systems to identify vulnerabilities in web-based HMIs, thin-client configurations, + authentication mechanisms, and communication channels between HMI and PLCs, aligned + with IEC 62443 and NIST SP 800-82 guidelines. ' domain: cybersecurity @@ -24,6 +25,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Performing SCADA HMI Security Assessment diff --git a/skills/performing-second-order-sql-injection/SKILL.md b/skills/performing-second-order-sql-injection/SKILL.md index 5a95871d..8be4a1f9 100644 --- a/skills/performing-second-order-sql-injection/SKILL.md +++ b/skills/performing-second-order-sql-injection/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-second-order-sql-injection -description: Detect and exploit second-order SQL injection vulnerabilities where malicious input is stored in a database and - later executed in an unsafe SQL query during a different application operation. +description: Detect and exploit second-order SQL injection vulnerabilities where malicious + input is stored in a database and later executed in an unsafe SQL query during a + different application operation. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1055 --- # Performing Second-Order SQL Injection 
diff --git a/skills/performing-security-headers-audit/SKILL.md b/skills/performing-security-headers-audit/SKILL.md index 81e0bdf1..0b85cbc2 100644 --- a/skills/performing-security-headers-audit/SKILL.md +++ b/skills/performing-security-headers-audit/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-security-headers-audit -description: Auditing HTTP security headers including CSP, HSTS, X-Frame-Options, and cookie attributes to identify missing - or misconfigured browser-level protections. +description: Auditing HTTP security headers including CSP, HSTS, X-Frame-Options, + and cookie attributes to identify missing or misconfigured browser-level protections. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +20,11 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 --- # Performing Security Headers Audit diff --git a/skills/performing-serverless-function-security-review/SKILL.md b/skills/performing-serverless-function-security-review/SKILL.md index f54abac0..94aafa5c 100644 --- a/skills/performing-serverless-function-security-review/SKILL.md +++ b/skills/performing-serverless-function-security-review/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-serverless-function-security-review -description: 'Performing security reviews of serverless functions across AWS Lambda, Azure Functions, and GCP Cloud Functions - to identify overly permissive execution roles, insecure environment variables, injection vulnerabilities, and missing runtime +description: 'Performing security reviews of serverless functions across AWS Lambda, + Azure Functions, and GCP Cloud Functions to identify overly permissive execution + roles, insecure environment variables, injection vulnerabilities, and missing runtime protections. ' @@ -22,6 +23,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1055 --- # Performing Serverless Function Security Review 
diff --git a/skills/performing-service-account-audit/SKILL.md b/skills/performing-service-account-audit/SKILL.md index 3e5386b8..9994eea3 100644 --- a/skills/performing-service-account-audit/SKILL.md +++ b/skills/performing-service-account-audit/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-service-account-audit -description: Audit service accounts across enterprise infrastructure to identify orphaned, over-privileged, and non-compliant - accounts. This skill covers discovery of service accounts in Active Directory, cloud pl +description: Audit service accounts across enterprise infrastructure to identify orphaned, + over-privileged, and non-compliant accounts. This skill covers discovery of service + accounts in Active Directory, cloud pl domain: cybersecurity subdomain: identity-access-management tags: @@ -19,6 +20,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 +- T1069 --- # Performing Service Account Audit diff --git a/skills/performing-service-account-credential-rotation/SKILL.md b/skills/performing-service-account-credential-rotation/SKILL.md index 3e94fed6..c4ad4988 100644 --- a/skills/performing-service-account-credential-rotation/SKILL.md +++ b/skills/performing-service-account-credential-rotation/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-service-account-credential-rotation -description: Automate credential rotation for service accounts across Active Directory, cloud platforms, and application databases - to eliminate stale secrets and reduce compromise risk. +description: Automate credential rotation for service accounts across Active Directory, + cloud platforms, and application databases to eliminate stale secrets and reduce + compromise risk. domain: cybersecurity subdomain: identity-access-management tags: @@ -19,6 +20,12 @@ nist_csf: - PR.AA-02 - PR.AA-05 - PR.AA-06 +mitre_attack: +- T1078 +- T1110 +- T1556 +- T1098 +- T1003 --- # Performing Service Account Credential Rotation 
diff --git a/skills/performing-soap-web-service-security-testing/SKILL.md b/skills/performing-soap-web-service-security-testing/SKILL.md index 6ff58e76..ad4106c4 100644 --- a/skills/performing-soap-web-service-security-testing/SKILL.md +++ b/skills/performing-soap-web-service-security-testing/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-soap-web-service-security-testing -description: Perform security testing of SOAP web services by analyzing WSDL definitions and testing for XML injection, XXE, - WS-Security bypass, and SOAPAction spoofing. +description: Perform security testing of SOAP web services by analyzing WSDL definitions + and testing for XML injection, XXE, WS-Security bypass, and SOAPAction spoofing. domain: cybersecurity subdomain: api-security tags: @@ -22,6 +22,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1055 +- T1059 --- # Performing SOAP Web Service Security Testing diff --git a/skills/performing-soc-tabletop-exercise/SKILL.md b/skills/performing-soc-tabletop-exercise/SKILL.md index 7f7a8e32..6009e2f2 100644 --- a/skills/performing-soc-tabletop-exercise/SKILL.md +++ b/skills/performing-soc-tabletop-exercise/SKILL.md 
@@ -1,9 +1,10 @@ --- name: performing-soc-tabletop-exercise -description: 'Performs tabletop exercises for SOC teams simulating security incidents through discussion-based scenarios to - test incident response procedures, communication workflows, and decision-making under pressure without impacting production - systems. Use when organizations need to validate IR playbooks, train analysts, or meet compliance requirements for incident - response testing. +description: 'Performs tabletop exercises for SOC teams simulating security incidents + through discussion-based scenarios to test incident response procedures, communication + workflows, and decision-making under pressure without impacting production systems. + Use when organizations need to validate IR playbooks, train analysts, or meet compliance + requirements for incident response testing. ' domain: cybersecurity @@ -17,9 +18,10 @@ tags: - nist - playbook-validation mitre_attack: -- T1566 -- T1486 - T1078 +- T1685.002 +- T1685.005 +- T1566 version: '1.0' author: mahipal license: Apache-2.0 diff --git a/skills/performing-soc2-type2-audit-preparation/SKILL.md b/skills/performing-soc2-type2-audit-preparation/SKILL.md index cb9b3bb7..f1f07f8e 100644 --- a/skills/performing-soc2-type2-audit-preparation/SKILL.md +++ b/skills/performing-soc2-type2-audit-preparation/SKILL.md 
@@ -1,22 +1,23 @@ --- name: performing-soc2-type2-audit-preparation -description: 'Automates SOC 2 Type II audit preparation including gap assessment against AICPA Trust Services Criteria (CC1-CC9), - evidence collection from cloud providers and identity systems, control testing validation, remediation tracking, and continuous - compliance monitoring. Covers all five TSC categories (Security, Availability, Processing Integrity, Confidentiality, Privacy) - with automated evidence gathering from AWS, Azure, GCP, Okta, GitHub, and Jira. Use when preparing for or maintaining SOC - 2 Type II certification. +description: 'Automates SOC 2 Type II audit preparation including gap assessment against + AICPA Trust Services Criteria (CC1-CC9), evidence collection from cloud providers + and identity systems, control testing validation, remediation tracking, and continuous + compliance monitoring. Covers all five TSC categories (Security, Availability, Processing + Integrity, Confidentiality, Privacy) with automated evidence gathering from AWS, + Azure, GCP, Okta, GitHub, and Jira. Use when preparing for or maintaining SOC 2 + Type II certification. ' domain: cybersecurity subdomain: governance-risk-compliance tags: -- performing - soc2 -- type2 -- audit -- preparation - compliance - grc +- aicpa-tsc +- audit-preparation +- governance-risk-compliance version: '1.0' author: mukul975 license: Apache-2.0 @@ -25,6 +26,12 @@ nist_csf: - GV.RM-01 - GV.PO-01 - GV.OV-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1071 +- T1095 --- # Performing SOC 2 Type II Audit Preparation diff --git a/skills/performing-sqlite-database-forensics/SKILL.md b/skills/performing-sqlite-database-forensics/SKILL.md index f4a6c9c4..59a8ec3a 100644 --- a/skills/performing-sqlite-database-forensics/SKILL.md +++ b/skills/performing-sqlite-database-forensics/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-sqlite-database-forensics -description: Perform forensic analysis of SQLite databases to recover deleted records from freelists and WAL files, decode - encoded timestamps, and extract evidence from browser history, messaging apps, and mobile device databases. +description: Perform forensic analysis of SQLite databases to recover deleted records + from freelists and WAL files, decode encoded timestamps, and extract evidence from + browser history, messaging apps, and mobile device databases. domain: cybersecurity subdomain: digital-forensics tags: @@ -23,6 +24,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1059 --- # Performing SQLite Database Forensics diff --git a/skills/performing-ssl-certificate-lifecycle-management/SKILL.md b/skills/performing-ssl-certificate-lifecycle-management/SKILL.md index 60874fe9..33ab7281 100644 --- a/skills/performing-ssl-certificate-lifecycle-management/SKILL.md +++ b/skills/performing-ssl-certificate-lifecycle-management/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-ssl-certificate-lifecycle-management -description: SSL/TLS certificate lifecycle management encompasses the full process of requesting, issuing, deploying, monitoring, - renewing, and revoking X.509 certificates. Poor certificate management is a leading +description: SSL/TLS certificate lifecycle management encompasses the full process + of requesting, issuing, deploying, monitoring, renewing, and revoking X.509 certificates. + Poor certificate management is a leading domain: cybersecurity subdomain: cryptography tags: @@ -18,6 +19,11 @@ nist_csf: - PR.DS-01 - PR.DS-02 - PR.DS-10 +mitre_attack: +- T1600 +- T1573 +- T1553 +- T1040 --- # Performing SSL Certificate Lifecycle Management diff --git a/skills/performing-ssl-stripping-attack/SKILL.md b/skills/performing-ssl-stripping-attack/SKILL.md index 83cc66e0..443f6877 100644 --- a/skills/performing-ssl-stripping-attack/SKILL.md 
+++ b/skills/performing-ssl-stripping-attack/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-ssl-stripping-attack -description: 'Simulates SSL stripping attacks using sslstrip, Bettercap, and mitmproxy in authorized environments to test - HSTS enforcement, certificate validation, and HTTPS upgrade mechanisms that protect users from downgrade attacks on encrypted +description: 'Simulates SSL stripping attacks using sslstrip, Bettercap, and mitmproxy + in authorized environments to test HSTS enforcement, certificate validation, and + HTTPS upgrade mechanisms that protect users from downgrade attacks on encrypted connections. ' @@ -21,6 +22,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1573 --- # Performing SSL Stripping Attack diff --git a/skills/performing-ssl-tls-inspection-configuration/SKILL.md b/skills/performing-ssl-tls-inspection-configuration/SKILL.md index 20484076..9bf32d85 100644 --- a/skills/performing-ssl-tls-inspection-configuration/SKILL.md +++ b/skills/performing-ssl-tls-inspection-configuration/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-ssl-tls-inspection-configuration -description: Configure SSL/TLS inspection on network security devices to decrypt, inspect, and re-encrypt HTTPS traffic for - threat detection while managing certificates, exemptions, and privacy compliance. +description: Configure SSL/TLS inspection on network security devices to decrypt, + inspect, and re-encrypt HTTPS traffic for threat detection while managing certificates, + exemptions, and privacy compliance. domain: cybersecurity subdomain: network-security tags: @@ -21,6 +22,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1573 --- # Performing SSL/TLS Inspection Configuration diff --git a/skills/performing-ssl-tls-security-assessment/SKILL.md b/skills/performing-ssl-tls-security-assessment/SKILL.md index 8f68b350..e6db9928 100644 
--- a/skills/performing-ssl-tls-security-assessment/SKILL.md +++ b/skills/performing-ssl-tls-security-assessment/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-ssl-tls-security-assessment -description: Assess SSL/TLS server configurations using the sslyze Python library to evaluate cipher suites, certificate chains, - protocol versions, HSTS headers, and known vulnerabilities like Heartbleed and ROBOT. +description: Assess SSL/TLS server configurations using the sslyze Python library + to evaluate cipher suites, certificate chains, protocol versions, HSTS headers, + and known vulnerabilities like Heartbleed and ROBOT. domain: cybersecurity subdomain: network-security tags: @@ -20,6 +21,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1553 --- # Performing SSL/TLS Security Assessment diff --git a/skills/performing-ssrf-vulnerability-exploitation/SKILL.md b/skills/performing-ssrf-vulnerability-exploitation/SKILL.md index 63eeb708..73e107bd 100644 --- a/skills/performing-ssrf-vulnerability-exploitation/SKILL.md +++ b/skills/performing-ssrf-vulnerability-exploitation/SKILL.md 
@@ -1,15 +1,17 @@ --- name: performing-ssrf-vulnerability-exploitation -description: Test for Server-Side Request Forgery vulnerabilities by probing cloud metadata endpoints, internal network services, - and protocol handlers through user-controllable URL parameters. Tests AWS/GCP/Azure metadata APIs (169.254.169.254), internal - port scanning via HTTP, URL scheme bypass techniques, and DNS rebinding detection. +description: Test for Server-Side Request Forgery vulnerabilities by probing cloud + metadata endpoints, internal network services, and protocol handlers through user-controllable + URL parameters. Tests AWS/GCP/Azure metadata APIs (169.254.169.254), internal port + scanning via HTTP, URL scheme bypass techniques, and DNS rebinding detection. domain: cybersecurity subdomain: security-operations tags: -- performing - ssrf -- vulnerability -- exploitation +- web-application-security +- cloud-metadata-abuse +- vulnerability-exploitation +- penetration-testing version: '1.0' author: mahipal license: Apache-2.0 @@ -18,6 +20,12 @@ nist_csf: - RS.MA-01 - GV.OV-01 - DE.AE-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1078.004 +- T1530 --- diff --git a/skills/performing-static-malware-analysis-with-pe-studio/SKILL.md b/skills/performing-static-malware-analysis-with-pe-studio/SKILL.md index 09e9c1bd..ee2c605c 100644 --- a/skills/performing-static-malware-analysis-with-pe-studio/SKILL.md +++ b/skills/performing-static-malware-analysis-with-pe-studio/SKILL.md 
@@ -1,9 +1,11 @@ --- name: performing-static-malware-analysis-with-pe-studio -description: 'Performs static analysis of Windows PE (Portable Executable) malware samples using PEStudio to examine file - headers, imports, strings, resources, and indicators without executing the binary. Identifies suspicious characteristics - including packing, anti-analysis techniques, and malicious imports. Activates for requests involving static malware analysis, - PE file inspection, Windows executable analysis, or pre-execution malware triage. +description: 'Performs static analysis of Windows PE (Portable Executable) malware + samples using PEStudio to examine file headers, imports, strings, resources, and + indicators without executing the binary. Identifies suspicious characteristics including + packing, anti-analysis techniques, and malicious imports. Activates for requests + involving static malware analysis, PE file inspection, Windows executable analysis, + or pre-execution malware triage. ' domain: cybersecurity @@ -22,6 +24,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1055 +- T1140 +- T1497 +- T0816 --- # Performing Static Malware Analysis with PEStudio diff --git a/skills/performing-steganography-detection/SKILL.md b/skills/performing-steganography-detection/SKILL.md index 13934c89..6922ab14 100644 --- a/skills/performing-steganography-detection/SKILL.md +++ b/skills/performing-steganography-detection/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-steganography-detection -description: Detect and extract hidden data embedded in images, audio, and other media files using steganalysis tools to uncover - covert communication channels. +description: Detect and extract hidden data embedded in images, audio, and other media + files using steganalysis tools to uncover covert communication channels. domain: cybersecurity subdomain: digital-forensics tags: 
@@ -19,6 +19,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1059 --- # Performing Steganography Detection diff --git a/skills/performing-subdomain-enumeration-with-subfinder/SKILL.md b/skills/performing-subdomain-enumeration-with-subfinder/SKILL.md index aa119117..4efe0aa1 100644 --- a/skills/performing-subdomain-enumeration-with-subfinder/SKILL.md +++ b/skills/performing-subdomain-enumeration-with-subfinder/SKILL.md @@ -1,7 +1,7 @@ --- name: performing-subdomain-enumeration-with-subfinder -description: Enumerate subdomains of target domains using ProjectDiscovery's Subfinder passive reconnaissance tool to map - the attack surface during security assessments. +description: Enumerate subdomains of target domains using ProjectDiscovery's Subfinder + passive reconnaissance tool to map the attack surface during security assessments. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +20,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1595 --- # Performing Subdomain Enumeration with Subfinder diff --git a/skills/performing-supply-chain-attack-simulation/SKILL.md b/skills/performing-supply-chain-attack-simulation/SKILL.md index 65f1f7d0..99adc7b3 100644 --- a/skills/performing-supply-chain-attack-simulation/SKILL.md +++ b/skills/performing-supply-chain-attack-simulation/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-supply-chain-attack-simulation -description: Simulate and detect software supply chain attacks including typosquatting detection via Levenshtein distance, - dependency confusion testing against private registries, package hash verification with pip, and known vulnerability scanning +description: Simulate and detect software supply chain attacks including typosquatting + detection via Levenshtein distance, dependency confusion testing against private + registries, package hash verification with pip, and known vulnerability scanning with pip-audit. domain: cybersecurity subdomain: application-security @@ -21,6 +22,12 @@ nist_csf: - PR.PS-04 - ID.RA-01 - PR.DS-10 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1195 +- T1554 --- # Performing Supply Chain Attack Simulation diff --git a/skills/performing-thick-client-application-penetration-test/SKILL.md b/skills/performing-thick-client-application-penetration-test/SKILL.md index b1a02915..cc268b3d 100644 --- a/skills/performing-thick-client-application-penetration-test/SKILL.md +++ b/skills/performing-thick-client-application-penetration-test/SKILL.md @@ -1,8 +1,8 @@ --- name: performing-thick-client-application-penetration-test -description: Conduct a thick client application penetration test to identify insecure local storage, hardcoded credentials, - DLL hijacking, memory manipulation, and insecure API communication in desktop applications using dnSpy, Procmon, and Burp - Suite. +description: Conduct a thick client application penetration test to identify insecure + local storage, hardcoded credentials, DLL hijacking, memory manipulation, and insecure + API communication in desktop applications using dnSpy, Procmon, and Burp Suite. domain: cybersecurity subdomain: penetration-testing tags: @@ -29,6 +29,12 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1003 --- # Performing Thick Client Application Penetration Test 
diff --git a/skills/performing-threat-emulation-with-atomic-red-team/SKILL.md b/skills/performing-threat-emulation-with-atomic-red-team/SKILL.md index f3fc239d..c3147c9f 100644 --- a/skills/performing-threat-emulation-with-atomic-red-team/SKILL.md +++ b/skills/performing-threat-emulation-with-atomic-red-team/SKILL.md @@ -1,17 +1,20 @@ --- name: performing-threat-emulation-with-atomic-red-team -description: 'Executes Atomic Red Team tests for MITRE ATT&CK technique validation using the atomic-operator Python framework. - Loads test definitions from YAML atomics, runs attack simulations, and validates detection coverage. Use when testing SIEM +description: 'Executes Atomic Red Team tests for MITRE ATT&CK technique validation + using the atomic-operator Python framework. Loads test definitions from YAML atomics, + runs attack simulations, and validates detection coverage. Use when testing SIEM detection rules, validating EDR coverage, or conducting purple team exercises. ' domain: cybersecurity subdomain: threat-intelligence tags: -- performing -- threat -- emulation -- with +- threat-emulation +- atomic-red-team +- mitre-attack +- adversary-emulation +- atomic-operator +- purple-team version: '1.0' author: mahipal license: Apache-2.0 @@ -34,6 +37,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 +- T1685.002 --- # Performing Threat Emulation with Atomic Red Team diff --git a/skills/performing-threat-hunting-with-elastic-siem/SKILL.md b/skills/performing-threat-hunting-with-elastic-siem/SKILL.md index a1be302c..34762dd5 100644 --- a/skills/performing-threat-hunting-with-elastic-siem/SKILL.md +++ b/skills/performing-threat-hunting-with-elastic-siem/SKILL.md 
@@ -1,8 +1,10 @@ --- name: performing-threat-hunting-with-elastic-siem -description: 'Performs proactive threat hunting in Elastic Security SIEM using KQL/EQL queries, detection rules, and Timeline - investigation to identify threats that evade automated detection. Use when SOC teams need to hunt for specific ATT&CK techniques, - investigate anomalous behaviors, or validate detection coverage gaps using Elasticsearch and Kibana Security. +description: 'Performs proactive threat hunting in Elastic Security SIEM using KQL/EQL + queries, detection rules, and Timeline investigation to identify threats that evade + automated detection. Use when SOC teams need to hunt for specific ATT&CK techniques, + investigate anomalous behaviors, or validate detection coverage gaps using Elasticsearch + and Kibana Security. ' domain: cybersecurity @@ -38,6 +40,12 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1685.002 +- T1685.005 +- T1566 +- T1027 --- # Performing Threat Hunting with Elastic SIEM diff --git a/skills/performing-threat-hunting-with-yara-rules/SKILL.md b/skills/performing-threat-hunting-with-yara-rules/SKILL.md index 8abaea81..9d287bca 100644 --- a/skills/performing-threat-hunting-with-yara-rules/SKILL.md +++ b/skills/performing-threat-hunting-with-yara-rules/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-threat-hunting-with-yara-rules -description: 'Use YARA pattern-matching rules to hunt for malware, suspicious files, and indicators of compromise across filesystems - and memory dumps. Covers rule authoring, yara-python scanning, and integration with threat intel feeds. +description: 'Use YARA pattern-matching rules to hunt for malware, suspicious files, + and indicators of compromise across filesystems and memory dumps. Covers rule authoring, + yara-python scanning, and integration with threat intel feeds. ' domain: cybersecurity 
@@ -25,6 +26,12 @@ nist_csf: - DE.AE-02 - DE.AE-07 - ID.RA-05 +mitre_attack: +- T1046 +- T1057 +- T1082 +- T1083 +- T1005 --- # Performing Threat Hunting with YARA Rules diff --git a/skills/performing-threat-intelligence-sharing-with-misp/SKILL.md b/skills/performing-threat-intelligence-sharing-with-misp/SKILL.md index 8fc58736..e265ffdb 100644 --- a/skills/performing-threat-intelligence-sharing-with-misp/SKILL.md +++ b/skills/performing-threat-intelligence-sharing-with-misp/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-threat-intelligence-sharing-with-misp -description: Use PyMISP to create, enrich, and share threat intelligence events on a MISP platform, including IOC management, - feed integration, STIX export, and community sharing workflows. +description: Use PyMISP to create, enrich, and share threat intelligence events on + a MISP platform, including IOC management, feed integration, STIX export, and community + sharing workflows. domain: cybersecurity subdomain: threat-intelligence tags: @@ -21,6 +22,11 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 --- # Performing Threat Intelligence Sharing with MISP diff --git a/skills/performing-threat-landscape-assessment-for-sector/SKILL.md b/skills/performing-threat-landscape-assessment-for-sector/SKILL.md index fe15ae76..b9c6811e 100644 --- a/skills/performing-threat-landscape-assessment-for-sector/SKILL.md +++ b/skills/performing-threat-landscape-assessment-for-sector/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-threat-landscape-assessment-for-sector -description: Conduct a sector-specific threat landscape assessment by analyzing threat actor targeting patterns, common attack - vectors, and industry-specific vulnerabilities to inform organizational risk management. +description: Conduct a sector-specific threat landscape assessment by analyzing threat + actor targeting patterns, common attack vectors, and industry-specific vulnerabilities + to inform organizational risk management. domain: cybersecurity subdomain: threat-intelligence tags: @@ -26,6 +27,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 +- T1566 --- # Performing Threat Landscape Assessment for Sector diff --git a/skills/performing-threat-modeling-with-owasp-threat-dragon/SKILL.md b/skills/performing-threat-modeling-with-owasp-threat-dragon/SKILL.md index ac636cee..a5dcda65 100644 --- a/skills/performing-threat-modeling-with-owasp-threat-dragon/SKILL.md +++ b/skills/performing-threat-modeling-with-owasp-threat-dragon/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-threat-modeling-with-owasp-threat-dragon -description: Use OWASP Threat Dragon to create data flow diagrams, identify threats using STRIDE and LINDDUN methodologies, - and generate threat model reports for secure design review. +description: Use OWASP Threat Dragon to create data flow diagrams, identify threats + using STRIDE and LINDDUN methodologies, and generate threat model reports for secure + design review. domain: cybersecurity subdomain: devsecops tags: @@ -29,6 +30,10 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195 +- T1554 +- T1059.004 --- # Performing Threat Modeling with OWASP Threat Dragon diff --git a/skills/performing-timeline-reconstruction-with-plaso/SKILL.md b/skills/performing-timeline-reconstruction-with-plaso/SKILL.md index bfecc531..c7a7ad54 100644 --- a/skills/performing-timeline-reconstruction-with-plaso/SKILL.md 
+++ b/skills/performing-timeline-reconstruction-with-plaso/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-timeline-reconstruction-with-plaso -description: Build comprehensive forensic super-timelines using Plaso (log2timeline) to correlate events across file systems, - logs, and artifacts into a unified chronological view. +description: Build comprehensive forensic super-timelines using Plaso (log2timeline) + to correlate events across file systems, logs, and artifacts into a unified chronological + view. domain: cybersecurity subdomain: digital-forensics tags: @@ -19,6 +20,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1059 --- # Performing Timeline Reconstruction with Plaso diff --git a/skills/performing-user-behavior-analytics/SKILL.md b/skills/performing-user-behavior-analytics/SKILL.md index b11143ca..a85f925d 100644 --- a/skills/performing-user-behavior-analytics/SKILL.md +++ b/skills/performing-user-behavior-analytics/SKILL.md @@ -1,9 +1,10 @@ --- name: performing-user-behavior-analytics -description: 'Performs User and Entity Behavior Analytics (UEBA) to detect anomalous user activities including impossible - travel, unusual access patterns, privilege abuse, and insider threats using SIEM-based behavioral baselines and statistical - analysis. Use when SOC teams need to identify compromised accounts or insider threats through deviation from established - behavioral norms. +description: 'Performs User and Entity Behavior Analytics (UEBA) to detect anomalous + user activities including impossible travel, unusual access patterns, privilege + abuse, and insider threats using SIEM-based behavioral baselines and statistical + analysis. Use when SOC teams need to identify compromised accounts or insider threats + through deviation from established behavioral norms. ' domain: cybersecurity 
@@ -24,6 +25,12 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1685.002 +- T1685.005 +- T1566 +- T0816 --- # Performing User Behavior Analytics diff --git a/skills/performing-vlan-hopping-attack/SKILL.md b/skills/performing-vlan-hopping-attack/SKILL.md index 8368607d..8773ea34 100644 --- a/skills/performing-vlan-hopping-attack/SKILL.md +++ b/skills/performing-vlan-hopping-attack/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-vlan-hopping-attack -description: 'Simulates VLAN hopping attacks using switch spoofing and double tagging techniques in authorized environments - to test VLAN segmentation effectiveness and validate switch port security configurations against Layer 2 bypass attacks. +description: 'Simulates VLAN hopping attacks using switch spoofing and double tagging + techniques in authorized environments to test VLAN segmentation effectiveness and + validate switch port security configurations against Layer 2 bypass attacks. ' domain: cybersecurity @@ -20,6 +21,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1027 --- # Performing VLAN Hopping Attack diff --git a/skills/performing-vulnerability-scanning-with-nessus/SKILL.md b/skills/performing-vulnerability-scanning-with-nessus/SKILL.md index 30093f55..a2838f80 100644 --- a/skills/performing-vulnerability-scanning-with-nessus/SKILL.md +++ b/skills/performing-vulnerability-scanning-with-nessus/SKILL.md 
@@ -1,9 +1,11 @@ --- name: performing-vulnerability-scanning-with-nessus -description: 'Performs authenticated and unauthenticated vulnerability scanning using Tenable Nessus to identify known vulnerabilities, - misconfigurations, default credentials, and missing patches across network infrastructure, servers, and applications. The - scanner correlates findings with CVE databases and CVSS scores to produce prioritized remediation guidance. Activates for - requests involving vulnerability scanning, Nessus assessment, patch compliance checking, or automated vulnerability detection. +description: 'Performs authenticated and unauthenticated vulnerability scanning using + Tenable Nessus to identify known vulnerabilities, misconfigurations, default credentials, + and missing patches across network infrastructure, servers, and applications. The + scanner correlates findings with CVE databases and CVSS scores to produce prioritized + remediation guidance. Activates for requests involving vulnerability scanning, Nessus + assessment, patch compliance checking, or automated vulnerability detection. ' domain: cybersecurity @@ -22,6 +24,12 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1003 --- # Performing Vulnerability Scanning with Nessus diff --git a/skills/performing-web-application-firewall-bypass/SKILL.md b/skills/performing-web-application-firewall-bypass/SKILL.md index d1628b37..b54ff882 100644 --- a/skills/performing-web-application-firewall-bypass/SKILL.md +++ b/skills/performing-web-application-firewall-bypass/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-web-application-firewall-bypass -description: Bypass Web Application Firewall protections using encoding techniques, HTTP method manipulation, parameter pollution, - and payload obfuscation to deliver SQL injection, XSS, and other attack payloads past WAF detection rules. +description: Bypass Web Application Firewall protections using encoding techniques, + HTTP method manipulation, parameter pollution, and payload obfuscation to deliver + SQL injection, XSS, and other attack payloads past WAF detection rules. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1027 --- # Performing Web Application Firewall Bypass diff --git a/skills/performing-web-application-penetration-test/SKILL.md b/skills/performing-web-application-penetration-test/SKILL.md index 961756ff..9a0d8c94 100644 --- a/skills/performing-web-application-penetration-test/SKILL.md +++ b/skills/performing-web-application-penetration-test/SKILL.md 
@@ -1,10 +1,12 @@ --- name: performing-web-application-penetration-test -description: 'Performs systematic security testing of web applications following the OWASP Web Security Testing Guide (WSTG) - methodology to identify vulnerabilities in authentication, authorization, input validation, session management, and business - logic. The tester uses Burp Suite as the primary interception proxy alongside manual testing techniques to find flaws that - automated scanners miss. Activates for requests involving web app pentest, OWASP testing, application security assessment, - or web vulnerability testing. +description: 'Performs systematic security testing of web applications following the + OWASP Web Security Testing Guide (WSTG) methodology to identify vulnerabilities + in authentication, authorization, input validation, session management, and business + logic. The tester uses Burp Suite as the primary interception proxy alongside manual + testing techniques to find flaws that automated scanners miss. Activates for requests + involving web app pentest, OWASP testing, application security assessment, or web + vulnerability testing. ' domain: cybersecurity @@ -23,6 +25,11 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 --- # Performing Web Application Penetration Test diff --git a/skills/performing-web-application-scanning-with-nikto/SKILL.md b/skills/performing-web-application-scanning-with-nikto/SKILL.md index 2ebecd41..df179bdb 100644 --- a/skills/performing-web-application-scanning-with-nikto/SKILL.md +++ b/skills/performing-web-application-scanning-with-nikto/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-web-application-scanning-with-nikto -description: Nikto is an open-source web server and web application scanner that tests against over 7,000 potentially dangerous - files/programs, checks for outdated versions of over 1,250 servers, and identifies ve +description: Nikto is an open-source web server and web application scanner that tests + against over 7,000 potentially dangerous files/programs, checks for outdated versions + of over 1,250 servers, and identifies ve domain: cybersecurity subdomain: vulnerability-management tags: @@ -19,6 +20,10 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 --- # Performing Web Application Scanning with Nikto diff --git a/skills/performing-web-application-vulnerability-triage/SKILL.md b/skills/performing-web-application-vulnerability-triage/SKILL.md index f1040b6a..2e74ce8c 100644 --- a/skills/performing-web-application-vulnerability-triage/SKILL.md +++ b/skills/performing-web-application-vulnerability-triage/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-web-application-vulnerability-triage -description: Triage web application vulnerability findings from DAST/SAST scanners using OWASP risk rating methodology to - separate true positives from false positives and prioritize remediation. +description: Triage web application vulnerability findings from DAST/SAST scanners + using OWASP risk rating methodology to separate true positives from false positives + and prioritize remediation. domain: cybersecurity subdomain: vulnerability-management tags: @@ -22,6 +23,10 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 --- # Performing Web Application Vulnerability Triage diff --git a/skills/performing-web-cache-deception-attack/SKILL.md b/skills/performing-web-cache-deception-attack/SKILL.md index ccb45a9f..55d6b486 100644 --- a/skills/performing-web-cache-deception-attack/SKILL.md 
+++ b/skills/performing-web-cache-deception-attack/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-web-cache-deception-attack -description: Execute web cache deception attacks by exploiting path normalization discrepancies between CDN caching layers - and origin servers to cache and retrieve sensitive authenticated content. +description: Execute web cache deception attacks by exploiting path normalization + discrepancies between CDN caching layers and origin servers to cache and retrieve + sensitive authenticated content. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1078.004 --- # Performing Web Cache Deception Attack diff --git a/skills/performing-web-cache-poisoning-attack/SKILL.md b/skills/performing-web-cache-poisoning-attack/SKILL.md index 62e7dd87..b4b8c53a 100644 --- a/skills/performing-web-cache-poisoning-attack/SKILL.md +++ b/skills/performing-web-cache-poisoning-attack/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-web-cache-poisoning-attack -description: Exploiting web cache mechanisms to serve malicious content to other users by poisoning cached responses through - unkeyed headers and parameters during authorized security tests. +description: Exploiting web cache mechanisms to serve malicious content to other users + by poisoning cached responses through unkeyed headers and parameters during authorized + security tests. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +20,11 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 --- # Performing Web Cache Poisoning Attack diff --git a/skills/performing-wifi-password-cracking-with-aircrack/SKILL.md b/skills/performing-wifi-password-cracking-with-aircrack/SKILL.md index db84e7fd..1ae7080d 100644 --- a/skills/performing-wifi-password-cracking-with-aircrack/SKILL.md 
+++ b/skills/performing-wifi-password-cracking-with-aircrack/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-wifi-password-cracking-with-aircrack -description: 'Captures WPA/WPA2 handshakes and performs offline password cracking using aircrack-ng, hashcat, and dictionary - attacks during authorized wireless security assessments to evaluate passphrase strength and wireless network security posture. +description: 'Captures WPA/WPA2 handshakes and performs offline password cracking + using aircrack-ng, hashcat, and dictionary attacks during authorized wireless security + assessments to evaluate passphrase strength and wireless network security posture. ' domain: cybersecurity @@ -20,6 +21,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1591 --- # Performing WiFi Password Cracking with Aircrack-ng diff --git a/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools/SKILL.md b/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools/SKILL.md index c858885b..3181e1cd 100644 --- a/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools/SKILL.md +++ b/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools/SKILL.md @@ -1,8 +1,9 @@ --- name: performing-windows-artifact-analysis-with-eric-zimmerman-tools -description: Perform comprehensive Windows forensic artifact analysis using Eric Zimmerman's open-source EZ Tools suite including - KAPE, MFTECmd, PECmd, LECmd, JLECmd, and Timeline Explorer for parsing registry hives, prefetch files, event logs, and file - system metadata. +description: Perform comprehensive Windows forensic artifact analysis using Eric Zimmerman's + open-source EZ Tools suite including KAPE, MFTECmd, PECmd, LECmd, JLECmd, and Timeline + Explorer for parsing registry hives, prefetch files, event logs, and file system + metadata. domain: cybersecurity subdomain: digital-forensics tags: 
@@ -26,6 +27,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1059 --- # Performing Windows Artifact Analysis with Eric Zimmerman Tools diff --git a/skills/performing-wireless-network-penetration-test/SKILL.md b/skills/performing-wireless-network-penetration-test/SKILL.md index e82a6f8c..50cf928e 100644 --- a/skills/performing-wireless-network-penetration-test/SKILL.md +++ b/skills/performing-wireless-network-penetration-test/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-wireless-network-penetration-test -description: Execute a wireless network penetration test to assess WiFi security by capturing handshakes, cracking WPA2/WPA3 - keys, detecting rogue access points, and testing wireless segmentation using Aircrack-ng and related tools. +description: Execute a wireless network penetration test to assess WiFi security by + capturing handshakes, cracking WPA2/WPA3 keys, detecting rogue access points, and + testing wireless segmentation using Aircrack-ng and related tools. domain: cybersecurity subdomain: penetration-testing tags: @@ -22,6 +23,12 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1591 --- # Performing Wireless Network Penetration Test diff --git a/skills/performing-wireless-security-assessment-with-kismet/SKILL.md b/skills/performing-wireless-security-assessment-with-kismet/SKILL.md index cb4bd215..a9a1515e 100644 --- a/skills/performing-wireless-security-assessment-with-kismet/SKILL.md +++ b/skills/performing-wireless-security-assessment-with-kismet/SKILL.md 
@@ -1,7 +1,8 @@ --- name: performing-wireless-security-assessment-with-kismet -description: Conduct wireless network security assessments using Kismet to detect rogue access points, hidden SSIDs, weak - encryption, and unauthorized clients through passive RF monitoring. +description: Conduct wireless network security assessments using Kismet to detect + rogue access points, hidden SSIDs, weak encryption, and unauthorized clients through + passive RF monitoring. domain: cybersecurity subdomain: network-security tags: @@ -22,6 +23,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1573 --- # Performing Wireless Security Assessment with Kismet diff --git a/skills/performing-yara-rule-development-for-detection/SKILL.md b/skills/performing-yara-rule-development-for-detection/SKILL.md index 782e7b5e..1ddc3f40 100644 --- a/skills/performing-yara-rule-development-for-detection/SKILL.md +++ b/skills/performing-yara-rule-development-for-detection/SKILL.md @@ -1,7 +1,8 @@ --- name: performing-yara-rule-development-for-detection -description: Develop precise YARA rules for malware detection by identifying unique byte patterns, strings, and behavioral - indicators in executable files while minimizing false positives. +description: Develop precise YARA rules for malware detection by identifying unique + byte patterns, strings, and behavioral indicators in executable files while minimizing + false positives. domain: cybersecurity subdomain: malware-analysis tags: @@ -20,6 +21,11 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1055 +- T1140 +- T1497 --- # Performing YARA Rule Development for Detection diff --git a/skills/prioritizing-vulnerabilities-with-cvss-scoring/SKILL.md b/skills/prioritizing-vulnerabilities-with-cvss-scoring/SKILL.md index f8fcf87f..91b059e7 100644 --- a/skills/prioritizing-vulnerabilities-with-cvss-scoring/SKILL.md 
+++ b/skills/prioritizing-vulnerabilities-with-cvss-scoring/SKILL.md @@ -1,7 +1,8 @@ --- name: prioritizing-vulnerabilities-with-cvss-scoring -description: The Common Vulnerability Scoring System (CVSS) is the industry standard framework maintained by FIRST (Forum - of Incident Response and Security Teams) for assessing vulnerability severity. CVSS v4.0 (r +description: The Common Vulnerability Scoring System (CVSS) is the industry standard + framework maintained by FIRST (Forum of Incident Response and Security Teams) for + assessing vulnerability severity. CVSS v4.0 (r domain: cybersecurity subdomain: vulnerability-management tags: @@ -19,6 +20,10 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 --- # Prioritizing Vulnerabilities with CVSS Scoring diff --git a/skills/processing-stix-taxii-feeds/SKILL.md b/skills/processing-stix-taxii-feeds/SKILL.md index 68eb7c1d..41b3fa28 100644 --- a/skills/processing-stix-taxii-feeds/SKILL.md +++ b/skills/processing-stix-taxii-feeds/SKILL.md 
@@ -1,9 +1,11 @@ --- name: processing-stix-taxii-feeds -description: 'Processes STIX 2.1 threat intelligence bundles delivered via TAXII 2.1 servers, normalizing objects into platform-native - schemas and routing them to appropriate consuming systems. Use when onboarding new TAXII collection endpoints, automating - bi-directional intelligence sharing with ISACs, or building pipeline validation for malformed STIX bundles. Activates for - requests involving OASIS STIX, TAXII server configuration, MISP TAXII, or Cortex XSOAR feed integrations. +description: 'Processes STIX 2.1 threat intelligence bundles delivered via TAXII 2.1 + servers, normalizing objects into platform-native schemas and routing them to appropriate + consuming systems. Use when onboarding new TAXII collection endpoints, automating + bi-directional intelligence sharing with ISACs, or building pipeline validation + for malformed STIX bundles. Activates for requests involving OASIS STIX, TAXII server + configuration, MISP TAXII, or Cortex XSOAR feed integrations. ' domain: cybersecurity @@ -25,6 +27,11 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 --- # Processing STIX/TAXII Feeds diff --git a/skills/profiling-threat-actor-groups/SKILL.md b/skills/profiling-threat-actor-groups/SKILL.md index 13942f97..8a556218 100644 --- a/skills/profiling-threat-actor-groups/SKILL.md +++ b/skills/profiling-threat-actor-groups/SKILL.md 
@@ -1,10 +1,12 @@ --- name: profiling-threat-actor-groups -description: 'Develops comprehensive threat actor profiles for APT groups, criminal organizations, and hacktivist collectives - by aggregating TTP documentation, historical campaign data, tooling fingerprints, and attribution indicators from multiple - intelligence sources. Use when briefing executives on sector-specific threats, updating threat model assumptions, or prioritizing - defensive controls against specific adversaries. Activates for requests involving MITRE ATT&CK Groups, Mandiant APT profiles, - CrowdStrike adversary naming, or sector-specific threat briefings. +description: 'Develops comprehensive threat actor profiles for APT groups, criminal + organizations, and hacktivist collectives by aggregating TTP documentation, historical + campaign data, tooling fingerprints, and attribution indicators from multiple intelligence + sources. Use when briefing executives on sector-specific threats, updating threat + model assumptions, or prioritizing defensive controls against specific adversaries. + Activates for requests involving MITRE ATT&CK Groups, Mandiant APT profiles, CrowdStrike + adversary naming, or sector-specific threat briefings. ' domain: cybersecurity @@ -26,6 +28,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 +- T1566 --- # Profiling Threat Actor Groups diff --git a/skills/recovering-deleted-files-with-photorec/SKILL.md b/skills/recovering-deleted-files-with-photorec/SKILL.md index 721447ab..cf9f1118 100644 --- a/skills/recovering-deleted-files-with-photorec/SKILL.md +++ b/skills/recovering-deleted-files-with-photorec/SKILL.md 
@@ -1,7 +1,7 @@ --- name: recovering-deleted-files-with-photorec -description: Recover deleted files from disk images and storage media using PhotoRec's file signature-based carving engine - regardless of file system damage. +description: Recover deleted files from disk images and storage media using PhotoRec's + file signature-based carving engine regardless of file system damage. domain: cybersecurity subdomain: digital-forensics tags: @@ -27,6 +27,12 @@ nist_csf: - RS.AN-03 - DE.AE-02 - RS.MA-01 +mitre_attack: +- T1005 +- T1074 +- T1119 +- T1070 +- T1059 --- # Recovering Deleted Files with PhotoRec diff --git a/skills/recovering-from-ransomware-attack/SKILL.md b/skills/recovering-from-ransomware-attack/SKILL.md index 74714639..5d8efe85 100644 --- a/skills/recovering-from-ransomware-attack/SKILL.md +++ b/skills/recovering-from-ransomware-attack/SKILL.md 
@@ -1,10 +1,12 @@ --- name: recovering-from-ransomware-attack -description: 'Executes structured recovery from a ransomware incident following NIST and CISA frameworks, including environment - isolation, forensic evidence preservation, clean infrastructure rebuild, prioritized system restoration from verified backups, - credential reset, and validation against re-infection. Covers Active Directory recovery, database restoration, and application - stack rebuild in dependency order. Activates for requests involving ransomware recovery, post-encryption restoration, or - disaster recovery from ransomware. +description: 'Executes structured recovery from a ransomware incident following NIST + and CISA frameworks, including environment isolation, forensic evidence preservation, + clean infrastructure rebuild, prioritized system restoration from verified backups, + credential reset, and validation against re-infection. Covers Active Directory recovery, + database restoration, and application stack rebuild in dependency order. Activates + for requests involving ransomware recovery, post-encryption restoration, or disaster + recovery from ransomware. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - RS.MA-01 - RC.RP-01 - PR.IR-01 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1003 +- T1110 --- # Recovering from Ransomware Attack diff --git a/skills/remediating-s3-bucket-misconfiguration/SKILL.md b/skills/remediating-s3-bucket-misconfiguration/SKILL.md index 794206a5..7fe68828 100644 --- a/skills/remediating-s3-bucket-misconfiguration/SKILL.md +++ b/skills/remediating-s3-bucket-misconfiguration/SKILL.md 
@@ -1,9 +1,10 @@ --- name: remediating-s3-bucket-misconfiguration -description: 'This skill provides step-by-step procedures for identifying and remediating Amazon S3 bucket misconfigurations - that expose sensitive data to unauthorized access. It covers enabling S3 Block Public Access at account and bucket levels, - auditing bucket policies and ACLs, enforcing encryption, configuring access logging, and deploying automated remediation - using AWS Config and Lambda. +description: 'This skill provides step-by-step procedures for identifying and remediating + Amazon S3 bucket misconfigurations that expose sensitive data to unauthorized access. + It covers enabling S3 Block Public Access at account and bucket levels, auditing + bucket policies and ACLs, enforcing encryption, configuring access logging, and + deploying automated remediation using AWS Config and Lambda. ' domain: cybersecurity @@ -22,6 +23,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1573 --- # Remediating S3 Bucket Misconfiguration diff --git a/skills/reverse-engineering-android-malware-with-jadx/SKILL.md b/skills/reverse-engineering-android-malware-with-jadx/SKILL.md index c09ac499..79488890 100644 --- a/skills/reverse-engineering-android-malware-with-jadx/SKILL.md +++ b/skills/reverse-engineering-android-malware-with-jadx/SKILL.md 
@@ -1,9 +1,11 @@ --- name: reverse-engineering-android-malware-with-jadx -description: 'Reverse engineers malicious Android APK files using JADX decompiler to analyze Java/Kotlin source code, identify - malicious functionality including data theft, C2 communication, privilege escalation, and overlay attacks. Examines manifest - permissions, receivers, services, and native libraries. Activates for requests involving Android malware analysis, APK reverse - engineering, mobile malware investigation, or Android threat analysis. +description: 'Reverse engineers malicious Android APK files using JADX decompiler + to analyze Java/Kotlin source code, identify malicious functionality including data + theft, C2 communication, privilege escalation, and overlay attacks. Examines manifest + permissions, receivers, services, and native libraries. Activates for requests involving + Android malware analysis, APK reverse engineering, mobile malware investigation, + or Android threat analysis. ' domain: cybersecurity @@ -22,6 +24,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1055 +- T1140 +- T1497 +- T1068 --- # Reverse Engineering Android Malware with JADX diff --git a/skills/reverse-engineering-dotnet-malware-with-dnspy/SKILL.md b/skills/reverse-engineering-dotnet-malware-with-dnspy/SKILL.md index 9e3e2951..e0027082 100644 --- a/skills/reverse-engineering-dotnet-malware-with-dnspy/SKILL.md +++ b/skills/reverse-engineering-dotnet-malware-with-dnspy/SKILL.md 
@@ -1,9 +1,10 @@ --- name: reverse-engineering-dotnet-malware-with-dnspy -description: 'Reverse engineers .NET malware using dnSpy decompiler and debugger to analyze C#/VB.NET source code, identify - obfuscation techniques, extract configurations, and understand malicious functionality including stealers, RATs, and loaders. - Activates for requests involving .NET malware analysis, C# malware decompilation, managed code reverse engineering, or .NET - obfuscation analysis. +description: 'Reverse engineers .NET malware using dnSpy decompiler and debugger to + analyze C#/VB.NET source code, identify obfuscation techniques, extract configurations, + and understand malicious functionality including stealers, RATs, and loaders. Activates + for requests involving .NET malware analysis, C# malware decompilation, managed + code reverse engineering, or .NET obfuscation analysis. ' domain: cybersecurity @@ -22,6 +23,11 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1055 +- T1140 +- T1497 --- # Reverse Engineering .NET Malware with dnSpy diff --git a/skills/reverse-engineering-ios-app-with-frida/SKILL.md b/skills/reverse-engineering-ios-app-with-frida/SKILL.md index 89034cfb..d31752af 100644 --- a/skills/reverse-engineering-ios-app-with-frida/SKILL.md +++ b/skills/reverse-engineering-ios-app-with-frida/SKILL.md 
@@ -1,9 +1,11 @@ --- name: reverse-engineering-ios-app-with-frida -description: 'Reverse engineers iOS applications using Frida dynamic instrumentation to understand internal logic, extract - encryption keys, bypass security controls, and discover hidden functionality without source code access. Use when performing - authorized iOS penetration testing, analyzing proprietary protocols, understanding obfuscated logic, or extracting runtime - secrets from iOS binaries. Activates for requests involving iOS reverse engineering, Frida iOS hooking, Objective-C/Swift +description: 'Reverse engineers iOS applications using Frida dynamic instrumentation + to understand internal logic, extract encryption keys, bypass security controls, + and discover hidden functionality without source code access. Use when performing + authorized iOS penetration testing, analyzing proprietary protocols, understanding + obfuscated logic, or extracting runtime secrets from iOS binaries. Activates for + requests involving iOS reverse engineering, Frida iOS hooking, Objective-C/Swift method tracing, or iOS binary analysis. ' @@ -24,6 +26,12 @@ nist_csf: - PR.AA-05 - ID.RA-01 - DE.CM-09 +mitre_attack: +- T1059 +- T1056 +- T1036 +- T1078 +- T1573 --- # Reverse Engineering iOS App with Frida diff --git a/skills/reverse-engineering-malware-with-ghidra/SKILL.md b/skills/reverse-engineering-malware-with-ghidra/SKILL.md index 0b09addc..c67ed481 100644 --- a/skills/reverse-engineering-malware-with-ghidra/SKILL.md +++ b/skills/reverse-engineering-malware-with-ghidra/SKILL.md 
@@ -1,8 +1,10 @@ --- name: reverse-engineering-malware-with-ghidra -description: 'Reverse engineers malware binaries using NSA''s Ghidra disassembler and decompiler to understand internal logic, - cryptographic routines, C2 protocols, and evasion techniques at the assembly and pseudo-C level. Activates for requests - involving malware reverse engineering, disassembly analysis, decompilation, binary analysis, or understanding malware internals. +description: 'Reverse engineers malware binaries using NSA''s Ghidra disassembler + and decompiler to understand internal logic, cryptographic routines, C2 protocols, + and evasion techniques at the assembly and pseudo-C level. Activates for requests + involving malware reverse engineering, disassembly analysis, decompilation, binary + analysis, or understanding malware internals. ' domain: cybersecurity @@ -21,6 +23,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1055 +- T1140 +- T1497 +- T1070 --- # Reverse Engineering Malware with Ghidra diff --git a/skills/reverse-engineering-ransomware-encryption-routine/SKILL.md b/skills/reverse-engineering-ransomware-encryption-routine/SKILL.md index 606a2b5b..c13dc2f4 100644 --- a/skills/reverse-engineering-ransomware-encryption-routine/SKILL.md +++ b/skills/reverse-engineering-ransomware-encryption-routine/SKILL.md @@ -1,7 +1,8 @@ --- name: reverse-engineering-ransomware-encryption-routine -description: Reverse engineer ransomware encryption routines to identify cryptographic algorithms, key generation flaws, and - potential decryption opportunities using static and dynamic analysis. +description: Reverse engineer ransomware encryption routines to identify cryptographic + algorithms, key generation flaws, and potential decryption opportunities using static + and dynamic analysis. domain: cybersecurity subdomain: malware-analysis tags: 
@@ -27,6 +28,12 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1055 +- T1140 +- T1497 +- T1486 --- # Reverse Engineering Ransomware Encryption Routine diff --git a/skills/reverse-engineering-rust-malware/SKILL.md b/skills/reverse-engineering-rust-malware/SKILL.md index 35b55cd6..ab74e33c 100644 --- a/skills/reverse-engineering-rust-malware/SKILL.md +++ b/skills/reverse-engineering-rust-malware/SKILL.md @@ -1,7 +1,8 @@ --- name: reverse-engineering-rust-malware -description: Reverse engineer Rust-compiled malware using IDA Pro and Ghidra with techniques for handling non-null-terminated - strings, crate dependency extraction, and Rust-specific control flow analysis. +description: Reverse engineer Rust-compiled malware using IDA Pro and Ghidra with + techniques for handling non-null-terminated strings, crate dependency extraction, + and Rust-specific control flow analysis. domain: cybersecurity subdomain: malware-analysis tags: @@ -20,6 +21,11 @@ nist_csf: - RS.AN-03 - ID.RA-01 - DE.CM-01 +mitre_attack: +- T1027 +- T1055 +- T1140 +- T1497 --- # Reverse Engineering Rust Malware diff --git a/skills/scanning-container-images-with-grype/SKILL.md b/skills/scanning-container-images-with-grype/SKILL.md index 40d689cc..8442d042 100644 --- a/skills/scanning-container-images-with-grype/SKILL.md +++ b/skills/scanning-container-images-with-grype/SKILL.md @@ -1,7 +1,7 @@ --- name: scanning-container-images-with-grype -description: Scan container images for known vulnerabilities using Anchore Grype with SBOM-based matching and configurable - severity thresholds. +description: Scan container images for known vulnerabilities using Anchore Grype with + SBOM-based matching and configurable severity thresholds. domain: cybersecurity subdomain: container-security tags: @@ -19,6 +19,12 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 +- T1195 --- # Scanning Container Images with Grype 
diff --git a/skills/scanning-containers-with-trivy-in-cicd/SKILL.md b/skills/scanning-containers-with-trivy-in-cicd/SKILL.md index a9011aaa..144fcccd 100644 --- a/skills/scanning-containers-with-trivy-in-cicd/SKILL.md +++ b/skills/scanning-containers-with-trivy-in-cicd/SKILL.md @@ -1,9 +1,10 @@ --- name: scanning-containers-with-trivy-in-cicd -description: 'This skill covers integrating Aqua Security''s Trivy scanner into CI/CD pipelines for comprehensive container - image vulnerability detection. It addresses scanning Docker images for OS package and application dependency CVEs, detecting - misconfigurations in Dockerfiles, scanning filesystem and git repositories, and establishing severity-based quality gates - that block deployment of vulnerable images. +description: 'This skill covers integrating Aqua Security''s Trivy scanner into CI/CD + pipelines for comprehensive container image vulnerability detection. It addresses + scanning Docker images for OS package and application dependency CVEs, detecting + misconfigurations in Dockerfiles, scanning filesystem and git repositories, and + establishing severity-based quality gates that block deployment of vulnerable images. ' domain: cybersecurity @@ -23,6 +24,12 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195 +- T1554 +- T1059.004 +- T1610 +- T1611 --- # Scanning Containers with Trivy in CI/CD diff --git a/skills/scanning-docker-images-with-trivy/SKILL.md b/skills/scanning-docker-images-with-trivy/SKILL.md index 0a1a0916..0253aa20 100644 --- a/skills/scanning-docker-images-with-trivy/SKILL.md +++ b/skills/scanning-docker-images-with-trivy/SKILL.md 
@@ -1,7 +1,8 @@ --- name: scanning-docker-images-with-trivy -description: Trivy is a comprehensive open-source vulnerability scanner by Aqua Security that detects vulnerabilities in OS - packages, language-specific dependencies, misconfigurations, secrets, and license violati +description: Trivy is a comprehensive open-source vulnerability scanner by Aqua Security + that detects vulnerabilities in OS packages, language-specific dependencies, misconfigurations, + secrets, and license violati domain: cybersecurity subdomain: container-security tags: @@ -18,6 +19,12 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 +- T1190 --- # Scanning Docker Images with Trivy diff --git a/skills/scanning-infrastructure-with-nessus/SKILL.md b/skills/scanning-infrastructure-with-nessus/SKILL.md index 3b685623..df5610e8 100644 --- a/skills/scanning-infrastructure-with-nessus/SKILL.md +++ b/skills/scanning-infrastructure-with-nessus/SKILL.md @@ -1,7 +1,8 @@ --- name: scanning-infrastructure-with-nessus -description: Tenable Nessus is the industry-leading vulnerability scanner used to identify security weaknesses across network - infrastructure including servers, workstations, network devices, and operating systems. +description: Tenable Nessus is the industry-leading vulnerability scanner used to + identify security weaknesses across network infrastructure including servers, workstations, + network devices, and operating systems. domain: cybersecurity subdomain: vulnerability-management tags: @@ -19,6 +20,11 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 +- T1046 --- # Scanning Infrastructure with Nessus diff --git a/skills/scanning-kubernetes-manifests-with-kubesec/SKILL.md b/skills/scanning-kubernetes-manifests-with-kubesec/SKILL.md index 52eed576..be0235e8 100644 --- a/skills/scanning-kubernetes-manifests-with-kubesec/SKILL.md +++ b/skills/scanning-kubernetes-manifests-with-kubesec/SKILL.md 
@@ -1,7 +1,8 @@ --- name: scanning-kubernetes-manifests-with-kubesec -description: Perform security risk analysis on Kubernetes resource manifests using Kubesec to identify misconfigurations, - privilege escalation risks, and deviations from security best practices. +description: Perform security risk analysis on Kubernetes resource manifests using + Kubesec to identify misconfigurations, privilege escalation risks, and deviations + from security best practices. domain: cybersecurity subdomain: container-security tags: @@ -21,6 +22,12 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 +- T1068 --- # Scanning Kubernetes Manifests with Kubesec diff --git a/skills/scanning-network-with-nmap-advanced/SKILL.md b/skills/scanning-network-with-nmap-advanced/SKILL.md index 9db9b8df..e074b9cc 100644 --- a/skills/scanning-network-with-nmap-advanced/SKILL.md +++ b/skills/scanning-network-with-nmap-advanced/SKILL.md @@ -1,8 +1,9 @@ --- name: scanning-network-with-nmap-advanced -description: 'Performs advanced network reconnaissance using Nmap''s scripting engine, timing controls, evasion techniques, - and output parsing to discover hosts, enumerate services, detect vulnerabilities, and fingerprint operating systems across - authorized target networks. +description: 'Performs advanced network reconnaissance using Nmap''s scripting engine, + timing controls, evasion techniques, and output parsing to discover hosts, enumerate + services, detect vulnerabilities, and fingerprint operating systems across authorized + target networks. ' domain: cybersecurity @@ -21,6 +22,12 @@ nist_csf: - DE.CM-01 - ID.AM-03 - PR.DS-02 +mitre_attack: +- T1046 +- T1040 +- T1557 +- T1071 +- T1595 --- # Scanning Network with Nmap Advanced Techniques diff --git a/skills/securing-api-gateway-with-aws-waf/SKILL.md b/skills/securing-api-gateway-with-aws-waf/SKILL.md index 26185c2f..8176864b 100644 --- a/skills/securing-api-gateway-with-aws-waf/SKILL.md 
+++ b/skills/securing-api-gateway-with-aws-waf/SKILL.md @@ -1,8 +1,9 @@ --- name: securing-api-gateway-with-aws-waf -description: 'Securing API Gateway endpoints with AWS WAF by configuring managed rule groups for OWASP Top 10 protection, - creating custom rate limiting rules, implementing bot control, setting up IP reputation filtering, and monitoring WAF metrics - for security effectiveness. +description: 'Securing API Gateway endpoints with AWS WAF by configuring managed rule + groups for OWASP Top 10 protection, creating custom rate limiting rules, implementing + bot control, setting up IP reputation filtering, and monitoring WAF metrics for + security effectiveness. ' domain: cybersecurity @@ -23,6 +24,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T0816 --- # Securing API Gateway with AWS WAF diff --git a/skills/securing-aws-iam-permissions/SKILL.md b/skills/securing-aws-iam-permissions/SKILL.md index 28ea78a2..8cd9de8c 100644 --- a/skills/securing-aws-iam-permissions/SKILL.md +++ b/skills/securing-aws-iam-permissions/SKILL.md @@ -1,7 +1,8 @@ --- name: securing-aws-iam-permissions -description: 'This skill guides practitioners through hardening AWS Identity and Access Management configurations to enforce - least privilege access across cloud accounts. It covers IAM policy scoping, permission boundaries, Access Analyzer integration, +description: 'This skill guides practitioners through hardening AWS Identity and Access + Management configurations to enforce least privilege access across cloud accounts. + It covers IAM policy scoping, permission boundaries, Access Analyzer integration, and credential rotation strategies to reduce the blast radius of compromised identities. ' @@ -21,6 +22,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1003 --- # Securing AWS IAM Permissions 
diff --git a/skills/securing-aws-lambda-execution-roles/SKILL.md b/skills/securing-aws-lambda-execution-roles/SKILL.md index 33121936..dfda15b4 100644 --- a/skills/securing-aws-lambda-execution-roles/SKILL.md +++ b/skills/securing-aws-lambda-execution-roles/SKILL.md @@ -1,7 +1,8 @@ --- name: securing-aws-lambda-execution-roles -description: 'Securing AWS Lambda execution roles by implementing least-privilege IAM policies, applying permission boundaries, - restricting resource-based policies, using IAM Access Analyzer to validate permissions, and enforcing role scoping through +description: 'Securing AWS Lambda execution roles by implementing least-privilege + IAM policies, applying permission boundaries, restricting resource-based policies, + using IAM Access Analyzer to validate permissions, and enforcing role scoping through SCPs. ' @@ -22,6 +23,11 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 --- # Securing AWS Lambda Execution Roles diff --git a/skills/securing-azure-with-microsoft-defender/SKILL.md b/skills/securing-azure-with-microsoft-defender/SKILL.md index 17846b08..01ec90d6 100644 --- a/skills/securing-azure-with-microsoft-defender/SKILL.md +++ b/skills/securing-azure-with-microsoft-defender/SKILL.md 
@@ -1,9 +1,10 @@ --- name: securing-azure-with-microsoft-defender -description: 'This skill instructs security practitioners on deploying Microsoft Defender for Cloud as a cloud-native application - protection platform for Azure, multi-cloud, and hybrid environments. It covers enabling Defender plans for servers, containers, - storage, and databases, configuring security recommendations, managing Secure Score, and integrating with the unified Defender - portal for centralized threat management. +description: 'This skill instructs security practitioners on deploying Microsoft Defender + for Cloud as a cloud-native application protection platform for Azure, multi-cloud, + and hybrid environments. It covers enabling Defender plans for servers, containers, + storage, and databases, configuring security recommendations, managing Secure Score, + and integrating with the unified Defender portal for centralized threat management. ' domain: cybersecurity @@ -30,6 +31,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1610 --- # Securing Azure with Microsoft Defender diff --git a/skills/securing-container-registry-images/SKILL.md b/skills/securing-container-registry-images/SKILL.md index 52761688..ef667ae6 100644 --- a/skills/securing-container-registry-images/SKILL.md +++ b/skills/securing-container-registry-images/SKILL.md 
@@ -1,8 +1,9 @@ --- name: securing-container-registry-images -description: 'Securing container registry images by implementing vulnerability scanning with Trivy and Grype, enforcing image - signing with Cosign and Sigstore, configuring registry access controls, and building CI/CD pipelines that prevent deploying - unscanned or unsigned images. +description: 'Securing container registry images by implementing vulnerability scanning + with Trivy and Grype, enforcing image signing with Cosign and Sigstore, configuring + registry access controls, and building CI/CD pipelines that prevent deploying unscanned + or unsigned images. ' domain: cybersecurity @@ -23,6 +24,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1610 --- # Securing Container Registry Images diff --git a/skills/securing-container-registry-with-harbor/SKILL.md b/skills/securing-container-registry-with-harbor/SKILL.md index ec0c9a2c..705a54eb 100644 --- a/skills/securing-container-registry-with-harbor/SKILL.md +++ b/skills/securing-container-registry-with-harbor/SKILL.md @@ -1,7 +1,8 @@ --- name: securing-container-registry-with-harbor -description: Harbor is an open-source container registry that provides security features including vulnerability scanning - (integrated Trivy), image signing (Notary/Cosign), RBAC, content trust policies, replicatio +description: Harbor is an open-source container registry that provides security features + including vulnerability scanning (integrated Trivy), image signing (Notary/Cosign), + RBAC, content trust policies, replicatio domain: cybersecurity subdomain: container-security tags: @@ -19,6 +20,12 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 +- T1190 --- # Securing Container Registry with Harbor diff --git a/skills/securing-github-actions-workflows/SKILL.md b/skills/securing-github-actions-workflows/SKILL.md index 13ef85ca..9b7b2e61 100644 
--- a/skills/securing-github-actions-workflows/SKILL.md +++ b/skills/securing-github-actions-workflows/SKILL.md @@ -1,8 +1,10 @@ --- name: securing-github-actions-workflows -description: 'This skill covers hardening GitHub Actions workflows against supply chain attacks, credential theft, and privilege - escalation. It addresses pinning actions to SHA digests, minimizing GITHUB_TOKEN permissions, protecting secrets from exfiltration, - preventing script injection in workflow expressions, and implementing required reviewers for workflow changes. +description: 'This skill covers hardening GitHub Actions workflows against supply + chain attacks, credential theft, and privilege escalation. It addresses pinning + actions to SHA digests, minimizing GITHUB_TOKEN permissions, protecting secrets + from exfiltration, preventing script injection in workflow expressions, and implementing + required reviewers for workflow changes. ' domain: cybersecurity @@ -22,6 +24,12 @@ nist_csf: - GV.SC-07 - ID.IM-04 - PR.PS-04 +mitre_attack: +- T1195 +- T1554 +- T1059.004 +- T1068 +- T1548 --- # Securing GitHub Actions Workflows diff --git a/skills/securing-helm-chart-deployments/SKILL.md b/skills/securing-helm-chart-deployments/SKILL.md index b01f7c30..1d4451bf 100644 --- a/skills/securing-helm-chart-deployments/SKILL.md +++ b/skills/securing-helm-chart-deployments/SKILL.md @@ -1,7 +1,7 @@ --- name: securing-helm-chart-deployments -description: Secure Helm chart deployments by validating chart integrity, scanning templates for misconfigurations, and enforcing - security contexts in Kubernetes releases. +description: Secure Helm chart deployments by validating chart integrity, scanning + templates for misconfigurations, and enforcing security contexts in Kubernetes releases. domain: cybersecurity subdomain: container-security tags: @@ -19,6 +19,12 @@ nist_csf: - PR.IR-01 - ID.AM-08 - DE.CM-01 +mitre_attack: +- T1610 +- T1611 +- T1609 +- T1525 +- T1195 --- # Securing Helm Chart Deployments 
diff --git a/skills/securing-historian-server-in-ot-environment/SKILL.md b/skills/securing-historian-server-in-ot-environment/SKILL.md index babd926d..1ffc6997 100644 --- a/skills/securing-historian-server-in-ot-environment/SKILL.md +++ b/skills/securing-historian-server-in-ot-environment/SKILL.md @@ -1,9 +1,11 @@ --- name: securing-historian-server-in-ot-environment -description: 'This skill covers hardening and securing process historian servers (OSIsoft PI, Honeywell PHD, GE Proficy, AVEVA - Historian) in OT environments. It addresses network placement across Purdue levels, access control for historian interfaces, - data replication through DMZ using data diodes or PI-to-PI connectors, SQL injection prevention in historian queries, and - integrity protection of process data used for safety analysis, regulatory reporting, and process optimization. +description: 'This skill covers hardening and securing process historian servers (OSIsoft + PI, Honeywell PHD, GE Proficy, AVEVA Historian) in OT environments. It addresses + network placement across Purdue levels, access control for historian interfaces, + data replication through DMZ using data diodes or PI-to-PI connectors, SQL injection + prevention in historian queries, and integrity protection of process data used for + safety analysis, regulatory reporting, and process optimization. ' domain: cybersecurity @@ -25,6 +27,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T1055 +- T0816 --- # Securing Historian Server in OT Environment diff --git a/skills/securing-kubernetes-on-cloud/SKILL.md b/skills/securing-kubernetes-on-cloud/SKILL.md index 141c41f8..f64bc96d 100644 --- a/skills/securing-kubernetes-on-cloud/SKILL.md +++ b/skills/securing-kubernetes-on-cloud/SKILL.md 
@@ -1,8 +1,10 @@ --- name: securing-kubernetes-on-cloud -description: 'This skill covers hardening managed Kubernetes clusters on EKS, AKS, and GKE by implementing Pod Security Standards, - network policies, workload identity, RBAC scoping, image admission controls, and runtime security monitoring. It addresses - cloud-specific security features including IRSA for EKS, Workload Identity for GKE, and Managed Identities for AKS. +description: 'This skill covers hardening managed Kubernetes clusters on EKS, AKS, + and GKE by implementing Pod Security Standards, network policies, workload identity, + RBAC scoping, image admission controls, and runtime security monitoring. It addresses + cloud-specific security features including IRSA for EKS, Workload Identity for GKE, + and Managed Identities for AKS. ' domain: cybersecurity @@ -22,6 +24,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1610 --- # Securing Kubernetes on Cloud diff --git a/skills/securing-remote-access-to-ot-environment/SKILL.md b/skills/securing-remote-access-to-ot-environment/SKILL.md index eb6ac7ad..0a53e97e 100644 --- a/skills/securing-remote-access-to-ot-environment/SKILL.md +++ b/skills/securing-remote-access-to-ot-environment/SKILL.md 
@@ -1,9 +1,10 @@ --- name: securing-remote-access-to-ot-environment -description: 'This skill covers implementing secure remote access to OT/ICS environments for operators, engineers, and vendors - while preventing unauthorized access that could compromise industrial operations. It addresses jump server architecture, - multi-factor authentication, session recording, privileged access management, vendor remote access controls, and compliance - with IEC 62443 and NERC CIP-005 remote access requirements. +description: 'This skill covers implementing secure remote access to OT/ICS environments + for operators, engineers, and vendors while preventing unauthorized access that + could compromise industrial operations. It addresses jump server architecture, multi-factor + authentication, session recording, privileged access management, vendor remote access + controls, and compliance with IEC 62443 and NERC CIP-005 remote access requirements. ' domain: cybersecurity @@ -25,6 +26,12 @@ nist_csf: - DE.CM-01 - ID.AM-05 - GV.OC-02 +mitre_attack: +- T1078 +- T1190 +- T1059 +- T0816 +- T0836 --- # Securing Remote Access to OT Environment diff --git a/skills/securing-serverless-functions/SKILL.md b/skills/securing-serverless-functions/SKILL.md index 54ecb84e..ffb5ad5b 100644 --- a/skills/securing-serverless-functions/SKILL.md +++ b/skills/securing-serverless-functions/SKILL.md 
@@ -1,9 +1,10 @@ --- name: securing-serverless-functions -description: 'This skill covers security hardening for serverless compute platforms including AWS Lambda, Azure Functions, - and Google Cloud Functions. It addresses least privilege IAM roles, dependency vulnerability scanning, secrets management - integration, input validation, function URL authentication, and runtime monitoring to protect against injection attacks, - credential theft, and supply chain compromises. +description: 'This skill covers security hardening for serverless compute platforms + including AWS Lambda, Azure Functions, and Google Cloud Functions. It addresses + least privilege IAM roles, dependency vulnerability scanning, secrets management + integration, input validation, function URL authentication, and runtime monitoring + to protect against injection attacks, credential theft, and supply chain compromises. ' domain: cybersecurity @@ -22,6 +23,12 @@ nist_csf: - ID.AM-08 - GV.SC-06 - DE.CM-01 +mitre_attack: +- T1078.004 +- T1530 +- T1537 +- T1580 +- T1003 --- # Securing Serverless Functions diff --git a/skills/testing-android-intents-for-vulnerabilities/SKILL.md b/skills/testing-android-intents-for-vulnerabilities/SKILL.md index def20d83..0805b5a0 100644 --- a/skills/testing-android-intents-for-vulnerabilities/SKILL.md +++ b/skills/testing-android-intents-for-vulnerabilities/SKILL.md 
@@ -1,9 +1,11 @@ --- name: testing-android-intents-for-vulnerabilities -description: 'Tests Android inter-process communication (IPC) through intents for vulnerabilities including intent injection, - unauthorized component access, broadcast sniffing, pending intent hijacking, and content provider data leakage. Use when - assessing Android app attack surface through exported components, testing intent-based data flows, or evaluating IPC security. - Activates for requests involving Android intent security, IPC testing, exported component analysis, or Drozer assessment. +description: 'Tests Android inter-process communication (IPC) through intents for + vulnerabilities including intent injection, unauthorized component access, broadcast + sniffing, pending intent hijacking, and content provider data leakage. Use when + assessing Android app attack surface through exported components, testing intent-based + data flows, or evaluating IPC security. Activates for requests involving Android + intent security, IPC testing, exported component analysis, or Drozer assessment. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - PR.AA-05 - ID.RA-01 - DE.CM-09 +mitre_attack: +- T1059 +- T1056 +- T1036 +- T1078 +- T1055 --- # Testing Android Intents for Vulnerabilities diff --git a/skills/testing-api-authentication-weaknesses/SKILL.md b/skills/testing-api-authentication-weaknesses/SKILL.md index 758d1a14..a188d2ba 100644 --- a/skills/testing-api-authentication-weaknesses/SKILL.md +++ b/skills/testing-api-authentication-weaknesses/SKILL.md 
@@ -1,9 +1,11 @@ --- name: testing-api-authentication-weaknesses -description: 'Tests API authentication mechanisms for weaknesses including broken token validation, missing authentication - on endpoints, weak password policies, credential stuffing susceptibility, token leakage in URLs or logs, and session management - flaws. The tester evaluates JWT implementation, API key handling, OAuth flows, and session token entropy to identify authentication - bypasses. Maps to OWASP API2:2023 Broken Authentication. Activates for requests involving API authentication testing, token +description: 'Tests API authentication mechanisms for weaknesses including broken + token validation, missing authentication on endpoints, weak password policies, credential + stuffing susceptibility, token leakage in URLs or logs, and session management flaws. + The tester evaluates JWT implementation, API key handling, OAuth flows, and session + token entropy to identify authentication bypasses. Maps to OWASP API2:2023 Broken + Authentication. Activates for requests involving API authentication testing, token validation assessment, credential security testing, or API auth bypass. ' @@ -24,6 +26,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1003 +- T1110 --- # Testing API Authentication Weaknesses diff --git a/skills/testing-api-for-broken-object-level-authorization/SKILL.md b/skills/testing-api-for-broken-object-level-authorization/SKILL.md index 1462d597..ca0bcaca 100644 --- a/skills/testing-api-for-broken-object-level-authorization/SKILL.md +++ b/skills/testing-api-for-broken-object-level-authorization/SKILL.md 
@@ -1,11 +1,13 @@ --- name: testing-api-for-broken-object-level-authorization -description: 'Tests REST and GraphQL APIs for Broken Object Level Authorization (BOLA/IDOR) vulnerabilities where an authenticated - user can access or modify resources belonging to other users by manipulating object identifiers in API requests. The tester - intercepts API calls, identifies object ID parameters (numeric IDs, UUIDs, slugs), and systematically replaces them with - IDs belonging to other users to determine if the server enforces per-object authorization. This is OWASP API Security Top - 10 2023 risk API1. Activates for requests involving BOLA testing, IDOR in APIs, object-level authorization testing, or API - access control bypass. +description: 'Tests REST and GraphQL APIs for Broken Object Level Authorization (BOLA/IDOR) + vulnerabilities where an authenticated user can access or modify resources belonging + to other users by manipulating object identifiers in API requests. The tester intercepts + API calls, identifies object ID parameters (numeric IDs, UUIDs, slugs), and systematically + replaces them with IDs belonging to other users to determine if the server enforces + per-object authorization. This is OWASP API Security Top 10 2023 risk API1. Activates + for requests involving BOLA testing, IDOR in APIs, object-level authorization testing, + or API access control bypass. ' domain: cybersecurity @@ -25,6 +27,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1027 +- T1070 --- # Testing API for Broken Object Level Authorization diff --git a/skills/testing-api-for-mass-assignment-vulnerability/SKILL.md b/skills/testing-api-for-mass-assignment-vulnerability/SKILL.md index 5c0da325..001a8b5f 100644 --- a/skills/testing-api-for-mass-assignment-vulnerability/SKILL.md +++ b/skills/testing-api-for-mass-assignment-vulnerability/SKILL.md 
@@ -1,10 +1,13 @@ --- name: testing-api-for-mass-assignment-vulnerability -description: 'Tests APIs for mass assignment (auto-binding) vulnerabilities where clients can modify object properties they - should not have access to by including additional parameters in API requests. The tester identifies writable endpoints, - adds undocumented fields to request bodies (role, isAdmin, price, balance), and checks if the server binds these to the - data model without filtering. Part of OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests - involving mass assignment testing, parameter binding abuse, auto-binding vulnerability, or API over-posting. +description: 'Tests APIs for mass assignment (auto-binding) vulnerabilities where + clients can modify object properties they should not have access to by including + additional parameters in API requests. The tester identifies writable endpoints, + adds undocumented fields to request bodies (role, isAdmin, price, balance), and + checks if the server binds these to the data model without filtering. Part of OWASP + API3:2023 Broken Object Property Level Authorization. Activates for requests involving + mass assignment testing, parameter binding abuse, auto-binding vulnerability, or + API over-posting. ' domain: cybersecurity @@ -23,6 +26,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T0816 +- T0836 --- # Testing API for Mass Assignment Vulnerability diff --git a/skills/testing-api-security-with-owasp-top-10/SKILL.md b/skills/testing-api-security-with-owasp-top-10/SKILL.md index 3f74dead..c4ccdea0 100644 --- a/skills/testing-api-security-with-owasp-top-10/SKILL.md +++ b/skills/testing-api-security-with-owasp-top-10/SKILL.md 
@@ -1,7 +1,7 @@ --- name: testing-api-security-with-owasp-top-10 -description: Systematically assessing REST and GraphQL API endpoints against the OWASP API Security Top 10 risks using automated - and manual testing techniques. +description: Systematically assessing REST and GraphQL API endpoints against the OWASP + API Security Top 10 risks using automated and manual testing techniques. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +20,11 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 --- # Testing API Security with OWASP Top 10 diff --git a/skills/testing-cors-misconfiguration/SKILL.md b/skills/testing-cors-misconfiguration/SKILL.md index b1e1adfa..c15d9554 100644 --- a/skills/testing-cors-misconfiguration/SKILL.md +++ b/skills/testing-cors-misconfiguration/SKILL.md @@ -1,7 +1,8 @@ --- name: testing-cors-misconfiguration -description: Identifying and exploiting Cross-Origin Resource Sharing misconfigurations that allow unauthorized cross-domain - data access and credential theft during security assessments. +description: Identifying and exploiting Cross-Origin Resource Sharing misconfigurations + that allow unauthorized cross-domain data access and credential theft during security + assessments. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +20,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1003 --- # Testing CORS Misconfiguration diff --git a/skills/testing-for-broken-access-control/SKILL.md b/skills/testing-for-broken-access-control/SKILL.md index 1c1e8549..6d25e828 100644 --- a/skills/testing-for-broken-access-control/SKILL.md +++ b/skills/testing-for-broken-access-control/SKILL.md 
@@ -1,7 +1,8 @@ --- name: testing-for-broken-access-control -description: Systematically testing web applications for broken access control vulnerabilities including privilege escalation, - missing function-level checks, and insecure direct object references. +description: Systematically testing web applications for broken access control vulnerabilities + including privilege escalation, missing function-level checks, and insecure direct + object references. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +20,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1068 --- # Testing for Broken Access Control diff --git a/skills/testing-for-business-logic-vulnerabilities/SKILL.md b/skills/testing-for-business-logic-vulnerabilities/SKILL.md index e785fcec..a76f079e 100644 --- a/skills/testing-for-business-logic-vulnerabilities/SKILL.md +++ b/skills/testing-for-business-logic-vulnerabilities/SKILL.md @@ -1,7 +1,8 @@ --- name: testing-for-business-logic-vulnerabilities -description: Identifying flaws in application business logic that allow price manipulation, workflow bypass, and privilege - escalation beyond what technical vulnerability scanners can detect. +description: Identifying flaws in application business logic that allow price manipulation, + workflow bypass, and privilege escalation beyond what technical vulnerability scanners + can detect. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +20,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1068 --- # Testing for Business Logic Vulnerabilities diff --git a/skills/testing-for-email-header-injection/SKILL.md b/skills/testing-for-email-header-injection/SKILL.md index 9ad4f4ff..a7564704 100644 --- a/skills/testing-for-email-header-injection/SKILL.md +++ b/skills/testing-for-email-header-injection/SKILL.md 
@@ -1,7 +1,8 @@ --- name: testing-for-email-header-injection -description: Test web application email functionality for SMTP header injection vulnerabilities that allow attackers to inject - additional email headers, modify recipients, and abuse contact forms for spam relay. +description: Test web application email functionality for SMTP header injection vulnerabilities + that allow attackers to inject additional email headers, modify recipients, and + abuse contact forms for spam relay. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1055 --- # Testing for Email Header Injection diff --git a/skills/testing-for-host-header-injection/SKILL.md b/skills/testing-for-host-header-injection/SKILL.md index 721283fd..a2056682 100644 --- a/skills/testing-for-host-header-injection/SKILL.md +++ b/skills/testing-for-host-header-injection/SKILL.md @@ -1,7 +1,8 @@ --- name: testing-for-host-header-injection -description: Test web applications for HTTP Host header injection vulnerabilities to identify password reset poisoning, web - cache poisoning, SSRF, and virtual host routing manipulation risks. +description: Test web applications for HTTP Host header injection vulnerabilities + to identify password reset poisoning, web cache poisoning, SSRF, and virtual host + routing manipulation risks. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1055 --- # Testing for Host Header Injection diff --git a/skills/testing-for-json-web-token-vulnerabilities/SKILL.md b/skills/testing-for-json-web-token-vulnerabilities/SKILL.md index db390956..16f5dc61 100644 --- a/skills/testing-for-json-web-token-vulnerabilities/SKILL.md +++ b/skills/testing-for-json-web-token-vulnerabilities/SKILL.md 
@@ -1,7 +1,8 @@ --- name: testing-for-json-web-token-vulnerabilities -description: Test JWT implementations for critical vulnerabilities including algorithm confusion, none algorithm bypass, kid - parameter injection, and weak secret exploitation to achieve authentication bypass and privilege escalation. +description: Test JWT implementations for critical vulnerabilities including algorithm + confusion, none algorithm bypass, kid parameter injection, and weak secret exploitation + to achieve authentication bypass and privilege escalation. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1068 --- # Testing for JSON Web Token Vulnerabilities diff --git a/skills/testing-for-open-redirect-vulnerabilities/SKILL.md b/skills/testing-for-open-redirect-vulnerabilities/SKILL.md index 1be439cf..ea6ba065 100644 --- a/skills/testing-for-open-redirect-vulnerabilities/SKILL.md +++ b/skills/testing-for-open-redirect-vulnerabilities/SKILL.md @@ -1,7 +1,8 @@ --- name: testing-for-open-redirect-vulnerabilities -description: Identify and test open redirect vulnerabilities in web applications by analyzing URL redirection parameters, - bypass techniques, and exploitation chains for phishing and token theft. +description: Identify and test open redirect vulnerabilities in web applications by + analyzing URL redirection parameters, bypass techniques, and exploitation chains + for phishing and token theft. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1566 --- # Testing for Open Redirect Vulnerabilities diff --git a/skills/testing-for-sensitive-data-exposure/SKILL.md b/skills/testing-for-sensitive-data-exposure/SKILL.md index 072f6df4..460e472d 100644 --- a/skills/testing-for-sensitive-data-exposure/SKILL.md 
+++ b/skills/testing-for-sensitive-data-exposure/SKILL.md @@ -1,7 +1,8 @@ --- name: testing-for-sensitive-data-exposure -description: Identifying sensitive data exposure vulnerabilities including API key leakage, PII in responses, insecure storage, - and unprotected data transmission during security assessments. +description: Identifying sensitive data exposure vulnerabilities including API key + leakage, PII in responses, insecure storage, and unprotected data transmission during + security assessments. domain: cybersecurity subdomain: web-application-security tags: @@ -28,6 +29,11 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 --- # Testing for Sensitive Data Exposure diff --git a/skills/testing-for-xml-injection-vulnerabilities/SKILL.md b/skills/testing-for-xml-injection-vulnerabilities/SKILL.md index 1948f845..6412159a 100644 --- a/skills/testing-for-xml-injection-vulnerabilities/SKILL.md +++ b/skills/testing-for-xml-injection-vulnerabilities/SKILL.md @@ -1,7 +1,8 @@ --- name: testing-for-xml-injection-vulnerabilities -description: Test web applications for XML injection vulnerabilities including XXE, XPath injection, and XML entity attacks - to identify data exposure and server-side request forgery risks. +description: Test web applications for XML injection vulnerabilities including XXE, + XPath injection, and XML entity attacks to identify data exposure and server-side + request forgery risks. domain: cybersecurity subdomain: web-application-security tags: @@ -20,6 +21,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1055 --- # Testing for XML Injection Vulnerabilities diff --git a/skills/testing-for-xss-vulnerabilities-with-burpsuite/SKILL.md b/skills/testing-for-xss-vulnerabilities-with-burpsuite/SKILL.md index 89931003..007b5a93 100644 --- a/skills/testing-for-xss-vulnerabilities-with-burpsuite/SKILL.md 
+++ b/skills/testing-for-xss-vulnerabilities-with-burpsuite/SKILL.md @@ -1,7 +1,7 @@ --- name: testing-for-xss-vulnerabilities-with-burpsuite -description: Identifying and validating cross-site scripting vulnerabilities using Burp Suite's scanner, intruder, and repeater - tools during authorized security assessments. +description: Identifying and validating cross-site scripting vulnerabilities using + Burp Suite's scanner, intruder, and repeater tools during authorized security assessments. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +19,11 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 --- # Testing for XSS Vulnerabilities with Burp Suite diff --git a/skills/testing-for-xss-vulnerabilities/SKILL.md b/skills/testing-for-xss-vulnerabilities/SKILL.md index 2c63f909..f13f7cc8 100644 --- a/skills/testing-for-xss-vulnerabilities/SKILL.md +++ b/skills/testing-for-xss-vulnerabilities/SKILL.md 
@@ -1,10 +1,12 @@ --- name: testing-for-xss-vulnerabilities -description: 'Tests web applications for Cross-Site Scripting (XSS) vulnerabilities by injecting JavaScript payloads into - reflected, stored, and DOM-based contexts to demonstrate client-side code execution, session hijacking, and user impersonation. - The tester identifies all injection points and output contexts, crafts context-appropriate payloads, and bypasses sanitization - and CSP protections. Activates for requests involving XSS testing, cross-site scripting assessment, client-side injection - testing, or JavaScript injection vulnerability testing. +description: 'Tests web applications for Cross-Site Scripting (XSS) vulnerabilities + by injecting JavaScript payloads into reflected, stored, and DOM-based contexts + to demonstrate client-side code execution, session hijacking, and user impersonation. + The tester identifies all injection points and output contexts, crafts context-appropriate + payloads, and bypasses sanitization and CSP protections. Activates for requests + involving XSS testing, cross-site scripting assessment, client-side injection testing, + or JavaScript injection vulnerability testing. ' domain: cybersecurity @@ -23,6 +25,12 @@ nist_csf: - ID.RA-06 - GV.OV-02 - DE.AE-07 +mitre_attack: +- T1595 +- T1190 +- T1059 +- T1078 +- T1055 --- # Testing for XSS Vulnerabilities diff --git a/skills/testing-for-xxe-injection-vulnerabilities/SKILL.md b/skills/testing-for-xxe-injection-vulnerabilities/SKILL.md index a6cc7b33..aaee3e06 100644 --- a/skills/testing-for-xxe-injection-vulnerabilities/SKILL.md +++ b/skills/testing-for-xxe-injection-vulnerabilities/SKILL.md 
@@ -1,7 +1,8 @@ --- name: testing-for-xxe-injection-vulnerabilities -description: Discovering and exploiting XML External Entity injection vulnerabilities to read server files, perform SSRF, - and exfiltrate data during authorized penetration tests. +description: Discovering and exploiting XML External Entity injection vulnerabilities + to read server files, perform SSRF, and exfiltrate data during authorized penetration + tests. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +20,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1048 --- # Testing for XXE Injection Vulnerabilities diff --git a/skills/testing-jwt-token-security/SKILL.md b/skills/testing-jwt-token-security/SKILL.md index 9ea65311..2c2cda8f 100644 --- a/skills/testing-jwt-token-security/SKILL.md +++ b/skills/testing-jwt-token-security/SKILL.md @@ -1,7 +1,8 @@ --- name: testing-jwt-token-security -description: Assessing JSON Web Token implementations for cryptographic weaknesses, algorithm confusion attacks, and authorization - bypass vulnerabilities during security engagements. +description: Assessing JSON Web Token implementations for cryptographic weaknesses, + algorithm confusion attacks, and authorization bypass vulnerabilities during security + engagements. domain: cybersecurity subdomain: web-application-security tags: @@ -19,6 +20,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1505.003 +- T1083 +- T1027 --- # Testing JWT Token Security diff --git a/skills/testing-mobile-api-authentication/SKILL.md b/skills/testing-mobile-api-authentication/SKILL.md index aa072198..7ab0fb48 100644 --- a/skills/testing-mobile-api-authentication/SKILL.md +++ b/skills/testing-mobile-api-authentication/SKILL.md 
@@ -1,9 +1,11 @@ --- name: testing-mobile-api-authentication -description: 'Tests authentication and authorization mechanisms in mobile application APIs to identify broken authentication, - insecure token management, session fixation, privilege escalation, and IDOR vulnerabilities. Use when performing API security - assessments against mobile app backends, testing JWT implementations, evaluating OAuth flows, or assessing session management. - Activates for requests involving mobile API auth testing, token security assessment, OAuth mobile flow testing, or API authorization +description: 'Tests authentication and authorization mechanisms in mobile application + APIs to identify broken authentication, insecure token management, session fixation, + privilege escalation, and IDOR vulnerabilities. Use when performing API security + assessments against mobile app backends, testing JWT implementations, evaluating + OAuth flows, or assessing session management. Activates for requests involving mobile + API auth testing, token security assessment, OAuth mobile flow testing, or API authorization bypass. ' @@ -24,6 +26,12 @@ nist_csf: - PR.AA-05 - ID.RA-01 - DE.CM-09 +mitre_attack: +- T1059 +- T1056 +- T1036 +- T1078 +- T1068 --- # Testing Mobile API Authentication diff --git a/skills/testing-oauth2-implementation-flaws/SKILL.md b/skills/testing-oauth2-implementation-flaws/SKILL.md index 32a401f4..f3adac87 100644 --- a/skills/testing-oauth2-implementation-flaws/SKILL.md +++ b/skills/testing-oauth2-implementation-flaws/SKILL.md 
@@ -1,10 +1,12 @@ --- name: testing-oauth2-implementation-flaws -description: 'Tests OAuth 2.0 and OpenID Connect implementations for security flaws including authorization code interception, - redirect URI manipulation, CSRF in OAuth flows, token leakage, scope escalation, and PKCE bypass. The tester evaluates the - authorization server, client application, and token handling for common misconfigurations that enable account takeover or - unauthorized access. Activates for requests involving OAuth security testing, OIDC vulnerability assessment, OAuth2 redirect - bypass, or authorization code flow testing. +description: 'Tests OAuth 2.0 and OpenID Connect implementations for security flaws + including authorization code interception, redirect URI manipulation, CSRF in OAuth + flows, token leakage, scope escalation, and PKCE bypass. The tester evaluates the + authorization server, client application, and token handling for common misconfigurations + that enable account takeover or unauthorized access. Activates for requests involving + OAuth security testing, OIDC vulnerability assessment, OAuth2 redirect bypass, or + authorization code flow testing. ' domain: cybersecurity @@ -24,6 +26,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1027 +- T1070 --- # Testing OAuth2 Implementation Flaws diff --git a/skills/testing-ransomware-recovery-procedures/SKILL.md b/skills/testing-ransomware-recovery-procedures/SKILL.md index ca490385..16247dda 100644 --- a/skills/testing-ransomware-recovery-procedures/SKILL.md +++ b/skills/testing-ransomware-recovery-procedures/SKILL.md 
@@ -1,7 +1,8 @@ --- name: testing-ransomware-recovery-procedures -description: Test and validate ransomware recovery procedures including backup restore operations, RTO/RPO target verification, - recovery sequencing, and clean restore validation to ensure organizational resilience against destructive ransomware attacks. +description: Test and validate ransomware recovery procedures including backup restore + operations, RTO/RPO target verification, recovery sequencing, and clean restore + validation to ensure organizational resilience against destructive ransomware attacks. domain: cybersecurity subdomain: incident-response tags: @@ -20,6 +21,12 @@ nist_csf: - RS.MA-02 - RS.AN-03 - RC.RP-01 +mitre_attack: +- T1486 +- T1490 +- T1070 +- T1078 +- T1489 --- # Testing Ransomware Recovery Procedures diff --git a/skills/testing-websocket-api-security/SKILL.md b/skills/testing-websocket-api-security/SKILL.md index 422b9d5e..0ed5a6c2 100644 --- a/skills/testing-websocket-api-security/SKILL.md +++ b/skills/testing-websocket-api-security/SKILL.md 
@@ -1,11 +1,13 @@ --- name: testing-websocket-api-security -description: 'Tests WebSocket API implementations for security vulnerabilities including missing authentication on WebSocket - upgrade, Cross-Site WebSocket Hijacking (CSWSH), injection attacks through WebSocket messages, insufficient input validation, - denial-of-service via message flooding, and information leakage through WebSocket frames. The tester intercepts WebSocket - handshakes and messages using Burp Suite, crafts malicious payloads, and tests for authorization bypass on WebSocket channels. - Activates for requests involving WebSocket security testing, WS penetration testing, CSWSH attack, or real-time API security - assessment. +description: 'Tests WebSocket API implementations for security vulnerabilities including + missing authentication on WebSocket upgrade, Cross-Site WebSocket Hijacking (CSWSH), + injection attacks through WebSocket messages, insufficient input validation, denial-of-service + via message flooding, and information leakage through WebSocket frames. The tester + intercepts WebSocket handshakes and messages using Burp Suite, crafts malicious + payloads, and tests for authorization bypass on WebSocket channels. Activates for + requests involving WebSocket security testing, WS penetration testing, CSWSH attack, + or real-time API security assessment. ' domain: cybersecurity @@ -25,6 +27,12 @@ nist_csf: - ID.RA-01 - PR.DS-10 - DE.CM-01 +mitre_attack: +- T1190 +- T1059.007 +- T1552.001 +- T1055 +- T1059 --- # Testing WebSocket API Security diff --git a/skills/tracking-threat-actor-infrastructure/SKILL.md b/skills/tracking-threat-actor-infrastructure/SKILL.md index 34708130..c321fa1b 100644 --- a/skills/tracking-threat-actor-infrastructure/SKILL.md +++ b/skills/tracking-threat-actor-infrastructure/SKILL.md 
@@ -1,7 +1,8 @@ --- name: tracking-threat-actor-infrastructure -description: Threat actor infrastructure tracking involves monitoring and mapping adversary-controlled assets including command-and-control - (C2) servers, phishing domains, exploit kit hosts, bulletproof hosting, a +description: Threat actor infrastructure tracking involves monitoring and mapping + adversary-controlled assets including command-and-control (C2) servers, phishing + domains, exploit kit hosts, bulletproof hosting, a domain: cybersecurity subdomain: threat-intelligence tags: @@ -22,6 +23,12 @@ nist_csf: - ID.RA-05 - DE.CM-01 - DE.AE-02 +mitre_attack: +- T1591 +- T1592 +- T1593 +- T1589 +- T1566 --- # Tracking Threat Actor Infrastructure diff --git a/skills/triaging-security-alerts-in-splunk/SKILL.md b/skills/triaging-security-alerts-in-splunk/SKILL.md index 02ab6bc5..2ac77b7f 100644 --- a/skills/triaging-security-alerts-in-splunk/SKILL.md +++ b/skills/triaging-security-alerts-in-splunk/SKILL.md @@ -1,9 +1,10 @@ --- name: triaging-security-alerts-in-splunk -description: 'Triages security alerts in Splunk Enterprise Security by classifying severity, investigating notable events, - correlating related telemetry, and making escalation or closure decisions using SPL queries and the Incident Review dashboard. - Use when SOC analysts face queued alerts from correlation searches, need to prioritize investigation order, or must document - triage decisions for handoff to Tier 2/3 analysts. +description: 'Triages security alerts in Splunk Enterprise Security by classifying + severity, investigating notable events, correlating related telemetry, and making + escalation or closure decisions using SPL queries and the Incident Review dashboard. + Use when SOC analysts face queued alerts from correlation searches, need to prioritize + investigation order, or must document triage decisions for handoff to Tier 2/3 analysts. ' domain: cybersecurity 
@@ -24,6 +25,11 @@ nist_csf: - DE.AE-02 - RS.MA-01 - DE.AE-06 +mitre_attack: +- T1078 +- T1685.002 +- T1685.005 +- T1566 --- # Triaging Security Alerts in Splunk diff --git a/skills/triaging-security-incident-with-ir-playbook/SKILL.md b/skills/triaging-security-incident-with-ir-playbook/SKILL.md index 3fc39623..0c7c3c69 100644 --- a/skills/triaging-security-incident-with-ir-playbook/SKILL.md +++ b/skills/triaging-security-incident-with-ir-playbook/SKILL.md @@ -1,7 +1,8 @@ --- name: triaging-security-incident-with-ir-playbook -description: Classify and prioritize security incidents using structured IR playbooks to determine severity, assign response - teams, and initiate appropriate response procedures. +description: Classify and prioritize security incidents using structured IR playbooks + to determine severity, assign response teams, and initiate appropriate response + procedures. domain: cybersecurity subdomain: incident-response tags: @@ -11,8 +12,9 @@ tags: - severity-classification - soc mitre_attack: -- T1190 -- T1566 +- T1486 +- T1490 +- T1070 - T1078 version: '1.0' author: mahipal diff --git a/skills/triaging-security-incident/SKILL.md b/skills/triaging-security-incident/SKILL.md index 42a4b56f..86f851a0 100644 --- a/skills/triaging-security-incident/SKILL.md +++ b/skills/triaging-security-incident/SKILL.md 
@@ -1,9 +1,11 @@ --- name: triaging-security-incident -description: 'Performs initial triage of security incidents to determine severity, scope, and required response actions using - the NIST SP 800-61r3 and SANS PICERL frameworks. Classifies incidents by type, assigns priority based on business impact, - and routes to appropriate response teams. Activates for requests involving incident triage, security alert classification, - severity assessment, incident prioritization, or initial incident analysis. +description: 'Performs initial triage of security incidents to determine severity, + scope, and required response actions using the NIST SP 800-61r3 and SANS PICERL + frameworks. Classifies incidents by type, assigns priority based on business impact, + and routes to appropriate response teams. Activates for requests involving incident + triage, security alert classification, severity assessment, incident prioritization, + or initial incident analysis. ' domain: cybersecurity @@ -15,10 +17,10 @@ tags: - severity-classification - SOC-operations mitre_attack: -- T1190 -- T1566 +- T1486 +- T1490 +- T1070 - T1078 -- T1059 version: 1.0.0 author: mahipal license: Apache-2.0 diff --git a/skills/triaging-vulnerabilities-with-ssvc-framework/SKILL.md b/skills/triaging-vulnerabilities-with-ssvc-framework/SKILL.md index c945c775..282256fc 100644 --- a/skills/triaging-vulnerabilities-with-ssvc-framework/SKILL.md +++ b/skills/triaging-vulnerabilities-with-ssvc-framework/SKILL.md 
@@ -1,7 +1,8 @@ --- name: triaging-vulnerabilities-with-ssvc-framework -description: Triage and prioritize vulnerabilities using CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision - tree framework to produce actionable remediation priorities. +description: Triage and prioritize vulnerabilities using CISA's Stakeholder-Specific + Vulnerability Categorization (SSVC) decision tree framework to produce actionable + remediation priorities. domain: cybersecurity subdomain: vulnerability-management tags: @@ -21,6 +22,10 @@ nist_csf: - ID.RA-02 - ID.IM-02 - ID.RA-06 +mitre_attack: +- T1190 +- T1203 +- T1068 --- # Triaging Vulnerabilities with SSVC Framework diff --git a/skills/validating-backup-integrity-for-recovery/SKILL.md b/skills/validating-backup-integrity-for-recovery/SKILL.md index a01bec0a..b27a9807 100644 --- a/skills/validating-backup-integrity-for-recovery/SKILL.md +++ b/skills/validating-backup-integrity-for-recovery/SKILL.md @@ -1,7 +1,8 @@ --- name: validating-backup-integrity-for-recovery -description: Validate backup integrity through cryptographic hash verification, automated restore testing, corruption detection, - and recoverability checks to ensure backups are reliable for disaster recovery and ransomware response scenarios. +description: Validate backup integrity through cryptographic hash verification, automated + restore testing, corruption detection, and recoverability checks to ensure backups + are reliable for disaster recovery and ransomware response scenarios. domain: cybersecurity subdomain: incident-response tags: @@ -19,6 +20,12 @@ nist_csf: - RS.MA-02 - RS.AN-03 - RC.RP-01 +mitre_attack: +- T1486 +- T1490 +- T1070 +- T1078 +- T1489 --- # Validating Backup Integrity for Recovery
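Review bot: in the `tracking-threat-actor-infrastructure` hunk the description is still cut off mid-sentence ("bulletproof hosting, a"); the rewrap carries the truncated string forward instead of fixing it, so either complete the clause or end the value at "bulletproof hosting." Separately, the `mitre_attack` list added in that same file (T1591, T1592, T1593, T1589) consists of Reconnaissance techniques, i.e. an adversary gathering information about a victim, whereas the description is about mapping adversary-controlled C2 servers, phishing domains and hosting. Those assets are modelled under Resource Development; T1583 (Acquire Infrastructure) and T1584 (Compromise Infrastructure) are the obvious candidates to list alongside T1566.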
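Review bot: the `triaging-security-alerts-in-splunk` hunk lists two sub-technique IDs (T1685.002, T1685.005) without their parent, while every other `mitre_attack` list in this patch is parent-level only. Please confirm both sub-technique IDs resolve in the v19.1 data the validator runs against, and either add the parent T1685 or document that sub-technique-only entries are acceptable, so the lists stay consistent across skills.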
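Review bot: the `triaging-security-incident-with-ir-playbook` hunk replaces the initial-access techniques (T1190, T1566) with the ransomware set T1486, T1490, T1070 and keeps T1078. The skill's description says it classifies and prioritizes incidents in general, so narrowing the mapping to Impact and Indicator Removal techniques drops exactly the entry-vector coverage a triage playbook is most often invoked for. Keeping T1190 and T1566 and adding the ransomware IDs would match the description better than swapping them out.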
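Review bot: the `triaging-security-incident` hunk applies the same four-ID set (T1486, T1490, T1070, T1078) that also appears verbatim in the IR-playbook and backup-validation skills, and additionally removes T1059. The description explicitly covers "classifies incidents by type", so a mapping that drops exploitation, phishing and command execution in favour of an identical ransomware-only list across three differently scoped skills reads as a copy-paste rather than a per-skill mapping. Restore T1190, T1566 and T1059 here, or explain in the commit message why this skill is intentionally limited to ransomware-style incidents.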
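Review bot: in the `validating-backup-integrity-for-recovery` hunk, T1486, T1490 and T1489 fit a backup-integrity skill (encryption for impact, inhibiting recovery, service stop), but T1070 (Indicator Removal) and T1078 (Valid Accounts) have no connection to hash verification or restore testing and appear to have come along with the shared list used in the two triage skills. Trim the list to the three recovery-related techniques unless the skill body actually discusses log tampering or credential abuse against backup systems.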
