Map all 754 skills to MITRE ATT&CK v19.1

- Add validated mitre_attack frontmatter to all 754 skills (286 distinct techniques), verified against MITRE ATT&CK v19.1 via the official mitreattack-python library: 0 revoked, deprecated, or invalid IDs - Curate precise per-skill technique IDs for forensics, malware-analysis, threat-intel, and red-team skills (e.g. DCSync -> T1003.006, Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003) - Reconcile v19.1 tactic restructuring: Defense Evasion split into Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.* family and T1070.001/.002 remapped to active equivalents (T1685.*) - Normalize word-split tags across 35 skills (remove filename-derived stopword tags, add semantic cybersecurity tags) - Add api-reference.md for 3 skills that were missing it - Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-10 13:14:55 +03:00 · 2026-06-01 12:03:35 +02:00
parent 9a588e643e
commit cb8d79e068
755 changed files with 7832 additions and 2286 deletions
@@ -45,7 +45,7 @@ No other open-source skills library maps every skill to all five frameworks.  On

 | Framework | Version | Scope in this repo | What it maps |
 |---|---|---|---|
-| [MITRE ATT&CK](https://attack.mitre.org) | v18 | 14 tactics · 200+ techniques | Adversary behaviors and TTPs |
+| [MITRE ATT&CK](https://attack.mitre.org) | v19.1 | 15 tactics · 286 techniques | Adversary behaviors and TTPs |
 | [NIST CSF 2.0](https://www.nist.gov/cyberframework) | 2.0 | 6 functions · 22 categories | Organizational security posture |
 | [MITRE ATLAS](https://atlas.mitre.org) | v5.4 | 16 tactics · 84 techniques | AI/ML adversarial threats |
 | [MITRE D3FEND](https://d3fend.mitre.org) | v1.3 | 7 categories · 267 techniques | Defensive countermeasures |
@@ -57,6 +57,28 @@ No other open-source skills library maps every skill to all five frameworks.  On
 |---|---|---|---|---|---|
 | `analyzing-network-traffic-of-malware` | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 |

+### MITRE ATT&CK v19.1 — 754/754 skills mapped
+
+Every skill carries a `mitre_attack` frontmatter list validated against **MITRE ATT&CK v19.1** (the latest release) using the official `mitreattack-python` library — 286 distinct techniques across all 15 Enterprise tactics, plus ICS and Mobile techniques where relevant. Zero revoked or deprecated IDs. v19.1's restructured Defense Evasion (now split into **Stealth** and **Defense Impairment**) is reflected below.
+
+| Tactic | ID | Skills |
+|--------|----|--------|
+| Reconnaissance | TA0043 | 103 |
+| Resource Development | TA0042 | 22 |
+| Initial Access | TA0001 | 467 |
+| Execution | TA0002 | 350 |
+| Persistence | TA0003 | 444 |
+| Privilege Escalation | TA0004 | 464 |
+| Stealth | TA0005 | 442 |
+| Defense Impairment | TA0112 | 92 |
+| Credential Access | TA0006 | 202 |
+| Discovery | TA0007 | 237 |
+| Lateral Movement | TA0008 | 68 |
+| Collection | TA0009 | 172 |
+| Command and Control | TA0011 | 123 |
+| Exfiltration | TA0010 | 82 |
+| Impact | TA0040 | 50 |
+
 ## Quick start

 ```bash
@@ -1,7 +1,7 @@
 ---
 name: acquiring-disk-image-with-dd-and-dcfldd
-description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through
-  hash verification.
+description: Create forensically sound bit-for-bit disk images using dd and dcfldd
+  while preserving evidence integrity through hash verification.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1006
+- T1005
+- T1025
+- T1074.001
 ---

 # Acquiring Disk Image with dd and dcfldd
@@ -1,7 +1,7 @@
 ---
 name: analyzing-active-directory-acl-abuse
-description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and
-  WriteOwner abuse paths
+description: Detect dangerous ACL misconfigurations in Active Directory using ldap3
+  to identify GenericAll, WriteDACL, and WriteOwner abuse paths
 domain: cybersecurity
 subdomain: identity-security
 tags:
@@ -16,6 +16,12 @@ nist_csf:
 - PR.AA-01
 - PR.AA-05
 - PR.AA-06
+mitre_attack:
+- T1098
+- T1098.007
+- T1484.001
+- T1222.001
+- T1078.002
 ---


@@ -1,7 +1,8 @@
 ---
 name: analyzing-android-malware-with-apktool
-description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source
-  recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
+description: Perform static analysis of Android APK malware samples using apktool
+  for decompilation, jadx for Java source recovery, and androguard for permission
+  analysis, manifest inspection, and suspicious API call detection.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -21,6 +22,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1406
+- T1407
+- T1626.001
+- T1655.001
+- T1521.001
 ---

 # Analyzing Android Malware with Apktool
@@ -1,17 +1,22 @@
 ---
 name: analyzing-api-gateway-access-logs
-description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass,
-  credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection.
+description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect
+  BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts.
+  Uses pandas for statistical analysis of request patterns and anomaly detection.
  Use when investigating API abuse or building API-specific threat detection rules.

  '
 domain: cybersecurity
 subdomain: security-operations
 tags:
- analyzing
- api
- gateway
- access
+- api-security
+- access-log-analysis
+- aws-api-gateway
+- kong
+- nginx
+- bola-detection
+- rate-limit-bypass
+- security-operations
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -20,6 +25,11 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
+mitre_attack:
+- T1190
+- T1110.004
+- T1078.004
+- T1119
 ---

 # Analyzing API Gateway Access Logs
@@ -1,7 +1,8 @@
 ---
 name: analyzing-apt-group-with-mitre-navigator
-description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps
-  of adversary TTPs for detection gap analysis and threat-informed defense.
+description: Analyze advanced persistent threat (APT) group techniques using MITRE
+  ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap
+  analysis and threat-informed defense.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -27,6 +28,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1059.001
+- T1071.001
+- T1003.001
+- T1486
+- T1547.001
 ---
 # Analyzing APT Group with MITRE ATT&CK Navigator

@@ -1,8 +1,9 @@
 ---
 name: analyzing-azure-activity-logs-for-threats
-description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative
-  operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in
-  Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
+description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query
+  to detect suspicious administrative operations, impossible travel, privilege escalation,
+  and resource modifications. Builds KQL queries for threat hunting in Azure environments.
+  Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.

  '
 domain: cybersecurity
@@ -22,6 +23,12 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
+mitre_attack:
+- T1078.004
+- T1098.003
+- T1538
+- T1556.009
+- T1580
 ---

 # Analyzing Azure Activity Logs for Threats
@@ -1,9 +1,11 @@
 ---
 name: analyzing-bootkit-and-rootkit-samples
-description: 'Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Volume Boot Record
-  (VBR), or UEFI firmware to gain persistence below the operating system. Covers boot sector analysis, UEFI module inspection,
-  and anti-rootkit detection techniques. Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
-  persistence analysis, or pre-OS malware detection.
+description: 'Analyzes bootkit and advanced rootkit malware that infects the Master
+  Boot Record (MBR), Volume Boot Record (VBR), or UEFI firmware to gain persistence
+  below the operating system. Covers boot sector analysis, UEFI module inspection,
+  and anti-rootkit detection techniques. Activates for requests involving bootkit
+  analysis, MBR malware investigation, UEFI persistence analysis, or pre-OS malware
+  detection.

  '
 domain: cybersecurity
@@ -22,6 +24,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1542.003
+- T1542.001
+- T1542.002
+- T1014
+- T1547.006
 ---

 # Analyzing Bootkit and Rootkit Samples
@@ -1,7 +1,8 @@
 ---
 name: analyzing-browser-forensics-with-hindsight
-description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached
-  content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
+description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing
+  history, downloads, cookies, cached content, autofill data, saved passwords, and
+  browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -23,6 +24,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1217
+- T1539
+- T1555.003
+- T1185
 ---

 # Analyzing Browser Forensics with Hindsight
@@ -1,7 +1,8 @@
 ---
 name: analyzing-campaign-attribution-evidence
-description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or
-  group is responsible for a cyber operation. This skill covers collecting and weighting attr
+description: Campaign attribution analysis involves systematically evaluating evidence
+  to determine which threat actor or group is responsible for a cyber operation. This
+  skill covers collecting and weighting attr
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -20,6 +21,11 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1587.001
+- T1583.001
+- T1588.002
+- T1071.001
 ---
 # Analyzing Campaign Attribution Evidence

@@ -1,7 +1,8 @@
 ---
 name: analyzing-certificate-transparency-for-phishing
-description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates,
-  and unauthorized certificate issuance targeting your organization.
+description: Monitor Certificate Transparency logs using crt.sh and Certstream to
+  detect phishing domains, lookalike certificates, and unauthorized certificate issuance
+  targeting your organization.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -23,6 +24,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1583.001
+- T1583.004
+- T1566.002
+- T1608.005
+- T1596.003
 ---
 # Analyzing Certificate Transparency for Phishing

@@ -1,15 +1,20 @@
 ---
 name: analyzing-cloud-storage-access-patterns
-description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS
-  audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API
-  calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.
+description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage
+  by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics.
+  Identifies after-hours bulk downloads, access from new IP addresses, unusual API
+  calls (GetObject spikes), and potential data exfiltration using statistical baselines
+  and time-series anomaly detection.
 domain: cybersecurity
 subdomain: cloud-security
 tags:
- analyzing
- cloud
- storage
- access
+- cloud-security
+- aws-s3
+- gcs
+- azure-blob-storage
+- cloudtrail
+- data-access-anomaly
+- exfiltration-detection
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -25,6 +30,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1530
+- T1567.002
+- T1619
+- T1078.004
+- T1048
 ---


@@ -1,7 +1,8 @@
 ---
 name: analyzing-cobalt-strike-beacon-configuration
-description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure,
-  malleable profiles, and operator tradecraft.
+description: Extract and analyze Cobalt Strike beacon configuration from PE files
+  and memory dumps to identify C2 infrastructure, malleable profiles, and operator
+  tradecraft.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -20,6 +21,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1071.001
+- T1573.001
+- T1090.004
+- T1105
+- T1027
 ---
 # Analyzing Cobalt Strike Beacon Configuration

@@ -1,7 +1,8 @@
 ---
 name: analyzing-cobaltstrike-malleable-c2-profiles
-description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract
-  C2 indicators, detect evasion techniques, and generate network detection signatures.
+description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike
+  and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate
+  network detection signatures.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -20,6 +21,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1071.001
+- T1573.002
+- T1001.003
+- T1090.004
+- T1102
 ---
 # Analyzing CobaltStrike Malleable C2 Profiles

@@ -1,9 +1,10 @@
 ---
 name: analyzing-command-and-control-communication
-description: 'Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures,
-  data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and
-  threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or
-  command-and-control infrastructure mapping.
+description: 'Analyzes malware command-and-control (C2) communication protocols to
+  understand beacon patterns, command structures, data encoding, and infrastructure.
+  Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development
+  and threat intelligence. Activates for requests involving C2 analysis, beacon detection,
+  C2 protocol reverse engineering, or command-and-control infrastructure mapping.

  '
 domain: cybersecurity
@@ -22,6 +23,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1071.001
+- T1573
+- T1571
+- T1008
+- T1095
 ---

 # Analyzing Command-and-Control Communication
@@ -1,10 +1,12 @@
 ---
 name: analyzing-cyber-kill-chain
-description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases
-  an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier
-  phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection
-  gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
-  or Lockheed Martin kill chain framework.
+description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain
+  framework to identify which phases an adversary has completed, where defenses succeeded
+  or failed, and what controls would have interrupted the attack at earlier phases.
+  Use when conducting post-incident analysis, building prevention-focused security
+  controls, or mapping detection gaps to kill chain phases. Activates for requests
+  involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed
+  Martin kill chain framework.

  '
 domain: cybersecurity
@@ -24,6 +26,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1566.001
+- T1190
+- T1547.001
+- T1071.001
+- T1486
 ---
 # Analyzing Cyber Kill Chain

@@ -1,7 +1,7 @@
 ---
 name: analyzing-disk-image-with-autopsy
-description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and
-  build investigation timelines.
+description: Perform comprehensive forensic analysis of disk images using Autopsy
+  to recover files, examine artifacts, and build investigation timelines.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1005
+- T1074.001
+- T1070.004
+- T1083
 ---

 # Analyzing Disk Image with Autopsy
@@ -1,8 +1,9 @@
 ---
 name: analyzing-dns-logs-for-exfiltration
-description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert
-  C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC
-  teams need to identify DNS-based threats that bypass traditional network security controls.
+description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling,
+  DGA domain communication, and covert C2 channels using entropy analysis, query volume
+  anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams
+  need to identify DNS-based threats that bypass traditional network security controls.

  '
 domain: cybersecurity
@@ -28,6 +29,10 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
+mitre_attack:
+- T1048.003
+- T1071.004
+- T1567
 ---
 # Analyzing DNS Logs for Exfiltration

@@ -1,7 +1,7 @@
 ---
 name: analyzing-docker-container-forensics
-description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to
-  identify malicious activity and evidence.
+description: Investigate compromised Docker containers by analyzing images, layers,
+  volumes, logs, and runtime artifacts to identify malicious activity and evidence.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1610
+- T1611
+- T1613
+- T1612
 ---

 # Analyzing Docker Container Forensics
@@ -1,7 +1,7 @@
 ---
 name: analyzing-email-headers-for-phishing-investigation
-description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify
-  spoofing through SPF, DKIM, and DMARC validation.
+description: Parse and analyze email headers to trace the origin of phishing emails,
+  verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -22,6 +22,10 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1566.001
+- T1566.002
+- T1598.003
 ---

 # Analyzing Email Headers for Phishing Investigation
@@ -1,7 +1,8 @@
 ---
 name: analyzing-ethereum-smart-contract-vulnerabilities
-description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy,
-  integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
+description: Perform static and symbolic analysis of Solidity smart contracts using
+  Slither and Mythril to detect reentrancy, integer overflow, access control, and
+  other vulnerability classes before deployment to Ethereum mainnet.
 domain: cybersecurity
 subdomain: blockchain-security
 tags:
@@ -20,6 +21,9 @@ nist_csf:
 - PR.DS-01
 - PR.DS-02
 - ID.RA-01
+mitre_attack:
+- T1190
+- T1059
 ---

 # Analyzing Ethereum Smart Contract Vulnerabilities
@@ -1,7 +1,8 @@
 ---
 name: analyzing-golang-malware-with-ghidra
-description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction,
-  and type reconstruction in stripped Go binaries.
+description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts
+  for function recovery, string extraction, and type reconstruction in stripped Go
+  binaries.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -20,6 +21,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1027
+- T1620
+- T1140
+- T1059
 ---
 # Analyzing Golang Malware with Ghidra

@@ -1,7 +1,8 @@
 ---
 name: analyzing-heap-spray-exploitation
-description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns,
-  shellcode landing zones, and suspicious large allocations in process virtual address space.
+description: Detect and analyze heap spray attacks in memory dumps using Volatility3
+  plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large
+  allocations in process virtual address space.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -18,6 +19,10 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1203
+- T1059.007
+- T1106
 ---
 # Analyzing Heap Spray Exploitation

@@ -1,9 +1,11 @@
 ---
 name: analyzing-indicators-of-compromise
-description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts
-  to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing
-  emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist
-  decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
+description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains,
+  file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign
+  attribution, and blocking priority. Use when triaging IOCs from phishing emails,
+  security alerts, or external threat feeds; enriching raw IOCs with multi-source
+  intelligence; or making block/monitor/whitelist decisions. Activates for requests
+  involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.

  '
 domain: cybersecurity
@@ -27,6 +29,11 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1071
+- T1105
+- T1041
+- T1567
 ---
 # Analyzing Indicators of Compromise

@@ -28,6 +28,11 @@ nist_csf:
 - PR.AA-05
 - ID.RA-01
 - DE.CM-09
+mitre_attack:
+- T1635
+- T1414
+- T1417.001
+- T1409
 ---
 # Analyzing iOS App Security with Objection

@@ -1,17 +1,21 @@
 ---
 name: analyzing-kubernetes-audit-logs
-description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications,
-  privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating
+description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod,
+  secret access, RBAC modifications, privileged pod creation, and anonymous API access.
+  Builds threat detection rules from audit event patterns. Use when investigating
  Kubernetes cluster compromise or building k8s-specific SIEM detection rules.

  '
 domain: cybersecurity
 subdomain: container-security
 tags:
- analyzing
- kubernetes
- audit
- logs
+- kubernetes-security
+- container-security
+- audit-log-analysis
+- rbac
+- privilege-escalation
+- k8s-api-server
+- threat-detection
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -20,6 +24,11 @@ nist_csf:
 - PR.IR-01
 - ID.AM-08
 - DE.CM-01
+mitre_attack:
+- T1610
+- T1613
+- T1078
+- T1552.007
 ---

 # Analyzing Kubernetes Audit Logs
@@ -1,9 +1,11 @@
 ---
 name: analyzing-linux-audit-logs-for-intrusion
-description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized
-  access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction,
-  and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch
-  queries, aureport summaries, or host-based intrusion detection on Linux.
+description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities
+  to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious
+  system activity. Covers audit rule configuration, log querying, timeline reconstruction,
+  and integration with SIEM platforms. Activates for requests involving auditd analysis,
+  Linux audit log investigation, ausearch queries, aureport summaries, or host-based
+  intrusion detection on Linux.

  '
 domain: cybersecurity
@@ -24,6 +26,11 @@ nist_csf:
 - RS.MA-02
 - RS.AN-03
 - RC.RP-01
+mitre_attack:
+- T1059.004
+- T1070
+- T1548.003
+- T1543.002
 ---

 # Analyzing Linux Audit Logs for Intrusion
@@ -1,9 +1,11 @@
 ---
 name: analyzing-linux-elf-malware
-description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, cryptominers, ransomware,
-  and rootkits targeting Linux servers, containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
-  reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis, ELF binary investigation,
-  Linux server compromise assessment, or container malware analysis.
+description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries
+  including botnets, cryptominers, ransomware, and rootkits targeting Linux servers,
+  containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
+  reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving
+  Linux malware analysis, ELF binary investigation, Linux server compromise assessment,
+  or container malware analysis.

  '
 domain: cybersecurity
@@ -22,6 +24,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1027
+- T1059.004
+- T1620
+- T1574.006
 ---

 # Analyzing Linux ELF Malware
@@ -1,8 +1,9 @@
 ---
 name: analyzing-linux-kernel-rootkits
-description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules),
-  rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and
-  tampered system structures.
+description: Detect kernel-level rootkits in Linux memory dumps using Volatility3
+  linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning,
+  and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel
+  modules, and tampered system structures.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -22,6 +23,10 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1014
+- T1547.006
+- T1564.001
 ---

 # Analyzing Linux Kernel Rootkits
@@ -1,7 +1,8 @@
 ---
 name: analyzing-linux-system-artifacts
-description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover
-  evidence of compromise or unauthorized activity.
+description: Examine Linux system artifacts including auth logs, cron jobs, shell
+  history, and system configuration to uncover evidence of compromise or unauthorized
+  activity.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +20,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1070
+- T1059.004
+- T1543.002
+- T1053.003
 ---

 # Analyzing Linux System Artifacts
@@ -1,7 +1,8 @@
 ---
 name: analyzing-lnk-file-and-jump-list-artifacts
-description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution,
-  and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
+description: Analyze Windows LNK shortcut files and Jump List artifacts to establish
+  evidence of file access, program execution, and user activity using LECmd, JLECmd,
+  and manual binary parsing of the Shell Link Binary format.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -23,6 +24,10 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1547.009
+- T1204.002
+- T1059.001
 ---

 # Analyzing LNK File and Jump List Artifacts
@@ -1,9 +1,10 @@
 ---
 name: analyzing-macro-malware-in-office-documents
-description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download
-  cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
-  to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis,
-  or document-based threat examination.
+description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents
+  (Word, Excel, PowerPoint) to identify download cradles, payload execution, persistence
+  mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
+  to extract the attack chain. Activates for requests involving Office macro analysis,
+  VBA malware investigation, maldoc analysis, or document-based threat examination.

  '
 domain: cybersecurity
@@ -31,6 +32,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1137.001
+- T1204.002
+- T1059.005
+- T1027
 ---

 # Analyzing Macro Malware in Office Documents
@@ -1,7 +1,7 @@
 ---
 name: analyzing-malicious-pdf-with-peepdf
-description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript,
-  shellcode, and suspicious objects.
+description: Perform static analysis of malicious PDF documents using peepdf, pdfid,
+  and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -21,6 +21,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1204.002
+- T1059.007
+- T1027
+- T1106
 ---

 # Analyzing Malicious PDF with peepdf
@@ -1,7 +1,8 @@
 ---
 name: analyzing-malicious-url-with-urlscan
-description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content,
-  HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
+description: URLScan.io is a free service for scanning and analyzing suspicious URLs.
+  It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and
+  network connections of web pages in an isolat
 domain: cybersecurity
 subdomain: phishing-defense
 tags:
@@ -22,6 +23,10 @@ nist_csf:
 - DE.CM-09
 - RS.CO-02
 - DE.AE-02
+mitre_attack:
+- T1566.002
+- T1204.001
+- T1598.003
 ---
 # Analyzing Malicious URL with URLScan

@@ -1,9 +1,10 @@
 ---
 name: analyzing-malware-behavior-with-cuckoo-sandbox
-description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system
-  modifications, registry changes, network communications, and API calls. Generates comprehensive behavioral reports for malware
-  classification and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox detonation, behavioral
-  analysis, or automated malware execution.
+description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior
+  including process creation, file system modifications, registry changes, network
+  communications, and API calls. Generates comprehensive behavioral reports for malware
+  classification and IOC extraction. Activates for requests involving dynamic malware
+  analysis, sandbox detonation, behavioral analysis, or automated malware execution.

  '
 domain: cybersecurity
@@ -22,6 +23,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1497
+- T1055
+- T1071
+- T1027
 ---

 # Analyzing Malware Behavior with Cuckoo Sandbox
@@ -1,7 +1,8 @@
 ---
 name: analyzing-malware-family-relationships-with-malpedia
-description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families
-  to threat actors, and integrate YARA rules for detection across malware lineages.
+description: Use the Malpedia platform and API to research malware family relationships,
+  track variant evolution, link families to threat actors, and integrate YARA rules
+  for detection across malware lineages.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -21,6 +22,10 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1587.001
+- T1027
+- T1071
 ---
 # Analyzing Malware Family Relationships with Malpedia

@@ -1,7 +1,8 @@
 ---
 name: analyzing-malware-persistence-with-autoruns
-description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry
-  keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
+description: Use Sysinternals Autoruns to systematically identify and analyze malware
+  persistence mechanisms across registry keys, scheduled tasks, services, drivers,
+  and startup locations on Windows systems.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -14,10 +15,11 @@ tags:
 - startup
 - incident-response
 mitre_attack:
- T1547
- T1053
- T1543
- T1546
+- T1547.001
+- T1543.003
+- T1053.005
+- T1574.001
+- T1037.001
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -1,7 +1,8 @@
 ---
 name: analyzing-malware-sandbox-evasion-techniques
-description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction
-  detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
+description: Detect sandbox evasion techniques in malware samples by analyzing timing
+  checks, VM artifact queries, user interaction detection, and sleep inflation patterns
+  from Cuckoo/AnyRun behavioral reports
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -26,6 +27,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1497.001
+- T1497.003
+- T1480
+- T1027.002
 ---

 # Analyzing Malware Sandbox Evasion Techniques
@@ -1,8 +1,10 @@
 ---
 name: analyzing-memory-forensics-with-lime-and-volatility
-description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility
-  3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux
-  memory images. Use when performing incident response on compromised Linux systems.
+description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor)
+  kernel module and analysis with Volatility 3 framework. Extracts process lists,
+  network connections, bash history, loaded kernel modules, and injected code from
+  Linux memory images. Use when performing incident response on compromised Linux
+  systems.

  '
 domain: cybersecurity
@@ -22,6 +24,11 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
+mitre_attack:
+- T1055
+- T1003.001
+- T1620
+- T1564.001
 ---

 # Analyzing Memory Forensics with LiME and Volatility
@@ -1,7 +1,8 @@
 ---
 name: analyzing-mft-for-deleted-file-recovery
-description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record
-  entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
+description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content
+  of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack
+  space using MFTECmd, analyzeMFT, and X-Ways Forensics.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -23,6 +24,10 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1070.004
+- T1070.006
+- T1005
 ---

 # Analyzing MFT for Deleted File Recovery
@@ -1,7 +1,8 @@
 ---
 name: analyzing-network-covert-channels-in-malware
-description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration,
-  steganographic HTTP, and protocol abuse for C2 and data exfiltration.
+description: Detect and analyze covert communication channels used by malware including
+  DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2
+  and data exfiltration.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -26,6 +27,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1071.001
+- T1095
+- T1572
+- T1001
 ---
 # Analyzing Network Covert Channels in Malware

@@ -1,8 +1,10 @@
 ---
 name: analyzing-network-flow-data-with-netflow
-description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing
-  patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis
-  to identify flows with abnormal byte counts, connection durations, and periodic timing patterns.
+description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port
+  scanning, data exfiltration, and C2 beaconing patterns. Uses the Python netflow
+  library to decode flow records, builds traffic baselines, and applies statistical
+  analysis to identify flows with abnormal byte counts, connection durations, and
+  periodic timing patterns.
 domain: cybersecurity
 subdomain: network-security
 tags:
@@ -18,6 +20,11 @@ nist_csf:
 - DE.CM-01
 - ID.AM-03
 - PR.DS-02
+mitre_attack:
+- T1071
+- T1048
+- T1046
+- T1095
 ---


@@ -1,7 +1,8 @@
 ---
 name: analyzing-network-packets-with-scapy
-description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and
-  traffic anomaly detection in authorized security testing
+description: Craft, send, sniff, and dissect network packets using Scapy for protocol
+  analysis, network reconnaissance, and traffic anomaly detection in authorized security
+  testing
 domain: cybersecurity
 subdomain: network-security
 tags:
@@ -19,6 +20,11 @@ nist_csf:
 - DE.CM-01
 - ID.AM-03
 - PR.DS-02
+mitre_attack:
+- T1040
+- T1071
+- T1046
+- T1557
 ---

 # Analyzing Network Packets with Scapy
@@ -1,9 +1,10 @@
 ---
 name: analyzing-network-traffic-of-malware
-description: 'Analyzes network traffic generated by malware during sandbox execution or live incident response to identify
-  C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata.
-  Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based
-  malware detection.
+description: 'Analyzes network traffic generated by malware during sandbox execution
+  or live incident response to identify C2 protocols, data exfiltration channels,
+  payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata.
+  Activates for requests involving malware network analysis, C2 traffic decoding,
+  malware PCAP analysis, or network-based malware detection.

  '
 domain: cybersecurity
@@ -22,6 +23,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1071.001
+- T1571
+- T1573
+- T1095
 ---

 # Analyzing Network Traffic of Malware
@@ -1,7 +1,8 @@
 ---
 name: analyzing-network-traffic-with-wireshark
-description: 'Captures and analyzes network packet data using Wireshark and tshark to identify malicious traffic patterns,
-  diagnose protocol issues, extract artifacts, and support incident response investigations on authorized network segments.
+description: 'Captures and analyzes network packet data using Wireshark and tshark
+  to identify malicious traffic patterns, diagnose protocol issues, extract artifacts,
+  and support incident response investigations on authorized network segments.

  '
 domain: cybersecurity
@@ -20,6 +21,11 @@ nist_csf:
 - DE.CM-01
 - ID.AM-03
 - PR.DS-02
+mitre_attack:
+- T1040
+- T1071
+- T1557
+- T1046
 ---
 # Analyzing Network Traffic with Wireshark

@@ -1,7 +1,8 @@
 ---
 name: analyzing-office365-audit-logs-for-compromise
-description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation,
-  suspicious OAuth app grants, and other indicators of account compromise.
+description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect
+  email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and
+  other indicators of account compromise.
 domain: cybersecurity
 subdomain: cloud-security
 tags:
@@ -20,6 +21,11 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1114.002
+- T1098.002
+- T1556.006
+- T1078.004
 ---

 # Analyzing Office 365 Audit Logs for Compromise
@@ -1,8 +1,9 @@
 ---
 name: analyzing-outlook-pst-for-email-forensics
-description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments,
-  deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident
-  response.
+description: Analyze Microsoft Outlook PST and OST files for email forensic evidence
+  including message content, headers, attachments, deleted items, and metadata using
+  libpff, pst-utils, and forensic email analysis tools for legal investigations and
+  incident response.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -28,6 +29,10 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1114.001
+- T1564.008
+- T1070.008
 ---

 # Analyzing Outlook PST for Email Forensics
@@ -1,8 +1,10 @@
 ---
 name: analyzing-packed-malware-with-upx-unpacker
-description: 'Identifies and unpacks UPX-packed and other packed malware samples to expose the original executable code for
-  static analysis. Covers both standard UPX unpacking and handling modified UPX headers that prevent automated decompression.
-  Activates for requests involving malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis.
+description: 'Identifies and unpacks UPX-packed and other packed malware samples to
+  expose the original executable code for static analysis. Covers both standard UPX
+  unpacking and handling modified UPX headers that prevent automated decompression.
+  Activates for requests involving malware unpacking, UPX decompression, packer removal,
+  or preparing packed samples for analysis.

  '
 domain: cybersecurity
@@ -21,6 +23,10 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1027.002
+- T1140
+- T1620
 ---

 # Analyzing Packed Malware with UPX Unpacker
@@ -1,9 +1,10 @@
 ---
 name: analyzing-pdf-malware-with-pdfid
-description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode,
-  exploits, and suspicious objects without opening the document. Determines the attack vector and extracts embedded payloads
-  for further analysis. Activates for requests involving PDF malware analysis, malicious document analysis, PDF exploit investigation,
-  or suspicious attachment triage.
+description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to
+  identify embedded JavaScript, shellcode, exploits, and suspicious objects without
+  opening the document. Determines the attack vector and extracts embedded payloads
+  for further analysis. Activates for requests involving PDF malware analysis, malicious
+  document analysis, PDF exploit investigation, or suspicious attachment triage.

  '
 domain: cybersecurity
@@ -22,6 +23,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1204.002
+- T1566.001
+- T1059.007
+- T1027
 ---

 # Analyzing PDF Malware with PDFiD
@@ -1,7 +1,8 @@
 ---
 name: analyzing-persistence-mechanisms-in-linux
-description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD
-  hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring
+description: Detect and analyze Linux persistence mechanisms including crontab entries,
+  systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys
+  backdoors using auditd and file integrity monitoring
 domain: cybersecurity
 subdomain: threat-hunting
 tags:
@@ -17,6 +18,7 @@ mitre_attack:
 - T1543.002
 - T1574.006
 - T1546.004
+- T1098.004
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -1,7 +1,8 @@
 ---
 name: analyzing-powershell-empire-artifacts
-description: Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns,
-  default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.
+description: Detect PowerShell Empire framework artifacts in Windows event logs by
+  identifying Base64 encoded launcher patterns, default user agents, staging URL structures,
+  stager IOCs, and known Empire module signatures in Script Block Logging events.
 domain: cybersecurity
 subdomain: threat-hunting
 tags:
@@ -32,6 +33,12 @@ nist_csf:
 - DE.AE-02
 - DE.AE-07
 - ID.RA-05
+mitre_attack:
+- T1059.001
+- T1071.001
+- T1003.001
+- T1558.003
+- T1027.010
 ---

 # Analyzing PowerShell Empire Artifacts
@@ -1,8 +1,10 @@
 ---
 name: analyzing-powershell-script-block-logging
-description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded
-  payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy
-  analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
+description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX
+  files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques.
+  Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy
+  analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse,
+  download cradles, and AMSI bypass attempts.
 domain: cybersecurity
 subdomain: security-operations
 tags:
@@ -20,6 +22,11 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
+mitre_attack:
+- T1059.001
+- T1027.010
+- T1140
+- T1105
 ---


@@ -1,7 +1,7 @@
 ---
 name: analyzing-prefetch-files-for-execution-history
-description: Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced
-  files for forensic investigation.
+description: Parse Windows Prefetch files to determine program execution history including
+  run counts, timestamps, and referenced files for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1059.001
+- T1003.001
+- T1021.002
+- T1567.002
 ---

 # Analyzing Prefetch Files for Execution History
@@ -1,9 +1,10 @@
 ---
 name: analyzing-ransomware-encryption-mechanisms
-description: 'Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to
-  assess decryption feasibility, identify implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20,
-  and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery
-  assessment, or ransomware decryption feasibility.
+description: 'Analyzes encryption algorithms, key management, and file encryption
+  routines used by ransomware families to assess decryption feasibility, identify
+  implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20,
+  and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis,
+  encryption analysis, key recovery assessment, or ransomware decryption feasibility.

  '
 domain: cybersecurity
@@ -22,6 +23,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1486
+- T1573.001
+- T1573.002
+- T1027
 ---

 # Analyzing Ransomware Encryption Mechanisms
@@ -1,7 +1,8 @@
 ---
 name: analyzing-ransomware-leak-site-intelligence
-description: Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence
-  on group tactics, and assess sector-specific ransomware risk for proactive defense.
+description: Monitor and analyze ransomware group data leak sites (DLS) to track victim
+  postings, extract threat intelligence on group tactics, and assess sector-specific
+  ransomware risk for proactive defense.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -10,7 +11,7 @@ tags:
 - data-leak
 - extortion
 - threat-intelligence
- monitoring
+- leak-site-monitoring
 - dls
 - victim-tracking
 version: '1.0'
@@ -21,6 +22,11 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1657
+- T1486
+- T1567.002
+- T1591
 ---
 # Analyzing Ransomware Leak Site Intelligence

@@ -1,7 +1,8 @@
 ---
 name: analyzing-ransomware-network-indicators
-description: Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration
-  flows, and encryption key exchange via Zeek conn.log and NetFlow analysis
+description: Identify ransomware network indicators including C2 beaconing patterns,
+  TOR exit node connections, data exfiltration flows, and encryption key exchange
+  via Zeek conn.log and NetFlow analysis
 domain: cybersecurity
 subdomain: threat-hunting
 tags:
@@ -26,6 +27,12 @@ nist_csf:
 - DE.AE-02
 - DE.AE-07
 - ID.RA-05
+mitre_attack:
+- T1071.001
+- T1573
+- T1048
+- T1567.002
+- T1486
 ---

 # Analyzing Ransomware Network Indicators
@@ -1,9 +1,11 @@
 ---
 name: analyzing-ransomware-payment-wallets
-description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor,
-  WalletExplorer, and blockchain.com APIs. Identifies wallet clusters, tracks fund movement through mixers and exchanges,
-  and supports law enforcement attribution. Activates for requests involving ransomware payment tracing, bitcoin wallet analysis,
-  cryptocurrency forensics, or blockchain intelligence gathering.
+description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis
+  tools such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies
+  wallet clusters, tracks fund movement through mixers and exchanges, and supports
+  law enforcement attribution. Activates for requests involving ransomware payment
+  tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain intelligence
+  gathering.

  '
 domain: cybersecurity
@@ -23,6 +25,9 @@ nist_csf:
 - RS.MA-01
 - RC.RP-01
 - PR.IR-01
+mitre_attack:
+- T1657
+- T1486
 ---

 # Analyzing Ransomware Payment Wallets
@@ -1,9 +1,11 @@
 ---
 name: analyzing-sbom-for-supply-chain-vulnerabilities
-description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities
-  by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores,
-  identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis,
-  software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing,
+description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON
+  formats to identify supply chain vulnerabilities by correlating components against
+  the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk
+  scores, identifies transitive vulnerability paths, and generates compliance reports.
+  Activates for requests involving SBOM analysis, software composition analysis, supply
+  chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing,
  or CVE correlation.

  '
@@ -36,6 +38,11 @@ nist_csf:
 - GV.SC-03
 - GV.SC-06
 - GV.SC-07
+mitre_attack:
+- T1195.001
+- T1195.002
+- T1554
+- T1190
 ---

 # Analyzing SBOM for Supply Chain Vulnerabilities
@@ -1,9 +1,11 @@
 ---
 name: analyzing-security-logs-with-splunk
-description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents
-  through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy
-  logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis,
-  security event correlation, or log-based incident investigation.
+description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language)
+  to investigate security incidents through log correlation, timeline reconstruction,
+  and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and
+  authentication data analysis. Activates for requests involving Splunk investigation,
+  SPL queries, SIEM log analysis, security event correlation, or log-based incident
+  investigation.

  '
 domain: cybersecurity
@@ -15,9 +17,11 @@ tags:
 - log-analysis
 - security-monitoring
 mitre_attack:
- T1070
- T1562
- T1059
+- T1110
+- T1550.002
+- T1021.001
+- T1059.001
+- T1003.001
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -1,7 +1,7 @@
 ---
 name: analyzing-slack-space-and-file-system-artifacts
-description: Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data
-  and reconstruct file activity on NTFS volumes.
+description: Examine file system slack space, MFT entries, USN journal, and alternate
+  data streams to recover hidden data and reconstruct file activity on NTFS volumes.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -20,6 +20,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1070.006
+- T1564.004
+- T1070.004
+- T1005
+- T1006
 ---

 # Analyzing Slack Space and File System Artifacts
@@ -1,7 +1,8 @@
 ---
 name: analyzing-supply-chain-malware-artifacts
-description: Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines,
-  and sideloaded dependencies to identify intrusion vectors and scope of compromise.
+description: Investigate supply chain attack artifacts including trojanized software
+  updates, compromised build pipelines, and sideloaded dependencies to identify intrusion
+  vectors and scope of compromise.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -33,6 +34,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1195.002
+- T1195.001
+- T1554
+- T1553.002
+- T1027
 ---
 # Analyzing Supply Chain Malware Artifacts

@@ -1,7 +1,8 @@
 ---
 name: analyzing-threat-actor-ttps-with-mitre-attack
-description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs)
-  based on real-world observations. This skill covers systematically mapping threat actor beh
+description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics,
+  techniques, and procedures (TTPs) based on real-world observations. This skill covers
+  systematically mapping threat actor beh
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -26,6 +27,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1566.001
+- T1059.001
+- T1071.001
+- T1547.001
+- T1053.005
 ---
 # Analyzing Threat Actor TTPs with MITRE ATT&CK

@@ -1,9 +1,11 @@
 ---
 name: analyzing-threat-actor-ttps-with-mitre-navigator
-description: 'Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework
-  using the ATT&CK Navigator and attackcti Python library. The analyst queries STIX/TAXII data for group-technique associations,
-  generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles. Activates
-  for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis.
+description: 'Map advanced persistent threat (APT) group tactics, techniques, and
+  procedures (TTPs) to the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti
+  Python library. The analyst queries STIX/TAXII data for group-technique associations,
+  generates Navigator layer files for visualization, and compares defensive coverage
+  against adversary profiles. Activates for requests involving APT TTP mapping, ATT&CK
+  Navigator layers, threat actor profiling, or MITRE technique coverage analysis.

  '
 domain: cybersecurity
@@ -38,6 +40,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1566.001
+- T1059.001
+- T1071.001
+- T1547.001
+- T1053.005
 ---
 # Analyzing Threat Actor TTPs with MITRE Navigator

@@ -1,9 +1,11 @@
 ---
 name: analyzing-threat-intelligence-feeds
-description: 'Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics,
-  and campaign context. Use when ingesting commercial or open-source CTI feeds, evaluating feed quality, normalizing data
-  into STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates for requests involving ThreatConnect,
-  Recorded Future, Mandiant Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.
+description: 'Analyzes structured and unstructured threat intelligence feeds to extract
+  actionable indicators, adversary tactics, and campaign context. Use when ingesting
+  commercial or open-source CTI feeds, evaluating feed quality, normalizing data into
+  STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates
+  for requests involving ThreatConnect, Recorded Future, Mandiant Advantage, MISP,
+  AlienVault OTX, or automated feed aggregation pipelines.

  '
 domain: cybersecurity
@@ -26,6 +28,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1071.001
+- T1566
+- T1568
+- T1583.001
+- T1102
 ---
 # Analyzing Threat Intelligence Feeds

@@ -1,16 +1,19 @@
 ---
 name: analyzing-threat-landscape-with-misp
-description: Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics,
-  attribute distributions, threat actor galaxy clusters, and tag trends over time. Uses PyMISP to pull event data, compute
-  IOC type breakdowns, identify top threat actors and malware families, and generate threat landscape reports with temporal
-  trends.
+description: Analyze the threat landscape using MISP (Malware Information Sharing
+  Platform) by querying event statistics, attribute distributions, threat actor galaxy
+  clusters, and tag trends over time. Uses PyMISP to pull event data, compute IOC
+  type breakdowns, identify top threat actors and malware families, and generate threat
+  landscape reports with temporal trends.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
- analyzing
- threat
- landscape
- with
+- threat-intelligence
+- misp
+- threat-landscape
+- ioc-analysis
+- cti
+- threat-sharing
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -25,6 +28,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1566
+- T1071.001
+- T1568
+- T1583.001
+- T1102
 ---


@@ -1,17 +1,20 @@
 ---
 name: analyzing-tls-certificate-transparency-logs
-description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate
-  issuance, and shadow IT. Monitors newly issued certificates for typosquatting and brand impersonation using Levenshtein
+description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect
+  phishing domains, unauthorized certificate issuance, and shadow IT. Monitors newly
+  issued certificates for typosquatting and brand impersonation using Levenshtein
  distance. Use for proactive phishing domain detection and certificate monitoring.

  '
 domain: cybersecurity
 subdomain: security-operations
 tags:
- analyzing
- tls
- certificate
- transparency
+- certificate-transparency
+- ct-logs
+- crt-sh
+- phishing-detection
+- tls-monitoring
+- security-operations
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -23,6 +26,11 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
+mitre_attack:
+- T1583.001
+- T1566.002
+- T1598.003
+- T1583.006
 ---

 # Analyzing TLS Certificate Transparency Logs
@@ -1,7 +1,8 @@
 ---
 name: analyzing-typosquatting-domains-with-dnstwist
-description: Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations
-  and identify registered lookalike domains targeting your organization.
+description: Detect typosquatting, homograph phishing, and brand impersonation domains
+  using dnstwist to generate domain permutations and identify registered lookalike
+  domains targeting your organization.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -24,6 +25,11 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1583.001
+- T1566.002
+- T1598.003
+- T1583.006
 ---
 # Analyzing Typosquatting Domains with DNSTwist

@@ -1,10 +1,12 @@
 ---
 name: analyzing-uefi-bootkit-persistence
-description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition
-  (ESP) modifications, Secure Boot bypass techniques, and UEFI variable manipulation. Covers detection of known bootkit families
-  (BlackLotus, LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, chipsec-based firmware
-  integrity verification, and Secure Boot configuration auditing. Activates for requests involving UEFI malware analysis,
-  firmware persistence investigation, boot chain integrity verification, or Secure Boot bypass detection.
+description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants
+  in SPI flash, EFI System Partition (ESP) modifications, Secure Boot bypass techniques,
+  and UEFI variable manipulation. Covers detection of known bootkit families (BlackLotus,
+  LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection,
+  chipsec-based firmware integrity verification, and Secure Boot configuration auditing.
+  Activates for requests involving UEFI malware analysis, firmware persistence investigation,
+  boot chain integrity verification, or Secure Boot bypass detection.

  '
 domain: cybersecurity
@@ -30,6 +32,12 @@ nist_csf:
 - ID.RA-01
 - PR.PS-01
 - PR.PS-02
+mitre_attack:
+- T1542.001
+- T1542.003
+- T1553.006
+- T1542
+- T1014
 ---

 # Analyzing UEFI Bootkit Persistence
@@ -1,7 +1,7 @@
 ---
 name: analyzing-usb-device-connection-history
-description: Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable
-  media usage and potential data exfiltration.
+description: Investigate USB device connection history from Windows registry, event
+  logs, and setupapi logs to track removable media usage and potential data exfiltration.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1052.001
+- T1025
+- T1091
+- T1005
+- T1074.001
 ---

 # Analyzing USB Device Connection History
@@ -1,15 +1,20 @@
 ---
 name: analyzing-web-server-logs-for-intrusion
-description: Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal,
-  web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP
-  enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.
+description: Parse Apache and Nginx access logs to detect SQL injection attempts,
+  local file inclusion, directory traversal, web scanner fingerprints, and brute-force
+  patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP
+  enrichment for source attribution, and statistical anomaly detection for request
+  frequency and response size outliers.
 domain: cybersecurity
 subdomain: security-operations
 tags:
- analyzing
- web
- server
- logs
+- web-log-analysis
+- apache-logs
+- nginx-logs
+- sql-injection-detection
+- lfi-detection
+- directory-traversal
+- intrusion-detection
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -18,6 +23,12 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
+mitre_attack:
+- T1190
+- T1059.007
+- T1110
+- T1595.002
+- T1505.003
 ---


@@ -1,9 +1,12 @@
 ---
 name: analyzing-windows-amcache-artifacts
-description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application
-  installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline
-  Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests
-  involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation.
+description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract
+  evidence of program execution, application installation, and driver loading for
+  digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline
+  Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and
+  timeline reconstruction. Activates for requests involving Amcache forensics, program
+  execution evidence, Windows artifact analysis, or application compatibility cache
+  investigation.

  '
 domain: cybersecurity
@@ -24,6 +27,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1070.004
+- T1070.006
+- T1036.005
+- T1014
+- T1005
 ---

 # Analyzing Windows Amcache Artifacts
@@ -1,9 +1,10 @@
 ---
 name: analyzing-windows-event-logs-in-splunk
-description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege
-  escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC
-  analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows
-  endpoints and domain controllers.
+description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to
+  detect authentication attacks, privilege escalation, persistence mechanisms, and
+  lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC
+  analysts need to investigate Windows-based threats, build detection queries, or
+  perform forensic timeline analysis of Windows endpoints and domain controllers.

  '
 domain: cybersecurity
@@ -30,6 +31,13 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
+mitre_attack:
+- T1110
+- T1053.005
+- T1547.001
+- T1021.002
+- T1558.003
+- T1003.006
 ---
 # Analyzing Windows Event Logs in Splunk

@@ -1,7 +1,7 @@
 ---
 name: analyzing-windows-lnk-files-for-artifacts
-description: Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers
-  for forensic timeline reconstruction.
+description: Parse Windows LNK shortcut files to extract target paths, timestamps,
+  volume information, and machine identifiers for forensic timeline reconstruction.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1547.001
+- T1204.002
+- T1005
+- T1025
+- T1074.001
 ---

 # Analyzing Windows LNK Files for Artifacts
@@ -1,7 +1,8 @@
 ---
 name: analyzing-windows-prefetch-with-python
-description: Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history,
-  detect renamed or masquerading binaries, and identify suspicious program execution patterns.
+description: Parse Windows Prefetch files using the windowsprefetch Python library
+  to reconstruct application execution history, detect renamed or masquerading binaries,
+  and identify suspicious program execution patterns.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -12,9 +13,11 @@ tags:
 - incident-response
 - malware-analysis
 mitre_attack:
- T1059
- T1204
- T1036
+- T1036.005
+- T1070.004
+- T1070
+- T1003.001
+- T1057
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -1,7 +1,7 @@
 ---
 name: analyzing-windows-registry-for-artifacts
-description: Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and
-  evidence of system compromise.
+description: Extract and analyze Windows Registry hives to uncover user activity,
+  installed software, autostart entries, and evidence of system compromise.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1012
+- T1547.001
+- T1112
+- T1003.002
+- T1025
 ---

 # Analyzing Windows Registry for Artifacts
@@ -1,8 +1,8 @@
 ---
 name: analyzing-windows-shellbag-artifacts
-description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable
-  media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags
-  Explorer.
+description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing
+  activity, detect access to removable media and network shares, and establish user
+  interaction with directories even after deletion using SBECmd and ShellBags Explorer.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -24,6 +24,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1083
+- T1074.001
+- T1135
+- T1025
+- T1070.004
 ---

 # Analyzing Windows Shellbag Artifacts
@@ -1,7 +1,8 @@
 ---
 name: auditing-aws-s3-bucket-permissions
-description: 'Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, overly permissive ACLs,
-  misconfigured bucket policies, and missing encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege
+description: 'Systematically audit AWS S3 bucket permissions to identify publicly
+  accessible buckets, overly permissive ACLs, misconfigured bucket policies, and missing
+  encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege
  data access controls.

  '
@@ -22,6 +23,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1530
+- T1619
+- T1078.004
+- T1537
+- T1567.002
 ---

 # Auditing AWS S3 Bucket Permissions
@@ -1,7 +1,8 @@
 ---
 name: auditing-azure-active-directory-configuration
-description: 'Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies,
-  overly permissive role assignments, stale accounts, conditional access gaps, and guest user risks using AzureAD PowerShell,
+description: 'Auditing Microsoft Entra ID (Azure Active Directory) configuration to
+  identify risky authentication policies, overly permissive role assignments, stale
+  accounts, conditional access gaps, and guest user risks using AzureAD PowerShell,
  Microsoft Graph API, and ScoutSuite.

  '
@@ -22,6 +23,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1078.004
+- T1098.003
+- T1556.006
+- T1069.003
+- T1526
 ---

 # Auditing Azure Active Directory Configuration
@@ -1,9 +1,10 @@
 ---
 name: auditing-cloud-with-cis-benchmarks
-description: 'This skill details how to conduct cloud security audits using Center for Internet Security benchmarks for AWS,
-  Azure, and GCP. It covers interpreting CIS Foundations Benchmark controls, running automated assessments with tools like
-  Prowler and ScoutSuite, remediating failed controls, and maintaining continuous compliance monitoring against CIS v5 for
-  AWS, v4 for Azure, and v4 for GCP.
+description: 'This skill details how to conduct cloud security audits using Center
+  for Internet Security benchmarks for AWS, Azure, and GCP. It covers interpreting
+  CIS Foundations Benchmark controls, running automated assessments with tools like
+  Prowler and ScoutSuite, remediating failed controls, and maintaining continuous
+  compliance monitoring against CIS v5 for AWS, v4 for Azure, and v4 for GCP.

  '
 domain: cybersecurity
@@ -26,6 +27,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1078.004
+- T1530
+- T1098.003
+- T1685.002
+- T1580
 ---

 # Auditing Cloud with CIS Benchmarks
@@ -1,7 +1,8 @@
 ---
 name: auditing-gcp-iam-permissions
-description: 'Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage,
-  service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.
+description: 'Auditing Google Cloud Platform IAM permissions to identify overly permissive
+  bindings, primitive role usage, service account key proliferation, and cross-project
+  access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.

  '
 domain: cybersecurity
@@ -21,6 +22,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1078.004
+- T1098.003
+- T1528
+- T1548.005
+- T1580
 ---

 # Auditing GCP IAM Permissions
@@ -1,7 +1,8 @@
 ---
 name: auditing-kubernetes-cluster-rbac
-description: 'Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous
-  ClusterRoleBindings, service account abuse, and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.
+description: 'Auditing Kubernetes cluster RBAC configurations to identify overly permissive
+  roles, wildcard permissions, dangerous ClusterRoleBindings, service account abuse,
+  and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.

  '
 domain: cybersecurity
@@ -22,6 +23,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1098.006
+- T1552.007
+- T1611
+- T1613
+- T1078.004
 ---

 # Auditing Kubernetes Cluster RBAC
@@ -1,7 +1,8 @@
 ---
 name: auditing-terraform-infrastructure-for-security
-description: 'Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and
-  OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults
+description: 'Auditing Terraform infrastructure-as-code for security misconfigurations
+  using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive
+  IAM policies, public resource exposure, missing encryption, and insecure defaults
  before cloud deployment.

  '
@@ -22,6 +23,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1078.004
+- T1530
+- T1190
+- T1552.001
+- T1580
 ---

 # Auditing Terraform Infrastructure for Security
@@ -1,10 +1,12 @@
 ---
 name: auditing-tls-certificate-transparency-logs
-description: 'Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains
-  via CT data, and alert on suspicious certificate activity for owned domains. Uses the crt.sh API and direct CT log querying
-  based on RFC 6962 to build continuous monitoring pipelines that catch rogue certificates, track CA behavior, and map the
-  external attack surface. Activates for requests involving certificate transparency monitoring, CT log auditing, subdomain
-  discovery via certificates, or certificate issuance alerting.
+description: 'Monitors Certificate Transparency (CT) logs to detect unauthorized certificate
+  issuance, discover subdomains via CT data, and alert on suspicious certificate activity
+  for owned domains. Uses the crt.sh API and direct CT log querying based on RFC 6962
+  to build continuous monitoring pipelines that catch rogue certificates, track CA
+  behavior, and map the external attack surface. Activates for requests involving
+  certificate transparency monitoring, CT log auditing, subdomain discovery via certificates,
+  or certificate issuance alerting.

  '
 domain: cybersecurity
@@ -24,6 +26,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1596.003
+- T1583.001
+- T1587.003
+- T1593
+- T1566.002
 ---
 # Auditing TLS Certificate Transparency Logs

@@ -1,10 +1,12 @@
 ---
 name: automating-ioc-enrichment
-description: 'Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using
-  SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time and standardize enrichment outputs. Use
-  when building automated enrichment workflows integrated with SIEM alerts, email submission pipelines, or bulk IOC processing
-  from threat feeds. Activates for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment
-  pipelines, or automated IOC processing.
+description: 'Automates the enrichment of raw indicators of compromise with multi-source
+  threat intelligence context using SOAR platforms, Python pipelines, or TIP playbooks
+  to reduce analyst triage time and standardize enrichment outputs. Use when building
+  automated enrichment workflows integrated with SIEM alerts, email submission pipelines,
+  or bulk IOC processing from threat feeds. Activates for requests involving SOAR
+  enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment pipelines, or
+  automated IOC processing.

  '
 domain: cybersecurity
@@ -27,6 +29,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1071.001
+- T1583.001
+- T1588.001
+- T1590.005
+- T1596
 ---
 # Automating IOC Enrichment

@@ -1,7 +1,8 @@
 ---
 name: building-adversary-infrastructure-tracking-system
-description: Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS
-  data, and IP enrichment to map and monitor threat actor command-and-control networks.
+description: Build an automated system to track adversary infrastructure using passive
+  DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor
+  threat actor command-and-control networks.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -21,6 +22,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1583.001
+- T1583.004
+- T1596.001
+- T1590.002
+- T1071.001
 ---
 # Building Adversary Infrastructure Tracking System

@@ -1,7 +1,8 @@
 ---
 name: building-attack-pattern-library-from-cti-reports
-description: Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library
-  mapped to MITRE ATT&CK for detection engineering and threat-informed defense.
+description: Extract and catalog attack patterns from cyber threat intelligence reports
+  into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering
+  and threat-informed defense.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -27,6 +28,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1566.001
+- T1059.001
+- T1003.001
+- T1558.003
+- T1550.002
 ---
 # Building Attack Pattern Library from CTI Reports

@@ -1,8 +1,10 @@
 ---
 name: building-automated-malware-submission-pipeline
-description: 'Builds an automated malware submission and analysis pipeline that collects suspicious files from endpoints and
-  email gateways, submits them to sandbox environments and multi-engine scanners, and generates verdicts with IOCs for SIEM
-  integration. Use when SOC teams need to scale malware analysis beyond manual sandbox submissions for high-volume alert triage.
+description: 'Builds an automated malware submission and analysis pipeline that collects
+  suspicious files from endpoints and email gateways, submits them to sandbox environments
+  and multi-engine scanners, and generates verdicts with IOCs for SIEM integration.
+  Use when SOC teams need to scale malware analysis beyond manual sandbox submissions
+  for high-volume alert triage.

  '
 domain: cybersecurity
@@ -24,6 +26,12 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
+mitre_attack:
+- T1204.002
+- T1566.001
+- T1027
+- T1055
+- T1497
 ---
 # Building Automated Malware Submission Pipeline

@@ -1,7 +1,8 @@
 ---
 name: building-c2-infrastructure-with-sliver-framework
-description: Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with
-  redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements.
+description: Build and configure a resilient command-and-control infrastructure using
+  BishopFox's Sliver C2 framework with redirectors, HTTPS listeners, and multi-operator
+  support for authorized red team engagements.
 domain: cybersecurity
 subdomain: red-teaming
 tags:
@@ -25,6 +26,13 @@ nist_csf:
 - ID.RA-01
 - GV.OV-02
 - DE.AE-07
+mitre_attack:
+- T1071.001
+- T1071.004
+- T1573.002
+- T1090.002
+- T1105
+- T1572
 ---
 # Building C2 Infrastructure with Sliver Framework

@@ -1,9 +1,10 @@
 ---
 name: building-cloud-siem-with-sentinel
-description: 'This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR platform for centralized security
-  operations. It details configuring data connectors for multi-cloud log ingestion, writing KQL detection queries, building
-  automated response playbooks with Logic Apps, and leveraging the Sentinel data lake for petabyte-scale threat hunting across
-  AWS, Azure, and GCP security telemetry.
+description: 'This skill covers deploying Microsoft Sentinel as a cloud-native SIEM
+  and SOAR platform for centralized security operations. It details configuring data
+  connectors for multi-cloud log ingestion, writing KQL detection queries, building
+  automated response playbooks with Logic Apps, and leveraging the Sentinel data lake
+  for petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry.

  '
 domain: cybersecurity
@@ -30,6 +31,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1078.004
+- T1548.005
+- T1485
+- T1530
+- T1021.007
 ---

 # Building Cloud SIEM with Sentinel
@@ -1,7 +1,7 @@
 ---
 name: building-detection-rule-with-splunk-spl
-description: Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify
-  security threats in SOC environments.
+description: Build effective detection rules using Splunk Search Processing Language
+  (SPL) correlation searches to identify security threats in SOC environments.
 domain: cybersecurity
 subdomain: soc-operations
 tags:
@@ -27,6 +27,13 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
+mitre_attack:
+- T1059.001
+- T1003.001
+- T1021.002
+- T1110.003
+- T1053.005
+- T1048
 ---

 # Building Detection Rules with Splunk SPL
@@ -1,9 +1,10 @@
 ---
 name: building-detection-rules-with-sigma
-description: 'Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms
-  including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence,
-  mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac
-  or pySigma backends.
+description: 'Builds vendor-agnostic detection rules using the Sigma rule format for
+  threat detection across SIEM platforms including Splunk, Elastic, and Microsoft
+  Sentinel. Use when creating portable detection logic from threat intelligence, mapping
+  rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific
+  queries using sigmac or pySigma backends.

  '
 domain: cybersecurity
@@ -31,6 +32,12 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
+mitre_attack:
+- T1059.001
+- T1003.001
+- T1055
+- T1053.005
+- T1547.001
 ---
 # Building Detection Rules with Sigma

@@ -1,7 +1,7 @@
 ---
 name: building-devsecops-pipeline-with-gitlab-ci
-description: Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning,
-  dependency scanning, and secret detection.
+description: Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD
+  integrating SAST, DAST, container scanning, dependency scanning, and secret detection.
 domain: cybersecurity
 subdomain: devsecops
 tags:
@@ -21,6 +21,12 @@ nist_csf:
 - GV.SC-07
 - ID.IM-04
 - PR.PS-04
+mitre_attack:
+- T1195.001
+- T1195.002
+- T1552.001
+- T1190
+- T1610
 ---

 # Building DevSecOps Pipeline with GitLab CI
@@ -1,7 +1,8 @@
 ---
 name: building-identity-federation-with-saml-azure-ad
-description: Establish SAML 2.0 identity federation between on-premises Active Directory and Azure AD (Microsoft Entra ID)
-  for seamless cross-domain authentication and SSO to cloud applications.
+description: Establish SAML 2.0 identity federation between on-premises Active Directory
+  and Azure AD (Microsoft Entra ID) for seamless cross-domain authentication and SSO
+  to cloud applications.
 domain: cybersecurity
 subdomain: identity-access-management
 tags:
@@ -21,6 +22,12 @@ nist_csf:
 - PR.AA-02
 - PR.AA-05
 - PR.AA-06
+mitre_attack:
+- T1606.002
+- T1556.007
+- T1484.002
+- T1078.004
+- T1110.003
 ---

 # Building Identity Federation with SAML Azure AD
@@ -1,9 +1,10 @@
 ---
 name: building-identity-governance-lifecycle-process
-description: 'Builds comprehensive identity governance and lifecycle management processes including joiner-mover-leaver automation,
-  role mining, access request workflows, periodic recertification, and orphaned account remediation using IGA platforms. Activates
-  for requests involving identity lifecycle management, JML processes, role-based access provisioning, or identity governance
-  program design.
+description: 'Builds comprehensive identity governance and lifecycle management processes
+  including joiner-mover-leaver automation, role mining, access request workflows,
+  periodic recertification, and orphaned account remediation using IGA platforms.
+  Activates for requests involving identity lifecycle management, JML processes, role-based
+  access provisioning, or identity governance program design.

  '
 domain: cybersecurity
@@ -27,6 +28,12 @@ nist_csf:
 - PR.AA-02
 - PR.AA-05
 - PR.AA-06
+mitre_attack:
+- T1098
+- T1136
+- T1078
+- T1531
+- T1087
 ---

 # Building Identity Governance Lifecycle Process
@@ -1,8 +1,10 @@
 ---
 name: building-incident-response-dashboard
-description: 'Builds real-time incident response dashboards in Splunk, Elastic, or Grafana to provide SOC analysts and leadership
-  with situational awareness during active incidents, tracking affected systems, containment status, IOC spread, and response
-  timeline. Use when IR teams need unified visibility during incident coordination and post-incident reporting.
+description: 'Builds real-time incident response dashboards in Splunk, Elastic, or
+  Grafana to provide SOC analysts and leadership with situational awareness during
+  active incidents, tracking affected systems, containment status, IOC spread, and
+  response timeline. Use when IR teams need unified visibility during incident coordination
+  and post-incident reporting.

  '
 domain: cybersecurity
@@ -23,6 +25,12 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
+mitre_attack:
+- T1486
+- T1071.001
+- T1021.002
+- T1041
+- T1566
 ---
 # Building Incident Response Dashboard

@@ -1,9 +1,11 @@
 ---
 name: building-incident-response-playbook
-description: 'Designs and documents structured incident response playbooks that define step-by-step procedures for specific
-  incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation
-  criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident
-  response procedure documentation, response runbook development, or SOAR playbook design.
+description: 'Designs and documents structured incident response playbooks that define
+  step-by-step procedures for specific incident types aligned with NIST SP 800-61r3
+  and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation
+  criteria, RACI matrices, and integration with SOAR platforms. Activates for requests
+  involving IR playbook creation, incident response procedure documentation, response
+  runbook development, or SOAR playbook design.

  '
 domain: cybersecurity
@@ -15,8 +17,10 @@ tags:
 - SOAR-integration
 - response-procedures
 mitre_attack:
- T1190
+- T1486
 - T1566
+- T1190
+- T1041
 - T1078
 version: 1.0.0
 author: mahipal
@@ -1,7 +1,8 @@
 ---
 name: building-incident-timeline-with-timesketch
-description: Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source
-  event data for attack chain reconstruction and investigation documentation.
+description: Build collaborative forensic incident timelines using Timesketch to ingest,
+  normalize, and analyze multi-source event data for attack chain reconstruction and
+  investigation documentation.
 domain: cybersecurity
 subdomain: incident-response
 tags:
@@ -13,9 +14,11 @@ tags:
 - incident-investigation
 - collaborative-forensics
 mitre_attack:
- T1070
- T1059
- T1053
+- T1059.001
+- T1021.002
+- T1547.001
+- T1053.005
+- T1070.006
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -1,7 +1,8 @@
 ---
 name: building-ioc-defanging-and-sharing-pipeline
-description: Build an automated pipeline to defang indicators of compromise (URLs, IPs, domains, emails) for safe sharing
-  and distribute them in STIX format through TAXII feeds and threat intelligence platforms.
+description: Build an automated pipeline to defang indicators of compromise (URLs,
+  IPs, domains, emails) for safe sharing and distribute them in STIX format through
+  TAXII feeds and threat intelligence platforms.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -21,6 +22,11 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1071.001
+- T1583.001
+- T1105
+- T1566.002
 ---
 # Building IOC Defanging and Sharing Pipeline

@@ -1,7 +1,8 @@
 ---
 name: building-ioc-enrichment-pipeline-with-opencti
-description: OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its
-  native data model. This skill covers building an automated IOC enrichment pipeline using O
+description: OpenCTI is an open-source platform for managing cyber threat intelligence
+  knowledge, built on STIX 2.1 as its native data model. This skill covers building
+  an automated IOC enrichment pipeline using O
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -21,6 +22,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1071.001
+- T1583.001
+- T1105
+- T1590.005
+- T1588.001
 ---
 # Building IOC Enrichment Pipeline with OpenCTI

@@ -1,7 +1,8 @@
 ---
 name: building-malware-incident-communication-template
-description: Build structured communication templates for malware incidents including stakeholder notifications, executive
-  briefings, technical advisories, and regulatory disclosures with severity-based escalation procedures.
+description: Build structured communication templates for malware incidents including
+  stakeholder notifications, executive briefings, technical advisories, and regulatory
+  disclosures with severity-based escalation procedures.
 domain: cybersecurity
 subdomain: incident-response
 tags:
@@ -12,9 +13,11 @@ tags:
 - executive-briefing
 - regulatory-disclosure
 mitre_attack:
+- T1486
+- T1490
+- T1657
+- T1041
 - T1566
- T1204
- T1027
 version: '1.0'
 author: mahipal
 license: Apache-2.0
--- a/Show More
+++ b/Show More