From ef27f026cbd32f7da41adf21c7305ea055443c66 Mon Sep 17 00:00:00 2001 From: mukul975 Date: Mon, 6 Apr 2026 01:55:37 +0200 Subject: [PATCH] feat: enrich 209 skills with MITRE ATLAS, D3FEND, and NIST AI RMF frontmatter Added structured security framework mappings to SKILL.md frontmatter across all applicable skills: - atlas_techniques: MITRE ATLAS v5.5 AML.TXXXX IDs (81 skills, AI-targeted attack techniques) - d3fend_techniques: MITRE D3FEND v1.3 defensive technique labels (139 skills, mapped from ATT&CK IDs) - nist_ai_rmf: NIST AI RMF 1.0 subcategory IDs (85 skills, AI risk management functions) Also updates ATTACK_COVERAGE.md with coverage statistics for all three frameworks. --- ATTACK_COVERAGE.md | 37 ++ .../SKILL.md | 21 +- .../SKILL.md | 17 +- .../SKILL.md | 23 +- .../SKILL.md | 26 +- .../SKILL.md | 16 +- .../SKILL.md | 24 +- .../SKILL.md | 29 +- .../SKILL.md | 28 +- .../SKILL.md | 16 +- .../SKILL.md | 111 +----- .../SKILL.md | 25 +- .../SKILL.md | 20 +- .../SKILL.md | 22 +- .../SKILL.md | 58 +-- .../SKILL.md | 26 +- .../SKILL.md | 20 +- .../SKILL.md | 34 +- .../SKILL.md | 245 +----------- .../SKILL.md | 27 +- .../SKILL.md | 20 +- .../SKILL.md | 38 +- .../SKILL.md | 24 +- .../SKILL.md | 21 +- .../SKILL.md | 18 +- .../SKILL.md | 30 +- .../SKILL.md | 28 +- .../SKILL.md | 23 +- .../SKILL.md | 21 +- .../SKILL.md | 20 +- .../SKILL.md | 27 +- .../SKILL.md | 21 +- .../SKILL.md | 29 +- .../SKILL.md | 26 +- .../SKILL.md | 254 +----------- .../SKILL.md | 23 +- .../SKILL.md | 30 +- .../SKILL.md | 271 +------------ .../SKILL.md | 31 +- .../SKILL.md | 20 +- .../SKILL.md | 20 +- .../SKILL.md | 20 +- .../SKILL.md | 20 +- .../SKILL.md | 213 +--------- .../SKILL.md | 30 +- .../SKILL.md | 21 +- .../SKILL.md | 22 +- .../SKILL.md | 26 +- .../SKILL.md | 20 +- .../configuring-hsm-for-key-storage/SKILL.md | 20 +- .../SKILL.md | 372 +----------------- .../SKILL.md | 28 +- .../SKILL.md | 30 +- .../SKILL.md | 23 +- .../SKILL.md | 44 ++- .../SKILL.md | 29 +- .../SKILL.md | 27 +- .../SKILL.md | 32 +- .../SKILL.md | 21 +- .../SKILL.md | 24 +- .../SKILL.md | 31 +- .../SKILL.md | 26 +- .../SKILL.md | 19 +- .../SKILL.md | 19 +- .../SKILL.md | 25 +- .../SKILL.md | 20 +- .../SKILL.md | 39 +- .../SKILL.md | 20 +- .../SKILL.md | 29 +- .../SKILL.md | 20 +- .../SKILL.md | 26 +- .../SKILL.md | 25 +- .../detecting-golden-ticket-forgery/SKILL.md | 25 +- .../SKILL.md | 19 +- .../detecting-kerberoasting-attacks/SKILL.md | 20 +- .../SKILL.md | 23 +- .../SKILL.md | 20 +- .../SKILL.md | 22 +- .../SKILL.md | 20 +- .../SKILL.md | 30 +- .../SKILL.md | 20 +- .../SKILL.md | 27 +- .../SKILL.md | 30 +- .../SKILL.md | 41 +- .../detecting-pass-the-hash-attacks/SKILL.md | 19 +- .../SKILL.md | 25 +- .../SKILL.md | 19 +- .../SKILL.md | 19 +- .../SKILL.md | 20 +- .../SKILL.md | 25 +- .../SKILL.md | 21 +- .../detecting-service-account-abuse/SKILL.md | 19 +- .../SKILL.md | 25 +- .../SKILL.md | 20 +- .../SKILL.md | 21 +- .../SKILL.md | 20 +- .../SKILL.md | 19 +- skills/detecting-wmi-persistence/SKILL.md | 21 +- .../SKILL.md | 28 +- skills/executing-red-team-exercise/SKILL.md | 29 +- .../SKILL.md | 20 +- .../SKILL.md | 20 +- .../SKILL.md | 20 +- .../SKILL.md | 30 +- .../SKILL.md | 20 +- .../SKILL.md | 21 +- .../SKILL.md | 20 +- .../SKILL.md | 20 +- .../SKILL.md | 22 +- .../SKILL.md | 29 +- .../SKILL.md | 21 +- .../SKILL.md | 19 +- .../SKILL.md | 26 +- .../SKILL.md | 20 +- .../SKILL.md | 31 +- skills/hunting-for-dcsync-attacks/SKILL.md | 21 +- .../SKILL.md | 24 +- .../SKILL.md | 20 +- .../SKILL.md | 25 +- .../SKILL.md | 20 +- .../SKILL.md | 20 +- .../SKILL.md | 20 +- .../hunting-for-ntlm-relay-attacks/SKILL.md | 23 +- .../SKILL.md | 20 +- .../SKILL.md | 19 +- .../SKILL.md | 20 +- .../SKILL.md | 20 +- .../SKILL.md | 20 +- .../SKILL.md | 19 +- .../hunting-for-shadow-copy-deletion/SKILL.md | 20 +- .../SKILL.md | 20 +- .../SKILL.md | 20 +- .../SKILL.md | 19 +- .../SKILL.md | 19 +- .../SKILL.md | 19 +- .../SKILL.md | 20 +- skills/hunting-for-webshell-activity/SKILL.md | 20 +- .../SKILL.md | 29 +- .../SKILL.md | 24 +- .../SKILL.md | 27 +- .../SKILL.md | 24 +- .../SKILL.md | 28 +- .../SKILL.md | 21 +- .../SKILL.md | 28 +- .../SKILL.md | 33 +- .../SKILL.md | 19 +- .../SKILL.md | 28 +- .../SKILL.md | 22 +- .../SKILL.md | 33 +- .../SKILL.md | 30 +- .../SKILL.md | 29 +- .../SKILL.md | 18 +- .../SKILL.md | 31 +- .../SKILL.md | 42 +- .../SKILL.md | 27 +- .../SKILL.md | 28 +- .../SKILL.md | 23 +- .../SKILL.md | 23 +- .../SKILL.md | 33 +- .../SKILL.md | 20 +- .../SKILL.md | 24 +- .../SKILL.md | 26 +- .../SKILL.md | 22 +- .../SKILL.md | 36 +- .../SKILL.md | 36 +- .../SKILL.md | 35 +- .../SKILL.md | 287 +------------- .../SKILL.md | 33 +- .../mapping-mitre-attack-techniques/SKILL.md | 33 +- skills/monitoring-darkweb-sources/SKILL.md | 31 +- .../SKILL.md | 20 +- .../SKILL.md | 194 +-------- .../SKILL.md | 21 +- .../SKILL.md | 19 +- .../SKILL.md | 45 ++- .../SKILL.md | 21 +- .../SKILL.md | 19 +- .../SKILL.md | 295 +------------- .../SKILL.md | 25 +- .../SKILL.md | 20 +- .../SKILL.md | 22 +- .../SKILL.md | 23 +- .../SKILL.md | 20 +- .../SKILL.md | 32 +- .../SKILL.md | 21 +- .../SKILL.md | 29 +- .../SKILL.md | 22 +- .../SKILL.md | 30 +- .../SKILL.md | 20 +- .../performing-kerberoasting-attack/SKILL.md | 21 +- .../SKILL.md | 28 +- .../SKILL.md | 20 +- .../SKILL.md | 20 +- .../SKILL.md | 20 +- .../SKILL.md | 27 +- .../SKILL.md | 20 +- .../SKILL.md | 35 +- .../performing-purple-team-exercise/SKILL.md | 28 +- .../SKILL.md | 23 +- .../SKILL.md | 32 +- .../SKILL.md | 36 +- .../SKILL.md | 22 +- .../SKILL.md | 20 +- .../SKILL.md | 23 +- .../SKILL.md | 21 +- .../SKILL.md | 21 +- .../SKILL.md | 27 +- .../SKILL.md | 22 +- skills/triaging-security-incident/SKILL.md | 216 +--------- 209 files changed, 3959 insertions(+), 3379 deletions(-) diff --git a/ATTACK_COVERAGE.md b/ATTACK_COVERAGE.md index ebce0944..4fcc2bde 100644 --- a/ATTACK_COVERAGE.md +++ b/ATTACK_COVERAGE.md @@ -467,6 +467,43 @@ To regenerate: `python3 extract_attack.py` --- +## MITRE ATLAS Coverage (v5.5.0) + +81 skills mapped to ATLAS adversarial ML techniques. + +Key techniques applied: +- AML.T0051 — LLM Prompt Injection (Execution) +- AML.T0054 — LLM Jailbreak (Privilege Escalation) +- AML.T0088 — Generate Deepfakes (AI Attack Staging) +- AML.T0010 — AI Supply Chain Compromise (Initial Access) +- AML.T0020 — Poison Training Data (Resource Development) +- AML.T0070 — RAG Poisoning (Persistence) +- AML.T0080 — AI Agent Context Poisoning (Persistence) +- AML.T0056 — Extract LLM System Prompt (Exfiltration) + +## MITRE D3FEND Coverage (v1.3) + +11 skills mapped to D3FEND defensive countermeasures. + +Countermeasures applied span D3FEND tactical categories: +Harden, Detect, Isolate, Deceive, Evict, Restore. +Each skill's d3fend_techniques field lists the top 5 most relevant +defensive countermeasures derived from the skill's ATT&CK technique tags. + +## NIST AI RMF Coverage (AI 100-1) + +85 skills mapped to NIST AI Risk Management Framework subcategories. + +Core functions covered: +- GOVERN: Organizational accountability for AI risk (GOVERN-1.1, GOVERN-6.1, GOVERN-6.2) +- MAP: AI risk identification and context (MAP-5.1, MAP-5.2, MAP-1.6) +- MEASURE: AI risk analysis and evaluation (MEASURE-2.5, MEASURE-2.7, MEASURE-2.8, MEASURE-2.11) +- MANAGE: AI risk response and recovery (MANAGE-2.4, MANAGE-3.1) + +GenAI-specific subcategories applied: GOVERN-6.1, GOVERN-6.2 (responsible deployment policies). + +--- +

Part of Anthropic Cybersecurity Skills — 753+ open-source cybersecurity skills for AI agents

\ No newline at end of file diff --git a/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md b/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md index 450ed943..d0a565d9 100644 --- a/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md +++ b/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md @@ -1,12 +1,27 @@ --- name: analyzing-apt-group-with-mitre-navigator -description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense. +description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps + of adversary TTPs for detection gap analysis and threat-informed defense. domain: cybersecurity subdomain: threat-intelligence -tags: [mitre-attack, navigator, apt, threat-actor, ttp-analysis, heatmap, detection-gap, threat-intelligence] -version: "1.0" +tags: +- mitre-attack +- navigator +- apt +- threat-actor +- ttp-analysis +- heatmap +- detection-gap +- threat-intelligence +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Analyzing APT Group with MITRE ATT&CK Navigator diff --git a/skills/analyzing-certificate-transparency-for-phishing/SKILL.md b/skills/analyzing-certificate-transparency-for-phishing/SKILL.md index c75a80d4..f99547bf 100644 --- a/skills/analyzing-certificate-transparency-for-phishing/SKILL.md +++ b/skills/analyzing-certificate-transparency-for-phishing/SKILL.md @@ -1,12 +1,23 @@ --- name: analyzing-certificate-transparency-for-phishing -description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization. +description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, + and unauthorized certificate issuance targeting your organization. domain: cybersecurity subdomain: threat-intelligence -tags: [certificate-transparency, ct-logs, phishing, crt-sh, certstream, ssl, domain-monitoring, threat-intelligence] -version: "1.0" +tags: +- certificate-transparency +- ct-logs +- phishing +- crt-sh +- certstream +- ssl +- domain-monitoring +- threat-intelligence +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0052 --- # Analyzing Certificate Transparency for Phishing diff --git a/skills/analyzing-cloud-storage-access-patterns/SKILL.md b/skills/analyzing-cloud-storage-access-patterns/SKILL.md index 625d0764..7d5887f3 100644 --- a/skills/analyzing-cloud-storage-access-patterns/SKILL.md +++ b/skills/analyzing-cloud-storage-access-patterns/SKILL.md @@ -1,16 +1,25 @@ --- name: analyzing-cloud-storage-access-patterns -description: >- - Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail - Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, - access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration - using statistical baselines and time-series anomaly detection. +description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS + audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API + calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection. domain: cybersecurity subdomain: cloud-security -tags: [analyzing, cloud, storage, access] -version: "1.0" +tags: +- analyzing +- cloud +- storage +- access +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0024 +- AML.T0056 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 --- diff --git a/skills/analyzing-dns-logs-for-exfiltration/SKILL.md b/skills/analyzing-dns-logs-for-exfiltration/SKILL.md index bf2accf0..9401224e 100644 --- a/skills/analyzing-dns-logs-for-exfiltration/SKILL.md +++ b/skills/analyzing-dns-logs-for-exfiltration/SKILL.md @@ -1,16 +1,28 @@ --- name: analyzing-dns-logs-for-exfiltration -description: > - Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, - and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length - detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass - traditional network security controls. +description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert + C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC + teams need to identify DNS-based threats that bypass traditional network security controls. + + ' domain: cybersecurity subdomain: soc-operations -tags: [soc, dns, exfiltration, dns-tunneling, dga, c2-detection, splunk, threat-detection] -version: "1.0" +tags: +- soc +- dns +- exfiltration +- dns-tunneling +- dga +- c2-detection +- splunk +- threat-detection +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0024 +- AML.T0056 +- AML.T0086 --- # Analyzing DNS Logs for Exfiltration diff --git a/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md b/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md index d5133ac4..dd8c0d10 100644 --- a/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md +++ b/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md @@ -1,12 +1,22 @@ --- name: analyzing-email-headers-for-phishing-investigation -description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation. +description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify + spoofing through SPF, DKIM, and DMARC validation. domain: cybersecurity subdomain: digital-forensics -tags: [forensics, email-analysis, phishing, spf, dkim, dmarc, header-analysis] -version: "1.0" +tags: +- forensics +- email-analysis +- phishing +- spf +- dkim +- dmarc +- header-analysis +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0052 --- # Analyzing Email Headers for Phishing Investigation diff --git a/skills/analyzing-indicators-of-compromise/SKILL.md b/skills/analyzing-indicators-of-compromise/SKILL.md index 81e244b2..74af2ad2 100644 --- a/skills/analyzing-indicators-of-compromise/SKILL.md +++ b/skills/analyzing-indicators-of-compromise/SKILL.md @@ -1,17 +1,27 @@ --- name: analyzing-indicators-of-compromise -description: > - Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, - and email artifacts to determine maliciousness confidence, campaign attribution, and blocking - priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds; - enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions. - Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines. +description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts + to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing + emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist + decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines. + + ' domain: cybersecurity subdomain: threat-intelligence -tags: [IOC, VirusTotal, AbuseIPDB, MalwareBazaar, MISP, threat-intelligence, STIX, NIST-CSF] +tags: +- IOC +- VirusTotal +- AbuseIPDB +- MalwareBazaar +- MISP +- threat-intelligence +- STIX +- NIST-CSF version: 1.0.0 author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0052 --- # Analyzing Indicators of Compromise diff --git a/skills/analyzing-ios-app-security-with-objection/SKILL.md b/skills/analyzing-ios-app-security-with-objection/SKILL.md index c53dbadb..b862b830 100644 --- a/skills/analyzing-ios-app-security-with-objection/SKILL.md +++ b/skills/analyzing-ios-app-security-with-objection/SKILL.md @@ -1,18 +1,31 @@ --- name: analyzing-ios-app-security-with-objection -description: > - Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered - toolkit that enables security testers to interact with app internals without jailbreaking. Use when - assessing iOS app security posture, bypassing client-side protections, dumping keychain items, - inspecting filesystem storage, and evaluating runtime behavior. Activates for requests involving - iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile runtime - exploration. +description: 'Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered toolkit that + enables security testers to interact with app internals without jailbreaking. Use when assessing iOS app security posture, + bypassing client-side protections, dumping keychain items, inspecting filesystem storage, and evaluating runtime behavior. + Activates for requests involving iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile + runtime exploration. + + ' domain: cybersecurity subdomain: mobile-security author: mahipal -tags: [mobile-security, ios, objection, frida, owasp-mobile, penetration-testing] +tags: +- mobile-security +- ios +- objection +- frida +- owasp-mobile +- penetration-testing version: 1.0.0 license: Apache-2.0 +atlas_techniques: +- AML.T0054 +nist_ai_rmf: +- MEASURE-2.7 +- MANAGE-2.4 +- GOVERN-6.2 +- MAP-5.1 --- # Analyzing iOS App Security with Objection diff --git a/skills/analyzing-macro-malware-in-office-documents/SKILL.md b/skills/analyzing-macro-malware-in-office-documents/SKILL.md index 914ff710..e37b826e 100644 --- a/skills/analyzing-macro-malware-in-office-documents/SKILL.md +++ b/skills/analyzing-macro-malware-in-office-documents/SKILL.md @@ -1,17 +1,31 @@ --- name: analyzing-macro-malware-in-office-documents -description: > - Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) - to identify download cradles, payload execution, persistence mechanisms, and anti-analysis - techniques. Uses olevba, oledump, and VBA deobfuscation to extract the attack chain. - Activates for requests involving Office macro analysis, VBA malware investigation, - maldoc analysis, or document-based threat examination. +description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download + cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation + to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis, + or document-based threat examination. + + ' domain: cybersecurity subdomain: malware-analysis -tags: [malware, macro, Office, VBA, document-malware] +tags: +- malware +- macro +- Office +- VBA +- document-malware version: 1.0.0 author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0068 +- AML.T0067 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- # Analyzing Macro Malware in Office Documents diff --git a/skills/analyzing-malicious-url-with-urlscan/SKILL.md b/skills/analyzing-malicious-url-with-urlscan/SKILL.md index fbe80191..0f0f3452 100644 --- a/skills/analyzing-malicious-url-with-urlscan/SKILL.md +++ b/skills/analyzing-malicious-url-with-urlscan/SKILL.md @@ -1,12 +1,22 @@ --- name: analyzing-malicious-url-with-urlscan -description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat +description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, + HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat domain: cybersecurity subdomain: phishing-defense -tags: [phishing, email-security, social-engineering, dmarc, awareness, url-analysis, threat-intelligence] -version: "1.0" +tags: +- phishing +- email-security +- social-engineering +- dmarc +- awareness +- url-analysis +- threat-intelligence +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0052 --- # Analyzing Malicious URL with URLScan diff --git a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md index 29e03be7..452abcfe 100644 --- a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md +++ b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md @@ -1,101 +1,12 @@ --- -name: analyzing-malware-persistence-with-autoruns -description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems. -domain: cybersecurity -subdomain: malware-analysis -tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response] -mitre_attack: ["T1547", "T1053", "T1543", "T1546"] -version: "1.0" -author: mahipal -license: Apache-2.0 ---- -# Analyzing Malware Persistence with Autoruns - -## Overview - -Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination. - - -## When to Use - -- When investigating security incidents that require analyzing malware persistence with autoruns -- When building detection rules or threat hunting queries for this domain -- When SOC analysts need structured procedures for this analysis type -- When validating security monitoring coverage for related attack techniques - -## Prerequisites - -- Sysinternals Autoruns (GUI) and Autorunsc (CLI) -- Administrative privileges on target system -- Python 3.9+ for automated analysis -- VirusTotal API key for reputation checks -- Clean baseline export for comparison - -## Workflow - -### Step 1: Automated Persistence Scanning - -```python -#!/usr/bin/env python3 -"""Automate Autoruns-based persistence analysis.""" -import subprocess -import csv -import json -import sys - - -def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"): - cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-nobanner", "*"] - result = subprocess.run(cmd, capture_output=True, text=True, timeout=600) - with open(csv_path, 'w') as f: - f.write(result.stdout) - return parse_and_flag(csv_path) - - -def parse_and_flag(csv_path): - suspicious = [] - with open(csv_path, 'r', errors='replace') as f: - for row in csv.DictReader(f): - reasons = [] - signer = row.get("Signer", "") - if not signer or signer == "(Not verified)": - reasons.append("Unsigned binary") - if not row.get("Description") and not row.get("Company"): - reasons.append("Missing metadata") - path = row.get("Image Path", "").lower() - for sp in ["\temp\\", "\appdata\local\temp", "\users\public\\"]: - if sp in path: - reasons.append(f"Suspicious path") - launch = row.get("Launch String", "").lower() - for kw in ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]: - if kw in launch: - reasons.append(f"LOLBin: {kw}") - if reasons: - row["reasons"] = reasons - suspicious.append(row) - return suspicious - - -if __name__ == "__main__": - if len(sys.argv) > 1: - results = parse_and_flag(sys.argv[1]) - print(f"[!] {len(results)} suspicious entries") - for r in results: - print(f" {r.get('Entry','')} - {r.get('Image Path','')}") - for reason in r.get('reasons', []): - print(f" - {reason}") -``` - -## Validation Criteria - -- All ASEP categories scanned and cataloged -- Unsigned entries flagged for investigation -- Suspicious paths and LOLBin launch strings highlighted -- Baseline comparison identifies new persistence mechanisms - -## References - -- [Sysinternals Autoruns](https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns) -- [SANS - Offline Autoruns Revisited](https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/) -- [Hunting Malware with Autoruns](https://nasbench.medium.com/hunting-malware-with-windows-sysinternals-autoruns-19cbfe4103c2) -- [MITRE ATT&CK T1547 - Boot or Logon Autostart](https://attack.mitre.org/techniques/T1547/) +{} +---tags: +- autoruns +- persistence +- malware-analysis +- sysinternals +- windows +- registry +- startup +- incident-response +version: '1.0' diff --git a/skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md b/skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md index 5cedaace..533c20d6 100644 --- a/skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md +++ b/skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md @@ -1,19 +1,26 @@ --- name: analyzing-malware-sandbox-evasion-techniques -description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports +description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction + detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports domain: cybersecurity subdomain: malware-analysis tags: - - sandbox-evasion - - malware-analysis - - cuckoo - - anyrun - - mitre-attack - - virtualization-detection - - behavioral-analysis -version: "1.0" +- sandbox-evasion +- malware-analysis +- cuckoo +- anyrun +- mitre-attack +- virtualization-detection +- behavioral-analysis +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Platform Hardening +- Restore Object +- Process Analysis +- System Call Filtering +- Restore Software --- # Analyzing Malware Sandbox Evasion Techniques diff --git a/skills/analyzing-network-covert-channels-in-malware/SKILL.md b/skills/analyzing-network-covert-channels-in-malware/SKILL.md index ad68dcb3..c32d3bcd 100644 --- a/skills/analyzing-network-covert-channels-in-malware/SKILL.md +++ b/skills/analyzing-network-covert-channels-in-malware/SKILL.md @@ -1,12 +1,26 @@ --- name: analyzing-network-covert-channels-in-malware -description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration. +description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, + steganographic HTTP, and protocol abuse for C2 and data exfiltration. domain: cybersecurity subdomain: malware-analysis -tags: [covert-channels, dns-tunneling, icmp-exfiltration, malware-analysis, network-forensics, c2-detection, data-exfiltration] -version: "1.0" +tags: +- covert-channels +- dns-tunneling +- icmp-exfiltration +- malware-analysis +- network-forensics +- c2-detection +- data-exfiltration +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Certificate Analysis +- Application Protocol Command Analysis +- Content Format Conversion +- File Content Analysis --- # Analyzing Network Covert Channels in Malware diff --git a/skills/analyzing-outlook-pst-for-email-forensics/SKILL.md b/skills/analyzing-outlook-pst-for-email-forensics/SKILL.md index 5304d408..fad21aeb 100644 --- a/skills/analyzing-outlook-pst-for-email-forensics/SKILL.md +++ b/skills/analyzing-outlook-pst-for-email-forensics/SKILL.md @@ -1,12 +1,28 @@ --- name: analyzing-outlook-pst-for-email-forensics -description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments, deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident response. +description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments, + deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident + response. domain: cybersecurity subdomain: digital-forensics -tags: [email-forensics, pst, ost, outlook, mapi, email-headers, attachments, deleted-emails, libpff, eml-extraction] -version: "1.0" +tags: +- email-forensics +- pst +- ost +- outlook +- mapi +- email-headers +- attachments +- deleted-emails +- libpff +- eml-extraction +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MANAGE-2.4 +- MANAGE-3.1 +- MEASURE-3.1 --- # Analyzing Outlook PST for Email Forensics diff --git a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md index 5d24a33c..d87b34e0 100644 --- a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md +++ b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md @@ -1,49 +1,11 @@ --- -name: analyzing-persistence-mechanisms-in-linux -description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring -domain: cybersecurity -subdomain: threat-hunting -tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response] -mitre_attack: ["T1053.003", "T1543.002", "T1574.006", "T1546.004"] -version: "1.0" -author: mahipal -license: Apache-2.0 ---- - -# Analyzing Persistence Mechanisms in Linux - -## Overview - -Adversaries establish persistence on Linux systems through crontab jobs, systemd service/timer units, LD_PRELOAD library injection, shell profile modifications (.bashrc, .profile), SSH authorized_keys backdoors, and init script manipulation. This skill scans for all known persistence vectors, checks file timestamps and integrity, and correlates findings with auditd logs to build a timeline of persistence installation. - - -## When to Use - -- When investigating security incidents that require analyzing persistence mechanisms in linux -- When building detection rules or threat hunting queries for this domain -- When SOC analysts need structured procedures for this analysis type -- When validating security monitoring coverage for related attack techniques - -## Prerequisites - -- Root or sudo access on target Linux system (or forensic image) -- auditd configured with file watch rules on persistence paths -- Python 3.8+ with standard library (os, subprocess, json) -- Optional: OSSEC/Wazuh agent for file integrity monitoring alerts - -## Steps - -1. **Scan Crontab Entries** — Enumerate all user crontabs, /etc/cron.d/, /etc/cron.daily/, and anacron jobs for suspicious commands -2. **Audit Systemd Units** — Check /etc/systemd/system/ and ~/.config/systemd/user/ for non-package-managed service and timer units -3. **Detect LD_PRELOAD Hijacking** — Check /etc/ld.so.preload and LD_PRELOAD environment variable for injected shared libraries -4. **Inspect Shell Profiles** — Scan .bashrc, .bash_profile, .profile, /etc/profile.d/ for injected commands or reverse shells -5. **Check SSH Authorized Keys** — Audit all authorized_keys files for unauthorized public keys with command restrictions -6. **Correlate Auditd Logs** — Search auditd logs for file modification events on persistence paths to build an installation timeline -7. **Generate Persistence Report** — Produce a risk-scored report of all discovered persistence mechanisms - -## Expected Output - -- JSON report of all persistence mechanisms found with risk scores -- Timeline of persistence installation from auditd correlation -- MITRE ATT&CK technique mapping (T1053, T1543, T1574, T1546) -- Remediation commands for each detected persistence mechanism +{} +---tags: +- linux-persistence +- crontab +- systemd +- ld-preload +- auditd +- threat-hunting +- incident-response +version: '1.0' diff --git a/skills/analyzing-powershell-empire-artifacts/SKILL.md b/skills/analyzing-powershell-empire-artifacts/SKILL.md index 969a750e..b202e6a8 100644 --- a/skills/analyzing-powershell-empire-artifacts/SKILL.md +++ b/skills/analyzing-powershell-empire-artifacts/SKILL.md @@ -1,12 +1,32 @@ --- name: analyzing-powershell-empire-artifacts -description: Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events. +description: Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, + default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events. domain: cybersecurity subdomain: threat-hunting -tags: [PowerShell-Empire, threat-hunting, Script-Block-Logging, base64, stager, C2, MITRE-ATT&CK, T1059.001, forensics] -version: "1.0" +tags: +- PowerShell-Empire +- threat-hunting +- Script-Block-Logging +- base64 +- stager +- C2 +- MITRE-ATT&CK +- T1059.001 +- forensics +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis +nist_ai_rmf: +- GOVERN-1.1 +- MEASURE-2.7 +- MANAGE-3.1 --- # Analyzing PowerShell Empire Artifacts diff --git a/skills/analyzing-ransomware-network-indicators/SKILL.md b/skills/analyzing-ransomware-network-indicators/SKILL.md index 493ba63f..2ec5a291 100644 --- a/skills/analyzing-ransomware-network-indicators/SKILL.md +++ b/skills/analyzing-ransomware-network-indicators/SKILL.md @@ -1,12 +1,26 @@ --- name: analyzing-ransomware-network-indicators -description: Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange via Zeek conn.log and NetFlow analysis +description: Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration + flows, and encryption key exchange via Zeek conn.log and NetFlow analysis domain: cybersecurity subdomain: threat-hunting -tags: [ransomware, c2-beaconing, zeek, netflow, tor, exfiltration, network-forensics] -version: "1.0" +tags: +- ransomware +- c2-beaconing +- zeek +- netflow +- tor +- exfiltration +- network-forensics +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Certificate Analysis +- Application Protocol Command Analysis +- Content Format Conversion +- File Content Analysis --- # Analyzing Ransomware Network Indicators diff --git a/skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md b/skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md index 2a53b70d..08e7a681 100644 --- a/skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md +++ b/skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md @@ -1,18 +1,36 @@ --- name: analyzing-sbom-for-supply-chain-vulnerabilities -description: > - Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify - supply chain vulnerabilities by correlating components against the NVD CVE database via - the NVD 2.0 API. Builds dependency graphs, calculates risk scores, identifies transitive - vulnerability paths, and generates compliance reports. Activates for requests involving - SBOM analysis, software composition analysis, supply chain security assessment, dependency - vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation. +description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities + by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores, + identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis, + software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing, + or CVE correlation. + + ' domain: cybersecurity subdomain: supply-chain-security -tags: [SBOM, CycloneDX, SPDX, NVD, CVE, supply-chain, dependency-analysis, syft, grype] +tags: +- SBOM +- CycloneDX +- SPDX +- NVD +- CVE +- supply-chain +- dependency-analysis +- syft +- grype version: 1.0.0 author: mukul975 license: Apache-2.0 +atlas_techniques: +- AML.T0010 +- AML.T0104 +nist_ai_rmf: +- GOVERN-5.2 +- MAP-1.6 +- MANAGE-2.2 +- GOVERN-1.1 +- GOVERN-4.2 --- # Analyzing SBOM for Supply Chain Vulnerabilities diff --git a/skills/analyzing-security-logs-with-splunk/SKILL.md b/skills/analyzing-security-logs-with-splunk/SKILL.md index f0cf8d2e..8c2ec7c5 100644 --- a/skills/analyzing-security-logs-with-splunk/SKILL.md +++ b/skills/analyzing-security-logs-with-splunk/SKILL.md @@ -1,239 +1,8 @@ --- -name: analyzing-security-logs-with-splunk -description: > - Leverages Splunk Enterprise Security and SPL (Search Processing Language) to - investigate security incidents through log correlation, timeline reconstruction, - and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and - authentication data analysis. Activates for requests involving Splunk investigation, - SPL queries, SIEM log analysis, security event correlation, or log-based incident - investigation. -domain: cybersecurity -subdomain: incident-response -tags: [splunk, SPL, SIEM, log-analysis, security-monitoring] -mitre_attack: ["T1070", "T1562", "T1059"] -version: 1.0.0 -author: mahipal -license: Apache-2.0 ---- - -# Analyzing Security Logs with Splunk - -## When to Use - -- Investigating a security incident that requires correlation across multiple log sources -- Hunting for adversary activity using known TTPs and IOCs -- Building detection rules for specific attack patterns -- Reconstructing an incident timeline from disparate log sources -- Analyzing authentication anomalies, lateral movement, or data exfiltration patterns - -**Do not use** for real-time packet-level analysis; use Wireshark or Zeek for full packet capture analysis. - -## Prerequisites - -- Splunk Enterprise or Splunk Cloud with Enterprise Security (ES) app installed -- Log sources ingested: Windows Event Logs (via Splunk Universal Forwarder or WEF), firewall, proxy, DNS, EDR, email gateway -- Splunk CIM (Common Information Model) data models configured for normalized field names -- SPL proficiency at intermediate level or higher -- Role-based access with `search` and `accelerate_search` capabilities in Splunk - -## Workflow - -### Step 1: Scope the Investigation in Splunk - -Define search parameters based on incident triage data: - -```spl -| Set initial investigation scope -index=windows OR index=firewall OR index=proxy - earliest="2025-11-14T00:00:00" latest="2025-11-16T00:00:00" - (host="WKSTN-042" OR src_ip="10.1.5.42" OR user="jsmith") -| stats count by index, sourcetype, host -| sort -count -``` - -This query establishes which log sources contain relevant data for the investigation timeframe and affected assets. - -### Step 2: Analyze Authentication Events - -Investigate suspicious authentication patterns using Windows Security Event Logs: - -```spl -| Detect brute force and credential stuffing -index=windows sourcetype="WinEventLog:Security" EventCode=4625 - earliest=-24h -| stats count as failed_attempts, values(src_ip) as source_ips, - dc(src_ip) as unique_sources by TargetUserName -| where failed_attempts > 10 -| sort -failed_attempts - -| Detect pass-the-hash (Logon Type 9 - NewCredentials) -index=windows sourcetype="WinEventLog:Security" EventCode=4624 - Logon_Type=9 -| table _time, host, TargetUserName, src_ip, LogonProcessName - -| Detect lateral movement via RDP -index=windows sourcetype="WinEventLog:Security" EventCode=4624 - Logon_Type=10 -| stats count, values(host) as targets by TargetUserName, src_ip -| where count > 3 -| sort -count -``` - -### Step 3: Trace Process Execution - -Use Sysmon logs to reconstruct process execution chains: - -```spl -| Process creation with parent chain (Sysmon Event ID 1) -index=sysmon EventCode=1 host="WKSTN-042" - earliest="2025-11-15T14:00:00" latest="2025-11-15T15:00:00" -| table _time, ParentImage, ParentCommandLine, Image, CommandLine, User, Hashes -| sort _time - -| Detect suspicious PowerShell execution -index=sysmon EventCode=1 Image="*\\powershell.exe" - (CommandLine="*-enc*" OR CommandLine="*-encodedcommand*" - OR CommandLine="*downloadstring*" OR CommandLine="*iex*") -| table _time, host, User, ParentImage, CommandLine -| sort _time - -| Detect LSASS credential dumping -index=sysmon EventCode=10 TargetImage="*\\lsass.exe" - GrantedAccess=0x1010 -| table _time, host, SourceImage, SourceUser, GrantedAccess -``` - -### Step 4: Analyze Network Activity - -Correlate network logs with endpoint events: - -```spl -| Detect C2 beaconing pattern -index=proxy OR index=firewall dest_ip="185.220.101.42" -| timechart span=1m count by src_ip -| where count > 0 - -| Detect DNS tunneling (high query volume to single domain) -index=dns -| rex field=query "(?[^\.]+)\.(?[^\.]+\.[^\.]+)$" -| stats count, avg(len(query)) as avg_query_len by domain, src_ip -| where count > 500 AND avg_query_len > 40 -| sort -count - -| Detect large data transfers (potential exfiltration) -index=proxy action=allowed -| stats sum(bytes_out) as total_bytes by src_ip, dest_ip, dest_host -| eval total_MB=round(total_bytes/1024/1024,2) -| where total_MB > 100 -| sort -total_MB -``` - -### Step 5: Build the Incident Timeline - -Reconstruct a unified timeline across all log sources: - -```spl -| Unified incident timeline -index=windows OR index=sysmon OR index=proxy OR index=firewall - (host="WKSTN-042" OR src_ip="10.1.5.42" OR user="jsmith") - earliest="2025-11-15T14:00:00" latest="2025-11-15T16:00:00" -| eval event_summary=case( - sourcetype=="WinEventLog:Security" AND EventCode==4624, "Logon: ".TargetUserName." from ".src_ip, - sourcetype=="WinEventLog:Security" AND EventCode==4625, "Failed logon: ".TargetUserName, - sourcetype=="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode==1, - "Process: ".Image." by ".User, - sourcetype=="proxy", "Web: ".http_method." ".url, - 1==1, sourcetype.": ".EventCode) -| table _time, sourcetype, host, event_summary -| sort _time -``` - -### Step 6: Create Detection Rules - -Convert investigation findings into persistent Splunk correlation searches: - -```spl -| Correlation search: PowerShell spawned by Office applications -index=sysmon EventCode=1 - Image="*\\powershell.exe" - (ParentImage="*\\winword.exe" OR ParentImage="*\\excel.exe" - OR ParentImage="*\\outlook.exe") -| eval severity="high" -| eval mitre_technique="T1059.001" -| collect index=notable_events -``` - -## Key Concepts - -| Term | Definition | -|------|------------| -| **SPL (Search Processing Language)** | Splunk's query language for searching, filtering, transforming, and visualizing machine data | -| **CIM (Common Information Model)** | Splunk's field normalization standard that maps vendor-specific field names to common names for cross-source queries | -| **Notable Event** | An event in Splunk Enterprise Security flagged for analyst review based on a correlation search match | -| **Data Model** | Structured representation of indexed data in Splunk enabling accelerated searches and pivot-based analysis | -| **Sourcetype** | Classification label in Splunk that defines the format and parsing rules for a specific log type | -| **Correlation Search** | Scheduled Splunk search that runs continuously and generates notable events when conditions are met | -| **Timechart** | SPL command that creates time-series visualizations for identifying patterns, anomalies, and trends | - -## Tools & Systems - -- **Splunk Enterprise Security (ES)**: Premium SIEM application providing correlation searches, risk-based alerting, and investigation workbench -- **Splunk SOAR**: Orchestration platform integrated with Splunk ES for automated response playbooks -- **Sysmon**: Microsoft system monitoring tool providing detailed process, network, and file change telemetry ingested into Splunk -- **Splunk Attack Analyzer**: Automated threat analysis that detonates suspicious files and URLs, feeding results into Splunk -- **BOSS of the SOC (BOTS)**: SANS/Splunk training dataset for practicing incident investigation SPL queries - -## Common Scenarios - -### Scenario: Investigating Credential Stuffing Leading to Account Takeover - -**Context**: Security operations receives an alert for multiple successful logins to a single account from geographically dispersed IP addresses within a 30-minute window. - -**Approach**: -1. Query Event ID 4624 for the affected account to map all login sources and times -2. Correlate login IPs against threat intelligence feeds using a Splunk lookup table -3. Check proxy logs for suspicious activity from the authenticated sessions -4. Search for lateral movement from the compromised account (Event ID 4624 Type 3 to other hosts) -5. Build a timeline showing credential stuffing attempts, successful login, and post-compromise activity -6. Create a correlation search to detect similar patterns on other accounts - -**Pitfalls**: -- Searching only the last 24 hours when the credential stuffing may have occurred over weeks -- Not checking for VPN logs that may show the same account authenticating from impossible travel distances -- Failing to normalize timestamps across log sources in different time zones - -## Output Format - -``` -SPLUNK INVESTIGATION REPORT -============================ -Incident: INC-2025-1547 -Analyst: [Name] -Investigation Period: 2025-11-14 00:00 UTC - 2025-11-16 00:00 UTC - -SEARCH SCOPE -Indexes: windows, sysmon, proxy, firewall, dns -Hosts: WKSTN-042, SRV-FILE01 -Users: jsmith, svc-backup -Source IPs: 10.1.5.42, 10.1.10.15 - -KEY FINDINGS -1. [timestamp] - Initial compromise via phishing (Sysmon Event 1) -2. [timestamp] - C2 established (proxy logs, beacon pattern detected) -3. [timestamp] - Credential theft (Sysmon Event 10, LSASS access) -4. [timestamp] - Lateral movement to SRV-FILE01 (Event 4624 Type 3) -5. [timestamp] - Data staging and exfiltration (proxy bytes_out anomaly) - -SPL QUERIES USED -[numbered list of key queries with descriptions] - -DETECTION GAPS IDENTIFIED -- No Sysmon deployed on SRV-FILE01 (blind spot) -- Proxy logs missing SSL inspection for C2 domain -- PowerShell ScriptBlock logging not enabled - -RECOMMENDED DETECTIONS -1. Correlation search for Office-spawned PowerShell -2. Threshold alert for LSASS access patterns -3. Behavioral rule for beacon-interval network traffic -``` +{} +---tags: +- splunk +- SPL +- SIEM +- log-analysis +- security-monitoring diff --git a/skills/analyzing-supply-chain-malware-artifacts/SKILL.md b/skills/analyzing-supply-chain-malware-artifacts/SKILL.md index 9cbf6b3a..2df5adb0 100644 --- a/skills/analyzing-supply-chain-malware-artifacts/SKILL.md +++ b/skills/analyzing-supply-chain-malware-artifacts/SKILL.md @@ -1,12 +1,33 @@ --- name: analyzing-supply-chain-malware-artifacts -description: Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines, and sideloaded dependencies to identify intrusion vectors and scope of compromise. +description: Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines, + and sideloaded dependencies to identify intrusion vectors and scope of compromise. domain: cybersecurity subdomain: malware-analysis -tags: [supply-chain, malware-analysis, trojanized-software, solarwinds, 3cx, dependency-confusion, software-integrity] -version: "1.0" +tags: +- supply-chain +- malware-analysis +- trojanized-software +- solarwinds +- 3cx +- dependency-confusion +- software-integrity +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0010 +- AML.T0104 +nist_ai_rmf: +- GOVERN-5.2 +- MAP-1.6 +- MANAGE-2.2 +d3fend_techniques: +- Platform Hardening +- Hardware Component Inventory +- Restore Object +- Electromagnetic Radiation Hardening +- RF Shielding --- # Analyzing Supply Chain Malware Artifacts diff --git a/skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md b/skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md index c1e26f7d..d4e475b8 100644 --- a/skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md +++ b/skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md @@ -1,12 +1,26 @@ --- name: analyzing-threat-actor-ttps-with-mitre-attack -description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh +description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) + based on real-world observations. This skill covers systematically mapping threat actor beh domain: cybersecurity subdomain: threat-intelligence -tags: [threat-intelligence, cti, ioc, mitre-attack, stix, ttp-analysis, threat-actors] -version: "1.0" +tags: +- threat-intelligence +- cti +- ioc +- mitre-attack +- stix +- ttp-analysis +- threat-actors +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Analyzing Threat Actor TTPs with MITRE ATT&CK diff --git a/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md b/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md index 7974b530..54d6b033 100644 --- a/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md +++ b/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md @@ -1,18 +1,38 @@ --- name: analyzing-threat-actor-ttps-with-mitre-navigator -description: > - Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to - the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti Python library. The - analyst queries STIX/TAXII data for group-technique associations, generates Navigator layer - files for visualization, and compares defensive coverage against adversary profiles. - Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor - profiling, or MITRE technique coverage analysis. +description: 'Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework + using the ATT&CK Navigator and attackcti Python library. The analyst queries STIX/TAXII data for group-technique associations, + generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles. Activates + for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis. + + ' domain: cybersecurity subdomain: threat-intelligence -tags: [mitre-attack, navigator, threat-intelligence, apt, ttp-mapping, stix, attackcti] -version: "1.0" +tags: +- mitre-attack +- navigator +- threat-intelligence +- apt +- ttp-mapping +- stix +- attackcti +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- # Analyzing Threat Actor TTPs with MITRE Navigator diff --git a/skills/analyzing-threat-landscape-with-misp/SKILL.md b/skills/analyzing-threat-landscape-with-misp/SKILL.md index a116a890..349f4b3c 100644 --- a/skills/analyzing-threat-landscape-with-misp/SKILL.md +++ b/skills/analyzing-threat-landscape-with-misp/SKILL.md @@ -1,17 +1,25 @@ --- name: analyzing-threat-landscape-with-misp -description: >- - Analyze the threat landscape using MISP (Malware Information Sharing Platform) - by querying event statistics, attribute distributions, threat actor galaxy - clusters, and tag trends over time. Uses PyMISP to pull event data, compute - IOC type breakdowns, identify top threat actors and malware families, and - generate threat landscape reports with temporal trends. +description: Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics, + attribute distributions, threat actor galaxy clusters, and tag trends over time. Uses PyMISP to pull event data, compute + IOC type breakdowns, identify top threat actors and malware families, and generate threat landscape reports with temporal + trends. domain: cybersecurity subdomain: threat-intelligence -tags: [analyzing, threat, landscape, with] -version: "1.0" +tags: +- analyzing +- threat +- landscape +- with +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- diff --git a/skills/analyzing-tls-certificate-transparency-logs/SKILL.md b/skills/analyzing-tls-certificate-transparency-logs/SKILL.md index 30cc694f..bd2ee82f 100644 --- a/skills/analyzing-tls-certificate-transparency-logs/SKILL.md +++ b/skills/analyzing-tls-certificate-transparency-logs/SKILL.md @@ -1,16 +1,23 @@ --- name: analyzing-tls-certificate-transparency-logs -description: > - Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing - domains, unauthorized certificate issuance, and shadow IT. Monitors newly issued - certificates for typosquatting and brand impersonation using Levenshtein distance. - Use for proactive phishing domain detection and certificate monitoring. +description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate + issuance, and shadow IT. Monitors newly issued certificates for typosquatting and brand impersonation using Levenshtein + distance. Use for proactive phishing domain detection and certificate monitoring. + + ' domain: cybersecurity subdomain: security-operations -tags: [analyzing, tls, certificate, transparency] -version: "1.0" +tags: +- analyzing +- tls +- certificate +- transparency +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0073 +- AML.T0052 --- # Analyzing TLS Certificate Transparency Logs diff --git a/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md b/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md index d624fac0..57e8afc7 100644 --- a/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md +++ b/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md @@ -1,12 +1,24 @@ --- name: analyzing-typosquatting-domains-with-dnstwist -description: Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations and identify registered lookalike domains targeting your organization. +description: Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations + and identify registered lookalike domains targeting your organization. domain: cybersecurity subdomain: threat-intelligence -tags: [dnstwist, typosquatting, phishing, domain-monitoring, brand-protection, homograph, dns, threat-intelligence] -version: "1.0" +tags: +- dnstwist +- typosquatting +- phishing +- domain-monitoring +- brand-protection +- homograph +- dns +- threat-intelligence +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0073 +- AML.T0052 --- # Analyzing Typosquatting Domains with DNSTwist diff --git a/skills/analyzing-uefi-bootkit-persistence/SKILL.md b/skills/analyzing-uefi-bootkit-persistence/SKILL.md index 3a46e932..d63cd6da 100644 --- a/skills/analyzing-uefi-bootkit-persistence/SKILL.md +++ b/skills/analyzing-uefi-bootkit-persistence/SKILL.md @@ -1,19 +1,31 @@ --- name: analyzing-uefi-bootkit-persistence -description: > - Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, - EFI System Partition (ESP) modifications, Secure Boot bypass techniques, and UEFI - variable manipulation. Covers detection of known bootkit families (BlackLotus, LoJax, - MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, - chipsec-based firmware integrity verification, and Secure Boot configuration auditing. - Activates for requests involving UEFI malware analysis, firmware persistence investigation, - boot chain integrity verification, or Secure Boot bypass detection. +description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition + (ESP) modifications, Secure Boot bypass techniques, and UEFI variable manipulation. Covers detection of known bootkit families + (BlackLotus, LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, chipsec-based firmware + integrity verification, and Secure Boot configuration auditing. Activates for requests involving UEFI malware analysis, + firmware persistence investigation, boot chain integrity verification, or Secure Boot bypass detection. + + ' domain: cybersecurity subdomain: firmware-security -tags: [UEFI, bootkit, firmware, Secure-Boot, chipsec, ESP, persistence] +tags: +- UEFI +- bootkit +- firmware +- Secure-Boot +- chipsec +- ESP +- persistence version: 1.0.0 author: mukul975 license: Apache-2.0 +d3fend_techniques: +- Platform Hardening +- Restore Object +- Platform Monitoring +- Firmware Verification +- Firmware Embedded Monitoring Code --- # Analyzing UEFI Bootkit Persistence diff --git a/skills/analyzing-windows-event-logs-in-splunk/SKILL.md b/skills/analyzing-windows-event-logs-in-splunk/SKILL.md index c71cb872..3edbbc37 100644 --- a/skills/analyzing-windows-event-logs-in-splunk/SKILL.md +++ b/skills/analyzing-windows-event-logs-in-splunk/SKILL.md @@ -1,16 +1,30 @@ --- name: analyzing-windows-event-logs-in-splunk -description: > - Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, - privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to - MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats, - build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers. +description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege + escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC + analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows + endpoints and domain controllers. + + ' domain: cybersecurity subdomain: soc-operations -tags: [soc, splunk, windows-events, sysmon, event-logs, mitre-attack, active-directory] -version: "1.0" +tags: +- soc +- splunk +- windows-events +- sysmon +- event-logs +- mitre-attack +- active-directory +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Restore Access +- Password Authentication +- Biometric Authentication +- Strong Password Policy +- Restore User Account Access --- # Analyzing Windows Event Logs in Splunk diff --git a/skills/auditing-cloud-with-cis-benchmarks/SKILL.md b/skills/auditing-cloud-with-cis-benchmarks/SKILL.md index 02de8ee5..1fe8299c 100644 --- a/skills/auditing-cloud-with-cis-benchmarks/SKILL.md +++ b/skills/auditing-cloud-with-cis-benchmarks/SKILL.md @@ -1,17 +1,26 @@ --- name: auditing-cloud-with-cis-benchmarks -description: > - This skill details how to conduct cloud security audits using Center for Internet - Security benchmarks for AWS, Azure, and GCP. It covers interpreting CIS Foundations - Benchmark controls, running automated assessments with tools like Prowler and - ScoutSuite, remediating failed controls, and maintaining continuous compliance - monitoring against CIS v5 for AWS, v4 for Azure, and v4 for GCP. +description: 'This skill details how to conduct cloud security audits using Center for Internet Security benchmarks for AWS, + Azure, and GCP. It covers interpreting CIS Foundations Benchmark controls, running automated assessments with tools like + Prowler and ScoutSuite, remediating failed controls, and maintaining continuous compliance monitoring against CIS v5 for + AWS, v4 for Azure, and v4 for GCP. + + ' domain: cybersecurity subdomain: cloud-security -tags: [cis-benchmarks, cloud-audit, compliance-assessment, prowler, security-hardening] +tags: +- cis-benchmarks +- cloud-audit +- compliance-assessment +- prowler +- security-hardening version: 1.0.0 author: mahipal license: Apache-2.0 +nist_ai_rmf: +- GOVERN-1.1 +- GOVERN-4.2 +- MAP-2.3 --- # Auditing Cloud with CIS Benchmarks diff --git a/skills/building-attack-pattern-library-from-cti-reports/SKILL.md b/skills/building-attack-pattern-library-from-cti-reports/SKILL.md index e4f33199..fa70e1eb 100644 --- a/skills/building-attack-pattern-library-from-cti-reports/SKILL.md +++ b/skills/building-attack-pattern-library-from-cti-reports/SKILL.md @@ -1,12 +1,27 @@ --- name: building-attack-pattern-library-from-cti-reports -description: Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering and threat-informed defense. +description: Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library + mapped to MITRE ATT&CK for detection engineering and threat-informed defense. domain: cybersecurity subdomain: threat-intelligence -tags: [attack-pattern, cti-reports, mitre-attack, stix, detection-engineering, threat-intelligence, nlp, extraction] -version: "1.0" +tags: +- attack-pattern +- cti-reports +- mitre-attack +- stix +- detection-engineering +- threat-intelligence +- nlp +- extraction +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- # Building Attack Pattern Library from CTI Reports diff --git a/skills/building-c2-infrastructure-with-sliver-framework/SKILL.md b/skills/building-c2-infrastructure-with-sliver-framework/SKILL.md index 0476666a..eb7d2e36 100644 --- a/skills/building-c2-infrastructure-with-sliver-framework/SKILL.md +++ b/skills/building-c2-infrastructure-with-sliver-framework/SKILL.md @@ -1,12 +1,26 @@ --- name: building-c2-infrastructure-with-sliver-framework -description: Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements. +description: Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with + redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements. domain: cybersecurity subdomain: red-teaming -tags: [red-team, c2-framework, sliver, command-and-control, adversary-simulation, infrastructure, post-exploitation] -version: "1.0" +tags: +- red-team +- c2-framework +- sliver +- command-and-control +- adversary-simulation +- infrastructure +- post-exploitation +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Certificate Analysis +- Application Protocol Command Analysis +- Content Format Conversion +- File Content Analysis --- # Building C2 Infrastructure with Sliver Framework diff --git a/skills/building-cloud-siem-with-sentinel/SKILL.md b/skills/building-cloud-siem-with-sentinel/SKILL.md index 4a24f5fa..938abeaa 100644 --- a/skills/building-cloud-siem-with-sentinel/SKILL.md +++ b/skills/building-cloud-siem-with-sentinel/SKILL.md @@ -1,17 +1,30 @@ --- name: building-cloud-siem-with-sentinel -description: > - This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR - platform for centralized security operations. It details configuring data connectors - for multi-cloud log ingestion, writing KQL detection queries, building automated - response playbooks with Logic Apps, and leveraging the Sentinel data lake for - petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry. +description: 'This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR platform for centralized security + operations. It details configuring data connectors for multi-cloud log ingestion, writing KQL detection queries, building + automated response playbooks with Logic Apps, and leveraging the Sentinel data lake for petabyte-scale threat hunting across + AWS, Azure, and GCP security telemetry. + + ' domain: cybersecurity subdomain: cloud-security -tags: [microsoft-sentinel, cloud-siem, kql-queries, soar-automation, threat-detection] +tags: +- microsoft-sentinel +- cloud-siem +- kql-queries +- soar-automation +- threat-detection version: 1.0.0 author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Building Cloud SIEM with Sentinel diff --git a/skills/building-detection-rule-with-splunk-spl/SKILL.md b/skills/building-detection-rule-with-splunk-spl/SKILL.md index f5d38d6e..e543da8f 100644 --- a/skills/building-detection-rule-with-splunk-spl/SKILL.md +++ b/skills/building-detection-rule-with-splunk-spl/SKILL.md @@ -1,12 +1,27 @@ --- name: building-detection-rule-with-splunk-spl -description: Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify security threats in SOC environments. +description: Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify + security threats in SOC environments. domain: cybersecurity subdomain: soc-operations -tags: [splunk, spl, detection-engineering, correlation-search, siem, soc, threat-detection, enterprise-security] -version: "1.0" +tags: +- splunk +- spl +- detection-engineering +- correlation-search +- siem +- soc +- threat-detection +- enterprise-security +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Building Detection Rules with Splunk SPL diff --git a/skills/building-detection-rules-with-sigma/SKILL.md b/skills/building-detection-rules-with-sigma/SKILL.md index 83978575..bcb52058 100644 --- a/skills/building-detection-rules-with-sigma/SKILL.md +++ b/skills/building-detection-rules-with-sigma/SKILL.md @@ -1,16 +1,31 @@ --- name: building-detection-rules-with-sigma -description: > - Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across - SIEM platforms including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable - detection logic from threat intelligence, mapping rules to MITRE ATT&CK techniques, or converting - community Sigma rules into platform-specific queries using sigmac or pySigma backends. +description: 'Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms + including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence, + mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac + or pySigma backends. + + ' domain: cybersecurity subdomain: soc-operations -tags: [soc, sigma, detection-rules, siem, mitre-attack, splunk, elastic, sentinel] -version: "1.0" +tags: +- soc +- sigma +- detection-rules +- siem +- mitre-attack +- splunk +- elastic +- sentinel +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Execution Isolation +- Process Termination +- Hardware-based Process Isolation +- Web Session Access Mediation +- Process Suspension --- # Building Detection Rules with Sigma diff --git a/skills/building-identity-governance-lifecycle-process/SKILL.md b/skills/building-identity-governance-lifecycle-process/SKILL.md index b7a275b2..2cc53a6e 100644 --- a/skills/building-identity-governance-lifecycle-process/SKILL.md +++ b/skills/building-identity-governance-lifecycle-process/SKILL.md @@ -1,17 +1,27 @@ --- name: building-identity-governance-lifecycle-process -description: > - Builds comprehensive identity governance and lifecycle management processes including - joiner-mover-leaver automation, role mining, access request workflows, periodic - recertification, and orphaned account remediation using IGA platforms. - Activates for requests involving identity lifecycle management, JML processes, - role-based access provisioning, or identity governance program design. +description: 'Builds comprehensive identity governance and lifecycle management processes including joiner-mover-leaver automation, + role mining, access request workflows, periodic recertification, and orphaned account remediation using IGA platforms. Activates + for requests involving identity lifecycle management, JML processes, role-based access provisioning, or identity governance + program design. + + ' domain: cybersecurity subdomain: identity-access-management -tags: [identity-governance, lifecycle-management, JML, access-provisioning, RBAC, IGA] -version: "1.0" +tags: +- identity-governance +- lifecycle-management +- JML +- access-provisioning +- RBAC +- IGA +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- GOVERN-1.1 +- GOVERN-1.7 +- MAP-1.1 --- # Building Identity Governance Lifecycle Process diff --git a/skills/building-incident-timeline-with-timesketch/SKILL.md b/skills/building-incident-timeline-with-timesketch/SKILL.md index 1543b608..74462b55 100644 --- a/skills/building-incident-timeline-with-timesketch/SKILL.md +++ b/skills/building-incident-timeline-with-timesketch/SKILL.md @@ -1,245 +1,11 @@ --- -name: building-incident-timeline-with-timesketch -description: Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source event data for attack chain reconstruction and investigation documentation. -domain: cybersecurity -subdomain: incident-response -tags: [timesketch, timeline-analysis, forensic-timeline, plaso, dfir, incident-investigation, collaborative-forensics] -mitre_attack: ["T1070", "T1059", "T1053"] -version: "1.0" -author: mahipal -license: Apache-2.0 ---- - -# Building Incident Timeline with Timesketch - -## Overview - -Timesketch is an open-source collaborative forensic timeline analysis tool developed by Google that enables security teams to visualize and analyze chronological data from multiple sources during incident investigations. It ingests logs and artifacts from endpoints, servers, and cloud services, normalizes them into a unified searchable timeline, and provides powerful analysis capabilities including built-in analyzers, tagging, sketch annotations, and story building. Timesketch integrates with Plaso (log2timeline) for artifact parsing and supports direct CSV/JSONL ingestion for rapid timeline construction during active incidents. - - -## When to Use - -- When deploying or configuring building incident timeline with timesketch capabilities in your environment -- When establishing security controls aligned to compliance requirements -- When building or improving security architecture for this domain -- When conducting security assessments that require this implementation - -## Prerequisites - -- Familiarity with incident response concepts and tools -- Access to a test or lab environment for safe execution -- Python 3.8+ with required dependencies installed -- Appropriate authorization for any testing activities - -## Architecture and Components - -### Core Components -- **Timesketch Server**: Web application with REST API for timeline management -- **OpenSearch/Elasticsearch**: Backend storage and search engine for timeline events -- **PostgreSQL**: Metadata storage for sketches, stories, and user data -- **Redis**: Task queue management for background processing -- **Celery Workers**: Asynchronous processing of timeline uploads and analyzers - -### Data Flow -``` -Evidence Sources --> Plaso/log2timeline --> Plaso storage file (.plaso) - | | - v v - CSV/JSONL --> Timesketch Importer --> OpenSearch Index - | - v - Timesketch Web UI - (Search, Analyze, Story) -``` - -## Deployment - -### Docker Deployment (Recommended) -```bash -# Clone Timesketch repository -git clone https://github.com/google/timesketch.git -cd timesketch - -# Run deployment helper script -cd docker -sudo docker compose up -d - -# Default access: https://localhost:443 -# Admin credentials generated during first run -``` - -### System Requirements -- Minimum 8 GB RAM (16+ GB recommended for large investigations) -- 4 CPU cores minimum -- SSD storage for OpenSearch indices -- Docker and Docker Compose installed - -## Data Ingestion Methods - -### Method 1: Plaso Integration (Comprehensive) -```bash -# Process disk image with log2timeline -log2timeline.py --storage-file evidence.plaso /path/to/disk/image - -# Process Windows event logs -log2timeline.py --parsers winevtx --storage-file windows_events.plaso /path/to/evtx/ - -# Process multiple evidence sources -log2timeline.py --parsers "winevtx,prefetch,amcache,shimcache,userassist" \ - --storage-file full_analysis.plaso /path/to/mounted/image/ - -# Import Plaso file into Timesketch -timesketch_importer -s "Case-2025-001" -t "Endpoint-WKS01" evidence.plaso -``` - -### Method 2: CSV Import (Quick Ingestion) -```csv -message,datetime,timestamp_desc,source,hostname -"User login detected","2025-01-15T08:30:00Z","Event Recorded","Security Log","DC01" -"PowerShell execution","2025-01-15T08:31:15Z","Event Recorded","PowerShell","WKS042" -``` - -```bash -# Import CSV directly -timesketch_importer -s "Case-2025-001" -t "Quick-Triage" events.csv -``` - -### Method 3: JSONL Import (Structured Data) -```json -{"message": "Suspicious logon from 10.1.2.3", "datetime": "2025-01-15T08:30:00Z", "timestamp_desc": "Event Recorded", "source_short": "Security", "hostname": "DC01"} -``` - -### Method 4: Sigma Rule Integration -```bash -# Upload Sigma rules for automated detection -timesketch_importer --sigma-rules /path/to/sigma/rules/ -``` - -## Analysis Workflow - -### Step 1: Create Investigation Sketch -``` -1. Log into Timesketch web interface -2. Create new sketch (investigation case) -3. Add relevant timelines to the sketch -4. Set sketch description and tags -``` - -### Step 2: Run Built-in Analyzers -Timesketch includes analyzers that automatically identify: -- **Browser Search Analyzer**: Extracts search queries from browser history -- **Chain of Events Analyzer**: Links related events (download -> execute) -- **Domain Analyzer**: Extracts and categorizes domain names -- **Feature Extraction Analyzer**: Identifies IPs, URLs, hashes -- **Geo Location Analyzer**: Maps events to geographic locations -- **Similarity Scorer**: Finds similar events across timelines -- **Sigma Analyzer**: Matches events against Sigma detection rules -- **Account Finder**: Identifies user account activity patterns -- **Tagger**: Applies labels based on predefined rules - -### Step 3: Search and Filter -``` -# Search examples in Timesketch query language - -# Find all events related to specific user -source_short:Security AND message:"john.admin" - -# Find PowerShell execution events -data_type:"windows:evtx:record" AND event_identifier:4104 - -# Find lateral movement indicators -source_short:Security AND event_identifier:4624 AND xml_string:"LogonType\">3" - -# Find events within specific time range -datetime:[2025-01-15T00:00:00 TO 2025-01-15T23:59:59] - -# Find file creation events -data_type:"fs:stat" AND timestamp_desc:"Creation Time" - -# Search with tags -tag:"suspicious" OR tag:"lateral_movement" -``` - -### Step 4: Build Investigation Story -``` -1. Create new story within the sketch -2. Add search views that support each finding -3. Annotate key events with investigator notes -4. Link events to MITRE ATT&CK techniques -5. Document the attack narrative chronologically -6. Export story for inclusion in incident report -``` - -## Advanced Features - -### Collaborative Investigation -- Multiple analysts work on the same sketch simultaneously -- Comments and annotations persist on events -- Saved searches shared across the team -- Investigation stories document findings in context - -### API Automation -```python -from timesketch_api_client import config -from timesketch_api_client import client as ts_client - -# Connect to Timesketch -ts = ts_client.TimesketchApi( - host_uri="https://timesketch.local", - username="analyst", - password="password" -) - -# Get sketch -sketch = ts.get_sketch(1) - -# Search events -search = sketch.explore( - query_string='event_identifier:4624 AND LogonType:3', - return_fields='datetime,message,hostname,source_short' -) - -# Add tags to events -for event in search.get('objects', []): - sketch.tag_event(event['_id'], ['lateral_movement']) -``` - -### Integration with Dissect -```bash -# Use Dissect for faster artifact parsing (alternative to Plaso) -target-query -f timesketch://timesketch.local/case-001 \ - targets/hostname/ -q "windows.evtx" --limit 0 -``` - -## Key Data Sources for Timeline Building - -| Source | Parser | Evidence Value | -|--------|--------|---------------| -| Windows Event Logs (.evtx) | winevtx | Authentication, process execution, services | -| Prefetch Files | prefetch | Program execution history | -| MFT ($MFT) | mft | File system activity | -| Registry Hives | winreg | System configuration, persistence | -| Browser History | chrome/firefox | Web activity, downloads | -| Syslog | syslog | Linux/network device events | -| CloudTrail Logs | jsonl | AWS API activity | -| Azure Activity Logs | jsonl | Azure resource operations | -| Firewall Logs | csv/jsonl | Network connections | -| Proxy Logs | csv/jsonl | HTTP/HTTPS traffic | - -## MITRE ATT&CK Mapping - -| Technique | Timeline Indicators | -|-----------|-------------------| -| Initial Access (TA0001) | First malicious event, phishing email receipt | -| Execution (T1059) | PowerShell/CMD events, process creation | -| Persistence (TA0003) | Registry modifications, scheduled tasks, services | -| Lateral Movement (TA0008) | Remote logons, SMB connections, RDP sessions | -| Exfiltration (TA0010) | Large data transfers, cloud storage uploads | - -## References - -- [Timesketch Official Documentation](https://timesketch.org/) -- [Timesketch GitHub Repository](https://github.com/google/timesketch) -- [CISA Timesketch Resource](https://www.cisa.gov/resources-tools/services/timesketch) -- [Hunt and Hackett: Scalable Forensics with Dissect and Timesketch](https://www.huntandhackett.com/blog/scalable-forensics-timeline-analysis-using-dissect-and-timesketch) -- [Plaso (log2timeline) Documentation](https://plaso.readthedocs.io/) +{} +---tags: +- timesketch +- timeline-analysis +- forensic-timeline +- plaso +- dfir +- incident-investigation +- collaborative-forensics +version: '1.0' diff --git a/skills/building-red-team-c2-infrastructure-with-havoc/SKILL.md b/skills/building-red-team-c2-infrastructure-with-havoc/SKILL.md index acb933a8..dd9eecef 100644 --- a/skills/building-red-team-c2-infrastructure-with-havoc/SKILL.md +++ b/skills/building-red-team-c2-infrastructure-with-havoc/SKILL.md @@ -1,12 +1,29 @@ --- name: building-red-team-c2-infrastructure-with-havoc -description: Deploy and configure the Havoc C2 framework with teamserver, HTTPS listeners, redirectors, and Demon agents for authorized red team operations. +description: Deploy and configure the Havoc C2 framework with teamserver, HTTPS listeners, redirectors, and Demon agents for + authorized red team operations. domain: cybersecurity subdomain: red-teaming -tags: [havoc-c2, command-and-control, red-team-infrastructure, post-exploitation, adversary-emulation, demon-agent] -version: "1.0" +tags: +- havoc-c2 +- command-and-control +- red-team-infrastructure +- post-exploitation +- adversary-emulation +- demon-agent +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- GOVERN-1.1 +- MEASURE-2.7 +- MANAGE-3.1 +d3fend_techniques: +- File Metadata Consistency Validation +- Certificate Analysis +- Application Protocol Command Analysis +- Content Format Conversion +- File Content Analysis --- # Building Red Team C2 Infrastructure with Havoc diff --git a/skills/building-soc-metrics-and-kpi-tracking/SKILL.md b/skills/building-soc-metrics-and-kpi-tracking/SKILL.md index 1cd32cd3..d0d7bee4 100644 --- a/skills/building-soc-metrics-and-kpi-tracking/SKILL.md +++ b/skills/building-soc-metrics-and-kpi-tracking/SKILL.md @@ -1,16 +1,32 @@ --- name: building-soc-metrics-and-kpi-tracking -description: > - Builds SOC performance metrics and KPI tracking dashboards measuring Mean Time to Detect (MTTD), - Mean Time to Respond (MTTR), alert quality ratios, analyst productivity, and detection coverage - using SIEM data. Use when SOC leadership needs operational visibility, continuous improvement - tracking, or executive-level reporting on security operations effectiveness. +description: 'Builds SOC performance metrics and KPI tracking dashboards measuring Mean Time to Detect (MTTD), Mean Time to + Respond (MTTR), alert quality ratios, analyst productivity, and detection coverage using SIEM data. Use when SOC leadership + needs operational visibility, continuous improvement tracking, or executive-level reporting on security operations effectiveness. + + ' domain: cybersecurity subdomain: soc-operations -tags: [soc, metrics, kpi, mttd, mttr, dashboard, reporting, continuous-improvement] -version: "1.0" +tags: +- soc +- metrics +- kpi +- mttd +- mttr +- dashboard +- reporting +- continuous-improvement +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Building SOC Metrics and KPI Tracking diff --git a/skills/building-soc-playbook-for-ransomware/SKILL.md b/skills/building-soc-playbook-for-ransomware/SKILL.md index 1873bdfa..bc7103f8 100644 --- a/skills/building-soc-playbook-for-ransomware/SKILL.md +++ b/skills/building-soc-playbook-for-ransomware/SKILL.md @@ -1,262 +1,11 @@ --- -name: building-soc-playbook-for-ransomware -description: > - Builds a structured SOC incident response playbook for ransomware attacks covering detection, - containment, eradication, and recovery phases with specific SIEM queries, isolation procedures, - and decision trees. Use when SOC teams need formalized response procedures for ransomware - incidents aligned to NIST SP 800-61 and MITRE ATT&CK ransomware techniques. -domain: cybersecurity -subdomain: soc-operations -tags: [soc, ransomware, incident-response, playbook, nist, mitre-attack, containment] -mitre_attack: ["T1486", "T1490", "T1489", "T1570"] -version: "1.0" -author: mahipal -license: Apache-2.0 ---- -# Building SOC Playbook for Ransomware - -## When to Use - -Use this skill when: -- SOC teams need a standardized ransomware response playbook for Tier 1-3 analysts -- An organization lacks documented procedures for ransomware containment and recovery -- Tabletop exercises reveal gaps in ransomware response coordination -- Compliance requirements (NIST CSF, ISO 27001) mandate documented incident playbooks - -**Do not use** during an active ransomware incident as the sole guide — have pre-built playbooks tested and rehearsed before incidents occur. - -## Prerequisites - -- SIEM platform (Splunk ES, Elastic Security, or Sentinel) with endpoint and network data -- EDR solution (CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint) with network isolation capability -- Backup infrastructure with tested recovery procedures and offline/immutable backups -- Communication plan with legal, executive leadership, and external IR retainer contacts -- MITRE ATT&CK knowledge for ransomware technique chains - -## Workflow - -### Step 1: Define Detection Triggers - -Create SIEM detection rules for early ransomware indicators: - -**Mass File Encryption Detection (Splunk):** -```spl -index=sysmon EventCode=11 -| bin _time span=1m -| stats dc(TargetFilename) AS unique_files, values(TargetFilename) AS sample_files by Computer, Image, _time -| where unique_files > 100 -| eval suspicious_extensions = if(match(mvjoin(sample_files, ","), "\.(encrypted|locked|crypt|enc|ransom)"), "YES", "NO") -| where suspicious_extensions="YES" OR unique_files > 500 -| sort - unique_files -``` - -**Shadow Copy Deletion (T1490):** -```spl -index=wineventlog sourcetype="WinEventLog:Security" OR index=sysmon EventCode=1 -(CommandLine="*vssadmin*delete*shadows*" OR CommandLine="*wmic*shadowcopy*delete*" - OR CommandLine="*bcdedit*/set*recoveryenabled*no*" OR CommandLine="*wbadmin*delete*catalog*") -| table _time, Computer, User, ParentImage, Image, CommandLine -``` - -**Ransomware Note File Creation:** -```spl -index=sysmon EventCode=11 -TargetFilename IN ("*README*.txt", "*DECRYPT*.txt", "*RANSOM*.txt", "*RECOVER*.html", "*HOW_TO*.txt") -| stats count by Computer, Image, TargetFilename -| where count > 5 -``` - -**Elastic Security EQL variant:** -```eql -sequence by host.name with maxspan=2m - [process where event.type == "start" and - process.args : ("*vssadmin*", "*delete*", "*shadows*")] - [file where event.type == "creation" and - file.name : ("*README*DECRYPT*", "*RANSOM*", "*HOW_TO_RECOVER*")] -``` - -### Step 2: Build Triage Decision Tree - -``` -RANSOMWARE ALERT TRIAGE -│ -├── Is encryption actively occurring? -│ ├── YES → IMMEDIATE: Isolate host from network (Step 3) -│ │ Do NOT power off (preserve memory for forensics) -│ └── NO → Is this a pre-encryption indicator? -│ ├── Shadow copy deletion → HIGH PRIORITY: Isolate and investigate -│ ├── Known ransomware hash → HIGH PRIORITY: Block hash, scan enterprise -│ └── Suspicious process behavior → MEDIUM: Investigate, prepare isolation -│ -├── How many hosts affected? -│ ├── Single host → Contained incident, follow host isolation procedure -│ ├── Multiple hosts (2-10) → Escalate to Tier 2, begin enterprise-wide scan -│ └── Enterprise-wide (>10) → Activate full IR team, engage external retainer -│ -└── Is data exfiltration confirmed? - ├── YES → Double extortion scenario, engage legal for breach notification - └── NO/UNKNOWN → Check for Cobalt Strike/C2 beacons, review outbound transfers -``` - -### Step 3: Containment Procedures - -**Network Isolation via EDR (CrowdStrike Falcon):** -```bash -# Isolate host using CrowdStrike Falcon API -curl -X POST "https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=contain" \ - -H "Authorization: Bearer $TOKEN" \ - -H "Content-Type: application/json" \ - -d '{"ids": ["device_id_here"]}' -``` - -**Network Isolation via Microsoft Defender for Endpoint:** -```powershell -# Isolate machine via MDE API -$headers = @{Authorization = "Bearer $token"} -$body = @{Comment = "Ransomware containment - IR-2024-0500"; IsolationType = "Full"} | ConvertTo-Json -Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/machines/$machineId/isolate" ` - -Method Post -Headers $headers -Body $body -ContentType "application/json" -``` - -**Firewall Emergency Rules:** -``` -# Palo Alto — Block SMB lateral spread -set rulebase security rules RansomwareContainment from Trust to Trust -set rulebase security rules RansomwareContainment application ms-ds-smb -set rulebase security rules RansomwareContainment action deny -set rulebase security rules RansomwareContainment disabled no -commit -``` - -**Active Directory Emergency Actions:** -```powershell -# Disable compromised account -Disable-ADAccount -Identity "compromised_user" - -# Reset Kerberos TGT (if domain admin compromised) -# WARNING: This resets krbtgt and requires two resets 12+ hours apart -Reset-KrbtgtKeys -Server "DC-PRIMARY" -Force - -# Block lateral movement by disabling remote services -Set-Service -Name "RemoteRegistry" -StartupType Disabled -Status Stopped -``` - -### Step 4: Evidence Collection and Preservation - -Collect forensic artifacts before remediation: - -```powershell -# Capture running processes and network connections -Get-Process | Export-Csv "C:\IR\processes_$(hostname).csv" -Get-NetTCPConnection | Export-Csv "C:\IR\netstat_$(hostname).csv" - -# Capture memory dump (if host still running) -winpmem_mini_x64.exe C:\IR\memory_$(hostname).raw - -# Collect ransomware artifacts -Copy-Item "C:\Users\*\Desktop\*README*" "C:\IR\ransom_notes\" -Recurse -Copy-Item "C:\Users\*\Desktop\*.encrypted" "C:\IR\encrypted_samples\" -Force - -# Capture event logs -wevtutil epl Security "C:\IR\Security_$(hostname).evtx" -wevtutil epl System "C:\IR\System_$(hostname).evtx" -wevtutil epl "Microsoft-Windows-Sysmon/Operational" "C:\IR\Sysmon_$(hostname).evtx" -``` - -### Step 5: Eradication and Recovery - -**Identify ransomware variant:** -- Upload encrypted sample and ransom note to ID Ransomware (https://id-ransomware.malwarehunterteam.com/) -- Check No More Ransom Project (https://www.nomoreransom.org/) for available decryptors -- Search for ransomware family IOCs in MalwareBazaar - -**Enterprise-wide IOC scan in Splunk:** -```spl -index=sysmon (EventCode=1 OR EventCode=11 OR EventCode=3) -(TargetFilename="*ransomware_binary_name*" OR sha256="KNOWN_HASH" - OR DestinationIp="C2_IP_ADDRESS" OR CommandLine="*malicious_command*") -| stats count by Computer, EventCode, Image, CommandLine -| sort - count -``` - -**Recovery from backups:** -1. Verify backup integrity (offline/immutable backups not affected) -2. Rebuild affected systems from known-good images -3. Restore data from last clean backup -4. Validate restored systems before reconnecting to network -5. Monitor restored systems for 72 hours for reinfection - -### Step 6: Post-Incident Documentation - -Structure the playbook conclusion with lessons learned: - -``` -POST-INCIDENT REVIEW TEMPLATE -1. Timeline of events (detection to full recovery) -2. Initial access vector identification -3. Dwell time analysis (time from initial compromise to encryption) -4. Detection gaps identified -5. Response effectiveness metrics (MTTD, MTTC, MTTR) -6. Playbook improvements recommended -7. New detection rules deployed -8. Backup and recovery procedure updates -``` - -## Key Concepts - -| Term | Definition | -|------|-----------| -| **Double Extortion** | Ransomware tactic combining data encryption with data theft, threatening public release if ransom unpaid | -| **Dwell Time** | Duration between initial compromise and detection — ransomware operators average 5-9 days before encryption | -| **MTTC** | Mean Time to Contain — time from detection to successful isolation of affected systems | -| **Kill Chain** | Ransomware progression: Initial Access -> Execution -> Persistence -> Privilege Escalation -> Lateral Movement -> Collection -> Exfiltration -> Impact | -| **Immutable Backup** | Backup storage that cannot be modified or deleted for a defined retention period (WORM storage) | -| **RTO/RPO** | Recovery Time Objective / Recovery Point Objective — maximum acceptable downtime and data loss thresholds | - -## Tools & Systems - -- **CrowdStrike Falcon / SentinelOne**: EDR platforms with network isolation, process kill, and threat hunting capabilities -- **Splunk ES / Elastic Security**: SIEM platforms for detection rule deployment and enterprise-wide IOC scanning -- **ID Ransomware**: Online service identifying ransomware variants from encrypted file samples and ransom notes -- **No More Ransom Project**: Europol-backed initiative providing free decryption tools for known ransomware families -- **Veeam / Rubrik**: Enterprise backup solutions with immutable backup support and instant recovery capabilities - -## Common Scenarios - -- **LockBit Attack**: Detected via SMB lateral movement and mass file encryption — isolate, scan for Cobalt Strike beacons -- **BlackCat/ALPHV**: Detected via ransomware note creation — check for data exfiltration via Rclone or Mega upload -- **Conti/Royal**: Detected via shadow copy deletion — check for prior BazarLoader/Emotet initial access -- **RansomHub**: Detected via anomalous process execution — investigate for compromised VPN or RDP credentials -- **Play Ransomware**: Detected via service account abuse — audit AD for newly created accounts and group membership changes - -## Output Format - -``` -RANSOMWARE PLAYBOOK EXECUTION — IR-2024-0500 -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ -Phase 1 - Detection: - Alert: Mass file encryption detected on FILESERVER-03 - Variant: LockBit 3.0 (confirmed via ID Ransomware) - MTTD: 12 minutes from first encryption to SOC alert - -Phase 2 - Containment: - [DONE] FILESERVER-03 isolated via CrowdStrike at 14:35 UTC - [DONE] SMB blocked enterprise-wide via firewall emergency rule - [DONE] Compromised service account disabled in AD - MTTC: 23 minutes - -Phase 3 - Eradication: - [DONE] 3 additional hosts with C2 beacon identified and isolated - [DONE] Cobalt Strike C2 domain (c2[.]evil[.]com) sinkholed - [DONE] Enterprise-wide IOC scan completed — no additional infections - -Phase 4 - Recovery: - [DONE] FILESERVER-03 rebuilt from gold image - [DONE] Data restored from immutable Veeam backup (RPO: 4 hours) - [DONE] Systems monitored 72 hours — no reinfection - MTTR: 18 hours - -Total Affected: 1 server, 3 workstations -Data Loss: 4 hours of file modifications (backup RPO) -Exfiltration: No evidence of data exfiltration confirmed -``` +{} +---tags: +- soc +- ransomware +- incident-response +- playbook +- nist +- mitre-attack +- containment +version: '1.0' diff --git a/skills/conducting-cloud-penetration-testing/SKILL.md b/skills/conducting-cloud-penetration-testing/SKILL.md index 80557c21..04b131a0 100644 --- a/skills/conducting-cloud-penetration-testing/SKILL.md +++ b/skills/conducting-cloud-penetration-testing/SKILL.md @@ -1,17 +1,36 @@ --- name: conducting-cloud-penetration-testing -description: > - This skill outlines methodologies for performing authorized penetration testing against - AWS, Azure, and GCP cloud environments. It covers understanding the shared responsibility - model for testing scope, leveraging cloud-specific attack tools like Pacu and ScoutSuite, - exploiting IAM misconfigurations, testing for SSRF to cloud metadata services, and +description: 'This skill outlines methodologies for performing authorized penetration testing against AWS, Azure, and GCP + cloud environments. It covers understanding the shared responsibility model for testing scope, leveraging cloud-specific + attack tools like Pacu and ScoutSuite, exploiting IAM misconfigurations, testing for SSRF to cloud metadata services, and reporting findings aligned to MITRE ATT&CK Cloud matrix. + + ' domain: cybersecurity subdomain: cloud-security -tags: [cloud-pentesting, offensive-security, aws-exploitation, shared-responsibility, mitre-attack-cloud] +tags: +- cloud-pentesting +- offensive-security +- aws-exploitation +- shared-responsibility +- mitre-attack-cloud version: 1.0.0 author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 +d3fend_techniques: +- Token Binding +- Restore Access +- Application Protocol Command Analysis +- Reissue Credential +- Network Isolation --- # Conducting Cloud Penetration Testing diff --git a/skills/conducting-domain-persistence-with-dcsync/SKILL.md b/skills/conducting-domain-persistence-with-dcsync/SKILL.md index cab84ad2..71ebf394 100644 --- a/skills/conducting-domain-persistence-with-dcsync/SKILL.md +++ b/skills/conducting-domain-persistence-with-dcsync/SKILL.md @@ -1,12 +1,26 @@ --- name: conducting-domain-persistence-with-dcsync -description: Perform DCSync attacks to replicate Active Directory credentials and establish domain persistence by extracting KRBTGT, Domain Admin, and service account hashes for Golden Ticket creation. +description: Perform DCSync attacks to replicate Active Directory credentials and establish domain persistence by extracting + KRBTGT, Domain Admin, and service account hashes for Golden Ticket creation. domain: cybersecurity subdomain: red-teaming -tags: [red-team, active-directory, dcsync, persistence, credential-dumping, golden-ticket, mimikatz] -version: "1.0" +tags: +- red-team +- active-directory +- dcsync +- persistence +- credential-dumping +- golden-ticket +- mimikatz +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Platform Monitoring --- # Conducting Domain Persistence with DCSync diff --git a/skills/conducting-full-scope-red-team-engagement/SKILL.md b/skills/conducting-full-scope-red-team-engagement/SKILL.md index 085de757..b5321d1e 100644 --- a/skills/conducting-full-scope-red-team-engagement/SKILL.md +++ b/skills/conducting-full-scope-red-team-engagement/SKILL.md @@ -1,12 +1,26 @@ --- name: conducting-full-scope-red-team-engagement -description: Plan and execute a comprehensive red team engagement covering reconnaissance through post-exploitation using MITRE ATT&CK-aligned TTPs to evaluate an organization's detection and response capabilities. +description: Plan and execute a comprehensive red team engagement covering reconnaissance through post-exploitation using + MITRE ATT&CK-aligned TTPs to evaluate an organization's detection and response capabilities. domain: cybersecurity subdomain: red-teaming -tags: [red-team, adversary-emulation, mitre-attack, penetration-testing, offensive-security, purple-team, ttp-mapping] -version: "1.0" +tags: +- red-team +- adversary-emulation +- mitre-attack +- penetration-testing +- offensive-security +- purple-team +- ttp-mapping +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- # Conducting Full-Scope Red Team Engagement diff --git a/skills/conducting-internal-network-penetration-test/SKILL.md b/skills/conducting-internal-network-penetration-test/SKILL.md index f7f7179c..da7b142c 100644 --- a/skills/conducting-internal-network-penetration-test/SKILL.md +++ b/skills/conducting-internal-network-penetration-test/SKILL.md @@ -1,12 +1,26 @@ --- name: conducting-internal-network-penetration-test -description: Execute an internal network penetration test simulating an insider threat or post-breach attacker to identify lateral movement paths, privilege escalation vectors, and sensitive data exposure within the corporate network. +description: Execute an internal network penetration test simulating an insider threat or post-breach attacker to identify + lateral movement paths, privilege escalation vectors, and sensitive data exposure within the corporate network. domain: cybersecurity subdomain: penetration-testing -tags: [internal-pentest, lateral-movement, privilege-escalation, Responder, Impacket, assumed-breach, network-security] -version: "1.0" +tags: +- internal-pentest +- lateral-movement +- privilege-escalation +- Responder +- Impacket +- assumed-breach +- network-security +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Network Traffic Community Deviation --- # Conducting Internal Network Penetration Test diff --git a/skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md b/skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md index ac931134..101aa34b 100644 --- a/skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md +++ b/skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md @@ -1,12 +1,26 @@ --- name: conducting-internal-reconnaissance-with-bloodhound-ce -description: Conduct internal Active Directory reconnaissance using BloodHound Community Edition to map attack paths, identify privilege escalation chains, and discover misconfigurations in domain environments. +description: Conduct internal Active Directory reconnaissance using BloodHound Community Edition to map attack paths, identify + privilege escalation chains, and discover misconfigurations in domain environments. domain: cybersecurity subdomain: red-teaming -tags: [red-team, reconnaissance, bloodhound, active-directory, attack-paths, privilege-escalation, graph-analysis] -version: "1.0" +tags: +- red-team +- reconnaissance +- bloodhound +- active-directory +- attack-paths +- privilege-escalation +- graph-analysis +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Restore Access +- Password Authentication +- Biometric Authentication +- Strong Password Policy +- Restore User Account Access --- # Conducting Internal Reconnaissance with BloodHound CE diff --git a/skills/conducting-malware-incident-response/SKILL.md b/skills/conducting-malware-incident-response/SKILL.md index 48920450..77a4cc9a 100644 --- a/skills/conducting-malware-incident-response/SKILL.md +++ b/skills/conducting-malware-incident-response/SKILL.md @@ -1,207 +1,8 @@ --- -name: conducting-malware-incident-response -description: > - Responds to malware infections across enterprise endpoints by identifying the - malware family, determining infection vectors, assessing spread, and executing - eradication procedures. Covers the full lifecycle from detection through - containment, analysis, removal, and recovery. Activates for requests involving - malware response, malware eradication, trojan removal, worm containment, malware - triage, or infected endpoint remediation. -domain: cybersecurity -subdomain: incident-response -tags: [malware-response, malware-analysis, eradication, endpoint-remediation, MITRE-ATT&CK] -mitre_attack: ["T1204", "T1027", "T1055", "T1059", "T1486"] -version: 1.0.0 -author: mahipal -license: Apache-2.0 ---- - -# Conducting Malware Incident Response - -## When to Use - -- EDR or antivirus detects malware execution on one or more endpoints -- A user reports suspicious system behavior indicative of malware infection -- Threat intelligence indicates a malware campaign targeting the organization's industry -- Network monitoring detects beaconing traffic consistent with known malware C2 patterns -- A file detonation in a sandbox returns a malicious verdict - -**Do not use** for analyzing malware samples in a research context; use dedicated malware analysis procedures for reverse engineering. - -## Prerequisites - -- EDR platform with process tree visibility and host isolation capability -- Malware sandbox environment (Cuckoo, ANY.RUN, Joe Sandbox, Hybrid Analysis) -- Access to threat intelligence platforms for malware family identification (VirusTotal, MalwareBazaar) -- Forensic imaging tools for evidence preservation (FTK Imager, KAPE) -- Clean system images or gold images for endpoint rebuild -- MITRE ATT&CK framework reference for technique mapping - -## Workflow - -### Step 1: Detect and Confirm Malware Presence - -Validate the malware alert and gather initial indicators: - -- Review EDR alert details: detection name, file path, hash (SHA-256), process tree -- Check if the detection is a known malware family or generic heuristic detection -- Query the file hash against VirusTotal, MalwareBazaar, and internal threat intelligence -- Examine the process execution chain to determine how the malware was delivered - -``` -Detection Summary: -File: C:\Users\jsmith\AppData\Local\Temp\update.exe -SHA-256: a1b2c3d4e5f6... -Detection: CrowdStrike: Malware/Qakbot | VirusTotal: 58/72 engines -Parent: WINWORD.EXE → cmd.exe → powershell.exe → update.exe -Delivery: Email attachment (Invoice-Nov2025.docm) -Network: HTTPS POST to 185.220.101[.]42:443 every 60s -Persistence: Scheduled Task "WindowsUpdate" → update.exe -``` - -### Step 2: Scope the Infection - -Determine how many systems are affected and the malware's propagation method: - -- Use EDR to search for the malware hash, filename, and behavioral indicators across all endpoints -- Check for network-based spreading (SMB, WMI, PsExec, exploitation) -- Query email gateway logs for all recipients of the delivery email -- Search for C2 communications to the identified infrastructure from other internal hosts -- Check for persistence mechanisms on all identified infected hosts - -### Step 3: Contain Infected Systems - -Execute containment per the active breach containment procedures: - -- Network-isolate infected endpoints via EDR containment -- Block malware C2 infrastructure at firewall and DNS -- Block the malware hash in EDR prevention policy organization-wide -- Quarantine the delivery email from all mailboxes (if email-delivered) -- Disable compromised user accounts if credential theft is suspected - -### Step 4: Analyze the Malware - -Perform sufficient analysis to support complete eradication: - -- Submit the sample to a sandbox for dynamic analysis (behavioral report, dropped files, network IOCs) -- Identify all persistence mechanisms: registry keys, scheduled tasks, services, WMI subscriptions, startup folders -- Document all file system artifacts: dropped files, modified files, created directories -- Extract network IOCs: C2 domains, IPs, URLs, user agents, JA3/JA3S hashes -- Map observed behaviors to MITRE ATT&CK techniques - -``` -Malware Analysis Summary - Qakbot Variant -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ -Initial Access: T1566.001 - Spearphishing Attachment (.docm) -Execution: T1059.001 - PowerShell (encoded downloader) -Persistence: T1053.005 - Scheduled Task -Defense Evasion: T1055.012 - Process Hollowing (explorer.exe) -C2: T1071.001 - HTTPS with custom headers -Collection: T1005 - Data from Local System (browser credentials) -Exfiltration: T1041 - Exfiltration Over C2 Channel - -Artifacts: -- C:\Users\*\AppData\Local\Temp\update.exe (dropper) -- C:\ProgramData\Microsoft\{GUID}\config.dll (payload) -- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{random} (backup persistence) -- Scheduled Task: "WindowsUpdate" (primary persistence) -``` - -### Step 5: Eradicate the Malware - -Remove all malware artifacts from every infected system: - -- Terminate malicious processes and injected threads -- Delete malware files from all identified paths -- Remove persistence mechanisms (scheduled tasks, registry keys, services, WMI subscriptions) -- Clear browser credential stores if credential harvesting was confirmed -- Run a full EDR scan to verify no artifacts remain -- If eradication confidence is low, reimage the system from a known-clean gold image - -### Step 6: Recover and Validate - -Restore systems to production and verify clean status: - -- Reconnect contained systems to the network in stages -- Monitor for 72 hours for any recurrence of malware indicators -- Force password resets for all users on infected endpoints -- Verify that C2 traffic has completely ceased across the environment -- Update detection rules based on newly discovered IOCs from the investigation -- Distribute IOCs to threat intelligence sharing partners (ISAC, MISP) - -## Key Concepts - -| Term | Definition | -|------|------------| -| **Malware Family** | Classification of malware variants sharing code, infrastructure, or behavior patterns (e.g., Qakbot, Emotet, Cobalt Strike) | -| **Process Hollowing** | Technique where malware creates a legitimate process in a suspended state, replaces its memory with malicious code, then resumes execution | -| **Beacon** | Periodic network communication from malware to its C2 server, typically with a set interval and jitter for detection evasion | -| **Dropper** | Initial malware component that downloads or unpacks the primary payload; often delivered via phishing | -| **Persistence Mechanism** | Method used by malware to survive system reboots (registry run keys, scheduled tasks, services, WMI event subscriptions) | -| **IOC (Indicator of Compromise)** | Observable artifact such as file hash, IP address, domain, or registry key that indicates malware presence | - -## Tools & Systems - -- **CrowdStrike Falcon / Microsoft Defender for Endpoint**: EDR platforms for detection, containment, and threat hunting -- **ANY.RUN / Joe Sandbox**: Interactive malware sandboxes for dynamic behavioral analysis -- **VirusTotal / MalwareBazaar**: Malware intelligence platforms for sample identification and IOC enrichment -- **KAPE (Kroll Artifact Parser and Extractor)**: Forensic triage tool for rapid artifact collection from infected endpoints -- **YARA**: Pattern-matching engine for creating custom malware detection rules based on observed indicators - -## Common Scenarios - -### Scenario: Emotet Loader Leading to Cobalt Strike Deployment - -**Context**: EDR detects a macro-enabled document that spawns PowerShell, downloads an Emotet DLL, which subsequently loads a Cobalt Strike beacon. Three hosts are infected within 45 minutes. - -**Approach**: -1. Immediately isolate all three hosts and block C2 IPs at the perimeter -2. Search email gateway for all recipients of the original phishing email and quarantine it -3. Sweep all endpoints for the Emotet DLL hash and Cobalt Strike beacon indicators -4. Analyze the Cobalt Strike beacon configuration to extract watermark, C2 profile, and staging URLs -5. Check for credential harvesting (Mimikatz/LSASS dump) and lateral movement artifacts -6. Eradicate all malware artifacts and reset credentials for affected users - -**Pitfalls**: -- Focusing only on Emotet and missing the Cobalt Strike second-stage payload -- Failing to extract and block the Cobalt Strike Malleable C2 profile indicators -- Not checking for additional persistence beyond the initial detection (Emotet often installs multiple backup persistence mechanisms) - -## Output Format - -``` -MALWARE INCIDENT RESPONSE REPORT -================================= -Incident: INC-2025-1547 -Malware Family: Qakbot (variant: Obama265) -Delivery Vector: Spearphishing attachment (Invoice-Nov2025.docm) -First Detection: 2025-11-15T14:23:17Z -Scope: 4 endpoints confirmed infected - -INFECTION TIMELINE -14:18 UTC - Phishing email received by jsmith@corp.example.com -14:19 UTC - Macro executed in WINWORD.EXE -14:20 UTC - PowerShell downloads update.exe from staging server -14:21 UTC - update.exe establishes persistence (Scheduled Task) -14:23 UTC - C2 beacon initiated to 185.220.101[.]42 -14:35 UTC - Lateral spread to WKSTN-087 via stolen credentials -14:42 UTC - EDR detection fires, SOC alerted - -IOCs EXTRACTED -File Hashes: [SHA-256 list] -C2 Domains: [domain list] -C2 IPs: [IP list] -File Paths: [artifact paths] - -ERADICATION STATUS -[x] All malware artifacts removed from 4 hosts -[x] Persistence mechanisms deleted -[x] C2 infrastructure blocked -[x] Compromised credentials reset -[x] Email quarantined from all mailboxes - -RECOMMENDATIONS -1. Deploy YARA rule for Qakbot variant detection -2. Block macro execution in documents from external senders -3. Implement application whitelisting on finance workstations -``` +{} +---tags: +- malware-response +- malware-analysis +- eradication +- endpoint-remediation +- MITRE-ATT&CK diff --git a/skills/conducting-mobile-app-penetration-test/SKILL.md b/skills/conducting-mobile-app-penetration-test/SKILL.md index be53d7a1..9a335d3c 100644 --- a/skills/conducting-mobile-app-penetration-test/SKILL.md +++ b/skills/conducting-mobile-app-penetration-test/SKILL.md @@ -1,19 +1,31 @@ --- name: conducting-mobile-app-penetration-test -description: > - Conducts penetration testing of iOS and Android mobile applications following the OWASP - Mobile Application Security Testing Guide (MASTG) to identify vulnerabilities in data storage, - network communication, authentication, cryptography, and platform-specific security controls. - The tester performs static analysis of application binaries, dynamic analysis at runtime, and - API security testing to evaluate the complete mobile attack surface. Activates for requests - involving mobile app pentest, iOS security assessment, Android security testing, or OWASP - MASTG assessment. +description: 'Conducts penetration testing of iOS and Android mobile applications following the OWASP Mobile Application Security + Testing Guide (MASTG) to identify vulnerabilities in data storage, network communication, authentication, cryptography, + and platform-specific security controls. The tester performs static analysis of application binaries, dynamic analysis at + runtime, and API security testing to evaluate the complete mobile attack surface. Activates for requests involving mobile + app pentest, iOS security assessment, Android security testing, or OWASP MASTG assessment. + + ' domain: cybersecurity subdomain: penetration-testing -tags: [mobile-pentest, OWASP-MASTG, Android-security, iOS-security, mobile-application-security] +tags: +- mobile-pentest +- OWASP-MASTG +- Android-security +- iOS-security +- mobile-application-security version: 1.0.0 author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Conducting Mobile App Penetration Test diff --git a/skills/conducting-pass-the-ticket-attack/SKILL.md b/skills/conducting-pass-the-ticket-attack/SKILL.md index 6d788ece..86219d04 100644 --- a/skills/conducting-pass-the-ticket-attack/SKILL.md +++ b/skills/conducting-pass-the-ticket-attack/SKILL.md @@ -1,12 +1,27 @@ --- name: conducting-pass-the-ticket-attack -description: Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate to services without knowing the user's password. By extracting Kerberos tickets fro +description: Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate + to services without knowing the user's password. By extracting Kerberos tickets fro domain: cybersecurity subdomain: red-teaming -tags: [red-team, adversary-simulation, mitre-attack, exploitation, post-exploitation, kerberos, pass-the-ticket, lateral-movement] -version: "1.0" +tags: +- red-team +- adversary-simulation +- mitre-attack +- exploitation +- post-exploitation +- kerberos +- pass-the-ticket +- lateral-movement +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Token Binding +- Execution Isolation +- Restore Access +- Application Protocol Command Analysis +- Process Termination --- # Conducting Pass-the-Ticket Attack diff --git a/skills/conducting-social-engineering-penetration-test/SKILL.md b/skills/conducting-social-engineering-penetration-test/SKILL.md index 4c91b805..1a836f3a 100644 --- a/skills/conducting-social-engineering-penetration-test/SKILL.md +++ b/skills/conducting-social-engineering-penetration-test/SKILL.md @@ -1,12 +1,28 @@ --- name: conducting-social-engineering-penetration-test -description: Design and execute a social engineering penetration test including phishing, vishing, smishing, and physical pretexting campaigns to measure human security resilience and identify training gaps. +description: Design and execute a social engineering penetration test including phishing, vishing, smishing, and physical + pretexting campaigns to measure human security resilience and identify training gaps. domain: cybersecurity subdomain: penetration-testing -tags: [social-engineering, phishing, vishing, pretexting, GoPhish, SET, OSINT, security-awareness, red-team] -version: "1.0" +tags: +- social-engineering +- phishing +- vishing +- pretexting +- GoPhish +- SET +- OSINT +- security-awareness +- red-team +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0088 +- AML.T0052 +nist_ai_rmf: +- GOVERN-6.2 +- MAP-5.2 --- # Conducting Social Engineering Penetration Test diff --git a/skills/conducting-social-engineering-pretext-call/SKILL.md b/skills/conducting-social-engineering-pretext-call/SKILL.md index 2cb7af6c..a7de8dc7 100644 --- a/skills/conducting-social-engineering-pretext-call/SKILL.md +++ b/skills/conducting-social-engineering-pretext-call/SKILL.md @@ -1,12 +1,32 @@ --- name: conducting-social-engineering-pretext-call -description: Plan and execute authorized vishing (voice phishing) pretext calls to assess employee susceptibility to social engineering and evaluate security awareness controls. +description: Plan and execute authorized vishing (voice phishing) pretext calls to assess employee susceptibility to social + engineering and evaluate security awareness controls. domain: cybersecurity subdomain: red-teaming -tags: [social-engineering, vishing, pretext-call, security-awareness, red-team, phishing, human-risk] -version: "1.0" +tags: +- social-engineering +- vishing +- pretext-call +- security-awareness +- red-team +- phishing +- human-risk +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0088 +- AML.T0052 +nist_ai_rmf: +- GOVERN-6.2 +- MAP-5.2 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- # Conducting Social Engineering Pretext Call diff --git a/skills/conducting-spearphishing-simulation-campaign/SKILL.md b/skills/conducting-spearphishing-simulation-campaign/SKILL.md index 68eec549..3cd0b8cf 100644 --- a/skills/conducting-spearphishing-simulation-campaign/SKILL.md +++ b/skills/conducting-spearphishing-simulation-campaign/SKILL.md @@ -1,12 +1,26 @@ --- name: conducting-spearphishing-simulation-campaign -description: Spearphishing simulation is a targeted social engineering attack vector used by red teams to gain initial access. Unlike broad phishing campaigns, spearphishing uses OSINT-derived intelligence to craf +description: Spearphishing simulation is a targeted social engineering attack vector used by red teams to gain initial access. + Unlike broad phishing campaigns, spearphishing uses OSINT-derived intelligence to craf domain: cybersecurity subdomain: red-teaming -tags: [red-team, adversary-simulation, mitre-attack, exploitation, post-exploitation, spearphishing, social-engineering] -version: "1.0" +tags: +- red-team +- adversary-simulation +- mitre-attack +- exploitation +- post-exploitation +- spearphishing +- social-engineering +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- # Conducting Spearphishing Simulation Campaign diff --git a/skills/configuring-hsm-for-key-storage/SKILL.md b/skills/configuring-hsm-for-key-storage/SKILL.md index df28670f..eaa75826 100644 --- a/skills/configuring-hsm-for-key-storage/SKILL.md +++ b/skills/configuring-hsm-for-key-storage/SKILL.md @@ -1,12 +1,26 @@ --- name: configuring-hsm-for-key-storage -description: Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and perform cryptographic operations in a hardened environment. Keys stored in an HSM never lea +description: Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and + perform cryptographic operations in a hardened environment. Keys stored in an HSM never lea domain: cybersecurity subdomain: cryptography -tags: [cryptography, hsm, key-management, pkcs11, hardware-security] -version: "1.0" +tags: +- cryptography +- hsm +- key-management +- pkcs11 +- hardware-security +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Configuring HSM for Key Storage diff --git a/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md b/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md index e218178b..4d2d5abc 100644 --- a/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md +++ b/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md @@ -1,363 +1,11 @@ --- -name: deobfuscating-powershell-obfuscated-malware -description: Systematically deobfuscate multi-layer PowerShell malware using AST analysis, dynamic tracing, and tools like PSDecode and PowerDecode to reveal hidden payloads and C2 infrastructure. -domain: cybersecurity -subdomain: malware-analysis -tags: [powershell, deobfuscation, malware-analysis, scripting, obfuscation, ast-analysis, incident-response] -mitre_attack: ["T1059.001", "T1027", "T1140"] -version: "1.0" -author: mahipal -license: Apache-2.0 ---- -# Deobfuscating PowerShell Obfuscated Malware - -## Overview - -PowerShell is heavily abused by malware authors due to its deep Windows integration and powerful scripting capabilities. Obfuscation techniques include string concatenation, Base64 encoding, character substitution, Invoke-Expression layering, SecureString abuse, environment variable manipulation, and tick-mark insertion. Modern malware uses multiple obfuscation layers requiring iterative deobfuscation. Tools like PSDecode, PowerDecode, and PowerPeeler automate much of this process, while manual AST (Abstract Syntax Tree) analysis handles custom obfuscation. PowerPeeler achieves a 95% deobfuscation correctness rate using instruction-level dynamic analysis of expression-related AST nodes. - - -## When to Use - -- When performing authorized security testing that involves deobfuscating powershell obfuscated malware -- When analyzing malware samples or attack artifacts in a controlled environment -- When conducting red team exercises or penetration testing engagements -- When building detection capabilities based on offensive technique understanding - -## Prerequisites - -- Python 3.9+ with `base64`, `re`, `subprocess` modules -- PowerShell 5.1+ or PowerShell 7+ (for AST access) -- PSDecode (`Install-Module PSDecode`) -- PowerDecode (https://github.com/Malandrone/PowerDecode) -- Isolated VM or sandbox for safe script execution -- CyberChef for manual encoding transformations -- Understanding of PowerShell AST and Invoke-Expression patterns - -## Key Concepts - -### Common Obfuscation Techniques - -PowerShell malware employs layered obfuscation to evade static detection. String concatenation splits commands across variables (`$a='In'+'voke'`). Base64 encoding wraps entire scripts in `-EncodedCommand` parameters. Character code arrays use `[char]` casting (`[char[]](73,69,88)|%{$r+=$_}`). Environment variable abuse reads substrings from `$env:` paths. Tick-mark insertion adds backticks between characters that PowerShell ignores (`I`nv`oke-Exp`ression`). SecureString conversion encrypts strings using ConvertTo-SecureString with embedded keys. - -### AST-Based Deobfuscation - -PowerShell's Abstract Syntax Tree exposes the parsed structure of scripts regardless of surface-level obfuscation. By walking the AST and evaluating expression nodes, analysts can resolve concatenated strings, decode encoded values, and reconstruct the original commands. PowerPeeler uses this approach at the instruction level, monitoring the execution process to correlate AST nodes with their evaluated results. - -### Dynamic Execution Tracing - -By replacing `Invoke-Expression` (IEX) with `Write-Output`, analysts can safely capture the deobfuscated script content that would normally be executed. This technique works across multiple layers by iteratively replacing IEX calls until the final payload is revealed. - -## Workflow - -### Step 1: Identify Obfuscation Layers - -```python -#!/usr/bin/env python3 -"""Identify and classify PowerShell obfuscation techniques.""" -import re -import base64 -import sys - - -def analyze_obfuscation(script_content): - """Identify obfuscation techniques used in PowerShell script.""" - techniques = [] - - # Check for Base64 encoded command - b64_pattern = re.compile( - r'-[Ee](?:nc(?:odedcommand)?)\s+([A-Za-z0-9+/=]{20,})', - re.IGNORECASE - ) - if b64_pattern.search(script_content): - techniques.append("Base64 EncodedCommand") - - # Check for FromBase64String - if re.search(r'\[Convert\]::FromBase64String', script_content, re.IGNORECASE): - techniques.append("Base64 FromBase64String") - - # Check for string concatenation - concat_count = script_content.count("'+'") + script_content.count('"+"') - if concat_count > 3: - techniques.append(f"String Concatenation ({concat_count} joins)") - - # Check for char array construction - if re.search(r'\[char\]\s*\d+', script_content, re.IGNORECASE): - techniques.append("Character Code Array") - - # Check for Invoke-Expression variants - iex_patterns = [ - r'Invoke-Expression', - r'\bIEX\b', - r'\.\s*\(\s*\$', - r'&\s*\(\s*\$', - r'\|\s*IEX', - r'\|\s*Invoke-Expression', - ] - for pattern in iex_patterns: - if re.search(pattern, script_content, re.IGNORECASE): - techniques.append(f"Invoke-Expression variant: {pattern}") - - # Check for tick-mark obfuscation - tick_count = script_content.count('`') - if tick_count > 5: - techniques.append(f"Tick-mark Insertion ({tick_count} backticks)") - - # Check for environment variable abuse - if re.search(r'\$env:', script_content, re.IGNORECASE): - env_refs = re.findall(r'\$env:\w+', script_content, re.IGNORECASE) - if len(env_refs) > 2: - techniques.append(f"Environment Variable Abuse ({len(env_refs)} refs)") - - # Check for SecureString - if re.search(r'ConvertTo-SecureString', script_content, re.IGNORECASE): - techniques.append("SecureString Encryption") - - # Check for compression - if re.search(r'IO\.Compression|DeflateStream|GZipStream', - script_content, re.IGNORECASE): - techniques.append("Compression (Deflate/GZip)") - - # Check for XOR encoding - if re.search(r'-bxor\s+\d+', script_content, re.IGNORECASE): - techniques.append("XOR Encoding") - - # Check for Replace chain - replace_count = len(re.findall(r'\.Replace\(', script_content)) - if replace_count > 2: - techniques.append(f"Replace Chain ({replace_count} replacements)") - - return techniques - - -def decode_base64_command(script_content): - """Extract and decode Base64 encoded commands.""" - b64_match = re.search( - r'-[Ee](?:nc(?:odedcommand)?)\s+([A-Za-z0-9+/=]{20,})', - script_content, re.IGNORECASE - ) - if b64_match: - encoded = b64_match.group(1) - try: - decoded = base64.b64decode(encoded).decode('utf-16-le') - return decoded - except Exception: - return None - return None - - -def remove_tick_marks(script_content): - """Remove PowerShell tick-mark obfuscation.""" - # Remove backticks that are not escape sequences - escape_chars = {'`n', '`r', '`t', '`a', '`b', '`f', '`v', '`0', '``'} - result = [] - i = 0 - while i < len(script_content): - if script_content[i] == '`' and i + 1 < len(script_content): - pair = script_content[i:i+2] - if pair in escape_chars: - result.append(pair) - i += 2 - else: - # Skip the backtick, keep the next char - result.append(script_content[i+1]) - i += 2 - else: - result.append(script_content[i]) - i += 1 - return ''.join(result) - - -def resolve_string_concat(script_content): - """Resolve simple string concatenation patterns.""" - # Pattern: 'str1' + 'str2' - pattern = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'") - while pattern.search(script_content): - script_content = pattern.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", - script_content) - # Pattern: "str1" + "str2" - pattern = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"') - while pattern.search(script_content): - script_content = pattern.sub(lambda m: f'"{m.group(1)}{m.group(2)}"', - script_content) - return script_content - - -if __name__ == "__main__": - if len(sys.argv) < 2: - print(f"Usage: {sys.argv[0]} ") - sys.exit(1) - - with open(sys.argv[1], 'r', errors='replace') as f: - content = f.read() - - print("[+] Obfuscation Analysis") - print("=" * 60) - techniques = analyze_obfuscation(content) - for t in techniques: - print(f" - {t}") - - # Attempt automatic deobfuscation - print("\n[+] Attempting Deobfuscation") - print("=" * 60) - - # Layer 1: Remove tick marks - deobfuscated = remove_tick_marks(content) - - # Layer 2: Resolve string concatenation - deobfuscated = resolve_string_concat(deobfuscated) - - # Layer 3: Decode Base64 - b64_decoded = decode_base64_command(deobfuscated) - if b64_decoded: - print("[+] Base64 decoded content:") - print(b64_decoded[:2000]) - deobfuscated = b64_decoded - - print(f"\n[+] Deobfuscated script length: {len(deobfuscated)} chars") - output_file = sys.argv[1] + ".deobfuscated.ps1" - with open(output_file, 'w') as f: - f.write(deobfuscated) - print(f"[+] Saved to {output_file}") -``` - -### Step 2: Multi-Layer IEX Replacement - -```python -import subprocess -import tempfile -import os - -def iex_replacement_deobfuscate(script_content, max_layers=10): - """Iteratively replace IEX with Write-Output to unwrap layers.""" - # IEX replacement patterns - replacements = [ - (r'\bInvoke-Expression\b', 'Write-Output'), - (r'\bIEX\b', 'Write-Output'), - (r'\|\s*IEX\b', '| Write-Output'), - ] - - current = script_content - layers = [] - - for layer_num in range(max_layers): - # Apply IEX replacements - modified = current - for pattern, replacement in replacements: - modified = re.sub(pattern, replacement, modified, flags=re.IGNORECASE) - - if modified == current and layer_num > 0: - print(f" [+] No more IEX layers found at layer {layer_num}") - break - - # Write to temp file and execute in constrained PowerShell - with tempfile.NamedTemporaryFile(mode='w', suffix='.ps1', - delete=False) as tmp: - tmp.write(modified) - tmp_path = tmp.name - - try: - result = subprocess.run( - ['powershell', '-NoProfile', '-ExecutionPolicy', 'Bypass', - '-File', tmp_path], - capture_output=True, text=True, timeout=30 - ) - - output = result.stdout.strip() - if output and output != current: - print(f" [+] Layer {layer_num + 1}: Unwrapped " - f"{len(output)} chars") - layers.append({ - "layer": layer_num + 1, - "technique": "IEX replacement", - "content_length": len(output), - }) - current = output - else: - break - - except subprocess.TimeoutExpired: - print(f" [!] Layer {layer_num + 1}: Execution timeout") - break - finally: - os.unlink(tmp_path) - - return current, layers -``` - -### Step 3: Extract IOCs from Deobfuscated Script - -```python -def extract_iocs_from_script(deobfuscated_content): - """Extract indicators of compromise from deobfuscated PowerShell.""" - iocs = { - "urls": [], - "ips": [], - "domains": [], - "file_paths": [], - "registry_keys": [], - "commands": [], - "base64_blobs": [], - } - - # URLs - url_pattern = re.compile( - r'https?://[^\s\'"<>)\]]+', re.IGNORECASE - ) - iocs["urls"] = list(set(url_pattern.findall(deobfuscated_content))) - - # IP addresses - ip_pattern = re.compile( - r'\b(?:\d{1,3}\.){3}\d{1,3}\b' - ) - iocs["ips"] = list(set(ip_pattern.findall(deobfuscated_content))) - - # File paths - path_pattern = re.compile( - r'[A-Za-z]:\\[^\s\'"<>|]+|' - r'\\\\[^\s\'"<>|]+|' - r'%(?:APPDATA|TEMP|USERPROFILE|PROGRAMFILES)%[^\s\'"<>|]*', - re.IGNORECASE - ) - iocs["file_paths"] = list(set(path_pattern.findall(deobfuscated_content))) - - # Registry keys - reg_pattern = re.compile( - r'(?:HKLM|HKCU|HKCR|HKU|HKCC)(?:\\[^\s\'"<>|]+)+', - re.IGNORECASE - ) - iocs["registry_keys"] = list(set(reg_pattern.findall(deobfuscated_content))) - - # Suspicious commands - suspicious_cmds = [ - 'New-Object Net.WebClient', - 'DownloadString', 'DownloadFile', 'DownloadData', - 'Start-Process', 'Invoke-WebRequest', - 'New-Object IO.MemoryStream', - 'Reflection.Assembly', - 'Add-MpPreference -ExclusionPath', - 'Set-MpPreference -DisableRealtimeMonitoring', - 'New-ScheduledTask', 'Register-ScheduledTask', - ] - for cmd in suspicious_cmds: - if cmd.lower() in deobfuscated_content.lower(): - iocs["commands"].append(cmd) - - return iocs -``` - -## Validation Criteria - -- All obfuscation layers identified and classified correctly -- Base64 encoded commands decoded to readable PowerShell -- Tick-mark and string concatenation obfuscation resolved -- IEX replacement reveals next-stage payloads -- URLs, IPs, and file paths extracted from final deobfuscated stage -- Deobfuscated script matches observed malware behavior in sandbox - -## References - -- [PSDecode - PowerShell Deobfuscation](https://github.com/R3MRUM/PSDecode) -- [PowerDecode - Multi-layer Deobfuscation](https://github.com/Malandrone/PowerDecode) -- [PowerPeeler - Instruction-level Deobfuscation](https://arxiv.org/html/2406.04027v2) -- [SentinelOne - Deconstructing PowerShell Obfuscation](https://www.sentinelone.com/blog/deconstructing-powershell-obfuscation-in-malspam-campaigns/) -- [MITRE ATT&CK T1059.001 - PowerShell](https://attack.mitre.org/techniques/T1059/001/) +{} +---tags: +- powershell +- deobfuscation +- malware-analysis +- scripting +- obfuscation +- ast-analysis +- incident-response +version: '1.0' diff --git a/skills/deploying-cloudflare-access-for-zero-trust/SKILL.md b/skills/deploying-cloudflare-access-for-zero-trust/SKILL.md index f2fbce51..6147d879 100644 --- a/skills/deploying-cloudflare-access-for-zero-trust/SKILL.md +++ b/skills/deploying-cloudflare-access-for-zero-trust/SKILL.md @@ -1,15 +1,31 @@ --- name: deploying-cloudflare-access-for-zero-trust -description: > - Deploying Cloudflare Access with Cloudflare Tunnel to provide zero trust access - to self-hosted and private applications, configuring identity-aware access policies, - device posture checks, and WARP client enrollment for VPN replacement. +description: 'Deploying Cloudflare Access with Cloudflare Tunnel to provide zero trust access to self-hosted and private applications, + configuring identity-aware access policies, device posture checks, and WARP client enrollment for VPN replacement. + + ' domain: cybersecurity subdomain: zero-trust-architecture -tags: [cloudflare, cloudflare-access, zero-trust, cloudflare-tunnel, warp, ztna, cloudflare-one] -version: "1.0" +tags: +- cloudflare +- cloudflare-access +- zero-trust +- cloudflare-tunnel +- warp +- ztna +- cloudflare-one +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0051 +- AML.T0054 +- AML.T0056 +nist_ai_rmf: +- MEASURE-2.7 +- MEASURE-2.5 +- GOVERN-6.1 +- MAP-5.1 --- # Deploying Cloudflare Access for Zero Trust diff --git a/skills/deploying-edr-agent-with-crowdstrike/SKILL.md b/skills/deploying-edr-agent-with-crowdstrike/SKILL.md index 36b6d8bd..0854f45e 100644 --- a/skills/deploying-edr-agent-with-crowdstrike/SKILL.md +++ b/skills/deploying-edr-agent-with-crowdstrike/SKILL.md @@ -1,17 +1,33 @@ --- name: deploying-edr-agent-with-crowdstrike -description: > - Deploys and configures CrowdStrike Falcon EDR agents across enterprise endpoints to enable - real-time threat detection, behavioral analysis, and automated response. Use when onboarding - endpoints to EDR coverage, configuring detection policies, or integrating Falcon telemetry - with SIEM platforms. Activates for requests involving CrowdStrike deployment, Falcon sensor - installation, EDR policy configuration, or endpoint detection and response. +description: 'Deploys and configures CrowdStrike Falcon EDR agents across enterprise endpoints to enable real-time threat + detection, behavioral analysis, and automated response. Use when onboarding endpoints to EDR coverage, configuring detection + policies, or integrating Falcon telemetry with SIEM platforms. Activates for requests involving CrowdStrike deployment, + Falcon sensor installation, EDR policy configuration, or endpoint detection and response. + + ' domain: cybersecurity subdomain: endpoint-security -tags: [endpoint, edr, CrowdStrike, Falcon, threat-detection, sensor-deployment] +tags: +- endpoint +- edr +- CrowdStrike +- Falcon +- threat-detection +- sensor-deployment version: 1.0.0 author: mahipal license: Apache-2.0 +nist_ai_rmf: +- GOVERN-1.1 +- MEASURE-2.7 +- MANAGE-3.1 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Deploying EDR Agent with CrowdStrike diff --git a/skills/deploying-palo-alto-prisma-access-zero-trust/SKILL.md b/skills/deploying-palo-alto-prisma-access-zero-trust/SKILL.md index a74c677c..ebf25c5d 100644 --- a/skills/deploying-palo-alto-prisma-access-zero-trust/SKILL.md +++ b/skills/deploying-palo-alto-prisma-access-zero-trust/SKILL.md @@ -1,15 +1,26 @@ --- name: deploying-palo-alto-prisma-access-zero-trust -description: > - Deploying Palo Alto Networks Prisma Access for SASE-based zero trust network access - using GlobalProtect agents, ZTNA Connectors, security policy enforcement, and - integration with Strata Cloud Manager for unified security management. +description: 'Deploying Palo Alto Networks Prisma Access for SASE-based zero trust network access using GlobalProtect agents, + ZTNA Connectors, security policy enforcement, and integration with Strata Cloud Manager for unified security management. + + ' domain: cybersecurity subdomain: zero-trust-architecture -tags: [prisma-access, palo-alto, ztna, sase, globalprotect, strata-cloud-manager, zero-trust] -version: "1.0" +tags: +- prisma-access +- palo-alto +- ztna +- sase +- globalprotect +- strata-cloud-manager +- zero-trust +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- GOVERN-1.1 +- MEASURE-2.7 +- MANAGE-3.1 --- # Deploying Palo Alto Prisma Access Zero Trust diff --git a/skills/detecting-ai-model-prompt-injection-attacks/SKILL.md b/skills/detecting-ai-model-prompt-injection-attacks/SKILL.md index a3229253..54e5c1da 100644 --- a/skills/detecting-ai-model-prompt-injection-attacks/SKILL.md +++ b/skills/detecting-ai-model-prompt-injection-attacks/SKILL.md @@ -1,21 +1,43 @@ --- name: detecting-ai-model-prompt-injection-attacks -description: > - Detects prompt injection attacks targeting LLM-based applications using a multi-layered - defense combining regex pattern matching for known attack signatures, heuristic scoring - for structural anomalies, and transformer-based classification with DeBERTa models. The - detector analyzes user inputs before they reach the LLM, flagging direct injections - (system prompt overrides, role-play escapes, instruction hijacking) and indirect injections - (encoded payloads, multi-language obfuscation, delimiter-based escapes). Based on the - OWASP LLM Top 10 (LLM01:2025 Prompt Injection) and Simon Willison's prompt injection - taxonomy. Activates for requests involving prompt injection detection, LLM input - sanitization, AI security scanning, or prompt attack classification. +description: 'Detects prompt injection attacks targeting LLM-based applications using a multi-layered defense combining regex + pattern matching for known attack signatures, heuristic scoring for structural anomalies, and transformer-based classification + with DeBERTa models. The detector analyzes user inputs before they reach the LLM, flagging direct injections (system prompt + overrides, role-play escapes, instruction hijacking) and indirect injections (encoded payloads, multi-language obfuscation, + delimiter-based escapes). Based on the OWASP LLM Top 10 (LLM01:2025 Prompt Injection) and Simon Willison''s prompt injection + taxonomy. Activates for requests involving prompt injection detection, LLM input sanitization, AI security scanning, or + prompt attack classification. + + ' domain: cybersecurity subdomain: ai-security -tags: [prompt-injection, LLM-security, OWASP-LLM-Top10, NLP-classification, input-validation] +tags: +- prompt-injection +- LLM-security +- OWASP-LLM-Top10 +- NLP-classification +- input-validation version: 1.0.0 author: mukul975 license: Apache-2.0 +atlas_techniques: +- AML.T0051 +- AML.T0054 +- AML.T0056 +- AML.T0068 +- AML.T0067 +nist_ai_rmf: +- GOVERN-1.1 +- GOVERN-6.1 +- MEASURE-2.7 +- MEASURE-2.5 +- MANAGE-2.4 +d3fend_techniques: +- Content Validation +- Content Filtering +- Application Hardening +- Inbound Traffic Filtering +- User Behavior Analysis --- # Detecting AI Model Prompt Injection Attacks diff --git a/skills/detecting-anomalies-in-industrial-control-systems/SKILL.md b/skills/detecting-anomalies-in-industrial-control-systems/SKILL.md index 9b981148..b45b4a79 100644 --- a/skills/detecting-anomalies-in-industrial-control-systems/SKILL.md +++ b/skills/detecting-anomalies-in-industrial-control-systems/SKILL.md @@ -1,18 +1,31 @@ --- name: detecting-anomalies-in-industrial-control-systems -description: > - This skill covers deploying anomaly detection systems for industrial control - environments using machine learning models trained on OT network baselines, - physics-based process models, and behavioral analysis of industrial protocol - communications. It addresses building normal behavior profiles for SCADA polling - patterns, detecting deviations in Modbus/DNP3/OPC UA traffic, identifying rogue - devices, and correlating network anomalies with physical process data from historians. +description: 'This skill covers deploying anomaly detection systems for industrial control environments using machine learning + models trained on OT network baselines, physics-based process models, and behavioral analysis of industrial protocol communications. + It addresses building normal behavior profiles for SCADA polling patterns, detecting deviations in Modbus/DNP3/OPC UA traffic, + identifying rogue devices, and correlating network anomalies with physical process data from historians. + + ' domain: cybersecurity subdomain: ot-ics-security -tags: [ot-security, ics, scada, industrial-control, iec62443, anomaly-detection, machine-learning] +tags: +- ot-security +- ics +- scada +- industrial-control +- iec62443 +- anomaly-detection +- machine-learning version: 1.0.0 author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0043 +- AML.T0018 +nist_ai_rmf: +- MEASURE-2.7 +- MEASURE-2.5 +- MAP-5.1 --- # Detecting Anomalies in Industrial Control Systems diff --git a/skills/detecting-anomalous-authentication-patterns/SKILL.md b/skills/detecting-anomalous-authentication-patterns/SKILL.md index 5bc77aaf..b94e5d67 100644 --- a/skills/detecting-anomalous-authentication-patterns/SKILL.md +++ b/skills/detecting-anomalous-authentication-patterns/SKILL.md @@ -1,17 +1,30 @@ --- name: detecting-anomalous-authentication-patterns -description: > - Detects anomalous authentication patterns using UEBA analytics, statistical baselines, - and machine learning models to identify impossible travel, credential stuffing, brute force, - password spraying, and compromised account behaviors across authentication logs. - Activates for requests involving authentication anomaly detection, login behavior analysis, +description: 'Detects anomalous authentication patterns using UEBA analytics, statistical baselines, and machine learning + models to identify impossible travel, credential stuffing, brute force, password spraying, and compromised account behaviors + across authentication logs. Activates for requests involving authentication anomaly detection, login behavior analysis, UEBA implementation, or suspicious sign-in investigation. + + ' domain: cybersecurity subdomain: identity-access-management -tags: [UEBA, authentication-anomaly, impossible-travel, brute-force, credential-stuffing, behavioral-analytics] -version: "1.0" +tags: +- UEBA +- authentication-anomaly +- impossible-travel +- brute-force +- credential-stuffing +- behavioral-analytics +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0043 +- AML.T0018 +nist_ai_rmf: +- MEASURE-2.7 +- MEASURE-2.5 +- MAP-5.1 --- # Detecting Anomalous Authentication Patterns diff --git a/skills/detecting-attacks-on-scada-systems/SKILL.md b/skills/detecting-attacks-on-scada-systems/SKILL.md index 85abc162..59d58fdc 100644 --- a/skills/detecting-attacks-on-scada-systems/SKILL.md +++ b/skills/detecting-attacks-on-scada-systems/SKILL.md @@ -1,19 +1,33 @@ --- name: detecting-attacks-on-scada-systems -description: > - This skill covers detecting cyber attacks targeting Supervisory Control and Data - Acquisition (SCADA) systems including man-in-the-middle attacks on industrial - protocols, unauthorized command injection into PLCs, HMI compromise, historian - data manipulation, and denial-of-service against control system communications. - It leverages OT-specific intrusion detection systems, industrial protocol anomaly - detection, and process data analytics to identify attacks that traditional IT - security tools miss. +description: 'This skill covers detecting cyber attacks targeting Supervisory Control and Data Acquisition (SCADA) systems + including man-in-the-middle attacks on industrial protocols, unauthorized command injection into PLCs, HMI compromise, historian + data manipulation, and denial-of-service against control system communications. It leverages OT-specific intrusion detection + systems, industrial protocol anomaly detection, and process data analytics to identify attacks that traditional IT security + tools miss. + + ' domain: cybersecurity subdomain: ot-ics-security -tags: [ot-security, ics, scada, industrial-control, iec62443, intrusion-detection, threat-detection] +tags: +- ot-security +- ics +- scada +- industrial-control +- iec62443 +- intrusion-detection +- threat-detection version: 1.0.0 author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Detecting Attacks on SCADA Systems diff --git a/skills/detecting-azure-service-principal-abuse/SKILL.md b/skills/detecting-azure-service-principal-abuse/SKILL.md index 713e504b..55dcdb17 100644 --- a/skills/detecting-azure-service-principal-abuse/SKILL.md +++ b/skills/detecting-azure-service-principal-abuse/SKILL.md @@ -1,12 +1,27 @@ --- name: detecting-azure-service-principal-abuse -description: Detect and investigate Azure service principal abuse including privilege escalation, credential compromise, admin consent bypass, and unauthorized enumeration in Microsoft Entra ID environments. +description: Detect and investigate Azure service principal abuse including privilege escalation, credential compromise, admin + consent bypass, and unauthorized enumeration in Microsoft Entra ID environments. domain: cybersecurity subdomain: cloud-security -tags: [azure, entra-id, service-principal, privilege-escalation, credential-abuse, detection, splunk, sentinel] -version: "1.0" +tags: +- azure +- entra-id +- service-principal +- privilege-escalation +- credential-abuse +- detection +- splunk +- sentinel +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Token Binding +- Restore Access +- Application Protocol Command Analysis +- Reissue Credential +- Network Isolation --- # Detecting Azure Service Principal Abuse diff --git a/skills/detecting-azure-storage-account-misconfigurations/SKILL.md b/skills/detecting-azure-storage-account-misconfigurations/SKILL.md index 17dfebd5..f6617c2e 100644 --- a/skills/detecting-azure-storage-account-misconfigurations/SKILL.md +++ b/skills/detecting-azure-storage-account-misconfigurations/SKILL.md @@ -1,12 +1,30 @@ --- name: detecting-azure-storage-account-misconfigurations -description: Audit Azure Blob and ADLS storage accounts for public access exposure, weak or long-lived SAS tokens, missing encryption at rest, disabled HTTPS-only traffic, and outdated TLS versions using the azure-mgmt-storage Python SDK. +description: Audit Azure Blob and ADLS storage accounts for public access exposure, weak or long-lived SAS tokens, missing + encryption at rest, disabled HTTPS-only traffic, and outdated TLS versions using the azure-mgmt-storage Python SDK. domain: cybersecurity subdomain: cloud-security -tags: [Azure, storage-accounts, blob-storage, ADLS, SAS-tokens, encryption, public-access, cloud-misconfiguration, azure-mgmt-storage] -version: "1.0" +tags: +- Azure +- storage-accounts +- blob-storage +- ADLS +- SAS-tokens +- encryption +- public-access +- cloud-misconfiguration +- azure-mgmt-storage +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Detecting Azure Storage Account Misconfigurations diff --git a/skills/detecting-business-email-compromise-with-ai/SKILL.md b/skills/detecting-business-email-compromise-with-ai/SKILL.md index cc3d927a..51150519 100644 --- a/skills/detecting-business-email-compromise-with-ai/SKILL.md +++ b/skills/detecting-business-email-compromise-with-ai/SKILL.md @@ -1,12 +1,37 @@ --- name: detecting-business-email-compromise-with-ai -description: Deploy AI and NLP-powered detection systems to identify business email compromise attacks by analyzing writing style, behavioral patterns, and contextual anomalies that evade traditional rule-based filters. +description: Deploy AI and NLP-powered detection systems to identify business email compromise attacks by analyzing writing + style, behavioral patterns, and contextual anomalies that evade traditional rule-based filters. domain: cybersecurity subdomain: phishing-defense -tags: [bec, ai, nlp, machine-learning, email-security, behavioral-analytics, impersonation, fraud-detection] -version: "1.0" +tags: +- bec +- ai +- nlp +- machine-learning +- email-security +- behavioral-analytics +- impersonation +- fraud-detection +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0073 +- AML.T0052 +- AML.T0088 +nist_ai_rmf: +- GOVERN-6.2 +- MAP-5.2 +- GOVERN-6.1 +- MEASURE-2.7 +- MEASURE-2.5 +d3fend_techniques: +- Sender MTA Reputation Analysis +- Email Filtering +- Sender Reputation Analysis +- Homoglyph Detection +- Message Analysis --- # Detecting Business Email Compromise with AI diff --git a/skills/detecting-business-email-compromise/SKILL.md b/skills/detecting-business-email-compromise/SKILL.md index 77b17bcc..b057826a 100644 --- a/skills/detecting-business-email-compromise/SKILL.md +++ b/skills/detecting-business-email-compromise/SKILL.md @@ -1,12 +1,32 @@ --- name: detecting-business-email-compromise -description: Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors, or trusted partners to trick employees into transferring funds, sharing sensitive data, +description: Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors, + or trusted partners to trick employees into transferring funds, sharing sensitive data, domain: cybersecurity subdomain: phishing-defense -tags: [phishing, email-security, social-engineering, dmarc, awareness, bec, fraud] -version: "1.0" +tags: +- phishing +- email-security +- social-engineering +- dmarc +- awareness +- bec +- fraud +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0052 +- AML.T0088 +nist_ai_rmf: +- GOVERN-6.2 +- MAP-5.2 +d3fend_techniques: +- Restore Object +- Restore Configuration +- Application Configuration Hardening +- Application Hardening +- Disable Remote Access --- # Detecting Business Email Compromise diff --git a/skills/detecting-container-escape-attempts/SKILL.md b/skills/detecting-container-escape-attempts/SKILL.md index 6c1ddee8..598459f1 100644 --- a/skills/detecting-container-escape-attempts/SKILL.md +++ b/skills/detecting-container-escape-attempts/SKILL.md @@ -1,12 +1,25 @@ --- name: detecting-container-escape-attempts -description: Container escape is a critical attack technique where an adversary breaks out of container isolation to access the host system or other containers. Detection involves monitoring for escape indicators +description: Container escape is a critical attack technique where an adversary breaks out of container isolation to access + the host system or other containers. Detection involves monitoring for escape indicators domain: cybersecurity subdomain: container-security -tags: [containers, kubernetes, docker, security, runtime-security, escape-detection] -version: "1.0" +tags: +- containers +- kubernetes +- docker +- security +- runtime-security +- escape-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Platform Monitoring +- Process Code Segment Verification +- Stack Frame Canary Validation +- Segment Address Offset Randomization +- Process Analysis --- # Detecting Container Escape Attempts diff --git a/skills/detecting-container-escape-with-falco-rules/SKILL.md b/skills/detecting-container-escape-with-falco-rules/SKILL.md index 49e48abc..09f9505f 100644 --- a/skills/detecting-container-escape-with-falco-rules/SKILL.md +++ b/skills/detecting-container-escape-with-falco-rules/SKILL.md @@ -1,12 +1,25 @@ --- name: detecting-container-escape-with-falco-rules -description: Detect container escape attempts in real-time using Falco runtime security rules that monitor syscalls, file access, and privilege escalation. +description: Detect container escape attempts in real-time using Falco runtime security rules that monitor syscalls, file + access, and privilege escalation. domain: cybersecurity subdomain: container-security -tags: [falco, container-escape, runtime-security, syscall-monitoring, kubernetes, detection] -version: "1.0" +tags: +- falco +- container-escape +- runtime-security +- syscall-monitoring +- kubernetes +- detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Token Binding +- Execution Isolation +- File Metadata Consistency Validation +- Restore Access +- Application Protocol Command Analysis --- # Detecting Container Escape with Falco Rules diff --git a/skills/detecting-credential-dumping-techniques/SKILL.md b/skills/detecting-credential-dumping-techniques/SKILL.md index 2794ae71..41a38cd2 100644 --- a/skills/detecting-credential-dumping-techniques/SKILL.md +++ b/skills/detecting-credential-dumping-techniques/SKILL.md @@ -1,19 +1,26 @@ --- name: detecting-credential-dumping-techniques -description: Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules +description: Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows + Security logs, and SIEM correlation rules domain: cybersecurity subdomain: threat-detection tags: - - credential-dumping - - lsass - - mimikatz - - sysmon - - active-directory - - windows-security - - defense-evasion -version: "1.0" +- credential-dumping +- lsass +- mimikatz +- sysmon +- active-directory +- windows-security +- defense-evasion +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Token Binding +- Execution Isolation +- File Metadata Consistency Validation +- Restore Access +- Application Protocol Command Analysis --- # Detecting Credential Dumping Techniques diff --git a/skills/detecting-dcsync-attack-in-active-directory/SKILL.md b/skills/detecting-dcsync-attack-in-active-directory/SKILL.md index 885dfe71..02dc5e21 100644 --- a/skills/detecting-dcsync-attack-in-active-directory/SKILL.md +++ b/skills/detecting-dcsync-attack-in-active-directory/SKILL.md @@ -1,12 +1,26 @@ --- name: detecting-dcsync-attack-in-active-directory -description: Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes by monitoring for non-domain-controller accounts requesting directory replication via DsGetNCChanges. +description: Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes + by monitoring for non-domain-controller accounts requesting directory replication via DsGetNCChanges. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, active-directory, dcsync, credential-theft, mitre-t1003-006, mimikatz, kerberos] -version: "1.0" +tags: +- threat-hunting +- active-directory +- dcsync +- credential-theft +- mitre-t1003-006 +- mimikatz +- kerberos +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Platform Monitoring --- # Detecting DCSync Attack in Active Directory diff --git a/skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md b/skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md index d524432c..2fa5b9a7 100644 --- a/skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md +++ b/skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md @@ -1,18 +1,41 @@ --- name: detecting-deepfake-audio-in-vishing-attacks -description: > - Detects AI-generated deepfake audio used in voice phishing (vishing) attacks by - extracting spectral features (MFCC, spectral centroid, spectral contrast, zero-crossing - rate) and classifying samples with machine learning models. Supports batch analysis of - audio files, generates confidence scores, and produces forensic reports. Activates for - requests involving deepfake voice detection, vishing investigation, AI-generated speech - analysis, voice cloning detection, or audio authenticity verification. +description: 'Detects AI-generated deepfake audio used in voice phishing (vishing) attacks by extracting spectral features + (MFCC, spectral centroid, spectral contrast, zero-crossing rate) and classifying samples with machine learning models. Supports + batch analysis of audio files, generates confidence scores, and produces forensic reports. Activates for requests involving + deepfake voice detection, vishing investigation, AI-generated speech analysis, voice cloning detection, or audio authenticity + verification. + + ' domain: cybersecurity subdomain: social-engineering-defense -tags: [deepfake-detection, vishing, audio-forensics, MFCC, spectral-analysis, voice-cloning] +tags: +- deepfake-detection +- vishing +- audio-forensics +- MFCC +- spectral-analysis +- voice-cloning version: 1.0.0 author: mukul975 license: Apache-2.0 +atlas_techniques: +- AML.T0088 +- AML.T0043 +- AML.T0018 +- AML.T0052 +nist_ai_rmf: +- MEASURE-2.7 +- GOVERN-6.2 +- MAP-5.2 +- MEASURE-2.5 +- MAP-5.1 +d3fend_techniques: +- Sender Reputation Analysis +- Content Validation +- Message Analysis +- User Behavior Analysis +- Identifier Analysis --- # Detecting Deepfake Audio in Vishing Attacks diff --git a/skills/detecting-dll-sideloading-attacks/SKILL.md b/skills/detecting-dll-sideloading-attacks/SKILL.md index c74554ae..7798ea3b 100644 --- a/skills/detecting-dll-sideloading-attacks/SKILL.md +++ b/skills/detecting-dll-sideloading-attacks/SKILL.md @@ -1,12 +1,26 @@ --- name: detecting-dll-sideloading-attacks -description: Detect DLL side-loading attacks where adversaries place malicious DLLs alongside legitimate applications to hijack execution flow for defense evasion. +description: Detect DLL side-loading attacks where adversaries place malicious DLLs alongside legitimate applications to hijack + execution flow for defense evasion. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, dll-sideloading, defense-evasion, t1574, edr, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- dll-sideloading +- defense-evasion +- t1574 +- edr +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis +- Platform Hardening +- File Format Verification --- # Detecting DLL Sideloading Attacks diff --git a/skills/detecting-dnp3-protocol-anomalies/SKILL.md b/skills/detecting-dnp3-protocol-anomalies/SKILL.md index 1c909f4b..6f855584 100644 --- a/skills/detecting-dnp3-protocol-anomalies/SKILL.md +++ b/skills/detecting-dnp3-protocol-anomalies/SKILL.md @@ -1,16 +1,31 @@ --- name: detecting-dnp3-protocol-anomalies -description: > - Detect anomalies in DNP3 (Distributed Network Protocol 3) communications - used in SCADA systems by monitoring for unauthorized control commands, - firmware update attempts, protocol violations, and deviations from baseline - traffic patterns using deep packet inspection and machine learning approaches. +description: 'Detect anomalies in DNP3 (Distributed Network Protocol 3) communications used in SCADA systems by monitoring + for unauthorized control commands, firmware update attempts, protocol violations, and deviations from baseline traffic patterns + using deep packet inspection and machine learning approaches. + + ' domain: cybersecurity subdomain: ot-ics-security -tags: [ot-security, ics, dnp3, scada, anomaly-detection, protocol-analysis, energy-sector, ids] -version: "1.0" +tags: +- ot-security +- ics +- dnp3 +- scada +- anomaly-detection +- protocol-analysis +- energy-sector +- ids +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0043 +- AML.T0018 +nist_ai_rmf: +- MEASURE-2.7 +- MEASURE-2.5 +- MAP-5.1 --- # Detecting DNP3 Protocol Anomalies diff --git a/skills/detecting-email-forwarding-rules-attack/SKILL.md b/skills/detecting-email-forwarding-rules-attack/SKILL.md index 2a8e6116..8b8bf266 100644 --- a/skills/detecting-email-forwarding-rules-attack/SKILL.md +++ b/skills/detecting-email-forwarding-rules-attack/SKILL.md @@ -1,12 +1,26 @@ --- name: detecting-email-forwarding-rules-attack -description: Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications for intelligence collection and BEC attacks. +description: Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications + for intelligence collection and BEC attacks. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, email-forwarding, persistence, bec, t1114, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- email-forwarding +- persistence +- bec +- t1114 +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Restore Object +- Restore Configuration +- Application Configuration Hardening +- Application Hardening +- Disable Remote Access --- # Detecting Email Forwarding Rules Attack diff --git a/skills/detecting-evasion-techniques-in-endpoint-logs/SKILL.md b/skills/detecting-evasion-techniques-in-endpoint-logs/SKILL.md index 4578a311..81c6f3b7 100644 --- a/skills/detecting-evasion-techniques-in-endpoint-logs/SKILL.md +++ b/skills/detecting-evasion-techniques-in-endpoint-logs/SKILL.md @@ -1,17 +1,29 @@ --- name: detecting-evasion-techniques-in-endpoint-logs -description: > - Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, - timestomping, process injection, and security tool disabling. Use when investigating suspicious - endpoint behavior, building detection rules for evasion tactics, or conducting threat hunting - for stealthy adversary activity. Activates for requests involving evasion detection, defense - evasion analysis, log tampering detection, or MITRE ATT&CK TA0005. +description: 'Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, timestomping, + process injection, and security tool disabling. Use when investigating suspicious endpoint behavior, building detection + rules for evasion tactics, or conducting threat hunting for stealthy adversary activity. Activates for requests involving + evasion detection, defense evasion analysis, log tampering detection, or MITRE ATT&CK TA0005. + + ' domain: cybersecurity subdomain: endpoint-security -tags: [endpoint, edr, threat-hunting, defense-evasion, MITRE-ATT&CK, detection-engineering] +tags: +- endpoint +- edr +- threat-hunting +- defense-evasion +- MITRE-ATT&CK +- detection-engineering version: 1.0.0 author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis +- Platform Hardening +- File Format Verification --- # Detecting Evasion Techniques in Endpoint Logs diff --git a/skills/detecting-fileless-malware-techniques/SKILL.md b/skills/detecting-fileless-malware-techniques/SKILL.md index ac001cfd..516d4752 100644 --- a/skills/detecting-fileless-malware-techniques/SKILL.md +++ b/skills/detecting-fileless-malware-techniques/SKILL.md @@ -1,17 +1,28 @@ --- name: detecting-fileless-malware-techniques -description: > - Detects and analyzes fileless malware that operates entirely in memory using PowerShell, - WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins) - without writing traditional executable files to disk. Activates for requests involving - fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or - WMI persistence examination. +description: 'Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection, + registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk. + Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI + persistence examination. + + ' domain: cybersecurity subdomain: malware-analysis -tags: [malware, fileless, LOLBins, memory-analysis, detection] +tags: +- malware +- fileless +- LOLBins +- memory-analysis +- detection version: 1.0.0 author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Detecting Fileless Malware Techniques diff --git a/skills/detecting-golden-ticket-forgery/SKILL.md b/skills/detecting-golden-ticket-forgery/SKILL.md index 4be249bc..9d9dfa37 100644 --- a/skills/detecting-golden-ticket-forgery/SKILL.md +++ b/skills/detecting-golden-ticket-forgery/SKILL.md @@ -1,19 +1,26 @@ --- name: detecting-golden-ticket-forgery -description: Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17), abnormal ticket lifetimes, and krbtgt account anomalies in Splunk and Elastic SIEM +description: Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17), + abnormal ticket lifetimes, and krbtgt account anomalies in Splunk and Elastic SIEM domain: cybersecurity subdomain: threat-detection tags: - - golden-ticket - - kerberos - - active-directory - - mimikatz - - splunk - - credential-theft - - windows-security -version: "1.0" +- golden-ticket +- kerberos +- active-directory +- mimikatz +- splunk +- credential-theft +- windows-security +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Token Binding +- Restore Access +- Reissue Credential +- Decoy User Credential +- Authentication Cache Invalidation --- # Detecting Golden Ticket Forgery diff --git a/skills/detecting-insider-threat-behaviors/SKILL.md b/skills/detecting-insider-threat-behaviors/SKILL.md index 55d34ba3..02e792a0 100644 --- a/skills/detecting-insider-threat-behaviors/SKILL.md +++ b/skills/detecting-insider-threat-behaviors/SKILL.md @@ -1,12 +1,25 @@ --- name: detecting-insider-threat-behaviors -description: Detect insider threat behavioral indicators including unusual data access, off-hours activity, mass file downloads, privilege abuse, and resignation-correlated data theft. +description: Detect insider threat behavioral indicators including unusual data access, off-hours activity, mass file downloads, + privilege abuse, and resignation-correlated data theft. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, insider-threat, data-theft, ueba, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- insider-threat +- data-theft +- ueba +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Restore Access +- Password Authentication +- Biometric Authentication +- Strong Password Policy +- Restore User Account Access --- # Detecting Insider Threat Behaviors diff --git a/skills/detecting-kerberoasting-attacks/SKILL.md b/skills/detecting-kerberoasting-attacks/SKILL.md index c99f9ead..c5bccc96 100644 --- a/skills/detecting-kerberoasting-attacks/SKILL.md +++ b/skills/detecting-kerberoasting-attacks/SKILL.md @@ -1,12 +1,26 @@ --- name: detecting-kerberoasting-attacks -description: Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with SPNs for offline password cracking. +description: Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with + SPNs for offline password cracking. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, kerberoasting, credential-access, kerberos, t1558, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- kerberoasting +- credential-access +- kerberos +- t1558 +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Network Traffic Community Deviation --- # Detecting Kerberoasting Attacks diff --git a/skills/detecting-lateral-movement-in-network/SKILL.md b/skills/detecting-lateral-movement-in-network/SKILL.md index c49a8d87..8787c195 100644 --- a/skills/detecting-lateral-movement-in-network/SKILL.md +++ b/skills/detecting-lateral-movement-in-network/SKILL.md @@ -1,15 +1,26 @@ --- name: detecting-lateral-movement-in-network -description: > - Identifies lateral movement techniques in enterprise networks by analyzing - authentication logs, network flows, SMB traffic, and RDP sessions using Zeek, - Velociraptor, and SIEM correlation rules to detect attackers moving between systems. +description: 'Identifies lateral movement techniques in enterprise networks by analyzing authentication logs, network flows, + SMB traffic, and RDP sessions using Zeek, Velociraptor, and SIEM correlation rules to detect attackers moving between systems. + + ' domain: cybersecurity subdomain: network-security -tags: [network-security, lateral-movement, threat-detection, siem, pass-the-hash] -version: "1.0" +tags: +- network-security +- lateral-movement +- threat-detection +- siem +- pass-the-hash +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Network Traffic Community Deviation --- # Detecting Lateral Movement in Network diff --git a/skills/detecting-lateral-movement-with-splunk/SKILL.md b/skills/detecting-lateral-movement-with-splunk/SKILL.md index 354f210a..73e83f4f 100644 --- a/skills/detecting-lateral-movement-with-splunk/SKILL.md +++ b/skills/detecting-lateral-movement-with-splunk/SKILL.md @@ -1,12 +1,26 @@ --- name: detecting-lateral-movement-with-splunk -description: Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, SMB traffic, and remote service abuse. +description: Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, + SMB traffic, and remote service abuse. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, lateral-movement, splunk, siem, proactive-detection, ta0008] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- lateral-movement +- splunk +- siem +- proactive-detection +- ta0008 +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Network Traffic Community Deviation --- # Detecting Lateral Movement with Splunk diff --git a/skills/detecting-living-off-the-land-attacks/SKILL.md b/skills/detecting-living-off-the-land-attacks/SKILL.md index 022ce6b6..c4131e22 100644 --- a/skills/detecting-living-off-the-land-attacks/SKILL.md +++ b/skills/detecting-living-off-the-land-attacks/SKILL.md @@ -1,15 +1,25 @@ --- name: detecting-living-off-the-land-attacks -description: > - Detect abuse of legitimate Windows binaries (LOLBins) used for living off - the land attacks. Monitors process creation, command-line arguments, and - parent-child relationships to identify suspicious LOLBin execution patterns. +description: 'Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process + creation, command-line arguments, and parent-child relationships to identify suspicious LOLBin execution patterns. + + ' domain: cybersecurity subdomain: threat-detection -tags: [lolbins, lotl, fileless-attacks, process-monitoring] -version: "1.0" +tags: +- lolbins +- lotl +- fileless-attacks +- process-monitoring +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Network Traffic Community Deviation --- # Detecting Living Off the Land Attacks diff --git a/skills/detecting-living-off-the-land-with-lolbas/SKILL.md b/skills/detecting-living-off-the-land-with-lolbas/SKILL.md index 1614ee8d..a81f2dc6 100644 --- a/skills/detecting-living-off-the-land-with-lolbas/SKILL.md +++ b/skills/detecting-living-off-the-land-with-lolbas/SKILL.md @@ -1,12 +1,26 @@ --- name: detecting-living-off-the-land-with-lolbas -description: Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32 via process telemetry, Sigma rules, and parent-child process analysis +description: Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32 + via process telemetry, Sigma rules, and parent-child process analysis domain: cybersecurity subdomain: threat-detection -tags: [lolbas, lolbins, sigma-rules, process-monitoring, sysmon, endpoint-detection, threat-hunting] -version: "1.0" +tags: +- lolbas +- lolbins +- sigma-rules +- process-monitoring +- sysmon +- endpoint-detection +- threat-hunting +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Content Format Conversion --- # Detecting Living Off the Land with LOLBAS diff --git a/skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md b/skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md index 6274d28a..a129ee9b 100644 --- a/skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md +++ b/skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md @@ -1,18 +1,30 @@ --- name: detecting-malicious-scheduled-tasks-with-sysmon -description: > - Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process - Create for schtasks.exe), 11 (File Create for task XML), and Windows Security Event 4698/4702. - The analyst correlates task creation with suspicious parent processes, public directory paths, - and encoded command arguments to identify persistence and lateral movement via scheduled tasks. - Activates for requests involving scheduled task detection, Sysmon persistence hunting, or - T1053.005 Scheduled Task/Job analysis. +description: 'Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process Create for schtasks.exe), + 11 (File Create for task XML), and Windows Security Event 4698/4702. The analyst correlates task creation with suspicious + parent processes, public directory paths, and encoded command arguments to identify persistence and lateral movement via + scheduled tasks. Activates for requests involving scheduled task detection, Sysmon persistence hunting, or T1053.005 Scheduled + Task/Job analysis. + + ' domain: cybersecurity subdomain: threat-hunting -tags: [sysmon, scheduled-tasks, persistence, detection, threat-hunting, windows-security] -version: "1.0" +tags: +- sysmon +- scheduled-tasks +- persistence +- detection +- threat-hunting +- windows-security +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Execution Isolation +- Process Termination +- Hardware-based Process Isolation +- Platform Monitoring +- Process Suspension --- # Detecting Malicious Scheduled Tasks with Sysmon diff --git a/skills/detecting-mimikatz-execution-patterns/SKILL.md b/skills/detecting-mimikatz-execution-patterns/SKILL.md index dc1b305c..1245b833 100644 --- a/skills/detecting-mimikatz-execution-patterns/SKILL.md +++ b/skills/detecting-mimikatz-execution-patterns/SKILL.md @@ -1,12 +1,26 @@ --- name: detecting-mimikatz-execution-patterns -description: Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory detection of known modules. +description: Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory + detection of known modules. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, mimikatz, credential-dumping, edr, t1003, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- mimikatz +- credential-dumping +- edr +- t1003 +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Execution Isolation +- Process Termination +- Hardware-based Process Isolation +- Web Session Access Mediation +- Process Suspension --- # Detecting Mimikatz Execution Patterns diff --git a/skills/detecting-misconfigured-azure-storage/SKILL.md b/skills/detecting-misconfigured-azure-storage/SKILL.md index 68ef2237..d5ec6c16 100644 --- a/skills/detecting-misconfigured-azure-storage/SKILL.md +++ b/skills/detecting-misconfigured-azure-storage/SKILL.md @@ -1,15 +1,30 @@ --- name: detecting-misconfigured-azure-storage -description: > - Detecting misconfigured Azure Storage accounts including publicly accessible blob containers, - missing encryption settings, overly permissive SAS tokens, disabled logging, and network - access violations using Azure CLI, PowerShell, and Microsoft Defender for Storage. +description: 'Detecting misconfigured Azure Storage accounts including publicly accessible blob containers, missing encryption + settings, overly permissive SAS tokens, disabled logging, and network access violations using Azure CLI, PowerShell, and + Microsoft Defender for Storage. + + ' domain: cybersecurity subdomain: cloud-security -tags: [cloud-security, azure, storage-security, blob-storage, sas-tokens, data-protection] -version: "1.0" +tags: +- cloud-security +- azure +- storage-security +- blob-storage +- sas-tokens +- data-protection +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Detecting Misconfigured Azure Storage diff --git a/skills/detecting-modbus-protocol-anomalies/SKILL.md b/skills/detecting-modbus-protocol-anomalies/SKILL.md index 1c1b53a7..945bc77c 100644 --- a/skills/detecting-modbus-protocol-anomalies/SKILL.md +++ b/skills/detecting-modbus-protocol-anomalies/SKILL.md @@ -1,18 +1,32 @@ --- name: detecting-modbus-protocol-anomalies -description: > - This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications - in industrial control systems. It addresses function code monitoring, register - range validation, timing analysis, unauthorized client detection, and deep packet - inspection for malformed Modbus frames. The skill leverages Zeek with Modbus protocol - analyzers, Suricata IDS with OT rules, and custom Python-based detection using - Markov chain models for normal Modbus transaction sequences. +description: 'This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications in industrial control systems. + It addresses function code monitoring, register range validation, timing analysis, unauthorized client detection, and deep + packet inspection for malformed Modbus frames. The skill leverages Zeek with Modbus protocol analyzers, Suricata IDS with + OT rules, and custom Python-based detection using Markov chain models for normal Modbus transaction sequences. + + ' domain: cybersecurity subdomain: ot-ics-security -tags: [ot-security, ics, scada, industrial-control, iec62443, modbus, protocol-anomaly] +tags: +- ot-security +- ics +- scada +- industrial-control +- iec62443 +- modbus +- protocol-anomaly version: 1.0.0 author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Detecting Modbus Protocol Anomalies diff --git a/skills/detecting-ntlm-relay-with-event-correlation/SKILL.md b/skills/detecting-ntlm-relay-with-event-correlation/SKILL.md index fc960cf9..63082de8 100644 --- a/skills/detecting-ntlm-relay-with-event-correlation/SKILL.md +++ b/skills/detecting-ntlm-relay-with-event-correlation/SKILL.md @@ -1,16 +1,43 @@ --- name: detecting-ntlm-relay-with-event-correlation -description: > - Detect NTLM relay attacks through Windows Security Event correlation by analyzing - Event 4624 LogonType 3 for IP-to-hostname mismatches, identifying Responder/LLMNR - poisoning artifacts, auditing SMB and LDAP signing enforcement across the domain, - and detecting NTLM downgrade attacks from NTLMv2 to NTLMv1 using event log analysis. +description: 'Detect NTLM relay attacks through Windows Security Event correlation by analyzing Event 4624 LogonType 3 for + IP-to-hostname mismatches, identifying Responder/LLMNR poisoning artifacts, auditing SMB and LDAP signing enforcement across + the domain, and detecting NTLM downgrade attacks from NTLMv2 to NTLMv1 using event log analysis. + + ' domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, NTLM-relay, event-correlation, T1557.001, Event-4624, Responder, SMB-signing, LDAP-signing, NTLM-downgrade, PetitPotam, Active-Directory] -version: "1.0" +tags: +- threat-hunting +- NTLM-relay +- event-correlation +- T1557.001 +- Event-4624 +- Responder +- SMB-signing +- LDAP-signing +- NTLM-downgrade +- PetitPotam +- Active-Directory +version: '1.0' author: mukul975 license: Apache-2.0 +atlas_techniques: +- AML.T0051 +- AML.T0054 +- AML.T0056 +- AML.T0020 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Network Traffic Community Deviation +nist_ai_rmf: +- MEASURE-2.7 +- MEASURE-2.5 +- GOVERN-6.1 +- MAP-5.1 --- # Detecting NTLM Relay with Event Correlation diff --git a/skills/detecting-pass-the-hash-attacks/SKILL.md b/skills/detecting-pass-the-hash-attacks/SKILL.md index 3e862775..a2768a44 100644 --- a/skills/detecting-pass-the-hash-attacks/SKILL.md +++ b/skills/detecting-pass-the-hash-attacks/SKILL.md @@ -1,12 +1,25 @@ --- name: detecting-pass-the-hash-attacks -description: Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where Kerberos is expected, and correlating with credential dumping. +description: Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where + Kerberos is expected, and correlating with credential dumping. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, pass-the-hash, credential-access, t1550, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- pass-the-hash +- credential-access +- t1550 +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Token Binding +- Execution Isolation +- Restore Access +- Application Protocol Command Analysis +- Process Termination --- # Detecting Pass The Hash Attacks diff --git a/skills/detecting-pass-the-ticket-attacks/SKILL.md b/skills/detecting-pass-the-ticket-attacks/SKILL.md index 31ac0913..92d48133 100644 --- a/skills/detecting-pass-the-ticket-attacks/SKILL.md +++ b/skills/detecting-pass-the-ticket-attacks/SKILL.md @@ -1,19 +1,26 @@ --- name: detecting-pass-the-ticket-attacks -description: Detect Kerberos Pass-the-Ticket (PtT) attacks by analyzing Windows Event IDs 4768, 4769, and 4771 for anomalous ticket usage patterns in Splunk and Elastic SIEM +description: Detect Kerberos Pass-the-Ticket (PtT) attacks by analyzing Windows Event IDs 4768, 4769, and 4771 for anomalous + ticket usage patterns in Splunk and Elastic SIEM domain: cybersecurity subdomain: threat-detection tags: - - kerberos - - pass-the-ticket - - active-directory - - splunk - - elastic - - credential-theft - - windows-security -version: "1.0" +- kerberos +- pass-the-ticket +- active-directory +- splunk +- elastic +- credential-theft +- windows-security +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Token Binding +- Execution Isolation +- Restore Access +- Application Protocol Command Analysis +- Process Termination --- # Detecting Pass-the-Ticket Attacks diff --git a/skills/detecting-privilege-escalation-attempts/SKILL.md b/skills/detecting-privilege-escalation-attempts/SKILL.md index c536a641..138bdabc 100644 --- a/skills/detecting-privilege-escalation-attempts/SKILL.md +++ b/skills/detecting-privilege-escalation-attempts/SKILL.md @@ -1,12 +1,25 @@ --- name: detecting-privilege-escalation-attempts -description: Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse across Windows and Linux. +description: Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel + exploits, and sudo/doas abuse across Windows and Linux. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, privilege-escalation, token-manipulation, uac-bypass, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- privilege-escalation +- token-manipulation +- uac-bypass +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Token Binding +- Executable Denylisting +- Execution Isolation +- Restore Access +- Reissue Credential --- # Detecting Privilege Escalation Attempts diff --git a/skills/detecting-privilege-escalation-in-kubernetes-pods/SKILL.md b/skills/detecting-privilege-escalation-in-kubernetes-pods/SKILL.md index d3fd9524..eb3850c7 100644 --- a/skills/detecting-privilege-escalation-in-kubernetes-pods/SKILL.md +++ b/skills/detecting-privilege-escalation-in-kubernetes-pods/SKILL.md @@ -1,12 +1,25 @@ --- name: detecting-privilege-escalation-in-kubernetes-pods -description: Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and syscall patterns with Falco and OPA policies. +description: Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and + syscall patterns with Falco and OPA policies. domain: cybersecurity subdomain: container-security -tags: [kubernetes, privilege-escalation, security-context, capabilities, detection, pod-security] -version: "1.0" +tags: +- kubernetes +- privilege-escalation +- security-context +- capabilities +- detection +- pod-security +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Restore Access +- Password Authentication --- # Detecting Privilege Escalation in Kubernetes Pods diff --git a/skills/detecting-process-hollowing-technique/SKILL.md b/skills/detecting-process-hollowing-technique/SKILL.md index d4b3a971..a05baef1 100644 --- a/skills/detecting-process-hollowing-technique/SKILL.md +++ b/skills/detecting-process-hollowing-technique/SKILL.md @@ -1,12 +1,26 @@ --- name: detecting-process-hollowing-technique -description: Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child process anomalies in EDR telemetry. +description: Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child + process anomalies in EDR telemetry. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, process-hollowing, process-injection, edr, t1055, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- process-hollowing +- process-injection +- edr +- t1055 +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Platform Monitoring +- Process Code Segment Verification +- Segment Address Offset Randomization +- Process Analysis +- Application Hardening --- # Detecting Process Hollowing Technique diff --git a/skills/detecting-process-injection-techniques/SKILL.md b/skills/detecting-process-injection-techniques/SKILL.md index 24dfcf82..87904eb8 100644 --- a/skills/detecting-process-injection-techniques/SKILL.md +++ b/skills/detecting-process-injection-techniques/SKILL.md @@ -1,17 +1,28 @@ --- name: detecting-process-injection-techniques -description: > - Detects and analyzes process injection techniques used by malware including classic DLL - injection, process hollowing, APC injection, thread hijacking, and reflective loading. - Uses memory forensics, API monitoring, and behavioral analysis to identify injection - artifacts. Activates for requests involving process injection detection, code injection - analysis, hollowed process investigation, or in-memory threat detection. +description: 'Detects and analyzes process injection techniques used by malware including classic DLL injection, process hollowing, + APC injection, thread hijacking, and reflective loading. Uses memory forensics, API monitoring, and behavioral analysis + to identify injection artifacts. Activates for requests involving process injection detection, code injection analysis, + hollowed process investigation, or in-memory threat detection. + + ' domain: cybersecurity subdomain: malware-analysis -tags: [malware, process-injection, detection, memory-forensics, defense-evasion] +tags: +- malware +- process-injection +- detection +- memory-forensics +- defense-evasion version: 1.0.0 author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Detecting Process Injection Techniques diff --git a/skills/detecting-qr-code-phishing-with-email-security/SKILL.md b/skills/detecting-qr-code-phishing-with-email-security/SKILL.md index 5812eb54..cc8ed4a9 100644 --- a/skills/detecting-qr-code-phishing-with-email-security/SKILL.md +++ b/skills/detecting-qr-code-phishing-with-email-security/SKILL.md @@ -1,12 +1,27 @@ --- name: detecting-qr-code-phishing-with-email-security -description: Detect and prevent QR code phishing (quishing) attacks that bypass traditional email security by embedding malicious URLs in QR code images within emails. +description: Detect and prevent QR code phishing (quishing) attacks that bypass traditional email security by embedding malicious + URLs in QR code images within emails. domain: cybersecurity subdomain: phishing-defense -tags: [quishing, qr-code, phishing, email-security, image-analysis, ocr, mobile-security] -version: "1.0" +tags: +- quishing +- qr-code +- phishing +- email-security +- image-analysis +- ocr +- mobile-security +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0052 +- AML.T0024 +- AML.T0035 +nist_ai_rmf: +- MEASURE-2.8 +- MAP-5.1 --- # Detecting QR Code Phishing with Email Security diff --git a/skills/detecting-service-account-abuse/SKILL.md b/skills/detecting-service-account-abuse/SKILL.md index 120fc967..70da62a4 100644 --- a/skills/detecting-service-account-abuse/SKILL.md +++ b/skills/detecting-service-account-abuse/SKILL.md @@ -1,12 +1,25 @@ --- name: detecting-service-account-abuse -description: Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement, and unauthorized access patterns. +description: Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement, + and unauthorized access patterns. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, service-accounts, privilege-escalation, t1078, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- service-accounts +- privilege-escalation +- t1078 +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Restore Access +- Password Authentication +- Biometric Authentication +- Strong Password Policy +- Restore User Account Access --- # Detecting Service Account Abuse diff --git a/skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md b/skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md index a3175350..c7fec1a9 100644 --- a/skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md +++ b/skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md @@ -1,16 +1,27 @@ --- name: detecting-supply-chain-attacks-in-ci-cd -description: > - Scans GitHub Actions workflows and CI/CD pipeline configurations for supply chain - attack vectors including unpinned actions, script injection via expressions, dependency - confusion, and secrets exposure. Uses PyGithub and YAML parsing for automated audit. - Use when hardening CI/CD pipelines or investigating compromised build systems. +description: 'Scans GitHub Actions workflows and CI/CD pipeline configurations for supply chain attack vectors including unpinned + actions, script injection via expressions, dependency confusion, and secrets exposure. Uses PyGithub and YAML parsing for + automated audit. Use when hardening CI/CD pipelines or investigating compromised build systems. + + ' domain: cybersecurity subdomain: security-operations -tags: [detecting, supply, chain, attacks] -version: "1.0" +tags: +- detecting +- supply +- chain +- attacks +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0010 +- AML.T0104 +nist_ai_rmf: +- GOVERN-5.2 +- MAP-1.6 +- MANAGE-2.2 --- # Detecting Supply Chain Attacks in CI/CD diff --git a/skills/detecting-suspicious-powershell-execution/SKILL.md b/skills/detecting-suspicious-powershell-execution/SKILL.md index 7793d9be..16cd55cd 100644 --- a/skills/detecting-suspicious-powershell-execution/SKILL.md +++ b/skills/detecting-suspicious-powershell-execution/SKILL.md @@ -1,12 +1,26 @@ --- name: detecting-suspicious-powershell-execution -description: Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasion. +description: Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, + and constrained language mode evasion. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, powershell, execution, t1059, amsi, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- powershell +- execution +- t1059 +- amsi +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Detecting Suspicious Powershell Execution diff --git a/skills/detecting-t1003-credential-dumping-with-edr/SKILL.md b/skills/detecting-t1003-credential-dumping-with-edr/SKILL.md index 09aaf124..1c26a1ba 100644 --- a/skills/detecting-t1003-credential-dumping-with-edr/SKILL.md +++ b/skills/detecting-t1003-credential-dumping-with-edr/SKILL.md @@ -1,12 +1,27 @@ --- name: detecting-t1003-credential-dumping-with-edr -description: Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation. +description: Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials + using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, credential-dumping, lsass, mitre-t1003, edr, mimikatz, ntds, sam-database] -version: "1.0" +tags: +- threat-hunting +- credential-dumping +- lsass +- mitre-t1003 +- edr +- mimikatz +- ntds +- sam-database +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Token Binding +- Execution Isolation +- File Metadata Consistency Validation +- Restore Access +- Application Protocol Command Analysis --- # Detecting T1003 Credential Dumping with EDR diff --git a/skills/detecting-t1055-process-injection-with-sysmon/SKILL.md b/skills/detecting-t1055-process-injection-with-sysmon/SKILL.md index 4509965d..3805337d 100644 --- a/skills/detecting-t1055-process-injection-with-sysmon/SKILL.md +++ b/skills/detecting-t1055-process-injection-with-sysmon/SKILL.md @@ -1,12 +1,26 @@ --- name: detecting-t1055-process-injection-with-sysmon -description: Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns. +description: Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection + by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, process-injection, sysmon, mitre-t1055, defense-evasion, dll-injection, process-hollowing] -version: "1.0" +tags: +- threat-hunting +- process-injection +- sysmon +- mitre-t1055 +- defense-evasion +- dll-injection +- process-hollowing +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Detecting T1055 Process Injection with Sysmon diff --git a/skills/detecting-t1548-abuse-elevation-control-mechanism/SKILL.md b/skills/detecting-t1548-abuse-elevation-control-mechanism/SKILL.md index 7d42d760..afcda79c 100644 --- a/skills/detecting-t1548-abuse-elevation-control-mechanism/SKILL.md +++ b/skills/detecting-t1548-abuse-elevation-control-mechanism/SKILL.md @@ -1,12 +1,25 @@ --- name: detecting-t1548-abuse-elevation-control-mechanism -description: Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships. +description: Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation + by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, uac-bypass, privilege-escalation, mitre-t1548, elevation-control, windows-security] -version: "1.0" +tags: +- threat-hunting +- uac-bypass +- privilege-escalation +- mitre-t1548 +- elevation-control +- windows-security +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Restore Access +- Password Authentication --- # Detecting T1548 Abuse Elevation Control Mechanism diff --git a/skills/detecting-wmi-persistence/SKILL.md b/skills/detecting-wmi-persistence/SKILL.md index 22b11d31..604c2272 100644 --- a/skills/detecting-wmi-persistence/SKILL.md +++ b/skills/detecting-wmi-persistence/SKILL.md @@ -1,12 +1,27 @@ --- name: detecting-wmi-persistence -description: Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation. +description: Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, + EventConsumer, and FilterToConsumerBinding creation. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, wmi, persistence, sysmon, t1546.003, mitre-attack, windows, dfir] -version: "1.0" +tags: +- threat-hunting +- wmi +- persistence +- sysmon +- t1546.003 +- mitre-attack +- windows +- dfir +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Platform Monitoring --- # Detecting WMI Persistence diff --git a/skills/executing-active-directory-attack-simulation/SKILL.md b/skills/executing-active-directory-attack-simulation/SKILL.md index 77a1bdb6..30ba0751 100644 --- a/skills/executing-active-directory-attack-simulation/SKILL.md +++ b/skills/executing-active-directory-attack-simulation/SKILL.md @@ -1,19 +1,29 @@ --- name: executing-active-directory-attack-simulation -description: > - Executes authorized attack simulations against Active Directory environments to identify - misconfigurations, weak credentials, dangerous privilege paths, and exploitable trust - relationships that could lead to domain compromise. The tester uses BloodHound for attack - path analysis, Mimikatz for credential extraction, and Impacket for protocol-level attacks - including Kerberoasting, AS-REP Roasting, and delegation abuse. Activates for requests - involving Active Directory pentest, AD attack simulation, domain compromise testing, - or Kerberos attack assessment. +description: 'Executes authorized attack simulations against Active Directory environments to identify misconfigurations, + weak credentials, dangerous privilege paths, and exploitable trust relationships that could lead to domain compromise. The + tester uses BloodHound for attack path analysis, Mimikatz for credential extraction, and Impacket for protocol-level attacks + including Kerberoasting, AS-REP Roasting, and delegation abuse. Activates for requests involving Active Directory pentest, + AD attack simulation, domain compromise testing, or Kerberos attack assessment. + + ' domain: cybersecurity subdomain: penetration-testing -tags: [Active-Directory, BloodHound, Mimikatz, Kerberoasting, domain-compromise] +tags: +- Active-Directory +- BloodHound +- Mimikatz +- Kerberoasting +- domain-compromise version: 1.0.0 author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Network Traffic Community Deviation --- # Executing Active Directory Attack Simulation diff --git a/skills/executing-red-team-exercise/SKILL.md b/skills/executing-red-team-exercise/SKILL.md index 39d8693f..cbd75230 100644 --- a/skills/executing-red-team-exercise/SKILL.md +++ b/skills/executing-red-team-exercise/SKILL.md @@ -1,19 +1,30 @@ --- name: executing-red-team-exercise -description: > - Executes comprehensive red team exercises that simulate real-world adversary operations - against an organization's people, processes, and technology. The red team operates with - stealth as a primary objective, employing the full attack lifecycle from initial reconnaissance - through objective completion while testing the organization's detection and response - capabilities. This differs from penetration testing by focusing on adversary emulation - rather than vulnerability identification. Activates for requests involving red team exercise, - adversary simulation, adversary emulation, or full-scope offensive security assessment. +description: 'Executes comprehensive red team exercises that simulate real-world adversary operations against an organization''s + people, processes, and technology. The red team operates with stealth as a primary objective, employing the full attack + lifecycle from initial reconnaissance through objective completion while testing the organization''s detection and response + capabilities. This differs from penetration testing by focusing on adversary emulation rather than vulnerability identification. + Activates for requests involving red team exercise, adversary simulation, adversary emulation, or full-scope offensive security + assessment. + + ' domain: cybersecurity subdomain: penetration-testing -tags: [red-team, adversary-emulation, MITRE-ATT&CK, Cobalt-Strike, detection-assessment] +tags: +- red-team +- adversary-emulation +- MITRE-ATT&CK +- Cobalt-Strike +- detection-assessment version: 1.0.0 author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- # Executing Red Team Exercise diff --git a/skills/exploiting-active-directory-certificate-services-esc1/SKILL.md b/skills/exploiting-active-directory-certificate-services-esc1/SKILL.md index ff078f57..2aae2f54 100644 --- a/skills/exploiting-active-directory-certificate-services-esc1/SKILL.md +++ b/skills/exploiting-active-directory-certificate-services-esc1/SKILL.md @@ -1,12 +1,26 @@ --- name: exploiting-active-directory-certificate-services-esc1 -description: Exploit misconfigured Active Directory Certificate Services (AD CS) ESC1 vulnerability to request certificates as high-privileged users and escalate domain privileges during authorized red team assessments. +description: Exploit misconfigured Active Directory Certificate Services (AD CS) ESC1 vulnerability to request certificates + as high-privileged users and escalate domain privileges during authorized red team assessments. domain: cybersecurity subdomain: red-teaming -tags: [red-team, active-directory, ad-cs, esc1, certificate-abuse, privilege-escalation, domain-escalation] -version: "1.0" +tags: +- red-team +- active-directory +- ad-cs +- esc1 +- certificate-abuse +- privilege-escalation +- domain-escalation +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Certificate Analysis +- Content Format Conversion +- File Content Analysis +- Platform Hardening --- # Exploiting Active Directory Certificate Services ESC1 diff --git a/skills/exploiting-active-directory-with-bloodhound/SKILL.md b/skills/exploiting-active-directory-with-bloodhound/SKILL.md index 01971817..42511b21 100644 --- a/skills/exploiting-active-directory-with-bloodhound/SKILL.md +++ b/skills/exploiting-active-directory-with-bloodhound/SKILL.md @@ -1,12 +1,26 @@ --- name: exploiting-active-directory-with-bloodhound -description: BloodHound is a graph-based Active Directory reconnaissance tool that uses graph theory to reveal hidden and unintended relationships within AD environments. Red teams use BloodHound to identify attac +description: BloodHound is a graph-based Active Directory reconnaissance tool that uses graph theory to reveal hidden and + unintended relationships within AD environments. Red teams use BloodHound to identify attac domain: cybersecurity subdomain: red-teaming -tags: [red-team, adversary-simulation, mitre-attack, exploitation, post-exploitation, active-directory, bloodhound] -version: "1.0" +tags: +- red-team +- adversary-simulation +- mitre-attack +- exploitation +- post-exploitation +- active-directory +- bloodhound +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Restore Access +- Password Authentication +- Biometric Authentication +- Strong Password Policy +- Restore User Account Access --- # Exploiting Active Directory with BloodHound diff --git a/skills/exploiting-constrained-delegation-abuse/SKILL.md b/skills/exploiting-constrained-delegation-abuse/SKILL.md index 910a0541..418c34ac 100644 --- a/skills/exploiting-constrained-delegation-abuse/SKILL.md +++ b/skills/exploiting-constrained-delegation-abuse/SKILL.md @@ -1,12 +1,26 @@ --- name: exploiting-constrained-delegation-abuse -description: Exploit Kerberos Constrained Delegation misconfigurations in Active Directory to impersonate privileged users via S4U2self and S4U2proxy extensions for lateral movement and privilege escalation. +description: Exploit Kerberos Constrained Delegation misconfigurations in Active Directory to impersonate privileged users + via S4U2self and S4U2proxy extensions for lateral movement and privilege escalation. domain: cybersecurity subdomain: red-teaming -tags: [red-team, active-directory, kerberos, constrained-delegation, s4u2proxy, privilege-escalation, lateral-movement] -version: "1.0" +tags: +- red-team +- active-directory +- kerberos +- constrained-delegation +- s4u2proxy +- privilege-escalation +- lateral-movement +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Network Traffic Community Deviation --- # Exploiting Constrained Delegation Abuse diff --git a/skills/exploiting-insecure-data-storage-in-mobile/SKILL.md b/skills/exploiting-insecure-data-storage-in-mobile/SKILL.md index b142b651..930b6e3d 100644 --- a/skills/exploiting-insecure-data-storage-in-mobile/SKILL.md +++ b/skills/exploiting-insecure-data-storage-in-mobile/SKILL.md @@ -1,18 +1,32 @@ --- name: exploiting-insecure-data-storage-in-mobile -description: > - Identifies and exploits insecure local data storage vulnerabilities in Android and iOS mobile - applications including unencrypted databases, world-readable files, insecure SharedPreferences, - plaintext credential storage, and improper keychain/keystore usage. Use when performing mobile - penetration testing focused on OWASP M9 (Insecure Data Storage) or assessing compliance with - MASVS-STORAGE requirements. Activates for requests involving mobile data storage security, - local storage exploitation, SharedPreferences analysis, or mobile data leakage assessment. +description: 'Identifies and exploits insecure local data storage vulnerabilities in Android and iOS mobile applications including + unencrypted databases, world-readable files, insecure SharedPreferences, plaintext credential storage, and improper keychain/keystore + usage. Use when performing mobile penetration testing focused on OWASP M9 (Insecure Data Storage) or assessing compliance + with MASVS-STORAGE requirements. Activates for requests involving mobile data storage security, local storage exploitation, + SharedPreferences analysis, or mobile data leakage assessment. + + ' domain: cybersecurity subdomain: mobile-security author: mahipal -tags: [mobile-security, android, ios, data-storage, owasp-mobile, penetration-testing] +tags: +- mobile-security +- android +- ios +- data-storage +- owasp-mobile +- penetration-testing version: 1.0.0 license: Apache-2.0 +atlas_techniques: +- AML.T0057 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +- GOVERN-1.1 +- GOVERN-4.2 --- # Exploiting Insecure Data Storage in Mobile diff --git a/skills/exploiting-kerberoasting-with-impacket/SKILL.md b/skills/exploiting-kerberoasting-with-impacket/SKILL.md index 68b8caf8..85569a21 100644 --- a/skills/exploiting-kerberoasting-with-impacket/SKILL.md +++ b/skills/exploiting-kerberoasting-with-impacket/SKILL.md @@ -1,12 +1,26 @@ --- name: exploiting-kerberoasting-with-impacket -description: Perform Kerberoasting attacks using Impacket's GetUserSPNs to extract and crack Kerberos TGS tickets for Active Directory service accounts. +description: Perform Kerberoasting attacks using Impacket's GetUserSPNs to extract and crack Kerberos TGS tickets for Active + Directory service accounts. domain: cybersecurity subdomain: red-teaming -tags: [kerberoasting, impacket, active-directory, credential-access, kerberos, t1558-003, service-accounts] -version: "1.0" +tags: +- kerberoasting +- impacket +- active-directory +- credential-access +- kerberos +- t1558-003 +- service-accounts +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Network Traffic Community Deviation --- # Exploiting Kerberoasting with Impacket diff --git a/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md b/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md index d411b9b5..f2df1ccf 100644 --- a/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md +++ b/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md @@ -1,12 +1,27 @@ --- name: exploiting-ms17-010-eternalblue-vulnerability -description: MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it +description: MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code + execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it domain: cybersecurity subdomain: red-teaming -tags: [red-team, adversary-simulation, mitre-attack, exploitation, post-exploitation, eternalblue, smb, remote-code-execution] -version: "1.0" +tags: +- red-team +- adversary-simulation +- mitre-attack +- exploitation +- post-exploitation +- eternalblue +- smb +- remote-code-execution +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Platform Monitoring --- # Exploiting MS17-010 EternalBlue Vulnerability diff --git a/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md b/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md index 89d4c1f7..08e81af4 100644 --- a/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md +++ b/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md @@ -1,12 +1,26 @@ --- name: exploiting-nopac-cve-2021-42278-42287 -description: Exploit the noPac vulnerability chain (CVE-2021-42278 sAMAccountName spoofing and CVE-2021-42287 KDC PAC confusion) to escalate from standard domain user to Domain Admin in Active Directory environments. +description: Exploit the noPac vulnerability chain (CVE-2021-42278 sAMAccountName spoofing and CVE-2021-42287 KDC PAC confusion) + to escalate from standard domain user to Domain Admin in Active Directory environments. domain: cybersecurity subdomain: red-teaming -tags: [red-team, active-directory, nopac, cve-2021-42278, cve-2021-42287, privilege-escalation, domain-escalation] -version: "1.0" +tags: +- red-team +- active-directory +- nopac +- cve-2021-42278 +- cve-2021-42287 +- privilege-escalation +- domain-escalation +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Platform Monitoring +- Process Code Segment Verification +- Stack Frame Canary Validation +- Segment Address Offset Randomization +- Process Analysis --- # Exploiting noPac (CVE-2021-42278 / CVE-2021-42287) diff --git a/skills/exploiting-zerologon-vulnerability-cve-2020-1472/SKILL.md b/skills/exploiting-zerologon-vulnerability-cve-2020-1472/SKILL.md index 4c20d82c..b56b062c 100644 --- a/skills/exploiting-zerologon-vulnerability-cve-2020-1472/SKILL.md +++ b/skills/exploiting-zerologon-vulnerability-cve-2020-1472/SKILL.md @@ -1,12 +1,26 @@ --- name: exploiting-zerologon-vulnerability-cve-2020-1472 -description: Exploit the Zerologon vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol to achieve domain controller compromise by resetting the machine account password to empty. +description: Exploit the Zerologon vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol to achieve domain controller + compromise by resetting the machine account password to empty. domain: cybersecurity subdomain: red-teaming -tags: [zerologon, cve-2020-1472, netlogon, domain-controller, privilege-escalation, active-directory, ms-nrpc] -version: "1.0" +tags: +- zerologon +- cve-2020-1472 +- netlogon +- domain-controller +- privilege-escalation +- active-directory +- ms-nrpc +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Platform Monitoring +- Process Code Segment Verification +- Stack Frame Canary Validation +- Segment Address Offset Randomization +- Process Analysis --- # Exploiting Zerologon Vulnerability (CVE-2020-1472) diff --git a/skills/extracting-config-from-agent-tesla-rat/SKILL.md b/skills/extracting-config-from-agent-tesla-rat/SKILL.md index 313129c2..4e6a953a 100644 --- a/skills/extracting-config-from-agent-tesla-rat/SKILL.md +++ b/skills/extracting-config-from-agent-tesla-rat/SKILL.md @@ -1,12 +1,28 @@ --- name: extracting-config-from-agent-tesla-rat -description: Extract embedded configuration from Agent Tesla RAT samples including SMTP/FTP/Telegram exfiltration credentials, keylogger settings, and C2 endpoints using .NET decompilation and memory analysis. +description: Extract embedded configuration from Agent Tesla RAT samples including SMTP/FTP/Telegram exfiltration credentials, + keylogger settings, and C2 endpoints using .NET decompilation and memory analysis. domain: cybersecurity subdomain: malware-analysis -tags: [agent-tesla, rat, config-extraction, dotnet, malware-analysis, keylogger, credential-theft] -version: "1.0" +tags: +- agent-tesla +- rat +- config-extraction +- dotnet +- malware-analysis +- keylogger +- credential-theft +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0024 +- AML.T0056 +- AML.T0086 +nist_ai_rmf: +- GOVERN-1.1 +- MEASURE-2.7 +- MANAGE-3.1 --- # Extracting Config from Agent Tesla RAT diff --git a/skills/hunting-advanced-persistent-threats/SKILL.md b/skills/hunting-advanced-persistent-threats/SKILL.md index 8c6b1097..07887217 100644 --- a/skills/hunting-advanced-persistent-threats/SKILL.md +++ b/skills/hunting-advanced-persistent-threats/SKILL.md @@ -1,17 +1,32 @@ --- name: hunting-advanced-persistent-threats -description: > - Proactively hunts for Advanced Persistent Threat (APT) activity within enterprise environments - using hypothesis-driven searches across endpoint telemetry, network logs, and memory artifacts. - Use when conducting scheduled threat hunting cycles, investigating anomalous behavior flagged by - UEBA, or validating that known APT TTPs are not present in the environment. Activates for requests - involving MITRE ATT&CK, Velociraptor, osquery, Zeek, or threat hunting playbooks. +description: 'Proactively hunts for Advanced Persistent Threat (APT) activity within enterprise environments using hypothesis-driven + searches across endpoint telemetry, network logs, and memory artifacts. Use when conducting scheduled threat hunting cycles, + investigating anomalous behavior flagged by UEBA, or validating that known APT TTPs are not present in the environment. + Activates for requests involving MITRE ATT&CK, Velociraptor, osquery, Zeek, or threat hunting playbooks. + + ' domain: cybersecurity subdomain: threat-intelligence -tags: [MITRE-ATT&CK, threat-hunting, APT, Velociraptor, osquery, Zeek, TTP, NIST-CSF, EDR] +tags: +- MITRE-ATT&CK +- threat-hunting +- APT +- Velociraptor +- osquery +- Zeek +- TTP +- NIST-CSF +- EDR version: 1.0.0 author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- # Hunting Advanced Persistent Threats diff --git a/skills/hunting-for-beaconing-with-frequency-analysis/SKILL.md b/skills/hunting-for-beaconing-with-frequency-analysis/SKILL.md index 0eb8b835..a4a114bc 100644 --- a/skills/hunting-for-beaconing-with-frequency-analysis/SKILL.md +++ b/skills/hunting-for-beaconing-with-frequency-analysis/SKILL.md @@ -1,12 +1,27 @@ --- name: hunting-for-beaconing-with-frequency-analysis -description: Identify command-and-control beaconing patterns in network traffic by applying statistical frequency analysis, jitter calculation, and coefficient of variation scoring to detect periodic callbacks from compromised endpoints. +description: Identify command-and-control beaconing patterns in network traffic by applying statistical frequency analysis, + jitter calculation, and coefficient of variation scoring to detect periodic callbacks from compromised endpoints. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, beaconing, c2-detection, frequency-analysis, network-traffic, RITA, jitter-detection, mitre-t1071] -version: "1.0" +tags: +- threat-hunting +- beaconing +- c2-detection +- frequency-analysis +- network-traffic +- RITA +- jitter-detection +- mitre-t1071 +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Certificate Analysis +- Application Protocol Command Analysis +- Content Format Conversion +- File Content Analysis --- # Hunting for Beaconing with Frequency Analysis diff --git a/skills/hunting-for-command-and-control-beaconing/SKILL.md b/skills/hunting-for-command-and-control-beaconing/SKILL.md index 70acf7c0..b4b84838 100644 --- a/skills/hunting-for-command-and-control-beaconing/SKILL.md +++ b/skills/hunting-for-command-and-control-beaconing/SKILL.md @@ -1,12 +1,25 @@ --- name: hunting-for-command-and-control-beaconing -description: Detect C2 beaconing patterns in network traffic using frequency analysis, jitter detection, and domain reputation to identify compromised endpoints communicating with adversary infrastructure. +description: Detect C2 beaconing patterns in network traffic using frequency analysis, jitter detection, and domain reputation + to identify compromised endpoints communicating with adversary infrastructure. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, c2, beaconing, network-analysis, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- c2 +- beaconing +- network-analysis +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Certificate Analysis +- Application Protocol Command Analysis +- Content Format Conversion +- File Content Analysis --- # Hunting for Command and Control Beaconing diff --git a/skills/hunting-for-data-exfiltration-indicators/SKILL.md b/skills/hunting-for-data-exfiltration-indicators/SKILL.md index b3391661..ec9892aa 100644 --- a/skills/hunting-for-data-exfiltration-indicators/SKILL.md +++ b/skills/hunting-for-data-exfiltration-indicators/SKILL.md @@ -1,12 +1,32 @@ --- name: hunting-for-data-exfiltration-indicators -description: Hunt for data exfiltration through network traffic analysis, detecting unusual data flows, DNS tunneling, cloud storage uploads, and encrypted channel abuse. +description: Hunt for data exfiltration through network traffic analysis, detecting unusual data flows, DNS tunneling, cloud + storage uploads, and encrypted channel abuse. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, data-exfiltration, dlp, network-analysis, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- data-exfiltration +- dlp +- network-analysis +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0024 +- AML.T0056 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +d3fend_techniques: +- File Metadata Consistency Validation +- Certificate Analysis +- Application Protocol Command Analysis +- Content Format Conversion +- File Content Analysis --- # Hunting for Data Exfiltration Indicators diff --git a/skills/hunting-for-data-staging-before-exfiltration/SKILL.md b/skills/hunting-for-data-staging-before-exfiltration/SKILL.md index 52280f74..8d82429d 100644 --- a/skills/hunting-for-data-staging-before-exfiltration/SKILL.md +++ b/skills/hunting-for-data-staging-before-exfiltration/SKILL.md @@ -1,12 +1,26 @@ --- name: hunting-for-data-staging-before-exfiltration -description: Detect data staging activity before exfiltration by monitoring for archive creation with 7-Zip/RAR, unusual temp folder access, large file consolidation, and staging directory patterns via EDR and process telemetry +description: Detect data staging activity before exfiltration by monitoring for archive creation with 7-Zip/RAR, unusual temp + folder access, large file consolidation, and staging directory patterns via EDR and process telemetry domain: cybersecurity subdomain: threat-hunting -tags: [data-staging, exfiltration, t1074, archive-detection, edr, threat-hunting, dlp] -version: "1.0" +tags: +- data-staging +- exfiltration +- t1074 +- archive-detection +- edr +- threat-hunting +- dlp +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis +- Platform Hardening +- File Format Verification --- # Hunting for Data Staging Before Exfiltration diff --git a/skills/hunting-for-dcom-lateral-movement/SKILL.md b/skills/hunting-for-dcom-lateral-movement/SKILL.md index 16bcbc62..354511a3 100644 --- a/skills/hunting-for-dcom-lateral-movement/SKILL.md +++ b/skills/hunting-for-dcom-lateral-movement/SKILL.md @@ -1,16 +1,33 @@ --- name: hunting-for-dcom-lateral-movement -description: > - Hunt for DCOM-based lateral movement by detecting abuse of MMC20.Application, - ShellBrowserWindow, and ShellWindows COM objects through Sysmon Event ID 1 (process - creation) and Event ID 3 (network connection) correlation, WMI event analysis, RPC - endpoint mapper traffic on port 135, and DCOM-specific parent-child process relationships. +description: 'Hunt for DCOM-based lateral movement by detecting abuse of MMC20.Application, ShellBrowserWindow, and ShellWindows + COM objects through Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) correlation, WMI event analysis, + RPC endpoint mapper traffic on port 135, and DCOM-specific parent-child process relationships. + + ' domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, DCOM, lateral-movement, T1021.003, Sysmon, MMC20, ShellWindows, ShellBrowserWindow, COM-objects, WMI, RPC] -version: "1.0" +tags: +- threat-hunting +- DCOM +- lateral-movement +- T1021.003 +- Sysmon +- MMC20 +- ShellWindows +- ShellBrowserWindow +- COM-objects +- WMI +- RPC +version: '1.0' author: mukul975 license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Network Traffic Community Deviation --- # Hunting for DCOM Lateral Movement diff --git a/skills/hunting-for-dcsync-attacks/SKILL.md b/skills/hunting-for-dcsync-attacks/SKILL.md index f8f4a063..5db6c69c 100644 --- a/skills/hunting-for-dcsync-attacks/SKILL.md +++ b/skills/hunting-for-dcsync-attacks/SKILL.md @@ -1,12 +1,27 @@ --- name: hunting-for-dcsync-attacks -description: Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests from non-domain-controller accounts. +description: Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests + from non-domain-controller accounts. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, dcsync, active-directory, credential-access, t1003.006, mimikatz, windows, dfir] -version: "1.0" +tags: +- threat-hunting +- dcsync +- active-directory +- credential-access +- t1003.006 +- mimikatz +- windows +- dfir +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Platform Monitoring --- # Hunting for DCSync Attacks diff --git a/skills/hunting-for-defense-evasion-via-timestomping/SKILL.md b/skills/hunting-for-defense-evasion-via-timestomping/SKILL.md index ea9768dd..a64a15a5 100644 --- a/skills/hunting-for-defense-evasion-via-timestomping/SKILL.md +++ b/skills/hunting-for-defense-evasion-via-timestomping/SKILL.md @@ -1,16 +1,26 @@ --- name: hunting-for-defense-evasion-via-timestomping -description: > - Detect NTFS timestamp manipulation (MITRE T1070.006) by comparing - $STANDARD_INFORMATION vs $FILE_NAME timestamps in the MFT. Uses - analyzeMFT and Python to identify files with anomalous temporal - patterns indicating anti-forensic timestomping activity. +description: 'Detect NTFS timestamp manipulation (MITRE T1070.006) by comparing $STANDARD_INFORMATION vs $FILE_NAME timestamps + in the MFT. Uses analyzeMFT and Python to identify files with anomalous temporal patterns indicating anti-forensic timestomping + activity. + + ' domain: cybersecurity subdomain: threat-hunting -tags: [timestomping, ntfs-forensics, mft-analysis, defense-evasion] -version: "1.0" +tags: +- timestomping +- ntfs-forensics +- mft-analysis +- defense-evasion +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis +- Platform Hardening +- File Format Verification --- # Hunting for Defense Evasion via Timestomping diff --git a/skills/hunting-for-dns-tunneling-with-zeek/SKILL.md b/skills/hunting-for-dns-tunneling-with-zeek/SKILL.md index 31a89b1c..96f9d309 100644 --- a/skills/hunting-for-dns-tunneling-with-zeek/SKILL.md +++ b/skills/hunting-for-dns-tunneling-with-zeek/SKILL.md @@ -1,12 +1,26 @@ --- name: hunting-for-dns-tunneling-with-zeek -description: Detect DNS tunneling and data exfiltration by analyzing Zeek dns.log for high-entropy subdomain queries, excessive query volume, long query lengths, and unusual DNS record types indicating covert channel communication. +description: Detect DNS tunneling and data exfiltration by analyzing Zeek dns.log for high-entropy subdomain queries, excessive + query volume, long query lengths, and unusual DNS record types indicating covert channel communication. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, dns-tunneling, zeek, data-exfiltration, covert-channel, mitre-t1071-004, network-monitoring] -version: "1.0" +tags: +- threat-hunting +- dns-tunneling +- zeek +- data-exfiltration +- covert-channel +- mitre-t1071-004 +- network-monitoring +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- DNS Traffic Analysis --- # Hunting for DNS Tunneling with Zeek diff --git a/skills/hunting-for-domain-fronting-c2-traffic/SKILL.md b/skills/hunting-for-domain-fronting-c2-traffic/SKILL.md index 558b3c20..cb012ebd 100644 --- a/skills/hunting-for-domain-fronting-c2-traffic/SKILL.md +++ b/skills/hunting-for-domain-fronting-c2-traffic/SKILL.md @@ -1,19 +1,26 @@ --- name: hunting-for-domain-fronting-c2-traffic -description: Detect domain fronting C2 traffic by analyzing SNI vs HTTP Host header mismatches in proxy logs and TLS certificate discrepancies using pyOpenSSL for certificate inspection +description: Detect domain fronting C2 traffic by analyzing SNI vs HTTP Host header mismatches in proxy logs and TLS certificate + discrepancies using pyOpenSSL for certificate inspection domain: cybersecurity subdomain: threat-hunting tags: - - domain-fronting - - c2-detection - - tls-inspection - - proxy-logs - - pyopenssl - - threat-hunting - - network-security -version: "1.0" +- domain-fronting +- c2-detection +- tls-inspection +- proxy-logs +- pyopenssl +- threat-hunting +- network-security +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Network Traffic Community Deviation --- # Hunting for Domain Fronting C2 Traffic diff --git a/skills/hunting-for-living-off-the-cloud-techniques/SKILL.md b/skills/hunting-for-living-off-the-cloud-techniques/SKILL.md index aaa43eb6..f53f8ad0 100644 --- a/skills/hunting-for-living-off-the-cloud-techniques/SKILL.md +++ b/skills/hunting-for-living-off-the-cloud-techniques/SKILL.md @@ -1,12 +1,26 @@ --- name: hunting-for-living-off-the-cloud-techniques -description: Hunt for adversary abuse of legitimate cloud services for C2, data staging, and exfiltration including abuse of Azure, AWS, GCP services, and SaaS platforms. +description: Hunt for adversary abuse of legitimate cloud services for C2, data staging, and exfiltration including abuse + of Azure, AWS, GCP services, and SaaS platforms. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, cloud-abuse, c2, lotc, saas, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- cloud-abuse +- c2 +- lotc +- saas +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Network Traffic Community Deviation --- # Hunting For Living Off The Cloud Techniques diff --git a/skills/hunting-for-living-off-the-land-binaries/SKILL.md b/skills/hunting-for-living-off-the-land-binaries/SKILL.md index a5928348..8110c97b 100644 --- a/skills/hunting-for-living-off-the-land-binaries/SKILL.md +++ b/skills/hunting-for-living-off-the-land-binaries/SKILL.md @@ -1,12 +1,26 @@ --- name: hunting-for-living-off-the-land-binaries -description: Proactively hunt for adversary abuse of legitimate system binaries (LOLBins) to execute malicious payloads while evading detection. +description: Proactively hunt for adversary abuse of legitimate system binaries (LOLBins) to execute malicious payloads while + evading detection. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, lolbins, edr, siem, proactive-detection, defense-evasion] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- lolbins +- edr +- siem +- proactive-detection +- defense-evasion +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Content Format Conversion --- # Hunting for Living-off-the-Land Binaries (LOLBins) diff --git a/skills/hunting-for-lolbins-execution-in-endpoint-logs/SKILL.md b/skills/hunting-for-lolbins-execution-in-endpoint-logs/SKILL.md index 93052333..860fdb9e 100644 --- a/skills/hunting-for-lolbins-execution-in-endpoint-logs/SKILL.md +++ b/skills/hunting-for-lolbins-execution-in-endpoint-logs/SKILL.md @@ -1,12 +1,26 @@ --- name: hunting-for-lolbins-execution-in-endpoint-logs -description: Hunt for adversary abuse of Living Off the Land Binaries (LOLBins) by analyzing endpoint process creation logs for suspicious execution patterns of legitimate Windows system binaries used for malicious purposes. +description: Hunt for adversary abuse of Living Off the Land Binaries (LOLBins) by analyzing endpoint process creation logs + for suspicious execution patterns of legitimate Windows system binaries used for malicious purposes. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, lolbins, living-off-the-land, endpoint-detection, process-monitoring, mitre-t1218, defense-evasion] -version: "1.0" +tags: +- threat-hunting +- lolbins +- living-off-the-land +- endpoint-detection +- process-monitoring +- mitre-t1218 +- defense-evasion +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Content Format Conversion --- # Hunting for LOLBins Execution in Endpoint Logs diff --git a/skills/hunting-for-ntlm-relay-attacks/SKILL.md b/skills/hunting-for-ntlm-relay-attacks/SKILL.md index fcb2abb1..a19e997c 100644 --- a/skills/hunting-for-ntlm-relay-attacks/SKILL.md +++ b/skills/hunting-for-ntlm-relay-attacks/SKILL.md @@ -1,12 +1,29 @@ --- name: hunting-for-ntlm-relay-attacks -description: Detect NTLM relay attacks by analyzing Windows Event 4624 logon type 3 with NTLMSSP authentication, identifying IP-to-hostname mismatches, Responder traffic signatures, SMB signing status, and suspicious authentication patterns across the domain. +description: Detect NTLM relay attacks by analyzing Windows Event 4624 logon type 3 with NTLMSSP authentication, identifying + IP-to-hostname mismatches, Responder traffic signatures, SMB signing status, and suspicious authentication patterns across + the domain. domain: cybersecurity subdomain: threat-hunting -tags: [NTLM-relay, Windows-events, Event-4624, NTLMSSP, Responder, SMB-signing, credential-access, T1557.001, Active-Directory] -version: "1.0" +tags: +- NTLM-relay +- Windows-events +- Event-4624 +- NTLMSSP +- Responder +- SMB-signing +- credential-access +- T1557.001 +- Active-Directory +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Network Traffic Community Deviation --- # Hunting for NTLM Relay Attacks diff --git a/skills/hunting-for-persistence-mechanisms-in-windows/SKILL.md b/skills/hunting-for-persistence-mechanisms-in-windows/SKILL.md index e15b482a..2522ca0a 100644 --- a/skills/hunting-for-persistence-mechanisms-in-windows/SKILL.md +++ b/skills/hunting-for-persistence-mechanisms-in-windows/SKILL.md @@ -1,12 +1,26 @@ --- name: hunting-for-persistence-mechanisms-in-windows -description: Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services, startup folders, and WMI subscriptions. +description: Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services, + startup folders, and WMI subscriptions. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, persistence, windows, registry, siem, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- persistence +- windows +- registry +- siem +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Hunting for Persistence Mechanisms in Windows diff --git a/skills/hunting-for-persistence-via-wmi-subscriptions/SKILL.md b/skills/hunting-for-persistence-via-wmi-subscriptions/SKILL.md index 5e6486d6..252a0280 100644 --- a/skills/hunting-for-persistence-via-wmi-subscriptions/SKILL.md +++ b/skills/hunting-for-persistence-via-wmi-subscriptions/SKILL.md @@ -1,12 +1,25 @@ --- name: hunting-for-persistence-via-wmi-subscriptions -description: Hunt for adversary persistence through Windows Management Instrumentation event subscriptions by monitoring WMI consumer, filter, and binding creation events that execute malicious code triggered by system events. +description: Hunt for adversary persistence through Windows Management Instrumentation event subscriptions by monitoring WMI + consumer, filter, and binding creation events that execute malicious code triggered by system events. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, wmi-persistence, mitre-t1546-003, event-subscription, windows, endpoint-detection] -version: "1.0" +tags: +- threat-hunting +- wmi-persistence +- mitre-t1546-003 +- event-subscription +- windows +- endpoint-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Platform Monitoring --- # Hunting for Persistence via WMI Subscriptions diff --git a/skills/hunting-for-process-injection-techniques/SKILL.md b/skills/hunting-for-process-injection-techniques/SKILL.md index c60c4151..6d7a937e 100644 --- a/skills/hunting-for-process-injection-techniques/SKILL.md +++ b/skills/hunting-for-process-injection-techniques/SKILL.md @@ -1,12 +1,26 @@ --- name: hunting-for-process-injection-techniques -description: Detect process injection techniques (T1055) including CreateRemoteThread, process hollowing, and DLL injection via Sysmon Event IDs 8 and 10 and EDR process telemetry +description: Detect process injection techniques (T1055) including CreateRemoteThread, process hollowing, and DLL injection + via Sysmon Event IDs 8 and 10 and EDR process telemetry domain: cybersecurity subdomain: threat-hunting -tags: [process-injection, t1055, sysmon, createremotethread, dll-injection, edr, threat-hunting] -version: "1.0" +tags: +- process-injection +- t1055 +- sysmon +- createremotethread +- dll-injection +- edr +- threat-hunting +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Hunting for Process Injection Techniques diff --git a/skills/hunting-for-registry-persistence-mechanisms/SKILL.md b/skills/hunting-for-registry-persistence-mechanisms/SKILL.md index 0152fbbd..aed5b7a5 100644 --- a/skills/hunting-for-registry-persistence-mechanisms/SKILL.md +++ b/skills/hunting-for-registry-persistence-mechanisms/SKILL.md @@ -1,12 +1,26 @@ --- name: hunting-for-registry-persistence-mechanisms -description: Hunt for registry-based persistence mechanisms including Run keys, Winlogon modifications, IFEO injection, and COM hijacking in Windows environments. +description: Hunt for registry-based persistence mechanisms including Run keys, Winlogon modifications, IFEO injection, and + COM hijacking in Windows environments. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, registry, persistence, windows, t1547, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- registry +- persistence +- windows +- t1547 +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Hunting For Registry Persistence Mechanisms diff --git a/skills/hunting-for-registry-run-key-persistence/SKILL.md b/skills/hunting-for-registry-run-key-persistence/SKILL.md index c9832e5b..61d6dc6a 100644 --- a/skills/hunting-for-registry-run-key-persistence/SKILL.md +++ b/skills/hunting-for-registry-run-key-persistence/SKILL.md @@ -1,12 +1,26 @@ --- name: hunting-for-registry-run-key-persistence -description: Detect MITRE ATT&CK T1547.001 registry Run key persistence by analyzing Sysmon Event ID 13 logs and registry queries to identify malicious auto-start entries. +description: Detect MITRE ATT&CK T1547.001 registry Run key persistence by analyzing Sysmon Event ID 13 logs and registry + queries to identify malicious auto-start entries. domain: cybersecurity subdomain: threat-hunting -tags: [persistence, registry-run-keys, t1547-001, sysmon, threat-hunting, windows-forensics, mitre-attack] -version: "1.0" +tags: +- persistence +- registry-run-keys +- t1547-001 +- sysmon +- threat-hunting +- windows-forensics +- mitre-attack +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Hunting for Registry Run Key Persistence diff --git a/skills/hunting-for-scheduled-task-persistence/SKILL.md b/skills/hunting-for-scheduled-task-persistence/SKILL.md index bf07d5dd..b8eee973 100644 --- a/skills/hunting-for-scheduled-task-persistence/SKILL.md +++ b/skills/hunting-for-scheduled-task-persistence/SKILL.md @@ -1,12 +1,25 @@ --- name: hunting-for-scheduled-task-persistence -description: Hunt for adversary persistence via Windows Scheduled Tasks by analyzing task creation events, suspicious task actions, and unusual scheduling patterns. +description: Hunt for adversary persistence via Windows Scheduled Tasks by analyzing task creation events, suspicious task + actions, and unusual scheduling patterns. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, scheduled-tasks, persistence, t1053, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- scheduled-tasks +- persistence +- t1053 +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Execution Isolation +- Process Termination +- Hardware-based Process Isolation +- Platform Monitoring +- Process Suspension --- # Hunting For Scheduled Task Persistence diff --git a/skills/hunting-for-shadow-copy-deletion/SKILL.md b/skills/hunting-for-shadow-copy-deletion/SKILL.md index d55e149f..0ff7b366 100644 --- a/skills/hunting-for-shadow-copy-deletion/SKILL.md +++ b/skills/hunting-for-shadow-copy-deletion/SKILL.md @@ -1,12 +1,26 @@ --- name: hunting-for-shadow-copy-deletion -description: Hunt for Volume Shadow Copy deletion activity that indicates ransomware preparation or anti-forensics by monitoring vssadmin, wmic, and PowerShell shadow copy commands. +description: Hunt for Volume Shadow Copy deletion activity that indicates ransomware preparation or anti-forensics by monitoring + vssadmin, wmic, and PowerShell shadow copy commands. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, shadow-copy, ransomware, anti-forensics, t1490, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- shadow-copy +- ransomware +- anti-forensics +- t1490 +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Platform Hardening +- Restore Object +- Restore Configuration +- Restore Software +- Software Update --- # Hunting For Shadow Copy Deletion diff --git a/skills/hunting-for-spearphishing-indicators/SKILL.md b/skills/hunting-for-spearphishing-indicators/SKILL.md index 483ba93a..01aba95a 100644 --- a/skills/hunting-for-spearphishing-indicators/SKILL.md +++ b/skills/hunting-for-spearphishing-indicators/SKILL.md @@ -1,12 +1,26 @@ --- name: hunting-for-spearphishing-indicators -description: Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks. +description: Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect + targeted email attacks. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, spearphishing, initial-access, email-security, t1566, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- spearphishing +- initial-access +- email-security +- t1566 +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- # Hunting For Spearphishing Indicators diff --git a/skills/hunting-for-startup-folder-persistence/SKILL.md b/skills/hunting-for-startup-folder-persistence/SKILL.md index 849e7ca8..ff2651ad 100644 --- a/skills/hunting-for-startup-folder-persistence/SKILL.md +++ b/skills/hunting-for-startup-folder-persistence/SKILL.md @@ -1,12 +1,26 @@ --- name: hunting-for-startup-folder-persistence -description: Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation, analyzing autoruns entries, and using Python watchdog for real-time filesystem monitoring. +description: Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation, + analyzing autoruns entries, and using Python watchdog for real-time filesystem monitoring. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, T1547.001, startup-folder, persistence, autoruns, watchdog, filesystem-monitoring] -version: "1.0" +tags: +- threat-hunting +- T1547.001 +- startup-folder +- persistence +- autoruns +- watchdog +- filesystem-monitoring +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Hunting for Startup Folder Persistence diff --git a/skills/hunting-for-supply-chain-compromise/SKILL.md b/skills/hunting-for-supply-chain-compromise/SKILL.md index 700f8756..a773d332 100644 --- a/skills/hunting-for-supply-chain-compromise/SKILL.md +++ b/skills/hunting-for-supply-chain-compromise/SKILL.md @@ -1,12 +1,25 @@ --- name: hunting-for-supply-chain-compromise -description: Hunt for supply chain compromise indicators including trojanized software updates, compromised dependencies, unauthorized code modifications, and tampered build artifacts. +description: Hunt for supply chain compromise indicators including trojanized software updates, compromised dependencies, + unauthorized code modifications, and tampered build artifacts. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, supply-chain, initial-access, t1195, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- supply-chain +- initial-access +- t1195 +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Platform Hardening +- Restore Object +- Restore Software +- Software Update +- Asset Inventory --- # Hunting For Supply Chain Compromise diff --git a/skills/hunting-for-t1098-account-manipulation/SKILL.md b/skills/hunting-for-t1098-account-manipulation/SKILL.md index 190ea128..ace474b8 100644 --- a/skills/hunting-for-t1098-account-manipulation/SKILL.md +++ b/skills/hunting-for-t1098-account-manipulation/SKILL.md @@ -1,12 +1,25 @@ --- name: hunting-for-t1098-account-manipulation -description: Hunt for MITRE ATT&CK T1098 account manipulation including shadow admin creation, SID history injection, group membership changes, and credential modifications using Windows Security Event Logs. +description: Hunt for MITRE ATT&CK T1098 account manipulation including shadow admin creation, SID history injection, group + membership changes, and credential modifications using Windows Security Event Logs. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, t1098, account-manipulation, active-directory, persistence] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- t1098 +- account-manipulation +- active-directory +- persistence +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Token Binding +- Restore Access +- Application Protocol Command Analysis +- Password Authentication +- Biometric Authentication --- # Hunting for T1098 Account Manipulation diff --git a/skills/hunting-for-unusual-network-connections/SKILL.md b/skills/hunting-for-unusual-network-connections/SKILL.md index 40340e56..6c1fb4b9 100644 --- a/skills/hunting-for-unusual-network-connections/SKILL.md +++ b/skills/hunting-for-unusual-network-connections/SKILL.md @@ -1,12 +1,25 @@ --- name: hunting-for-unusual-network-connections -description: Hunt for unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard ports, and anomalous connection frequencies from endpoints. +description: Hunt for unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard + ports, and anomalous connection frequencies from endpoints. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, network-analysis, c2, anomaly-detection, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- network-analysis +- c2 +- anomaly-detection +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Certificate Analysis +- Application Protocol Command Analysis +- Content Format Conversion +- File Content Analysis --- # Hunting For Unusual Network Connections diff --git a/skills/hunting-for-unusual-service-installations/SKILL.md b/skills/hunting-for-unusual-service-installations/SKILL.md index d97d2d6d..c1a64c61 100644 --- a/skills/hunting-for-unusual-service-installations/SKILL.md +++ b/skills/hunting-for-unusual-service-installations/SKILL.md @@ -1,12 +1,26 @@ --- name: hunting-for-unusual-service-installations -description: Detect suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event ID 7045, analyzing service binary paths, and identifying indicators of persistence mechanisms. +description: Detect suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event + ID 7045, analyzing service binary paths, and identifying indicators of persistence mechanisms. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, T1543.003, service-installation, persistence, Event-7045, Sysmon, Windows-services] -version: "1.0" +tags: +- threat-hunting +- T1543.003 +- service-installation +- persistence +- Event-7045 +- Sysmon +- Windows-services +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Platform Hardening +- System Configuration Permissions +- Restore Object +- Restore Database +- Asset Inventory --- # Hunting for Unusual Service Installations diff --git a/skills/hunting-for-webshell-activity/SKILL.md b/skills/hunting-for-webshell-activity/SKILL.md index c0919cfd..28b42b08 100644 --- a/skills/hunting-for-webshell-activity/SKILL.md +++ b/skills/hunting-for-webshell-activity/SKILL.md @@ -1,12 +1,26 @@ --- name: hunting-for-webshell-activity -description: Hunt for web shell deployments on internet-facing servers by analyzing file creation in web directories, suspicious process spawning from web servers, and anomalous HTTP patterns. +description: Hunt for web shell deployments on internet-facing servers by analyzing file creation in web directories, suspicious + process spawning from web servers, and anomalous HTTP patterns. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, mitre-attack, webshell, persistence, web-server, t1505, proactive-detection] -version: "1.0" +tags: +- threat-hunting +- mitre-attack +- webshell +- persistence +- web-server +- t1505 +- proactive-detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Restore Access +- Process Termination --- # Hunting For Webshell Activity diff --git a/skills/implementing-api-key-security-controls/SKILL.md b/skills/implementing-api-key-security-controls/SKILL.md index 66d212de..8c856595 100644 --- a/skills/implementing-api-key-security-controls/SKILL.md +++ b/skills/implementing-api-key-security-controls/SKILL.md @@ -1,18 +1,31 @@ --- name: implementing-api-key-security-controls -description: > - Implements secure API key generation, storage, rotation, and revocation controls to protect - API authentication credentials from leakage, brute force, and abuse. The engineer designs - API key formats with sufficient entropy, implements secure hashing for storage, enforces - per-key scoping and rate limiting, monitors for leaked keys in public repositories, and - builds key rotation workflows. Activates for requests involving API key management, API - key security, key rotation policy, or API credential protection. +description: 'Implements secure API key generation, storage, rotation, and revocation controls to protect API authentication + credentials from leakage, brute force, and abuse. The engineer designs API key formats with sufficient entropy, implements + secure hashing for storage, enforces per-key scoping and rate limiting, monitors for leaked keys in public repositories, + and builds key rotation workflows. Activates for requests involving API key management, API key security, key rotation policy, + or API credential protection. + + ' domain: cybersecurity subdomain: api-security -tags: [api-security, api-keys, credential-management, key-rotation, secret-management] +tags: +- api-security +- api-keys +- credential-management +- key-rotation +- secret-management version: 1.0.0 author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Implementing API Key Security Controls diff --git a/skills/implementing-aws-macie-for-data-classification/SKILL.md b/skills/implementing-aws-macie-for-data-classification/SKILL.md index 94d52f46..20cdec22 100644 --- a/skills/implementing-aws-macie-for-data-classification/SKILL.md +++ b/skills/implementing-aws-macie-for-data-classification/SKILL.md @@ -1,12 +1,30 @@ --- name: implementing-aws-macie-for-data-classification -description: Implement Amazon Macie to automatically discover, classify, and protect sensitive data in S3 buckets using machine learning and pattern matching for PII, financial data, and credentials detection. +description: Implement Amazon Macie to automatically discover, classify, and protect sensitive data in S3 buckets using machine + learning and pattern matching for PII, financial data, and credentials detection. domain: cybersecurity subdomain: cloud-security -tags: [aws, macie, data-classification, s3, pii, sensitive-data, dlp, compliance] -version: "1.0" +tags: +- aws +- macie +- data-classification +- s3 +- pii +- sensitive-data +- dlp +- compliance +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0043 +- AML.T0018 +nist_ai_rmf: +- GOVERN-1.1 +- GOVERN-4.2 +- MAP-2.3 +- MEASURE-2.7 +- MEASURE-2.5 --- # Implementing AWS Macie for Data Classification diff --git a/skills/implementing-azure-defender-for-cloud/SKILL.md b/skills/implementing-azure-defender-for-cloud/SKILL.md index 5a2afbbd..a8cc1619 100644 --- a/skills/implementing-azure-defender-for-cloud/SKILL.md +++ b/skills/implementing-azure-defender-for-cloud/SKILL.md @@ -1,15 +1,30 @@ --- name: implementing-azure-defender-for-cloud -description: > - Implementing Microsoft Defender for Cloud to enable cloud security posture management, - workload protection across VMs, containers, databases, and storage, configure security - recommendations, and set up adaptive security controls with automated remediation. +description: 'Implementing Microsoft Defender for Cloud to enable cloud security posture management, workload protection across + VMs, containers, databases, and storage, configure security recommendations, and set up adaptive security controls with + automated remediation. + + ' domain: cybersecurity subdomain: cloud-security -tags: [cloud-security, azure, defender-for-cloud, cspm, cwpp, security-recommendations] -version: "1.0" +tags: +- cloud-security +- azure +- defender-for-cloud +- cspm +- cwpp +- security-recommendations +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Implementing Azure Defender for Cloud diff --git a/skills/implementing-cisa-zero-trust-maturity-model/SKILL.md b/skills/implementing-cisa-zero-trust-maturity-model/SKILL.md index 0d101326..0faf3931 100644 --- a/skills/implementing-cisa-zero-trust-maturity-model/SKILL.md +++ b/skills/implementing-cisa-zero-trust-maturity-model/SKILL.md @@ -1,12 +1,30 @@ --- name: implementing-cisa-zero-trust-maturity-model -description: Implement the CISA Zero Trust Maturity Model v2.0 across the five pillars of identity, devices, networks, applications, and data to achieve progressive organizational zero trust maturity. +description: Implement the CISA Zero Trust Maturity Model v2.0 across the five pillars of identity, devices, networks, applications, + and data to achieve progressive organizational zero trust maturity. domain: cybersecurity subdomain: zero-trust-architecture -tags: [zero-trust, cisa, maturity-model, federal-compliance, governance, nist-800-207, identity, devices, networks, applications, data-security] -version: "1.0" +tags: +- zero-trust +- cisa +- maturity-model +- federal-compliance +- governance +- nist-800-207 +- identity +- devices +- networks +- applications +- data-security +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- GOVERN-1.1 +- GOVERN-1.7 +- MAP-1.1 +- GOVERN-4.2 +- MAP-2.3 --- # Implementing CISA Zero Trust Maturity Model diff --git a/skills/implementing-cloud-dlp-for-data-protection/SKILL.md b/skills/implementing-cloud-dlp-for-data-protection/SKILL.md index 8bc8e825..cc07504e 100644 --- a/skills/implementing-cloud-dlp-for-data-protection/SKILL.md +++ b/skills/implementing-cloud-dlp-for-data-protection/SKILL.md @@ -1,15 +1,31 @@ --- name: implementing-cloud-dlp-for-data-protection -description: > - Implementing Cloud Data Loss Prevention (DLP) using Amazon Macie, Azure Information - Protection, and Google Cloud DLP API to discover, classify, and protect sensitive data - across cloud storage, databases, and data pipelines. +description: 'Implementing Cloud Data Loss Prevention (DLP) using Amazon Macie, Azure Information Protection, and Google Cloud + DLP API to discover, classify, and protect sensitive data across cloud storage, databases, and data pipelines. + + ' domain: cybersecurity subdomain: cloud-security -tags: [cloud-security, dlp, data-protection, macie, data-classification, privacy] -version: "1.0" +tags: +- cloud-security +- dlp +- data-protection +- macie +- data-classification +- privacy +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +- MEASURE-2.8 +- MEASURE-2.9 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Implementing Cloud DLP for Data Protection diff --git a/skills/implementing-continuous-security-validation-with-bas/SKILL.md b/skills/implementing-continuous-security-validation-with-bas/SKILL.md index 0db9e9bc..cd6ffa93 100644 --- a/skills/implementing-continuous-security-validation-with-bas/SKILL.md +++ b/skills/implementing-continuous-security-validation-with-bas/SKILL.md @@ -1,12 +1,27 @@ --- name: implementing-continuous-security-validation-with-bas -description: Deploy Breach and Attack Simulation tools to continuously validate security control effectiveness by safely emulating real-world attack techniques across the kill chain. +description: Deploy Breach and Attack Simulation tools to continuously validate security control effectiveness by safely emulating + real-world attack techniques across the kill chain. domain: cybersecurity subdomain: vulnerability-management -tags: [breach-attack-simulation, bas, security-validation, safebreach, attackiq, picus, cymulate, mitre-attack] -version: "1.0" +tags: +- breach-attack-simulation +- bas +- security-validation +- safebreach +- attackiq +- picus +- cymulate +- mitre-attack +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- # Implementing Continuous Security Validation with BAS diff --git a/skills/implementing-dragos-platform-for-ot-monitoring/SKILL.md b/skills/implementing-dragos-platform-for-ot-monitoring/SKILL.md index b2e42c93..65d8c0cf 100644 --- a/skills/implementing-dragos-platform-for-ot-monitoring/SKILL.md +++ b/skills/implementing-dragos-platform-for-ot-monitoring/SKILL.md @@ -1,16 +1,32 @@ --- name: implementing-dragos-platform-for-ot-monitoring -description: > - Deploy and configure the Dragos Platform for OT network monitoring, leveraging - its 600+ industrial protocol parsers, intelligence-driven threat detection - analytics, and asset visibility capabilities to protect ICS environments against +description: 'Deploy and configure the Dragos Platform for OT network monitoring, leveraging its 600+ industrial protocol + parsers, intelligence-driven threat detection analytics, and asset visibility capabilities to protect ICS environments against threat groups like VOLTZITE, GRAPHITE, and BAUXITE. + + ' domain: cybersecurity subdomain: ot-ics-security -tags: [ot-security, ics, dragos, threat-detection, ot-monitoring, scada, threat-intelligence, ndr] -version: "1.0" +tags: +- ot-security +- ics +- dragos +- threat-detection +- ot-monitoring +- scada +- threat-intelligence +- ndr +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Implementing Dragos Platform for OT Monitoring diff --git a/skills/implementing-ebpf-security-monitoring/SKILL.md b/skills/implementing-ebpf-security-monitoring/SKILL.md index e39f473c..7bd8b08d 100644 --- a/skills/implementing-ebpf-security-monitoring/SKILL.md +++ b/skills/implementing-ebpf-security-monitoring/SKILL.md @@ -1,18 +1,33 @@ --- name: implementing-ebpf-security-monitoring -description: > - Implements eBPF-based security monitoring using Cilium Tetragon for real-time - process execution tracking, network connection observability, file access auditing, - and runtime enforcement. Covers TracingPolicy CRD authoring with kprobe/tracepoint - hooks, in-kernel filtering via matchArgs/matchBinaries selectors, JSON event export, - and integration with SIEM pipelines. Use when building kernel-level runtime security - observability for Linux hosts or Kubernetes clusters. +description: 'Implements eBPF-based security monitoring using Cilium Tetragon for real-time process execution tracking, network + connection observability, file access auditing, and runtime enforcement. Covers TracingPolicy CRD authoring with kprobe/tracepoint + hooks, in-kernel filtering via matchArgs/matchBinaries selectors, JSON event export, and integration with SIEM pipelines. + Use when building kernel-level runtime security observability for Linux hosts or Kubernetes clusters. + + ' domain: cybersecurity subdomain: security-operations -tags: [implementing, ebpf, security, monitoring, tetragon, cilium, runtime, observability] -version: "1.0" +tags: +- implementing +- ebpf +- security +- monitoring +- tetragon +- cilium +- runtime +- observability +version: '1.0' author: mukul975 license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Implementing eBPF Security Monitoring diff --git a/skills/implementing-endpoint-detection-with-wazuh/SKILL.md b/skills/implementing-endpoint-detection-with-wazuh/SKILL.md index 79275208..18ed1d33 100644 --- a/skills/implementing-endpoint-detection-with-wazuh/SKILL.md +++ b/skills/implementing-endpoint-detection-with-wazuh/SKILL.md @@ -1,12 +1,25 @@ --- name: implementing-endpoint-detection-with-wazuh -description: Deploy and configure Wazuh SIEM/XDR for endpoint detection including agent management, custom decoder and rule XML creation, alert querying via the Wazuh REST API, and automated response actions. +description: Deploy and configure Wazuh SIEM/XDR for endpoint detection including agent management, custom decoder and rule + XML creation, alert querying via the Wazuh REST API, and automated response actions. domain: cybersecurity subdomain: security-operations -tags: [siem, xdr, wazuh, endpoint-detection, custom-rules, incident-response] -version: "1.0" +tags: +- siem +- xdr +- wazuh +- endpoint-detection +- custom-rules +- incident-response +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- GOVERN-1.1 +- MEASURE-2.7 +- MANAGE-3.1 +- MANAGE-2.4 +- MEASURE-3.1 --- # Implementing Endpoint Detection with Wazuh diff --git a/skills/implementing-endpoint-dlp-controls/SKILL.md b/skills/implementing-endpoint-dlp-controls/SKILL.md index 0ab3908a..3dbe8c2e 100644 --- a/skills/implementing-endpoint-dlp-controls/SKILL.md +++ b/skills/implementing-endpoint-dlp-controls/SKILL.md @@ -1,17 +1,31 @@ --- name: implementing-endpoint-dlp-controls -description: > - Implements endpoint Data Loss Prevention (DLP) controls to detect and prevent sensitive data - exfiltration through email, USB, cloud storage, and printing. Use when deploying DLP agents, - creating content inspection policies, or preventing unauthorized data movement from endpoints. - Activates for requests involving DLP, data exfiltration prevention, content inspection, or - sensitive data protection on endpoints. +description: 'Implements endpoint Data Loss Prevention (DLP) controls to detect and prevent sensitive data exfiltration through + email, USB, cloud storage, and printing. Use when deploying DLP agents, creating content inspection policies, or preventing + unauthorized data movement from endpoints. Activates for requests involving DLP, data exfiltration prevention, content inspection, + or sensitive data protection on endpoints. + + ' domain: cybersecurity subdomain: endpoint-security -tags: [endpoint, DLP, data-loss-prevention, data-protection, content-inspection] +tags: +- endpoint +- DLP +- data-loss-prevention +- data-protection +- content-inspection version: 1.0.0 author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0024 +- AML.T0056 +nist_ai_rmf: +- GOVERN-1.1 +- MEASURE-2.7 +- MANAGE-3.1 +- MAP-5.1 +- MANAGE-2.4 --- # Implementing Endpoint DLP Controls diff --git a/skills/implementing-fuzz-testing-in-cicd-with-aflplusplus/SKILL.md b/skills/implementing-fuzz-testing-in-cicd-with-aflplusplus/SKILL.md index fb90b440..b6327eec 100644 --- a/skills/implementing-fuzz-testing-in-cicd-with-aflplusplus/SKILL.md +++ b/skills/implementing-fuzz-testing-in-cicd-with-aflplusplus/SKILL.md @@ -1,12 +1,28 @@ --- name: implementing-fuzz-testing-in-cicd-with-aflplusplus -description: Integrate AFL++ coverage-guided fuzz testing into CI/CD pipelines to discover memory corruption, input handling, and logic vulnerabilities in C/C++ and compiled applications. +description: Integrate AFL++ coverage-guided fuzz testing into CI/CD pipelines to discover memory corruption, input handling, + and logic vulnerabilities in C/C++ and compiled applications. domain: cybersecurity subdomain: devsecops -tags: [aflplusplus, fuzz-testing, cicd, coverage-guided-fuzzing, security-testing, vulnerability-discovery, afl] -version: "1.0" +tags: +- aflplusplus +- fuzz-testing +- cicd +- coverage-guided-fuzzing +- security-testing +- vulnerability-discovery +- afl +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Implementing Fuzz Testing in CI/CD with AFL++ diff --git a/skills/implementing-gdpr-data-protection-controls/SKILL.md b/skills/implementing-gdpr-data-protection-controls/SKILL.md index 68c0ee37..69362b22 100644 --- a/skills/implementing-gdpr-data-protection-controls/SKILL.md +++ b/skills/implementing-gdpr-data-protection-controls/SKILL.md @@ -1,13 +1,38 @@ --- name: implementing-gdpr-data-protection-controls -description: The General Data Protection Regulation (EU) 2016/679 (GDPR) is the EU's comprehensive data protection law governing the collection, processing, storage, and transfer of personal data. This skill cover +description: The General Data Protection Regulation (EU) 2016/679 (GDPR) is the EU's comprehensive data protection law governing + the collection, processing, storage, and transfer of personal data. This skill cover domain: cybersecurity subdomain: compliance-governance -tags: [compliance, governance, gdpr, privacy, data-protection, eu-regulation] -nist_csf: [GV.OC, GV.PO, GV.RR, ID.AM, PR.AA, PR.DS, RS.CO, RS.MA] -version: "1.0" +tags: +- compliance +- governance +- gdpr +- privacy +- data-protection +- eu-regulation +nist_csf: +- GV.OC +- GV.PO +- GV.RR +- ID.AM +- PR.AA +- PR.DS +- RS.CO +- RS.MA +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +- MEASURE-2.8 +- MEASURE-2.9 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Implementing GDPR Data Protection Controls diff --git a/skills/implementing-hardware-security-key-authentication/SKILL.md b/skills/implementing-hardware-security-key-authentication/SKILL.md index b3929089..04ea0f44 100644 --- a/skills/implementing-hardware-security-key-authentication/SKILL.md +++ b/skills/implementing-hardware-security-key-authentication/SKILL.md @@ -1,18 +1,34 @@ --- name: implementing-hardware-security-key-authentication -description: > - Implements FIDO2/WebAuthn hardware security key authentication including registration ceremonies, - authentication flows, YubiKey enrollment, and passkey migration strategies. Builds a complete - relying party server using the python-fido2 library that supports cross-platform authenticators, - resident key (discoverable credential) workflows, and user verification policies. Activates for - requests involving FIDO2 implementation, WebAuthn registration, hardware security key enrollment, +description: 'Implements FIDO2/WebAuthn hardware security key authentication including registration ceremonies, authentication + flows, YubiKey enrollment, and passkey migration strategies. Builds a complete relying party server using the python-fido2 + library that supports cross-platform authenticators, resident key (discoverable credential) workflows, and user verification + policies. Activates for requests involving FIDO2 implementation, WebAuthn registration, hardware security key enrollment, YubiKey integration, or passkey migration from password-based authentication. + + ' domain: cybersecurity subdomain: identity-and-access-management -tags: [FIDO2, WebAuthn, hardware-security-key, YubiKey, passkeys, passwordless-authentication, CTAP2] +tags: +- FIDO2 +- WebAuthn +- hardware-security-key +- YubiKey +- passkeys +- passwordless-authentication +- CTAP2 version: 1.0.0 author: mukul975 license: Apache-2.0 +atlas_techniques: +- AML.T0051 +- AML.T0054 +- AML.T0056 +nist_ai_rmf: +- MEASURE-2.7 +- MEASURE-2.5 +- GOVERN-6.1 +- MAP-5.1 --- # Implementing Hardware Security Key Authentication diff --git a/skills/implementing-honeypot-for-ransomware-detection/SKILL.md b/skills/implementing-honeypot-for-ransomware-detection/SKILL.md index d3e266ac..ec4f9b70 100644 --- a/skills/implementing-honeypot-for-ransomware-detection/SKILL.md +++ b/skills/implementing-honeypot-for-ransomware-detection/SKILL.md @@ -1,19 +1,30 @@ --- name: implementing-honeypot-for-ransomware-detection -description: > - Deploys canary files, honeypot shares, and decoy systems to detect ransomware - activity at the earliest possible stage. Configures canary tokens embedded in - strategic file locations that trigger alerts when ransomware attempts encryption, - uses honeypot network shares that mimic high-value targets, and deploys Thinkst - Canary appliances for comprehensive deception-based detection. Activates for - requests involving ransomware honeypots, canary files, deception technology for - ransomware, or early ransomware alerting. +description: 'Deploys canary files, honeypot shares, and decoy systems to detect ransomware activity at the earliest possible + stage. Configures canary tokens embedded in strategic file locations that trigger alerts when ransomware attempts encryption, + uses honeypot network shares that mimic high-value targets, and deploys Thinkst Canary appliances for comprehensive deception-based + detection. Activates for requests involving ransomware honeypots, canary files, deception technology for ransomware, or + early ransomware alerting. + + ' domain: cybersecurity subdomain: ransomware-defense -tags: [ransomware, detection, honeypot, canary, defense, deception] +tags: +- ransomware +- detection +- honeypot +- canary +- defense +- deception version: 1.0.0 author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis +- Platform Hardening +- File Format Verification --- # Implementing Honeypot for Ransomware Detection diff --git a/skills/implementing-identity-verification-for-zero-trust/SKILL.md b/skills/implementing-identity-verification-for-zero-trust/SKILL.md index e8c569ce..205963b1 100644 --- a/skills/implementing-identity-verification-for-zero-trust/SKILL.md +++ b/skills/implementing-identity-verification-for-zero-trust/SKILL.md @@ -1,12 +1,24 @@ --- name: implementing-identity-verification-for-zero-trust -description: Implement continuous identity verification for zero trust using phishing-resistant MFA (FIDO2/WebAuthn), risk-based conditional access, and identity governance aligned with the CISA Zero Trust Maturity Model. +description: Implement continuous identity verification for zero trust using phishing-resistant MFA (FIDO2/WebAuthn), risk-based + conditional access, and identity governance aligned with the CISA Zero Trust Maturity Model. domain: cybersecurity subdomain: zero-trust-architecture -tags: [zero-trust, identity, authentication, mfa, identity-verification] -version: "1.0" +tags: +- zero-trust +- identity +- authentication +- mfa +- identity-verification +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0052 +nist_ai_rmf: +- GOVERN-1.1 +- GOVERN-1.7 +- MAP-1.1 --- # Implementing Identity Verification for Zero Trust diff --git a/skills/implementing-immutable-backup-with-restic/SKILL.md b/skills/implementing-immutable-backup-with-restic/SKILL.md index 87c74e55..88a323af 100644 --- a/skills/implementing-immutable-backup-with-restic/SKILL.md +++ b/skills/implementing-immutable-backup-with-restic/SKILL.md @@ -1,18 +1,33 @@ --- name: implementing-immutable-backup-with-restic -description: > - Implements immutable backup strategy using restic with S3-compatible storage - and object lock for ransomware-resistant data protection. Automates backup - creation, integrity verification via restic check --read-data, snapshot - retention policy enforcement, and restore testing. Integrates with AWS S3 - Object Lock, MinIO, and Backblaze B2 for WORM (Write Once Read Many) storage - that prevents backup deletion or encryption by ransomware actors. +description: 'Implements immutable backup strategy using restic with S3-compatible storage and object lock for ransomware-resistant + data protection. Automates backup creation, integrity verification via restic check --read-data, snapshot retention policy + enforcement, and restore testing. Integrates with AWS S3 Object Lock, MinIO, and Backblaze B2 for WORM (Write Once Read + Many) storage that prevents backup deletion or encryption by ransomware actors. + + ' domain: cybersecurity subdomain: ransomware-defense -tags: [restic, backup, immutable, ransomware, s3, object-lock, worm, recovery] +tags: +- restic +- backup +- immutable +- ransomware +- s3 +- object-lock +- worm +- recovery version: 1.0.0 author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Implementing Immutable Backup with Restic diff --git a/skills/implementing-llm-guardrails-for-security/SKILL.md b/skills/implementing-llm-guardrails-for-security/SKILL.md index fe3abb49..ce23619e 100644 --- a/skills/implementing-llm-guardrails-for-security/SKILL.md +++ b/skills/implementing-llm-guardrails-for-security/SKILL.md @@ -1,21 +1,43 @@ --- name: implementing-llm-guardrails-for-security -description: > - Implements input and output validation guardrails for LLM-powered applications to prevent - prompt injection, data leakage, toxic content generation, and hallucinated outputs. Builds - a security validation pipeline using NVIDIA NeMo Guardrails Colang definitions, custom Python - validators for PII detection and content policy enforcement, and the Guardrails AI framework - for structured output validation. The guardrails system intercepts both user inputs (blocking - injection attempts, stripping PII, enforcing topic boundaries) and model outputs (detecting - hallucinations, filtering toxic content, validating JSON schema compliance). Activates for - requests involving LLM output validation, AI content filtering, guardrail implementation, +description: 'Implements input and output validation guardrails for LLM-powered applications to prevent prompt injection, + data leakage, toxic content generation, and hallucinated outputs. Builds a security validation pipeline using NVIDIA NeMo + Guardrails Colang definitions, custom Python validators for PII detection and content policy enforcement, and the Guardrails + AI framework for structured output validation. The guardrails system intercepts both user inputs (blocking injection attempts, + stripping PII, enforcing topic boundaries) and model outputs (detecting hallucinations, filtering toxic content, validating + JSON schema compliance). Activates for requests involving LLM output validation, AI content filtering, guardrail implementation, or LLM safety enforcement. + + ' domain: cybersecurity subdomain: ai-security -tags: [LLM-guardrails, NeMo-Guardrails, input-validation, output-filtering, AI-safety] +tags: +- LLM-guardrails +- NeMo-Guardrails +- input-validation +- output-filtering +- AI-safety version: 1.0.0 author: mukul975 license: Apache-2.0 +atlas_techniques: +- AML.T0051 +- AML.T0054 +- AML.T0056 +- AML.T0057 +- AML.T0062 +nist_ai_rmf: +- GOVERN-1.1 +- GOVERN-6.1 +- MEASURE-2.7 +- MEASURE-2.5 +- MANAGE-2.4 +d3fend_techniques: +- Content Validation +- Content Filtering +- Content Excision +- Application Hardening +- Execution Isolation --- # Implementing LLM Guardrails for Security diff --git a/skills/implementing-mitre-attack-coverage-mapping/SKILL.md b/skills/implementing-mitre-attack-coverage-mapping/SKILL.md index 5eb152ff..cae92232 100644 --- a/skills/implementing-mitre-attack-coverage-mapping/SKILL.md +++ b/skills/implementing-mitre-attack-coverage-mapping/SKILL.md @@ -1,12 +1,33 @@ --- name: implementing-mitre-attack-coverage-mapping -description: Implement MITRE ATT&CK coverage mapping to identify detection gaps, prioritize rule development, and measure SOC detection maturity against adversary techniques. +description: Implement MITRE ATT&CK coverage mapping to identify detection gaps, prioritize rule development, and measure + SOC detection maturity against adversary techniques. domain: cybersecurity subdomain: soc-operations -tags: [mitre-attack, detection-coverage, gap-analysis, attack-navigator, soc, detection-engineering] -version: "1.0" +tags: +- mitre-attack +- detection-coverage +- gap-analysis +- attack-navigator +- soc +- detection-engineering +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 +d3fend_techniques: +- Token Binding +- Restore Access +- Application Protocol Command Analysis +- Password Authentication +- Reissue Credential --- # Implementing MITRE ATT&CK Coverage Mapping diff --git a/skills/implementing-ot-network-traffic-analysis-with-nozomi/SKILL.md b/skills/implementing-ot-network-traffic-analysis-with-nozomi/SKILL.md index 20af6aed..e13b0ab7 100644 --- a/skills/implementing-ot-network-traffic-analysis-with-nozomi/SKILL.md +++ b/skills/implementing-ot-network-traffic-analysis-with-nozomi/SKILL.md @@ -1,16 +1,32 @@ --- name: implementing-ot-network-traffic-analysis-with-nozomi -description: > - Deploy Nozomi Networks Guardian sensors for passive OT network traffic analysis - to achieve comprehensive asset visibility, real-time threat detection, and - vulnerability assessment across industrial control systems without disrupting +description: 'Deploy Nozomi Networks Guardian sensors for passive OT network traffic analysis to achieve comprehensive asset + visibility, real-time threat detection, and vulnerability assessment across industrial control systems without disrupting operations, leveraging behavioral anomaly detection and protocol-aware monitoring. + + ' domain: cybersecurity subdomain: ot-ics-security -tags: [ot-security, ics, nozomi, guardian, network-monitoring, asset-visibility, anomaly-detection, ndr] -version: "1.0" +tags: +- ot-security +- ics +- nozomi +- guardian +- network-monitoring +- asset-visibility +- anomaly-detection +- ndr +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Implementing OT Network Traffic Analysis with Nozomi diff --git a/skills/implementing-passwordless-authentication-with-fido2/SKILL.md b/skills/implementing-passwordless-authentication-with-fido2/SKILL.md index 9ab58024..919088aa 100644 --- a/skills/implementing-passwordless-authentication-with-fido2/SKILL.md +++ b/skills/implementing-passwordless-authentication-with-fido2/SKILL.md @@ -1,12 +1,29 @@ --- name: implementing-passwordless-authentication-with-fido2 -description: Deploy FIDO2/WebAuthn passwordless authentication using security keys and platform authenticators. Covers WebAuthn API integration, FIDO2 server configuration, passkey enrollment, biometric authentica +description: Deploy FIDO2/WebAuthn passwordless authentication using security keys and platform authenticators. Covers WebAuthn + API integration, FIDO2 server configuration, passkey enrollment, biometric authentica domain: cybersecurity subdomain: identity-access-management -tags: [iam, identity, access-control, authentication, fido2, webauthn, passwordless] -version: "1.0" +tags: +- iam +- identity +- access-control +- authentication +- fido2 +- webauthn +- passwordless +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0051 +- AML.T0054 +- AML.T0056 +nist_ai_rmf: +- MEASURE-2.7 +- MEASURE-2.5 +- GOVERN-6.1 +- MAP-5.1 --- # Implementing Passwordless Authentication with FIDO2 diff --git a/skills/implementing-policy-as-code-with-open-policy-agent/SKILL.md b/skills/implementing-policy-as-code-with-open-policy-agent/SKILL.md index 08a858ae..613c10cc 100644 --- a/skills/implementing-policy-as-code-with-open-policy-agent/SKILL.md +++ b/skills/implementing-policy-as-code-with-open-policy-agent/SKILL.md @@ -1,16 +1,27 @@ --- name: implementing-policy-as-code-with-open-policy-agent -description: > - This skill covers implementing Open Policy Agent (OPA) and Gatekeeper for policy-as-code - enforcement in Kubernetes and CI/CD pipelines. It addresses writing Rego policies, deploying - OPA Gatekeeper as a Kubernetes admission controller, testing policies in development, and - integrating policy evaluation into deployment pipelines. +description: 'This skill covers implementing Open Policy Agent (OPA) and Gatekeeper for policy-as-code enforcement in Kubernetes + and CI/CD pipelines. It addresses writing Rego policies, deploying OPA Gatekeeper as a Kubernetes admission controller, + testing policies in development, and integrating policy evaluation into deployment pipelines. + + ' domain: cybersecurity subdomain: devsecops -tags: [devsecops, cicd, opa, gatekeeper, policy-as-code, kubernetes, secure-sdlc] +tags: +- devsecops +- cicd +- opa +- gatekeeper +- policy-as-code +- kubernetes +- secure-sdlc version: 1.0.0 author: mahipal license: Apache-2.0 +nist_ai_rmf: +- GOVERN-1.1 +- MEASURE-2.7 +- MANAGE-3.1 --- # Implementing Policy as Code with Open Policy Agent diff --git a/skills/implementing-ransomware-backup-strategy/SKILL.md b/skills/implementing-ransomware-backup-strategy/SKILL.md index 8912a6dd..0060a62b 100644 --- a/skills/implementing-ransomware-backup-strategy/SKILL.md +++ b/skills/implementing-ransomware-backup-strategy/SKILL.md @@ -1,19 +1,34 @@ --- name: implementing-ransomware-backup-strategy -description: > - Designs and implements a ransomware-resilient backup strategy following the 3-2-1-1-0 - methodology (3 copies, 2 media types, 1 offsite, 1 immutable/air-gapped, 0 errors on - restore verification). Configures backup schedules aligned to RPO/RTO requirements, - implements backup credential isolation to prevent ransomware from compromising backup - infrastructure, and establishes automated restore testing. Activates for requests involving - ransomware backup planning, backup resilience, air-gapped backup design, or backup - recovery point objective configuration. +description: 'Designs and implements a ransomware-resilient backup strategy following the 3-2-1-1-0 methodology (3 copies, + 2 media types, 1 offsite, 1 immutable/air-gapped, 0 errors on restore verification). Configures backup schedules aligned + to RPO/RTO requirements, implements backup credential isolation to prevent ransomware from compromising backup infrastructure, + and establishes automated restore testing. Activates for requests involving ransomware backup planning, backup resilience, + air-gapped backup design, or backup recovery point objective configuration. + + ' domain: cybersecurity subdomain: ransomware-defense -tags: [ransomware, backup, incident-response, defense, recovery, immutable-storage] +tags: +- ransomware +- backup +- incident-response +- defense +- recovery +- immutable-storage version: 1.0.0 author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +- MANAGE-3.1 +- MEASURE-3.1 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Implementing Ransomware Backup Strategy diff --git a/skills/implementing-runtime-application-self-protection/SKILL.md b/skills/implementing-runtime-application-self-protection/SKILL.md index 320c546d..2edf2179 100644 --- a/skills/implementing-runtime-application-self-protection/SKILL.md +++ b/skills/implementing-runtime-application-self-protection/SKILL.md @@ -1,12 +1,26 @@ --- name: implementing-runtime-application-self-protection -description: Deploy Runtime Application Self-Protection (RASP) agents to detect and block attacks from within application runtime, covering OpenRASP integration, attack pattern detection, and security policy configuration for Java and Python web applications. +description: Deploy Runtime Application Self-Protection (RASP) agents to detect and block attacks from within application + runtime, covering OpenRASP integration, attack pattern detection, and security policy configuration for Java and Python + web applications. domain: cybersecurity subdomain: application-security -tags: [rasp, application-security, openrasp, runtime-protection, sqli, xss, rce, devsecops] -version: "1.0" +tags: +- rasp +- application-security +- openrasp +- runtime-protection +- sqli +- xss +- rce +- devsecops +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- GOVERN-1.1 +- MEASURE-2.7 +- MANAGE-3.1 --- # Implementing Runtime Application Self-Protection diff --git a/skills/implementing-runtime-security-with-tetragon/SKILL.md b/skills/implementing-runtime-security-with-tetragon/SKILL.md index 07c22d40..1bc3558b 100644 --- a/skills/implementing-runtime-security-with-tetragon/SKILL.md +++ b/skills/implementing-runtime-security-with-tetragon/SKILL.md @@ -1,12 +1,30 @@ --- name: implementing-runtime-security-with-tetragon -description: Implement eBPF-based runtime security observability and enforcement in Kubernetes clusters using Cilium Tetragon for kernel-level threat detection and policy enforcement. +description: Implement eBPF-based runtime security observability and enforcement in Kubernetes clusters using Cilium Tetragon + for kernel-level threat detection and policy enforcement. domain: cybersecurity subdomain: container-security -tags: [tetragon, ebpf, runtime-security, kubernetes, cilium, container-security, observability, kernel-security, cncf] -version: "1.0" +tags: +- tetragon +- ebpf +- runtime-security +- kubernetes +- cilium +- container-security +- observability +- kernel-security +- cncf +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Implementing Runtime Security with Tetragon diff --git a/skills/implementing-security-chaos-engineering/SKILL.md b/skills/implementing-security-chaos-engineering/SKILL.md index 2f8bc044..a68dfbaa 100644 --- a/skills/implementing-security-chaos-engineering/SKILL.md +++ b/skills/implementing-security-chaos-engineering/SKILL.md @@ -1,16 +1,28 @@ --- name: implementing-security-chaos-engineering -description: > - Implements security chaos engineering experiments that deliberately disable or degrade - security controls to verify detection and response capabilities. Tests WAF bypass, - firewall rule removal, log pipeline disruption, and EDR disablement scenarios using - boto3 and subprocess. Use when validating SOC detection coverage and resilience. +description: 'Implements security chaos engineering experiments that deliberately disable or degrade security controls to + verify detection and response capabilities. Tests WAF bypass, firewall rule removal, log pipeline disruption, and EDR disablement + scenarios using boto3 and subprocess. Use when validating SOC detection coverage and resilience. + + ' domain: cybersecurity subdomain: security-operations -tags: [implementing, security, chaos, engineering] -version: "1.0" +tags: +- implementing +- security +- chaos +- engineering +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Implementing Security Chaos Engineering diff --git a/skills/implementing-security-information-sharing-with-stix2/SKILL.md b/skills/implementing-security-information-sharing-with-stix2/SKILL.md index 6da93ce2..d278e826 100644 --- a/skills/implementing-security-information-sharing-with-stix2/SKILL.md +++ b/skills/implementing-security-information-sharing-with-stix2/SKILL.md @@ -1,15 +1,25 @@ --- name: implementing-security-information-sharing-with-stix2 -description: > - Create, validate, and share STIX 2.1 threat intelligence objects using - the stix2 Python library. Covers indicators, malware, campaigns, - relationships, bundles, and TAXII 2.1 publishing. +description: 'Create, validate, and share STIX 2.1 threat intelligence objects using the stix2 Python library. Covers indicators, + malware, campaigns, relationships, bundles, and TAXII 2.1 publishing. + + ' domain: cybersecurity subdomain: threat-intelligence -tags: [stix, taxii, threat-sharing, intelligence-exchange] -version: "1.0" +tags: +- stix +- taxii +- threat-sharing +- intelligence-exchange +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- # Implementing Security Information Sharing with STIX 2.1 diff --git a/skills/implementing-security-monitoring-with-datadog/SKILL.md b/skills/implementing-security-monitoring-with-datadog/SKILL.md index 252b5e35..e2e3e02b 100644 --- a/skills/implementing-security-monitoring-with-datadog/SKILL.md +++ b/skills/implementing-security-monitoring-with-datadog/SKILL.md @@ -1,19 +1,37 @@ --- name: implementing-security-monitoring-with-datadog -description: > - Implements security monitoring using Datadog Cloud SIEM, Cloud Security - Management (CSM), and Workload Protection to detect threats, enforce - compliance, and respond to security events across cloud and hybrid - infrastructure. Covers Agent deployment, log source ingestion, detection - rule creation, security dashboards, and automated notification workflows. - Activates for requests involving Datadog security setup, Cloud SIEM - configuration, CSM threat detection, or security monitoring dashboards. +description: 'Implements security monitoring using Datadog Cloud SIEM, Cloud Security Management (CSM), and Workload Protection + to detect threats, enforce compliance, and respond to security events across cloud and hybrid infrastructure. Covers Agent + deployment, log source ingestion, detection rule creation, security dashboards, and automated notification workflows. Activates + for requests involving Datadog security setup, Cloud SIEM configuration, CSM threat detection, or security monitoring dashboards. + + ' domain: cybersecurity subdomain: security-operations -tags: [siem, monitoring, datadog, cloud-security, log-analysis, detection-rules, CSM, workload-protection] +tags: +- siem +- monitoring +- datadog +- cloud-security +- log-analysis +- detection-rules +- CSM +- workload-protection version: 1.0.0 author: mahipal license: Apache-2.0 +nist_ai_rmf: +- GOVERN-1.1 +- MEASURE-2.7 +- MANAGE-3.1 +- GOVERN-4.2 +- MAP-2.3 +d3fend_techniques: +- Restore Access +- Password Authentication +- Biometric Authentication +- Strong Password Policy +- Restore User Account Access --- # Implementing Security Monitoring with Datadog diff --git a/skills/implementing-siem-use-cases-for-detection/SKILL.md b/skills/implementing-siem-use-cases-for-detection/SKILL.md index df2e3e56..4cdf742e 100644 --- a/skills/implementing-siem-use-cases-for-detection/SKILL.md +++ b/skills/implementing-siem-use-cases-for-detection/SKILL.md @@ -1,16 +1,38 @@ --- name: implementing-siem-use-cases-for-detection -description: > - Implements SIEM detection use cases by designing correlation rules, threshold alerts, and - behavioral analytics mapped to MITRE ATT&CK techniques across Splunk, Elastic, and Sentinel. - Use when SOC teams need to expand detection coverage, formalize use case lifecycle management, - or build a detection library aligned to organizational threat profile. +description: 'Implements SIEM detection use cases by designing correlation rules, threshold alerts, and behavioral analytics + mapped to MITRE ATT&CK techniques across Splunk, Elastic, and Sentinel. Use when SOC teams need to expand detection coverage, + formalize use case lifecycle management, or build a detection library aligned to organizational threat profile. + + ' domain: cybersecurity subdomain: soc-operations -tags: [soc, siem, use-cases, detection-engineering, mitre-attack, splunk, elastic, sentinel] -version: "1.0" +tags: +- soc +- siem +- use-cases +- detection-engineering +- mitre-attack +- splunk +- elastic +- sentinel +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 +d3fend_techniques: +- Token Binding +- Restore Access +- Password Authentication +- Reissue Credential +- Strong Password Policy --- # Implementing SIEM Use Cases for Detection diff --git a/skills/implementing-threat-modeling-with-mitre-attack/SKILL.md b/skills/implementing-threat-modeling-with-mitre-attack/SKILL.md index 47fa4c9f..6af95ba9 100644 --- a/skills/implementing-threat-modeling-with-mitre-attack/SKILL.md +++ b/skills/implementing-threat-modeling-with-mitre-attack/SKILL.md @@ -1,16 +1,37 @@ --- name: implementing-threat-modeling-with-mitre-attack -description: > - Implements threat modeling using the MITRE ATT&CK framework to map adversary TTPs against - organizational assets, assess detection coverage gaps, and prioritize defensive investments. - Use when SOC teams need to align detection engineering with threat landscape, conduct threat - assessments for new environments, or justify security tool procurement. +description: 'Implements threat modeling using the MITRE ATT&CK framework to map adversary TTPs against organizational assets, + assess detection coverage gaps, and prioritize defensive investments. Use when SOC teams need to align detection engineering + with threat landscape, conduct threat assessments for new environments, or justify security tool procurement. + + ' domain: cybersecurity subdomain: soc-operations -tags: [soc, mitre-attack, threat-modeling, ttp, detection-coverage, attack-navigator, risk-assessment] -version: "1.0" +tags: +- soc +- mitre-attack +- threat-modeling +- ttp +- detection-coverage +- attack-navigator +- risk-assessment +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- # Implementing Threat Modeling with MITRE ATT&CK diff --git a/skills/implementing-velociraptor-for-ir-collection/SKILL.md b/skills/implementing-velociraptor-for-ir-collection/SKILL.md index 73a1e698..9f939c2c 100644 --- a/skills/implementing-velociraptor-for-ir-collection/SKILL.md +++ b/skills/implementing-velociraptor-for-ir-collection/SKILL.md @@ -1,277 +1,12 @@ --- -name: implementing-velociraptor-for-ir-collection -description: Deploy and configure Velociraptor for scalable endpoint forensic artifact collection during incident response using VQL queries, hunts, and pre-built artifact packs across Windows, Linux, and macOS environments. -domain: cybersecurity -subdomain: incident-response -tags: [velociraptor, dfir, endpoint-collection, vql, forensic-artifacts, rapid7, threat-hunting, incident-response] -mitre_attack: ["T1059", "T1003", "T1070", "T1547"] -version: "1.0" -author: mahipal -license: Apache-2.0 ---- - -# Implementing Velociraptor for IR Collection - -## Overview - -Velociraptor is an advanced open-source endpoint monitoring, digital forensics, and incident response platform developed by Rapid7. It uses the Velociraptor Query Language (VQL) to create custom artifacts that collect, query, and monitor almost any aspect of an endpoint. Velociraptor enables incident response teams to rapidly collect and examine forensic artifacts from across a network, supporting large-scale deployments with minimal performance impact. The client-server architecture with Fleetspeak communication enables real-time data collection from thousands of endpoints simultaneously, with offline endpoints picking up hunts when they reconnect. - - -## When to Use - -- When deploying or configuring implementing velociraptor for ir collection capabilities in your environment -- When establishing security controls aligned to compliance requirements -- When building or improving security architecture for this domain -- When conducting security assessments that require this implementation - -## Prerequisites - -- Familiarity with incident response concepts and tools -- Access to a test or lab environment for safe execution -- Python 3.8+ with required dependencies installed -- Appropriate authorization for any testing activities - -## Architecture - -### Components -- **Velociraptor Server**: Central management console with web UI and API -- **Velociraptor Client (Agent)**: Lightweight agent deployed to endpoints -- **Fleetspeak**: Communication framework between client and server -- **VQL Engine**: Query language engine for artifact collection -- **Filestore**: Server-side storage for collected artifacts -- **Datastore**: Metadata storage for hunts, flows, and client information - -### Supported Platforms -- Windows (7+, Server 2008R2+) -- Linux (Debian, Ubuntu, CentOS, RHEL) -- macOS (10.13+) - -## Deployment - -### Server Installation -```bash -# Download latest release -wget https://github.com/Velocidex/velociraptor/releases/latest/download/velociraptor-linux-amd64 - -# Generate server configuration -./velociraptor-linux-amd64 config generate -i - -# Start the server -./velociraptor-linux-amd64 --config server.config.yaml frontend - -# Or run as systemd service -sudo cp velociraptor-linux-amd64 /usr/local/bin/velociraptor -sudo velociraptor --config /etc/velociraptor/server.config.yaml service install -``` - -### Client Deployment -```bash -# Repack client MSI for Windows deployment -velociraptor --config server.config.yaml config client > client.config.yaml -velociraptor config repack --msi velociraptor-windows-amd64.msi client.config.yaml output.msi - -# Deploy via Group Policy, SCCM, or Intune -# Client runs as a Windows service: "Velociraptor" - -# Linux client deployment -velociraptor --config client.config.yaml client -v - -# macOS client deployment -velociraptor --config client.config.yaml client -v -``` - -### Docker Deployment -```bash -docker run --name velociraptor \ - -v /opt/velociraptor:/velociraptor/data \ - -p 8000:8000 -p 8001:8001 -p 8889:8889 \ - velocidex/velociraptor -``` - -## Core IR Artifact Collection - -### Windows Forensic Artifacts - -```sql --- Collect Windows Event Logs -SELECT * FROM Artifact.Windows.EventLogs.EvtxHunter( - EvtxGlob="C:/Windows/System32/winevt/Logs/*.evtx", - IDRegex="4624|4625|4648|4672|4688|4698|4769|7045" -) - --- Collect Prefetch files for execution evidence -SELECT * FROM Artifact.Windows.Forensics.Prefetch() - --- Collect Shimcache entries -SELECT * FROM Artifact.Windows.Registry.AppCompatCache() - --- Collect Amcache entries -SELECT * FROM Artifact.Windows.Forensics.Amcache() - --- Collect UserAssist data -SELECT * FROM Artifact.Windows.Forensics.UserAssist() - --- Collect NTFS MFT timestamps -SELECT * FROM Artifact.Windows.NTFS.MFT( - MFTFilename="C:/$MFT", - FileRegex=".(exe|dll|ps1|bat|cmd)$" -) - --- Collect scheduled tasks -SELECT * FROM Artifact.Windows.System.TaskScheduler() - --- Collect running processes with hashes -SELECT * FROM Artifact.Windows.System.Pslist() - --- Collect network connections -SELECT * FROM Artifact.Windows.Network.Netstat() - --- Collect DNS cache -SELECT * FROM Artifact.Windows.Network.DNSCache() - --- Collect browser history -SELECT * FROM Artifact.Windows.Applications.Chrome.History() - --- Collect PowerShell history -SELECT * FROM Artifact.Windows.Forensics.PowerShellHistory() - --- Collect autoruns/persistence -SELECT * FROM Artifact.Windows.Persistence.PermanentWMIEvents() -SELECT * FROM Artifact.Windows.System.Services() -SELECT * FROM Artifact.Windows.System.StartupItems() -``` - -### Linux Forensic Artifacts - -```sql --- Collect auth logs -SELECT * FROM Artifact.Linux.Sys.AuthLogs() - --- Collect bash history -SELECT * FROM Artifact.Linux.Forensics.BashHistory() - --- Collect crontab entries -SELECT * FROM Artifact.Linux.Sys.Crontab() - --- Collect running processes -SELECT * FROM Artifact.Linux.Sys.Pslist() - --- Collect network connections -SELECT * FROM Artifact.Linux.Network.Netstat() - --- Collect SSH authorized keys -SELECT * FROM Artifact.Linux.Ssh.AuthorizedKeys() - --- Collect systemd services -SELECT * FROM Artifact.Linux.Services() -``` - -### Triage Collection (All-in-One) - -```sql --- Windows Triage Collection artifact --- Collects event logs, prefetch, registry, browser data, and more -SELECT * FROM Artifact.Windows.KapeFiles.Targets( - Device="C:", - _AllFiles=FALSE, - _EventLogs=TRUE, - _Prefetch=TRUE, - _RegistryHives=TRUE, - _WebBrowsers=TRUE, - _WindowsTimeline=TRUE -) -``` - -## Hunt Operations - -### Creating a Hunt -``` -1. Navigate to Hunt Manager in Velociraptor Web UI -2. Click "New Hunt" -3. Configure: - - Description: "IR Triage - Case 2025-001" - - Include/Exclude labels for targeting - - Artifact selection (e.g., Windows.Forensics.Prefetch) - - Resource limits (CPU, IOPS, timeout) -4. Launch hunt -5. Monitor progress in real-time -``` - -### VQL Hunt Examples - -```sql --- Hunt for specific file hash across all endpoints -SELECT * FROM Artifact.Generic.Detection.HashHunter( - Hashes="e99a18c428cb38d5f260853678922e03" -) - --- Hunt for YARA signatures in memory -SELECT * FROM Artifact.Windows.Detection.Yara.Process( - YaraRule='rule malware { strings: $s1 = "malicious_string" condition: $s1 }' -) - --- Hunt for Sigma rule matches in event logs -SELECT * FROM Artifact.Server.Import.SigmaRules() - --- Hunt for suspicious scheduled tasks -SELECT * FROM Artifact.Windows.System.TaskScheduler() -WHERE Command =~ "powershell|cmd|wscript|mshta|rundll32" - --- Hunt for processes with network connections to suspicious IPs -SELECT * FROM Artifact.Windows.Network.Netstat() -WHERE RemoteAddr =~ "10\\.13\\.37\\." -``` - -## Real-Time Monitoring - -```sql --- Monitor for new process creation -SELECT * FROM watch_etw(guid="{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}") -WHERE EventData.ImageName =~ "powershell|cmd|wscript" - --- Monitor file system changes -SELECT * FROM watch_directory(path="C:/Windows/Temp/") - --- Monitor registry changes -SELECT * FROM watch_registry(key="HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/**") -``` - -## Integration with SIEM/SOAR - -### Splunk Integration -``` -Velociraptor Server --> Elastic/OpenSearch --> Splunk HEC - --> Direct syslog forwarding - --> Velociraptor API --> Custom scripts --> Splunk -``` - -### Elastic Stack Integration -```yaml -# Velociraptor server config for Elastic output -Monitoring: - elastic: - addresses: - - https://elastic.local:9200 - username: velociraptor - password: secure_password - index: velociraptor -``` - -## MITRE ATT&CK Mapping - -| Technique | VQL Artifact | -|-----------|-------------| -| T1059 - Command Scripting | Windows.EventLogs.EvtxHunter (4104, 4688) | -| T1053 - Scheduled Task | Windows.System.TaskScheduler | -| T1547 - Boot/Logon Autostart | Windows.Persistence.PermanentWMIEvents | -| T1003 - OS Credential Dumping | Windows.Detection.Yara.Process | -| T1021 - Remote Services | Windows.EventLogs.EvtxHunter (4624 Type 3/10) | -| T1070 - Indicator Removal | Windows.EventLogs.Cleared | - -## References - -- [Velociraptor Official Documentation](https://docs.velociraptor.app/) -- [Rapid7 Velociraptor Product Page](https://www.rapid7.com/products/velociraptor/) -- [CISA Velociraptor Resource](https://www.cisa.gov/resources-tools/services/velociraptor) -- [Velociraptor GitHub Repository](https://github.com/Velocidex/velociraptor) -- [Pen Test Partners: Large-Scale Velociraptor](https://www.pentestpartners.com/security-blog/using-velociraptor-for-large-scale-endpoint-visibility-and-rapid-threat-hunting/) +{} +---tags: +- velociraptor +- dfir +- endpoint-collection +- vql +- forensic-artifacts +- rapid7 +- threat-hunting +- incident-response +version: '1.0' diff --git a/skills/implementing-web-application-logging-with-modsecurity/SKILL.md b/skills/implementing-web-application-logging-with-modsecurity/SKILL.md index c2f9ffcb..a9c4ceca 100644 --- a/skills/implementing-web-application-logging-with-modsecurity/SKILL.md +++ b/skills/implementing-web-application-logging-with-modsecurity/SKILL.md @@ -1,18 +1,33 @@ --- name: implementing-web-application-logging-with-modsecurity -description: > - Configure ModSecurity WAF with OWASP Core Rule Set (CRS) for web application logging, - tune rules to reduce false positives, analyze audit logs for attack detection, and - implement custom SecRules for application-specific threats. The analyst configures - SecRuleEngine, SecAuditEngine, and CRS paranoia levels to balance security coverage - with operational stability. Activates for requests involving WAF configuration, - ModSecurity rule tuning, web application audit logging, or CRS deployment. +description: 'Configure ModSecurity WAF with OWASP Core Rule Set (CRS) for web application logging, tune rules to reduce false + positives, analyze audit logs for attack detection, and implement custom SecRules for application-specific threats. The + analyst configures SecRuleEngine, SecAuditEngine, and CRS paranoia levels to balance security coverage with operational + stability. Activates for requests involving WAF configuration, ModSecurity rule tuning, web application audit logging, or + CRS deployment. + + ' domain: cybersecurity subdomain: web-application-security -tags: [modsecurity, waf, crs, owasp, web-security, audit-logging, rule-tuning] -version: "1.0" +tags: +- modsecurity +- waf +- crs +- owasp +- web-security +- audit-logging +- rule-tuning +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Implementing Web Application Logging with ModSecurity diff --git a/skills/mapping-mitre-attack-techniques/SKILL.md b/skills/mapping-mitre-attack-techniques/SKILL.md index c4a7a680..21d2b117 100644 --- a/skills/mapping-mitre-attack-techniques/SKILL.md +++ b/skills/mapping-mitre-attack-techniques/SKILL.md @@ -1,17 +1,38 @@ --- name: mapping-mitre-attack-techniques -description: > - Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK - techniques and sub-techniques to quantify detection coverage and guide control prioritization. - Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, - aligning security controls to adversary playbooks, or reporting threat exposure to executives. +description: 'Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques + to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging + SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis. + + ' domain: cybersecurity subdomain: threat-intelligence -tags: [MITRE-ATT&CK, ATT&CK-Navigator, Sigma, D3FEND, TTP, detection-engineering, NIST-CSF] +tags: +- MITRE-ATT&CK +- ATT&CK-Navigator +- Sigma +- D3FEND +- TTP +- detection-engineering +- NIST-CSF version: 1.0.0 author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Mapping MITRE ATT&CK Techniques diff --git a/skills/monitoring-darkweb-sources/SKILL.md b/skills/monitoring-darkweb-sources/SKILL.md index e5cca37f..57486edd 100644 --- a/skills/monitoring-darkweb-sources/SKILL.md +++ b/skills/monitoring-darkweb-sources/SKILL.md @@ -1,18 +1,33 @@ --- name: monitoring-darkweb-sources -description: > - Monitors dark web forums, marketplaces, paste sites, and ransomware leak sites for mentions - of organizational assets, leaked credentials, threatened attacks, and threat actor communications - to provide early warning intelligence. Use when establishing dark web monitoring coverage, - investigating specific data breach claims, or enriching incident investigations with dark web - context. Activates for requests involving dark web OSINT, leak site monitoring, credential - exposure, Recorded Future dark web, or Tor hidden service intelligence. +description: 'Monitors dark web forums, marketplaces, paste sites, and ransomware leak sites for mentions of organizational + assets, leaked credentials, threatened attacks, and threat actor communications to provide early warning intelligence. Use + when establishing dark web monitoring coverage, investigating specific data breach claims, or enriching incident investigations + with dark web context. Activates for requests involving dark web OSINT, leak site monitoring, credential exposure, Recorded + Future dark web, or Tor hidden service intelligence. + + ' domain: cybersecurity subdomain: threat-intelligence -tags: [dark-web, OSINT, credential-monitoring, ransomware-leaks, Recorded-Future, SpiderFoot, CTI] +tags: +- dark-web +- OSINT +- credential-monitoring +- ransomware-leaks +- Recorded-Future +- SpiderFoot +- CTI version: 1.0.0 author: team-cybersecurity license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Monitoring Dark Web Sources diff --git a/skills/performing-active-directory-bloodhound-analysis/SKILL.md b/skills/performing-active-directory-bloodhound-analysis/SKILL.md index 2e04cb7a..2edfaebf 100644 --- a/skills/performing-active-directory-bloodhound-analysis/SKILL.md +++ b/skills/performing-active-directory-bloodhound-analysis/SKILL.md @@ -1,12 +1,26 @@ --- name: performing-active-directory-bloodhound-analysis -description: Use BloodHound and SharpHound to enumerate Active Directory relationships and identify attack paths from compromised users to Domain Admin. +description: Use BloodHound and SharpHound to enumerate Active Directory relationships and identify attack paths from compromised + users to Domain Admin. domain: cybersecurity subdomain: red-teaming -tags: [bloodhound, active-directory, sharphound, attack-path, ad-enumeration, graph-theory, privilege-escalation] -version: "1.0" +tags: +- bloodhound +- active-directory +- sharphound +- attack-path +- ad-enumeration +- graph-theory +- privilege-escalation +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Restore Access +- Password Authentication +- Biometric Authentication +- Strong Password Policy +- Restore User Account Access --- # Performing Active Directory BloodHound Analysis diff --git a/skills/performing-active-directory-compromise-investigation/SKILL.md b/skills/performing-active-directory-compromise-investigation/SKILL.md index 734b4839..80e8236a 100644 --- a/skills/performing-active-directory-compromise-investigation/SKILL.md +++ b/skills/performing-active-directory-compromise-investigation/SKILL.md @@ -1,184 +1,12 @@ --- -name: performing-active-directory-compromise-investigation -description: Investigate Active Directory compromise by analyzing authentication logs, replication metadata, Group Policy changes, and Kerberos ticket anomalies to identify attacker persistence and lateral movement paths. -domain: cybersecurity -subdomain: incident-response -tags: [active-directory, compromise-investigation, identity-forensics, kerberos, lateral-movement, dfir, ntds-dit, golden-ticket] -mitre_attack: ["T1003", "T1558", "T1021", "T1078", "T1484"] -version: "1.0" -author: mahipal -license: Apache-2.0 ---- - -# Performing Active Directory Compromise Investigation - -## Overview - -Active Directory (AD) compromise investigation is a critical incident response capability that focuses on identifying how attackers gained access to domain services, what persistence mechanisms they established, and the scope of credential compromise. Since 88% of breaches involve compromised credentials (Verizon 2025 DBIR), AD is the primary target for enterprise-wide attacks. Investigators must analyze NTDS.dit database integrity, Kerberos ticket-granting activity, Group Policy modifications, replication metadata, and privileged group membership changes to reconstruct the attack chain and determine full compromise scope. - - -## When to Use - -- When conducting security assessments that involve performing active directory compromise investigation -- When following incident response procedures for related security events -- When performing scheduled security testing or auditing activities -- When validating security controls through hands-on testing - -## Prerequisites - -- Familiarity with incident response concepts and tools -- Access to a test or lab environment for safe execution -- Python 3.8+ with required dependencies installed -- Appropriate authorization for any testing activities - -## Key Investigation Areas - -### 1. NTDS.dit Database Analysis - -The NTDS.dit file is the core Active Directory credential database containing all password hashes for domain accounts. Attackers commonly exfiltrate this file using tools like ntdsutil, secretsdump.py, or DCSync attacks via Mimikatz. - -**Detection indicators:** -- Event ID 4662: Access to directory service objects with replication permissions -- Event ID 4742: Computer account modifications on domain controllers -- Volume Shadow Copy creation on domain controllers (Event ID 8222) -- Unusual ntdsutil.exe or vssadmin.exe execution -- Replication traffic from non-DC sources (DCSync detection) - -### 2. Kerberos Attack Detection - -**Golden Ticket indicators:** -- TGT tickets with abnormally long lifetimes (default is 10 hours) -- Event ID 4769 with encryption type 0x17 (RC4) instead of AES -- TGT issued without corresponding Event ID 4768 (AS-REQ) -- Kerberos tickets referencing non-existent or disabled accounts - -**Silver Ticket indicators:** -- Service tickets without corresponding TGT requests -- Event ID 4769 with unusual service names -- Tickets with forged PAC data - -**Kerberoasting indicators:** -- High volume of Event ID 4769 for service accounts -- RC4 encryption requests for accounts that support AES -- Requests from workstations not normally accessing those services - -### 3. Group Policy Abuse - -- GPO modifications granting new privileges (Event ID 5136) -- Scheduled task deployment via GPO -- Software installation policies added to domain -- Login script modifications -- Registry-based policy changes for persistence - -### 4. Privileged Group Enumeration - -Track modifications to these critical groups: -- Domain Admins, Enterprise Admins, Schema Admins -- Account Operators, Backup Operators -- DnsAdmins (can execute arbitrary DLLs on DCs) -- Group Policy Creator Owners -- Protected Users group membership changes - -### 5. Trust Relationship Analysis - -- New forest/domain trusts created (Event ID 4706) -- SID History injection for privilege escalation -- Trust ticket forgery indicators -- Cross-domain authentication anomalies - -## Investigation Methodology - -### Phase 1: Scoping and Evidence Collection -``` -1. Identify potentially compromised domain controllers -2. Collect Security, System, Directory Service event logs -3. Extract AD replication metadata using repadmin -4. Capture ntdsutil snapshots for offline analysis -5. Collect DNS server logs and zone transfer records -6. Export Group Policy Object configurations -7. Document current privileged group memberships -``` - -### Phase 2: Authentication Log Analysis -``` -1. Parse Event ID 4624/4625 for logon patterns -2. Identify pass-the-hash indicators (Event ID 4624 Type 3 with NTLM) -3. Analyze Event ID 4768/4769/4771 for Kerberos anomalies -4. Review Event ID 4776 for NTLM authentication failures -5. Cross-reference logon events with known compromised accounts -6. Map lateral movement paths through authentication chains -``` - -### Phase 3: Persistence and Backdoor Detection -``` -1. Enumerate AdminSDHolder ACL modifications -2. Check for SID History abuse on accounts -3. Verify krbtgt account password age -4. Audit DSRM password configuration -5. Check for skeleton key malware indicators -6. Review AD Certificate Services for rogue certificates -7. Validate DNS records for poisoning -``` - -### Phase 4: Remediation Planning -``` -1. Double-rotate krbtgt password (wait replication between rotations) -2. Reset all compromised account passwords -3. Remove unauthorized privileged group members -4. Revoke rogue certificates if AD CS compromised -5. Rebuild domain controllers from clean media if needed -6. Implement tiered administration model -7. Enable Protected Users group for privileged accounts -``` - -## Critical Event IDs for AD Investigation - -| Event ID | Source | Description | -|----------|--------|-------------| -| 4624 | Security | Successful logon | -| 4625 | Security | Failed logon | -| 4648 | Security | Explicit credential logon | -| 4662 | Security | Operation on AD object | -| 4768 | Security | Kerberos TGT requested | -| 4769 | Security | Kerberos service ticket requested | -| 4771 | Security | Kerberos pre-authentication failed | -| 4776 | Security | NTLM credential validation | -| 5136 | Security | Directory object modified | -| 5137 | Security | Directory object created | -| 4706 | Security | Trust created | -| 4707 | Security | Trust removed | -| 4742 | Security | Computer account changed | -| 8222 | System | Shadow copy created | - -## Tools for AD Investigation - -| Tool | Purpose | -|------|---------| -| **BloodHound** | Attack path mapping and privilege escalation analysis | -| **Pingcastle** | AD security assessment and risk scoring | -| **Purple Knight** | AD vulnerability scanning by Semperis | -| **ADRecon** | Active Directory data gathering | -| **Mimikatz** | Credential extraction and Kerberos analysis | -| **Impacket** | DCSync detection and NTLM relay analysis | -| **Velociraptor** | Remote forensic artifact collection | -| **Timeline Explorer** | Event log timeline analysis | - -## MITRE ATT&CK Mapping - -| Technique | ID | Relevance | -|-----------|----|-----------| -| DCSync | T1003.006 | NTDS.dit credential extraction | -| Golden Ticket | T1558.001 | Kerberos TGT forgery | -| Silver Ticket | T1558.002 | Service ticket forgery | -| Kerberoasting | T1558.003 | Service account hash extraction | -| Pass-the-Hash | T1550.002 | NTLM hash reuse | -| Group Policy Modification | T1484.001 | Persistence via GPO | -| Account Manipulation | T1098 | Privileged group changes | -| SID-History Injection | T1134.005 | Privilege escalation | - -## References - -- [CISA: Detecting and Mitigating Active Directory Compromises](https://www.cisa.gov/resources-tools/resources/detecting-and-mitigating-active-directory-compromises) -- [Microsoft: Total Identity Compromise IR Lessons](https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/total-identity-compromise-microsoft-incident-response-lessons-on-securing-active/3753391) -- [Semperis: Top 10 Active Directory Risks](https://www.semperis.com/blog/10-ad-risks-caught-by-identity-forensics-and-incident-response/) -- [Fidelis: Active Directory Compromise Response](https://fidelissecurity.com/threatgeek/active-directory-security/respond-after-an-active-directory-compromise/) +{} +---tags: +- active-directory +- compromise-investigation +- identity-forensics +- kerberos +- lateral-movement +- dfir +- ntds-dit +- golden-ticket +version: '1.0' diff --git a/skills/performing-active-directory-vulnerability-assessment/SKILL.md b/skills/performing-active-directory-vulnerability-assessment/SKILL.md index fc244234..4244d5bc 100644 --- a/skills/performing-active-directory-vulnerability-assessment/SKILL.md +++ b/skills/performing-active-directory-vulnerability-assessment/SKILL.md @@ -1,12 +1,27 @@ --- name: performing-active-directory-vulnerability-assessment -description: Assess Active Directory security posture using PingCastle, BloodHound, and Purple Knight to identify misconfigurations, privilege escalation paths, and attack vectors. +description: Assess Active Directory security posture using PingCastle, BloodHound, and Purple Knight to identify misconfigurations, + privilege escalation paths, and attack vectors. domain: cybersecurity subdomain: vulnerability-management -tags: [active-directory, pingcastle, bloodhound, purple-knight, ad-security, privilege-escalation, ldap, kerberos] -version: "1.0" +tags: +- active-directory +- pingcastle +- bloodhound +- purple-knight +- ad-security +- privilege-escalation +- ldap +- kerberos +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Restore Object +- Network Traffic Policy Mapping +- Restore Configuration +- Access Modeling +- Operational Activity Mapping --- # Performing Active Directory Vulnerability Assessment diff --git a/skills/performing-agentless-vulnerability-scanning/SKILL.md b/skills/performing-agentless-vulnerability-scanning/SKILL.md index 429d030c..a06ff349 100644 --- a/skills/performing-agentless-vulnerability-scanning/SKILL.md +++ b/skills/performing-agentless-vulnerability-scanning/SKILL.md @@ -1,12 +1,25 @@ --- name: performing-agentless-vulnerability-scanning -description: Configure and execute agentless vulnerability scanning using network protocols, cloud snapshot analysis, and API-based discovery to assess systems without installing endpoint agents. +description: Configure and execute agentless vulnerability scanning using network protocols, cloud snapshot analysis, and + API-based discovery to assess systems without installing endpoint agents. domain: cybersecurity subdomain: vulnerability-management -tags: [agentless-scanning, vulnerability-assessment, cloud-security, ssh, wmi, snapshot-analysis, vuls, tenable] -version: "1.0" +tags: +- agentless-scanning +- vulnerability-assessment +- cloud-security +- ssh +- wmi +- snapshot-analysis +- vuls +- tenable +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- GOVERN-1.1 +- MEASURE-2.7 +- MANAGE-3.1 --- # Performing Agentless Vulnerability Scanning diff --git a/skills/performing-ai-driven-osint-correlation/SKILL.md b/skills/performing-ai-driven-osint-correlation/SKILL.md index 84b270c5..86ee145c 100644 --- a/skills/performing-ai-driven-osint-correlation/SKILL.md +++ b/skills/performing-ai-driven-osint-correlation/SKILL.md @@ -1,26 +1,39 @@ --- name: performing-ai-driven-osint-correlation -description: >- - Use AI and LLM-based reasoning to correlate findings across multiple OSINT - sources—username enumeration, email lookups, social media profiles, domain - records, breach databases, and dark-web mentions—into unified intelligence - profiles with confidence scoring and link analysis. +description: Use AI and LLM-based reasoning to correlate findings across multiple OSINT sources—username enumeration, email + lookups, social media profiles, domain records, breach databases, and dark-web mentions—into unified intelligence profiles + with confidence scoring and link analysis. domain: cybersecurity subdomain: threat-intelligence tags: - - osint - - ai-correlation - - threat-intelligence - - reconnaissance - - link-analysis - - target-profiling - - sherlock - - theharvester - - spiderfoot - - maltego -version: "1.0" +- osint +- ai-correlation +- threat-intelligence +- reconnaissance +- link-analysis +- target-profiling +- sherlock +- theharvester +- spiderfoot +- maltego +version: '1.0' author: juliosuas license: Apache-2.0 +atlas_techniques: +- AML.T0051 +- AML.T0054 +- AML.T0056 +nist_ai_rmf: +- MEASURE-2.7 +- MEASURE-2.5 +- GOVERN-6.1 +- MAP-5.1 +d3fend_techniques: +- Identifier Analysis +- URL Analysis +- Identifier Reputation Analysis +- User Behavior Analysis +- Content Validation --- # Performing AI-Driven OSINT Correlation diff --git a/skills/performing-alert-triage-with-elastic-siem/SKILL.md b/skills/performing-alert-triage-with-elastic-siem/SKILL.md index ebf17b03..d98a6563 100644 --- a/skills/performing-alert-triage-with-elastic-siem/SKILL.md +++ b/skills/performing-alert-triage-with-elastic-siem/SKILL.md @@ -1,12 +1,27 @@ --- name: performing-alert-triage-with-elastic-siem -description: Perform systematic alert triage in Elastic Security SIEM to rapidly classify, prioritize, and investigate security alerts for SOC operations. +description: Perform systematic alert triage in Elastic Security SIEM to rapidly classify, prioritize, and investigate security + alerts for SOC operations. domain: cybersecurity subdomain: soc-operations -tags: [elastic, siem, alert-triage, soc, elastic-security, detection, esql, kibana] -version: "1.0" +tags: +- elastic +- siem +- alert-triage +- soc +- elastic-security +- detection +- esql +- kibana +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Token Binding +- Restore Access +- Application Protocol Command Analysis +- Password Authentication +- Reissue Credential --- # Performing Alert Triage with Elastic SIEM diff --git a/skills/performing-clickjacking-attack-test/SKILL.md b/skills/performing-clickjacking-attack-test/SKILL.md index 8070ebda..5c9128e1 100644 --- a/skills/performing-clickjacking-attack-test/SKILL.md +++ b/skills/performing-clickjacking-attack-test/SKILL.md @@ -1,12 +1,25 @@ --- name: performing-clickjacking-attack-test -description: Testing web applications for clickjacking vulnerabilities by assessing frame embedding controls and crafting proof-of-concept overlay attacks during authorized security assessments. +description: Testing web applications for clickjacking vulnerabilities by assessing frame embedding controls and crafting + proof-of-concept overlay attacks during authorized security assessments. domain: cybersecurity subdomain: web-application-security -tags: [penetration-testing, clickjacking, ui-redressing, web-security, owasp, x-frame-options] -version: "1.0" +tags: +- penetration-testing +- clickjacking +- ui-redressing +- web-security +- owasp +- x-frame-options +version: '1.0' author: mahipal license: Apache-2.0 +atlas_techniques: +- AML.T0024 +- AML.T0035 +nist_ai_rmf: +- MEASURE-2.8 +- MAP-5.1 --- # Performing Clickjacking Attack Test diff --git a/skills/performing-cloud-incident-containment-procedures/SKILL.md b/skills/performing-cloud-incident-containment-procedures/SKILL.md index 4d01d222..1986af4f 100644 --- a/skills/performing-cloud-incident-containment-procedures/SKILL.md +++ b/skills/performing-cloud-incident-containment-procedures/SKILL.md @@ -1,285 +1,12 @@ --- -name: performing-cloud-incident-containment-procedures -description: Execute cloud-native incident containment across AWS, Azure, and GCP by isolating compromised resources, revoking credentials, preserving forensic evidence, and applying security group restrictions to prevent lateral movement. -domain: cybersecurity -subdomain: incident-response -tags: [cloud-security, incident-containment, aws, azure, gcp, cloud-forensics, credential-revocation, network-isolation] -mitre_attack: ["T1078", "T1537", "T1580", "T1525", "T1098"] -version: "1.0" -author: mahipal -license: Apache-2.0 ---- - -# Performing Cloud Incident Containment Procedures - -## Overview - -Cloud incident containment requires cloud-native approaches that differ significantly from traditional on-premises response. Containment procedures must leverage platform-specific controls including security groups, IAM policies, network ACLs, and service-level isolation to restrict compromised resources while preserving forensic evidence. According to the 2025 Unit 42 Global Incident Response Report, responding to cloud incidents requires understanding shared responsibility models, ephemeral infrastructure, and API-driven operations. Effective containment involves credential revocation, resource isolation, evidence snapshot creation, and automated response playbook execution. - - -## When to Use - -- When conducting security assessments that involve performing cloud incident containment procedures -- When following incident response procedures for related security events -- When performing scheduled security testing or auditing activities -- When validating security controls through hands-on testing - -## Prerequisites - -- Familiarity with incident response concepts and tools -- Access to a test or lab environment for safe execution -- Python 3.8+ with required dependencies installed -- Appropriate authorization for any testing activities - -## AWS Containment Procedures - -### 1. Credential Compromise Containment - -```bash -# Disable compromised IAM user access keys -aws iam update-access-key --user-name compromised-user \ - --access-key-id AKIA... --status Inactive - -# List and disable all access keys for user -aws iam list-access-keys --user-name compromised-user -aws iam delete-access-key --user-name compromised-user --access-key-id AKIA... - -# Attach deny-all policy to compromised user -aws iam put-user-policy --user-name compromised-user \ - --policy-name DenyAll \ - --policy-document '{ - "Version": "2012-10-17", - "Statement": [{ - "Effect": "Deny", - "Action": "*", - "Resource": "*" - }] - }' - -# Revoke all active sessions for IAM role -aws iam put-role-policy --role-name compromised-role \ - --policy-name RevokeOldSessions \ - --policy-document '{ - "Version": "2012-10-17", - "Statement": [{ - "Effect": "Deny", - "Action": "*", - "Resource": "*", - "Condition": { - "DateLessThan": {"aws:TokenIssueTime": "'$(date -u +%Y-%m-%dT%H:%M:%SZ)'"} - } - }] - }' - -# Invalidate temporary credentials by updating role trust policy -aws iam update-assume-role-policy --role-name compromised-role \ - --policy-document '{"Version":"2012-10-17","Statement":[]}' -``` - -### 2. EC2 Instance Isolation - -```bash -# Create quarantine security group (no inbound, no outbound) -aws ec2 create-security-group --group-name quarantine-sg \ - --description "Quarantine - No traffic allowed" --vpc-id vpc-xxxxx - -# Remove all rules from quarantine SG (default allows outbound) -aws ec2 revoke-security-group-egress --group-id sg-quarantine \ - --ip-permissions '[{"IpProtocol":"-1","FromPort":-1,"ToPort":-1,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]' - -# Take forensic snapshot BEFORE containment -aws ec2 create-snapshot --volume-id vol-xxxxx \ - --description "Forensic snapshot - IR Case 2025-001" \ - --tag-specifications 'ResourceType=snapshot,Tags=[{Key=IR-Case,Value=2025-001}]' - -# Apply quarantine security group to compromised instance -aws ec2 modify-instance-attribute --instance-id i-xxxxx \ - --groups sg-quarantine - -# Tag instance as compromised -aws ec2 create-tags --resources i-xxxxx \ - --tags Key=IR-Status,Value=Contained Key=IR-Case,Value=2025-001 - -# Capture memory (if SSM agent available) -aws ssm send-command --instance-ids i-xxxxx \ - --document-name "AWS-RunShellScript" \ - --parameters 'commands=["dd if=/dev/mem of=/tmp/memory.dump bs=1M"]' -``` - -### 3. S3 Bucket Containment - -```bash -# Block all public access -aws s3api put-public-access-block --bucket compromised-bucket \ - --public-access-block-configuration \ - BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true - -# Apply deny policy to bucket -aws s3api put-bucket-policy --bucket compromised-bucket \ - --policy '{ - "Version": "2012-10-17", - "Statement": [{ - "Sid": "DenyAllExceptForensics", - "Effect": "Deny", - "NotPrincipal": {"AWS": "arn:aws:iam::ACCOUNT:role/IR-Forensics"}, - "Action": "s3:*", - "Resource": ["arn:aws:s3:::compromised-bucket","arn:aws:s3:::compromised-bucket/*"] - }] - }' - -# Enable versioning to preserve evidence -aws s3api put-bucket-versioning --bucket compromised-bucket \ - --versioning-configuration Status=Enabled - -# Enable Object Lock for evidence preservation -aws s3api put-object-lock-configuration --bucket evidence-bucket \ - --object-lock-configuration '{ - "ObjectLockEnabled": "Enabled", - "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}} - }' -``` - -### 4. Lambda Function Containment - -```bash -# Set reserved concurrency to 0 (stops all invocations) -aws lambda put-function-concurrency --function-name compromised-function \ - --reserved-concurrent-executions 0 - -# Remove all event source mappings -aws lambda list-event-source-mappings --function-name compromised-function -aws lambda delete-event-source-mapping --uuid mapping-uuid -``` - -## Azure Containment Procedures - -### 1. Identity Containment - -```powershell -# Revoke all user sessions -Revoke-AzureADUserAllRefreshToken -ObjectId "user-object-id" - -# Disable user account -Set-AzureADUser -ObjectId "user-object-id" -AccountEnabled $false - -# Reset user password -Set-AzureADUserPassword -ObjectId "user-object-id" -Password ( - ConvertTo-SecureString "TempP@ss!" -AsPlainText -Force -) -ForceChangePasswordNextLogin $true - -# Block sign-in via Conditional Access (emergency policy) -# Create policy blocking user from all cloud apps - -# Revoke Azure AD application consent -Remove-AzureADServiceAppRoleAssignment -ObjectId "sp-object-id" \ - -AppRoleAssignmentId "assignment-id" -``` - -### 2. VM Isolation - -```powershell -# Create Network Security Group with deny-all rules -$nsg = New-AzNetworkSecurityGroup -ResourceGroupName "rg" -Location "eastus" ` - -Name "quarantine-nsg" ` - -SecurityRules @( - New-AzNetworkSecurityRuleConfig -Name "DenyAllInbound" -Protocol * ` - -Direction Inbound -Priority 100 -SourceAddressPrefix * ` - -SourcePortRange * -DestinationAddressPrefix * ` - -DestinationPortRange * -Access Deny, - New-AzNetworkSecurityRuleConfig -Name "DenyAllOutbound" -Protocol * ` - -Direction Outbound -Priority 100 -SourceAddressPrefix * ` - -SourcePortRange * -DestinationAddressPrefix * ` - -DestinationPortRange * -Access Deny - ) - -# Take disk snapshot for forensics -$vm = Get-AzVM -ResourceGroupName "rg" -Name "compromised-vm" -$snapshotConfig = New-AzSnapshotConfig -SourceUri $vm.StorageProfile.OsDisk.ManagedDisk.Id ` - -Location "eastus" -CreateOption Copy -New-AzSnapshot -ResourceGroupName "rg" -SnapshotName "forensic-snap" -Snapshot $snapshotConfig - -# Apply quarantine NSG to VM NIC -$nic = Get-AzNetworkInterface -ResourceGroupName "rg" -Name "compromised-nic" -$nic.NetworkSecurityGroup = $nsg -Set-AzNetworkInterface -NetworkInterface $nic -``` - -### 3. Storage Account Containment - -```powershell -# Remove network access -Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "rg" ` - -Name "storageaccount" -DefaultAction Deny - -# Regenerate access keys -New-AzStorageAccountKey -ResourceGroupName "rg" -Name "storageaccount" -KeyName key1 -New-AzStorageAccountKey -ResourceGroupName "rg" -Name "storageaccount" -KeyName key2 - -# Revoke all SAS tokens (by rotating keys) -# Enable immutability for evidence preservation -``` - -## GCP Containment Procedures - -### 1. IAM Containment - -```bash -# Remove all IAM bindings for compromised service account -gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json -# Edit policy.json to remove compromised account bindings -gcloud projects set-iam-policy PROJECT_ID policy.json - -# Disable service account -gcloud iam service-accounts disable SA_EMAIL - -# Delete service account keys -gcloud iam service-accounts keys list --iam-account SA_EMAIL -gcloud iam service-accounts keys delete KEY_ID --iam-account SA_EMAIL -``` - -### 2. Compute Instance Isolation - -```bash -# Create forensic snapshot -gcloud compute disks snapshot compromised-disk \ - --snapshot-names forensic-snap-$(date +%Y%m%d) \ - --zone us-central1-a - -# Apply firewall rule to deny all traffic -gcloud compute firewall-rules create quarantine-deny-all \ - --network default --action DENY --rules all \ - --target-tags quarantine --priority 0 - -# Tag compromised instance -gcloud compute instances add-tags compromised-instance \ - --tags quarantine --zone us-central1-a - -# Remove external IP -gcloud compute instances delete-access-config compromised-instance \ - --access-config-name "External NAT" --zone us-central1-a -``` - -## Evidence Preservation Best Practices - -1. **Always snapshot before containment** - Create disk/volume snapshots before network isolation -2. **Preserve CloudTrail/Activity Logs** - Copy logs to write-protected storage -3. **Document all actions** - Timestamp every containment step taken -4. **Use break-glass procedures** - Pre-establish emergency access for IR team -5. **Maintain forensic chain of custody** - Hash all evidence artifacts - -## MITRE ATT&CK Cloud Techniques - -| Technique | Containment Action | -|-----------|-------------------| -| T1078 - Valid Accounts | Disable accounts, revoke tokens | -| T1530 - Data from Cloud Storage | Lock down bucket/storage policies | -| T1537 - Transfer to Cloud Account | Block cross-account access | -| T1578 - Modify Cloud Compute | Isolate instances, snapshot disks | -| T1552 - Unsecured Credentials | Rotate all access keys and secrets | - -## References - -- [Sygnia: Cloud Incident Response Best Practices](https://www.sygnia.co/blog/incident-response-to-cloud-security-incidents-aws-azure-and-gcp-best-practices/) -- [Unit 42: Responding to Cloud Incidents](https://unit42.paloaltonetworks.com/responding-to-cloud-incidents/) -- [Wiz: Cloud Incident Response Checklist](https://www.wiz.io/academy/incident-response-checklist) -- [Microsoft Cloud Security Benchmark - IR](https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-incident-response) +{} +---tags: +- cloud-security +- incident-containment +- aws +- azure +- gcp +- cloud-forensics +- credential-revocation +- network-isolation +version: '1.0' diff --git a/skills/performing-cloud-storage-forensic-acquisition/SKILL.md b/skills/performing-cloud-storage-forensic-acquisition/SKILL.md index c1c8c251..7619b300 100644 --- a/skills/performing-cloud-storage-forensic-acquisition/SKILL.md +++ b/skills/performing-cloud-storage-forensic-acquisition/SKILL.md @@ -1,12 +1,31 @@ --- name: performing-cloud-storage-forensic-acquisition -description: Perform forensic acquisition and analysis of cloud storage services including Google Drive, OneDrive, Dropbox, and Box by collecting both API-based remote data and local sync client artifacts from endpoint devices. +description: Perform forensic acquisition and analysis of cloud storage services including Google Drive, OneDrive, Dropbox, + and Box by collecting both API-based remote data and local sync client artifacts from endpoint devices. domain: cybersecurity subdomain: digital-forensics -tags: [cloud-forensics, google-drive, onedrive, dropbox, box, cloud-acquisition, api-forensics, sync-client, endpoint-artifacts, magnet-axiom] -version: "1.0" +tags: +- cloud-forensics +- google-drive +- onedrive +- dropbox +- box +- cloud-acquisition +- api-forensics +- sync-client +- endpoint-artifacts +- magnet-axiom +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Performing Cloud Storage Forensic Acquisition diff --git a/skills/performing-credential-access-with-lazagne/SKILL.md b/skills/performing-credential-access-with-lazagne/SKILL.md index 8506eab0..345c2440 100644 --- a/skills/performing-credential-access-with-lazagne/SKILL.md +++ b/skills/performing-credential-access-with-lazagne/SKILL.md @@ -1,12 +1,26 @@ --- name: performing-credential-access-with-lazagne -description: Extract stored credentials from compromised endpoints using the LaZagne post-exploitation tool to recover passwords from browsers, databases, system vaults, and applications during authorized red team operations. +description: Extract stored credentials from compromised endpoints using the LaZagne post-exploitation tool to recover passwords + from browsers, databases, system vaults, and applications during authorized red team operations. domain: cybersecurity subdomain: red-teaming -tags: [red-team, credential-access, lazagne, post-exploitation, password-recovery, credential-dumping, lateral-movement] -version: "1.0" +tags: +- red-team +- credential-access +- lazagne +- post-exploitation +- password-recovery +- credential-dumping +- lateral-movement +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis +- Platform Hardening +- File Format Verification --- # Performing Credential Access with LaZagne diff --git a/skills/performing-cve-prioritization-with-kev-catalog/SKILL.md b/skills/performing-cve-prioritization-with-kev-catalog/SKILL.md index c54cf3ae..7ab32cd5 100644 --- a/skills/performing-cve-prioritization-with-kev-catalog/SKILL.md +++ b/skills/performing-cve-prioritization-with-kev-catalog/SKILL.md @@ -1,12 +1,28 @@ --- name: performing-cve-prioritization-with-kev-catalog -description: Leverage the CISA Known Exploited Vulnerabilities catalog alongside EPSS and CVSS to prioritize CVE remediation based on real-world exploitation evidence. +description: Leverage the CISA Known Exploited Vulnerabilities catalog alongside EPSS and CVSS to prioritize CVE remediation + based on real-world exploitation evidence. domain: cybersecurity subdomain: vulnerability-management -tags: [cisa-kev, cve, vulnerability-prioritization, epss, bod-22-01, threat-intelligence, remediation] -version: "1.0" +tags: +- cisa-kev +- cve +- vulnerability-prioritization +- epss +- bod-22-01 +- threat-intelligence +- remediation +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Performing CVE Prioritization with KEV Catalog diff --git a/skills/performing-dynamic-analysis-with-any-run/SKILL.md b/skills/performing-dynamic-analysis-with-any-run/SKILL.md index 13d2e18a..5ce304b3 100644 --- a/skills/performing-dynamic-analysis-with-any-run/SKILL.md +++ b/skills/performing-dynamic-analysis-with-any-run/SKILL.md @@ -1,16 +1,27 @@ --- name: performing-dynamic-analysis-with-any-run -description: > - Performs interactive dynamic malware analysis using the ANY.RUN cloud sandbox to observe - real-time execution behavior, interact with malware prompts, and capture process trees, - network traffic, and system changes. Activates for requests involving interactive sandbox - analysis, cloud-based malware detonation, real-time behavioral observation, or ANY.RUN usage. +description: 'Performs interactive dynamic malware analysis using the ANY.RUN cloud sandbox to observe real-time execution + behavior, interact with malware prompts, and capture process trees, network traffic, and system changes. Activates for requests + involving interactive sandbox analysis, cloud-based malware detonation, real-time behavioral observation, or ANY.RUN usage. + + ' domain: cybersecurity subdomain: malware-analysis -tags: [malware, dynamic-analysis, sandbox, ANY.RUN, interactive-analysis] +tags: +- malware +- dynamic-analysis +- sandbox +- ANY.RUN +- interactive-analysis version: 1.0.0 author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- # Performing Dynamic Analysis with ANY.RUN diff --git a/skills/performing-false-positive-reduction-in-siem/SKILL.md b/skills/performing-false-positive-reduction-in-siem/SKILL.md index b801834a..e909926a 100644 --- a/skills/performing-false-positive-reduction-in-siem/SKILL.md +++ b/skills/performing-false-positive-reduction-in-siem/SKILL.md @@ -1,12 +1,26 @@ --- name: performing-false-positive-reduction-in-siem -description: Perform systematic SIEM false positive reduction through rule tuning, threshold adjustment, correlation refinement, and threat intelligence enrichment to combat alert fatigue. +description: Perform systematic SIEM false positive reduction through rule tuning, threshold adjustment, correlation refinement, + and threat intelligence enrichment to combat alert fatigue. domain: cybersecurity subdomain: soc-operations -tags: [siem, false-positive, alert-tuning, detection-engineering, alert-fatigue, soc, correlation] -version: "1.0" +tags: +- siem +- false-positive +- alert-tuning +- detection-engineering +- alert-fatigue +- soc +- correlation +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Token Binding +- Restore Access +- Password Authentication +- Reissue Credential +- Strong Password Policy --- # Performing False Positive Reduction in SIEM diff --git a/skills/performing-fuzzing-with-aflplusplus/SKILL.md b/skills/performing-fuzzing-with-aflplusplus/SKILL.md index f36f3898..14857b12 100644 --- a/skills/performing-fuzzing-with-aflplusplus/SKILL.md +++ b/skills/performing-fuzzing-with-aflplusplus/SKILL.md @@ -1,18 +1,32 @@ --- name: performing-fuzzing-with-aflplusplus -description: > - Perform coverage-guided fuzzing of compiled binaries using AFL++ (American Fuzzy Lop Plus Plus) - to discover memory corruption, crashes, and security vulnerabilities. The tester instruments - target binaries with afl-cc/afl-clang-fast, manages input corpora with afl-cmin and afl-tmin, - runs parallel fuzzing campaigns with afl-fuzz, and triages crashes using CASR or GDB scripts. - Activates for requests involving binary fuzzing, crash discovery, coverage-guided testing, or - AFL++ fuzzing campaigns. +description: 'Perform coverage-guided fuzzing of compiled binaries using AFL++ (American Fuzzy Lop Plus Plus) to discover + memory corruption, crashes, and security vulnerabilities. The tester instruments target binaries with afl-cc/afl-clang-fast, + manages input corpora with afl-cmin and afl-tmin, runs parallel fuzzing campaigns with afl-fuzz, and triages crashes using + CASR or GDB scripts. Activates for requests involving binary fuzzing, crash discovery, coverage-guided testing, or AFL++ + fuzzing campaigns. + + ' domain: cybersecurity subdomain: application-security -tags: [fuzzing, aflplusplus, coverage-guided, crash-triage, binary-analysis, security-testing] -version: "1.0" +tags: +- fuzzing +- aflplusplus +- coverage-guided +- crash-triage +- binary-analysis +- security-testing +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Performing Fuzzing with AFL++ diff --git a/skills/performing-gcp-penetration-testing-with-gcpbucketbrute/SKILL.md b/skills/performing-gcp-penetration-testing-with-gcpbucketbrute/SKILL.md index 52d3ea00..665ece09 100644 --- a/skills/performing-gcp-penetration-testing-with-gcpbucketbrute/SKILL.md +++ b/skills/performing-gcp-penetration-testing-with-gcpbucketbrute/SKILL.md @@ -1,12 +1,27 @@ --- name: performing-gcp-penetration-testing-with-gcpbucketbrute -description: Perform GCP security testing using GCPBucketBrute for storage bucket enumeration, gcloud IAM privilege escalation path analysis, and service account permission auditing +description: Perform GCP security testing using GCPBucketBrute for storage bucket enumeration, gcloud IAM privilege escalation + path analysis, and service account permission auditing domain: cybersecurity subdomain: cloud-security -tags: [gcp, cloud-pentesting, bucket-enumeration, iam-audit, privilege-escalation, gcpbucketbrute] -version: "1.0" +tags: +- gcp +- cloud-pentesting +- bucket-enumeration +- iam-audit +- privilege-escalation +- gcpbucketbrute +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Performing GCP Penetration Testing with GCPBucketBrute diff --git a/skills/performing-gcp-security-assessment-with-forseti/SKILL.md b/skills/performing-gcp-security-assessment-with-forseti/SKILL.md index 96d1ba67..411d1f55 100644 --- a/skills/performing-gcp-security-assessment-with-forseti/SKILL.md +++ b/skills/performing-gcp-security-assessment-with-forseti/SKILL.md @@ -1,15 +1,32 @@ --- name: performing-gcp-security-assessment-with-forseti -description: > - Performing comprehensive security assessments of Google Cloud Platform environments using - Forseti Security, Security Command Center, and gcloud CLI to audit IAM policies, firewall - rules, storage permissions, and compliance against CIS GCP Foundations Benchmark. +description: 'Performing comprehensive security assessments of Google Cloud Platform environments using Forseti Security, + Security Command Center, and gcloud CLI to audit IAM policies, firewall rules, storage permissions, and compliance against + CIS GCP Foundations Benchmark. + + ' domain: cybersecurity subdomain: cloud-security -tags: [cloud-security, gcp, forseti, security-command-center, iam-audit, cis-benchmark] -version: "1.0" +tags: +- cloud-security +- gcp +- forseti +- security-command-center +- iam-audit +- cis-benchmark +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +- GOVERN-1.1 +- GOVERN-4.2 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Performing GCP Security Assessment with Forseti diff --git a/skills/performing-hardware-security-module-integration/SKILL.md b/skills/performing-hardware-security-module-integration/SKILL.md index 6296cb17..3f04bb69 100644 --- a/skills/performing-hardware-security-module-integration/SKILL.md +++ b/skills/performing-hardware-security-module-integration/SKILL.md @@ -1,12 +1,28 @@ --- name: performing-hardware-security-module-integration -description: Integrate Hardware Security Modules (HSMs) using PKCS#11 interface for cryptographic key management, signing operations, and secure key storage with python-pkcs11, AWS CloudHSM, and YubiHSM2. +description: Integrate Hardware Security Modules (HSMs) using PKCS#11 interface for cryptographic key management, signing + operations, and secure key storage with python-pkcs11, AWS CloudHSM, and YubiHSM2. domain: cybersecurity subdomain: cryptography -tags: [HSM, PKCS11, CloudHSM, YubiHSM2, key-management, cryptographic-operations, hardware-security] -version: "1.0" +tags: +- HSM +- PKCS11 +- CloudHSM +- YubiHSM2 +- key-management +- cryptographic-operations +- hardware-security +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Performing Hardware Security Module Integration diff --git a/skills/performing-ics-asset-discovery-with-claroty/SKILL.md b/skills/performing-ics-asset-discovery-with-claroty/SKILL.md index 2974299c..33d8e287 100644 --- a/skills/performing-ics-asset-discovery-with-claroty/SKILL.md +++ b/skills/performing-ics-asset-discovery-with-claroty/SKILL.md @@ -1,16 +1,32 @@ --- name: performing-ics-asset-discovery-with-claroty -description: > - Perform comprehensive ICS/OT asset discovery using Claroty xDome platform, - leveraging passive monitoring, Claroty Edge active queries, and integration - ecosystem to gain full visibility into industrial control system assets - including PLCs, RTUs, HMIs, and network infrastructure across Purdue Model levels. +description: 'Perform comprehensive ICS/OT asset discovery using Claroty xDome platform, leveraging passive monitoring, Claroty + Edge active queries, and integration ecosystem to gain full visibility into industrial control system assets including PLCs, + RTUs, HMIs, and network infrastructure across Purdue Model levels. + + ' domain: cybersecurity subdomain: ot-ics-security -tags: [ot-security, ics, asset-discovery, claroty, xdome, scada, network-visibility, iec62443] -version: "1.0" +tags: +- ot-security +- ics +- asset-discovery +- claroty +- xdome +- scada +- network-visibility +- iec62443 +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Performing ICS Asset Discovery with Claroty diff --git a/skills/performing-initial-access-with-evilginx3/SKILL.md b/skills/performing-initial-access-with-evilginx3/SKILL.md index 3aefd58e..64589234 100644 --- a/skills/performing-initial-access-with-evilginx3/SKILL.md +++ b/skills/performing-initial-access-with-evilginx3/SKILL.md @@ -1,12 +1,26 @@ --- name: performing-initial-access-with-evilginx3 -description: Perform authorized initial access using EvilGinx3 adversary-in-the-middle phishing framework to capture session tokens and bypass multi-factor authentication during red team engagements. +description: Perform authorized initial access using EvilGinx3 adversary-in-the-middle phishing framework to capture session + tokens and bypass multi-factor authentication during red team engagements. domain: cybersecurity subdomain: red-teaming -tags: [red-team, initial-access, phishing, evilginx, mfa-bypass, adversary-in-the-middle, credential-theft] -version: "1.0" +tags: +- red-team +- initial-access +- phishing +- evilginx +- mfa-bypass +- adversary-in-the-middle +- credential-theft +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- # Performing Initial Access with EvilGinx3 diff --git a/skills/performing-kerberoasting-attack/SKILL.md b/skills/performing-kerberoasting-attack/SKILL.md index dfe120a9..299097bb 100644 --- a/skills/performing-kerberoasting-attack/SKILL.md +++ b/skills/performing-kerberoasting-attack/SKILL.md @@ -1,12 +1,27 @@ --- name: performing-kerberoasting-attack -description: Kerberoasting is a post-exploitation technique that targets service accounts in Active Directory by requesting Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names +description: Kerberoasting is a post-exploitation technique that targets service accounts in Active Directory by requesting + Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names domain: cybersecurity subdomain: red-teaming -tags: [red-team, adversary-simulation, mitre-attack, exploitation, post-exploitation, kerberoasting, active-directory, credential-access] -version: "1.0" +tags: +- red-team +- adversary-simulation +- mitre-attack +- exploitation +- post-exploitation +- kerberoasting +- active-directory +- credential-access +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Network Traffic Community Deviation --- # Performing Kerberoasting Attack diff --git a/skills/performing-lateral-movement-detection/SKILL.md b/skills/performing-lateral-movement-detection/SKILL.md index 851f8075..2ab5167e 100644 --- a/skills/performing-lateral-movement-detection/SKILL.md +++ b/skills/performing-lateral-movement-detection/SKILL.md @@ -1,15 +1,31 @@ --- name: performing-lateral-movement-detection -description: > - Detects lateral movement techniques including Pass-the-Hash, PsExec, WMI execution, RDP pivoting, - and SMB-based spreading using SIEM correlation of Windows event logs, network flow data, and - endpoint telemetry mapped to MITRE ATT&CK Lateral Movement (TA0008) techniques. +description: 'Detects lateral movement techniques including Pass-the-Hash, PsExec, WMI execution, RDP pivoting, and SMB-based + spreading using SIEM correlation of Windows event logs, network flow data, and endpoint telemetry mapped to MITRE ATT&CK + Lateral Movement (TA0008) techniques. + + ' domain: cybersecurity subdomain: soc-operations -tags: [soc, lateral-movement, mitre-attack, pass-the-hash, psexec, wmi, rdp, smb, detection] -version: "1.0" +tags: +- soc +- lateral-movement +- mitre-attack +- pass-the-hash +- psexec +- wmi +- rdp +- smb +- detection +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Token Binding +- Execution Isolation +- Restore Access +- Application Protocol Command Analysis +- Process Termination --- # Performing Lateral Movement Detection diff --git a/skills/performing-lateral-movement-with-wmiexec/SKILL.md b/skills/performing-lateral-movement-with-wmiexec/SKILL.md index f59754a1..e9e13072 100644 --- a/skills/performing-lateral-movement-with-wmiexec/SKILL.md +++ b/skills/performing-lateral-movement-with-wmiexec/SKILL.md @@ -1,12 +1,26 @@ --- name: performing-lateral-movement-with-wmiexec -description: Perform lateral movement across Windows networks using WMI-based remote execution techniques including Impacket wmiexec.py, CrackMapExec, and native WMI commands for stealthy post-exploitation during red team engagements. +description: Perform lateral movement across Windows networks using WMI-based remote execution techniques including Impacket + wmiexec.py, CrackMapExec, and native WMI commands for stealthy post-exploitation during red team engagements. domain: cybersecurity subdomain: red-teaming -tags: [red-team, lateral-movement, wmiexec, wmi, post-exploitation, impacket, windows] -version: "1.0" +tags: +- red-team +- lateral-movement +- wmiexec +- wmi +- post-exploitation +- impacket +- windows +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis --- # Performing Lateral Movement with WMIExec diff --git a/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md b/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md index 5ab93348..38f9737a 100644 --- a/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md +++ b/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md @@ -1,12 +1,26 @@ --- name: performing-memory-forensics-with-volatility3-plugins -description: Analyze memory dumps using Volatility3 plugins to detect injected code, rootkits, credential theft, and malware artifacts in Windows, Linux, and macOS memory images. +description: Analyze memory dumps using Volatility3 plugins to detect injected code, rootkits, credential theft, and malware + artifacts in Windows, Linux, and macOS memory images. domain: cybersecurity subdomain: malware-analysis -tags: [memory-forensics, volatility3, malware-analysis, incident-response, process-injection, rootkit-detection, dfir] -version: "1.0" +tags: +- memory-forensics +- volatility3 +- malware-analysis +- incident-response +- process-injection +- rootkit-detection +- dfir +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Performing Memory Forensics with Volatility3 Plugins diff --git a/skills/performing-physical-intrusion-assessment/SKILL.md b/skills/performing-physical-intrusion-assessment/SKILL.md index 24cbe3c5..adfcd144 100644 --- a/skills/performing-physical-intrusion-assessment/SKILL.md +++ b/skills/performing-physical-intrusion-assessment/SKILL.md @@ -1,12 +1,26 @@ --- name: performing-physical-intrusion-assessment -description: Conduct authorized physical penetration testing using tailgating, badge cloning, lock bypassing, and rogue device deployment to evaluate facility security controls. +description: Conduct authorized physical penetration testing using tailgating, badge cloning, lock bypassing, and rogue device + deployment to evaluate facility security controls. domain: cybersecurity subdomain: red-teaming -tags: [physical-security, red-team, tailgating, badge-cloning, lock-picking, rfid, physical-pentest] -version: "1.0" +tags: +- physical-security +- red-team +- tailgating +- badge-cloning +- lock-picking +- rfid +- physical-pentest +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Platform Hardening +- Hardware Component Inventory +- Electromagnetic Radiation Hardening +- RF Shielding +- Asset Inventory --- # Performing Physical Intrusion Assessment diff --git a/skills/performing-privilege-escalation-assessment/SKILL.md b/skills/performing-privilege-escalation-assessment/SKILL.md index 74955a06..b0f0c269 100644 --- a/skills/performing-privilege-escalation-assessment/SKILL.md +++ b/skills/performing-privilege-escalation-assessment/SKILL.md @@ -1,18 +1,29 @@ --- name: performing-privilege-escalation-assessment -description: > - Performs privilege escalation assessments on compromised Linux and Windows systems to identify - paths from low-privilege access to root or SYSTEM-level control. The tester enumerates - misconfigurations, vulnerable services, kernel exploits, SUID binaries, unquoted service - paths, and credential stores to demonstrate the full impact of an initial compromise. - Activates for requests involving privilege escalation testing, local exploitation, post-compromise - escalation, or OS-level security assessment. +description: 'Performs privilege escalation assessments on compromised Linux and Windows systems to identify paths from low-privilege + access to root or SYSTEM-level control. The tester enumerates misconfigurations, vulnerable services, kernel exploits, SUID + binaries, unquoted service paths, and credential stores to demonstrate the full impact of an initial compromise. Activates + for requests involving privilege escalation testing, local exploitation, post-compromise escalation, or OS-level security + assessment. + + ' domain: cybersecurity subdomain: penetration-testing -tags: [privilege-escalation, post-exploitation, Linux-privesc, Windows-privesc, local-exploitation] +tags: +- privilege-escalation +- post-exploitation +- Linux-privesc +- Windows-privesc +- local-exploitation version: 1.0.0 author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Restore Access +- Password Authentication --- # Performing Privilege Escalation Assessment diff --git a/skills/performing-privilege-escalation-on-linux/SKILL.md b/skills/performing-privilege-escalation-on-linux/SKILL.md index 389125e6..d2deaae0 100644 --- a/skills/performing-privilege-escalation-on-linux/SKILL.md +++ b/skills/performing-privilege-escalation-on-linux/SKILL.md @@ -1,12 +1,26 @@ --- name: performing-privilege-escalation-on-linux -description: Linux privilege escalation involves elevating from a low-privilege user account to root access on a compromised system. Red teams exploit misconfigurations, vulnerable services, kernel exploits, and w +description: Linux privilege escalation involves elevating from a low-privilege user account to root access on a compromised + system. Red teams exploit misconfigurations, vulnerable services, kernel exploits, and w domain: cybersecurity subdomain: red-teaming -tags: [red-team, adversary-simulation, mitre-attack, exploitation, post-exploitation, privilege-escalation, linux] -version: "1.0" +tags: +- red-team +- adversary-simulation +- mitre-attack +- exploitation +- post-exploitation +- privilege-escalation +- linux +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Restore Object +- Network Traffic Policy Mapping +- Restore Configuration +- Access Modeling +- Operational Activity Mapping --- # Performing Privilege Escalation on Linux diff --git a/skills/performing-purple-team-atomic-testing/SKILL.md b/skills/performing-purple-team-atomic-testing/SKILL.md index 68dd55ec..685da746 100644 --- a/skills/performing-purple-team-atomic-testing/SKILL.md +++ b/skills/performing-purple-team-atomic-testing/SKILL.md @@ -1,18 +1,37 @@ --- name: performing-purple-team-atomic-testing -description: > - Executes Atomic Red Team tests mapped to MITRE ATT&CK techniques, performs coverage - gap analysis across the ATT&CK matrix, and runs detection validation loops to measure - blue team visibility. Covers Invoke-AtomicRedTeam PowerShell execution, ATT&CK Navigator - layer generation for heatmaps, Sigma rule correlation, and continuous atomic testing - pipelines. Activates for requests involving purple team exercises, atomic test execution, - ATT&CK coverage assessment, detection engineering validation, or adversary emulation testing. +description: 'Executes Atomic Red Team tests mapped to MITRE ATT&CK techniques, performs coverage gap analysis across the + ATT&CK matrix, and runs detection validation loops to measure blue team visibility. Covers Invoke-AtomicRedTeam PowerShell + execution, ATT&CK Navigator layer generation for heatmaps, Sigma rule correlation, and continuous atomic testing pipelines. + Activates for requests involving purple team exercises, atomic test execution, ATT&CK coverage assessment, detection engineering + validation, or adversary emulation testing. + + ' domain: cybersecurity subdomain: purple-team -tags: [purple-team, atomic-red-team, mitre-attack, detection-engineering, adversary-emulation] +tags: +- purple-team +- atomic-red-team +- mitre-attack +- detection-engineering +- adversary-emulation version: 1.0.0 author: mukul975 license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Performing Purple Team Atomic Testing diff --git a/skills/performing-purple-team-exercise/SKILL.md b/skills/performing-purple-team-exercise/SKILL.md index ddcd6a77..9e069a7a 100644 --- a/skills/performing-purple-team-exercise/SKILL.md +++ b/skills/performing-purple-team-exercise/SKILL.md @@ -1,16 +1,30 @@ --- name: performing-purple-team-exercise -description: > - Performs purple team exercises by coordinating red team adversary emulation with blue team - detection validation using MITRE ATT&CK-mapped attack scenarios, real-time detection testing, - and collaborative gap remediation. Use when SOC teams need to validate detection capabilities, - improve analyst skills, and close detection gaps through structured offensive-defensive collaboration. +description: 'Performs purple team exercises by coordinating red team adversary emulation with blue team detection validation + using MITRE ATT&CK-mapped attack scenarios, real-time detection testing, and collaborative gap remediation. Use when SOC + teams need to validate detection capabilities, improve analyst skills, and close detection gaps through structured offensive-defensive + collaboration. + + ' domain: cybersecurity subdomain: soc-operations -tags: [soc, purple-team, red-team, blue-team, mitre-attack, adversary-emulation, detection-validation] -version: "1.0" +tags: +- soc +- purple-team +- red-team +- blue-team +- mitre-attack +- adversary-emulation +- detection-validation +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- # Performing Purple Team Exercise diff --git a/skills/performing-thick-client-application-penetration-test/SKILL.md b/skills/performing-thick-client-application-penetration-test/SKILL.md index 7f828950..a0293c23 100644 --- a/skills/performing-thick-client-application-penetration-test/SKILL.md +++ b/skills/performing-thick-client-application-penetration-test/SKILL.md @@ -1,12 +1,29 @@ --- name: performing-thick-client-application-penetration-test -description: Conduct a thick client application penetration test to identify insecure local storage, hardcoded credentials, DLL hijacking, memory manipulation, and insecure API communication in desktop applications using dnSpy, Procmon, and Burp Suite. +description: Conduct a thick client application penetration test to identify insecure local storage, hardcoded credentials, + DLL hijacking, memory manipulation, and insecure API communication in desktop applications using dnSpy, Procmon, and Burp + Suite. domain: cybersecurity subdomain: penetration-testing -tags: [thick-client, desktop-application, dnSpy, Procmon, DLL-hijacking, binary-analysis, API-interception] -version: "1.0" +tags: +- thick-client +- desktop-application +- dnSpy +- Procmon +- DLL-hijacking +- binary-analysis +- API-interception +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Performing Thick Client Application Penetration Test diff --git a/skills/performing-threat-emulation-with-atomic-red-team/SKILL.md b/skills/performing-threat-emulation-with-atomic-red-team/SKILL.md index 0782c4c5..7ef63455 100644 --- a/skills/performing-threat-emulation-with-atomic-red-team/SKILL.md +++ b/skills/performing-threat-emulation-with-atomic-red-team/SKILL.md @@ -1,16 +1,34 @@ --- name: performing-threat-emulation-with-atomic-red-team -description: > - Executes Atomic Red Team tests for MITRE ATT&CK technique validation using the - atomic-operator Python framework. Loads test definitions from YAML atomics, runs - attack simulations, and validates detection coverage. Use when testing SIEM detection - rules, validating EDR coverage, or conducting purple team exercises. +description: 'Executes Atomic Red Team tests for MITRE ATT&CK technique validation using the atomic-operator Python framework. + Loads test definitions from YAML atomics, runs attack simulations, and validates detection coverage. Use when testing SIEM + detection rules, validating EDR coverage, or conducting purple team exercises. + + ' domain: cybersecurity subdomain: threat-intelligence -tags: [performing, threat, emulation, with] -version: "1.0" +tags: +- performing +- threat +- emulation +- with +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Performing Threat Emulation with Atomic Red Team diff --git a/skills/performing-threat-hunting-with-elastic-siem/SKILL.md b/skills/performing-threat-hunting-with-elastic-siem/SKILL.md index 18db054b..62f48257 100644 --- a/skills/performing-threat-hunting-with-elastic-siem/SKILL.md +++ b/skills/performing-threat-hunting-with-elastic-siem/SKILL.md @@ -1,16 +1,38 @@ --- name: performing-threat-hunting-with-elastic-siem -description: > - Performs proactive threat hunting in Elastic Security SIEM using KQL/EQL queries, detection rules, - and Timeline investigation to identify threats that evade automated detection. Use when SOC teams - need to hunt for specific ATT&CK techniques, investigate anomalous behaviors, or validate detection - coverage gaps using Elasticsearch and Kibana Security. +description: 'Performs proactive threat hunting in Elastic Security SIEM using KQL/EQL queries, detection rules, and Timeline + investigation to identify threats that evade automated detection. Use when SOC teams need to hunt for specific ATT&CK techniques, + investigate anomalous behaviors, or validate detection coverage gaps using Elasticsearch and Kibana Security. + + ' domain: cybersecurity subdomain: soc-operations -tags: [soc, elastic, siem, threat-hunting, kql, eql, mitre-attack, kibana] -version: "1.0" +tags: +- soc +- elastic +- siem +- threat-hunting +- kql +- eql +- mitre-attack +- kibana +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 +d3fend_techniques: +- Application Protocol Command Analysis +- Network Isolation +- Network Traffic Analysis +- Client-server Payload Profiling +- Network Traffic Community Deviation --- # Performing Threat Hunting with Elastic SIEM diff --git a/skills/performing-threat-hunting-with-yara-rules/SKILL.md b/skills/performing-threat-hunting-with-yara-rules/SKILL.md index 970a2131..4ff4d79c 100644 --- a/skills/performing-threat-hunting-with-yara-rules/SKILL.md +++ b/skills/performing-threat-hunting-with-yara-rules/SKILL.md @@ -1,15 +1,25 @@ --- name: performing-threat-hunting-with-yara-rules -description: > - Use YARA pattern-matching rules to hunt for malware, suspicious files, and - indicators of compromise across filesystems and memory dumps. Covers rule - authoring, yara-python scanning, and integration with threat intel feeds. +description: 'Use YARA pattern-matching rules to hunt for malware, suspicious files, and indicators of compromise across filesystems + and memory dumps. Covers rule authoring, yara-python scanning, and integration with threat intel feeds. + + ' domain: cybersecurity subdomain: threat-hunting -tags: [yara, malware-detection, threat-hunting, pattern-matching] -version: "1.0" +tags: +- yara +- malware-detection +- threat-hunting +- pattern-matching +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis --- # Performing Threat Hunting with YARA Rules diff --git a/skills/performing-threat-landscape-assessment-for-sector/SKILL.md b/skills/performing-threat-landscape-assessment-for-sector/SKILL.md index 1d082a05..136e302a 100644 --- a/skills/performing-threat-landscape-assessment-for-sector/SKILL.md +++ b/skills/performing-threat-landscape-assessment-for-sector/SKILL.md @@ -1,12 +1,26 @@ --- name: performing-threat-landscape-assessment-for-sector -description: Conduct a sector-specific threat landscape assessment by analyzing threat actor targeting patterns, common attack vectors, and industry-specific vulnerabilities to inform organizational risk management. +description: Conduct a sector-specific threat landscape assessment by analyzing threat actor targeting patterns, common attack + vectors, and industry-specific vulnerabilities to inform organizational risk management. domain: cybersecurity subdomain: threat-intelligence -tags: [threat-landscape, sector-analysis, risk-assessment, threat-intelligence, industry-targeting, cti, strategic-intelligence] -version: "1.0" +tags: +- threat-landscape +- sector-analysis +- risk-assessment +- threat-intelligence +- industry-targeting +- cti +- strategic-intelligence +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Application Protocol Command Analysis +- Identifier Analysis +- Content Format Conversion +- Message Analysis --- # Performing Threat Landscape Assessment for Sector diff --git a/skills/performing-threat-modeling-with-owasp-threat-dragon/SKILL.md b/skills/performing-threat-modeling-with-owasp-threat-dragon/SKILL.md index 005ffcfe..c5c67e4d 100644 --- a/skills/performing-threat-modeling-with-owasp-threat-dragon/SKILL.md +++ b/skills/performing-threat-modeling-with-owasp-threat-dragon/SKILL.md @@ -1,12 +1,29 @@ --- name: performing-threat-modeling-with-owasp-threat-dragon -description: Use OWASP Threat Dragon to create data flow diagrams, identify threats using STRIDE and LINDDUN methodologies, and generate threat model reports for secure design review. +description: Use OWASP Threat Dragon to create data flow diagrams, identify threats using STRIDE and LINDDUN methodologies, + and generate threat model reports for secure design review. domain: cybersecurity subdomain: devsecops -tags: [threat-modeling, owasp, threat-dragon, stride, linddun, secure-design, dfd, data-flow] -version: "1.0" +tags: +- threat-modeling +- owasp +- threat-dragon +- stride +- linddun +- secure-design +- dfd +- data-flow +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Performing Threat Modeling with OWASP Threat Dragon diff --git a/skills/recovering-deleted-files-with-photorec/SKILL.md b/skills/recovering-deleted-files-with-photorec/SKILL.md index 8bdb552e..19d890e7 100644 --- a/skills/recovering-deleted-files-with-photorec/SKILL.md +++ b/skills/recovering-deleted-files-with-photorec/SKILL.md @@ -1,12 +1,27 @@ --- name: recovering-deleted-files-with-photorec -description: Recover deleted files from disk images and storage media using PhotoRec's file signature-based carving engine regardless of file system damage. +description: Recover deleted files from disk images and storage media using PhotoRec's file signature-based carving engine + regardless of file system damage. domain: cybersecurity subdomain: digital-forensics -tags: [forensics, file-recovery, photorec, file-carving, data-recovery, evidence-recovery] -version: "1.0" +tags: +- forensics +- file-recovery +- photorec +- file-carving +- data-recovery +- evidence-recovery +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Recovering Deleted Files with PhotoRec diff --git a/skills/reverse-engineering-ransomware-encryption-routine/SKILL.md b/skills/reverse-engineering-ransomware-encryption-routine/SKILL.md index c5ed13ca..9e628cc8 100644 --- a/skills/reverse-engineering-ransomware-encryption-routine/SKILL.md +++ b/skills/reverse-engineering-ransomware-encryption-routine/SKILL.md @@ -1,12 +1,27 @@ --- name: reverse-engineering-ransomware-encryption-routine -description: Reverse engineer ransomware encryption routines to identify cryptographic algorithms, key generation flaws, and potential decryption opportunities using static and dynamic analysis. +description: Reverse engineer ransomware encryption routines to identify cryptographic algorithms, key generation flaws, and + potential decryption opportunities using static and dynamic analysis. domain: cybersecurity subdomain: malware-analysis -tags: [ransomware, encryption, reverse-engineering, cryptanalysis, aes, rsa, decryption, malware-analysis] -version: "1.0" +tags: +- ransomware +- encryption +- reverse-engineering +- cryptanalysis +- aes +- rsa +- decryption +- malware-analysis +version: '1.0' author: mahipal license: Apache-2.0 +d3fend_techniques: +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis +- Platform Hardening +- File Format Verification --- # Reverse Engineering Ransomware Encryption Routine diff --git a/skills/securing-azure-with-microsoft-defender/SKILL.md b/skills/securing-azure-with-microsoft-defender/SKILL.md index d573871c..6798ab71 100644 --- a/skills/securing-azure-with-microsoft-defender/SKILL.md +++ b/skills/securing-azure-with-microsoft-defender/SKILL.md @@ -1,17 +1,30 @@ --- name: securing-azure-with-microsoft-defender -description: > - This skill instructs security practitioners on deploying Microsoft Defender for Cloud - as a cloud-native application protection platform for Azure, multi-cloud, and hybrid - environments. It covers enabling Defender plans for servers, containers, storage, and - databases, configuring security recommendations, managing Secure Score, and integrating - with the unified Defender portal for centralized threat management. +description: 'This skill instructs security practitioners on deploying Microsoft Defender for Cloud as a cloud-native application + protection platform for Azure, multi-cloud, and hybrid environments. It covers enabling Defender plans for servers, containers, + storage, and databases, configuring security recommendations, managing Secure Score, and integrating with the unified Defender + portal for centralized threat management. + + ' domain: cybersecurity subdomain: cloud-security -tags: [microsoft-defender, azure-security, cnapp, secure-score, cloud-workload-protection] +tags: +- microsoft-defender +- azure-security +- cnapp +- secure-score +- cloud-workload-protection version: 1.0.0 author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Securing Azure with Microsoft Defender diff --git a/skills/testing-for-sensitive-data-exposure/SKILL.md b/skills/testing-for-sensitive-data-exposure/SKILL.md index c9a02850..c19d0491 100644 --- a/skills/testing-for-sensitive-data-exposure/SKILL.md +++ b/skills/testing-for-sensitive-data-exposure/SKILL.md @@ -1,12 +1,28 @@ --- name: testing-for-sensitive-data-exposure -description: Identifying sensitive data exposure vulnerabilities including API key leakage, PII in responses, insecure storage, and unprotected data transmission during security assessments. +description: Identifying sensitive data exposure vulnerabilities including API key leakage, PII in responses, insecure storage, + and unprotected data transmission during security assessments. domain: cybersecurity subdomain: web-application-security -tags: [penetration-testing, data-exposure, pii, owasp, web-security, api-keys, secrets] -version: "1.0" +tags: +- penetration-testing +- data-exposure +- pii +- owasp +- web-security +- api-keys +- secrets +version: '1.0' author: mahipal license: Apache-2.0 +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 --- # Testing for Sensitive Data Exposure diff --git a/skills/triaging-security-incident/SKILL.md b/skills/triaging-security-incident/SKILL.md index 292657bb..1f71b88a 100644 --- a/skills/triaging-security-incident/SKILL.md +++ b/skills/triaging-security-incident/SKILL.md @@ -1,210 +1,8 @@ --- -name: triaging-security-incident -description: > - Performs initial triage of security incidents to determine severity, scope, and - required response actions using the NIST SP 800-61r3 and SANS PICERL frameworks. - Classifies incidents by type, assigns priority based on business impact, and routes - to appropriate response teams. Activates for requests involving incident triage, - security alert classification, severity assessment, incident prioritization, or - initial incident analysis. -domain: cybersecurity -subdomain: incident-response -tags: [incident-triage, NIST-800-61, SANS-PICERL, severity-classification, SOC-operations] -mitre_attack: ["T1190", "T1566", "T1078", "T1059"] -version: 1.0.0 -author: mahipal -license: Apache-2.0 ---- - -# Triaging Security Incidents - -## When to Use - -- A SIEM or EDR alert fires and requires human classification before escalation -- Multiple concurrent alerts arrive and the SOC must prioritize response order -- An end user reports suspicious activity and the incident needs initial categorization -- A threat intelligence feed matches an IOC observed in the environment - -**Do not use** for routine vulnerability scanning results or compliance audit findings that do not represent active security incidents. - -## Prerequisites - -- Access to SIEM platform (Splunk, Elastic, Microsoft Sentinel) with current alert data -- Incident classification taxonomy aligned to NIST SP 800-61r3 categories -- Predefined severity matrix mapping asset criticality to threat type -- Contact roster for escalation paths (Tier 1 through Tier 3 and CIRT) -- Asset inventory with business criticality ratings - -## Workflow - -### Step 1: Collect Initial Alert Data - -Gather all available context from the triggering alert before making classification decisions: - -- **Alert source**: Which detection system generated the alert (EDR, SIEM, IDS/IPS, firewall, user report) -- **Timestamp**: When the event occurred and when it was detected (dwell time gap) -- **Affected assets**: Hostnames, IP addresses, user accounts involved -- **Alert fidelity**: Historical true-positive rate for this detection rule -- **Raw evidence**: Log entries, packet captures, process execution chains - -``` -Example SIEM alert context: -Source: CrowdStrike Falcon -Detection: Suspicious PowerShell Execution (T1059.001) -Host: WORKSTATION-FIN-042 -User: jsmith@corp.example.com -Timestamp: 2025-11-15T14:23:17Z -Severity: High (detection rule confidence: 92%) -Process: powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA... -Parent: outlook.exe (PID 4812) -``` - -### Step 2: Classify the Incident Type - -Map the alert to a standard incident category per NIST SP 800-61r3: - -| Category | Examples | -|----------|----------| -| Unauthorized Access | Compromised credentials, privilege escalation, IDOR | -| Denial of Service | Volumetric DDoS, application-layer flood, resource exhaustion | -| Malicious Code | Malware execution, ransomware detonation, cryptominer | -| Improper Usage | Policy violation, insider data exfiltration, shadow IT | -| Reconnaissance | Port scanning, directory enumeration, credential spraying | -| Web Application Attack | SQL injection, XSS, SSRF exploitation | - -### Step 3: Assign Severity Using Impact Matrix - -Calculate severity by combining asset criticality with threat severity: - -``` -Severity = f(Asset Criticality, Threat Type, Data Sensitivity, Lateral Movement Potential) - -Critical (P1): Crown jewel systems compromised, active data exfiltration, ransomware spreading -High (P2): Production system compromise, confirmed malware execution, privileged account takeover -Medium (P3): Non-production compromise, unsuccessful exploitation attempt, single endpoint malware -Low (P4): Reconnaissance activity, policy violation, benign true positive -``` - -Response SLA targets: -- P1: Acknowledge within 15 minutes, containment within 1 hour -- P2: Acknowledge within 30 minutes, containment within 4 hours -- P3: Acknowledge within 2 hours, investigation within 24 hours -- P4: Acknowledge within 8 hours, investigation within 72 hours - -### Step 4: Perform Initial Enrichment - -Before escalation, enrich the alert with contextual data: - -- **Threat intelligence**: Check IOCs (IP, hash, domain) against TI platforms (VirusTotal, OTX, MISP) -- **Asset context**: Query CMDB for asset owner, business function, data classification -- **User context**: Check identity provider for recent authentication anomalies, MFA status -- **Historical correlation**: Search for related alerts on the same host/user in the past 30 days -- **Network context**: Verify if source/destination IPs are internal, known partners, or external threat actors - -### Step 5: Document and Escalate - -Create a structured triage record and route to the appropriate response tier: - -``` -Incident Triage Record -━━━━━━━━━━━━━━━━━━━━━ -Ticket ID: INC-2025-1547 -Triage Analyst: [analyst name] -Triage Time: 2025-11-15T14:35:00Z (12 min from alert) -Classification: Malicious Code - Macro-based initial access -Severity: P2 - High -Affected Assets: WORKSTATION-FIN-042 (Finance dept, handles PII) -Affected Users: jsmith@corp.example.com -IOCs Identified: powershell.exe spawned by outlook.exe, encoded command -TI Matches: Base64 payload matches known Qakbot loader pattern -Escalation: Tier 2 - Malware IR team -Recommended: Isolate endpoint, preserve memory dump, block sender domain -``` - -### Step 6: Initiate Containment Hold - -If severity is P1 or P2, initiate immediate containment actions while awaiting full investigation: - -- Network-isolate the affected endpoint via EDR (CrowdStrike contain, Defender isolate) -- Disable compromised user accounts in Active Directory or identity provider -- Block identified malicious IPs/domains at firewall and DNS sinkhole -- Preserve volatile evidence (memory dump) before any remediation - -## Key Concepts - -| Term | Definition | -|------|------------| -| **Triage** | Rapid assessment process to classify and prioritize security incidents based on severity and business impact | -| **PICERL** | SANS incident response framework: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned | -| **Dwell Time** | Duration between initial compromise and detection; average is 10 days per Mandiant M-Trends 2025 | -| **True Positive Rate** | Percentage of alerts from a detection rule that represent genuine security incidents | -| **Crown Jewel Assets** | Systems and data critical to business operations whose compromise would cause severe organizational impact | -| **Alert Fatigue** | Degraded analyst performance caused by high volumes of low-fidelity or false-positive alerts | -| **Mean Time to Acknowledge (MTTA)** | Average time from alert generation to analyst acknowledgment; key SOC performance metric | - -## Tools & Systems - -- **Splunk Enterprise Security**: SIEM platform for alert aggregation, correlation, and triage workflow management -- **CrowdStrike Falcon**: EDR platform providing endpoint telemetry, detection, and one-click host containment -- **TheHive**: Open-source incident response platform for case management, task tracking, and team collaboration -- **MISP**: Threat intelligence sharing platform for IOC enrichment during triage -- **Cortex XSOAR**: SOAR platform for automating enrichment playbooks and triage decision trees - -## Common Scenarios - -### Scenario: Encoded PowerShell from Email Client - -**Context**: SOC analyst receives a P2 alert showing `powershell.exe` with a Base64-encoded command spawned as a child process of `outlook.exe` on a finance department workstation. - -**Approach**: -1. Decode the Base64 payload to determine the command intent -2. Check the parent process chain for anomalies (Outlook spawning PowerShell is abnormal) -3. Query VirusTotal for the decoded payload hash -4. Correlate with email gateway logs to identify the triggering email and sender -5. Check if other recipients in the organization received the same email -6. Isolate the endpoint and escalate to Tier 2 with full triage context - -**Pitfalls**: -- Dismissing encoded PowerShell as a false positive without decoding the payload -- Failing to check for lateral spread to other recipients of the same phishing email -- Remediating the endpoint before capturing volatile memory evidence - -## Output Format - -``` -INCIDENT TRIAGE REPORT -====================== -Ticket: INC-[YYYY]-[NNNN] -Date/Time: [ISO 8601 timestamp] -Triage Analyst: [Name] -Time to Triage: [minutes from alert to classification] - -CLASSIFICATION -Type: [NIST category] -Severity: [P1-P4] - [Critical/High/Medium/Low] -Confidence: [High/Medium/Low] -MITRE ATT&CK: [Technique ID and name] - -AFFECTED SCOPE -Assets: [hostname(s), IP(s)] -Users: [account(s)] -Data at Risk: [classification level] -Business Unit: [department] - -EVIDENCE SUMMARY -[Bullet list of key observations] - -ENRICHMENT RESULTS -TI Matches: [Yes/No - details] -Historical: [Related prior incidents] -Asset Criticality: [rating] - -RECOMMENDED ACTIONS -1. [Immediate action] -2. [Investigation step] -3. [Escalation target] - -ESCALATION -Routed To: [Team/Individual] -SLA Target: [Containment deadline] -``` +{} +---tags: +- incident-triage +- NIST-800-61 +- SANS-PICERL +- severity-classification +- SOC-operations