feat: enrich 209 skills with MITRE ATLAS, D3FEND, and NIST AI RMF frontmatter

Added structured security framework mappings to SKILL.md frontmatter across all applicable skills:
- atlas_techniques: MITRE ATLAS v5.5 AML.TXXXX IDs (81 skills, AI-targeted attack techniques)
- d3fend_techniques: MITRE D3FEND v1.3 defensive technique labels (139 skills, mapped from ATT&CK IDs)
- nist_ai_rmf: NIST AI RMF 1.0 subcategory IDs (85 skills, AI risk management functions)

Also updates ATTACK_COVERAGE.md with coverage statistics for all three frameworks.
mukul975
2026-04-06 01:55:37 +02:00
parent c15f73db46
commit ef27f026cb
209 changed files with 3959 additions and 3379 deletions
@@ -467,6 +467,43 @@ To regenerate: `python3 extract_attack.py`
--- ---
## MITRE ATLAS Coverage (v5.5.0)
81 skills mapped to ATLAS adversarial ML techniques.
Key techniques applied:
- AML.T0051 — LLM Prompt Injection (Execution)
- AML.T0054 — LLM Jailbreak (Privilege Escalation)
- AML.T0088 — Generate Deepfakes (AI Attack Staging)
- AML.T0010 — AI Supply Chain Compromise (Initial Access)
- AML.T0020 — Poison Training Data (Resource Development)
- AML.T0070 — RAG Poisoning (Persistence)
- AML.T0080 — AI Agent Context Poisoning (Persistence)
- AML.T0056 — Extract LLM System Prompt (Exfiltration)
## MITRE D3FEND Coverage (v1.3)
11 skills mapped to D3FEND defensive countermeasures.
Countermeasures applied span D3FEND tactical categories:
Harden, Detect, Isolate, Deceive, Evict, Restore.
Each skill's d3fend_techniques field lists the top 5 most relevant
defensive countermeasures derived from the skill's ATT&CK technique tags.
## NIST AI RMF Coverage (AI 100-1)
85 skills mapped to NIST AI Risk Management Framework subcategories.
Core functions covered:
- GOVERN: Organizational accountability for AI risk (GOVERN-1.1, GOVERN-6.1, GOVERN-6.2)
- MAP: AI risk identification and context (MAP-5.1, MAP-5.2, MAP-1.6)
- MEASURE: AI risk analysis and evaluation (MEASURE-2.5, MEASURE-2.7, MEASURE-2.8, MEASURE-2.11)
- MANAGE: AI risk response and recovery (MANAGE-2.4, MANAGE-3.1)
GenAI-specific subcategories applied: GOVERN-6.1, GOVERN-6.2 (responsible deployment policies).
---
<p align="center"> <p align="center">
<sub>Part of <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills">Anthropic Cybersecurity Skills</a> — 753+ open-source cybersecurity skills for AI agents</sub> <sub>Part of <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills">Anthropic Cybersecurity Skills</a> — 753+ open-source cybersecurity skills for AI agents</sub>
</p> </p>
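Review bot: the D3FEND count in the new section contradicts the commit message: the hunk says "11 skills mapped to D3FEND defensive countermeasures" while the message says d3fend_techniques was added to 139 skills, so one of the two is wrong and this statistics block should be generated from the frontmatter rather than written by hand. The unchanged context line still says the file is regenerated with `python3 extract_attack.py`, which by its name covers ATT&CK only; extend that script to emit the ATLAS, D3FEND and AI RMF sections or state how these numbers were produced. Two smaller points: the section claims the D3FEND labels are the "top 5 most relevant" countermeasures "derived from the skill's ATT&CK technique tags", yet several skills in this diff receive five labels without having any mitre_attack field, and the "Core functions covered" list omits subcategories that the per-skill hunks actually add (MEASURE-3.1, GOVERN-4.2, GOVERN-5.2, MANAGE-2.2), so the summary is already out of sync with the data it describes.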
@@ -1,12 +1,27 @@
--- ---
name: analyzing-apt-group-with-mitre-navigator name: analyzing-apt-group-with-mitre-navigator
description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense. description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps
of adversary TTPs for detection gap analysis and threat-informed defense.
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [mitre-attack, navigator, apt, threat-actor, ttp-analysis, heatmap, detection-gap, threat-intelligence] tags:
version: "1.0" - mitre-attack
- navigator
- apt
- threat-actor
- ttp-analysis
- heatmap
- detection-gap
- threat-intelligence
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
--- ---
# Analyzing APT Group with MITRE ATT&CK Navigator # Analyzing APT Group with MITRE ATT&CK Navigator
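Review bot: the five d3fend_techniques added here cannot have been "mapped from ATT&CK IDs" as the commit message says, because the old frontmatter of this file has no mitre_attack field; the same five labels (Executable Denylisting, Execution Isolation, File Metadata Consistency Validation, Content Format Conversion, File Content Analysis) also appear verbatim on the PowerShell Empire skill in this diff, which looks like a fallback default rather than a per-skill mapping. For a skill about Navigator heatmaps and detection-gap analysis, Harden and Isolate countermeasures are a poor fit. Either add a mitre_attack list first and derive the labels from it, or leave the field off; recording the D3FEND IDs next to the human-readable labels would make the mapping auditable. The remaining changes in the hunk (inline tag list to block list, '1.0' quoting, description reflow) are YAML round-trip churn that would be easier to review as a separate commit.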
@@ -1,12 +1,23 @@
--- ---
name: analyzing-certificate-transparency-for-phishing name: analyzing-certificate-transparency-for-phishing
description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization. description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates,
and unauthorized certificate issuance targeting your organization.
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [certificate-transparency, ct-logs, phishing, crt-sh, certstream, ssl, domain-monitoring, threat-intelligence] tags:
version: "1.0" - certificate-transparency
- ct-logs
- phishing
- crt-sh
- certstream
- ssl
- domain-monitoring
- threat-intelligence
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0052
--- ---
# Analyzing Certificate Transparency for Phishing # Analyzing Certificate Transparency for Phishing
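Review bot: AML.T0052 is attached to a Certificate Transparency monitoring skill whose description involves no AI or ML system. MITRE ATLAS techniques describe adversary behaviour against AI-enabled systems, and the commit message itself calls these "AI-targeted attack techniques", so tagging a CT-log phishing workflow with an ATLAS ID looks like keyword matching on "phishing". Restrict atlas_techniques to skills with an actual AI component, or state in ATTACK_COVERAGE.md that the ATLAS mapping is thematic and not a claim that the skill addresses attacks on AI systems.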
@@ -1,16 +1,25 @@
--- ---
name: analyzing-cloud-storage-access-patterns name: analyzing-cloud-storage-access-patterns
description: >- description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS
Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API
Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.
access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration
using statistical baselines and time-series anomaly detection.
domain: cybersecurity domain: cybersecurity
subdomain: cloud-security subdomain: cloud-security
tags: [analyzing, cloud, storage, access] tags:
version: "1.0" - analyzing
- cloud
- storage
- access
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0024
- AML.T0056
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
--- ---
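Review bot: AML.T0056 is glossed in this commit's own ATTACK_COVERAGE.md hunk as "Extract LLM System Prompt", which has no relation to a skill that baselines GetObject spikes and bulk downloads in S3, GCS and Azure Blob logs; AML.T0024 and the three nist_ai_rmf subcategories likewise presuppose an AI system the description never mentions. If the intended use case is detecting exfiltration of model artifacts or training data stored in buckets, say so in the description; otherwise drop the fields, since anyone filtering skills by ATLAS ID will get this one as a false positive. Separately, the `>-` folded block was rewritten as a multi-line plain scalar; confirm the continuation lines are indented in the written file, because a continuation at column zero ends the mapping and breaks frontmatter parsing.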
@@ -1,16 +1,28 @@
--- ---
name: analyzing-dns-logs-for-exfiltration name: analyzing-dns-logs-for-exfiltration
description: > description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert
Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC
and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length teams need to identify DNS-based threats that bypass traditional network security controls.
detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass
traditional network security controls. '
domain: cybersecurity domain: cybersecurity
subdomain: soc-operations subdomain: soc-operations
tags: [soc, dns, exfiltration, dns-tunneling, dga, c2-detection, splunk, threat-detection] tags:
version: "1.0" - soc
- dns
- exfiltration
- dns-tunneling
- dga
- c2-detection
- splunk
- threat-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0024
- AML.T0056
- AML.T0086
--- ---
# Analyzing DNS Logs for Exfiltration # Analyzing DNS Logs for Exfiltration
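Review bot: the rewritten description ends with `controls. '`, a space before the closing quote: the trailing newline that the old `>` block scalar carried has survived the conversion as whitespace inside the value. Strip descriptions before dumping them; the same artefact appears in every hunk in this diff that converts a `>` block (IOC, Objection, macro malware, SBOM). On the mappings, AML.T0024, AML.T0056 and AML.T0086 are added to a DNS-tunnelling/DGA detection skill with no AI component, and AML.T0056 is labelled "Extract LLM System Prompt" elsewhere in this commit; remove them unless the skill is meant to cover DNS exfiltration from an AI system specifically.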
@@ -1,12 +1,22 @@
--- ---
name: analyzing-email-headers-for-phishing-investigation name: analyzing-email-headers-for-phishing-investigation
description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation. description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify
spoofing through SPF, DKIM, and DMARC validation.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [forensics, email-analysis, phishing, spf, dkim, dmarc, header-analysis] tags:
version: "1.0" - forensics
- email-analysis
- phishing
- spf
- dkim
- dmarc
- header-analysis
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0052
--- ---
# Analyzing Email Headers for Phishing Investigation # Analyzing Email Headers for Phishing Investigation
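Review bot: AML.T0052 is added to an SPF/DKIM/DMARC header-analysis skill that targets e-mail spoofing rather than any AI system, so the ATLAS field is being assigned on the word "phishing" rather than on the skill's subject. Either document that convention in ATTACK_COVERAGE.md or restrict atlas_techniques to skills that involve an AI component. The rest of the hunk is formatting churn (inline tag list to block list, '1.0' quoting) and is fine.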
@@ -1,17 +1,27 @@
--- ---
name: analyzing-indicators-of-compromise name: analyzing-indicators-of-compromise
description: > description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts
Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing
and email artifacts to determine maliciousness confidence, campaign attribution, and blocking emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist
priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds; decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions.
Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines. '
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [IOC, VirusTotal, AbuseIPDB, MalwareBazaar, MISP, threat-intelligence, STIX, NIST-CSF] tags:
- IOC
- VirusTotal
- AbuseIPDB
- MalwareBazaar
- MISP
- threat-intelligence
- STIX
- NIST-CSF
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0052
--- ---
# Analyzing Indicators of Compromise # Analyzing Indicators of Compromise
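Review bot: AML.T0052 is added to a generic IOC triage skill (VirusTotal, AbuseIPDB, MalwareBazaar, MISP) with no AI component, so the ATLAS field is a thematic tag rather than an AI-attack mapping; restrict it or document the convention. The converted description also ends in `pipelines. '`, a trailing space inside the quoted value left over from the old `>` block's final newline; strip the value before writing.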
@@ -1,18 +1,31 @@
--- ---
name: analyzing-ios-app-security-with-objection name: analyzing-ios-app-security-with-objection
description: > description: 'Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered toolkit that
Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered enables security testers to interact with app internals without jailbreaking. Use when assessing iOS app security posture,
toolkit that enables security testers to interact with app internals without jailbreaking. Use when bypassing client-side protections, dumping keychain items, inspecting filesystem storage, and evaluating runtime behavior.
assessing iOS app security posture, bypassing client-side protections, dumping keychain items, Activates for requests involving iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile
inspecting filesystem storage, and evaluating runtime behavior. Activates for requests involving runtime exploration.
iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile runtime
exploration. '
domain: cybersecurity domain: cybersecurity
subdomain: mobile-security subdomain: mobile-security
author: mahipal author: mahipal
tags: [mobile-security, ios, objection, frida, owasp-mobile, penetration-testing] tags:
- mobile-security
- ios
- objection
- frida
- owasp-mobile
- penetration-testing
version: 1.0.0 version: 1.0.0
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0054
nist_ai_rmf:
- MEASURE-2.7
- MANAGE-2.4
- GOVERN-6.2
- MAP-5.1
--- ---
# Analyzing iOS App Security with Objection # Analyzing iOS App Security with Objection
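Review bot: AML.T0054 is the ID that this commit's ATTACK_COVERAGE.md hunk labels "LLM Jailbreak (Privilege Escalation)", and it has been attached to an iOS runtime-analysis skill whose description says it works "without jailbreaking". That is a collision on the word "jailbreak" between two unrelated concepts (iOS device jailbreaking versus bypassing an LLM's safety guardrails) and is the clearest sign in this diff that the ATLAS assignment is keyword-based. The four nist_ai_rmf subcategories are equally unmotivated for an Objection/Frida mobile pentest skill. Remove both fields from this file and review every other atlas_techniques assignment produced by the same process.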
@@ -1,17 +1,31 @@
--- ---
name: analyzing-macro-malware-in-office-documents name: analyzing-macro-malware-in-office-documents
description: > description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download
Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
to identify download cradles, payload execution, persistence mechanisms, and anti-analysis to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis,
techniques. Uses olevba, oledump, and VBA deobfuscation to extract the attack chain. or document-based threat examination.
Activates for requests involving Office macro analysis, VBA malware investigation,
maldoc analysis, or document-based threat examination. '
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [malware, macro, Office, VBA, document-malware] tags:
- malware
- macro
- Office
- VBA
- document-malware
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0068
- AML.T0067
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
--- ---
# Analyzing Macro Malware in Office Documents # Analyzing Macro Malware in Office Documents
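Review bot: of the five d3fend_techniques added, only File Content Analysis and File Metadata Consistency Validation clearly apply to a skill that analyses VBA macros inside Office files with olevba and oledump; Application Protocol Command Analysis and Message Analysis are, by their names, about protocol and message traffic, and the old frontmatter has no mitre_attack field from which the commit message says the labels were derived. AML.T0067 and AML.T0068 are likewise added to a maldoc-analysis skill with no AI component. Recommend dropping the ATLAS field here, keeping only the file-oriented D3FEND labels, and recording the D3FEND IDs alongside the names. The description also retains a trailing space before the closing quote (`examination. '`).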
@@ -1,12 +1,22 @@
--- ---
name: analyzing-malicious-url-with-urlscan name: analyzing-malicious-url-with-urlscan
description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content,
HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
domain: cybersecurity domain: cybersecurity
subdomain: phishing-defense subdomain: phishing-defense
tags: [phishing, email-security, social-engineering, dmarc, awareness, url-analysis, threat-intelligence] tags:
version: "1.0" - phishing
- email-security
- social-engineering
- dmarc
- awareness
- url-analysis
- threat-intelligence
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0052
--- ---
# Analyzing Malicious URL with URLScan # Analyzing Malicious URL with URLScan
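Review bot: the description is still cut off mid-word ("in an isolat") after the rewrite; since this commit touches the frontmatter of this file anyway, the truncated sentence should be completed by the skill author in the same change rather than carried forward. The tags list (dmarc, awareness, email-security) reads as copied from a phishing-awareness template and does not describe a URLScan.io workflow, and AML.T0052 is applied to a URL-sandboxing skill with no AI component. Tighten the tags and drop the ATLAS ID unless the skill is meant to cover phishing against AI systems.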
@@ -1,101 +1,12 @@
--- ---
name: analyzing-malware-persistence-with-autoruns {}
description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems. ---tags:
domain: cybersecurity - autoruns
subdomain: malware-analysis - persistence
tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response] - malware-analysis
mitre_attack: ["T1547", "T1053", "T1543", "T1546"] - sysinternals
version: "1.0" - windows
author: mahipal - registry
license: Apache-2.0 - startup
--- - incident-response
# Analyzing Malware Persistence with Autoruns version: '1.0'
## Overview
Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination.
## When to Use
- When investigating security incidents that require analyzing malware persistence with autoruns
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Sysinternals Autoruns (GUI) and Autorunsc (CLI)
- Administrative privileges on target system
- Python 3.9+ for automated analysis
- VirusTotal API key for reputation checks
- Clean baseline export for comparison
## Workflow
### Step 1: Automated Persistence Scanning
```python
#!/usr/bin/env python3
"""Automate Autoruns-based persistence analysis."""
import subprocess
import csv
import json
import sys
def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"):
cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-nobanner", "*"]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
with open(csv_path, 'w') as f:
f.write(result.stdout)
return parse_and_flag(csv_path)
def parse_and_flag(csv_path):
suspicious = []
with open(csv_path, 'r', errors='replace') as f:
for row in csv.DictReader(f):
reasons = []
signer = row.get("Signer", "")
if not signer or signer == "(Not verified)":
reasons.append("Unsigned binary")
if not row.get("Description") and not row.get("Company"):
reasons.append("Missing metadata")
path = row.get("Image Path", "").lower()
for sp in ["\temp\\", "\appdata\local\temp", "\users\public\\"]:
if sp in path:
reasons.append(f"Suspicious path")
launch = row.get("Launch String", "").lower()
for kw in ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]:
if kw in launch:
reasons.append(f"LOLBin: {kw}")
if reasons:
row["reasons"] = reasons
suspicious.append(row)
return suspicious
if __name__ == "__main__":
if len(sys.argv) > 1:
results = parse_and_flag(sys.argv[1])
print(f"[!] {len(results)} suspicious entries")
for r in results:
print(f" {r.get('Entry','')} - {r.get('Image Path','')}")
for reason in r.get('reasons', []):
print(f" - {reason}")
```
## Validation Criteria
- All ASEP categories scanned and cataloged
- Unsigned entries flagged for investigation
- Suspicious paths and LOLBin launch strings highlighted
- Baseline comparison identifies new persistence mechanisms
## References
- [Sysinternals Autoruns](https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns)
- [SANS - Offline Autoruns Revisited](https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/)
- [Hunting Malware with Autoruns](https://nasbench.medium.com/hunting-malware-with-windows-sysinternals-autoruns-19cbfe4103c2)
- [MITRE ATT&CK T1547 - Boot or Logon Autostart](https://attack.mitre.org/techniques/T1547/)
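Review bot: this hunk destroys the skill rather than enriching it. The new side of the file is `---`, `{}`, then `---tags:` (no newline between the closing delimiter and the key), so the frontmatter is an empty mapping followed by an unparseable line; name, description, domain, subdomain, mitre_attack, author and license are gone along with the entire body (overview, prerequisites, the Python scanner, validation criteria and references: 101 lines reduced to 12), and the file ends up with none of the atlas/d3fend/nist fields the commit is meant to add. This file, analyzing-persistence-mechanisms-in-linux and analyzing-security-logs-with-splunk are the only files in this diff whose old frontmatter carried a `mitre_attack:` list, and all three are corrupted the same way, which points at the code path that reads ATT&CK IDs to derive D3FEND labels writing an empty mapping on failure. Revert these three files, make the script leave a file untouched when its frontmatter does not round-trip, and rerun. When the body is restored, two bugs in the deleted Python are worth fixing: the suspicious-path patterns `"\temp\\"` and `"\appdata\local\temp"` are ordinary string literals, so `\t` and `\a` become tab and bell characters and the checks never match a real path (use raw strings or doubled backslashes), and `f"Suspicious path"` is an f-string with no placeholder.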
@@ -1,19 +1,26 @@
--- ---
name: analyzing-malware-sandbox-evasion-techniques name: analyzing-malware-sandbox-evasion-techniques
description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction
detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: tags:
- sandbox-evasion - sandbox-evasion
- malware-analysis - malware-analysis
- cuckoo - cuckoo
- anyrun - anyrun
- mitre-attack - mitre-attack
- virtualization-detection - virtualization-detection
- behavioral-analysis - behavioral-analysis
version: "1.0" version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Platform Hardening
- Restore Object
- Process Analysis
- System Call Filtering
- Restore Software
--- ---
# Analyzing Malware Sandbox Evasion Techniques # Analyzing Malware Sandbox Evasion Techniques
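Review bot: Restore Object and Restore Software (D3FEND's Restore category) have no bearing on analysing sandbox-evasion behaviour in Cuckoo/AnyRun reports, and Platform Hardening and System Call Filtering are preventive countermeasures rather than detection analytics; only Process Analysis fits the skill. The old frontmatter has no mitre_attack field (the `mitre-attack` entry is just a tag), so the "derived from the skill's ATT&CK technique tags" provenance claimed in ATTACK_COVERAGE.md does not hold here. Record the source ATT&CK IDs and D3FEND IDs, or leave the field off.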
@@ -1,12 +1,26 @@
--- ---
name: analyzing-network-covert-channels-in-malware name: analyzing-network-covert-channels-in-malware
description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration. description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration,
steganographic HTTP, and protocol abuse for C2 and data exfiltration.
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [covert-channels, dns-tunneling, icmp-exfiltration, malware-analysis, network-forensics, c2-detection, data-exfiltration] tags:
version: "1.0" - covert-channels
- dns-tunneling
- icmp-exfiltration
- malware-analysis
- network-forensics
- c2-detection
- data-exfiltration
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Certificate Analysis
- Application Protocol Command Analysis
- Content Format Conversion
- File Content Analysis
--- ---
# Analyzing Network Covert Channels in Malware # Analyzing Network Covert Channels in Malware
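Review bot: the d3fend_techniques list (File Metadata Consistency Validation, Certificate Analysis, Application Protocol Command Analysis, Content Format Conversion, File Content Analysis) is identical to the one added to analyzing-ransomware-network-indicators in this diff, and three of the five are file-level countermeasures on a skill about DNS tunnelling, ICMP exfiltration and protocol abuse on the wire. D3FEND's network traffic analysis techniques (DNS Traffic Analysis, for one) are the obvious fit for a covert-channel skill. The old frontmatter has no mitre_attack field, so please record where these labels came from.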
@@ -1,12 +1,28 @@
--- ---
name: analyzing-outlook-pst-for-email-forensics name: analyzing-outlook-pst-for-email-forensics
description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments, deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident response. description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments,
deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident
response.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [email-forensics, pst, ost, outlook, mapi, email-headers, attachments, deleted-emails, libpff, eml-extraction] tags:
version: "1.0" - email-forensics
- pst
- ost
- outlook
- mapi
- email-headers
- attachments
- deleted-emails
- libpff
- eml-extraction
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- MANAGE-2.4
- MANAGE-3.1
- MEASURE-3.1
--- ---
# Analyzing Outlook PST for Email Forensics # Analyzing Outlook PST for Email Forensics
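Review bot: nist_ai_rmf subcategories (MANAGE-2.4, MANAGE-3.1, MEASURE-3.1) are added to a PST/OST e-mail forensics skill that involves no AI system, and MEASURE-3.1 does not appear in the "Core functions covered" list this commit adds to ATTACK_COVERAGE.md, so the summary and the data already disagree. Unless the skill is meant to cover incidents involving an AI system, drop the field; if it stays, the coverage document needs to be regenerated from the frontmatter rather than maintained by hand.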
@@ -1,49 +1,11 @@
--- ---
name: analyzing-persistence-mechanisms-in-linux {}
description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring ---tags:
domain: cybersecurity - linux-persistence
subdomain: threat-hunting - crontab
tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response] - systemd
mitre_attack: ["T1053.003", "T1543.002", "T1574.006", "T1546.004"] - ld-preload
version: "1.0" - auditd
author: mahipal - threat-hunting
license: Apache-2.0 - incident-response
--- version: '1.0'
# Analyzing Persistence Mechanisms in Linux
## Overview
Adversaries establish persistence on Linux systems through crontab jobs, systemd service/timer units, LD_PRELOAD library injection, shell profile modifications (.bashrc, .profile), SSH authorized_keys backdoors, and init script manipulation. This skill scans for all known persistence vectors, checks file timestamps and integrity, and correlates findings with auditd logs to build a timeline of persistence installation.
## When to Use
- When investigating security incidents that require analyzing persistence mechanisms in linux
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Root or sudo access on target Linux system (or forensic image)
- auditd configured with file watch rules on persistence paths
- Python 3.8+ with standard library (os, subprocess, json)
- Optional: OSSEC/Wazuh agent for file integrity monitoring alerts
## Steps
1. **Scan Crontab Entries** — Enumerate all user crontabs, /etc/cron.d/, /etc/cron.daily/, and anacron jobs for suspicious commands
2. **Audit Systemd Units** — Check /etc/systemd/system/ and ~/.config/systemd/user/ for non-package-managed service and timer units
3. **Detect LD_PRELOAD Hijacking** — Check /etc/ld.so.preload and LD_PRELOAD environment variable for injected shared libraries
4. **Inspect Shell Profiles** — Scan .bashrc, .bash_profile, .profile, /etc/profile.d/ for injected commands or reverse shells
5. **Check SSH Authorized Keys** — Audit all authorized_keys files for unauthorized public keys with command restrictions
6. **Correlate Auditd Logs** — Search auditd logs for file modification events on persistence paths to build an installation timeline
7. **Generate Persistence Report** — Produce a risk-scored report of all discovered persistence mechanisms
## Expected Output
- JSON report of all persistence mechanisms found with risk scores
- Timeline of persistence installation from auditd correlation
- MITRE ATT&CK technique mapping (T1053, T1543, T1574, T1546)
- Remediation commands for each detected persistence mechanism
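Review bot: this hunk wipes the skill: the new frontmatter is `---`, `{}`, `---tags:` (closing delimiter and key on one line), so name, description, domain, subdomain, the mitre_attack list, author and license are lost, the overview, prerequisites, seven-step procedure and expected-output section are deleted (49 lines reduced to 11), and no atlas/d3fend/nist field is added in their place. The same corruption hits analyzing-malware-persistence-with-autoruns and analyzing-security-logs-with-splunk, and these three are exactly the files in this diff whose old frontmatter has a `mitre_attack:` list, so the failure is in the path that consumes ATT&CK IDs. Revert the three files and rerun after making the script fail closed (write nothing if the frontmatter does not round-trip).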
@@ -1,12 +1,32 @@
--- ---
name: analyzing-powershell-empire-artifacts name: analyzing-powershell-empire-artifacts
description: Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events. description: Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns,
default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [PowerShell-Empire, threat-hunting, Script-Block-Logging, base64, stager, C2, MITRE-ATT&CK, T1059.001, forensics] tags:
version: "1.0" - PowerShell-Empire
- threat-hunting
- Script-Block-Logging
- base64
- stager
- C2
- MITRE-ATT&CK
- T1059.001
- forensics
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_ai_rmf:
- GOVERN-1.1
- MEASURE-2.7
- MANAGE-3.1
--- ---
# Analyzing PowerShell Empire Artifacts # Analyzing PowerShell Empire Artifacts
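Review bot: the five d3fend_techniques here are the same five added to analyzing-apt-group-with-mitre-navigator, and this file's old frontmatter has no mitre_attack field either (T1059.001 appears only as a free-text tag), so the labels were not derived from ATT&CK IDs as the commit message states. For a Script Block Logging hunt, Executable Denylisting and Execution Isolation are preventive controls, not the detection analytics the skill implements. GOVERN-1.1, MEASURE-2.7 and MANAGE-3.1 from the NIST AI RMF are also attached to a PowerShell Empire artefact hunt with no AI component. Recommend promoting T1059.001 to a proper mitre_attack list, deriving D3FEND labels from that, and dropping nist_ai_rmf.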
@@ -1,12 +1,26 @@
--- ---
name: analyzing-ransomware-network-indicators name: analyzing-ransomware-network-indicators
description: Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange via Zeek conn.log and NetFlow analysis description: Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration
flows, and encryption key exchange via Zeek conn.log and NetFlow analysis
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [ransomware, c2-beaconing, zeek, netflow, tor, exfiltration, network-forensics] tags:
version: "1.0" - ransomware
- c2-beaconing
- zeek
- netflow
- tor
- exfiltration
- network-forensics
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Certificate Analysis
- Application Protocol Command Analysis
- Content Format Conversion
- File Content Analysis
--- ---
# Analyzing Ransomware Network Indicators # Analyzing Ransomware Network Indicators
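Review bot: the d3fend_techniques list is a verbatim copy of the one added to analyzing-network-covert-channels-in-malware, and File Metadata Consistency Validation, Content Format Conversion and File Content Analysis are file-level countermeasures on a skill that works from Zeek conn.log and NetFlow; only Certificate Analysis plausibly relates to TLS-wrapped C2 beaconing. With no mitre_attack field in the old frontmatter to derive from, record the provenance or pick labels from D3FEND's network traffic analysis techniques.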
@@ -1,18 +1,36 @@
--- ---
name: analyzing-sbom-for-supply-chain-vulnerabilities name: analyzing-sbom-for-supply-chain-vulnerabilities
description: > description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities
Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores,
supply chain vulnerabilities by correlating components against the NVD CVE database via identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis,
the NVD 2.0 API. Builds dependency graphs, calculates risk scores, identifies transitive software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing,
vulnerability paths, and generates compliance reports. Activates for requests involving or CVE correlation.
SBOM analysis, software composition analysis, supply chain security assessment, dependency
vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation. '
domain: cybersecurity domain: cybersecurity
subdomain: supply-chain-security subdomain: supply-chain-security
tags: [SBOM, CycloneDX, SPDX, NVD, CVE, supply-chain, dependency-analysis, syft, grype] tags:
- SBOM
- CycloneDX
- SPDX
- NVD
- CVE
- supply-chain
- dependency-analysis
- syft
- grype
version: 1.0.0 version: 1.0.0
author: mukul975 author: mukul975
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0010
- AML.T0104
nist_ai_rmf:
- GOVERN-5.2
- MAP-1.6
- MANAGE-2.2
- GOVERN-1.1
- GOVERN-4.2
--- ---
# Analyzing SBOM for Supply Chain Vulnerabilities # Analyzing SBOM for Supply Chain Vulnerabilities
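Review bot: AML.T0010 (labelled "AI Supply Chain Compromise" in this commit's coverage hunk) is defensible on an SBOM skill only if the SBOM covers models and datasets, but the description talks about software components, CycloneDX/SPDX and NVD CVE correlation; either mention model components (CycloneDX's ML-BOM extension) in the description or keep the mapping off. AML.T0104 is not explained anywhere in the coverage document. The five nist_ai_rmf subcategories include GOVERN-5.2, GOVERN-4.2 and MANAGE-2.2, none of which appear in the summary list added to ATTACK_COVERAGE.md, so that summary is incomplete. The description also keeps a trailing space before its closing quote (`correlation. '`) from the old `>` block's final newline.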
@@ -1,239 +1,8 @@
--- ---
name: analyzing-security-logs-with-splunk {}
description: > ---tags:
Leverages Splunk Enterprise Security and SPL (Search Processing Language) to - splunk
investigate security incidents through log correlation, timeline reconstruction, - SPL
and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and - SIEM
authentication data analysis. Activates for requests involving Splunk investigation, - log-analysis
SPL queries, SIEM log analysis, security event correlation, or log-based incident - security-monitoring
investigation.
domain: cybersecurity
subdomain: incident-response
tags: [splunk, SPL, SIEM, log-analysis, security-monitoring]
mitre_attack: ["T1070", "T1562", "T1059"]
version: 1.0.0
author: mahipal
license: Apache-2.0
---
# Analyzing Security Logs with Splunk
## When to Use
- Investigating a security incident that requires correlation across multiple log sources
- Hunting for adversary activity using known TTPs and IOCs
- Building detection rules for specific attack patterns
- Reconstructing an incident timeline from disparate log sources
- Analyzing authentication anomalies, lateral movement, or data exfiltration patterns
**Do not use** for real-time packet-level analysis; use Wireshark or Zeek for full packet capture analysis.
## Prerequisites
- Splunk Enterprise or Splunk Cloud with Enterprise Security (ES) app installed
- Log sources ingested: Windows Event Logs (via Splunk Universal Forwarder or WEF), firewall, proxy, DNS, EDR, email gateway
- Splunk CIM (Common Information Model) data models configured for normalized field names
- SPL proficiency at intermediate level or higher
- Role-based access with `search` and `accelerate_search` capabilities in Splunk
## Workflow
### Step 1: Scope the Investigation in Splunk
Define search parameters based on incident triage data:
```spl
| Set initial investigation scope
index=windows OR index=firewall OR index=proxy
earliest="2025-11-14T00:00:00" latest="2025-11-16T00:00:00"
(host="WKSTN-042" OR src_ip="10.1.5.42" OR user="jsmith")
| stats count by index, sourcetype, host
| sort -count
```
This query establishes which log sources contain relevant data for the investigation timeframe and affected assets.
### Step 2: Analyze Authentication Events
Investigate suspicious authentication patterns using Windows Security Event Logs:
```spl
| Detect brute force and credential stuffing
index=windows sourcetype="WinEventLog:Security" EventCode=4625
earliest=-24h
| stats count as failed_attempts, values(src_ip) as source_ips,
dc(src_ip) as unique_sources by TargetUserName
| where failed_attempts > 10
| sort -failed_attempts
| Detect pass-the-hash (Logon Type 9 - NewCredentials)
index=windows sourcetype="WinEventLog:Security" EventCode=4624
Logon_Type=9
| table _time, host, TargetUserName, src_ip, LogonProcessName
| Detect lateral movement via RDP
index=windows sourcetype="WinEventLog:Security" EventCode=4624
Logon_Type=10
| stats count, values(host) as targets by TargetUserName, src_ip
| where count > 3
| sort -count
```
### Step 3: Trace Process Execution
Use Sysmon logs to reconstruct process execution chains:
```spl
| Process creation with parent chain (Sysmon Event ID 1)
index=sysmon EventCode=1 host="WKSTN-042"
earliest="2025-11-15T14:00:00" latest="2025-11-15T15:00:00"
| table _time, ParentImage, ParentCommandLine, Image, CommandLine, User, Hashes
| sort _time
| Detect suspicious PowerShell execution
index=sysmon EventCode=1 Image="*\\powershell.exe"
(CommandLine="*-enc*" OR CommandLine="*-encodedcommand*"
OR CommandLine="*downloadstring*" OR CommandLine="*iex*")
| table _time, host, User, ParentImage, CommandLine
| sort _time
| Detect LSASS credential dumping
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
GrantedAccess=0x1010
| table _time, host, SourceImage, SourceUser, GrantedAccess
```
### Step 4: Analyze Network Activity
Correlate network logs with endpoint events:
```spl
| Detect C2 beaconing pattern
index=proxy OR index=firewall dest_ip="185.220.101.42"
| timechart span=1m count by src_ip
| where count > 0
| Detect DNS tunneling (high query volume to single domain)
index=dns
| rex field=query "(?<subdomain>[^\.]+)\.(?<domain>[^\.]+\.[^\.]+)$"
| stats count, avg(len(query)) as avg_query_len by domain, src_ip
| where count > 500 AND avg_query_len > 40
| sort -count
| Detect large data transfers (potential exfiltration)
index=proxy action=allowed
| stats sum(bytes_out) as total_bytes by src_ip, dest_ip, dest_host
| eval total_MB=round(total_bytes/1024/1024,2)
| where total_MB > 100
| sort -total_MB
```
### Step 5: Build the Incident Timeline
Reconstruct a unified timeline across all log sources:
```spl
| Unified incident timeline
index=windows OR index=sysmon OR index=proxy OR index=firewall
(host="WKSTN-042" OR src_ip="10.1.5.42" OR user="jsmith")
earliest="2025-11-15T14:00:00" latest="2025-11-15T16:00:00"
| eval event_summary=case(
sourcetype=="WinEventLog:Security" AND EventCode==4624, "Logon: ".TargetUserName." from ".src_ip,
sourcetype=="WinEventLog:Security" AND EventCode==4625, "Failed logon: ".TargetUserName,
sourcetype=="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode==1,
"Process: ".Image." by ".User,
sourcetype=="proxy", "Web: ".http_method." ".url,
1==1, sourcetype.": ".EventCode)
| table _time, sourcetype, host, event_summary
| sort _time
```
### Step 6: Create Detection Rules
Convert investigation findings into persistent Splunk correlation searches:
```spl
| Correlation search: PowerShell spawned by Office applications
index=sysmon EventCode=1
Image="*\\powershell.exe"
(ParentImage="*\\winword.exe" OR ParentImage="*\\excel.exe"
OR ParentImage="*\\outlook.exe")
| eval severity="high"
| eval mitre_technique="T1059.001"
| collect index=notable_events
```
## Key Concepts
| Term | Definition |
|------|------------|
| **SPL (Search Processing Language)** | Splunk's query language for searching, filtering, transforming, and visualizing machine data |
| **CIM (Common Information Model)** | Splunk's field normalization standard that maps vendor-specific field names to common names for cross-source queries |
| **Notable Event** | An event in Splunk Enterprise Security flagged for analyst review based on a correlation search match |
| **Data Model** | Structured representation of indexed data in Splunk enabling accelerated searches and pivot-based analysis |
| **Sourcetype** | Classification label in Splunk that defines the format and parsing rules for a specific log type |
| **Correlation Search** | Scheduled Splunk search that runs continuously and generates notable events when conditions are met |
| **Timechart** | SPL command that creates time-series visualizations for identifying patterns, anomalies, and trends |
## Tools & Systems
- **Splunk Enterprise Security (ES)**: Premium SIEM application providing correlation searches, risk-based alerting, and investigation workbench
- **Splunk SOAR**: Orchestration platform integrated with Splunk ES for automated response playbooks
- **Sysmon**: Microsoft system monitoring tool providing detailed process, network, and file change telemetry ingested into Splunk
- **Splunk Attack Analyzer**: Automated threat analysis that detonates suspicious files and URLs, feeding results into Splunk
- **BOSS of the SOC (BOTS)**: SANS/Splunk training dataset for practicing incident investigation SPL queries
## Common Scenarios
### Scenario: Investigating Credential Stuffing Leading to Account Takeover
**Context**: Security operations receives an alert for multiple successful logins to a single account from geographically dispersed IP addresses within a 30-minute window.
**Approach**:
1. Query Event ID 4624 for the affected account to map all login sources and times
2. Correlate login IPs against threat intelligence feeds using a Splunk lookup table
3. Check proxy logs for suspicious activity from the authenticated sessions
4. Search for lateral movement from the compromised account (Event ID 4624 Type 3 to other hosts)
5. Build a timeline showing credential stuffing attempts, successful login, and post-compromise activity
6. Create a correlation search to detect similar patterns on other accounts
**Pitfalls**:
- Searching only the last 24 hours when the credential stuffing may have occurred over weeks
- Not checking for VPN logs that may show the same account authenticating from impossible travel distances
- Failing to normalize timestamps across log sources in different time zones
## Output Format
```
SPLUNK INVESTIGATION REPORT
============================
Incident: INC-2025-1547
Analyst: [Name]
Investigation Period: 2025-11-14 00:00 UTC - 2025-11-16 00:00 UTC
SEARCH SCOPE
Indexes: windows, sysmon, proxy, firewall, dns
Hosts: WKSTN-042, SRV-FILE01
Users: jsmith, svc-backup
Source IPs: 10.1.5.42, 10.1.10.15
KEY FINDINGS
1. [timestamp] - Initial compromise via phishing (Sysmon Event 1)
2. [timestamp] - C2 established (proxy logs, beacon pattern detected)
3. [timestamp] - Credential theft (Sysmon Event 10, LSASS access)
4. [timestamp] - Lateral movement to SRV-FILE01 (Event 4624 Type 3)
5. [timestamp] - Data staging and exfiltration (proxy bytes_out anomaly)
SPL QUERIES USED
[numbered list of key queries with descriptions]
DETECTION GAPS IDENTIFIED
- No Sysmon deployed on SRV-FILE01 (blind spot)
- Proxy logs missing SSL inspection for C2 domain
- PowerShell ScriptBlock logging not enabled
RECOMMENDED DETECTIONS
1. Correlation search for Office-spawned PowerShell
2. Threshold alert for LSASS access patterns
3. Behavioral rule for beacon-interval network traffic
```
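Review bot: this hunk deletes the entire body of the Splunk skill, not just its old frontmatter: after the new side's `- security-monitoring` tag there is no replacement for anything from `domain: cybersecurity` through the closing fence of the `SPLUNK INVESTIGATION REPORT` block, so the Workflow, Key Concepts, Common Scenarios and Output Format sections are all gone. The same failure is visible in the Timesketch hunk further down (`@@ -1,245 +1,11 @@`), where the new frontmatter collapses to `{}` followed by `---tags:` and the file shrinks to 11 lines. The script that rewrote these files (the commit message describes only adding fields) must split on the closing `---`, update the YAML mapping, and write the original body back verbatim; a pre-commit check that every SKILL.md still contains its `# ` title line and that no file's line count decreases would have caught both of these before they reached the commit.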
@@ -1,12 +1,33 @@
--- ---
name: analyzing-supply-chain-malware-artifacts name: analyzing-supply-chain-malware-artifacts
description: Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines, and sideloaded dependencies to identify intrusion vectors and scope of compromise. description: Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines,
and sideloaded dependencies to identify intrusion vectors and scope of compromise.
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [supply-chain, malware-analysis, trojanized-software, solarwinds, 3cx, dependency-confusion, software-integrity] tags:
version: "1.0" - supply-chain
- malware-analysis
- trojanized-software
- solarwinds
- 3cx
- dependency-confusion
- software-integrity
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0010
- AML.T0104
nist_ai_rmf:
- GOVERN-5.2
- MAP-1.6
- MANAGE-2.2
d3fend_techniques:
- Platform Hardening
- Hardware Component Inventory
- Restore Object
- Electromagnetic Radiation Hardening
- RF Shielding
--- ---
# Analyzing Supply Chain Malware Artifacts # Analyzing Supply Chain Malware Artifacts
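Review bot: the `d3fend_techniques` list in this hunk includes `Electromagnetic Radiation Hardening` and `RF Shielding`, which are physical-emanation countermeasures with no bearing on trojanized updates, compromised build pipelines or dependency confusion, and `Hardware Component Inventory` is likewise a hardware control on a software supply chain skill. Since the commit message says these labels are derived from ATT&CK IDs, the lookup is probably keyed on a supply-chain technique whose hardware sub-technique is contributing these labels; restrict the derivation to the software side or hand-curate this entry so that the five labels are ones an analyst of this skill would actually apply (of the five, only `Platform Hardening` and `Restore Object` are defensible here).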
@@ -1,12 +1,26 @@
--- ---
name: analyzing-threat-actor-ttps-with-mitre-attack name: analyzing-threat-actor-ttps-with-mitre-attack
description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs)
based on real-world observations. This skill covers systematically mapping threat actor beh
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [threat-intelligence, cti, ioc, mitre-attack, stix, ttp-analysis, threat-actors] tags:
version: "1.0" - threat-intelligence
- cti
- ioc
- mitre-attack
- stix
- ttp-analysis
- threat-actors
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
--- ---
# Analyzing Threat Actor TTPs with MITRE ATT&CK # Analyzing Threat Actor TTPs with MITRE ATT&CK
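Review bot: the description is still cut off mid-word (`This skill covers systematically mapping threat actor beh`) on both sides of this hunk, so the rewrite re-emitted a truncated value instead of fixing it; complete the sentence before merging, since this field is what triggers the skill. Separately, the five `d3fend_techniques` entries (`Executable Denylisting` through `File Content Analysis`) are the identical list that the building-detection-rule-with-splunk-spl hunk receives further down, and they are endpoint execution controls rather than anything a CTI analyst mapping TTPs would deploy; if the list is keyed on an ATT&CK tag the two skills share, the derivation is not skill-specific enough to be useful.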
@@ -1,18 +1,38 @@
--- ---
name: analyzing-threat-actor-ttps-with-mitre-navigator name: analyzing-threat-actor-ttps-with-mitre-navigator
description: > description: 'Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework
Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to using the ATT&CK Navigator and attackcti Python library. The analyst queries STIX/TAXII data for group-technique associations,
the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti Python library. The generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles. Activates
analyst queries STIX/TAXII data for group-technique associations, generates Navigator layer for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis.
files for visualization, and compares defensive coverage against adversary profiles.
Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor '
profiling, or MITRE technique coverage analysis.
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [mitre-attack, navigator, threat-intelligence, apt, ttp-mapping, stix, attackcti] tags:
version: "1.0" - mitre-attack
- navigator
- threat-intelligence
- apt
- ttp-mapping
- stix
- attackcti
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
--- ---
# Analyzing Threat Actor TTPs with MITRE Navigator # Analyzing Threat Actor TTPs with MITRE Navigator
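Review bot: the `atlas_techniques` entries AML.T0070, AML.T0066 and AML.T0082 do not fit a skill about querying ATT&CK STIX data and producing Navigator layers; AML.T0070 is RAG Poisoning per the ATTACK_COVERAGE.md change in this same commit, and the identical trio together with the same `nist_ai_rmf` set (MEASURE-2.7, MAP-5.1, MANAGE-2.4) is applied to the building-cloud-siem-with-sentinel hunk below, so this reads as a shared default block rather than a per-skill judgement. Also, converting the `description: >` folded block into a single-quoted scalar leaves a lone `'` on its own line and produces 120-plus-column lines; keep block scalars for multi-line strings (a custom representer in the YAML dumper does this) so the diff stays readable and the real field additions stand out.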
@@ -1,17 +1,25 @@
--- ---
name: analyzing-threat-landscape-with-misp name: analyzing-threat-landscape-with-misp
description: >- description: Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics,
Analyze the threat landscape using MISP (Malware Information Sharing Platform) attribute distributions, threat actor galaxy clusters, and tag trends over time. Uses PyMISP to pull event data, compute
by querying event statistics, attribute distributions, threat actor galaxy IOC type breakdowns, identify top threat actors and malware families, and generate threat landscape reports with temporal
clusters, and tag trends over time. Uses PyMISP to pull event data, compute trends.
IOC type breakdowns, identify top threat actors and malware families, and
generate threat landscape reports with temporal trends.
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [analyzing, threat, landscape, with] tags:
version: "1.0" - analyzing
- threat
- landscape
- with
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
--- ---
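Review bot: the tags `analyzing`, `threat`, `landscape` and `with` are just the tokens of the skill name, and `with` is pure noise; this hunk reflows them into a list but keeps them, so fix them while the field is being rewritten (misp, pymisp, threat-intelligence and galaxy-clusters would match the description). The `d3fend_techniques` list is again the same five labels (`File Metadata Consistency Validation` through `Message Analysis`) that the Navigator and attack-pattern-library hunks receive, and none of them describes what a MISP event-statistics skill does.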
@@ -1,16 +1,23 @@
--- ---
name: analyzing-tls-certificate-transparency-logs name: analyzing-tls-certificate-transparency-logs
description: > description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate
Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing issuance, and shadow IT. Monitors newly issued certificates for typosquatting and brand impersonation using Levenshtein
domains, unauthorized certificate issuance, and shadow IT. Monitors newly issued distance. Use for proactive phishing domain detection and certificate monitoring.
certificates for typosquatting and brand impersonation using Levenshtein distance.
Use for proactive phishing domain detection and certificate monitoring. '
domain: cybersecurity domain: cybersecurity
subdomain: security-operations subdomain: security-operations
tags: [analyzing, tls, certificate, transparency] tags:
version: "1.0" - analyzing
- tls
- certificate
- transparency
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0073
- AML.T0052
--- ---
# Analyzing TLS Certificate Transparency Logs # Analyzing TLS Certificate Transparency Logs
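Review bot: this skill has no AI/ML component (it queries crt.sh for lookalike certificates), yet it receives `atlas_techniques` AML.T0073 and AML.T0052, and the dnstwist hunk below gets exactly the same pair; the commit message describes ATLAS IDs as AI-targeted attack techniques, so either document in ATTACK_COVERAGE.md the criterion under which phishing and brand-impersonation skills are tagged with ATLAS IDs, or drop the field from non-AI skills so the 81-skill count reflects actual AI coverage.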
@@ -1,12 +1,24 @@
--- ---
name: analyzing-typosquatting-domains-with-dnstwist name: analyzing-typosquatting-domains-with-dnstwist
description: Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations and identify registered lookalike domains targeting your organization. description: Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations
and identify registered lookalike domains targeting your organization.
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [dnstwist, typosquatting, phishing, domain-monitoring, brand-protection, homograph, dns, threat-intelligence] tags:
version: "1.0" - dnstwist
- typosquatting
- phishing
- domain-monitoring
- brand-protection
- homograph
- dns
- threat-intelligence
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0073
- AML.T0052
--- ---
# Analyzing Typosquatting Domains with DNSTwist # Analyzing Typosquatting Domains with DNSTwist
@@ -1,19 +1,31 @@
--- ---
name: analyzing-uefi-bootkit-persistence name: analyzing-uefi-bootkit-persistence
description: > description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition
Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, (ESP) modifications, Secure Boot bypass techniques, and UEFI variable manipulation. Covers detection of known bootkit families
EFI System Partition (ESP) modifications, Secure Boot bypass techniques, and UEFI (BlackLotus, LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, chipsec-based firmware
variable manipulation. Covers detection of known bootkit families (BlackLotus, LoJax, integrity verification, and Secure Boot configuration auditing. Activates for requests involving UEFI malware analysis,
MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, firmware persistence investigation, boot chain integrity verification, or Secure Boot bypass detection.
chipsec-based firmware integrity verification, and Secure Boot configuration auditing.
Activates for requests involving UEFI malware analysis, firmware persistence investigation, '
boot chain integrity verification, or Secure Boot bypass detection.
domain: cybersecurity domain: cybersecurity
subdomain: firmware-security subdomain: firmware-security
tags: [UEFI, bootkit, firmware, Secure-Boot, chipsec, ESP, persistence] tags:
- UEFI
- bootkit
- firmware
- Secure-Boot
- chipsec
- ESP
- persistence
version: 1.0.0 version: 1.0.0
author: mukul975 author: mukul975
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Platform Hardening
- Restore Object
- Platform Monitoring
- Firmware Verification
- Firmware Embedded Monitoring Code
--- ---
# Analyzing UEFI Bootkit Persistence # Analyzing UEFI Bootkit Persistence
@@ -1,16 +1,30 @@
--- ---
name: analyzing-windows-event-logs-in-splunk name: analyzing-windows-event-logs-in-splunk
description: > description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege
Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC
privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows
MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats, endpoints and domain controllers.
build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers.
'
domain: cybersecurity domain: cybersecurity
subdomain: soc-operations subdomain: soc-operations
tags: [soc, splunk, windows-events, sysmon, event-logs, mitre-attack, active-directory] tags:
version: "1.0" - soc
- splunk
- windows-events
- sysmon
- event-logs
- mitre-attack
- active-directory
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Restore Access
- Password Authentication
- Biometric Authentication
- Strong Password Policy
- Restore User Account Access
--- ---
# Analyzing Windows Event Logs in Splunk # Analyzing Windows Event Logs in Splunk
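Review bot: `Biometric Authentication`, `Strong Password Policy` and `Restore User Account Access` are Harden/Restore controls an identity team implements, not countermeasures relevant to a SOC analyst writing SPL over Windows and Sysmon events; the mapping is evidently returning the authentication-hardening countermeasures of whatever credential-related ATT&CK technique this skill carries, while the Detect tactic that the coverage doc lists is what this skill is actually about. Prefer Detect-tactic labels for skills in the soc-operations subdomain, or weight the top-5 selection by subdomain so log-analysis skills do not end up with password-policy advice.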
@@ -1,17 +1,26 @@
--- ---
name: auditing-cloud-with-cis-benchmarks name: auditing-cloud-with-cis-benchmarks
description: > description: 'This skill details how to conduct cloud security audits using Center for Internet Security benchmarks for AWS,
This skill details how to conduct cloud security audits using Center for Internet Azure, and GCP. It covers interpreting CIS Foundations Benchmark controls, running automated assessments with tools like
Security benchmarks for AWS, Azure, and GCP. It covers interpreting CIS Foundations Prowler and ScoutSuite, remediating failed controls, and maintaining continuous compliance monitoring against CIS v5 for
Benchmark controls, running automated assessments with tools like Prowler and AWS, v4 for Azure, and v4 for GCP.
ScoutSuite, remediating failed controls, and maintaining continuous compliance
monitoring against CIS v5 for AWS, v4 for Azure, and v4 for GCP. '
domain: cybersecurity domain: cybersecurity
subdomain: cloud-security subdomain: cloud-security
tags: [cis-benchmarks, cloud-audit, compliance-assessment, prowler, security-hardening] tags:
- cis-benchmarks
- cloud-audit
- compliance-assessment
- prowler
- security-hardening
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- GOVERN-1.1
- GOVERN-4.2
- MAP-2.3
--- ---
# Auditing Cloud with CIS Benchmarks # Auditing Cloud with CIS Benchmarks
@@ -1,12 +1,27 @@
--- ---
name: building-attack-pattern-library-from-cti-reports name: building-attack-pattern-library-from-cti-reports
description: Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering and threat-informed defense. description: Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library
mapped to MITRE ATT&CK for detection engineering and threat-informed defense.
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [attack-pattern, cti-reports, mitre-attack, stix, detection-engineering, threat-intelligence, nlp, extraction] tags:
version: "1.0" - attack-pattern
- cti-reports
- mitre-attack
- stix
- detection-engineering
- threat-intelligence
- nlp
- extraction
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
--- ---
# Building Attack Pattern Library from CTI Reports # Building Attack Pattern Library from CTI Reports
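Review bot: the `d3fend_techniques` list added here is verbatim the one given to analyzing-threat-actor-ttps-with-mitre-navigator and analyzing-threat-landscape-with-misp above, so three threat-intelligence skills with different tag sets all resolve to the same top five; the "top 5 most relevant" claim in ATTACK_COVERAGE.md is not holding for this subdomain. Adding a duplicate check to the generator (flag any list that appears unchanged on more than a handful of skills) would surface these and force a closer mapping, and for this skill in particular `Identifier Analysis` and `Message Analysis` say nothing about cataloguing attack patterns into STIX.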
@@ -1,12 +1,26 @@
--- ---
name: building-c2-infrastructure-with-sliver-framework name: building-c2-infrastructure-with-sliver-framework
description: Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements. description: Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with
redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements.
domain: cybersecurity domain: cybersecurity
subdomain: red-teaming subdomain: red-teaming
tags: [red-team, c2-framework, sliver, command-and-control, adversary-simulation, infrastructure, post-exploitation] tags:
version: "1.0" - red-team
- c2-framework
- sliver
- command-and-control
- adversary-simulation
- infrastructure
- post-exploitation
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Certificate Analysis
- Application Protocol Command Analysis
- Content Format Conversion
- File Content Analysis
--- ---
# Building C2 Infrastructure with Sliver Framework # Building C2 Infrastructure with Sliver Framework
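Review bot: for a red-team skill the `d3fend_techniques` field is only meaningful as the set of countermeasures that would detect the infrastructure being built, and of the five listed only `Certificate Analysis` relates to HTTPS listeners and redirectors; `File Metadata Consistency Validation`, `Content Format Conversion` and `File Content Analysis` are file-inspection controls that do not bear on C2 traffic. State in ATTACK_COVERAGE.md that on offensive skills this field means "defenses this tradecraft should be validated against", and choose the labels on that basis.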
@@ -1,17 +1,30 @@
--- ---
name: building-cloud-siem-with-sentinel name: building-cloud-siem-with-sentinel
description: > description: 'This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR platform for centralized security
This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR operations. It details configuring data connectors for multi-cloud log ingestion, writing KQL detection queries, building
platform for centralized security operations. It details configuring data connectors automated response playbooks with Logic Apps, and leveraging the Sentinel data lake for petabyte-scale threat hunting across
for multi-cloud log ingestion, writing KQL detection queries, building automated AWS, Azure, and GCP security telemetry.
response playbooks with Logic Apps, and leveraging the Sentinel data lake for
petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry. '
domain: cybersecurity domain: cybersecurity
subdomain: cloud-security subdomain: cloud-security
tags: [microsoft-sentinel, cloud-siem, kql-queries, soar-automation, threat-detection] tags:
- microsoft-sentinel
- cloud-siem
- kql-queries
- soar-automation
- threat-detection
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
--- ---
# Building Cloud SIEM with Sentinel # Building Cloud SIEM with Sentinel
@@ -1,12 +1,27 @@
--- ---
name: building-detection-rule-with-splunk-spl name: building-detection-rule-with-splunk-spl
description: Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify security threats in SOC environments. description: Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify
security threats in SOC environments.
domain: cybersecurity domain: cybersecurity
subdomain: soc-operations subdomain: soc-operations
tags: [splunk, spl, detection-engineering, correlation-search, siem, soc, threat-detection, enterprise-security] tags:
version: "1.0" - splunk
- spl
- detection-engineering
- correlation-search
- siem
- soc
- threat-detection
- enterprise-security
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
--- ---
# Building Detection Rules with Splunk SPL # Building Detection Rules with Splunk SPL
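Review bot: `Executable Denylisting` and `Execution Isolation` are Harden/Isolate endpoint controls, not something a detection engineer implements in SPL correlation searches, and this five-label list is the same one applied to analyzing-threat-actor-ttps-with-mitre-attack above, which points to both skills being keyed on a shared ATT&CK execution technique. A detection-engineering skill is better served by Detect-tactic countermeasures (the coverage doc names that category) than by host hardening, so the selection should favour Detect for skills tagged detection-engineering.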
@@ -1,16 +1,31 @@
--- ---
name: building-detection-rules-with-sigma name: building-detection-rules-with-sigma
description: > description: 'Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms
Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence,
SIEM platforms including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac
detection logic from threat intelligence, mapping rules to MITRE ATT&CK techniques, or converting or pySigma backends.
community Sigma rules into platform-specific queries using sigmac or pySigma backends.
'
domain: cybersecurity domain: cybersecurity
subdomain: soc-operations subdomain: soc-operations
tags: [soc, sigma, detection-rules, siem, mitre-attack, splunk, elastic, sentinel] tags:
version: "1.0" - soc
- sigma
- detection-rules
- siem
- mitre-attack
- splunk
- elastic
- sentinel
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Execution Isolation
- Process Termination
- Hardware-based Process Isolation
- Web Session Access Mediation
- Process Suspension
--- ---
# Building Detection Rules with Sigma # Building Detection Rules with Sigma
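Review bot: `Process Termination`, `Process Suspension` and `Hardware-based Process Isolation` are Evict/Isolate response actions that a SOAR playbook would take, and `Web Session Access Mediation` is an access-control measure; none of the five describes writing or converting Sigma rules, whose whole purpose is detection. Given that the coverage doc promises each field lists the five "most relevant" countermeasures, this entry needs re-deriving so Detect-tactic labels are chosen for a rule-authoring skill.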
@@ -1,17 +1,27 @@
--- ---
name: building-identity-governance-lifecycle-process name: building-identity-governance-lifecycle-process
description: > description: 'Builds comprehensive identity governance and lifecycle management processes including joiner-mover-leaver automation,
Builds comprehensive identity governance and lifecycle management processes including role mining, access request workflows, periodic recertification, and orphaned account remediation using IGA platforms. Activates
joiner-mover-leaver automation, role mining, access request workflows, periodic for requests involving identity lifecycle management, JML processes, role-based access provisioning, or identity governance
recertification, and orphaned account remediation using IGA platforms. program design.
Activates for requests involving identity lifecycle management, JML processes,
role-based access provisioning, or identity governance program design. '
domain: cybersecurity domain: cybersecurity
subdomain: identity-access-management subdomain: identity-access-management
tags: [identity-governance, lifecycle-management, JML, access-provisioning, RBAC, IGA] tags:
version: "1.0" - identity-governance
- lifecycle-management
- JML
- access-provisioning
- RBAC
- IGA
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- GOVERN-1.1
- GOVERN-1.7
- MAP-1.1
--- ---
# Building Identity Governance Lifecycle Process # Building Identity Governance Lifecycle Process
@@ -1,245 +1,11 @@
--- ---
name: building-incident-timeline-with-timesketch {}
description: Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source event data for attack chain reconstruction and investigation documentation. ---tags:
domain: cybersecurity - timesketch
subdomain: incident-response - timeline-analysis
tags: [timesketch, timeline-analysis, forensic-timeline, plaso, dfir, incident-investigation, collaborative-forensics] - forensic-timeline
mitre_attack: ["T1070", "T1059", "T1053"] - plaso
version: "1.0" - dfir
author: mahipal - incident-investigation
license: Apache-2.0 - collaborative-forensics
--- version: '1.0'
# Building Incident Timeline with Timesketch
## Overview
Timesketch is an open-source collaborative forensic timeline analysis tool developed by Google that enables security teams to visualize and analyze chronological data from multiple sources during incident investigations. It ingests logs and artifacts from endpoints, servers, and cloud services, normalizes them into a unified searchable timeline, and provides powerful analysis capabilities including built-in analyzers, tagging, sketch annotations, and story building. Timesketch integrates with Plaso (log2timeline) for artifact parsing and supports direct CSV/JSONL ingestion for rapid timeline construction during active incidents.
## When to Use
- When deploying or configuring building incident timeline with timesketch capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with incident response concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Architecture and Components
### Core Components
- **Timesketch Server**: Web application with REST API for timeline management
- **OpenSearch/Elasticsearch**: Backend storage and search engine for timeline events
- **PostgreSQL**: Metadata storage for sketches, stories, and user data
- **Redis**: Task queue management for background processing
- **Celery Workers**: Asynchronous processing of timeline uploads and analyzers
### Data Flow
```
Evidence Sources --> Plaso/log2timeline --> Plaso storage file (.plaso)
| |
v v
CSV/JSONL --> Timesketch Importer --> OpenSearch Index
|
v
Timesketch Web UI
(Search, Analyze, Story)
```
## Deployment
### Docker Deployment (Recommended)
```bash
# Clone Timesketch repository
git clone https://github.com/google/timesketch.git
cd timesketch
# Run deployment helper script
cd docker
sudo docker compose up -d
# Default access: https://localhost:443
# Admin credentials generated during first run
```
### System Requirements
- Minimum 8 GB RAM (16+ GB recommended for large investigations)
- 4 CPU cores minimum
- SSD storage for OpenSearch indices
- Docker and Docker Compose installed
## Data Ingestion Methods
### Method 1: Plaso Integration (Comprehensive)
```bash
# Process disk image with log2timeline
log2timeline.py --storage-file evidence.plaso /path/to/disk/image
# Process Windows event logs
log2timeline.py --parsers winevtx --storage-file windows_events.plaso /path/to/evtx/
# Process multiple evidence sources
log2timeline.py --parsers "winevtx,prefetch,amcache,shimcache,userassist" \
--storage-file full_analysis.plaso /path/to/mounted/image/
# Import Plaso file into Timesketch
timesketch_importer -s "Case-2025-001" -t "Endpoint-WKS01" evidence.plaso
```
### Method 2: CSV Import (Quick Ingestion)
```csv
message,datetime,timestamp_desc,source,hostname
"User login detected","2025-01-15T08:30:00Z","Event Recorded","Security Log","DC01"
"PowerShell execution","2025-01-15T08:31:15Z","Event Recorded","PowerShell","WKS042"
```
```bash
# Import CSV directly
timesketch_importer -s "Case-2025-001" -t "Quick-Triage" events.csv
```
### Method 3: JSONL Import (Structured Data)
```json
{"message": "Suspicious logon from 10.1.2.3", "datetime": "2025-01-15T08:30:00Z", "timestamp_desc": "Event Recorded", "source_short": "Security", "hostname": "DC01"}
```
### Method 4: Sigma Rule Integration
```bash
# Upload Sigma rules for automated detection
timesketch_importer --sigma-rules /path/to/sigma/rules/
```
## Analysis Workflow
### Step 1: Create Investigation Sketch
```
1. Log into Timesketch web interface
2. Create new sketch (investigation case)
3. Add relevant timelines to the sketch
4. Set sketch description and tags
```
### Step 2: Run Built-in Analyzers
Timesketch includes analyzers that automatically identify:
- **Browser Search Analyzer**: Extracts search queries from browser history
- **Chain of Events Analyzer**: Links related events (download -> execute)
- **Domain Analyzer**: Extracts and categorizes domain names
- **Feature Extraction Analyzer**: Identifies IPs, URLs, hashes
- **Geo Location Analyzer**: Maps events to geographic locations
- **Similarity Scorer**: Finds similar events across timelines
- **Sigma Analyzer**: Matches events against Sigma detection rules
- **Account Finder**: Identifies user account activity patterns
- **Tagger**: Applies labels based on predefined rules
### Step 3: Search and Filter
```
# Search examples in Timesketch query language
# Find all events related to specific user
source_short:Security AND message:"john.admin"
# Find PowerShell execution events
data_type:"windows:evtx:record" AND event_identifier:4104
# Find lateral movement indicators
source_short:Security AND event_identifier:4624 AND xml_string:"LogonType\">3"
# Find events within specific time range
datetime:[2025-01-15T00:00:00 TO 2025-01-15T23:59:59]
# Find file creation events
data_type:"fs:stat" AND timestamp_desc:"Creation Time"
# Search with tags
tag:"suspicious" OR tag:"lateral_movement"
```
### Step 4: Build Investigation Story
```
1. Create new story within the sketch
2. Add search views that support each finding
3. Annotate key events with investigator notes
4. Link events to MITRE ATT&CK techniques
5. Document the attack narrative chronologically
6. Export story for inclusion in incident report
```
## Advanced Features
### Collaborative Investigation
- Multiple analysts work on the same sketch simultaneously
- Comments and annotations persist on events
- Saved searches shared across the team
- Investigation stories document findings in context
### API Automation
```python
from timesketch_api_client import config
from timesketch_api_client import client as ts_client
# Connect to Timesketch
ts = ts_client.TimesketchApi(
host_uri="https://timesketch.local",
username="analyst",
password="password"
)
# Get sketch
sketch = ts.get_sketch(1)
# Search events
search = sketch.explore(
query_string='event_identifier:4624 AND LogonType:3',
return_fields='datetime,message,hostname,source_short'
)
# Add tags to events
for event in search.get('objects', []):
sketch.tag_event(event['_id'], ['lateral_movement'])
```
### Integration with Dissect
```bash
# Use Dissect for faster artifact parsing (alternative to Plaso)
target-query -f timesketch://timesketch.local/case-001 \
targets/hostname/ -q "windows.evtx" --limit 0
```
## Key Data Sources for Timeline Building
| Source | Parser | Evidence Value |
|--------|--------|---------------|
| Windows Event Logs (.evtx) | winevtx | Authentication, process execution, services |
| Prefetch Files | prefetch | Program execution history |
| MFT ($MFT) | mft | File system activity |
| Registry Hives | winreg | System configuration, persistence |
| Browser History | chrome/firefox | Web activity, downloads |
| Syslog | syslog | Linux/network device events |
| CloudTrail Logs | jsonl | AWS API activity |
| Azure Activity Logs | jsonl | Azure resource operations |
| Firewall Logs | csv/jsonl | Network connections |
| Proxy Logs | csv/jsonl | HTTP/HTTPS traffic |
## MITRE ATT&CK Mapping
| Technique | Timeline Indicators |
|-----------|-------------------|
| Initial Access (TA0001) | First malicious event, phishing email receipt |
| Execution (T1059) | PowerShell/CMD events, process creation |
| Persistence (TA0003) | Registry modifications, scheduled tasks, services |
| Lateral Movement (TA0008) | Remote logons, SMB connections, RDP sessions |
| Exfiltration (TA0010) | Large data transfers, cloud storage uploads |
## References
- [Timesketch Official Documentation](https://timesketch.org/)
- [Timesketch GitHub Repository](https://github.com/google/timesketch)
- [CISA Timesketch Resource](https://www.cisa.gov/resources-tools/services/timesketch)
- [Hunt and Hackett: Scalable Forensics with Dissect and Timesketch](https://www.huntandhackett.com/blog/scalable-forensics-timeline-analysis-using-dissect-and-timesketch)
- [Plaso (log2timeline) Documentation](https://plaso.readthedocs.io/)
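Review bot: The whole tail of this Timesketch skill, from the Prerequisites bullets through the References list, is shown in a single column in this hunk, the same way the removed body of the building-soc-playbook-for-ransomware hunk below is, which means the enrichment is deleting the skill body rather than adding frontmatter keys; restore the body and restrict the change to the frontmatter block. If the body is kept, the MITRE ATT&CK Mapping table needs a small fix too: its first column is headed "Technique" but four of the five rows carry tactic IDs (TA0001, TA0003, TA0008, TA0010) with one technique (T1059) mixed in, so either retitle the column "Tactic/Technique" or give every row a technique ID.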
@@ -1,12 +1,29 @@
--- ---
name: building-red-team-c2-infrastructure-with-havoc name: building-red-team-c2-infrastructure-with-havoc
description: Deploy and configure the Havoc C2 framework with teamserver, HTTPS listeners, redirectors, and Demon agents for authorized red team operations. description: Deploy and configure the Havoc C2 framework with teamserver, HTTPS listeners, redirectors, and Demon agents for
authorized red team operations.
domain: cybersecurity domain: cybersecurity
subdomain: red-teaming subdomain: red-teaming
tags: [havoc-c2, command-and-control, red-team-infrastructure, post-exploitation, adversary-emulation, demon-agent] tags:
version: "1.0" - havoc-c2
- command-and-control
- red-team-infrastructure
- post-exploitation
- adversary-emulation
- demon-agent
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- GOVERN-1.1
- MEASURE-2.7
- MANAGE-3.1
d3fend_techniques:
- File Metadata Consistency Validation
- Certificate Analysis
- Application Protocol Command Analysis
- Content Format Conversion
- File Content Analysis
--- ---
# Building Red Team C2 Infrastructure with Havoc # Building Red Team C2 Infrastructure with Havoc
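Review bot: The nist_ai_rmf mapping (GOVERN-1.1, MEASURE-2.7, MANAGE-3.1) does not fit this hunk: the description covers a Havoc teamserver, HTTPS listeners, redirectors and Demon agents and names no AI or ML component, so the key should be omitted here or the rationale for it recorded. Separately, every pre-existing key is re-serialized (flow-style tags turned into a block list, "1.0" requoted as '1.0', the description re-wrapped), which turns a six-line addition into a 30-line hunk; have the script append the new keys to the original text instead of round-tripping the whole mapping through a YAML dumper, so reviewers only see the substantive change.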
@@ -1,16 +1,32 @@
--- ---
name: building-soc-metrics-and-kpi-tracking name: building-soc-metrics-and-kpi-tracking
description: > description: 'Builds SOC performance metrics and KPI tracking dashboards measuring Mean Time to Detect (MTTD), Mean Time to
Builds SOC performance metrics and KPI tracking dashboards measuring Mean Time to Detect (MTTD), Respond (MTTR), alert quality ratios, analyst productivity, and detection coverage using SIEM data. Use when SOC leadership
Mean Time to Respond (MTTR), alert quality ratios, analyst productivity, and detection coverage needs operational visibility, continuous improvement tracking, or executive-level reporting on security operations effectiveness.
using SIEM data. Use when SOC leadership needs operational visibility, continuous improvement
tracking, or executive-level reporting on security operations effectiveness. '
domain: cybersecurity domain: cybersecurity
subdomain: soc-operations subdomain: soc-operations
tags: [soc, metrics, kpi, mttd, mttr, dashboard, reporting, continuous-improvement] tags:
version: "1.0" - soc
- metrics
- kpi
- mttd
- mttr
- dashboard
- reporting
- continuous-improvement
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
--- ---
# Building SOC Metrics and KPI Tracking # Building SOC Metrics and KPI Tracking
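Review bot: atlas_techniques (AML.T0070, AML.T0066, AML.T0082) is attached to a SOC KPI dashboard skill whose description mentions no model, LLM or RAG component, and exactly the same three ATLAS IDs together with the same nist_ai_rmf triple (MEASURE-2.7, MAP-5.1, MANAGE-2.4) reappear on the conducting-cloud-penetration-testing hunk below, which looks like a fallback default written whenever no real match exists; drop these keys where the skill has no AI attack surface rather than inflating the coverage count with placeholder mappings. A smaller point: the description was converted from a `>` folded block to a single-quoted scalar whose closing quote sits alone on the last line, which folds a trailing space into the value; keep the `>` form.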
@@ -1,262 +1,11 @@
--- ---
name: building-soc-playbook-for-ransomware {}
description: > ---tags:
Builds a structured SOC incident response playbook for ransomware attacks covering detection, - soc
containment, eradication, and recovery phases with specific SIEM queries, isolation procedures, - ransomware
and decision trees. Use when SOC teams need formalized response procedures for ransomware - incident-response
incidents aligned to NIST SP 800-61 and MITRE ATT&CK ransomware techniques. - playbook
domain: cybersecurity - nist
subdomain: soc-operations - mitre-attack
tags: [soc, ransomware, incident-response, playbook, nist, mitre-attack, containment] - containment
mitre_attack: ["T1486", "T1490", "T1489", "T1570"] version: '1.0'
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Building SOC Playbook for Ransomware
## When to Use
Use this skill when:
- SOC teams need a standardized ransomware response playbook for Tier 1-3 analysts
- An organization lacks documented procedures for ransomware containment and recovery
- Tabletop exercises reveal gaps in ransomware response coordination
- Compliance requirements (NIST CSF, ISO 27001) mandate documented incident playbooks
**Do not use** during an active ransomware incident as the sole guide — have pre-built playbooks tested and rehearsed before incidents occur.
## Prerequisites
- SIEM platform (Splunk ES, Elastic Security, or Sentinel) with endpoint and network data
- EDR solution (CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint) with network isolation capability
- Backup infrastructure with tested recovery procedures and offline/immutable backups
- Communication plan with legal, executive leadership, and external IR retainer contacts
- MITRE ATT&CK knowledge for ransomware technique chains
## Workflow
### Step 1: Define Detection Triggers
Create SIEM detection rules for early ransomware indicators:
**Mass File Encryption Detection (Splunk):**
```spl
index=sysmon EventCode=11
| bin _time span=1m
| stats dc(TargetFilename) AS unique_files, values(TargetFilename) AS sample_files by Computer, Image, _time
| where unique_files > 100
| eval suspicious_extensions = if(match(mvjoin(sample_files, ","), "\.(encrypted|locked|crypt|enc|ransom)"), "YES", "NO")
| where suspicious_extensions="YES" OR unique_files > 500
| sort - unique_files
```
**Shadow Copy Deletion (T1490):**
```spl
index=wineventlog sourcetype="WinEventLog:Security" OR index=sysmon EventCode=1
(CommandLine="*vssadmin*delete*shadows*" OR CommandLine="*wmic*shadowcopy*delete*"
OR CommandLine="*bcdedit*/set*recoveryenabled*no*" OR CommandLine="*wbadmin*delete*catalog*")
| table _time, Computer, User, ParentImage, Image, CommandLine
```
**Ransomware Note File Creation:**
```spl
index=sysmon EventCode=11
TargetFilename IN ("*README*.txt", "*DECRYPT*.txt", "*RANSOM*.txt", "*RECOVER*.html", "*HOW_TO*.txt")
| stats count by Computer, Image, TargetFilename
| where count > 5
```
**Elastic Security EQL variant:**
```eql
sequence by host.name with maxspan=2m
[process where event.type == "start" and
process.args : ("*vssadmin*", "*delete*", "*shadows*")]
[file where event.type == "creation" and
file.name : ("*README*DECRYPT*", "*RANSOM*", "*HOW_TO_RECOVER*")]
```
### Step 2: Build Triage Decision Tree
```
RANSOMWARE ALERT TRIAGE
├── Is encryption actively occurring?
│ ├── YES → IMMEDIATE: Isolate host from network (Step 3)
│ │ Do NOT power off (preserve memory for forensics)
│ └── NO → Is this a pre-encryption indicator?
│ ├── Shadow copy deletion → HIGH PRIORITY: Isolate and investigate
│ ├── Known ransomware hash → HIGH PRIORITY: Block hash, scan enterprise
│ └── Suspicious process behavior → MEDIUM: Investigate, prepare isolation
├── How many hosts affected?
│ ├── Single host → Contained incident, follow host isolation procedure
│ ├── Multiple hosts (2-10) → Escalate to Tier 2, begin enterprise-wide scan
│ └── Enterprise-wide (>10) → Activate full IR team, engage external retainer
└── Is data exfiltration confirmed?
├── YES → Double extortion scenario, engage legal for breach notification
└── NO/UNKNOWN → Check for Cobalt Strike/C2 beacons, review outbound transfers
```
### Step 3: Containment Procedures
**Network Isolation via EDR (CrowdStrike Falcon):**
```bash
# Isolate host using CrowdStrike Falcon API
curl -X POST "https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=contain" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"ids": ["device_id_here"]}'
```
**Network Isolation via Microsoft Defender for Endpoint:**
```powershell
# Isolate machine via MDE API
$headers = @{Authorization = "Bearer $token"}
$body = @{Comment = "Ransomware containment - IR-2024-0500"; IsolationType = "Full"} | ConvertTo-Json
Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/machines/$machineId/isolate" `
-Method Post -Headers $headers -Body $body -ContentType "application/json"
```
**Firewall Emergency Rules:**
```
# Palo Alto — Block SMB lateral spread
set rulebase security rules RansomwareContainment from Trust to Trust
set rulebase security rules RansomwareContainment application ms-ds-smb
set rulebase security rules RansomwareContainment action deny
set rulebase security rules RansomwareContainment disabled no
commit
```
**Active Directory Emergency Actions:**
```powershell
# Disable compromised account
Disable-ADAccount -Identity "compromised_user"
# Reset Kerberos TGT (if domain admin compromised)
# WARNING: This resets krbtgt and requires two resets 12+ hours apart
Reset-KrbtgtKeys -Server "DC-PRIMARY" -Force
# Block lateral movement by disabling remote services
Set-Service -Name "RemoteRegistry" -StartupType Disabled -Status Stopped
```
### Step 4: Evidence Collection and Preservation
Collect forensic artifacts before remediation:
```powershell
# Capture running processes and network connections
Get-Process | Export-Csv "C:\IR\processes_$(hostname).csv"
Get-NetTCPConnection | Export-Csv "C:\IR\netstat_$(hostname).csv"
# Capture memory dump (if host still running)
winpmem_mini_x64.exe C:\IR\memory_$(hostname).raw
# Collect ransomware artifacts
Copy-Item "C:\Users\*\Desktop\*README*" "C:\IR\ransom_notes\" -Recurse
Copy-Item "C:\Users\*\Desktop\*.encrypted" "C:\IR\encrypted_samples\" -Force
# Capture event logs
wevtutil epl Security "C:\IR\Security_$(hostname).evtx"
wevtutil epl System "C:\IR\System_$(hostname).evtx"
wevtutil epl "Microsoft-Windows-Sysmon/Operational" "C:\IR\Sysmon_$(hostname).evtx"
```
### Step 5: Eradication and Recovery
**Identify ransomware variant:**
- Upload encrypted sample and ransom note to ID Ransomware (https://id-ransomware.malwarehunterteam.com/)
- Check No More Ransom Project (https://www.nomoreransom.org/) for available decryptors
- Search for ransomware family IOCs in MalwareBazaar
**Enterprise-wide IOC scan in Splunk:**
```spl
index=sysmon (EventCode=1 OR EventCode=11 OR EventCode=3)
(TargetFilename="*ransomware_binary_name*" OR sha256="KNOWN_HASH"
OR DestinationIp="C2_IP_ADDRESS" OR CommandLine="*malicious_command*")
| stats count by Computer, EventCode, Image, CommandLine
| sort - count
```
**Recovery from backups:**
1. Verify backup integrity (offline/immutable backups not affected)
2. Rebuild affected systems from known-good images
3. Restore data from last clean backup
4. Validate restored systems before reconnecting to network
5. Monitor restored systems for 72 hours for reinfection
### Step 6: Post-Incident Documentation
Structure the playbook conclusion with lessons learned:
```
POST-INCIDENT REVIEW TEMPLATE
1. Timeline of events (detection to full recovery)
2. Initial access vector identification
3. Dwell time analysis (time from initial compromise to encryption)
4. Detection gaps identified
5. Response effectiveness metrics (MTTD, MTTC, MTTR)
6. Playbook improvements recommended
7. New detection rules deployed
8. Backup and recovery procedure updates
```
## Key Concepts
| Term | Definition |
|------|-----------|
| **Double Extortion** | Ransomware tactic combining data encryption with data theft, threatening public release if ransom unpaid |
| **Dwell Time** | Duration between initial compromise and detection — ransomware operators average 5-9 days before encryption |
| **MTTC** | Mean Time to Contain — time from detection to successful isolation of affected systems |
| **Kill Chain** | Ransomware progression: Initial Access -> Execution -> Persistence -> Privilege Escalation -> Lateral Movement -> Collection -> Exfiltration -> Impact |
| **Immutable Backup** | Backup storage that cannot be modified or deleted for a defined retention period (WORM storage) |
| **RTO/RPO** | Recovery Time Objective / Recovery Point Objective — maximum acceptable downtime and data loss thresholds |
## Tools & Systems
- **CrowdStrike Falcon / SentinelOne**: EDR platforms with network isolation, process kill, and threat hunting capabilities
- **Splunk ES / Elastic Security**: SIEM platforms for detection rule deployment and enterprise-wide IOC scanning
- **ID Ransomware**: Online service identifying ransomware variants from encrypted file samples and ransom notes
- **No More Ransom Project**: Europol-backed initiative providing free decryption tools for known ransomware families
- **Veeam / Rubrik**: Enterprise backup solutions with immutable backup support and instant recovery capabilities
## Common Scenarios
- **LockBit Attack**: Detected via SMB lateral movement and mass file encryption — isolate, scan for Cobalt Strike beacons
- **BlackCat/ALPHV**: Detected via ransomware note creation — check for data exfiltration via Rclone or Mega upload
- **Conti/Royal**: Detected via shadow copy deletion — check for prior BazarLoader/Emotet initial access
- **RansomHub**: Detected via anomalous process execution — investigate for compromised VPN or RDP credentials
- **Play Ransomware**: Detected via service account abuse — audit AD for newly created accounts and group membership changes
## Output Format
```
RANSOMWARE PLAYBOOK EXECUTION — IR-2024-0500
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Phase 1 - Detection:
Alert: Mass file encryption detected on FILESERVER-03
Variant: LockBit 3.0 (confirmed via ID Ransomware)
MTTD: 12 minutes from first encryption to SOC alert
Phase 2 - Containment:
[DONE] FILESERVER-03 isolated via CrowdStrike at 14:35 UTC
[DONE] SMB blocked enterprise-wide via firewall emergency rule
[DONE] Compromised service account disabled in AD
MTTC: 23 minutes
Phase 3 - Eradication:
[DONE] 3 additional hosts with C2 beacon identified and isolated
[DONE] Cobalt Strike C2 domain (c2[.]evil[.]com) sinkholed
[DONE] Enterprise-wide IOC scan completed — no additional infections
Phase 4 - Recovery:
[DONE] FILESERVER-03 rebuilt from gold image
[DONE] Data restored from immutable Veeam backup (RPO: 4 hours)
[DONE] Systems monitored 72 hours — no reinfection
MTTR: 18 hours
Total Affected: 1 server, 3 workstations
Data Loss: 4 hours of file modifications (backup RPO)
Exfiltration: No evidence of data exfiltration confirmed
```
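Review bot: This hunk destroys the file: the new column replaces the frontmatter with an empty mapping `{}`, then emits `---tags:` with the closing delimiter glued to the next key, and keeps only the tags list and version, dropping name, description, domain, subdomain, mitre_attack (T1486, T1490, T1489, T1570), author and license; per the hunk header the file shrinks from 262 lines to 11, so the entire body from "When to Use" through "Output Format" is removed as well. The enrichment script evidently hit a parse failure on this file and wrote an empty document instead of aborting; it should fail loudly and leave the file untouched. The same collapse appears in the conducting-malware-incident-response hunk below (207 lines to 8). Do not merge until both files are restored with the new keys appended to their original frontmatter.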
@@ -1,17 +1,36 @@
--- ---
name: conducting-cloud-penetration-testing name: conducting-cloud-penetration-testing
description: > description: 'This skill outlines methodologies for performing authorized penetration testing against AWS, Azure, and GCP
This skill outlines methodologies for performing authorized penetration testing against cloud environments. It covers understanding the shared responsibility model for testing scope, leveraging cloud-specific
AWS, Azure, and GCP cloud environments. It covers understanding the shared responsibility attack tools like Pacu and ScoutSuite, exploiting IAM misconfigurations, testing for SSRF to cloud metadata services, and
model for testing scope, leveraging cloud-specific attack tools like Pacu and ScoutSuite,
exploiting IAM misconfigurations, testing for SSRF to cloud metadata services, and
reporting findings aligned to MITRE ATT&CK Cloud matrix. reporting findings aligned to MITRE ATT&CK Cloud matrix.
'
domain: cybersecurity domain: cybersecurity
subdomain: cloud-security subdomain: cloud-security
tags: [cloud-pentesting, offensive-security, aws-exploitation, shared-responsibility, mitre-attack-cloud] tags:
- cloud-pentesting
- offensive-security
- aws-exploitation
- shared-responsibility
- mitre-attack-cloud
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
d3fend_techniques:
- Token Binding
- Restore Access
- Application Protocol Command Analysis
- Reissue Credential
- Network Isolation
--- ---
# Conducting Cloud Penetration Testing # Conducting Cloud Penetration Testing
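Review bot: d3fend_techniques here is a list of free-text labels (Token Binding, Restore Access, Application Protocol Command Analysis, Reissue Credential, Network Isolation) with no D3FEND IDs, and this frontmatter carries no mitre_attack key from which such a mapping could have been derived, so neither the names nor their relevance to IAM misconfiguration and metadata-service SSRF testing can be verified; store the D3-prefixed technique IDs alongside the labels and record the source ATT&CK IDs. The atlas_techniques and nist_ai_rmf values are identical to those on the building-soc-metrics-and-kpi-tracking hunk above, so the same fallback-default concern applies here.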
@@ -1,12 +1,26 @@
--- ---
name: conducting-domain-persistence-with-dcsync name: conducting-domain-persistence-with-dcsync
description: Perform DCSync attacks to replicate Active Directory credentials and establish domain persistence by extracting KRBTGT, Domain Admin, and service account hashes for Golden Ticket creation. description: Perform DCSync attacks to replicate Active Directory credentials and establish domain persistence by extracting
KRBTGT, Domain Admin, and service account hashes for Golden Ticket creation.
domain: cybersecurity domain: cybersecurity
subdomain: red-teaming subdomain: red-teaming
tags: [red-team, active-directory, dcsync, persistence, credential-dumping, golden-ticket, mimikatz] tags:
version: "1.0" - red-team
- active-directory
- dcsync
- persistence
- credential-dumping
- golden-ticket
- mimikatz
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Platform Monitoring
--- ---
# Conducting Domain Persistence with DCSync # Conducting Domain Persistence with DCSync
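Review bot: The five D3FEND labels on this hunk (Application Protocol Command Analysis, Network Isolation, Network Traffic Analysis, Client-server Payload Profiling, Platform Monitoring) are generic network-monitoring entries, and four of them reappear verbatim on the conducting-internal-network-penetration-test hunk below, which suggests they were chosen by frequency rather than by what this skill covers (directory replication traffic and credential extraction); the frontmatter also has no mitre_attack key, so an ATT&CK-derived mapping has nothing visible to derive from. Either add the source ATT&CK IDs and the D3FEND IDs, or leave the field out.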
@@ -1,12 +1,26 @@
--- ---
name: conducting-full-scope-red-team-engagement name: conducting-full-scope-red-team-engagement
description: Plan and execute a comprehensive red team engagement covering reconnaissance through post-exploitation using MITRE ATT&CK-aligned TTPs to evaluate an organization's detection and response capabilities. description: Plan and execute a comprehensive red team engagement covering reconnaissance through post-exploitation using
MITRE ATT&CK-aligned TTPs to evaluate an organization's detection and response capabilities.
domain: cybersecurity domain: cybersecurity
subdomain: red-teaming subdomain: red-teaming
tags: [red-team, adversary-emulation, mitre-attack, penetration-testing, offensive-security, purple-team, ttp-mapping] tags:
version: "1.0" - red-team
- adversary-emulation
- mitre-attack
- penetration-testing
- offensive-security
- purple-team
- ttp-mapping
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
--- ---
# Conducting Full-Scope Red Team Engagement # Conducting Full-Scope Red Team Engagement
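Review bot: Same traceability gap as the other red-team hunks: this frontmatter has no mitre_attack key yet gains five D3FEND labels, three of which (Content Format Conversion, Message Analysis, Identifier Analysis) concern email and file content handling and do not obviously relate to a full-scope engagement spanning reconnaissance through post-exploitation; add the ATT&CK IDs these were derived from so the mapping can be reviewed, and the D3-prefixed IDs so the labels resolve to real D3FEND entries.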
@@ -1,12 +1,26 @@
--- ---
name: conducting-internal-network-penetration-test name: conducting-internal-network-penetration-test
description: Execute an internal network penetration test simulating an insider threat or post-breach attacker to identify lateral movement paths, privilege escalation vectors, and sensitive data exposure within the corporate network. description: Execute an internal network penetration test simulating an insider threat or post-breach attacker to identify
lateral movement paths, privilege escalation vectors, and sensitive data exposure within the corporate network.
domain: cybersecurity domain: cybersecurity
subdomain: penetration-testing subdomain: penetration-testing
tags: [internal-pentest, lateral-movement, privilege-escalation, Responder, Impacket, assumed-breach, network-security] tags:
version: "1.0" - internal-pentest
- lateral-movement
- privilege-escalation
- Responder
- Impacket
- assumed-breach
- network-security
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Network Traffic Community Deviation
--- ---
# Conducting Internal Network Penetration Test # Conducting Internal Network Penetration Test
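Review bot: The tags Responder and Impacket keep their capitalization while every other tag in this commit is lowercase (red-team, active-directory, lateral-movement); since the script rewrites the tag list anyway, normalize these to lowercase so tag-based lookups stay case-consistent. The D3FEND list also shares its first four entries verbatim with the conducting-domain-persistence-with-dcsync hunk above, so the per-skill derivation from ATT&CK IDs that the field is meant to reflect should be recorded in the frontmatter.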
@@ -1,12 +1,26 @@
--- ---
name: conducting-internal-reconnaissance-with-bloodhound-ce name: conducting-internal-reconnaissance-with-bloodhound-ce
description: Conduct internal Active Directory reconnaissance using BloodHound Community Edition to map attack paths, identify privilege escalation chains, and discover misconfigurations in domain environments. description: Conduct internal Active Directory reconnaissance using BloodHound Community Edition to map attack paths, identify
privilege escalation chains, and discover misconfigurations in domain environments.
domain: cybersecurity domain: cybersecurity
subdomain: red-teaming subdomain: red-teaming
tags: [red-team, reconnaissance, bloodhound, active-directory, attack-paths, privilege-escalation, graph-analysis] tags:
version: "1.0" - red-team
- reconnaissance
- bloodhound
- active-directory
- attack-paths
- privilege-escalation
- graph-analysis
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Restore Access
- Password Authentication
- Biometric Authentication
- Strong Password Policy
- Restore User Account Access
--- ---
# Conducting Internal Reconnaissance with BloodHound CE # Conducting Internal Reconnaissance with BloodHound CE
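Review bot: The D3FEND list on this hunk (Restore Access, Password Authentication, Biometric Authentication, Strong Password Policy, Restore User Account Access) is a set of authentication and account-recovery countermeasures, none of which addresses what the description says the skill does, namely Active Directory attack-path enumeration with BloodHound CE; a mapping of this kind should come from the skill's own ATT&CK techniques, but the frontmatter has no mitre_attack key, so the origin of these labels is invisible. Replace them with countermeasures that address AD enumeration, or omit the key until the derivation is recorded.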
@@ -1,207 +1,8 @@
--- ---
name: conducting-malware-incident-response {}
description: > ---tags:
Responds to malware infections across enterprise endpoints by identifying the - malware-response
malware family, determining infection vectors, assessing spread, and executing - malware-analysis
eradication procedures. Covers the full lifecycle from detection through - eradication
containment, analysis, removal, and recovery. Activates for requests involving - endpoint-remediation
malware response, malware eradication, trojan removal, worm containment, malware - MITRE-ATT&CK
triage, or infected endpoint remediation.
domain: cybersecurity
subdomain: incident-response
tags: [malware-response, malware-analysis, eradication, endpoint-remediation, MITRE-ATT&CK]
mitre_attack: ["T1204", "T1027", "T1055", "T1059", "T1486"]
version: 1.0.0
author: mahipal
license: Apache-2.0
---
# Conducting Malware Incident Response
## When to Use
- EDR or antivirus detects malware execution on one or more endpoints
- A user reports suspicious system behavior indicative of malware infection
- Threat intelligence indicates a malware campaign targeting the organization's industry
- Network monitoring detects beaconing traffic consistent with known malware C2 patterns
- A file detonation in a sandbox returns a malicious verdict
**Do not use** for analyzing malware samples in a research context; use dedicated malware analysis procedures for reverse engineering.
## Prerequisites
- EDR platform with process tree visibility and host isolation capability
- Malware sandbox environment (Cuckoo, ANY.RUN, Joe Sandbox, Hybrid Analysis)
- Access to threat intelligence platforms for malware family identification (VirusTotal, MalwareBazaar)
- Forensic imaging tools for evidence preservation (FTK Imager, KAPE)
- Clean system images or gold images for endpoint rebuild
- MITRE ATT&CK framework reference for technique mapping
## Workflow
### Step 1: Detect and Confirm Malware Presence
Validate the malware alert and gather initial indicators:
- Review EDR alert details: detection name, file path, hash (SHA-256), process tree
- Check if the detection is a known malware family or generic heuristic detection
- Query the file hash against VirusTotal, MalwareBazaar, and internal threat intelligence
- Examine the process execution chain to determine how the malware was delivered
```
Detection Summary:
File: C:\Users\jsmith\AppData\Local\Temp\update.exe
SHA-256: a1b2c3d4e5f6...
Detection: CrowdStrike: Malware/Qakbot | VirusTotal: 58/72 engines
Parent: WINWORD.EXE → cmd.exe → powershell.exe → update.exe
Delivery: Email attachment (Invoice-Nov2025.docm)
Network: HTTPS POST to 185.220.101[.]42:443 every 60s
Persistence: Scheduled Task "WindowsUpdate" → update.exe
```
### Step 2: Scope the Infection
Determine how many systems are affected and the malware's propagation method:
- Use EDR to search for the malware hash, filename, and behavioral indicators across all endpoints
- Check for network-based spreading (SMB, WMI, PsExec, exploitation)
- Query email gateway logs for all recipients of the delivery email
- Search for C2 communications to the identified infrastructure from other internal hosts
- Check for persistence mechanisms on all identified infected hosts
### Step 3: Contain Infected Systems
Execute containment per the active breach containment procedures:
- Network-isolate infected endpoints via EDR containment
- Block malware C2 infrastructure at firewall and DNS
- Block the malware hash in EDR prevention policy organization-wide
- Quarantine the delivery email from all mailboxes (if email-delivered)
- Disable compromised user accounts if credential theft is suspected
### Step 4: Analyze the Malware
Perform sufficient analysis to support complete eradication:
- Submit the sample to a sandbox for dynamic analysis (behavioral report, dropped files, network IOCs)
- Identify all persistence mechanisms: registry keys, scheduled tasks, services, WMI subscriptions, startup folders
- Document all file system artifacts: dropped files, modified files, created directories
- Extract network IOCs: C2 domains, IPs, URLs, user agents, JA3/JA3S hashes
- Map observed behaviors to MITRE ATT&CK techniques
```
Malware Analysis Summary - Qakbot Variant
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Initial Access: T1566.001 - Spearphishing Attachment (.docm)
Execution: T1059.001 - PowerShell (encoded downloader)
Persistence: T1053.005 - Scheduled Task
Defense Evasion: T1055.012 - Process Hollowing (explorer.exe)
C2: T1071.001 - HTTPS with custom headers
Collection: T1005 - Data from Local System (browser credentials)
Exfiltration: T1041 - Exfiltration Over C2 Channel
Artifacts:
- C:\Users\*\AppData\Local\Temp\update.exe (dropper)
- C:\ProgramData\Microsoft\{GUID}\config.dll (payload)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{random} (backup persistence)
- Scheduled Task: "WindowsUpdate" (primary persistence)
```
### Step 5: Eradicate the Malware
Remove all malware artifacts from every infected system:
- Terminate malicious processes and injected threads
- Delete malware files from all identified paths
- Remove persistence mechanisms (scheduled tasks, registry keys, services, WMI subscriptions)
- Clear browser credential stores if credential harvesting was confirmed
- Run a full EDR scan to verify no artifacts remain
- If eradication confidence is low, reimage the system from a known-clean gold image
### Step 6: Recover and Validate
Restore systems to production and verify clean status:
- Reconnect contained systems to the network in stages
- Monitor for 72 hours for any recurrence of malware indicators
- Force password resets for all users on infected endpoints
- Verify that C2 traffic has completely ceased across the environment
- Update detection rules based on newly discovered IOCs from the investigation
- Distribute IOCs to threat intelligence sharing partners (ISAC, MISP)
## Key Concepts
| Term | Definition |
|------|------------|
| **Malware Family** | Classification of malware variants sharing code, infrastructure, or behavior patterns (e.g., Qakbot, Emotet, Cobalt Strike) |
| **Process Hollowing** | Technique where malware creates a legitimate process in a suspended state, replaces its memory with malicious code, then resumes execution |
| **Beacon** | Periodic network communication from malware to its C2 server, typically with a set interval and jitter for detection evasion |
| **Dropper** | Initial malware component that downloads or unpacks the primary payload; often delivered via phishing |
| **Persistence Mechanism** | Method used by malware to survive system reboots (registry run keys, scheduled tasks, services, WMI event subscriptions) |
| **IOC (Indicator of Compromise)** | Observable artifact such as file hash, IP address, domain, or registry key that indicates malware presence |
## Tools & Systems
- **CrowdStrike Falcon / Microsoft Defender for Endpoint**: EDR platforms for detection, containment, and threat hunting
- **ANY.RUN / Joe Sandbox**: Interactive malware sandboxes for dynamic behavioral analysis
- **VirusTotal / MalwareBazaar**: Malware intelligence platforms for sample identification and IOC enrichment
- **KAPE (Kroll Artifact Parser and Extractor)**: Forensic triage tool for rapid artifact collection from infected endpoints
- **YARA**: Pattern-matching engine for creating custom malware detection rules based on observed indicators
## Common Scenarios
### Scenario: Emotet Loader Leading to Cobalt Strike Deployment
**Context**: EDR detects a macro-enabled document that spawns PowerShell, downloads an Emotet DLL, which subsequently loads a Cobalt Strike beacon. Three hosts are infected within 45 minutes.
**Approach**:
1. Immediately isolate all three hosts and block C2 IPs at the perimeter
2. Search email gateway for all recipients of the original phishing email and quarantine it
3. Sweep all endpoints for the Emotet DLL hash and Cobalt Strike beacon indicators
4. Analyze the Cobalt Strike beacon configuration to extract watermark, C2 profile, and staging URLs
5. Check for credential harvesting (Mimikatz/LSASS dump) and lateral movement artifacts
6. Eradicate all malware artifacts and reset credentials for affected users
**Pitfalls**:
- Focusing only on Emotet and missing the Cobalt Strike second-stage payload
- Failing to extract and block the Cobalt Strike Malleable C2 profile indicators
- Not checking for additional persistence beyond the initial detection (Emotet often installs multiple backup persistence mechanisms)
## Output Format
```
MALWARE INCIDENT RESPONSE REPORT
=================================
Incident: INC-2025-1547
Malware Family: Qakbot (variant: Obama265)
Delivery Vector: Spearphishing attachment (Invoice-Nov2025.docm)
First Detection: 2025-11-15T14:23:17Z
Scope: 4 endpoints confirmed infected
INFECTION TIMELINE
14:18 UTC - Phishing email received by jsmith@corp.example.com
14:19 UTC - Macro executed in WINWORD.EXE
14:20 UTC - PowerShell downloads update.exe from staging server
14:21 UTC - update.exe establishes persistence (Scheduled Task)
14:23 UTC - C2 beacon initiated to 185.220.101[.]42
14:35 UTC - Lateral spread to WKSTN-087 via stolen credentials
14:42 UTC - EDR detection fires, SOC alerted
IOCs EXTRACTED
File Hashes: [SHA-256 list]
C2 Domains: [domain list]
C2 IPs: [IP list]
File Paths: [artifact paths]
ERADICATION STATUS
[x] All malware artifacts removed from 4 hosts
[x] Persistence mechanisms deleted
[x] C2 infrastructure blocked
[x] Compromised credentials reset
[x] Email quarantined from all mailboxes
RECOMMENDATIONS
1. Deploy YARA rule for Qakbot variant detection
2. Block macro execution in documents from external senders
3. Implement application whitelisting on finance workstations
```
@@ -1,19 +1,31 @@
--- ---
name: conducting-mobile-app-penetration-test name: conducting-mobile-app-penetration-test
description: > description: 'Conducts penetration testing of iOS and Android mobile applications following the OWASP Mobile Application Security
Conducts penetration testing of iOS and Android mobile applications following the OWASP Testing Guide (MASTG) to identify vulnerabilities in data storage, network communication, authentication, cryptography,
Mobile Application Security Testing Guide (MASTG) to identify vulnerabilities in data storage, and platform-specific security controls. The tester performs static analysis of application binaries, dynamic analysis at
network communication, authentication, cryptography, and platform-specific security controls. runtime, and API security testing to evaluate the complete mobile attack surface. Activates for requests involving mobile
The tester performs static analysis of application binaries, dynamic analysis at runtime, and app pentest, iOS security assessment, Android security testing, or OWASP MASTG assessment.
API security testing to evaluate the complete mobile attack surface. Activates for requests
involving mobile app pentest, iOS security assessment, Android security testing, or OWASP '
MASTG assessment.
domain: cybersecurity domain: cybersecurity
subdomain: penetration-testing subdomain: penetration-testing
tags: [mobile-pentest, OWASP-MASTG, Android-security, iOS-security, mobile-application-security] tags:
- mobile-pentest
- OWASP-MASTG
- Android-security
- iOS-security
- mobile-application-security
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
--- ---
# Conducting Mobile App Penetration Test # Conducting Mobile App Penetration Test
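Review bot: the added `atlas_techniques` block (AML.T0070, AML.T0066, AML.T0082) does not fit a mobile app pentest skill; ATTACK_COVERAGE.md itself describes AML.T0070 as RAG Poisoning (Persistence), a technique against LLM retrieval pipelines, and nothing in this skill touches an AI component. The same triple, together with the same `nist_ai_rmf` triple (MEASURE-2.7, MAP-5.1, MANAGE-2.4), is also attached to `configuring-hsm-for-key-storage` and `deploying-edr-agent-with-crowdstrike` further down, which points to the enrichment script falling back to a default mapping when it found no skill-specific match. Drop both blocks here rather than ship a default that inflates the "81 skills mapped" figure, and have the script emit nothing when it has no real match. Two smaller points: MANAGE-2.4 is not among the core functions listed under "NIST AI RMF Coverage" (only GOVERN, MAP and MEASURE are documented), so either add MANAGE to that list or explain its absence; and rewriting the `>` folded description into a single-quoted scalar that ends with a blank line and then `'` leaves a trailing newline in the value, so a `>` block or a plain scalar (as the pass-the-ticket hunk uses) would be cleaner.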
@@ -1,12 +1,27 @@
--- ---
name: conducting-pass-the-ticket-attack name: conducting-pass-the-ticket-attack
description: Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate to services without knowing the user's password. By extracting Kerberos tickets fro description: Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate
to services without knowing the user's password. By extracting Kerberos tickets fro
domain: cybersecurity domain: cybersecurity
subdomain: red-teaming subdomain: red-teaming
tags: [red-team, adversary-simulation, mitre-attack, exploitation, post-exploitation, kerberos, pass-the-ticket, lateral-movement] tags:
version: "1.0" - red-team
- adversary-simulation
- mitre-attack
- exploitation
- post-exploitation
- kerberos
- pass-the-ticket
- lateral-movement
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Token Binding
- Execution Isolation
- Restore Access
- Application Protocol Command Analysis
- Process Termination
--- ---
# Conducting Pass-the-Ticket Attack # Conducting Pass-the-Ticket Attack
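Review bot: the `description` still ends mid-word at `tickets fro` on both sides of the hunk; the rewrap into a plain multi-line scalar preserved an already-truncated string rather than restoring the sentence. Since the script rewrote this frontmatter anyway, complete the description before merging, and consider making the script fail on descriptions that do not end in terminal punctuation so the same truncation in `conducting-spearphishing-simulation-campaign` (`craf`) and `configuring-hsm-for-key-storage` (`lea`) is caught as well.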
@@ -1,12 +1,28 @@
--- ---
name: conducting-social-engineering-penetration-test name: conducting-social-engineering-penetration-test
description: Design and execute a social engineering penetration test including phishing, vishing, smishing, and physical pretexting campaigns to measure human security resilience and identify training gaps. description: Design and execute a social engineering penetration test including phishing, vishing, smishing, and physical
pretexting campaigns to measure human security resilience and identify training gaps.
domain: cybersecurity domain: cybersecurity
subdomain: penetration-testing subdomain: penetration-testing
tags: [social-engineering, phishing, vishing, pretexting, GoPhish, SET, OSINT, security-awareness, red-team] tags:
version: "1.0" - social-engineering
- phishing
- vishing
- pretexting
- GoPhish
- SET
- OSINT
- security-awareness
- red-team
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0088
- AML.T0052
nist_ai_rmf:
- GOVERN-6.2
- MAP-5.2
--- ---
# Conducting Social Engineering Penetration Test # Conducting Social Engineering Penetration Test
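Review bot: this skill receives `atlas_techniques` and `nist_ai_rmf` but no `d3fend_techniques`, while the sibling `conducting-social-engineering-pretext-call` hunk below gets all three blocks and `conducting-spearphishing-simulation-campaign` gets only d3fend. ATTACK_COVERAGE.md says d3fend entries are derived from each skill's ATT&CK technique tags, so either this skill carries no ATT&CK IDs (worth fixing on its own) or the derivation skipped it; check which before merging, since three closely related social engineering skills ending up with three different framework combinations will confuse anyone consuming the frontmatter.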
@@ -1,12 +1,32 @@
--- ---
name: conducting-social-engineering-pretext-call name: conducting-social-engineering-pretext-call
description: Plan and execute authorized vishing (voice phishing) pretext calls to assess employee susceptibility to social engineering and evaluate security awareness controls. description: Plan and execute authorized vishing (voice phishing) pretext calls to assess employee susceptibility to social
engineering and evaluate security awareness controls.
domain: cybersecurity domain: cybersecurity
subdomain: red-teaming subdomain: red-teaming
tags: [social-engineering, vishing, pretext-call, security-awareness, red-team, phishing, human-risk] tags:
version: "1.0" - social-engineering
- vishing
- pretext-call
- security-awareness
- red-team
- phishing
- human-risk
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0088
- AML.T0052
nist_ai_rmf:
- GOVERN-6.2
- MAP-5.2
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
--- ---
# Conducting Social Engineering Pretext Call # Conducting Social Engineering Pretext Call
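Review bot: the `d3fend_techniques` list for a voice pretext-call skill is attachment- and message-centric (File Metadata Consistency Validation, Content Format Conversion, Message Analysis) and is identical to the list applied to `conducting-spearphishing-simulation-campaign`; those countermeasures address files and messages, not phone calls, which suggests the derivation keyed on a generic phishing ATT&CK ID instead of the vishing sub-technique. Trim the list to entries that apply to voice-based social engineering, or re-derive it from the vishing-specific technique tag.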
@@ -1,12 +1,26 @@
--- ---
name: conducting-spearphishing-simulation-campaign name: conducting-spearphishing-simulation-campaign
description: Spearphishing simulation is a targeted social engineering attack vector used by red teams to gain initial access. Unlike broad phishing campaigns, spearphishing uses OSINT-derived intelligence to craf description: Spearphishing simulation is a targeted social engineering attack vector used by red teams to gain initial access.
Unlike broad phishing campaigns, spearphishing uses OSINT-derived intelligence to craf
domain: cybersecurity domain: cybersecurity
subdomain: red-teaming subdomain: red-teaming
tags: [red-team, adversary-simulation, mitre-attack, exploitation, post-exploitation, spearphishing, social-engineering] tags:
version: "1.0" - red-team
- adversary-simulation
- mitre-attack
- exploitation
- post-exploitation
- spearphishing
- social-engineering
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
--- ---
# Conducting Spearphishing Simulation Campaign # Conducting Spearphishing Simulation Campaign
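Review bot: two issues in this hunk. First, the `description` is truncated at `craf` on both the old and new side, so the rewrap carried a broken sentence forward; complete it. Second, this skill gets only `d3fend_techniques` while `conducting-social-engineering-pretext-call` above, a closely related skill, also receives `atlas_techniques` (AML.T0088, AML.T0052) and `nist_ai_rmf` (GOVERN-6.2, MAP-5.2); if those mappings are valid for pretext calls they apply at least as well to spearphishing, so either add them here or note why they were skipped.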
@@ -1,12 +1,26 @@
--- ---
name: configuring-hsm-for-key-storage name: configuring-hsm-for-key-storage
description: Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and perform cryptographic operations in a hardened environment. Keys stored in an HSM never lea description: Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and
perform cryptographic operations in a hardened environment. Keys stored in an HSM never lea
domain: cybersecurity domain: cybersecurity
subdomain: cryptography subdomain: cryptography
tags: [cryptography, hsm, key-management, pkcs11, hardware-security] tags:
version: "1.0" - cryptography
- hsm
- key-management
- pkcs11
- hardware-security
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
--- ---
# Configuring HSM for Key Storage # Configuring HSM for Key Storage
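Review bot: an HSM key-storage skill has no AI component, yet it receives `atlas_techniques` AML.T0070/AML.T0066/AML.T0082 and `nist_ai_rmf` MEASURE-2.7/MAP-5.1/MANAGE-2.4, the exact same six values applied to `conducting-mobile-app-penetration-test` above. This is the clearest sign that the enrichment script applied a fallback mapping rather than a skill-specific one; remove both blocks from this file and fix the script so unmapped skills get no frontmatter entries. The `description` is also cut off at `lea` on both sides and should be completed.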
@@ -1,363 +1,11 @@
--- ---
name: deobfuscating-powershell-obfuscated-malware {}
description: Systematically deobfuscate multi-layer PowerShell malware using AST analysis, dynamic tracing, and tools like PSDecode and PowerDecode to reveal hidden payloads and C2 infrastructure. ---tags:
domain: cybersecurity - powershell
subdomain: malware-analysis - deobfuscation
tags: [powershell, deobfuscation, malware-analysis, scripting, obfuscation, ast-analysis, incident-response] - malware-analysis
mitre_attack: ["T1059.001", "T1027", "T1140"] - scripting
version: "1.0" - obfuscation
author: mahipal - ast-analysis
license: Apache-2.0 - incident-response
--- version: '1.0'
# Deobfuscating PowerShell Obfuscated Malware
## Overview
PowerShell is heavily abused by malware authors due to its deep Windows integration and powerful scripting capabilities. Obfuscation techniques include string concatenation, Base64 encoding, character substitution, Invoke-Expression layering, SecureString abuse, environment variable manipulation, and tick-mark insertion. Modern malware uses multiple obfuscation layers requiring iterative deobfuscation. Tools like PSDecode, PowerDecode, and PowerPeeler automate much of this process, while manual AST (Abstract Syntax Tree) analysis handles custom obfuscation. PowerPeeler achieves a 95% deobfuscation correctness rate using instruction-level dynamic analysis of expression-related AST nodes.
## When to Use
- When performing authorized security testing that involves deobfuscating powershell obfuscated malware
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding
## Prerequisites
- Python 3.9+ with `base64`, `re`, `subprocess` modules
- PowerShell 5.1+ or PowerShell 7+ (for AST access)
- PSDecode (`Install-Module PSDecode`)
- PowerDecode (https://github.com/Malandrone/PowerDecode)
- Isolated VM or sandbox for safe script execution
- CyberChef for manual encoding transformations
- Understanding of PowerShell AST and Invoke-Expression patterns
## Key Concepts
### Common Obfuscation Techniques
PowerShell malware employs layered obfuscation to evade static detection. String concatenation splits commands across variables (`$a='In'+'voke'`). Base64 encoding wraps entire scripts in `-EncodedCommand` parameters. Character code arrays use `[char]` casting (`[char[]](73,69,88)|%{$r+=$_}`). Environment variable abuse reads substrings from `$env:` paths. Tick-mark insertion adds backticks between characters that PowerShell ignores (`I`nv`oke-Exp`ression`). SecureString conversion encrypts strings using ConvertTo-SecureString with embedded keys.
### AST-Based Deobfuscation
PowerShell's Abstract Syntax Tree exposes the parsed structure of scripts regardless of surface-level obfuscation. By walking the AST and evaluating expression nodes, analysts can resolve concatenated strings, decode encoded values, and reconstruct the original commands. PowerPeeler uses this approach at the instruction level, monitoring the execution process to correlate AST nodes with their evaluated results.
### Dynamic Execution Tracing
By replacing `Invoke-Expression` (IEX) with `Write-Output`, analysts can safely capture the deobfuscated script content that would normally be executed. This technique works across multiple layers by iteratively replacing IEX calls until the final payload is revealed.
## Workflow
### Step 1: Identify Obfuscation Layers
```python
#!/usr/bin/env python3
"""Identify and classify PowerShell obfuscation techniques."""
import re
import base64
import sys
def analyze_obfuscation(script_content):
"""Identify obfuscation techniques used in PowerShell script."""
techniques = []
# Check for Base64 encoded command
b64_pattern = re.compile(
r'-[Ee](?:nc(?:odedcommand)?)\s+([A-Za-z0-9+/=]{20,})',
re.IGNORECASE
)
if b64_pattern.search(script_content):
techniques.append("Base64 EncodedCommand")
# Check for FromBase64String
if re.search(r'\[Convert\]::FromBase64String', script_content, re.IGNORECASE):
techniques.append("Base64 FromBase64String")
# Check for string concatenation
concat_count = script_content.count("'+'") + script_content.count('"+"')
if concat_count > 3:
techniques.append(f"String Concatenation ({concat_count} joins)")
# Check for char array construction
if re.search(r'\[char\]\s*\d+', script_content, re.IGNORECASE):
techniques.append("Character Code Array")
# Check for Invoke-Expression variants
iex_patterns = [
r'Invoke-Expression',
r'\bIEX\b',
r'\.\s*\(\s*\$',
r'&\s*\(\s*\$',
r'\|\s*IEX',
r'\|\s*Invoke-Expression',
]
for pattern in iex_patterns:
if re.search(pattern, script_content, re.IGNORECASE):
techniques.append(f"Invoke-Expression variant: {pattern}")
# Check for tick-mark obfuscation
tick_count = script_content.count('`')
if tick_count > 5:
techniques.append(f"Tick-mark Insertion ({tick_count} backticks)")
# Check for environment variable abuse
if re.search(r'\$env:', script_content, re.IGNORECASE):
env_refs = re.findall(r'\$env:\w+', script_content, re.IGNORECASE)
if len(env_refs) > 2:
techniques.append(f"Environment Variable Abuse ({len(env_refs)} refs)")
# Check for SecureString
if re.search(r'ConvertTo-SecureString', script_content, re.IGNORECASE):
techniques.append("SecureString Encryption")
# Check for compression
if re.search(r'IO\.Compression|DeflateStream|GZipStream',
script_content, re.IGNORECASE):
techniques.append("Compression (Deflate/GZip)")
# Check for XOR encoding
if re.search(r'-bxor\s+\d+', script_content, re.IGNORECASE):
techniques.append("XOR Encoding")
# Check for Replace chain
replace_count = len(re.findall(r'\.Replace\(', script_content))
if replace_count > 2:
techniques.append(f"Replace Chain ({replace_count} replacements)")
return techniques
def decode_base64_command(script_content):
"""Extract and decode Base64 encoded commands."""
b64_match = re.search(
r'-[Ee](?:nc(?:odedcommand)?)\s+([A-Za-z0-9+/=]{20,})',
script_content, re.IGNORECASE
)
if b64_match:
encoded = b64_match.group(1)
try:
decoded = base64.b64decode(encoded).decode('utf-16-le')
return decoded
except Exception:
return None
return None
def remove_tick_marks(script_content):
"""Remove PowerShell tick-mark obfuscation."""
# Remove backticks that are not escape sequences
escape_chars = {'`n', '`r', '`t', '`a', '`b', '`f', '`v', '`0', '``'}
result = []
i = 0
while i < len(script_content):
if script_content[i] == '`' and i + 1 < len(script_content):
pair = script_content[i:i+2]
if pair in escape_chars:
result.append(pair)
i += 2
else:
# Skip the backtick, keep the next char
result.append(script_content[i+1])
i += 2
else:
result.append(script_content[i])
i += 1
return ''.join(result)
def resolve_string_concat(script_content):
"""Resolve simple string concatenation patterns."""
# Pattern: 'str1' + 'str2'
pattern = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
while pattern.search(script_content):
script_content = pattern.sub(lambda m: f"'{m.group(1)}{m.group(2)}'",
script_content)
# Pattern: "str1" + "str2"
pattern = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
while pattern.search(script_content):
script_content = pattern.sub(lambda m: f'"{m.group(1)}{m.group(2)}"',
script_content)
return script_content
if __name__ == "__main__":
if len(sys.argv) < 2:
print(f"Usage: {sys.argv[0]} <powershell_script>")
sys.exit(1)
with open(sys.argv[1], 'r', errors='replace') as f:
content = f.read()
print("[+] Obfuscation Analysis")
print("=" * 60)
techniques = analyze_obfuscation(content)
for t in techniques:
print(f" - {t}")
# Attempt automatic deobfuscation
print("\n[+] Attempting Deobfuscation")
print("=" * 60)
# Layer 1: Remove tick marks
deobfuscated = remove_tick_marks(content)
# Layer 2: Resolve string concatenation
deobfuscated = resolve_string_concat(deobfuscated)
# Layer 3: Decode Base64
b64_decoded = decode_base64_command(deobfuscated)
if b64_decoded:
print("[+] Base64 decoded content:")
print(b64_decoded[:2000])
deobfuscated = b64_decoded
print(f"\n[+] Deobfuscated script length: {len(deobfuscated)} chars")
output_file = sys.argv[1] + ".deobfuscated.ps1"
with open(output_file, 'w') as f:
f.write(deobfuscated)
print(f"[+] Saved to {output_file}")
```
### Step 2: Multi-Layer IEX Replacement
```python
import subprocess
import tempfile
import os
def iex_replacement_deobfuscate(script_content, max_layers=10):
"""Iteratively replace IEX with Write-Output to unwrap layers."""
# IEX replacement patterns
replacements = [
(r'\bInvoke-Expression\b', 'Write-Output'),
(r'\bIEX\b', 'Write-Output'),
(r'\|\s*IEX\b', '| Write-Output'),
]
current = script_content
layers = []
for layer_num in range(max_layers):
# Apply IEX replacements
modified = current
for pattern, replacement in replacements:
modified = re.sub(pattern, replacement, modified, flags=re.IGNORECASE)
if modified == current and layer_num > 0:
print(f" [+] No more IEX layers found at layer {layer_num}")
break
# Write to temp file and execute in constrained PowerShell
with tempfile.NamedTemporaryFile(mode='w', suffix='.ps1',
delete=False) as tmp:
tmp.write(modified)
tmp_path = tmp.name
try:
result = subprocess.run(
['powershell', '-NoProfile', '-ExecutionPolicy', 'Bypass',
'-File', tmp_path],
capture_output=True, text=True, timeout=30
)
output = result.stdout.strip()
if output and output != current:
print(f" [+] Layer {layer_num + 1}: Unwrapped "
f"{len(output)} chars")
layers.append({
"layer": layer_num + 1,
"technique": "IEX replacement",
"content_length": len(output),
})
current = output
else:
break
except subprocess.TimeoutExpired:
print(f" [!] Layer {layer_num + 1}: Execution timeout")
break
finally:
os.unlink(tmp_path)
return current, layers
```
### Step 3: Extract IOCs from Deobfuscated Script
```python
def extract_iocs_from_script(deobfuscated_content):
"""Extract indicators of compromise from deobfuscated PowerShell."""
iocs = {
"urls": [],
"ips": [],
"domains": [],
"file_paths": [],
"registry_keys": [],
"commands": [],
"base64_blobs": [],
}
# URLs
url_pattern = re.compile(
r'https?://[^\s\'"<>)\]]+', re.IGNORECASE
)
iocs["urls"] = list(set(url_pattern.findall(deobfuscated_content)))
# IP addresses
ip_pattern = re.compile(
r'\b(?:\d{1,3}\.){3}\d{1,3}\b'
)
iocs["ips"] = list(set(ip_pattern.findall(deobfuscated_content)))
# File paths
path_pattern = re.compile(
r'[A-Za-z]:\\[^\s\'"<>|]+|'
r'\\\\[^\s\'"<>|]+|'
r'%(?:APPDATA|TEMP|USERPROFILE|PROGRAMFILES)%[^\s\'"<>|]*',
re.IGNORECASE
)
iocs["file_paths"] = list(set(path_pattern.findall(deobfuscated_content)))
# Registry keys
reg_pattern = re.compile(
r'(?:HKLM|HKCU|HKCR|HKU|HKCC)(?:\\[^\s\'"<>|]+)+',
re.IGNORECASE
)
iocs["registry_keys"] = list(set(reg_pattern.findall(deobfuscated_content)))
# Suspicious commands
suspicious_cmds = [
'New-Object Net.WebClient',
'DownloadString', 'DownloadFile', 'DownloadData',
'Start-Process', 'Invoke-WebRequest',
'New-Object IO.MemoryStream',
'Reflection.Assembly',
'Add-MpPreference -ExclusionPath',
'Set-MpPreference -DisableRealtimeMonitoring',
'New-ScheduledTask', 'Register-ScheduledTask',
]
for cmd in suspicious_cmds:
if cmd.lower() in deobfuscated_content.lower():
iocs["commands"].append(cmd)
return iocs
```
## Validation Criteria
- All obfuscation layers identified and classified correctly
- Base64 encoded commands decoded to readable PowerShell
- Tick-mark and string concatenation obfuscation resolved
- IEX replacement reveals next-stage payloads
- URLs, IPs, and file paths extracted from final deobfuscated stage
- Deobfuscated script matches observed malware behavior in sandbox
## References
- [PSDecode - PowerShell Deobfuscation](https://github.com/R3MRUM/PSDecode)
- [PowerDecode - Multi-layer Deobfuscation](https://github.com/Malandrone/PowerDecode)
- [PowerPeeler - Instruction-level Deobfuscation](https://arxiv.org/html/2406.04027v2)
- [SentinelOne - Deconstructing PowerShell Obfuscation](https://www.sentinelone.com/blog/deconstructing-powershell-obfuscation-in-malspam-campaigns/)
- [MITRE ATT&CK T1059.001 - PowerShell](https://attack.mitre.org/techniques/T1059/001/)
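Review bot: this hunk deletes the entire `deobfuscating-powershell-obfuscated-malware` skill (363 lines reduced to 11) and replaces its frontmatter with `{}` followed by `---tags:` on a single line; `name`, `description`, `domain`, `subdomain`, `mitre_attack`, `author` and `license` are all gone, and the result is not valid frontmatter because the closing `---` is fused with the `tags:` key. The commit message describes enriching skills, not rewriting them, so this looks like the script failed to parse the original frontmatter and wrote an empty document back; one visible difference from the other files is the flow-style `mitre_attack: ["T1059.001", "T1027", "T1140"]` line, which is worth testing as the trigger. Revert this file to its pre-commit content and re-run after fixing the parser, add a guard that refuses to write when the parsed frontmatter is empty or loses required keys, and add a CI check that every SKILL.md still parses and still has `name` and `description`. Also confirm none of the other 208 touched files went through the same path.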
@@ -1,15 +1,31 @@
--- ---
name: deploying-cloudflare-access-for-zero-trust name: deploying-cloudflare-access-for-zero-trust
description: > description: 'Deploying Cloudflare Access with Cloudflare Tunnel to provide zero trust access to self-hosted and private applications,
Deploying Cloudflare Access with Cloudflare Tunnel to provide zero trust access configuring identity-aware access policies, device posture checks, and WARP client enrollment for VPN replacement.
to self-hosted and private applications, configuring identity-aware access policies,
device posture checks, and WARP client enrollment for VPN replacement. '
domain: cybersecurity domain: cybersecurity
subdomain: zero-trust-architecture subdomain: zero-trust-architecture
tags: [cloudflare, cloudflare-access, zero-trust, cloudflare-tunnel, warp, ztna, cloudflare-one] tags:
version: "1.0" - cloudflare
- cloudflare-access
- zero-trust
- cloudflare-tunnel
- warp
- ztna
- cloudflare-one
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0051
- AML.T0054
- AML.T0056
nist_ai_rmf:
- MEASURE-2.7
- MEASURE-2.5
- GOVERN-6.1
- MAP-5.1
--- ---
# Deploying Cloudflare Access for Zero Trust # Deploying Cloudflare Access for Zero Trust
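Review bot: the `atlas_techniques` added here (AML.T0051 LLM Prompt Injection, AML.T0054 LLM Jailbreak, AML.T0056 Extract LLM System Prompt, per the coverage doc) describe attacks on LLM applications, but this skill is about Cloudflare Access, Tunnel and WARP for VPN replacement and involves no LLM. Remove the block, or, if the intent is that Access policies can front an LLM application, say so in the description so the mapping is justified. The `nist_ai_rmf` entries should be reconsidered on the same basis.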
@@ -1,17 +1,33 @@
--- ---
name: deploying-edr-agent-with-crowdstrike name: deploying-edr-agent-with-crowdstrike
description: > description: 'Deploys and configures CrowdStrike Falcon EDR agents across enterprise endpoints to enable real-time threat
Deploys and configures CrowdStrike Falcon EDR agents across enterprise endpoints to enable detection, behavioral analysis, and automated response. Use when onboarding endpoints to EDR coverage, configuring detection
real-time threat detection, behavioral analysis, and automated response. Use when onboarding policies, or integrating Falcon telemetry with SIEM platforms. Activates for requests involving CrowdStrike deployment,
endpoints to EDR coverage, configuring detection policies, or integrating Falcon telemetry Falcon sensor installation, EDR policy configuration, or endpoint detection and response.
with SIEM platforms. Activates for requests involving CrowdStrike deployment, Falcon sensor
installation, EDR policy configuration, or endpoint detection and response. '
domain: cybersecurity domain: cybersecurity
subdomain: endpoint-security subdomain: endpoint-security
tags: [endpoint, edr, CrowdStrike, Falcon, threat-detection, sensor-deployment] tags:
- endpoint
- edr
- CrowdStrike
- Falcon
- threat-detection
- sensor-deployment
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- GOVERN-1.1
- MEASURE-2.7
- MANAGE-3.1
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
--- ---
# Deploying EDR Agent with CrowdStrike # Deploying EDR Agent with CrowdStrike
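Review bot: the `atlas_techniques` triple AML.T0070/AML.T0066/AML.T0082 and the `nist_ai_rmf` values MEASURE-2.7/MAP-5.1/MANAGE-2.4 are the same default set seen on `conducting-mobile-app-penetration-test` and `configuring-hsm-for-key-storage`, and an EDR sensor deployment skill has no AI attack surface that AML.T0070 (RAG Poisoning) would describe. Strip the ATLAS block and prune `nist_ai_rmf` to entries that a reviewer can tie to something in the skill body; a mapping that cannot be explained from the skill text should not be in its frontmatter.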
@@ -1,15 +1,26 @@
--- ---
name: deploying-palo-alto-prisma-access-zero-trust name: deploying-palo-alto-prisma-access-zero-trust
description: > description: 'Deploying Palo Alto Networks Prisma Access for SASE-based zero trust network access using GlobalProtect agents,
Deploying Palo Alto Networks Prisma Access for SASE-based zero trust network access ZTNA Connectors, security policy enforcement, and integration with Strata Cloud Manager for unified security management.
using GlobalProtect agents, ZTNA Connectors, security policy enforcement, and
integration with Strata Cloud Manager for unified security management. '
domain: cybersecurity domain: cybersecurity
subdomain: zero-trust-architecture subdomain: zero-trust-architecture
tags: [prisma-access, palo-alto, ztna, sase, globalprotect, strata-cloud-manager, zero-trust] tags:
version: "1.0" - prisma-access
- palo-alto
- ztna
- sase
- globalprotect
- strata-cloud-manager
- zero-trust
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- GOVERN-1.1
- MEASURE-2.7
- MANAGE-3.1
--- ---
# Deploying Palo Alto Prisma Access Zero Trust # Deploying Palo Alto Prisma Access Zero Trust
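Review bot: `nist_ai_rmf` (GOVERN-1.1, MEASURE-2.7, MANAGE-3.1) is added to a Prisma Access deployment skill that has no AI component, and the same three IDs head the list on the CrowdStrike hunk above. The NIST AI RMF subcategories are about managing risk of AI systems, so either document in the description which AI capability of the product this skill covers or remove the block; as with the other hunks, MANAGE-3.1 belongs to a function the coverage doc does not list.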
@@ -1,21 +1,43 @@
--- ---
name: detecting-ai-model-prompt-injection-attacks name: detecting-ai-model-prompt-injection-attacks
description: > description: 'Detects prompt injection attacks targeting LLM-based applications using a multi-layered defense combining regex
Detects prompt injection attacks targeting LLM-based applications using a multi-layered pattern matching for known attack signatures, heuristic scoring for structural anomalies, and transformer-based classification
defense combining regex pattern matching for known attack signatures, heuristic scoring with DeBERTa models. The detector analyzes user inputs before they reach the LLM, flagging direct injections (system prompt
for structural anomalies, and transformer-based classification with DeBERTa models. The overrides, role-play escapes, instruction hijacking) and indirect injections (encoded payloads, multi-language obfuscation,
detector analyzes user inputs before they reach the LLM, flagging direct injections delimiter-based escapes). Based on the OWASP LLM Top 10 (LLM01:2025 Prompt Injection) and Simon Willison''s prompt injection
(system prompt overrides, role-play escapes, instruction hijacking) and indirect injections taxonomy. Activates for requests involving prompt injection detection, LLM input sanitization, AI security scanning, or
(encoded payloads, multi-language obfuscation, delimiter-based escapes). Based on the prompt attack classification.
OWASP LLM Top 10 (LLM01:2025 Prompt Injection) and Simon Willison's prompt injection
taxonomy. Activates for requests involving prompt injection detection, LLM input '
sanitization, AI security scanning, or prompt attack classification.
domain: cybersecurity domain: cybersecurity
subdomain: ai-security subdomain: ai-security
tags: [prompt-injection, LLM-security, OWASP-LLM-Top10, NLP-classification, input-validation] tags:
- prompt-injection
- LLM-security
- OWASP-LLM-Top10
- NLP-classification
- input-validation
version: 1.0.0 version: 1.0.0
author: mukul975 author: mukul975
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0051
- AML.T0054
- AML.T0056
- AML.T0068
- AML.T0067
nist_ai_rmf:
- GOVERN-1.1
- GOVERN-6.1
- MEASURE-2.7
- MEASURE-2.5
- MANAGE-2.4
d3fend_techniques:
- Content Validation
- Content Filtering
- Application Hardening
- Inbound Traffic Filtering
- User Behavior Analysis
--- ---
# Detecting AI Model Prompt Injection Attacks # Detecting AI Model Prompt Injection Attacks
@@ -1,18 +1,31 @@
--- ---
name: detecting-anomalies-in-industrial-control-systems name: detecting-anomalies-in-industrial-control-systems
description: > description: 'This skill covers deploying anomaly detection systems for industrial control environments using machine learning
This skill covers deploying anomaly detection systems for industrial control models trained on OT network baselines, physics-based process models, and behavioral analysis of industrial protocol communications.
environments using machine learning models trained on OT network baselines, It addresses building normal behavior profiles for SCADA polling patterns, detecting deviations in Modbus/DNP3/OPC UA traffic,
physics-based process models, and behavioral analysis of industrial protocol identifying rogue devices, and correlating network anomalies with physical process data from historians.
communications. It addresses building normal behavior profiles for SCADA polling
patterns, detecting deviations in Modbus/DNP3/OPC UA traffic, identifying rogue '
devices, and correlating network anomalies with physical process data from historians.
domain: cybersecurity domain: cybersecurity
subdomain: ot-ics-security subdomain: ot-ics-security
tags: [ot-security, ics, scada, industrial-control, iec62443, anomaly-detection, machine-learning] tags:
- ot-security
- ics
- scada
- industrial-control
- iec62443
- anomaly-detection
- machine-learning
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0043
- AML.T0018
nist_ai_rmf:
- MEASURE-2.7
- MEASURE-2.5
- MAP-5.1
--- ---
# Detecting Anomalies in Industrial Control Systems # Detecting Anomalies in Industrial Control Systems
@@ -1,17 +1,30 @@
--- ---
name: detecting-anomalous-authentication-patterns name: detecting-anomalous-authentication-patterns
description: > description: 'Detects anomalous authentication patterns using UEBA analytics, statistical baselines, and machine learning
Detects anomalous authentication patterns using UEBA analytics, statistical baselines, models to identify impossible travel, credential stuffing, brute force, password spraying, and compromised account behaviors
and machine learning models to identify impossible travel, credential stuffing, brute force, across authentication logs. Activates for requests involving authentication anomaly detection, login behavior analysis,
password spraying, and compromised account behaviors across authentication logs.
Activates for requests involving authentication anomaly detection, login behavior analysis,
UEBA implementation, or suspicious sign-in investigation. UEBA implementation, or suspicious sign-in investigation.
'
domain: cybersecurity domain: cybersecurity
subdomain: identity-access-management subdomain: identity-access-management
tags: [UEBA, authentication-anomaly, impossible-travel, brute-force, credential-stuffing, behavioral-analytics] tags:
version: "1.0" - UEBA
- authentication-anomaly
- impossible-travel
- brute-force
- credential-stuffing
- behavioral-analytics
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0043
- AML.T0018
nist_ai_rmf:
- MEASURE-2.7
- MEASURE-2.5
- MAP-5.1
--- ---
# Detecting Anomalous Authentication Patterns # Detecting Anomalous Authentication Patterns
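Review bot: the `atlas_techniques` pair AML.T0043 / AML.T0018 added at L2630-L2631 is the identical pair added to the ICS anomaly skill (L2599-L2600) and the DNP3 skill (L2990-L2991), and nothing in this description ties an authentication UEBA skill to an AI-targeted technique. If the intended reading is "techniques an adversary could use against this skill's own ML models" rather than "techniques this skill detects", that definition needs to be written down where the field is defined, because the deepfake skill (L2923-L2926) carries this same pair next to tags that describe the attack it detects, so a reader cannot tell which meaning applies. Either document the semantics or drop the tags from skills whose detection logic is not itself an AI target.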
@@ -1,19 +1,33 @@
--- ---
name: detecting-attacks-on-scada-systems name: detecting-attacks-on-scada-systems
description: > description: 'This skill covers detecting cyber attacks targeting Supervisory Control and Data Acquisition (SCADA) systems
This skill covers detecting cyber attacks targeting Supervisory Control and Data including man-in-the-middle attacks on industrial protocols, unauthorized command injection into PLCs, HMI compromise, historian
Acquisition (SCADA) systems including man-in-the-middle attacks on industrial data manipulation, and denial-of-service against control system communications. It leverages OT-specific intrusion detection
protocols, unauthorized command injection into PLCs, HMI compromise, historian systems, industrial protocol anomaly detection, and process data analytics to identify attacks that traditional IT security
data manipulation, and denial-of-service against control system communications. tools miss.
It leverages OT-specific intrusion detection systems, industrial protocol anomaly
detection, and process data analytics to identify attacks that traditional IT '
security tools miss.
domain: cybersecurity domain: cybersecurity
subdomain: ot-ics-security subdomain: ot-ics-security
tags: [ot-security, ics, scada, industrial-control, iec62443, intrusion-detection, threat-detection] tags:
- ot-security
- ics
- scada
- industrial-control
- iec62443
- intrusion-detection
- threat-detection
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
--- ---
# Detecting Attacks on SCADA Systems # Detecting Attacks on SCADA Systems
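Review bot: the triple AML.T0070 / AML.T0066 / AML.T0082 with MEASURE-2.7 / MAP-5.1 / MANAGE-2.4 at L2662-L2669 is byte-for-byte the set applied to two Azure storage misconfiguration skills (L2719-L2726, L3337-L3344), and this description names no ML component at all (OT IDS, protocol anomaly detection, process data analytics), so the mapping looks like a fallback for skills the script could not classify rather than a per-skill judgement; please either justify it in the mapping source or emit nothing for such skills. Separately, this hunk writes `nist_ai_rmf` before `atlas_techniques` while L2598-L2604 writes them the other way round; emit the new keys in a fixed order so the files diff cleanly next time.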
@@ -1,12 +1,27 @@
--- ---
name: detecting-azure-service-principal-abuse name: detecting-azure-service-principal-abuse
description: Detect and investigate Azure service principal abuse including privilege escalation, credential compromise, admin consent bypass, and unauthorized enumeration in Microsoft Entra ID environments. description: Detect and investigate Azure service principal abuse including privilege escalation, credential compromise, admin
consent bypass, and unauthorized enumeration in Microsoft Entra ID environments.
domain: cybersecurity domain: cybersecurity
subdomain: cloud-security subdomain: cloud-security
tags: [azure, entra-id, service-principal, privilege-escalation, credential-abuse, detection, splunk, sentinel] tags:
version: "1.0" - azure
- entra-id
- service-principal
- privilege-escalation
- credential-abuse
- detection
- splunk
- sentinel
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Token Binding
- Restore Access
- Application Protocol Command Analysis
- Reissue Credential
- Network Isolation
--- ---
# Detecting Azure Service Principal Abuse # Detecting Azure Service Principal Abuse
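Review bot: `d3fend_techniques` at L2691-L2696 stores display labels ("Token Binding", "Restore Access") while `atlas_techniques` stores IDs; labels change between D3FEND releases and cannot be joined back to the ontology or to the ATT&CK technique they were derived from, so record the D3- identifiers (keeping the label alongside if readability matters). Also, "Restore Access" and "Reissue Credential" are response-phase countermeasures on a skill whose stated scope is detection and investigation; if the field is meant to span hardening through restoration, say so where the field is defined, otherwise limit it to countermeasures the skill actually exercises.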
@@ -1,12 +1,30 @@
--- ---
name: detecting-azure-storage-account-misconfigurations name: detecting-azure-storage-account-misconfigurations
description: Audit Azure Blob and ADLS storage accounts for public access exposure, weak or long-lived SAS tokens, missing encryption at rest, disabled HTTPS-only traffic, and outdated TLS versions using the azure-mgmt-storage Python SDK. description: Audit Azure Blob and ADLS storage accounts for public access exposure, weak or long-lived SAS tokens, missing
encryption at rest, disabled HTTPS-only traffic, and outdated TLS versions using the azure-mgmt-storage Python SDK.
domain: cybersecurity domain: cybersecurity
subdomain: cloud-security subdomain: cloud-security
tags: [Azure, storage-accounts, blob-storage, ADLS, SAS-tokens, encryption, public-access, cloud-misconfiguration, azure-mgmt-storage] tags:
version: "1.0" - Azure
- storage-accounts
- blob-storage
- ADLS
- SAS-tokens
- encryption
- public-access
- cloud-misconfiguration
- azure-mgmt-storage
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
--- ---
# Detecting Azure Storage Account Misconfigurations # Detecting Azure Storage Account Misconfigurations
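Review bot: this skill audits storage account settings (public access, SAS lifetime, encryption, HTTPS-only, TLS version) and has no AI or ML component, yet it receives `atlas_techniques` and `nist_ai_rmf` entries (L2719-L2726) and no `d3fend_techniques`, which is backwards: the checks it describes are configuration hardening countermeasures, and the AI-framework tags are the same generic triple applied to the SCADA skill (L2666-L2669). Any coverage count built on these fields will over-report AI-relevant skills; drop the AI tags here unless the mapping rule is documented, and derive a D3FEND set from the hardening checks the description already lists.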
@@ -1,12 +1,37 @@
--- ---
name: detecting-business-email-compromise-with-ai name: detecting-business-email-compromise-with-ai
description: Deploy AI and NLP-powered detection systems to identify business email compromise attacks by analyzing writing style, behavioral patterns, and contextual anomalies that evade traditional rule-based filters. description: Deploy AI and NLP-powered detection systems to identify business email compromise attacks by analyzing writing
style, behavioral patterns, and contextual anomalies that evade traditional rule-based filters.
domain: cybersecurity domain: cybersecurity
subdomain: phishing-defense subdomain: phishing-defense
tags: [bec, ai, nlp, machine-learning, email-security, behavioral-analytics, impersonation, fraud-detection] tags:
version: "1.0" - bec
- ai
- nlp
- machine-learning
- email-security
- behavioral-analytics
- impersonation
- fraud-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0073
- AML.T0052
- AML.T0088
nist_ai_rmf:
- GOVERN-6.2
- MAP-5.2
- GOVERN-6.1
- MEASURE-2.7
- MEASURE-2.5
d3fend_techniques:
- Sender MTA Reputation Analysis
- Email Filtering
- Sender Reputation Analysis
- Homoglyph Detection
- Message Analysis
--- ---
# Detecting Business Email Compromise with AI # Detecting Business Email Compromise with AI
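Review bot: in the `d3fend_techniques` list at L2758-L2763, "Sender Reputation Analysis" and "Sender MTA Reputation Analysis" are refinements of "Message Analysis", so two of the five slots restate the third; if the goal is five distinct countermeasures, dedupe parent and child before taking the top five. The `nist_ai_rmf` list (L2752-L2757) is in neither ID order nor grouped by function; if the order encodes a relevance ranking, state that in the field definition, otherwise sort it so diffs stay stable.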
@@ -1,12 +1,32 @@
--- ---
name: detecting-business-email-compromise name: detecting-business-email-compromise
description: Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors, or trusted partners to trick employees into transferring funds, sharing sensitive data, description: Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors,
or trusted partners to trick employees into transferring funds, sharing sensitive data,
domain: cybersecurity domain: cybersecurity
subdomain: phishing-defense subdomain: phishing-defense
tags: [phishing, email-security, social-engineering, dmarc, awareness, bec, fraud] tags:
version: "1.0" - phishing
- email-security
- social-engineering
- dmarc
- awareness
- bec
- fraud
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0052
- AML.T0088
nist_ai_rmf:
- GOVERN-6.2
- MAP-5.2
d3fend_techniques:
- Restore Object
- Restore Configuration
- Application Configuration Hardening
- Application Hardening
- Disable Remote Access
--- ---
# Detecting Business Email Compromise # Detecting Business Email Compromise
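Review bot: the description this hunk rewraps is still cut off mid-sentence (L2770 ends with "sharing sensitive data,"), so it will render as an incomplete sentence wherever the frontmatter is displayed; since the line is being rewritten anyway, complete the sentence rather than carrying the truncation forward. The `d3fend_techniques` set at L2790-L2795 (Restore Object, Restore Configuration, Application Configuration Hardening, Application Hardening, Disable Remote Access) is the identical five given to the email-forwarding-rules skill (L3017-L3021) and describes configuration restoration, which fits forwarding-rule cleanup but not BEC fraud; the email-specific set used on the sibling AI skill (L2759-L2763) matches this skill's `dmarc` and `email-security` tags far better.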
@@ -1,12 +1,25 @@
--- ---
name: detecting-container-escape-attempts name: detecting-container-escape-attempts
description: Container escape is a critical attack technique where an adversary breaks out of container isolation to access the host system or other containers. Detection involves monitoring for escape indicators description: Container escape is a critical attack technique where an adversary breaks out of container isolation to access
the host system or other containers. Detection involves monitoring for escape indicators
domain: cybersecurity domain: cybersecurity
subdomain: container-security subdomain: container-security
tags: [containers, kubernetes, docker, security, runtime-security, escape-detection] tags:
version: "1.0" - containers
- kubernetes
- docker
- security
- runtime-security
- escape-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Platform Monitoring
- Process Code Segment Verification
- Stack Frame Canary Validation
- Segment Address Offset Randomization
- Process Analysis
--- ---
# Detecting Container Escape Attempts # Detecting Container Escape Attempts
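Review bot: "Stack Frame Canary Validation" and "Segment Address Offset Randomization" (L2818-L2819) are memory-corruption exploit mitigations, and "Process Code Segment Verification" is in the same family; container escape as described here (breaking out of isolation to reach the host or other containers) is an isolation-boundary and privilege problem, so three of the five slots do not address the skill. "Execution Isolation" (L2842) and "Hardware-based Process Isolation" (L3286), both already used elsewhere in this patch, are the closer labels, alongside "Platform Monitoring" and "Process Analysis" which do fit. The description is also truncated ("monitoring for escape indicators" at L2802 with no end of sentence) and this rewrap is the moment to finish it.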
@@ -1,12 +1,25 @@
--- ---
name: detecting-container-escape-with-falco-rules name: detecting-container-escape-with-falco-rules
description: Detect container escape attempts in real-time using Falco runtime security rules that monitor syscalls, file access, and privilege escalation. description: Detect container escape attempts in real-time using Falco runtime security rules that monitor syscalls, file
access, and privilege escalation.
domain: cybersecurity domain: cybersecurity
subdomain: container-security subdomain: container-security
tags: [falco, container-escape, runtime-security, syscall-monitoring, kubernetes, detection] tags:
version: "1.0" - falco
- container-escape
- runtime-security
- syscall-monitoring
- kubernetes
- detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Token Binding
- Execution Isolation
- File Metadata Consistency Validation
- Restore Access
- Application Protocol Command Analysis
--- ---
# Detecting Container Escape with Falco Rules # Detecting Container Escape with Falco Rules
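Review bot: the five labels at L2841-L2845 are exactly the five given to the LSASS credential-dumping skill (L2867-L2871), and "Token Binding" and "Application Protocol Command Analysis" have no relation to Falco syscall and file-access rules, while "Restore Access" is a response step. Two unrelated skills producing an identical top-five strongly suggests the ATT&CK-to-D3FEND lookup is returning a default for tags it does not recognise; make the script fail or emit nothing on unmapped tags instead of emitting a default list, and spot-check the Falco and credential-dumping outputs once that is fixed.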
@@ -1,19 +1,26 @@
--- ---
name: detecting-credential-dumping-techniques name: detecting-credential-dumping-techniques
description: Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules description: Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows
Security logs, and SIEM correlation rules
domain: cybersecurity domain: cybersecurity
subdomain: threat-detection subdomain: threat-detection
tags: tags:
- credential-dumping - credential-dumping
- lsass - lsass
- mimikatz - mimikatz
- sysmon - sysmon
- active-directory - active-directory
- windows-security - windows-security
- defense-evasion - defense-evasion
version: "1.0" version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Token Binding
- Execution Isolation
- File Metadata Consistency Validation
- Restore Access
- Application Protocol Command Analysis
--- ---
# Detecting Credential Dumping Techniques # Detecting Credential Dumping Techniques
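Review bot: for a skill whose detection is Sysmon Event ID 10 access to LSASS plus SAM and NTDS.dit extraction, "Token Binding" and "Application Protocol Command Analysis" (L2867, L2871) do not apply, and the set is a copy of the Falco container skill's (L2841-L2845). Labels already in this patch that match the description are "Process Analysis" (L2820) and "Platform Monitoring" (L2816) for the LSASS access signal, and "Reissue Credential" / "Authentication Cache Invalidation" (L3102, L3104) for the response to a dump. Apart from the new key, the only other change in this hunk is `"1.0"` to `'1.0'` on L2863, which is pure churn.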
@@ -1,12 +1,26 @@
--- ---
name: detecting-dcsync-attack-in-active-directory name: detecting-dcsync-attack-in-active-directory
description: Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes by monitoring for non-domain-controller accounts requesting directory replication via DsGetNCChanges. description: Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes
by monitoring for non-domain-controller accounts requesting directory replication via DsGetNCChanges.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, active-directory, dcsync, credential-theft, mitre-t1003-006, mimikatz, kerberos] tags:
version: "1.0" - threat-hunting
- active-directory
- dcsync
- credential-theft
- mitre-t1003-006
- mimikatz
- kerberos
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Platform Monitoring
--- ---
# Detecting DCSync Attack in Active Directory # Detecting DCSync Attack in Active Directory
@@ -1,18 +1,41 @@
--- ---
name: detecting-deepfake-audio-in-vishing-attacks name: detecting-deepfake-audio-in-vishing-attacks
description: > description: 'Detects AI-generated deepfake audio used in voice phishing (vishing) attacks by extracting spectral features
Detects AI-generated deepfake audio used in voice phishing (vishing) attacks by (MFCC, spectral centroid, spectral contrast, zero-crossing rate) and classifying samples with machine learning models. Supports
extracting spectral features (MFCC, spectral centroid, spectral contrast, zero-crossing batch analysis of audio files, generates confidence scores, and produces forensic reports. Activates for requests involving
rate) and classifying samples with machine learning models. Supports batch analysis of deepfake voice detection, vishing investigation, AI-generated speech analysis, voice cloning detection, or audio authenticity
audio files, generates confidence scores, and produces forensic reports. Activates for verification.
requests involving deepfake voice detection, vishing investigation, AI-generated speech
analysis, voice cloning detection, or audio authenticity verification. '
domain: cybersecurity domain: cybersecurity
subdomain: social-engineering-defense subdomain: social-engineering-defense
tags: [deepfake-detection, vishing, audio-forensics, MFCC, spectral-analysis, voice-cloning] tags:
- deepfake-detection
- vishing
- audio-forensics
- MFCC
- spectral-analysis
- voice-cloning
version: 1.0.0 version: 1.0.0
author: mukul975 author: mukul975
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0088
- AML.T0043
- AML.T0018
- AML.T0052
nist_ai_rmf:
- MEASURE-2.7
- GOVERN-6.2
- MAP-5.2
- MEASURE-2.5
- MAP-5.1
d3fend_techniques:
- Sender Reputation Analysis
- Content Validation
- Message Analysis
- User Behavior Analysis
- Identifier Analysis
--- ---
# Detecting Deepfake Audio in Vishing Attacks # Detecting Deepfake Audio in Vishing Attacks
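Review bot: "Sender Reputation Analysis" and "Message Analysis" (L2934, L2936) are email-message countermeasures borrowed from the BEC mapping (L2759-L2763), but vishing is a voice channel and this skill works on audio features (MFCC, spectral centroid), so two of the five D3FEND slots do not apply; "Content Validation" and "User Behavior Analysis" do, and the remaining slots would be better left empty than filled with email controls. The `atlas_techniques` list (L2923-L2926) also mixes the AML.T0043 / AML.T0018 pair that appears on every ML-based detection skill with tags describing the attack being detected; if both readings are intended, the field definition should say so.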
@@ -1,12 +1,26 @@
--- ---
name: detecting-dll-sideloading-attacks name: detecting-dll-sideloading-attacks
description: Detect DLL side-loading attacks where adversaries place malicious DLLs alongside legitimate applications to hijack execution flow for defense evasion. description: Detect DLL side-loading attacks where adversaries place malicious DLLs alongside legitimate applications to hijack
execution flow for defense evasion.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, dll-sideloading, defense-evasion, t1574, edr, proactive-detection] tags:
version: "1.0" - threat-hunting
- mitre-attack
- dll-sideloading
- defense-evasion
- t1574
- edr
- proactive-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
- Platform Hardening
- File Format Verification
--- ---
# Detecting DLL Sideloading Attacks # Detecting DLL Sideloading Attacks
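Review bot: "Content Format Conversion" and "File Format Verification" (L2961, L2964) are document-sanitisation countermeasures and do not address a malicious DLL placed beside a signed executable; the set is also identical to the one given to the endpoint-log evasion skill (L3046-L3050), which covers log tampering and process injection rather than search-order hijacking. "File Metadata Consistency Validation" and "File Content Analysis" do fit side-loading, and "Executable Denylisting" (L3074) plus "Process Analysis" (L2820), both already used in this patch, would fill the remaining slots with countermeasures the skill's EDR-based detection actually exercises.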
@@ -1,16 +1,31 @@
--- ---
name: detecting-dnp3-protocol-anomalies name: detecting-dnp3-protocol-anomalies
description: > description: 'Detect anomalies in DNP3 (Distributed Network Protocol 3) communications used in SCADA systems by monitoring
Detect anomalies in DNP3 (Distributed Network Protocol 3) communications for unauthorized control commands, firmware update attempts, protocol violations, and deviations from baseline traffic patterns
used in SCADA systems by monitoring for unauthorized control commands, using deep packet inspection and machine learning approaches.
firmware update attempts, protocol violations, and deviations from baseline
traffic patterns using deep packet inspection and machine learning approaches. '
domain: cybersecurity domain: cybersecurity
subdomain: ot-ics-security subdomain: ot-ics-security
tags: [ot-security, ics, dnp3, scada, anomaly-detection, protocol-analysis, energy-sector, ids] tags:
version: "1.0" - ot-security
- ics
- dnp3
- scada
- anomaly-detection
- protocol-analysis
- energy-sector
- ids
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0043
- AML.T0018
nist_ai_rmf:
- MEASURE-2.7
- MEASURE-2.5
- MAP-5.1
--- ---
# Detecting DNP3 Protocol Anomalies # Detecting DNP3 Protocol Anomalies
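Review bot: no `d3fend_techniques` is written for this skill even though its tags include `ids` and `protocol-analysis` and the description is deep packet inspection of DNP3 control commands, for which the network-traffic labels applied to the lateral-movement skills (L3177-L3181) apply directly. Presumably the derivation found no ATT&CK tag to key on; OT skills like this one, the ICS anomaly skill and the SCADA skill all end up with AI-framework tags (L2989-L2995) and no countermeasures, which inverts what the skills are about. Consider keying the D3FEND derivation on ATT&CK for ICS technique tags or on the `ids` / `protocol-analysis` tags so the OT skills receive a mapping.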
@@ -1,12 +1,26 @@
--- ---
name: detecting-email-forwarding-rules-attack name: detecting-email-forwarding-rules-attack
description: Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications for intelligence collection and BEC attacks. description: Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications
for intelligence collection and BEC attacks.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, email-forwarding, persistence, bec, t1114, proactive-detection] tags:
version: "1.0" - threat-hunting
- mitre-attack
- email-forwarding
- persistence
- bec
- t1114
- proactive-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Restore Object
- Restore Configuration
- Application Configuration Hardening
- Application Hardening
- Disable Remote Access
--- ---
# Detecting Email Forwarding Rules Attack # Detecting Email Forwarding Rules Attack
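Review bot: "Application Hardening" (L3020) is the parent category of "Application Configuration Hardening" (L3019), so one of the five slots duplicates another, and "Disable Remote Access" (L3021) does not correspond to the mailbox forwarding-rule abuse the `t1114` tag and description describe. Filter parent/child pairs before selecting the top five, and check whether "Restore Configuration", which does match removing a malicious rule, should rank above the hardening entries for a persistence-detection skill.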
@@ -1,17 +1,29 @@
--- ---
name: detecting-evasion-techniques-in-endpoint-logs name: detecting-evasion-techniques-in-endpoint-logs
description: > description: 'Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, timestomping,
Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, process injection, and security tool disabling. Use when investigating suspicious endpoint behavior, building detection
timestomping, process injection, and security tool disabling. Use when investigating suspicious rules for evasion tactics, or conducting threat hunting for stealthy adversary activity. Activates for requests involving
endpoint behavior, building detection rules for evasion tactics, or conducting threat hunting evasion detection, defense evasion analysis, log tampering detection, or MITRE ATT&CK TA0005.
for stealthy adversary activity. Activates for requests involving evasion detection, defense
evasion analysis, log tampering detection, or MITRE ATT&CK TA0005. '
domain: cybersecurity domain: cybersecurity
subdomain: endpoint-security subdomain: endpoint-security
tags: [endpoint, edr, threat-hunting, defense-evasion, MITRE-ATT&CK, detection-engineering] tags:
- endpoint
- edr
- threat-hunting
- defense-evasion
- MITRE-ATT&CK
- detection-engineering
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
- Platform Hardening
- File Format Verification
--- ---
# Detecting Evasion Techniques in Endpoint Logs # Detecting Evasion Techniques in Endpoint Logs
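Review bot: the set at L3046-L3050 is a copy of the DLL side-loading set (L2960-L2964), and "Content Format Conversion" and "File Format Verification" do not address any of the four behaviours this description lists (log tampering, timestomping, process injection, security tool disabling). "File Metadata Consistency Validation" does fit timestomping and should stay; "Process Analysis" (L2820) and "Platform Monitoring" (L2816), both used elsewhere in this patch, cover process injection and tool disabling and would replace the two document-handling labels.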
@@ -1,17 +1,28 @@
--- ---
name: detecting-fileless-malware-techniques name: detecting-fileless-malware-techniques
description: > description: 'Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection,
Detects and analyzes fileless malware that operates entirely in memory using PowerShell, registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk.
WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins) Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI
without writing traditional executable files to disk. Activates for requests involving persistence examination.
fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or
WMI persistence examination. '
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [malware, fileless, LOLBins, memory-analysis, detection] tags:
- malware
- fileless
- LOLBins
- memory-analysis
- detection
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
--- ---
# Detecting Fileless Malware Techniques # Detecting Fileless Malware Techniques
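Review bot: three of the five labels at L3074-L3078 ("File Metadata Consistency Validation", "Content Format Conversion", "File Content Analysis") are file-content countermeasures, which is precisely what malware that never writes an executable to disk sidesteps, so the mapping contradicts the skill's own premise. "Executable Denylisting" and "Execution Isolation" fit the LOLBin angle; for the in-memory PowerShell, WMI and .NET reflection cases, process-centric labels already used in this patch ("Process Analysis" L2820, "Platform Monitoring" L2816) are the ones a reader of this skill would expect.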
@@ -1,19 +1,26 @@
--- ---
name: detecting-golden-ticket-forgery name: detecting-golden-ticket-forgery
description: Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17), abnormal ticket lifetimes, and krbtgt account anomalies in Splunk and Elastic SIEM description: Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17),
abnormal ticket lifetimes, and krbtgt account anomalies in Splunk and Elastic SIEM
domain: cybersecurity domain: cybersecurity
subdomain: threat-detection subdomain: threat-detection
tags: tags:
- golden-ticket - golden-ticket
- kerberos - kerberos
- active-directory - active-directory
- mimikatz - mimikatz
- splunk - splunk
- credential-theft - credential-theft
- windows-security - windows-security
version: "1.0" version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Token Binding
- Restore Access
- Reissue Credential
- Decoy User Credential
- Authentication Cache Invalidation
--- ---
# Detecting Golden Ticket Forgery # Detecting Golden Ticket Forgery
@@ -1,12 +1,25 @@
--- ---
name: detecting-insider-threat-behaviors name: detecting-insider-threat-behaviors
description: Detect insider threat behavioral indicators including unusual data access, off-hours activity, mass file downloads, privilege abuse, and resignation-correlated data theft. description: Detect insider threat behavioral indicators including unusual data access, off-hours activity, mass file downloads,
privilege abuse, and resignation-correlated data theft.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, insider-threat, data-theft, ueba, proactive-detection] tags:
version: "1.0" - threat-hunting
- mitre-attack
- insider-threat
- data-theft
- ueba
- proactive-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Restore Access
- Password Authentication
- Biometric Authentication
- Strong Password Policy
- Restore User Account Access
--- ---
# Detecting Insider Threat Behaviors # Detecting Insider Threat Behaviors
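Review bot: "Password Authentication", "Biometric Authentication" and "Strong Password Policy" (L3126-L3128) counter credential theft by an outsider, not an authorised user abusing access they legitimately hold, which is the whole premise of this skill (unusual data access, off-hours activity, mass downloads, resignation-correlated theft). The `ueba` tag points at "User Behavior Analysis" (L2937), which is the D3FEND countermeasure for exactly this and is absent here, while two of the five slots go to restore-phase labels. Swap the authentication entries for behaviour-analysis ones.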
@@ -1,12 +1,26 @@
--- ---
name: detecting-kerberoasting-attacks name: detecting-kerberoasting-attacks
description: Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with SPNs for offline password cracking. description: Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with
SPNs for offline password cracking.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, kerberoasting, credential-access, kerberos, t1558, proactive-detection] tags:
version: "1.0" - threat-hunting
- mitre-attack
- kerberoasting
- credential-access
- kerberos
- t1558
- proactive-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Network Traffic Community Deviation
--- ---
# Detecting Kerberoasting Attacks # Detecting Kerberoasting Attacks
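Review bot: the network-traffic set at L3150-L3155 is the same one given to the lateral-movement skills (L3177-L3181, L3203-L3207), but Kerberoasting as described is anomalous TGS requests for SPN-bearing service accounts, which are observed in domain controller event logs rather than by traffic analysis, and "Network Traffic Community Deviation" in particular has no bearing on it. Labels already in this patch that match the description are "Decoy User Credential" (L3103; a honey-SPN account is the standard Kerberoasting tripwire) and "Strong Password Policy" (L3128; long service-account passwords are what defeat the offline cracking the description names).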
@@ -1,15 +1,26 @@
--- ---
name: detecting-lateral-movement-in-network name: detecting-lateral-movement-in-network
description: > description: 'Identifies lateral movement techniques in enterprise networks by analyzing authentication logs, network flows,
Identifies lateral movement techniques in enterprise networks by analyzing SMB traffic, and RDP sessions using Zeek, Velociraptor, and SIEM correlation rules to detect attackers moving between systems.
authentication logs, network flows, SMB traffic, and RDP sessions using Zeek,
Velociraptor, and SIEM correlation rules to detect attackers moving between systems. '
domain: cybersecurity domain: cybersecurity
subdomain: network-security subdomain: network-security
tags: [network-security, lateral-movement, threat-detection, siem, pass-the-hash] tags:
version: "1.0" - network-security
- lateral-movement
- threat-detection
- siem
- pass-the-hash
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Network Traffic Community Deviation
--- ---
# Detecting Lateral Movement in Network # Detecting Lateral Movement in Network
@@ -1,12 +1,26 @@
--- ---
name: detecting-lateral-movement-with-splunk name: detecting-lateral-movement-with-splunk
description: Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, SMB traffic, and remote service abuse. description: Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs,
SMB traffic, and remote service abuse.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, lateral-movement, splunk, siem, proactive-detection, ta0008] tags:
version: "1.0" - threat-hunting
- mitre-attack
- lateral-movement
- splunk
- siem
- proactive-detection
- ta0008
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Network Traffic Community Deviation
--- ---
# Detecting Lateral Movement with Splunk # Detecting Lateral Movement with Splunk
@@ -1,15 +1,25 @@
--- ---
name: detecting-living-off-the-land-attacks name: detecting-living-off-the-land-attacks
description: > description: 'Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process
Detect abuse of legitimate Windows binaries (LOLBins) used for living off creation, command-line arguments, and parent-child relationships to identify suspicious LOLBin execution patterns.
the land attacks. Monitors process creation, command-line arguments, and
parent-child relationships to identify suspicious LOLBin execution patterns. '
domain: cybersecurity domain: cybersecurity
subdomain: threat-detection subdomain: threat-detection
tags: [lolbins, lotl, fileless-attacks, process-monitoring] tags:
version: "1.0" - lolbins
- lotl
- fileless-attacks
- process-monitoring
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Network Traffic Community Deviation
--- ---
# Detecting Living Off the Land Attacks # Detecting Living Off the Land Attacks
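Review bot: the set at L3227-L3232 is the network-traffic set copied from the lateral-movement skills (L3177-L3181), yet this description is process creation, command-line arguments and parent-child relationships, none of which are network observables; the sibling LOLBAS skill (L3254-L3258) receives "Executable Denylisting" / "Execution Isolation" for the same topic. Two skills covering LOLBin abuse should share one consistent set, and the process-centric one is the correct one; in the sibling's list, "Application Protocol Command Analysis" and "Content Format Conversion" are the weak entries to replace while aligning the two.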
@@ -1,12 +1,26 @@
--- ---
name: detecting-living-off-the-land-with-lolbas name: detecting-living-off-the-land-with-lolbas
description: Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32 via process telemetry, Sigma rules, and parent-child process analysis description: Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32
via process telemetry, Sigma rules, and parent-child process analysis
domain: cybersecurity domain: cybersecurity
subdomain: threat-detection subdomain: threat-detection
tags: [lolbas, lolbins, sigma-rules, process-monitoring, sysmon, endpoint-detection, threat-hunting] tags:
version: "1.0" - lolbas
- lolbins
- sigma-rules
- process-monitoring
- sysmon
- endpoint-detection
- threat-hunting
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Content Format Conversion
--- ---
# Detecting Living Off the Land with LOLBAS # Detecting Living Off the Land with LOLBAS
@@ -1,18 +1,30 @@
--- ---
name: detecting-malicious-scheduled-tasks-with-sysmon name: detecting-malicious-scheduled-tasks-with-sysmon
description: > description: 'Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process Create for schtasks.exe),
Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process 11 (File Create for task XML), and Windows Security Event 4698/4702. The analyst correlates task creation with suspicious
Create for schtasks.exe), 11 (File Create for task XML), and Windows Security Event 4698/4702. parent processes, public directory paths, and encoded command arguments to identify persistence and lateral movement via
The analyst correlates task creation with suspicious parent processes, public directory paths, scheduled tasks. Activates for requests involving scheduled task detection, Sysmon persistence hunting, or T1053.005 Scheduled
and encoded command arguments to identify persistence and lateral movement via scheduled tasks. Task/Job analysis.
Activates for requests involving scheduled task detection, Sysmon persistence hunting, or
T1053.005 Scheduled Task/Job analysis. '
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [sysmon, scheduled-tasks, persistence, detection, threat-hunting, windows-security] tags:
version: "1.0" - sysmon
- scheduled-tasks
- persistence
- detection
- threat-hunting
- windows-security
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Execution Isolation
- Process Termination
- Hardware-based Process Isolation
- Platform Monitoring
- Process Suspension
--- ---
# Detecting Malicious Scheduled Tasks with Sysmon # Detecting Malicious Scheduled Tasks with Sysmon
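Review bot: "Process Termination" and "Process Suspension" (L3285, L3288) are response actions and "Hardware-based Process Isolation" (L3286) is a hardware feature, none of which relate to schtasks.exe persistence detected through Sysmon Event IDs 1 and 11 and Security Events 4698/4702; the set is the Mimikatz skill's list (L3310-L3314) with one entry swapped, which again points at a tag-level default rather than a per-skill mapping. "Platform Monitoring" is the one label that matches the description; for persistence through task configuration, "Application Configuration Hardening" (L3019) is a closer fit than the process-lifecycle entries.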
@@ -1,12 +1,26 @@
--- ---
name: detecting-mimikatz-execution-patterns name: detecting-mimikatz-execution-patterns
description: Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory detection of known modules. description: Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory
detection of known modules.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, mimikatz, credential-dumping, edr, t1003, proactive-detection] tags:
version: "1.0" - threat-hunting
- mitre-attack
- mimikatz
- credential-dumping
- edr
- t1003
- proactive-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Execution Isolation
- Process Termination
- Hardware-based Process Isolation
- Web Session Access Mediation
- Process Suspension
--- ---
# Detecting Mimikatz Execution Patterns # Detecting Mimikatz Execution Patterns
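Review bot: "Web Session Access Mediation" (L3313) has nothing to do with LSASS access or Mimikatz module detection and should not survive review, and the other four entries duplicate the scheduled-tasks skill (L3284-L3288). The credential-focused labels this patch already uses on the golden-ticket skill (L3100-L3104: "Reissue Credential", "Decoy User Credential", "Authentication Cache Invalidation") and "Process Analysis" (L2820) for the LSASS access signature describe the countermeasures a `t1003` skill should carry.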
@@ -1,15 +1,30 @@
--- ---
name: detecting-misconfigured-azure-storage name: detecting-misconfigured-azure-storage
description: > description: 'Detecting misconfigured Azure Storage accounts including publicly accessible blob containers, missing encryption
Detecting misconfigured Azure Storage accounts including publicly accessible blob containers, settings, overly permissive SAS tokens, disabled logging, and network access violations using Azure CLI, PowerShell, and
missing encryption settings, overly permissive SAS tokens, disabled logging, and network Microsoft Defender for Storage.
access violations using Azure CLI, PowerShell, and Microsoft Defender for Storage.
'
domain: cybersecurity domain: cybersecurity
subdomain: cloud-security subdomain: cloud-security
tags: [cloud-security, azure, storage-security, blob-storage, sas-tokens, data-protection] tags:
version: "1.0" - cloud-security
- azure
- storage-security
- blob-storage
- sas-tokens
- data-protection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
--- ---
# Detecting Misconfigured Azure Storage # Detecting Misconfigured Azure Storage
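Review bot: the new atlas_techniques (AML.T0070, AML.T0066, AML.T0082) and nist_ai_rmf entries do not belong on this skill: it audits blob ACLs, SAS tokens, encryption and Defender for Storage logging and involves no model, training data or inference endpoint. The identical triple appears verbatim on the Modbus hunk below, so this reads as a fallback mapping applied to any detection skill rather than a per-skill judgement; drop both fields here (and adjust the skill counts) or document the rule that produced them. Minor: converting the `>` folded description into a single-quoted scalar left an empty line before the closing `'`, so the value now ends in a newline.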
@@ -1,18 +1,32 @@
--- ---
name: detecting-modbus-protocol-anomalies name: detecting-modbus-protocol-anomalies
description: > description: 'This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications in industrial control systems.
This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications It addresses function code monitoring, register range validation, timing analysis, unauthorized client detection, and deep
in industrial control systems. It addresses function code monitoring, register packet inspection for malformed Modbus frames. The skill leverages Zeek with Modbus protocol analyzers, Suricata IDS with
range validation, timing analysis, unauthorized client detection, and deep packet OT rules, and custom Python-based detection using Markov chain models for normal Modbus transaction sequences.
inspection for malformed Modbus frames. The skill leverages Zeek with Modbus protocol
analyzers, Suricata IDS with OT rules, and custom Python-based detection using '
Markov chain models for normal Modbus transaction sequences.
domain: cybersecurity domain: cybersecurity
subdomain: ot-ics-security subdomain: ot-ics-security
tags: [ot-security, ics, scada, industrial-control, iec62443, modbus, protocol-anomaly] tags:
- ot-security
- ics
- scada
- industrial-control
- iec62443
- modbus
- protocol-anomaly
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
--- ---
# Detecting Modbus Protocol Anomalies # Detecting Modbus Protocol Anomalies
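Review bot: this is the second skill to receive exactly AML.T0070 / AML.T0066 / AML.T0082 with MEASURE-2.7, MAP-5.1, MANAGE-2.4; if the trigger was the Markov-chain detector in the description, the relevant ATLAS techniques would be attacks on that detector (evasion or poisoning of the model), not retrieval-content techniques, and the NIST entries should be those for evaluating a deployed detector. Also no d3fend_techniques were added even though the skill is built on Zeek and Suricata: the D3FEND derivation keys off ATT&CK IDs in tags, and this file tags only iec62443/modbus, so either add the ATT&CK for ICS IDs the skill covers to tags or map Network Traffic Analysis and Protocol Metadata Anomaly Detection directly.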
@@ -1,16 +1,43 @@
--- ---
name: detecting-ntlm-relay-with-event-correlation name: detecting-ntlm-relay-with-event-correlation
description: > description: 'Detect NTLM relay attacks through Windows Security Event correlation by analyzing Event 4624 LogonType 3 for
Detect NTLM relay attacks through Windows Security Event correlation by analyzing IP-to-hostname mismatches, identifying Responder/LLMNR poisoning artifacts, auditing SMB and LDAP signing enforcement across
Event 4624 LogonType 3 for IP-to-hostname mismatches, identifying Responder/LLMNR the domain, and detecting NTLM downgrade attacks from NTLMv2 to NTLMv1 using event log analysis.
poisoning artifacts, auditing SMB and LDAP signing enforcement across the domain,
and detecting NTLM downgrade attacks from NTLMv2 to NTLMv1 using event log analysis. '
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, NTLM-relay, event-correlation, T1557.001, Event-4624, Responder, SMB-signing, LDAP-signing, NTLM-downgrade, PetitPotam, Active-Directory] tags:
version: "1.0" - threat-hunting
- NTLM-relay
- event-correlation
- T1557.001
- Event-4624
- Responder
- SMB-signing
- LDAP-signing
- NTLM-downgrade
- PetitPotam
- Active-Directory
version: '1.0'
author: mukul975 author: mukul975
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0051
- AML.T0054
- AML.T0056
- AML.T0020
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Network Traffic Community Deviation
nist_ai_rmf:
- MEASURE-2.7
- MEASURE-2.5
- GOVERN-6.1
- MAP-5.1
--- ---
# Detecting NTLM Relay with Event Correlation # Detecting NTLM Relay with Event Correlation
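Review bot: the added atlas_techniques (AML.T0051 LLM Prompt Injection, AML.T0054 LLM Jailbreak, AML.T0056 Extract LLM System Prompt, AML.T0020 Poison Training Data) are wrong for an NTLM relay skill and look like a substring match on "LLMNR poisoning" in the description: "LLM" matched the LLM techniques and "poisoning" matched training-data poisoning. Remove atlas_techniques and nist_ai_rmf from this file and make the enrichment match on word boundaries with a denylist for LLMNR/NBT-NS/ARP poisoning. The d3fend_techniques list is reasonable for T1557.001 as it stands.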
@@ -1,12 +1,25 @@
--- ---
name: detecting-pass-the-hash-attacks name: detecting-pass-the-hash-attacks
description: Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where Kerberos is expected, and correlating with credential dumping. description: Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where
Kerberos is expected, and correlating with credential dumping.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, pass-the-hash, credential-access, t1550, proactive-detection] tags:
version: "1.0" - threat-hunting
- mitre-attack
- pass-the-hash
- credential-access
- t1550
- proactive-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Token Binding
- Execution Isolation
- Restore Access
- Application Protocol Command Analysis
- Process Termination
--- ---
# Detecting Pass The Hash Attacks # Detecting Pass The Hash Attacks
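Review bot: Token Binding and Restore Access in the added list do not fit pass-the-hash: Token Binding is D3FEND's credential-hardening control for binding web session tokens to the TLS channel, and Restore Access is a Restore-tactic response, while the skill is about spotting NTLM LogonType 3 where Kerberos is expected. Replace them with Detect-side account techniques (Domain Account Monitoring, Authentication Event Thresholding) so the field reflects what the skill detects rather than what a responder does afterwards.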
@@ -1,19 +1,26 @@
--- ---
name: detecting-pass-the-ticket-attacks name: detecting-pass-the-ticket-attacks
description: Detect Kerberos Pass-the-Ticket (PtT) attacks by analyzing Windows Event IDs 4768, 4769, and 4771 for anomalous ticket usage patterns in Splunk and Elastic SIEM description: Detect Kerberos Pass-the-Ticket (PtT) attacks by analyzing Windows Event IDs 4768, 4769, and 4771 for anomalous
ticket usage patterns in Splunk and Elastic SIEM
domain: cybersecurity domain: cybersecurity
subdomain: threat-detection subdomain: threat-detection
tags: tags:
- kerberos - kerberos
- pass-the-ticket - pass-the-ticket
- active-directory - active-directory
- splunk - splunk
- elastic - elastic
- credential-theft - credential-theft
- windows-security - windows-security
version: "1.0" version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Token Binding
- Execution Isolation
- Restore Access
- Application Protocol Command Analysis
- Process Termination
--- ---
# Detecting Pass-the-Ticket Attacks # Detecting Pass-the-Ticket Attacks
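Review bot: this file has no ATT&CK ID in its tags (kerberos, pass-the-ticket, active-directory, splunk, elastic, credential-theft, windows-security) yet received exactly the same five d3fend_techniques as the pass-the-hash hunk, so the commit's description of the field as derived from the skill's ATT&CK technique tags does not hold here. Either tag T1550.003 explicitly so the derivation is reproducible, or record the name/keyword rule that was used; in either case Token Binding, a web-session/TLS control, should go.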
@@ -1,12 +1,25 @@
--- ---
name: detecting-privilege-escalation-attempts name: detecting-privilege-escalation-attempts
description: Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse across Windows and Linux. description: Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel
exploits, and sudo/doas abuse across Windows and Linux.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, privilege-escalation, token-manipulation, uac-bypass, proactive-detection] tags:
version: "1.0" - threat-hunting
- mitre-attack
- privilege-escalation
- token-manipulation
- uac-bypass
- proactive-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Token Binding
- Executable Denylisting
- Execution Isolation
- Restore Access
- Reissue Credential
--- ---
# Detecting Privilege Escalation Attempts # Detecting Privilege Escalation Attempts
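Review bot: two of the five entries, Restore Access and Reissue Credential, are Restore-tactic actions rather than countermeasures for detecting token manipulation, UAC bypass or sudo abuse; the top-5 cut-off is pushing response techniques into a detection skill. Order candidates by tactic (Detect first, then Harden) before truncating, so skills under subdomain threat-hunting get Detect techniques such as Process Spawn Analysis ahead of Restore entries.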
@@ -1,12 +1,25 @@
--- ---
name: detecting-privilege-escalation-in-kubernetes-pods name: detecting-privilege-escalation-in-kubernetes-pods
description: Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and syscall patterns with Falco and OPA policies. description: Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and
syscall patterns with Falco and OPA policies.
domain: cybersecurity domain: cybersecurity
subdomain: container-security subdomain: container-security
tags: [kubernetes, privilege-escalation, security-context, capabilities, detection, pod-security] tags:
version: "1.0" - kubernetes
- privilege-escalation
- security-context
- capabilities
- detection
- pod-security
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Restore Access
- Password Authentication
--- ---
# Detecting Privilege Escalation in Kubernetes Pods # Detecting Privilege Escalation in Kubernetes Pods
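Review bot: Password Authentication has no bearing on pod security contexts, Linux capabilities or Falco syscall rules, and the list as a whole is identical to the one added to the T1548 elevation-control hunk further down, which shares no tag with this file, so it was not derived from this skill's content. For a Falco/OPA skill the Detect technique is System Call Analysis and the Harden side is Execution Isolation (already present); drop Password Authentication and Restore Access.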
@@ -1,12 +1,26 @@
--- ---
name: detecting-process-hollowing-technique name: detecting-process-hollowing-technique
description: Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child process anomalies in EDR telemetry. description: Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child
process anomalies in EDR telemetry.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, process-hollowing, process-injection, edr, t1055, proactive-detection] tags:
version: "1.0" - threat-hunting
- mitre-attack
- process-hollowing
- process-injection
- edr
- t1055
- proactive-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Platform Monitoring
- Process Code Segment Verification
- Segment Address Offset Randomization
- Process Analysis
- Application Hardening
--- ---
# Detecting Process Hollowing Technique # Detecting Process Hollowing Technique
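Review bot: this is the best-fitting list in the diff, but it mixes hierarchy levels: Process Analysis and Platform Monitoring are parent categories of which Process Code Segment Verification is a descendant, so listing both the parent and the leaf adds no information. Keep the leaf techniques (Process Code Segment Verification, Segment Address Offset Randomization) and, if a fifth slot is needed, use a sibling leaf rather than the parent.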
@@ -1,17 +1,28 @@
--- ---
name: detecting-process-injection-techniques name: detecting-process-injection-techniques
description: > description: 'Detects and analyzes process injection techniques used by malware including classic DLL injection, process hollowing,
Detects and analyzes process injection techniques used by malware including classic DLL APC injection, thread hijacking, and reflective loading. Uses memory forensics, API monitoring, and behavioral analysis
injection, process hollowing, APC injection, thread hijacking, and reflective loading. to identify injection artifacts. Activates for requests involving process injection detection, code injection analysis,
Uses memory forensics, API monitoring, and behavioral analysis to identify injection hollowed process investigation, or in-memory threat detection.
artifacts. Activates for requests involving process injection detection, code injection
analysis, hollowed process investigation, or in-memory threat detection. '
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [malware, process-injection, detection, memory-forensics, defense-evasion] tags:
- malware
- process-injection
- detection
- memory-forensics
- defense-evasion
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
--- ---
# Detecting Process Injection Techniques # Detecting Process Injection Techniques
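Review bot: Content Format Conversion and File Content Analysis are countermeasures for file- and email-borne content and do not apply to APC injection, thread hijacking or reflective loading, which leave no file to analyse; File Metadata Consistency Validation likewise targets on-disk artefacts. The process-hollowing hunk above already carries the right family for in-memory injection (Process Code Segment Verification, Segment Address Offset Randomization); reuse it here so the two injection skills agree.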
@@ -1,12 +1,27 @@
--- ---
name: detecting-qr-code-phishing-with-email-security name: detecting-qr-code-phishing-with-email-security
description: Detect and prevent QR code phishing (quishing) attacks that bypass traditional email security by embedding malicious URLs in QR code images within emails. description: Detect and prevent QR code phishing (quishing) attacks that bypass traditional email security by embedding malicious
URLs in QR code images within emails.
domain: cybersecurity domain: cybersecurity
subdomain: phishing-defense subdomain: phishing-defense
tags: [quishing, qr-code, phishing, email-security, image-analysis, ocr, mobile-security] tags:
version: "1.0" - quishing
- qr-code
- phishing
- email-security
- image-analysis
- ocr
- mobile-security
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0052
- AML.T0024
- AML.T0035
nist_ai_rmf:
- MEASURE-2.8
- MAP-5.1
--- ---
# Detecting QR Code Phishing with Email Security # Detecting QR Code Phishing with Email Security
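Review bot: AML.T0024 and AML.T0035 (inference-API exfiltration and AI artifact collection) describe attacks on a model, not what a quishing detector faces; the attacker here targets the human reader, and the only AI-relevant risk to this skill is that the OCR/image classifier in the pipeline can be evaded by a crafted QR image, which is AML.T0015 Evade AI Model. Keep AML.T0052 Phishing if ATLAS is wanted at all and replace the other two, or drop the field.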
@@ -1,12 +1,25 @@
--- ---
name: detecting-service-account-abuse name: detecting-service-account-abuse
description: Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement, and unauthorized access patterns. description: Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement,
and unauthorized access patterns.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, service-accounts, privilege-escalation, t1078, proactive-detection] tags:
version: "1.0" - threat-hunting
- mitre-attack
- service-accounts
- privilege-escalation
- t1078
- proactive-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Restore Access
- Password Authentication
- Biometric Authentication
- Strong Password Policy
- Restore User Account Access
--- ---
# Detecting Service Account Abuse # Detecting Service Account Abuse
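Review bot: Biometric Authentication cannot apply to service accounts, which by definition authenticate non-interactively, and Password Authentication / Strong Password Policy are Harden controls, not what a threat-hunting skill about anomalous interactive logons uses; the list contains no Detect technique at all. Swap in Domain Account Monitoring and Authentication Event Thresholding (and Local Account Monitoring for non-domain service accounts) and drop Biometric Authentication.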
@@ -1,16 +1,27 @@
--- ---
name: detecting-supply-chain-attacks-in-ci-cd name: detecting-supply-chain-attacks-in-ci-cd
description: > description: 'Scans GitHub Actions workflows and CI/CD pipeline configurations for supply chain attack vectors including unpinned
Scans GitHub Actions workflows and CI/CD pipeline configurations for supply chain actions, script injection via expressions, dependency confusion, and secrets exposure. Uses PyGithub and YAML parsing for
attack vectors including unpinned actions, script injection via expressions, dependency automated audit. Use when hardening CI/CD pipelines or investigating compromised build systems.
confusion, and secrets exposure. Uses PyGithub and YAML parsing for automated audit.
Use when hardening CI/CD pipelines or investigating compromised build systems. '
domain: cybersecurity domain: cybersecurity
subdomain: security-operations subdomain: security-operations
tags: [detecting, supply, chain, attacks] tags:
version: "1.0" - detecting
- supply
- chain
- attacks
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0010
- AML.T0104
nist_ai_rmf:
- GOVERN-5.2
- MAP-1.6
- MANAGE-2.2
--- ---
# Detecting Supply Chain Attacks in CI/CD # Detecting Supply Chain Attacks in CI/CD
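Review bot: the tags list is the skill name split on hyphens (detecting, supply, chain, attacks) and carries no searchable terms; since this commit rewrites the tags block anyway, replace it with github-actions, ci-cd, supply-chain, secrets and the ATT&CK ID (T1195.002) so the D3FEND derivation has something to key on, which it currently does not (no d3fend_techniques were generated for this file). AML.T0010 AI Supply Chain Compromise is defensible only if the pipelines being audited build or ship models; the description mentions none, so state that assumption or leave atlas_techniques out.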
@@ -1,12 +1,26 @@
--- ---
name: detecting-suspicious-powershell-execution name: detecting-suspicious-powershell-execution
description: Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasion. description: Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts,
and constrained language mode evasion.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, powershell, execution, t1059, amsi, proactive-detection] tags:
version: "1.0" - threat-hunting
- mitre-attack
- powershell
- execution
- t1059
- amsi
- proactive-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
--- ---
# Detecting Suspicious Powershell Execution # Detecting Suspicious Powershell Execution
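Review bot: the five d3fend_techniques are identical to those on the process-injection hunk (Executable Denylisting, Execution Isolation, File Metadata Consistency Validation, Content Format Conversion, File Content Analysis) and none addresses encoded commands, download cradles or AMSI bypass; Content Format Conversion in particular is an email-content control. For t1059 the Detect technique is Process Spawn Analysis, with the script-focused entries under Process Analysis behind it; one of them belongs in the first slot.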
@@ -1,12 +1,27 @@
--- ---
name: detecting-t1003-credential-dumping-with-edr name: detecting-t1003-credential-dumping-with-edr
description: Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation. description: Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials
using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, credential-dumping, lsass, mitre-t1003, edr, mimikatz, ntds, sam-database] tags:
version: "1.0" - threat-hunting
- credential-dumping
- lsass
- mitre-t1003
- edr
- mimikatz
- ntds
- sam-database
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Token Binding
- Execution Isolation
- File Metadata Consistency Validation
- Restore Access
- Application Protocol Command Analysis
--- ---
# Detecting T1003 Credential Dumping with EDR # Detecting T1003 Credential Dumping with EDR
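Review bot: this file and the Mimikatz skill both tag T1003 (mitre-t1003 here, t1003 there) yet received different d3fend_techniques lists, so the derivation is not a function of the ATT&CK ID; commit the mapping table or script that produced these lists so reviewers can reproduce them. On content, Token Binding, Restore Access and File Metadata Consistency Validation do not relate to LSASS process-access monitoring; the Sysmon process-access telemetry the description relies on corresponds to D3FEND's Process Analysis family.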
@@ -1,12 +1,26 @@
--- ---
name: detecting-t1055-process-injection-with-sysmon name: detecting-t1055-process-injection-with-sysmon
description: Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns. description: Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection
by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, process-injection, sysmon, mitre-t1055, defense-evasion, dll-injection, process-hollowing] tags:
version: "1.0" - threat-hunting
- process-injection
- sysmon
- mitre-t1055
- defense-evasion
- dll-injection
- process-hollowing
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
--- ---
# Detecting T1055 Process Injection with Sysmon # Detecting T1055 Process Injection with Sysmon
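Review bot: this skill tags mitre-t1055 and the process-hollowing skill tags t1055, but they received different lists: the hollowing one got Process Code Segment Verification / Segment Address Offset Randomization, this one got the file-content list (Content Format Conversion, File Content Analysis) that does not apply to cross-process memory writes and remote thread creation. Align this hunk with the hollowing mapping; same ATT&CK ID, same D3FEND list is the minimum a derived field should satisfy.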
@@ -1,12 +1,25 @@
--- ---
name: detecting-t1548-abuse-elevation-control-mechanism name: detecting-t1548-abuse-elevation-control-mechanism
description: Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships. description: Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation
by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, uac-bypass, privilege-escalation, mitre-t1548, elevation-control, windows-security] tags:
version: "1.0" - threat-hunting
- uac-bypass
- privilege-escalation
- mitre-t1548
- elevation-control
- windows-security
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Restore Access
- Password Authentication
--- ---
# Detecting T1548 Abuse Elevation Control Mechanism # Detecting T1548 Abuse Elevation Control Mechanism
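Review bot: the five entries are identical to those on the Kubernetes pod privilege-escalation hunk, which shares no ATT&CK tag with this file; Password Authentication is irrelevant to UAC bypass, sudo exploitation and setuid manipulation, and File Metadata Consistency Validation covers none of the registry and process-elevation-flag monitoring the description names. For T1548 the Detect technique is Process Spawn Analysis for the parent/child anomalies, with the registry side covered by leaf techniques under Platform Monitoring.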
+18 -3
@@ -1,12 +1,27 @@
--- ---
name: detecting-wmi-persistence name: detecting-wmi-persistence
description: Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation. description: Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter,
EventConsumer, and FilterToConsumerBinding creation.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [threat-hunting, wmi, persistence, sysmon, t1546.003, mitre-attack, windows, dfir] tags:
version: "1.0" - threat-hunting
- wmi
- persistence
- sysmon
- t1546.003
- mitre-attack
- windows
- dfir
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Platform Monitoring
--- ---
# Detecting WMI Persistence # Detecting WMI Persistence
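Review bot: four of the five entries (Application Protocol Command Analysis, Network Isolation, Network Traffic Analysis, Client-server Payload Profiling) are network-traffic countermeasures, but WMI event-subscription persistence is entirely host-resident and the skill detects it from Sysmon Event IDs 19, 20 and 21; only Platform Monitoring fits, and it is the parent category. Network techniques would be right for remote WMI lateral movement, not for t1546.003; pick leaf techniques under Platform Monitoring / Process Analysis instead.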
@@ -1,19 +1,29 @@
--- ---
name: executing-active-directory-attack-simulation name: executing-active-directory-attack-simulation
description: > description: 'Executes authorized attack simulations against Active Directory environments to identify misconfigurations,
Executes authorized attack simulations against Active Directory environments to identify weak credentials, dangerous privilege paths, and exploitable trust relationships that could lead to domain compromise. The
misconfigurations, weak credentials, dangerous privilege paths, and exploitable trust tester uses BloodHound for attack path analysis, Mimikatz for credential extraction, and Impacket for protocol-level attacks
relationships that could lead to domain compromise. The tester uses BloodHound for attack including Kerberoasting, AS-REP Roasting, and delegation abuse. Activates for requests involving Active Directory pentest,
path analysis, Mimikatz for credential extraction, and Impacket for protocol-level attacks AD attack simulation, domain compromise testing, or Kerberos attack assessment.
including Kerberoasting, AS-REP Roasting, and delegation abuse. Activates for requests
involving Active Directory pentest, AD attack simulation, domain compromise testing, '
or Kerberos attack assessment.
domain: cybersecurity domain: cybersecurity
subdomain: penetration-testing subdomain: penetration-testing
tags: [Active-Directory, BloodHound, Mimikatz, Kerberoasting, domain-compromise] tags:
- Active-Directory
- BloodHound
- Mimikatz
- Kerberoasting
- domain-compromise
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Network Traffic Community Deviation
--- ---
# Executing Active Directory Attack Simulation # Executing Active Directory Attack Simulation
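Review bot: a penetration-testing skill receiving d3fend_techniques is fine if the field is meant as the countermeasures the exercise validates, but that intent is not written anywhere and the list is byte-for-byte the NTLM relay list (Application Protocol Command Analysis, Network Isolation, Network Traffic Analysis, Client-server Payload Profiling, Network Traffic Community Deviation). For Kerberoasting and AS-REP Roasting the countermeasures are Strong Password Policy for service accounts and Domain Account Monitoring; say what the field means on offensive skills and map these two explicitly.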
+20 -9
@@ -1,19 +1,30 @@
--- ---
name: executing-red-team-exercise name: executing-red-team-exercise
description: > description: 'Executes comprehensive red team exercises that simulate real-world adversary operations against an organization''s
Executes comprehensive red team exercises that simulate real-world adversary operations people, processes, and technology. The red team operates with stealth as a primary objective, employing the full attack
against an organization's people, processes, and technology. The red team operates with lifecycle from initial reconnaissance through objective completion while testing the organization''s detection and response
stealth as a primary objective, employing the full attack lifecycle from initial reconnaissance capabilities. This differs from penetration testing by focusing on adversary emulation rather than vulnerability identification.
through objective completion while testing the organization's detection and response Activates for requests involving red team exercise, adversary simulation, adversary emulation, or full-scope offensive security
capabilities. This differs from penetration testing by focusing on adversary emulation assessment.
rather than vulnerability identification. Activates for requests involving red team exercise,
adversary simulation, adversary emulation, or full-scope offensive security assessment. '
domain: cybersecurity domain: cybersecurity
subdomain: penetration-testing subdomain: penetration-testing
tags: [red-team, adversary-emulation, MITRE-ATT&CK, Cobalt-Strike, detection-assessment] tags:
- red-team
- adversary-emulation
- MITRE-ATT&CK
- Cobalt-Strike
- detection-assessment
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
--- ---
# Executing Red Team Exercise # Executing Red Team Exercise
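Review bot: File Metadata Consistency Validation, Identifier Analysis, Content Format Conversion and Message Analysis are all email/file-inspection controls, so this full-scope adversary-emulation skill got the phishing-ingress slice of D3FEND and nothing for the rest of the lifecycle the description covers; a top-5 list cannot represent a skill that spans every tactic, and an empty field or the tactic-level categories would be more honest. Also, the description's `organization''s` escapes are valid single-quoted YAML, but double-quoting the scalar avoids them and reads more naturally.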

Some files were not shown because too many files have changed in this diff