feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills

Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions) based on subdomain and content analysis. Restores 11 skills corrupted during prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields. All 754 skills now carry structured mappings for all 5 security frameworks: - MITRE ATT&CK (in tags) - MITRE ATLAS v5.5 (atlas_techniques) - MITRE D3FEND v1.3 (d3fend_techniques) - NIST AI RMF 1.0 (nist_ai_rmf) - NIST CSF 2.0 (nist_csf)
2026-06-10 13:14:55 +03:00 · 2026-04-06 11:17:31 +02:00
parent e8105a2f4d
commit efca3ec611
754 changed files with 12847 additions and 2832 deletions
@@ -1,12 +1,24 @@
 ---
 name: acquiring-disk-image-with-dd-and-dcfldd
-description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
+description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through
+  hash verification.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, disk-imaging, evidence-acquisition, dd, dcfldd, hash-verification]
-version: "1.0"
+tags:
+- forensics
+- disk-imaging
+- evidence-acquisition
+- dd
+- dcfldd
+- hash-verification
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Acquiring Disk Image with dd and dcfldd
@@ -1,12 +1,21 @@
 ---
 name: analyzing-active-directory-acl-abuse
-description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
+description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and
+  WriteOwner abuse paths
 domain: cybersecurity
 subdomain: identity-security
-tags: [active-directory, acl-abuse, ldap, privilege-escalation]
-version: "1.0"
+tags:
+- active-directory
+- acl-abuse
+- ldap
+- privilege-escalation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.AA-06
 ---


@@ -1,12 +1,26 @@
 ---
 name: analyzing-android-malware-with-apktool
-description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
+description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source
+  recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [Android, APK, apktool, jadx, androguard, mobile-malware, static-analysis, reverse-engineering]
-version: "1.0"
+tags:
+- Android
+- APK
+- apktool
+- jadx
+- androguard
+- mobile-malware
+- static-analysis
+- reverse-engineering
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Android Malware with Apktool
@@ -1,16 +1,25 @@
 ---
 name: analyzing-api-gateway-access-logs
-description: >
-  Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR
-  attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas
-  for statistical analysis of request patterns and anomaly detection. Use when
-  investigating API abuse or building API-specific threat detection rules.
+description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass,
+  credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection.
+  Use when investigating API abuse or building API-specific threat detection rules.
+
+  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, api, gateway, access]
-version: "1.0"
+tags:
+- analyzing
+- api
+- gateway
+- access
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---

 # Analyzing API Gateway Access Logs
@@ -22,6 +22,11 @@ d3fend_techniques:
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing APT Group with MITRE ATT&CK Navigator

@@ -1,16 +1,25 @@
 ---
 name: analyzing-azure-activity-logs-for-threats
-description: >
-  Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to
-  detect suspicious administrative operations, impossible travel, privilege escalation,
-  and resource modifications. Builds KQL queries for threat hunting in Azure environments.
-  Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
+description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative
+  operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in
+  Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
+
+  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, azure, activity, logs]
-version: "1.0"
+tags:
+- analyzing
+- azure
+- activity
+- logs
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---

 # Analyzing Azure Activity Logs for Threats
@@ -1,17 +1,27 @@
 ---
 name: analyzing-bootkit-and-rootkit-samples
-description: >
-  Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR),
-  Volume Boot Record (VBR), or UEFI firmware to gain persistence below the operating system.
-  Covers boot sector analysis, UEFI module inspection, and anti-rootkit detection techniques.
-  Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
+description: 'Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Volume Boot Record
+  (VBR), or UEFI firmware to gain persistence below the operating system. Covers boot sector analysis, UEFI module inspection,
+  and anti-rootkit detection techniques. Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
  persistence analysis, or pre-OS malware detection.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, bootkit, rootkit, UEFI, MBR-analysis]
+tags:
+- malware
+- bootkit
+- rootkit
+- UEFI
+- MBR-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Bootkit and Rootkit Samples
@@ -1,12 +1,28 @@
 ---
 name: analyzing-browser-forensics-with-hindsight
-description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
+description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached
+  content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [browser-forensics, hindsight, chrome-forensics, chromium, edge, browsing-history, cookies, downloads, cache, web-artifacts]
-version: "1.0"
+tags:
+- browser-forensics
+- hindsight
+- chrome-forensics
+- chromium
+- edge
+- browsing-history
+- cookies
+- downloads
+- cache
+- web-artifacts
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Browser Forensics with Hindsight
@@ -1,12 +1,25 @@
 ---
 name: analyzing-campaign-attribution-evidence
-description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
+description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or
+  group is responsible for a cyber operation. This skill covers collecting and weighting attr
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, attribution, campaign-analysis]
-version: "1.0"
+tags:
+- threat-intelligence
+- cti
+- ioc
+- mitre-attack
+- stix
+- attribution
+- campaign-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Campaign Attribution Evidence

@@ -18,6 +18,11 @@ author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0052
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Certificate Transparency for Phishing

@@ -20,6 +20,11 @@ nist_ai_rmf:
 - MEASURE-2.7
 - MAP-5.1
 - MANAGE-2.4
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---


@@ -1,12 +1,25 @@
 ---
 name: analyzing-cobalt-strike-beacon-configuration
-description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, malleable profiles, and operator tradecraft.
+description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure,
+  malleable profiles, and operator tradecraft.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [cobalt-strike, beacon, c2, malware-analysis, config-extraction, threat-hunting, red-team-tools]
-version: "1.0"
+tags:
+- cobalt-strike
+- beacon
+- c2
+- malware-analysis
+- config-extraction
+- threat-hunting
+- red-team-tools
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Cobalt Strike Beacon Configuration

@@ -1,12 +1,25 @@
 ---
 name: analyzing-cobaltstrike-malleable-c2-profiles
-description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.
+description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract
+  C2 indicators, detect evasion techniques, and generate network detection signatures.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [cobalt-strike, malleable-c2, c2-detection, beacon-analysis, network-signatures, threat-hunting, red-team-tools]
-version: "1.0"
+tags:
+- cobalt-strike
+- malleable-c2
+- c2-detection
+- beacon-analysis
+- network-signatures
+- threat-hunting
+- red-team-tools
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing CobaltStrike Malleable C2 Profiles

@@ -1,17 +1,27 @@
 ---
 name: analyzing-command-and-control-communication
-description: >
-  Analyzes malware command-and-control (C2) communication protocols to understand beacon
-  patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS,
-  and custom protocol C2 analysis for detection development and threat intelligence.
-  Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse
-  engineering, or command-and-control infrastructure mapping.
+description: 'Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures,
+  data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and
+  threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or
+  command-and-control infrastructure mapping.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, C2, command-and-control, beacon, protocol-analysis]
+tags:
+- malware
+- C2
+- command-and-control
+- beacon
+- protocol-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Command-and-Control Communication
@@ -1,18 +1,29 @@
 ---
 name: analyzing-cyber-kill-chain
-description: >
-  Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify
-  which phases an adversary has completed, where defenses succeeded or failed, and what controls
-  would have interrupted the attack at earlier phases. Use when conducting post-incident analysis,
-  building prevention-focused security controls, or mapping detection gaps to kill chain phases.
-  Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
+description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases
+  an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier
+  phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection
+  gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
  or Lockheed Martin kill chain framework.
+
+  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [kill-chain, Lockheed-Martin, MITRE-ATT&CK, intrusion-analysis, defense-in-depth, NIST-CSF]
+tags:
+- kill-chain
+- Lockheed-Martin
+- MITRE-ATT&CK
+- intrusion-analysis
+- defense-in-depth
+- NIST-CSF
 version: 1.0.0
 author: team-cybersecurity
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Cyber Kill Chain

@@ -1,12 +1,24 @@
 ---
 name: analyzing-disk-image-with-autopsy
-description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and build investigation timelines.
+description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and
+  build investigation timelines.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, autopsy, disk-analysis, sleuth-kit, file-recovery, artifact-analysis]
-version: "1.0"
+tags:
+- forensics
+- autopsy
+- disk-analysis
+- sleuth-kit
+- file-recovery
+- artifact-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Disk Image with Autopsy
@@ -23,6 +23,11 @@ atlas_techniques:
 - AML.T0024
 - AML.T0056
 - AML.T0086
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Analyzing DNS Logs for Exfiltration

@@ -1,12 +1,24 @@
 ---
 name: analyzing-docker-container-forensics
-description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and evidence.
+description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to
+  identify malicious activity and evidence.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, docker, container-forensics, container-security, image-analysis, runtime-investigation]
-version: "1.0"
+tags:
+- forensics
+- docker
+- container-forensics
+- container-security
+- image-analysis
+- runtime-investigation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Docker Container Forensics
@@ -17,6 +17,11 @@ author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0052
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Email Headers for Phishing Investigation
@@ -1,12 +1,25 @@
 ---
 name: analyzing-ethereum-smart-contract-vulnerabilities
-description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy, integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
+description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy,
+  integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
 domain: cybersecurity
 subdomain: blockchain-security
-tags: [ethereum, solidity, smart-contract, slither, mythril, blockchain, defi, audit]
-version: "1.0"
+tags:
+- ethereum
+- solidity
+- smart-contract
+- slither
+- mythril
+- blockchain
+- defi
+- audit
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- ID.RA-01
 ---

 # Analyzing Ethereum Smart Contract Vulnerabilities
@@ -1,12 +1,25 @@
 ---
 name: analyzing-golang-malware-with-ghidra
-description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries.
+description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction,
+  and type reconstruction in stripped Go binaries.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [golang, ghidra, reverse-engineering, malware-analysis, binary-analysis, go-malware, disassembly]
-version: "1.0"
+tags:
+- golang
+- ghidra
+- reverse-engineering
+- malware-analysis
+- binary-analysis
+- go-malware
+- disassembly
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Golang Malware with Ghidra

@@ -1,12 +1,23 @@
 ---
 name: analyzing-heap-spray-exploitation
-description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large allocations in process virtual address space.
+description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns,
+  shellcode landing zones, and suspicious large allocations in process virtual address space.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware-analysis, memory-forensics, heap-spray, volatility3, exploit-analysis]
-version: "1.0"
+tags:
+- malware-analysis
+- memory-forensics
+- heap-spray
+- volatility3
+- exploit-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Heap Spray Exploitation

@@ -22,6 +22,11 @@ author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0052
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Indicators of Compromise

@@ -26,6 +26,11 @@ nist_ai_rmf:
 - MANAGE-2.4
 - GOVERN-6.2
 - MAP-5.1
+nist_csf:
+- PR.PS-01
+- PR.AA-05
+- ID.RA-01
+- DE.CM-09
 ---
 # Analyzing iOS App Security with Objection

@@ -1,16 +1,25 @@
 ---
 name: analyzing-kubernetes-audit-logs
-description: >
-  Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret
-  access, RBAC modifications, privileged pod creation, and anonymous API access. Builds
-  threat detection rules from audit event patterns. Use when investigating Kubernetes
-  cluster compromise or building k8s-specific SIEM detection rules.
+description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications,
+  privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating
+  Kubernetes cluster compromise or building k8s-specific SIEM detection rules.
+
+  '
 domain: cybersecurity
 subdomain: container-security
-tags: [analyzing, kubernetes, audit, logs]
-version: "1.0"
+tags:
+- analyzing
+- kubernetes
+- audit
+- logs
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---

 # Analyzing Kubernetes Audit Logs
@@ -1,18 +1,29 @@
 ---
 name: analyzing-linux-audit-logs-for-intrusion
-description: >
-  Uses the Linux Audit framework (auditd) with ausearch and aureport utilities
-  to detect intrusion attempts, unauthorized access, privilege escalation, and
-  suspicious system activity. Covers audit rule configuration, log querying,
-  timeline reconstruction, and integration with SIEM platforms. Activates for
-  requests involving auditd analysis, Linux audit log investigation, ausearch
+description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized
+  access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction,
+  and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch
  queries, aureport summaries, or host-based intrusion detection on Linux.
+
+  '
 domain: cybersecurity
 subdomain: incident-response
-tags: [auditd, ausearch, aureport, linux-security, intrusion-detection, HIDS, forensics]
+tags:
+- auditd
+- ausearch
+- aureport
+- linux-security
+- intrusion-detection
+- HIDS
+- forensics
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---

 # Analyzing Linux Audit Logs for Intrusion
@@ -1,17 +1,27 @@
 ---
 name: analyzing-linux-elf-malware
-description: >
-  Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets,
-  cryptominers, ransomware, and rootkits targeting Linux servers, containers, and cloud
-  infrastructure. Covers static analysis, dynamic tracing, and reverse engineering of
-  x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis,
-  ELF binary investigation, Linux server compromise assessment, or container malware analysis.
+description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, cryptominers, ransomware,
+  and rootkits targeting Linux servers, containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
+  reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis, ELF binary investigation,
+  Linux server compromise assessment, or container malware analysis.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, Linux, ELF, reverse-engineering, server-malware]
+tags:
+- malware
+- Linux
+- ELF
+- reverse-engineering
+- server-malware
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Linux ELF Malware
@@ -1,12 +1,27 @@
 ---
 name: analyzing-linux-kernel-rootkits
-description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures.
+description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules),
+  rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and
+  tampered system structures.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [rootkit, linux, kernel, volatility3, memory-forensics, malware-analysis, rkhunter, forensics]
-version: "1.0"
+tags:
+- rootkit
+- linux
+- kernel
+- volatility3
+- memory-forensics
+- malware-analysis
+- rkhunter
+- forensics
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Linux Kernel Rootkits
@@ -1,12 +1,24 @@
 ---
 name: analyzing-linux-system-artifacts
-description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.
+description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover
+  evidence of compromise or unauthorized activity.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, linux-forensics, system-artifacts, log-analysis, persistence-detection, incident-investigation]
-version: "1.0"
+tags:
+- forensics
+- linux-forensics
+- system-artifacts
+- log-analysis
+- persistence-detection
+- incident-investigation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Linux System Artifacts
@@ -1,12 +1,28 @@
 ---
 name: analyzing-lnk-file-and-jump-list-artifacts
-description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
+description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution,
+  and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [lnk-files, jump-lists, lecmd, jlecmd, windows-forensics, shell-link, user-activity, file-access, program-execution, recent-files]
-version: "1.0"
+tags:
+- lnk-files
+- jump-lists
+- lecmd
+- jlecmd
+- windows-forensics
+- shell-link
+- user-activity
+- file-access
+- program-execution
+- recent-files
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing LNK File and Jump List Artifacts
@@ -26,6 +26,11 @@ d3fend_techniques:
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Macro Malware in Office Documents
@@ -1,12 +1,26 @@
 ---
 name: analyzing-malicious-pdf-with-peepdf
-description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
+description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript,
+  shellcode, and suspicious objects.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware-analysis, pdf, peepdf, pdfid, pdf-parser, static-analysis, reverse-engineering, dfir]
-version: "1.0"
+tags:
+- malware-analysis
+- pdf
+- peepdf
+- pdfid
+- pdf-parser
+- static-analysis
+- reverse-engineering
+- dfir
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Malicious PDF with peepdf
@@ -17,6 +17,11 @@ author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0052
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
+- DE.AE-02
 ---
 # Analyzing Malicious URL with URLScan

@@ -1,17 +1,27 @@
 ---
 name: analyzing-malware-behavior-with-cuckoo-sandbox
-description: >
-  Executes malware samples in Cuckoo Sandbox to observe runtime behavior including
-  process creation, file system modifications, registry changes, network communications,
-  and API calls. Generates comprehensive behavioral reports for malware classification
-  and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox
-  detonation, behavioral analysis, or automated malware execution.
+description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system
+  modifications, registry changes, network communications, and API calls. Generates comprehensive behavioral reports for malware
+  classification and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox detonation, behavioral
+  analysis, or automated malware execution.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, dynamic-analysis, sandbox, Cuckoo, behavioral-analysis]
+tags:
+- malware
+- dynamic-analysis
+- sandbox
+- Cuckoo
+- behavioral-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Malware Behavior with Cuckoo Sandbox
@@ -1,12 +1,26 @@
 ---
 name: analyzing-malware-family-relationships-with-malpedia
-description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families to threat actors, and integrate YARA rules for detection across malware lineages.
+description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families
+  to threat actors, and integrate YARA rules for detection across malware lineages.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [malpedia, malware-family, yara, threat-actor, malware-tracking, threat-intelligence, variant-analysis, malware-intelligence]
-version: "1.0"
+tags:
+- malpedia
+- malware-family
+- yara
+- threat-actor
+- malware-tracking
+- threat-intelligence
+- variant-analysis
+- malware-intelligence
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Malware Family Relationships with Malpedia

@@ -1,6 +1,10 @@
 ---
-{}
---tags:
+name: analyzing-malware-persistence-with-autoruns
+description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry
+  keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
+domain: cybersecurity
+subdomain: malware-analysis
+tags:
 - autoruns
 - persistence
 - malware-analysis
@@ -9,4 +13,113 @@
 - registry
 - startup
 - incident-response
+mitre_attack:
+- T1547
+- T1053
+- T1543
+- T1546
 version: '1.0'
+author: mahipal
+license: Apache-2.0
+d3fend_techniques:
+- Executable Denylisting
+- Execution Isolation
+- File Metadata Consistency Validation
+- Content Format Conversion
+- File Content Analysis
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
+---
+# Analyzing Malware Persistence with Autoruns
+
+## Overview
+
+Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination.
+
+
+## When to Use
+
+- When investigating security incidents that require analyzing malware persistence with autoruns
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
+## Prerequisites
+
+- Sysinternals Autoruns (GUI) and Autorunsc (CLI)
+- Administrative privileges on target system
+- Python 3.9+ for automated analysis
+- VirusTotal API key for reputation checks
+- Clean baseline export for comparison
+
+## Workflow
+
+### Step 1: Automated Persistence Scanning
+
+```python
+#!/usr/bin/env python3
+"""Automate Autoruns-based persistence analysis."""
+import subprocess
+import csv
+import json
+import sys
+
+
+def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"):
+    cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-nobanner", "*"]
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
+    with open(csv_path, 'w') as f:
+        f.write(result.stdout)
+    return parse_and_flag(csv_path)
+
+
+def parse_and_flag(csv_path):
+    suspicious = []
+    with open(csv_path, 'r', errors='replace') as f:
+        for row in csv.DictReader(f):
+            reasons = []
+            signer = row.get("Signer", "")
+            if not signer or signer == "(Not verified)":
+                reasons.append("Unsigned binary")
+            if not row.get("Description") and not row.get("Company"):
+                reasons.append("Missing metadata")
+            path = row.get("Image Path", "").lower()
+            for sp in ["\temp\\", "\appdata\local\temp", "\users\public\\"]:
+                if sp in path:
+                    reasons.append(f"Suspicious path")
+            launch = row.get("Launch String", "").lower()
+            for kw in ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]:
+                if kw in launch:
+                    reasons.append(f"LOLBin: {kw}")
+            if reasons:
+                row["reasons"] = reasons
+                suspicious.append(row)
+    return suspicious
+
+
+if __name__ == "__main__":
+    if len(sys.argv) > 1:
+        results = parse_and_flag(sys.argv[1])
+        print(f"[!] {len(results)} suspicious entries")
+        for r in results:
+            print(f"  {r.get('Entry','')} - {r.get('Image Path','')}")
+            for reason in r.get('reasons', []):
+                print(f"    - {reason}")
+```
+
+## Validation Criteria
+
+- All ASEP categories scanned and cataloged
+- Unsigned entries flagged for investigation
+- Suspicious paths and LOLBin launch strings highlighted
+- Baseline comparison identifies new persistence mechanisms
+
+## References
+
+- [Sysinternals Autoruns](https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns)
+- [SANS - Offline Autoruns Revisited](https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/)
+- [Hunting Malware with Autoruns](https://nasbench.medium.com/hunting-malware-with-windows-sysinternals-autoruns-19cbfe4103c2)
+- [MITRE ATT&CK T1547 - Boot or Logon Autostart](https://attack.mitre.org/techniques/T1547/)
@@ -21,6 +21,11 @@ d3fend_techniques:
 - Process Analysis
 - System Call Filtering
 - Restore Software
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Malware Sandbox Evasion Techniques
@@ -1,18 +1,32 @@
 ---
 name: analyzing-memory-dumps-with-volatility
-description: >
-  Analyzes RAM memory dumps from compromised systems using the Volatility framework to
-  identify malicious processes, injected code, network connections, loaded modules, and
-  extracted credentials. Supports Windows, Linux, and macOS memory forensics. Activates
-  for requests involving memory forensics, RAM analysis, volatile data examination,
-  process injection detection, or memory-resident malware investigation.
+description: 'Analyzes RAM memory dumps from compromised systems using the Volatility framework to identify malicious processes,
+  injected code, network connections, loaded modules, and extracted credentials. Supports Windows, Linux, and macOS memory
+  forensics. Activates for requests involving memory forensics, RAM analysis, volatile data examination, process injection
+  detection, or memory-resident malware investigation.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response]
-mitre_attack: ["T1055", "T1003", "T1059", "T1620"]
+tags:
+- malware
+- memory-forensics
+- Volatility
+- RAM-analysis
+- incident-response
+mitre_attack:
+- T1055
+- T1003
+- T1059
+- T1620
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Memory Dumps with Volatility
@@ -1,16 +1,25 @@
 ---
 name: analyzing-memory-forensics-with-lime-and-volatility
-description: >
-  Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module
-  and analysis with Volatility 3 framework. Extracts process lists, network connections,
-  bash history, loaded kernel modules, and injected code from Linux memory images.
-  Use when performing incident response on compromised Linux systems.
+description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility
+  3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux
+  memory images. Use when performing incident response on compromised Linux systems.
+
+  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, memory, forensics, with]
-version: "1.0"
+tags:
+- analyzing
+- memory
+- forensics
+- with
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---

 # Analyzing Memory Forensics with LiME and Volatility
@@ -1,12 +1,28 @@
 ---
 name: analyzing-mft-for-deleted-file-recovery
-description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
+description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record
+  entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [mft, ntfs, deleted-files, file-recovery, mftecmd, usn-journal, logfile, mft-slack-space, file-system-forensics, dfir]
-version: "1.0"
+tags:
+- mft
+- ntfs
+- deleted-files
+- file-recovery
+- mftecmd
+- usn-journal
+- logfile
+- mft-slack-space
+- file-system-forensics
+- dfir
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing MFT for Deleted File Recovery
@@ -21,6 +21,11 @@ d3fend_techniques:
 - Application Protocol Command Analysis
 - Content Format Conversion
 - File Content Analysis
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Network Covert Channels in Malware

@@ -1,16 +1,23 @@
 ---
 name: analyzing-network-flow-data-with-netflow
-description: >-
-  Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data
-  exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow
-  records, builds traffic baselines, and applies statistical analysis to identify flows
-  with abnormal byte counts, connection durations, and periodic timing patterns.
+description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing
+  patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis
+  to identify flows with abnormal byte counts, connection durations, and periodic timing patterns.
 domain: cybersecurity
 subdomain: network-security
-tags: [analyzing, network, flow, data]
-version: "1.0"
+tags:
+- analyzing
+- network
+- flow
+- data
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---


@@ -1,18 +1,24 @@
 ---
 name: analyzing-network-packets-with-scapy
-description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and traffic anomaly detection in authorized security testing
+description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and
+  traffic anomaly detection in authorized security testing
 domain: cybersecurity
 subdomain: network-security
 tags:
-  - scapy
-  - packet-analysis
-  - network-forensics
-  - protocol-dissection
-  - pcap
-  - traffic-analysis
-version: "1.0"
+- scapy
+- packet-analysis
+- network-forensics
+- protocol-dissection
+- pcap
+- traffic-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---

 # Analyzing Network Packets with Scapy
@@ -1,19 +1,32 @@
 ---
 name: analyzing-network-traffic-for-incidents
-description: >
-  Analyzes network traffic captures and flow data to identify adversary activity during
-  security incidents, including command-and-control communications, lateral movement,
-  data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow
-  analysis techniques. Activates for requests involving network traffic analysis,
-  packet capture investigation, PCAP analysis, network forensics, C2 traffic detection,
-  or exfiltration detection.
+description: 'Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including
+  command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek,
+  and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation,
+  PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection.
+
+  '
 domain: cybersecurity
 subdomain: incident-response
-tags: [network-forensics, PCAP-analysis, Wireshark, Zeek, traffic-analysis]
-mitre_attack: ["T1071", "T1095", "T1573", "T1572"]
+tags:
+- network-forensics
+- PCAP-analysis
+- Wireshark
+- Zeek
+- traffic-analysis
+mitre_attack:
+- T1071
+- T1095
+- T1573
+- T1572
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---

 # Analyzing Network Traffic for Incidents
@@ -1,17 +1,27 @@
 ---
 name: analyzing-network-traffic-of-malware
-description: >
-  Analyzes network traffic generated by malware during sandbox execution or live incident
-  response to identify C2 protocols, data exfiltration channels, payload downloads, and
-  lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests
-  involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or
-  network-based malware detection.
+description: 'Analyzes network traffic generated by malware during sandbox execution or live incident response to identify
+  C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata.
+  Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based
+  malware detection.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, network-analysis, PCAP, Wireshark, C2-detection]
+tags:
+- malware
+- network-analysis
+- PCAP
+- Wireshark
+- C2-detection
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Network Traffic of Malware
@@ -1,15 +1,25 @@
 ---
 name: analyzing-network-traffic-with-wireshark
-description: >
-  Captures and analyzes network packet data using Wireshark and tshark to identify
-  malicious traffic patterns, diagnose protocol issues, extract artifacts, and
-  support incident response investigations on authorized network segments.
+description: 'Captures and analyzes network packet data using Wireshark and tshark to identify malicious traffic patterns,
+  diagnose protocol issues, extract artifacts, and support incident response investigations on authorized network segments.
+
+  '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, wireshark, packet-analysis, traffic-analysis, pcap]
-version: "1.0"
+tags:
+- network-security
+- wireshark
+- packet-analysis
+- traffic-analysis
+- pcap
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 # Analyzing Network Traffic with Wireshark

@@ -1,12 +1,25 @@
 ---
 name: analyzing-office365-audit-logs-for-compromise
-description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and other indicators of account compromise.
+description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation,
+  suspicious OAuth app grants, and other indicators of account compromise.
 domain: cybersecurity
 subdomain: cloud-security
-tags: [Office365, Microsoft-Graph, audit-logs, email-compromise, inbox-rules, OAuth, BEC]
-version: "1.0"
+tags:
+- Office365
+- Microsoft-Graph
+- audit-logs
+- email-compromise
+- inbox-rules
+- OAuth
+- BEC
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Analyzing Office 365 Audit Logs for Compromise
@@ -23,6 +23,11 @@ nist_ai_rmf:
 - MANAGE-2.4
 - MANAGE-3.1
 - MEASURE-3.1
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Outlook PST for Email Forensics
@@ -1,16 +1,26 @@
 ---
 name: analyzing-packed-malware-with-upx-unpacker
-description: >
-  Identifies and unpacks UPX-packed and other packed malware samples to expose the original
-  executable code for static analysis. Covers both standard UPX unpacking and handling
-  modified UPX headers that prevent automated decompression. Activates for requests involving
-  malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis.
+description: 'Identifies and unpacks UPX-packed and other packed malware samples to expose the original executable code for
+  static analysis. Covers both standard UPX unpacking and handling modified UPX headers that prevent automated decompression.
+  Activates for requests involving malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, unpacking, UPX, packing, static-analysis]
+tags:
+- malware
+- unpacking
+- UPX
+- packing
+- static-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Packed Malware with UPX Unpacker
@@ -1,17 +1,27 @@
 ---
 name: analyzing-pdf-malware-with-pdfid
-description: >
-  Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded
-  JavaScript, shellcode, exploits, and suspicious objects without opening the document.
-  Determines the attack vector and extracts embedded payloads for further analysis.
-  Activates for requests involving PDF malware analysis, malicious document analysis,
-  PDF exploit investigation, or suspicious attachment triage.
+description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode,
+  exploits, and suspicious objects without opening the document. Determines the attack vector and extracts embedded payloads
+  for further analysis. Activates for requests involving PDF malware analysis, malicious document analysis, PDF exploit investigation,
+  or suspicious attachment triage.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, PDF-analysis, document-malware, PDFiD, static-analysis]
+tags:
+- malware
+- PDF-analysis
+- document-malware
+- PDFiD
+- static-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing PDF Malware with PDFiD
@@ -1,6 +1,10 @@
 ---
-{}
---tags:
+name: analyzing-persistence-mechanisms-in-linux
+description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD
+  hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring
+domain: cybersecurity
+subdomain: threat-hunting
+tags:
 - linux-persistence
 - crontab
 - systemd
@@ -8,4 +12,61 @@
 - auditd
 - threat-hunting
 - incident-response
+mitre_attack:
+- T1053.003
+- T1543.002
+- T1574.006
+- T1546.004
 version: '1.0'
+author: mahipal
+license: Apache-2.0
+d3fend_techniques:
+- Executable Denylisting
+- Execution Isolation
+- File Metadata Consistency Validation
+- Process Termination
+- Content Format Conversion
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
+---
+
+# Analyzing Persistence Mechanisms in Linux
+
+## Overview
+
+Adversaries establish persistence on Linux systems through crontab jobs, systemd service/timer units, LD_PRELOAD library injection, shell profile modifications (.bashrc, .profile), SSH authorized_keys backdoors, and init script manipulation. This skill scans for all known persistence vectors, checks file timestamps and integrity, and correlates findings with auditd logs to build a timeline of persistence installation.
+
+
+## When to Use
+
+- When investigating security incidents that require analyzing persistence mechanisms in linux
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
+## Prerequisites
+
+- Root or sudo access on target Linux system (or forensic image)
+- auditd configured with file watch rules on persistence paths
+- Python 3.8+ with standard library (os, subprocess, json)
+- Optional: OSSEC/Wazuh agent for file integrity monitoring alerts
+
+## Steps
+
+1. **Scan Crontab Entries** — Enumerate all user crontabs, /etc/cron.d/, /etc/cron.daily/, and anacron jobs for suspicious commands
+2. **Audit Systemd Units** — Check /etc/systemd/system/ and ~/.config/systemd/user/ for non-package-managed service and timer units
+3. **Detect LD_PRELOAD Hijacking** — Check /etc/ld.so.preload and LD_PRELOAD environment variable for injected shared libraries
+4. **Inspect Shell Profiles** — Scan .bashrc, .bash_profile, .profile, /etc/profile.d/ for injected commands or reverse shells
+5. **Check SSH Authorized Keys** — Audit all authorized_keys files for unauthorized public keys with command restrictions
+6. **Correlate Auditd Logs** — Search auditd logs for file modification events on persistence paths to build an installation timeline
+7. **Generate Persistence Report** — Produce a risk-scored report of all discovered persistence mechanisms
+
+## Expected Output
+
+- JSON report of all persistence mechanisms found with risk scores
+- Timeline of persistence installation from auditd correlation
+- MITRE ATT&CK technique mapping (T1053, T1543, T1574, T1546)
+- Remediation commands for each detected persistence mechanism
@@ -27,6 +27,11 @@ nist_ai_rmf:
 - GOVERN-1.1
 - MEASURE-2.7
 - MANAGE-3.1
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---

 # Analyzing PowerShell Empire Artifacts
@@ -1,16 +1,23 @@
 ---
 name: analyzing-powershell-script-block-logging
-description: >-
-  Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated
-  commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and
-  reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded
-  commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
+description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded
+  payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy
+  analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, powershell, script, block]
-version: "1.0"
+tags:
+- analyzing
+- powershell
+- script
+- block
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---


@@ -1,12 +1,24 @@
 ---
 name: analyzing-prefetch-files-for-execution-history
-description: Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced files for forensic investigation.
+description: Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced
+  files for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, prefetch, windows-artifacts, execution-history, timeline-analysis, evidence-collection]
-version: "1.0"
+tags:
+- forensics
+- prefetch
+- windows-artifacts
+- execution-history
+- timeline-analysis
+- evidence-collection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Prefetch Files for Execution History
@@ -1,17 +1,27 @@
 ---
 name: analyzing-ransomware-encryption-mechanisms
-description: >
-  Analyzes encryption algorithms, key management, and file encryption routines used by
-  ransomware families to assess decryption feasibility, identify implementation weaknesses,
-  and support recovery efforts. Covers AES, RSA, ChaCha20, and hybrid encryption schemes.
-  Activates for requests involving ransomware cryptanalysis, encryption analysis, key
-  recovery assessment, or ransomware decryption feasibility.
+description: 'Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to
+  assess decryption feasibility, identify implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20,
+  and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery
+  assessment, or ransomware decryption feasibility.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, ransomware, encryption, cryptanalysis, reverse-engineering]
+tags:
+- malware
+- ransomware
+- encryption
+- cryptanalysis
+- reverse-engineering
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Ransomware Encryption Mechanisms
@@ -1,12 +1,26 @@
 ---
 name: analyzing-ransomware-leak-site-intelligence
-description: Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence on group tactics, and assess sector-specific ransomware risk for proactive defense.
+description: Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence
+  on group tactics, and assess sector-specific ransomware risk for proactive defense.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [ransomware, leak-site, data-leak, extortion, threat-intelligence, monitoring, dls, victim-tracking]
-version: "1.0"
+tags:
+- ransomware
+- leak-site
+- data-leak
+- extortion
+- threat-intelligence
+- monitoring
+- dls
+- victim-tracking
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Ransomware Leak Site Intelligence

@@ -21,6 +21,11 @@ d3fend_techniques:
 - Application Protocol Command Analysis
 - Content Format Conversion
 - File Content Analysis
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---

 # Analyzing Ransomware Network Indicators
@@ -1,18 +1,28 @@
 ---
 name: analyzing-ransomware-payment-wallets
-description: >
-  Traces ransomware cryptocurrency payment flows using blockchain analysis tools
-  such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies
-  wallet clusters, tracks fund movement through mixers and exchanges, and supports
-  law enforcement attribution. Activates for requests involving ransomware payment
-  tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain
-  intelligence gathering.
+description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor,
+  WalletExplorer, and blockchain.com APIs. Identifies wallet clusters, tracks fund movement through mixers and exchanges,
+  and supports law enforcement attribution. Activates for requests involving ransomware payment tracing, bitcoin wallet analysis,
+  cryptocurrency forensics, or blockchain intelligence gathering.
+
+  '
 domain: cybersecurity
 subdomain: ransomware-defense
-tags: [ransomware, blockchain, cryptocurrency, forensics, threat-intelligence, bitcoin]
+tags:
+- ransomware
+- blockchain
+- cryptocurrency
+- forensics
+- threat-intelligence
+- bitcoin
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-11
+- RS.MA-01
+- RC.RP-01
+- PR.IR-01
 ---

 # Analyzing Ransomware Payment Wallets
@@ -31,6 +31,11 @@ nist_ai_rmf:
 - MANAGE-2.2
 - GOVERN-1.1
 - GOVERN-4.2
+nist_csf:
+- GV.SC-01
+- GV.SC-03
+- GV.SC-06
+- GV.SC-07
 ---

 # Analyzing SBOM for Supply Chain Vulnerabilities
@@ -1,8 +1,267 @@
 ---
-{}
---tags:
+name: analyzing-security-logs-with-splunk
+description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents
+  through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy
+  logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis,
+  security event correlation, or log-based incident investigation.
+
+  '
+domain: cybersecurity
+subdomain: incident-response
+tags:
 - splunk
 - SPL
 - SIEM
 - log-analysis
 - security-monitoring
+mitre_attack:
+- T1070
+- T1562
+- T1059
+version: 1.0.0
+author: mahipal
+license: Apache-2.0
+atlas_techniques:
+- AML.T0070
+- AML.T0066
+- AML.T0082
+d3fend_techniques:
+- Executable Denylisting
+- Execution Isolation
+- File Metadata Consistency Validation
+- Content Format Conversion
+- File Content Analysis
+nist_ai_rmf:
+- MEASURE-2.7
+- MAP-5.1
+- MANAGE-2.4
+- MANAGE-3.1
+- MEASURE-3.1
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
+---
+
+# Analyzing Security Logs with Splunk
+
+## When to Use
+
+- Investigating a security incident that requires correlation across multiple log sources
+- Hunting for adversary activity using known TTPs and IOCs
+- Building detection rules for specific attack patterns
+- Reconstructing an incident timeline from disparate log sources
+- Analyzing authentication anomalies, lateral movement, or data exfiltration patterns
+
+**Do not use** for real-time packet-level analysis; use Wireshark or Zeek for full packet capture analysis.
+
+## Prerequisites
+
+- Splunk Enterprise or Splunk Cloud with Enterprise Security (ES) app installed
+- Log sources ingested: Windows Event Logs (via Splunk Universal Forwarder or WEF), firewall, proxy, DNS, EDR, email gateway
+- Splunk CIM (Common Information Model) data models configured for normalized field names
+- SPL proficiency at intermediate level or higher
+- Role-based access with `search` and `accelerate_search` capabilities in Splunk
+
+## Workflow
+
+### Step 1: Scope the Investigation in Splunk
+
+Define search parameters based on incident triage data:
+
+```spl
+| Set initial investigation scope
+index=windows OR index=firewall OR index=proxy
+  earliest="2025-11-14T00:00:00" latest="2025-11-16T00:00:00"
+  (host="WKSTN-042" OR src_ip="10.1.5.42" OR user="jsmith")
+| stats count by index, sourcetype, host
+| sort -count
+```
+
+This query establishes which log sources contain relevant data for the investigation timeframe and affected assets.
+
+### Step 2: Analyze Authentication Events
+
+Investigate suspicious authentication patterns using Windows Security Event Logs:
+
+```spl
+| Detect brute force and credential stuffing
+index=windows sourcetype="WinEventLog:Security" EventCode=4625
+  earliest=-24h
+| stats count as failed_attempts, values(src_ip) as source_ips,
+  dc(src_ip) as unique_sources by TargetUserName
+| where failed_attempts > 10
+| sort -failed_attempts
+
+| Detect pass-the-hash (Logon Type 9 - NewCredentials)
+index=windows sourcetype="WinEventLog:Security" EventCode=4624
+  Logon_Type=9
+| table _time, host, TargetUserName, src_ip, LogonProcessName
+
+| Detect lateral movement via RDP
+index=windows sourcetype="WinEventLog:Security" EventCode=4624
+  Logon_Type=10
+| stats count, values(host) as targets by TargetUserName, src_ip
+| where count > 3
+| sort -count
+```
+
+### Step 3: Trace Process Execution
+
+Use Sysmon logs to reconstruct process execution chains:
+
+```spl
+| Process creation with parent chain (Sysmon Event ID 1)
+index=sysmon EventCode=1 host="WKSTN-042"
+  earliest="2025-11-15T14:00:00" latest="2025-11-15T15:00:00"
+| table _time, ParentImage, ParentCommandLine, Image, CommandLine, User, Hashes
+| sort _time
+
+| Detect suspicious PowerShell execution
+index=sysmon EventCode=1 Image="*\\powershell.exe"
+  (CommandLine="*-enc*" OR CommandLine="*-encodedcommand*"
+   OR CommandLine="*downloadstring*" OR CommandLine="*iex*")
+| table _time, host, User, ParentImage, CommandLine
+| sort _time
+
+| Detect LSASS credential dumping
+index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
+  GrantedAccess=0x1010
+| table _time, host, SourceImage, SourceUser, GrantedAccess
+```
+
+### Step 4: Analyze Network Activity
+
+Correlate network logs with endpoint events:
+
+```spl
+| Detect C2 beaconing pattern
+index=proxy OR index=firewall dest_ip="185.220.101.42"
+| timechart span=1m count by src_ip
+| where count > 0
+
+| Detect DNS tunneling (high query volume to single domain)
+index=dns
+| rex field=query "(?<subdomain>[^\.]+)\.(?<domain>[^\.]+\.[^\.]+)$"
+| stats count, avg(len(query)) as avg_query_len by domain, src_ip
+| where count > 500 AND avg_query_len > 40
+| sort -count
+
+| Detect large data transfers (potential exfiltration)
+index=proxy action=allowed
+| stats sum(bytes_out) as total_bytes by src_ip, dest_ip, dest_host
+| eval total_MB=round(total_bytes/1024/1024,2)
+| where total_MB > 100
+| sort -total_MB
+```
+
+### Step 5: Build the Incident Timeline
+
+Reconstruct a unified timeline across all log sources:
+
+```spl
+| Unified incident timeline
+index=windows OR index=sysmon OR index=proxy OR index=firewall
+  (host="WKSTN-042" OR src_ip="10.1.5.42" OR user="jsmith")
+  earliest="2025-11-15T14:00:00" latest="2025-11-15T16:00:00"
+| eval event_summary=case(
+    sourcetype=="WinEventLog:Security" AND EventCode==4624, "Logon: ".TargetUserName." from ".src_ip,
+    sourcetype=="WinEventLog:Security" AND EventCode==4625, "Failed logon: ".TargetUserName,
+    sourcetype=="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode==1,
+      "Process: ".Image." by ".User,
+    sourcetype=="proxy", "Web: ".http_method." ".url,
+    1==1, sourcetype.": ".EventCode)
+| table _time, sourcetype, host, event_summary
+| sort _time
+```
+
+### Step 6: Create Detection Rules
+
+Convert investigation findings into persistent Splunk correlation searches:
+
+```spl
+| Correlation search: PowerShell spawned by Office applications
+index=sysmon EventCode=1
+  Image="*\\powershell.exe"
+  (ParentImage="*\\winword.exe" OR ParentImage="*\\excel.exe"
+   OR ParentImage="*\\outlook.exe")
+| eval severity="high"
+| eval mitre_technique="T1059.001"
+| collect index=notable_events
+```
+
+## Key Concepts
+
+| Term | Definition |
+|------|------------|
+| **SPL (Search Processing Language)** | Splunk's query language for searching, filtering, transforming, and visualizing machine data |
+| **CIM (Common Information Model)** | Splunk's field normalization standard that maps vendor-specific field names to common names for cross-source queries |
+| **Notable Event** | An event in Splunk Enterprise Security flagged for analyst review based on a correlation search match |
+| **Data Model** | Structured representation of indexed data in Splunk enabling accelerated searches and pivot-based analysis |
+| **Sourcetype** | Classification label in Splunk that defines the format and parsing rules for a specific log type |
+| **Correlation Search** | Scheduled Splunk search that runs continuously and generates notable events when conditions are met |
+| **Timechart** | SPL command that creates time-series visualizations for identifying patterns, anomalies, and trends |
+
+## Tools & Systems
+
+- **Splunk Enterprise Security (ES)**: Premium SIEM application providing correlation searches, risk-based alerting, and investigation workbench
+- **Splunk SOAR**: Orchestration platform integrated with Splunk ES for automated response playbooks
+- **Sysmon**: Microsoft system monitoring tool providing detailed process, network, and file change telemetry ingested into Splunk
+- **Splunk Attack Analyzer**: Automated threat analysis that detonates suspicious files and URLs, feeding results into Splunk
+- **BOSS of the SOC (BOTS)**: SANS/Splunk training dataset for practicing incident investigation SPL queries
+
+## Common Scenarios
+
+### Scenario: Investigating Credential Stuffing Leading to Account Takeover
+
+**Context**: Security operations receives an alert for multiple successful logins to a single account from geographically dispersed IP addresses within a 30-minute window.
+
+**Approach**:
+1. Query Event ID 4624 for the affected account to map all login sources and times
+2. Correlate login IPs against threat intelligence feeds using a Splunk lookup table
+3. Check proxy logs for suspicious activity from the authenticated sessions
+4. Search for lateral movement from the compromised account (Event ID 4624 Type 3 to other hosts)
+5. Build a timeline showing credential stuffing attempts, successful login, and post-compromise activity
+6. Create a correlation search to detect similar patterns on other accounts
+
+**Pitfalls**:
+- Searching only the last 24 hours when the credential stuffing may have occurred over weeks
+- Not checking for VPN logs that may show the same account authenticating from impossible travel distances
+- Failing to normalize timestamps across log sources in different time zones
+
+## Output Format
+
+```
+SPLUNK INVESTIGATION REPORT
+============================
+Incident:        INC-2025-1547
+Analyst:         [Name]
+Investigation Period: 2025-11-14 00:00 UTC - 2025-11-16 00:00 UTC
+
+SEARCH SCOPE
+Indexes:         windows, sysmon, proxy, firewall, dns
+Hosts:           WKSTN-042, SRV-FILE01
+Users:           jsmith, svc-backup
+Source IPs:      10.1.5.42, 10.1.10.15
+
+KEY FINDINGS
+1. [timestamp] - Initial compromise via phishing (Sysmon Event 1)
+2. [timestamp] - C2 established (proxy logs, beacon pattern detected)
+3. [timestamp] - Credential theft (Sysmon Event 10, LSASS access)
+4. [timestamp] - Lateral movement to SRV-FILE01 (Event 4624 Type 3)
+5. [timestamp] - Data staging and exfiltration (proxy bytes_out anomaly)
+
+SPL QUERIES USED
+[numbered list of key queries with descriptions]
+
+DETECTION GAPS IDENTIFIED
+- No Sysmon deployed on SRV-FILE01 (blind spot)
+- Proxy logs missing SSL inspection for C2 domain
+- PowerShell ScriptBlock logging not enabled
+
+RECOMMENDED DETECTIONS
+1. Correlation search for Office-spawned PowerShell
+2. Threshold alert for LSASS access patterns
+3. Behavioral rule for beacon-interval network traffic
+```
@@ -1,12 +1,25 @@
 ---
 name: analyzing-slack-space-and-file-system-artifacts
-description: Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity on NTFS volumes.
+description: Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data
+  and reconstruct file activity on NTFS volumes.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, slack-space, ntfs, mft, usn-journal, alternate-data-streams, file-system-analysis]
-version: "1.0"
+tags:
+- forensics
+- slack-space
+- ntfs
+- mft
+- usn-journal
+- alternate-data-streams
+- file-system-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Slack Space and File System Artifacts
@@ -28,6 +28,11 @@ d3fend_techniques:
 - Restore Object
 - Electromagnetic Radiation Hardening
 - RF Shielding
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Supply Chain Malware Artifacts

@@ -21,6 +21,11 @@ d3fend_techniques:
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Threat Actor TTPs with MITRE ATT&CK

@@ -33,6 +33,11 @@ d3fend_techniques:
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Threat Actor TTPs with MITRE Navigator

@@ -1,17 +1,31 @@
 ---
 name: analyzing-threat-intelligence-feeds
-description: >
-  Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators,
-  adversary tactics, and campaign context. Use when ingesting commercial or open-source CTI feeds,
-  evaluating feed quality, normalizing data into STIX 2.1 format, or enriching existing IOCs with
-  campaign attribution. Activates for requests involving ThreatConnect, Recorded Future, Mandiant
-  Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.
+description: 'Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics,
+  and campaign context. Use when ingesting commercial or open-source CTI feeds, evaluating feed quality, normalizing data
+  into STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates for requests involving ThreatConnect,
+  Recorded Future, Mandiant Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.
+
+  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [STIX, TAXII, MITRE-ATT&CK, IOC, ThreatConnect, Recorded-Future, MISP, CTI, NIST-CSF]
+tags:
+- STIX
+- TAXII
+- MITRE-ATT&CK
+- IOC
+- ThreatConnect
+- Recorded-Future
+- MISP
+- CTI
+- NIST-CSF
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Threat Intelligence Feeds

@@ -20,6 +20,11 @@ d3fend_techniques:
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---


@@ -18,6 +18,11 @@ license: Apache-2.0
 atlas_techniques:
 - AML.T0073
 - AML.T0052
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---

 # Analyzing TLS Certificate Transparency Logs
@@ -19,6 +19,11 @@ license: Apache-2.0
 atlas_techniques:
 - AML.T0073
 - AML.T0052
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Typosquatting Domains with DNSTwist

@@ -26,6 +26,10 @@ d3fend_techniques:
 - Platform Monitoring
 - Firmware Verification
 - Firmware Embedded Monitoring Code
+nist_csf:
+- ID.RA-01
+- PR.PS-01
+- PR.PS-02
 ---

 # Analyzing UEFI Bootkit Persistence
@@ -1,12 +1,24 @@
 ---
 name: analyzing-usb-device-connection-history
-description: Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable media usage and potential data exfiltration.
+description: Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable
+  media usage and potential data exfiltration.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, usb-forensics, removable-media, registry-analysis, data-exfiltration, device-history]
-version: "1.0"
+tags:
+- forensics
+- usb-forensics
+- removable-media
+- registry-analysis
+- data-exfiltration
+- device-history
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing USB Device Connection History
@@ -1,16 +1,23 @@
 ---
 name: analyzing-web-server-logs-for-intrusion
-description: >-
-  Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion,
-  directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based
-  pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution,
-  and statistical anomaly detection for request frequency and response size outliers.
+description: Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal,
+  web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP
+  enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, web, server, logs]
-version: "1.0"
+tags:
+- analyzing
+- web
+- server
+- logs
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---


@@ -1,19 +1,29 @@
 ---
 name: analyzing-windows-amcache-artifacts
-description: >
-  Parses and analyzes the Windows Amcache.hve registry hive to extract evidence
-  of program execution, application installation, and driver loading for digital
-  forensics investigations. Uses Eric Zimmerman's AmcacheParser and Timeline
-  Explorer for artifact extraction, SHA-1 hash correlation with threat intel,
-  and timeline reconstruction. Activates for requests involving Amcache forensics,
-  program execution evidence, Windows artifact analysis, or application compatibility
-  cache investigation.
+description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application
+  installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline
+  Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests
+  involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation.
+
+  '
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [amcache, windows-forensics, program-execution, AmcacheParser, eric-zimmerman, timeline-analysis, DFIR]
+tags:
+- amcache
+- windows-forensics
+- program-execution
+- AmcacheParser
+- eric-zimmerman
+- timeline-analysis
+- DFIR
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Windows Amcache Artifacts
@@ -25,6 +25,11 @@ d3fend_techniques:
 - Biometric Authentication
 - Strong Password Policy
 - Restore User Account Access
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Analyzing Windows Event Logs in Splunk

@@ -1,12 +1,24 @@
 ---
 name: analyzing-windows-lnk-files-for-artifacts
-description: Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers for forensic timeline reconstruction.
+description: Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers
+  for forensic timeline reconstruction.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, lnk-files, windows-artifacts, shortcut-analysis, timeline-reconstruction, evidence-collection]
-version: "1.0"
+tags:
+- forensics
+- lnk-files
+- windows-artifacts
+- shortcut-analysis
+- timeline-reconstruction
+- evidence-collection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Windows LNK Files for Artifacts
@@ -1,13 +1,28 @@
 ---
 name: analyzing-windows-prefetch-with-python
-description: Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history, detect renamed or masquerading binaries, and identify suspicious program execution patterns.
+description: Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history,
+  detect renamed or masquerading binaries, and identify suspicious program execution patterns.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis]
-mitre_attack: ["T1059", "T1204", "T1036"]
-version: "1.0"
+tags:
+- digital-forensics
+- windows
+- prefetch
+- execution-history
+- incident-response
+- malware-analysis
+mitre_attack:
+- T1059
+- T1204
+- T1036
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 # Analyzing Windows Prefetch with Python

@@ -1,12 +1,24 @@
 ---
 name: analyzing-windows-registry-for-artifacts
-description: Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and evidence of system compromise.
+description: Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and
+  evidence of system compromise.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, windows-registry, artifact-analysis, regripper, registry-explorer, evidence-collection]
-version: "1.0"
+tags:
+- forensics
+- windows-registry
+- artifact-analysis
+- regripper
+- registry-explorer
+- evidence-collection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Windows Registry for Artifacts
@@ -1,12 +1,29 @@
 ---
 name: analyzing-windows-shellbag-artifacts
-description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags Explorer.
+description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable
+  media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags
+  Explorer.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [shellbags, windows-registry, sbecmd, shellbags-explorer, folder-access, user-activity, removable-media, network-shares, bagmru, dfir]
-version: "1.0"
+tags:
+- shellbags
+- windows-registry
+- sbecmd
+- shellbags-explorer
+- folder-access
+- user-activity
+- removable-media
+- network-shares
+- bagmru
+- dfir
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Windows Shellbag Artifacts
@@ -1,15 +1,27 @@
 ---
 name: auditing-aws-s3-bucket-permissions
-description: >
-  Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets,
-  overly permissive ACLs, misconfigured bucket policies, and missing encryption settings
-  using AWS CLI, S3audit, and Prowler to enforce least-privilege data access controls.
+description: 'Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, overly permissive ACLs,
+  misconfigured bucket policies, and missing encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege
+  data access controls.
+
+  '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, aws, s3, bucket-permissions, data-protection, access-control]
-version: "1.0"
+tags:
+- cloud-security
+- aws
+- s3
+- bucket-permissions
+- data-protection
+- access-control
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Auditing AWS S3 Bucket Permissions
@@ -1,15 +1,27 @@
 ---
 name: auditing-azure-active-directory-configuration
-description: >
-  Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky
-  authentication policies, overly permissive role assignments, stale accounts, conditional
-  access gaps, and guest user risks using AzureAD PowerShell, Microsoft Graph API, and ScoutSuite.
+description: 'Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies,
+  overly permissive role assignments, stale accounts, conditional access gaps, and guest user risks using AzureAD PowerShell,
+  Microsoft Graph API, and ScoutSuite.
+
+  '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, azure, entra-id, active-directory, iam-audit, conditional-access]
-version: "1.0"
+tags:
+- cloud-security
+- azure
+- entra-id
+- active-directory
+- iam-audit
+- conditional-access
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Auditing Azure Active Directory Configuration
@@ -21,6 +21,11 @@ nist_ai_rmf:
 - GOVERN-1.1
 - GOVERN-4.2
 - MAP-2.3
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Auditing Cloud with CIS Benchmarks
@@ -1,15 +1,26 @@
 ---
 name: auditing-gcp-iam-permissions
-description: >
-  Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings,
-  primitive role usage, service account key proliferation, and cross-project access risks
-  using gcloud CLI, Policy Analyzer, and IAM Recommender.
+description: 'Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage,
+  service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.
+
+  '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, gcp, iam, permissions-audit, service-accounts, policy-analyzer]
-version: "1.0"
+tags:
+- cloud-security
+- gcp
+- iam
+- permissions-audit
+- service-accounts
+- policy-analyzer
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Auditing GCP IAM Permissions
@@ -1,15 +1,27 @@
 ---
 name: auditing-kubernetes-cluster-rbac
-description: >
-  Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles,
-  wildcard permissions, dangerous ClusterRoleBindings, service account abuse, and
-  privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.
+description: 'Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous
+  ClusterRoleBindings, service account abuse, and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.
+
+  '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, kubernetes, rbac, access-control, eks, gke, aks]
-version: "1.0"
+tags:
+- cloud-security
+- kubernetes
+- rbac
+- access-control
+- eks
+- gke
+- aks
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Auditing Kubernetes Cluster RBAC
@@ -1,15 +1,27 @@
 ---
 name: auditing-terraform-infrastructure-for-security
-description: >
-  Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov,
-  tfsec, Terrascan, and OPA/Rego policies to detect overly permissive IAM policies, public
-  resource exposure, missing encryption, and insecure defaults before cloud deployment.
+description: 'Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and
+  OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults
+  before cloud deployment.
+
+  '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, terraform, infrastructure-as-code, checkov, tfsec, policy-as-code]
-version: "1.0"
+tags:
+- cloud-security
+- terraform
+- infrastructure-as-code
+- checkov
+- tfsec
+- policy-as-code
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Auditing Terraform Infrastructure for Security
@@ -1,18 +1,29 @@
 ---
 name: auditing-tls-certificate-transparency-logs
-description: >
-  Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance,
-  discover subdomains via CT data, and alert on suspicious certificate activity for owned domains.
-  Uses the crt.sh API and direct CT log querying based on RFC 6962 to build continuous monitoring
-  pipelines that catch rogue certificates, track CA behavior, and map the external attack surface.
-  Activates for requests involving certificate transparency monitoring, CT log auditing,
-  subdomain discovery via certificates, or certificate issuance alerting.
+description: 'Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains
+  via CT data, and alert on suspicious certificate activity for owned domains. Uses the crt.sh API and direct CT log querying
+  based on RFC 6962 to build continuous monitoring pipelines that catch rogue certificates, track CA behavior, and map the
+  external attack surface. Activates for requests involving certificate transparency monitoring, CT log auditing, subdomain
+  discovery via certificates, or certificate issuance alerting.
+
+  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [certificate-transparency, CT-logs, crt-sh, subdomain-discovery, TLS-monitoring, RFC-6962]
+tags:
+- certificate-transparency
+- CT-logs
+- crt-sh
+- subdomain-discovery
+- TLS-monitoring
+- RFC-6962
 version: 1.0.0
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Auditing TLS Certificate Transparency Logs

@@ -1,18 +1,32 @@
 ---
 name: automating-ioc-enrichment
-description: >
-  Automates the enrichment of raw indicators of compromise with multi-source threat intelligence
-  context using SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time
-  and standardize enrichment outputs. Use when building automated enrichment workflows integrated
-  with SIEM alerts, email submission pipelines, or bulk IOC processing from threat feeds. Activates
-  for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment
+description: 'Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using
+  SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time and standardize enrichment outputs. Use
+  when building automated enrichment workflows integrated with SIEM alerts, email submission pipelines, or bulk IOC processing
+  from threat feeds. Activates for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment
  pipelines, or automated IOC processing.
+
+  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [SOAR, enrichment, IOC, Cortex-XSOAR, Splunk-SOAR, VirusTotal, automation, CTI, NIST-CSF]
+tags:
+- SOAR
+- enrichment
+- IOC
+- Cortex-XSOAR
+- Splunk-SOAR
+- VirusTotal
+- automation
+- CTI
+- NIST-CSF
 version: 1.0.0
 author: team-cybersecurity
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Automating IOC Enrichment

@@ -1,12 +1,26 @@
 ---
 name: building-adversary-infrastructure-tracking-system
-description: Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor threat actor command-and-control networks.
+description: Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS
+  data, and IP enrichment to map and monitor threat actor command-and-control networks.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [infrastructure-tracking, passive-dns, c2, whois, threat-actor, pivoting, threat-intelligence, domain-analysis]
-version: "1.0"
+tags:
+- infrastructure-tracking
+- passive-dns
+- c2
+- whois
+- threat-actor
+- pivoting
+- threat-intelligence
+- domain-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Building Adversary Infrastructure Tracking System

@@ -22,6 +22,11 @@ d3fend_techniques:
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Building Attack Pattern Library from CTI Reports

@@ -1,16 +1,29 @@
 ---
 name: building-automated-malware-submission-pipeline
-description: >
-  Builds an automated malware submission and analysis pipeline that collects suspicious files from
-  endpoints and email gateways, submits them to sandbox environments and multi-engine scanners,
-  and generates verdicts with IOCs for SIEM integration. Use when SOC teams need to scale malware
-  analysis beyond manual sandbox submissions for high-volume alert triage.
+description: 'Builds an automated malware submission and analysis pipeline that collects suspicious files from endpoints and
+  email gateways, submits them to sandbox environments and multi-engine scanners, and generates verdicts with IOCs for SIEM
+  integration. Use when SOC teams need to scale malware analysis beyond manual sandbox submissions for high-volume alert triage.
+
+  '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, malware-analysis, sandbox, automation, virustotal, cuckoo, any-run, pipeline]
-version: "1.0"
+tags:
+- soc
+- malware-analysis
+- sandbox
+- automation
+- virustotal
+- cuckoo
+- any-run
+- pipeline
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Building Automated Malware Submission Pipeline

@@ -21,6 +21,10 @@ d3fend_techniques:
 - Application Protocol Command Analysis
 - Content Format Conversion
 - File Content Analysis
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 # Building C2 Infrastructure with Sliver Framework

@@ -25,6 +25,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Building Cloud SIEM with Sentinel
@@ -22,6 +22,11 @@ d3fend_techniques:
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---

 # Building Detection Rules with Splunk SPL
@@ -26,6 +26,11 @@ d3fend_techniques:
 - Hardware-based Process Isolation
 - Web Session Access Mediation
 - Process Suspension
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Building Detection Rules with Sigma

@@ -1,12 +1,26 @@
 ---
 name: building-devsecops-pipeline-with-gitlab-ci
-description: Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning, dependency scanning, and secret detection.
+description: Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning,
+  dependency scanning, and secret detection.
 domain: cybersecurity
 subdomain: devsecops
-tags: [gitlab-ci, devsecops, sast, dast, container-scanning, dependency-scanning, secret-detection, cicd-security]
-version: "1.0"
+tags:
+- gitlab-ci
+- devsecops
+- sast
+- dast
+- container-scanning
+- dependency-scanning
+- secret-detection
+- cicd-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- GV.SC-07
+- ID.IM-04
+- PR.PS-04
 ---

 # Building DevSecOps Pipeline with GitLab CI
@@ -1,12 +1,26 @@
 ---
 name: building-identity-federation-with-saml-azure-ad
-description: Establish SAML 2.0 identity federation between on-premises Active Directory and Azure AD (Microsoft Entra ID) for seamless cross-domain authentication and SSO to cloud applications.
+description: Establish SAML 2.0 identity federation between on-premises Active Directory and Azure AD (Microsoft Entra ID)
+  for seamless cross-domain authentication and SSO to cloud applications.
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [saml, azure-ad, entra-id, federation, identity, sso, adfs, hybrid-identity]
-version: "1.0"
+tags:
+- saml
+- azure-ad
+- entra-id
+- federation
+- identity
+- sso
+- adfs
+- hybrid-identity
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---

 # Building Identity Federation with SAML Azure AD
@@ -22,6 +22,11 @@ nist_ai_rmf:
 - GOVERN-1.1
 - GOVERN-1.7
 - MAP-1.1
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---

 # Building Identity Governance Lifecycle Process
@@ -1,16 +1,28 @@
 ---
 name: building-incident-response-dashboard
-description: >
-  Builds real-time incident response dashboards in Splunk, Elastic, or Grafana to provide SOC
-  analysts and leadership with situational awareness during active incidents, tracking affected
-  systems, containment status, IOC spread, and response timeline. Use when IR teams need unified
-  visibility during incident coordination and post-incident reporting.
+description: 'Builds real-time incident response dashboards in Splunk, Elastic, or Grafana to provide SOC analysts and leadership
+  with situational awareness during active incidents, tracking affected systems, containment status, IOC spread, and response
+  timeline. Use when IR teams need unified visibility during incident coordination and post-incident reporting.
+
+  '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, dashboard, incident-response, splunk, visualization, situational-awareness, metrics]
-version: "1.0"
+tags:
+- soc
+- dashboard
+- incident-response
+- splunk
+- visualization
+- situational-awareness
+- metrics
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Building Incident Response Dashboard

@@ -1,19 +1,31 @@
 ---
 name: building-incident-response-playbook
-description: >
-  Designs and documents structured incident response playbooks that define step-by-step
-  procedures for specific incident types aligned with NIST SP 800-61r3 and SANS PICERL
-  frameworks. Covers playbook structure, decision trees, escalation criteria, RACI matrices,
-  and integration with SOAR platforms. Activates for requests involving IR playbook creation,
-  incident response procedure documentation, response runbook development, or SOAR playbook
-  design.
+description: 'Designs and documents structured incident response playbooks that define step-by-step procedures for specific
+  incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation
+  criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident
+  response procedure documentation, response runbook development, or SOAR playbook design.
+
+  '
 domain: cybersecurity
 subdomain: incident-response
-tags: [IR-playbook, runbook, NIST-800-61, SOAR-integration, response-procedures]
-mitre_attack: ["T1190", "T1566", "T1078"]
+tags:
+- IR-playbook
+- runbook
+- NIST-800-61
+- SOAR-integration
+- response-procedures
+mitre_attack:
+- T1190
+- T1566
+- T1078
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---

 # Building Incident Response Playbooks
@@ -1,6 +1,10 @@
 ---
-{}
---tags:
+name: building-incident-timeline-with-timesketch
+description: Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source
+  event data for attack chain reconstruction and investigation documentation.
+domain: cybersecurity
+subdomain: incident-response
+tags:
 - timesketch
 - timeline-analysis
 - forensic-timeline
@@ -8,4 +12,256 @@
 - dfir
 - incident-investigation
 - collaborative-forensics
+mitre_attack:
+- T1070
+- T1059
+- T1053
 version: '1.0'
+author: mahipal
+license: Apache-2.0
+d3fend_techniques:
+- Executable Denylisting
+- Execution Isolation
+- File Metadata Consistency Validation
+- Content Format Conversion
+- File Content Analysis
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
+---
+
+# Building Incident Timeline with Timesketch
+
+## Overview
+
+Timesketch is an open-source collaborative forensic timeline analysis tool developed by Google that enables security teams to visualize and analyze chronological data from multiple sources during incident investigations. It ingests logs and artifacts from endpoints, servers, and cloud services, normalizes them into a unified searchable timeline, and provides powerful analysis capabilities including built-in analyzers, tagging, sketch annotations, and story building. Timesketch integrates with Plaso (log2timeline) for artifact parsing and supports direct CSV/JSONL ingestion for rapid timeline construction during active incidents.
+
+
+## When to Use
+
+- When deploying or configuring building incident timeline with timesketch capabilities in your environment
+- When establishing security controls aligned to compliance requirements
+- When building or improving security architecture for this domain
+- When conducting security assessments that require this implementation
+
+## Prerequisites
+
+- Familiarity with incident response concepts and tools
+- Access to a test or lab environment for safe execution
+- Python 3.8+ with required dependencies installed
+- Appropriate authorization for any testing activities
+
+## Architecture and Components
+
+### Core Components
+- **Timesketch Server**: Web application with REST API for timeline management
+- **OpenSearch/Elasticsearch**: Backend storage and search engine for timeline events
+- **PostgreSQL**: Metadata storage for sketches, stories, and user data
+- **Redis**: Task queue management for background processing
+- **Celery Workers**: Asynchronous processing of timeline uploads and analyzers
+
+### Data Flow
+```
+Evidence Sources --> Plaso/log2timeline --> Plaso storage file (.plaso)
+     |                                           |
+     v                                           v
+  CSV/JSONL --> Timesketch Importer --> OpenSearch Index
+                                           |
+                                           v
+                                    Timesketch Web UI
+                                    (Search, Analyze, Story)
+```
+
+## Deployment
+
+### Docker Deployment (Recommended)
+```bash
+# Clone Timesketch repository
+git clone https://github.com/google/timesketch.git
+cd timesketch
+
+# Run deployment helper script
+cd docker
+sudo docker compose up -d
+
+# Default access: https://localhost:443
+# Admin credentials generated during first run
+```
+
+### System Requirements
+- Minimum 8 GB RAM (16+ GB recommended for large investigations)
+- 4 CPU cores minimum
+- SSD storage for OpenSearch indices
+- Docker and Docker Compose installed
+
+## Data Ingestion Methods
+
+### Method 1: Plaso Integration (Comprehensive)
+```bash
+# Process disk image with log2timeline
+log2timeline.py --storage-file evidence.plaso /path/to/disk/image
+
+# Process Windows event logs
+log2timeline.py --parsers winevtx --storage-file windows_events.plaso /path/to/evtx/
+
+# Process multiple evidence sources
+log2timeline.py --parsers "winevtx,prefetch,amcache,shimcache,userassist" \
+  --storage-file full_analysis.plaso /path/to/mounted/image/
+
+# Import Plaso file into Timesketch
+timesketch_importer -s "Case-2025-001" -t "Endpoint-WKS01" evidence.plaso
+```
+
+### Method 2: CSV Import (Quick Ingestion)
+```csv
+message,datetime,timestamp_desc,source,hostname
+"User login detected","2025-01-15T08:30:00Z","Event Recorded","Security Log","DC01"
+"PowerShell execution","2025-01-15T08:31:15Z","Event Recorded","PowerShell","WKS042"
+```
+
+```bash
+# Import CSV directly
+timesketch_importer -s "Case-2025-001" -t "Quick-Triage" events.csv
+```
+
+### Method 3: JSONL Import (Structured Data)
+```json
+{"message": "Suspicious logon from 10.1.2.3", "datetime": "2025-01-15T08:30:00Z", "timestamp_desc": "Event Recorded", "source_short": "Security", "hostname": "DC01"}
+```
+
+### Method 4: Sigma Rule Integration
+```bash
+# Upload Sigma rules for automated detection
+timesketch_importer --sigma-rules /path/to/sigma/rules/
+```
+
+## Analysis Workflow
+
+### Step 1: Create Investigation Sketch
+```
+1. Log into Timesketch web interface
+2. Create new sketch (investigation case)
+3. Add relevant timelines to the sketch
+4. Set sketch description and tags
+```
+
+### Step 2: Run Built-in Analyzers
+Timesketch includes analyzers that automatically identify:
+- **Browser Search Analyzer**: Extracts search queries from browser history
+- **Chain of Events Analyzer**: Links related events (download -> execute)
+- **Domain Analyzer**: Extracts and categorizes domain names
+- **Feature Extraction Analyzer**: Identifies IPs, URLs, hashes
+- **Geo Location Analyzer**: Maps events to geographic locations
+- **Similarity Scorer**: Finds similar events across timelines
+- **Sigma Analyzer**: Matches events against Sigma detection rules
+- **Account Finder**: Identifies user account activity patterns
+- **Tagger**: Applies labels based on predefined rules
+
+### Step 3: Search and Filter
+```
+# Search examples in Timesketch query language
+
+# Find all events related to specific user
+source_short:Security AND message:"john.admin"
+
+# Find PowerShell execution events
+data_type:"windows:evtx:record" AND event_identifier:4104
+
+# Find lateral movement indicators
+source_short:Security AND event_identifier:4624 AND xml_string:"LogonType\">3"
+
+# Find events within specific time range
+datetime:[2025-01-15T00:00:00 TO 2025-01-15T23:59:59]
+
+# Find file creation events
+data_type:"fs:stat" AND timestamp_desc:"Creation Time"
+
+# Search with tags
+tag:"suspicious" OR tag:"lateral_movement"
+```
+
+### Step 4: Build Investigation Story
+```
+1. Create new story within the sketch
+2. Add search views that support each finding
+3. Annotate key events with investigator notes
+4. Link events to MITRE ATT&CK techniques
+5. Document the attack narrative chronologically
+6. Export story for inclusion in incident report
+```
+
+## Advanced Features
+
+### Collaborative Investigation
+- Multiple analysts work on the same sketch simultaneously
+- Comments and annotations persist on events
+- Saved searches shared across the team
+- Investigation stories document findings in context
+
+### API Automation
+```python
+from timesketch_api_client import config
+from timesketch_api_client import client as ts_client
+
+# Connect to Timesketch
+ts = ts_client.TimesketchApi(
+    host_uri="https://timesketch.local",
+    username="analyst",
+    password="password"
+)
+
+# Get sketch
+sketch = ts.get_sketch(1)
+
+# Search events
+search = sketch.explore(
+    query_string='event_identifier:4624 AND LogonType:3',
+    return_fields='datetime,message,hostname,source_short'
+)
+
+# Add tags to events
+for event in search.get('objects', []):
+    sketch.tag_event(event['_id'], ['lateral_movement'])
+```
+
+### Integration with Dissect
+```bash
+# Use Dissect for faster artifact parsing (alternative to Plaso)
+target-query -f timesketch://timesketch.local/case-001 \
+  targets/hostname/ -q "windows.evtx" --limit 0
+```
+
+## Key Data Sources for Timeline Building
+
+| Source | Parser | Evidence Value |
+|--------|--------|---------------|
+| Windows Event Logs (.evtx) | winevtx | Authentication, process execution, services |
+| Prefetch Files | prefetch | Program execution history |
+| MFT ($MFT) | mft | File system activity |
+| Registry Hives | winreg | System configuration, persistence |
+| Browser History | chrome/firefox | Web activity, downloads |
+| Syslog | syslog | Linux/network device events |
+| CloudTrail Logs | jsonl | AWS API activity |
+| Azure Activity Logs | jsonl | Azure resource operations |
+| Firewall Logs | csv/jsonl | Network connections |
+| Proxy Logs | csv/jsonl | HTTP/HTTPS traffic |
+
+## MITRE ATT&CK Mapping
+
+| Technique | Timeline Indicators |
+|-----------|-------------------|
+| Initial Access (TA0001) | First malicious event, phishing email receipt |
+| Execution (T1059) | PowerShell/CMD events, process creation |
+| Persistence (TA0003) | Registry modifications, scheduled tasks, services |
+| Lateral Movement (TA0008) | Remote logons, SMB connections, RDP sessions |
+| Exfiltration (TA0010) | Large data transfers, cloud storage uploads |
+
+## References
+
+- [Timesketch Official Documentation](https://timesketch.org/)
+- [Timesketch GitHub Repository](https://github.com/google/timesketch)
+- [CISA Timesketch Resource](https://www.cisa.gov/resources-tools/services/timesketch)
+- [Hunt and Hackett: Scalable Forensics with Dissect and Timesketch](https://www.huntandhackett.com/blog/scalable-forensics-timeline-analysis-using-dissect-and-timesketch)
+- [Plaso (log2timeline) Documentation](https://plaso.readthedocs.io/)
@@ -1,12 +1,26 @@
 ---
 name: building-ioc-defanging-and-sharing-pipeline
-description: Build an automated pipeline to defang indicators of compromise (URLs, IPs, domains, emails) for safe sharing and distribute them in STIX format through TAXII feeds and threat intelligence platforms.
+description: Build an automated pipeline to defang indicators of compromise (URLs, IPs, domains, emails) for safe sharing
+  and distribute them in STIX format through TAXII feeds and threat intelligence platforms.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [ioc, defanging, threat-sharing, stix, pipeline, indicator, automation, threat-intelligence]
-version: "1.0"
+tags:
+- ioc
+- defanging
+- threat-sharing
+- stix
+- pipeline
+- indicator
+- automation
+- threat-intelligence
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Building IOC Defanging and Sharing Pipeline

@@ -1,12 +1,26 @@
 ---
 name: building-ioc-enrichment-pipeline-with-opencti
-description: OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its native data model. This skill covers building an automated IOC enrichment pipeline using O
+description: OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its
+  native data model. This skill covers building an automated IOC enrichment pipeline using O
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, opencti, enrichment, virustotal]
-version: "1.0"
+tags:
+- threat-intelligence
+- cti
+- ioc
+- mitre-attack
+- stix
+- opencti
+- enrichment
+- virustotal
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Building IOC Enrichment Pipeline with OpenCTI

--- a/Show More
+++ b/Show More