diff --git a/skills/acquiring-disk-image-with-dd-and-dcfldd/SKILL.md b/skills/acquiring-disk-image-with-dd-and-dcfldd/SKILL.md
index 94ad1029..d3d17300 100644
--- a/skills/acquiring-disk-image-with-dd-and-dcfldd/SKILL.md
+++ b/skills/acquiring-disk-image-with-dd-and-dcfldd/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: acquiring-disk-image-with-dd-and-dcfldd
-description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
+description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through
+ hash verification.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, disk-imaging, evidence-acquisition, dd, dcfldd, hash-verification]
-version: "1.0"
+tags:
+- forensics
+- disk-imaging
+- evidence-acquisition
+- dd
+- dcfldd
+- hash-verification
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 # Acquiring Disk Image with dd and dcfldd
diff --git a/skills/analyzing-active-directory-acl-abuse/SKILL.md b/skills/analyzing-active-directory-acl-abuse/SKILL.md
index 543d06f0..8deab1e8 100644
--- a/skills/analyzing-active-directory-acl-abuse/SKILL.md
+++ b/skills/analyzing-active-directory-acl-abuse/SKILL.md
@@ -1,12 +1,21 @@
 ---
 name: analyzing-active-directory-acl-abuse
-description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
+description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and
+ WriteOwner abuse paths
 domain: cybersecurity
 subdomain: identity-security
-tags: [active-directory, acl-abuse, ldap, privilege-escalation]
-version: "1.0"
+tags:
+- active-directory
+- acl-abuse
+- ldap
+- privilege-escalation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.AA-06
 ---
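Review bot: The `nist_csf` list added after `license: Apache-2.0` includes `RS.AN-01`, which as far as I can tell is not a live subcategory in NIST CSF 2.0 — the two-digit `XX.YY-NN` numbering used here, and IDs such as `GV.OV-01` and `PR.AA-05` elsewhere in this commit, follow the 2.0 scheme, in which RS.AN-01 was withdrawn and its content folded into RS.MA-02. If the mapping is meant to be CSF 2.0 the entry should be replaced with a live identifier, e.g. `- RS.MA-02`, or dropped; if it is meant to be CSF 1.1 the 1.1 form is `RS.AN-1` and the mixed IDs should be reconciled. The same `RS.AN-01` entry is added in the hunks for analyzing-browser-forensics-with-hindsight, analyzing-disk-image-with-autopsy, analyzing-docker-container-forensics, analyzing-email-headers-for-phishing-investigation, analyzing-linux-kernel-rootkits, analyzing-linux-system-artifacts and analyzing-lnk-file-and-jump-list-artifacts. Please verify the whole mapping list against the published CSF 2.0 subcategory table before merging, since the identifiers were evidently generated in bulk.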
diff --git a/skills/analyzing-android-malware-with-apktool/SKILL.md b/skills/analyzing-android-malware-with-apktool/SKILL.md
index b39d37fb..1bb9a19e 100644
--- a/skills/analyzing-android-malware-with-apktool/SKILL.md
+++ b/skills/analyzing-android-malware-with-apktool/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: analyzing-android-malware-with-apktool
-description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
+description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source
+ recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [Android, APK, apktool, jadx, androguard, mobile-malware, static-analysis, reverse-engineering]
-version: "1.0"
+tags:
+- Android
+- APK
+- apktool
+- jadx
+- androguard
+- mobile-malware
+- static-analysis
+- reverse-engineering
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Android Malware with Apktool
diff --git a/skills/analyzing-api-gateway-access-logs/SKILL.md b/skills/analyzing-api-gateway-access-logs/SKILL.md
index f906f62c..24c08d00 100644
--- a/skills/analyzing-api-gateway-access-logs/SKILL.md
+++ b/skills/analyzing-api-gateway-access-logs/SKILL.md
@@ -1,16 +1,25 @@
 ---
 name: analyzing-api-gateway-access-logs
-description: >
- Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR
- attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas
- for statistical analysis of request patterns and anomaly detection. Use when
- investigating API abuse or building API-specific threat detection rules.
+description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass,
+ credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection.
+ Use when investigating API abuse or building API-specific threat detection rules.
+
+ '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, api, gateway, access]
-version: "1.0"
+tags:
+- analyzing
+- api
+- gateway
+- access
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
 # Analyzing API Gateway Access Logs
diff --git a/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md b/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md
index d0a565d9..9e5bfab2 100644
--- a/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md
+++ b/skills/analyzing-apt-group-with-mitre-navigator/SKILL.md
@@ -22,6 +22,11 @@ d3fend_techniques:
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing APT Group with MITRE ATT&CK Navigator
diff --git a/skills/analyzing-azure-activity-logs-for-threats/SKILL.md b/skills/analyzing-azure-activity-logs-for-threats/SKILL.md
index d4b6f164..e578391b 100644
--- a/skills/analyzing-azure-activity-logs-for-threats/SKILL.md
+++ b/skills/analyzing-azure-activity-logs-for-threats/SKILL.md
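Review bot: The rewrapped `description` value now ends with an empty added line followed by a lone `'` (`+` then `+ '`), which is a serializer's encoding of the trailing newline the old `description: >` block scalar produced; the value is preserved, but the form reads as a dump artifact, and keeping `description: >` over the rewrapped lines would carry the identical string more legibly. The same pattern appears in the hunks for analyzing-azure-activity-logs-for-threats, analyzing-bootkit-and-rootkit-samples, analyzing-command-and-control-communication, analyzing-cyber-kill-chain, analyzing-kubernetes-audit-logs, analyzing-linux-audit-logs-for-intrusion and analyzing-linux-elf-malware. If the consumer does not need the trailing newline, `>-` would drop it, but that is a value change and should be a deliberate decision rather than a side effect of the reformat.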
@@ -1,16 +1,25 @@
 ---
 name: analyzing-azure-activity-logs-for-threats
-description: >
- Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to
- detect suspicious administrative operations, impossible travel, privilege escalation,
- and resource modifications. Builds KQL queries for threat hunting in Azure environments.
- Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
+description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative
+ operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in
+ Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
+
+ '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, azure, activity, logs]
-version: "1.0"
+tags:
+- analyzing
+- azure
+- activity
+- logs
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
 # Analyzing Azure Activity Logs for Threats
diff --git a/skills/analyzing-bootkit-and-rootkit-samples/SKILL.md b/skills/analyzing-bootkit-and-rootkit-samples/SKILL.md
index 1210f900..d8f381e3 100644
--- a/skills/analyzing-bootkit-and-rootkit-samples/SKILL.md
+++ b/skills/analyzing-bootkit-and-rootkit-samples/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: analyzing-bootkit-and-rootkit-samples
-description: >
- Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR),
- Volume Boot Record (VBR), or UEFI firmware to gain persistence below the operating system.
- Covers boot sector analysis, UEFI module inspection, and anti-rootkit detection techniques.
- Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
+description: 'Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Volume Boot Record
+ (VBR), or UEFI firmware to gain persistence below the operating system. Covers boot sector analysis, UEFI module inspection,
+ and anti-rootkit detection techniques. Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
 persistence analysis, or pre-OS malware detection.
+
+ '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, bootkit, rootkit, UEFI, MBR-analysis]
+tags:
+- malware
+- bootkit
+- rootkit
+- UEFI
+- MBR-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Bootkit and Rootkit Samples
diff --git a/skills/analyzing-browser-forensics-with-hindsight/SKILL.md b/skills/analyzing-browser-forensics-with-hindsight/SKILL.md
index c52d5f18..b6a94001 100644
--- a/skills/analyzing-browser-forensics-with-hindsight/SKILL.md
+++ b/skills/analyzing-browser-forensics-with-hindsight/SKILL.md
@@ -1,12 +1,28 @@
 ---
 name: analyzing-browser-forensics-with-hindsight
-description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
+description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached
+ content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [browser-forensics, hindsight, chrome-forensics, chromium, edge, browsing-history, cookies, downloads, cache, web-artifacts]
-version: "1.0"
+tags:
+- browser-forensics
+- hindsight
+- chrome-forensics
+- chromium
+- edge
+- browsing-history
+- cookies
+- downloads
+- cache
+- web-artifacts
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 # Analyzing Browser Forensics with Hindsight
diff --git a/skills/analyzing-campaign-attribution-evidence/SKILL.md b/skills/analyzing-campaign-attribution-evidence/SKILL.md
index a07b909c..da9756cf 100644
--- a/skills/analyzing-campaign-attribution-evidence/SKILL.md
+++ b/skills/analyzing-campaign-attribution-evidence/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: analyzing-campaign-attribution-evidence
-description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
+description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or
+ group is responsible for a cyber operation. This skill covers collecting and weighting attr
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, attribution, campaign-analysis]
-version: "1.0"
+tags:
+- threat-intelligence
+- cti
+- ioc
+- mitre-attack
+- stix
+- attribution
+- campaign-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Campaign Attribution Evidence
diff --git a/skills/analyzing-certificate-transparency-for-phishing/SKILL.md b/skills/analyzing-certificate-transparency-for-phishing/SKILL.md
index f99547bf..0ae31579 100644
--- a/skills/analyzing-certificate-transparency-for-phishing/SKILL.md
+++ b/skills/analyzing-certificate-transparency-for-phishing/SKILL.md
@@ -18,6 +18,11 @@ author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0052
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Certificate Transparency for Phishing
diff --git a/skills/analyzing-cloud-storage-access-patterns/SKILL.md b/skills/analyzing-cloud-storage-access-patterns/SKILL.md
index 7d5887f3..a6149876 100644
--- a/skills/analyzing-cloud-storage-access-patterns/SKILL.md
+++ b/skills/analyzing-cloud-storage-access-patterns/SKILL.md
@@ -20,6 +20,11 @@ nist_ai_rmf:
 - MEASURE-2.7
 - MAP-5.1
 - MANAGE-2.4
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
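Review bot: The rewrapped `description` in the analyzing-campaign-attribution-evidence hunk is still cut off mid-word — its new second line ends `group is responsible for a cyber operation. This skill covers collecting and weighting attr` — so the commit carries an already-truncated value forward instead of repairing it. The full sentence is not on this page; either restore it from the source text or end the value after `responsible for a cyber operation.` so the front matter does not ship a dangling fragment. This is the only hunk in the visible diff with a truncated description.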
diff --git a/skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md b/skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md
index eaca5812..ebc4c113 100644
--- a/skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md
+++ b/skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: analyzing-cobalt-strike-beacon-configuration
-description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, malleable profiles, and operator tradecraft.
+description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure,
+ malleable profiles, and operator tradecraft.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [cobalt-strike, beacon, c2, malware-analysis, config-extraction, threat-hunting, red-team-tools]
-version: "1.0"
+tags:
+- cobalt-strike
+- beacon
+- c2
+- malware-analysis
+- config-extraction
+- threat-hunting
+- red-team-tools
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Cobalt Strike Beacon Configuration
diff --git a/skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md b/skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md
index d7ffd222..31f10c07 100644
--- a/skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md
+++ b/skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: analyzing-cobaltstrike-malleable-c2-profiles
-description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.
+description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract
+ C2 indicators, detect evasion techniques, and generate network detection signatures.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [cobalt-strike, malleable-c2, c2-detection, beacon-analysis, network-signatures, threat-hunting, red-team-tools]
-version: "1.0"
+tags:
+- cobalt-strike
+- malleable-c2
+- c2-detection
+- beacon-analysis
+- network-signatures
+- threat-hunting
+- red-team-tools
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing CobaltStrike Malleable C2 Profiles
diff --git a/skills/analyzing-command-and-control-communication/SKILL.md b/skills/analyzing-command-and-control-communication/SKILL.md
index 3080ff1f..351cf7be 100644
--- a/skills/analyzing-command-and-control-communication/SKILL.md
+++ b/skills/analyzing-command-and-control-communication/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: analyzing-command-and-control-communication
-description: >
- Analyzes malware command-and-control (C2) communication protocols to understand beacon
- patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS,
- and custom protocol C2 analysis for detection development and threat intelligence.
- Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse
- engineering, or command-and-control infrastructure mapping.
+description: 'Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures,
+ data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and
+ threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or
+ command-and-control infrastructure mapping.
+
+ '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, C2, command-and-control, beacon, protocol-analysis]
+tags:
+- malware
+- C2
+- command-and-control
+- beacon
+- protocol-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Command-and-Control Communication
diff --git a/skills/analyzing-cyber-kill-chain/SKILL.md b/skills/analyzing-cyber-kill-chain/SKILL.md
index ecb2be77..a399df03 100644
--- a/skills/analyzing-cyber-kill-chain/SKILL.md
+++ b/skills/analyzing-cyber-kill-chain/SKILL.md
@@ -1,18 +1,29 @@
 ---
 name: analyzing-cyber-kill-chain
-description: >
- Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify
- which phases an adversary has completed, where defenses succeeded or failed, and what controls
- would have interrupted the attack at earlier phases. Use when conducting post-incident analysis,
- building prevention-focused security controls, or mapping detection gaps to kill chain phases.
- Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
+description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases
+ an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier
+ phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection
+ gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
 or Lockheed Martin kill chain framework.
+
+ '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [kill-chain, Lockheed-Martin, MITRE-ATT&CK, intrusion-analysis, defense-in-depth, NIST-CSF]
+tags:
+- kill-chain
+- Lockheed-Martin
+- MITRE-ATT&CK
+- intrusion-analysis
+- defense-in-depth
+- NIST-CSF
 version: 1.0.0
 author: team-cybersecurity
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Cyber Kill Chain
diff --git a/skills/analyzing-disk-image-with-autopsy/SKILL.md b/skills/analyzing-disk-image-with-autopsy/SKILL.md
index 0357fb55..56b6641d 100644
--- a/skills/analyzing-disk-image-with-autopsy/SKILL.md
+++ b/skills/analyzing-disk-image-with-autopsy/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: analyzing-disk-image-with-autopsy
-description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and build investigation timelines.
+description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and
+ build investigation timelines.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, autopsy, disk-analysis, sleuth-kit, file-recovery, artifact-analysis]
-version: "1.0"
+tags:
+- forensics
+- autopsy
+- disk-analysis
+- sleuth-kit
+- file-recovery
+- artifact-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 # Analyzing Disk Image with Autopsy
diff --git a/skills/analyzing-dns-logs-for-exfiltration/SKILL.md b/skills/analyzing-dns-logs-for-exfiltration/SKILL.md
index 9401224e..83a08910 100644
--- a/skills/analyzing-dns-logs-for-exfiltration/SKILL.md
+++ b/skills/analyzing-dns-logs-for-exfiltration/SKILL.md
@@ -23,6 +23,11 @@ atlas_techniques:
 - AML.T0024
 - AML.T0056
 - AML.T0086
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Analyzing DNS Logs for Exfiltration
diff --git a/skills/analyzing-docker-container-forensics/SKILL.md b/skills/analyzing-docker-container-forensics/SKILL.md
index f4dd4881..d76d9543 100644
--- a/skills/analyzing-docker-container-forensics/SKILL.md
+++ b/skills/analyzing-docker-container-forensics/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: analyzing-docker-container-forensics
-description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and evidence.
+description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to
+ identify malicious activity and evidence.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, docker, container-forensics, container-security, image-analysis, runtime-investigation]
-version: "1.0"
+tags:
+- forensics
+- docker
+- container-forensics
+- container-security
+- image-analysis
+- runtime-investigation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 # Analyzing Docker Container Forensics
diff --git a/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md b/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md
index dd8c0d10..32b98c2e 100644
--- a/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md
+++ b/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md
@@ -17,6 +17,11 @@ author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0052
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 # Analyzing Email Headers for Phishing Investigation
diff --git a/skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md b/skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md
index 0a05706e..a94a14ad 100644
--- a/skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md
+++ b/skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: analyzing-ethereum-smart-contract-vulnerabilities
-description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy, integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
+description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy,
+ integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
 domain: cybersecurity
 subdomain: blockchain-security
-tags: [ethereum, solidity, smart-contract, slither, mythril, blockchain, defi, audit]
-version: "1.0"
+tags:
+- ethereum
+- solidity
+- smart-contract
+- slither
+- mythril
+- blockchain
+- defi
+- audit
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- ID.RA-01
 ---
 # Analyzing Ethereum Smart Contract Vulnerabilities
diff --git a/skills/analyzing-golang-malware-with-ghidra/SKILL.md b/skills/analyzing-golang-malware-with-ghidra/SKILL.md
index 3a7ab420..99fb9892 100644
--- a/skills/analyzing-golang-malware-with-ghidra/SKILL.md
+++ b/skills/analyzing-golang-malware-with-ghidra/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: analyzing-golang-malware-with-ghidra
-description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries.
+description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction,
+ and type reconstruction in stripped Go binaries.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [golang, ghidra, reverse-engineering, malware-analysis, binary-analysis, go-malware, disassembly]
-version: "1.0"
+tags:
+- golang
+- ghidra
+- reverse-engineering
+- malware-analysis
+- binary-analysis
+- go-malware
+- disassembly
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Golang Malware with Ghidra
diff --git a/skills/analyzing-heap-spray-exploitation/SKILL.md b/skills/analyzing-heap-spray-exploitation/SKILL.md
index 409c9f57..5cc78234 100644
--- a/skills/analyzing-heap-spray-exploitation/SKILL.md
+++ b/skills/analyzing-heap-spray-exploitation/SKILL.md
@@ -1,12 +1,23 @@
 ---
 name: analyzing-heap-spray-exploitation
-description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large allocations in process virtual address space.
+description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns,
+ shellcode landing zones, and suspicious large allocations in process virtual address space.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware-analysis, memory-forensics, heap-spray, volatility3, exploit-analysis]
-version: "1.0"
+tags:
+- malware-analysis
+- memory-forensics
+- heap-spray
+- volatility3
+- exploit-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Heap Spray Exploitation
diff --git a/skills/analyzing-indicators-of-compromise/SKILL.md b/skills/analyzing-indicators-of-compromise/SKILL.md
index 74af2ad2..3539430f 100644
--- a/skills/analyzing-indicators-of-compromise/SKILL.md
+++ b/skills/analyzing-indicators-of-compromise/SKILL.md
@@ -22,6 +22,11 @@ author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0052
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Indicators of Compromise
diff --git a/skills/analyzing-ios-app-security-with-objection/SKILL.md b/skills/analyzing-ios-app-security-with-objection/SKILL.md
index b862b830..3dea359c 100644
--- a/skills/analyzing-ios-app-security-with-objection/SKILL.md
+++ b/skills/analyzing-ios-app-security-with-objection/SKILL.md
@@ -26,6 +26,11 @@ nist_ai_rmf:
 - MANAGE-2.4
 - GOVERN-6.2
 - MAP-5.1
+nist_csf:
+- PR.PS-01
+- PR.AA-05
+- ID.RA-01
+- DE.CM-09
 ---
 # Analyzing iOS App Security with Objection
diff --git a/skills/analyzing-kubernetes-audit-logs/SKILL.md b/skills/analyzing-kubernetes-audit-logs/SKILL.md
index e312067e..c8b26fa4 100644
--- a/skills/analyzing-kubernetes-audit-logs/SKILL.md
+++ b/skills/analyzing-kubernetes-audit-logs/SKILL.md
@@ -1,16 +1,25 @@
 ---
 name: analyzing-kubernetes-audit-logs
-description: >
- Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret
- access, RBAC modifications, privileged pod creation, and anonymous API access. Builds
- threat detection rules from audit event patterns. Use when investigating Kubernetes
- cluster compromise or building k8s-specific SIEM detection rules.
+description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications,
+ privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating
+ Kubernetes cluster compromise or building k8s-specific SIEM detection rules.
+
+ '
 domain: cybersecurity
 subdomain: container-security
-tags: [analyzing, kubernetes, audit, logs]
-version: "1.0"
+tags:
+- analyzing
+- kubernetes
+- audit
+- logs
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 # Analyzing Kubernetes Audit Logs
diff --git a/skills/analyzing-linux-audit-logs-for-intrusion/SKILL.md b/skills/analyzing-linux-audit-logs-for-intrusion/SKILL.md
index fe2d3b92..6fb404c9 100644
--- a/skills/analyzing-linux-audit-logs-for-intrusion/SKILL.md
+++ b/skills/analyzing-linux-audit-logs-for-intrusion/SKILL.md
@@ -1,18 +1,29 @@
 ---
 name: analyzing-linux-audit-logs-for-intrusion
-description: >
- Uses the Linux Audit framework (auditd) with ausearch and aureport utilities
- to detect intrusion attempts, unauthorized access, privilege escalation, and
- suspicious system activity. Covers audit rule configuration, log querying,
- timeline reconstruction, and integration with SIEM platforms. Activates for
- requests involving auditd analysis, Linux audit log investigation, ausearch
+description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized
+ access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction,
+ and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch
 queries, aureport summaries, or host-based intrusion detection on Linux.
+
+ '
 domain: cybersecurity
 subdomain: incident-response
-tags: [auditd, ausearch, aureport, linux-security, intrusion-detection, HIDS, forensics]
+tags:
+- auditd
+- ausearch
+- aureport
+- linux-security
+- intrusion-detection
+- HIDS
+- forensics
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 # Analyzing Linux Audit Logs for Intrusion
diff --git a/skills/analyzing-linux-elf-malware/SKILL.md b/skills/analyzing-linux-elf-malware/SKILL.md
index 603f0d66..66f0f45d 100644
--- a/skills/analyzing-linux-elf-malware/SKILL.md
+++ b/skills/analyzing-linux-elf-malware/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: analyzing-linux-elf-malware
-description: >
- Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets,
- cryptominers, ransomware, and rootkits targeting Linux servers, containers, and cloud
- infrastructure. Covers static analysis, dynamic tracing, and reverse engineering of
- x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis,
- ELF binary investigation, Linux server compromise assessment, or container malware analysis.
+description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, cryptominers, ransomware,
+ and rootkits targeting Linux servers, containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
+ reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis, ELF binary investigation,
+ Linux server compromise assessment, or container malware analysis.
+
+ '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, Linux, ELF, reverse-engineering, server-malware]
+tags:
+- malware
+- Linux
+- ELF
+- reverse-engineering
+- server-malware
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Linux ELF Malware
diff --git a/skills/analyzing-linux-kernel-rootkits/SKILL.md b/skills/analyzing-linux-kernel-rootkits/SKILL.md
index 799e67d6..6b893306 100644
--- a/skills/analyzing-linux-kernel-rootkits/SKILL.md
+++ b/skills/analyzing-linux-kernel-rootkits/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: analyzing-linux-kernel-rootkits
-description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures.
+description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules),
+ rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and
+ tampered system structures.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [rootkit, linux, kernel, volatility3, memory-forensics, malware-analysis, rkhunter, forensics]
-version: "1.0"
+tags:
+- rootkit
+- linux
+- kernel
+- volatility3
+- memory-forensics
+- malware-analysis
+- rkhunter
+- forensics
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 # Analyzing Linux Kernel Rootkits
diff --git a/skills/analyzing-linux-system-artifacts/SKILL.md b/skills/analyzing-linux-system-artifacts/SKILL.md
index fb21804f..1bff8d23 100644
--- a/skills/analyzing-linux-system-artifacts/SKILL.md
+++ b/skills/analyzing-linux-system-artifacts/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: analyzing-linux-system-artifacts
-description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.
+description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover
+ evidence of compromise or unauthorized activity.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, linux-forensics, system-artifacts, log-analysis, persistence-detection, incident-investigation]
-version: "1.0"
+tags:
+- forensics
+- linux-forensics
+- system-artifacts
+- log-analysis
+- persistence-detection
+- incident-investigation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 # Analyzing Linux System Artifacts
diff --git a/skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md b/skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md
index db35593e..aced390b 100644
--- a/skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md
+++ b/skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md
@@ -1,12 +1,28 @@ --- name: analyzing-lnk-file-and-jump-list-artifacts -description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format. +description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, + and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format. domain: cybersecurity subdomain: digital-forensics -tags: [lnk-files, jump-lists, lecmd, jlecmd, windows-forensics, shell-link, user-activity, file-access, program-execution, recent-files] -version: "1.0" +tags: +- lnk-files +- jump-lists +- lecmd +- jlecmd +- windows-forensics +- shell-link +- user-activity +- file-access +- program-execution +- recent-files +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- RS.AN-01 +- RS.AN-03 +- DE.AE-02 +- RS.MA-01 --- # Analyzing LNK File and Jump List Artifacts diff --git a/skills/analyzing-macro-malware-in-office-documents/SKILL.md b/skills/analyzing-macro-malware-in-office-documents/SKILL.md index e37b826e..0dd25e3b 100644 --- a/skills/analyzing-macro-malware-in-office-documents/SKILL.md +++ b/skills/analyzing-macro-malware-in-office-documents/SKILL.md @@ -26,6 +26,11 @@ d3fend_techniques: - Identifier Analysis - Content Format Conversion - Message Analysis +nist_csf: +- DE.AE-02 +- RS.AN-03 +- ID.RA-01 +- DE.CM-01 --- # Analyzing Macro Malware in Office Documents diff --git a/skills/analyzing-malicious-pdf-with-peepdf/SKILL.md b/skills/analyzing-malicious-pdf-with-peepdf/SKILL.md index 3eb4955a..ec9d087d 100644 --- a/skills/analyzing-malicious-pdf-with-peepdf/SKILL.md +++ b/skills/analyzing-malicious-pdf-with-peepdf/SKILL.md 
@@ -1,12 +1,26 @@ --- name: analyzing-malicious-pdf-with-peepdf -description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects. +description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, + shellcode, and suspicious objects. domain: cybersecurity subdomain: malware-analysis -tags: [malware-analysis, pdf, peepdf, pdfid, pdf-parser, static-analysis, reverse-engineering, dfir] -version: "1.0" +tags: +- malware-analysis +- pdf +- peepdf +- pdfid +- pdf-parser +- static-analysis +- reverse-engineering +- dfir +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- DE.AE-02 +- RS.AN-03 +- ID.RA-01 +- DE.CM-01 --- # Analyzing Malicious PDF with peepdf diff --git a/skills/analyzing-malicious-url-with-urlscan/SKILL.md b/skills/analyzing-malicious-url-with-urlscan/SKILL.md index 0f0f3452..22a27e5b 100644 --- a/skills/analyzing-malicious-url-with-urlscan/SKILL.md +++ b/skills/analyzing-malicious-url-with-urlscan/SKILL.md @@ -17,6 +17,11 @@ author: mahipal license: Apache-2.0 atlas_techniques: - AML.T0052 +nist_csf: +- PR.AT-01 +- DE.CM-09 +- RS.CO-02 +- DE.AE-02 --- # Analyzing Malicious URL with URLScan diff --git a/skills/analyzing-malware-behavior-with-cuckoo-sandbox/SKILL.md b/skills/analyzing-malware-behavior-with-cuckoo-sandbox/SKILL.md index fba0f175..243de4ca 100644 --- a/skills/analyzing-malware-behavior-with-cuckoo-sandbox/SKILL.md +++ b/skills/analyzing-malware-behavior-with-cuckoo-sandbox/SKILL.md 
@@ -1,17 +1,27 @@ --- name: analyzing-malware-behavior-with-cuckoo-sandbox -description: > - Executes malware samples in Cuckoo Sandbox to observe runtime behavior including - process creation, file system modifications, registry changes, network communications, - and API calls. Generates comprehensive behavioral reports for malware classification - and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox - detonation, behavioral analysis, or automated malware execution. +description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system + modifications, registry changes, network communications, and API calls. Generates comprehensive behavioral reports for malware + classification and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox detonation, behavioral + analysis, or automated malware execution. + + ' domain: cybersecurity subdomain: malware-analysis -tags: [malware, dynamic-analysis, sandbox, Cuckoo, behavioral-analysis] +tags: +- malware +- dynamic-analysis +- sandbox +- Cuckoo +- behavioral-analysis version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- DE.AE-02 +- RS.AN-03 +- ID.RA-01 +- DE.CM-01 --- # Analyzing Malware Behavior with Cuckoo Sandbox diff --git a/skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md b/skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md index e73479a2..91e72103 100644 --- a/skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md +++ b/skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md 
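Review bot: The rewritten `description` on the new side is a single-quoted scalar that ends with a blank line before the closing `'`, which encodes a trailing newline into the value; the original `>` block clipped to one newline, so this is a faithful but awkward round-trip, presumably produced by a YAML dumper rather than written by hand. A folded block `description: >-` holding the same sentences would keep the frontmatter readable and drop the trailing newline, unless some consumer of this field depends on it. The same quoted-with-blank-line form appears in the hunks for analyzing-memory-dumps-with-volatility, analyzing-memory-forensics-with-lime-and-volatility, analyzing-network-traffic-for-incidents, analyzing-network-traffic-of-malware, analyzing-network-traffic-with-wireshark, analyzing-packed-malware-with-upx-unpacker and analyzing-pdf-malware-with-pdfid.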
@@ -1,12 +1,26 @@ --- name: analyzing-malware-family-relationships-with-malpedia -description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families to threat actors, and integrate YARA rules for detection across malware lineages. +description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families + to threat actors, and integrate YARA rules for detection across malware lineages. domain: cybersecurity subdomain: threat-intelligence -tags: [malpedia, malware-family, yara, threat-actor, malware-tracking, threat-intelligence, variant-analysis, malware-intelligence] -version: "1.0" +tags: +- malpedia +- malware-family +- yara +- threat-actor +- malware-tracking +- threat-intelligence +- variant-analysis +- malware-intelligence +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- ID.RA-01 +- ID.RA-05 +- DE.CM-01 +- DE.AE-02 --- # Analyzing Malware Family Relationships with Malpedia diff --git a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md index 452abcfe..30a4e5cd 100644 --- a/skills/analyzing-malware-persistence-with-autoruns/SKILL.md +++ b/skills/analyzing-malware-persistence-with-autoruns/SKILL.md @@ -1,6 +1,10 @@ --- -{} ----tags: +name: analyzing-malware-persistence-with-autoruns +description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry + keys, scheduled tasks, services, drivers, and startup locations on Windows systems. +domain: cybersecurity +subdomain: malware-analysis +tags: - autoruns - persistence - malware-analysis 
@@ -9,4 +13,113 @@ - registry - startup - incident-response +mitre_attack: +- T1547 +- T1053 +- T1543 +- T1546 version: '1.0' +author: mahipal +license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis +nist_csf: +- DE.AE-02 +- RS.AN-03 +- ID.RA-01 +- DE.CM-01 +--- +# Analyzing Malware Persistence with Autoruns + +## Overview + +Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination. + + +## When to Use + +- When investigating security incidents that require analyzing malware persistence with autoruns +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Sysinternals Autoruns (GUI) and Autorunsc (CLI) +- Administrative privileges on target system +- Python 3.9+ for automated analysis +- VirusTotal API key for reputation checks +- Clean baseline export for comparison + +## Workflow + +### Step 1: Automated Persistence Scanning + +```python +#!/usr/bin/env python3 +"""Automate Autoruns-based persistence analysis.""" +import subprocess +import csv +import json +import sys + + +def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"): + cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-nobanner", "*"] + result = subprocess.run(cmd, capture_output=True, 
text=True, timeout=600) + with open(csv_path, 'w') as f: + f.write(result.stdout) + return parse_and_flag(csv_path) + + +def parse_and_flag(csv_path): + suspicious = [] + with open(csv_path, 'r', errors='replace') as f: + for row in csv.DictReader(f): + reasons = [] + signer = row.get("Signer", "") + if not signer or signer == "(Not verified)": + reasons.append("Unsigned binary") + if not row.get("Description") and not row.get("Company"): + reasons.append("Missing metadata") + path = row.get("Image Path", "").lower() + for sp in ["\temp\\", "\appdata\local\temp", "\users\public\\"]: + if sp in path: + reasons.append(f"Suspicious path") + launch = row.get("Launch String", "").lower() + for kw in ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]: + if kw in launch: + reasons.append(f"LOLBin: {kw}") + if reasons: + row["reasons"] = reasons + suspicious.append(row) + return suspicious + + +if __name__ == "__main__": + if len(sys.argv) > 1: + results = parse_and_flag(sys.argv[1]) + print(f"[!] {len(results)} suspicious entries") + for r in results: + print(f" {r.get('Entry','')} - {r.get('Image Path','')}") + for reason in r.get('reasons', []): + print(f" - {reason}") +``` + +## Validation Criteria + +- All ASEP categories scanned and cataloged +- Unsigned entries flagged for investigation +- Suspicious paths and LOLBin launch strings highlighted +- Baseline comparison identifies new persistence mechanisms + +## References + +- [Sysinternals Autoruns](https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns) +- [SANS - Offline Autoruns Revisited](https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/) +- [Hunting Malware with Autoruns](https://nasbench.medium.com/hunting-malware-with-windows-sysinternals-autoruns-19cbfe4103c2) +- [MITRE ATT&CK T1547 - Boot or Logon Autostart](https://attack.mitre.org/techniques/T1547/) 
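Review bot: The suspicious-path list in `parse_and_flag` uses non-raw strings with single backslashes, so `"\temp\\"` becomes a tab followed by `emp\`, `"\appdata\local\temp"` contains a bell character and a tab, and `"\users\public\\"` is a `\u` unicode escape with no hex digits, which is a SyntaxError that stops the whole script from loading; the line should read `for sp in ["\\temp\\", "\\appdata\\local\\temp", "\\users\\public\\"]:`. In `scan_and_analyze` the return code of autorunsc is never checked, so a run that fails (for example without administrative privileges) writes an empty CSV and reports "0 suspicious entries" as if the host were clean; adding `check=True` to the `subprocess.run` call, or testing `result.returncode` before writing the file, turns that into a visible failure. As a minor style point, `f"Suspicious path"` has no placeholders and can be a plain string, or better, include the matched fragment as `f"Suspicious path: {sp}"` so the report says why the entry was flagged.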
diff --git a/skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md b/skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md index 533c20d6..fcfc4527 100644 --- a/skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md +++ b/skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - Process Analysis - System Call Filtering - Restore Software +nist_csf: +- DE.AE-02 +- RS.AN-03 +- ID.RA-01 +- DE.CM-01 --- # Analyzing Malware Sandbox Evasion Techniques diff --git a/skills/analyzing-memory-dumps-with-volatility/SKILL.md b/skills/analyzing-memory-dumps-with-volatility/SKILL.md index 8681274a..0267aa22 100644 --- a/skills/analyzing-memory-dumps-with-volatility/SKILL.md +++ b/skills/analyzing-memory-dumps-with-volatility/SKILL.md 
@@ -1,18 +1,32 @@ --- name: analyzing-memory-dumps-with-volatility -description: > - Analyzes RAM memory dumps from compromised systems using the Volatility framework to - identify malicious processes, injected code, network connections, loaded modules, and - extracted credentials. Supports Windows, Linux, and macOS memory forensics. Activates - for requests involving memory forensics, RAM analysis, volatile data examination, - process injection detection, or memory-resident malware investigation. +description: 'Analyzes RAM memory dumps from compromised systems using the Volatility framework to identify malicious processes, + injected code, network connections, loaded modules, and extracted credentials. Supports Windows, Linux, and macOS memory + forensics. Activates for requests involving memory forensics, RAM analysis, volatile data examination, process injection + detection, or memory-resident malware investigation. + + ' domain: cybersecurity subdomain: malware-analysis -tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response] -mitre_attack: ["T1055", "T1003", "T1059", "T1620"] +tags: +- malware +- memory-forensics +- Volatility +- RAM-analysis +- incident-response +mitre_attack: +- T1055 +- T1003 +- T1059 +- T1620 version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- DE.AE-02 +- RS.AN-03 +- ID.RA-01 +- DE.CM-01 --- # Analyzing Memory Dumps with Volatility diff --git a/skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md b/skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md index 8a903203..a4d7a2db 100644 --- a/skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md +++ b/skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md 
@@ -1,16 +1,25 @@ --- name: analyzing-memory-forensics-with-lime-and-volatility -description: > - Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module - and analysis with Volatility 3 framework. Extracts process lists, network connections, - bash history, loaded kernel modules, and injected code from Linux memory images. - Use when performing incident response on compromised Linux systems. +description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility + 3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux + memory images. Use when performing incident response on compromised Linux systems. + + ' domain: cybersecurity subdomain: security-operations -tags: [analyzing, memory, forensics, with] -version: "1.0" +tags: +- analyzing +- memory +- forensics +- with +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- DE.CM-01 +- RS.MA-01 +- GV.OV-01 +- DE.AE-02 --- # Analyzing Memory Forensics with LiME and Volatility diff --git a/skills/analyzing-mft-for-deleted-file-recovery/SKILL.md b/skills/analyzing-mft-for-deleted-file-recovery/SKILL.md index 99b595b5..77b527e6 100644 --- a/skills/analyzing-mft-for-deleted-file-recovery/SKILL.md +++ b/skills/analyzing-mft-for-deleted-file-recovery/SKILL.md 
@@ -1,12 +1,28 @@ --- name: analyzing-mft-for-deleted-file-recovery -description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics. +description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record + entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics. domain: cybersecurity subdomain: digital-forensics -tags: [mft, ntfs, deleted-files, file-recovery, mftecmd, usn-journal, logfile, mft-slack-space, file-system-forensics, dfir] -version: "1.0" +tags: +- mft +- ntfs +- deleted-files +- file-recovery +- mftecmd +- usn-journal +- logfile +- mft-slack-space +- file-system-forensics +- dfir +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- RS.AN-01 +- RS.AN-03 +- DE.AE-02 +- RS.MA-01 --- # Analyzing MFT for Deleted File Recovery diff --git a/skills/analyzing-network-covert-channels-in-malware/SKILL.md b/skills/analyzing-network-covert-channels-in-malware/SKILL.md index c32d3bcd..e4fb5204 100644 --- a/skills/analyzing-network-covert-channels-in-malware/SKILL.md +++ b/skills/analyzing-network-covert-channels-in-malware/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - Application Protocol Command Analysis - Content Format Conversion - File Content Analysis +nist_csf: +- DE.AE-02 +- RS.AN-03 +- ID.RA-01 +- DE.CM-01 --- # Analyzing Network Covert Channels in Malware diff --git a/skills/analyzing-network-flow-data-with-netflow/SKILL.md b/skills/analyzing-network-flow-data-with-netflow/SKILL.md index eec7867d..3a1ca033 100644 --- a/skills/analyzing-network-flow-data-with-netflow/SKILL.md +++ b/skills/analyzing-network-flow-data-with-netflow/SKILL.md 
@@ -1,16 +1,23 @@ --- name: analyzing-network-flow-data-with-netflow -description: >- - Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data - exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow - records, builds traffic baselines, and applies statistical analysis to identify flows - with abnormal byte counts, connection durations, and periodic timing patterns. +description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing + patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis + to identify flows with abnormal byte counts, connection durations, and periodic timing patterns. domain: cybersecurity subdomain: network-security -tags: [analyzing, network, flow, data] -version: "1.0" +tags: +- analyzing +- network +- flow +- data +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- DE.CM-01 +- ID.AM-03 +- PR.DS-02 --- diff --git a/skills/analyzing-network-packets-with-scapy/SKILL.md b/skills/analyzing-network-packets-with-scapy/SKILL.md index 583247fb..c3c40999 100644 --- a/skills/analyzing-network-packets-with-scapy/SKILL.md +++ b/skills/analyzing-network-packets-with-scapy/SKILL.md 
@@ -1,18 +1,24 @@ --- name: analyzing-network-packets-with-scapy -description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and traffic anomaly detection in authorized security testing +description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and + traffic anomaly detection in authorized security testing domain: cybersecurity subdomain: network-security tags: - - scapy - - packet-analysis - - network-forensics - - protocol-dissection - - pcap - - traffic-analysis -version: "1.0" +- scapy +- packet-analysis +- network-forensics +- protocol-dissection +- pcap +- traffic-analysis +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- DE.CM-01 +- ID.AM-03 +- PR.DS-02 --- # Analyzing Network Packets with Scapy diff --git a/skills/analyzing-network-traffic-for-incidents/SKILL.md b/skills/analyzing-network-traffic-for-incidents/SKILL.md index e05cdf4e..feb9845c 100644 --- a/skills/analyzing-network-traffic-for-incidents/SKILL.md +++ b/skills/analyzing-network-traffic-for-incidents/SKILL.md 
@@ -1,19 +1,32 @@ --- name: analyzing-network-traffic-for-incidents -description: > - Analyzes network traffic captures and flow data to identify adversary activity during - security incidents, including command-and-control communications, lateral movement, - data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow - analysis techniques. Activates for requests involving network traffic analysis, - packet capture investigation, PCAP analysis, network forensics, C2 traffic detection, - or exfiltration detection. +description: 'Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including + command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, + and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation, + PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection. + + ' domain: cybersecurity subdomain: incident-response -tags: [network-forensics, PCAP-analysis, Wireshark, Zeek, traffic-analysis] -mitre_attack: ["T1071", "T1095", "T1573", "T1572"] +tags: +- network-forensics +- PCAP-analysis +- Wireshark +- Zeek +- traffic-analysis +mitre_attack: +- T1071 +- T1095 +- T1573 +- T1572 version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- RS.MA-01 +- RS.MA-02 +- RS.AN-03 +- RC.RP-01 --- # Analyzing Network Traffic for Incidents diff --git a/skills/analyzing-network-traffic-of-malware/SKILL.md b/skills/analyzing-network-traffic-of-malware/SKILL.md index e4fe6f46..eb8838b6 100644 --- a/skills/analyzing-network-traffic-of-malware/SKILL.md +++ b/skills/analyzing-network-traffic-of-malware/SKILL.md 
@@ -1,17 +1,27 @@ --- name: analyzing-network-traffic-of-malware -description: > - Analyzes network traffic generated by malware during sandbox execution or live incident - response to identify C2 protocols, data exfiltration channels, payload downloads, and - lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests - involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or - network-based malware detection. +description: 'Analyzes network traffic generated by malware during sandbox execution or live incident response to identify + C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. + Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based + malware detection. + + ' domain: cybersecurity subdomain: malware-analysis -tags: [malware, network-analysis, PCAP, Wireshark, C2-detection] +tags: +- malware +- network-analysis +- PCAP +- Wireshark +- C2-detection version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- DE.AE-02 +- RS.AN-03 +- ID.RA-01 +- DE.CM-01 --- # Analyzing Network Traffic of Malware diff --git a/skills/analyzing-network-traffic-with-wireshark/SKILL.md b/skills/analyzing-network-traffic-with-wireshark/SKILL.md index 50176825..4d5f3590 100644 --- a/skills/analyzing-network-traffic-with-wireshark/SKILL.md +++ b/skills/analyzing-network-traffic-with-wireshark/SKILL.md 
@@ -1,15 +1,25 @@ --- name: analyzing-network-traffic-with-wireshark -description: > - Captures and analyzes network packet data using Wireshark and tshark to identify - malicious traffic patterns, diagnose protocol issues, extract artifacts, and - support incident response investigations on authorized network segments. +description: 'Captures and analyzes network packet data using Wireshark and tshark to identify malicious traffic patterns, + diagnose protocol issues, extract artifacts, and support incident response investigations on authorized network segments. + + ' domain: cybersecurity subdomain: network-security -tags: [network-security, wireshark, packet-analysis, traffic-analysis, pcap] -version: "1.0" +tags: +- network-security +- wireshark +- packet-analysis +- traffic-analysis +- pcap +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- DE.CM-01 +- ID.AM-03 +- PR.DS-02 --- # Analyzing Network Traffic with Wireshark diff --git a/skills/analyzing-office365-audit-logs-for-compromise/SKILL.md b/skills/analyzing-office365-audit-logs-for-compromise/SKILL.md index 156546ce..a57ecc26 100644 --- a/skills/analyzing-office365-audit-logs-for-compromise/SKILL.md +++ b/skills/analyzing-office365-audit-logs-for-compromise/SKILL.md 
@@ -1,12 +1,25 @@ --- name: analyzing-office365-audit-logs-for-compromise -description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and other indicators of account compromise. +description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation, + suspicious OAuth app grants, and other indicators of account compromise. domain: cybersecurity subdomain: cloud-security -tags: [Office365, Microsoft-Graph, audit-logs, email-compromise, inbox-rules, OAuth, BEC] -version: "1.0" +tags: +- Office365 +- Microsoft-Graph +- audit-logs +- email-compromise +- inbox-rules +- OAuth +- BEC +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- ID.AM-08 +- GV.SC-06 +- DE.CM-01 --- # Analyzing Office 365 Audit Logs for Compromise diff --git a/skills/analyzing-outlook-pst-for-email-forensics/SKILL.md b/skills/analyzing-outlook-pst-for-email-forensics/SKILL.md index fad21aeb..9b734054 100644 --- a/skills/analyzing-outlook-pst-for-email-forensics/SKILL.md +++ b/skills/analyzing-outlook-pst-for-email-forensics/SKILL.md @@ -23,6 +23,11 @@ nist_ai_rmf: - MANAGE-2.4 - MANAGE-3.1 - MEASURE-3.1 +nist_csf: +- RS.AN-01 +- RS.AN-03 +- DE.AE-02 +- RS.MA-01 --- # Analyzing Outlook PST for Email Forensics diff --git a/skills/analyzing-packed-malware-with-upx-unpacker/SKILL.md b/skills/analyzing-packed-malware-with-upx-unpacker/SKILL.md index 7b8eaaac..3ac87bab 100644 --- a/skills/analyzing-packed-malware-with-upx-unpacker/SKILL.md +++ b/skills/analyzing-packed-malware-with-upx-unpacker/SKILL.md 
@@ -1,16 +1,26 @@ --- name: analyzing-packed-malware-with-upx-unpacker -description: > - Identifies and unpacks UPX-packed and other packed malware samples to expose the original - executable code for static analysis. Covers both standard UPX unpacking and handling - modified UPX headers that prevent automated decompression. Activates for requests involving - malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis. +description: 'Identifies and unpacks UPX-packed and other packed malware samples to expose the original executable code for + static analysis. Covers both standard UPX unpacking and handling modified UPX headers that prevent automated decompression. + Activates for requests involving malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis. + + ' domain: cybersecurity subdomain: malware-analysis -tags: [malware, unpacking, UPX, packing, static-analysis] +tags: +- malware +- unpacking +- UPX +- packing +- static-analysis version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- DE.AE-02 +- RS.AN-03 +- ID.RA-01 +- DE.CM-01 --- # Analyzing Packed Malware with UPX Unpacker diff --git a/skills/analyzing-pdf-malware-with-pdfid/SKILL.md b/skills/analyzing-pdf-malware-with-pdfid/SKILL.md index 69f23776..8335d56a 100644 --- a/skills/analyzing-pdf-malware-with-pdfid/SKILL.md +++ b/skills/analyzing-pdf-malware-with-pdfid/SKILL.md 
@@ -1,17 +1,27 @@ --- name: analyzing-pdf-malware-with-pdfid -description: > - Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded - JavaScript, shellcode, exploits, and suspicious objects without opening the document. - Determines the attack vector and extracts embedded payloads for further analysis. - Activates for requests involving PDF malware analysis, malicious document analysis, - PDF exploit investigation, or suspicious attachment triage. +description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode, + exploits, and suspicious objects without opening the document. Determines the attack vector and extracts embedded payloads + for further analysis. Activates for requests involving PDF malware analysis, malicious document analysis, PDF exploit investigation, + or suspicious attachment triage. + + ' domain: cybersecurity subdomain: malware-analysis -tags: [malware, PDF-analysis, document-malware, PDFiD, static-analysis] +tags: +- malware +- PDF-analysis +- document-malware +- PDFiD +- static-analysis version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- DE.AE-02 +- RS.AN-03 +- ID.RA-01 +- DE.CM-01 --- # Analyzing PDF Malware with PDFiD diff --git a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md index d87b34e0..25c4439e 100644 --- a/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md +++ b/skills/analyzing-persistence-mechanisms-in-linux/SKILL.md @@ -1,6 +1,10 @@ --- -{} ----tags: +name: analyzing-persistence-mechanisms-in-linux +description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD + hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring +domain: cybersecurity +subdomain: threat-hunting +tags: - linux-persistence - crontab - systemd 
@@ -8,4 +12,61 @@ - auditd - threat-hunting - incident-response +mitre_attack: +- T1053.003 +- T1543.002 +- T1574.006 +- T1546.004 version: '1.0' +author: mahipal +license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Process Termination +- Content Format Conversion +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 +--- + +# Analyzing Persistence Mechanisms in Linux + +## Overview + +Adversaries establish persistence on Linux systems through crontab jobs, systemd service/timer units, LD_PRELOAD library injection, shell profile modifications (.bashrc, .profile), SSH authorized_keys backdoors, and init script manipulation. This skill scans for all known persistence vectors, checks file timestamps and integrity, and correlates findings with auditd logs to build a timeline of persistence installation. + + +## When to Use + +- When investigating security incidents that require analyzing persistence mechanisms in linux +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Root or sudo access on target Linux system (or forensic image) +- auditd configured with file watch rules on persistence paths +- Python 3.8+ with standard library (os, subprocess, json) +- Optional: OSSEC/Wazuh agent for file integrity monitoring alerts + +## Steps + +1. **Scan Crontab Entries** — Enumerate all user crontabs, /etc/cron.d/, /etc/cron.daily/, and anacron jobs for suspicious commands +2. **Audit Systemd Units** — Check /etc/systemd/system/ and ~/.config/systemd/user/ for non-package-managed service and timer units +3. **Detect LD_PRELOAD Hijacking** — Check /etc/ld.so.preload and LD_PRELOAD environment variable for injected shared libraries +4. 
**Inspect Shell Profiles** — Scan .bashrc, .bash_profile, .profile, /etc/profile.d/ for injected commands or reverse shells +5. **Check SSH Authorized Keys** — Audit all authorized_keys files for unauthorized public keys with command restrictions +6. **Correlate Auditd Logs** — Search auditd logs for file modification events on persistence paths to build an installation timeline +7. **Generate Persistence Report** — Produce a risk-scored report of all discovered persistence mechanisms + +## Expected Output + +- JSON report of all persistence mechanisms found with risk scores +- Timeline of persistence installation from auditd correlation +- MITRE ATT&CK technique mapping (T1053, T1543, T1574, T1546) +- Remediation commands for each detected persistence mechanism diff --git a/skills/analyzing-powershell-empire-artifacts/SKILL.md b/skills/analyzing-powershell-empire-artifacts/SKILL.md index b202e6a8..d9011ae1 100644 --- a/skills/analyzing-powershell-empire-artifacts/SKILL.md +++ b/skills/analyzing-powershell-empire-artifacts/SKILL.md @@ -27,6 +27,11 @@ nist_ai_rmf: - GOVERN-1.1 - MEASURE-2.7 - MANAGE-3.1 +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Analyzing PowerShell Empire Artifacts diff --git a/skills/analyzing-powershell-script-block-logging/SKILL.md b/skills/analyzing-powershell-script-block-logging/SKILL.md index 62b31a31..97e87827 100644 --- a/skills/analyzing-powershell-script-block-logging/SKILL.md +++ b/skills/analyzing-powershell-script-block-logging/SKILL.md 
@@ -1,16 +1,23 @@ --- name: analyzing-powershell-script-block-logging -description: >- - Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated - commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and - reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded - commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts. +description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded + payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy + analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts. domain: cybersecurity subdomain: security-operations -tags: [analyzing, powershell, script, block] -version: "1.0" +tags: +- analyzing +- powershell +- script +- block +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- DE.CM-01 +- RS.MA-01 +- GV.OV-01 +- DE.AE-02 --- diff --git a/skills/analyzing-prefetch-files-for-execution-history/SKILL.md b/skills/analyzing-prefetch-files-for-execution-history/SKILL.md index dc517784..598b18c5 100644 --- a/skills/analyzing-prefetch-files-for-execution-history/SKILL.md +++ b/skills/analyzing-prefetch-files-for-execution-history/SKILL.md 
@@ -1,12 +1,24 @@
 ---
 name: analyzing-prefetch-files-for-execution-history
-description: Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced files for forensic investigation.
+description: Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced
+  files for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, prefetch, windows-artifacts, execution-history, timeline-analysis, evidence-collection]
-version: "1.0"
+tags:
+- forensics
+- prefetch
+- windows-artifacts
+- execution-history
+- timeline-analysis
+- evidence-collection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 
 # Analyzing Prefetch Files for Execution History
diff --git a/skills/analyzing-ransomware-encryption-mechanisms/SKILL.md b/skills/analyzing-ransomware-encryption-mechanisms/SKILL.md
index 32eaf2ba..065662ea 100644
--- a/skills/analyzing-ransomware-encryption-mechanisms/SKILL.md
+++ b/skills/analyzing-ransomware-encryption-mechanisms/SKILL.md
@@ -1,17 +1,27 @@ --- name: analyzing-ransomware-encryption-mechanisms -description: > - Analyzes encryption algorithms, key management, and file encryption routines used by - ransomware families to assess decryption feasibility, identify implementation weaknesses, - and support recovery efforts. Covers AES, RSA, ChaCha20, and hybrid encryption schemes. - Activates for requests involving ransomware cryptanalysis, encryption analysis, key - recovery assessment, or ransomware decryption feasibility. +description: 'Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to + assess decryption feasibility, identify implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20, + and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery + assessment, or ransomware decryption feasibility. + + ' domain: cybersecurity subdomain: malware-analysis -tags: [malware, ransomware, encryption, cryptanalysis, reverse-engineering] +tags: +- malware +- ransomware +- encryption +- cryptanalysis +- reverse-engineering version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- DE.AE-02 +- RS.AN-03 +- ID.RA-01 +- DE.CM-01 --- # Analyzing Ransomware Encryption Mechanisms diff --git a/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md b/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md index 004227b0..48c14a20 100644 --- a/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md +++ b/skills/analyzing-ransomware-leak-site-intelligence/SKILL.md 
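Review bot: The rewritten `description` is a single-quoted scalar that ends with a blank line followed by a line holding only `'`, so the value keeps a trailing newline — the same value the old `>` block produced, but now it reads like an accident and every consumer of the frontmatter will see `"...decryption feasibility.\n"`. If nothing relies on that trailing newline, `description: >-` with the folded text indented beneath it yields the same one-line value without the dangling quote; the same `'...\n\n  '` shape appears in the other single-quoted descriptions in this commit. This looks like the output of a YAML dumper rather than hand editing, so stripping the trailing newline before re-serializing is probably the cheaper fix than touching each file.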
@@ -1,12 +1,26 @@
 ---
 name: analyzing-ransomware-leak-site-intelligence
-description: Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence on group tactics, and assess sector-specific ransomware risk for proactive defense.
+description: Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence
+  on group tactics, and assess sector-specific ransomware risk for proactive defense.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [ransomware, leak-site, data-leak, extortion, threat-intelligence, monitoring, dls, victim-tracking]
-version: "1.0"
+tags:
+- ransomware
+- leak-site
+- data-leak
+- extortion
+- threat-intelligence
+- monitoring
+- dls
+- victim-tracking
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Analyzing Ransomware Leak Site Intelligence
diff --git a/skills/analyzing-ransomware-network-indicators/SKILL.md b/skills/analyzing-ransomware-network-indicators/SKILL.md
index 2ec5a291..7bb600ea 100644
--- a/skills/analyzing-ransomware-network-indicators/SKILL.md
+++ b/skills/analyzing-ransomware-network-indicators/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - Application Protocol Command Analysis
 - Content Format Conversion
 - File Content Analysis
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---
 
 # Analyzing Ransomware Network Indicators
diff --git a/skills/analyzing-ransomware-payment-wallets/SKILL.md b/skills/analyzing-ransomware-payment-wallets/SKILL.md
index 9a9f4f03..eace7d62 100644
--- a/skills/analyzing-ransomware-payment-wallets/SKILL.md
+++ b/skills/analyzing-ransomware-payment-wallets/SKILL.md
@@ -1,18 +1,28 @@ --- name: analyzing-ransomware-payment-wallets -description: > - Traces ransomware cryptocurrency payment flows using blockchain analysis tools - such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies - wallet clusters, tracks fund movement through mixers and exchanges, and supports - law enforcement attribution. Activates for requests involving ransomware payment - tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain - intelligence gathering. +description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor, + WalletExplorer, and blockchain.com APIs. Identifies wallet clusters, tracks fund movement through mixers and exchanges, + and supports law enforcement attribution. Activates for requests involving ransomware payment tracing, bitcoin wallet analysis, + cryptocurrency forensics, or blockchain intelligence gathering. + + ' domain: cybersecurity subdomain: ransomware-defense -tags: [ransomware, blockchain, cryptocurrency, forensics, threat-intelligence, bitcoin] +tags: +- ransomware +- blockchain +- cryptocurrency +- forensics +- threat-intelligence +- bitcoin version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- PR.DS-11 +- RS.MA-01 +- RC.RP-01 +- PR.IR-01 --- # Analyzing Ransomware Payment Wallets diff --git a/skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md b/skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md index 08e7a681..9f76c210 100644 --- a/skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md +++ b/skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md @@ -31,6 +31,11 @@ nist_ai_rmf: - MANAGE-2.2 - GOVERN-1.1 - GOVERN-4.2 +nist_csf: +- GV.SC-01 +- GV.SC-03 +- GV.SC-06 +- GV.SC-07 --- # Analyzing SBOM for Supply Chain Vulnerabilities 
diff --git a/skills/analyzing-security-logs-with-splunk/SKILL.md b/skills/analyzing-security-logs-with-splunk/SKILL.md
index 8c2ec7c5..f96f5291 100644
--- a/skills/analyzing-security-logs-with-splunk/SKILL.md
+++ b/skills/analyzing-security-logs-with-splunk/SKILL.md
@@ -1,8 +1,267 @@ --- -{} ----tags: +name: analyzing-security-logs-with-splunk +description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents + through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy + logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis, + security event correlation, or log-based incident investigation. + + ' +domain: cybersecurity +subdomain: incident-response +tags: - splunk - SPL - SIEM - log-analysis - security-monitoring +mitre_attack: +- T1070 +- T1562 +- T1059 +version: 1.0.0 +author: mahipal +license: Apache-2.0 +atlas_techniques: +- AML.T0070 +- AML.T0066 +- AML.T0082 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis +nist_ai_rmf: +- MEASURE-2.7 +- MAP-5.1 +- MANAGE-2.4 +- MANAGE-3.1 +- MEASURE-3.1 +nist_csf: +- RS.MA-01 +- RS.MA-02 +- RS.AN-03 +- RC.RP-01 +--- + +# Analyzing Security Logs with Splunk + +## When to Use + +- Investigating a security incident that requires correlation across multiple log sources +- Hunting for adversary activity using known TTPs and IOCs +- Building detection rules for specific attack patterns +- Reconstructing an incident timeline from disparate log sources +- Analyzing authentication anomalies, lateral movement, or data exfiltration patterns + +**Do not use** for real-time packet-level analysis; use Wireshark or Zeek for full packet capture analysis. 
+ +## Prerequisites + +- Splunk Enterprise or Splunk Cloud with Enterprise Security (ES) app installed +- Log sources ingested: Windows Event Logs (via Splunk Universal Forwarder or WEF), firewall, proxy, DNS, EDR, email gateway +- Splunk CIM (Common Information Model) data models configured for normalized field names +- SPL proficiency at intermediate level or higher +- Role-based access with `search` and `accelerate_search` capabilities in Splunk + +## Workflow + +### Step 1: Scope the Investigation in Splunk + +Define search parameters based on incident triage data: + +```spl +| Set initial investigation scope +index=windows OR index=firewall OR index=proxy + earliest="2025-11-14T00:00:00" latest="2025-11-16T00:00:00" + (host="WKSTN-042" OR src_ip="10.1.5.42" OR user="jsmith") +| stats count by index, sourcetype, host +| sort -count +``` + +This query establishes which log sources contain relevant data for the investigation timeframe and affected assets. + +### Step 2: Analyze Authentication Events + +Investigate suspicious authentication patterns using Windows Security Event Logs: + +```spl +| Detect brute force and credential stuffing +index=windows sourcetype="WinEventLog:Security" EventCode=4625 + earliest=-24h +| stats count as failed_attempts, values(src_ip) as source_ips, + dc(src_ip) as unique_sources by TargetUserName +| where failed_attempts > 10 +| sort -failed_attempts + +| Detect pass-the-hash (Logon Type 9 - NewCredentials) +index=windows sourcetype="WinEventLog:Security" EventCode=4624 + Logon_Type=9 +| table _time, host, TargetUserName, src_ip, LogonProcessName + +| Detect lateral movement via RDP +index=windows sourcetype="WinEventLog:Security" EventCode=4624 + Logon_Type=10 +| stats count, values(host) as targets by TargetUserName, src_ip +| where count > 3 +| sort -count +``` + +### Step 3: Trace Process Execution + +Use Sysmon logs to reconstruct process execution chains: + +```spl +| Process creation with parent chain (Sysmon Event ID 1) 
+index=sysmon EventCode=1 host="WKSTN-042" + earliest="2025-11-15T14:00:00" latest="2025-11-15T15:00:00" +| table _time, ParentImage, ParentCommandLine, Image, CommandLine, User, Hashes +| sort _time + +| Detect suspicious PowerShell execution +index=sysmon EventCode=1 Image="*\\powershell.exe" + (CommandLine="*-enc*" OR CommandLine="*-encodedcommand*" + OR CommandLine="*downloadstring*" OR CommandLine="*iex*") +| table _time, host, User, ParentImage, CommandLine +| sort _time + +| Detect LSASS credential dumping +index=sysmon EventCode=10 TargetImage="*\\lsass.exe" + GrantedAccess=0x1010 +| table _time, host, SourceImage, SourceUser, GrantedAccess +``` + +### Step 4: Analyze Network Activity + +Correlate network logs with endpoint events: + +```spl +| Detect C2 beaconing pattern +index=proxy OR index=firewall dest_ip="185.220.101.42" +| timechart span=1m count by src_ip +| where count > 0 + +| Detect DNS tunneling (high query volume to single domain) +index=dns +| rex field=query "(?[^\.]+)\.(?[^\.]+\.[^\.]+)$" +| stats count, avg(len(query)) as avg_query_len by domain, src_ip +| where count > 500 AND avg_query_len > 40 +| sort -count + +| Detect large data transfers (potential exfiltration) +index=proxy action=allowed +| stats sum(bytes_out) as total_bytes by src_ip, dest_ip, dest_host +| eval total_MB=round(total_bytes/1024/1024,2) +| where total_MB > 100 +| sort -total_MB +``` + +### Step 5: Build the Incident Timeline + +Reconstruct a unified timeline across all log sources: + +```spl +| Unified incident timeline +index=windows OR index=sysmon OR index=proxy OR index=firewall + (host="WKSTN-042" OR src_ip="10.1.5.42" OR user="jsmith") + earliest="2025-11-15T14:00:00" latest="2025-11-15T16:00:00" +| eval event_summary=case( + sourcetype=="WinEventLog:Security" AND EventCode==4624, "Logon: ".TargetUserName." 
from ".src_ip, + sourcetype=="WinEventLog:Security" AND EventCode==4625, "Failed logon: ".TargetUserName, + sourcetype=="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode==1, + "Process: ".Image." by ".User, + sourcetype=="proxy", "Web: ".http_method." ".url, + 1==1, sourcetype.": ".EventCode) +| table _time, sourcetype, host, event_summary +| sort _time +``` + +### Step 6: Create Detection Rules + +Convert investigation findings into persistent Splunk correlation searches: + +```spl +| Correlation search: PowerShell spawned by Office applications +index=sysmon EventCode=1 + Image="*\\powershell.exe" + (ParentImage="*\\winword.exe" OR ParentImage="*\\excel.exe" + OR ParentImage="*\\outlook.exe") +| eval severity="high" +| eval mitre_technique="T1059.001" +| collect index=notable_events +``` + +## Key Concepts + +| Term | Definition | +|------|------------| +| **SPL (Search Processing Language)** | Splunk's query language for searching, filtering, transforming, and visualizing machine data | +| **CIM (Common Information Model)** | Splunk's field normalization standard that maps vendor-specific field names to common names for cross-source queries | +| **Notable Event** | An event in Splunk Enterprise Security flagged for analyst review based on a correlation search match | +| **Data Model** | Structured representation of indexed data in Splunk enabling accelerated searches and pivot-based analysis | +| **Sourcetype** | Classification label in Splunk that defines the format and parsing rules for a specific log type | +| **Correlation Search** | Scheduled Splunk search that runs continuously and generates notable events when conditions are met | +| **Timechart** | SPL command that creates time-series visualizations for identifying patterns, anomalies, and trends | + +## Tools & Systems + +- **Splunk Enterprise Security (ES)**: Premium SIEM application providing correlation searches, risk-based alerting, and investigation workbench +- **Splunk SOAR**: 
Orchestration platform integrated with Splunk ES for automated response playbooks +- **Sysmon**: Microsoft system monitoring tool providing detailed process, network, and file change telemetry ingested into Splunk +- **Splunk Attack Analyzer**: Automated threat analysis that detonates suspicious files and URLs, feeding results into Splunk +- **BOSS of the SOC (BOTS)**: SANS/Splunk training dataset for practicing incident investigation SPL queries + +## Common Scenarios + +### Scenario: Investigating Credential Stuffing Leading to Account Takeover + +**Context**: Security operations receives an alert for multiple successful logins to a single account from geographically dispersed IP addresses within a 30-minute window. + +**Approach**: +1. Query Event ID 4624 for the affected account to map all login sources and times +2. Correlate login IPs against threat intelligence feeds using a Splunk lookup table +3. Check proxy logs for suspicious activity from the authenticated sessions +4. Search for lateral movement from the compromised account (Event ID 4624 Type 3 to other hosts) +5. Build a timeline showing credential stuffing attempts, successful login, and post-compromise activity +6. Create a correlation search to detect similar patterns on other accounts + +**Pitfalls**: +- Searching only the last 24 hours when the credential stuffing may have occurred over weeks +- Not checking for VPN logs that may show the same account authenticating from impossible travel distances +- Failing to normalize timestamps across log sources in different time zones + +## Output Format + +``` +SPLUNK INVESTIGATION REPORT +============================ +Incident: INC-2025-1547 +Analyst: [Name] +Investigation Period: 2025-11-14 00:00 UTC - 2025-11-16 00:00 UTC + +SEARCH SCOPE +Indexes: windows, sysmon, proxy, firewall, dns +Hosts: WKSTN-042, SRV-FILE01 +Users: jsmith, svc-backup +Source IPs: 10.1.5.42, 10.1.10.15 + +KEY FINDINGS +1. 
[timestamp] - Initial compromise via phishing (Sysmon Event 1) +2. [timestamp] - C2 established (proxy logs, beacon pattern detected) +3. [timestamp] - Credential theft (Sysmon Event 10, LSASS access) +4. [timestamp] - Lateral movement to SRV-FILE01 (Event 4624 Type 3) +5. [timestamp] - Data staging and exfiltration (proxy bytes_out anomaly) + +SPL QUERIES USED +[numbered list of key queries with descriptions] + +DETECTION GAPS IDENTIFIED +- No Sysmon deployed on SRV-FILE01 (blind spot) +- Proxy logs missing SSL inspection for C2 domain +- PowerShell ScriptBlock logging not enabled + +RECOMMENDED DETECTIONS +1. Correlation search for Office-spawned PowerShell +2. Threshold alert for LSASS access patterns +3. Behavioral rule for beacon-interval network traffic +``` diff --git a/skills/analyzing-slack-space-and-file-system-artifacts/SKILL.md b/skills/analyzing-slack-space-and-file-system-artifacts/SKILL.md index a858eb1d..8955ba9f 100644 --- a/skills/analyzing-slack-space-and-file-system-artifacts/SKILL.md +++ b/skills/analyzing-slack-space-and-file-system-artifacts/SKILL.md @@ -1,12 +1,25 @@ --- name: analyzing-slack-space-and-file-system-artifacts -description: Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity on NTFS volumes. +description: Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data + and reconstruct file activity on NTFS volumes. domain: cybersecurity subdomain: digital-forensics -tags: [forensics, slack-space, ntfs, mft, usn-journal, alternate-data-streams, file-system-analysis] -version: "1.0" +tags: +- forensics +- slack-space +- ntfs +- mft +- usn-journal +- alternate-data-streams +- file-system-analysis +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- RS.AN-01 +- RS.AN-03 +- DE.AE-02 +- RS.MA-01 --- # Analyzing Slack Space and File System Artifacts 
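Review bot: The SPL in the fenced blocks will not run as written — lines such as `| Set initial investigation scope` and `| Detect C2 beaconing pattern` are parsed as pipe commands (there is no `Set` or `Detect` command), so each block fails before the search starts; Splunk comments are wrapped in triple backticks (8.0+), or the label belongs in the prose outside the fence. In the DNS-tunnelling query the `rex` pattern shows no named capture groups (`(?[^\.]+)`) — if that is not a rendering artifact, the `domain` field used by `stats` is never extracted — and `avg(len(query))` is invalid because `len()` is an eval function, not a stats aggregation; the rewrite below computes the length first. Two narrower points: `GrantedAccess=0x1010` matches one access mask only, whereas LSASS access by dumpers commonly logs `0x1410`, `0x1438` or `0x1fffff`, so `GrantedAccess IN ("0x1010","0x1410","0x1438","0x1fffff")` plus an exclusion list of known-good `SourceImage` values is the usual shape; and `| timechart span=1m count by src_ip | where count > 0` filters a field that `timechart ... by` does not emit (columns are per-src_ip), so the `where` is a no-op. The `collect index=notable_events` line in Step 6 also does not create an ES notable event — that requires a saved correlation search with the Notable adaptive response action — so the step should either say it writes to a summary index or describe the correlation-search configuration instead.

```spl
index=dns
| rex field=query "(?<subdomain>[^\.]+)\.(?<domain>[^\.]+\.[^\.]+)$"
| eval query_len=len(query)
| stats count, avg(query_len) as avg_query_len by domain, src_ip
| where count > 500 AND avg_query_len > 40
| sort -count
```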
diff --git a/skills/analyzing-supply-chain-malware-artifacts/SKILL.md b/skills/analyzing-supply-chain-malware-artifacts/SKILL.md index 2df5adb0..b92ecfeb 100644 --- a/skills/analyzing-supply-chain-malware-artifacts/SKILL.md +++ b/skills/analyzing-supply-chain-malware-artifacts/SKILL.md @@ -28,6 +28,11 @@ d3fend_techniques: - Restore Object - Electromagnetic Radiation Hardening - RF Shielding +nist_csf: +- DE.AE-02 +- RS.AN-03 +- ID.RA-01 +- DE.CM-01 --- # Analyzing Supply Chain Malware Artifacts diff --git a/skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md b/skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md index d4e475b8..8bd984b2 100644 --- a/skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md +++ b/skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis +nist_csf: +- ID.RA-01 +- ID.RA-05 +- DE.CM-01 +- DE.AE-02 --- # Analyzing Threat Actor TTPs with MITRE ATT&CK diff --git a/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md b/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md index 54d6b033..36f709b7 100644 --- a/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md +++ b/skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md @@ -33,6 +33,11 @@ d3fend_techniques: - Identifier Analysis - Content Format Conversion - Message Analysis +nist_csf: +- ID.RA-01 +- ID.RA-05 +- DE.CM-01 +- DE.AE-02 --- # Analyzing Threat Actor TTPs with MITRE Navigator diff --git a/skills/analyzing-threat-intelligence-feeds/SKILL.md b/skills/analyzing-threat-intelligence-feeds/SKILL.md index 1055f578..92ddf296 100644 --- a/skills/analyzing-threat-intelligence-feeds/SKILL.md +++ b/skills/analyzing-threat-intelligence-feeds/SKILL.md 
@@ -1,17 +1,31 @@ --- name: analyzing-threat-intelligence-feeds -description: > - Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, - adversary tactics, and campaign context. Use when ingesting commercial or open-source CTI feeds, - evaluating feed quality, normalizing data into STIX 2.1 format, or enriching existing IOCs with - campaign attribution. Activates for requests involving ThreatConnect, Recorded Future, Mandiant - Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines. +description: 'Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics, + and campaign context. Use when ingesting commercial or open-source CTI feeds, evaluating feed quality, normalizing data + into STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates for requests involving ThreatConnect, + Recorded Future, Mandiant Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines. + + ' domain: cybersecurity subdomain: threat-intelligence -tags: [STIX, TAXII, MITRE-ATT&CK, IOC, ThreatConnect, Recorded-Future, MISP, CTI, NIST-CSF] +tags: +- STIX +- TAXII +- MITRE-ATT&CK +- IOC +- ThreatConnect +- Recorded-Future +- MISP +- CTI +- NIST-CSF version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- ID.RA-01 +- ID.RA-05 +- DE.CM-01 +- DE.AE-02 --- # Analyzing Threat Intelligence Feeds diff --git a/skills/analyzing-threat-landscape-with-misp/SKILL.md b/skills/analyzing-threat-landscape-with-misp/SKILL.md index 349f4b3c..84948c4c 100644 --- a/skills/analyzing-threat-landscape-with-misp/SKILL.md +++ b/skills/analyzing-threat-landscape-with-misp/SKILL.md @@ -20,6 +20,11 @@ d3fend_techniques: - Identifier Analysis - Content Format Conversion - Message Analysis +nist_csf: +- ID.RA-01 +- ID.RA-05 +- DE.CM-01 +- DE.AE-02 --- 
diff --git a/skills/analyzing-tls-certificate-transparency-logs/SKILL.md b/skills/analyzing-tls-certificate-transparency-logs/SKILL.md index bd2ee82f..4208a7c1 100644 --- a/skills/analyzing-tls-certificate-transparency-logs/SKILL.md +++ b/skills/analyzing-tls-certificate-transparency-logs/SKILL.md @@ -18,6 +18,11 @@ license: Apache-2.0 atlas_techniques: - AML.T0073 - AML.T0052 +nist_csf: +- DE.CM-01 +- RS.MA-01 +- GV.OV-01 +- DE.AE-02 --- # Analyzing TLS Certificate Transparency Logs diff --git a/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md b/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md index 57e8afc7..d0e49ec7 100644 --- a/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md +++ b/skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md @@ -19,6 +19,11 @@ license: Apache-2.0 atlas_techniques: - AML.T0073 - AML.T0052 +nist_csf: +- ID.RA-01 +- ID.RA-05 +- DE.CM-01 +- DE.AE-02 --- # Analyzing Typosquatting Domains with DNSTwist diff --git a/skills/analyzing-uefi-bootkit-persistence/SKILL.md b/skills/analyzing-uefi-bootkit-persistence/SKILL.md index d63cd6da..4007870f 100644 --- a/skills/analyzing-uefi-bootkit-persistence/SKILL.md +++ b/skills/analyzing-uefi-bootkit-persistence/SKILL.md @@ -26,6 +26,10 @@ d3fend_techniques: - Platform Monitoring - Firmware Verification - Firmware Embedded Monitoring Code +nist_csf: +- ID.RA-01 +- PR.PS-01 +- PR.PS-02 --- # Analyzing UEFI Bootkit Persistence diff --git a/skills/analyzing-usb-device-connection-history/SKILL.md b/skills/analyzing-usb-device-connection-history/SKILL.md index 0ac9519e..a59cf30b 100644 --- a/skills/analyzing-usb-device-connection-history/SKILL.md +++ b/skills/analyzing-usb-device-connection-history/SKILL.md 
@@ -1,12 +1,24 @@
 ---
 name: analyzing-usb-device-connection-history
-description: Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable media usage and potential data exfiltration.
+description: Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable
+  media usage and potential data exfiltration.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, usb-forensics, removable-media, registry-analysis, data-exfiltration, device-history]
-version: "1.0"
+tags:
+- forensics
+- usb-forensics
+- removable-media
+- registry-analysis
+- data-exfiltration
+- device-history
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 
 # Analyzing USB Device Connection History
diff --git a/skills/analyzing-web-server-logs-for-intrusion/SKILL.md b/skills/analyzing-web-server-logs-for-intrusion/SKILL.md
index 5921c415..7ad71dcb 100644
--- a/skills/analyzing-web-server-logs-for-intrusion/SKILL.md
+++ b/skills/analyzing-web-server-logs-for-intrusion/SKILL.md
@@ -1,16 +1,23 @@ --- name: analyzing-web-server-logs-for-intrusion -description: >- - Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, - directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based - pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution, - and statistical anomaly detection for request frequency and response size outliers. +description: Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal, + web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP + enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers. domain: cybersecurity subdomain: security-operations -tags: [analyzing, web, server, logs] -version: "1.0" +tags: +- analyzing +- web +- server +- logs +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- DE.CM-01 +- RS.MA-01 +- GV.OV-01 +- DE.AE-02 --- diff --git a/skills/analyzing-windows-amcache-artifacts/SKILL.md b/skills/analyzing-windows-amcache-artifacts/SKILL.md index ffbca2a2..0e3faca7 100644 --- a/skills/analyzing-windows-amcache-artifacts/SKILL.md +++ b/skills/analyzing-windows-amcache-artifacts/SKILL.md 
@@ -1,19 +1,29 @@ --- name: analyzing-windows-amcache-artifacts -description: > - Parses and analyzes the Windows Amcache.hve registry hive to extract evidence - of program execution, application installation, and driver loading for digital - forensics investigations. Uses Eric Zimmerman's AmcacheParser and Timeline - Explorer for artifact extraction, SHA-1 hash correlation with threat intel, - and timeline reconstruction. Activates for requests involving Amcache forensics, - program execution evidence, Windows artifact analysis, or application compatibility - cache investigation. +description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application + installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline + Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests + involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation. + + ' domain: cybersecurity subdomain: digital-forensics -tags: [amcache, windows-forensics, program-execution, AmcacheParser, eric-zimmerman, timeline-analysis, DFIR] +tags: +- amcache +- windows-forensics +- program-execution +- AmcacheParser +- eric-zimmerman +- timeline-analysis +- DFIR version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- RS.AN-01 +- RS.AN-03 +- DE.AE-02 +- RS.MA-01 --- # Analyzing Windows Amcache Artifacts diff --git a/skills/analyzing-windows-event-logs-in-splunk/SKILL.md b/skills/analyzing-windows-event-logs-in-splunk/SKILL.md index 3edbbc37..4eca7231 100644 --- a/skills/analyzing-windows-event-logs-in-splunk/SKILL.md +++ b/skills/analyzing-windows-event-logs-in-splunk/SKILL.md 
@@ -25,6 +25,11 @@ d3fend_techniques: - Biometric Authentication - Strong Password Policy - Restore User Account Access +nist_csf: +- DE.CM-01 +- DE.AE-02 +- RS.MA-01 +- DE.AE-06 --- # Analyzing Windows Event Logs in Splunk diff --git a/skills/analyzing-windows-lnk-files-for-artifacts/SKILL.md b/skills/analyzing-windows-lnk-files-for-artifacts/SKILL.md index 3bbb88e8..a05221fe 100644 --- a/skills/analyzing-windows-lnk-files-for-artifacts/SKILL.md +++ b/skills/analyzing-windows-lnk-files-for-artifacts/SKILL.md @@ -1,12 +1,24 @@ --- name: analyzing-windows-lnk-files-for-artifacts -description: Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers for forensic timeline reconstruction. +description: Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers + for forensic timeline reconstruction. domain: cybersecurity subdomain: digital-forensics -tags: [forensics, lnk-files, windows-artifacts, shortcut-analysis, timeline-reconstruction, evidence-collection] -version: "1.0" +tags: +- forensics +- lnk-files +- windows-artifacts +- shortcut-analysis +- timeline-reconstruction +- evidence-collection +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- RS.AN-01 +- RS.AN-03 +- DE.AE-02 +- RS.MA-01 --- # Analyzing Windows LNK Files for Artifacts diff --git a/skills/analyzing-windows-prefetch-with-python/SKILL.md b/skills/analyzing-windows-prefetch-with-python/SKILL.md index 2d15cb1b..57764f0e 100644 --- a/skills/analyzing-windows-prefetch-with-python/SKILL.md +++ b/skills/analyzing-windows-prefetch-with-python/SKILL.md 
@@ -1,13 +1,28 @@ --- name: analyzing-windows-prefetch-with-python -description: Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history, detect renamed or masquerading binaries, and identify suspicious program execution patterns. +description: Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history, + detect renamed or masquerading binaries, and identify suspicious program execution patterns. domain: cybersecurity subdomain: digital-forensics -tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis] -mitre_attack: ["T1059", "T1204", "T1036"] -version: "1.0" +tags: +- digital-forensics +- windows +- prefetch +- execution-history +- incident-response +- malware-analysis +mitre_attack: +- T1059 +- T1204 +- T1036 +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- RS.AN-01 +- RS.AN-03 +- DE.AE-02 +- RS.MA-01 --- # Analyzing Windows Prefetch with Python diff --git a/skills/analyzing-windows-registry-for-artifacts/SKILL.md b/skills/analyzing-windows-registry-for-artifacts/SKILL.md index 5f4fa035..1030b1c7 100644 --- a/skills/analyzing-windows-registry-for-artifacts/SKILL.md +++ b/skills/analyzing-windows-registry-for-artifacts/SKILL.md 
@@ -1,12 +1,24 @@ --- name: analyzing-windows-registry-for-artifacts -description: Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and evidence of system compromise. +description: Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and + evidence of system compromise. domain: cybersecurity subdomain: digital-forensics -tags: [forensics, windows-registry, artifact-analysis, regripper, registry-explorer, evidence-collection] -version: "1.0" +tags: +- forensics +- windows-registry +- artifact-analysis +- regripper +- registry-explorer +- evidence-collection +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- RS.AN-01 +- RS.AN-03 +- DE.AE-02 +- RS.MA-01 --- # Analyzing Windows Registry for Artifacts diff --git a/skills/analyzing-windows-shellbag-artifacts/SKILL.md b/skills/analyzing-windows-shellbag-artifacts/SKILL.md index ce91db51..65801f7a 100644 --- a/skills/analyzing-windows-shellbag-artifacts/SKILL.md +++ b/skills/analyzing-windows-shellbag-artifacts/SKILL.md 
@@ -1,12 +1,29 @@ --- name: analyzing-windows-shellbag-artifacts -description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags Explorer. +description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable + media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags + Explorer. domain: cybersecurity subdomain: digital-forensics -tags: [shellbags, windows-registry, sbecmd, shellbags-explorer, folder-access, user-activity, removable-media, network-shares, bagmru, dfir] -version: "1.0" +tags: +- shellbags +- windows-registry +- sbecmd +- shellbags-explorer +- folder-access +- user-activity +- removable-media +- network-shares +- bagmru +- dfir +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- RS.AN-01 +- RS.AN-03 +- DE.AE-02 +- RS.MA-01 --- # Analyzing Windows Shellbag Artifacts diff --git a/skills/auditing-aws-s3-bucket-permissions/SKILL.md b/skills/auditing-aws-s3-bucket-permissions/SKILL.md index 0c08ea38..842ca1a6 100644 --- a/skills/auditing-aws-s3-bucket-permissions/SKILL.md +++ b/skills/auditing-aws-s3-bucket-permissions/SKILL.md 
@@ -1,15 +1,27 @@ --- name: auditing-aws-s3-bucket-permissions -description: > - Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, - overly permissive ACLs, misconfigured bucket policies, and missing encryption settings - using AWS CLI, S3audit, and Prowler to enforce least-privilege data access controls. +description: 'Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, overly permissive ACLs, + misconfigured bucket policies, and missing encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege + data access controls. + + ' domain: cybersecurity subdomain: cloud-security -tags: [cloud-security, aws, s3, bucket-permissions, data-protection, access-control] -version: "1.0" +tags: +- cloud-security +- aws +- s3 +- bucket-permissions +- data-protection +- access-control +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- ID.AM-08 +- GV.SC-06 +- DE.CM-01 --- # Auditing AWS S3 Bucket Permissions diff --git a/skills/auditing-azure-active-directory-configuration/SKILL.md b/skills/auditing-azure-active-directory-configuration/SKILL.md index a233c1ff..77a2605c 100644 --- a/skills/auditing-azure-active-directory-configuration/SKILL.md +++ b/skills/auditing-azure-active-directory-configuration/SKILL.md 
@@ -1,15 +1,27 @@ --- name: auditing-azure-active-directory-configuration -description: > - Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky - authentication policies, overly permissive role assignments, stale accounts, conditional - access gaps, and guest user risks using AzureAD PowerShell, Microsoft Graph API, and ScoutSuite. +description: 'Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies, + overly permissive role assignments, stale accounts, conditional access gaps, and guest user risks using AzureAD PowerShell, + Microsoft Graph API, and ScoutSuite. + + ' domain: cybersecurity subdomain: cloud-security -tags: [cloud-security, azure, entra-id, active-directory, iam-audit, conditional-access] -version: "1.0" +tags: +- cloud-security +- azure +- entra-id +- active-directory +- iam-audit +- conditional-access +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- ID.AM-08 +- GV.SC-06 +- DE.CM-01 --- # Auditing Azure Active Directory Configuration diff --git a/skills/auditing-cloud-with-cis-benchmarks/SKILL.md b/skills/auditing-cloud-with-cis-benchmarks/SKILL.md index 1fe8299c..a333f28a 100644 --- a/skills/auditing-cloud-with-cis-benchmarks/SKILL.md +++ b/skills/auditing-cloud-with-cis-benchmarks/SKILL.md @@ -21,6 +21,11 @@ nist_ai_rmf: - GOVERN-1.1 - GOVERN-4.2 - MAP-2.3 +nist_csf: +- PR.IR-01 +- ID.AM-08 +- GV.SC-06 +- DE.CM-01 --- # Auditing Cloud with CIS Benchmarks diff --git a/skills/auditing-gcp-iam-permissions/SKILL.md b/skills/auditing-gcp-iam-permissions/SKILL.md index 134bd466..6b99af34 100644 --- a/skills/auditing-gcp-iam-permissions/SKILL.md +++ b/skills/auditing-gcp-iam-permissions/SKILL.md 
@@ -1,15 +1,26 @@ --- name: auditing-gcp-iam-permissions -description: > - Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, - primitive role usage, service account key proliferation, and cross-project access risks - using gcloud CLI, Policy Analyzer, and IAM Recommender. +description: 'Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage, + service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender. + + ' domain: cybersecurity subdomain: cloud-security -tags: [cloud-security, gcp, iam, permissions-audit, service-accounts, policy-analyzer] -version: "1.0" +tags: +- cloud-security +- gcp +- iam +- permissions-audit +- service-accounts +- policy-analyzer +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- ID.AM-08 +- GV.SC-06 +- DE.CM-01 --- # Auditing GCP IAM Permissions diff --git a/skills/auditing-kubernetes-cluster-rbac/SKILL.md b/skills/auditing-kubernetes-cluster-rbac/SKILL.md index d4585015..0fee07e4 100644 --- a/skills/auditing-kubernetes-cluster-rbac/SKILL.md +++ b/skills/auditing-kubernetes-cluster-rbac/SKILL.md 
@@ -1,15 +1,27 @@ --- name: auditing-kubernetes-cluster-rbac -description: > - Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, - wildcard permissions, dangerous ClusterRoleBindings, service account abuse, and - privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit. +description: 'Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous + ClusterRoleBindings, service account abuse, and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit. + + ' domain: cybersecurity subdomain: cloud-security -tags: [cloud-security, kubernetes, rbac, access-control, eks, gke, aks] -version: "1.0" +tags: +- cloud-security +- kubernetes +- rbac +- access-control +- eks +- gke +- aks +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- ID.AM-08 +- GV.SC-06 +- DE.CM-01 --- # Auditing Kubernetes Cluster RBAC diff --git a/skills/auditing-terraform-infrastructure-for-security/SKILL.md b/skills/auditing-terraform-infrastructure-for-security/SKILL.md index f55cfcbe..4a2f56bd 100644 --- a/skills/auditing-terraform-infrastructure-for-security/SKILL.md +++ b/skills/auditing-terraform-infrastructure-for-security/SKILL.md 
@@ -1,15 +1,27 @@ --- name: auditing-terraform-infrastructure-for-security -description: > - Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, - tfsec, Terrascan, and OPA/Rego policies to detect overly permissive IAM policies, public - resource exposure, missing encryption, and insecure defaults before cloud deployment. +description: 'Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and + OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults + before cloud deployment. + + ' domain: cybersecurity subdomain: cloud-security -tags: [cloud-security, terraform, infrastructure-as-code, checkov, tfsec, policy-as-code] -version: "1.0" +tags: +- cloud-security +- terraform +- infrastructure-as-code +- checkov +- tfsec +- policy-as-code +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- ID.AM-08 +- GV.SC-06 +- DE.CM-01 --- # Auditing Terraform Infrastructure for Security diff --git a/skills/auditing-tls-certificate-transparency-logs/SKILL.md b/skills/auditing-tls-certificate-transparency-logs/SKILL.md index dbd3eb6c..ab5e29e4 100644 --- a/skills/auditing-tls-certificate-transparency-logs/SKILL.md +++ b/skills/auditing-tls-certificate-transparency-logs/SKILL.md 
@@ -1,18 +1,29 @@ --- name: auditing-tls-certificate-transparency-logs -description: > - Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, - discover subdomains via CT data, and alert on suspicious certificate activity for owned domains. - Uses the crt.sh API and direct CT log querying based on RFC 6962 to build continuous monitoring - pipelines that catch rogue certificates, track CA behavior, and map the external attack surface. - Activates for requests involving certificate transparency monitoring, CT log auditing, - subdomain discovery via certificates, or certificate issuance alerting. +description: 'Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains + via CT data, and alert on suspicious certificate activity for owned domains. Uses the crt.sh API and direct CT log querying + based on RFC 6962 to build continuous monitoring pipelines that catch rogue certificates, track CA behavior, and map the + external attack surface. Activates for requests involving certificate transparency monitoring, CT log auditing, subdomain + discovery via certificates, or certificate issuance alerting. + + ' domain: cybersecurity subdomain: threat-intelligence -tags: [certificate-transparency, CT-logs, crt-sh, subdomain-discovery, TLS-monitoring, RFC-6962] +tags: +- certificate-transparency +- CT-logs +- crt-sh +- subdomain-discovery +- TLS-monitoring +- RFC-6962 version: 1.0.0 author: mukul975 license: Apache-2.0 +nist_csf: +- ID.RA-01 +- ID.RA-05 +- DE.CM-01 +- DE.AE-02 --- # Auditing TLS Certificate Transparency Logs diff --git a/skills/automating-ioc-enrichment/SKILL.md b/skills/automating-ioc-enrichment/SKILL.md index 5e1cee0e..1bad03f1 100644 --- a/skills/automating-ioc-enrichment/SKILL.md +++ b/skills/automating-ioc-enrichment/SKILL.md 
@@ -1,18 +1,32 @@ --- name: automating-ioc-enrichment -description: > - Automates the enrichment of raw indicators of compromise with multi-source threat intelligence - context using SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time - and standardize enrichment outputs. Use when building automated enrichment workflows integrated - with SIEM alerts, email submission pipelines, or bulk IOC processing from threat feeds. Activates - for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment +description: 'Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using + SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time and standardize enrichment outputs. Use + when building automated enrichment workflows integrated with SIEM alerts, email submission pipelines, or bulk IOC processing + from threat feeds. Activates for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment pipelines, or automated IOC processing. + + ' domain: cybersecurity subdomain: threat-intelligence -tags: [SOAR, enrichment, IOC, Cortex-XSOAR, Splunk-SOAR, VirusTotal, automation, CTI, NIST-CSF] +tags: +- SOAR +- enrichment +- IOC +- Cortex-XSOAR +- Splunk-SOAR +- VirusTotal +- automation +- CTI +- NIST-CSF version: 1.0.0 author: team-cybersecurity license: Apache-2.0 +nist_csf: +- ID.RA-01 +- ID.RA-05 +- DE.CM-01 +- DE.AE-02 --- # Automating IOC Enrichment diff --git a/skills/building-adversary-infrastructure-tracking-system/SKILL.md b/skills/building-adversary-infrastructure-tracking-system/SKILL.md index b6b262a6..6f8d4c61 100644 --- a/skills/building-adversary-infrastructure-tracking-system/SKILL.md +++ b/skills/building-adversary-infrastructure-tracking-system/SKILL.md 
@@ -1,12 +1,26 @@ --- name: building-adversary-infrastructure-tracking-system -description: Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor threat actor command-and-control networks. +description: Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS + data, and IP enrichment to map and monitor threat actor command-and-control networks. domain: cybersecurity subdomain: threat-intelligence -tags: [infrastructure-tracking, passive-dns, c2, whois, threat-actor, pivoting, threat-intelligence, domain-analysis] -version: "1.0" +tags: +- infrastructure-tracking +- passive-dns +- c2 +- whois +- threat-actor +- pivoting +- threat-intelligence +- domain-analysis +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- ID.RA-01 +- ID.RA-05 +- DE.CM-01 +- DE.AE-02 --- # Building Adversary Infrastructure Tracking System diff --git a/skills/building-attack-pattern-library-from-cti-reports/SKILL.md b/skills/building-attack-pattern-library-from-cti-reports/SKILL.md index fa70e1eb..ad5af9ae 100644 --- a/skills/building-attack-pattern-library-from-cti-reports/SKILL.md +++ b/skills/building-attack-pattern-library-from-cti-reports/SKILL.md @@ -22,6 +22,11 @@ d3fend_techniques: - Identifier Analysis - Content Format Conversion - Message Analysis +nist_csf: +- ID.RA-01 +- ID.RA-05 +- DE.CM-01 +- DE.AE-02 --- # Building Attack Pattern Library from CTI Reports diff --git a/skills/building-automated-malware-submission-pipeline/SKILL.md b/skills/building-automated-malware-submission-pipeline/SKILL.md index 6086263e..91b062a7 100644 --- a/skills/building-automated-malware-submission-pipeline/SKILL.md +++ b/skills/building-automated-malware-submission-pipeline/SKILL.md 
@@ -1,16 +1,29 @@ --- name: building-automated-malware-submission-pipeline -description: > - Builds an automated malware submission and analysis pipeline that collects suspicious files from - endpoints and email gateways, submits them to sandbox environments and multi-engine scanners, - and generates verdicts with IOCs for SIEM integration. Use when SOC teams need to scale malware - analysis beyond manual sandbox submissions for high-volume alert triage. +description: 'Builds an automated malware submission and analysis pipeline that collects suspicious files from endpoints and + email gateways, submits them to sandbox environments and multi-engine scanners, and generates verdicts with IOCs for SIEM + integration. Use when SOC teams need to scale malware analysis beyond manual sandbox submissions for high-volume alert triage. + + ' domain: cybersecurity subdomain: soc-operations -tags: [soc, malware-analysis, sandbox, automation, virustotal, cuckoo, any-run, pipeline] -version: "1.0" +tags: +- soc +- malware-analysis +- sandbox +- automation +- virustotal +- cuckoo +- any-run +- pipeline +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- DE.CM-01 +- DE.AE-02 +- RS.MA-01 +- DE.AE-06 --- # Building Automated Malware Submission Pipeline diff --git a/skills/building-c2-infrastructure-with-sliver-framework/SKILL.md b/skills/building-c2-infrastructure-with-sliver-framework/SKILL.md index eb7d2e36..590a9c35 100644 --- a/skills/building-c2-infrastructure-with-sliver-framework/SKILL.md +++ b/skills/building-c2-infrastructure-with-sliver-framework/SKILL.md @@ -21,6 +21,10 @@ d3fend_techniques: - Application Protocol Command Analysis - Content Format Conversion - File Content Analysis +nist_csf: +- ID.RA-01 +- GV.OV-02 +- DE.AE-07 --- # Building C2 Infrastructure with Sliver Framework diff --git a/skills/building-cloud-siem-with-sentinel/SKILL.md b/skills/building-cloud-siem-with-sentinel/SKILL.md index 938abeaa..878c242b 100644 
--- a/skills/building-cloud-siem-with-sentinel/SKILL.md +++ b/skills/building-cloud-siem-with-sentinel/SKILL.md @@ -25,6 +25,11 @@ atlas_techniques: - AML.T0070 - AML.T0066 - AML.T0082 +nist_csf: +- PR.IR-01 +- ID.AM-08 +- GV.SC-06 +- DE.CM-01 --- # Building Cloud SIEM with Sentinel diff --git a/skills/building-detection-rule-with-splunk-spl/SKILL.md b/skills/building-detection-rule-with-splunk-spl/SKILL.md index e543da8f..d8aeb8c0 100644 --- a/skills/building-detection-rule-with-splunk-spl/SKILL.md +++ b/skills/building-detection-rule-with-splunk-spl/SKILL.md @@ -22,6 +22,11 @@ d3fend_techniques: - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis +nist_csf: +- DE.CM-01 +- DE.AE-02 +- RS.MA-01 +- DE.AE-06 --- # Building Detection Rules with Splunk SPL diff --git a/skills/building-detection-rules-with-sigma/SKILL.md b/skills/building-detection-rules-with-sigma/SKILL.md index bcb52058..967cd29d 100644 --- a/skills/building-detection-rules-with-sigma/SKILL.md +++ b/skills/building-detection-rules-with-sigma/SKILL.md @@ -26,6 +26,11 @@ d3fend_techniques: - Hardware-based Process Isolation - Web Session Access Mediation - Process Suspension +nist_csf: +- DE.CM-01 +- DE.AE-02 +- RS.MA-01 +- DE.AE-06 --- # Building Detection Rules with Sigma diff --git a/skills/building-devsecops-pipeline-with-gitlab-ci/SKILL.md b/skills/building-devsecops-pipeline-with-gitlab-ci/SKILL.md index aaedfe21..fb68be4f 100644 --- a/skills/building-devsecops-pipeline-with-gitlab-ci/SKILL.md +++ b/skills/building-devsecops-pipeline-with-gitlab-ci/SKILL.md 
@@ -1,12 +1,26 @@ --- name: building-devsecops-pipeline-with-gitlab-ci -description: Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning, dependency scanning, and secret detection. +description: Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning, + dependency scanning, and secret detection. domain: cybersecurity subdomain: devsecops -tags: [gitlab-ci, devsecops, sast, dast, container-scanning, dependency-scanning, secret-detection, cicd-security] -version: "1.0" +tags: +- gitlab-ci +- devsecops +- sast +- dast +- container-scanning +- dependency-scanning +- secret-detection +- cicd-security +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.PS-01 +- GV.SC-07 +- ID.IM-04 +- PR.PS-04 --- # Building DevSecOps Pipeline with GitLab CI diff --git a/skills/building-identity-federation-with-saml-azure-ad/SKILL.md b/skills/building-identity-federation-with-saml-azure-ad/SKILL.md index d7d4798d..b5708454 100644 --- a/skills/building-identity-federation-with-saml-azure-ad/SKILL.md +++ b/skills/building-identity-federation-with-saml-azure-ad/SKILL.md 
@@ -1,12 +1,26 @@ --- name: building-identity-federation-with-saml-azure-ad -description: Establish SAML 2.0 identity federation between on-premises Active Directory and Azure AD (Microsoft Entra ID) for seamless cross-domain authentication and SSO to cloud applications. +description: Establish SAML 2.0 identity federation between on-premises Active Directory and Azure AD (Microsoft Entra ID) + for seamless cross-domain authentication and SSO to cloud applications. domain: cybersecurity subdomain: identity-access-management -tags: [saml, azure-ad, entra-id, federation, identity, sso, adfs, hybrid-identity] -version: "1.0" +tags: +- saml +- azure-ad +- entra-id +- federation +- identity +- sso +- adfs +- hybrid-identity +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.AA-01 +- PR.AA-02 +- PR.AA-05 +- PR.AA-06 --- # Building Identity Federation with SAML Azure AD diff --git a/skills/building-identity-governance-lifecycle-process/SKILL.md b/skills/building-identity-governance-lifecycle-process/SKILL.md index 2cc53a6e..9567cb7a 100644 --- a/skills/building-identity-governance-lifecycle-process/SKILL.md +++ b/skills/building-identity-governance-lifecycle-process/SKILL.md @@ -22,6 +22,11 @@ nist_ai_rmf: - GOVERN-1.1 - GOVERN-1.7 - MAP-1.1 +nist_csf: +- PR.AA-01 +- PR.AA-02 +- PR.AA-05 +- PR.AA-06 --- # Building Identity Governance Lifecycle Process diff --git a/skills/building-incident-response-dashboard/SKILL.md b/skills/building-incident-response-dashboard/SKILL.md index 78d0cb1c..7274a250 100644 --- a/skills/building-incident-response-dashboard/SKILL.md +++ b/skills/building-incident-response-dashboard/SKILL.md 
@@ -1,16 +1,28 @@ --- name: building-incident-response-dashboard -description: > - Builds real-time incident response dashboards in Splunk, Elastic, or Grafana to provide SOC - analysts and leadership with situational awareness during active incidents, tracking affected - systems, containment status, IOC spread, and response timeline. Use when IR teams need unified - visibility during incident coordination and post-incident reporting. +description: 'Builds real-time incident response dashboards in Splunk, Elastic, or Grafana to provide SOC analysts and leadership + with situational awareness during active incidents, tracking affected systems, containment status, IOC spread, and response + timeline. Use when IR teams need unified visibility during incident coordination and post-incident reporting. + + ' domain: cybersecurity subdomain: soc-operations -tags: [soc, dashboard, incident-response, splunk, visualization, situational-awareness, metrics] -version: "1.0" +tags: +- soc +- dashboard +- incident-response +- splunk +- visualization +- situational-awareness +- metrics +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- DE.CM-01 +- DE.AE-02 +- RS.MA-01 +- DE.AE-06 --- # Building Incident Response Dashboard diff --git a/skills/building-incident-response-playbook/SKILL.md b/skills/building-incident-response-playbook/SKILL.md index 4499d90f..9ec4b972 100644 --- a/skills/building-incident-response-playbook/SKILL.md +++ b/skills/building-incident-response-playbook/SKILL.md 
@@ -1,19 +1,31 @@ --- name: building-incident-response-playbook -description: > - Designs and documents structured incident response playbooks that define step-by-step - procedures for specific incident types aligned with NIST SP 800-61r3 and SANS PICERL - frameworks. Covers playbook structure, decision trees, escalation criteria, RACI matrices, - and integration with SOAR platforms. Activates for requests involving IR playbook creation, - incident response procedure documentation, response runbook development, or SOAR playbook - design. +description: 'Designs and documents structured incident response playbooks that define step-by-step procedures for specific + incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation + criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident + response procedure documentation, response runbook development, or SOAR playbook design. + + ' domain: cybersecurity subdomain: incident-response -tags: [IR-playbook, runbook, NIST-800-61, SOAR-integration, response-procedures] -mitre_attack: ["T1190", "T1566", "T1078"] +tags: +- IR-playbook +- runbook +- NIST-800-61 +- SOAR-integration +- response-procedures +mitre_attack: +- T1190 +- T1566 +- T1078 version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- RS.MA-01 +- RS.MA-02 +- RS.AN-03 +- RC.RP-01 --- # Building Incident Response Playbooks diff --git a/skills/building-incident-timeline-with-timesketch/SKILL.md b/skills/building-incident-timeline-with-timesketch/SKILL.md index 74462b55..f89f01ef 100644 --- a/skills/building-incident-timeline-with-timesketch/SKILL.md +++ b/skills/building-incident-timeline-with-timesketch/SKILL.md 
@@ -1,6 +1,10 @@ --- -{} ----tags: +name: building-incident-timeline-with-timesketch +description: Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source + event data for attack chain reconstruction and investigation documentation. +domain: cybersecurity +subdomain: incident-response +tags: - timesketch - timeline-analysis - forensic-timeline 
@@ -8,4 +12,256 @@ - dfir - incident-investigation - collaborative-forensics +mitre_attack: +- T1070 +- T1059 +- T1053 version: '1.0' +author: mahipal +license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis +nist_csf: +- RS.MA-01 +- RS.MA-02 +- RS.AN-03 +- RC.RP-01 +--- + +# Building Incident Timeline with Timesketch + +## Overview + +Timesketch is an open-source collaborative forensic timeline analysis tool developed by Google that enables security teams to visualize and analyze chronological data from multiple sources during incident investigations. It ingests logs and artifacts from endpoints, servers, and cloud services, normalizes them into a unified searchable timeline, and provides powerful analysis capabilities including built-in analyzers, tagging, sketch annotations, and story building. Timesketch integrates with Plaso (log2timeline) for artifact parsing and supports direct CSV/JSONL ingestion for rapid timeline construction during active incidents. 
+ + +## When to Use + +- When deploying or configuring building incident timeline with timesketch capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with incident response concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + +## Architecture and Components + +### Core Components +- **Timesketch Server**: Web application with REST API for timeline management +- **OpenSearch/Elasticsearch**: Backend storage and search engine for timeline events +- **PostgreSQL**: Metadata storage for sketches, stories, and user data +- **Redis**: Task queue management for background processing +- **Celery Workers**: Asynchronous processing of timeline uploads and analyzers + +### Data Flow +``` +Evidence Sources --> Plaso/log2timeline --> Plaso storage file (.plaso) + | | + v v + CSV/JSONL --> Timesketch Importer --> OpenSearch Index + | + v + Timesketch Web UI + (Search, Analyze, Story) +``` + +## Deployment + +### Docker Deployment (Recommended) +```bash +# Clone Timesketch repository +git clone https://github.com/google/timesketch.git +cd timesketch + +# Run deployment helper script +cd docker +sudo docker compose up -d + +# Default access: https://localhost:443 +# Admin credentials generated during first run +``` + +### System Requirements +- Minimum 8 GB RAM (16+ GB recommended for large investigations) +- 4 CPU cores minimum +- SSD storage for OpenSearch indices +- Docker and Docker Compose installed + +## Data Ingestion Methods + +### Method 1: Plaso Integration (Comprehensive) +```bash +# Process disk image with log2timeline +log2timeline.py --storage-file evidence.plaso /path/to/disk/image + +# Process Windows 
event logs +log2timeline.py --parsers winevtx --storage-file windows_events.plaso /path/to/evtx/ + +# Process multiple evidence sources +log2timeline.py --parsers "winevtx,prefetch,amcache,shimcache,userassist" \ + --storage-file full_analysis.plaso /path/to/mounted/image/ + +# Import Plaso file into Timesketch +timesketch_importer -s "Case-2025-001" -t "Endpoint-WKS01" evidence.plaso +``` + +### Method 2: CSV Import (Quick Ingestion) +```csv +message,datetime,timestamp_desc,source,hostname +"User login detected","2025-01-15T08:30:00Z","Event Recorded","Security Log","DC01" +"PowerShell execution","2025-01-15T08:31:15Z","Event Recorded","PowerShell","WKS042" +``` + +```bash +# Import CSV directly +timesketch_importer -s "Case-2025-001" -t "Quick-Triage" events.csv +``` + +### Method 3: JSONL Import (Structured Data) +```json +{"message": "Suspicious logon from 10.1.2.3", "datetime": "2025-01-15T08:30:00Z", "timestamp_desc": "Event Recorded", "source_short": "Security", "hostname": "DC01"} +``` + +### Method 4: Sigma Rule Integration +```bash +# Upload Sigma rules for automated detection +timesketch_importer --sigma-rules /path/to/sigma/rules/ +``` + +## Analysis Workflow + +### Step 1: Create Investigation Sketch +``` +1. Log into Timesketch web interface +2. Create new sketch (investigation case) +3. Add relevant timelines to the sketch +4. 
Set sketch description and tags +``` + +### Step 2: Run Built-in Analyzers +Timesketch includes analyzers that automatically identify: +- **Browser Search Analyzer**: Extracts search queries from browser history +- **Chain of Events Analyzer**: Links related events (download -> execute) +- **Domain Analyzer**: Extracts and categorizes domain names +- **Feature Extraction Analyzer**: Identifies IPs, URLs, hashes +- **Geo Location Analyzer**: Maps events to geographic locations +- **Similarity Scorer**: Finds similar events across timelines +- **Sigma Analyzer**: Matches events against Sigma detection rules +- **Account Finder**: Identifies user account activity patterns +- **Tagger**: Applies labels based on predefined rules + +### Step 3: Search and Filter +``` +# Search examples in Timesketch query language + +# Find all events related to specific user +source_short:Security AND message:"john.admin" + +# Find PowerShell execution events +data_type:"windows:evtx:record" AND event_identifier:4104 + +# Find lateral movement indicators +source_short:Security AND event_identifier:4624 AND xml_string:"LogonType\">3" + +# Find events within specific time range +datetime:[2025-01-15T00:00:00 TO 2025-01-15T23:59:59] + +# Find file creation events +data_type:"fs:stat" AND timestamp_desc:"Creation Time" + +# Search with tags +tag:"suspicious" OR tag:"lateral_movement" +``` + +### Step 4: Build Investigation Story +``` +1. Create new story within the sketch +2. Add search views that support each finding +3. Annotate key events with investigator notes +4. Link events to MITRE ATT&CK techniques +5. Document the attack narrative chronologically +6. 
Export story for inclusion in incident report +``` + +## Advanced Features + +### Collaborative Investigation +- Multiple analysts work on the same sketch simultaneously +- Comments and annotations persist on events +- Saved searches shared across the team +- Investigation stories document findings in context + +### API Automation +```python +from timesketch_api_client import config +from timesketch_api_client import client as ts_client + +# Connect to Timesketch +ts = ts_client.TimesketchApi( + host_uri="https://timesketch.local", + username="analyst", + password="password" +) + +# Get sketch +sketch = ts.get_sketch(1) + +# Search events +search = sketch.explore( + query_string='event_identifier:4624 AND LogonType:3', + return_fields='datetime,message,hostname,source_short' +) + +# Add tags to events +for event in search.get('objects', []): + sketch.tag_event(event['_id'], ['lateral_movement']) +``` + +### Integration with Dissect +```bash +# Use Dissect for faster artifact parsing (alternative to Plaso) +target-query -f timesketch://timesketch.local/case-001 \ + targets/hostname/ -q "windows.evtx" --limit 0 +``` + +## Key Data Sources for Timeline Building + +| Source | Parser | Evidence Value | +|--------|--------|---------------| +| Windows Event Logs (.evtx) | winevtx | Authentication, process execution, services | +| Prefetch Files | prefetch | Program execution history | +| MFT ($MFT) | mft | File system activity | +| Registry Hives | winreg | System configuration, persistence | +| Browser History | chrome/firefox | Web activity, downloads | +| Syslog | syslog | Linux/network device events | +| CloudTrail Logs | jsonl | AWS API activity | +| Azure Activity Logs | jsonl | Azure resource operations | +| Firewall Logs | csv/jsonl | Network connections | +| Proxy Logs | csv/jsonl | HTTP/HTTPS traffic | + +## MITRE ATT&CK Mapping + +| Technique | Timeline Indicators | +|-----------|-------------------| +| Initial Access (TA0001) | First malicious event, phishing 
email receipt | +| Execution (T1059) | PowerShell/CMD events, process creation | +| Persistence (TA0003) | Registry modifications, scheduled tasks, services | +| Lateral Movement (TA0008) | Remote logons, SMB connections, RDP sessions | +| Exfiltration (TA0010) | Large data transfers, cloud storage uploads | + +## References + +- [Timesketch Official Documentation](https://timesketch.org/) +- [Timesketch GitHub Repository](https://github.com/google/timesketch) +- [CISA Timesketch Resource](https://www.cisa.gov/resources-tools/services/timesketch) +- [Hunt and Hackett: Scalable Forensics with Dissect and Timesketch](https://www.huntandhackett.com/blog/scalable-forensics-timeline-analysis-using-dissect-and-timesketch) +- [Plaso (log2timeline) Documentation](https://plaso.readthedocs.io/) diff --git a/skills/building-ioc-defanging-and-sharing-pipeline/SKILL.md b/skills/building-ioc-defanging-and-sharing-pipeline/SKILL.md index e69b9d38..91fc4350 100644 --- a/skills/building-ioc-defanging-and-sharing-pipeline/SKILL.md +++ b/skills/building-ioc-defanging-and-sharing-pipeline/SKILL.md 
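Review bot: The API automation example under `### API Automation` hardcodes credentials (`username="analyst", password="password"`) in a snippet that will be pasted into investigation scripts, while the `config` module it imports from `timesketch_api_client` is never used. Replace the inline login with the client's config helper — `ts = config.get_client()`, which (if I recall correctly) reads `~/.timesketchrc` — or at minimum `password=os.environ["TS_PASSWORD"]`, and drop the unused import otherwise. The Plaso commands in `### Method 1` run against `/path/to/disk/image` with no mention that the source must be a verified forensic image or read-only mount, nor that the resulting `.plaso`/CSV files should be hashed before import; since the sibling dd/dcfldd skill in this same commit is built around hash verification, a one-line note such as `# sha256sum evidence.plaso and record it before import to preserve chain of custody` would keep the corpus consistent. The frontmatter `d3fend_techniques` list (`Executable Denylisting`, `Execution Isolation`, `File Metadata Consistency Validation`, …) is identical to the Splunk SPL detection skill's list elsewhere in this diff and does not describe what a timeline-analysis tool does, so it looks copied and should be re-mapped or removed. The `## When to Use` bullets read as template filler (`deploying or configuring building incident timeline with timesketch capabilities`) and should be rewritten around the concrete triggers: multi-host timeline correlation, attack-chain reconstruction, and collaborative IR documentation.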
@@ -1,12 +1,26 @@
 ---
 name: building-ioc-defanging-and-sharing-pipeline
-description: Build an automated pipeline to defang indicators of compromise (URLs, IPs, domains, emails) for safe sharing and distribute them in STIX format through TAXII feeds and threat intelligence platforms.
+description: Build an automated pipeline to defang indicators of compromise (URLs, IPs, domains, emails) for safe sharing
+ and distribute them in STIX format through TAXII feeds and threat intelligence platforms.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [ioc, defanging, threat-sharing, stix, pipeline, indicator, automation, threat-intelligence]
-version: "1.0"
+tags:
+- ioc
+- defanging
+- threat-sharing
+- stix
+- pipeline
+- indicator
+- automation
+- threat-intelligence
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Building IOC Defanging and Sharing Pipeline
diff --git a/skills/building-ioc-enrichment-pipeline-with-opencti/SKILL.md b/skills/building-ioc-enrichment-pipeline-with-opencti/SKILL.md
index 59c2af07..fab7a67a 100644
--- a/skills/building-ioc-enrichment-pipeline-with-opencti/SKILL.md
+++ b/skills/building-ioc-enrichment-pipeline-with-opencti/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: building-ioc-enrichment-pipeline-with-opencti
-description: OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its native data model. This skill covers building an automated IOC enrichment pipeline using O
+description: OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its
+ native data model. This skill covers building an automated IOC enrichment pipeline using O
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, opencti, enrichment, virustotal]
-version: "1.0"
+tags:
+- threat-intelligence
+- cti
+- ioc
+- mitre-attack
+- stix
+- opencti
+- enrichment
+- virustotal
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Building IOC Enrichment Pipeline with OpenCTI
diff --git a/skills/building-malware-incident-communication-template/SKILL.md b/skills/building-malware-incident-communication-template/SKILL.md
index cb86e086..7c5a3d00 100644
--- a/skills/building-malware-incident-communication-template/SKILL.md
+++ b/skills/building-malware-incident-communication-template/SKILL.md
@@ -1,13 +1,28 @@
 ---
 name: building-malware-incident-communication-template
-description: Build structured communication templates for malware incidents including stakeholder notifications, executive briefings, technical advisories, and regulatory disclosures with severity-based escalation procedures.
+description: Build structured communication templates for malware incidents including stakeholder notifications, executive
+ briefings, technical advisories, and regulatory disclosures with severity-based escalation procedures.
 domain: cybersecurity
 subdomain: incident-response
-tags: [incident-communication, malware-response, stakeholder-notification, crisis-communication, executive-briefing, regulatory-disclosure]
-mitre_attack: ["T1566", "T1204", "T1027"]
-version: "1.0"
+tags:
+- incident-communication
+- malware-response
+- stakeholder-notification
+- crisis-communication
+- executive-briefing
+- regulatory-disclosure
+mitre_attack:
+- T1566
+- T1204
+- T1027
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 # Building Malware Incident Communication Template
diff --git a/skills/building-patch-tuesday-response-process/SKILL.md b/skills/building-patch-tuesday-response-process/SKILL.md
index c497c492..96488e6a 100644
--- a/skills/building-patch-tuesday-response-process/SKILL.md
+++ b/skills/building-patch-tuesday-response-process/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: building-patch-tuesday-response-process
-description: Establish a structured operational process to triage, test, and deploy Microsoft Patch Tuesday security updates within risk-based remediation SLAs.
+description: Establish a structured operational process to triage, test, and deploy Microsoft Patch Tuesday security updates
+ within risk-based remediation SLAs.
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [patch-management, patch-tuesday, microsoft, wsus, sccm, vulnerability-remediation, windows-update]
-version: "1.0"
+tags:
+- patch-management
+- patch-tuesday
+- microsoft
+- wsus
+- sccm
+- vulnerability-remediation
+- windows-update
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 # Building Patch Tuesday Response Process
diff --git a/skills/building-phishing-reporting-button-workflow/SKILL.md b/skills/building-phishing-reporting-button-workflow/SKILL.md
index 8eac7357..e2260b0f 100644
--- a/skills/building-phishing-reporting-button-workflow/SKILL.md
+++ b/skills/building-phishing-reporting-button-workflow/SKILL.md
@@ -1,13 +1,29 @@
 ---
 name: building-phishing-reporting-button-workflow
-description: Implement a phishing report button in email clients with automated triage workflow that analyzes user-reported suspicious emails and provides feedback to reporters.
+description: Implement a phishing report button in email clients with automated triage workflow that analyzes user-reported
+ suspicious emails and provides feedback to reporters.
 domain: cybersecurity
 subdomain: phishing-defense
-tags: [phishing-reporting, email-security, incident-response, security-awareness, outlook, microsoft-365, soar]
-mitre_attack: ["T1566", "T1204", "T1534"]
-version: "1.0"
+tags:
+- phishing-reporting
+- email-security
+- incident-response
+- security-awareness
+- outlook
+- microsoft-365
+- soar
+mitre_attack:
+- T1566
+- T1204
+- T1534
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
+- DE.AE-02
 ---
 # Building Phishing Reporting Button Workflow
diff --git a/skills/building-ransomware-playbook-with-cisa-framework/SKILL.md b/skills/building-ransomware-playbook-with-cisa-framework/SKILL.md
index c96f7f89..ae25fb3b 100644
--- a/skills/building-ransomware-playbook-with-cisa-framework/SKILL.md
+++ b/skills/building-ransomware-playbook-with-cisa-framework/SKILL.md
@@ -1,17 +1,28 @@
 ---
 name: building-ransomware-playbook-with-cisa-framework
-description: >
- Builds a structured ransomware incident response playbook aligned with the CISA
- StopRansomware Guide and NIST Cybersecurity Framework. Covers preparation, detection,
- containment, eradication, recovery, and post-incident phases with actionable
- checklists. Activates for requests involving ransomware response planning, CISA
- compliance, incident response playbook creation, or ransomware preparedness assessment.
+description: 'Builds a structured ransomware incident response playbook aligned with the CISA StopRansomware Guide and NIST
+ Cybersecurity Framework. Covers preparation, detection, containment, eradication, recovery, and post-incident phases with
+ actionable checklists. Activates for requests involving ransomware response planning, CISA compliance, incident response
+ playbook creation, or ransomware preparedness assessment.
+
+ '
 domain: cybersecurity
 subdomain: ransomware-defense
-tags: [ransomware, incident-response, CISA, playbook, compliance, NIST]
+tags:
+- ransomware
+- incident-response
+- CISA
+- playbook
+- compliance
+- NIST
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-11
+- RS.MA-01
+- RC.RP-01
+- PR.IR-01
 ---
 # Building Ransomware Playbook with CISA Framework
diff --git a/skills/building-red-team-c2-infrastructure-with-havoc/SKILL.md b/skills/building-red-team-c2-infrastructure-with-havoc/SKILL.md
index dd9eecef..cf021ae4 100644
--- a/skills/building-red-team-c2-infrastructure-with-havoc/SKILL.md
+++ b/skills/building-red-team-c2-infrastructure-with-havoc/SKILL.md
@@ -24,6 +24,10 @@ d3fend_techniques:
 - Application Protocol Command Analysis
 - Content Format Conversion
 - File Content Analysis
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 # Building Red Team C2 Infrastructure with Havoc
diff --git a/skills/building-role-mining-for-rbac-optimization/SKILL.md b/skills/building-role-mining-for-rbac-optimization/SKILL.md
index 26073ad0..0f2ad092 100644
--- a/skills/building-role-mining-for-rbac-optimization/SKILL.md
+++ b/skills/building-role-mining-for-rbac-optimization/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: building-role-mining-for-rbac-optimization
-description: Apply bottom-up and top-down role mining techniques to discover optimal RBAC roles from existing user-permission assignments, reducing role explosion and enforcing least privilege.
+description: Apply bottom-up and top-down role mining techniques to discover optimal RBAC roles from existing user-permission
+ assignments, reducing role explosion and enforcing least privilege.
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [rbac, role-mining, identity-governance, access-control, least-privilege, clustering]
-version: "1.0"
+tags:
+- rbac
+- role-mining
+- identity-governance
+- access-control
+- least-privilege
+- clustering
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 # Building Role Mining for RBAC Optimization
diff --git a/skills/building-soc-escalation-matrix/SKILL.md b/skills/building-soc-escalation-matrix/SKILL.md
index 21912dc4..6f06c3a0 100644
--- a/skills/building-soc-escalation-matrix/SKILL.md
+++ b/skills/building-soc-escalation-matrix/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: building-soc-escalation-matrix
-description: Build a structured SOC escalation matrix defining severity tiers, response SLAs, escalation paths, and notification procedures for security incidents.
+description: Build a structured SOC escalation matrix defining severity tiers, response SLAs, escalation paths, and notification
+ procedures for security incidents.
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, escalation, incident-management, severity, sla, triage, tiered-soc]
-version: "1.0"
+tags:
+- soc
+- escalation
+- incident-management
+- severity
+- sla
+- triage
+- tiered-soc
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Building SOC Escalation Matrix
diff --git a/skills/building-soc-metrics-and-kpi-tracking/SKILL.md b/skills/building-soc-metrics-and-kpi-tracking/SKILL.md
index d0d7bee4..496309e8 100644
--- a/skills/building-soc-metrics-and-kpi-tracking/SKILL.md
+++ b/skills/building-soc-metrics-and-kpi-tracking/SKILL.md
@@ -27,6 +27,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Building SOC Metrics and KPI Tracking
diff --git a/skills/building-soc-playbook-for-ransomware/SKILL.md b/skills/building-soc-playbook-for-ransomware/SKILL.md
index bc7103f8..b5522c9d 100644
--- a/skills/building-soc-playbook-for-ransomware/SKILL.md
+++ b/skills/building-soc-playbook-for-ransomware/SKILL.md
@@ -1,6 +1,13 @@
 ---
-{}
----tags:
+name: building-soc-playbook-for-ransomware
+description: 'Builds a structured SOC incident response playbook for ransomware attacks covering detection, containment, eradication,
+ and recovery phases with specific SIEM queries, isolation procedures, and decision trees. Use when SOC teams need formalized
+ response procedures for ransomware incidents aligned to NIST SP 800-61 and MITRE ATT&CK ransomware techniques.
+
+ '
+domain: cybersecurity
+subdomain: soc-operations
+tags:
 - soc
 - ransomware
 - incident-response
@@ -8,4 +15,270 @@ - nist - mitre-attack - containment +mitre_attack: +- T1486 +- T1490 +- T1489 +- T1570 version: '1.0' +author: mahipal +license: Apache-2.0 +d3fend_techniques: +- Platform Hardening +- Restore Object +- Restore Configuration +- Restore Software +- Software Update +nist_csf: +- DE.CM-01 +- DE.AE-02 +- RS.MA-01 +- DE.AE-06 +--- +# Building SOC Playbook for Ransomware + +## When to Use + +Use this skill when: +- SOC teams need a standardized ransomware response playbook for Tier 1-3 analysts +- An organization lacks documented procedures for ransomware containment and recovery +- Tabletop exercises reveal gaps in ransomware response coordination +- Compliance requirements (NIST CSF, ISO 27001) mandate documented incident playbooks + +**Do not use** during an active ransomware incident as the sole guide — have pre-built playbooks tested and rehearsed before incidents occur. + +## Prerequisites + +- SIEM platform (Splunk ES, Elastic Security, or Sentinel) with endpoint and network data +- EDR solution (CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint) with network isolation capability +- Backup infrastructure with tested recovery procedures and offline/immutable backups +- Communication plan with legal, executive leadership, and external IR retainer contacts +- MITRE ATT&CK knowledge for ransomware technique chains + +## Workflow + +### Step 1: Define Detection Triggers + +Create SIEM detection rules for early ransomware indicators: + +**Mass File Encryption Detection (Splunk):** +```spl +index=sysmon EventCode=11 +| bin _time span=1m +| stats dc(TargetFilename) AS unique_files, values(TargetFilename) AS sample_files by Computer, Image, _time +| where unique_files > 100 +| eval suspicious_extensions = if(match(mvjoin(sample_files, ","), "\.(encrypted|locked|crypt|enc|ransom)"), "YES", "NO") +| where suspicious_extensions="YES" OR unique_files > 500 +| sort - unique_files +``` + +**Shadow Copy Deletion (T1490):** +```spl +index=wineventlog 
sourcetype="WinEventLog:Security" OR index=sysmon EventCode=1 +(CommandLine="*vssadmin*delete*shadows*" OR CommandLine="*wmic*shadowcopy*delete*" + OR CommandLine="*bcdedit*/set*recoveryenabled*no*" OR CommandLine="*wbadmin*delete*catalog*") +| table _time, Computer, User, ParentImage, Image, CommandLine +``` + +**Ransomware Note File Creation:** +```spl +index=sysmon EventCode=11 +TargetFilename IN ("*README*.txt", "*DECRYPT*.txt", "*RANSOM*.txt", "*RECOVER*.html", "*HOW_TO*.txt") +| stats count by Computer, Image, TargetFilename +| where count > 5 +``` + +**Elastic Security EQL variant:** +```eql +sequence by host.name with maxspan=2m + [process where event.type == "start" and + process.args : ("*vssadmin*", "*delete*", "*shadows*")] + [file where event.type == "creation" and + file.name : ("*README*DECRYPT*", "*RANSOM*", "*HOW_TO_RECOVER*")] +``` + +### Step 2: Build Triage Decision Tree + +``` +RANSOMWARE ALERT TRIAGE +│ +├── Is encryption actively occurring? +│ ├── YES → IMMEDIATE: Isolate host from network (Step 3) +│ │ Do NOT power off (preserve memory for forensics) +│ └── NO → Is this a pre-encryption indicator? +│ ├── Shadow copy deletion → HIGH PRIORITY: Isolate and investigate +│ ├── Known ransomware hash → HIGH PRIORITY: Block hash, scan enterprise +│ └── Suspicious process behavior → MEDIUM: Investigate, prepare isolation +│ +├── How many hosts affected? +│ ├── Single host → Contained incident, follow host isolation procedure +│ ├── Multiple hosts (2-10) → Escalate to Tier 2, begin enterprise-wide scan +│ └── Enterprise-wide (>10) → Activate full IR team, engage external retainer +│ +└── Is data exfiltration confirmed? 
+ ├── YES → Double extortion scenario, engage legal for breach notification + └── NO/UNKNOWN → Check for Cobalt Strike/C2 beacons, review outbound transfers +``` + +### Step 3: Containment Procedures + +**Network Isolation via EDR (CrowdStrike Falcon):** +```bash +# Isolate host using CrowdStrike Falcon API +curl -X POST "https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=contain" \ + -H "Authorization: Bearer $TOKEN" \ + -H "Content-Type: application/json" \ + -d '{"ids": ["device_id_here"]}' +``` + +**Network Isolation via Microsoft Defender for Endpoint:** +```powershell +# Isolate machine via MDE API +$headers = @{Authorization = "Bearer $token"} +$body = @{Comment = "Ransomware containment - IR-2024-0500"; IsolationType = "Full"} | ConvertTo-Json +Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/machines/$machineId/isolate" ` + -Method Post -Headers $headers -Body $body -ContentType "application/json" +``` + +**Firewall Emergency Rules:** +``` +# Palo Alto — Block SMB lateral spread +set rulebase security rules RansomwareContainment from Trust to Trust +set rulebase security rules RansomwareContainment application ms-ds-smb +set rulebase security rules RansomwareContainment action deny +set rulebase security rules RansomwareContainment disabled no +commit +``` + +**Active Directory Emergency Actions:** +```powershell +# Disable compromised account +Disable-ADAccount -Identity "compromised_user" + +# Reset Kerberos TGT (if domain admin compromised) +# WARNING: This resets krbtgt and requires two resets 12+ hours apart +Reset-KrbtgtKeys -Server "DC-PRIMARY" -Force + +# Block lateral movement by disabling remote services +Set-Service -Name "RemoteRegistry" -StartupType Disabled -Status Stopped +``` + +### Step 4: Evidence Collection and Preservation + +Collect forensic artifacts before remediation: + +```powershell +# Capture running processes and network connections +Get-Process | Export-Csv 
"C:\IR\processes_$(hostname).csv" +Get-NetTCPConnection | Export-Csv "C:\IR\netstat_$(hostname).csv" + +# Capture memory dump (if host still running) +winpmem_mini_x64.exe C:\IR\memory_$(hostname).raw + +# Collect ransomware artifacts +Copy-Item "C:\Users\*\Desktop\*README*" "C:\IR\ransom_notes\" -Recurse +Copy-Item "C:\Users\*\Desktop\*.encrypted" "C:\IR\encrypted_samples\" -Force + +# Capture event logs +wevtutil epl Security "C:\IR\Security_$(hostname).evtx" +wevtutil epl System "C:\IR\System_$(hostname).evtx" +wevtutil epl "Microsoft-Windows-Sysmon/Operational" "C:\IR\Sysmon_$(hostname).evtx" +``` + +### Step 5: Eradication and Recovery + +**Identify ransomware variant:** +- Upload encrypted sample and ransom note to ID Ransomware (https://id-ransomware.malwarehunterteam.com/) +- Check No More Ransom Project (https://www.nomoreransom.org/) for available decryptors +- Search for ransomware family IOCs in MalwareBazaar + +**Enterprise-wide IOC scan in Splunk:** +```spl +index=sysmon (EventCode=1 OR EventCode=11 OR EventCode=3) +(TargetFilename="*ransomware_binary_name*" OR sha256="KNOWN_HASH" + OR DestinationIp="C2_IP_ADDRESS" OR CommandLine="*malicious_command*") +| stats count by Computer, EventCode, Image, CommandLine +| sort - count +``` + +**Recovery from backups:** +1. Verify backup integrity (offline/immutable backups not affected) +2. Rebuild affected systems from known-good images +3. Restore data from last clean backup +4. Validate restored systems before reconnecting to network +5. Monitor restored systems for 72 hours for reinfection + +### Step 6: Post-Incident Documentation + +Structure the playbook conclusion with lessons learned: + +``` +POST-INCIDENT REVIEW TEMPLATE +1. Timeline of events (detection to full recovery) +2. Initial access vector identification +3. Dwell time analysis (time from initial compromise to encryption) +4. Detection gaps identified +5. Response effectiveness metrics (MTTD, MTTC, MTTR) +6. 
Playbook improvements recommended +7. New detection rules deployed +8. Backup and recovery procedure updates +``` + +## Key Concepts + +| Term | Definition | +|------|-----------| +| **Double Extortion** | Ransomware tactic combining data encryption with data theft, threatening public release if ransom unpaid | +| **Dwell Time** | Duration between initial compromise and detection — ransomware operators average 5-9 days before encryption | +| **MTTC** | Mean Time to Contain — time from detection to successful isolation of affected systems | +| **Kill Chain** | Ransomware progression: Initial Access -> Execution -> Persistence -> Privilege Escalation -> Lateral Movement -> Collection -> Exfiltration -> Impact | +| **Immutable Backup** | Backup storage that cannot be modified or deleted for a defined retention period (WORM storage) | +| **RTO/RPO** | Recovery Time Objective / Recovery Point Objective — maximum acceptable downtime and data loss thresholds | + +## Tools & Systems + +- **CrowdStrike Falcon / SentinelOne**: EDR platforms with network isolation, process kill, and threat hunting capabilities +- **Splunk ES / Elastic Security**: SIEM platforms for detection rule deployment and enterprise-wide IOC scanning +- **ID Ransomware**: Online service identifying ransomware variants from encrypted file samples and ransom notes +- **No More Ransom Project**: Europol-backed initiative providing free decryption tools for known ransomware families +- **Veeam / Rubrik**: Enterprise backup solutions with immutable backup support and instant recovery capabilities + +## Common Scenarios + +- **LockBit Attack**: Detected via SMB lateral movement and mass file encryption — isolate, scan for Cobalt Strike beacons +- **BlackCat/ALPHV**: Detected via ransomware note creation — check for data exfiltration via Rclone or Mega upload +- **Conti/Royal**: Detected via shadow copy deletion — check for prior BazarLoader/Emotet initial access +- **RansomHub**: Detected via anomalous 
process execution — investigate for compromised VPN or RDP credentials +- **Play Ransomware**: Detected via service account abuse — audit AD for newly created accounts and group membership changes + +## Output Format + +``` +RANSOMWARE PLAYBOOK EXECUTION — IR-2024-0500 +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ +Phase 1 - Detection: + Alert: Mass file encryption detected on FILESERVER-03 + Variant: LockBit 3.0 (confirmed via ID Ransomware) + MTTD: 12 minutes from first encryption to SOC alert + +Phase 2 - Containment: + [DONE] FILESERVER-03 isolated via CrowdStrike at 14:35 UTC + [DONE] SMB blocked enterprise-wide via firewall emergency rule + [DONE] Compromised service account disabled in AD + MTTC: 23 minutes + +Phase 3 - Eradication: + [DONE] 3 additional hosts with C2 beacon identified and isolated + [DONE] Cobalt Strike C2 domain (c2[.]evil[.]com) sinkholed + [DONE] Enterprise-wide IOC scan completed — no additional infections + +Phase 4 - Recovery: + [DONE] FILESERVER-03 rebuilt from gold image + [DONE] Data restored from immutable Veeam backup (RPO: 4 hours) + [DONE] Systems monitored 72 hours — no reinfection + MTTR: 18 hours + +Total Affected: 1 server, 3 workstations +Data Loss: 4 hours of file modifications (backup RPO) +Exfiltration: No evidence of data exfiltration confirmed +``` diff --git a/skills/building-threat-actor-profile-from-osint/SKILL.md b/skills/building-threat-actor-profile-from-osint/SKILL.md index a7d43a12..5c37d1a3 100644 --- a/skills/building-threat-actor-profile-from-osint/SKILL.md +++ b/skills/building-threat-actor-profile-from-osint/SKILL.md 
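Review bot: Step 4's evidence-collection block writes every artifact — the process and connection CSVs, the `winpmem_mini_x64.exe C:\IR\memory_$(hostname).raw` dump and the exported .evtx files — onto `C:\IR\` on the affected host's own system volume, which overwrites unallocated space and can destroy the deleted-file and pre-encryption artifacts that Step 2's "Do NOT power off (preserve memory for forensics)" guidance is trying to keep. Point the outputs at removable media or an approved collection share instead (drive letter illustrative: `winpmem_mini_x64.exe E:\IR\memory_$(hostname).raw`), and say that the share must be allowed through the EDR containment policy applied in Step 3, since an isolated host cannot otherwise reach it. A one-line caveat above the block, such as `# Write to external media or an approved collection share — never the affected host's system disk`, would make that intent explicit. Recording a `Get-FileHash` of each collected file at acquisition time would also give the post-incident review in Step 6 a verifiable chain of custody.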
@@ -1,12 +1,26 @@
 ---
 name: building-threat-actor-profile-from-osint
-description: Build comprehensive threat actor profiles using open-source intelligence (OSINT) techniques to document adversary motivations, capabilities, infrastructure, and TTPs for proactive defense.
+description: Build comprehensive threat actor profiles using open-source intelligence (OSINT) techniques to document adversary
+ motivations, capabilities, infrastructure, and TTPs for proactive defense.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [osint, threat-actor, profiling, maltego, spiderfoot, attribution, threat-intelligence, reconnaissance]
-version: "1.0"
+tags:
+- osint
+- threat-actor
+- profiling
+- maltego
+- spiderfoot
+- attribution
+- threat-intelligence
+- reconnaissance
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Building Threat Actor Profile from OSINT
diff --git a/skills/building-threat-feed-aggregation-with-misp/SKILL.md b/skills/building-threat-feed-aggregation-with-misp/SKILL.md
index 3423cac9..3f84bfce 100644
--- a/skills/building-threat-feed-aggregation-with-misp/SKILL.md
+++ b/skills/building-threat-feed-aggregation-with-misp/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: building-threat-feed-aggregation-with-misp
-description: Deploy MISP (Malware Information Sharing Platform) to aggregate, correlate, and distribute threat intelligence feeds from multiple sources for centralized IOC management and automated SIEM integration.
+description: Deploy MISP (Malware Information Sharing Platform) to aggregate, correlate, and distribute threat intelligence
+ feeds from multiple sources for centralized IOC management and automated SIEM integration.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [misp, threat-feed, aggregation, indicator, sharing, correlation, siem-integration, threat-intelligence]
-version: "1.0"
+tags:
+- misp
+- threat-feed
+- aggregation
+- indicator
+- sharing
+- correlation
+- siem-integration
+- threat-intelligence
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Building Threat Feed Aggregation with MISP
diff --git a/skills/building-threat-hunt-hypothesis-framework/SKILL.md b/skills/building-threat-hunt-hypothesis-framework/SKILL.md
index 5f9528dd..337da7e0 100644
--- a/skills/building-threat-hunt-hypothesis-framework/SKILL.md
+++ b/skills/building-threat-hunt-hypothesis-framework/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: building-threat-hunt-hypothesis-framework
-description: Build a systematic threat hunt hypothesis framework that transforms threat intelligence, attack patterns, and environmental data into testable hunting hypotheses.
+description: Build a systematic threat hunt hypothesis framework that transforms threat intelligence, attack patterns, and
+ environmental data into testable hunting hypotheses.
 domain: cybersecurity
 subdomain: threat-hunting
-tags: [threat-hunting, methodology, hypothesis, threat-intelligence, hunting-framework, proactive-detection]
-version: "1.0"
+tags:
+- threat-hunting
+- methodology
+- hypothesis
+- threat-intelligence
+- hunting-framework
+- proactive-detection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---
 # Building Threat Hunt Hypothesis Framework
diff --git a/skills/building-threat-intelligence-enrichment-in-splunk/SKILL.md b/skills/building-threat-intelligence-enrichment-in-splunk/SKILL.md
index 7ea32b12..2af0ab91 100644
--- a/skills/building-threat-intelligence-enrichment-in-splunk/SKILL.md
+++ b/skills/building-threat-intelligence-enrichment-in-splunk/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: building-threat-intelligence-enrichment-in-splunk
-description: Build automated threat intelligence enrichment pipelines in Splunk Enterprise Security using lookup tables, modular inputs, and the Threat Intelligence Framework.
+description: Build automated threat intelligence enrichment pipelines in Splunk Enterprise Security using lookup tables, modular
+ inputs, and the Threat Intelligence Framework.
 domain: cybersecurity
 subdomain: soc-operations
-tags: [splunk, threat-intelligence, enrichment, ioc, lookup, siem, soc, enterprise-security]
-version: "1.0"
+tags:
+- splunk
+- threat-intelligence
+- enrichment
+- ioc
+- lookup
+- siem
+- soc
+- enterprise-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Building Threat Intelligence Enrichment in Splunk
diff --git a/skills/building-threat-intelligence-feed-integration/SKILL.md b/skills/building-threat-intelligence-feed-integration/SKILL.md
index 222f63be..72aa58fa 100644
--- a/skills/building-threat-intelligence-feed-integration/SKILL.md
+++ b/skills/building-threat-intelligence-feed-integration/SKILL.md
@@ -1,16 +1,30 @@
 ---
 name: building-threat-intelligence-feed-integration
-description: >
- Builds automated threat intelligence feed integration pipelines connecting STIX/TAXII feeds,
- open-source threat intel, and commercial TI platforms into SIEM and security tools for real-time
- IOC matching and alerting. Use when SOC teams need to operationalize threat intelligence by
- automating feed ingestion, normalization, scoring, and distribution to detection systems.
+description: 'Builds automated threat intelligence feed integration pipelines connecting STIX/TAXII feeds, open-source threat
+ intel, and commercial TI platforms into SIEM and security tools for real-time IOC matching and alerting. Use when SOC teams
+ need to operationalize threat intelligence by automating feed ingestion, normalization, scoring, and distribution to detection
+ systems.
+
+ '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, threat-intelligence, stix, taxii, misp, feeds, ioc, siem-integration]
-version: "1.0"
+tags:
+- soc
+- threat-intelligence
+- stix
+- taxii
+- misp
+- feeds
+- ioc
+- siem-integration
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Building Threat Intelligence Feed Integration
diff --git a/skills/building-threat-intelligence-platform/SKILL.md b/skills/building-threat-intelligence-platform/SKILL.md
index 8261a63f..7120416f 100644
--- a/skills/building-threat-intelligence-platform/SKILL.md
+++ b/skills/building-threat-intelligence-platform/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: building-threat-intelligence-platform
-description: Building a Threat Intelligence Platform (TIP) involves deploying and integrating multiple CTI tools into a unified system for collecting, analyzing, enriching, and disseminating threat intelligence. T
+description: Building a Threat Intelligence Platform (TIP) involves deploying and integrating multiple CTI tools into a unified
+ system for collecting, analyzing, enriching, and disseminating threat intelligence. T
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, platform-building, misp, opencti]
-version: "1.0"
+tags:
+- threat-intelligence
+- cti
+- ioc
+- mitre-attack
+- stix
+- platform-building
+- misp
+- opencti
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Building Threat Intelligence Platform
diff --git a/skills/building-vulnerability-aging-and-sla-tracking/SKILL.md b/skills/building-vulnerability-aging-and-sla-tracking/SKILL.md
index 577d6c69..3e9e81db 100644
--- a/skills/building-vulnerability-aging-and-sla-tracking/SKILL.md
+++ b/skills/building-vulnerability-aging-and-sla-tracking/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: building-vulnerability-aging-and-sla-tracking
-description: Implement a vulnerability aging dashboard and SLA tracking system to measure remediation performance against severity-based timelines and drive accountability.
+description: Implement a vulnerability aging dashboard and SLA tracking system to measure remediation performance against
+ severity-based timelines and drive accountability.
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [vulnerability-management, sla-tracking, remediation-metrics, aging-report, kpi, compliance, risk-management]
-version: "1.0"
+tags:
+- vulnerability-management
+- sla-tracking
+- remediation-metrics
+- aging-report
+- kpi
+- compliance
+- risk-management
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 # Building Vulnerability Aging and SLA Tracking
diff --git a/skills/building-vulnerability-dashboard-with-defectdojo/SKILL.md b/skills/building-vulnerability-dashboard-with-defectdojo/SKILL.md
index 9af1d88e..d0fa290a 100644
--- a/skills/building-vulnerability-dashboard-with-defectdojo/SKILL.md
+++ b/skills/building-vulnerability-dashboard-with-defectdojo/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: building-vulnerability-dashboard-with-defectdojo
-description: Deploy DefectDojo as a centralized vulnerability management dashboard with scanner integrations, deduplication, metrics tracking, and Jira ticketing workflows.
+description: Deploy DefectDojo as a centralized vulnerability management dashboard with scanner integrations, deduplication,
+ metrics tracking, and Jira ticketing workflows.
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [defectdojo, vulnerability-management, dashboard, deduplication, scanner-integration, devsecops, jira]
-version: "1.0"
+tags:
+- defectdojo
+- vulnerability-management
+- dashboard
+- deduplication
+- scanner-integration
+- devsecops
+- jira
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 # Building Vulnerability Dashboard with DefectDojo
diff --git a/skills/building-vulnerability-exception-tracking-system/SKILL.md b/skills/building-vulnerability-exception-tracking-system/SKILL.md
index 72e13c5f..c3b640fe 100644
--- a/skills/building-vulnerability-exception-tracking-system/SKILL.md
+++ b/skills/building-vulnerability-exception-tracking-system/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: building-vulnerability-exception-tracking-system
-description: Build a vulnerability exception and risk acceptance tracking system with approval workflows, compensating controls documentation, and expiration management.
+description: Build a vulnerability exception and risk acceptance tracking system with approval workflows, compensating controls
+ documentation, and expiration management.
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [vulnerability-exception, risk-acceptance, compensating-controls, exception-tracking, vulnerability-management, governance]
-version: "1.0"
+tags:
+- vulnerability-exception
+- risk-acceptance
+- compensating-controls
+- exception-tracking
+- vulnerability-management
+- governance
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 
 # Building Vulnerability Exception Tracking System
diff --git a/skills/building-vulnerability-scanning-workflow/SKILL.md b/skills/building-vulnerability-scanning-workflow/SKILL.md
index 5ba7d9ae..740a2080 100644
--- a/skills/building-vulnerability-scanning-workflow/SKILL.md
+++ b/skills/building-vulnerability-scanning-workflow/SKILL.md
@@ -1,16 +1,30 @@
 ---
 name: building-vulnerability-scanning-workflow
-description: >
- Builds a structured vulnerability scanning workflow using tools like Nessus, Qualys, and OpenVAS
- to discover, prioritize, and track remediation of security vulnerabilities across infrastructure.
- Use when SOC teams need to establish recurring vulnerability assessment processes, integrate
- scan results with SIEM alerting, and build remediation tracking dashboards.
+description: 'Builds a structured vulnerability scanning workflow using tools like Nessus, Qualys, and OpenVAS to discover,
+ prioritize, and track remediation of security vulnerabilities across infrastructure. Use when SOC teams need to establish
+ recurring vulnerability assessment processes, integrate scan results with SIEM alerting, and build remediation tracking
+ dashboards.
+
+ '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, vulnerability-scanning, nessus, qualys, openvas, cvss, remediation, patch-management]
-version: "1.0"
+tags:
+- soc
+- vulnerability-scanning
+- nessus
+- qualys
+- openvas
+- cvss
+- remediation
+- patch-management
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 
 # Building Vulnerability Scanning Workflow
diff --git a/skills/bypassing-authentication-with-forced-browsing/SKILL.md b/skills/bypassing-authentication-with-forced-browsing/SKILL.md
index 37c70926..c6e4666d 100644
--- a/skills/bypassing-authentication-with-forced-browsing/SKILL.md
+++ b/skills/bypassing-authentication-with-forced-browsing/SKILL.md
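Review bot: The rewritten description ends with an empty added line followed by a lone `'`, which is how a single-quoted scalar encodes a value that ends in a newline — the old `>` folded block kept its trailing newline and the re-serializer preserved it, so this field now loads as `"...dashboards.\n"` while the single-line descriptions elsewhere in the commit have no trailing newline. Strip the newline before serializing, or write it as `description: >-` with the wrapped text indented beneath, so the field is uniform across skills. The same artifact appears in the hunks for collecting-indicators-of-compromise, collecting-open-source-intelligence, conducting-api-security-testing, conducting-cloud-incident-response, conducting-external-reconnaissance-with-osint, conducting-malware-incident-response, conducting-man-in-the-middle-attack-simulation, conducting-memory-forensics-with-volatility, conducting-network-penetration-test, and conducting-phishing-incident-response. Separately, `RS.MA-01` (incident management) looks misplaced for a scanning workflow; `ID.RA-01`, which the vulnerability-management skills above already use for vulnerability identification, is the direct match.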
@@ -1,12 +1,24 @@
 ---
 name: bypassing-authentication-with-forced-browsing
-description: Discovering and accessing unprotected pages, APIs, and administrative interfaces by enumerating URLs and bypassing authentication controls during authorized security assessments.
+description: Discovering and accessing unprotected pages, APIs, and administrative interfaces by enumerating URLs and bypassing
+ authentication controls during authorized security assessments.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, authentication-bypass, forced-browsing, ffuf, directory-enumeration, owasp]
-version: "1.0"
+tags:
+- penetration-testing
+- authentication-bypass
+- forced-browsing
+- ffuf
+- directory-enumeration
+- owasp
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Bypassing Authentication with Forced Browsing
diff --git a/skills/collecting-indicators-of-compromise/SKILL.md b/skills/collecting-indicators-of-compromise/SKILL.md
index d6da0c03..13a7b4d6 100644
--- a/skills/collecting-indicators-of-compromise/SKILL.md
+++ b/skills/collecting-indicators-of-compromise/SKILL.md
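Review bot: `PR.DS-10` (protection of data in use) is an unlikely home for an authentication-bypass assessment; the controls this skill exercises are authentication and access authorization, which CSF 2.0 places under `PR.AA-03` and `PR.AA-05` (the latter already used by the analyzing-active-directory-acl-abuse skill in this commit). If the list is meant to name the controls the test validates, replacing `PR.DS-10` with one of those would make the mapping defensible; if it was generated from the subdomain, a per-skill check is warranted.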
@@ -1,19 +1,32 @@
 ---
 name: collecting-indicators-of-compromise
-description: >
- Systematically collects, categorizes, and distributes indicators of compromise (IOCs)
- during and after security incidents to enable detection, blocking, and threat intelligence
- sharing. Covers network, host, email, and behavioral indicators using STIX/TAXII
- formats and threat intelligence platforms. Activates for requests involving IOC collection,
- indicator extraction, threat indicator sharing, compromise indicators, STIX export,
- or IOC enrichment.
+description: 'Systematically collects, categorizes, and distributes indicators of compromise (IOCs) during and after security
+ incidents to enable detection, blocking, and threat intelligence sharing. Covers network, host, email, and behavioral indicators
+ using STIX/TAXII formats and threat intelligence platforms. Activates for requests involving IOC collection, indicator extraction,
+ threat indicator sharing, compromise indicators, STIX export, or IOC enrichment.
+
+ '
 domain: cybersecurity
 subdomain: incident-response
-tags: [IOC-collection, threat-indicators, STIX-TAXII, MISP, threat-intelligence-sharing]
-mitre_attack: ["T1071", "T1059", "T1547", "T1053"]
+tags:
+- IOC-collection
+- threat-indicators
+- STIX-TAXII
+- MISP
+- threat-intelligence-sharing
+mitre_attack:
+- T1071
+- T1059
+- T1547
+- T1053
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 
 # Collecting Indicators of Compromise
diff --git a/skills/collecting-open-source-intelligence/SKILL.md b/skills/collecting-open-source-intelligence/SKILL.md
index 82a663a9..1c71fd26 100644
--- a/skills/collecting-open-source-intelligence/SKILL.md
+++ b/skills/collecting-open-source-intelligence/SKILL.md
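Review bot: `RC.RP-01` (executing the recovery plan) does not describe a skill whose scope is collecting and distributing indicators; `ID.RA-02` (threat intelligence received from sharing forums and sources) and `DE.AE-07` (threat intelligence integrated into analysis), both already used elsewhere in this commit, match the STIX/TAXII and MISP sharing described in the new description directly. The same four-ID set (`RS.MA-01`, `RS.MA-02`, `RS.AN-03`, `RC.RP-01`) is attached to every incident-response skill in this commit, so it appears to be a subdomain default rather than a per-skill mapping — an inference, since the mapping rationale is not in the diff.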
@@ -1,18 +1,31 @@
 ---
 name: collecting-open-source-intelligence
-description: >
- Collects and synthesizes open-source intelligence (OSINT) about threat actors, malicious
- infrastructure, and attack campaigns using publicly available data sources, passive reconnaissance
- tools, and dark web monitoring. Use when investigating external threat actor infrastructure,
- performing pre-engagement reconnaissance for authorized red team assessments, or enriching CTI
- reports with publicly available adversary context. Activates for requests involving Maltego,
- Shodan, OSINT framework, SpiderFoot, or infrastructure reconnaissance.
+description: 'Collects and synthesizes open-source intelligence (OSINT) about threat actors, malicious infrastructure, and
+ attack campaigns using publicly available data sources, passive reconnaissance tools, and dark web monitoring. Use when
+ investigating external threat actor infrastructure, performing pre-engagement reconnaissance for authorized red team assessments,
+ or enriching CTI reports with publicly available adversary context. Activates for requests involving Maltego, Shodan, OSINT
+ framework, SpiderFoot, or infrastructure reconnaissance.
+
+ '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [OSINT, Maltego, Shodan, Recon-ng, SpiderFoot, threat-intelligence, ATT&CK-T1591, NIST-CSF]
+tags:
+- OSINT
+- Maltego
+- Shodan
+- Recon-ng
+- SpiderFoot
+- threat-intelligence
+- ATT&CK-T1591
+- NIST-CSF
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Collecting Open-Source Intelligence
diff --git a/skills/collecting-threat-intelligence-with-misp/SKILL.md b/skills/collecting-threat-intelligence-with-misp/SKILL.md
index a2f83ec3..767e377a 100644
--- a/skills/collecting-threat-intelligence-with-misp/SKILL.md
+++ b/skills/collecting-threat-intelligence-with-misp/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: collecting-threat-intelligence-with-misp
-description: MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform for gathering, sharing, storing, and correlating Indicators of Compromise (IOCs) of targeted attacks, threat
+description: MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform for gathering, sharing,
+ storing, and correlating Indicators of Compromise (IOCs) of targeted attacks, threat
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, misp, taxii, threat-sharing]
-version: "1.0"
+tags:
+- threat-intelligence
+- cti
+- ioc
+- mitre-attack
+- stix
+- misp
+- taxii
+- threat-sharing
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Collecting Threat Intelligence with MISP
diff --git a/skills/collecting-volatile-evidence-from-compromised-host/SKILL.md b/skills/collecting-volatile-evidence-from-compromised-host/SKILL.md
index ea6e32e9..c6999433 100644
--- a/skills/collecting-volatile-evidence-from-compromised-host/SKILL.md
+++ b/skills/collecting-volatile-evidence-from-compromised-host/SKILL.md
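Review bot: The description still ends mid-sentence — `...of targeted attacks, threat` — so the re-wrap carries a truncated value into the new file; the cut was already present in the removed line, but the added line is the one that ships and is what any index or catalog will display. The text appears to be the opening of the MISP project's own description, which continues past `threat`; either finish that sentence from the source or end it at a complete clause, e.g. `...Indicators of Compromise (IOCs) of targeted attacks and related threat intelligence.`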
@@ -1,13 +1,29 @@
 ---
 name: collecting-volatile-evidence-from-compromised-host
-description: Collect volatile forensic evidence from a compromised system following order of volatility, preserving memory, network connections, processes, and system state before they are lost.
+description: Collect volatile forensic evidence from a compromised system following order of volatility, preserving memory,
+ network connections, processes, and system state before they are lost.
 domain: cybersecurity
 subdomain: incident-response
-tags: [incident-response, dfir, forensics, volatile-evidence, memory-forensics, chain-of-custody]
-mitre_attack: ["T1003", "T1055", "T1059", "T1547"]
-version: "1.0"
+tags:
+- incident-response
+- dfir
+- forensics
+- volatile-evidence
+- memory-forensics
+- chain-of-custody
+mitre_attack:
+- T1003
+- T1055
+- T1059
+- T1547
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 
 # Collecting Volatile Evidence from Compromised Hosts
diff --git a/skills/conducting-api-security-testing/SKILL.md b/skills/conducting-api-security-testing/SKILL.md
index 89eafe1e..4a709f07 100644
--- a/skills/conducting-api-security-testing/SKILL.md
+++ b/skills/conducting-api-security-testing/SKILL.md
@@ -1,18 +1,28 @@
 ---
 name: conducting-api-security-testing
-description: >
- Conducts security testing of REST, GraphQL, and gRPC APIs to identify vulnerabilities in
- authentication, authorization, rate limiting, input validation, and business logic. The tester
- uses the OWASP API Security Top 10 as the testing framework, combining Burp Suite interception
- with Postman collections and custom scripts to test endpoint security at every privilege level.
- Activates for requests involving API security testing, REST API pentest, GraphQL security
- assessment, or API vulnerability testing.
+description: 'Conducts security testing of REST, GraphQL, and gRPC APIs to identify vulnerabilities in authentication, authorization,
+ rate limiting, input validation, and business logic. The tester uses the OWASP API Security Top 10 as the testing framework,
+ combining Burp Suite interception with Postman collections and custom scripts to test endpoint security at every privilege
+ level. Activates for requests involving API security testing, REST API pentest, GraphQL security assessment, or API vulnerability
+ testing.
+
+ '
 domain: cybersecurity
 subdomain: penetration-testing
-tags: [API-security, OWASP-API-Top10, REST, GraphQL, authorization-testing]
+tags:
+- API-security
+- OWASP-API-Top10
+- REST
+- GraphQL
+- authorization-testing
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Conducting API Security Testing
diff --git a/skills/conducting-cloud-incident-response/SKILL.md b/skills/conducting-cloud-incident-response/SKILL.md
index 3b5fdd56..7763ba30 100644
--- a/skills/conducting-cloud-incident-response/SKILL.md
+++ b/skills/conducting-cloud-incident-response/SKILL.md
@@ -1,18 +1,32 @@
 ---
 name: conducting-cloud-incident-response
-description: >
- Responds to security incidents in cloud environments (AWS, Azure, GCP) by performing
- identity-based containment, cloud-native log analysis, resource isolation, and forensic
- evidence acquisition adapted for ephemeral cloud infrastructure. Activates for requests
- involving cloud incident response, AWS security incident, Azure compromise, GCP breach,
- cloud forensics, or cloud identity compromise.
+description: 'Responds to security incidents in cloud environments (AWS, Azure, GCP) by performing identity-based containment,
+ cloud-native log analysis, resource isolation, and forensic evidence acquisition adapted for ephemeral cloud infrastructure.
+ Activates for requests involving cloud incident response, AWS security incident, Azure compromise, GCP breach, cloud forensics,
+ or cloud identity compromise.
+
+ '
 domain: cybersecurity
 subdomain: incident-response
-tags: [cloud-IR, AWS-forensics, Azure-incident-response, GCP-security, identity-containment]
-mitre_attack: ["T1078", "T1537", "T1580", "T1525"]
+tags:
+- cloud-IR
+- AWS-forensics
+- Azure-incident-response
+- GCP-security
+- identity-containment
+mitre_attack:
+- T1078
+- T1537
+- T1580
+- T1525
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 
 # Conducting Cloud Incident Response
diff --git a/skills/conducting-cloud-penetration-testing/SKILL.md b/skills/conducting-cloud-penetration-testing/SKILL.md
index 04b131a0..7acefcb6 100644
--- a/skills/conducting-cloud-penetration-testing/SKILL.md
+++ b/skills/conducting-cloud-penetration-testing/SKILL.md
@@ -31,6 +31,11 @@ d3fend_techniques:
 - Application Protocol Command Analysis
 - Reissue Credential
 - Network Isolation
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Conducting Cloud Penetration Testing
diff --git a/skills/conducting-domain-persistence-with-dcsync/SKILL.md b/skills/conducting-domain-persistence-with-dcsync/SKILL.md
index 71ebf394..bf859019 100644
--- a/skills/conducting-domain-persistence-with-dcsync/SKILL.md
+++ b/skills/conducting-domain-persistence-with-dcsync/SKILL.md
@@ -21,6 +21,10 @@ d3fend_techniques:
 - Network Traffic Analysis
 - Client-server Payload Profiling
 - Platform Monitoring
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Conducting Domain Persistence with DCSync
diff --git a/skills/conducting-external-reconnaissance-with-osint/SKILL.md b/skills/conducting-external-reconnaissance-with-osint/SKILL.md
index 6118eec9..0eba2196 100644
--- a/skills/conducting-external-reconnaissance-with-osint/SKILL.md
+++ b/skills/conducting-external-reconnaissance-with-osint/SKILL.md
@@ -1,18 +1,28 @@
 ---
 name: conducting-external-reconnaissance-with-osint
-description: >
- Conducts external reconnaissance using Open Source Intelligence (OSINT) techniques to map
- an organization's external attack surface without directly interacting with target systems.
- The tester gathers information from public sources including DNS records, certificate
- transparency logs, search engines, social media, code repositories, and data breach databases
- to build a comprehensive target profile. Activates for requests involving OSINT reconnaissance,
- external footprinting, attack surface mapping, or passive information gathering.
+description: 'Conducts external reconnaissance using Open Source Intelligence (OSINT) techniques to map an organization''s
+ external attack surface without directly interacting with target systems. The tester gathers information from public sources
+ including DNS records, certificate transparency logs, search engines, social media, code repositories, and data breach databases
+ to build a comprehensive target profile. Activates for requests involving OSINT reconnaissance, external footprinting, attack
+ surface mapping, or passive information gathering.
+
+ '
 domain: cybersecurity
 subdomain: penetration-testing
-tags: [OSINT, reconnaissance, attack-surface, footprinting, passive-recon]
+tags:
+- OSINT
+- reconnaissance
+- attack-surface
+- footprinting
+- passive-recon
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Conducting External Reconnaissance with OSINT
diff --git a/skills/conducting-full-scope-red-team-engagement/SKILL.md b/skills/conducting-full-scope-red-team-engagement/SKILL.md
index b5321d1e..4bf5f4e6 100644
--- a/skills/conducting-full-scope-red-team-engagement/SKILL.md
+++ b/skills/conducting-full-scope-red-team-engagement/SKILL.md
@@ -21,6 +21,10 @@ d3fend_techniques:
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Conducting Full-Scope Red Team Engagement
diff --git a/skills/conducting-internal-network-penetration-test/SKILL.md b/skills/conducting-internal-network-penetration-test/SKILL.md
index da7b142c..2e5723bb 100644
--- a/skills/conducting-internal-network-penetration-test/SKILL.md
+++ b/skills/conducting-internal-network-penetration-test/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - Network Traffic Analysis
 - Client-server Payload Profiling
 - Network Traffic Community Deviation
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Conducting Internal Network Penetration Test
diff --git a/skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md b/skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md
index 101aa34b..b2249ae8 100644
--- a/skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md
+++ b/skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md
@@ -21,6 +21,10 @@ d3fend_techniques:
 - Biometric Authentication
 - Strong Password Policy
 - Restore User Account Access
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Conducting Internal Reconnaissance with BloodHound CE
diff --git a/skills/conducting-malware-incident-response/SKILL.md b/skills/conducting-malware-incident-response/SKILL.md
index 77a4cc9a..8115336c 100644
--- a/skills/conducting-malware-incident-response/SKILL.md
+++ b/skills/conducting-malware-incident-response/SKILL.md
@@ -1,8 +1,227 @@
 ---
-{}
----tags:
+name: conducting-malware-incident-response
+description: 'Responds to malware infections across enterprise endpoints by identifying the malware family, determining infection
+ vectors, assessing spread, and executing eradication procedures. Covers the full lifecycle from detection through containment,
+ analysis, removal, and recovery. Activates for requests involving malware response, malware eradication, trojan removal,
+ worm containment, malware triage, or infected endpoint remediation.
+
+ '
+domain: cybersecurity
+subdomain: incident-response
+tags:
 - malware-response
 - malware-analysis
 - eradication
 - endpoint-remediation
 - MITRE-ATT&CK
+mitre_attack:
+- T1204
+- T1027
+- T1055
+- T1059
+- T1486
+version: 1.0.0
+author: mahipal
+license: Apache-2.0
+d3fend_techniques:
+- File Metadata Consistency Validation
+- Application Protocol Command Analysis
+- Identifier Analysis
+- Content Format Conversion
+- Message Analysis
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
+---
+
+# Conducting Malware Incident Response
+
+## When to Use
+
+- EDR or antivirus detects malware execution on one or more endpoints
+- A user reports suspicious system behavior indicative of malware infection
+- Threat intelligence indicates a malware campaign targeting the organization's industry
+- Network monitoring detects beaconing traffic consistent with known malware C2 patterns
+- A file detonation in a sandbox returns a malicious verdict
+
+**Do not use** for analyzing malware samples in a research context; use dedicated malware analysis procedures for reverse engineering.
+
+## Prerequisites
+
+- EDR platform with process tree visibility and host isolation capability
+- Malware sandbox environment (Cuckoo, ANY.RUN, Joe Sandbox, Hybrid Analysis)
+- Access to threat intelligence platforms for malware family identification (VirusTotal, MalwareBazaar)
+- Forensic imaging tools for evidence preservation (FTK Imager, KAPE)
+- Clean system images or gold images for endpoint rebuild
+- MITRE ATT&CK framework reference for technique mapping
+
+## Workflow
+
+### Step 1: Detect and Confirm Malware Presence
+
+Validate the malware alert and gather initial indicators:
+
+- Review EDR alert details: detection name, file path, hash (SHA-256), process tree
+- Check if the detection is a known malware family or generic heuristic detection
+- Query the file hash against VirusTotal, MalwareBazaar, and internal threat intelligence
+- Examine the process execution chain to determine how the malware was delivered
+
+```
+Detection Summary:
+File: C:\Users\jsmith\AppData\Local\Temp\update.exe
+SHA-256: a1b2c3d4e5f6...
+Detection: CrowdStrike: Malware/Qakbot | VirusTotal: 58/72 engines
+Parent: WINWORD.EXE → cmd.exe → powershell.exe → update.exe
+Delivery: Email attachment (Invoice-Nov2025.docm)
+Network: HTTPS POST to 185.220.101[.]42:443 every 60s
+Persistence: Scheduled Task "WindowsUpdate" → update.exe
+```
+
+### Step 2: Scope the Infection
+
+Determine how many systems are affected and the malware's propagation method:
+
+- Use EDR to search for the malware hash, filename, and behavioral indicators across all endpoints
+- Check for network-based spreading (SMB, WMI, PsExec, exploitation)
+- Query email gateway logs for all recipients of the delivery email
+- Search for C2 communications to the identified infrastructure from other internal hosts
+- Check for persistence mechanisms on all identified infected hosts
+
+### Step 3: Contain Infected Systems
+
+Execute containment per the active breach containment procedures:
+
+- Network-isolate infected endpoints via EDR containment
+- Block malware C2 infrastructure at firewall and DNS
+- Block the malware hash in EDR prevention policy organization-wide
+- Quarantine the delivery email from all mailboxes (if email-delivered)
+- Disable compromised user accounts if credential theft is suspected
+
+### Step 4: Analyze the Malware
+
+Perform sufficient analysis to support complete eradication:
+
+- Submit the sample to a sandbox for dynamic analysis (behavioral report, dropped files, network IOCs)
+- Identify all persistence mechanisms: registry keys, scheduled tasks, services, WMI subscriptions, startup folders
+- Document all file system artifacts: dropped files, modified files, created directories
+- Extract network IOCs: C2 domains, IPs, URLs, user agents, JA3/JA3S hashes
+- Map observed behaviors to MITRE ATT&CK techniques
+
+```
+Malware Analysis Summary - Qakbot Variant
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+Initial Access: T1566.001 - Spearphishing Attachment (.docm)
+Execution: T1059.001 - PowerShell (encoded downloader)
+Persistence: T1053.005 - Scheduled Task
+Defense Evasion: T1055.012 - Process Hollowing (explorer.exe)
+C2: T1071.001 - HTTPS with custom headers
+Collection: T1005 - Data from Local System (browser credentials)
+Exfiltration: T1041 - Exfiltration Over C2 Channel
+
+Artifacts:
+- C:\Users\*\AppData\Local\Temp\update.exe (dropper)
+- C:\ProgramData\Microsoft\{GUID}\config.dll (payload)
+- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{random} (backup persistence)
+- Scheduled Task: "WindowsUpdate" (primary persistence)
+```
+
+### Step 5: Eradicate the Malware
+
+Remove all malware artifacts from every infected system:
+
+- Terminate malicious processes and injected threads
+- Delete malware files from all identified paths
+- Remove persistence mechanisms (scheduled tasks, registry keys, services, WMI subscriptions)
+- Clear browser credential stores if credential harvesting was confirmed
+- Run a full EDR scan to verify no artifacts remain
+- If eradication confidence is low, reimage the system from a known-clean gold image
+
+### Step 6: Recover and Validate
+
+Restore systems to production and verify clean status:
+
+- Reconnect contained systems to the network in stages
+- Monitor for 72 hours for any recurrence of malware indicators
+- Force password resets for all users on infected endpoints
+- Verify that C2 traffic has completely ceased across the environment
+- Update detection rules based on newly discovered IOCs from the investigation
+- Distribute IOCs to threat intelligence sharing partners (ISAC, MISP)
+
+## Key Concepts
+
+| Term | Definition |
+|------|------------|
+| **Malware Family** | Classification of malware variants sharing code, infrastructure, or behavior patterns (e.g., Qakbot, Emotet, Cobalt Strike) |
+| **Process Hollowing** | Technique where malware creates a legitimate process in a suspended state, replaces its memory with malicious code, then resumes execution |
+| **Beacon** | Periodic network communication from malware to its C2 server, typically with a set interval and jitter for detection evasion |
+| **Dropper** | Initial malware component that downloads or unpacks the primary payload; often delivered via phishing |
+| **Persistence Mechanism** | Method used by malware to survive system reboots (registry run keys, scheduled tasks, services, WMI event subscriptions) |
+| **IOC (Indicator of Compromise)** | Observable artifact such as file hash, IP address, domain, or registry key that indicates malware presence |
+
+## Tools & Systems
+
+- **CrowdStrike Falcon / Microsoft Defender for Endpoint**: EDR platforms for detection, containment, and threat hunting
+- **ANY.RUN / Joe Sandbox**: Interactive malware sandboxes for dynamic behavioral analysis
+- **VirusTotal / MalwareBazaar**: Malware intelligence platforms for sample identification and IOC enrichment
+- **KAPE (Kroll Artifact Parser and Extractor)**: Forensic triage tool for rapid artifact collection from infected endpoints
+- **YARA**: Pattern-matching engine for creating custom malware detection rules based on observed indicators
+
+## Common Scenarios
+
+### Scenario: Emotet Loader Leading to Cobalt Strike Deployment
+
+**Context**: EDR detects a macro-enabled document that spawns PowerShell, downloads an Emotet DLL, which subsequently loads a Cobalt Strike beacon. Three hosts are infected within 45 minutes.
+
+**Approach**:
+1. Immediately isolate all three hosts and block C2 IPs at the perimeter
+2. Search email gateway for all recipients of the original phishing email and quarantine it
+3. Sweep all endpoints for the Emotet DLL hash and Cobalt Strike beacon indicators
+4. Analyze the Cobalt Strike beacon configuration to extract watermark, C2 profile, and staging URLs
+5. Check for credential harvesting (Mimikatz/LSASS dump) and lateral movement artifacts
+6. Eradicate all malware artifacts and reset credentials for affected users
+
+**Pitfalls**:
+- Focusing only on Emotet and missing the Cobalt Strike second-stage payload
+- Failing to extract and block the Cobalt Strike Malleable C2 profile indicators
+- Not checking for additional persistence beyond the initial detection (Emotet often installs multiple backup persistence mechanisms)
+
+## Output Format
+
+```
+MALWARE INCIDENT RESPONSE REPORT
+=================================
+Incident: INC-2025-1547
+Malware Family: Qakbot (variant: Obama265)
+Delivery Vector: Spearphishing attachment (Invoice-Nov2025.docm)
+First Detection: 2025-11-15T14:23:17Z
+Scope: 4 endpoints confirmed infected
+
+INFECTION TIMELINE
+14:18 UTC - Phishing email received by jsmith@corp.example.com
+14:19 UTC - Macro executed in WINWORD.EXE
+14:20 UTC - PowerShell downloads update.exe from staging server
+14:21 UTC - update.exe establishes persistence (Scheduled Task)
+14:23 UTC - C2 beacon initiated to 185.220.101[.]42
+14:35 UTC - Lateral spread to WKSTN-087 via stolen credentials
+14:42 UTC - EDR detection fires, SOC alerted
+
+IOCs EXTRACTED
+File Hashes: [SHA-256 list]
+C2 Domains: [domain list]
+C2 IPs: [IP list]
+File Paths: [artifact paths]
+
+ERADICATION STATUS
+[x] All malware artifacts removed from 4 hosts
+[x] Persistence mechanisms deleted
+[x] C2 infrastructure blocked
+[x] Compromised credentials reset
+[x] Email quarantined from all mailboxes
+
+RECOMMENDATIONS
+1. Deploy YARA rule for Qakbot variant detection
+2. Block macro execution in documents from external senders
+3. Implement application whitelisting on finance workstations
+```
diff --git a/skills/conducting-man-in-the-middle-attack-simulation/SKILL.md b/skills/conducting-man-in-the-middle-attack-simulation/SKILL.md
index 7e93780d..2849f269 100644
--- a/skills/conducting-man-in-the-middle-attack-simulation/SKILL.md
+++ b/skills/conducting-man-in-the-middle-attack-simulation/SKILL.md
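Review bot: Step 5 deletes the dropper, payload and persistence entries before anything in the workflow captures evidence: the prerequisites list FTK Imager and KAPE "for evidence preservation", but no step uses them, so on a multi-stage infection the first-stage artifacts are destroyed before a later analyst can examine them. Add a leading bullet to Step 5, `- Before removal, preserve evidence: collect a memory image and a KAPE triage package from each infected host and retain a copy of the sample with its SHA-256 under chain of custody`, and have Step 4's sandbox submission use that retained copy. Since Step 3 already blocks the hash in EDR prevention policy organization-wide, the retained sample presumably needs an evidence store outside EDR-protected paths or it will be quarantined — worth a sentence in Step 5. The removed side shows the file had been reduced to `{}` and a fused `---tags:` line, so this hunk restores the whole document rather than changing it; its new description also carries the trailing-newline artifact (blank line then `'`) seen in the other rewritten descriptions.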
@@ -1,15 +1,25 @@
 ---
 name: conducting-man-in-the-middle-attack-simulation
-description: >
- Simulates man-in-the-middle attacks using Ettercap, mitmproxy, and Bettercap in
- authorized environments to intercept, analyze, and modify network traffic for
- testing encryption enforcement, certificate validation, and detection capabilities.
+description: 'Simulates man-in-the-middle attacks using Ettercap, mitmproxy, and Bettercap in authorized environments to intercept,
+ analyze, and modify network traffic for testing encryption enforcement, certificate validation, and detection capabilities.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, mitm, bettercap, ettercap, mitmproxy]
-version: "1.0"
+tags:
+- network-security
+- mitm
+- bettercap
+- ettercap
+- mitmproxy
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Conducting Man-in-the-Middle Attack Simulation
diff --git a/skills/conducting-memory-forensics-with-volatility/SKILL.md b/skills/conducting-memory-forensics-with-volatility/SKILL.md
index 646d95ed..d00fbcf4 100644
--- a/skills/conducting-memory-forensics-with-volatility/SKILL.md
+++ b/skills/conducting-memory-forensics-with-volatility/SKILL.md
@@ -1,19 +1,32 @@
 ---
 name: conducting-memory-forensics-with-volatility
-description: >
- Performs memory forensics analysis using Volatility 3 to extract evidence of
- malware execution, process injection, network connections, and credential theft
- from RAM dumps captured during incident response. Covers memory acquisition,
- process analysis, DLL inspection, and malware detection. Activates for requests
- involving memory forensics, RAM analysis, Volatility framework, memory dump
- investigation, volatile evidence analysis, or live memory acquisition.
+description: 'Performs memory forensics analysis using Volatility 3 to extract evidence of malware execution, process injection,
+ network connections, and credential theft from RAM dumps captured during incident response. Covers memory acquisition, process
+ analysis, DLL inspection, and malware detection. Activates for requests involving memory forensics, RAM analysis, Volatility
+ framework, memory dump investigation, volatile evidence analysis, or live memory acquisition.
+
+ '
 domain: cybersecurity
 subdomain: incident-response
-tags: [memory-forensics, volatility, RAM-analysis, process-injection, DFIR]
-mitre_attack: ["T1003", "T1055", "T1620", "T1574"]
+tags:
+- memory-forensics
+- volatility
+- RAM-analysis
+- process-injection
+- DFIR
+mitre_attack:
+- T1003
+- T1055
+- T1620
+- T1574
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 
 # Conducting Memory Forensics with Volatility
diff --git a/skills/conducting-mobile-app-penetration-test/SKILL.md b/skills/conducting-mobile-app-penetration-test/SKILL.md
index 9a335d3c..f38b08c0 100644
--- a/skills/conducting-mobile-app-penetration-test/SKILL.md
+++ b/skills/conducting-mobile-app-penetration-test/SKILL.md
@@ -26,6 +26,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Conducting Mobile App Penetration Test
diff --git a/skills/conducting-network-penetration-test/SKILL.md b/skills/conducting-network-penetration-test/SKILL.md
index a040d3cf..b5213e01 100644
--- a/skills/conducting-network-penetration-test/SKILL.md
+++ b/skills/conducting-network-penetration-test/SKILL.md
@@ -1,18 +1,28 @@
 ---
 name: conducting-network-penetration-test
-description: >
- Conducts comprehensive network penetration tests against authorized target environments by
- performing host discovery, port scanning, service enumeration, vulnerability identification,
- and controlled exploitation to assess the security posture of network infrastructure. The
- tester follows PTES methodology from reconnaissance through post-exploitation and reporting.
- Activates for requests involving network pentest, infrastructure security assessment,
- internal network testing, or external perimeter testing.
+description: 'Conducts comprehensive network penetration tests against authorized target environments by performing host discovery,
+ port scanning, service enumeration, vulnerability identification, and controlled exploitation to assess the security posture
+ of network infrastructure. The tester follows PTES methodology from reconnaissance through post-exploitation and reporting.
+ Activates for requests involving network pentest, infrastructure security assessment, internal network testing, or external
+ perimeter testing.
+
+ '
 domain: cybersecurity
 subdomain: penetration-testing
-tags: [network-pentest, Nmap, Metasploit, vulnerability-exploitation, infrastructure-security]
+tags:
+- network-pentest
+- Nmap
+- Metasploit
+- vulnerability-exploitation
+- infrastructure-security
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Conducting Network Penetration Test
diff --git a/skills/conducting-pass-the-ticket-attack/SKILL.md b/skills/conducting-pass-the-ticket-attack/SKILL.md
index 86219d04..bd7aceb9 100644
--- a/skills/conducting-pass-the-ticket-attack/SKILL.md
+++ b/skills/conducting-pass-the-ticket-attack/SKILL.md
@@ -22,6 +22,10 @@ d3fend_techniques:
 - Restore Access
 - Application Protocol Command Analysis
 - Process Termination
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Conducting Pass-the-Ticket Attack
diff --git a/skills/conducting-phishing-incident-response/SKILL.md b/skills/conducting-phishing-incident-response/SKILL.md
index 03113d09..184705b7 100644
--- a/skills/conducting-phishing-incident-response/SKILL.md
+++ b/skills/conducting-phishing-incident-response/SKILL.md
@@ -1,19 +1,32 @@
 ---
 name: conducting-phishing-incident-response
-description: >
- Responds to phishing incidents by analyzing reported emails, extracting indicators,
- assessing credential compromise, quarantining malicious messages across the organization,
- and remediating affected accounts. Covers email header analysis, URL/attachment
- sandboxing, and mailbox-wide purge operations. Activates for requests involving
- phishing response, email incident, credential phishing, spear phishing investigation,
- or phishing remediation.
+description: 'Responds to phishing incidents by analyzing reported emails, extracting indicators, assessing credential compromise,
+ quarantining malicious messages across the organization, and remediating affected accounts. Covers email header analysis,
+ URL/attachment sandboxing, and mailbox-wide purge operations. Activates for requests involving phishing response, email
+ incident, credential phishing, spear phishing investigation, or phishing remediation.
+
+ '
 domain: cybersecurity
 subdomain: incident-response
-tags: [phishing-response, email-security, credential-compromise, email-header-analysis, mailbox-remediation]
-mitre_attack: ["T1566", "T1204", "T1534", "T1598"]
+tags:
+- phishing-response
+- email-security
+- credential-compromise
+- email-header-analysis
+- mailbox-remediation
+mitre_attack:
+- T1566
+- T1204
+- T1534
+- T1598
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 
 # Conducting Phishing Incident Response
diff --git a/skills/conducting-post-incident-lessons-learned/SKILL.md b/skills/conducting-post-incident-lessons-learned/SKILL.md
index 399d06df..ac5a94d3 100644
--- a/skills/conducting-post-incident-lessons-learned/SKILL.md
+++ b/skills/conducting-post-incident-lessons-learned/SKILL.md
@@ -1,13 +1,27 @@
 ---
 name: conducting-post-incident-lessons-learned
-description: Facilitate structured post-incident reviews to identify root causes, document what worked and failed, and produce actionable recommendations to improve future incident response.
+description: Facilitate structured post-incident reviews to identify root causes, document what worked and failed, and produce
+ actionable recommendations to improve future incident response.
 domain: cybersecurity
 subdomain: incident-response
-tags: [incident-response, lessons-learned, post-incident, after-action-review, process-improvement]
-mitre_attack: ["T1190", "T1566", "T1078"]
-version: "1.0"
+tags:
+- incident-response
+- lessons-learned
+- post-incident
+- after-action-review
+- process-improvement
+mitre_attack:
+- T1190
+- T1566
+- T1078
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 
 # Conducting Post-Incident Lessons Learned
diff --git a/skills/conducting-social-engineering-penetration-test/SKILL.md b/skills/conducting-social-engineering-penetration-test/SKILL.md
index 1a836f3a..54b446f6 100644
--- a/skills/conducting-social-engineering-penetration-test/SKILL.md
+++ b/skills/conducting-social-engineering-penetration-test/SKILL.md
@@ -23,6 +23,11 @@ atlas_techniques:
 nist_ai_rmf:
 - GOVERN-6.2
 - MAP-5.2
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Conducting Social Engineering Penetration Test
diff --git a/skills/conducting-social-engineering-pretext-call/SKILL.md b/skills/conducting-social-engineering-pretext-call/SKILL.md
index a7de8dc7..b1f530ee 100644
--- a/skills/conducting-social-engineering-pretext-call/SKILL.md
+++ b/skills/conducting-social-engineering-pretext-call/SKILL.md
@@ -27,6 +27,10 @@ d3fend_techniques:
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Conducting Social Engineering Pretext Call
diff --git a/skills/conducting-spearphishing-simulation-campaign/SKILL.md b/skills/conducting-spearphishing-simulation-campaign/SKILL.md
index 3cd0b8cf..fa668935 100644
--- a/skills/conducting-spearphishing-simulation-campaign/SKILL.md
+++ b/skills/conducting-spearphishing-simulation-campaign/SKILL.md
@@ -21,6 +21,10 @@ d3fend_techniques:
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Conducting Spearphishing Simulation Campaign
diff --git a/skills/conducting-wireless-network-penetration-test/SKILL.md b/skills/conducting-wireless-network-penetration-test/SKILL.md
index b590a651..1823b734 100644
--- a/skills/conducting-wireless-network-penetration-test/SKILL.md
+++ b/skills/conducting-wireless-network-penetration-test/SKILL.md
@@ -1,18 +1,28 @@
 ---
 name: conducting-wireless-network-penetration-test
-description: >
- Conducts authorized wireless network penetration tests to assess the security of WiFi
- infrastructure by testing for weak encryption protocols, captive portal bypasses, evil twin
- attacks, WPA2/WPA3 handshake capture, rogue access point detection, and client-side attacks.
- The tester evaluates wireless authentication, network segmentation, and the effectiveness of
- wireless intrusion detection systems. Activates for requests involving wireless pentest, WiFi
- security assessment, WPA2/WPA3 testing, or rogue access point detection.
+description: 'Conducts authorized wireless network penetration tests to assess the security of WiFi infrastructure by testing
+ for weak encryption protocols, captive portal bypasses, evil twin attacks, WPA2/WPA3 handshake capture, rogue access point
+ detection, and client-side attacks. The tester evaluates wireless authentication, network segmentation, and the effectiveness
+ of wireless intrusion detection systems. Activates for requests involving wireless pentest, WiFi security assessment, WPA2/WPA3
+ testing, or rogue access point detection.
+
+ '
 domain: cybersecurity
 subdomain: penetration-testing
-tags: [wireless-pentest, WiFi-security, WPA2, WPA3, evil-twin]
+tags:
+- wireless-pentest
+- WiFi-security
+- WPA2
+- WPA3
+- evil-twin
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Conducting Wireless Network Penetration Test
diff --git a/skills/configuring-active-directory-tiered-model/SKILL.md b/skills/configuring-active-directory-tiered-model/SKILL.md
index 6323e5ef..e65ff928 100644
--- a/skills/configuring-active-directory-tiered-model/SKILL.md
+++ b/skills/configuring-active-directory-tiered-model/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: configuring-active-directory-tiered-model
-description: Implement Microsoft's Enhanced Security Admin Environment (ESAE) tiered administration model for Active Directory. Covers Tier 0/1/2 separation, privileged access workstations (PAWs), administrative f
+description: Implement Microsoft's Enhanced Security Admin Environment (ESAE) tiered administration model for Active Directory.
+ Covers Tier 0/1/2 separation, privileged access workstations (PAWs), administrative f
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [iam, identity, access-control, active-directory, tiered-model, paw, esae]
-version: "1.0"
+tags:
+- iam
+- identity
+- access-control
+- active-directory
+- tiered-model
+- paw
+- esae
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Configuring Active Directory Tiered Model
diff --git a/skills/configuring-aws-verified-access-for-ztna/SKILL.md b/skills/configuring-aws-verified-access-for-ztna/SKILL.md
index f4775f43..c63d09a8 100644
--- a/skills/configuring-aws-verified-access-for-ztna/SKILL.md
+++ b/skills/configuring-aws-verified-access-for-ztna/SKILL.md
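Review bot: The new `description` still ends mid-word at `administrative f`, so the reflow carries over a value that was already cut off on the old side (it looks like a fixed-length truncation of a longer sentence) instead of restoring it. Since this front matter is what indexes and advertises the skill, the value should be completed from the skill body or rewritten as a self-contained sentence before being reformatted. The same truncation survives in the certificate-authority (`(Root CA +`), LDAP hardening (`LDAP si`), Duo MFA (`device trust`), OAuth 2.0 (`token`) and TLS 1.3 (`1-R`) hunks; the `(Root CA +` case additionally leaves a plain scalar ending in a bare `+`, which reads like a stray diff marker and is worth fixing first.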
@@ -1,12 +1,27 @@
 ---
 name: configuring-aws-verified-access-for-ztna
-description: Configure AWS Verified Access to provide VPN-less zero trust network access to internal applications using identity and device posture verification with Cedar policy language.
+description: Configure AWS Verified Access to provide VPN-less zero trust network access to internal applications using identity
+ and device posture verification with Cedar policy language.
 domain: cybersecurity
 subdomain: zero-trust-architecture
-tags: [zero-trust, aws, verified-access, ztna, cedar-policy, vpn-less, identity-verification, device-posture, aws-ram]
-version: "1.0"
+tags:
+- zero-trust
+- aws
+- verified-access
+- ztna
+- cedar-policy
+- vpn-less
+- identity-verification
+- device-posture
+- aws-ram
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 
 # Configuring AWS Verified Access for ZTNA
diff --git a/skills/configuring-certificate-authority-with-openssl/SKILL.md b/skills/configuring-certificate-authority-with-openssl/SKILL.md
index d26195cf..d3435013 100644
--- a/skills/configuring-certificate-authority-with-openssl/SKILL.md
+++ b/skills/configuring-certificate-authority-with-openssl/SKILL.md
@@ -1,12 +1,22 @@
 ---
 name: configuring-certificate-authority-with-openssl
-description: A Certificate Authority (CA) is the trust anchor in a PKI hierarchy, responsible for issuing, signing, and revoking digital certificates. This skill covers building a two-tier CA hierarchy (Root CA +
+description: A Certificate Authority (CA) is the trust anchor in a PKI hierarchy, responsible for issuing, signing, and revoking
+ digital certificates. This skill covers building a two-tier CA hierarchy (Root CA +
 domain: cybersecurity
 subdomain: cryptography
-tags: [cryptography, pki, certificate-authority, openssl, x509]
-version: "1.0"
+tags:
+- cryptography
+- pki
+- certificate-authority
+- openssl
+- x509
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- PR.DS-10
 ---
 
 # Configuring Certificate Authority with OpenSSL
diff --git a/skills/configuring-host-based-intrusion-detection/SKILL.md b/skills/configuring-host-based-intrusion-detection/SKILL.md
index 2b29dc25..ea98eaa0 100644
--- a/skills/configuring-host-based-intrusion-detection/SKILL.md
+++ b/skills/configuring-host-based-intrusion-detection/SKILL.md
@@ -1,17 +1,28 @@
 ---
 name: configuring-host-based-intrusion-detection
-description: >
- Configures host-based intrusion detection systems (HIDS) to monitor endpoint file integrity,
- system calls, and configuration changes for security violations. Use when deploying OSSEC,
- Wazuh, or AIDE for endpoint monitoring, building file integrity monitoring (FIM) policies, or
- meeting compliance requirements for change detection. Activates for requests involving HIDS
- configuration, file integrity monitoring, OSSEC/Wazuh deployment, or host-based detection.
+description: 'Configures host-based intrusion detection systems (HIDS) to monitor endpoint file integrity, system calls, and
+ configuration changes for security violations. Use when deploying OSSEC, Wazuh, or AIDE for endpoint monitoring, building
+ file integrity monitoring (FIM) policies, or meeting compliance requirements for change detection. Activates for requests
+ involving HIDS configuration, file integrity monitoring, OSSEC/Wazuh deployment, or host-based detection.
+
+ '
 domain: cybersecurity
 subdomain: endpoint-security
-tags: [endpoint, HIDS, Wazuh, OSSEC, file-integrity-monitoring, intrusion-detection]
+tags:
+- endpoint
+- HIDS
+- Wazuh
+- OSSEC
+- file-integrity-monitoring
+- intrusion-detection
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.PS-02
+- DE.CM-01
+- PR.IR-01
 ---
 
 # Configuring Host-Based Intrusion Detection
diff --git a/skills/configuring-hsm-for-key-storage/SKILL.md b/skills/configuring-hsm-for-key-storage/SKILL.md
index eaa75826..1f03cf26 100644
--- a/skills/configuring-hsm-for-key-storage/SKILL.md
+++ b/skills/configuring-hsm-for-key-storage/SKILL.md
@@ -21,6 +21,10 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- PR.DS-10
 ---
 
 # Configuring HSM for Key Storage
diff --git a/skills/configuring-identity-aware-proxy-with-google-iap/SKILL.md b/skills/configuring-identity-aware-proxy-with-google-iap/SKILL.md
index 8cf981ea..e464229f 100644
--- a/skills/configuring-identity-aware-proxy-with-google-iap/SKILL.md
+++ b/skills/configuring-identity-aware-proxy-with-google-iap/SKILL.md
@@ -1,15 +1,28 @@
 ---
 name: configuring-identity-aware-proxy-with-google-iap
-description: >
- Configuring Google Cloud Identity-Aware Proxy (IAP) to enforce per-request identity
- verification for Compute Engine, App Engine, Cloud Run, and GKE services using
- access levels, context-aware policies, and programmatic access with service accounts.
+description: 'Configuring Google Cloud Identity-Aware Proxy (IAP) to enforce per-request identity verification for Compute
+ Engine, App Engine, Cloud Run, and GKE services using access levels, context-aware policies, and programmatic access with
+ service accounts.
+
+ '
 domain: cybersecurity
 subdomain: zero-trust-architecture
-tags: [google-iap, identity-aware-proxy, gcp, zero-trust, access-context-manager, cloud-run, app-engine]
-version: "1.0"
+tags:
+- google-iap
+- identity-aware-proxy
+- gcp
+- zero-trust
+- access-context-manager
+- cloud-run
+- app-engine
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 
 # Configuring Identity-Aware Proxy with Google IAP
diff --git a/skills/configuring-ldap-security-hardening/SKILL.md b/skills/configuring-ldap-security-hardening/SKILL.md
index e8bc0ebf..e330fd6b 100644
--- a/skills/configuring-ldap-security-hardening/SKILL.md
+++ b/skills/configuring-ldap-security-hardening/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: configuring-ldap-security-hardening
-description: Harden LDAP directory services against common attacks including credential harvesting, LDAP injection, anonymous binding, and channel binding bypass. Covers LDAPS enforcement, channel binding, LDAP si
+description: Harden LDAP directory services against common attacks including credential harvesting, LDAP injection, anonymous
+ binding, and channel binding bypass. Covers LDAPS enforcement, channel binding, LDAP si
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [iam, identity, access-control, ldap, directory-services, hardening]
-version: "1.0"
+tags:
+- iam
+- identity
+- access-control
+- ldap
+- directory-services
+- hardening
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Configuring LDAP Security Hardening
diff --git a/skills/configuring-microsegmentation-for-zero-trust/SKILL.md b/skills/configuring-microsegmentation-for-zero-trust/SKILL.md
index d4001a13..0cb9cf51 100644
--- a/skills/configuring-microsegmentation-for-zero-trust/SKILL.md
+++ b/skills/configuring-microsegmentation-for-zero-trust/SKILL.md
@@ -1,12 +1,23 @@
 ---
 name: configuring-microsegmentation-for-zero-trust
-description: Configure microsegmentation policies to enforce least-privilege workload-to-workload access using tools like VMware NSX, Illumio, and Calico, preventing lateral movement in zero trust architectures.
+description: Configure microsegmentation policies to enforce least-privilege workload-to-workload access using tools like
+ VMware NSX, Illumio, and Calico, preventing lateral movement in zero trust architectures.
 domain: cybersecurity
 subdomain: zero-trust-architecture
-tags: [zero-trust, microsegmentation, network-access, lateral-movement, network-security]
-version: "1.0"
+tags:
+- zero-trust
+- microsegmentation
+- network-access
+- lateral-movement
+- network-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 
 # Configuring Microsegmentation for Zero Trust
diff --git a/skills/configuring-multi-factor-authentication-with-duo/SKILL.md b/skills/configuring-multi-factor-authentication-with-duo/SKILL.md
index d881b2aa..0d75cfcd 100644
--- a/skills/configuring-multi-factor-authentication-with-duo/SKILL.md
+++ b/skills/configuring-multi-factor-authentication-with-duo/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: configuring-multi-factor-authentication-with-duo
-description: Deploy Cisco Duo multi-factor authentication across enterprise applications, VPN, RDP, and SSH access points. This skill covers Duo integration methods, adaptive authentication policies, device trust
+description: Deploy Cisco Duo multi-factor authentication across enterprise applications, VPN, RDP, and SSH access points.
+ This skill covers Duo integration methods, adaptive authentication policies, device trust
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [iam, identity, access-control, authentication, mfa, duo, multi-factor]
-version: "1.0"
+tags:
+- iam
+- identity
+- access-control
+- authentication
+- mfa
+- duo
+- multi-factor
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Configuring Multi-Factor Authentication with Duo
diff --git a/skills/configuring-network-segmentation-with-vlans/SKILL.md b/skills/configuring-network-segmentation-with-vlans/SKILL.md
index 75eddc96..7a9e22c4 100644
--- a/skills/configuring-network-segmentation-with-vlans/SKILL.md
+++ b/skills/configuring-network-segmentation-with-vlans/SKILL.md
@@ -1,15 +1,26 @@
 ---
 name: configuring-network-segmentation-with-vlans
-description: >
- Designs and implements VLAN-based network segmentation on managed switches to isolate
- network zones, enforce access control between segments, and reduce the attack surface
- by limiting lateral movement paths in enterprise network environments.
+description: 'Designs and implements VLAN-based network segmentation on managed switches to isolate network zones, enforce
+ access control between segments, and reduce the attack surface by limiting lateral movement paths in enterprise network
+ environments.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, vlan, network-segmentation, switch-security, 802.1q]
-version: "1.0"
+tags:
+- network-security
+- vlan
+- network-segmentation
+- switch-security
+- 802.1q
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Configuring Network Segmentation with VLANs
diff --git a/skills/configuring-oauth2-authorization-flow/SKILL.md b/skills/configuring-oauth2-authorization-flow/SKILL.md
index 6ec72039..76a01e9a 100644
--- a/skills/configuring-oauth2-authorization-flow/SKILL.md
+++ b/skills/configuring-oauth2-authorization-flow/SKILL.md
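Review bot: The four `nist_csf` entries added here (`PR.IR-01`, `DE.CM-01`, `ID.AM-03`, `PR.DS-02`) are byte-identical to the sets added for the pfSense, Snort and Suricata skills, and the same one-list-per-`subdomain` shape holds for the identity, zero-trust and endpoint hunks in this diff, so the mapping appears to be derived from the subdomain rather than from what each skill does. For VLAN segmentation PR.IR-01 and ID.AM-03 fit naturally, but PR.DS-02 (data-in-transit protection) is a stretch, and for the two IDS skills DE.CM-01 is the obvious anchor while PR.DS-02 and ID.AM-03 are not. If a per-subdomain default is intentional, say so where the values come from (presumably a generator script, not visible here) or with a short comment such as `# nist_csf: subdomain default, not reviewed per skill` above the key; otherwise the lists should be reviewed per skill before consumers treat them as curated mappings.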
@@ -1,12 +1,26 @@
 ---
 name: configuring-oauth2-authorization-flow
-description: Configure secure OAuth 2.0 authorization flows including Authorization Code with PKCE, Client Credentials, and Device Authorization Grant. This skill covers flow selection, PKCE implementation, token
+description: Configure secure OAuth 2.0 authorization flows including Authorization Code with PKCE, Client Credentials, and
+ Device Authorization Grant. This skill covers flow selection, PKCE implementation, token
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [iam, identity, access-control, authentication, authorization, oauth2, oidc, pkce]
-version: "1.0"
+tags:
+- iam
+- identity
+- access-control
+- authentication
+- authorization
+- oauth2
+- oidc
+- pkce
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Configuring OAuth 2.0 Authorization Flow
diff --git a/skills/configuring-pfsense-firewall-rules/SKILL.md b/skills/configuring-pfsense-firewall-rules/SKILL.md
index a9e3f648..07677f50 100644
--- a/skills/configuring-pfsense-firewall-rules/SKILL.md
+++ b/skills/configuring-pfsense-firewall-rules/SKILL.md
@@ -1,15 +1,25 @@
 ---
 name: configuring-pfsense-firewall-rules
-description: >
- Configures pfSense firewall rules, NAT policies, VPN tunnels, and traffic shaping
- to enforce network segmentation, control traffic flow, and protect internal network
- zones in enterprise and small-to-medium business environments.
+description: 'Configures pfSense firewall rules, NAT policies, VPN tunnels, and traffic shaping to enforce network segmentation,
+ control traffic flow, and protect internal network zones in enterprise and small-to-medium business environments.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, pfsense, firewall, nat, network-segmentation]
-version: "1.0"
+tags:
+- network-security
+- pfsense
+- firewall
+- nat
+- network-segmentation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Configuring pfSense Firewall Rules
diff --git a/skills/configuring-snort-ids-for-intrusion-detection/SKILL.md b/skills/configuring-snort-ids-for-intrusion-detection/SKILL.md
index a22e11c2..de021859 100644
--- a/skills/configuring-snort-ids-for-intrusion-detection/SKILL.md
+++ b/skills/configuring-snort-ids-for-intrusion-detection/SKILL.md
@@ -1,15 +1,25 @@
 ---
 name: configuring-snort-ids-for-intrusion-detection
-description: >
- Installs, configures, and tunes Snort 3 intrusion detection system to monitor
- network traffic for malicious activity using custom and community rulesets,
- preprocessors, and alert output plugins on authorized network segments.
+description: 'Installs, configures, and tunes Snort 3 intrusion detection system to monitor network traffic for malicious
+ activity using custom and community rulesets, preprocessors, and alert output plugins on authorized network segments.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, snort, ids, intrusion-detection, rule-writing]
-version: "1.0"
+tags:
+- network-security
+- snort
+- ids
+- intrusion-detection
+- rule-writing
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Configuring Snort IDS for Intrusion Detection
diff --git a/skills/configuring-suricata-for-network-monitoring/SKILL.md b/skills/configuring-suricata-for-network-monitoring/SKILL.md
index 0e983591..2e915bb7 100644
--- a/skills/configuring-suricata-for-network-monitoring/SKILL.md
+++ b/skills/configuring-suricata-for-network-monitoring/SKILL.md
@@ -1,15 +1,25 @@
 ---
 name: configuring-suricata-for-network-monitoring
-description: >
- Deploys and configures Suricata IDS/IPS with Emerging Threats rulesets, EVE JSON
- logging, and custom rules for real-time network traffic inspection, threat detection,
- and integration with SIEM platforms for centralized security monitoring.
+description: 'Deploys and configures Suricata IDS/IPS with Emerging Threats rulesets, EVE JSON logging, and custom rules for
+ real-time network traffic inspection, threat detection, and integration with SIEM platforms for centralized security monitoring.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, suricata, ids, ips, network-monitoring]
-version: "1.0"
+tags:
+- network-security
+- suricata
+- ids
+- ips
+- network-monitoring
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Configuring Suricata for Network Monitoring
diff --git a/skills/configuring-tls-1-3-for-secure-communications/SKILL.md b/skills/configuring-tls-1-3-for-secure-communications/SKILL.md
index 126d0123..48a2e110 100644
--- a/skills/configuring-tls-1-3-for-secure-communications/SKILL.md
+++ b/skills/configuring-tls-1-3-for-secure-communications/SKILL.md
@@ -1,12 +1,22 @@
 ---
 name: configuring-tls-1-3-for-secure-communications
-description: TLS 1.3 (RFC 8446) is the latest version of the Transport Layer Security protocol, providing significant improvements over TLS 1.2 in both security and performance. It reduces handshake latency to 1-R
+description: TLS 1.3 (RFC 8446) is the latest version of the Transport Layer Security protocol, providing significant improvements
+ over TLS 1.2 in both security and performance. It reduces handshake latency to 1-R
 domain: cybersecurity
 subdomain: cryptography
-tags: [cryptography, tls, ssl, transport-security, network-security]
-version: "1.0"
+tags:
+- cryptography
+- tls
+- ssl
+- transport-security
+- network-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- PR.DS-10
 ---
 
 # Configuring TLS 1.3 for Secure Communications
diff --git a/skills/configuring-windows-defender-advanced-settings/SKILL.md b/skills/configuring-windows-defender-advanced-settings/SKILL.md
index 08021843..19cf6850 100644
--- a/skills/configuring-windows-defender-advanced-settings/SKILL.md
+++ b/skills/configuring-windows-defender-advanced-settings/SKILL.md
@@ -1,18 +1,29 @@
 ---
 name: configuring-windows-defender-advanced-settings
-description: >
- Configures Microsoft Defender for Endpoint (MDE) advanced protection settings including
- attack surface reduction rules, controlled folder access, network protection, and exploit
- protection. Use when hardening Windows endpoints beyond default Defender settings, deploying
- enterprise-grade endpoint protection, or meeting compliance requirements for advanced malware
- defense. Activates for requests involving Windows Defender configuration, ASR rules, MDE
- tuning, or Microsoft endpoint security.
+description: 'Configures Microsoft Defender for Endpoint (MDE) advanced protection settings including attack surface reduction
+ rules, controlled folder access, network protection, and exploit protection. Use when hardening Windows endpoints beyond
+ default Defender settings, deploying enterprise-grade endpoint protection, or meeting compliance requirements for advanced
+ malware defense. Activates for requests involving Windows Defender configuration, ASR rules, MDE tuning, or Microsoft endpoint
+ security.
+
+ '
 domain: cybersecurity
 subdomain: endpoint-security
-tags: [endpoint, windows-security, Microsoft-Defender, ASR, exploit-protection, MDE]
+tags:
+- endpoint
+- windows-security
+- Microsoft-Defender
+- ASR
+- exploit-protection
+- MDE
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.PS-02
+- DE.CM-01
+- PR.IR-01
 ---
 
 # Configuring Windows Defender Advanced Settings
diff --git a/skills/configuring-windows-event-logging-for-detection/SKILL.md b/skills/configuring-windows-event-logging-for-detection/SKILL.md
index d4699648..095f926e 100644
--- a/skills/configuring-windows-event-logging-for-detection/SKILL.md
+++ b/skills/configuring-windows-event-logging-for-detection/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: configuring-windows-event-logging-for-detection
-description: >
- Configures Windows Event Logging with advanced audit policies to generate high-fidelity security
- events for threat detection and forensic investigation. Use when enabling audit policies for
- logon events, process creation, privilege use, and object access to feed SIEM detection rules.
- Activates for requests involving Windows audit policy, event log configuration, security
- logging, or detection-oriented logging.
+description: 'Configures Windows Event Logging with advanced audit policies to generate high-fidelity security events for
+ threat detection and forensic investigation. Use when enabling audit policies for logon events, process creation, privilege
+ use, and object access to feed SIEM detection rules. Activates for requests involving Windows audit policy, event log configuration,
+ security logging, or detection-oriented logging.
+
+ '
 domain: cybersecurity
 subdomain: endpoint-security
-tags: [endpoint, windows-security, event-logging, audit-policy, detection-engineering]
+tags:
+- endpoint
+- windows-security
+- event-logging
+- audit-policy
+- detection-engineering
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.PS-02
+- DE.CM-01
+- PR.IR-01
 ---
 
 # Configuring Windows Event Logging for Detection
diff --git a/skills/configuring-zscaler-private-access-for-ztna/SKILL.md b/skills/configuring-zscaler-private-access-for-ztna/SKILL.md
index ff541f4f..9cd61d10 100644
--- a/skills/configuring-zscaler-private-access-for-ztna/SKILL.md
+++ b/skills/configuring-zscaler-private-access-for-ztna/SKILL.md
@@ -1,15 +1,28 @@
 ---
 name: configuring-zscaler-private-access-for-ztna
-description: >
- Configuring Zscaler Private Access (ZPA) to replace traditional VPN with zero trust
- network access by deploying App Connectors, defining application segments, configuring
- access policies based on user identity and device posture, and integrating with IdPs.
+description: 'Configuring Zscaler Private Access (ZPA) to replace traditional VPN with zero trust network access by deploying
+ App Connectors, defining application segments, configuring access policies based on user identity and device posture, and
+ integrating with IdPs.
+
+ '
 domain: cybersecurity
 subdomain: zero-trust-architecture
-tags: [zscaler, zpa, ztna, zero-trust, app-connector, access-policy, sase]
-version: "1.0"
+tags:
+- zscaler
+- zpa
+- ztna
+- zero-trust
+- app-connector
+- access-policy
+- sase
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 
 # Configuring Zscaler Private Access for ZTNA
diff --git a/skills/containing-active-breach/SKILL.md b/skills/containing-active-breach/SKILL.md
index ff59a0ca..42a51df4 100644
--- a/skills/containing-active-breach/SKILL.md
+++ b/skills/containing-active-breach/SKILL.md
@@ -1,19 +1,32 @@
 ---
 name: containing-active-breach
-description: >
- Executes containment strategies to stop active adversary operations and prevent
- lateral movement during a confirmed security breach. Implements short-term and
- long-term containment using network segmentation, endpoint isolation, credential
- revocation, and access control modifications. Activates for requests involving
- breach containment, lateral movement prevention, network isolation, active
- threat containment, or live incident response.
+description: 'Executes containment strategies to stop active adversary operations and prevent lateral movement during a confirmed
+ security breach. Implements short-term and long-term containment using network segmentation, endpoint isolation, credential
+ revocation, and access control modifications. Activates for requests involving breach containment, lateral movement prevention,
+ network isolation, active threat containment, or live incident response.
+
+ '
 domain: cybersecurity
 subdomain: incident-response
-tags: [breach-containment, lateral-movement, network-isolation, credential-revocation, live-response]
-mitre_attack: ["T1021", "T1570", "T1210", "T1072"]
+tags:
+- breach-containment
+- lateral-movement
+- network-isolation
+- credential-revocation
+- live-response
+mitre_attack:
+- T1021
+- T1570
+- T1210
+- T1072
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 
 # Containing Active Breaches
diff --git a/skills/correlating-security-events-in-qradar/SKILL.md b/skills/correlating-security-events-in-qradar/SKILL.md
index e0aad2cc..cfbae8d6 100644
--- a/skills/correlating-security-events-in-qradar/SKILL.md
+++ b/skills/correlating-security-events-in-qradar/SKILL.md
@@ -1,16 +1,28 @@
 ---
 name: correlating-security-events-in-qradar
-description: >
- Correlates security events in IBM QRadar SIEM using AQL (Ariel Query Language), custom rules,
- building blocks, and offense management to detect multi-stage attacks across network, endpoint,
- and application log sources. Use when SOC analysts need to investigate QRadar offenses, build
- correlation rules, or tune detection logic for reducing false positives.
+description: 'Correlates security events in IBM QRadar SIEM using AQL (Ariel Query Language), custom rules, building blocks,
+ and offense management to detect multi-stage attacks across network, endpoint, and application log sources. Use when SOC
+ analysts need to investigate QRadar offenses, build correlation rules, or tune detection logic for reducing false positives.
+
+ '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, qradar, siem, aql, correlation, offense-management, ibm]
-version: "1.0"
+tags:
+- soc
+- qradar
+- siem
+- aql
+- correlation
+- offense-management
+- ibm
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 
 # Correlating Security Events in QRadar
diff --git a/skills/correlating-threat-campaigns/SKILL.md b/skills/correlating-threat-campaigns/SKILL.md
index ec0b7dcd..e0baf2ef 100644
--- a/skills/correlating-threat-campaigns/SKILL.md
+++ b/skills/correlating-threat-campaigns/SKILL.md
@@ -1,18 +1,31 @@
 ---
 name: correlating-threat-campaigns
-description: >
- Correlates disparate security incidents, IOCs, and adversary behaviors across time and
- organizations to identify unified threat campaigns, attribute them to common threat actors,
- and extract shared indicators for improved detection. Use when multiple incidents exhibit
- overlapping indicators, when sector-wide attack campaigns require cross-organizational analysis,
- or when building campaign-level intelligence products. Activates for requests involving campaign
- analysis, incident clustering, cross-organizational IOC correlation, or MISP correlation engine.
+description: 'Correlates disparate security incidents, IOCs, and adversary behaviors across time and organizations to identify
+ unified threat campaigns, attribute them to common threat actors, and extract shared indicators for improved detection.
+ Use when multiple incidents exhibit overlapping indicators, when sector-wide attack campaigns require cross-organizational
+ analysis, or when building campaign-level intelligence products. Activates for requests involving campaign analysis, incident
+ clustering, cross-organizational IOC correlation, or MISP correlation engine.
+
+ '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [campaign-analysis, correlation, MISP, ATT&CK, threat-actor, intrusion-set, clustering, CTI]
+tags:
+- campaign-analysis
+- correlation
+- MISP
+- ATT&CK
+- threat-actor
+- intrusion-set
+- clustering
+- CTI
 version: 1.0.0
 author: team-cybersecurity
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Correlating Threat Campaigns
diff --git a/skills/deobfuscating-javascript-malware/SKILL.md b/skills/deobfuscating-javascript-malware/SKILL.md
index 27cbf1f5..b253577d 100644
--- a/skills/deobfuscating-javascript-malware/SKILL.md
+++ b/skills/deobfuscating-javascript-malware/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: deobfuscating-javascript-malware
-description: >
- Deobfuscates malicious JavaScript code used in web-based attacks, phishing pages, and
- dropper scripts by reversing encoding layers, eval chains, string manipulation, and
- control flow obfuscation to reveal the original malicious logic. Activates for requests
- involving JavaScript malware analysis, script deobfuscation, web skimmer analysis, or
- obfuscated dropper investigation.
+description: 'Deobfuscates malicious JavaScript code used in web-based attacks, phishing pages, and dropper scripts by reversing
+ encoding layers, eval chains, string manipulation, and control flow obfuscation to reveal the original malicious logic.
+ Activates for requests involving JavaScript malware analysis, script deobfuscation, web skimmer analysis, or obfuscated
+ dropper investigation.
+
+ '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, JavaScript, deobfuscation, web-malware, script-analysis]
+tags:
+- malware
+- JavaScript
+- deobfuscation
+- web-malware
+- script-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Deobfuscating JavaScript Malware
diff --git a/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md b/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md
index 4d2d5abc..e64db0c5 100644
--- a/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md
+++ b/skills/deobfuscating-powershell-obfuscated-malware/SKILL.md
@@ -1,6 +1,10 @@
 ---
-{}
----tags:
+name: deobfuscating-powershell-obfuscated-malware
+description: Systematically deobfuscate multi-layer PowerShell malware using AST analysis, dynamic tracing, and tools like
+ PSDecode and PowerDecode to reveal hidden payloads and C2 infrastructure.
+domain: cybersecurity
+subdomain: malware-analysis
+tags:
 - powershell
 - deobfuscation
 - malware-analysis
@@ -8,4 +12,374 @@
 - obfuscation
 - ast-analysis
 - incident-response
+mitre_attack:
+- T1059.001
+- T1027
+- T1140
 version: '1.0'
+author: mahipal
+license: Apache-2.0
+d3fend_techniques:
+- Executable Denylisting
+- Execution Isolation
+- File Metadata Consistency Validation
+- Content Format Conversion
+- File Content Analysis
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
+---
+# Deobfuscating PowerShell Obfuscated Malware
+
+## Overview
+
+PowerShell is heavily abused by malware authors due to its deep Windows integration and powerful scripting capabilities. Obfuscation techniques include string concatenation, Base64 encoding, character substitution, Invoke-Expression layering, SecureString abuse, environment variable manipulation, and tick-mark insertion. Modern malware uses multiple obfuscation layers requiring iterative deobfuscation. Tools like PSDecode, PowerDecode, and PowerPeeler automate much of this process, while manual AST (Abstract Syntax Tree) analysis handles custom obfuscation. PowerPeeler achieves a 95% deobfuscation correctness rate using instruction-level dynamic analysis of expression-related AST nodes.
+
+
+## When to Use
+
+- When performing authorized security testing that involves deobfuscating powershell obfuscated malware
+- When analyzing malware samples or attack artifacts in a controlled environment
+- When conducting red team exercises or penetration testing engagements
+- When building detection capabilities based on offensive technique understanding
+
+## Prerequisites
+
+- Python 3.9+ with `base64`, `re`, `subprocess` modules
+- PowerShell 5.1+ or PowerShell 7+ (for AST access)
+- PSDecode (`Install-Module PSDecode`)
+- PowerDecode (https://github.com/Malandrone/PowerDecode)
+- Isolated VM or sandbox for safe script execution
+- CyberChef for manual encoding transformations
+- Understanding of PowerShell AST and Invoke-Expression patterns
+
+## Key Concepts
+
+### Common Obfuscation Techniques
+
+PowerShell malware employs layered obfuscation to evade static detection. String concatenation splits commands across variables (`$a='In'+'voke'`). Base64 encoding wraps entire scripts in `-EncodedCommand` parameters. Character code arrays use `[char]` casting (`[char[]](73,69,88)|%{$r+=$_}`). Environment variable abuse reads substrings from `$env:` paths. Tick-mark insertion adds backticks between characters that PowerShell ignores (`I`nv`oke-Exp`ression`). SecureString conversion encrypts strings using ConvertTo-SecureString with embedded keys.
+
+### AST-Based Deobfuscation
+
+PowerShell's Abstract Syntax Tree exposes the parsed structure of scripts regardless of surface-level obfuscation. By walking the AST and evaluating expression nodes, analysts can resolve concatenated strings, decode encoded values, and reconstruct the original commands. PowerPeeler uses this approach at the instruction level, monitoring the execution process to correlate AST nodes with their evaluated results.
+ +### Dynamic Execution Tracing + +By replacing `Invoke-Expression` (IEX) with `Write-Output`, analysts can safely capture the deobfuscated script content that would normally be executed. This technique works across multiple layers by iteratively replacing IEX calls until the final payload is revealed. + +## Workflow + +### Step 1: Identify Obfuscation Layers + +```python +#!/usr/bin/env python3 +"""Identify and classify PowerShell obfuscation techniques.""" +import re +import base64 +import sys + + +def analyze_obfuscation(script_content): + """Identify obfuscation techniques used in PowerShell script.""" + techniques = [] + + # Check for Base64 encoded command + b64_pattern = re.compile( + r'-[Ee](?:nc(?:odedcommand)?)\s+([A-Za-z0-9+/=]{20,})', + re.IGNORECASE + ) + if b64_pattern.search(script_content): + techniques.append("Base64 EncodedCommand") + + # Check for FromBase64String + if re.search(r'\[Convert\]::FromBase64String', script_content, re.IGNORECASE): + techniques.append("Base64 FromBase64String") + + # Check for string concatenation + concat_count = script_content.count("'+'") + script_content.count('"+"') + if concat_count > 3: + techniques.append(f"String Concatenation ({concat_count} joins)") + + # Check for char array construction + if re.search(r'\[char\]\s*\d+', script_content, re.IGNORECASE): + techniques.append("Character Code Array") + + # Check for Invoke-Expression variants + iex_patterns = [ + r'Invoke-Expression', + r'\bIEX\b', + r'\.\s*\(\s*\$', + r'&\s*\(\s*\$', + r'\|\s*IEX', + r'\|\s*Invoke-Expression', + ] + for pattern in iex_patterns: + if re.search(pattern, script_content, re.IGNORECASE): + techniques.append(f"Invoke-Expression variant: {pattern}") + + # Check for tick-mark obfuscation + tick_count = script_content.count('`') + if tick_count > 5: + techniques.append(f"Tick-mark Insertion ({tick_count} backticks)") + + # Check for environment variable abuse + if re.search(r'\$env:', script_content, re.IGNORECASE): + env_refs = 
re.findall(r'\$env:\w+', script_content, re.IGNORECASE) + if len(env_refs) > 2: + techniques.append(f"Environment Variable Abuse ({len(env_refs)} refs)") + + # Check for SecureString + if re.search(r'ConvertTo-SecureString', script_content, re.IGNORECASE): + techniques.append("SecureString Encryption") + + # Check for compression + if re.search(r'IO\.Compression|DeflateStream|GZipStream', + script_content, re.IGNORECASE): + techniques.append("Compression (Deflate/GZip)") + + # Check for XOR encoding + if re.search(r'-bxor\s+\d+', script_content, re.IGNORECASE): + techniques.append("XOR Encoding") + + # Check for Replace chain + replace_count = len(re.findall(r'\.Replace\(', script_content)) + if replace_count > 2: + techniques.append(f"Replace Chain ({replace_count} replacements)") + + return techniques + + +def decode_base64_command(script_content): + """Extract and decode Base64 encoded commands.""" + b64_match = re.search( + r'-[Ee](?:nc(?:odedcommand)?)\s+([A-Za-z0-9+/=]{20,})', + script_content, re.IGNORECASE + ) + if b64_match: + encoded = b64_match.group(1) + try: + decoded = base64.b64decode(encoded).decode('utf-16-le') + return decoded + except Exception: + return None + return None + + +def remove_tick_marks(script_content): + """Remove PowerShell tick-mark obfuscation.""" + # Remove backticks that are not escape sequences + escape_chars = {'`n', '`r', '`t', '`a', '`b', '`f', '`v', '`0', '``'} + result = [] + i = 0 + while i < len(script_content): + if script_content[i] == '`' and i + 1 < len(script_content): + pair = script_content[i:i+2] + if pair in escape_chars: + result.append(pair) + i += 2 + else: + # Skip the backtick, keep the next char + result.append(script_content[i+1]) + i += 2 + else: + result.append(script_content[i]) + i += 1 + return ''.join(result) + + +def resolve_string_concat(script_content): + """Resolve simple string concatenation patterns.""" + # Pattern: 'str1' + 'str2' + pattern = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'") + while 
pattern.search(script_content): + script_content = pattern.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", + script_content) + # Pattern: "str1" + "str2" + pattern = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"') + while pattern.search(script_content): + script_content = pattern.sub(lambda m: f'"{m.group(1)}{m.group(2)}"', + script_content) + return script_content + + +if __name__ == "__main__": + if len(sys.argv) < 2: + print(f"Usage: {sys.argv[0]} ") + sys.exit(1) + + with open(sys.argv[1], 'r', errors='replace') as f: + content = f.read() + + print("[+] Obfuscation Analysis") + print("=" * 60) + techniques = analyze_obfuscation(content) + for t in techniques: + print(f" - {t}") + + # Attempt automatic deobfuscation + print("\n[+] Attempting Deobfuscation") + print("=" * 60) + + # Layer 1: Remove tick marks + deobfuscated = remove_tick_marks(content) + + # Layer 2: Resolve string concatenation + deobfuscated = resolve_string_concat(deobfuscated) + + # Layer 3: Decode Base64 + b64_decoded = decode_base64_command(deobfuscated) + if b64_decoded: + print("[+] Base64 decoded content:") + print(b64_decoded[:2000]) + deobfuscated = b64_decoded + + print(f"\n[+] Deobfuscated script length: {len(deobfuscated)} chars") + output_file = sys.argv[1] + ".deobfuscated.ps1" + with open(output_file, 'w') as f: + f.write(deobfuscated) + print(f"[+] Saved to {output_file}") +``` + +### Step 2: Multi-Layer IEX Replacement + +```python +import subprocess +import tempfile +import os + +def iex_replacement_deobfuscate(script_content, max_layers=10): + """Iteratively replace IEX with Write-Output to unwrap layers.""" + # IEX replacement patterns + replacements = [ + (r'\bInvoke-Expression\b', 'Write-Output'), + (r'\bIEX\b', 'Write-Output'), + (r'\|\s*IEX\b', '| Write-Output'), + ] + + current = script_content + layers = [] + + for layer_num in range(max_layers): + # Apply IEX replacements + modified = current + for pattern, replacement in replacements: + modified = re.sub(pattern, replacement, 
modified, flags=re.IGNORECASE) + + if modified == current and layer_num > 0: + print(f" [+] No more IEX layers found at layer {layer_num}") + break + + # Write to temp file and execute in constrained PowerShell + with tempfile.NamedTemporaryFile(mode='w', suffix='.ps1', + delete=False) as tmp: + tmp.write(modified) + tmp_path = tmp.name + + try: + result = subprocess.run( + ['powershell', '-NoProfile', '-ExecutionPolicy', 'Bypass', + '-File', tmp_path], + capture_output=True, text=True, timeout=30 + ) + + output = result.stdout.strip() + if output and output != current: + print(f" [+] Layer {layer_num + 1}: Unwrapped " + f"{len(output)} chars") + layers.append({ + "layer": layer_num + 1, + "technique": "IEX replacement", + "content_length": len(output), + }) + current = output + else: + break + + except subprocess.TimeoutExpired: + print(f" [!] Layer {layer_num + 1}: Execution timeout") + break + finally: + os.unlink(tmp_path) + + return current, layers +``` + +### Step 3: Extract IOCs from Deobfuscated Script + +```python +def extract_iocs_from_script(deobfuscated_content): + """Extract indicators of compromise from deobfuscated PowerShell.""" + iocs = { + "urls": [], + "ips": [], + "domains": [], + "file_paths": [], + "registry_keys": [], + "commands": [], + "base64_blobs": [], + } + + # URLs + url_pattern = re.compile( + r'https?://[^\s\'"<>)\]]+', re.IGNORECASE + ) + iocs["urls"] = list(set(url_pattern.findall(deobfuscated_content))) + + # IP addresses + ip_pattern = re.compile( + r'\b(?:\d{1,3}\.){3}\d{1,3}\b' + ) + iocs["ips"] = list(set(ip_pattern.findall(deobfuscated_content))) + + # File paths + path_pattern = re.compile( + r'[A-Za-z]:\\[^\s\'"<>|]+|' + r'\\\\[^\s\'"<>|]+|' + r'%(?:APPDATA|TEMP|USERPROFILE|PROGRAMFILES)%[^\s\'"<>|]*', + re.IGNORECASE + ) + iocs["file_paths"] = list(set(path_pattern.findall(deobfuscated_content))) + + # Registry keys + reg_pattern = re.compile( + r'(?:HKLM|HKCU|HKCR|HKU|HKCC)(?:\\[^\s\'"<>|]+)+', + re.IGNORECASE + ) + 
iocs["registry_keys"] = list(set(reg_pattern.findall(deobfuscated_content))) + + # Suspicious commands + suspicious_cmds = [ + 'New-Object Net.WebClient', + 'DownloadString', 'DownloadFile', 'DownloadData', + 'Start-Process', 'Invoke-WebRequest', + 'New-Object IO.MemoryStream', + 'Reflection.Assembly', + 'Add-MpPreference -ExclusionPath', + 'Set-MpPreference -DisableRealtimeMonitoring', + 'New-ScheduledTask', 'Register-ScheduledTask', + ] + for cmd in suspicious_cmds: + if cmd.lower() in deobfuscated_content.lower(): + iocs["commands"].append(cmd) + + return iocs +``` + +## Validation Criteria + +- All obfuscation layers identified and classified correctly +- Base64 encoded commands decoded to readable PowerShell +- Tick-mark and string concatenation obfuscation resolved +- IEX replacement reveals next-stage payloads +- URLs, IPs, and file paths extracted from final deobfuscated stage +- Deobfuscated script matches observed malware behavior in sandbox + +## References + +- [PSDecode - PowerShell Deobfuscation](https://github.com/R3MRUM/PSDecode) +- [PowerDecode - Multi-layer Deobfuscation](https://github.com/Malandrone/PowerDecode) +- [PowerPeeler - Instruction-level Deobfuscation](https://arxiv.org/html/2406.04027v2) +- [SentinelOne - Deconstructing PowerShell Obfuscation](https://www.sentinelone.com/blog/deconstructing-powershell-obfuscation-in-malspam-campaigns/) +- [MITRE ATT&CK T1059.001 - PowerShell](https://attack.mitre.org/techniques/T1059/001/) diff --git a/skills/deploying-active-directory-honeytokens/SKILL.md b/skills/deploying-active-directory-honeytokens/SKILL.md index 8e755a69..47167a56 100644 --- a/skills/deploying-active-directory-honeytokens/SKILL.md +++ b/skills/deploying-active-directory-honeytokens/SKILL.md 
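Review bot: Step 2's `iex_replacement_deobfuscate` runs the rewritten sample with `powershell -ExecutionPolicy Bypass -File` on whatever host invokes it, and replacing a literal `Invoke-Expression`/`IEX` with `Write-Output` leaves every other execution and network primitive live: the `& ($x)` and `. ($x)` variants the skill itself flags in Step 1, `[ScriptBlock]::Create`, `Start-Process`, a nested `powershell -e`, and `IEX (New-Object Net.WebClient).DownloadString(...)`, which still contacts the C2 before `Write-Output` prints the result. The comment says "constrained PowerShell" but nothing constrains it, so I would gate execution behind an explicit opt-in, refuse any layer that still contains those primitives (sketch below), and add `-NonInteractive` so a prompting payload fails instead of idling until the timeout; the snippet also uses `re` without importing it. Separately, the `-EncodedCommand` regex `-[Ee](?:nc(?:odedcommand)?)\s+` in `analyze_obfuscation` and `decode_base64_command` misses the common short forms `-e` and `-ec`; since the flag is already `re.IGNORECASE`, `-e(?:c|n[a-z]*)?\s+` covers the prefixes powershell.exe accepts. `remove_tick_marks` likewise strips the backtick from `` `$ `` and `` `" ``, which are escapes inside double-quoted strings, so the output can interpolate variables the original did not; add both pairs to `escape_chars`.
```python
# Primitives that still execute code or touch the network after IEX -> Write-Output
UNSAFE_AFTER_IEX = [
    r'&\s*\(', r'\.\s*\(\s*\$', r'\[ScriptBlock\]::Create', r'InvokeCommand\.InvokeScript',
    r'Invoke-Command', r'Start-Process', r'powershell(?:\.exe)?\s+-e',
    r'DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|Net\.Sockets',
]


def _refuse_unless_isolated(modified):
    """Abort before running a layer unless the operator opted in and no live primitives remain."""
    if os.environ.get('DEOBF_ALLOW_EXEC') != '1':
        raise RuntimeError('set DEOBF_ALLOW_EXEC=1 only inside an isolated, network-disconnected VM')
    hits = [p for p in UNSAFE_AFTER_IEX if re.search(p, modified, re.IGNORECASE)]
    if hits:
        raise RuntimeError(f'layer still contains execution/network primitives, hand off to a sandbox: {hits}')

# … unchanged: iex_replacement_deobfuscate up to the temp-file write …
        _refuse_unless_isolated(modified)
        # … unchanged: NamedTemporaryFile write …
            result = subprocess.run(
                ['powershell', '-NoProfile', '-NonInteractive', '-NoLogo',
                 '-ExecutionPolicy', 'Bypass', '-File', tmp_path],
                capture_output=True, text=True, timeout=30
            )
```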
@@ -1,17 +1,28 @@
 ---
 name: deploying-active-directory-honeytokens
-description: >
- Deploys deception-based honeytokens in Active Directory including fake privileged accounts
- with AdminCount=1, fake SPNs for Kerberoasting detection (honeyroasting), decoy GPOs with
- cpassword traps, and fake BloodHound paths. Monitors Windows Security Event IDs 4769, 4625,
- 4662, 5136 for honeytoken interaction. Use when implementing AD deception defenses for
- detecting lateral movement, credential theft, and reconnaissance.
+description: 'Deploys deception-based honeytokens in Active Directory including fake privileged accounts with AdminCount=1,
+ fake SPNs for Kerberoasting detection (honeyroasting), decoy GPOs with cpassword traps, and fake BloodHound paths. Monitors
+ Windows Security Event IDs 4769, 4625, 4662, 5136 for honeytoken interaction. Use when implementing AD deception defenses
+ for detecting lateral movement, credential theft, and reconnaissance.
+
+ '
 domain: cybersecurity
 subdomain: deception-technology
-tags: [active-directory, honeytokens, kerberoasting, deception, detection, bloodhound, gpo]
-version: "1.0"
+tags:
+- active-directory
+- honeytokens
+- kerberoasting
+- deception
+- detection
+- bloodhound
+- gpo
+version: '1.0'
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-06
+- PR.IR-01
 ---
 # Deploying Active Directory Honeytokens
diff --git a/skills/deploying-cloudflare-access-for-zero-trust/SKILL.md b/skills/deploying-cloudflare-access-for-zero-trust/SKILL.md
index 6147d879..9502b4ed 100644
--- a/skills/deploying-cloudflare-access-for-zero-trust/SKILL.md
+++ b/skills/deploying-cloudflare-access-for-zero-trust/SKILL.md
@@ -26,6 +26,11 @@ nist_ai_rmf:
 - MEASURE-2.5
 - GOVERN-6.1
 - MAP-5.1
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 # Deploying Cloudflare Access for Zero Trust
diff --git a/skills/deploying-decoy-files-for-ransomware-detection/SKILL.md b/skills/deploying-decoy-files-for-ransomware-detection/SKILL.md
index 7ac70104..a9e37384 100644
--- a/skills/deploying-decoy-files-for-ransomware-detection/SKILL.md
+++ b/skills/deploying-decoy-files-for-ransomware-detection/SKILL.md
@@ -1,18 +1,28 @@
 ---
 name: deploying-decoy-files-for-ransomware-detection
-description: >
- Deploys canary files (honeytokens) across file systems to detect ransomware
- encryption activity in real time. Uses strategically placed decoy documents
- monitored via file integrity monitoring or OS-level watchdogs to trigger
- alerts when ransomware modifies or encrypts them. Activates for requests
- involving ransomware canary deployment, honeyfile setup, deception-based
- ransomware detection, or file integrity monitoring for encryption.
+description: 'Deploys canary files (honeytokens) across file systems to detect ransomware encryption activity in real time.
+ Uses strategically placed decoy documents monitored via file integrity monitoring or OS-level watchdogs to trigger alerts
+ when ransomware modifies or encrypts them. Activates for requests involving ransomware canary deployment, honeyfile setup,
+ deception-based ransomware detection, or file integrity monitoring for encryption.
+
+ '
 domain: cybersecurity
 subdomain: ransomware-defense
-tags: [ransomware, detection, canary-files, honeytokens, deception, file-integrity]
+tags:
+- ransomware
+- detection
+- canary-files
+- honeytokens
+- deception
+- file-integrity
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-11
+- RS.MA-01
+- RC.RP-01
+- PR.IR-01
 ---
 # Deploying Decoy Files for Ransomware Detection
diff --git a/skills/deploying-edr-agent-with-crowdstrike/SKILL.md b/skills/deploying-edr-agent-with-crowdstrike/SKILL.md
index 0854f45e..c88c93da 100644
--- a/skills/deploying-edr-agent-with-crowdstrike/SKILL.md
+++ b/skills/deploying-edr-agent-with-crowdstrike/SKILL.md
@@ -28,6 +28,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.PS-01
+- PR.PS-02
+- DE.CM-01
+- PR.IR-01
 ---
 # Deploying EDR Agent with CrowdStrike
diff --git a/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md b/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md
index 61dd827d..096b8190 100644
--- a/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md
+++ b/skills/deploying-osquery-for-endpoint-monitoring/SKILL.md
@@ -1,18 +1,34 @@
 ---
 name: deploying-osquery-for-endpoint-monitoring
-description: >
- Deploys and configures osquery for real-time endpoint monitoring using SQL-based queries to
- inspect running processes, open ports, installed software, and system configuration. Use when
- building visibility into endpoint state, threat hunting across fleet, or implementing
- compliance monitoring. Activates for requests involving osquery deployment, endpoint visibility,
- fleet management, or SQL-based endpoint querying.
+description: 'Deploys and configures osquery for real-time endpoint monitoring using SQL-based queries to inspect running
+ processes, open ports, installed software, and system configuration. Use when building visibility into endpoint state, threat
+ hunting across fleet, or implementing compliance monitoring. Activates for requests involving osquery deployment, endpoint
+ visibility, fleet management, or SQL-based endpoint querying.
+
+ '
 domain: cybersecurity
 subdomain: endpoint-security
-tags: [endpoint, osquery, endpoint-monitoring, threat-hunting, fleet-management]
-mitre_attack: ["T1547", "T1049", "T1620", "T1053.003", "T1548.001", "T1552"]
+tags:
+- endpoint
+- osquery
+- endpoint-monitoring
+- threat-hunting
+- fleet-management
+mitre_attack:
+- T1547
+- T1049
+- T1620
+- T1053.003
+- T1548.001
+- T1552
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.PS-02
+- DE.CM-01
+- PR.IR-01
 ---
 # Deploying Osquery for Endpoint Monitoring
diff --git a/skills/deploying-palo-alto-prisma-access-zero-trust/SKILL.md b/skills/deploying-palo-alto-prisma-access-zero-trust/SKILL.md
index ebf25c5d..bc1d7e0b 100644
--- a/skills/deploying-palo-alto-prisma-access-zero-trust/SKILL.md
+++ b/skills/deploying-palo-alto-prisma-access-zero-trust/SKILL.md
@@ -21,6 +21,11 @@ nist_ai_rmf:
 - GOVERN-1.1
 - MEASURE-2.7
 - MANAGE-3.1
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 # Deploying Palo Alto Prisma Access Zero Trust
diff --git a/skills/deploying-ransomware-canary-files/SKILL.md b/skills/deploying-ransomware-canary-files/SKILL.md
index ebe00abd..dcb034e5 100644
--- a/skills/deploying-ransomware-canary-files/SKILL.md
+++ b/skills/deploying-ransomware-canary-files/SKILL.md
@@ -1,19 +1,30 @@
 ---
 name: deploying-ransomware-canary-files
-description: >
- Deploys and monitors ransomware canary files across critical directories using
- Python's watchdog library for real-time filesystem event detection. Places
- strategically named decoy files that mimic high-value targets (financial records,
- credentials, database exports) in locations ransomware typically enumerates first.
- Monitors for any read, modify, rename, or delete operations on canary files and
- triggers immediate alerts via email, Slack webhook, or syslog when interaction is
- detected, providing early warning before full encryption begins.
+description: 'Deploys and monitors ransomware canary files across critical directories using Python''s watchdog library for
+ real-time filesystem event detection. Places strategically named decoy files that mimic high-value targets (financial records,
+ credentials, database exports) in locations ransomware typically enumerates first. Monitors for any read, modify, rename,
+ or delete operations on canary files and triggers immediate alerts via email, Slack webhook, or syslog when interaction
+ is detected, providing early warning before full encryption begins.
+
+ '
 domain: cybersecurity
 subdomain: ransomware-defense
-tags: [ransomware, canary-files, watchdog, detection, early-warning, deception, defense]
+tags:
+- ransomware
+- canary-files
+- watchdog
+- detection
+- early-warning
+- deception
+- defense
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-11
+- RS.MA-01
+- RC.RP-01
+- PR.IR-01
 ---
 # Deploying Ransomware Canary Files
diff --git a/skills/deploying-software-defined-perimeter/SKILL.md b/skills/deploying-software-defined-perimeter/SKILL.md
index fc7eb86e..55522b97 100644
--- a/skills/deploying-software-defined-perimeter/SKILL.md
+++ b/skills/deploying-software-defined-perimeter/SKILL.md
@@ -1,12 +1,23 @@
 ---
 name: deploying-software-defined-perimeter
-description: Deploy a Software-Defined Perimeter using the CSA v2.0 specification with Single Packet Authorization, mutual TLS, and SDP controller/gateway configuration to enforce zero trust network access.
+description: Deploy a Software-Defined Perimeter using the CSA v2.0 specification with Single Packet Authorization, mutual
+ TLS, and SDP controller/gateway configuration to enforce zero trust network access.
 domain: cybersecurity
 subdomain: zero-trust-architecture
-tags: [zero-trust, sdp, software-defined-perimeter, network-access, ztna]
-version: "1.0"
+tags:
+- zero-trust
+- sdp
+- software-defined-perimeter
+- network-access
+- ztna
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 # Deploying Software-Defined Perimeter
diff --git a/skills/deploying-tailscale-for-zero-trust-vpn/SKILL.md b/skills/deploying-tailscale-for-zero-trust-vpn/SKILL.md
index c7d26819..5a3cca73 100644
--- a/skills/deploying-tailscale-for-zero-trust-vpn/SKILL.md
+++ b/skills/deploying-tailscale-for-zero-trust-vpn/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: deploying-tailscale-for-zero-trust-vpn
-description: Deploy and configure Tailscale as a WireGuard-based zero trust mesh VPN with identity-aware access controls, ACLs, and exit nodes for secure peer-to-peer connectivity.
+description: Deploy and configure Tailscale as a WireGuard-based zero trust mesh VPN with identity-aware access controls,
+ ACLs, and exit nodes for secure peer-to-peer connectivity.
 domain: cybersecurity
 subdomain: zero-trust-architecture
-tags: [zero-trust, tailscale, wireguard, mesh-vpn, ztna, peer-to-peer, acl, identity-aware, headscale]
-version: "1.0"
+tags:
+- zero-trust
+- tailscale
+- wireguard
+- mesh-vpn
+- ztna
+- peer-to-peer
+- acl
+- identity-aware
+- headscale
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 # Deploying Tailscale for Zero Trust VPN
diff --git a/skills/detecting-ai-model-prompt-injection-attacks/SKILL.md b/skills/detecting-ai-model-prompt-injection-attacks/SKILL.md
index 54e5c1da..2e5ce83c 100644
--- a/skills/detecting-ai-model-prompt-injection-attacks/SKILL.md
+++ b/skills/detecting-ai-model-prompt-injection-attacks/SKILL.md
@@ -38,6 +38,11 @@ d3fend_techniques:
 - Application Hardening
 - Inbound Traffic Filtering
 - User Behavior Analysis
+nist_csf:
+- GV.OC-03
+- ID.RA-01
+- PR.PS-01
+- DE.AE-02
 ---
 # Detecting AI Model Prompt Injection Attacks
diff --git a/skills/detecting-anomalies-in-industrial-control-systems/SKILL.md b/skills/detecting-anomalies-in-industrial-control-systems/SKILL.md
index b45b4a79..cf83d155 100644
--- a/skills/detecting-anomalies-in-industrial-control-systems/SKILL.md
+++ b/skills/detecting-anomalies-in-industrial-control-systems/SKILL.md
@@ -26,6 +26,11 @@ nist_ai_rmf:
 - MEASURE-2.7
 - MEASURE-2.5
 - MAP-5.1
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 # Detecting Anomalies in Industrial Control Systems
diff --git a/skills/detecting-anomalous-authentication-patterns/SKILL.md b/skills/detecting-anomalous-authentication-patterns/SKILL.md
index b94e5d67..4be269e7 100644
--- a/skills/detecting-anomalous-authentication-patterns/SKILL.md
+++ b/skills/detecting-anomalous-authentication-patterns/SKILL.md
@@ -25,6 +25,11 @@ nist_ai_rmf:
 - MEASURE-2.7
 - MEASURE-2.5
 - MAP-5.1
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 # Detecting Anomalous Authentication Patterns
diff --git a/skills/detecting-api-enumeration-attacks/SKILL.md b/skills/detecting-api-enumeration-attacks/SKILL.md
index 5a897b0f..36abc865 100644
--- a/skills/detecting-api-enumeration-attacks/SKILL.md
+++ b/skills/detecting-api-enumeration-attacks/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: detecting-api-enumeration-attacks
-description: Detect and prevent API enumeration attacks including BOLA and IDOR exploitation by monitoring sequential identifier access patterns and authorization failures.
+description: Detect and prevent API enumeration attacks including BOLA and IDOR exploitation by monitoring sequential identifier
+ access patterns and authorization failures.
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, enumeration, bola, idor, broken-object-level-authorization, owasp-api-top-10, access-control, rate-limiting]
-version: "1.0"
+tags:
+- api-security
+- enumeration
+- bola
+- idor
+- broken-object-level-authorization
+- owasp-api-top-10
+- access-control
+- rate-limiting
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Detecting API Enumeration Attacks
diff --git a/skills/detecting-arp-poisoning-in-network-traffic/SKILL.md b/skills/detecting-arp-poisoning-in-network-traffic/SKILL.md
index 14ce01d1..73e1b4f5 100644
--- a/skills/detecting-arp-poisoning-in-network-traffic/SKILL.md
+++ b/skills/detecting-arp-poisoning-in-network-traffic/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: detecting-arp-poisoning-in-network-traffic
-description: Detect and prevent ARP spoofing attacks using ARPWatch, Dynamic ARP Inspection, Wireshark analysis, and custom monitoring scripts to protect against man-in-the-middle interception.
+description: Detect and prevent ARP spoofing attacks using ARPWatch, Dynamic ARP Inspection, Wireshark analysis, and custom
+ monitoring scripts to protect against man-in-the-middle interception.
 domain: cybersecurity
 subdomain: network-security
-tags: [arp-poisoning, arp-spoofing, mitm, dynamic-arp-inspection, arpwatch, network-security, man-in-the-middle, layer-2-security]
-version: "1.0"
+tags:
+- arp-poisoning
+- arp-spoofing
+- mitm
+- dynamic-arp-inspection
+- arpwatch
+- network-security
+- man-in-the-middle
+- layer-2-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 # Detecting ARP Poisoning in Network Traffic
diff --git a/skills/detecting-attacks-on-historian-servers/SKILL.md b/skills/detecting-attacks-on-historian-servers/SKILL.md
index 122a0471..239b4147 100644
--- a/skills/detecting-attacks-on-historian-servers/SKILL.md
+++ b/skills/detecting-attacks-on-historian-servers/SKILL.md
@@ -1,17 +1,29 @@
 ---
 name: detecting-attacks-on-historian-servers
-description: >
- Detect cyber attacks targeting OT historian servers (OSIsoft PI, Ignition,
- Wonderware) that sit at the IT/OT boundary and serve as pivot points for
- lateral movement between enterprise and control networks, including data
- manipulation, unauthorized queries, and exploitation of historian-specific
- vulnerabilities.
+description: 'Detect cyber attacks targeting OT historian servers (OSIsoft PI, Ignition, Wonderware) that sit at the IT/OT
+ boundary and serve as pivot points for lateral movement between enterprise and control networks, including data manipulation,
+ unauthorized queries, and exploitation of historian-specific vulnerabilities.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, historian, osisoft-pi, ignition, pivot-point, data-integrity, lateral-movement]
-version: "1.0"
+tags:
+- ot-security
+- ics
+- historian
+- osisoft-pi
+- ignition
+- pivot-point
+- data-integrity
+- lateral-movement
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 # Detecting Attacks on Historian Servers
diff --git a/skills/detecting-attacks-on-scada-systems/SKILL.md b/skills/detecting-attacks-on-scada-systems/SKILL.md
index 59d58fdc..21cccc14 100644
--- a/skills/detecting-attacks-on-scada-systems/SKILL.md
+++ b/skills/detecting-attacks-on-scada-systems/SKILL.md
@@ -28,6 +28,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 # Detecting Attacks on SCADA Systems
diff --git a/skills/detecting-aws-cloudtrail-anomalies/SKILL.md b/skills/detecting-aws-cloudtrail-anomalies/SKILL.md
index 2c34cd21..5494c894 100644
--- a/skills/detecting-aws-cloudtrail-anomalies/SKILL.md
+++ b/skills/detecting-aws-cloudtrail-anomalies/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: detecting-aws-cloudtrail-anomalies
-description: Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized resource access.
+description: Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis
+ to identify credential compromise, privilege escalation, and unauthorized resource access.
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, aws, cloudtrail, anomaly-detection, threat-detection, boto3]
-version: "1.0"
+tags:
+- cloud-security
+- aws
+- cloudtrail
+- anomaly-detection
+- threat-detection
+- boto3
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 # Detecting AWS CloudTrail Anomalies
diff --git a/skills/detecting-aws-credential-exposure-with-trufflehog/SKILL.md b/skills/detecting-aws-credential-exposure-with-trufflehog/SKILL.md
index 4723e70a..1f1a8232 100644
--- a/skills/detecting-aws-credential-exposure-with-trufflehog/SKILL.md
+++ b/skills/detecting-aws-credential-exposure-with-trufflehog/SKILL.md
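Review bot: The `nist_csf` list added here (`PR.IR-01`, `ID.AM-08`, `GV.SC-06`, `DE.CM-01`) is the identical set given to every cloud-security skill in this commit (detecting-aws-credential-exposure-with-trufflehog, detecting-aws-guardduty-findings-automation, detecting-aws-iam-privilege-escalation, detecting-azure-lateral-movement, detecting-azure-service-principal-abuse, detecting-azure-storage-account-misconfigurations, detecting-cloud-threats-with-guardduty, detecting-compromised-cloud-credentials, detecting-cryptomining-in-cloud), which suggests the mapping was assigned per subdomain rather than per skill. GV.SC-06 (supplier due diligence) and ID.AM-08 (asset life-cycle management) are hard to tie to CloudTrail anomaly detection, while the outcome this skill actually serves, analysing potentially adverse events (`DE.AE-02`), is missing; the same pattern gives detecting-email-account-compromise only RS/RC outcomes and no DE.* entry even though it is a detection skill. Documenting how these lists were derived (per-skill review versus a per-subdomain default) would let reviewers judge them, and until then each list should be checked against the skill body before any framework-coverage report is built from this field.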
@@ -1,15 +1,26 @@
 ---
 name: detecting-aws-credential-exposure-with-trufflehog
-description: >
- Detecting exposed AWS credentials in source code repositories, CI/CD pipelines, and
- configuration files using TruffleHog, git-secrets, and AWS-native detection mechanisms
- to prevent credential theft and unauthorized account access.
+description: 'Detecting exposed AWS credentials in source code repositories, CI/CD pipelines, and configuration files using
+ TruffleHog, git-secrets, and AWS-native detection mechanisms to prevent credential theft and unauthorized account access.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, aws, credential-exposure, trufflehog, secrets-detection, devsecops]
-version: "1.0"
+tags:
+- cloud-security
+- aws
+- credential-exposure
+- trufflehog
+- secrets-detection
+- devsecops
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 # Detecting AWS Credential Exposure with TruffleHog
diff --git a/skills/detecting-aws-guardduty-findings-automation/SKILL.md b/skills/detecting-aws-guardduty-findings-automation/SKILL.md
index 62a99ffa..fa0e9c96 100644
--- a/skills/detecting-aws-guardduty-findings-automation/SKILL.md
+++ b/skills/detecting-aws-guardduty-findings-automation/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: detecting-aws-guardduty-findings-automation
-description: Automate AWS GuardDuty threat detection findings processing using EventBridge and Lambda to enable real-time incident response, automatic quarantine of compromised resources, and security notification workflows.
+description: Automate AWS GuardDuty threat detection findings processing using EventBridge and Lambda to enable real-time
+ incident response, automatic quarantine of compromised resources, and security notification workflows.
 domain: cybersecurity
 subdomain: cloud-security
-tags: [aws, guardduty, eventbridge, lambda, threat-detection, automation, incident-response, siem]
-version: "1.0"
+tags:
+- aws
+- guardduty
+- eventbridge
+- lambda
+- threat-detection
+- automation
+- incident-response
+- siem
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 # Detecting AWS GuardDuty Findings Automation
diff --git a/skills/detecting-aws-iam-privilege-escalation/SKILL.md b/skills/detecting-aws-iam-privilege-escalation/SKILL.md
index bfbf797a..fd814431 100644
--- a/skills/detecting-aws-iam-privilege-escalation/SKILL.md
+++ b/skills/detecting-aws-iam-privilege-escalation/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: detecting-aws-iam-privilege-escalation
-description: Detect AWS IAM privilege escalation paths using boto3 and Cloudsplaining policy analysis to identify overly permissive policies, dangerous permission combinations, and least-privilege violations
+description: Detect AWS IAM privilege escalation paths using boto3 and Cloudsplaining policy analysis to identify overly permissive
+ policies, dangerous permission combinations, and least-privilege violations
 domain: cybersecurity
 subdomain: cloud-security
-tags: [aws, iam, privilege-escalation, cloudsplaining, boto3, policy-analysis, least-privilege]
-version: "1.0"
+tags:
+- aws
+- iam
+- privilege-escalation
+- cloudsplaining
+- boto3
+- policy-analysis
+- least-privilege
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 # Detecting AWS IAM Privilege Escalation
diff --git a/skills/detecting-azure-lateral-movement/SKILL.md b/skills/detecting-azure-lateral-movement/SKILL.md
index bbb9967c..7441d218 100644
--- a/skills/detecting-azure-lateral-movement/SKILL.md
+++ b/skills/detecting-azure-lateral-movement/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: detecting-azure-lateral-movement
-description: Detect lateral movement in Azure AD/Entra ID environments using Microsoft Graph API audit logs, Azure Sentinel KQL hunting queries, and sign-in anomaly correlation to identify privilege escalation, token theft, and cross-tenant pivoting.
+description: Detect lateral movement in Azure AD/Entra ID environments using Microsoft Graph API audit logs, Azure Sentinel
+ KQL hunting queries, and sign-in anomaly correlation to identify privilege escalation, token theft, and cross-tenant pivoting.
 domain: cybersecurity
 subdomain: cloud-security
-tags: [azure, entra-id, lateral-movement, sentinel, kql, graph-api, cloud-security, threat-hunting]
-version: "1.0"
+tags:
+- azure
+- entra-id
+- lateral-movement
+- sentinel
+- kql
+- graph-api
+- cloud-security
+- threat-hunting
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 # Detecting Azure Lateral Movement
diff --git a/skills/detecting-azure-service-principal-abuse/SKILL.md b/skills/detecting-azure-service-principal-abuse/SKILL.md
index 55dcdb17..e3422a5e 100644
--- a/skills/detecting-azure-service-principal-abuse/SKILL.md
+++ b/skills/detecting-azure-service-principal-abuse/SKILL.md
@@ -22,6 +22,11 @@ d3fend_techniques:
 - Application Protocol Command Analysis
 - Reissue Credential
 - Network Isolation
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 # Detecting Azure Service Principal Abuse
diff --git a/skills/detecting-azure-storage-account-misconfigurations/SKILL.md b/skills/detecting-azure-storage-account-misconfigurations/SKILL.md
index f6617c2e..672b5f2f 100644
--- a/skills/detecting-azure-storage-account-misconfigurations/SKILL.md
+++ b/skills/detecting-azure-storage-account-misconfigurations/SKILL.md
@@ -25,6 +25,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 # Detecting Azure Storage Account Misconfigurations
diff --git a/skills/detecting-beaconing-patterns-with-zeek/SKILL.md b/skills/detecting-beaconing-patterns-with-zeek/SKILL.md
index 34ffc5c3..60b34359 100644
--- a/skills/detecting-beaconing-patterns-with-zeek/SKILL.md
+++ b/skills/detecting-beaconing-patterns-with-zeek/SKILL.md
@@ -1,16 +1,25 @@
 ---
 name: detecting-beaconing-patterns-with-zeek
-description: >
- Performs statistical analysis of Zeek conn.log connection intervals to detect C2
- beaconing patterns. Uses the ZAT library to load Zeek logs into Pandas DataFrames,
- calculates inter-arrival time standard deviation, and flags periodic connections
- with low jitter. Use when hunting for command-and-control callbacks in network data.
+description: 'Performs statistical analysis of Zeek conn.log connection intervals to detect C2 beaconing patterns. Uses the
+ ZAT library to load Zeek logs into Pandas DataFrames, calculates inter-arrival time standard deviation, and flags periodic
+ connections with low jitter. Use when hunting for command-and-control callbacks in network data.
+
+ '
 domain: cybersecurity
 subdomain: security-operations
-tags: [detecting, beaconing, patterns, with]
-version: "1.0"
+tags:
+- detecting
+- beaconing
+- patterns
+- with
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
 # Detecting Beaconing Patterns with Zeek
diff --git a/skills/detecting-bluetooth-low-energy-attacks/SKILL.md b/skills/detecting-bluetooth-low-energy-attacks/SKILL.md
index 0a0bbc0e..bb5ff148 100644
--- a/skills/detecting-bluetooth-low-energy-attacks/SKILL.md
+++ b/skills/detecting-bluetooth-low-energy-attacks/SKILL.md
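Review bot: The `tags` list converted to block style for detecting-beaconing-patterns-with-zeek is just the skill name split on hyphens — `detecting`, `beaconing`, `patterns`, `with` — so `with` and `patterns` are noise for any tag-based index, while the terms the description actually covers (`zeek`, `c2`, `threat-hunting`) are absent; the conversion was the moment to replace it, e.g. `- zeek`, `- c2`, `- beaconing`, `- threat-hunting`. detecting-insider-data-exfiltration-via-dlp carries the same name-derived list (`detecting`, `insider`, `data`, `exfiltration`) and would read better as e.g. `- dlp`, `- insider-threat`, `- data-exfiltration`. A one-line comment in the skill schema stating that tags must be topic keywords rather than name tokens would stop this reappearing in generated skills.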
@@ -1,19 +1,30 @@
 ---
 name: detecting-bluetooth-low-energy-attacks
-description: >
- Detects and analyzes Bluetooth Low Energy (BLE) security attacks including sniffing,
- replay attacks, GATT enumeration abuse, and Man-in-the-Middle interception. Uses
- Ubertooth One and nRF52840 sniffers for packet capture, the bleak Python library for
- GATT service enumeration, and crackle for BLE encryption cracking. Use when assessing
- IoT device BLE security, monitoring for BLE-based attacks on wireless infrastructure,
- or performing authorized BLE penetration testing. Activates for requests involving
- BLE security assessment, Ubertooth sniffing, GATT enumeration, or BLE replay detection.
+description: 'Detects and analyzes Bluetooth Low Energy (BLE) security attacks including sniffing, replay attacks, GATT enumeration
+ abuse, and Man-in-the-Middle interception. Uses Ubertooth One and nRF52840 sniffers for packet capture, the bleak Python
+ library for GATT service enumeration, and crackle for BLE encryption cracking. Use when assessing IoT device BLE security,
+ monitoring for BLE-based attacks on wireless infrastructure, or performing authorized BLE penetration testing. Activates
+ for requests involving BLE security assessment, Ubertooth sniffing, GATT enumeration, or BLE replay detection.
+
+ '
 domain: cybersecurity
 subdomain: wireless-security
 author: mukul975
-tags: [ble, bluetooth, ubertooth, nrf-sniffer, gatt, wireless-security, iot-security, replay-attack]
+tags:
+- ble
+- bluetooth
+- ubertooth
+- nrf-sniffer
+- gatt
+- wireless-security
+- iot-security
+- replay-attack
 version: 1.0.0
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
 ---
 # Detecting Bluetooth Low Energy Attacks
diff --git a/skills/detecting-broken-object-property-level-authorization/SKILL.md b/skills/detecting-broken-object-property-level-authorization/SKILL.md
index f6b0f2a1..f1fa796e 100644
--- a/skills/detecting-broken-object-property-level-authorization/SKILL.md
+++ b/skills/detecting-broken-object-property-level-authorization/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: detecting-broken-object-property-level-authorization
-description: Detect and test for OWASP API3:2023 Broken Object Property Level Authorization vulnerabilities including excessive data exposure and mass assignment attacks.
+description: Detect and test for OWASP API3:2023 Broken Object Property Level Authorization vulnerabilities including excessive
+ data exposure and mass assignment attacks.
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, bopla, owasp-api3, mass-assignment, excessive-data-exposure, property-level-authorization, api-testing, penetration-testing]
-version: "1.0"
+tags:
+- api-security
+- bopla
+- owasp-api3
+- mass-assignment
+- excessive-data-exposure
+- property-level-authorization
+- api-testing
+- penetration-testing
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Detecting Broken Object Property Level Authorization
diff --git a/skills/detecting-business-email-compromise-with-ai/SKILL.md b/skills/detecting-business-email-compromise-with-ai/SKILL.md
index 51150519..c64c02f8 100644
--- a/skills/detecting-business-email-compromise-with-ai/SKILL.md
+++ b/skills/detecting-business-email-compromise-with-ai/SKILL.md
@@ -32,6 +32,11 @@ d3fend_techniques:
 - Sender Reputation Analysis
 - Homoglyph Detection
 - Message Analysis
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
+- DE.AE-02
 ---
 # Detecting Business Email Compromise with AI
diff --git a/skills/detecting-business-email-compromise/SKILL.md b/skills/detecting-business-email-compromise/SKILL.md
index b057826a..71d06a9d 100644
--- a/skills/detecting-business-email-compromise/SKILL.md
+++ b/skills/detecting-business-email-compromise/SKILL.md
@@ -27,6 +27,11 @@ d3fend_techniques:
 - Application Configuration Hardening
 - Application Hardening
 - Disable Remote Access
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
+- DE.AE-02
 ---
 # Detecting Business Email Compromise
diff --git a/skills/detecting-cloud-threats-with-guardduty/SKILL.md b/skills/detecting-cloud-threats-with-guardduty/SKILL.md
index afd953fc..f92f165b 100644
--- a/skills/detecting-cloud-threats-with-guardduty/SKILL.md
+++ b/skills/detecting-cloud-threats-with-guardduty/SKILL.md
@@ -1,16 +1,26 @@
 ---
 name: detecting-cloud-threats-with-guardduty
-description: >
- This skill teaches security teams how to deploy and operationalize Amazon GuardDuty
- for continuous threat detection across AWS accounts and workloads. It covers enabling
- protection plans for S3, EKS, EC2 runtime monitoring, and Lambda, interpreting finding
- severity levels, and building automated response workflows using EventBridge and Lambda.
+description: 'This skill teaches security teams how to deploy and operationalize Amazon GuardDuty for continuous threat detection
+ across AWS accounts and workloads. It covers enabling protection plans for S3, EKS, EC2 runtime monitoring, and Lambda,
+ interpreting finding severity levels, and building automated response workflows using EventBridge and Lambda.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [amazon-guardduty, threat-detection, aws-security, runtime-monitoring, cloud-soc]
+tags:
+- amazon-guardduty
+- threat-detection
+- aws-security
+- runtime-monitoring
+- cloud-soc
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 # Detecting Cloud Threats with GuardDuty
diff --git a/skills/detecting-command-and-control-over-dns/SKILL.md b/skills/detecting-command-and-control-over-dns/SKILL.md
index d6706c6f..c971f55b 100644
--- a/skills/detecting-command-and-control-over-dns/SKILL.md
+++ b/skills/detecting-command-and-control-over-dns/SKILL.md
@@ -1,20 +1,29 @@
 ---
 name: detecting-command-and-control-over-dns
-description: >
- Detects command-and-control (C2) communications tunneled through DNS protocol
- including DNS tunneling tools (Iodine, dnscat2, dns2tcp, Cobalt Strike DNS beacon),
- domain generation algorithms (DGA), encoded payload delivery via TXT/CNAME records,
- and DNS beaconing patterns. Covers Shannon entropy analysis of query subdomains,
- statistical anomaly detection, ML-based DGA classification, passive DNS correlation,
- and Zeek/Suricata signature development. Activates for requests involving DNS-based
- C2 detection, DNS tunnel identification, suspicious DNS traffic investigation, or
- DGA domain classification.
+description: 'Detects command-and-control (C2) communications tunneled through DNS protocol including DNS tunneling tools
+ (Iodine, dnscat2, dns2tcp, Cobalt Strike DNS beacon), domain generation algorithms (DGA), encoded payload delivery via TXT/CNAME
+ records, and DNS beaconing patterns. Covers Shannon entropy analysis of query subdomains, statistical anomaly detection,
+ ML-based DGA classification, passive DNS correlation, and Zeek/Suricata signature development. Activates for requests involving
+ DNS-based C2 detection, DNS tunnel identification, suspicious DNS traffic investigation, or DGA domain classification.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [dns, c2, tunneling, dga, network-forensics, threat-detection]
+tags:
+- dns
+- c2
+- tunneling
+- dga
+- network-forensics
+- threat-detection
 version: 1.0.0
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 # Detecting Command and Control Over DNS
diff --git a/skills/detecting-compromised-cloud-credentials/SKILL.md b/skills/detecting-compromised-cloud-credentials/SKILL.md
index 8ad595a4..fb169d5c 100644
--- a/skills/detecting-compromised-cloud-credentials/SKILL.md
+++ b/skills/detecting-compromised-cloud-credentials/SKILL.md
@@ -1,16 +1,27 @@
 ---
 name: detecting-compromised-cloud-credentials
-description: >
- Detecting compromised cloud credentials across AWS, Azure, and GCP by analyzing
- anomalous API activity, impossible travel patterns, unauthorized resource provisioning,
- and credential abuse indicators using GuardDuty, Defender for Identity, and SCC
- Event Threat Detection.
+description: 'Detecting compromised cloud credentials across AWS, Azure, and GCP by analyzing anomalous API activity, impossible
+ travel patterns, unauthorized resource provisioning, and credential abuse indicators using GuardDuty, Defender for Identity,
+ and SCC Event Threat Detection.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, credential-compromise, threat-detection, guardduty, incident-response, anomaly-detection]
-version: "1.0"
+tags:
+- cloud-security
+- credential-compromise
+- threat-detection
+- guardduty
+- incident-response
+- anomaly-detection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 # Detecting Compromised Cloud Credentials
diff --git a/skills/detecting-container-drift-at-runtime/SKILL.md b/skills/detecting-container-drift-at-runtime/SKILL.md
index cd91958e..3bd0f07b 100644
--- a/skills/detecting-container-drift-at-runtime/SKILL.md
+++ b/skills/detecting-container-drift-at-runtime/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: detecting-container-drift-at-runtime
-description: Detect unauthorized modifications to running containers by monitoring for binary execution drift, file system changes, and configuration deviations from the original container image.
+description: Detect unauthorized modifications to running containers by monitoring for binary execution drift, file system
+ changes, and configuration deviations from the original container image.
 domain: cybersecurity
 subdomain: container-security
-tags: [container-drift, runtime-security, immutable-containers, falco, kubernetes, container-security, drift-detection, microsoft-defender]
-version: "1.0"
+tags:
+- container-drift
+- runtime-security
+- immutable-containers
+- falco
+- kubernetes
+- container-security
+- drift-detection
+- microsoft-defender
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 # Detecting Container Drift at Runtime
diff --git a/skills/detecting-container-escape-attempts/SKILL.md b/skills/detecting-container-escape-attempts/SKILL.md
index 598459f1..52ae34db 100644
--- a/skills/detecting-container-escape-attempts/SKILL.md
+++ b/skills/detecting-container-escape-attempts/SKILL.md
@@ -20,6 +20,11 @@ d3fend_techniques:
 - Stack Frame Canary Validation
 - Segment Address Offset Randomization
 - Process Analysis
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 # Detecting Container Escape Attempts
diff --git a/skills/detecting-container-escape-with-falco-rules/SKILL.md b/skills/detecting-container-escape-with-falco-rules/SKILL.md
index 09f9505f..f3284bd7 100644
--- a/skills/detecting-container-escape-with-falco-rules/SKILL.md
+++ b/skills/detecting-container-escape-with-falco-rules/SKILL.md
@@ -20,6 +20,11 @@ d3fend_techniques:
 - File Metadata Consistency Validation
 - Restore Access
 - Application Protocol Command Analysis
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 # Detecting Container Escape with Falco Rules
diff --git a/skills/detecting-credential-dumping-techniques/SKILL.md b/skills/detecting-credential-dumping-techniques/SKILL.md
index 41a38cd2..f7add208 100644
--- a/skills/detecting-credential-dumping-techniques/SKILL.md
+++ b/skills/detecting-credential-dumping-techniques/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - File Metadata Consistency Validation
 - Restore Access
 - Application Protocol Command Analysis
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-06
+- ID.RA-05
 ---
 # Detecting Credential Dumping Techniques
diff --git a/skills/detecting-cryptomining-in-cloud/SKILL.md b/skills/detecting-cryptomining-in-cloud/SKILL.md
index 7091037a..5325525f 100644
--- a/skills/detecting-cryptomining-in-cloud/SKILL.md
+++ b/skills/detecting-cryptomining-in-cloud/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: detecting-cryptomining-in-cloud
-description: >
- This skill teaches security teams how to detect and respond to unauthorized cryptocurrency
- mining operations in cloud environments. It covers identifying cryptomining indicators
- through compute usage anomalies, network traffic patterns to mining pools, GuardDuty
- CryptoCurrency findings, and runtime process monitoring on EC2, ECS, EKS, and Azure
- Automation workloads.
+description: 'This skill teaches security teams how to detect and respond to unauthorized cryptocurrency mining operations
+ in cloud environments. It covers identifying cryptomining indicators through compute usage anomalies, network traffic patterns
+ to mining pools, GuardDuty CryptoCurrency findings, and runtime process monitoring on EC2, ECS, EKS, and Azure Automation
+ workloads.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cryptomining-detection, cloud-abuse, resource-hijacking, guardduty-crypto, cost-anomaly]
+tags:
+- cryptomining-detection
+- cloud-abuse
+- resource-hijacking
+- guardduty-crypto
+- cost-anomaly
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 # Detecting Cryptomining in Cloud
diff --git a/skills/detecting-dcsync-attack-in-active-directory/SKILL.md b/skills/detecting-dcsync-attack-in-active-directory/SKILL.md
index 02dc5e21..940ac3c8 100644
--- a/skills/detecting-dcsync-attack-in-active-directory/SKILL.md
+++ b/skills/detecting-dcsync-attack-in-active-directory/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - Network Traffic Analysis
 - Client-server Payload Profiling
 - Platform Monitoring
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---
 # Detecting DCSync Attack in Active Directory
diff --git a/skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md b/skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md
index 2fa5b9a7..974a73e5 100644
--- a/skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md
+++ b/skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md
@@ -36,6 +36,10 @@ d3fend_techniques:
 - Message Analysis
 - User Behavior Analysis
 - Identifier Analysis
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
 ---
 # Detecting Deepfake Audio in Vishing Attacks
diff --git a/skills/detecting-dll-sideloading-attacks/SKILL.md b/skills/detecting-dll-sideloading-attacks/SKILL.md
index 7798ea3b..59b2c429 100644
--- a/skills/detecting-dll-sideloading-attacks/SKILL.md
+++ b/skills/detecting-dll-sideloading-attacks/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - File Content Analysis
 - Platform Hardening
 - File Format Verification
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---
 # Detecting DLL Sideloading Attacks
diff --git a/skills/detecting-dnp3-protocol-anomalies/SKILL.md b/skills/detecting-dnp3-protocol-anomalies/SKILL.md
index 6f855584..0be16d05 100644
--- a/skills/detecting-dnp3-protocol-anomalies/SKILL.md
+++ b/skills/detecting-dnp3-protocol-anomalies/SKILL.md
@@ -26,6 +26,11 @@ nist_ai_rmf:
 - MEASURE-2.7
 - MEASURE-2.5
 - MAP-5.1
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 # Detecting DNP3 Protocol Anomalies
diff --git a/skills/detecting-dns-exfiltration-with-dns-query-analysis/SKILL.md b/skills/detecting-dns-exfiltration-with-dns-query-analysis/SKILL.md
index fe82dfc3..2d35d261 100644
--- a/skills/detecting-dns-exfiltration-with-dns-query-analysis/SKILL.md
+++ b/skills/detecting-dns-exfiltration-with-dns-query-analysis/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: detecting-dns-exfiltration-with-dns-query-analysis
-description: Detect data exfiltration through DNS tunneling by analyzing query entropy, subdomain length, query volume, TXT record abuse, and response payload sizes using passive DNS monitoring.
+description: Detect data exfiltration through DNS tunneling by analyzing query entropy, subdomain length, query volume, TXT
+ record abuse, and response payload sizes using passive DNS monitoring.
 domain: cybersecurity
 subdomain: network-security
-tags: [dns-exfiltration, dns-tunneling, data-exfiltration, threat-detection, entropy-analysis, passive-dns, network-monitoring, iodine, dnscat2]
-version: "1.0"
+tags:
+- dns-exfiltration
+- dns-tunneling
+- data-exfiltration
+- threat-detection
+- entropy-analysis
+- passive-dns
+- network-monitoring
+- iodine
+- dnscat2
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 # Detecting DNS Exfiltration with DNS Query Analysis
diff --git a/skills/detecting-email-account-compromise/SKILL.md b/skills/detecting-email-account-compromise/SKILL.md
index e51290e7..7d8a9783 100644
--- a/skills/detecting-email-account-compromise/SKILL.md
+++ b/skills/detecting-email-account-compromise/SKILL.md
@@ -1,13 +1,30 @@
 ---
 name: detecting-email-account-compromise
-description: Detect compromised O365 and Google Workspace email accounts by analyzing inbox rule creation, suspicious sign-in locations, mail forwarding rules, and unusual API access patterns via Microsoft Graph and audit logs.
+description: Detect compromised O365 and Google Workspace email accounts by analyzing inbox rule creation, suspicious sign-in
+ locations, mail forwarding rules, and unusual API access patterns via Microsoft Graph and audit logs.
 domain: cybersecurity
 subdomain: incident-response
-tags: [email-compromise, office365, microsoft-graph, bec, inbox-rules, sign-in-analysis, account-takeover]
-mitre_attack: ["T1114", "T1566", "T1078", "T1534"]
-version: "1.0"
+tags:
+- email-compromise
+- office365
+- microsoft-graph
+- bec
+- inbox-rules
+- sign-in-analysis
+- account-takeover
+mitre_attack:
+- T1114
+- T1566
+- T1078
+- T1534
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 # Detecting Email Account Compromise
diff --git a/skills/detecting-email-forwarding-rules-attack/SKILL.md b/skills/detecting-email-forwarding-rules-attack/SKILL.md
index 8b8bf266..f8c77b24 100644
--- a/skills/detecting-email-forwarding-rules-attack/SKILL.md
+++ b/skills/detecting-email-forwarding-rules-attack/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - Application Configuration Hardening
 - Application Hardening
 - Disable Remote Access
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---
 # Detecting Email Forwarding Rules Attack
diff --git a/skills/detecting-evasion-techniques-in-endpoint-logs/SKILL.md b/skills/detecting-evasion-techniques-in-endpoint-logs/SKILL.md
index 81c6f3b7..2baf70cc 100644
--- a/skills/detecting-evasion-techniques-in-endpoint-logs/SKILL.md
+++ b/skills/detecting-evasion-techniques-in-endpoint-logs/SKILL.md
@@ -24,6 +24,11 @@ d3fend_techniques:
 - File Content Analysis
 - Platform Hardening
 - File Format Verification
+nist_csf:
+- PR.PS-01
+- PR.PS-02
+- DE.CM-01
+- PR.IR-01
 ---
 # Detecting Evasion Techniques in Endpoint Logs
diff --git a/skills/detecting-exfiltration-over-dns-with-zeek/SKILL.md b/skills/detecting-exfiltration-over-dns-with-zeek/SKILL.md
index dbaaaa6f..ddb38f2c 100644
--- a/skills/detecting-exfiltration-over-dns-with-zeek/SKILL.md
+++ b/skills/detecting-exfiltration-over-dns-with-zeek/SKILL.md
@@ -1,12 +1,22 @@
 ---
 name: detecting-exfiltration-over-dns-with-zeek
-description: Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy subdomains and anomalous query patterns
+description: Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy subdomains and anomalous query
+ patterns
 domain: cybersecurity
 subdomain: network-security
-tags: [dns-exfiltration, zeek, entropy-analysis, threat-hunting]
-version: "1.0"
+tags:
+- dns-exfiltration
+- zeek
+- entropy-analysis
+- threat-hunting
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
diff --git a/skills/detecting-fileless-attacks-on-endpoints/SKILL.md b/skills/detecting-fileless-attacks-on-endpoints/SKILL.md
index 73d64db6..6327b89a 100644
--- a/skills/detecting-fileless-attacks-on-endpoints/SKILL.md
+++ b/skills/detecting-fileless-attacks-on-endpoints/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: detecting-fileless-attacks-on-endpoints
-description: >
- Detects fileless malware and in-memory attacks that execute entirely in RAM without writing
- persistent files to disk, evading traditional antivirus. Use when building detections for
- PowerShell-based attacks, reflective DLL injection, WMI persistence, and registry-resident
- malware. Activates for requests involving fileless malware detection, in-memory attacks,
+description: 'Detects fileless malware and in-memory attacks that execute entirely in RAM without writing persistent files
+ to disk, evading traditional antivirus. Use when building detections for PowerShell-based attacks, reflective DLL injection,
+ WMI persistence, and registry-resident malware. Activates for requests involving fileless malware detection, in-memory attacks,
 PowerShell exploitation, or living-off-the-land techniques.
+
+ '
 domain: cybersecurity
 subdomain: endpoint-security
-tags: [endpoint, fileless-malware, memory-attacks, PowerShell, detection-engineering]
+tags:
+- endpoint
+- fileless-malware
+- memory-attacks
+- PowerShell
+- detection-engineering
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.PS-02
+- DE.CM-01
+- PR.IR-01
 ---
 # Detecting Fileless Attacks on Endpoints
diff --git a/skills/detecting-fileless-malware-techniques/SKILL.md b/skills/detecting-fileless-malware-techniques/SKILL.md
index 516d4752..5ec83a61 100644
--- a/skills/detecting-fileless-malware-techniques/SKILL.md
+++ b/skills/detecting-fileless-malware-techniques/SKILL.md
@@ -23,6 +23,11 @@ d3fend_techniques:
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Detecting Fileless Malware Techniques
diff --git a/skills/detecting-golden-ticket-attacks-in-kerberos-logs/SKILL.md b/skills/detecting-golden-ticket-attacks-in-kerberos-logs/SKILL.md
index c830d0a5..ad37369e 100644
--- a/skills/detecting-golden-ticket-attacks-in-kerberos-logs/SKILL.md
+++ b/skills/detecting-golden-ticket-attacks-in-kerberos-logs/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: detecting-golden-ticket-attacks-in-kerberos-logs
-description: Detect Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including mismatched encryption types, impossible ticket lifetimes, non-existent accounts, and forged PAC signatures in domain controller event logs.
+description: Detect Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including mismatched encryption
+ types, impossible ticket lifetimes, non-existent accounts, and forged PAC signatures in domain controller event logs.
 domain: cybersecurity
 subdomain: threat-hunting
-tags: [threat-hunting, golden-ticket, kerberos, active-directory, mitre-t1558-001, credential-abuse]
-version: "1.0"
+tags:
+- threat-hunting
+- golden-ticket
+- kerberos
+- active-directory
+- mitre-t1558-001
+- credential-abuse
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---
 # Detecting Golden Ticket Attacks in Kerberos Logs
diff --git a/skills/detecting-golden-ticket-forgery/SKILL.md b/skills/detecting-golden-ticket-forgery/SKILL.md
index 9d9dfa37..d79e0da8 100644
--- a/skills/detecting-golden-ticket-forgery/SKILL.md
+++ b/skills/detecting-golden-ticket-forgery/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - Reissue Credential
 - Decoy User Credential
 - Authentication Cache Invalidation
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-06
+- ID.RA-05
 ---
 # Detecting Golden Ticket Forgery
diff --git a/skills/detecting-insider-data-exfiltration-via-dlp/SKILL.md b/skills/detecting-insider-data-exfiltration-via-dlp/SKILL.md
index 0f55fcef..59f7a931 100644
--- a/skills/detecting-insider-data-exfiltration-via-dlp/SKILL.md
+++ b/skills/detecting-insider-data-exfiltration-via-dlp/SKILL.md
@@ -1,16 +1,25 @@
 ---
 name: detecting-insider-data-exfiltration-via-dlp
-description: >
- Detects insider data exfiltration by analyzing DLP policy violations, file access
- patterns, upload volume anomalies, and off-hours activity in endpoint and cloud logs.
- Uses pandas for behavioral analytics and statistical baselines. Use when investigating
- insider threats or building user behavior analytics for data loss prevention.
+description: 'Detects insider data exfiltration by analyzing DLP policy violations, file access patterns, upload volume anomalies,
+ and off-hours activity in endpoint and cloud logs. Uses pandas for behavioral analytics and statistical baselines. Use when
+ investigating insider threats or building user behavior analytics for data loss prevention.
+
+ '
 domain: cybersecurity
 subdomain: security-operations
-tags: [detecting, insider, data, exfiltration]
-version: "1.0"
+tags:
+- detecting
+- insider
+- data
+- exfiltration
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---

 # Detecting Insider Data Exfiltration via DLP
diff --git a/skills/detecting-insider-threat-behaviors/SKILL.md b/skills/detecting-insider-threat-behaviors/SKILL.md
index 02e792a0..9c0b7d59 100644
--- a/skills/detecting-insider-threat-behaviors/SKILL.md
+++ b/skills/detecting-insider-threat-behaviors/SKILL.md
@@ -20,6 +20,11 @@ d3fend_techniques:
 - Biometric Authentication
 - Strong Password Policy
 - Restore User Account Access
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---

 # Detecting Insider Threat Behaviors
diff --git a/skills/detecting-insider-threat-with-ueba/SKILL.md b/skills/detecting-insider-threat-with-ueba/SKILL.md
index e4ff2918..d92f5a7d 100644
--- a/skills/detecting-insider-threat-with-ueba/SKILL.md
+++ b/skills/detecting-insider-threat-with-ueba/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: detecting-insider-threat-with-ueba
-description: Implement User and Entity Behavior Analytics using Elasticsearch/OpenSearch to build behavioral baselines, calculate anomaly scores, perform peer group analysis, and detect insider threat indicators such as data exfiltration, privilege abuse, and unauthorized access patterns.
+description: Implement User and Entity Behavior Analytics using Elasticsearch/OpenSearch to build behavioral baselines, calculate
+ anomaly scores, perform peer group analysis, and detect insider threat indicators such as data exfiltration, privilege abuse,
+ and unauthorized access patterns.
 domain: cybersecurity
 subdomain: threat-detection
-tags: [ueba, insider-threat, anomaly-detection, elasticsearch, behavior-analytics, machine-learning, siem]
-version: "1.0"
+tags:
+- ueba
+- insider-threat
+- anomaly-detection
+- elasticsearch
+- behavior-analytics
+- machine-learning
+- siem
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-06
+- ID.RA-05
 ---

 # Detecting Insider Threat with UEBA
diff --git a/skills/detecting-kerberoasting-attacks/SKILL.md b/skills/detecting-kerberoasting-attacks/SKILL.md
index c5bccc96..915ae45a 100644
--- a/skills/detecting-kerberoasting-attacks/SKILL.md
+++ b/skills/detecting-kerberoasting-attacks/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - Network Traffic Analysis
 - Client-server Payload Profiling
 - Network Traffic Community Deviation
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---

 # Detecting Kerberoasting Attacks
diff --git a/skills/detecting-lateral-movement-in-network/SKILL.md b/skills/detecting-lateral-movement-in-network/SKILL.md
index 8787c195..b744560b 100644
--- a/skills/detecting-lateral-movement-in-network/SKILL.md
+++ b/skills/detecting-lateral-movement-in-network/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - Network Traffic Analysis
 - Client-server Payload Profiling
 - Network Traffic Community Deviation
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---

 # Detecting Lateral Movement in Network
diff --git a/skills/detecting-lateral-movement-with-splunk/SKILL.md b/skills/detecting-lateral-movement-with-splunk/SKILL.md
index 73e83f4f..32a2c66e 100644
--- a/skills/detecting-lateral-movement-with-splunk/SKILL.md
+++ b/skills/detecting-lateral-movement-with-splunk/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - Network Traffic Analysis
 - Client-server Payload Profiling
 - Network Traffic Community Deviation
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---

 # Detecting Lateral Movement with Splunk
diff --git a/skills/detecting-lateral-movement-with-zeek/SKILL.md b/skills/detecting-lateral-movement-with-zeek/SKILL.md
index 491573c8..4890cf6c 100644
--- a/skills/detecting-lateral-movement-with-zeek/SKILL.md
+++ b/skills/detecting-lateral-movement-with-zeek/SKILL.md
@@ -1,16 +1,27 @@
 ---
 name: detecting-lateral-movement-with-zeek
-description: >
- Detect lateral movement in network traffic using Zeek (formerly Bro) log
- analysis. Parses conn.log, smb_mapping.log, smb_files.log, dce_rpc.log,
- kerberos.log, and ntlm.log to identify SMB file transfers, NTLM account
- spray activity, remote service execution, and anomalous internal connections.
+description: 'Detect lateral movement in network traffic using Zeek (formerly Bro) log analysis. Parses conn.log, smb_mapping.log,
+ smb_files.log, dce_rpc.log, kerberos.log, and ntlm.log to identify SMB file transfers, NTLM account spray activity, remote
+ service execution, and anomalous internal connections.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [zeek, lateral-movement, smb, dce-rpc, ntlm-spray, network-forensics]
-version: "1.0"
+tags:
+- zeek
+- lateral-movement
+- smb
+- dce-rpc
+- ntlm-spray
+- network-forensics
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---

 # Detecting Lateral Movement with Zeek
diff --git a/skills/detecting-living-off-the-land-attacks/SKILL.md b/skills/detecting-living-off-the-land-attacks/SKILL.md
index c4131e22..1a4de25c 100644
--- a/skills/detecting-living-off-the-land-attacks/SKILL.md
+++ b/skills/detecting-living-off-the-land-attacks/SKILL.md
@@ -20,6 +20,11 @@ d3fend_techniques:
 - Network Traffic Analysis
 - Client-server Payload Profiling
 - Network Traffic Community Deviation
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-06
+- ID.RA-05
 ---

 # Detecting Living Off the Land Attacks
diff --git a/skills/detecting-living-off-the-land-with-lolbas/SKILL.md b/skills/detecting-living-off-the-land-with-lolbas/SKILL.md
index a81f2dc6..8ed709c7 100644
--- a/skills/detecting-living-off-the-land-with-lolbas/SKILL.md
+++ b/skills/detecting-living-off-the-land-with-lolbas/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - File Metadata Consistency Validation
 - Application Protocol Command Analysis
 - Content Format Conversion
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-06
+- ID.RA-05
 ---

 # Detecting Living Off the Land with LOLBAS
diff --git a/skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md b/skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md
index a129ee9b..d979bc33 100644
--- a/skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md
+++ b/skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md
@@ -25,6 +25,11 @@ d3fend_techniques:
 - Hardware-based Process Isolation
 - Platform Monitoring
 - Process Suspension
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---

 # Detecting Malicious Scheduled Tasks with Sysmon
diff --git a/skills/detecting-mimikatz-execution-patterns/SKILL.md b/skills/detecting-mimikatz-execution-patterns/SKILL.md
index 1245b833..c428c8cd 100644
--- a/skills/detecting-mimikatz-execution-patterns/SKILL.md
+++ b/skills/detecting-mimikatz-execution-patterns/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - Hardware-based Process Isolation
 - Web Session Access Mediation
 - Process Suspension
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---

 # Detecting Mimikatz Execution Patterns
diff --git a/skills/detecting-misconfigured-azure-storage/SKILL.md b/skills/detecting-misconfigured-azure-storage/SKILL.md
index d5ec6c16..6ef3e8ef 100644
--- a/skills/detecting-misconfigured-azure-storage/SKILL.md
+++ b/skills/detecting-misconfigured-azure-storage/SKILL.md
@@ -25,6 +25,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Detecting Misconfigured Azure Storage
diff --git a/skills/detecting-mobile-malware-behavior/SKILL.md b/skills/detecting-mobile-malware-behavior/SKILL.md
index 24187713..3d9839de 100644
--- a/skills/detecting-mobile-malware-behavior/SKILL.md
+++ b/skills/detecting-mobile-malware-behavior/SKILL.md
@@ -1,17 +1,28 @@
 ---
 name: detecting-mobile-malware-behavior
-description: >
- Detects and analyzes malicious behavior in mobile applications through behavioral analysis,
- permission abuse detection, network traffic monitoring, and dynamic instrumentation. Use when
- analyzing suspicious mobile applications for data exfiltration, command-and-control communication,
- credential stealing, SMS interception, or other malware indicators. Activates for requests involving
- mobile malware analysis, app behavior monitoring, trojan detection, or suspicious app investigation.
+description: 'Detects and analyzes malicious behavior in mobile applications through behavioral analysis, permission abuse
+ detection, network traffic monitoring, and dynamic instrumentation. Use when analyzing suspicious mobile applications for
+ data exfiltration, command-and-control communication, credential stealing, SMS interception, or other malware indicators.
+ Activates for requests involving mobile malware analysis, app behavior monitoring, trojan detection, or suspicious app investigation.
+
+ '
 domain: cybersecurity
 subdomain: mobile-security
 author: mahipal
-tags: [mobile-security, android, ios, malware-analysis, owasp-mobile, penetration-testing]
+tags:
+- mobile-security
+- android
+- ios
+- malware-analysis
+- owasp-mobile
+- penetration-testing
 version: 1.0.0
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.AA-05
+- ID.RA-01
+- DE.CM-09
 ---

 # Detecting Mobile Malware Behavior
diff --git a/skills/detecting-modbus-command-injection-attacks/SKILL.md b/skills/detecting-modbus-command-injection-attacks/SKILL.md
index 014f708a..43411614 100644
--- a/skills/detecting-modbus-command-injection-attacks/SKILL.md
+++ b/skills/detecting-modbus-command-injection-attacks/SKILL.md
@@ -1,16 +1,29 @@
 ---
 name: detecting-modbus-command-injection-attacks
-description: >
- Detect command injection attacks against Modbus TCP/RTU protocol in ICS
- environments by monitoring for unauthorized write operations, anomalous function
- codes, malformed frames, and deviations from established communication baselines
- using ICS-aware IDS and protocol deep packet inspection.
+description: 'Detect command injection attacks against Modbus TCP/RTU protocol in ICS environments by monitoring for unauthorized
+ write operations, anomalous function codes, malformed frames, and deviations from established communication baselines using
+ ICS-aware IDS and protocol deep packet inspection.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, modbus, command-injection, protocol-analysis, ids, scada, threat-detection]
-version: "1.0"
+tags:
+- ot-security
+- ics
+- modbus
+- command-injection
+- protocol-analysis
+- ids
+- scada
+- threat-detection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---

 # Detecting Modbus Command Injection Attacks
diff --git a/skills/detecting-modbus-protocol-anomalies/SKILL.md b/skills/detecting-modbus-protocol-anomalies/SKILL.md
index 945bc77c..e4549ceb 100644
--- a/skills/detecting-modbus-protocol-anomalies/SKILL.md
+++ b/skills/detecting-modbus-protocol-anomalies/SKILL.md
@@ -27,6 +27,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---

 # Detecting Modbus Protocol Anomalies
diff --git a/skills/detecting-network-anomalies-with-zeek/SKILL.md b/skills/detecting-network-anomalies-with-zeek/SKILL.md
index 61afc297..eae3ede5 100644
--- a/skills/detecting-network-anomalies-with-zeek/SKILL.md
+++ b/skills/detecting-network-anomalies-with-zeek/SKILL.md
@@ -1,15 +1,25 @@
 ---
 name: detecting-network-anomalies-with-zeek
-description: >
- Deploys and configures Zeek (formerly Bro) network security monitor to passively
- analyze network traffic, generate structured logs, detect anomalous behavior,
- and create custom detection scripts for threat hunting and incident response.
+description: 'Deploys and configures Zeek (formerly Bro) network security monitor to passively analyze network traffic, generate
+ structured logs, detect anomalous behavior, and create custom detection scripts for threat hunting and incident response.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, zeek, network-monitoring, anomaly-detection, threat-hunting]
-version: "1.0"
+tags:
+- network-security
+- zeek
+- network-monitoring
+- anomaly-detection
+- threat-hunting
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---

 # Detecting Network Anomalies with Zeek
diff --git a/skills/detecting-network-scanning-with-ids-signatures/SKILL.md b/skills/detecting-network-scanning-with-ids-signatures/SKILL.md
index 09e53201..076425b0 100644
--- a/skills/detecting-network-scanning-with-ids-signatures/SKILL.md
+++ b/skills/detecting-network-scanning-with-ids-signatures/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: detecting-network-scanning-with-ids-signatures
-description: Detect network reconnaissance and port scanning using Suricata and Snort IDS signatures, threshold-based detection rules, and traffic anomaly analysis to identify Nmap, Masscan, and custom scanning activity.
+description: Detect network reconnaissance and port scanning using Suricata and Snort IDS signatures, threshold-based detection
+ rules, and traffic anomaly analysis to identify Nmap, Masscan, and custom scanning activity.
 domain: cybersecurity
 subdomain: network-security
-tags: [ids, nmap-detection, port-scanning, snort, suricata, reconnaissance, network-security, signature-detection, threshold-rules]
-version: "1.0"
+tags:
+- ids
+- nmap-detection
+- port-scanning
+- snort
+- suricata
+- reconnaissance
+- network-security
+- signature-detection
+- threshold-rules
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---

 # Detecting Network Scanning with IDS Signatures
diff --git a/skills/detecting-ntlm-relay-with-event-correlation/SKILL.md b/skills/detecting-ntlm-relay-with-event-correlation/SKILL.md
index 63082de8..1074c409 100644
--- a/skills/detecting-ntlm-relay-with-event-correlation/SKILL.md
+++ b/skills/detecting-ntlm-relay-with-event-correlation/SKILL.md
@@ -38,6 +38,11 @@ nist_ai_rmf:
 - MEASURE-2.5
 - GOVERN-6.1
 - MAP-5.1
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---

 # Detecting NTLM Relay with Event Correlation
diff --git a/skills/detecting-oauth-token-theft/SKILL.md b/skills/detecting-oauth-token-theft/SKILL.md
index 5d05db24..c7d37b91 100644
--- a/skills/detecting-oauth-token-theft/SKILL.md
+++ b/skills/detecting-oauth-token-theft/SKILL.md
@@ -1,19 +1,30 @@
 ---
 name: detecting-oauth-token-theft
-description: >
- Detects and responds to OAuth token theft and replay attacks in cloud
- environments, focusing on Microsoft Entra ID (Azure AD) token protection,
- conditional access policies, and sign-in anomaly detection. Covers access
- token theft, refresh token replay, Primary Refresh Token (PRT) abuse, and
- pass-the-cookie attacks. Activates for requests involving OAuth token theft
- detection, token replay prevention, Azure AD conditional access token
- protection, or cloud identity attack investigation.
+description: 'Detects and responds to OAuth token theft and replay attacks in cloud environments, focusing on Microsoft Entra
+ ID (Azure AD) token protection, conditional access policies, and sign-in anomaly detection. Covers access token theft, refresh
+ token replay, Primary Refresh Token (PRT) abuse, and pass-the-cookie attacks. Activates for requests involving OAuth token
+ theft detection, token replay prevention, Azure AD conditional access token protection, or cloud identity attack investigation.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [oauth, token-theft, azure-ad, entra-id, conditional-access, token-replay, identity-security, PRT]
+tags:
+- oauth
+- token-theft
+- azure-ad
+- entra-id
+- conditional-access
+- token-replay
+- identity-security
+- PRT
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Detecting OAuth Token Theft
diff --git a/skills/detecting-pass-the-hash-attacks/SKILL.md b/skills/detecting-pass-the-hash-attacks/SKILL.md
index a2768a44..321c00f7 100644
--- a/skills/detecting-pass-the-hash-attacks/SKILL.md
+++ b/skills/detecting-pass-the-hash-attacks/SKILL.md
@@ -20,6 +20,11 @@ d3fend_techniques:
 - Restore Access
 - Application Protocol Command Analysis
 - Process Termination
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---

 # Detecting Pass The Hash Attacks
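Review bot: The `nist_csf` block added at the end of the detecting-oauth-token-theft front matter (`PR.IR-01`, `ID.AM-08`, `GV.SC-06`, `DE.CM-01`) is byte-identical to the set this same diff assigns to the S3-exfiltration, serverless-injection and shadow-IT-cloud-usage skills, so it appears to have been derived from `subdomain: cloud-security` rather than from this skill's content. `GV.SC-06` (supplier/third-party due diligence) and `ID.AM-08` (asset life-cycle management) do not describe token-replay detection or conditional-access enforcement, whereas the credential-abuse skills in this diff carry `DE.AE-02` and `ID.RA-05`, and an authentication subcategory such as `PR.AA-03` would fit the PRT and pass-the-cookie material better. I would replace those two entries with `- PR.AA-03` and `- DE.AE-02` after confirming the wording against the CSF 2.0 subcategory list, since anything that filters skills by `nist_csf` would otherwise surface this skill for supply-chain queries and miss it for identity ones.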
diff --git a/skills/detecting-pass-the-ticket-attacks/SKILL.md b/skills/detecting-pass-the-ticket-attacks/SKILL.md
index 92d48133..d6bfd407 100644
--- a/skills/detecting-pass-the-ticket-attacks/SKILL.md
+++ b/skills/detecting-pass-the-ticket-attacks/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - Restore Access
 - Application Protocol Command Analysis
 - Process Termination
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-06
+- ID.RA-05
 ---

 # Detecting Pass-the-Ticket Attacks
diff --git a/skills/detecting-port-scanning-with-fail2ban/SKILL.md b/skills/detecting-port-scanning-with-fail2ban/SKILL.md
index a9875163..a335fa69 100644
--- a/skills/detecting-port-scanning-with-fail2ban/SKILL.md
+++ b/skills/detecting-port-scanning-with-fail2ban/SKILL.md
@@ -1,15 +1,26 @@
 ---
 name: detecting-port-scanning-with-fail2ban
-description: >
- Configures Fail2ban with custom filters and actions to detect port scanning activity,
- SSH brute force attempts, and network reconnaissance, automatically banning offending
- IP addresses and alerting security teams to suspicious network probing.
+description: 'Configures Fail2ban with custom filters and actions to detect port scanning activity, SSH brute force attempts,
+ and network reconnaissance, automatically banning offending IP addresses and alerting security teams to suspicious network
+ probing.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, fail2ban, port-scanning, intrusion-prevention, automated-defense]
-version: "1.0"
+tags:
+- network-security
+- fail2ban
+- port-scanning
+- intrusion-prevention
+- automated-defense
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---

 # Detecting Port Scanning with Fail2ban
diff --git a/skills/detecting-privilege-escalation-attempts/SKILL.md b/skills/detecting-privilege-escalation-attempts/SKILL.md
index 138bdabc..059a6027 100644
--- a/skills/detecting-privilege-escalation-attempts/SKILL.md
+++ b/skills/detecting-privilege-escalation-attempts/SKILL.md
@@ -20,6 +20,11 @@ d3fend_techniques:
 - Execution Isolation
 - Restore Access
 - Reissue Credential
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---

 # Detecting Privilege Escalation Attempts
diff --git a/skills/detecting-privilege-escalation-in-kubernetes-pods/SKILL.md b/skills/detecting-privilege-escalation-in-kubernetes-pods/SKILL.md
index eb3850c7..7ce5d093 100644
--- a/skills/detecting-privilege-escalation-in-kubernetes-pods/SKILL.md
+++ b/skills/detecting-privilege-escalation-in-kubernetes-pods/SKILL.md
@@ -20,6 +20,11 @@ d3fend_techniques:
 - File Metadata Consistency Validation
 - Restore Access
 - Password Authentication
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---

 # Detecting Privilege Escalation in Kubernetes Pods
diff --git a/skills/detecting-process-hollowing-technique/SKILL.md b/skills/detecting-process-hollowing-technique/SKILL.md
index a05baef1..66311d85 100644
--- a/skills/detecting-process-hollowing-technique/SKILL.md
+++ b/skills/detecting-process-hollowing-technique/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - Segment Address Offset Randomization
 - Process Analysis
 - Application Hardening
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---

 # Detecting Process Hollowing Technique
diff --git a/skills/detecting-process-injection-techniques/SKILL.md b/skills/detecting-process-injection-techniques/SKILL.md
index 87904eb8..7f3a4a83 100644
--- a/skills/detecting-process-injection-techniques/SKILL.md
+++ b/skills/detecting-process-injection-techniques/SKILL.md
@@ -23,6 +23,11 @@ d3fend_techniques:
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Detecting Process Injection Techniques
diff --git a/skills/detecting-qr-code-phishing-with-email-security/SKILL.md b/skills/detecting-qr-code-phishing-with-email-security/SKILL.md
index cc8ed4a9..60cfe926 100644
--- a/skills/detecting-qr-code-phishing-with-email-security/SKILL.md
+++ b/skills/detecting-qr-code-phishing-with-email-security/SKILL.md
@@ -22,6 +22,11 @@ atlas_techniques:
 nist_ai_rmf:
 - MEASURE-2.8
 - MAP-5.1
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
+- DE.AE-02
 ---

 # Detecting QR Code Phishing with Email Security
diff --git a/skills/detecting-ransomware-encryption-behavior/SKILL.md b/skills/detecting-ransomware-encryption-behavior/SKILL.md
index aaa50828..a1247bc6 100644
--- a/skills/detecting-ransomware-encryption-behavior/SKILL.md
+++ b/skills/detecting-ransomware-encryption-behavior/SKILL.md
@@ -1,18 +1,28 @@
 ---
 name: detecting-ransomware-encryption-behavior
-description: >
- Detects ransomware encryption activity in real time using entropy analysis,
- file system I/O monitoring, and behavioral heuristics. Identifies mass file
- modification patterns, abnormal entropy spikes in written data, and suspicious
- process behavior characteristic of ransomware encryption routines. Activates
- for requests involving ransomware behavioral detection, entropy-based file
- monitoring, I/O anomaly detection, or real-time encryption activity alerting.
+description: 'Detects ransomware encryption activity in real time using entropy analysis, file system I/O monitoring, and
+ behavioral heuristics. Identifies mass file modification patterns, abnormal entropy spikes in written data, and suspicious
+ process behavior characteristic of ransomware encryption routines. Activates for requests involving ransomware behavioral
+ detection, entropy-based file monitoring, I/O anomaly detection, or real-time encryption activity alerting.
+
+ '
 domain: cybersecurity
 subdomain: ransomware-defense
-tags: [ransomware, detection, entropy, behavioral-analysis, file-monitoring, heuristics]
+tags:
+- ransomware
+- detection
+- entropy
+- behavioral-analysis
+- file-monitoring
+- heuristics
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-11
+- RS.MA-01
+- RC.RP-01
+- PR.IR-01
 ---

 # Detecting Ransomware Encryption Behavior
diff --git a/skills/detecting-ransomware-precursors-in-network/SKILL.md b/skills/detecting-ransomware-precursors-in-network/SKILL.md
index 87c096c7..b299fe66 100644
--- a/skills/detecting-ransomware-precursors-in-network/SKILL.md
+++ b/skills/detecting-ransomware-precursors-in-network/SKILL.md
@@ -1,19 +1,28 @@
 ---
 name: detecting-ransomware-precursors-in-network
-description: >
- Detects early-stage ransomware indicators in network traffic before encryption begins,
- including initial access broker activity, command-and-control beaconing, credential
- harvesting, reconnaissance scanning, and staging behavior. Uses network detection tools
- (Zeek, Suricata, Arkime), SIEM correlation rules, and threat intelligence feeds to
- identify ransomware precursor patterns such as Cobalt Strike beacons, Mimikatz network
- signatures, and RDP brute-force attempts. Activates for requests involving pre-ransomware
- detection, network-based ransomware indicators, or early warning ransomware monitoring.
+description: 'Detects early-stage ransomware indicators in network traffic before encryption begins, including initial access
+ broker activity, command-and-control beaconing, credential harvesting, reconnaissance scanning, and staging behavior. Uses
+ network detection tools (Zeek, Suricata, Arkime), SIEM correlation rules, and threat intelligence feeds to identify ransomware
+ precursor patterns such as Cobalt Strike beacons, Mimikatz network signatures, and RDP brute-force attempts. Activates for
+ requests involving pre-ransomware detection, network-based ransomware indicators, or early warning ransomware monitoring.
+
+ '
 domain: cybersecurity
 subdomain: ransomware-defense
-tags: [ransomware, detection, network-security, incident-response, defense]
+tags:
+- ransomware
+- detection
+- network-security
+- incident-response
+- defense
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-11
+- RS.MA-01
+- RC.RP-01
+- PR.IR-01
 ---

 # Detecting Ransomware Precursors in Network Traffic
diff --git a/skills/detecting-rdp-brute-force-attacks/SKILL.md b/skills/detecting-rdp-brute-force-attacks/SKILL.md
index 19116a65..9388d27b 100644
--- a/skills/detecting-rdp-brute-force-attacks/SKILL.md
+++ b/skills/detecting-rdp-brute-force-attacks/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: detecting-rdp-brute-force-attacks
-description: Detect RDP brute force attacks by analyzing Windows Security Event Logs for failed authentication patterns (Event ID 4625), successful logons after failures (Event ID 4624), NLA failures, and source IP frequency analysis.
+description: Detect RDP brute force attacks by analyzing Windows Security Event Logs for failed authentication patterns (Event
+ ID 4625), successful logons after failures (Event ID 4624), NLA failures, and source IP frequency analysis.
 domain: cybersecurity
 subdomain: threat-detection
-tags: [threat-detection, rdp, brute-force, windows-event-logs, blue-team, siem]
-version: "1.0"
+tags:
+- threat-detection
+- rdp
+- brute-force
+- windows-event-logs
+- blue-team
+- siem
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-06
+- ID.RA-05
 ---

 # Detecting RDP Brute Force Attacks
diff --git a/skills/detecting-rootkit-activity/SKILL.md b/skills/detecting-rootkit-activity/SKILL.md
index 88751ac4..ebefb8fa 100644
--- a/skills/detecting-rootkit-activity/SKILL.md
+++ b/skills/detecting-rootkit-activity/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: detecting-rootkit-activity
-description: >
- Detects rootkit presence on compromised systems by identifying hidden processes, hooked
- system calls, modified kernel structures, hidden files, and covert network connections
- using memory forensics, cross-view detection, and integrity checking techniques.
- Activates for requests involving rootkit detection, hidden process discovery, kernel
- integrity checking, or system call hook analysis.
+description: 'Detects rootkit presence on compromised systems by identifying hidden processes, hooked system calls, modified
+ kernel structures, hidden files, and covert network connections using memory forensics, cross-view detection, and integrity
+ checking techniques. Activates for requests involving rootkit detection, hidden process discovery, kernel integrity checking,
+ or system call hook analysis.
+
+ '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, rootkit, detection, kernel-analysis, memory-forensics]
+tags:
+- malware
+- rootkit
+- detection
+- kernel-analysis
+- memory-forensics
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Detecting Rootkit Activity
diff --git a/skills/detecting-s3-data-exfiltration-attempts/SKILL.md b/skills/detecting-s3-data-exfiltration-attempts/SKILL.md
index 2bf8397f..6f9e3fdb 100644
--- a/skills/detecting-s3-data-exfiltration-attempts/SKILL.md
+++ b/skills/detecting-s3-data-exfiltration-attempts/SKILL.md
@@ -1,15 +1,28 @@
 ---
 name: detecting-s3-data-exfiltration-attempts
-description: >
- Detecting data exfiltration attempts from AWS S3 buckets by analyzing CloudTrail S3
- data events, VPC Flow Logs, GuardDuty findings, Amazon Macie alerts, and S3 access
- patterns to identify unauthorized bulk downloads and cross-account data transfers.
+description: 'Detecting data exfiltration attempts from AWS S3 buckets by analyzing CloudTrail S3 data events, VPC Flow Logs,
+ GuardDuty findings, Amazon Macie alerts, and S3 access patterns to identify unauthorized bulk downloads and cross-account
+ data transfers.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, aws, s3, data-exfiltration, guardduty, macie, threat-detection]
-version: "1.0"
+tags:
+- cloud-security
+- aws
+- s3
+- data-exfiltration
+- guardduty
+- macie
+- threat-detection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Detecting S3 Data Exfiltration Attempts
diff --git a/skills/detecting-serverless-function-injection/SKILL.md b/skills/detecting-serverless-function-injection/SKILL.md
index ea2f4063..3439e68f 100644
--- a/skills/detecting-serverless-function-injection/SKILL.md
+++ b/skills/detecting-serverless-function-injection/SKILL.md
@@ -1,20 +1,31 @@
 ---
 name: detecting-serverless-function-injection
-description: >
- Detects and prevents code injection attacks targeting serverless functions (AWS Lambda, Azure Functions,
- Google Cloud Functions) through event source poisoning, malicious layer injection, runtime command
- execution, and IAM privilege escalation via function modification. The analyst combines static analysis
- of function code, CloudTrail event correlation, runtime behavior monitoring, and IAM policy auditing
- to identify injection vectors across the expanded serverless attack surface including API Gateway,
- S3, SQS, DynamoDB Streams, and CloudWatch event triggers. Activates for requests involving Lambda
- security assessment, serverless injection detection, function event poisoning analysis, or serverless
- privilege escalation investigation.
+description: 'Detects and prevents code injection attacks targeting serverless functions (AWS Lambda, Azure Functions, Google
+ Cloud Functions) through event source poisoning, malicious layer injection, runtime command execution, and IAM privilege
+ escalation via function modification. The analyst combines static analysis of function code, CloudTrail event correlation,
+ runtime behavior monitoring, and IAM policy auditing to identify injection vectors across the expanded serverless attack
+ surface including API Gateway, S3, SQS, DynamoDB Streams, and CloudWatch event triggers. Activates for requests involving
+ Lambda security assessment, serverless injection detection, function event poisoning analysis, or serverless privilege escalation
+ investigation.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [serverless-security, Lambda-injection, event-source-poisoning, OWASP-serverless, IAM-escalation, CloudTrail]
+tags:
+- serverless-security
+- Lambda-injection
+- event-source-poisoning
+- OWASP-serverless
+- IAM-escalation
+- CloudTrail
 version: 1.0.0
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Detecting Serverless Function Injection
diff --git a/skills/detecting-service-account-abuse/SKILL.md b/skills/detecting-service-account-abuse/SKILL.md
index 70da62a4..5be7a213 100644
--- a/skills/detecting-service-account-abuse/SKILL.md
+++ b/skills/detecting-service-account-abuse/SKILL.md
@@ -20,6 +20,11 @@ d3fend_techniques:
 - Biometric Authentication
 - Strong Password Policy
 - Restore User Account Access
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---

 # Detecting Service Account Abuse
diff --git a/skills/detecting-shadow-api-endpoints/SKILL.md b/skills/detecting-shadow-api-endpoints/SKILL.md
index c1cbc1ff..ec26cede 100644
--- a/skills/detecting-shadow-api-endpoints/SKILL.md
+++ b/skills/detecting-shadow-api-endpoints/SKILL.md
@@ -1,12 +1,26 @@ --- name: detecting-shadow-api-endpoints -description: Discover and inventory shadow API endpoints that operate outside documented specifications using traffic analysis, code scanning, and API discovery platforms. +description: Discover and inventory shadow API endpoints that operate outside documented specifications using traffic analysis, + code scanning, and API discovery platforms. domain: cybersecurity subdomain: api-security -tags: [api-security, shadow-apis, api-discovery, undocumented-apis, zombie-apis, api-inventory, attack-surface-management, api-governance] -version: "1.0" +tags: +- api-security +- shadow-apis +- api-discovery +- undocumented-apis +- zombie-apis +- api-inventory +- attack-surface-management +- api-governance +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.PS-01 +- ID.RA-01 +- PR.DS-10 +- DE.CM-01 --- # Detecting Shadow API Endpoints diff --git a/skills/detecting-shadow-it-cloud-usage/SKILL.md b/skills/detecting-shadow-it-cloud-usage/SKILL.md index 69436489..cbef89af 100644 --- a/skills/detecting-shadow-it-cloud-usage/SKILL.md +++ b/skills/detecting-shadow-it-cloud-usage/SKILL.md 
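Review bot: detecting-shadow-api-endpoints receives PR.PS-01, ID.RA-01, PR.DS-10, DE.CM-01, the same quadruple this commit gives the api-security exploitation skills further down (exploiting-api-injection-vulnerabilities, exploiting-broken-function-level-authorization), yet this skill's description is about discovering and inventorying undocumented endpoints, for which ID.AM-02 (inventories of software, services and systems maintained) is the direct CSF 2.0 subcategory and is missing. PR.DS-10 (protection of data in use) has no evident connection to API discovery. Suggest `- ID.AM-02` in place of `- PR.DS-10`, keeping ID.RA-01 and DE.CM-01 for the traffic-analysis side of the skill.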
@@ -1,12 +1,25 @@ --- name: detecting-shadow-it-cloud-usage -description: Detect unauthorized SaaS and cloud service usage (shadow IT) by analyzing proxy logs, DNS query logs, and netflow data using Python pandas for traffic pattern analysis and domain classification. +description: Detect unauthorized SaaS and cloud service usage (shadow IT) by analyzing proxy logs, DNS query logs, and netflow + data using Python pandas for traffic pattern analysis and domain classification. domain: cybersecurity subdomain: cloud-security -tags: [shadow-IT, SaaS-discovery, proxy-logs, DNS-analysis, netflow, cloud-security, pandas] -version: "1.0" +tags: +- shadow-IT +- SaaS-discovery +- proxy-logs +- DNS-analysis +- netflow +- cloud-security +- pandas +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- ID.AM-08 +- GV.SC-06 +- DE.CM-01 --- # Detecting Shadow IT Cloud Usage diff --git a/skills/detecting-spearphishing-with-email-gateway/SKILL.md b/skills/detecting-spearphishing-with-email-gateway/SKILL.md index 7f19dc09..5fcafd1b 100644 --- a/skills/detecting-spearphishing-with-email-gateway/SKILL.md +++ b/skills/detecting-spearphishing-with-email-gateway/SKILL.md 
@@ -1,12 +1,25 @@ --- name: detecting-spearphishing-with-email-gateway -description: Spearphishing targets specific individuals using personalized, researched content that bypasses generic spam filters. Email security gateways (SEGs) like Microsoft Defender for Office 365, Proofpoint, +description: Spearphishing targets specific individuals using personalized, researched content that bypasses generic spam + filters. Email security gateways (SEGs) like Microsoft Defender for Office 365, Proofpoint, domain: cybersecurity subdomain: phishing-defense -tags: [phishing, email-security, social-engineering, dmarc, awareness, spearphishing, email-gateway] -version: "1.0" +tags: +- phishing +- email-security +- social-engineering +- dmarc +- awareness +- spearphishing +- email-gateway +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.AT-01 +- DE.CM-09 +- RS.CO-02 +- DE.AE-02 --- # Detecting Spearphishing with Email Gateway diff --git a/skills/detecting-sql-injection-via-waf-logs/SKILL.md b/skills/detecting-sql-injection-via-waf-logs/SKILL.md index e1011bc5..8effd305 100644 --- a/skills/detecting-sql-injection-via-waf-logs/SKILL.md +++ b/skills/detecting-sql-injection-via-waf-logs/SKILL.md 
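Review bot: The description of detecting-spearphishing-with-email-gateway on the new side still ends mid-sentence at `Proofpoint,`: the pre-existing truncation was re-wrapped to 120 columns instead of being fixed, so the frontmatter ships a description that names two vendors and stops. Because the description is what a consumer reads to decide when the skill applies, it should be completed or cut back to a full sentence, for example `description: Detect spearphishing that evades generic spam filtering by tuning email security gateway (SEG) policies and DMARC telemetry, using Microsoft Defender for Office 365 and Proofpoint as reference platforms.` The exact wording should be confirmed against the skill body, which is outside this hunk.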
@@ -1,17 +1,23 @@ --- name: detecting-sql-injection-via-waf-logs -description: >- - Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection - attack campaigns. Parses ModSecurity audit logs and JSON WAF event logs to - identify SQLi patterns (UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()), tracks - attack sources, correlates multi-stage injection attempts, and generates - incident reports with OWASP classification. +description: Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection attack campaigns. Parses ModSecurity + audit logs and JSON WAF event logs to identify SQLi patterns (UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()), tracks attack + sources, correlates multi-stage injection attempts, and generates incident reports with OWASP classification. domain: cybersecurity subdomain: security-operations -tags: [detecting, sql, injection, via] -version: "1.0" +tags: +- detecting +- sql +- injection +- via +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- DE.CM-01 +- RS.MA-01 +- GV.OV-01 +- DE.AE-02 --- diff --git a/skills/detecting-stuxnet-style-attacks/SKILL.md b/skills/detecting-stuxnet-style-attacks/SKILL.md index 88a6072d..e5164c5f 100644 --- a/skills/detecting-stuxnet-style-attacks/SKILL.md +++ b/skills/detecting-stuxnet-style-attacks/SKILL.md 
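Review bot: The tags of detecting-sql-injection-via-waf-logs are `detecting`, `sql`, `injection`, `via` — fragments of the slug rather than searchable tags — and the hunk re-emits them in block style without correcting them; `via` and `detecting` carry no meaning as tags. The description already names the concrete inputs, so `- sql-injection`, `- waf`, `- modsecurity`, `- aws-waf`, `- cloudflare`, `- log-analysis` would be an honest set. Separately, GV.OV-01 (review of risk-management strategy outcomes) in the new nist_csf block does not describe parsing WAF audit logs, and the identical four IDs are applied to detecting-supply-chain-attacks-in-ci-cd in the next hunk, which again points to a template rather than a per-skill mapping; DE.AE-03 (information correlated from multiple sources) fits the "correlates multi-stage injection attempts" sentence of the description.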
@@ -1,18 +1,30 @@ --- name: detecting-stuxnet-style-attacks -description: > - This skill covers detecting sophisticated cyber-physical attacks that follow the - Stuxnet attack pattern of modifying PLC logic while spoofing sensor readings to - hide the manipulation from operators. It addresses PLC logic integrity monitoring, - physics-based process anomaly detection, engineering workstation compromise indicators, - USB-borne attack vectors, and multi-stage attack chain detection spanning IT-to-OT - lateral movement through to process manipulation. +description: 'This skill covers detecting sophisticated cyber-physical attacks that follow the Stuxnet attack pattern of modifying + PLC logic while spoofing sensor readings to hide the manipulation from operators. It addresses PLC logic integrity monitoring, + physics-based process anomaly detection, engineering workstation compromise indicators, USB-borne attack vectors, and multi-stage + attack chain detection spanning IT-to-OT lateral movement through to process manipulation. + + ' domain: cybersecurity subdomain: ot-ics-security -tags: [ot-security, ics, scada, industrial-control, iec62443, stuxnet, plc-integrity, apt] +tags: +- ot-security +- ics +- scada +- industrial-control +- iec62443 +- stuxnet +- plc-integrity +- apt version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- DE.CM-01 +- ID.AM-05 +- GV.OC-02 --- # Detecting Stuxnet-Style Attacks diff --git a/skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md b/skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md index c7fec1a9..cc57632e 100644 --- a/skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md +++ b/skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md @@ -22,6 +22,11 @@ nist_ai_rmf: - GOVERN-5.2 - MAP-1.6 - MANAGE-2.2 +nist_csf: +- DE.CM-01 +- RS.MA-01 +- GV.OV-01 +- DE.AE-02 --- # Detecting Supply Chain Attacks in CI/CD 
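Review bot: For detecting-stuxnet-style-attacks the new nist_csf entry GV.OC-02 (internal and external stakeholders and their expectations understood) has no relation to the description's PLC logic integrity monitoring, physics-based anomaly detection or USB-borne vectors. PR.PS-01 (configuration management, which is where a PLC logic baseline lives) and DE.CM-09 (software and runtime environments monitored) describe those activities; ID.AM-05 and PR.IR-01 are defensible as they stand. Suggest `- PR.PS-01` in place of `- GV.OC-02`.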
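Review bot: detecting-supply-chain-attacks-in-ci-cd receives DE.CM-01, RS.MA-01, GV.OV-01, DE.AE-02 and no GV.SC subcategory at all, while detecting-typosquatting-packages-in-npm-pypi later in this diff receives GV.SC-01/03/06/07 — the two supply-chain skills are mapped inconsistently, and the one whose name says supply chain has none of the supply-chain outcomes. At minimum `- GV.SC-07` (third-party risks monitored over the relationship) and `- DE.CM-09` (software and runtime environments monitored) belong here, and RS.MA-01 (incident response plan executed) is a Respond outcome for what the name presents as a detection skill. The skill's description and tags are outside this hunk, so they could not be checked against the new mapping.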
diff --git a/skills/detecting-suspicious-oauth-application-consent/SKILL.md b/skills/detecting-suspicious-oauth-application-consent/SKILL.md index b82f8501..d31561fe 100644 --- a/skills/detecting-suspicious-oauth-application-consent/SKILL.md +++ b/skills/detecting-suspicious-oauth-application-consent/SKILL.md @@ -1,12 +1,25 @@ --- name: detecting-suspicious-oauth-application-consent -description: Detect risky OAuth application consent grants in Azure AD / Microsoft Entra ID using Microsoft Graph API, audit logs, and permission analysis to identify illicit consent grant attacks. +description: Detect risky OAuth application consent grants in Azure AD / Microsoft Entra ID using Microsoft Graph API, audit + logs, and permission analysis to identify illicit consent grant attacks. domain: cybersecurity subdomain: cloud-security -tags: [OAuth, Azure-AD, Entra-ID, Microsoft-Graph, illicit-consent, cloud-security, application-permissions] -version: "1.0" +tags: +- OAuth +- Azure-AD +- Entra-ID +- Microsoft-Graph +- illicit-consent +- cloud-security +- application-permissions +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- ID.AM-08 +- GV.SC-06 +- DE.CM-01 --- # Detecting Suspicious OAuth Application Consent diff --git a/skills/detecting-suspicious-powershell-execution/SKILL.md b/skills/detecting-suspicious-powershell-execution/SKILL.md index 16cd55cd..4051c1a7 100644 --- a/skills/detecting-suspicious-powershell-execution/SKILL.md +++ b/skills/detecting-suspicious-powershell-execution/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Detecting Suspicious Powershell Execution diff --git a/skills/detecting-t1003-credential-dumping-with-edr/SKILL.md b/skills/detecting-t1003-credential-dumping-with-edr/SKILL.md index 1c26a1ba..8a67f86a 100644 
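Review bot: detecting-suspicious-oauth-application-consent is an identity skill — the description is about consent grants and application permissions in Entra ID — but its nist_csf block (PR.IR-01, ID.AM-08, GV.SC-06, DE.CM-01) contains no PR.AA subcategory and nothing about monitoring principal activity. PR.AA-05 (access permissions, entitlements and authorizations managed, enforced and reviewed) and DE.CM-03 (personnel activity and technology usage monitored) are the outcomes an illicit-consent-grant detection serves; ID.AM-08 and GV.SC-06 do not describe it. Suggest `- PR.AA-05` and `- DE.CM-03` in place of `- ID.AM-08` and `- GV.SC-06`.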
--- a/skills/detecting-t1003-credential-dumping-with-edr/SKILL.md +++ b/skills/detecting-t1003-credential-dumping-with-edr/SKILL.md @@ -22,6 +22,11 @@ d3fend_techniques: - File Metadata Consistency Validation - Restore Access - Application Protocol Command Analysis +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Detecting T1003 Credential Dumping with EDR diff --git a/skills/detecting-t1055-process-injection-with-sysmon/SKILL.md b/skills/detecting-t1055-process-injection-with-sysmon/SKILL.md index 3805337d..8e4ca740 100644 --- a/skills/detecting-t1055-process-injection-with-sysmon/SKILL.md +++ b/skills/detecting-t1055-process-injection-with-sysmon/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Detecting T1055 Process Injection with Sysmon diff --git a/skills/detecting-t1548-abuse-elevation-control-mechanism/SKILL.md b/skills/detecting-t1548-abuse-elevation-control-mechanism/SKILL.md index afcda79c..69003258 100644 --- a/skills/detecting-t1548-abuse-elevation-control-mechanism/SKILL.md +++ b/skills/detecting-t1548-abuse-elevation-control-mechanism/SKILL.md @@ -20,6 +20,11 @@ d3fend_techniques: - File Metadata Consistency Validation - Restore Access - Password Authentication +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Detecting T1548 Abuse Elevation Control Mechanism diff --git a/skills/detecting-typosquatting-packages-in-npm-pypi/SKILL.md b/skills/detecting-typosquatting-packages-in-npm-pypi/SKILL.md index 2e105f96..ef544105 100644 --- a/skills/detecting-typosquatting-packages-in-npm-pypi/SKILL.md +++ b/skills/detecting-typosquatting-packages-in-npm-pypi/SKILL.md 
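Review bot: The three hunks on this line (detecting-t1003-credential-dumping-with-edr, detecting-t1055-process-injection-with-sysmon, detecting-t1548-abuse-elevation-control-mechanism) all receive DE.CM-01, DE.AE-02, DE.AE-07, ID.RA-05, and the same set goes to detecting-suspicious-powershell-execution and detecting-wmi-persistence elsewhere in the diff. DE.CM-01 is the network and network-services monitoring subcategory, while these skills are host-based detections driven by EDR and Sysmon telemetry; DE.CM-09 (computing hardware and software, runtime environments and their data monitored) is the subcategory that describes them. Suggest `- DE.CM-09` in place of `- DE.CM-01` across all five hunks, or in addition to it where a skill also consumes network telemetry — the skill bodies are outside these hunks, so that cannot be judged here.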
@@ -1,20 +1,32 @@ --- name: detecting-typosquatting-packages-in-npm-pypi -description: > - Detects typosquatting attacks in npm and PyPI package registries by analyzing package name - similarity using Levenshtein distance and other string metrics, examining publish date - heuristics to identify recently created packages mimicking established ones, and flagging - download count anomalies where suspicious packages have disproportionately low usage compared - to their legitimate targets. The analyst queries the PyPI JSON API and npm registry API to - gather package metadata for automated comparison. Activates for requests involving package - typosquatting detection, dependency confusion analysis, malicious package identification, - or software supply chain threat hunting in package registries. +description: 'Detects typosquatting attacks in npm and PyPI package registries by analyzing package name similarity using + Levenshtein distance and other string metrics, examining publish date heuristics to identify recently created packages mimicking + established ones, and flagging download count anomalies where suspicious packages have disproportionately low usage compared + to their legitimate targets. The analyst queries the PyPI JSON API and npm registry API to gather package metadata for automated + comparison. Activates for requests involving package typosquatting detection, dependency confusion analysis, malicious package + identification, or software supply chain threat hunting in package registries. 
+ + ' domain: cybersecurity subdomain: supply-chain-security -tags: [typosquatting, npm, pypi, supply-chain, package-security, Levenshtein, dependency-confusion, malicious-packages] +tags: +- typosquatting +- npm +- pypi +- supply-chain +- package-security +- Levenshtein +- dependency-confusion +- malicious-packages version: 1.0.0 author: mukul975 license: Apache-2.0 +nist_csf: +- GV.SC-01 +- GV.SC-03 +- GV.SC-06 +- GV.SC-07 --- # Detecting Typosquatting Packages in npm and PyPI diff --git a/skills/detecting-wmi-persistence/SKILL.md b/skills/detecting-wmi-persistence/SKILL.md index 604c2272..206745e6 100644 --- a/skills/detecting-wmi-persistence/SKILL.md +++ b/skills/detecting-wmi-persistence/SKILL.md @@ -22,6 +22,11 @@ d3fend_techniques: - Network Traffic Analysis - Client-server Payload Profiling - Platform Monitoring +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Detecting WMI Persistence diff --git a/skills/eradicating-malware-from-infected-systems/SKILL.md b/skills/eradicating-malware-from-infected-systems/SKILL.md index 42c278b2..69dd461d 100644 --- a/skills/eradicating-malware-from-infected-systems/SKILL.md +++ b/skills/eradicating-malware-from-infected-systems/SKILL.md 
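Review bot: detecting-typosquatting-packages-in-npm-pypi is mapped only to governance outcomes (GV.SC-01, GV.SC-03, GV.SC-06, GV.SC-07), although the description is an analyst procedure that queries the PyPI and npm registry APIs and flags packages — an Identify/Detect activity with no Identify or Detect subcategory attached. ID.RA-01 (vulnerabilities in assets identified, validated and recorded) is the outcome that a detection of malicious look-alike dependencies feeds; suggest adding `- ID.RA-01`. GV.SC-01 (a supply-chain risk-management program exists) and GV.SC-03 (supply-chain risk management integrated into enterprise risk management) are program-level outcomes that a single detection technique does not by itself deliver, so the list could be trimmed to GV.SC-07 plus ID.RA-01.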
@@ -1,13 +1,28 @@ --- name: eradicating-malware-from-infected-systems -description: Systematically remove malware, backdoors, and attacker persistence mechanisms from infected systems while ensuring complete eradication and preventing re-infection. +description: Systematically remove malware, backdoors, and attacker persistence mechanisms from infected systems while ensuring + complete eradication and preventing re-infection. domain: cybersecurity subdomain: incident-response -tags: [incident-response, eradication, malware-removal, persistence, dfir] -mitre_attack: ["T1547", "T1053", "T1543", "T1574"] -version: "1.0" +tags: +- incident-response +- eradication +- malware-removal +- persistence +- dfir +mitre_attack: +- T1547 +- T1053 +- T1543 +- T1574 +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- RS.MA-01 +- RS.MA-02 +- RS.AN-03 +- RC.RP-01 --- # Eradicating Malware from Infected Systems diff --git a/skills/evaluating-threat-intelligence-platforms/SKILL.md b/skills/evaluating-threat-intelligence-platforms/SKILL.md index f443d3dd..0124d599 100644 --- a/skills/evaluating-threat-intelligence-platforms/SKILL.md +++ b/skills/evaluating-threat-intelligence-platforms/SKILL.md 
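Review bot: eradicating-malware-from-infected-systems gets RS.MA-01, RS.MA-02, RS.AN-03, RC.RP-01 but not RS.MI-02 ("Incidents are eradicated"), which is the single CSF 2.0 subcategory that names exactly what this skill does. RS.MA-02 (incident reports triaged and validated) is a triage outcome that precedes eradication and is the weakest fit of the four. Suggest `- RS.MI-02` in place of `- RS.MA-02`, keeping RS.AN-03 for the root-cause work and RC.RP-01 for the recovery hand-off that the description's "preventing re-infection" implies. The conversion of `mitre_attack` from flow to block style is fine; the technique IDs are unchanged.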
@@ -1,18 +1,31 @@ --- name: evaluating-threat-intelligence-platforms -description: > - Evaluates and selects Threat Intelligence Platform (TIP) products based on organizational - requirements including feed integration capability, STIX/TAXII support, workflow automation, - analyst interface, and total cost of ownership. Use when conducting a TIP procurement, migrating - between TIP solutions, or assessing whether the current TIP meets program maturity requirements. - Activates for requests involving ThreatConnect, MISP, OpenCTI, Anomali, EclecticIQ, or TIP - procurement decisions. +description: 'Evaluates and selects Threat Intelligence Platform (TIP) products based on organizational requirements including + feed integration capability, STIX/TAXII support, workflow automation, analyst interface, and total cost of ownership. Use + when conducting a TIP procurement, migrating between TIP solutions, or assessing whether the current TIP meets program maturity + requirements. Activates for requests involving ThreatConnect, MISP, OpenCTI, Anomali, EclecticIQ, or TIP procurement decisions. + + ' domain: cybersecurity subdomain: threat-intelligence -tags: [TIP, ThreatConnect, MISP, OpenCTI, Anomali, EclecticIQ, STIX-TAXII, CTI-program, procurement] +tags: +- TIP +- ThreatConnect +- MISP +- OpenCTI +- Anomali +- EclecticIQ +- STIX-TAXII +- CTI-program +- procurement version: 1.0.0 author: team-cybersecurity license: Apache-2.0 +nist_csf: +- ID.RA-01 +- ID.RA-05 +- DE.CM-01 +- DE.AE-02 --- # Evaluating Threat Intelligence Platforms diff --git a/skills/executing-active-directory-attack-simulation/SKILL.md b/skills/executing-active-directory-attack-simulation/SKILL.md index 30ba0751..0fe535af 100644 --- a/skills/executing-active-directory-attack-simulation/SKILL.md +++ b/skills/executing-active-directory-attack-simulation/SKILL.md 
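Review bot: evaluating-threat-intelligence-platforms is a procurement and vendor-selection skill — the description says so explicitly — yet its nist_csf block (ID.RA-01, ID.RA-05, DE.CM-01, DE.AE-02) omits GV.SC-06 (planning and due diligence before entering a supplier or third-party relationship), which is the subcategory that describes evaluating a TIP vendor, while this same commit attaches GV.SC-06 to cloud-security skills that have no procurement content. ID.RA-01 (vulnerabilities in assets identified) and DE.CM-01 (network monitoring) do not describe a product evaluation. Suggest `- GV.SC-06` and `- GV.SC-05` (requirements for third parties established and communicated) in place of `- ID.RA-01` and `- DE.CM-01`, keeping ID.RA-05 and DE.AE-02 for the downstream CTI use the platform supports.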
@@ -24,6 +24,11 @@ d3fend_techniques: - Network Traffic Analysis - Client-server Payload Profiling - Network Traffic Community Deviation +nist_csf: +- ID.RA-01 +- ID.RA-06 +- GV.OV-02 +- DE.AE-07 --- # Executing Active Directory Attack Simulation diff --git a/skills/executing-phishing-simulation-campaign/SKILL.md b/skills/executing-phishing-simulation-campaign/SKILL.md index ce873d69..4f7b33b4 100644 --- a/skills/executing-phishing-simulation-campaign/SKILL.md +++ b/skills/executing-phishing-simulation-campaign/SKILL.md 
@@ -1,18 +1,28 @@ --- name: executing-phishing-simulation-campaign -description: > - Executes authorized phishing simulation campaigns to assess an organization's susceptibility - to email-based social engineering attacks. The tester designs realistic phishing scenarios, - builds credential harvesting infrastructure, sends targeted phishing emails, and tracks - open rates, click-through rates, and credential submission rates to measure human security - awareness. Activates for requests involving phishing simulation, social engineering assessment, - email security testing, or security awareness measurement. +description: 'Executes authorized phishing simulation campaigns to assess an organization''s susceptibility to email-based + social engineering attacks. The tester designs realistic phishing scenarios, builds credential harvesting infrastructure, + sends targeted phishing emails, and tracks open rates, click-through rates, and credential submission rates to measure human + security awareness. Activates for requests involving phishing simulation, social engineering assessment, email security + testing, or security awareness measurement. + + ' domain: cybersecurity subdomain: penetration-testing -tags: [phishing-simulation, social-engineering, GoPhish, email-security, security-awareness] +tags: +- phishing-simulation +- social-engineering +- GoPhish +- email-security +- security-awareness version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- ID.RA-01 +- ID.RA-06 +- GV.OV-02 +- DE.AE-07 --- # Executing Phishing Simulation Campaign diff --git a/skills/executing-red-team-engagement-planning/SKILL.md b/skills/executing-red-team-engagement-planning/SKILL.md index dbfa8751..6e9af11f 100644 --- a/skills/executing-red-team-engagement-planning/SKILL.md +++ b/skills/executing-red-team-engagement-planning/SKILL.md 
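Review bot: executing-phishing-simulation-campaign receives ID.RA-01, ID.RA-06, GV.OV-02, DE.AE-07 — the same set this commit applies to executing-active-directory-attack-simulation in the previous hunk and executing-red-team-exercise in the next — but the description states that the campaign measures "human security awareness", and PR.AT-01 (personnel provided with awareness and training) is the subcategory that measurement feeds; it is used for detecting-spearphishing-with-email-gateway earlier in the diff but not here. DE.AE-07 (threat intelligence integrated into analysis) does not describe running a simulation. Suggest `- PR.AT-01` in place of `- DE.AE-07`. The description's "builds credential harvesting infrastructure" is correctly scoped by the word "authorized", but a reader would benefit from a frontmatter comment such as `# requires written authorization and a data-handling plan for harvested credentials` given that submitted credentials are real ones.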
@@ -1,12 +1,24 @@ --- name: executing-red-team-engagement-planning -description: Red team engagement planning is the foundational phase that defines scope, objectives, rules of engagement (ROE), threat model selection, and operational timelines before any offensive testing begins. +description: Red team engagement planning is the foundational phase that defines scope, objectives, rules of engagement (ROE), + threat model selection, and operational timelines before any offensive testing begins. domain: cybersecurity subdomain: red-teaming -tags: [red-team, adversary-simulation, mitre-attack, exploitation, post-exploitation, engagement-planning, rules-of-engagement] -version: "1.0" +tags: +- red-team +- adversary-simulation +- mitre-attack +- exploitation +- post-exploitation +- engagement-planning +- rules-of-engagement +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- ID.RA-01 +- GV.OV-02 +- DE.AE-07 --- # Executing Red Team Engagement Planning diff --git a/skills/executing-red-team-exercise/SKILL.md b/skills/executing-red-team-exercise/SKILL.md index cbd75230..653eb2dc 100644 --- a/skills/executing-red-team-exercise/SKILL.md +++ b/skills/executing-red-team-exercise/SKILL.md @@ -25,6 +25,11 @@ d3fend_techniques: - Identifier Analysis - Content Format Conversion - Message Analysis +nist_csf: +- ID.RA-01 +- ID.RA-06 +- GV.OV-02 +- DE.AE-07 --- # Executing Red Team Exercise diff --git a/skills/exploiting-active-directory-certificate-services-esc1/SKILL.md b/skills/exploiting-active-directory-certificate-services-esc1/SKILL.md index 2aae2f54..b3590920 100644 --- a/skills/exploiting-active-directory-certificate-services-esc1/SKILL.md +++ b/skills/exploiting-active-directory-certificate-services-esc1/SKILL.md @@ -21,6 +21,10 @@ d3fend_techniques: - Content Format Conversion - File Content Analysis - Platform Hardening +nist_csf: +- ID.RA-01 +- GV.OV-02 +- DE.AE-07 --- # Exploiting Active Directory Certificate Services ESC1 
diff --git a/skills/exploiting-active-directory-with-bloodhound/SKILL.md b/skills/exploiting-active-directory-with-bloodhound/SKILL.md index 42511b21..1c69282d 100644 --- a/skills/exploiting-active-directory-with-bloodhound/SKILL.md +++ b/skills/exploiting-active-directory-with-bloodhound/SKILL.md @@ -21,6 +21,10 @@ d3fend_techniques: - Biometric Authentication - Strong Password Policy - Restore User Account Access +nist_csf: +- ID.RA-01 +- GV.OV-02 +- DE.AE-07 --- # Exploiting Active Directory with BloodHound diff --git a/skills/exploiting-api-injection-vulnerabilities/SKILL.md b/skills/exploiting-api-injection-vulnerabilities/SKILL.md index 41ae587e..cf5a5bbd 100644 --- a/skills/exploiting-api-injection-vulnerabilities/SKILL.md +++ b/skills/exploiting-api-injection-vulnerabilities/SKILL.md 
@@ -1,19 +1,30 @@ --- name: exploiting-api-injection-vulnerabilities -description: > - Tests APIs for injection vulnerabilities including SQL injection, NoSQL injection, OS command - injection, LDAP injection, and Server-Side Request Forgery (SSRF) through API parameters, - headers, and request bodies. The tester crafts malicious payloads targeting different backend - technologies and injection contexts to extract data, execute commands, or access internal - services. Maps to OWASP API8:2023 Security Misconfiguration and API7:2023 SSRF. Activates - for requests involving API injection testing, SQLi in APIs, NoSQL injection, SSRF testing, - or API input validation assessment. +description: 'Tests APIs for injection vulnerabilities including SQL injection, NoSQL injection, OS command injection, LDAP + injection, and Server-Side Request Forgery (SSRF) through API parameters, headers, and request bodies. The tester crafts + malicious payloads targeting different backend technologies and injection contexts to extract data, execute commands, or + access internal services. Maps to OWASP API8:2023 Security Misconfiguration and API7:2023 SSRF. Activates for requests involving + API injection testing, SQLi in APIs, NoSQL injection, SSRF testing, or API input validation assessment. + + ' domain: cybersecurity subdomain: api-security -tags: [api-security, owasp, injection, sqli, nosql, ssrf, command-injection] +tags: +- api-security +- owasp +- injection +- sqli +- nosql +- ssrf +- command-injection version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- PR.PS-01 +- ID.RA-01 +- PR.DS-10 +- DE.CM-01 --- # Exploiting API Injection Vulnerabilities diff --git a/skills/exploiting-bgp-hijacking-vulnerabilities/SKILL.md b/skills/exploiting-bgp-hijacking-vulnerabilities/SKILL.md index cf21753f..bbd7fe8c 100644 --- a/skills/exploiting-bgp-hijacking-vulnerabilities/SKILL.md +++ b/skills/exploiting-bgp-hijacking-vulnerabilities/SKILL.md 
@@ -1,15 +1,25 @@ --- name: exploiting-bgp-hijacking-vulnerabilities -description: > - Analyzes and simulates BGP hijacking scenarios in authorized lab environments to - assess route origin validation, RPKI deployment, and BGP monitoring defenses - against prefix hijacking and route leak attacks on internet routing infrastructure. +description: 'Analyzes and simulates BGP hijacking scenarios in authorized lab environments to assess route origin validation, + RPKI deployment, and BGP monitoring defenses against prefix hijacking and route leak attacks on internet routing infrastructure. + + ' domain: cybersecurity subdomain: network-security -tags: [network-security, bgp, routing-security, rpki, route-hijacking] -version: "1.0" +tags: +- network-security +- bgp +- routing-security +- rpki +- route-hijacking +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- DE.CM-01 +- ID.AM-03 +- PR.DS-02 --- # Exploiting BGP Hijacking Vulnerabilities diff --git a/skills/exploiting-broken-function-level-authorization/SKILL.md b/skills/exploiting-broken-function-level-authorization/SKILL.md index 5b5b60f6..d97c5a0c 100644 --- a/skills/exploiting-broken-function-level-authorization/SKILL.md +++ b/skills/exploiting-broken-function-level-authorization/SKILL.md 
@@ -1,19 +1,29 @@ --- name: exploiting-broken-function-level-authorization -description: > - Tests APIs for Broken Function Level Authorization (BFLA) vulnerabilities where regular - users can invoke administrative functions or access privileged API endpoints by directly - calling them. The tester identifies admin and privileged endpoints, then attempts to access - them with regular user credentials by manipulating HTTP methods, URL paths, and request - parameters. Maps to OWASP API5:2023 Broken Function Level Authorization. Activates for - requests involving BFLA testing, admin endpoint bypass, function-level access control - testing, or API privilege escalation. +description: 'Tests APIs for Broken Function Level Authorization (BFLA) vulnerabilities where regular users can invoke administrative + functions or access privileged API endpoints by directly calling them. The tester identifies admin and privileged endpoints, + then attempts to access them with regular user credentials by manipulating HTTP methods, URL paths, and request parameters. + Maps to OWASP API5:2023 Broken Function Level Authorization. Activates for requests involving BFLA testing, admin endpoint + bypass, function-level access control testing, or API privilege escalation. + + ' domain: cybersecurity subdomain: api-security -tags: [api-security, owasp, authorization, bfla, privilege-escalation, access-control] +tags: +- api-security +- owasp +- authorization +- bfla +- privilege-escalation +- access-control version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- PR.PS-01 +- ID.RA-01 +- PR.DS-10 +- DE.CM-01 --- # Exploiting Broken Function Level Authorization diff --git a/skills/exploiting-broken-link-hijacking/SKILL.md b/skills/exploiting-broken-link-hijacking/SKILL.md index d58b987c..3000a0ab 100644 --- a/skills/exploiting-broken-link-hijacking/SKILL.md +++ b/skills/exploiting-broken-link-hijacking/SKILL.md 
@@ -1,12 +1,25 @@ --- name: exploiting-broken-link-hijacking -description: Discover and exploit broken link hijacking vulnerabilities by identifying references to expired domains, decommissioned cloud resources, and dead external services that can be claimed by an attacker. +description: Discover and exploit broken link hijacking vulnerabilities by identifying references to expired domains, decommissioned + cloud resources, and dead external services that can be claimed by an attacker. domain: cybersecurity subdomain: web-application-security -tags: [broken-link-hijacking, blh, subdomain-takeover, dead-link, expired-domain, supply-chain, external-resource] -version: "1.0" +tags: +- broken-link-hijacking +- blh +- subdomain-takeover +- dead-link +- expired-domain +- supply-chain +- external-resource +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.PS-01 +- ID.RA-01 +- PR.DS-10 +- DE.CM-01 --- # Exploiting Broken Link Hijacking diff --git a/skills/exploiting-constrained-delegation-abuse/SKILL.md b/skills/exploiting-constrained-delegation-abuse/SKILL.md index 418c34ac..435c0ed6 100644 --- a/skills/exploiting-constrained-delegation-abuse/SKILL.md +++ b/skills/exploiting-constrained-delegation-abuse/SKILL.md @@ -21,6 +21,10 @@ d3fend_techniques: - Network Traffic Analysis - Client-server Payload Profiling - Network Traffic Community Deviation +nist_csf: +- ID.RA-01 +- GV.OV-02 +- DE.AE-07 --- # Exploiting Constrained Delegation Abuse diff --git a/skills/exploiting-deeplink-vulnerabilities/SKILL.md b/skills/exploiting-deeplink-vulnerabilities/SKILL.md index 5161f32d..e1cd9982 100644 --- a/skills/exploiting-deeplink-vulnerabilities/SKILL.md +++ b/skills/exploiting-deeplink-vulnerabilities/SKILL.md 
@@ -1,17 +1,28 @@ --- name: exploiting-deeplink-vulnerabilities -description: > - Tests and exploits deep link (URL scheme and App Link) vulnerabilities in Android and iOS mobile - applications to identify unauthorized access, data injection, intent hijacking, and redirect - manipulation. Use when assessing mobile app attack surface through custom URI schemes, Android - App Links, iOS Universal Links, or intent-based navigation. Activates for requests involving - deep link security testing, URL scheme exploitation, mobile intent abuse, or link hijacking. +description: 'Tests and exploits deep link (URL scheme and App Link) vulnerabilities in Android and iOS mobile applications + to identify unauthorized access, data injection, intent hijacking, and redirect manipulation. Use when assessing mobile + app attack surface through custom URI schemes, Android App Links, iOS Universal Links, or intent-based navigation. Activates + for requests involving deep link security testing, URL scheme exploitation, mobile intent abuse, or link hijacking. + + ' domain: cybersecurity subdomain: mobile-security author: mahipal -tags: [mobile-security, android, ios, deep-links, owasp-mobile, penetration-testing] +tags: +- mobile-security +- android +- ios +- deep-links +- owasp-mobile +- penetration-testing version: 1.0.0 license: Apache-2.0 +nist_csf: +- PR.PS-01 +- PR.AA-05 +- ID.RA-01 +- DE.CM-09 --- # Exploiting Deep Link Vulnerabilities diff --git a/skills/exploiting-excessive-data-exposure-in-api/SKILL.md b/skills/exploiting-excessive-data-exposure-in-api/SKILL.md index 8fcae545..14ac2eeb 100644 --- a/skills/exploiting-excessive-data-exposure-in-api/SKILL.md +++ b/skills/exploiting-excessive-data-exposure-in-api/SKILL.md 
@@ -1,18 +1,28 @@ --- name: exploiting-excessive-data-exposure-in-api -description: > - Tests APIs for excessive data exposure where endpoints return more data than the client - application needs, relying on the frontend to filter sensitive fields. The tester intercepts - API responses and analyzes them for leaked PII, internal identifiers, debug information, - or sensitive business data that the UI does not display but the API transmits. This maps to - OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests involving - API data leakage testing, excessive data exposure, response filtering bypass, or API over-fetching. +description: 'Tests APIs for excessive data exposure where endpoints return more data than the client application needs, relying + on the frontend to filter sensitive fields. The tester intercepts API responses and analyzes them for leaked PII, internal + identifiers, debug information, or sensitive business data that the UI does not display but the API transmits. This maps + to OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests involving API data leakage testing, + excessive data exposure, response filtering bypass, or API over-fetching. + + ' domain: cybersecurity subdomain: api-security -tags: [api-security, owasp, data-exposure, rest-security, pii-leakage] +tags: +- api-security +- owasp +- data-exposure +- rest-security +- pii-leakage version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- PR.PS-01 +- ID.RA-01 +- PR.DS-10 +- DE.CM-01 --- # Exploiting Excessive Data Exposure in API diff --git a/skills/exploiting-http-request-smuggling/SKILL.md b/skills/exploiting-http-request-smuggling/SKILL.md index d02bb146..4084d536 100644 --- a/skills/exploiting-http-request-smuggling/SKILL.md +++ b/skills/exploiting-http-request-smuggling/SKILL.md 
@@ -1,12 +1,24 @@
 ---
 name: exploiting-http-request-smuggling
-description: Detecting and exploiting HTTP request smuggling vulnerabilities caused by Content-Length and Transfer-Encoding parsing discrepancies between front-end and back-end servers.
+description: Detecting and exploiting HTTP request smuggling vulnerabilities caused by Content-Length and Transfer-Encoding
+ parsing discrepancies between front-end and back-end servers.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, request-smuggling, http-desync, web-security, burpsuite, owasp]
-version: "1.0"
+tags:
+- penetration-testing
+- request-smuggling
+- http-desync
+- web-security
+- burpsuite
+- owasp
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Exploiting HTTP Request Smuggling
diff --git a/skills/exploiting-idor-vulnerabilities/SKILL.md b/skills/exploiting-idor-vulnerabilities/SKILL.md
index 9e4e7b9e..2b49c0db 100644
--- a/skills/exploiting-idor-vulnerabilities/SKILL.md
+++ b/skills/exploiting-idor-vulnerabilities/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: exploiting-idor-vulnerabilities
-description: Identifying and exploiting Insecure Direct Object Reference vulnerabilities to access unauthorized resources by manipulating object identifiers in API requests and URLs.
+description: Identifying and exploiting Insecure Direct Object Reference vulnerabilities to access unauthorized resources
+ by manipulating object identifiers in API requests and URLs.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, idor, access-control, owasp, burpsuite, web-security]
-version: "1.0"
+tags:
+- penetration-testing
+- idor
+- access-control
+- owasp
+- burpsuite
+- web-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Exploiting IDOR Vulnerabilities
diff --git a/skills/exploiting-insecure-data-storage-in-mobile/SKILL.md b/skills/exploiting-insecure-data-storage-in-mobile/SKILL.md
index 930b6e3d..c89cae43 100644
--- a/skills/exploiting-insecure-data-storage-in-mobile/SKILL.md
+++ b/skills/exploiting-insecure-data-storage-in-mobile/SKILL.md
@@ -27,6 +27,11 @@ nist_ai_rmf:
 - MANAGE-2.4
 - GOVERN-1.1
 - GOVERN-4.2
+nist_csf:
+- PR.PS-01
+- PR.AA-05
+- ID.RA-01
+- DE.CM-09
 ---
 # Exploiting Insecure Data Storage in Mobile
diff --git a/skills/exploiting-insecure-deserialization/SKILL.md b/skills/exploiting-insecure-deserialization/SKILL.md
index 7431eaa9..fcc317ac 100644
--- a/skills/exploiting-insecure-deserialization/SKILL.md
+++ b/skills/exploiting-insecure-deserialization/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: exploiting-insecure-deserialization
-description: Identifying and exploiting insecure deserialization vulnerabilities in Java, PHP, Python, and .NET applications to achieve remote code execution during authorized penetration tests.
+description: Identifying and exploiting insecure deserialization vulnerabilities in Java, PHP, Python, and .NET applications
+ to achieve remote code execution during authorized penetration tests.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, deserialization, rce, owasp, web-security, ysoserial]
-version: "1.0"
+tags:
+- penetration-testing
+- deserialization
+- rce
+- owasp
+- web-security
+- ysoserial
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Exploiting Insecure Deserialization
diff --git a/skills/exploiting-ipv6-vulnerabilities/SKILL.md b/skills/exploiting-ipv6-vulnerabilities/SKILL.md
index bde32db5..613498f8 100644
--- a/skills/exploiting-ipv6-vulnerabilities/SKILL.md
+++ b/skills/exploiting-ipv6-vulnerabilities/SKILL.md
@@ -1,15 +1,25 @@
 ---
 name: exploiting-ipv6-vulnerabilities
-description: >
- Identifies and exploits IPv6-specific vulnerabilities including SLAAC spoofing,
- Router Advertisement flooding, and IPv6 tunneling during authorized assessments
- to test dual-stack security controls and IPv6-aware network defenses.
+description: 'Identifies and exploits IPv6-specific vulnerabilities including SLAAC spoofing, Router Advertisement flooding,
+ and IPv6 tunneling during authorized assessments to test dual-stack security controls and IPv6-aware network defenses.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, ipv6, slaac, router-advertisement, dual-stack-security]
-version: "1.0"
+tags:
+- network-security
+- ipv6
+- slaac
+- router-advertisement
+- dual-stack-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 # Exploiting IPv6 Vulnerabilities
diff --git a/skills/exploiting-jwt-algorithm-confusion-attack/SKILL.md b/skills/exploiting-jwt-algorithm-confusion-attack/SKILL.md
index 77c1269e..80131050 100644
--- a/skills/exploiting-jwt-algorithm-confusion-attack/SKILL.md
+++ b/skills/exploiting-jwt-algorithm-confusion-attack/SKILL.md
@@ -1,19 +1,28 @@
 ---
 name: exploiting-jwt-algorithm-confusion-attack
-description: >
- Exploits JWT algorithm confusion vulnerabilities where the server's token verification
- library accepts the algorithm specified in the JWT header rather than enforcing a fixed
- algorithm. The tester manipulates the alg header to switch from RS256 to HS256 (using
- the RSA public key as the HMAC secret), sets alg to none to bypass signature verification,
- or exploits kid/jku/x5u header injection to supply attacker-controlled keys. Activates
- for requests involving JWT algorithm confusion, alg none attack, key confusion attack,
- or JWT signature bypass.
+description: 'Exploits JWT algorithm confusion vulnerabilities where the server''s token verification library accepts the
+ algorithm specified in the JWT header rather than enforcing a fixed algorithm. The tester manipulates the alg header to
+ switch from RS256 to HS256 (using the RSA public key as the HMAC secret), sets alg to none to bypass signature verification,
+ or exploits kid/jku/x5u header injection to supply attacker-controlled keys. Activates for requests involving JWT algorithm
+ confusion, alg none attack, key confusion attack, or JWT signature bypass.
+
+ '
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, jwt, algorithm-confusion, token-forgery, cryptographic-attack]
+tags:
+- api-security
+- jwt
+- algorithm-confusion
+- token-forgery
+- cryptographic-attack
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Exploiting JWT Algorithm Confusion Attack
diff --git a/skills/exploiting-kerberoasting-with-impacket/SKILL.md b/skills/exploiting-kerberoasting-with-impacket/SKILL.md
index 85569a21..92102fa3 100644
--- a/skills/exploiting-kerberoasting-with-impacket/SKILL.md
+++ b/skills/exploiting-kerberoasting-with-impacket/SKILL.md
@@ -21,6 +21,10 @@ d3fend_techniques:
 - Network Traffic Analysis
 - Client-server Payload Profiling
 - Network Traffic Community Deviation
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 # Exploiting Kerberoasting with Impacket
diff --git a/skills/exploiting-mass-assignment-in-rest-apis/SKILL.md b/skills/exploiting-mass-assignment-in-rest-apis/SKILL.md
index e23471fd..e7f87679 100644
--- a/skills/exploiting-mass-assignment-in-rest-apis/SKILL.md
+++ b/skills/exploiting-mass-assignment-in-rest-apis/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: exploiting-mass-assignment-in-rest-apis
-description: Discover and exploit mass assignment vulnerabilities in REST APIs to escalate privileges, modify restricted fields, and bypass authorization controls by injecting unexpected parameters in API requests.
+description: Discover and exploit mass assignment vulnerabilities in REST APIs to escalate privileges, modify restricted fields,
+ and bypass authorization controls by injecting unexpected parameters in API requests.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [mass-assignment, api-security, privilege-escalation, rest-api, autobinding, parameter-injection, owasp-api]
-version: "1.0"
+tags:
+- mass-assignment
+- api-security
+- privilege-escalation
+- rest-api
+- autobinding
+- parameter-injection
+- owasp-api
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Exploiting Mass Assignment in REST APIs
diff --git a/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md b/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md
index f2df1ccf..8e7d5061 100644
--- a/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md
+++ b/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md
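Review bot: `GV.OV-02` in the added `nist_csf` list for the Kerberoasting skill is a Govern/Oversight subcategory (review of the risk-management strategy, as I read CSF 2.0) and does not describe anything a Kerberoasting assessment exercises; the detection side is already carried by `DE.AE-07` and the risk side by `ID.RA-01`. The same three-entry list is added in the MS17-010, noPac and Zerologon hunks and, with `ID.RA-06` added, in the exploiting-sql-injection-vulnerabilities hunk, so it looks like a template for exploit-style skills rather than a per-skill judgement; I would drop `GV.OV-02` unless the skill body actually covers governance review. Because `GV.*` identifiers exist only in CSF 2.0 while other files in this diff carry `RS.AN-01`, the front matter should also state which CSF edition these IDs belong to, for example a sibling key such as `nist_csf_version: '2.0'` (a new key, name to be agreed). The enclosing front matter starts above this hunk.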
@@ -22,6 +22,10 @@ d3fend_techniques:
 - Network Traffic Analysis
 - Client-server Payload Profiling
 - Platform Monitoring
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 # Exploiting MS17-010 EternalBlue Vulnerability
diff --git a/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md b/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md
index 08e81af4..a847a3f6 100644
--- a/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md
+++ b/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md
@@ -21,6 +21,10 @@ d3fend_techniques:
 - Stack Frame Canary Validation
 - Segment Address Offset Randomization
 - Process Analysis
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 # Exploiting noPac (CVE-2021-42278 / CVE-2021-42287)
diff --git a/skills/exploiting-nosql-injection-vulnerabilities/SKILL.md b/skills/exploiting-nosql-injection-vulnerabilities/SKILL.md
index 76ce3f67..99de35bf 100644
--- a/skills/exploiting-nosql-injection-vulnerabilities/SKILL.md
+++ b/skills/exploiting-nosql-injection-vulnerabilities/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: exploiting-nosql-injection-vulnerabilities
-description: Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate authentication bypass, data extraction, and unauthorized access risks.
+description: Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate
+ authentication bypass, data extraction, and unauthorized access risks.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [nosql-injection, mongodb, authentication-bypass, injection-attack, web-security, database-security, api-testing]
-version: "1.0"
+tags:
+- nosql-injection
+- mongodb
+- authentication-bypass
+- injection-attack
+- web-security
+- database-security
+- api-testing
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Exploiting NoSQL Injection Vulnerabilities
diff --git a/skills/exploiting-oauth-misconfiguration/SKILL.md b/skills/exploiting-oauth-misconfiguration/SKILL.md
index 421a8df0..b964a7d2 100644
--- a/skills/exploiting-oauth-misconfiguration/SKILL.md
+++ b/skills/exploiting-oauth-misconfiguration/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: exploiting-oauth-misconfiguration
-description: Identifying and exploiting OAuth 2.0 and OpenID Connect misconfigurations including redirect URI manipulation, token leakage, and authorization code theft during security assessments.
+description: Identifying and exploiting OAuth 2.0 and OpenID Connect misconfigurations including redirect URI manipulation,
+ token leakage, and authorization code theft during security assessments.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, oauth, oidc, authentication, web-security, authorization]
-version: "1.0"
+tags:
+- penetration-testing
+- oauth
+- oidc
+- authentication
+- web-security
+- authorization
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Exploiting OAuth Misconfiguration
diff --git a/skills/exploiting-prototype-pollution-in-javascript/SKILL.md b/skills/exploiting-prototype-pollution-in-javascript/SKILL.md
index aedfcd0f..63325228 100644
--- a/skills/exploiting-prototype-pollution-in-javascript/SKILL.md
+++ b/skills/exploiting-prototype-pollution-in-javascript/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: exploiting-prototype-pollution-in-javascript
-description: Detect and exploit JavaScript prototype pollution vulnerabilities on both client-side and server-side applications to achieve XSS, RCE, and authentication bypass through property injection.
+description: Detect and exploit JavaScript prototype pollution vulnerabilities on both client-side and server-side applications
+ to achieve XSS, RCE, and authentication bypass through property injection.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [prototype-pollution, javascript, node-js, xss, rce, property-injection, dom-xss, server-side-pollution]
-version: "1.0"
+tags:
+- prototype-pollution
+- javascript
+- node-js
+- xss
+- rce
+- property-injection
+- dom-xss
+- server-side-pollution
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Exploiting Prototype Pollution in JavaScript
diff --git a/skills/exploiting-race-condition-vulnerabilities/SKILL.md b/skills/exploiting-race-condition-vulnerabilities/SKILL.md
index 0e58855f..9eb611dc 100644
--- a/skills/exploiting-race-condition-vulnerabilities/SKILL.md
+++ b/skills/exploiting-race-condition-vulnerabilities/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: exploiting-race-condition-vulnerabilities
-description: Detect and exploit race condition vulnerabilities in web applications using Turbo Intruder's single-packet attack technique to bypass rate limits, duplicate transactions, and exploit time-of-check-to-time-of-use flaws.
+description: Detect and exploit race condition vulnerabilities in web applications using Turbo Intruder's single-packet attack
+ technique to bypass rate limits, duplicate transactions, and exploit time-of-check-to-time-of-use flaws.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [race-condition, turbo-intruder, toctou, concurrency, single-packet-attack, limit-overrun, burp-suite]
-version: "1.0"
+tags:
+- race-condition
+- turbo-intruder
+- toctou
+- concurrency
+- single-packet-attack
+- limit-overrun
+- burp-suite
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Exploiting Race Condition Vulnerabilities
diff --git a/skills/exploiting-server-side-request-forgery/SKILL.md b/skills/exploiting-server-side-request-forgery/SKILL.md
index 71bf5ebf..a391c067 100644
--- a/skills/exploiting-server-side-request-forgery/SKILL.md
+++ b/skills/exploiting-server-side-request-forgery/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: exploiting-server-side-request-forgery
-description: Identifying and exploiting SSRF vulnerabilities to access internal services, cloud metadata, and restricted network resources during authorized penetration tests.
+description: Identifying and exploiting SSRF vulnerabilities to access internal services, cloud metadata, and restricted network
+ resources during authorized penetration tests.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, ssrf, owasp, cloud-security, web-security, burpsuite]
-version: "1.0"
+tags:
+- penetration-testing
+- ssrf
+- owasp
+- cloud-security
+- web-security
+- burpsuite
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Exploiting Server-Side Request Forgery
diff --git a/skills/exploiting-smb-vulnerabilities-with-metasploit/SKILL.md b/skills/exploiting-smb-vulnerabilities-with-metasploit/SKILL.md
index 873687a7..b448f83e 100644
--- a/skills/exploiting-smb-vulnerabilities-with-metasploit/SKILL.md
+++ b/skills/exploiting-smb-vulnerabilities-with-metasploit/SKILL.md
@@ -1,15 +1,25 @@
 ---
 name: exploiting-smb-vulnerabilities-with-metasploit
-description: >
- Identifies and exploits SMB protocol vulnerabilities using Metasploit Framework
- during authorized penetration tests to demonstrate risks from unpatched Windows
- systems, misconfigured shares, and weak authentication in enterprise networks.
+description: 'Identifies and exploits SMB protocol vulnerabilities using Metasploit Framework during authorized penetration
+ tests to demonstrate risks from unpatched Windows systems, misconfigured shares, and weak authentication in enterprise networks.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, smb, metasploit, exploitation, eternalblue]
-version: "1.0"
+tags:
+- network-security
+- smb
+- metasploit
+- exploitation
+- eternalblue
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 # Exploiting SMB Vulnerabilities with Metasploit
diff --git a/skills/exploiting-sql-injection-vulnerabilities/SKILL.md b/skills/exploiting-sql-injection-vulnerabilities/SKILL.md
index 74ddb8d8..7443429e 100644
--- a/skills/exploiting-sql-injection-vulnerabilities/SKILL.md
+++ b/skills/exploiting-sql-injection-vulnerabilities/SKILL.md
@@ -1,19 +1,28 @@
 ---
 name: exploiting-sql-injection-vulnerabilities
-description: >
- Identifies and exploits SQL injection vulnerabilities in web applications during authorized
- penetration tests using manual techniques and automated tools like sqlmap. The tester detects
- injection points through error-based, union-based, blind boolean, and time-based blind
- techniques across all major database engines (MySQL, PostgreSQL, MSSQL, Oracle) to demonstrate
- data extraction, authentication bypass, and potential remote code execution. Activates for
- requests involving SQL injection testing, SQLi exploitation, database security assessment,
- or injection vulnerability verification.
+description: 'Identifies and exploits SQL injection vulnerabilities in web applications during authorized penetration tests
+ using manual techniques and automated tools like sqlmap. The tester detects injection points through error-based, union-based,
+ blind boolean, and time-based blind techniques across all major database engines (MySQL, PostgreSQL, MSSQL, Oracle) to demonstrate
+ data extraction, authentication bypass, and potential remote code execution. Activates for requests involving SQL injection
+ testing, SQLi exploitation, database security assessment, or injection vulnerability verification.
+
+ '
 domain: cybersecurity
 subdomain: penetration-testing
-tags: [SQL-injection, sqlmap, database-security, OWASP-A03, injection-testing]
+tags:
+- SQL-injection
+- sqlmap
+- database-security
+- OWASP-A03
+- injection-testing
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 # Exploiting SQL Injection Vulnerabilities
diff --git a/skills/exploiting-sql-injection-with-sqlmap/SKILL.md b/skills/exploiting-sql-injection-with-sqlmap/SKILL.md
index 50867010..92124979 100644
--- a/skills/exploiting-sql-injection-with-sqlmap/SKILL.md
+++ b/skills/exploiting-sql-injection-with-sqlmap/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: exploiting-sql-injection-with-sqlmap
-description: Detecting and exploiting SQL injection vulnerabilities using sqlmap to extract database contents during authorized penetration tests.
+description: Detecting and exploiting SQL injection vulnerabilities using sqlmap to extract database contents during authorized
+ penetration tests.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, sql-injection, sqlmap, owasp, database-security, web-security]
-version: "1.0"
+tags:
+- penetration-testing
+- sql-injection
+- sqlmap
+- owasp
+- database-security
+- web-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Exploiting SQL Injection with sqlmap
diff --git a/skills/exploiting-template-injection-vulnerabilities/SKILL.md b/skills/exploiting-template-injection-vulnerabilities/SKILL.md
index 7a171a6c..b137c7e7 100644
--- a/skills/exploiting-template-injection-vulnerabilities/SKILL.md
+++ b/skills/exploiting-template-injection-vulnerabilities/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: exploiting-template-injection-vulnerabilities
-description: Detecting and exploiting Server-Side Template Injection (SSTI) vulnerabilities across Jinja2, Twig, Freemarker, and other template engines to achieve remote code execution.
+description: Detecting and exploiting Server-Side Template Injection (SSTI) vulnerabilities across Jinja2, Twig, Freemarker,
+ and other template engines to achieve remote code execution.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, ssti, template-injection, rce, web-security, owasp]
-version: "1.0"
+tags:
+- penetration-testing
+- ssti
+- template-injection
+- rce
+- web-security
+- owasp
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Exploiting Template Injection Vulnerabilities
diff --git a/skills/exploiting-type-juggling-vulnerabilities/SKILL.md b/skills/exploiting-type-juggling-vulnerabilities/SKILL.md
index f52b520b..04b438f9 100644
--- a/skills/exploiting-type-juggling-vulnerabilities/SKILL.md
+++ b/skills/exploiting-type-juggling-vulnerabilities/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: exploiting-type-juggling-vulnerabilities
-description: Exploit PHP type juggling vulnerabilities caused by loose comparison operators to bypass authentication, circumvent hash verification, and manipulate application logic through type coercion attacks.
+description: Exploit PHP type juggling vulnerabilities caused by loose comparison operators to bypass authentication, circumvent
+ hash verification, and manipulate application logic through type coercion attacks.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [type-juggling, php-security, loose-comparison, authentication-bypass, magic-hash, type-coercion, web-security]
-version: "1.0"
+tags:
+- type-juggling
+- php-security
+- loose-comparison
+- authentication-bypass
+- magic-hash
+- type-coercion
+- web-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Exploiting Type Juggling Vulnerabilities
diff --git a/skills/exploiting-vulnerabilities-with-metasploit-framework/SKILL.md b/skills/exploiting-vulnerabilities-with-metasploit-framework/SKILL.md
index 1da850bb..078a5df3 100644
--- a/skills/exploiting-vulnerabilities-with-metasploit-framework/SKILL.md
+++ b/skills/exploiting-vulnerabilities-with-metasploit-framework/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: exploiting-vulnerabilities-with-metasploit-framework
-description: The Metasploit Framework is the world's most widely used penetration testing platform, maintained by Rapid7. It contains over 2,300 exploits, 1,200 auxiliary modules, and 400 post-exploitation modules
+description: The Metasploit Framework is the world's most widely used penetration testing platform, maintained by Rapid7.
+ It contains over 2,300 exploits, 1,200 auxiliary modules, and 400 post-exploitation modules
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [vulnerability-management, cve, metasploit, exploitation, penetration-testing, risk]
-version: "1.0"
+tags:
+- vulnerability-management
+- cve
+- metasploit
+- exploitation
+- penetration-testing
+- risk
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 # Exploiting Vulnerabilities with Metasploit Framework
diff --git a/skills/exploiting-websocket-vulnerabilities/SKILL.md b/skills/exploiting-websocket-vulnerabilities/SKILL.md
index 457c2237..0b625906 100644
--- a/skills/exploiting-websocket-vulnerabilities/SKILL.md
+++ b/skills/exploiting-websocket-vulnerabilities/SKILL.md
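Review bot: The re-wrapped `description` for exploiting-vulnerabilities-with-metasploit-framework is a product blurb about Metasploit ending mid-sentence at `400 post-exploitation modules`, with no closing punctuation, rather than a statement of what the skill does and when it applies, which is how every other `description` in this diff is written. If the field drives skill selection, as the "Activates for requests involving ..." wording elsewhere suggests, this one will match poorly; something in the sibling form such as `description: Identifies and exploits known vulnerabilities with the Metasploit Framework during authorized penetration tests, covering module selection, payload configuration and post-exploitation.` would be consistent, and the module counts, which change with every release, are better left out of metadata. The `subdomain: vulnerability-management` value also sits oddly next to the other `exploiting-*` skills, which use `penetration-testing`, `web-application-security` or `network-security`; worth confirming it is intentional.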
@@ -1,12 +1,24 @@
 ---
 name: exploiting-websocket-vulnerabilities
-description: Testing WebSocket implementations for authentication bypass, cross-site hijacking, injection attacks, and insecure message handling during authorized security assessments.
+description: Testing WebSocket implementations for authentication bypass, cross-site hijacking, injection attacks, and insecure
+ message handling during authorized security assessments.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, websocket, web-security, owasp, real-time, burpsuite]
-version: "1.0"
+tags:
+- penetration-testing
+- websocket
+- web-security
+- owasp
+- real-time
+- burpsuite
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Exploiting WebSocket Vulnerabilities
diff --git a/skills/exploiting-zerologon-vulnerability-cve-2020-1472/SKILL.md b/skills/exploiting-zerologon-vulnerability-cve-2020-1472/SKILL.md
index b56b062c..73de0300 100644
--- a/skills/exploiting-zerologon-vulnerability-cve-2020-1472/SKILL.md
+++ b/skills/exploiting-zerologon-vulnerability-cve-2020-1472/SKILL.md
@@ -21,6 +21,10 @@ d3fend_techniques:
 - Stack Frame Canary Validation
 - Segment Address Offset Randomization
 - Process Analysis
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 # Exploiting Zerologon Vulnerability (CVE-2020-1472)
diff --git a/skills/extracting-browser-history-artifacts/SKILL.md b/skills/extracting-browser-history-artifacts/SKILL.md
index 2f63f7b3..354505b1 100644
--- a/skills/extracting-browser-history-artifacts/SKILL.md
+++ b/skills/extracting-browser-history-artifacts/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: extracting-browser-history-artifacts
-description: Extract and analyze browser history, cookies, cache, downloads, and bookmarks from Chrome, Firefox, and Edge for forensic evidence of user web activity.
+description: Extract and analyze browser history, cookies, cache, downloads, and bookmarks from Chrome, Firefox, and Edge
+ for forensic evidence of user web activity.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, browser-forensics, chrome, firefox, edge, web-history, artifact-extraction]
-version: "1.0"
+tags:
+- forensics
+- browser-forensics
+- chrome
+- firefox
+- edge
+- web-history
+- artifact-extraction
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 # Extracting Browser History Artifacts
diff --git a/skills/extracting-config-from-agent-tesla-rat/SKILL.md b/skills/extracting-config-from-agent-tesla-rat/SKILL.md
index 4e6a953a..c933783a 100644
--- a/skills/extracting-config-from-agent-tesla-rat/SKILL.md
+++ b/skills/extracting-config-from-agent-tesla-rat/SKILL.md
@@ -23,6 +23,11 @@ nist_ai_rmf:
 - GOVERN-1.1
 - MEASURE-2.7
 - MANAGE-3.1
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Extracting Config from Agent Tesla RAT
diff --git a/skills/extracting-credentials-from-memory-dump/SKILL.md b/skills/extracting-credentials-from-memory-dump/SKILL.md
index 08d88395..d2c54ae1 100644
--- a/skills/extracting-credentials-from-memory-dump/SKILL.md
+++ b/skills/extracting-credentials-from-memory-dump/SKILL.md
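Review bot: `RS.AN-01` in the added `nist_csf` list for extracting-browser-history-artifacts sits next to `RS.MA-01`, which exists only in CSF 2.0; as I recall the 2.0 core, RS.AN-01 was withdrawn there and folded into DE.AE-02, which this same list already carries, so the four entries either mix framework editions or duplicate one another — verify against the published CSF 2.0 core before merge. The identical list is added in the extracting-credentials-from-memory-dump and extracting-windows-event-logs-artifacts hunks below (and in the dd/dcfldd file earlier in this diff), so a fix should be applied to all of them at once. If RS.AN-01 is dropped, `RS.AN-03` and `DE.AE-02` still cover the analysis activity; recording the CSF edition in the front matter would prevent this class of mismatch in future mappings.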
@@ -1,13 +1,29 @@
 ---
 name: extracting-credentials-from-memory-dump
-description: Extract cached credentials, password hashes, Kerberos tickets, and authentication tokens from memory dumps using Volatility and Mimikatz for forensic investigation.
+description: Extract cached credentials, password hashes, Kerberos tickets, and authentication tokens from memory dumps using
+ Volatility and Mimikatz for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, credential-extraction, memory-forensics, volatility, mimikatz, password-hashes, incident-response]
-mitre_attack: ["T1003", "T1558", "T1552"]
-version: "1.0"
+tags:
+- forensics
+- credential-extraction
+- memory-forensics
+- volatility
+- mimikatz
+- password-hashes
+- incident-response
+mitre_attack:
+- T1003
+- T1558
+- T1552
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 # Extracting Credentials from Memory Dump
diff --git a/skills/extracting-iocs-from-malware-samples/SKILL.md b/skills/extracting-iocs-from-malware-samples/SKILL.md
index 392105ab..eb3481e1 100644
--- a/skills/extracting-iocs-from-malware-samples/SKILL.md
+++ b/skills/extracting-iocs-from-malware-samples/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: extracting-iocs-from-malware-samples
-description: >
- Extracts indicators of compromise (IOCs) from malware samples including file hashes,
- network indicators (IPs, domains, URLs), host artifacts (file paths, registry keys,
- mutexes), and behavioral patterns for threat intelligence sharing and detection rule
- creation. Activates for requests involving IOC extraction, threat indicator harvesting,
- malware indicator collection, or building detection content from samples.
+description: 'Extracts indicators of compromise (IOCs) from malware samples including file hashes, network indicators (IPs,
+ domains, URLs), host artifacts (file paths, registry keys, mutexes), and behavioral patterns for threat intelligence sharing
+ and detection rule creation. Activates for requests involving IOC extraction, threat indicator harvesting, malware indicator
+ collection, or building detection content from samples.
+
+ '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, IOC-extraction, threat-intelligence, indicators, detection]
+tags:
+- malware
+- IOC-extraction
+- threat-intelligence
+- indicators
+- detection
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Extracting IOCs from Malware Samples
diff --git a/skills/extracting-memory-artifacts-with-rekall/SKILL.md b/skills/extracting-memory-artifacts-with-rekall/SKILL.md
index 2b700cc8..346b620c 100644
--- a/skills/extracting-memory-artifacts-with-rekall/SKILL.md
+++ b/skills/extracting-memory-artifacts-with-rekall/SKILL.md
@@ -1,16 +1,25 @@
 ---
 name: extracting-memory-artifacts-with-rekall
-description: >
- Uses Rekall memory forensics framework to analyze memory dumps for process hollowing,
- injected code via VAD anomalies, hidden processes, and rootkit detection. Applies
- plugins like pslist, psscan, vadinfo, malfind, and dlllist to extract forensic
- artifacts from Windows memory images. Use during incident response memory analysis.
+description: 'Uses Rekall memory forensics framework to analyze memory dumps for process hollowing, injected code via VAD
+ anomalies, hidden processes, and rootkit detection. Applies plugins like pslist, psscan, vadinfo, malfind, and dlllist to
+ extract forensic artifacts from Windows memory images. Use during incident response memory analysis.
+
+ '
 domain: cybersecurity
 subdomain: security-operations
-tags: [extracting, memory, artifacts, with]
-version: "1.0"
+tags:
+- extracting
+- memory
+- artifacts
+- with
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
 # Extracting Memory Artifacts with Rekall
diff --git a/skills/extracting-windows-event-logs-artifacts/SKILL.md b/skills/extracting-windows-event-logs-artifacts/SKILL.md
index 195136a0..d828a68f 100644
--- a/skills/extracting-windows-event-logs-artifacts/SKILL.md
+++ b/skills/extracting-windows-event-logs-artifacts/SKILL.md
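Review bot: The `tags` list this hunk rewrites for extracting-memory-artifacts-with-rekall (`extracting`, `memory`, `artifacts`, `with`) is the skill name split on hyphens — `with` is a stopword and none of the four overlaps the vocabulary the neighbouring memory-forensics skill uses (`forensics`, `memory-forensics`, `volatility`, `incident-response` in the extracting-credentials-from-memory-dump hunk). Since the commit is already touching the list's layout, it is the right moment to replace its content, e.g. `- forensics`, `- memory-forensics`, `- rekall`, `- incident-response`, so the skill is discoverable alongside its siblings. Two smaller inconsistencies in the same front matter: `subdomain: security-operations` differs from the `digital-forensics` used by the other artifact-extraction skills in this diff, and `GV.OV-01` in the new `nist_csf` list is a governance subcategory with no obvious relation to memory analysis; both are worth a second look.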
@@ -1,12 +1,25 @@
 ---
 name: extracting-windows-event-logs-artifacts
-description: Extract, parse, and analyze Windows Event Logs (EVTX) using Chainsaw, Hayabusa, and EvtxECmd to detect lateral movement, persistence, and privilege escalation.
+description: Extract, parse, and analyze Windows Event Logs (EVTX) using Chainsaw, Hayabusa, and EvtxECmd to detect lateral
+ movement, persistence, and privilege escalation.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, windows-event-logs, evtx, chainsaw, hayabusa, sigma-rules, incident-response]
-version: "1.0"
+tags:
+- forensics
+- windows-event-logs
+- evtx
+- chainsaw
+- hayabusa
+- sigma-rules
+- incident-response
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 # Extracting Windows Event Logs Artifacts
diff --git a/skills/generating-threat-intelligence-reports/SKILL.md b/skills/generating-threat-intelligence-reports/SKILL.md
index 3fc284e3..b3f7a7f0 100644
--- a/skills/generating-threat-intelligence-reports/SKILL.md
+++ b/skills/generating-threat-intelligence-reports/SKILL.md
@@ -1,18 +1,30 @@ --- name: generating-threat-intelligence-reports -description: > - Generates structured cyber threat intelligence reports at strategic, operational, and tactical - levels tailored to specific audiences including executives, security operations teams, and technical - analysts. Use when producing finished intelligence products from raw collection data, creating - sector threat briefings, or delivering post-incident intelligence assessments. Activates for - requests involving CTI report writing, threat briefings, intelligence products, finished - intelligence, or executive security reporting. +description: 'Generates structured cyber threat intelligence reports at strategic, operational, and tactical levels tailored + to specific audiences including executives, security operations teams, and technical analysts. Use when producing finished + intelligence products from raw collection data, creating sector threat briefings, or delivering post-incident intelligence + assessments. Activates for requests involving CTI report writing, threat briefings, intelligence products, finished intelligence, + or executive security reporting. + + ' domain: cybersecurity subdomain: threat-intelligence -tags: [CTI, threat-intelligence, intelligence-products, TLP, PIR, report-writing, NIST-CSF] +tags: +- CTI +- threat-intelligence +- intelligence-products +- TLP +- PIR +- report-writing +- NIST-CSF version: 1.0.0 author: team-cybersecurity license: Apache-2.0 +nist_csf: +- ID.RA-01 +- ID.RA-05 +- DE.CM-01 +- DE.AE-02 --- # Generating Threat Intelligence Reports diff --git a/skills/hardening-docker-containers-for-production/SKILL.md b/skills/hardening-docker-containers-for-production/SKILL.md index 3bb3e1d0..cf50f3d7 100644 --- a/skills/hardening-docker-containers-for-production/SKILL.md +++ b/skills/hardening-docker-containers-for-production/SKILL.md 
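Review bot: `version: 1.0.0` is left as a plain scalar here while every other skill in this commit is normalized to the quoted `version: '1.0'`, so the front matter now mixes two version schemes and two quoting styles across the repository. Pick one scheme and quote it everywhere, e.g. `version: '1.0.0'`, so a consumer that would otherwise read `1.0` as a float and `1.0.0` as a string sees a single type. The same unquoted `1.0.0` survives in the hunks for hardening-linux-endpoint-with-cis-benchmark, hardening-windows-endpoint-with-cis-benchmark and implementing-anti-ransomware-group-policy.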
@@ -1,12 +1,23 @@ --- name: hardening-docker-containers-for-production -description: Hardening Docker containers for production involves applying security best practices aligned with CIS Docker Benchmark v1.8.0 to minimize attack surface, prevent privilege escalation, and enforce leas +description: Hardening Docker containers for production involves applying security best practices aligned with CIS Docker + Benchmark v1.8.0 to minimize attack surface, prevent privilege escalation, and enforce leas domain: cybersecurity subdomain: container-security -tags: [containers, docker, security, hardening, CIS-benchmark] -version: "1.0" +tags: +- containers +- docker +- security +- hardening +- CIS-benchmark +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.PS-01 +- PR.IR-01 +- ID.AM-08 +- DE.CM-01 --- # Hardening Docker Containers for Production diff --git a/skills/hardening-docker-daemon-configuration/SKILL.md b/skills/hardening-docker-daemon-configuration/SKILL.md index 23f215f3..fe852950 100644 --- a/skills/hardening-docker-daemon-configuration/SKILL.md +++ b/skills/hardening-docker-daemon-configuration/SKILL.md @@ -1,12 +1,24 @@ --- name: hardening-docker-daemon-configuration -description: Harden the Docker daemon by configuring daemon.json with user namespace remapping, TLS authentication, rootless mode, and CIS benchmark controls. +description: Harden the Docker daemon by configuring daemon.json with user namespace remapping, TLS authentication, rootless + mode, and CIS benchmark controls. domain: cybersecurity subdomain: container-security -tags: [docker, daemon-hardening, container-security, cis-benchmark, rootless, userns-remap] -version: "1.0" +tags: +- docker +- daemon-hardening +- container-security +- cis-benchmark +- rootless +- userns-remap +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.PS-01 +- PR.IR-01 +- ID.AM-08 +- DE.CM-01 --- # Hardening Docker Daemon Configuration 
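Review bot: The reflowed `description` still ends mid-word at `enforce leas`, so the truncation present in the original single line is carried into the new front matter instead of being repaired. Complete the sentence (presumably `... prevent privilege escalation, and enforce least privilege.`) or cut it at the preceding sentence boundary; a description that stops mid-word will also look broken to anything that indexes or displays these fields. The same truncated tails survive in the hunks for implementing-aes-encryption-for-data-at-rest (`in GCM m`) and implementing-anti-phishing-training-program (`and positiv`).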
diff --git a/skills/hardening-linux-endpoint-with-cis-benchmark/SKILL.md b/skills/hardening-linux-endpoint-with-cis-benchmark/SKILL.md index fbd3787c..0fbe5d77 100644 --- a/skills/hardening-linux-endpoint-with-cis-benchmark/SKILL.md +++ b/skills/hardening-linux-endpoint-with-cis-benchmark/SKILL.md @@ -1,17 +1,28 @@ --- name: hardening-linux-endpoint-with-cis-benchmark -description: > - Hardens Linux endpoints using CIS Benchmark recommendations for Ubuntu, RHEL, and CentOS - to reduce attack surface, enforce security baselines, and meet compliance requirements. Use - when deploying new Linux servers, remediating audit findings, or establishing security - baselines for Linux infrastructure. Activates for requests involving Linux hardening, CIS - benchmarks for Linux, server security baselines, or Linux configuration compliance. +description: 'Hardens Linux endpoints using CIS Benchmark recommendations for Ubuntu, RHEL, and CentOS to reduce attack surface, + enforce security baselines, and meet compliance requirements. Use when deploying new Linux servers, remediating audit findings, + or establishing security baselines for Linux infrastructure. Activates for requests involving Linux hardening, CIS benchmarks + for Linux, server security baselines, or Linux configuration compliance. + + ' domain: cybersecurity subdomain: endpoint-security -tags: [endpoint, hardening, linux-security, CIS-benchmark, Ubuntu, RHEL] +tags: +- endpoint +- hardening +- linux-security +- CIS-benchmark +- Ubuntu +- RHEL version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- PR.PS-01 +- PR.PS-02 +- DE.CM-01 +- PR.IR-01 --- # Hardening Linux Endpoint with CIS Benchmark diff --git a/skills/hardening-windows-endpoint-with-cis-benchmark/SKILL.md b/skills/hardening-windows-endpoint-with-cis-benchmark/SKILL.md index 4b6110e8..27d0a7d0 100644 --- a/skills/hardening-windows-endpoint-with-cis-benchmark/SKILL.md +++ b/skills/hardening-windows-endpoint-with-cis-benchmark/SKILL.md 
@@ -1,17 +1,28 @@ --- name: hardening-windows-endpoint-with-cis-benchmark -description: > - Hardens Windows endpoints using CIS (Center for Internet Security) Benchmark recommendations - to reduce attack surface, enforce security baselines, and meet compliance requirements. Use when - deploying new Windows workstations or servers, remediating audit findings, or establishing - organization-wide security baselines. Activates for requests involving Windows hardening, - CIS benchmarks, GPO security baselines, or endpoint configuration compliance. +description: 'Hardens Windows endpoints using CIS (Center for Internet Security) Benchmark recommendations to reduce attack + surface, enforce security baselines, and meet compliance requirements. Use when deploying new Windows workstations or servers, + remediating audit findings, or establishing organization-wide security baselines. Activates for requests involving Windows + hardening, CIS benchmarks, GPO security baselines, or endpoint configuration compliance. + + ' domain: cybersecurity subdomain: endpoint-security -tags: [endpoint, hardening, windows-security, CIS-benchmark, GPO, baseline-configuration] +tags: +- endpoint +- hardening +- windows-security +- CIS-benchmark +- GPO +- baseline-configuration version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- PR.PS-01 +- PR.PS-02 +- DE.CM-01 +- PR.IR-01 --- # Hardening Windows Endpoint with CIS Benchmark diff --git a/skills/hunting-advanced-persistent-threats/SKILL.md b/skills/hunting-advanced-persistent-threats/SKILL.md index 07887217..e89d09d0 100644 --- a/skills/hunting-advanced-persistent-threats/SKILL.md +++ b/skills/hunting-advanced-persistent-threats/SKILL.md @@ -27,6 +27,11 @@ d3fend_techniques: - Identifier Analysis - Content Format Conversion - Message Analysis +nist_csf: +- ID.RA-01 +- ID.RA-05 +- DE.CM-01 +- DE.AE-02 --- # Hunting Advanced Persistent Threats 
diff --git a/skills/hunting-credential-stuffing-attacks/SKILL.md b/skills/hunting-credential-stuffing-attacks/SKILL.md index 9ac1d665..afdc17b2 100644 --- a/skills/hunting-credential-stuffing-attacks/SKILL.md +++ b/skills/hunting-credential-stuffing-attacks/SKILL.md @@ -1,16 +1,25 @@ --- name: hunting-credential-stuffing-attacks -description: > - Detects credential stuffing attacks by analyzing authentication logs for login velocity - anomalies, ASN diversity, password spray patterns, and geographic distribution of failed - logins. Uses statistical analysis on Splunk or raw log data. Use when investigating - account takeover campaigns or building detection rules for auth abuse. +description: 'Detects credential stuffing attacks by analyzing authentication logs for login velocity anomalies, ASN diversity, + password spray patterns, and geographic distribution of failed logins. Uses statistical analysis on Splunk or raw log data. + Use when investigating account takeover campaigns or building detection rules for auth abuse. + + ' domain: cybersecurity subdomain: security-operations -tags: [hunting, credential, stuffing, attacks] -version: "1.0" +tags: +- hunting +- credential +- stuffing +- attacks +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- DE.CM-01 +- RS.MA-01 +- GV.OV-01 +- DE.AE-02 --- # Hunting Credential Stuffing Attacks diff --git a/skills/hunting-for-anomalous-powershell-execution/SKILL.md b/skills/hunting-for-anomalous-powershell-execution/SKILL.md index 8cecc12d..5f7c60a2 100644 --- a/skills/hunting-for-anomalous-powershell-execution/SKILL.md +++ b/skills/hunting-for-anomalous-powershell-execution/SKILL.md 
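Review bot: The `tags` list is just the skill name split on hyphens (`hunting`, `credential`, `stuffing`, `attacks`), so it carries no searchable metadata and `credential` and `stuffing` as separate tags are noise; replace them with topic tags in the style of the neighbouring skills, e.g. `- credential-stuffing`, `- account-takeover`, `- authentication-logs`. The `nist_csf` entry `GV.OV-01` (a governance oversight outcome) also looks out of place for a detection-hunting skill beside DE.CM-01 and DE.AE-02; `RS.AN-03`, which the forensics hunks use, or another DE.AE outcome fits better unless the mapping was deliberate. The extracting-memory-artifacts-with-rekall hunk has the same split-name tags, including a bare `with`, and the same GV.OV-01 mapping.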
@@ -1,18 +1,29 @@ --- name: hunting-for-anomalous-powershell-execution -description: > - Hunt for malicious PowerShell activity by analyzing Script Block Logging (Event 4104), - Module Logging (Event 4103), and process creation events. The analyst parses Windows - Event Log EVTX files to detect obfuscated commands, AMSI bypass attempts, encoded - payloads, credential dumping keywords, and suspicious download cradles. Activates for - requests involving PowerShell threat hunting, script block analysis, encoded command - detection, or AMSI bypass identification. +description: 'Hunt for malicious PowerShell activity by analyzing Script Block Logging (Event 4104), Module Logging (Event + 4103), and process creation events. The analyst parses Windows Event Log EVTX files to detect obfuscated commands, AMSI + bypass attempts, encoded payloads, credential dumping keywords, and suspicious download cradles. Activates for requests + involving PowerShell threat hunting, script block analysis, encoded command detection, or AMSI bypass identification. + + ' domain: cybersecurity subdomain: threat-hunting -tags: [powershell, script-block-logging, event-4104, amsi, threat-hunting, evtx, obfuscation] -version: "1.0" +tags: +- powershell +- script-block-logging +- event-4104 +- amsi +- threat-hunting +- evtx +- obfuscation +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Anomalous PowerShell Execution diff --git a/skills/hunting-for-beaconing-with-frequency-analysis/SKILL.md b/skills/hunting-for-beaconing-with-frequency-analysis/SKILL.md index a4a114bc..45f254a0 100644 --- a/skills/hunting-for-beaconing-with-frequency-analysis/SKILL.md +++ b/skills/hunting-for-beaconing-with-frequency-analysis/SKILL.md 
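Review bot: The four `nist_csf` identifiers added here (DE.CM-01, DE.AE-02, DE.AE-07, ID.RA-05) are the identical set applied to every threat-hunting hunk in this commit, from hunting-for-beaconing-with-frequency-analysis through hunting-for-webshell-activity, which suggests the mapping was generated from the subdomain rather than reviewed per skill. Where a skill's `d3fend_techniques` already names restore or hardening activities (hunting-for-shadow-copy-deletion, hunting-for-supply-chain-compromise, hunting-for-data-staging-before-exfiltration) a recovery or protect outcome is plausibly missing, and a per-skill pass would make the field useful for filtering. If the set is intentionally a subdomain default, say so in the commit description or the front-matter schema so readers do not treat it as a curated mapping.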
@@ -22,6 +22,11 @@ d3fend_techniques: - Application Protocol Command Analysis - Content Format Conversion - File Content Analysis +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Beaconing with Frequency Analysis diff --git a/skills/hunting-for-cobalt-strike-beacons/SKILL.md b/skills/hunting-for-cobalt-strike-beacons/SKILL.md index ba337ed7..2a607f72 100644 --- a/skills/hunting-for-cobalt-strike-beacons/SKILL.md +++ b/skills/hunting-for-cobalt-strike-beacons/SKILL.md @@ -1,12 +1,28 @@ --- name: hunting-for-cobalt-strike-beacons -description: Detect Cobalt Strike beacon network activity using default TLS certificate signatures (serial 8BB00EE), JA3/JA3S/JARM fingerprints, HTTP C2 profile pattern matching, beacon jitter analysis, and named pipe detection via Zeek, Suricata, and Python PCAP analysis. +description: Detect Cobalt Strike beacon network activity using default TLS certificate signatures (serial 8BB00EE), JA3/JA3S/JARM + fingerprints, HTTP C2 profile pattern matching, beacon jitter analysis, and named pipe detection via Zeek, Suricata, and + Python PCAP analysis. domain: cybersecurity subdomain: threat-hunting -tags: [cobalt-strike, beacon, threat-hunting, c2, zeek, suricata, ja3, jarm, network-forensics] -version: "1.0" +tags: +- cobalt-strike +- beacon +- threat-hunting +- c2 +- zeek +- suricata +- ja3 +- jarm +- network-forensics +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Cobalt Strike Beacons diff --git a/skills/hunting-for-command-and-control-beaconing/SKILL.md b/skills/hunting-for-command-and-control-beaconing/SKILL.md index b4b84838..5ebebbd9 100644 --- a/skills/hunting-for-command-and-control-beaconing/SKILL.md +++ b/skills/hunting-for-command-and-control-beaconing/SKILL.md 
@@ -20,6 +20,11 @@ d3fend_techniques: - Application Protocol Command Analysis - Content Format Conversion - File Content Analysis +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Command and Control Beaconing diff --git a/skills/hunting-for-data-exfiltration-indicators/SKILL.md b/skills/hunting-for-data-exfiltration-indicators/SKILL.md index ec9892aa..99e71e15 100644 --- a/skills/hunting-for-data-exfiltration-indicators/SKILL.md +++ b/skills/hunting-for-data-exfiltration-indicators/SKILL.md @@ -27,6 +27,11 @@ d3fend_techniques: - Application Protocol Command Analysis - Content Format Conversion - File Content Analysis +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Data Exfiltration Indicators diff --git a/skills/hunting-for-data-staging-before-exfiltration/SKILL.md b/skills/hunting-for-data-staging-before-exfiltration/SKILL.md index 8d82429d..16a2ce6f 100644 --- a/skills/hunting-for-data-staging-before-exfiltration/SKILL.md +++ b/skills/hunting-for-data-staging-before-exfiltration/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - File Content Analysis - Platform Hardening - File Format Verification +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Data Staging Before Exfiltration diff --git a/skills/hunting-for-dcom-lateral-movement/SKILL.md b/skills/hunting-for-dcom-lateral-movement/SKILL.md index 354511a3..708dcecb 100644 --- a/skills/hunting-for-dcom-lateral-movement/SKILL.md +++ b/skills/hunting-for-dcom-lateral-movement/SKILL.md @@ -28,6 +28,11 @@ d3fend_techniques: - Network Traffic Analysis - Client-server Payload Profiling - Network Traffic Community Deviation +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for DCOM Lateral Movement diff --git a/skills/hunting-for-dcsync-attacks/SKILL.md b/skills/hunting-for-dcsync-attacks/SKILL.md index 5db6c69c..a8362571 100644 --- a/skills/hunting-for-dcsync-attacks/SKILL.md 
+++ b/skills/hunting-for-dcsync-attacks/SKILL.md @@ -22,6 +22,11 @@ d3fend_techniques: - Network Traffic Analysis - Client-server Payload Profiling - Platform Monitoring +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for DCSync Attacks diff --git a/skills/hunting-for-defense-evasion-via-timestomping/SKILL.md b/skills/hunting-for-defense-evasion-via-timestomping/SKILL.md index a64a15a5..037d2d17 100644 --- a/skills/hunting-for-defense-evasion-via-timestomping/SKILL.md +++ b/skills/hunting-for-defense-evasion-via-timestomping/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - File Content Analysis - Platform Hardening - File Format Verification +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Defense Evasion via Timestomping diff --git a/skills/hunting-for-dns-based-persistence/SKILL.md b/skills/hunting-for-dns-based-persistence/SKILL.md index 54425414..391f18f3 100644 --- a/skills/hunting-for-dns-based-persistence/SKILL.md +++ b/skills/hunting-for-dns-based-persistence/SKILL.md 
@@ -1,12 +1,25 @@ --- name: hunting-for-dns-based-persistence -description: Hunt for DNS-based persistence mechanisms including DNS hijacking, dangling CNAME records, wildcard DNS abuse, and unauthorized zone modifications using passive DNS databases, SecurityTrails API, and DNS audit log analysis. +description: Hunt for DNS-based persistence mechanisms including DNS hijacking, dangling CNAME records, wildcard DNS abuse, + and unauthorized zone modifications using passive DNS databases, SecurityTrails API, and DNS audit log analysis. domain: cybersecurity subdomain: threat-hunting -tags: [dns, persistence, threat-hunting, passive-dns, dns-hijacking, subdomain-takeover, securitytrails] -version: "1.0" +tags: +- dns +- persistence +- threat-hunting +- passive-dns +- dns-hijacking +- subdomain-takeover +- securitytrails +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for DNS-based Persistence diff --git a/skills/hunting-for-dns-tunneling-with-zeek/SKILL.md b/skills/hunting-for-dns-tunneling-with-zeek/SKILL.md index 96f9d309..94f45cac 100644 --- a/skills/hunting-for-dns-tunneling-with-zeek/SKILL.md +++ b/skills/hunting-for-dns-tunneling-with-zeek/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - Network Traffic Analysis - Client-server Payload Profiling - DNS Traffic Analysis +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for DNS Tunneling with Zeek diff --git a/skills/hunting-for-domain-fronting-c2-traffic/SKILL.md b/skills/hunting-for-domain-fronting-c2-traffic/SKILL.md index cb012ebd..f1124df9 100644 --- a/skills/hunting-for-domain-fronting-c2-traffic/SKILL.md +++ b/skills/hunting-for-domain-fronting-c2-traffic/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - Network Traffic Analysis - Client-server Payload Profiling - Network Traffic Community Deviation +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Domain Fronting C2 Traffic 
diff --git a/skills/hunting-for-lateral-movement-via-wmi/SKILL.md b/skills/hunting-for-lateral-movement-via-wmi/SKILL.md index 881c43f2..8aa4ed08 100644 --- a/skills/hunting-for-lateral-movement-via-wmi/SKILL.md +++ b/skills/hunting-for-lateral-movement-via-wmi/SKILL.md @@ -1,12 +1,24 @@ --- name: hunting-for-lateral-movement-via-wmi -description: Detect WMI-based lateral movement by analyzing Windows Event ID 4688 process creation and Sysmon Event ID 1 for WmiPrvSE.exe child process patterns, remote process execution, and WMI event subscription persistence. +description: Detect WMI-based lateral movement by analyzing Windows Event ID 4688 process creation and Sysmon Event ID 1 for + WmiPrvSE.exe child process patterns, remote process execution, and WMI event subscription persistence. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, lateral-movement, wmi, sysmon, mitre-attack, process-creation] -version: "1.0" +tags: +- threat-hunting +- lateral-movement +- wmi +- sysmon +- mitre-attack +- process-creation +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Lateral Movement via WMI diff --git a/skills/hunting-for-living-off-the-cloud-techniques/SKILL.md b/skills/hunting-for-living-off-the-cloud-techniques/SKILL.md index f53f8ad0..7717584c 100644 --- a/skills/hunting-for-living-off-the-cloud-techniques/SKILL.md +++ b/skills/hunting-for-living-off-the-cloud-techniques/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - Network Traffic Analysis - Client-server Payload Profiling - Network Traffic Community Deviation +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting For Living Off The Cloud Techniques diff --git a/skills/hunting-for-living-off-the-land-binaries/SKILL.md b/skills/hunting-for-living-off-the-land-binaries/SKILL.md index 8110c97b..d13312ac 100644 --- a/skills/hunting-for-living-off-the-land-binaries/SKILL.md 
+++ b/skills/hunting-for-living-off-the-land-binaries/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - File Metadata Consistency Validation - Application Protocol Command Analysis - Content Format Conversion +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Living-off-the-Land Binaries (LOLBins) diff --git a/skills/hunting-for-lolbins-execution-in-endpoint-logs/SKILL.md b/skills/hunting-for-lolbins-execution-in-endpoint-logs/SKILL.md index 860fdb9e..08e1c2ab 100644 --- a/skills/hunting-for-lolbins-execution-in-endpoint-logs/SKILL.md +++ b/skills/hunting-for-lolbins-execution-in-endpoint-logs/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - File Metadata Consistency Validation - Application Protocol Command Analysis - Content Format Conversion +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for LOLBins Execution in Endpoint Logs diff --git a/skills/hunting-for-ntlm-relay-attacks/SKILL.md b/skills/hunting-for-ntlm-relay-attacks/SKILL.md index a19e997c..80d78aa8 100644 --- a/skills/hunting-for-ntlm-relay-attacks/SKILL.md +++ b/skills/hunting-for-ntlm-relay-attacks/SKILL.md @@ -24,6 +24,11 @@ d3fend_techniques: - Network Traffic Analysis - Client-server Payload Profiling - Network Traffic Community Deviation +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for NTLM Relay Attacks diff --git a/skills/hunting-for-persistence-mechanisms-in-windows/SKILL.md b/skills/hunting-for-persistence-mechanisms-in-windows/SKILL.md index 2522ca0a..4409057c 100644 --- a/skills/hunting-for-persistence-mechanisms-in-windows/SKILL.md +++ b/skills/hunting-for-persistence-mechanisms-in-windows/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Persistence Mechanisms in Windows 
diff --git a/skills/hunting-for-persistence-via-wmi-subscriptions/SKILL.md b/skills/hunting-for-persistence-via-wmi-subscriptions/SKILL.md index 252a0280..109cc3df 100644 --- a/skills/hunting-for-persistence-via-wmi-subscriptions/SKILL.md +++ b/skills/hunting-for-persistence-via-wmi-subscriptions/SKILL.md @@ -20,6 +20,11 @@ d3fend_techniques: - Network Traffic Analysis - Client-server Payload Profiling - Platform Monitoring +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Persistence via WMI Subscriptions diff --git a/skills/hunting-for-process-injection-techniques/SKILL.md b/skills/hunting-for-process-injection-techniques/SKILL.md index 6d7a937e..30c2ec3a 100644 --- a/skills/hunting-for-process-injection-techniques/SKILL.md +++ b/skills/hunting-for-process-injection-techniques/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Process Injection Techniques diff --git a/skills/hunting-for-registry-persistence-mechanisms/SKILL.md b/skills/hunting-for-registry-persistence-mechanisms/SKILL.md index aed5b7a5..a03e453a 100644 --- a/skills/hunting-for-registry-persistence-mechanisms/SKILL.md +++ b/skills/hunting-for-registry-persistence-mechanisms/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting For Registry Persistence Mechanisms diff --git a/skills/hunting-for-registry-run-key-persistence/SKILL.md b/skills/hunting-for-registry-run-key-persistence/SKILL.md index 61d6dc6a..09853c53 100644 --- a/skills/hunting-for-registry-run-key-persistence/SKILL.md +++ b/skills/hunting-for-registry-run-key-persistence/SKILL.md 
@@ -21,6 +21,11 @@ d3fend_techniques: - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Registry Run Key Persistence diff --git a/skills/hunting-for-scheduled-task-persistence/SKILL.md b/skills/hunting-for-scheduled-task-persistence/SKILL.md index b8eee973..03b4ed2a 100644 --- a/skills/hunting-for-scheduled-task-persistence/SKILL.md +++ b/skills/hunting-for-scheduled-task-persistence/SKILL.md @@ -20,6 +20,11 @@ d3fend_techniques: - Hardware-based Process Isolation - Platform Monitoring - Process Suspension +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting For Scheduled Task Persistence diff --git a/skills/hunting-for-shadow-copy-deletion/SKILL.md b/skills/hunting-for-shadow-copy-deletion/SKILL.md index 0ff7b366..5ab658aa 100644 --- a/skills/hunting-for-shadow-copy-deletion/SKILL.md +++ b/skills/hunting-for-shadow-copy-deletion/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - Restore Configuration - Restore Software - Software Update +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting For Shadow Copy Deletion diff --git a/skills/hunting-for-spearphishing-indicators/SKILL.md b/skills/hunting-for-spearphishing-indicators/SKILL.md index 01aba95a..a713f683 100644 --- a/skills/hunting-for-spearphishing-indicators/SKILL.md +++ b/skills/hunting-for-spearphishing-indicators/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - Identifier Analysis - Content Format Conversion - Message Analysis +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting For Spearphishing Indicators diff --git a/skills/hunting-for-startup-folder-persistence/SKILL.md b/skills/hunting-for-startup-folder-persistence/SKILL.md index ff2651ad..7f3ff518 100644 --- a/skills/hunting-for-startup-folder-persistence/SKILL.md +++ b/skills/hunting-for-startup-folder-persistence/SKILL.md 
@@ -21,6 +21,11 @@ d3fend_techniques: - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Startup Folder Persistence diff --git a/skills/hunting-for-supply-chain-compromise/SKILL.md b/skills/hunting-for-supply-chain-compromise/SKILL.md index a773d332..4fc2ae2c 100644 --- a/skills/hunting-for-supply-chain-compromise/SKILL.md +++ b/skills/hunting-for-supply-chain-compromise/SKILL.md @@ -20,6 +20,11 @@ d3fend_techniques: - Restore Software - Software Update - Asset Inventory +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting For Supply Chain Compromise diff --git a/skills/hunting-for-suspicious-scheduled-tasks/SKILL.md b/skills/hunting-for-suspicious-scheduled-tasks/SKILL.md index c3868e6a..baa25c83 100644 --- a/skills/hunting-for-suspicious-scheduled-tasks/SKILL.md +++ b/skills/hunting-for-suspicious-scheduled-tasks/SKILL.md @@ -1,12 +1,24 @@ --- name: hunting-for-suspicious-scheduled-tasks -description: Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious task properties, and unusual execution patterns that indicate T1053.005 abuse. +description: Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious + task properties, and unusual execution patterns that indicate T1053.005 abuse. domain: cybersecurity subdomain: threat-hunting -tags: [threat-hunting, scheduled-tasks, persistence, mitre-t1053-005, windows, endpoint-detection] -version: "1.0" +tags: +- threat-hunting +- scheduled-tasks +- persistence +- mitre-t1053-005 +- windows +- endpoint-detection +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Suspicious Scheduled Tasks 
diff --git a/skills/hunting-for-t1098-account-manipulation/SKILL.md b/skills/hunting-for-t1098-account-manipulation/SKILL.md index ace474b8..e6e2ec68 100644 --- a/skills/hunting-for-t1098-account-manipulation/SKILL.md +++ b/skills/hunting-for-t1098-account-manipulation/SKILL.md @@ -20,6 +20,11 @@ d3fend_techniques: - Application Protocol Command Analysis - Password Authentication - Biometric Authentication +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for T1098 Account Manipulation diff --git a/skills/hunting-for-unusual-network-connections/SKILL.md b/skills/hunting-for-unusual-network-connections/SKILL.md index 6c1fb4b9..6f8b73f2 100644 --- a/skills/hunting-for-unusual-network-connections/SKILL.md +++ b/skills/hunting-for-unusual-network-connections/SKILL.md @@ -20,6 +20,11 @@ d3fend_techniques: - Application Protocol Command Analysis - Content Format Conversion - File Content Analysis +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting For Unusual Network Connections diff --git a/skills/hunting-for-unusual-service-installations/SKILL.md b/skills/hunting-for-unusual-service-installations/SKILL.md index c1a64c61..e8dce4e2 100644 --- a/skills/hunting-for-unusual-service-installations/SKILL.md +++ b/skills/hunting-for-unusual-service-installations/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - Restore Object - Restore Database - Asset Inventory +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting for Unusual Service Installations diff --git a/skills/hunting-for-webshell-activity/SKILL.md b/skills/hunting-for-webshell-activity/SKILL.md index 28b42b08..1126f80e 100644 --- a/skills/hunting-for-webshell-activity/SKILL.md +++ b/skills/hunting-for-webshell-activity/SKILL.md @@ -21,6 +21,11 @@ d3fend_techniques: - File Metadata Consistency Validation - Restore Access - Process Termination +nist_csf: +- DE.CM-01 +- DE.AE-02 +- DE.AE-07 +- ID.RA-05 --- # Hunting For Webshell Activity 
diff --git a/skills/implementing-aes-encryption-for-data-at-rest/SKILL.md b/skills/implementing-aes-encryption-for-data-at-rest/SKILL.md index f77414ed..a4c9be21 100644 --- a/skills/implementing-aes-encryption-for-data-at-rest/SKILL.md +++ b/skills/implementing-aes-encryption-for-data-at-rest/SKILL.md @@ -1,12 +1,22 @@ --- name: implementing-aes-encryption-for-data-at-rest -description: AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect classified and sensitive data. This skill covers implementing AES-256 encryption in GCM m +description: AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect + classified and sensitive data. This skill covers implementing AES-256 encryption in GCM m domain: cybersecurity subdomain: cryptography -tags: [cryptography, encryption, aes, data-at-rest, symmetric-encryption] -version: "1.0" +tags: +- cryptography +- encryption +- aes +- data-at-rest +- symmetric-encryption +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.DS-01 +- PR.DS-02 +- PR.DS-10 --- # Implementing AES Encryption for Data at Rest diff --git a/skills/implementing-alert-fatigue-reduction/SKILL.md b/skills/implementing-alert-fatigue-reduction/SKILL.md index 28c2a6e7..313d1ec3 100644 --- a/skills/implementing-alert-fatigue-reduction/SKILL.md +++ b/skills/implementing-alert-fatigue-reduction/SKILL.md 
@@ -1,16 +1,28 @@ --- name: implementing-alert-fatigue-reduction -description: > - Implements strategies to reduce SOC alert fatigue by tuning detection rules, consolidating - duplicate alerts, implementing risk-based alerting, and measuring alert quality metrics to - maintain analyst effectiveness and prevent critical alert dismissal. Use when SOC teams face - overwhelming alert volumes, high false positive rates, or declining analyst performance. +description: 'Implements strategies to reduce SOC alert fatigue by tuning detection rules, consolidating duplicate alerts, + implementing risk-based alerting, and measuring alert quality metrics to maintain analyst effectiveness and prevent critical + alert dismissal. Use when SOC teams face overwhelming alert volumes, high false positive rates, or declining analyst performance. + + ' domain: cybersecurity subdomain: soc-operations -tags: [soc, alert-fatigue, tuning, risk-based-alerting, false-positive, siem, detection-engineering] -version: "1.0" +tags: +- soc +- alert-fatigue +- tuning +- risk-based-alerting +- false-positive +- siem +- detection-engineering +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- DE.CM-01 +- DE.AE-02 +- RS.MA-01 +- DE.AE-06 --- # Implementing Alert Fatigue Reduction diff --git a/skills/implementing-anti-phishing-training-program/SKILL.md b/skills/implementing-anti-phishing-training-program/SKILL.md index 2293d2eb..bd8d38e0 100644 --- a/skills/implementing-anti-phishing-training-program/SKILL.md +++ b/skills/implementing-anti-phishing-training-program/SKILL.md 
@@ -1,12 +1,25 @@
 ---
 name: implementing-anti-phishing-training-program
-description: Security awareness training is the human layer of phishing defense. An effective anti-phishing training program combines regular simulations, interactive learning modules, metric tracking, and positiv
+description: Security awareness training is the human layer of phishing defense. An effective anti-phishing training program
+ combines regular simulations, interactive learning modules, metric tracking, and positiv
 domain: cybersecurity
 subdomain: phishing-defense
-tags: [phishing, email-security, social-engineering, dmarc, awareness, training, security-culture]
-version: "1.0"
+tags:
+- phishing
+- email-security
+- social-engineering
+- dmarc
+- awareness
+- training
+- security-culture
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
+- DE.AE-02
 ---
 
 # Implementing Anti-Phishing Training Program
diff --git a/skills/implementing-anti-ransomware-group-policy/SKILL.md b/skills/implementing-anti-ransomware-group-policy/SKILL.md
index 64c3bde9..058385ea 100644
--- a/skills/implementing-anti-ransomware-group-policy/SKILL.md
+++ b/skills/implementing-anti-ransomware-group-policy/SKILL.md
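Review bot: The rewrapped `+description:` lines still end on the truncated word `positiv`, so the reformat preserves a cut-off sentence rather than fixing it; since this commit already rewrites the field, it is the natural place to restore the ending (presumably `positive reinforcement ...`, to be taken from the skill body rather than guessed) or to trim to `... metric tracking.`. A truncated plain scalar is valid YAML, so no parser will catch this; only a reader will.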
@@ -1,18 +1,28 @@
 ---
 name: implementing-anti-ransomware-group-policy
-description: >
- Configures Windows Group Policy Objects (GPO) to prevent ransomware execution
- and limit its spread. Implements AppLocker rules, Software Restriction Policies,
- Controlled Folder Access, attack surface reduction rules, and network protection
- settings. Activates for requests involving Windows GPO hardening against ransomware,
- AppLocker configuration, Controlled Folder Access setup, or endpoint protection
- via Group Policy.
+description: 'Configures Windows Group Policy Objects (GPO) to prevent ransomware execution and limit its spread. Implements
+ AppLocker rules, Software Restriction Policies, Controlled Folder Access, attack surface reduction rules, and network protection
+ settings. Activates for requests involving Windows GPO hardening against ransomware, AppLocker configuration, Controlled
+ Folder Access setup, or endpoint protection via Group Policy.
+
+ '
 domain: cybersecurity
 subdomain: ransomware-defense
-tags: [ransomware, group-policy, windows, AppLocker, hardening, prevention]
+tags:
+- ransomware
+- group-policy
+- windows
+- AppLocker
+- hardening
+- prevention
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-11
+- RS.MA-01
+- RC.RP-01
+- PR.IR-01
 ---
 
 # Implementing Anti-Ransomware Group Policy
diff --git a/skills/implementing-api-abuse-detection-with-rate-limiting/SKILL.md b/skills/implementing-api-abuse-detection-with-rate-limiting/SKILL.md
index 6e866c23..9748a2be 100644
--- a/skills/implementing-api-abuse-detection-with-rate-limiting/SKILL.md
+++ b/skills/implementing-api-abuse-detection-with-rate-limiting/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: implementing-api-abuse-detection-with-rate-limiting
-description: Implement API abuse detection using token bucket, sliding window, and adaptive rate limiting algorithms to prevent DDoS, brute force, and credential stuffing attacks.
+description: Implement API abuse detection using token bucket, sliding window, and adaptive rate limiting algorithms to prevent
+ DDoS, brute force, and credential stuffing attacks.
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, rate-limiting, token-bucket, sliding-window, ddos-protection, brute-force-prevention, api-abuse, api-gateway]
-version: "1.0"
+tags:
+- api-security
+- rate-limiting
+- token-bucket
+- sliding-window
+- ddos-protection
+- brute-force-prevention
+- api-abuse
+- api-gateway
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Implementing API Abuse Detection with Rate Limiting
diff --git a/skills/implementing-api-gateway-security-controls/SKILL.md b/skills/implementing-api-gateway-security-controls/SKILL.md
index 02981bf8..180cd89e 100644
--- a/skills/implementing-api-gateway-security-controls/SKILL.md
+++ b/skills/implementing-api-gateway-security-controls/SKILL.md
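Review bot: The added `nist_csf` list (`PR.PS-01`, `ID.RA-01`, `PR.DS-10`, `DE.CM-01`) is the same four identifiers on every `subdomain: api-security` file in this commit, which suggests the mapping was generated per subdomain rather than per skill. For a rate-limiting/abuse-detection skill, `PR.DS-10` (data-in-use confidentiality, as I read CSF 2.0) and `ID.RA-01` (vulnerability identification) do not describe what the skill does, while availability/capacity protection (`PR.IR-04`) and the monitoring subcategory already listed (`DE.CM-01`) do; please review the four against each skill's description rather than the subdomain, and note in the commit message if the list is a deliberate subdomain-level default so downstream consumers do not treat it as a per-skill assessment.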
@@ -1,18 +1,29 @@
 ---
 name: implementing-api-gateway-security-controls
-description: >
- Implements security controls at the API gateway layer including authentication enforcement,
- rate limiting, request validation, IP allowlisting, TLS termination, and threat protection.
- The engineer configures API gateways (Kong, AWS API Gateway, Azure APIM, Apigee) to act
- as a centralized security enforcement point that validates, throttles, and monitors all
- API traffic before it reaches backend services. Activates for requests involving API gateway
- security, API management security, gateway authentication, or centralized API protection.
+description: 'Implements security controls at the API gateway layer including authentication enforcement, rate limiting, request
+ validation, IP allowlisting, TLS termination, and threat protection. The engineer configures API gateways (Kong, AWS API
+ Gateway, Azure APIM, Apigee) to act as a centralized security enforcement point that validates, throttles, and monitors
+ all API traffic before it reaches backend services. Activates for requests involving API gateway security, API management
+ security, gateway authentication, or centralized API protection.
+
+ '
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, api-gateway, kong, aws-api-gateway, rate-limiting, waf]
+tags:
+- api-security
+- api-gateway
+- kong
+- aws-api-gateway
+- rate-limiting
+- waf
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Implementing API Gateway Security Controls
diff --git a/skills/implementing-api-key-security-controls/SKILL.md b/skills/implementing-api-key-security-controls/SKILL.md
index 8c856595..eb90aa02 100644
--- a/skills/implementing-api-key-security-controls/SKILL.md
+++ b/skills/implementing-api-key-security-controls/SKILL.md
@@ -26,6 +26,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Implementing API Key Security Controls
diff --git a/skills/implementing-api-rate-limiting-and-throttling/SKILL.md b/skills/implementing-api-rate-limiting-and-throttling/SKILL.md
index e20b494b..26e40be7 100644
--- a/skills/implementing-api-rate-limiting-and-throttling/SKILL.md
+++ b/skills/implementing-api-rate-limiting-and-throttling/SKILL.md
@@ -1,19 +1,29 @@
 ---
 name: implementing-api-rate-limiting-and-throttling
-description: >
- Implements API rate limiting and throttling controls using token bucket, sliding window,
- and fixed window algorithms to protect against brute force attacks, credential stuffing,
- resource exhaustion, and API abuse. The engineer configures per-user, per-IP, and per-endpoint
- rate limits using Redis-backed counters, API gateway plugins, or application middleware,
- and implements proper HTTP 429 responses with Retry-After headers. Activates for requests
- involving rate limiting implementation, API throttling setup, request quota management,
- or API abuse prevention.
+description: 'Implements API rate limiting and throttling controls using token bucket, sliding window, and fixed window algorithms
+ to protect against brute force attacks, credential stuffing, resource exhaustion, and API abuse. The engineer configures
+ per-user, per-IP, and per-endpoint rate limits using Redis-backed counters, API gateway plugins, or application middleware,
+ and implements proper HTTP 429 responses with Retry-After headers. Activates for requests involving rate limiting implementation,
+ API throttling setup, request quota management, or API abuse prevention.
+
+ '
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, rate-limiting, throttling, redis, token-bucket, abuse-prevention]
+tags:
+- api-security
+- rate-limiting
+- throttling
+- redis
+- token-bucket
+- abuse-prevention
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Implementing API Rate Limiting and Throttling
diff --git a/skills/implementing-api-schema-validation-security/SKILL.md b/skills/implementing-api-schema-validation-security/SKILL.md
index 81ad2f8f..3bbf02ba 100644
--- a/skills/implementing-api-schema-validation-security/SKILL.md
+++ b/skills/implementing-api-schema-validation-security/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: implementing-api-schema-validation-security
-description: Implement API schema validation using OpenAPI specifications and JSON Schema to enforce input/output contracts and prevent injection, data exposure, and mass assignment attacks.
+description: Implement API schema validation using OpenAPI specifications and JSON Schema to enforce input/output contracts
+ and prevent injection, data exposure, and mass assignment attacks.
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, schema-validation, openapi, json-schema, input-validation, data-leakage-prevention, mass-assignment, api-gateway]
-version: "1.0"
+tags:
+- api-security
+- schema-validation
+- openapi
+- json-schema
+- input-validation
+- data-leakage-prevention
+- mass-assignment
+- api-gateway
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Implementing API Schema Validation Security
diff --git a/skills/implementing-api-security-posture-management/SKILL.md b/skills/implementing-api-security-posture-management/SKILL.md
index d30e0d8a..a7000ab3 100644
--- a/skills/implementing-api-security-posture-management/SKILL.md
+++ b/skills/implementing-api-security-posture-management/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: implementing-api-security-posture-management
-description: Implement API Security Posture Management to continuously discover, classify, and score APIs based on risk while enforcing security policies across the API lifecycle.
+description: Implement API Security Posture Management to continuously discover, classify, and score APIs based on risk while
+ enforcing security policies across the API lifecycle.
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, aspm, api-posture-management, api-discovery, risk-scoring, api-governance, continuous-monitoring, api-inventory]
-version: "1.0"
+tags:
+- api-security
+- aspm
+- api-posture-management
+- api-discovery
+- risk-scoring
+- api-governance
+- continuous-monitoring
+- api-inventory
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Implementing API Security Posture Management
diff --git a/skills/implementing-api-security-testing-with-42crunch/SKILL.md b/skills/implementing-api-security-testing-with-42crunch/SKILL.md
index 95f2a660..fe76dd48 100644
--- a/skills/implementing-api-security-testing-with-42crunch/SKILL.md
+++ b/skills/implementing-api-security-testing-with-42crunch/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: implementing-api-security-testing-with-42crunch
-description: Implement comprehensive API security testing using the 42Crunch platform to perform static audit and dynamic conformance scanning of OpenAPI specifications.
+description: Implement comprehensive API security testing using the 42Crunch platform to perform static audit and dynamic
+ conformance scanning of OpenAPI specifications.
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, 42crunch, openapi, api-audit, api-scan, conformance-testing, shift-left, ci-cd-security, owasp-api-top-10]
-version: "1.0"
+tags:
+- api-security
+- 42crunch
+- openapi
+- api-audit
+- api-scan
+- conformance-testing
+- shift-left
+- ci-cd-security
+- owasp-api-top-10
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Implementing API Security Testing with 42Crunch
diff --git a/skills/implementing-api-threat-protection-with-apigee/SKILL.md b/skills/implementing-api-threat-protection-with-apigee/SKILL.md
index 6dd4600a..5fb81178 100644
--- a/skills/implementing-api-threat-protection-with-apigee/SKILL.md
+++ b/skills/implementing-api-threat-protection-with-apigee/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: implementing-api-threat-protection-with-apigee
-description: Implement API threat protection using Google Apigee policies including JSON/XML threat protection, OAuth 2.0, SpikeArrest, and Advanced API Security for OWASP Top 10 defense.
+description: Implement API threat protection using Google Apigee policies including JSON/XML threat protection, OAuth 2.0,
+ SpikeArrest, and Advanced API Security for OWASP Top 10 defense.
 domain: cybersecurity
 subdomain: api-security
-tags: [apigee, api-gateway, threat-protection, json-threat-protection, xml-threat-protection, spike-arrest, oauth2, google-cloud, owasp-api-top-10]
-version: "1.0"
+tags:
+- apigee
+- api-gateway
+- threat-protection
+- json-threat-protection
+- xml-threat-protection
+- spike-arrest
+- oauth2
+- google-cloud
+- owasp-api-top-10
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Implementing API Threat Protection with Apigee
diff --git a/skills/implementing-application-whitelisting-with-applocker/SKILL.md b/skills/implementing-application-whitelisting-with-applocker/SKILL.md
index d9a283f4..203c9130 100644
--- a/skills/implementing-application-whitelisting-with-applocker/SKILL.md
+++ b/skills/implementing-application-whitelisting-with-applocker/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: implementing-application-whitelisting-with-applocker
-description: >
- Implements application whitelisting using Windows AppLocker to restrict unauthorized software
- execution on endpoints, reducing attack surface from malware, unauthorized tools, and shadow IT.
- Use when enforcing application control policies, meeting compliance requirements for software
- restriction, or preventing execution of unsigned or untrusted binaries. Activates for requests
- involving AppLocker, application whitelisting, software restriction, or executable control.
+description: 'Implements application whitelisting using Windows AppLocker to restrict unauthorized software execution on endpoints,
+ reducing attack surface from malware, unauthorized tools, and shadow IT. Use when enforcing application control policies,
+ meeting compliance requirements for software restriction, or preventing execution of unsigned or untrusted binaries. Activates
+ for requests involving AppLocker, application whitelisting, software restriction, or executable control.
+
+ '
 domain: cybersecurity
 subdomain: endpoint-security
-tags: [endpoint, AppLocker, application-whitelisting, windows-security, software-restriction]
+tags:
+- endpoint
+- AppLocker
+- application-whitelisting
+- windows-security
+- software-restriction
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.PS-02
+- DE.CM-01
+- PR.IR-01
 ---
 
 # Implementing Application Whitelisting with AppLocker
diff --git a/skills/implementing-aqua-security-for-container-scanning/SKILL.md b/skills/implementing-aqua-security-for-container-scanning/SKILL.md
index 4c37bf5b..941ba882 100644
--- a/skills/implementing-aqua-security-for-container-scanning/SKILL.md
+++ b/skills/implementing-aqua-security-for-container-scanning/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-aqua-security-for-container-scanning
-description: Deploy Aqua Security's Trivy scanner to detect vulnerabilities, misconfigurations, secrets, and license issues in container images across CI/CD pipelines and registries.
+description: Deploy Aqua Security's Trivy scanner to detect vulnerabilities, misconfigurations, secrets, and license issues
+ in container images across CI/CD pipelines and registries.
 domain: cybersecurity
 subdomain: devsecops
-tags: [aqua-security, trivy, container-scanning, vulnerability-scanning, sbom, image-security, supply-chain]
-version: "1.0"
+tags:
+- aqua-security
+- trivy
+- container-scanning
+- vulnerability-scanning
+- sbom
+- image-security
+- supply-chain
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- GV.SC-07
+- ID.IM-04
+- PR.PS-04
 ---
 
 # Implementing Aqua Security for Container Scanning
diff --git a/skills/implementing-attack-path-analysis-with-xm-cyber/SKILL.md b/skills/implementing-attack-path-analysis-with-xm-cyber/SKILL.md
index 718cfeea..df1e5ac1 100644
--- a/skills/implementing-attack-path-analysis-with-xm-cyber/SKILL.md
+++ b/skills/implementing-attack-path-analysis-with-xm-cyber/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-attack-path-analysis-with-xm-cyber
-description: Deploy XM Cyber's continuous exposure management platform to map attack paths, identify choke points, and prioritize the 2% of exposures that threaten critical assets.
+description: Deploy XM Cyber's continuous exposure management platform to map attack paths, identify choke points, and prioritize
+ the 2% of exposures that threaten critical assets.
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [xm-cyber, attack-path-analysis, exposure-management, ctem, choke-points, breach-simulation, attack-surface]
-version: "1.0"
+tags:
+- xm-cyber
+- attack-path-analysis
+- exposure-management
+- ctem
+- choke-points
+- breach-simulation
+- attack-surface
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 
 # Implementing Attack Path Analysis with XM Cyber
diff --git a/skills/implementing-attack-surface-management/SKILL.md b/skills/implementing-attack-surface-management/SKILL.md
index 4573ab24..2a0db0c5 100644
--- a/skills/implementing-attack-surface-management/SKILL.md
+++ b/skills/implementing-attack-surface-management/SKILL.md
@@ -1,18 +1,28 @@
 ---
 name: implementing-attack-surface-management
-description: >
- Implements external attack surface management (EASM) using Shodan, Censys, and
- ProjectDiscovery tools (subfinder, httpx, nuclei) for asset discovery, subdomain
- enumeration, service fingerprinting, and exposure scoring. Includes a weighted
- risk scoring algorithm based on OWASP attack surface analysis methodology and
- the Relative Attack Surface Quotient (RSQ). Use when building continuous ASM
- programs or performing external reconnaissance for security assessments.
+description: 'Implements external attack surface management (EASM) using Shodan, Censys, and ProjectDiscovery tools (subfinder,
+ httpx, nuclei) for asset discovery, subdomain enumeration, service fingerprinting, and exposure scoring. Includes a weighted
+ risk scoring algorithm based on OWASP attack surface analysis methodology and the Relative Attack Surface Quotient (RSQ).
+ Use when building continuous ASM programs or performing external reconnaissance for security assessments.
+
+ '
 domain: cybersecurity
 subdomain: offensive-security
-tags: [attack-surface, reconnaissance, shodan, censys, subfinder, nuclei, asset-discovery]
-version: "1.0"
+tags:
+- attack-surface
+- reconnaissance
+- shodan
+- censys
+- subfinder
+- nuclei
+- asset-discovery
+version: '1.0'
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Implementing Attack Surface Management
diff --git a/skills/implementing-aws-config-rules-for-compliance/SKILL.md b/skills/implementing-aws-config-rules-for-compliance/SKILL.md
index 42ebebb1..fe256b44 100644
--- a/skills/implementing-aws-config-rules-for-compliance/SKILL.md
+++ b/skills/implementing-aws-config-rules-for-compliance/SKILL.md
@@ -1,15 +1,27 @@
 ---
 name: implementing-aws-config-rules-for-compliance
-description: >
- Implementing AWS Config rules for continuous compliance monitoring of AWS resources,
- deploying managed and custom rules aligned to CIS and PCI DSS frameworks, configuring
- automatic remediation with SSM Automation, and aggregating compliance data across accounts.
+description: 'Implementing AWS Config rules for continuous compliance monitoring of AWS resources, deploying managed and custom
+ rules aligned to CIS and PCI DSS frameworks, configuring automatic remediation with SSM Automation, and aggregating compliance
+ data across accounts.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, aws, config-rules, compliance, automation, remediation]
-version: "1.0"
+tags:
+- cloud-security
+- aws
+- config-rules
+- compliance
+- automation
+- remediation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Implementing AWS Config Rules for Compliance
diff --git a/skills/implementing-aws-iam-permission-boundaries/SKILL.md b/skills/implementing-aws-iam-permission-boundaries/SKILL.md
index 8b10e338..3063cb92 100644
--- a/skills/implementing-aws-iam-permission-boundaries/SKILL.md
+++ b/skills/implementing-aws-iam-permission-boundaries/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: implementing-aws-iam-permission-boundaries
-description: Configure IAM permission boundaries in AWS to delegate role creation to developers while enforcing maximum privilege limits set by the security team.
+description: Configure IAM permission boundaries in AWS to delegate role creation to developers while enforcing maximum privilege
+ limits set by the security team.
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [aws, iam, permission-boundaries, least-privilege, delegation, cloud-security]
-version: "1.0"
+tags:
+- aws
+- iam
+- permission-boundaries
+- least-privilege
+- delegation
+- cloud-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Implementing AWS IAM Permission Boundaries
diff --git a/skills/implementing-aws-macie-for-data-classification/SKILL.md b/skills/implementing-aws-macie-for-data-classification/SKILL.md
index 20cdec22..7236194a 100644
--- a/skills/implementing-aws-macie-for-data-classification/SKILL.md
+++ b/skills/implementing-aws-macie-for-data-classification/SKILL.md
@@ -25,6 +25,11 @@ nist_ai_rmf:
 - MAP-2.3
 - MEASURE-2.7
 - MEASURE-2.5
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Implementing AWS Macie for Data Classification
diff --git a/skills/implementing-aws-nitro-enclave-security/SKILL.md b/skills/implementing-aws-nitro-enclave-security/SKILL.md
index bd799f59..616e576f 100644
--- a/skills/implementing-aws-nitro-enclave-security/SKILL.md
+++ b/skills/implementing-aws-nitro-enclave-security/SKILL.md
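Review bot: The added `nist_csf` entry `PR.AA-06` does not fit an IAM permission-boundary skill: in CSF 2.0, as I read it, PR.AA-06 is the physical-access subcategory, whereas the logical-access controls this skill describes (delegated role creation under a maximum-privilege ceiling) are covered by `PR.AA-05` already in the list, with `PR.AA-03` (authentication of users and services) a more plausible fourth item if one is wanted. The same four identifiers are added to the Entra PIM file later in this diff, so the fix should be applied to both. If the mapping was generated from the `identity-access-management` subdomain rather than per file, say so in the commit message so the list is not read as a per-skill assessment.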
@@ -1,19 +1,31 @@
 ---
 name: implementing-aws-nitro-enclave-security
-description: >
- Implements AWS Nitro Enclave-based confidential computing environments with cryptographic attestation,
- KMS policy integration using PCR-based condition keys, and secure vsock communication channels. The
- practitioner builds enclave images, configures attestation-aware KMS policies, validates attestation
- documents against the AWS Nitro PKI root of trust, and establishes isolated computation pipelines
- for processing sensitive data such as PII, cryptographic keys, and healthcare records. Activates for
- requests involving Nitro Enclave setup, enclave attestation validation, confidential computing on AWS,
- or KMS enclave policy configuration.
+description: 'Implements AWS Nitro Enclave-based confidential computing environments with cryptographic attestation, KMS policy
+ integration using PCR-based condition keys, and secure vsock communication channels. The practitioner builds enclave images,
+ configures attestation-aware KMS policies, validates attestation documents against the AWS Nitro PKI root of trust, and
+ establishes isolated computation pipelines for processing sensitive data such as PII, cryptographic keys, and healthcare
+ records. Activates for requests involving Nitro Enclave setup, enclave attestation validation, confidential computing on
+ AWS, or KMS enclave policy configuration.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [AWS-Nitro-Enclaves, confidential-computing, attestation, KMS, enclave-isolation, vsock, PCR]
+tags:
+- AWS-Nitro-Enclaves
+- confidential-computing
+- attestation
+- KMS
+- enclave-isolation
+- vsock
+- PCR
 version: 1.0.0
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Implementing AWS Nitro Enclave Security
diff --git a/skills/implementing-aws-security-hub-compliance/SKILL.md b/skills/implementing-aws-security-hub-compliance/SKILL.md
index 61e19753..680974d7 100644
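Review bot: The `nist_csf` list added here (`PR.IR-01`, `ID.AM-08`, `GV.SC-06`, `DE.CM-01`) is the same one attached to the AWS Config, Macie, Security Hub and Azure Defender files in this diff, so it looks like a `cloud-security` subdomain default rather than a mapping for this skill. Supplier due diligence (`GV.SC-06`) and asset life-cycle management (`ID.AM-08`) do not describe enclave attestation, PCR-conditioned KMS policies or vsock isolation; the description's own content points at data-in-use protection (`PR.DS-10`), access-policy enforcement for the KMS condition keys (`PR.AA-05`) and, for the Nitro PKI attestation chain, hardware/software integrity verification (`PR.DS-01` or `PR.PS-01` depending on how the corpus uses them). Please re-derive these four from the description text, or mark the field as a subdomain default so consumers do not treat it as per-skill.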
--- a/skills/implementing-aws-security-hub-compliance/SKILL.md
+++ b/skills/implementing-aws-security-hub-compliance/SKILL.md
@@ -1,15 +1,27 @@
 ---
 name: implementing-aws-security-hub-compliance
-description: >
- Implementing AWS Security Hub to aggregate security findings across AWS accounts, enable
- compliance standards like CIS AWS Foundations and PCI DSS, configure automated remediation
- with EventBridge and Lambda, and create custom security insights for organizational risk management.
+description: 'Implementing AWS Security Hub to aggregate security findings across AWS accounts, enable compliance standards
+ like CIS AWS Foundations and PCI DSS, configure automated remediation with EventBridge and Lambda, and create custom security
+ insights for organizational risk management.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, aws, security-hub, compliance, cspm, cis-benchmark]
-version: "1.0"
+tags:
+- cloud-security
+- aws
+- security-hub
+- compliance
+- cspm
+- cis-benchmark
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Implementing AWS Security Hub Compliance
diff --git a/skills/implementing-aws-security-hub/SKILL.md b/skills/implementing-aws-security-hub/SKILL.md
index 0c5cf4a7..01e2e7f1 100644
--- a/skills/implementing-aws-security-hub/SKILL.md
+++ b/skills/implementing-aws-security-hub/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: implementing-aws-security-hub
-description: >
- This skill covers deploying AWS Security Hub as a centralized cloud security posture
- management platform that aggregates findings from GuardDuty, Inspector, Macie, and
- third-party tools. It details enabling security standards like CIS AWS Foundations
- Benchmark, configuring automated remediation, and building executive dashboards for
- compliance tracking across multi-account AWS organizations.
+description: 'This skill covers deploying AWS Security Hub as a centralized cloud security posture management platform that
+ aggregates findings from GuardDuty, Inspector, Macie, and third-party tools. It details enabling security standards like
+ CIS AWS Foundations Benchmark, configuring automated remediation, and building executive dashboards for compliance tracking
+ across multi-account AWS organizations.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [aws-security-hub, cspm, compliance-automation, security-standards, finding-aggregation]
+tags:
+- aws-security-hub
+- cspm
+- compliance-automation
+- security-standards
+- finding-aggregation
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Implementing AWS Security Hub
diff --git a/skills/implementing-azure-ad-privileged-identity-management/SKILL.md b/skills/implementing-azure-ad-privileged-identity-management/SKILL.md
index ca59b96d..1b6f6b61 100644
--- a/skills/implementing-azure-ad-privileged-identity-management/SKILL.md
+++ b/skills/implementing-azure-ad-privileged-identity-management/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-azure-ad-privileged-identity-management
-description: Configure Microsoft Entra Privileged Identity Management to enforce just-in-time role activation, approval workflows, and access reviews for Azure AD privileged roles.
+description: Configure Microsoft Entra Privileged Identity Management to enforce just-in-time role activation, approval workflows,
+ and access reviews for Azure AD privileged roles.
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [azure-ad, pim, entra-id, just-in-time, privileged-roles, identity-governance, zero-trust]
-version: "1.0"
+tags:
+- azure-ad
+- pim
+- entra-id
+- just-in-time
+- privileged-roles
+- identity-governance
+- zero-trust
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Implementing Azure AD Privileged Identity Management
diff --git a/skills/implementing-azure-defender-for-cloud/SKILL.md b/skills/implementing-azure-defender-for-cloud/SKILL.md
index a8cc1619..5fe6fbde 100644
--- a/skills/implementing-azure-defender-for-cloud/SKILL.md
+++ b/skills/implementing-azure-defender-for-cloud/SKILL.md
@@ -25,6 +25,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Implementing Azure Defender for Cloud
diff --git a/skills/implementing-beyondcorp-zero-trust-access-model/SKILL.md b/skills/implementing-beyondcorp-zero-trust-access-model/SKILL.md
index 3e3aa9ea..c89c0a95 100644
--- a/skills/implementing-beyondcorp-zero-trust-access-model/SKILL.md
+++ b/skills/implementing-beyondcorp-zero-trust-access-model/SKILL.md
@@ -1,15 +1,28 @@
 ---
 name: implementing-beyondcorp-zero-trust-access-model
-description: >
- Implementing Google's BeyondCorp zero trust access model to eliminate implicit trust
- from the network perimeter, enforce identity-aware access controls using IAP, Access
- Context Manager, and Chrome Enterprise Premium for VPN-less secure application access.
+description: 'Implementing Google''s BeyondCorp zero trust access model to eliminate implicit trust from the network perimeter,
+ enforce identity-aware access controls using IAP, Access Context Manager, and Chrome Enterprise Premium for VPN-less secure
+ application access.
+
+ '
 domain: cybersecurity
 subdomain: zero-trust-architecture
-tags: [beyondcorp, zero-trust, google-cloud, iap, identity-aware-proxy, ztna, access-context-manager]
-version: "1.0"
+tags:
+- beyondcorp
+- zero-trust
+- google-cloud
+- iap
+- identity-aware-proxy
+- ztna
+- access-context-manager
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 
 # Implementing BeyondCorp Zero Trust Access Model
diff --git a/skills/implementing-bgp-security-with-rpki/SKILL.md b/skills/implementing-bgp-security-with-rpki/SKILL.md
index f98df5ce..131cbb3e 100644
--- a/skills/implementing-bgp-security-with-rpki/SKILL.md
+++ b/skills/implementing-bgp-security-with-rpki/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: implementing-bgp-security-with-rpki
-description: Implement BGP route origin validation using RPKI with Route Origin Authorizations, RPKI-to-Router protocol, and ROV policies on Cisco and Juniper routers to prevent route hijacking.
+description: Implement BGP route origin validation using RPKI with Route Origin Authorizations, RPKI-to-Router protocol, and
+ ROV policies on Cisco and Juniper routers to prevent route hijacking.
 domain: cybersecurity
 subdomain: network-security
-tags: [bgp, rpki, route-origin-validation, rov, roa, route-hijacking, internet-routing, bgp-security, prefix-hijack]
-version: "1.0"
+tags:
+- bgp
+- rpki
+- route-origin-validation
+- rov
+- roa
+- route-hijacking
+- internet-routing
+- bgp-security
+- prefix-hijack
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Implementing BGP Security with RPKI
diff --git a/skills/implementing-browser-isolation-for-zero-trust/SKILL.md b/skills/implementing-browser-isolation-for-zero-trust/SKILL.md
index f985bab0..f1ce2157 100644
--- a/skills/implementing-browser-isolation-for-zero-trust/SKILL.md
+++ b/skills/implementing-browser-isolation-for-zero-trust/SKILL.md
@@ -1,19 +1,30 @@
 ---
 name: implementing-browser-isolation-for-zero-trust
-description: >
-  Deploys remote browser isolation (RBI) as a core component of a Zero Trust
-  architecture. Implements isolation policies with URL categorization and risk-based
-  routing, content disarming and reconstruction (CDR) for file sanitization, data loss
-  prevention controls within isolated sessions, and integration with Secure Web Gateway
-  and ZTNA platforms. Based on Cloudflare Browser Isolation, Menlo Security, and Zscaler
-  RBI approaches. Use when hardening web access against zero-day exploits, phishing,
-  credential theft, and browser-based data exfiltration.
+description: 'Deploys remote browser isolation (RBI) as a core component of a Zero Trust architecture. Implements isolation
+  policies with URL categorization and risk-based routing, content disarming and reconstruction (CDR) for file sanitization,
+  data loss prevention controls within isolated sessions, and integration with Secure Web Gateway and ZTNA platforms. Based
+  on Cloudflare Browser Isolation, Menlo Security, and Zscaler RBI approaches. Use when hardening web access against zero-day
+  exploits, phishing, credential theft, and browser-based data exfiltration.
+
+  '
 domain: cybersecurity
 subdomain: network-security
-tags: [browser-isolation, zero-trust, RBI, CDR, URL-categorization, content-disarming, secure-web-gateway]
-version: "1.0"
+tags:
+- browser-isolation
+- zero-trust
+- RBI
+- CDR
+- URL-categorization
+- content-disarming
+- secure-web-gateway
+version: '1.0'
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Implementing Browser Isolation for Zero Trust
diff --git a/skills/implementing-canary-tokens-for-network-intrusion/SKILL.md b/skills/implementing-canary-tokens-for-network-intrusion/SKILL.md
index 14a8846c..bf937c9f 100644
--- a/skills/implementing-canary-tokens-for-network-intrusion/SKILL.md
+++ b/skills/implementing-canary-tokens-for-network-intrusion/SKILL.md
@@ -1,18 +1,28 @@
 ---
 name: implementing-canary-tokens-for-network-intrusion
-description: >
-  Deploys DNS, HTTP, and AWS API key canary tokens across network infrastructure to
-  detect unauthorized access and lateral movement. Integrates with webhook alerting
-  (Slack, Teams, email, generic HTTP) for real-time intrusion notifications. Provides
-  automated token generation, placement strategies, and monitoring for enterprise
-  network environments. Use when building deception-based network intrusion detection
-  with Canarytokens.org and Thinkst Canary platforms.
+description: 'Deploys DNS, HTTP, and AWS API key canary tokens across network infrastructure to detect unauthorized access
+  and lateral movement. Integrates with webhook alerting (Slack, Teams, email, generic HTTP) for real-time intrusion notifications.
+  Provides automated token generation, placement strategies, and monitoring for enterprise network environments. Use when
+  building deception-based network intrusion detection with Canarytokens.org and Thinkst Canary platforms.
+
+  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [canary-tokens, intrusion-detection, deception, network-security, honeytokens, breach-detection]
-version: "1.0"
+tags:
+- canary-tokens
+- intrusion-detection
+- deception
+- network-security
+- honeytokens
+- breach-detection
+version: '1.0'
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
 
 # Implementing Canary Tokens for Network Intrusion Detection
diff --git a/skills/implementing-cisa-zero-trust-maturity-model/SKILL.md b/skills/implementing-cisa-zero-trust-maturity-model/SKILL.md
index 0faf3931..550a606a 100644
--- a/skills/implementing-cisa-zero-trust-maturity-model/SKILL.md
+++ b/skills/implementing-cisa-zero-trust-maturity-model/SKILL.md
@@ -25,6 +25,11 @@ nist_ai_rmf:
 - MAP-1.1
 - GOVERN-4.2
 - MAP-2.3
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 
 # Implementing CISA Zero Trust Maturity Model
diff --git a/skills/implementing-cloud-dlp-for-data-protection/SKILL.md b/skills/implementing-cloud-dlp-for-data-protection/SKILL.md
index cc07504e..c29c2ec5 100644
--- a/skills/implementing-cloud-dlp-for-data-protection/SKILL.md
+++ b/skills/implementing-cloud-dlp-for-data-protection/SKILL.md
@@ -26,6 +26,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Implementing Cloud DLP for Data Protection
diff --git a/skills/implementing-cloud-security-posture-management/SKILL.md b/skills/implementing-cloud-security-posture-management/SKILL.md
index 2764258c..a1b29d76 100644
--- a/skills/implementing-cloud-security-posture-management/SKILL.md
+++ b/skills/implementing-cloud-security-posture-management/SKILL.md
@@ -1,15 +1,27 @@
 ---
 name: implementing-cloud-security-posture-management
-description: >
-  Implementing Cloud Security Posture Management (CSPM) to continuously monitor multi-cloud
-  environments for misconfigurations, compliance violations, and security risks using Prowler,
-  ScoutSuite, AWS Security Hub, Azure Defender, and GCP Security Command Center.
+description: 'Implementing Cloud Security Posture Management (CSPM) to continuously monitor multi-cloud environments for misconfigurations,
+  compliance violations, and security risks using Prowler, ScoutSuite, AWS Security Hub, Azure Defender, and GCP Security
+  Command Center.
+
+  '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, cspm, multi-cloud, compliance, prowler, scoutsuite]
-version: "1.0"
+tags:
+- cloud-security
+- cspm
+- multi-cloud
+- compliance
+- prowler
+- scoutsuite
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Implementing Cloud Security Posture Management
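Review bot: The `nist_csf` list added to the cloud DLP and CSPM files here (`PR.IR-01`, `ID.AM-08`, `GV.SC-06`, `DE.CM-01`) is repeated byte-for-byte on the CloudTrail log analysis, cloud WAF and cloud workload protection files in the following hunks, which suggests the mapping was assigned per subdomain rather than derived from each skill. For a log-analysis skill in particular, `GV.SC-06` (in CSF 2.0's supply-chain risk management category) and `ID.AM-08` read as a poor fit, while the detection subcategories this same commit uses elsewhere on the page, such as `DE.CM-09` and `DE.AE-02`, match the content far better. The identical four-code reuse also appears across the RPKI, browser-isolation and DDoS files (`PR.IR-01`, `DE.CM-01`, `ID.AM-03`, `PR.DS-02`). Please confirm each list was checked against the skill body, or have the generator derive it from the skill text instead of a subdomain template.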
diff --git a/skills/implementing-cloud-trail-log-analysis/SKILL.md b/skills/implementing-cloud-trail-log-analysis/SKILL.md
index 759f17e9..fbfc2d86 100644
--- a/skills/implementing-cloud-trail-log-analysis/SKILL.md
+++ b/skills/implementing-cloud-trail-log-analysis/SKILL.md
@@ -1,15 +1,27 @@
 ---
 name: implementing-cloud-trail-log-analysis
-description: >
-  Implementing AWS CloudTrail log analysis for security monitoring, threat detection, and
-  forensic investigation using Athena, CloudWatch Logs Insights, and SIEM integration to
-  identify unauthorized access, privilege escalation, and suspicious API activity.
+description: 'Implementing AWS CloudTrail log analysis for security monitoring, threat detection, and forensic investigation
+  using Athena, CloudWatch Logs Insights, and SIEM integration to identify unauthorized access, privilege escalation, and
+  suspicious API activity.
+
+  '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, aws, cloudtrail, log-analysis, threat-detection, forensics]
-version: "1.0"
+tags:
+- cloud-security
+- aws
+- cloudtrail
+- log-analysis
+- threat-detection
+- forensics
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Implementing CloudTrail Log Analysis
diff --git a/skills/implementing-cloud-vulnerability-posture-management/SKILL.md b/skills/implementing-cloud-vulnerability-posture-management/SKILL.md
index b50799eb..d8df1b0b 100644
--- a/skills/implementing-cloud-vulnerability-posture-management/SKILL.md
+++ b/skills/implementing-cloud-vulnerability-posture-management/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: implementing-cloud-vulnerability-posture-management
-description: Implement Cloud Security Posture Management using AWS Security Hub, Azure Defender for Cloud, and open-source tools like Prowler and ScoutSuite for multi-cloud vulnerability detection.
+description: Implement Cloud Security Posture Management using AWS Security Hub, Azure Defender for Cloud, and open-source
+  tools like Prowler and ScoutSuite for multi-cloud vulnerability detection.
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [cspm, cloud-security, aws-security-hub, azure-defender, prowler, scoutsuite, misconfiguration, cnapp]
-version: "1.0"
+tags:
+- cspm
+- cloud-security
+- aws-security-hub
+- azure-defender
+- prowler
+- scoutsuite
+- misconfiguration
+- cnapp
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 
 # Implementing Cloud Vulnerability Posture Management
diff --git a/skills/implementing-cloud-waf-rules/SKILL.md b/skills/implementing-cloud-waf-rules/SKILL.md
index fd8991a9..563becc7 100644
--- a/skills/implementing-cloud-waf-rules/SKILL.md
+++ b/skills/implementing-cloud-waf-rules/SKILL.md
@@ -1,17 +1,28 @@
 ---
 name: implementing-cloud-waf-rules
-description: >
-  This skill covers deploying and tuning Web Application Firewall rules on AWS WAF,
-  Azure WAF, and Cloudflare to protect cloud-hosted applications against OWASP Top 10
-  attacks. It details configuring managed rule sets, creating custom rules for business
-  logic protection, implementing rate limiting, deploying bot management, and reducing
-  false positives through rule tuning and logging analysis.
+description: 'This skill covers deploying and tuning Web Application Firewall rules on AWS WAF, Azure WAF, and Cloudflare
+  to protect cloud-hosted applications against OWASP Top 10 attacks. It details configuring managed rule sets, creating custom
+  rules for business logic protection, implementing rate limiting, deploying bot management, and reducing false positives
+  through rule tuning and logging analysis.
+
+  '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-waf, aws-waf, azure-waf, cloudflare-waf, owasp-protection, rate-limiting]
+tags:
+- cloud-waf
+- aws-waf
+- azure-waf
+- cloudflare-waf
+- owasp-protection
+- rate-limiting
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Implementing Cloud WAF Rules
diff --git a/skills/implementing-cloud-workload-protection/SKILL.md b/skills/implementing-cloud-workload-protection/SKILL.md
index 200a066b..9e1ddbcb 100644
--- a/skills/implementing-cloud-workload-protection/SKILL.md
+++ b/skills/implementing-cloud-workload-protection/SKILL.md
@@ -1,16 +1,25 @@
 ---
 name: implementing-cloud-workload-protection
-description: >
-  Implements cloud workload protection using boto3 and google-cloud APIs for runtime
-  security monitoring, process anomaly detection, and file integrity checking on EC2/GCE
-  instances. Scans for cryptomining, reverse shells, and unauthorized binaries.
-  Use when building runtime security controls for cloud compute workloads.
+description: 'Implements cloud workload protection using boto3 and google-cloud APIs for runtime security monitoring, process
+  anomaly detection, and file integrity checking on EC2/GCE instances. Scans for cryptomining, reverse shells, and unauthorized
+  binaries. Use when building runtime security controls for cloud compute workloads.
+
+  '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [implementing, cloud, workload, protection]
-version: "1.0"
+tags:
+- implementing
+- cloud
+- workload
+- protection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Implementing Cloud Workload Protection
diff --git a/skills/implementing-code-signing-for-artifacts/SKILL.md b/skills/implementing-code-signing-for-artifacts/SKILL.md
index d1f08d84..0c92cf0d 100644
--- a/skills/implementing-code-signing-for-artifacts/SKILL.md
+++ b/skills/implementing-code-signing-for-artifacts/SKILL.md
@@ -1,16 +1,27 @@
 ---
 name: implementing-code-signing-for-artifacts
-description: >
-  This skill covers implementing code signing for build artifacts to ensure integrity
-  and authenticity throughout the software supply chain. It addresses signing binaries,
-  packages, and containers using GPG, Sigstore, and platform-specific signing tools,
-  establishing trust chains, and verifying signatures in deployment pipelines.
+description: 'This skill covers implementing code signing for build artifacts to ensure integrity and authenticity throughout
+  the software supply chain. It addresses signing binaries, packages, and containers using GPG, Sigstore, and platform-specific
+  signing tools, establishing trust chains, and verifying signatures in deployment pipelines.
+
+  '
 domain: cybersecurity
 subdomain: devsecops
-tags: [devsecops, cicd, code-signing, supply-chain, sigstore, secure-sdlc]
+tags:
+- devsecops
+- cicd
+- code-signing
+- supply-chain
+- sigstore
+- secure-sdlc
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- GV.SC-07
+- ID.IM-04
+- PR.PS-04
 ---
 
 # Implementing Code Signing for Artifacts
diff --git a/skills/implementing-conditional-access-policies-azure-ad/SKILL.md b/skills/implementing-conditional-access-policies-azure-ad/SKILL.md
index 8f595327..6628c89e 100644
--- a/skills/implementing-conditional-access-policies-azure-ad/SKILL.md
+++ b/skills/implementing-conditional-access-policies-azure-ad/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-conditional-access-policies-azure-ad
-description: Configure Microsoft Entra ID (Azure AD) Conditional Access policies for zero trust access control. Covers signal-based policy design, device compliance requirements, risk-based authentication, named l
+description: Configure Microsoft Entra ID (Azure AD) Conditional Access policies for zero trust access control. Covers signal-based
+  policy design, device compliance requirements, risk-based authentication, named l
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [iam, identity, access-control, azure-ad, entra-id, conditional-access, zero-trust]
-version: "1.0"
+tags:
+- iam
+- identity
+- access-control
+- azure-ad
+- entra-id
+- conditional-access
+- zero-trust
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Implementing Conditional Access Policies in Azure AD
diff --git a/skills/implementing-conduit-security-for-ot-remote-access/SKILL.md b/skills/implementing-conduit-security-for-ot-remote-access/SKILL.md
index a38b83fd..6748df91 100644
--- a/skills/implementing-conduit-security-for-ot-remote-access/SKILL.md
+++ b/skills/implementing-conduit-security-for-ot-remote-access/SKILL.md
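Review bot: The rewrapped `description` still ends mid-word at `named l`, so the regeneration carried over a value that was cut at what looks like a fixed character budget and never completed; this is the field a skill index or search surfaces, so it should be restored from the skill body or at least cut at a sentence boundary, e.g. ending the value after `risk-based authentication.`. The same truncation survives in the Ed25519 (`advantages ove`), DMARC/DKIM/SPF (`Proper im`) and Proofpoint (`is an industry`) hunks further down. A pre-dump check that the value ends with terminal punctuation would catch this class of defect before it is written back.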
@@ -1,16 +1,29 @@ --- name: implementing-conduit-security-for-ot-remote-access -description: > - Implement secure conduit architecture for OT remote access following IEC 62443 - zones and conduits model, deploying jump servers, MFA-enabled gateways, session - recording, and approval-based workflows to control vendor and engineer access +description: 'Implement secure conduit architecture for OT remote access following IEC 62443 zones and conduits model, deploying + jump servers, MFA-enabled gateways, session recording, and approval-based workflows to control vendor and engineer access to industrial control systems without exposing OT networks directly. + + ' domain: cybersecurity subdomain: ot-ics-security -tags: [ot-security, ics, remote-access, iec62443, jump-server, zero-trust, conduit, mfa] -version: "1.0" +tags: +- ot-security +- ics +- remote-access +- iec62443 +- jump-server +- zero-trust +- conduit +- mfa +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- DE.CM-01 +- ID.AM-05 +- GV.OC-02 --- # Implementing Conduit Security for OT Remote Access diff --git a/skills/implementing-container-image-minimal-base-with-distroless/SKILL.md b/skills/implementing-container-image-minimal-base-with-distroless/SKILL.md index 253d32dd..d0a0934c 100644 --- a/skills/implementing-container-image-minimal-base-with-distroless/SKILL.md +++ b/skills/implementing-container-image-minimal-base-with-distroless/SKILL.md 
@@ -1,12 +1,26 @@
 ---
 name: implementing-container-image-minimal-base-with-distroless
-description: Reduce container attack surface by building application images on Google distroless base images that contain only the application runtime with no shell, package manager, or unnecessary OS utilities.
+description: Reduce container attack surface by building application images on Google distroless base images that contain
+  only the application runtime with no shell, package manager, or unnecessary OS utilities.
 domain: cybersecurity
 subdomain: container-security
-tags: [distroless, container-images, minimal-base, attack-surface, docker, security-hardening, supply-chain, kubernetes]
-version: "1.0"
+tags:
+- distroless
+- container-images
+- minimal-base
+- attack-surface
+- docker
+- security-hardening
+- supply-chain
+- kubernetes
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 
 # Implementing Container Image Minimal Base with Distroless
diff --git a/skills/implementing-container-network-policies-with-calico/SKILL.md b/skills/implementing-container-network-policies-with-calico/SKILL.md
index 2999efd4..2a359a04 100644
--- a/skills/implementing-container-network-policies-with-calico/SKILL.md
+++ b/skills/implementing-container-network-policies-with-calico/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: implementing-container-network-policies-with-calico
-description: Enforce Kubernetes network segmentation using Calico CNI network policies and global network policies to control pod-to-pod traffic, restrict egress, and implement zero-trust microsegmentation.
+description: Enforce Kubernetes network segmentation using Calico CNI network policies and global network policies to control
+  pod-to-pod traffic, restrict egress, and implement zero-trust microsegmentation.
 domain: cybersecurity
 subdomain: container-security
-tags: [container-security, kubernetes, calico, network-policy, microsegmentation, cni]
-version: "1.0"
+tags:
+- container-security
+- kubernetes
+- calico
+- network-policy
+- microsegmentation
+- cni
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 
 # Implementing Container Network Policies with Calico
diff --git a/skills/implementing-continuous-security-validation-with-bas/SKILL.md b/skills/implementing-continuous-security-validation-with-bas/SKILL.md
index cd6ffa93..3eac479c 100644
--- a/skills/implementing-continuous-security-validation-with-bas/SKILL.md
+++ b/skills/implementing-continuous-security-validation-with-bas/SKILL.md
@@ -22,6 +22,11 @@ d3fend_techniques:
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 
 # Implementing Continuous Security Validation with BAS
diff --git a/skills/implementing-data-loss-prevention-with-microsoft-purview/SKILL.md b/skills/implementing-data-loss-prevention-with-microsoft-purview/SKILL.md
index 5f2c176d..23c90687 100644
--- a/skills/implementing-data-loss-prevention-with-microsoft-purview/SKILL.md
+++ b/skills/implementing-data-loss-prevention-with-microsoft-purview/SKILL.md
@@ -1,21 +1,31 @@
 ---
 name: implementing-data-loss-prevention-with-microsoft-purview
-description: >
-  Implements data loss prevention policies using Microsoft Purview to protect sensitive information
-  across Exchange Online, SharePoint, OneDrive, Teams, endpoint devices, and Power BI. The analyst
-  configures sensitivity labels with encryption and content marking, creates DLP policies using
-  built-in and custom sensitive information types with regex patterns, deploys endpoint DLP rules
-  to control file operations on Windows and macOS devices, and monitors policy effectiveness through
-  Activity Explorer and DLP alert management. Uses PowerShell cmdlets and the Microsoft Graph API
-  for programmatic policy management. Activates for requests involving DLP policy creation,
-  sensitivity label configuration, data classification, endpoint data protection, or Microsoft
-  Purview compliance administration.
+description: 'Implements data loss prevention policies using Microsoft Purview to protect sensitive information across Exchange
+  Online, SharePoint, OneDrive, Teams, endpoint devices, and Power BI. The analyst configures sensitivity labels with encryption
+  and content marking, creates DLP policies using built-in and custom sensitive information types with regex patterns, deploys
+  endpoint DLP rules to control file operations on Windows and macOS devices, and monitors policy effectiveness through Activity
+  Explorer and DLP alert management. Uses PowerShell cmdlets and the Microsoft Graph API for programmatic policy management.
+  Activates for requests involving DLP policy creation, sensitivity label configuration, data classification, endpoint data
+  protection, or Microsoft Purview compliance administration.
+
+  '
 domain: cybersecurity
 subdomain: data-protection
-tags: [DLP, Microsoft-Purview, sensitivity-labels, endpoint-DLP, data-classification, compliance]
+tags:
+- DLP
+- Microsoft-Purview
+- sensitivity-labels
+- endpoint-DLP
+- data-classification
+- compliance
 version: 1.0.0
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- PR.DS-10
+- GV.PO-01
 ---
 
 # Implementing Data Loss Prevention with Microsoft Purview
diff --git a/skills/implementing-ddos-mitigation-with-cloudflare/SKILL.md b/skills/implementing-ddos-mitigation-with-cloudflare/SKILL.md
index 2c925c4b..a4b07ad3 100644
--- a/skills/implementing-ddos-mitigation-with-cloudflare/SKILL.md
+++ b/skills/implementing-ddos-mitigation-with-cloudflare/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: implementing-ddos-mitigation-with-cloudflare
-description: Configure Cloudflare DDoS protection with managed rulesets, rate limiting, WAF rules, Bot Management, and origin protection to mitigate volumetric, protocol, and application-layer attacks.
+description: Configure Cloudflare DDoS protection with managed rulesets, rate limiting, WAF rules, Bot Management, and origin
+  protection to mitigate volumetric, protocol, and application-layer attacks.
 domain: cybersecurity
 subdomain: network-security
-tags: [ddos, cloudflare, ddos-mitigation, rate-limiting, waf, bot-management, layer-7, volumetric-attack, network-security]
-version: "1.0"
+tags:
+- ddos
+- cloudflare
+- ddos-mitigation
+- rate-limiting
+- waf
+- bot-management
+- layer-7
+- volumetric-attack
+- network-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Implementing DDoS Mitigation with Cloudflare
diff --git a/skills/implementing-deception-based-detection-with-canarytoken/SKILL.md b/skills/implementing-deception-based-detection-with-canarytoken/SKILL.md
index 01dc5dfe..1c3f2eec 100644
--- a/skills/implementing-deception-based-detection-with-canarytoken/SKILL.md
+++ b/skills/implementing-deception-based-detection-with-canarytoken/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: implementing-deception-based-detection-with-canarytoken
-description: Deploy and monitor Canary Tokens via the Thinkst Canary API for deception-based breach detection using web bug tokens, DNS tokens, document tokens, and AWS key tokens.
+description: Deploy and monitor Canary Tokens via the Thinkst Canary API for deception-based breach detection using web bug
+  tokens, DNS tokens, document tokens, and AWS key tokens.
 domain: cybersecurity
 subdomain: deception-technology
-tags: [canarytoken, deception, honeytokens, breach-detection, Thinkst-Canary, tripwire, early-warning]
-version: "1.0"
+tags:
+- canarytoken
+- deception
+- honeytokens
+- breach-detection
+- Thinkst-Canary
+- tripwire
+- early-warning
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-06
+- PR.IR-01
 ---
 
 # Implementing Deception-Based Detection with Canarytoken
diff --git a/skills/implementing-delinea-secret-server-for-pam/SKILL.md b/skills/implementing-delinea-secret-server-for-pam/SKILL.md
index 9356e706..eeb25e01 100644
--- a/skills/implementing-delinea-secret-server-for-pam/SKILL.md
+++ b/skills/implementing-delinea-secret-server-for-pam/SKILL.md
@@ -1,17 +1,28 @@
 ---
 name: implementing-delinea-secret-server-for-pam
-description: >
-  Implements Delinea Secret Server for privileged access management (PAM) including
-  secret vault configuration, role-based access policies, automated password rotation,
-  session recording, and integration with Active Directory and cloud platforms.
-  Activates for requests involving PAM deployment, privileged credential vaulting,
-  secret server administration, or password rotation automation.
+description: 'Implements Delinea Secret Server for privileged access management (PAM) including secret vault configuration,
+  role-based access policies, automated password rotation, session recording, and integration with Active Directory and cloud
+  platforms. Activates for requests involving PAM deployment, privileged credential vaulting, secret server administration,
+  or password rotation automation.
+
+  '
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [PAM, Delinea, Secret-Server, privileged-access, password-vault, credential-management]
-version: "1.0"
+tags:
+- PAM
+- Delinea
+- Secret-Server
+- privileged-access
+- password-vault
+- credential-management
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Implementing Delinea Secret Server for PAM
diff --git a/skills/implementing-device-posture-assessment-in-zero-trust/SKILL.md b/skills/implementing-device-posture-assessment-in-zero-trust/SKILL.md
index 11ff6d7a..7e933cc0 100644
--- a/skills/implementing-device-posture-assessment-in-zero-trust/SKILL.md
+++ b/skills/implementing-device-posture-assessment-in-zero-trust/SKILL.md
@@ -1,15 +1,28 @@
 ---
 name: implementing-device-posture-assessment-in-zero-trust
-description: >
-  Implementing device posture assessment as a zero trust access control by integrating
-  endpoint health signals from CrowdStrike ZTA, Microsoft Intune, and Jamf into
-  conditional access policies that enforce compliance before granting resource access.
+description: 'Implementing device posture assessment as a zero trust access control by integrating endpoint health signals
+  from CrowdStrike ZTA, Microsoft Intune, and Jamf into conditional access policies that enforce compliance before granting
+  resource access.
+
+  '
 domain: cybersecurity
 subdomain: zero-trust-architecture
-tags: [device-posture, zero-trust, endpoint-compliance, crowdstrike-zta, intune, conditional-access, jamf]
-version: "1.0"
+tags:
+- device-posture
+- zero-trust
+- endpoint-compliance
+- crowdstrike-zta
+- intune
+- conditional-access
+- jamf
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 
 # Implementing Device Posture Assessment in Zero Trust
diff --git a/skills/implementing-devsecops-security-scanning/SKILL.md b/skills/implementing-devsecops-security-scanning/SKILL.md
index 249784e3..ebee7c9f 100644
--- a/skills/implementing-devsecops-security-scanning/SKILL.md
+++ b/skills/implementing-devsecops-security-scanning/SKILL.md
@@ -1,19 +1,32 @@
 ---
 name: implementing-devsecops-security-scanning
-description: >
-  Integrates Static Application Security Testing (SAST), Dynamic Application
-  Security Testing (DAST), and Software Composition Analysis (SCA) into CI/CD
-  pipelines using open-source tools. Covers Semgrep for SAST, Trivy for SCA
-  and container scanning, OWASP ZAP for DAST, and Gitleaks for secrets
-  detection. Activates for requests involving DevSecOps pipeline setup,
-  automated security scanning in CI/CD, SAST/DAST/SCA integration, or
-  shift-left security implementation.
+description: 'Integrates Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software
+  Composition Analysis (SCA) into CI/CD pipelines using open-source tools. Covers Semgrep for SAST, Trivy for SCA and container
+  scanning, OWASP ZAP for DAST, and Gitleaks for secrets detection. Activates for requests involving DevSecOps pipeline setup,
+  automated security scanning in CI/CD, SAST/DAST/SCA integration, or shift-left security implementation.
+
+  '
 domain: cybersecurity
 subdomain: application-security
-tags: [devsecops, SAST, DAST, SCA, semgrep, trivy, owasp-zap, gitleaks, CI-CD, shift-left]
+tags:
+- devsecops
+- SAST
+- DAST
+- SCA
+- semgrep
+- trivy
+- owasp-zap
+- gitleaks
+- CI-CD
+- shift-left
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.PS-04
+- ID.RA-01
+- PR.DS-10
 ---
 
 # Implementing DevSecOps Security Scanning
diff --git a/skills/implementing-diamond-model-analysis/SKILL.md b/skills/implementing-diamond-model-analysis/SKILL.md
index c97fcdae..f9f83120 100644
--- a/skills/implementing-diamond-model-analysis/SKILL.md
+++ b/skills/implementing-diamond-model-analysis/SKILL.md
@@ -1,16 +1,26 @@
 ---
 name: implementing-diamond-model-analysis
-description: >-
-  The Diamond Model of Intrusion Analysis provides a structured framework for analyzing
-  cyber intrusions by examining four core features - Adversary, Capability, Infrastructure,
-  and Victim. This skill covers implementing the Diamond Model programmatically to classify
-  and correlate intrusion events, build activity threads, and generate pivot-ready intelligence.
+description: The Diamond Model of Intrusion Analysis provides a structured framework for analyzing cyber intrusions by examining
+  four core features - Adversary, Capability, Infrastructure, and Victim. This skill covers implementing the Diamond Model
+  programmatically to classify and correlate intrusion events, build activity threads, and generate pivot-ready intelligence.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, diamond-model, intrusion-analysis]
-version: "1.0"
+tags:
+- threat-intelligence
+- cti
+- ioc
+- mitre-attack
+- stix
+- diamond-model
+- intrusion-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Implementing Diamond Model Analysis
diff --git a/skills/implementing-digital-signatures-with-ed25519/SKILL.md b/skills/implementing-digital-signatures-with-ed25519/SKILL.md
index f0a05b0f..617041ab 100644
--- a/skills/implementing-digital-signatures-with-ed25519/SKILL.md
+++ b/skills/implementing-digital-signatures-with-ed25519/SKILL.md
@@ -1,12 +1,22 @@
 ---
 name: implementing-digital-signatures-with-ed25519
-description: Ed25519 is a high-performance digital signature algorithm using the Edwards curve Curve25519. It provides 128-bit security with 64-byte signatures and 32-byte keys, offering significant advantages ove
+description: Ed25519 is a high-performance digital signature algorithm using the Edwards curve Curve25519. It provides 128-bit
+  security with 64-byte signatures and 32-byte keys, offering significant advantages ove
 domain: cybersecurity
 subdomain: cryptography
-tags: [cryptography, digital-signatures, ed25519, authentication, integrity]
-version: "1.0"
+tags:
+- cryptography
+- digital-signatures
+- ed25519
+- authentication
+- integrity
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- PR.DS-10
 ---
 
 # Implementing Digital Signatures with Ed25519
diff --git a/skills/implementing-disk-encryption-with-bitlocker/SKILL.md b/skills/implementing-disk-encryption-with-bitlocker/SKILL.md
index 5750828c..b46f4b27 100644
--- a/skills/implementing-disk-encryption-with-bitlocker/SKILL.md
+++ b/skills/implementing-disk-encryption-with-bitlocker/SKILL.md
@@ -1,17 +1,28 @@ --- name: implementing-disk-encryption-with-bitlocker -description: > - Implements full disk encryption using Microsoft BitLocker on Windows endpoints to protect - data at rest from unauthorized access in case of device loss or theft. Use when deploying - encryption for compliance requirements, securing mobile workstations, or implementing data - protection controls across the enterprise. Activates for requests involving BitLocker +description: 'Implements full disk encryption using Microsoft BitLocker on Windows endpoints to protect data at rest from + unauthorized access in case of device loss or theft. Use when deploying encryption for compliance requirements, securing + mobile workstations, or implementing data protection controls across the enterprise. Activates for requests involving BitLocker encryption, disk encryption, TPM configuration, or data-at-rest protection. + + ' domain: cybersecurity subdomain: endpoint-security -tags: [endpoint, encryption, BitLocker, TPM, data-protection, windows-security] +tags: +- endpoint +- encryption +- BitLocker +- TPM +- data-protection +- windows-security version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- PR.PS-01 +- PR.PS-02 +- DE.CM-01 +- PR.IR-01 --- # Implementing Disk Encryption with BitLocker diff --git a/skills/implementing-dmarc-dkim-spf-email-security/SKILL.md b/skills/implementing-dmarc-dkim-spf-email-security/SKILL.md index 37272447..8212032e 100644 --- a/skills/implementing-dmarc-dkim-spf-email-security/SKILL.md +++ b/skills/implementing-dmarc-dkim-spf-email-security/SKILL.md 
@@ -1,12 +1,26 @@
 ---
 name: implementing-dmarc-dkim-spf-email-security
-description: SPF, DKIM, and DMARC form the three pillars of email authentication. Together they prevent domain spoofing, validate message integrity, and define policies for handling unauthenticated mail. Proper im
+description: SPF, DKIM, and DMARC form the three pillars of email authentication. Together they prevent domain spoofing, validate
+ message integrity, and define policies for handling unauthenticated mail. Proper im
 domain: cybersecurity
 subdomain: phishing-defense
-tags: [phishing, email-security, social-engineering, dmarc, awareness, dkim, spf, dns]
-version: "1.0"
+tags:
+- phishing
+- email-security
+- social-engineering
+- dmarc
+- awareness
+- dkim
+- spf
+- dns
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
+- DE.AE-02
 ---
 
 # Implementing DMARC, DKIM, and SPF Email Security
diff --git a/skills/implementing-dragos-platform-for-ot-monitoring/SKILL.md b/skills/implementing-dragos-platform-for-ot-monitoring/SKILL.md
index 65d8c0cf..482e0527 100644
--- a/skills/implementing-dragos-platform-for-ot-monitoring/SKILL.md
+++ b/skills/implementing-dragos-platform-for-ot-monitoring/SKILL.md
@@ -27,6 +27,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 
 # Implementing Dragos Platform for OT Monitoring
diff --git a/skills/implementing-ebpf-security-monitoring/SKILL.md b/skills/implementing-ebpf-security-monitoring/SKILL.md
index 7bd8b08d..d92af5c4 100644
--- a/skills/implementing-ebpf-security-monitoring/SKILL.md
+++ b/skills/implementing-ebpf-security-monitoring/SKILL.md
@@ -28,6 +28,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
 
 # Implementing eBPF Security Monitoring
diff --git a/skills/implementing-email-sandboxing-with-proofpoint/SKILL.md b/skills/implementing-email-sandboxing-with-proofpoint/SKILL.md
index 9aaf1051..9ae7a3ea 100644
--- a/skills/implementing-email-sandboxing-with-proofpoint/SKILL.md
+++ b/skills/implementing-email-sandboxing-with-proofpoint/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-email-sandboxing-with-proofpoint
-description: Email sandboxing detonates suspicious attachments and URLs in isolated environments to detect zero-day malware and evasive phishing payloads. Proofpoint Targeted Attack Protection (TAP) is an industry
+description: Email sandboxing detonates suspicious attachments and URLs in isolated environments to detect zero-day malware
+ and evasive phishing payloads. Proofpoint Targeted Attack Protection (TAP) is an industry
 domain: cybersecurity
 subdomain: phishing-defense
-tags: [phishing, email-security, social-engineering, dmarc, awareness, sandboxing, proofpoint]
-version: "1.0"
+tags:
+- phishing
+- email-security
+- social-engineering
+- dmarc
+- awareness
+- sandboxing
+- proofpoint
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
+- DE.AE-02
 ---
 
 # Implementing Email Sandboxing with Proofpoint
diff --git a/skills/implementing-end-to-end-encryption-for-messaging/SKILL.md b/skills/implementing-end-to-end-encryption-for-messaging/SKILL.md
index 0b7a7a48..040b4873 100644
--- a/skills/implementing-end-to-end-encryption-for-messaging/SKILL.md
+++ b/skills/implementing-end-to-end-encryption-for-messaging/SKILL.md
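Review bot: The rewritten `tags` block keeps `dmarc` and `awareness`, neither of which describes attachment/URL detonation; the first five entries are identical to the DMARC/DKIM/SPF skill in the previous hunk (`phishing`, `email-security`, `social-engineering`, `dmarc`, `awareness`), which suggests a shared phishing-defense template was pasted rather than tags chosen for this skill. Since the commit is already rewriting the list, dropping those two and keeping `sandboxing`, `proofpoint`, `email-security` and `phishing` would make the metadata match what the description says the skill covers. Whether `tags` feeds any search or index is not visible from the diff, so treat this as a metadata-hygiene point rather than a functional one.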
@@ -1,12 +1,22 @@
 ---
 name: implementing-end-to-end-encryption-for-messaging
-description: End-to-end encryption (E2EE) ensures that only the communicating parties can read messages, with no intermediary (including the server) able to decrypt them. This skill implements a simplified version
+description: End-to-end encryption (E2EE) ensures that only the communicating parties can read messages, with no intermediary
+ (including the server) able to decrypt them. This skill implements a simplified version
 domain: cybersecurity
 subdomain: cryptography
-tags: [cryptography, encryption, e2e, messaging, signal-protocol]
-version: "1.0"
+tags:
+- cryptography
+- encryption
+- e2e
+- messaging
+- signal-protocol
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- PR.DS-10
 ---
 
 # Implementing End-to-End Encryption for Messaging
diff --git a/skills/implementing-endpoint-detection-with-wazuh/SKILL.md b/skills/implementing-endpoint-detection-with-wazuh/SKILL.md
index 18ed1d33..462b837e 100644
--- a/skills/implementing-endpoint-detection-with-wazuh/SKILL.md
+++ b/skills/implementing-endpoint-detection-with-wazuh/SKILL.md
@@ -20,6 +20,11 @@ nist_ai_rmf:
 - MANAGE-3.1
 - MANAGE-2.4
 - MEASURE-3.1
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
 
 # Implementing Endpoint Detection with Wazuh
diff --git a/skills/implementing-endpoint-dlp-controls/SKILL.md b/skills/implementing-endpoint-dlp-controls/SKILL.md
index 3dbe8c2e..6a20a9f1 100644
--- a/skills/implementing-endpoint-dlp-controls/SKILL.md
+++ b/skills/implementing-endpoint-dlp-controls/SKILL.md
@@ -26,6 +26,11 @@ nist_ai_rmf:
 - MANAGE-3.1
 - MAP-5.1
 - MANAGE-2.4
+nist_csf:
+- PR.PS-01
+- PR.PS-02
+- DE.CM-01
+- PR.IR-01
 ---
 
 # Implementing Endpoint DLP Controls
diff --git a/skills/implementing-envelope-encryption-with-aws-kms/SKILL.md b/skills/implementing-envelope-encryption-with-aws-kms/SKILL.md
index 80401241..175a5d04 100644
--- a/skills/implementing-envelope-encryption-with-aws-kms/SKILL.md
+++ b/skills/implementing-envelope-encryption-with-aws-kms/SKILL.md
@@ -1,12 +1,23 @@
 ---
 name: implementing-envelope-encryption-with-aws-kms
-description: Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting
+description: Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself
+ is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting
 domain: cybersecurity
 subdomain: cryptography
-tags: [cryptography, encryption, aws, kms, envelope-encryption, key-management]
-version: "1.0"
+tags:
+- cryptography
+- encryption
+- aws
+- kms
+- envelope-encryption
+- key-management
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- PR.DS-10
 ---
 
 # Implementing Envelope Encryption with AWS KMS
diff --git a/skills/implementing-epss-score-for-vulnerability-prioritization/SKILL.md b/skills/implementing-epss-score-for-vulnerability-prioritization/SKILL.md
index 908b23ee..38115638 100644
--- a/skills/implementing-epss-score-for-vulnerability-prioritization/SKILL.md
+++ b/skills/implementing-epss-score-for-vulnerability-prioritization/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-epss-score-for-vulnerability-prioritization
-description: Integrate FIRST's Exploit Prediction Scoring System (EPSS) API to prioritize vulnerability remediation based on real-world exploitation probability within 30 days.
+description: Integrate FIRST's Exploit Prediction Scoring System (EPSS) API to prioritize vulnerability remediation based
+ on real-world exploitation probability within 30 days.
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [epss, vulnerability-prioritization, first, exploit-prediction, cvss, risk-based, machine-learning]
-version: "1.0"
+tags:
+- epss
+- vulnerability-prioritization
+- first
+- exploit-prediction
+- cvss
+- risk-based
+- machine-learning
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 
 # Implementing EPSS Score for Vulnerability Prioritization
diff --git a/skills/implementing-file-integrity-monitoring-with-aide/SKILL.md b/skills/implementing-file-integrity-monitoring-with-aide/SKILL.md
index 864913c1..aee0cb59 100644
--- a/skills/implementing-file-integrity-monitoring-with-aide/SKILL.md
+++ b/skills/implementing-file-integrity-monitoring-with-aide/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-file-integrity-monitoring-with-aide
-description: Configure AIDE (Advanced Intrusion Detection Environment) for file integrity monitoring including baseline creation, scheduled integrity checks, change detection, and alerting
+description: Configure AIDE (Advanced Intrusion Detection Environment) for file integrity monitoring including baseline creation,
+ scheduled integrity checks, change detection, and alerting
 domain: cybersecurity
 subdomain: endpoint-security
-tags: [aide, file-integrity, hids, baseline, intrusion-detection, compliance, linux-security]
-version: "1.0"
+tags:
+- aide
+- file-integrity
+- hids
+- baseline
+- intrusion-detection
+- compliance
+- linux-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.PS-02
+- DE.CM-01
+- PR.IR-01
 ---
 
 # Implementing File Integrity Monitoring with AIDE
diff --git a/skills/implementing-fuzz-testing-in-cicd-with-aflplusplus/SKILL.md b/skills/implementing-fuzz-testing-in-cicd-with-aflplusplus/SKILL.md
index b6327eec..31be3ab2 100644
--- a/skills/implementing-fuzz-testing-in-cicd-with-aflplusplus/SKILL.md
+++ b/skills/implementing-fuzz-testing-in-cicd-with-aflplusplus/SKILL.md
@@ -23,6 +23,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.PS-01
+- GV.SC-07
+- ID.IM-04
+- PR.PS-04
 ---
 
 # Implementing Fuzz Testing in CI/CD with AFL++
diff --git a/skills/implementing-gcp-binary-authorization/SKILL.md b/skills/implementing-gcp-binary-authorization/SKILL.md
index c23a465c..35287756 100644
--- a/skills/implementing-gcp-binary-authorization/SKILL.md
+++ b/skills/implementing-gcp-binary-authorization/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: implementing-gcp-binary-authorization
-description: Implement GCP Binary Authorization to enforce deploy-time security controls that ensure only trusted, attested container images are deployed to Google Kubernetes Engine and Cloud Run.
+description: Implement GCP Binary Authorization to enforce deploy-time security controls that ensure only trusted, attested
+ container images are deployed to Google Kubernetes Engine and Cloud Run.
 domain: cybersecurity
 subdomain: cloud-security
-tags: [gcp, binary-authorization, container-security, supply-chain, gke, cloud-run, attestation, software-integrity]
-version: "1.0"
+tags:
+- gcp
+- binary-authorization
+- container-security
+- supply-chain
+- gke
+- cloud-run
+- attestation
+- software-integrity
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Implementing GCP Binary Authorization
diff --git a/skills/implementing-gcp-organization-policy-constraints/SKILL.md b/skills/implementing-gcp-organization-policy-constraints/SKILL.md
index 38298240..7d1aa3dc 100644
--- a/skills/implementing-gcp-organization-policy-constraints/SKILL.md
+++ b/skills/implementing-gcp-organization-policy-constraints/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-gcp-organization-policy-constraints
-description: Implement GCP Organization Policy constraints to enforce security guardrails across the entire resource hierarchy, restricting risky configurations and ensuring compliance at organization, folder, and project levels.
+description: Implement GCP Organization Policy constraints to enforce security guardrails across the entire resource hierarchy,
+ restricting risky configurations and ensuring compliance at organization, folder, and project levels.
 domain: cybersecurity
 subdomain: cloud-security
-tags: [gcp, organization-policy, constraints, governance, compliance, cloud-security, resource-manager]
-version: "1.0"
+tags:
+- gcp
+- organization-policy
+- constraints
+- governance
+- compliance
+- cloud-security
+- resource-manager
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Implementing GCP Organization Policy Constraints
diff --git a/skills/implementing-gcp-vpc-firewall-rules/SKILL.md b/skills/implementing-gcp-vpc-firewall-rules/SKILL.md
index 7320374e..29551e2a 100644
--- a/skills/implementing-gcp-vpc-firewall-rules/SKILL.md
+++ b/skills/implementing-gcp-vpc-firewall-rules/SKILL.md
@@ -1,15 +1,27 @@
 ---
 name: implementing-gcp-vpc-firewall-rules
-description: >
- Implementing and auditing GCP VPC firewall rules to enforce network segmentation,
- restrict ingress and egress traffic, apply hierarchical firewall policies across
- the organization, and monitor firewall rule effectiveness using VPC Flow Logs.
+description: 'Implementing and auditing GCP VPC firewall rules to enforce network segmentation, restrict ingress and egress
+ traffic, apply hierarchical firewall policies across the organization, and monitor firewall rule effectiveness using VPC
+ Flow Logs.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, gcp, vpc, firewall-rules, network-security, segmentation]
-version: "1.0"
+tags:
+- cloud-security
+- gcp
+- vpc
+- firewall-rules
+- network-security
+- segmentation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Implementing GCP VPC Firewall Rules
diff --git a/skills/implementing-gdpr-data-protection-controls/SKILL.md b/skills/implementing-gdpr-data-protection-controls/SKILL.md
index 69362b22..6abfaa7e 100644
--- a/skills/implementing-gdpr-data-protection-controls/SKILL.md
+++ b/skills/implementing-gdpr-data-protection-controls/SKILL.md
@@ -12,14 +12,11 @@ tags:
 - data-protection
 - eu-regulation
 nist_csf:
-- GV.OC
-- GV.PO
-- GV.RR
-- ID.AM
-- PR.AA
-- PR.DS
-- RS.CO
-- RS.MA
+- GV.OC-02
+- GV.PO-01
+- PR.DS-01
+- PR.AA-01
+- ID.AM-02
 version: '1.0'
 author: mahipal
 license: Apache-2.0
diff --git a/skills/implementing-gdpr-data-subject-access-request/SKILL.md b/skills/implementing-gdpr-data-subject-access-request/SKILL.md
index d0a6f960..e55dc3a5 100644
--- a/skills/implementing-gdpr-data-subject-access-request/SKILL.md
+++ b/skills/implementing-gdpr-data-subject-access-request/SKILL.md
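Review bot: In the GDPR data-protection hunk the narrowed `nist_csf` list drops every Respond-function entry the file previously carried (`RS.CO`, `RS.MA`) along with `GV.RR`, so the skill no longer maps to incident communication at all, even though breach notification to the supervisory authority and to data subjects is a central GDPR obligation and the phishing-defense hunks in this same commit use `RS.CO-02` for exactly that kind of outward communication. Moving from category-level IDs to subcategory IDs is the right direction, but if dropping Respond was not deliberate, keeping one entry such as `- RS.CO-02` (and arguably `- RS.MA-01`) preserves the mapping; if it was deliberate, the commit message should say so. The skill body that would confirm which controls are actually covered is outside this hunk.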
@@ -1,17 +1,28 @@
 ---
 name: implementing-gdpr-data-subject-access-request
-description: >
- Automates GDPR Data Subject Access Request (DSAR) workflows including identity verification,
- PII discovery across databases and files using regex and NER, data mapping, response
- templating per Article 15 requirements, deadline tracking, and audit logging. Covers
- ICO/EDPB guidance compliance, exemption handling, and scalable batch processing. Use when
- building or auditing DSAR response capabilities under GDPR/UK GDPR.
+description: 'Automates GDPR Data Subject Access Request (DSAR) workflows including identity verification, PII discovery across
+ databases and files using regex and NER, data mapping, response templating per Article 15 requirements, deadline tracking,
+ and audit logging. Covers ICO/EDPB guidance compliance, exemption handling, and scalable batch processing. Use when building
+ or auditing DSAR response capabilities under GDPR/UK GDPR.
+
+ '
 domain: cybersecurity
 subdomain: privacy-compliance
-tags: [gdpr, dsar, privacy, pii-discovery, data-subject-rights, compliance, article-15]
-version: "1.0"
+tags:
+- gdpr
+- dsar
+- privacy
+- pii-discovery
+- data-subject-rights
+- compliance
+- article-15
+version: '1.0'
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- GV.PO-01
+- PR.DS-01
+- GV.OC-05
 ---
 
 # Implementing GDPR Data Subject Access Request (DSAR) Workflow
diff --git a/skills/implementing-github-advanced-security-for-code-scanning/SKILL.md b/skills/implementing-github-advanced-security-for-code-scanning/SKILL.md
index 100c8d0e..ca923b87 100644
--- a/skills/implementing-github-advanced-security-for-code-scanning/SKILL.md
+++ b/skills/implementing-github-advanced-security-for-code-scanning/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-github-advanced-security-for-code-scanning
-description: Configure GitHub Advanced Security with CodeQL to perform automated static analysis and vulnerability detection across repositories at enterprise scale.
+description: Configure GitHub Advanced Security with CodeQL to perform automated static analysis and vulnerability detection
+ across repositories at enterprise scale.
 domain: cybersecurity
 subdomain: devsecops
-tags: [github-advanced-security, codeql, sast, code-scanning, supply-chain-security, devops-security, shift-left]
-version: "1.0"
+tags:
+- github-advanced-security
+- codeql
+- sast
+- code-scanning
+- supply-chain-security
+- devops-security
+- shift-left
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- GV.SC-07
+- ID.IM-04
+- PR.PS-04
 ---
 
 # Implementing GitHub Advanced Security for Code Scanning
diff --git a/skills/implementing-google-workspace-admin-security/SKILL.md b/skills/implementing-google-workspace-admin-security/SKILL.md
index 04b1a7b4..ec60c742 100644
--- a/skills/implementing-google-workspace-admin-security/SKILL.md
+++ b/skills/implementing-google-workspace-admin-security/SKILL.md
@@ -1,17 +1,28 @@
 ---
 name: implementing-google-workspace-admin-security
-description: >
- Implements comprehensive Google Workspace security hardening including admin console
- configuration, phishing-resistant MFA enforcement, DLP policies, email authentication
- (SPF/DKIM/DMARC), OAuth app control, and external sharing restrictions.
- Activates for requests involving Google Workspace hardening, G Suite security configuration,
- or cloud office security administration.
+description: 'Implements comprehensive Google Workspace security hardening including admin console configuration, phishing-resistant
+ MFA enforcement, DLP policies, email authentication (SPF/DKIM/DMARC), OAuth app control, and external sharing restrictions.
+ Activates for requests involving Google Workspace hardening, G Suite security configuration, or cloud office security administration.
+
+ '
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [Google-Workspace, admin-security, MFA, DMARC, DLP, OAuth, cloud-security]
-version: "1.0"
+tags:
+- Google-Workspace
+- admin-security
+- MFA
+- DMARC
+- DLP
+- OAuth
+- cloud-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Implementing Google Workspace Admin Security
diff --git a/skills/implementing-google-workspace-phishing-protection/SKILL.md b/skills/implementing-google-workspace-phishing-protection/SKILL.md
index d64cc5a6..c047695d 100644
--- a/skills/implementing-google-workspace-phishing-protection/SKILL.md
+++ b/skills/implementing-google-workspace-phishing-protection/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-google-workspace-phishing-protection
-description: Configure Google Workspace advanced phishing and malware protection settings including pre-delivery scanning, attachment protection, spoofing detection, and Enhanced Safe Browsing.
+description: Configure Google Workspace advanced phishing and malware protection settings including pre-delivery scanning,
+ attachment protection, spoofing detection, and Enhanced Safe Browsing.
 domain: cybersecurity
 subdomain: phishing-defense
-tags: [google-workspace, gmail, phishing, email-security, safe-browsing, anti-spoofing, admin-console]
-version: "1.0"
+tags:
+- google-workspace
+- gmail
+- phishing
+- email-security
+- safe-browsing
+- anti-spoofing
+- admin-console
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
+- DE.AE-02
 ---
 
 # Implementing Google Workspace Phishing Protection
diff --git a/skills/implementing-google-workspace-sso-configuration/SKILL.md b/skills/implementing-google-workspace-sso-configuration/SKILL.md
index 1ac5d228..8d3cbb63 100644
--- a/skills/implementing-google-workspace-sso-configuration/SKILL.md
+++ b/skills/implementing-google-workspace-sso-configuration/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: implementing-google-workspace-sso-configuration
-description: Configure SAML 2.0 single sign-on for Google Workspace with a third-party identity provider, enabling centralized authentication and enforcing organization-wide access policies.
+description: Configure SAML 2.0 single sign-on for Google Workspace with a third-party identity provider, enabling centralized
+ authentication and enforcing organization-wide access policies.
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [google-workspace, sso, saml, identity-provider, authentication, federation]
-version: "1.0"
+tags:
+- google-workspace
+- sso
+- saml
+- identity-provider
+- authentication
+- federation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Implementing Google Workspace SSO Configuration
diff --git a/skills/implementing-hardware-security-key-authentication/SKILL.md b/skills/implementing-hardware-security-key-authentication/SKILL.md
index 04ea0f44..39acaf4a 100644
--- a/skills/implementing-hardware-security-key-authentication/SKILL.md
+++ b/skills/implementing-hardware-security-key-authentication/SKILL.md
@@ -29,6 +29,10 @@ nist_ai_rmf:
 - MEASURE-2.5
 - GOVERN-6.1
 - MAP-5.1
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
 ---
 
 # Implementing Hardware Security Key Authentication
diff --git a/skills/implementing-hashicorp-vault-dynamic-secrets/SKILL.md b/skills/implementing-hashicorp-vault-dynamic-secrets/SKILL.md
index ae84ffde..bd46490c 100644
--- a/skills/implementing-hashicorp-vault-dynamic-secrets/SKILL.md
+++ b/skills/implementing-hashicorp-vault-dynamic-secrets/SKILL.md
@@ -1,17 +1,28 @@
 ---
 name: implementing-hashicorp-vault-dynamic-secrets
-description: >
- Implements HashiCorp Vault dynamic secrets engines for database credentials, AWS IAM keys,
- and PKI certificates with automatic generation, lease management, and credential rotation
- to eliminate static secrets in application configurations.
- Activates for requests involving Vault secrets engine configuration, dynamic database
- credentials, ephemeral cloud credentials, or automated secret rotation.
+description: 'Implements HashiCorp Vault dynamic secrets engines for database credentials, AWS IAM keys, and PKI certificates
+ with automatic generation, lease management, and credential rotation to eliminate static secrets in application configurations.
+ Activates for requests involving Vault secrets engine configuration, dynamic database credentials, ephemeral cloud credentials,
+ or automated secret rotation.
+
+ '
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [HashiCorp-Vault, dynamic-secrets, secrets-management, database-credentials, AWS-secrets, PKI]
-version: "1.0"
+tags:
+- HashiCorp-Vault
+- dynamic-secrets
+- secrets-management
+- database-credentials
+- AWS-secrets
+- PKI
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Implementing HashiCorp Vault Dynamic Secrets
diff --git a/skills/implementing-honeypot-for-ransomware-detection/SKILL.md b/skills/implementing-honeypot-for-ransomware-detection/SKILL.md
index ec4f9b70..19ce5f30 100644
--- a/skills/implementing-honeypot-for-ransomware-detection/SKILL.md
+++ b/skills/implementing-honeypot-for-ransomware-detection/SKILL.md
@@ -25,6 +25,11 @@ d3fend_techniques:
 - File Content Analysis
 - Platform Hardening
 - File Format Verification
+nist_csf:
+- PR.DS-11
+- RS.MA-01
+- RC.RP-01
+- PR.IR-01
 ---
 
 # Implementing Honeypot for Ransomware Detection
diff --git a/skills/implementing-honeytokens-for-breach-detection/SKILL.md b/skills/implementing-honeytokens-for-breach-detection/SKILL.md
index ac412a8e..cd32bcae 100644
--- a/skills/implementing-honeytokens-for-breach-detection/SKILL.md
+++ b/skills/implementing-honeytokens-for-breach-detection/SKILL.md
@@ -1,16 +1,25 @@
 ---
 name: implementing-honeytokens-for-breach-detection
-description: >
- Deploys canary tokens and honeytokens (fake AWS credentials, DNS canaries, document
- beacons, database records) that trigger alerts when accessed by attackers. Uses the
- Canarytokens API and custom webhook integrations for breach detection. Use when
- building deception-based early warning systems for intrusion detection.
+description: 'Deploys canary tokens and honeytokens (fake AWS credentials, DNS canaries, document beacons, database records)
+ that trigger alerts when accessed by attackers. Uses the Canarytokens API and custom webhook integrations for breach detection.
+ Use when building deception-based early warning systems for intrusion detection.
+
+ '
 domain: cybersecurity
 subdomain: security-operations
-tags: [implementing, honeytokens, for, breach]
-version: "1.0"
+tags:
+- implementing
+- honeytokens
+- for
+- breach
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
 
 # Implementing Honeytokens for Breach Detection
diff --git a/skills/implementing-ics-firewall-with-tofino/SKILL.md b/skills/implementing-ics-firewall-with-tofino/SKILL.md
index 301d838a..f12cf8e9 100644
--- a/skills/implementing-ics-firewall-with-tofino/SKILL.md
+++ b/skills/implementing-ics-firewall-with-tofino/SKILL.md
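Review bot: The new `tags` block is `implementing`, `honeytokens`, `for`, `breach` — three of the four are fragments of the directory name rather than taxonomy terms, so any tag-based search or grouping gets a stop word and a truncated phrase instead of the concepts the description already names. The commit only changed the sequence style, so the defect predates it, but this is the moment the list is being rewritten; something like `- honeytokens`, `- canary-tokens`, `- deception`, `- breach-detection` would describe the skill. The other tag lists in this commit are descriptive, so this file looks like an outlier from an earlier automated fill rather than a convention.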
@@ -1,16 +1,29 @@
 ---
 name: implementing-ics-firewall-with-tofino
-description: >
- Deploy and configure Tofino industrial firewalls from Belden/Hirschmann to
- protect SCADA systems and PLCs using deep packet inspection for OT protocols
- including Modbus, EtherNet/IP, OPC, and S7comm, enforcing granular access
- control between ICS security zones.
+description: 'Deploy and configure Tofino industrial firewalls from Belden/Hirschmann to protect SCADA systems and PLCs using
+ deep packet inspection for OT protocols including Modbus, EtherNet/IP, OPC, and S7comm, enforcing granular access control
+ between ICS security zones.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, firewall, tofino, belden, deep-packet-inspection, network-security, scada]
-version: "1.0"
+tags:
+- ot-security
+- ics
+- firewall
+- tofino
+- belden
+- deep-packet-inspection
+- network-security
+- scada
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 
 # Implementing ICS Firewall with Tofino
diff --git a/skills/implementing-identity-governance-with-sailpoint/SKILL.md b/skills/implementing-identity-governance-with-sailpoint/SKILL.md
index 3c200294..2c356e42 100644
--- a/skills/implementing-identity-governance-with-sailpoint/SKILL.md
+++ b/skills/implementing-identity-governance-with-sailpoint/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-identity-governance-with-sailpoint
-description: Deploy SailPoint IdentityNow or IdentityIQ for identity governance and administration. Covers identity lifecycle management, access request workflows, certification campaigns, role mining, SOD policy
+description: Deploy SailPoint IdentityNow or IdentityIQ for identity governance and administration. Covers identity lifecycle
+ management, access request workflows, certification campaigns, role mining, SOD policy
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [iam, identity, access-control, governance, sailpoint, iga, lifecycle]
-version: "1.0"
+tags:
+- iam
+- identity
+- access-control
+- governance
+- sailpoint
+- iga
+- lifecycle
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Implementing Identity Governance with SailPoint
diff --git a/skills/implementing-identity-verification-for-zero-trust/SKILL.md b/skills/implementing-identity-verification-for-zero-trust/SKILL.md
index 205963b1..599294a2 100644
--- a/skills/implementing-identity-verification-for-zero-trust/SKILL.md
+++ b/skills/implementing-identity-verification-for-zero-trust/SKILL.md
@@ -19,6 +19,11 @@ nist_ai_rmf:
 - GOVERN-1.1
 - GOVERN-1.7
 - MAP-1.1
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 
 # Implementing Identity Verification for Zero Trust
diff --git a/skills/implementing-iec-62443-security-zones/SKILL.md b/skills/implementing-iec-62443-security-zones/SKILL.md
index bdf6e1ad..7843dbcd 100644
--- a/skills/implementing-iec-62443-security-zones/SKILL.md
+++ b/skills/implementing-iec-62443-security-zones/SKILL.md
@@ -1,18 +1,29 @@
 ---
 name: implementing-iec-62443-security-zones
-description: >
- This skill covers designing and implementing security zones and conduits for
- industrial automation and control systems (IACS) per IEC 62443-3-2. It addresses
- zone partitioning based on risk assessment, assigning Security Level targets (SL-T),
- designing conduit security controls, implementing microsegmentation with industrial
- firewalls, and validating zone architecture through traffic analysis and penetration
- testing against the Purdue Reference Model.
+description: 'This skill covers designing and implementing security zones and conduits for industrial automation and control
+ systems (IACS) per IEC 62443-3-2. It addresses zone partitioning based on risk assessment, assigning Security Level targets
+ (SL-T), designing conduit security controls, implementing microsegmentation with industrial firewalls, and validating zone
+ architecture through traffic analysis and penetration testing against the Purdue Reference Model.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, scada, industrial-control, iec62443, network-segmentation, zones-conduits]
+tags:
+- ot-security
+- ics
+- scada
+- industrial-control
+- iec62443
+- network-segmentation
+- zones-conduits
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 
 # Implementing IEC 62443 Security Zones
diff --git a/skills/implementing-image-provenance-verification-with-cosign/SKILL.md b/skills/implementing-image-provenance-verification-with-cosign/SKILL.md
index 0b58c8f7..be2c131b 100644
--- a/skills/implementing-image-provenance-verification-with-cosign/SKILL.md
+++ b/skills/implementing-image-provenance-verification-with-cosign/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-image-provenance-verification-with-cosign
-description: Sign and verify container image provenance using Sigstore Cosign with keyless OIDC-based signing, attestations, and Kubernetes admission enforcement.
+description: Sign and verify container image provenance using Sigstore Cosign with keyless OIDC-based signing, attestations,
+ and Kubernetes admission enforcement.
 domain: cybersecurity
 subdomain: container-security
-tags: [cosign, sigstore, image-signing, supply-chain, provenance, keyless, slsa]
-version: "1.0"
+tags:
+- cosign
+- sigstore
+- image-signing
+- supply-chain
+- provenance
+- keyless
+- slsa
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 
 # Implementing Image Provenance Verification with Cosign
diff --git a/skills/implementing-immutable-backup-with-restic/SKILL.md b/skills/implementing-immutable-backup-with-restic/SKILL.md
index 88a323af..b02749fe 100644
--- a/skills/implementing-immutable-backup-with-restic/SKILL.md
+++ b/skills/implementing-immutable-backup-with-restic/SKILL.md
@@ -28,6 +28,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.DS-11
+- RS.MA-01
+- RC.RP-01
+- PR.IR-01
 ---
 
 # Implementing Immutable Backup with Restic
diff --git a/skills/implementing-infrastructure-as-code-security-scanning/SKILL.md b/skills/implementing-infrastructure-as-code-security-scanning/SKILL.md
index 0eb1fd36..9e678ba7 100644
--- a/skills/implementing-infrastructure-as-code-security-scanning/SKILL.md
+++ b/skills/implementing-infrastructure-as-code-security-scanning/SKILL.md
@@ -1,17 +1,29 @@
 ---
 name: implementing-infrastructure-as-code-security-scanning
-description: >
- This skill covers implementing automated security scanning for Infrastructure as Code
- (IaC) templates using tools like Checkov, tfsec, and KICS. It addresses detecting
- misconfigurations in Terraform, CloudFormation, Kubernetes manifests, and Helm charts
- before deployment, establishing policy-based governance, and integrating IaC scanning
- into CI/CD pipelines to prevent insecure cloud resource provisioning.
+description: 'This skill covers implementing automated security scanning for Infrastructure as Code (IaC) templates using
+ tools like Checkov, tfsec, and KICS. It addresses detecting misconfigurations in Terraform, CloudFormation, Kubernetes manifests,
+ and Helm charts before deployment, establishing policy-based governance, and integrating IaC scanning into CI/CD pipelines
+ to prevent insecure cloud resource provisioning.
+
+ '
 domain: cybersecurity
 subdomain: devsecops
-tags: [devsecops, cicd, iac-security, checkov, tfsec, terraform, secure-sdlc]
+tags:
+- devsecops
+- cicd
+- iac-security
+- checkov
+- tfsec
+- terraform
+- secure-sdlc
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- GV.SC-07
+- ID.IM-04
+- PR.PS-04
 ---
 
 # Implementing Infrastructure as Code Security Scanning
diff --git a/skills/implementing-iso-27001-information-security-management/SKILL.md b/skills/implementing-iso-27001-information-security-management/SKILL.md
index 8ba5e925..6c63636c 100644
--- a/skills/implementing-iso-27001-information-security-management/SKILL.md
+++ b/skills/implementing-iso-27001-information-security-management/SKILL.md
@@ -4,7 +4,7 @@ description: ISO/IEC 27001:2022 is the international standard for establishing,
 domain: cybersecurity
 subdomain: compliance-governance
 tags: [compliance, governance, iso27001, isms, risk-management, certification]
-nist_csf: [GV.OC, GV.RM, GV.RR, GV.PO, GV.OV, ID.RA, PR.AA, PR.DS]
+nist_csf: [GV.OC-01, GV.RM-01, GV.PO-01, ID.RA-01, PR.DS-01]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
diff --git a/skills/implementing-just-in-time-access-provisioning/SKILL.md b/skills/implementing-just-in-time-access-provisioning/SKILL.md
index 16e206fe..e8ef6fb0 100644
--- a/skills/implementing-just-in-time-access-provisioning/SKILL.md
+++ b/skills/implementing-just-in-time-access-provisioning/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-just-in-time-access-provisioning
-description: Implement Just-In-Time (JIT) access provisioning to eliminate standing privileges by granting temporary, time-bound access only when needed. This skill covers JIT architecture design, approval workflo
+description: Implement Just-In-Time (JIT) access provisioning to eliminate standing privileges by granting temporary, time-bound
+ access only when needed. This skill covers JIT architecture design, approval workflo
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [iam, identity, access-control, jit, provisioning, zero-trust, least-privilege]
-version: "1.0"
+tags:
+- iam
+- identity
+- access-control
+- jit
+- provisioning
+- zero-trust
+- least-privilege
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Implementing Just-In-Time Access Provisioning
diff --git a/skills/implementing-jwt-signing-and-verification/SKILL.md b/skills/implementing-jwt-signing-and-verification/SKILL.md
index 60ac2bf5..2d676bd0 100644
--- a/skills/implementing-jwt-signing-and-verification/SKILL.md
+++ b/skills/implementing-jwt-signing-and-verification/SKILL.md
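Review bot: The new `nist_csf` value for the ISO 27001 skill drops `GV.RR`, `GV.OV` and `PR.AA` entirely while converting the remaining categories to `-01` subcategories; for an ISMS skill, leadership roles and responsibilities, management oversight and access control are core themes, so this reads as a silent narrowing of coverage rather than a refinement. If the field now requires subcategory ids, carry the dropped categories across too, e.g. `nist_csf: [GV.OC-01, GV.RM-01, GV.RR-01, GV.PO-01, GV.OV-01, ID.RA-01, PR.AA-01, PR.DS-01]`. This hunk is also the only one in view that keeps flow style (`tags: [...]`, `version: "1.0"`), so the file will drift from the block-style layout applied everywhere else in the commit.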
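Review bot: The reflowed `description` for the JIT skill still ends mid-word at `approval workflo`, so the wrap preserves a truncated sentence that was already broken before this commit; since the line is rewritten anyway, this is the place to restore the full text or end it at `... JIT architecture design.`. The same mid-word cut survives the reflow in the Pod Security Standards (`1.25+. PS`), Kubernetes network policies (`CNI plu`) and PAM for database access (`dynamic credentia`) hunks, and the JWT description (`... signing with HMAC-SHA256`) appears to have been cut before its sentence finished as well.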
@@ -1,12 +1,22 @@
 ---
 name: implementing-jwt-signing-and-verification
-description: JSON Web Tokens (JWT) defined in RFC 7519 are compact, URL-safe tokens used for authentication and authorization in web applications. This skill covers implementing secure JWT signing with HMAC-SHA256
+description: JSON Web Tokens (JWT) defined in RFC 7519 are compact, URL-safe tokens used for authentication and authorization
+ in web applications. This skill covers implementing secure JWT signing with HMAC-SHA256
 domain: cybersecurity
 subdomain: cryptography
-tags: [cryptography, jwt, authentication, token-security, digital-signatures]
-version: "1.0"
+tags:
+- cryptography
+- jwt
+- authentication
+- token-security
+- digital-signatures
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- PR.DS-10
 ---
 
 # Implementing JWT Signing and Verification
diff --git a/skills/implementing-kubernetes-network-policy-with-calico/SKILL.md b/skills/implementing-kubernetes-network-policy-with-calico/SKILL.md
index 3b792149..da9268e8 100644
--- a/skills/implementing-kubernetes-network-policy-with-calico/SKILL.md
+++ b/skills/implementing-kubernetes-network-policy-with-calico/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: implementing-kubernetes-network-policy-with-calico
-description: Implement Kubernetes network segmentation using Calico NetworkPolicy and GlobalNetworkPolicy for zero-trust pod-to-pod communication.
+description: Implement Kubernetes network segmentation using Calico NetworkPolicy and GlobalNetworkPolicy for zero-trust pod-to-pod
+ communication.
 domain: cybersecurity
 subdomain: container-security
-tags: [calico, kubernetes, network-policy, network-segmentation, zero-trust, cni]
-version: "1.0"
+tags:
+- calico
+- kubernetes
+- network-policy
+- network-segmentation
+- zero-trust
+- cni
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 
 # Implementing Kubernetes Network Policy with Calico
diff --git a/skills/implementing-kubernetes-pod-security-standards/SKILL.md b/skills/implementing-kubernetes-pod-security-standards/SKILL.md
index 5c423ae8..80e27433 100644
--- a/skills/implementing-kubernetes-pod-security-standards/SKILL.md
+++ b/skills/implementing-kubernetes-pod-security-standards/SKILL.md
@@ -1,12 +1,23 @@
 ---
 name: implementing-kubernetes-pod-security-standards
-description: Pod Security Standards (PSS) define three levels of security policies -- Privileged, Baseline, and Restricted -- enforced by the Pod Security Admission (PSA) controller built into Kubernetes 1.25+. PS
+description: Pod Security Standards (PSS) define three levels of security policies -- Privileged, Baseline, and Restricted
+ -- enforced by the Pod Security Admission (PSA) controller built into Kubernetes 1.25+. PS
 domain: cybersecurity
 subdomain: container-security
-tags: [containers, kubernetes, security, pod-security, PSA]
-version: "1.0"
+tags:
+- containers
+- kubernetes
+- security
+- pod-security
+- PSA
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 
 # Implementing Kubernetes Pod Security Standards
diff --git a/skills/implementing-llm-guardrails-for-security/SKILL.md b/skills/implementing-llm-guardrails-for-security/SKILL.md
index ce23619e..65257916 100644
--- a/skills/implementing-llm-guardrails-for-security/SKILL.md
+++ b/skills/implementing-llm-guardrails-for-security/SKILL.md
@@ -38,6 +38,11 @@ d3fend_techniques:
 - Content Excision
 - Application Hardening
 - Execution Isolation
+nist_csf:
+- GV.OC-03
+- ID.RA-01
+- PR.PS-01
+- DE.AE-02
 ---
 
 # Implementing LLM Guardrails for Security
diff --git a/skills/implementing-log-forwarding-with-fluentd/SKILL.md b/skills/implementing-log-forwarding-with-fluentd/SKILL.md
index 47a827df..b9e9a380 100644
--- a/skills/implementing-log-forwarding-with-fluentd/SKILL.md
+++ b/skills/implementing-log-forwarding-with-fluentd/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-log-forwarding-with-fluentd
-description: Configure Fluentd and Fluent Bit for centralized log aggregation, routing, filtering, and enrichment across distributed infrastructure
+description: Configure Fluentd and Fluent Bit for centralized log aggregation, routing, filtering, and enrichment across distributed
+ infrastructure
 domain: cybersecurity
 subdomain: security-operations
-tags: [fluentd, fluent-bit, log-aggregation, log-forwarding, siem, centralized-logging, observability]
-version: "1.0"
+tags:
+- fluentd
+- fluent-bit
+- log-aggregation
+- log-forwarding
+- siem
+- centralized-logging
+- observability
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
 
 # Implementing Log Forwarding with Fluentd
diff --git a/skills/implementing-log-integrity-with-blockchain/SKILL.md b/skills/implementing-log-integrity-with-blockchain/SKILL.md
index 25dbe522..4d36a781 100644
--- a/skills/implementing-log-integrity-with-blockchain/SKILL.md
+++ b/skills/implementing-log-integrity-with-blockchain/SKILL.md
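Review bot: The `nist_csf` list added for Fluentd (`DE.CM-01`, `RS.MA-01`, `GV.OV-01`, `DE.AE-02`) is reused unchanged for the log-integrity and mTLS skills in the following hunks, which suggests a security-operations-wide default; `GV.OV-01` (oversight of the cybersecurity risk strategy) does not describe a log pipeline, a hash chain or service certificates. For log integrity `PR.DS-01` (integrity of data at rest) is the relevant subcategory, and for mTLS `PR.AA-01` (identities and credentials for services) and `PR.DS-02` (data in transit), all of which this commit already uses elsewhere. Dropping GV.OV-01 and adding per-skill ids would make the mapping usable for control-coverage reporting.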
@@ -1,17 +1,24 @@
 ---
 name: implementing-log-integrity-with-blockchain
-description: >-
- Build an append-only log integrity chain using SHA-256 hash chaining for tamper detection.
- Each log entry is hashed with the previous entry's hash to create a blockchain-like structure
- where modifying any entry invalidates all subsequent hashes. Implements log ingestion,
- chain verification, tamper detection with pinpoint identification, and periodic checkpoint
+description: Build an append-only log integrity chain using SHA-256 hash chaining for tamper detection. Each log entry is
+ hashed with the previous entry's hash to create a blockchain-like structure where modifying any entry invalidates all subsequent
+ hashes. Implements log ingestion, chain verification, tamper detection with pinpoint identification, and periodic checkpoint
 anchoring to external timestamping services.
 domain: cybersecurity
 subdomain: security-operations
-tags: [implementing, log, integrity, with]
-version: "1.0"
+tags:
+- implementing
+- log
+- integrity
+- with
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
 
 
diff --git a/skills/implementing-memory-protection-with-dep-aslr/SKILL.md b/skills/implementing-memory-protection-with-dep-aslr/SKILL.md
index 9e12fcd9..5b96b6f8 100644
--- a/skills/implementing-memory-protection-with-dep-aslr/SKILL.md
+++ b/skills/implementing-memory-protection-with-dep-aslr/SKILL.md
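Review bot: The `tags` block for the log-integrity skill is `implementing`, `log`, `integrity`, `with`, i.e. the first four words of the skill name including a stop word; converting it to block style keeps tags that carry no search value. Since the list is rewritten here, replace it with the topics the description actually covers, e.g. `- hash-chaining`, `- log-integrity`, `- tamper-detection`, `- sha-256`. The mTLS (`implementing, mtls, for, zero`) and Arkime (`implementing, network, traffic, analysis`) hunks below have the same auto-generated tags.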
@@ -1,17 +1,28 @@
 ---
 name: implementing-memory-protection-with-dep-aslr
-description: >
- Implements memory protection mechanisms including DEP (Data Execution Prevention), ASLR (Address
- Space Layout Randomization), CFG (Control Flow Guard), and other exploit mitigations to prevent
- memory corruption attacks. Use when hardening endpoints against buffer overflow exploits, ROP
- chains, and code injection. Activates for requests involving memory protection, exploit
- mitigation, DEP, ASLR, or CFG configuration.
+description: 'Implements memory protection mechanisms including DEP (Data Execution Prevention), ASLR (Address Space Layout
+ Randomization), CFG (Control Flow Guard), and other exploit mitigations to prevent memory corruption attacks. Use when hardening
+ endpoints against buffer overflow exploits, ROP chains, and code injection. Activates for requests involving memory protection,
+ exploit mitigation, DEP, ASLR, or CFG configuration.
+
+ '
 domain: cybersecurity
 subdomain: endpoint-security
-tags: [endpoint, memory-protection, DEP, ASLR, exploit-mitigation, CFG]
+tags:
+- endpoint
+- memory-protection
+- DEP
+- ASLR
+- exploit-mitigation
+- CFG
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.PS-02
+- DE.CM-01
+- PR.IR-01
 ---
 
 # Implementing Memory Protection with DEP and ASLR
diff --git a/skills/implementing-microsegmentation-with-guardicore/SKILL.md b/skills/implementing-microsegmentation-with-guardicore/SKILL.md
index 69ac38dd..cf692c31 100644
--- a/skills/implementing-microsegmentation-with-guardicore/SKILL.md
+++ b/skills/implementing-microsegmentation-with-guardicore/SKILL.md
@@ -1,15 +1,28 @@
 ---
 name: implementing-microsegmentation-with-guardicore
-description: >
- Implementing microsegmentation using Akamai Guardicore Segmentation to map application
- dependencies, create granular network policies, visualize east-west traffic flows,
- and enforce least-privilege communication between workloads across data centers and cloud.
+description: 'Implementing microsegmentation using Akamai Guardicore Segmentation to map application dependencies, create
+ granular network policies, visualize east-west traffic flows, and enforce least-privilege communication between workloads
+ across data centers and cloud.
+
+ '
 domain: cybersecurity
 subdomain: zero-trust-architecture
-tags: [microsegmentation, guardicore, akamai, zero-trust, east-west-traffic, network-segmentation, lateral-movement]
-version: "1.0"
+tags:
+- microsegmentation
+- guardicore
+- akamai
+- zero-trust
+- east-west-traffic
+- network-segmentation
+- lateral-movement
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 
 # Implementing Microsegmentation with Guardicore
diff --git a/skills/implementing-mimecast-targeted-attack-protection/SKILL.md b/skills/implementing-mimecast-targeted-attack-protection/SKILL.md
index 64e8be3d..69fe8e29 100644
--- a/skills/implementing-mimecast-targeted-attack-protection/SKILL.md
+++ b/skills/implementing-mimecast-targeted-attack-protection/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-mimecast-targeted-attack-protection
-description: Deploy Mimecast Targeted Threat Protection including URL Protect, Attachment Protect, Impersonation Protect, and Internal Email Protect to defend against advanced phishing and spearphishing attacks.
+description: Deploy Mimecast Targeted Threat Protection including URL Protect, Attachment Protect, Impersonation Protect,
+ and Internal Email Protect to defend against advanced phishing and spearphishing attacks.
 domain: cybersecurity
 subdomain: phishing-defense
-tags: [mimecast, email-security, targeted-threat-protection, url-protect, impersonation, attachment-sandboxing, phishing]
-version: "1.0"
+tags:
+- mimecast
+- email-security
+- targeted-threat-protection
+- url-protect
+- impersonation
+- attachment-sandboxing
+- phishing
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
+- DE.AE-02
 ---
 
 # Implementing Mimecast Targeted Attack Protection
diff --git a/skills/implementing-mitre-attack-coverage-mapping/SKILL.md b/skills/implementing-mitre-attack-coverage-mapping/SKILL.md
index cae92232..6b655280 100644
--- a/skills/implementing-mitre-attack-coverage-mapping/SKILL.md
+++ b/skills/implementing-mitre-attack-coverage-mapping/SKILL.md
@@ -28,6 +28,11 @@ d3fend_techniques:
 - Application Protocol Command Analysis
 - Password Authentication
 - Reissue Credential
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 
 # Implementing MITRE ATT&CK Coverage Mapping
diff --git a/skills/implementing-mobile-application-management/SKILL.md b/skills/implementing-mobile-application-management/SKILL.md
index 9c54c299..95310f13 100644
--- a/skills/implementing-mobile-application-management/SKILL.md
+++ b/skills/implementing-mobile-application-management/SKILL.md
@@ -1,18 +1,29 @@
 ---
 name: implementing-mobile-application-management
-description: >
- Implements Mobile Application Management (MAM) policies to protect enterprise data on managed
- and unmanaged mobile devices through app-level controls including data loss prevention, selective
- wipe, app configuration, and containerization. Use when securing corporate apps on BYOD devices,
- implementing Intune App Protection Policies, or enforcing data separation between personal and
- work apps. Activates for requests involving MAM deployment, app protection policies, mobile
- containerization, or BYOD security.
+description: 'Implements Mobile Application Management (MAM) policies to protect enterprise data on managed and unmanaged
+ mobile devices through app-level controls including data loss prevention, selective wipe, app configuration, and containerization.
+ Use when securing corporate apps on BYOD devices, implementing Intune App Protection Policies, or enforcing data separation
+ between personal and work apps. Activates for requests involving MAM deployment, app protection policies, mobile containerization,
+ or BYOD security.
+
+ '
 domain: cybersecurity
 subdomain: mobile-security
 author: mahipal
-tags: [mobile-security, android, ios, mam, enterprise-security, owasp-mobile]
+tags:
+- mobile-security
+- android
+- ios
+- mam
+- enterprise-security
+- owasp-mobile
 version: 1.0.0
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.AA-05
+- ID.RA-01
+- DE.CM-09
 ---
 
 # Implementing Mobile Application Management
diff --git a/skills/implementing-mtls-for-zero-trust-services/SKILL.md b/skills/implementing-mtls-for-zero-trust-services/SKILL.md
index d59c8a88..182bca4a 100644
--- a/skills/implementing-mtls-for-zero-trust-services/SKILL.md
+++ b/skills/implementing-mtls-for-zero-trust-services/SKILL.md
@@ -1,16 +1,25 @@
 ---
 name: implementing-mtls-for-zero-trust-services
-description: >
- Configures mutual TLS (mTLS) authentication between microservices using Python
- cryptography library for certificate generation and ssl module for TLS verification.
- Validates certificate chains, checks expiration, and audits mTLS deployment status.
- Use when implementing zero-trust service-to-service authentication.
+description: 'Configures mutual TLS (mTLS) authentication between microservices using Python cryptography library for certificate
+ generation and ssl module for TLS verification. Validates certificate chains, checks expiration, and audits mTLS deployment
+ status. Use when implementing zero-trust service-to-service authentication.
+
+ '
 domain: cybersecurity
 subdomain: security-operations
-tags: [implementing, mtls, for, zero]
-version: "1.0"
+tags:
+- implementing
+- mtls
+- for
+- zero
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
 
 # Implementing mTLS for Zero Trust Services
diff --git a/skills/implementing-nerc-cip-compliance-controls/SKILL.md b/skills/implementing-nerc-cip-compliance-controls/SKILL.md
index a05a6acf..22dcb155 100644
--- a/skills/implementing-nerc-cip-compliance-controls/SKILL.md
+++ b/skills/implementing-nerc-cip-compliance-controls/SKILL.md
@@ -1,18 +1,31 @@
 ---
 name: implementing-nerc-cip-compliance-controls
-description: >
- This skill covers implementing North American Electric Reliability Corporation
- Critical Infrastructure Protection (NERC CIP) compliance controls for Bulk Electric
- System (BES) cyber systems. It addresses asset categorization (CIP-002), electronic
- security perimeters (CIP-005), system security management (CIP-007), configuration
- management (CIP-010), supply chain risk management (CIP-013), and the 2025 updates
- including mandatory MFA for remote access and expanded low-impact asset requirements.
+description: 'This skill covers implementing North American Electric Reliability Corporation Critical Infrastructure Protection
+ (NERC CIP) compliance controls for Bulk Electric System (BES) cyber systems. It addresses asset categorization (CIP-002),
+ electronic security perimeters (CIP-005), system security management (CIP-007), configuration management (CIP-010), supply
+ chain risk management (CIP-013), and the 2025 updates including mandatory MFA for remote access and expanded low-impact
+ asset requirements.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, scada, industrial-control, iec62443, nerc-cip, power-grid, compliance]
+tags:
+- ot-security
+- ics
+- scada
+- industrial-control
+- iec62443
+- nerc-cip
+- power-grid
+- compliance
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 
 # Implementing NERC CIP Compliance Controls
diff --git a/skills/implementing-network-access-control-with-cisco-ise/SKILL.md b/skills/implementing-network-access-control-with-cisco-ise/SKILL.md
index c2eaee15..1fa743e7 100644
--- a/skills/implementing-network-access-control-with-cisco-ise/SKILL.md
+++ b/skills/implementing-network-access-control-with-cisco-ise/SKILL.md
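Review bot: The `nist_csf` block added for NERC CIP carries no governance subcategory for regulatory obligations even though the skill is a compliance mapping; the same four ids (`PR.IR-01`, `DE.CM-01`, `ID.AM-05`, `GV.OC-02`) are reused for the OT segmentation, OT incident-response and Nozomi skills below, so they look like an OT-wide default. `GV.OC-03` (legal, regulatory and contractual requirements), which this commit already applies to the LLM guardrails skill, is the subcategory a CIP compliance skill should carry, and `GV.SC-07` covers the CIP-013 supply-chain content the description names. I would add `- GV.OC-03` and `- GV.SC-07` to this list.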
@@ -1,12 +1,27 @@
 ---
 name: implementing-network-access-control-with-cisco-ise
-description: Deploy Cisco Identity Services Engine for 802.1X wired and wireless authentication, MAC Authentication Bypass, posture assessment, and dynamic VLAN assignment for network access control.
+description: Deploy Cisco Identity Services Engine for 802.1X wired and wireless authentication, MAC Authentication Bypass,
+ posture assessment, and dynamic VLAN assignment for network access control.
 domain: cybersecurity
 subdomain: network-security
-tags: [cisco-ise, 802.1x, nac, radius, network-access-control, posture-assessment, mab, dynamic-vlan, eap-tls]
-version: "1.0"
+tags:
+- cisco-ise
+- 802.1x
+- nac
+- radius
+- network-access-control
+- posture-assessment
+- mab
+- dynamic-vlan
+- eap-tls
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Implementing Network Access Control with Cisco ISE
diff --git a/skills/implementing-network-access-control/SKILL.md b/skills/implementing-network-access-control/SKILL.md
index 5f53da75..33f95492 100644
--- a/skills/implementing-network-access-control/SKILL.md
+++ b/skills/implementing-network-access-control/SKILL.md
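Review bot: The `nist_csf` list for Cisco ISE (`PR.IR-01`, `DE.CM-01`, `ID.AM-03`, `PR.DS-02`) is the same set added to every network-security hunk in this commit (generic NAC, Suricata, firewall zones, Arkime, baselining, Palo Alto), so it does not reflect what 802.1X does: authenticating users and devices before they are granted network access. `PR.AA-03` (users, services and hardware are authenticated) is the subcategory that describes 802.1X/EAP-TLS and MAB, while `PR.DS-02` (data in transit) has no obvious tie to a RADIUS/NAC deployment. I would add `- PR.AA-03` here and in the generic NAC hunk and drop PR.DS-02 from both.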
@@ -1,15 +1,26 @@
 ---
 name: implementing-network-access-control
-description: >
- Implements 802.1X port-based network access control using RADIUS authentication,
- PacketFence NAC, and switch configurations to enforce identity-based access policies,
- posture assessment, and automatic VLAN assignment for authorized devices.
+description: 'Implements 802.1X port-based network access control using RADIUS authentication, PacketFence NAC, and switch
+ configurations to enforce identity-based access policies, posture assessment, and automatic VLAN assignment for authorized
+ devices.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, nac, 802.1x, radius, packetfence]
-version: "1.0"
+tags:
+- network-security
+- nac
+- 802.1x
+- radius
+- packetfence
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Implementing Network Access Control
diff --git a/skills/implementing-network-deception-with-honeypots/SKILL.md b/skills/implementing-network-deception-with-honeypots/SKILL.md
index dbfa8306..3414cfa0 100644
--- a/skills/implementing-network-deception-with-honeypots/SKILL.md
+++ b/skills/implementing-network-deception-with-honeypots/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-network-deception-with-honeypots
-description: Deploy and manage network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral movement, and attacker reconnaissance.
+description: Deploy and manage network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral
+ movement, and attacker reconnaissance.
 domain: cybersecurity
 subdomain: deception-technology
-tags: [deception, honeypot, opencanary, cowrie, t-pot, detection, lateral-movement, network-security]
-version: "1.0"
+tags:
+- deception
+- honeypot
+- opencanary
+- cowrie
+- t-pot
+- detection
+- lateral-movement
+- network-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-06
+- PR.IR-01
 ---
 
 # Implementing Network Deception with Honeypots
diff --git a/skills/implementing-network-intrusion-prevention-with-suricata/SKILL.md b/skills/implementing-network-intrusion-prevention-with-suricata/SKILL.md
index 77122832..5400cd8f 100644
--- a/skills/implementing-network-intrusion-prevention-with-suricata/SKILL.md
+++ b/skills/implementing-network-intrusion-prevention-with-suricata/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: implementing-network-intrusion-prevention-with-suricata
-description: Deploy and configure Suricata as a network intrusion prevention system with custom rules, Emerging Threats rulesets, and inline traffic inspection for real-time threat blocking.
+description: Deploy and configure Suricata as a network intrusion prevention system with custom rules, Emerging Threats rulesets,
+ and inline traffic inspection for real-time threat blocking.
 domain: cybersecurity
 subdomain: network-security
-tags: [suricata, ips, ids, intrusion-prevention, network-security, emerging-threats, rule-management, nfqueue, inline-mode]
-version: "1.0"
+tags:
+- suricata
+- ips
+- ids
+- intrusion-prevention
+- network-security
+- emerging-threats
+- rule-management
+- nfqueue
+- inline-mode
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Implementing Network Intrusion Prevention with Suricata
diff --git a/skills/implementing-network-policies-for-kubernetes/SKILL.md b/skills/implementing-network-policies-for-kubernetes/SKILL.md
index 2012ee01..43d6832e 100644
--- a/skills/implementing-network-policies-for-kubernetes/SKILL.md
+++ b/skills/implementing-network-policies-for-kubernetes/SKILL.md
@@ -1,12 +1,23 @@
 ---
 name: implementing-network-policies-for-kubernetes
-description: Kubernetes NetworkPolicies provide pod-level network segmentation by defining ingress and egress rules that control traffic flow between pods, namespaces, and external endpoints. Combined with CNI plu
+description: Kubernetes NetworkPolicies provide pod-level network segmentation by defining ingress and egress rules that control
+ traffic flow between pods, namespaces, and external endpoints. Combined with CNI plu
 domain: cybersecurity
 subdomain: container-security
-tags: [containers, kubernetes, security, network-policies, microsegmentation]
-version: "1.0"
+tags:
+- containers
+- kubernetes
+- security
+- network-policies
+- microsegmentation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 
 # Implementing Network Policies for Kubernetes
diff --git a/skills/implementing-network-segmentation-for-ot/SKILL.md b/skills/implementing-network-segmentation-for-ot/SKILL.md
index 1edd6ecd..9ed6ebfd 100644
--- a/skills/implementing-network-segmentation-for-ot/SKILL.md
+++ b/skills/implementing-network-segmentation-for-ot/SKILL.md
@@ -1,18 +1,29 @@
 ---
 name: implementing-network-segmentation-for-ot
-description: >
- This skill covers implementing network segmentation in Operational Technology
- environments using VLANs, industrial firewalls, data diodes, and software-defined
- networking. It addresses the Purdue Model-based segmentation strategy, migration
- from flat networks to segmented architectures without disrupting operations,
- configuring OT-aware firewalls with industrial protocol deep packet inspection,
- and validating segmentation effectiveness through traffic analysis.
+description: 'This skill covers implementing network segmentation in Operational Technology environments using VLANs, industrial
+ firewalls, data diodes, and software-defined networking. It addresses the Purdue Model-based segmentation strategy, migration
+ from flat networks to segmented architectures without disrupting operations, configuring OT-aware firewalls with industrial
+ protocol deep packet inspection, and validating segmentation effectiveness through traffic analysis.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, scada, industrial-control, iec62443, network-segmentation, vlan]
+tags:
+- ot-security
+- ics
+- scada
+- industrial-control
+- iec62443
+- network-segmentation
+- vlan
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 
 # Implementing Network Segmentation for OT
diff --git a/skills/implementing-network-segmentation-with-firewall-zones/SKILL.md b/skills/implementing-network-segmentation-with-firewall-zones/SKILL.md
index db742b06..6fb63baa 100644
--- a/skills/implementing-network-segmentation-with-firewall-zones/SKILL.md
+++ b/skills/implementing-network-segmentation-with-firewall-zones/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: implementing-network-segmentation-with-firewall-zones
-description: Design and implement network segmentation using firewall security zones, VLANs, ACLs, and microsegmentation policies to restrict lateral movement and enforce least-privilege network access.
+description: Design and implement network segmentation using firewall security zones, VLANs, ACLs, and microsegmentation policies
+ to restrict lateral movement and enforce least-privilege network access.
 domain: cybersecurity
 subdomain: network-security
-tags: [network-segmentation, firewall-zones, vlan, microsegmentation, lateral-movement, zero-trust, acl, east-west-traffic, pci-dss]
-version: "1.0"
+tags:
+- network-segmentation
+- firewall-zones
+- vlan
+- microsegmentation
+- lateral-movement
+- zero-trust
+- acl
+- east-west-traffic
+- pci-dss
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Implementing Network Segmentation with Firewall Zones
diff --git a/skills/implementing-network-traffic-analysis-with-arkime/SKILL.md b/skills/implementing-network-traffic-analysis-with-arkime/SKILL.md
index 2ba52e7c..9777a2e9 100644
--- a/skills/implementing-network-traffic-analysis-with-arkime/SKILL.md
+++ b/skills/implementing-network-traffic-analysis-with-arkime/SKILL.md
@@ -1,17 +1,23 @@
 ---
 name: implementing-network-traffic-analysis-with-arkime
-description: >-
- Deploy and query Arkime (formerly Moloch) for full packet capture network
- traffic analysis. Uses the Arkime API v3 to search sessions, download PCAPs,
- analyze connection patterns, detect beaconing behavior, and identify suspicious
- network flows. Monitors DNS queries, HTTP traffic, and TLS certificate anomalies
- across captured traffic.
+description: Deploy and query Arkime (formerly Moloch) for full packet capture network traffic analysis. Uses the Arkime API
+ v3 to search sessions, download PCAPs, analyze connection patterns, detect beaconing behavior, and identify suspicious network
+ flows. Monitors DNS queries, HTTP traffic, and TLS certificate anomalies across captured traffic.
 domain: cybersecurity
 subdomain: network-security
-tags: [implementing, network, traffic, analysis]
-version: "1.0"
+tags:
+- implementing
+- network
+- traffic
+- analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 
diff --git a/skills/implementing-network-traffic-baselining/SKILL.md b/skills/implementing-network-traffic-baselining/SKILL.md
index 9c1eee8b..d013f089 100644
--- a/skills/implementing-network-traffic-baselining/SKILL.md
+++ b/skills/implementing-network-traffic-baselining/SKILL.md
@@ -1,19 +1,25 @@
 ---
 name: implementing-network-traffic-baselining
-description: Build network traffic baselines from NetFlow/IPFIX data using Python pandas for statistical analysis, z-score anomaly detection, and hourly/daily traffic pattern profiling
+description: Build network traffic baselines from NetFlow/IPFIX data using Python pandas for statistical analysis, z-score
+ anomaly detection, and hourly/daily traffic pattern profiling
 domain: cybersecurity
 subdomain: network-security
 tags:
- - netflow
- - ipfix
- - traffic-analysis
- - baselining
- - anomaly-detection
- - pandas
- - network-monitoring
-version: "1.0"
+- netflow
+- ipfix
+- traffic-analysis
+- baselining
+- anomaly-detection
+- pandas
+- network-monitoring
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Implementing Network Traffic Baselining
diff --git a/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.md b/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.md
index 8f9e5928..186063e9 100644
--- a/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.md
+++ b/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: implementing-next-generation-firewall-with-palo-alto
-description: Configure and deploy Palo Alto Networks next-generation firewalls with App-ID, User-ID, zone-based policies, SSL decryption, and threat prevention profiles for enterprise network security.
+description: Configure and deploy Palo Alto Networks next-generation firewalls with App-ID, User-ID, zone-based policies,
+ SSL decryption, and threat prevention profiles for enterprise network security.
 domain: cybersecurity
 subdomain: network-security
-tags: [palo-alto, ngfw, firewall, app-id, user-id, threat-prevention, network-security, ssl-decryption, zone-protection]
-version: "1.0"
+tags:
+- palo-alto
+- ngfw
+- firewall
+- app-id
+- user-id
+- threat-prevention
+- network-security
+- ssl-decryption
+- zone-protection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Implementing Next-Generation Firewall with Palo Alto
diff --git a/skills/implementing-opa-gatekeeper-for-policy-enforcement/SKILL.md b/skills/implementing-opa-gatekeeper-for-policy-enforcement/SKILL.md
index 314f86d0..92111b2e 100644
--- a/skills/implementing-opa-gatekeeper-for-policy-enforcement/SKILL.md
+++ b/skills/implementing-opa-gatekeeper-for-policy-enforcement/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: implementing-opa-gatekeeper-for-policy-enforcement
-description: Enforce Kubernetes admission policies using OPA Gatekeeper with ConstraintTemplates, Rego rules, and the Gatekeeper policy library.
+description: Enforce Kubernetes admission policies using OPA Gatekeeper with ConstraintTemplates, Rego rules, and the Gatekeeper
+ policy library.
 domain: cybersecurity
 subdomain: container-security
-tags: [opa, gatekeeper, kubernetes, admission-control, policy-as-code, rego]
-version: "1.0"
+tags:
+- opa
+- gatekeeper
+- kubernetes
+- admission-control
+- policy-as-code
+- rego
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 
 # Implementing OPA Gatekeeper for Policy Enforcement
diff --git a/skills/implementing-ot-incident-response-playbook/SKILL.md b/skills/implementing-ot-incident-response-playbook/SKILL.md
index 757c67df..12a0244c 100644
--- a/skills/implementing-ot-incident-response-playbook/SKILL.md
+++ b/skills/implementing-ot-incident-response-playbook/SKILL.md
@@ -1,16 +1,29 @@
 ---
 name: implementing-ot-incident-response-playbook
-description: >
- Develop and implement OT-specific incident response playbooks aligned with
- SANS PICERL framework, IEC 62443, and NIST SP 800-82 that address unique ICS
- challenges including safety-critical systems, limited downtime tolerance, and
+description: 'Develop and implement OT-specific incident response playbooks aligned with SANS PICERL framework, IEC 62443,
+ and NIST SP 800-82 that address unique ICS challenges including safety-critical systems, limited downtime tolerance, and
 coordination between IT SOC, OT engineering, and plant operations teams.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, incident-response, playbook, sans, iec62443, nist, safety-critical]
-version: "1.0"
+tags:
+- ot-security
+- ics
+- incident-response
+- playbook
+- sans
+- iec62443
+- nist
+- safety-critical
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 # Implementing OT Incident Response Playbook
diff --git a/skills/implementing-ot-network-traffic-analysis-with-nozomi/SKILL.md b/skills/implementing-ot-network-traffic-analysis-with-nozomi/SKILL.md
index e13b0ab7..0383ac70 100644
--- a/skills/implementing-ot-network-traffic-analysis-with-nozomi/SKILL.md
+++ b/skills/implementing-ot-network-traffic-analysis-with-nozomi/SKILL.md
@@ -27,6 +27,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 # Implementing OT Network Traffic Analysis with Nozomi
diff --git a/skills/implementing-pam-for-database-access/SKILL.md b/skills/implementing-pam-for-database-access/SKILL.md
index a15b1ae1..2c922bf5 100644
--- a/skills/implementing-pam-for-database-access/SKILL.md
+++ b/skills/implementing-pam-for-database-access/SKILL.md
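Review bot: The `nist_csf` list added to implementing-ot-incident-response-playbook (PR.IR-01, DE.CM-01, ID.AM-05, GV.OC-02) is identical to the one given to the Nozomi traffic-analysis, Purdue segmentation and OT patch-management skills in this commit, which suggests the mapping was assigned per subdomain rather than per skill. None of those four subcategories covers incident response, so the playbook skill would be expected to carry at least `RS.MA-01`, which the commit already uses for the ransomware and SIEM skills. Worth checking whether the other ot-ics-security entries were copied the same way before the mapping is consumed downstream.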
@@ -1,12 +1,25 @@
 ---
 name: implementing-pam-for-database-access
-description: Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia
+description: Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL.
+ Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [iam, identity, access-control, privileged-access, pam, database, dba]
-version: "1.0"
+tags:
+- iam
+- identity
+- access-control
+- privileged-access
+- pam
+- database
+- dba
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 # Implementing PAM for Database Access
diff --git a/skills/implementing-passwordless-auth-with-microsoft-entra/SKILL.md b/skills/implementing-passwordless-auth-with-microsoft-entra/SKILL.md
index 195231a1..a91783ac 100644
--- a/skills/implementing-passwordless-auth-with-microsoft-entra/SKILL.md
+++ b/skills/implementing-passwordless-auth-with-microsoft-entra/SKILL.md
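Review bot: The reflowed `description` for implementing-pam-for-database-access still ends mid-word (`dynamic credentia`), so the rewrap preserved a truncated value instead of restoring it; the same truncation survives in implementing-patch-management-workflow (`An effective patc`), implementing-privileged-access-management-with-cyberark (`session isolation, c`), implementing-rsa-key-pair-management (`rotating,`) and implementing-saml-sso-with-okta (`certificate management, a`). The truncation predates this commit, but a pass that rewrites every description is the natural place to either complete the sentence or cut it at the previous full stop, e.g. `description: Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL.`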
@@ -1,17 +1,28 @@
 ---
 name: implementing-passwordless-auth-with-microsoft-entra
-description: >
- Implements passwordless authentication using Microsoft Entra ID with FIDO2 security keys,
- Windows Hello for Business, Microsoft Authenticator passkeys, and certificate-based
- authentication to eliminate password-based attacks.
- Activates for requests involving passwordless deployment, FIDO2 passkey configuration,
- phishing-resistant MFA, or Microsoft Entra authentication method policies.
+description: 'Implements passwordless authentication using Microsoft Entra ID with FIDO2 security keys, Windows Hello for
+ Business, Microsoft Authenticator passkeys, and certificate-based authentication to eliminate password-based attacks. Activates
+ for requests involving passwordless deployment, FIDO2 passkey configuration, phishing-resistant MFA, or Microsoft Entra
+ authentication method policies.
+
+ '
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [passwordless, FIDO2, passkeys, Microsoft-Entra, Windows-Hello, phishing-resistant-MFA]
-version: "1.0"
+tags:
+- passwordless
+- FIDO2
+- passkeys
+- Microsoft-Entra
+- Windows-Hello
+- phishing-resistant-MFA
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 # Implementing Passwordless Auth with Microsoft Entra
diff --git a/skills/implementing-passwordless-authentication-with-fido2/SKILL.md b/skills/implementing-passwordless-authentication-with-fido2/SKILL.md
index 919088aa..aeb4f328 100644
--- a/skills/implementing-passwordless-authentication-with-fido2/SKILL.md
+++ b/skills/implementing-passwordless-authentication-with-fido2/SKILL.md
@@ -24,6 +24,11 @@ nist_ai_rmf:
 - MEASURE-2.5
 - GOVERN-6.1
 - MAP-5.1
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 # Implementing Passwordless Authentication with FIDO2
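Review bot: The `description` for implementing-passwordless-auth-with-microsoft-entra now ends with an empty line and a lone `'` inside the single-quoted scalar, which keeps the trailing newline the old `>` block produced and looks like an artifact of a YAML dumper round-trip; the same shape appears in the OT incident-response, OT patch-management, privileged-session-monitoring, Purdue, kill-switch, Gitleaks and Vault hunks. A trailing newline in a one-line metadata field is unlikely to be intended, and `description: >-` (the form the SIEM correlation skill's old text used) keeps the wrapping without it. Whichever form is kept, it should be the same across the commit rather than quoted in some files and plain in others.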
diff --git a/skills/implementing-patch-management-for-ot-systems/SKILL.md b/skills/implementing-patch-management-for-ot-systems/SKILL.md
index d45c8f90..79a89796 100644
--- a/skills/implementing-patch-management-for-ot-systems/SKILL.md
+++ b/skills/implementing-patch-management-for-ot-systems/SKILL.md
@@ -1,18 +1,29 @@
 ---
 name: implementing-patch-management-for-ot-systems
-description: >
- This skill covers implementing a structured patch management program for OT/ICS
- environments where traditional IT patching approaches can cause process disruption
- or safety hazards. It addresses vendor compatibility testing, risk-based patch
- prioritization, staged deployment through test environments, maintenance window
- coordination, rollback procedures, and compensating controls when patches cannot
- be applied due to operational constraints or vendor restrictions.
+description: 'This skill covers implementing a structured patch management program for OT/ICS environments where traditional
+ IT patching approaches can cause process disruption or safety hazards. It addresses vendor compatibility testing, risk-based
+ patch prioritization, staged deployment through test environments, maintenance window coordination, rollback procedures,
+ and compensating controls when patches cannot be applied due to operational constraints or vendor restrictions.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, scada, industrial-control, iec62443, patch-management, vulnerability-management]
+tags:
+- ot-security
+- ics
+- scada
+- industrial-control
+- iec62443
+- patch-management
+- vulnerability-management
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 # Implementing Patch Management for OT Systems
diff --git a/skills/implementing-patch-management-workflow/SKILL.md b/skills/implementing-patch-management-workflow/SKILL.md
index 4207a63a..57dea667 100644
--- a/skills/implementing-patch-management-workflow/SKILL.md
+++ b/skills/implementing-patch-management-workflow/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: implementing-patch-management-workflow
-description: Patch management is the systematic process of identifying, testing, deploying, and verifying software updates to remediate vulnerabilities across an organization's IT infrastructure. An effective patc
+description: Patch management is the systematic process of identifying, testing, deploying, and verifying software updates
+ to remediate vulnerabilities across an organization's IT infrastructure. An effective patc
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [vulnerability-management, patch-management, wsus, sccm, ansible, risk]
-version: "1.0"
+tags:
+- vulnerability-management
+- patch-management
+- wsus
+- sccm
+- ansible
+- risk
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 # Implementing Patch Management Workflow
diff --git a/skills/implementing-pci-dss-compliance-controls/SKILL.md b/skills/implementing-pci-dss-compliance-controls/SKILL.md
index 8b97f951..d741d117 100644
--- a/skills/implementing-pci-dss-compliance-controls/SKILL.md
+++ b/skills/implementing-pci-dss-compliance-controls/SKILL.md
@@ -4,7 +4,7 @@ description: PCI DSS 4.0.1 establishes 12 requirements across 6 control objectiv
 domain: cybersecurity
 subdomain: compliance-governance
 tags: [compliance, governance, pci-dss, payment-security, cardholder-data]
-nist_csf: [GV.PO, ID.RA, PR.AA, PR.DS, PR.PS, DE.CM, DE.AE]
+nist_csf: [GV.PO-01, PR.DS-01, PR.AA-01, DE.CM-01, ID.RA-01]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
diff --git a/skills/implementing-pod-security-admission-controller/SKILL.md b/skills/implementing-pod-security-admission-controller/SKILL.md
index ec5ab134..dbf72ed7 100644
--- a/skills/implementing-pod-security-admission-controller/SKILL.md
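Review bot: The `nist_csf` value for implementing-pci-dss-compliance-controls stays a flow sequence (`nist_csf: [GV.PO-01, PR.DS-01, PR.AA-01, DE.CM-01, ID.RA-01]`) while every other file in this commit is converted to a block sequence, so the one hand-edited file now differs in style from the generated ones. The rewrite also drops the PR.PS and DE.AE functions the previous list carried without mapping them to a subcategory, which reads as a narrowing rather than a refinement; if that was deliberate it deserves a line in the commit message. Writing it as `nist_csf:` followed by one `- GV.PO-01` item per line matches the rest of the change.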
+++ b/skills/implementing-pod-security-admission-controller/SKILL.md
@@ -1,12 +1,23 @@
 ---
 name: implementing-pod-security-admission-controller
-description: Implement Kubernetes Pod Security Admission to enforce baseline and restricted security profiles at namespace level using built-in admission controller.
+description: Implement Kubernetes Pod Security Admission to enforce baseline and restricted security profiles at namespace
+ level using built-in admission controller.
 domain: cybersecurity
 subdomain: container-security
-tags: [kubernetes, pod-security-admission, psa, pod-security-standards, admission-controller]
-version: "1.0"
+tags:
+- kubernetes
+- pod-security-admission
+- psa
+- pod-security-standards
+- admission-controller
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 # Implementing Pod Security Admission Controller
diff --git a/skills/implementing-policy-as-code-with-open-policy-agent/SKILL.md b/skills/implementing-policy-as-code-with-open-policy-agent/SKILL.md
index 613c10cc..f559d7ce 100644
--- a/skills/implementing-policy-as-code-with-open-policy-agent/SKILL.md
+++ b/skills/implementing-policy-as-code-with-open-policy-agent/SKILL.md
@@ -22,6 +22,11 @@ nist_ai_rmf:
 - GOVERN-1.1
 - MEASURE-2.7
 - MANAGE-3.1
+nist_csf:
+- PR.PS-01
+- GV.SC-07
+- ID.IM-04
+- PR.PS-04
 ---
 # Implementing Policy as Code with Open Policy Agent
diff --git a/skills/implementing-privileged-access-management-with-cyberark/SKILL.md b/skills/implementing-privileged-access-management-with-cyberark/SKILL.md
index 7019e343..de5c7899 100644
--- a/skills/implementing-privileged-access-management-with-cyberark/SKILL.md
+++ b/skills/implementing-privileged-access-management-with-cyberark/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: implementing-privileged-access-management-with-cyberark
-description: Deploy CyberArk Privileged Access Management to discover, vault, rotate, and monitor privileged credentials across enterprise infrastructure. This skill covers vault architecture, session isolation, c
+description: Deploy CyberArk Privileged Access Management to discover, vault, rotate, and monitor privileged credentials across
+ enterprise infrastructure. This skill covers vault architecture, session isolation, c
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [iam, identity, access-control, privileged-access, pam, cyberark]
-version: "1.0"
+tags:
+- iam
+- identity
+- access-control
+- privileged-access
+- pam
+- cyberark
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 # Implementing Privileged Access Management with CyberArk
diff --git a/skills/implementing-privileged-access-workstation/SKILL.md b/skills/implementing-privileged-access-workstation/SKILL.md
index 761b9dab..acd61341 100644
--- a/skills/implementing-privileged-access-workstation/SKILL.md
+++ b/skills/implementing-privileged-access-workstation/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: implementing-privileged-access-workstation
-description: Design and implement Privileged Access Workstations (PAWs) with device hardening, just-in-time access, and integration with CyberArk or BeyondTrust for secure administrative operations.
+description: Design and implement Privileged Access Workstations (PAWs) with device hardening, just-in-time access, and integration
+ with CyberArk or BeyondTrust for secure administrative operations.
 domain: cybersecurity
 subdomain: identity-and-access-management
-tags: [privileged-access, PAW, zero-trust, device-hardening, CyberArk, BeyondTrust, just-in-time-access]
-version: "1.0"
+tags:
+- privileged-access
+- PAW
+- zero-trust
+- device-hardening
+- CyberArk
+- BeyondTrust
+- just-in-time-access
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
 ---
 # Implementing Privileged Access Workstation
diff --git a/skills/implementing-privileged-session-monitoring/SKILL.md b/skills/implementing-privileged-session-monitoring/SKILL.md
index 7545a472..ec3859e3 100644
--- a/skills/implementing-privileged-session-monitoring/SKILL.md
+++ b/skills/implementing-privileged-session-monitoring/SKILL.md
@@ -1,19 +1,30 @@
 ---
 name: implementing-privileged-session-monitoring
-description: >
- Implements privileged session monitoring and recording using Privileged Access
- Management (PAM) solutions, focusing on CyberArk Privileged Session Manager
- (PSM) and open-source alternatives. Covers session recording configuration,
- keystroke logging, real-time monitoring, risk-based session analysis, and
- compliance audit trail generation. Activates for requests involving privileged
- session recording, PAM session monitoring, CyberArk PSM configuration,
- administrator activity monitoring, or compliance session auditing.
+description: 'Implements privileged session monitoring and recording using Privileged Access Management (PAM) solutions, focusing
+ on CyberArk Privileged Session Manager (PSM) and open-source alternatives. Covers session recording configuration, keystroke
+ logging, real-time monitoring, risk-based session analysis, and compliance audit trail generation. Activates for requests
+ involving privileged session recording, PAM session monitoring, CyberArk PSM configuration, administrator activity monitoring,
+ or compliance session auditing.
+
+ '
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [PAM, CyberArk, PSM, privileged-session, session-recording, session-monitoring, compliance]
+tags:
+- PAM
+- CyberArk
+- PSM
+- privileged-session
+- session-recording
+- session-monitoring
+- compliance
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 # Implementing Privileged Session Monitoring
diff --git a/skills/implementing-proofpoint-email-security-gateway/SKILL.md b/skills/implementing-proofpoint-email-security-gateway/SKILL.md
index 9418b67e..cbe4e841 100644
--- a/skills/implementing-proofpoint-email-security-gateway/SKILL.md
+++ b/skills/implementing-proofpoint-email-security-gateway/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: implementing-proofpoint-email-security-gateway
-description: Deploy and configure Proofpoint Email Protection as a secure email gateway to detect and block phishing, malware, BEC, and spam before messages reach user inboxes.
+description: Deploy and configure Proofpoint Email Protection as a secure email gateway to detect and block phishing, malware,
+ BEC, and spam before messages reach user inboxes.
 domain: cybersecurity
 subdomain: phishing-defense
-tags: [email-security, proofpoint, secure-email-gateway, phishing, anti-spam, anti-malware, bec, email-filtering]
-version: "1.0"
+tags:
+- email-security
+- proofpoint
+- secure-email-gateway
+- phishing
+- anti-spam
+- anti-malware
+- bec
+- email-filtering
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
+- DE.AE-02
 ---
 # Implementing Proofpoint Email Security Gateway
diff --git a/skills/implementing-purdue-model-network-segmentation/SKILL.md b/skills/implementing-purdue-model-network-segmentation/SKILL.md
index 2293b789..5820fdac 100644
--- a/skills/implementing-purdue-model-network-segmentation/SKILL.md
+++ b/skills/implementing-purdue-model-network-segmentation/SKILL.md
@@ -1,16 +1,29 @@
 ---
 name: implementing-purdue-model-network-segmentation
-description: >
- Implement network segmentation based on the Purdue Enterprise Reference
- Architecture (PERA) model to separate industrial control system networks into
- hierarchical security zones from Level 0 physical process through Level 5
- enterprise, enforcing strict traffic control between OT and IT domains.
+description: 'Implement network segmentation based on the Purdue Enterprise Reference Architecture (PERA) model to separate
+ industrial control system networks into hierarchical security zones from Level 0 physical process through Level 5 enterprise,
+ enforcing strict traffic control between OT and IT domains.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, purdue-model, network-segmentation, iec62443, defense-in-depth, dmz, scada]
-version: "1.0"
+tags:
+- ot-security
+- ics
+- purdue-model
+- network-segmentation
+- iec62443
+- defense-in-depth
+- dmz
+- scada
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 # Implementing Purdue Model Network Segmentation
diff --git a/skills/implementing-ransomware-backup-strategy/SKILL.md b/skills/implementing-ransomware-backup-strategy/SKILL.md
index 0060a62b..051569f6 100644
--- a/skills/implementing-ransomware-backup-strategy/SKILL.md
+++ b/skills/implementing-ransomware-backup-strategy/SKILL.md
@@ -29,6 +29,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.DS-11
+- RS.MA-01
+- RC.RP-01
+- PR.IR-01
 ---
 # Implementing Ransomware Backup Strategy
diff --git a/skills/implementing-ransomware-kill-switch-detection/SKILL.md b/skills/implementing-ransomware-kill-switch-detection/SKILL.md
index 2f8d5910..b5e75778 100644
--- a/skills/implementing-ransomware-kill-switch-detection/SKILL.md
+++ b/skills/implementing-ransomware-kill-switch-detection/SKILL.md
@@ -1,18 +1,28 @@
 ---
 name: implementing-ransomware-kill-switch-detection
-description: >
- Detects and exploits ransomware kill switch mechanisms including mutex-based
- execution guards, domain-based kill switches, and registry-based termination
- checks. Implements proactive mutex vaccination and kill switch domain monitoring
- to prevent ransomware from executing. Activates for requests involving ransomware
- kill switch analysis, mutex vaccination, WannaCry-style domain kill switches,
- or malware execution guard detection.
+description: 'Detects and exploits ransomware kill switch mechanisms including mutex-based execution guards, domain-based
+ kill switches, and registry-based termination checks. Implements proactive mutex vaccination and kill switch domain monitoring
+ to prevent ransomware from executing. Activates for requests involving ransomware kill switch analysis, mutex vaccination,
+ WannaCry-style domain kill switches, or malware execution guard detection.
+
+ '
 domain: cybersecurity
 subdomain: ransomware-defense
-tags: [ransomware, kill-switch, mutex, detection, WannaCry, malware-analysis]
+tags:
+- ransomware
+- kill-switch
+- mutex
+- detection
+- WannaCry
+- malware-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-11
+- RS.MA-01
+- RC.RP-01
+- PR.IR-01
 ---
 # Implementing Ransomware Kill Switch Detection
diff --git a/skills/implementing-rapid7-insightvm-for-scanning/SKILL.md b/skills/implementing-rapid7-insightvm-for-scanning/SKILL.md
index 0cfc021f..95c84647 100644
--- a/skills/implementing-rapid7-insightvm-for-scanning/SKILL.md
+++ b/skills/implementing-rapid7-insightvm-for-scanning/SKILL.md
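Review bot: The `nist_csf` list for implementing-ransomware-kill-switch-detection (PR.DS-11, RS.MA-01, RC.RP-01, PR.IR-01) is the same one the ransomware-backup-strategy hunk just above receives, and it looks copied by subdomain: backup and recovery subcategories do not describe a skill whose description is about detecting execution guards and monitoring kill-switch domains. The detection-side subcategories the commit already uses elsewhere, `DE.CM-01` and `DE.AE-02`, fit this skill better than `PR.DS-11` and `RC.RP-01`.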
@@ -1,12 +1,25 @@
 ---
 name: implementing-rapid7-insightvm-for-scanning
-description: Deploy and configure Rapid7 InsightVM Security Console and Scan Engines for authenticated and unauthenticated vulnerability scanning across enterprise environments.
+description: Deploy and configure Rapid7 InsightVM Security Console and Scan Engines for authenticated and unauthenticated
+ vulnerability scanning across enterprise environments.
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [rapid7, insightvm, vulnerability-scanning, nexpose, scan-engine, asset-discovery, authenticated-scanning]
-version: "1.0"
+tags:
+- rapid7
+- insightvm
+- vulnerability-scanning
+- nexpose
+- scan-engine
+- asset-discovery
+- authenticated-scanning
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 # Implementing Rapid7 InsightVM for Scanning
diff --git a/skills/implementing-rbac-hardening-for-kubernetes/SKILL.md b/skills/implementing-rbac-hardening-for-kubernetes/SKILL.md
index 64be4ba4..b83a9733 100644
--- a/skills/implementing-rbac-hardening-for-kubernetes/SKILL.md
+++ b/skills/implementing-rbac-hardening-for-kubernetes/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: implementing-rbac-hardening-for-kubernetes
-description: Harden Kubernetes Role-Based Access Control by implementing least-privilege policies, auditing role bindings, eliminating cluster-admin sprawl, and integrating external identity providers.
+description: Harden Kubernetes Role-Based Access Control by implementing least-privilege policies, auditing role bindings,
+ eliminating cluster-admin sprawl, and integrating external identity providers.
 domain: cybersecurity
 subdomain: container-security
-tags: [kubernetes, rbac, access-control, least-privilege, security-hardening, iam, oidc, service-accounts]
-version: "1.0"
+tags:
+- kubernetes
+- rbac
+- access-control
+- least-privilege
+- security-hardening
+- iam
+- oidc
+- service-accounts
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 # Implementing RBAC Hardening for Kubernetes
diff --git a/skills/implementing-rsa-key-pair-management/SKILL.md b/skills/implementing-rsa-key-pair-management/SKILL.md
index 550c60ef..38429694 100644
--- a/skills/implementing-rsa-key-pair-management/SKILL.md
+++ b/skills/implementing-rsa-key-pair-management/SKILL.md
@@ -1,12 +1,22 @@
 ---
 name: implementing-rsa-key-pair-management
-description: RSA (Rivest-Shamir-Adleman) is the most widely deployed asymmetric cryptographic algorithm, used for digital signatures, key exchange, and encryption. This skill covers generating, storing, rotating,
+description: RSA (Rivest-Shamir-Adleman) is the most widely deployed asymmetric cryptographic algorithm, used for digital
+ signatures, key exchange, and encryption. This skill covers generating, storing, rotating,
 domain: cybersecurity
 subdomain: cryptography
-tags: [cryptography, rsa, key-management, pki, asymmetric-encryption]
-version: "1.0"
+tags:
+- cryptography
+- rsa
+- key-management
+- pki
+- asymmetric-encryption
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- PR.DS-10
 ---
 # Implementing RSA Key Pair Management
diff --git a/skills/implementing-runtime-application-self-protection/SKILL.md b/skills/implementing-runtime-application-self-protection/SKILL.md
index 2edf2179..753f05fe 100644
--- a/skills/implementing-runtime-application-self-protection/SKILL.md
+++ b/skills/implementing-runtime-application-self-protection/SKILL.md
@@ -21,6 +21,11 @@ nist_ai_rmf:
 - GOVERN-1.1
 - MEASURE-2.7
 - MANAGE-3.1
+nist_csf:
+- PR.PS-01
+- PR.PS-04
+- ID.RA-01
+- PR.DS-10
 ---
 # Implementing Runtime Application Self-Protection
diff --git a/skills/implementing-runtime-security-with-tetragon/SKILL.md b/skills/implementing-runtime-security-with-tetragon/SKILL.md
index 1bc3558b..b91af904 100644
--- a/skills/implementing-runtime-security-with-tetragon/SKILL.md
+++ b/skills/implementing-runtime-security-with-tetragon/SKILL.md
@@ -25,6 +25,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 # Implementing Runtime Security with Tetragon
diff --git a/skills/implementing-saml-sso-with-okta/SKILL.md b/skills/implementing-saml-sso-with-okta/SKILL.md
index 514d4c21..a86c83ac 100644
--- a/skills/implementing-saml-sso-with-okta/SKILL.md
+++ b/skills/implementing-saml-sso-with-okta/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-saml-sso-with-okta
-description: Implement SAML 2.0 Single Sign-On (SSO) using Okta as the Identity Provider (IdP). This skill covers end-to-end configuration of SAML authentication flows, attribute mapping, certificate management, a
+description: Implement SAML 2.0 Single Sign-On (SSO) using Okta as the Identity Provider (IdP). This skill covers end-to-end
+ configuration of SAML authentication flows, attribute mapping, certificate management, a
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [iam, identity, access-control, authentication, saml, sso, okta]
-version: "1.0"
+tags:
+- iam
+- identity
+- access-control
+- authentication
+- saml
+- sso
+- okta
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 # Implementing SAML SSO with Okta
diff --git a/skills/implementing-scim-provisioning-with-okta/SKILL.md b/skills/implementing-scim-provisioning-with-okta/SKILL.md
index 55b2b867..b399e22f 100644
--- a/skills/implementing-scim-provisioning-with-okta/SKILL.md
+++ b/skills/implementing-scim-provisioning-with-okta/SKILL.md
@@ -3,10 +3,22 @@ name: implementing-scim-provisioning-with-okta
 description: Implement automated user provisioning and deprovisioning using SCIM 2.0 protocol with Okta as the identity provider.
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [scim, okta, provisioning, identity-management, automation, sso, lifecycle-management]
-version: "1.0"
+tags:
+- scim
+- okta
+- provisioning
+- identity-management
+- automation
+- sso
+- lifecycle-management
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 # Implementing SCIM Provisioning with Okta
diff --git a/skills/implementing-secret-scanning-with-gitleaks/SKILL.md b/skills/implementing-secret-scanning-with-gitleaks/SKILL.md
index aead4072..2ea94a69 100644
--- a/skills/implementing-secret-scanning-with-gitleaks/SKILL.md
+++ b/skills/implementing-secret-scanning-with-gitleaks/SKILL.md
@@ -1,16 +1,27 @@
 ---
 name: implementing-secret-scanning-with-gitleaks
-description: >
- This skill covers implementing Gitleaks for detecting and preventing hardcoded secrets
- in git repositories. It addresses configuring pre-commit hooks, CI/CD pipeline integration,
- custom rule authoring for organization-specific secrets, baseline management for existing
- repositories, and remediation workflows for exposed credentials.
+description: 'This skill covers implementing Gitleaks for detecting and preventing hardcoded secrets in git repositories.
+ It addresses configuring pre-commit hooks, CI/CD pipeline integration, custom rule authoring for organization-specific secrets,
+ baseline management for existing repositories, and remediation workflows for exposed credentials.
+
+ '
 domain: cybersecurity
 subdomain: devsecops
-tags: [devsecops, cicd, secret-scanning, gitleaks, pre-commit, secure-sdlc]
+tags:
+- devsecops
+- cicd
+- secret-scanning
+- gitleaks
+- pre-commit
+- secure-sdlc
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- GV.SC-07
+- ID.IM-04
+- PR.PS-04
 ---
 # Implementing Secret Scanning with Gitleaks
diff --git a/skills/implementing-secrets-management-with-vault/SKILL.md b/skills/implementing-secrets-management-with-vault/SKILL.md
index d83ac127..8a0c221c 100644
--- a/skills/implementing-secrets-management-with-vault/SKILL.md
+++ b/skills/implementing-secrets-management-with-vault/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: implementing-secrets-management-with-vault
-description: >
- This skill covers deploying HashiCorp Vault for centralized secrets management across
- cloud environments, including dynamic secret generation for databases and cloud providers,
- transit encryption, PKI certificate management, and Kubernetes integration. It addresses
- eliminating hardcoded credentials from application code and CI/CD pipelines by implementing
- short-lived, automatically rotated secrets.
+description: 'This skill covers deploying HashiCorp Vault for centralized secrets management across cloud environments, including
+ dynamic secret generation for databases and cloud providers, transit encryption, PKI certificate management, and Kubernetes
+ integration. It addresses eliminating hardcoded credentials from application code and CI/CD pipelines by implementing short-lived,
+ automatically rotated secrets.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [hashicorp-vault, secrets-management, dynamic-secrets, credential-rotation, zero-trust]
+tags:
+- hashicorp-vault
+- secrets-management
+- dynamic-secrets
+- credential-rotation
+- zero-trust
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 # Implementing Secrets Management with Vault
diff --git a/skills/implementing-secrets-scanning-in-ci-cd/SKILL.md b/skills/implementing-secrets-scanning-in-ci-cd/SKILL.md
index f95f1fb5..6b10fc29 100644
--- a/skills/implementing-secrets-scanning-in-ci-cd/SKILL.md
+++ b/skills/implementing-secrets-scanning-in-ci-cd/SKILL.md
@@ -3,10 +3,19 @@ name: implementing-secrets-scanning-in-ci-cd
 description: Integrate gitleaks and trufflehog into CI/CD pipelines to detect leaked secrets before deployment
 domain: cybersecurity
 subdomain: devsecops
-tags: [secrets-scanning, gitleaks, trufflehog, ci-cd]
-version: "1.0"
+tags:
+- secrets-scanning
+- gitleaks
+- trufflehog
+- ci-cd
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- GV.SC-07
+- ID.IM-04
+- PR.PS-04
 ---
diff --git a/skills/implementing-security-chaos-engineering/SKILL.md b/skills/implementing-security-chaos-engineering/SKILL.md
index a68dfbaa..29253543 100644
--- a/skills/implementing-security-chaos-engineering/SKILL.md
+++ b/skills/implementing-security-chaos-engineering/SKILL.md
@@ -23,6 +23,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
 # Implementing Security Chaos Engineering
diff --git a/skills/implementing-security-information-sharing-with-stix2/SKILL.md b/skills/implementing-security-information-sharing-with-stix2/SKILL.md
index d278e826..f76dbcb1 100644
--- a/skills/implementing-security-information-sharing-with-stix2/SKILL.md
+++ b/skills/implementing-security-information-sharing-with-stix2/SKILL.md
@@ -20,6 +20,11 @@ d3fend_techniques:
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Implementing Security Information Sharing with STIX 2.1
diff --git a/skills/implementing-security-monitoring-with-datadog/SKILL.md b/skills/implementing-security-monitoring-with-datadog/SKILL.md
index e2e3e02b..ac862c7d 100644
--- a/skills/implementing-security-monitoring-with-datadog/SKILL.md
+++ b/skills/implementing-security-monitoring-with-datadog/SKILL.md
@@ -32,6 +32,11 @@ d3fend_techniques:
 - Biometric Authentication
 - Strong Password Policy
 - Restore User Account Access
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
 # Implementing Security Monitoring with Datadog
diff --git a/skills/implementing-semgrep-for-custom-sast-rules/SKILL.md b/skills/implementing-semgrep-for-custom-sast-rules/SKILL.md
index c859a70a..bcb0b045 100644
--- a/skills/implementing-semgrep-for-custom-sast-rules/SKILL.md
+++ b/skills/implementing-semgrep-for-custom-sast-rules/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: implementing-semgrep-for-custom-sast-rules
-description: Write custom Semgrep SAST rules in YAML to detect application-specific vulnerabilities, enforce coding standards, and integrate into CI/CD pipelines.
+description: Write custom Semgrep SAST rules in YAML to detect application-specific vulnerabilities, enforce coding standards,
+ and integrate into CI/CD pipelines.
 domain: cybersecurity
 subdomain: devsecops
-tags: [semgrep, sast, static-analysis, custom-rules, devsecops, code-security]
-version: "1.0"
+tags:
+- semgrep
+- sast
+- static-analysis
+- custom-rules
+- devsecops
+- code-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- GV.SC-07
+- ID.IM-04
+- PR.PS-04
 ---
 # Implementing Semgrep for Custom SAST Rules
diff --git a/skills/implementing-siem-correlation-rules-for-apt/SKILL.md b/skills/implementing-siem-correlation-rules-for-apt/SKILL.md
index fc73f47e..924396b9 100644
--- a/skills/implementing-siem-correlation-rules-for-apt/SKILL.md
+++ b/skills/implementing-siem-correlation-rules-for-apt/SKILL.md
@@ -1,16 +1,24 @@
 ---
 name: implementing-siem-correlation-rules-for-apt
-description: >-
- Write multi-event correlation rules that detect APT lateral movement by chaining Windows authentication events,
- process execution telemetry, and network connection logs across hosts. Uses Splunk SPL and Sigma rule format
- to correlate Event IDs 4624, 4648, 4688, and Sysmon Events 1/3 within sliding time windows to surface attack
- sequences invisible to single-event detections.
+description: Write multi-event correlation rules that detect APT lateral movement by chaining Windows authentication events,
+ process execution telemetry, and network connection logs across hosts. Uses Splunk SPL and Sigma rule format to correlate
+ Event IDs 4624, 4648, 4688, and Sysmon Events 1/3 within sliding time windows to surface attack sequences invisible to single-event
+ detections.
 domain: cybersecurity
 subdomain: security-operations
-tags: [implementing, siem, correlation, rules]
-version: "1.0"
+tags:
+- implementing
+- siem
+- correlation
+- rules
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
diff --git a/skills/implementing-siem-use-case-tuning/SKILL.md b/skills/implementing-siem-use-case-tuning/SKILL.md
index ba22eddf..bf5ae959 100644
--- a/skills/implementing-siem-use-case-tuning/SKILL.md
+++ b/skills/implementing-siem-use-case-tuning/SKILL.md
@@ -1,19 +1,25 @@
 ---
 name: implementing-siem-use-case-tuning
-description: Tune SIEM detection rules to reduce false positives by analyzing alert volumes, creating whitelists, adjusting thresholds, and measuring detection efficacy metrics in Splunk and Elastic
+description: Tune SIEM detection rules to reduce false positives by analyzing alert volumes, creating whitelists, adjusting
+ thresholds, and measuring detection efficacy metrics in Splunk and Elastic
 domain: cybersecurity
 subdomain: security-operations
 tags:
- - siem
- - detection-engineering
- - false-positive-reduction
- - splunk
- - elastic
- - alert-tuning
- - soc
-version: "1.0"
+- siem
+- detection-engineering
+- false-positive-reduction
+- splunk
+- elastic
+- alert-tuning
+- soc
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
 # Implementing SIEM Use Case Tuning
diff --git a/skills/implementing-siem-use-cases-for-detection/SKILL.md b/skills/implementing-siem-use-cases-for-detection/SKILL.md
index 4cdf742e..d8579754 100644
--- a/skills/implementing-siem-use-cases-for-detection/SKILL.md
+++ b/skills/implementing-siem-use-cases-for-detection/SKILL.md
@@ -33,6 +33,11 @@ d3fend_techniques:
 - Password Authentication
 - Reissue Credential
 - Strong Password Policy
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Implementing SIEM Use Cases for Detection
diff --git a/skills/implementing-sigstore-for-software-signing/SKILL.md b/skills/implementing-sigstore-for-software-signing/SKILL.md
index ba9c61f8..b95e5f8b 100644
--- a/skills/implementing-sigstore-for-software-signing/SKILL.md
+++ b/skills/implementing-sigstore-for-software-signing/SKILL.md
@@ -1,19 +1,32 @@
 ---
 name: implementing-sigstore-for-software-signing
-description: >
- Implements Sigstore-based software signing and verification using Cosign keyless signing,
- Rekor transparency log verification, and Fulcio certificate authority integration to establish
- cryptographic provenance for container images, binaries, and software artifacts. The practitioner
- configures OIDC-based identity binding, verifies signing events against the Rekor transparency
- log, and integrates signing workflows into CI/CD pipelines. Activates for requests involving
- software supply chain signing, keyless container signing, Sigstore deployment, or artifact
- provenance verification.
+description: 'Implements Sigstore-based software signing and verification using Cosign keyless signing, Rekor transparency
+ log verification, and Fulcio certificate authority integration to establish cryptographic provenance for container images,
+ binaries, and software artifacts. The practitioner configures OIDC-based identity binding, verifies signing events against
+ the Rekor transparency log, and integrates signing workflows into CI/CD pipelines. Activates for requests involving software
+ supply chain signing, keyless container signing, Sigstore deployment, or artifact provenance verification.
+
+ '
 domain: cybersecurity
 subdomain: supply-chain-security
-tags: [sigstore, cosign, rekor, fulcio, software-signing, supply-chain, keyless-signing, OIDC, transparency-log]
+tags:
+- sigstore
+- cosign
+- rekor
+- fulcio
+- software-signing
+- supply-chain
+- keyless-signing
+- OIDC
+- transparency-log
 version: 1.0.0
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- GV.SC-01
+- GV.SC-03
+- GV.SC-06
+- GV.SC-07
 ---
 # Implementing Sigstore for Software Signing
diff --git a/skills/implementing-soar-automation-with-phantom/SKILL.md b/skills/implementing-soar-automation-with-phantom/SKILL.md
index 792bc9d1..98618559 100644
--- a/skills/implementing-soar-automation-with-phantom/SKILL.md
+++ b/skills/implementing-soar-automation-with-phantom/SKILL.md
@@ -1,17 +1,33 @@
 ---
 name: implementing-soar-automation-with-phantom
-description: >
- Implements Security Orchestration, Automation, and Response (SOAR) workflows using Splunk SOAR
- (formerly Phantom) to automate alert triage, IOC enrichment, containment actions, and incident
- response playbooks. Use when SOC teams need to reduce manual analyst work, standardize response
- procedures, or integrate multiple security tools into automated workflows.
+description: 'Implements Security Orchestration, Automation, and Response (SOAR) workflows using Splunk SOAR (formerly Phantom)
+ to automate alert triage, IOC enrichment, containment actions, and incident response playbooks. Use when SOC teams need
+ to reduce manual analyst work, standardize response procedures, or integrate multiple security tools into automated workflows.
+
+ '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, soar, phantom, splunk-soar, automation, playbook, orchestration, incident-response]
-mitre_attack: ["T1566", "T1059", "T1078"]
-version: "1.0"
+tags:
+- soc
+- soar
+- phantom
+- splunk-soar
+- automation
+- playbook
+- orchestration
+- incident-response
+mitre_attack:
+- T1566
+- T1059
+- T1078
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Implementing SOAR Automation with Phantom
diff --git a/skills/implementing-soar-playbook-for-phishing/SKILL.md b/skills/implementing-soar-playbook-for-phishing/SKILL.md
index f914f665..e21be146 100644
--- a/skills/implementing-soar-playbook-for-phishing/SKILL.md
+++ b/skills/implementing-soar-playbook-for-phishing/SKILL.md
@@ -1,12 +1,22 @@
 ---
 name: implementing-soar-playbook-for-phishing
-description: Automate phishing incident response using Splunk SOAR REST API to create containers, add artifacts, and trigger playbooks
+description: Automate phishing incident response using Splunk SOAR REST API to create containers, add artifacts, and trigger
+ playbooks
 domain: cybersecurity
 subdomain: security-operations
-tags: [soar, splunk-phantom, phishing, incident-response]
-version: "1.0"
+tags:
+- soar
+- splunk-phantom
+- phishing
+- incident-response
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
diff --git a/skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md b/skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md
index 5ef9a5dd..a4ca38de 100644
--- a/skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md
+++ b/skills/implementing-soar-playbook-with-palo-alto-xsoar/SKILL.md
@@ -1,13 +1,30 @@
 ---
 name: implementing-soar-playbook-with-palo-alto-xsoar
-description: Implement automated incident response playbooks in Cortex XSOAR to orchestrate security workflows across SOC tools and reduce manual response time.
+description: Implement automated incident response playbooks in Cortex XSOAR to orchestrate security workflows across SOC
+ tools and reduce manual response time.
 domain: cybersecurity
 subdomain: soc-operations
-tags: [xsoar, soar, palo-alto, playbook, automation, incident-response, orchestration, cortex]
-mitre_attack: ["T1566", "T1204", "T1078"]
-version: "1.0"
+tags:
+- xsoar
+- soar
+- palo-alto
+- playbook
+- automation
+- incident-response
+- orchestration
+- cortex
+mitre_attack:
+- T1566
+- T1204
+- T1078
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Implementing SOAR Playbook with Palo Alto XSOAR
diff --git a/skills/implementing-stix-taxii-feed-integration/SKILL.md b/skills/implementing-stix-taxii-feed-integration/SKILL.md
index 997347b5..da519e42 100644
--- a/skills/implementing-stix-taxii-feed-integration/SKILL.md
+++ b/skills/implementing-stix-taxii-feed-integration/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: implementing-stix-taxii-feed-integration
-description: STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Intelligence Information) are OASIS open standards for representing and transporting cyber threat intelligence.
+description: STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Intelligence Information)
+ are OASIS open standards for representing and transporting cyber threat intelligence.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, taxii, feed-integration, oasis]
-version: "1.0"
+tags:
+- threat-intelligence
+- cti
+- ioc
+- mitre-attack
+- stix
+- taxii
+- feed-integration
+- oasis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Implementing STIX/TAXII Feed Integration
diff --git a/skills/implementing-supply-chain-security-with-in-toto/SKILL.md b/skills/implementing-supply-chain-security-with-in-toto/SKILL.md
index 4fb21d62..b2b33720 100644
--- a/skills/implementing-supply-chain-security-with-in-toto/SKILL.md
+++ b/skills/implementing-supply-chain-security-with-in-toto/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: implementing-supply-chain-security-with-in-toto
-description: Implement software supply chain integrity verification for container builds using the in-toto framework to create cryptographically signed attestations across CI/CD pipeline steps.
+description: Implement software supply chain integrity verification for container builds using the in-toto framework to create
+ cryptographically signed attestations across CI/CD pipeline steps.
 domain: cybersecurity
 subdomain: container-security
-tags: [in-toto, supply-chain-security, attestation, slsa, sigstore, container-security, cncf, provenance, sbom]
-version: "1.0"
+tags:
+- in-toto
+- supply-chain-security
+- attestation
+- slsa
+- sigstore
+- container-security
+- cncf
+- provenance
+- sbom
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 # Implementing Supply Chain Security with in-toto
diff --git a/skills/implementing-syslog-centralization-with-rsyslog/SKILL.md b/skills/implementing-syslog-centralization-with-rsyslog/SKILL.md
index e8618456..6fd3ec8b 100644
--- a/skills/implementing-syslog-centralization-with-rsyslog/SKILL.md
+++ b/skills/implementing-syslog-centralization-with-rsyslog/SKILL.md
@@ -1,16 +1,23 @@
 ---
 name: implementing-syslog-centralization-with-rsyslog
-description: >-
- Configure rsyslog for centralized log collection with TLS encryption, custom templates,
- and log rotation. Generates server and client configuration files with GnuTLS stream
- drivers, x509 certificate authentication, per-host log segregation, and reliable
- queue settings for high-availability syslog infrastructure.
+description: Configure rsyslog for centralized log collection with TLS encryption, custom templates, and log rotation. Generates
+ server and client configuration files with GnuTLS stream drivers, x509 certificate authentication, per-host log segregation,
+ and reliable queue settings for high-availability syslog infrastructure.
 domain: cybersecurity
 subdomain: security-operations
-tags: [implementing, syslog, centralization, with]
-version: "1.0"
+tags:
+- implementing
+- syslog
+- centralization
+- with
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
diff --git a/skills/implementing-taxii-server-with-opentaxii/SKILL.md b/skills/implementing-taxii-server-with-opentaxii/SKILL.md
index 7e167bf7..a98d9f26 100644
--- a/skills/implementing-taxii-server-with-opentaxii/SKILL.md
+++ b/skills/implementing-taxii-server-with-opentaxii/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: implementing-taxii-server-with-opentaxii
-description: Deploy and configure an OpenTAXII server to share and consume STIX-formatted cyber threat intelligence using the TAXII 2.1 protocol for automated indicator exchange between organizations.
+description: Deploy and configure an OpenTAXII server to share and consume STIX-formatted cyber threat intelligence using
+ the TAXII 2.1 protocol for automated indicator exchange between organizations.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [taxii, stix, opentaxii, threat-sharing, cti, indicator-exchange, taxii-server, automation]
-version: "1.0"
+tags:
+- taxii
+- stix
+- opentaxii
+- threat-sharing
+- cti
+- indicator-exchange
+- taxii-server
+- automation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Implementing TAXII Server with OpenTAXII
diff --git a/skills/implementing-threat-intelligence-lifecycle-management/SKILL.md b/skills/implementing-threat-intelligence-lifecycle-management/SKILL.md
index 1c9a5594..abc77130 100644
--- a/skills/implementing-threat-intelligence-lifecycle-management/SKILL.md
+++ b/skills/implementing-threat-intelligence-lifecycle-management/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: implementing-threat-intelligence-lifecycle-management
-description: Implement a structured threat intelligence lifecycle encompassing planning, collection, processing, analysis, dissemination, and feedback stages to produce actionable intelligence for organizational decision-making.
+description: Implement a structured threat intelligence lifecycle encompassing planning, collection, processing, analysis,
+ dissemination, and feedback stages to produce actionable intelligence for organizational decision-making.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, lifecycle, intelligence-cycle, collection, analysis, dissemination, strategic-intelligence, cti-program]
-version: "1.0"
+tags:
+- threat-intelligence
+- lifecycle
+- intelligence-cycle
+- collection
+- analysis
+- dissemination
+- strategic-intelligence
+- cti-program
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Implementing Threat Intelligence Lifecycle Management
diff --git a/skills/implementing-threat-modeling-with-mitre-attack/SKILL.md b/skills/implementing-threat-modeling-with-mitre-attack/SKILL.md
index 6af95ba9..bc110550 100644
--- a/skills/implementing-threat-modeling-with-mitre-attack/SKILL.md
+++ b/skills/implementing-threat-modeling-with-mitre-attack/SKILL.md
@@ -32,6 +32,11 @@ d3fend_techniques:
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Implementing Threat Modeling with MITRE ATT&CK
diff --git a/skills/implementing-ticketing-system-for-incidents/SKILL.md b/skills/implementing-ticketing-system-for-incidents/SKILL.md
index acc8c53b..bb8ba9a6 100644
--- a/skills/implementing-ticketing-system-for-incidents/SKILL.md
+++ b/skills/implementing-ticketing-system-for-incidents/SKILL.md
@@ -1,16 +1,29 @@
 ---
 name: implementing-ticketing-system-for-incidents
-description: >
- Implements an integrated incident ticketing system connecting SIEM alerts to ServiceNow, Jira,
- or TheHive for structured incident tracking, SLA management, escalation workflows, and compliance
- documentation. Use when SOC teams need formalized incident lifecycle management with automated
- ticket creation, assignment routing, and resolution tracking.
+description: 'Implements an integrated incident ticketing system connecting SIEM alerts to ServiceNow, Jira, or TheHive for
+ structured incident tracking, SLA management, escalation workflows, and compliance documentation. Use when SOC teams need
+ formalized incident lifecycle management with automated ticket creation, assignment routing, and resolution tracking.
+
+ '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, ticketing, servicenow, jira, thehive, incident-management, sla, workflow]
-version: "1.0"
+tags:
+- soc
+- ticketing
+- servicenow
+- jira
+- thehive
+- incident-management
+- sla
+- workflow
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Implementing Ticketing System for Incidents
diff --git a/skills/implementing-usb-device-control-policy/SKILL.md b/skills/implementing-usb-device-control-policy/SKILL.md
index 4187e2bd..6bacf5a8 100644
--- a/skills/implementing-usb-device-control-policy/SKILL.md
+++ b/skills/implementing-usb-device-control-policy/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: implementing-usb-device-control-policy
-description: >
- Implements USB device control policies to restrict unauthorized removable media access on
- endpoints, preventing data exfiltration and malware introduction via USB devices. Use when
- deploying device control via Group Policy, Intune, or EDR platforms to enforce USB restrictions.
- Activates for requests involving USB control, removable media policy, device control, or
- data loss prevention via USB.
+description: 'Implements USB device control policies to restrict unauthorized removable media access on endpoints, preventing
+ data exfiltration and malware introduction via USB devices. Use when deploying device control via Group Policy, Intune,
+ or EDR platforms to enforce USB restrictions. Activates for requests involving USB control, removable media policy, device
+ control, or data loss prevention via USB.
+
+ '
 domain: cybersecurity
 subdomain: endpoint-security
-tags: [endpoint, USB-control, device-control, data-loss-prevention, removable-media]
+tags:
+- endpoint
+- USB-control
+- device-control
+- data-loss-prevention
+- removable-media
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.PS-02
+- DE.CM-01
+- PR.IR-01
 ---
 # Implementing USB Device Control Policy
diff --git a/skills/implementing-velociraptor-for-ir-collection/SKILL.md b/skills/implementing-velociraptor-for-ir-collection/SKILL.md
index 9f939c2c..17d1f6f9 100644
--- a/skills/implementing-velociraptor-for-ir-collection/SKILL.md
+++ b/skills/implementing-velociraptor-for-ir-collection/SKILL.md
@@ -1,6 +1,10 @@ --- -{} ----tags: +name: implementing-velociraptor-for-ir-collection +description: Deploy and configure Velociraptor for scalable endpoint forensic artifact collection during incident response + using VQL queries, hunts, and pre-built artifact packs across Windows, Linux, and macOS environments. +domain: cybersecurity +subdomain: incident-response +tags: - velociraptor - dfir - endpoint-collection 
@@ -9,4 +13,289 @@ - rapid7 - threat-hunting - incident-response +mitre_attack: +- T1059 +- T1003 +- T1070 +- T1547 version: '1.0' +author: mahipal +license: Apache-2.0 +d3fend_techniques: +- Executable Denylisting +- Execution Isolation +- File Metadata Consistency Validation +- Content Format Conversion +- File Content Analysis +nist_csf: +- RS.MA-01 +- RS.MA-02 +- RS.AN-03 +- RC.RP-01 +--- + +# Implementing Velociraptor for IR Collection + +## Overview + +Velociraptor is an advanced open-source endpoint monitoring, digital forensics, and incident response platform developed by Rapid7. It uses the Velociraptor Query Language (VQL) to create custom artifacts that collect, query, and monitor almost any aspect of an endpoint. Velociraptor enables incident response teams to rapidly collect and examine forensic artifacts from across a network, supporting large-scale deployments with minimal performance impact. The client-server architecture with Fleetspeak communication enables real-time data collection from thousands of endpoints simultaneously, with offline endpoints picking up hunts when they reconnect. 
+ + +## When to Use + +- When deploying or configuring implementing velociraptor for ir collection capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with incident response concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + +## Architecture + +### Components +- **Velociraptor Server**: Central management console with web UI and API +- **Velociraptor Client (Agent)**: Lightweight agent deployed to endpoints +- **Fleetspeak**: Communication framework between client and server +- **VQL Engine**: Query language engine for artifact collection +- **Filestore**: Server-side storage for collected artifacts +- **Datastore**: Metadata storage for hunts, flows, and client information + +### Supported Platforms +- Windows (7+, Server 2008R2+) +- Linux (Debian, Ubuntu, CentOS, RHEL) +- macOS (10.13+) + +## Deployment + +### Server Installation +```bash +# Download latest release +wget https://github.com/Velocidex/velociraptor/releases/latest/download/velociraptor-linux-amd64 + +# Generate server configuration +./velociraptor-linux-amd64 config generate -i + +# Start the server +./velociraptor-linux-amd64 --config server.config.yaml frontend + +# Or run as systemd service +sudo cp velociraptor-linux-amd64 /usr/local/bin/velociraptor +sudo velociraptor --config /etc/velociraptor/server.config.yaml service install +``` + +### Client Deployment +```bash +# Repack client MSI for Windows deployment +velociraptor --config server.config.yaml config client > client.config.yaml +velociraptor config repack --msi velociraptor-windows-amd64.msi client.config.yaml output.msi + +# Deploy via Group Policy, SCCM, or Intune +# 
Client runs as a Windows service: "Velociraptor" + +# Linux client deployment +velociraptor --config client.config.yaml client -v + +# macOS client deployment +velociraptor --config client.config.yaml client -v +``` + +### Docker Deployment +```bash +docker run --name velociraptor \ + -v /opt/velociraptor:/velociraptor/data \ + -p 8000:8000 -p 8001:8001 -p 8889:8889 \ + velocidex/velociraptor +``` + +## Core IR Artifact Collection + +### Windows Forensic Artifacts + +```sql +-- Collect Windows Event Logs +SELECT * FROM Artifact.Windows.EventLogs.EvtxHunter( + EvtxGlob="C:/Windows/System32/winevt/Logs/*.evtx", + IDRegex="4624|4625|4648|4672|4688|4698|4769|7045" +) + +-- Collect Prefetch files for execution evidence +SELECT * FROM Artifact.Windows.Forensics.Prefetch() + +-- Collect Shimcache entries +SELECT * FROM Artifact.Windows.Registry.AppCompatCache() + +-- Collect Amcache entries +SELECT * FROM Artifact.Windows.Forensics.Amcache() + +-- Collect UserAssist data +SELECT * FROM Artifact.Windows.Forensics.UserAssist() + +-- Collect NTFS MFT timestamps +SELECT * FROM Artifact.Windows.NTFS.MFT( + MFTFilename="C:/$MFT", + FileRegex=".(exe|dll|ps1|bat|cmd)$" +) + +-- Collect scheduled tasks +SELECT * FROM Artifact.Windows.System.TaskScheduler() + +-- Collect running processes with hashes +SELECT * FROM Artifact.Windows.System.Pslist() + +-- Collect network connections +SELECT * FROM Artifact.Windows.Network.Netstat() + +-- Collect DNS cache +SELECT * FROM Artifact.Windows.Network.DNSCache() + +-- Collect browser history +SELECT * FROM Artifact.Windows.Applications.Chrome.History() + +-- Collect PowerShell history +SELECT * FROM Artifact.Windows.Forensics.PowerShellHistory() + +-- Collect autoruns/persistence +SELECT * FROM Artifact.Windows.Persistence.PermanentWMIEvents() +SELECT * FROM Artifact.Windows.System.Services() +SELECT * FROM Artifact.Windows.System.StartupItems() +``` + +### Linux Forensic Artifacts + +```sql +-- Collect auth logs +SELECT * FROM 
Artifact.Linux.Sys.AuthLogs() + +-- Collect bash history +SELECT * FROM Artifact.Linux.Forensics.BashHistory() + +-- Collect crontab entries +SELECT * FROM Artifact.Linux.Sys.Crontab() + +-- Collect running processes +SELECT * FROM Artifact.Linux.Sys.Pslist() + +-- Collect network connections +SELECT * FROM Artifact.Linux.Network.Netstat() + +-- Collect SSH authorized keys +SELECT * FROM Artifact.Linux.Ssh.AuthorizedKeys() + +-- Collect systemd services +SELECT * FROM Artifact.Linux.Services() +``` + +### Triage Collection (All-in-One) + +```sql +-- Windows Triage Collection artifact +-- Collects event logs, prefetch, registry, browser data, and more +SELECT * FROM Artifact.Windows.KapeFiles.Targets( + Device="C:", + _AllFiles=FALSE, + _EventLogs=TRUE, + _Prefetch=TRUE, + _RegistryHives=TRUE, + _WebBrowsers=TRUE, + _WindowsTimeline=TRUE +) +``` + +## Hunt Operations + +### Creating a Hunt +``` +1. Navigate to Hunt Manager in Velociraptor Web UI +2. Click "New Hunt" +3. Configure: + - Description: "IR Triage - Case 2025-001" + - Include/Exclude labels for targeting + - Artifact selection (e.g., Windows.Forensics.Prefetch) + - Resource limits (CPU, IOPS, timeout) +4. Launch hunt +5. 
Monitor progress in real-time +``` + +### VQL Hunt Examples + +```sql +-- Hunt for specific file hash across all endpoints +SELECT * FROM Artifact.Generic.Detection.HashHunter( + Hashes="e99a18c428cb38d5f260853678922e03" +) + +-- Hunt for YARA signatures in memory +SELECT * FROM Artifact.Windows.Detection.Yara.Process( + YaraRule='rule malware { strings: $s1 = "malicious_string" condition: $s1 }' +) + +-- Hunt for Sigma rule matches in event logs +SELECT * FROM Artifact.Server.Import.SigmaRules() + +-- Hunt for suspicious scheduled tasks +SELECT * FROM Artifact.Windows.System.TaskScheduler() +WHERE Command =~ "powershell|cmd|wscript|mshta|rundll32" + +-- Hunt for processes with network connections to suspicious IPs +SELECT * FROM Artifact.Windows.Network.Netstat() +WHERE RemoteAddr =~ "10\\.13\\.37\\." +``` + +## Real-Time Monitoring + +```sql +-- Monitor for new process creation +SELECT * FROM watch_etw(guid="{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}") +WHERE EventData.ImageName =~ "powershell|cmd|wscript" + +-- Monitor file system changes +SELECT * FROM watch_directory(path="C:/Windows/Temp/") + +-- Monitor registry changes +SELECT * FROM watch_registry(key="HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/**") +``` + +## Integration with SIEM/SOAR + +### Splunk Integration +``` +Velociraptor Server --> Elastic/OpenSearch --> Splunk HEC + --> Direct syslog forwarding + --> Velociraptor API --> Custom scripts --> Splunk +``` + +### Elastic Stack Integration +```yaml +# Velociraptor server config for Elastic output +Monitoring: + elastic: + addresses: + - https://elastic.local:9200 + username: velociraptor + password: secure_password + index: velociraptor +``` + +## MITRE ATT&CK Mapping + +| Technique | VQL Artifact | +|-----------|-------------| +| T1059 - Command Scripting | Windows.EventLogs.EvtxHunter (4104, 4688) | +| T1053 - Scheduled Task | Windows.System.TaskScheduler | +| T1547 - Boot/Logon Autostart | Windows.Persistence.PermanentWMIEvents | +| T1003 - OS 
Credential Dumping | Windows.Detection.Yara.Process | +| T1021 - Remote Services | Windows.EventLogs.EvtxHunter (4624 Type 3/10) | +| T1070 - Indicator Removal | Windows.EventLogs.Cleared | + +## References + +- [Velociraptor Official Documentation](https://docs.velociraptor.app/) +- [Rapid7 Velociraptor Product Page](https://www.rapid7.com/products/velociraptor/) +- [CISA Velociraptor Resource](https://www.cisa.gov/resources-tools/services/velociraptor) +- [Velociraptor GitHub Repository](https://github.com/Velocidex/velociraptor) +- [Pen Test Partners: Large-Scale Velociraptor](https://www.pentestpartners.com/security-blog/using-velociraptor-for-large-scale-endpoint-visibility-and-rapid-threat-hunting/) diff --git a/skills/implementing-vulnerability-management-with-greenbone/SKILL.md b/skills/implementing-vulnerability-management-with-greenbone/SKILL.md index 0aa10208..9afca65f 100644 --- a/skills/implementing-vulnerability-management-with-greenbone/SKILL.md +++ b/skills/implementing-vulnerability-management-with-greenbone/SKILL.md 
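Review bot: The Elastic output block under "Integration with SIEM/SOAR" puts a literal credential, `password: secure_password`, into `server.config.yaml`, and the "Server Installation" steps fetch `velociraptor-linux-amd64` from `releases/latest` and immediately run it and register it as a root service with no checksum or signature check on the download. Because this page is the procedure a responder will copy to stand up an agent that is then pushed fleet-wide via GPO/Intune with SYSTEM/root rights, it should pin a release and verify the binary against the project's published checksum or signature before `service install`, and the Elastic credential should be a placeholder that points at a secret store (for example `password: <from-secret-store>  # never commit a literal`). The `docker run` line also publishes 8000/8001/8889 on every interface; binding the GUI to loopback (`-p 127.0.0.1:8889:8889`) behind TLS/SSO is the safer default to show. The front matter's `d3fend_techniques` entries (`Executable Denylisting`, `Execution Isolation`) do not obviously describe what a VQL collection hunt does, so they look worth re-checking, though that is a metadata concern rather than a defect in the procedure.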
@@ -1,12 +1,25 @@
 ---
 name: implementing-vulnerability-management-with-greenbone
-description: Deploy and operate Greenbone/OpenVAS vulnerability management using the python-gvm library to create scan targets, execute vulnerability scans, and parse scan reports via GMP protocol.
+description: Deploy and operate Greenbone/OpenVAS vulnerability management using the python-gvm library to create scan targets,
+ execute vulnerability scans, and parse scan reports via GMP protocol.
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [openvas, greenbone, vulnerability-scanning, gmp, python-gvm, vulnerability-management, compliance]
-version: "1.0"
+tags:
+- openvas
+- greenbone
+- vulnerability-scanning
+- gmp
+- python-gvm
+- vulnerability-management
+- compliance
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 # Implementing Vulnerability Management with Greenbone
diff --git a/skills/implementing-vulnerability-remediation-sla/SKILL.md b/skills/implementing-vulnerability-remediation-sla/SKILL.md
index 1f0ed3b5..f370ccdf 100644
--- a/skills/implementing-vulnerability-remediation-sla/SKILL.md
+++ b/skills/implementing-vulnerability-remediation-sla/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: implementing-vulnerability-remediation-sla
-description: Vulnerability remediation SLAs define mandatory timeframes for patching or mitigating identified vulnerabilities based on severity, asset criticality, and exploit availability. Effective SLA programs
+description: Vulnerability remediation SLAs define mandatory timeframes for patching or mitigating identified vulnerabilities
+ based on severity, asset criticality, and exploit availability. Effective SLA programs
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [vulnerability-management, cve, sla, remediation, patch-management, risk]
-version: "1.0"
+tags:
+- vulnerability-management
+- cve
+- sla
+- remediation
+- patch-management
+- risk
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 # Implementing Vulnerability Remediation SLA
diff --git a/skills/implementing-vulnerability-sla-breach-alerting/SKILL.md b/skills/implementing-vulnerability-sla-breach-alerting/SKILL.md
index 9e52d94d..8eb42597 100644
--- a/skills/implementing-vulnerability-sla-breach-alerting/SKILL.md
+++ b/skills/implementing-vulnerability-sla-breach-alerting/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-vulnerability-sla-breach-alerting
-description: Build automated alerting for vulnerability remediation SLA breaches with severity-based timelines, escalation workflows, and compliance reporting dashboards.
+description: Build automated alerting for vulnerability remediation SLA breaches with severity-based timelines, escalation
+ workflows, and compliance reporting dashboards.
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [vulnerability-sla, remediation-tracking, alerting, compliance, sla-breach, vulnerability-management, escalation]
-version: "1.0"
+tags:
+- vulnerability-sla
+- remediation-tracking
+- alerting
+- compliance
+- sla-breach
+- vulnerability-management
+- escalation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 # Implementing Vulnerability SLA Breach Alerting
diff --git a/skills/implementing-web-application-logging-with-modsecurity/SKILL.md b/skills/implementing-web-application-logging-with-modsecurity/SKILL.md
index a9c4ceca..44b7c500 100644
--- a/skills/implementing-web-application-logging-with-modsecurity/SKILL.md
+++ b/skills/implementing-web-application-logging-with-modsecurity/SKILL.md
@@ -28,6 +28,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Implementing Web Application Logging with ModSecurity
diff --git a/skills/implementing-zero-knowledge-proof-for-authentication/SKILL.md b/skills/implementing-zero-knowledge-proof-for-authentication/SKILL.md
index 1e3939ed..6244989c 100644
--- a/skills/implementing-zero-knowledge-proof-for-authentication/SKILL.md
+++ b/skills/implementing-zero-knowledge-proof-for-authentication/SKILL.md
@@ -1,12 +1,22 @@
 ---
 name: implementing-zero-knowledge-proof-for-authentication
-description: Zero-Knowledge Proofs (ZKPs) allow a prover to demonstrate knowledge of a secret (such as a password or private key) without revealing the secret itself. This skill implements the Schnorr identificati
+description: Zero-Knowledge Proofs (ZKPs) allow a prover to demonstrate knowledge of a secret (such as a password or private
+ key) without revealing the secret itself. This skill implements the Schnorr identificati
 domain: cybersecurity
 subdomain: cryptography
-tags: [cryptography, zero-knowledge-proof, authentication, privacy, zkp]
-version: "1.0"
+tags:
+- cryptography
+- zero-knowledge-proof
+- authentication
+- privacy
+- zkp
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- PR.DS-10
 ---
 
 # Implementing Zero-Knowledge Proof for Authentication
diff --git a/skills/implementing-zero-standing-privilege-with-cyberark/SKILL.md b/skills/implementing-zero-standing-privilege-with-cyberark/SKILL.md
index 52efde98..17050ace 100644
--- a/skills/implementing-zero-standing-privilege-with-cyberark/SKILL.md
+++ b/skills/implementing-zero-standing-privilege-with-cyberark/SKILL.md
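Review bot: The new `nist_csf` list for this authentication skill carries only data-security subcategories (PR.DS-01, PR.DS-02, PR.DS-10) and nothing from PR.AA, although the description is about proving knowledge of a secret in order to authenticate. PR.AA-03 (users, services and hardware are authenticated) looks like the closest fit, and PR.DS-02 (data-in-transit) reads as copied from a different skill rather than chosen for this one. Adding `- PR.AA-03` and reconsidering PR.DS-02 would make the mapping match the content; if the IDs are generated from a subdomain lookup table, the cryptography entry is what needs adjusting.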
@@ -1,12 +1,24 @@
 ---
 name: implementing-zero-standing-privilege-with-cyberark
-description: Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
+description: Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using
+ just-in-time access with time, entitlement, and approval controls.
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [cyberark, zero-standing-privilege, jit-access, pam, cloud-security, least-privilege]
-version: "1.0"
+tags:
+- cyberark
+- zero-standing-privilege
+- jit-access
+- pam
+- cloud-security
+- least-privilege
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Implementing Zero Standing Privilege with CyberArk
diff --git a/skills/implementing-zero-trust-dns-with-nextdns/SKILL.md b/skills/implementing-zero-trust-dns-with-nextdns/SKILL.md
index 4eeab2b1..8d79bada 100644
--- a/skills/implementing-zero-trust-dns-with-nextdns/SKILL.md
+++ b/skills/implementing-zero-trust-dns-with-nextdns/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: implementing-zero-trust-dns-with-nextdns
-description: Implement NextDNS as a zero trust DNS filtering layer with encrypted resolution, threat intelligence blocking, privacy protection, and organizational policy enforcement across all endpoints.
+description: Implement NextDNS as a zero trust DNS filtering layer with encrypted resolution, threat intelligence blocking,
+ privacy protection, and organizational policy enforcement across all endpoints.
 domain: cybersecurity
 subdomain: zero-trust-architecture
-tags: [zero-trust, dns, nextdns, dns-over-https, dns-over-tls, threat-blocking, dns-filtering, privacy, encrypted-dns]
-version: "1.0"
+tags:
+- zero-trust
+- dns
+- nextdns
+- dns-over-https
+- dns-over-tls
+- threat-blocking
+- dns-filtering
+- privacy
+- encrypted-dns
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 
 # Implementing Zero Trust DNS with NextDNS
diff --git a/skills/implementing-zero-trust-for-saas-applications/SKILL.md b/skills/implementing-zero-trust-for-saas-applications/SKILL.md
index 7fbe6a9b..42e08bf8 100644
--- a/skills/implementing-zero-trust-for-saas-applications/SKILL.md
+++ b/skills/implementing-zero-trust-for-saas-applications/SKILL.md
@@ -1,15 +1,28 @@
 ---
 name: implementing-zero-trust-for-saas-applications
-description: >
- Implementing zero trust access controls for SaaS applications using CASB, SSPM,
- conditional access policies, OAuth app governance, and session controls to enforce
- identity verification, device compliance, and data protection for cloud-hosted services.
+description: 'Implementing zero trust access controls for SaaS applications using CASB, SSPM, conditional access policies,
+ OAuth app governance, and session controls to enforce identity verification, device compliance, and data protection for
+ cloud-hosted services.
+
+ '
 domain: cybersecurity
 subdomain: zero-trust-architecture
-tags: [zero-trust, saas-security, casb, sspm, conditional-access, oauth-governance, session-controls]
-version: "1.0"
+tags:
+- zero-trust
+- saas-security
+- casb
+- sspm
+- conditional-access
+- oauth-governance
+- session-controls
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 
 # Implementing Zero Trust for SaaS Applications
diff --git a/skills/implementing-zero-trust-in-cloud/SKILL.md b/skills/implementing-zero-trust-in-cloud/SKILL.md
index b9b8f5fe..ce26d55a 100644
--- a/skills/implementing-zero-trust-in-cloud/SKILL.md
+++ b/skills/implementing-zero-trust-in-cloud/SKILL.md
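Review bot: Converting the `>` folded scalar to a single-quoted scalar preserved the folded block's trailing newline, which is why the new description ends with an empty line and a lone `'` — the stored value now carries a trailing line break, while the plain-scalar descriptions elsewhere in this commit do not. The same tail appears in the zero-trust-in-cloud, zero-trust-network-access, DAST, SAST, Burp Suite, insider-threat, phishing, Okta, intelligence-lifecycle and Modbus hunks. Stripping the value before dumping, or keeping the readable block form as `description: >-`, would end the field at `+ cloud-hosted services.'` with no blank line. Also visible across the same hunks: `version: '1.0'` and unquoted `version: 1.0.0` are both in use, which is worth normalizing in a follow-up so the field has one type.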
@@ -1,17 +1,27 @@
 ---
 name: implementing-zero-trust-in-cloud
-description: >
- This skill guides organizations through implementing zero trust architecture in cloud
- environments following NIST SP 800-207 and Google BeyondCorp principles. It covers
- identity-centric access controls, micro-segmentation, continuous verification, device
- trust assessment, and deploying Identity-Aware Proxy to eliminate implicit network
- trust in AWS, Azure, and GCP environments.
+description: 'This skill guides organizations through implementing zero trust architecture in cloud environments following
+ NIST SP 800-207 and Google BeyondCorp principles. It covers identity-centric access controls, micro-segmentation, continuous
+ verification, device trust assessment, and deploying Identity-Aware Proxy to eliminate implicit network trust in AWS, Azure,
+ and GCP environments.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [zero-trust, beyondcorp, identity-aware-proxy, micro-segmentation, continuous-verification]
+tags:
+- zero-trust
+- beyondcorp
+- identity-aware-proxy
+- micro-segmentation
+- continuous-verification
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Implementing Zero Trust in Cloud
diff --git a/skills/implementing-zero-trust-network-access-with-zscaler/SKILL.md b/skills/implementing-zero-trust-network-access-with-zscaler/SKILL.md
index 3ecca55c..8ef77342 100644
--- a/skills/implementing-zero-trust-network-access-with-zscaler/SKILL.md
+++ b/skills/implementing-zero-trust-network-access-with-zscaler/SKILL.md
@@ -1,12 +1,23 @@
 ---
 name: implementing-zero-trust-network-access-with-zscaler
-description: Implement Zero Trust Network Access using Zscaler Private Access (ZPA) to replace traditional VPN with identity-based, context-aware access to private applications through the Zscaler Zero Trust Exchange.
+description: Implement Zero Trust Network Access using Zscaler Private Access (ZPA) to replace traditional VPN with identity-based,
+ context-aware access to private applications through the Zscaler Zero Trust Exchange.
 domain: cybersecurity
 subdomain: zero-trust-architecture
-tags: [zero-trust, ztna, zscaler, network-access, vpn-replacement]
-version: "1.0"
+tags:
+- zero-trust
+- ztna
+- zscaler
+- network-access
+- vpn-replacement
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 
 # Implementing Zero Trust Network Access with Zscaler
diff --git a/skills/implementing-zero-trust-network-access/SKILL.md b/skills/implementing-zero-trust-network-access/SKILL.md
index 0e732573..0cd7ae39 100644
--- a/skills/implementing-zero-trust-network-access/SKILL.md
+++ b/skills/implementing-zero-trust-network-access/SKILL.md
@@ -1,16 +1,27 @@
 ---
 name: implementing-zero-trust-network-access
-description: >
- Implementing Zero Trust Network Access (ZTNA) in cloud environments by configuring
- identity-aware proxies, micro-segmentation, continuous verification with conditional
- access policies, and replacing traditional VPN-based access with BeyondCorp-style
+description: 'Implementing Zero Trust Network Access (ZTNA) in cloud environments by configuring identity-aware proxies, micro-segmentation,
+ continuous verification with conditional access policies, and replacing traditional VPN-based access with BeyondCorp-style
 architectures across AWS, Azure, and GCP.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, zero-trust, ztna, beyondcorp, identity-aware-proxy, micro-segmentation]
-version: "1.0"
+tags:
+- cloud-security
+- zero-trust
+- ztna
+- beyondcorp
+- identity-aware-proxy
+- micro-segmentation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Implementing Zero Trust Network Access
diff --git a/skills/implementing-zero-trust-with-beyondcorp/SKILL.md b/skills/implementing-zero-trust-with-beyondcorp/SKILL.md
index 53815532..8fb0c075 100644
--- a/skills/implementing-zero-trust-with-beyondcorp/SKILL.md
+++ b/skills/implementing-zero-trust-with-beyondcorp/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: implementing-zero-trust-with-beyondcorp
-description: Deploy Google BeyondCorp Enterprise zero trust access controls using Identity-Aware Proxy (IAP), context-aware access policies, device trust validation, and Access Context Manager to enforce identity and posture-based access to GCP resources and internal applications.
+description: Deploy Google BeyondCorp Enterprise zero trust access controls using Identity-Aware Proxy (IAP), context-aware
+ access policies, device trust validation, and Access Context Manager to enforce identity and posture-based access to GCP
+ resources and internal applications.
 domain: cybersecurity
 subdomain: zero-trust
-tags: [zero-trust, beyondcorp, google-cloud, iap, context-aware-access, device-trust, identity]
-version: "1.0"
+tags:
+- zero-trust
+- beyondcorp
+- google-cloud
+- iap
+- context-aware-access
+- device-trust
+- identity
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
 ---
 
 # Implementing Zero Trust with BeyondCorp
diff --git a/skills/implementing-zero-trust-with-hashicorp-boundary/SKILL.md b/skills/implementing-zero-trust-with-hashicorp-boundary/SKILL.md
index 69550cf9..41bbe662 100644
--- a/skills/implementing-zero-trust-with-hashicorp-boundary/SKILL.md
+++ b/skills/implementing-zero-trust-with-hashicorp-boundary/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: implementing-zero-trust-with-hashicorp-boundary
-description: Implement HashiCorp Boundary for identity-aware zero trust infrastructure access management with dynamic credential brokering, session recording, and Vault integration.
+description: Implement HashiCorp Boundary for identity-aware zero trust infrastructure access management with dynamic credential
+ brokering, session recording, and Vault integration.
 domain: cybersecurity
 subdomain: zero-trust-architecture
-tags: [zero-trust, hashicorp, boundary, privileged-access, vault, identity-aware-proxy, session-recording, just-in-time-access]
-version: "1.0"
+tags:
+- zero-trust
+- hashicorp
+- boundary
+- privileged-access
+- vault
+- identity-aware-proxy
+- session-recording
+- just-in-time-access
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.IR-01
+- GV.PO-01
 ---
 
 # Implementing Zero Trust with HashiCorp Boundary
diff --git a/skills/integrating-dast-with-owasp-zap-in-pipeline/SKILL.md b/skills/integrating-dast-with-owasp-zap-in-pipeline/SKILL.md
index 979619bb..f5701d9d 100644
--- a/skills/integrating-dast-with-owasp-zap-in-pipeline/SKILL.md
+++ b/skills/integrating-dast-with-owasp-zap-in-pipeline/SKILL.md
@@ -1,16 +1,27 @@
 ---
 name: integrating-dast-with-owasp-zap-in-pipeline
-description: >
- This skill covers integrating OWASP ZAP (Zed Attack Proxy) for Dynamic Application
- Security Testing in CI/CD pipelines. It addresses configuring baseline, full, and API
- scans against running applications, interpreting ZAP findings, tuning scan policies,
- and establishing DAST quality gates in GitHub Actions and GitLab CI.
+description: 'This skill covers integrating OWASP ZAP (Zed Attack Proxy) for Dynamic Application Security Testing in CI/CD
+ pipelines. It addresses configuring baseline, full, and API scans against running applications, interpreting ZAP findings,
+ tuning scan policies, and establishing DAST quality gates in GitHub Actions and GitLab CI.
+
+ '
 domain: cybersecurity
 subdomain: devsecops
-tags: [devsecops, cicd, dast, owasp-zap, dynamic-testing, secure-sdlc]
+tags:
+- devsecops
+- cicd
+- dast
+- owasp-zap
+- dynamic-testing
+- secure-sdlc
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- GV.SC-07
+- ID.IM-04
+- PR.PS-04
 ---
 
 # Integrating DAST with OWASP ZAP in Pipeline
diff --git a/skills/integrating-sast-into-github-actions-pipeline/SKILL.md b/skills/integrating-sast-into-github-actions-pipeline/SKILL.md
index e089f237..739c6a29 100644
--- a/skills/integrating-sast-into-github-actions-pipeline/SKILL.md
+++ b/skills/integrating-sast-into-github-actions-pipeline/SKILL.md
@@ -1,17 +1,28 @@
 ---
 name: integrating-sast-into-github-actions-pipeline
-description: >
- This skill covers integrating Static Application Security Testing (SAST) tools—CodeQL
- and Semgrep—into GitHub Actions CI/CD pipelines. It addresses configuring automated code
- scanning on pull requests and pushes, tuning rules to reduce false positives, uploading
- SARIF results to GitHub Advanced Security, and establishing quality gates that block merges
- when high-severity vulnerabilities are detected.
+description: 'This skill covers integrating Static Application Security Testing (SAST) tools—CodeQL and Semgrep—into GitHub
+ Actions CI/CD pipelines. It addresses configuring automated code scanning on pull requests and pushes, tuning rules to reduce
+ false positives, uploading SARIF results to GitHub Advanced Security, and establishing quality gates that block merges when
+ high-severity vulnerabilities are detected.
+
+ '
 domain: cybersecurity
 subdomain: devsecops
-tags: [devsecops, cicd, sast, codeql, semgrep, secure-sdlc]
+tags:
+- devsecops
+- cicd
+- sast
+- codeql
+- semgrep
+- secure-sdlc
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- GV.SC-07
+- ID.IM-04
+- PR.PS-04
 ---
 
 # Integrating SAST into GitHub Actions Pipeline
diff --git a/skills/intercepting-mobile-traffic-with-burpsuite/SKILL.md b/skills/intercepting-mobile-traffic-with-burpsuite/SKILL.md
index 73c3eefc..1cf93467 100644
--- a/skills/intercepting-mobile-traffic-with-burpsuite/SKILL.md
+++ b/skills/intercepting-mobile-traffic-with-burpsuite/SKILL.md
@@ -1,17 +1,28 @@
 ---
 name: intercepting-mobile-traffic-with-burpsuite
-description: >
- Intercepts and analyzes HTTP/HTTPS traffic from mobile applications using Burp Suite proxy to
- identify insecure API communications, authentication flaws, data leakage, and server-side
- vulnerabilities. Use when performing mobile application penetration testing, assessing API security,
- or evaluating client-server communication patterns. Activates for requests involving mobile traffic
- interception, Burp Suite mobile proxy, API security testing, or mobile HTTPS analysis.
+description: 'Intercepts and analyzes HTTP/HTTPS traffic from mobile applications using Burp Suite proxy to identify insecure
+ API communications, authentication flaws, data leakage, and server-side vulnerabilities. Use when performing mobile application
+ penetration testing, assessing API security, or evaluating client-server communication patterns. Activates for requests
+ involving mobile traffic interception, Burp Suite mobile proxy, API security testing, or mobile HTTPS analysis.
+
+ '
 domain: cybersecurity
 subdomain: mobile-security
 author: mahipal
-tags: [mobile-security, android, ios, burp-suite, traffic-interception, penetration-testing]
+tags:
+- mobile-security
+- android
+- ios
+- burp-suite
+- traffic-interception
+- penetration-testing
 version: 1.0.0
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.AA-05
+- ID.RA-01
+- DE.CM-09
 ---
 
 # Intercepting Mobile Traffic with Burp Suite
diff --git a/skills/investigating-insider-threat-indicators/SKILL.md b/skills/investigating-insider-threat-indicators/SKILL.md
index 0b86d8d2..73d272db 100644
--- a/skills/investigating-insider-threat-indicators/SKILL.md
+++ b/skills/investigating-insider-threat-indicators/SKILL.md
@@ -1,16 +1,29 @@
 ---
 name: investigating-insider-threat-indicators
-description: >
- Investigates insider threat indicators including data exfiltration attempts, unauthorized access
- patterns, policy violations, and pre-departure behaviors using SIEM analytics, DLP alerts, and
- HR data correlation. Use when SOC teams receive insider threat referrals from HR, detect anomalous
- data movement by employees, or need to build investigation timelines for potential insider threats.
+description: 'Investigates insider threat indicators including data exfiltration attempts, unauthorized access patterns, policy
+ violations, and pre-departure behaviors using SIEM analytics, DLP alerts, and HR data correlation. Use when SOC teams receive
+ insider threat referrals from HR, detect anomalous data movement by employees, or need to build investigation timelines
+ for potential insider threats.
+
+ '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, insider-threat, data-exfiltration, dlp, ueba, investigation, hr-correlation]
-version: "1.0"
+tags:
+- soc
+- insider-threat
+- data-exfiltration
+- dlp
+- ueba
+- investigation
+- hr-correlation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 
 # Investigating Insider Threat Indicators
diff --git a/skills/investigating-phishing-email-incident/SKILL.md b/skills/investigating-phishing-email-incident/SKILL.md
index 6950fb49..3d088ca4 100644
--- a/skills/investigating-phishing-email-incident/SKILL.md
+++ b/skills/investigating-phishing-email-incident/SKILL.md
@@ -1,17 +1,33 @@
 ---
 name: investigating-phishing-email-incident
-description: >
- Investigates phishing email incidents from initial user report through header analysis, URL/attachment
- detonation, impacted user identification, and containment actions using SOC tools like Splunk,
- Microsoft Defender, and sandbox analysis platforms. Use when a reported phishing email requires
- full incident investigation to determine scope and impact.
+description: 'Investigates phishing email incidents from initial user report through header analysis, URL/attachment detonation,
+ impacted user identification, and containment actions using SOC tools like Splunk, Microsoft Defender, and sandbox analysis
+ platforms. Use when a reported phishing email requires full incident investigation to determine scope and impact.
+
+ '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, phishing, incident-response, email-security, splunk, defender, sandbox]
-mitre_attack: ["T1566.001", "T1566.002", "T1204.001", "T1598.003"]
-version: "1.0"
+tags:
+- soc
+- phishing
+- incident-response
+- email-security
+- splunk
+- defender
+- sandbox
+mitre_attack:
+- T1566.001
+- T1566.002
+- T1204.001
+- T1598.003
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 
 # Investigating Phishing Email Incident
diff --git a/skills/investigating-ransomware-attack-artifacts/SKILL.md b/skills/investigating-ransomware-attack-artifacts/SKILL.md
index 74f4f223..92655ab3 100644
--- a/skills/investigating-ransomware-attack-artifacts/SKILL.md
+++ b/skills/investigating-ransomware-attack-artifacts/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: investigating-ransomware-attack-artifacts
-description: Identify, collect, and analyze ransomware attack artifacts to determine the variant, initial access vector, encryption scope, and recovery options.
+description: Identify, collect, and analyze ransomware attack artifacts to determine the variant, initial access vector, encryption
+ scope, and recovery options.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, ransomware, malware-analysis, incident-response, encryption-recovery, evidence-collection]
-version: "1.0"
+tags:
+- forensics
+- ransomware
+- malware-analysis
+- incident-response
+- encryption-recovery
+- evidence-collection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 
 # Investigating Ransomware Attack Artifacts
diff --git a/skills/managing-cloud-identity-with-okta/SKILL.md b/skills/managing-cloud-identity-with-okta/SKILL.md
index 9d5f0ef5..90af5c52 100644
--- a/skills/managing-cloud-identity-with-okta/SKILL.md
+++ b/skills/managing-cloud-identity-with-okta/SKILL.md
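Review bot: `RS.AN-01` in the new `nist_csf` list does not appear to be a live CSF 2.0 subcategory — in the 2.0 restructuring RS.AN-01 (investigating notifications from detection systems) was withdrawn and its content moved to DE.AE-06 — while the other three IDs here (RS.AN-03, DE.AE-02, RS.MA-01) use 2.0 notation, so the list mixes framework versions. If CSF 2.0 is the intended target for the whole repository, replace the entry with `- DE.AE-06` or drop it; if 1.1 was intended, a version marker on the field is needed so consumers know how to resolve the IDs. Worth confirming against the published 2.0 core before merging, since any tooling that validates these mappings will flag the ID.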
@@ -1,17 +1,26 @@
 ---
 name: managing-cloud-identity-with-okta
-description: >
- This skill covers implementing Okta as a centralized identity provider for cloud
- environments, configuring SSO integration with AWS, Azure, and GCP, deploying phishing-
- resistant MFA with Okta FastPass, managing lifecycle automation for user provisioning
- and deprovisioning, and enforcing adaptive access policies based on device posture
- and risk signals.
+description: 'This skill covers implementing Okta as a centralized identity provider for cloud environments, configuring SSO
+ integration with AWS, Azure, and GCP, deploying phishing- resistant MFA with Okta FastPass, managing lifecycle automation
+ for user provisioning and deprovisioning, and enforcing adaptive access policies based on device posture and risk signals.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [okta, cloud-identity, single-sign-on, phishing-resistant-mfa, identity-lifecycle]
+tags:
+- okta
+- cloud-identity
+- single-sign-on
+- phishing-resistant-mfa
+- identity-lifecycle
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Managing Cloud Identity with Okta
diff --git a/skills/managing-intelligence-lifecycle/SKILL.md b/skills/managing-intelligence-lifecycle/SKILL.md
index c554e185..2a685c23 100644
--- a/skills/managing-intelligence-lifecycle/SKILL.md
+++ b/skills/managing-intelligence-lifecycle/SKILL.md
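Review bot: The rewrapped description now contains `phishing- resistant MFA` with a space after the hyphen: the old `>` block broke the line at `phishing-`, folding turned that line break into a space, and the conversion to a quoted scalar froze the result into the value. The second line should read `+ integration with AWS, Azure, and GCP, deploying phishing-resistant MFA with Okta FastPass, managing lifecycle automation` (the generator will rewrap, so the exact break point may shift). Separately, the `nist_csf` list (PR.IR-01, ID.AM-08, GV.SC-06, DE.CM-01) is identical to the zero-trust-in-cloud and zero-trust-network-access hunks and has no PR.AA entry, which suggests the IDs were assigned per subdomain rather than per skill; an identity-provider skill covering SSO, MFA and lifecycle management would be expected to map to PR.AA-01 through PR.AA-03 at least.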
@@ -1,18 +1,29 @@
 ---
 name: managing-intelligence-lifecycle
-description: >
- Manages the end-to-end cyber threat intelligence lifecycle from planning and direction through
- collection, processing, analysis, dissemination, and feedback to ensure intelligence products
- meet stakeholder requirements and continuously improve. Use when establishing or maturing a CTI
- program, defining intelligence requirements with business stakeholders, or building feedback loops
- between intelligence consumers and producers. Activates for requests involving CTI program
- maturity, intelligence requirements, PIRs, or intelligence lifecycle management.
+description: 'Manages the end-to-end cyber threat intelligence lifecycle from planning and direction through collection, processing,
+ analysis, dissemination, and feedback to ensure intelligence products meet stakeholder requirements and continuously improve.
+ Use when establishing or maturing a CTI program, defining intelligence requirements with business stakeholders, or building
+ feedback loops between intelligence consumers and producers. Activates for requests involving CTI program maturity, intelligence
+ requirements, PIRs, or intelligence lifecycle management.
+
+ '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [CTI, intelligence-lifecycle, PIR, NIST-SP-800-150, threat-intelligence-program, NIST-CSF]
+tags:
+- CTI
+- intelligence-lifecycle
+- PIR
+- NIST-SP-800-150
+- threat-intelligence-program
+- NIST-CSF
 version: 1.0.0
 author: team-cybersecurity
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Managing Intelligence Lifecycle
diff --git a/skills/mapping-mitre-attack-techniques/SKILL.md b/skills/mapping-mitre-attack-techniques/SKILL.md
index 21d2b117..e4f7588a 100644
--- a/skills/mapping-mitre-attack-techniques/SKILL.md
+++ b/skills/mapping-mitre-attack-techniques/SKILL.md
@@ -33,6 +33,11 @@ d3fend_techniques:
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Mapping MITRE ATT&CK Techniques
diff --git a/skills/monitoring-darkweb-sources/SKILL.md b/skills/monitoring-darkweb-sources/SKILL.md
index 57486edd..420ee163 100644
--- a/skills/monitoring-darkweb-sources/SKILL.md
+++ b/skills/monitoring-darkweb-sources/SKILL.md
@@ -28,6 +28,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Monitoring Dark Web Sources
diff --git a/skills/monitoring-scada-modbus-traffic-anomalies/SKILL.md b/skills/monitoring-scada-modbus-traffic-anomalies/SKILL.md
index 50f6ec76..b90e261b 100644
--- a/skills/monitoring-scada-modbus-traffic-anomalies/SKILL.md
+++ b/skills/monitoring-scada-modbus-traffic-anomalies/SKILL.md
@@ -1,19 +1,29 @@
 ---
 name: monitoring-scada-modbus-traffic-anomalies
-description: >
- Monitors Modbus TCP traffic on SCADA and ICS networks to detect anomalous function code usage,
- unauthorized register writes, and suspicious communication patterns. The analyst uses deep packet
- inspection with pymodbus, Scapy, and Zeek to baseline normal PLC/RTU communication behavior, then
- applies statistical and rule-based anomaly detection to identify reconnaissance, parameter
- manipulation, and denial-of-service attacks targeting Modbus devices on port 502. Activates for
- requests involving Modbus traffic analysis, SCADA network monitoring, ICS anomaly detection,
- PLC security monitoring, or OT network threat detection.
+description: 'Monitors Modbus TCP traffic on SCADA and ICS networks to detect anomalous function code usage, unauthorized
+ register writes, and suspicious communication patterns. The analyst uses deep packet inspection with pymodbus, Scapy, and
+ Zeek to baseline normal PLC/RTU communication behavior, then applies statistical and rule-based anomaly detection to identify
+ reconnaissance, parameter manipulation, and denial-of-service attacks targeting Modbus devices on port 502. Activates for
+ requests involving Modbus traffic analysis, SCADA network monitoring, ICS anomaly detection, PLC security monitoring, or
+ OT network threat detection.
+
+ '
 domain: cybersecurity
 subdomain: ot-security
-tags: [Modbus-TCP, SCADA, ICS-security, deep-packet-inspection, anomaly-detection, OT-monitoring]
+tags:
+- Modbus-TCP
+- SCADA
+- ICS-security
+- deep-packet-inspection
+- anomaly-detection
+- OT-monitoring
 version: 1.0.0
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
 ---
 
 # Monitoring SCADA Modbus Traffic Anomalies
diff --git a/skills/performing-access-recertification-with-saviynt/SKILL.md b/skills/performing-access-recertification-with-saviynt/SKILL.md
index 7bff135f..c2b29c07 100644
--- a/skills/performing-access-recertification-with-saviynt/SKILL.md
+++ b/skills/performing-access-recertification-with-saviynt/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: performing-access-recertification-with-saviynt
-description: Configure and execute access recertification campaigns in Saviynt Enterprise Identity Cloud to validate user entitlements, revoke excessive access, and maintain compliance with SOX, SOC2, and HIPAA.
+description: Configure and execute access recertification campaigns in Saviynt Enterprise Identity Cloud to validate user
+ entitlements, revoke excessive access, and maintain compliance with SOX, SOC2, and HIPAA.
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [saviynt, access-recertification, identity-governance, compliance, certification-campaign, iga]
-version: "1.0"
+tags:
+- saviynt
+- access-recertification
+- identity-governance
+- compliance
+- certification-campaign
+- iga
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Performing Access Recertification with Saviynt
diff --git a/skills/performing-access-review-and-certification/SKILL.md b/skills/performing-access-review-and-certification/SKILL.md
index 237ce618..5b5c982b 100644
--- a/skills/performing-access-review-and-certification/SKILL.md
+++ b/skills/performing-access-review-and-certification/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-access-review-and-certification
-description: Conduct systematic access reviews and certifications to ensure users have appropriate access rights aligned with their roles. This skill covers review campaign design, reviewer selection, risk-based p
+description: Conduct systematic access reviews and certifications to ensure users have appropriate access rights aligned with
+ their roles. This skill covers review campaign design, reviewer selection, risk-based p
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [iam, identity, access-control, access-review, certification, compliance, governance]
-version: "1.0"
+tags:
+- iam
+- identity
+- access-control
+- access-review
+- certification
+- compliance
+- governance
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Performing Access Review and Certification
diff --git a/skills/performing-active-directory-bloodhound-analysis/SKILL.md b/skills/performing-active-directory-bloodhound-analysis/SKILL.md
index 2edfaebf..34fd6d82 100644
--- a/skills/performing-active-directory-bloodhound-analysis/SKILL.md
+++ b/skills/performing-active-directory-bloodhound-analysis/SKILL.md
@@ -21,6 +21,10 @@ d3fend_techniques:
 - Biometric Authentication
 - Strong Password Policy
 - Restore User Account Access
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Performing Active Directory BloodHound Analysis
diff --git a/skills/performing-active-directory-compromise-investigation/SKILL.md b/skills/performing-active-directory-compromise-investigation/SKILL.md
index 80e8236a..edef0d40 100644
--- a/skills/performing-active-directory-compromise-investigation/SKILL.md
+++ b/skills/performing-active-directory-compromise-investigation/SKILL.md
@@ -1,6 +1,10 @@
 ---
-{}
----tags:
+name: performing-active-directory-compromise-investigation
+description: Investigate Active Directory compromise by analyzing authentication logs, replication metadata, Group Policy
+ changes, and Kerberos ticket anomalies to identify attacker persistence and lateral movement paths.
+domain: cybersecurity
+subdomain: incident-response
+tags:
 - active-directory
 - compromise-investigation
 - identity-forensics
@@ -9,4 +13,197 @@
 - dfir
 - ntds-dit
 - golden-ticket
+mitre_attack:
+- T1003
+- T1558
+- T1021
+- T1078
+- T1484
 version: '1.0'
+author: mahipal
+license: Apache-2.0
+d3fend_techniques:
+- Application Protocol Command Analysis
+- Network Isolation
+- Network Traffic Analysis
+- Client-server Payload Profiling
+- Platform Monitoring
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
+---
+
+# Performing Active Directory Compromise Investigation
+
+## Overview
+
+Active Directory (AD) compromise investigation is a critical incident response capability that focuses on identifying how attackers gained access to domain services, what persistence mechanisms they established, and the scope of credential compromise. Since 88% of breaches involve compromised credentials (Verizon 2025 DBIR), AD is the primary target for enterprise-wide attacks. Investigators must analyze NTDS.dit database integrity, Kerberos ticket-granting activity, Group Policy modifications, replication metadata, and privileged group membership changes to reconstruct the attack chain and determine full compromise scope.
+
+
+## When to Use
+
+- When conducting security assessments that involve performing active directory compromise investigation
+- When following incident response procedures for related security events
+- When performing scheduled security testing or auditing activities
+- When validating security controls through hands-on testing
+
+## Prerequisites
+
+- Familiarity with incident response concepts and tools
+- Access to a test or lab environment for safe execution
+- Python 3.8+ with required dependencies installed
+- Appropriate authorization for any testing activities
+
+## Key Investigation Areas
+
+### 1. NTDS.dit Database Analysis
+
+The NTDS.dit file is the core Active Directory credential database containing all password hashes for domain accounts. Attackers commonly exfiltrate this file using tools like ntdsutil, secretsdump.py, or DCSync attacks via Mimikatz.
+
+**Detection indicators:**
+- Event ID 4662: Access to directory service objects with replication permissions
+- Event ID 4742: Computer account modifications on domain controllers
+- Volume Shadow Copy creation on domain controllers (Event ID 8222)
+- Unusual ntdsutil.exe or vssadmin.exe execution
+- Replication traffic from non-DC sources (DCSync detection)
+
+### 2. Kerberos Attack Detection
+
+**Golden Ticket indicators:**
+- TGT tickets with abnormally long lifetimes (default is 10 hours)
+- Event ID 4769 with encryption type 0x17 (RC4) instead of AES
+- TGT issued without corresponding Event ID 4768 (AS-REQ)
+- Kerberos tickets referencing non-existent or disabled accounts
+
+**Silver Ticket indicators:**
+- Service tickets without corresponding TGT requests
+- Event ID 4769 with unusual service names
+- Tickets with forged PAC data
+
+**Kerberoasting indicators:**
+- High volume of Event ID 4769 for service accounts
+- RC4 encryption requests for accounts that support AES
+- Requests from workstations not normally accessing those services
+
+### 3. Group Policy Abuse
+
+- GPO modifications granting new privileges (Event ID 5136)
+- Scheduled task deployment via GPO
+- Software installation policies added to domain
+- Login script modifications
+- Registry-based policy changes for persistence
+
+### 4. Privileged Group Enumeration
+
+Track modifications to these critical groups:
+- Domain Admins, Enterprise Admins, Schema Admins
+- Account Operators, Backup Operators
+- DnsAdmins (can execute arbitrary DLLs on DCs)
+- Group Policy Creator Owners
+- Protected Users group membership changes
+
+### 5. Trust Relationship Analysis
+
+- New forest/domain trusts created (Event ID 4706)
+- SID History injection for privilege escalation
+- Trust ticket forgery indicators
+- Cross-domain authentication anomalies
+
+## Investigation Methodology
+
+### Phase 1: Scoping and Evidence Collection
+```
+1. Identify potentially compromised domain controllers
+2. Collect Security, System, Directory Service event logs
+3. Extract AD replication metadata using repadmin
+4. Capture ntdsutil snapshots for offline analysis
+5. Collect DNS server logs and zone transfer records
+6. Export Group Policy Object configurations
+7. Document current privileged group memberships
+```
+
+### Phase 2: Authentication Log Analysis
+```
+1. Parse Event ID 4624/4625 for logon patterns
+2. Identify pass-the-hash indicators (Event ID 4624 Type 3 with NTLM)
+3. Analyze Event ID 4768/4769/4771 for Kerberos anomalies
+4. Review Event ID 4776 for NTLM authentication failures
+5. Cross-reference logon events with known compromised accounts
+6. Map lateral movement paths through authentication chains
+```
+
+### Phase 3: Persistence and Backdoor Detection
+```
+1. Enumerate AdminSDHolder ACL modifications
+2. Check for SID History abuse on accounts
+3. Verify krbtgt account password age
+4. Audit DSRM password configuration
+5. Check for skeleton key malware indicators
+6. Review AD Certificate Services for rogue certificates
+7. Validate DNS records for poisoning
+```
+
+### Phase 4: Remediation Planning
+```
+1. Double-rotate krbtgt password (wait replication between rotations)
+2. Reset all compromised account passwords
+3. Remove unauthorized privileged group members
+4. Revoke rogue certificates if AD CS compromised
+5. Rebuild domain controllers from clean media if needed
+6. Implement tiered administration model
+7. Enable Protected Users group for privileged accounts
+```
+
+## Critical Event IDs for AD Investigation
+
+| Event ID | Source | Description |
+|----------|--------|-------------|
+| 4624 | Security | Successful logon |
+| 4625 | Security | Failed logon |
+| 4648 | Security | Explicit credential logon |
+| 4662 | Security | Operation on AD object |
+| 4768 | Security | Kerberos TGT requested |
+| 4769 | Security | Kerberos service ticket requested |
+| 4771 | Security | Kerberos pre-authentication failed |
+| 4776 | Security | NTLM credential validation |
+| 5136 | Security | Directory object modified |
+| 5137 | Security | Directory object created |
+| 4706 | Security | Trust created |
+| 4707 | Security | Trust removed |
+| 4742 | Security | Computer account changed |
+| 8222 | System | Shadow copy created |
+
+## Tools for AD Investigation
+
+| Tool | Purpose |
+|------|---------|
+| **BloodHound** | Attack path mapping and privilege escalation analysis |
+| **Pingcastle** | AD security assessment and risk scoring |
+| **Purple Knight** | AD vulnerability scanning by Semperis |
+| **ADRecon** | Active Directory data gathering |
+| **Mimikatz** | Credential extraction and Kerberos analysis |
+| **Impacket** | DCSync detection and NTLM relay analysis |
+| **Velociraptor** | Remote forensic artifact collection |
+| **Timeline Explorer** | Event log timeline analysis |
+
+## MITRE ATT&CK Mapping
+
+| Technique | ID | Relevance |
+|-----------|----|-----------|
+| DCSync | T1003.006 | NTDS.dit credential extraction |
+| Golden Ticket | T1558.001 | Kerberos TGT forgery |
+| Silver Ticket | T1558.002 | Service ticket forgery |
+| Kerberoasting | T1558.003 | Service account hash extraction |
+| Pass-the-Hash | T1550.002 | NTLM hash reuse |
+| Group Policy Modification | T1484.001 | Persistence via GPO |
+| Account Manipulation | T1098 | Privileged group changes |
+| SID-History Injection | T1134.005 | Privilege escalation |
+
+## References
+
+- [CISA: Detecting and Mitigating Active Directory Compromises](https://www.cisa.gov/resources-tools/resources/detecting-and-mitigating-active-directory-compromises)
+- [Microsoft: Total Identity Compromise IR Lessons](https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/total-identity-compromise-microsoft-incident-response-lessons-on-securing-active/3753391)
+- [Semperis: Top 10 Active Directory Risks](https://www.semperis.com/blog/10-ad-risks-caught-by-identity-forensics-and-incident-response/)
+- [Fidelis: Active Directory Compromise Response](https://fidelissecurity.com/threatgeek/active-directory-security/respond-after-an-active-directory-compromise/)
diff --git a/skills/performing-active-directory-forest-trust-attack/SKILL.md b/skills/performing-active-directory-forest-trust-attack/SKILL.md
index a5275e23..6a2a66c5 100644
--- a/skills/performing-active-directory-forest-trust-attack/SKILL.md
+++ b/skills/performing-active-directory-forest-trust-attack/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: performing-active-directory-forest-trust-attack
-description: Enumerate and audit Active Directory forest trust relationships using impacket for SID filtering analysis, trust key extraction, cross-forest SID history abuse detection, and inter-realm Kerberos ticket assessment.
+description: Enumerate and audit Active Directory forest trust relationships using impacket for SID filtering analysis, trust
+ key extraction, cross-forest SID history abuse detection, and inter-realm Kerberos ticket assessment.
 domain: cybersecurity
 subdomain: red-team
-tags: [active-directory, forest-trust, impacket, SID-filtering, kerberos, red-team, trust-enumeration]
-version: "1.0"
+tags:
+- active-directory
+- forest-trust
+- impacket
+- SID-filtering
+- kerberos
+- red-team
+- trust-enumeration
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Performing Active Directory Forest Trust Attack
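Review bot: The Prerequisites and When to Use sections of the new SKILL.md are template text that does not fit this skill: nothing in the body uses Python, yet Prerequisites lists `Python 3.8+ with required dependencies installed`, and the When to Use bullets talk about `scheduled security testing` and `hands-on testing` rather than the incident-response triggers the rest of the file describes. Replace them with triggers the body actually supports, for example `- When Event ID 4662 replication-permission access or replication traffic from a non-DC host is observed` and `- When unexpected changes to privileged groups, AdminSDHolder, or the krbtgt account are detected`, and drop the Python prerequisite. In the Tools table the Impacket row says `DCSync detection and NTLM relay analysis`, but Impacket performs those operations rather than detecting them; label that row (and the Mimikatz row) as adversary-emulation tooling used to validate detections, or move them out of the investigation-tool list. The front matter for this file starts in the previous hunk, and its `version: '1.0'` sits between `mitre_attack` and `author`, unlike the key order used by the sibling files in this diff.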
diff --git a/skills/performing-active-directory-penetration-test/SKILL.md b/skills/performing-active-directory-penetration-test/SKILL.md
index 2ecc2caf..b251c5e1 100644
--- a/skills/performing-active-directory-penetration-test/SKILL.md
+++ b/skills/performing-active-directory-penetration-test/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: performing-active-directory-penetration-test
-description: Conduct a focused Active Directory penetration test to enumerate domain objects, discover attack paths with BloodHound, exploit Kerberos weaknesses, escalate privileges via ADCS/DCSync, and demonstrate domain compromise.
+description: Conduct a focused Active Directory penetration test to enumerate domain objects, discover attack paths with BloodHound,
+ exploit Kerberos weaknesses, escalate privileges via ADCS/DCSync, and demonstrate domain compromise.
 domain: cybersecurity
 subdomain: penetration-testing
-tags: [active-directory, BloodHound, Kerberoasting, Impacket, DCSync, ADCS, domain-compromise, privilege-escalation]
-version: "1.0"
+tags:
+- active-directory
+- BloodHound
+- Kerberoasting
+- Impacket
+- DCSync
+- ADCS
+- domain-compromise
+- privilege-escalation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Performing Active Directory Penetration Test
diff --git a/skills/performing-active-directory-vulnerability-assessment/SKILL.md b/skills/performing-active-directory-vulnerability-assessment/SKILL.md
index 4244d5bc..e6d229c5 100644
--- a/skills/performing-active-directory-vulnerability-assessment/SKILL.md
+++ b/skills/performing-active-directory-vulnerability-assessment/SKILL.md
@@ -22,6 +22,11 @@ d3fend_techniques:
 - Restore Configuration
 - Access Modeling
 - Operational Activity Mapping
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 
 # Performing Active Directory Vulnerability Assessment
diff --git a/skills/performing-adversary-in-the-middle-phishing-detection/SKILL.md b/skills/performing-adversary-in-the-middle-phishing-detection/SKILL.md
index 89af8933..72600c65 100644
--- a/skills/performing-adversary-in-the-middle-phishing-detection/SKILL.md
+++ b/skills/performing-adversary-in-the-middle-phishing-detection/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: performing-adversary-in-the-middle-phishing-detection
-description: Detect and respond to Adversary-in-the-Middle (AiTM) phishing attacks that use reverse proxy kits like EvilProxy, Evilginx, and Tycoon 2FA to bypass MFA and steal session tokens.
+description: Detect and respond to Adversary-in-the-Middle (AiTM) phishing attacks that use reverse proxy kits like EvilProxy,
+ Evilginx, and Tycoon 2FA to bypass MFA and steal session tokens.
 domain: cybersecurity
 subdomain: phishing-defense
-tags: [aitm, evilproxy, evilginx, phishing, mfa-bypass, session-hijacking, reverse-proxy, credential-theft]
-version: "1.0"
+tags:
+- aitm
+- evilproxy
+- evilginx
+- phishing
+- mfa-bypass
+- session-hijacking
+- reverse-proxy
+- credential-theft
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
+- DE.AE-02
 ---
 
 # Performing Adversary-in-the-Middle Phishing Detection
diff --git a/skills/performing-agentless-vulnerability-scanning/SKILL.md b/skills/performing-agentless-vulnerability-scanning/SKILL.md
index a06ff349..e7292193 100644
--- a/skills/performing-agentless-vulnerability-scanning/SKILL.md
+++ b/skills/performing-agentless-vulnerability-scanning/SKILL.md
@@ -20,6 +20,11 @@ nist_ai_rmf:
 - GOVERN-1.1
 - MEASURE-2.7
 - MANAGE-3.1
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 
 # Performing Agentless Vulnerability Scanning
diff --git a/skills/performing-ai-driven-osint-correlation/SKILL.md b/skills/performing-ai-driven-osint-correlation/SKILL.md
index 86ee145c..2da5cbd6 100644
--- a/skills/performing-ai-driven-osint-correlation/SKILL.md
+++ b/skills/performing-ai-driven-osint-correlation/SKILL.md
@@ -34,6 +34,11 @@ d3fend_techniques:
 - Identifier Reputation Analysis
 - User Behavior Analysis
 - Content Validation
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Performing AI-Driven OSINT Correlation
diff --git a/skills/performing-alert-triage-with-elastic-siem/SKILL.md b/skills/performing-alert-triage-with-elastic-siem/SKILL.md
index d98a6563..8017ad2b 100644
--- a/skills/performing-alert-triage-with-elastic-siem/SKILL.md
+++ b/skills/performing-alert-triage-with-elastic-siem/SKILL.md
@@ -22,6 +22,11 @@ d3fend_techniques:
 - Application Protocol Command Analysis
 - Password Authentication
 - Reissue Credential
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 
 # Performing Alert Triage with Elastic SIEM
diff --git a/skills/performing-android-app-static-analysis-with-mobsf/SKILL.md b/skills/performing-android-app-static-analysis-with-mobsf/SKILL.md
index 3d5a6d8b..938ffe40 100644
--- a/skills/performing-android-app-static-analysis-with-mobsf/SKILL.md
+++ b/skills/performing-android-app-static-analysis-with-mobsf/SKILL.md
@@ -1,18 +1,29 @@
 ---
 name: performing-android-app-static-analysis-with-mobsf
-description: >
- Performs automated static analysis of Android applications using Mobile Security Framework (MobSF)
- to identify hardcoded secrets, insecure permissions, vulnerable components, weak cryptography,
- and code-level security flaws without executing the application. Use when assessing Android APK/AAB
- files for security vulnerabilities before deployment, during penetration testing, or as part of
- CI/CD security gates. Activates for requests involving Android static analysis, MobSF scanning,
- APK security assessment, or mobile application code review.
+description: 'Performs automated static analysis of Android applications using Mobile Security Framework (MobSF) to identify
+ hardcoded secrets, insecure permissions, vulnerable components, weak cryptography, and code-level security flaws without
+ executing the application. Use when assessing Android APK/AAB files for security vulnerabilities before deployment, during
+ penetration testing, or as part of CI/CD security gates. Activates for requests involving Android static analysis, MobSF
+ scanning, APK security assessment, or mobile application code review.
+
+ '
 domain: cybersecurity
 subdomain: mobile-security
 author: mahipal
-tags: [mobile-security, android, mobsf, static-analysis, owasp-mobile, penetration-testing]
+tags:
+- mobile-security
+- android
+- mobsf
+- static-analysis
+- owasp-mobile
+- penetration-testing
 version: 1.0.0
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.AA-05
+- ID.RA-01
+- DE.CM-09
 ---
 
 # Performing Android App Static Analysis with MobSF
diff --git a/skills/performing-api-fuzzing-with-restler/SKILL.md b/skills/performing-api-fuzzing-with-restler/SKILL.md
index 26b10c6b..99a802e4 100644
--- a/skills/performing-api-fuzzing-with-restler/SKILL.md
+++ b/skills/performing-api-fuzzing-with-restler/SKILL.md
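Review bot: The rewritten `description` in this hunk ends with an empty line followed by a closing `'` on its own line, so the scalar's value now ends in a newline; this looks like a round-trip artifact of the old `>` block's clip chomping, and any consumer that displays or compares the description will carry that trailing newline. Either end the quoted scalar on the last text line, `scanning, APK security assessment, or mobile application code review.'`, or keep the block form with `description: >-` so the trailing newline is stripped. The same trailing-newline pattern appears in the hunks for performing-api-fuzzing-with-restler, performing-api-inventory-and-discovery, performing-api-rate-limiting-bypass, performing-api-security-testing-with-postman, performing-arp-spoofing-attack-simulation, performing-aws-privilege-escalation-assessment, performing-bandwidth-throttling-attack-simulation and performing-binary-exploitation-analysis. Separately, `version: 1.0.0` stays unquoted here while the other files in this diff use `version: '1.0'`; it parses as a plain string, but quoting it would keep the front matter consistent.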
@@ -1,19 +1,29 @@
 ---
 name: performing-api-fuzzing-with-restler
-description: >
- Uses Microsoft RESTler to perform stateful REST API fuzzing by automatically generating
- and executing test sequences that exercise API endpoints, discover producer-consumer
- dependencies between requests, and find security and reliability bugs. The tester compiles
- an OpenAPI specification into a RESTler fuzzing grammar, configures authentication, runs
- test/fuzz-lean/fuzz modes, and analyzes results for 500 errors, authentication bypasses,
- resource leaks, and payload injection vulnerabilities. Activates for requests involving
- API fuzzing, RESTler testing, stateful API testing, or automated API security scanning.
+description: 'Uses Microsoft RESTler to perform stateful REST API fuzzing by automatically generating and executing test sequences
+ that exercise API endpoints, discover producer-consumer dependencies between requests, and find security and reliability
+ bugs. The tester compiles an OpenAPI specification into a RESTler fuzzing grammar, configures authentication, runs test/fuzz-lean/fuzz
+ modes, and analyzes results for 500 errors, authentication bypasses, resource leaks, and payload injection vulnerabilities.
+ Activates for requests involving API fuzzing, RESTler testing, stateful API testing, or automated API security scanning.
+
+ '
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, fuzzing, restler, automated-testing, openapi, stateful-testing]
+tags:
+- api-security
+- fuzzing
+- restler
+- automated-testing
+- openapi
+- stateful-testing
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Performing API Fuzzing with RESTler
diff --git a/skills/performing-api-inventory-and-discovery/SKILL.md b/skills/performing-api-inventory-and-discovery/SKILL.md
index 7792a426..d968fe44 100644
--- a/skills/performing-api-inventory-and-discovery/SKILL.md
+++ b/skills/performing-api-inventory-and-discovery/SKILL.md
@@ -1,18 +1,29 @@
 ---
 name: performing-api-inventory-and-discovery
-description: >
- Performs API inventory and discovery to identify all API endpoints in an organization's
- environment including documented, undocumented, shadow, zombie, and deprecated APIs. The
- tester uses passive traffic analysis, active scanning, DNS enumeration, JavaScript analysis,
- and cloud resource inventory to build a comprehensive API catalog. Maps to OWASP API9:2023
- Improper Inventory Management. Activates for requests involving API discovery, shadow API
- detection, API inventory audit, or attack surface mapping.
+description: 'Performs API inventory and discovery to identify all API endpoints in an organization''s environment including
+ documented, undocumented, shadow, zombie, and deprecated APIs. The tester uses passive traffic analysis, active scanning,
+ DNS enumeration, JavaScript analysis, and cloud resource inventory to build a comprehensive API catalog. Maps to OWASP API9:2023
+ Improper Inventory Management. Activates for requests involving API discovery, shadow API detection, API inventory audit,
+ or attack surface mapping.
+
+ '
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, owasp, api-discovery, shadow-api, inventory, attack-surface]
+tags:
+- api-security
+- owasp
+- api-discovery
+- shadow-api
+- inventory
+- attack-surface
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Performing API Inventory and Discovery
diff --git a/skills/performing-api-rate-limiting-bypass/SKILL.md b/skills/performing-api-rate-limiting-bypass/SKILL.md
index 0759f4c9..6681c30e 100644
--- a/skills/performing-api-rate-limiting-bypass/SKILL.md
+++ b/skills/performing-api-rate-limiting-bypass/SKILL.md
@@ -1,19 +1,29 @@
 ---
 name: performing-api-rate-limiting-bypass
-description: >
- Tests API rate limiting implementations for bypass vulnerabilities by manipulating request
- headers, IP addresses, HTTP methods, API versions, and encoding schemes to circumvent
- request throttling controls. The tester identifies rate limit headers, determines enforcement
- mechanisms, and attempts bypasses including X-Forwarded-For spoofing, parameter pollution,
- case variation, and endpoint path manipulation. Maps to OWASP API4:2023 Unrestricted Resource
- Consumption. Activates for requests involving rate limit bypass, API throttling evasion,
- brute force protection testing, or API abuse prevention assessment.
+description: 'Tests API rate limiting implementations for bypass vulnerabilities by manipulating request headers, IP addresses,
+ HTTP methods, API versions, and encoding schemes to circumvent request throttling controls. The tester identifies rate limit
+ headers, determines enforcement mechanisms, and attempts bypasses including X-Forwarded-For spoofing, parameter pollution,
+ case variation, and endpoint path manipulation. Maps to OWASP API4:2023 Unrestricted Resource Consumption. Activates for
+ requests involving rate limit bypass, API throttling evasion, brute force protection testing, or API abuse prevention assessment.
+
+ '
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, owasp, rate-limiting, throttling, brute-force, dos-prevention]
+tags:
+- api-security
+- owasp
+- rate-limiting
+- throttling
+- brute-force
+- dos-prevention
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Performing API Rate Limiting Bypass
diff --git a/skills/performing-api-security-testing-with-postman/SKILL.md b/skills/performing-api-security-testing-with-postman/SKILL.md
index e358b717..d4d7c989 100644
--- a/skills/performing-api-security-testing-with-postman/SKILL.md
+++ b/skills/performing-api-security-testing-with-postman/SKILL.md
@@ -1,18 +1,28 @@
 ---
 name: performing-api-security-testing-with-postman
-description: >
- Uses Postman to perform structured API security testing by building collections that test
- for OWASP API Security Top 10 vulnerabilities including authentication bypass, authorization
- flaws, injection, and data exposure. The tester creates environments with multiple user
- roles, writes test scripts for automated security validation, and integrates Postman with
- OWASP ZAP and Newman for CI/CD security testing. Activates for requests involving Postman
- security testing, API security collection, automated API testing, or OWASP API testing with Postman.
+description: 'Uses Postman to perform structured API security testing by building collections that test for OWASP API Security
+ Top 10 vulnerabilities including authentication bypass, authorization flaws, injection, and data exposure. The tester creates
+ environments with multiple user roles, writes test scripts for automated security validation, and integrates Postman with
+ OWASP ZAP and Newman for CI/CD security testing. Activates for requests involving Postman security testing, API security
+ collection, automated API testing, or OWASP API testing with Postman.
+
+ '
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, postman, owasp, automated-testing, security-validation]
+tags:
+- api-security
+- postman
+- owasp
+- automated-testing
+- security-validation
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Performing API Security Testing with Postman
diff --git a/skills/performing-arp-spoofing-attack-simulation/SKILL.md b/skills/performing-arp-spoofing-attack-simulation/SKILL.md
index 804a7310..e2fea4bd 100644
--- a/skills/performing-arp-spoofing-attack-simulation/SKILL.md
+++ b/skills/performing-arp-spoofing-attack-simulation/SKILL.md
@@ -1,15 +1,25 @@
 ---
 name: performing-arp-spoofing-attack-simulation
-description: >
- Simulates ARP spoofing attacks in authorized lab or pentest environments using
- arpspoof, Ettercap, and Scapy to demonstrate man-in-the-middle risks, test network
- detection capabilities, and validate ARP inspection countermeasures.
+description: 'Simulates ARP spoofing attacks in authorized lab or pentest environments using arpspoof, Ettercap, and Scapy
+ to demonstrate man-in-the-middle risks, test network detection capabilities, and validate ARP inspection countermeasures.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, arp-spoofing, mitm, ettercap, layer2-attack]
-version: "1.0"
+tags:
+- network-security
+- arp-spoofing
+- mitm
+- ettercap
+- layer2-attack
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Performing ARP Spoofing Attack Simulation
diff --git a/skills/performing-asset-criticality-scoring-for-vulns/SKILL.md b/skills/performing-asset-criticality-scoring-for-vulns/SKILL.md
index 0bffdf0e..9f45ab2d 100644
--- a/skills/performing-asset-criticality-scoring-for-vulns/SKILL.md
+++ b/skills/performing-asset-criticality-scoring-for-vulns/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-asset-criticality-scoring-for-vulns
-description: Develop and apply a multi-factor asset criticality scoring model to weight vulnerability prioritization based on business impact, data sensitivity, and operational importance.
+description: Develop and apply a multi-factor asset criticality scoring model to weight vulnerability prioritization based
+ on business impact, data sensitivity, and operational importance.
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [asset-criticality, vulnerability-prioritization, risk-management, cmdb, business-impact, crown-jewels, asset-classification]
-version: "1.0"
+tags:
+- asset-criticality
+- vulnerability-prioritization
+- risk-management
+- cmdb
+- business-impact
+- crown-jewels
+- asset-classification
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 
 # Performing Asset Criticality Scoring for Vulns
diff --git a/skills/performing-authenticated-scan-with-openvas/SKILL.md b/skills/performing-authenticated-scan-with-openvas/SKILL.md
index e0666774..0f033a04 100644
--- a/skills/performing-authenticated-scan-with-openvas/SKILL.md
+++ b/skills/performing-authenticated-scan-with-openvas/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-authenticated-scan-with-openvas
-description: Configure and execute authenticated vulnerability scans using OpenVAS/Greenbone Vulnerability Management with SSH and SMB credentials for comprehensive host-level assessment.
+description: Configure and execute authenticated vulnerability scans using OpenVAS/Greenbone Vulnerability Management with
+ SSH and SMB credentials for comprehensive host-level assessment.
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [openvas, gvm, authenticated-scan, vulnerability-scanning, greenbone, network-security, credentialed-scan]
-version: "1.0"
+tags:
+- openvas
+- gvm
+- authenticated-scan
+- vulnerability-scanning
+- greenbone
+- network-security
+- credentialed-scan
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 
 # Performing Authenticated Scan with OpenVAS
diff --git a/skills/performing-authenticated-vulnerability-scan/SKILL.md b/skills/performing-authenticated-vulnerability-scan/SKILL.md
index 3e8f7dfd..bb62304e 100644
--- a/skills/performing-authenticated-vulnerability-scan/SKILL.md
+++ b/skills/performing-authenticated-vulnerability-scan/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-authenticated-vulnerability-scan
-description: Authenticated (credentialed) vulnerability scanning uses valid system credentials to log into target hosts and perform deep inspection of installed software, patches, configurations, and security sett
+description: Authenticated (credentialed) vulnerability scanning uses valid system credentials to log into target hosts and
+ perform deep inspection of installed software, patches, configurations, and security sett
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [vulnerability-management, cve, authenticated-scanning, credentials, nessus, qualys, risk]
-version: "1.0"
+tags:
+- vulnerability-management
+- cve
+- authenticated-scanning
+- credentials
+- nessus
+- qualys
+- risk
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 
 # Performing Authenticated Vulnerability Scan
diff --git a/skills/performing-automated-malware-analysis-with-cape/SKILL.md b/skills/performing-automated-malware-analysis-with-cape/SKILL.md
index ef20b395..202236d1 100644
--- a/skills/performing-automated-malware-analysis-with-cape/SKILL.md
+++ b/skills/performing-automated-malware-analysis-with-cape/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-automated-malware-analysis-with-cape
-description: Deploy and operate CAPEv2 sandbox for automated malware analysis with behavioral monitoring, payload extraction, configuration parsing, and anti-evasion capabilities.
+description: Deploy and operate CAPEv2 sandbox for automated malware analysis with behavioral monitoring, payload extraction,
+ configuration parsing, and anti-evasion capabilities.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [cape, sandbox, automated-analysis, malware-analysis, behavioral-analysis, payload-extraction, cuckoo]
-version: "1.0"
+tags:
+- cape
+- sandbox
+- automated-analysis
+- malware-analysis
+- behavioral-analysis
+- payload-extraction
+- cuckoo
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 
 # Performing Automated Malware Analysis with CAPE
diff --git a/skills/performing-aws-account-enumeration-with-scout-suite/SKILL.md b/skills/performing-aws-account-enumeration-with-scout-suite/SKILL.md
index 968ecb2e..ed563cd5 100644
--- a/skills/performing-aws-account-enumeration-with-scout-suite/SKILL.md
+++ b/skills/performing-aws-account-enumeration-with-scout-suite/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: performing-aws-account-enumeration-with-scout-suite
-description: Perform comprehensive security posture assessment of AWS accounts using ScoutSuite to enumerate resources, identify misconfigurations, and generate actionable security reports.
+description: Perform comprehensive security posture assessment of AWS accounts using ScoutSuite to enumerate resources, identify
+ misconfigurations, and generate actionable security reports.
 domain: cybersecurity
 subdomain: cloud-security
-tags: [aws, scoutsuite, cloud-security, enumeration, misconfiguration, security-audit, cspm, nccgroup]
-version: "1.0"
+tags:
+- aws
+- scoutsuite
+- cloud-security
+- enumeration
+- misconfiguration
+- security-audit
+- cspm
+- nccgroup
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Performing AWS Account Enumeration with ScoutSuite
diff --git a/skills/performing-aws-privilege-escalation-assessment/SKILL.md b/skills/performing-aws-privilege-escalation-assessment/SKILL.md
index 252bc355..236a0727 100644
--- a/skills/performing-aws-privilege-escalation-assessment/SKILL.md
+++ b/skills/performing-aws-privilege-escalation-assessment/SKILL.md
@@ -1,15 +1,27 @@
 ---
 name: performing-aws-privilege-escalation-assessment
-description: >
- Performing authorized privilege escalation assessments in AWS environments to identify
- IAM misconfigurations that allow users or roles to elevate their permissions using
- Pacu, CloudFox, Principal Mapper, and manual IAM policy analysis techniques.
+description: 'Performing authorized privilege escalation assessments in AWS environments to identify IAM misconfigurations
+ that allow users or roles to elevate their permissions using Pacu, CloudFox, Principal Mapper, and manual IAM policy analysis
+ techniques.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, aws, privilege-escalation, iam, pacu, offensive-security]
-version: "1.0"
+tags:
+- cloud-security
+- aws
+- privilege-escalation
+- iam
+- pacu
+- offensive-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Performing AWS Privilege Escalation Assessment
diff --git a/skills/performing-bandwidth-throttling-attack-simulation/SKILL.md b/skills/performing-bandwidth-throttling-attack-simulation/SKILL.md
index 8ae4a90e..601ee77f 100644
--- a/skills/performing-bandwidth-throttling-attack-simulation/SKILL.md
+++ b/skills/performing-bandwidth-throttling-attack-simulation/SKILL.md
@@ -1,15 +1,25 @@ --- name: performing-bandwidth-throttling-attack-simulation -description: > - Simulates bandwidth throttling and network degradation attacks using tc, iperf3, and - Scapy in authorized environments to test quality-of-service controls, application - resilience, and network monitoring detection of traffic manipulation attacks. +description: 'Simulates bandwidth throttling and network degradation attacks using tc, iperf3, and Scapy in authorized environments + to test quality-of-service controls, application resilience, and network monitoring detection of traffic manipulation attacks. + + ' domain: cybersecurity subdomain: network-security -tags: [network-security, bandwidth-throttling, qos, traffic-shaping, network-resilience] -version: "1.0" +tags: +- network-security +- bandwidth-throttling +- qos +- traffic-shaping +- network-resilience +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- DE.CM-01 +- ID.AM-03 +- PR.DS-02 --- # Performing Bandwidth Throttling Attack Simulation diff --git a/skills/performing-binary-exploitation-analysis/SKILL.md b/skills/performing-binary-exploitation-analysis/SKILL.md index 04c177ae..9825fd8e 100644 --- a/skills/performing-binary-exploitation-analysis/SKILL.md +++ b/skills/performing-binary-exploitation-analysis/SKILL.md 
@@ -1,16 +1,23 @@ --- name: performing-binary-exploitation-analysis -description: > - Analyze binary exploitation techniques including buffer overflows and - ROP chains using pwntools Python library. Covers checksec analysis, - gadget discovery with ROPgadget, and exploit development for CTF and - authorized security assessments. +description: 'Analyze binary exploitation techniques including buffer overflows and ROP chains using pwntools Python library. + Covers checksec analysis, gadget discovery with ROPgadget, and exploit development for CTF and authorized security assessments. + + ' domain: cybersecurity subdomain: offensive-security -tags: [binary-exploitation, pwntools, rop-chains, buffer-overflow] -version: "1.0" +tags: +- binary-exploitation +- pwntools +- rop-chains +- buffer-overflow +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- ID.RA-01 +- GV.OV-02 +- DE.AE-07 --- # Performing Binary Exploitation Analysis diff --git a/skills/performing-blind-ssrf-exploitation/SKILL.md b/skills/performing-blind-ssrf-exploitation/SKILL.md index 42e10888..96d24456 100644 --- a/skills/performing-blind-ssrf-exploitation/SKILL.md +++ b/skills/performing-blind-ssrf-exploitation/SKILL.md 
@@ -1,12 +1,25 @@ --- name: performing-blind-ssrf-exploitation -description: Detect and exploit blind Server-Side Request Forgery vulnerabilities using out-of-band techniques, DNS interactions, and timing analysis to access internal services and cloud metadata endpoints. +description: Detect and exploit blind Server-Side Request Forgery vulnerabilities using out-of-band techniques, DNS interactions, + and timing analysis to access internal services and cloud metadata endpoints. domain: cybersecurity subdomain: web-application-security -tags: [blind-ssrf, ssrf, out-of-band, burp-collaborator, cloud-metadata, internal-network, oob-detection] -version: "1.0" +tags: +- blind-ssrf +- ssrf +- out-of-band +- burp-collaborator +- cloud-metadata +- internal-network +- oob-detection +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.PS-01 +- ID.RA-01 +- PR.DS-10 +- DE.CM-01 --- # Performing Blind SSRF Exploitation diff --git a/skills/performing-bluetooth-security-assessment/SKILL.md b/skills/performing-bluetooth-security-assessment/SKILL.md index 46c102f5..49222568 100644 --- a/skills/performing-bluetooth-security-assessment/SKILL.md +++ b/skills/performing-bluetooth-security-assessment/SKILL.md @@ -3,10 +3,18 @@ name: performing-bluetooth-security-assessment description: Assess Bluetooth Low Energy device security by scanning, enumerating GATT services, and detecting vulnerabilities domain: cybersecurity subdomain: wireless-security -tags: [bluetooth, ble, gatt, wireless-security] -version: "1.0" +tags: +- bluetooth +- ble +- gatt +- wireless-security +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- DE.CM-01 +- ID.AM-03 --- diff --git a/skills/performing-brand-monitoring-for-impersonation/SKILL.md b/skills/performing-brand-monitoring-for-impersonation/SKILL.md index 938278ca..c4fe4418 100644 --- a/skills/performing-brand-monitoring-for-impersonation/SKILL.md +++ b/skills/performing-brand-monitoring-for-impersonation/SKILL.md 
@@ -1,12 +1,25 @@ --- name: performing-brand-monitoring-for-impersonation -description: Monitor for brand impersonation attacks across domains, social media, mobile apps, and dark web channels to detect phishing campaigns, fake sites, and unauthorized brand usage targeting your organization. +description: Monitor for brand impersonation attacks across domains, social media, mobile apps, and dark web channels to detect + phishing campaigns, fake sites, and unauthorized brand usage targeting your organization. domain: cybersecurity subdomain: threat-intelligence -tags: [brand-monitoring, impersonation, phishing, domain-monitoring, social-media, brand-protection, threat-intelligence] -version: "1.0" +tags: +- brand-monitoring +- impersonation +- phishing +- domain-monitoring +- social-media +- brand-protection +- threat-intelligence +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- ID.RA-01 +- ID.RA-05 +- DE.CM-01 +- DE.AE-02 --- # Performing Brand Monitoring for Impersonation diff --git a/skills/performing-clickjacking-attack-test/SKILL.md b/skills/performing-clickjacking-attack-test/SKILL.md index 5c9128e1..b3f10b7d 100644 --- a/skills/performing-clickjacking-attack-test/SKILL.md +++ b/skills/performing-clickjacking-attack-test/SKILL.md @@ -20,6 +20,11 @@ atlas_techniques: nist_ai_rmf: - MEASURE-2.8 - MAP-5.1 +nist_csf: +- PR.PS-01 +- ID.RA-01 +- PR.DS-10 +- DE.CM-01 --- # Performing Clickjacking Attack Test diff --git a/skills/performing-cloud-asset-inventory-with-cartography/SKILL.md b/skills/performing-cloud-asset-inventory-with-cartography/SKILL.md index 7adf30fc..67e27a80 100644 --- a/skills/performing-cloud-asset-inventory-with-cartography/SKILL.md +++ b/skills/performing-cloud-asset-inventory-with-cartography/SKILL.md 
@@ -1,12 +1,26 @@ --- name: performing-cloud-asset-inventory-with-cartography -description: Perform comprehensive cloud asset inventory and relationship mapping using Cartography to build a Neo4j security graph of infrastructure assets, IAM permissions, and attack paths across AWS, GCP, and Azure. +description: Perform comprehensive cloud asset inventory and relationship mapping using Cartography to build a Neo4j security + graph of infrastructure assets, IAM permissions, and attack paths across AWS, GCP, and Azure. domain: cybersecurity subdomain: cloud-security -tags: [cartography, neo4j, cloud-security, asset-inventory, attack-path, graph-database, cncf, lyft] -version: "1.0" +tags: +- cartography +- neo4j +- cloud-security +- asset-inventory +- attack-path +- graph-database +- cncf +- lyft +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- ID.AM-08 +- GV.SC-06 +- DE.CM-01 --- # Performing Cloud Asset Inventory with Cartography diff --git a/skills/performing-cloud-forensics-investigation/SKILL.md b/skills/performing-cloud-forensics-investigation/SKILL.md index 268a39c0..5e6c0d9b 100644 --- a/skills/performing-cloud-forensics-investigation/SKILL.md +++ b/skills/performing-cloud-forensics-investigation/SKILL.md 
@@ -1,12 +1,25 @@ --- name: performing-cloud-forensics-investigation -description: Conduct forensic investigations in cloud environments by collecting and analyzing logs, snapshots, and metadata from AWS, Azure, and GCP services. +description: Conduct forensic investigations in cloud environments by collecting and analyzing logs, snapshots, and metadata + from AWS, Azure, and GCP services. domain: cybersecurity subdomain: digital-forensics -tags: [forensics, cloud-forensics, aws, azure, gcp, incident-response, log-analysis] -version: "1.0" +tags: +- forensics +- cloud-forensics +- aws +- azure +- gcp +- incident-response +- log-analysis +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- RS.AN-01 +- RS.AN-03 +- DE.AE-02 +- RS.MA-01 --- # Performing Cloud Forensics Investigation diff --git a/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md b/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md index 6c2536e7..39936b4f 100644 --- a/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md +++ b/skills/performing-cloud-forensics-with-aws-cloudtrail/SKILL.md @@ -1,12 +1,26 @@ --- name: performing-cloud-forensics-with-aws-cloudtrail -description: Perform forensic investigation of AWS environments using CloudTrail logs to reconstruct attacker activity, identify compromised credentials, and analyze API call patterns. +description: Perform forensic investigation of AWS environments using CloudTrail logs to reconstruct attacker activity, identify + compromised credentials, and analyze API call patterns. domain: cybersecurity subdomain: cloud-security -tags: [cloud-security, aws, cloudtrail, forensics, incident-response, dfir, boto3, s3] -version: "1.0" +tags: +- cloud-security +- aws +- cloudtrail +- forensics +- incident-response +- dfir +- boto3 +- s3 +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- ID.AM-08 +- GV.SC-06 +- DE.CM-01 --- # Performing Cloud Forensics with AWS CloudTrail 
diff --git a/skills/performing-cloud-incident-containment-procedures/SKILL.md b/skills/performing-cloud-incident-containment-procedures/SKILL.md index 1986af4f..1aab7c13 100644 --- a/skills/performing-cloud-incident-containment-procedures/SKILL.md +++ b/skills/performing-cloud-incident-containment-procedures/SKILL.md @@ -1,6 +1,10 @@ --- -{} ----tags: +name: performing-cloud-incident-containment-procedures +description: Execute cloud-native incident containment across AWS, Azure, and GCP by isolating compromised resources, revoking + credentials, preserving forensic evidence, and applying security group restrictions to prevent lateral movement. +domain: cybersecurity +subdomain: incident-response +tags: - cloud-security - incident-containment - aws 
@@ -9,4 +13,298 @@ - cloud-forensics - credential-revocation - network-isolation +mitre_attack: +- T1078 +- T1537 +- T1580 +- T1525 +- T1098 version: '1.0' +author: mahipal +license: Apache-2.0 +d3fend_techniques: +- Restore Access +- Password Authentication +- Biometric Authentication +- Strong Password Policy +- Restore User Account Access +nist_csf: +- RS.MA-01 +- RS.MA-02 +- RS.AN-03 +- RC.RP-01 +--- + +# Performing Cloud Incident Containment Procedures + +## Overview + +Cloud incident containment requires cloud-native approaches that differ significantly from traditional on-premises response. Containment procedures must leverage platform-specific controls including security groups, IAM policies, network ACLs, and service-level isolation to restrict compromised resources while preserving forensic evidence. According to the 2025 Unit 42 Global Incident Response Report, responding to cloud incidents requires understanding shared responsibility models, ephemeral infrastructure, and API-driven operations. Effective containment involves credential revocation, resource isolation, evidence snapshot creation, and automated response playbook execution. + + +## When to Use + +- When conducting security assessments that involve performing cloud incident containment procedures +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with incident response concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + +## AWS Containment Procedures + +### 1. Credential Compromise Containment + +```bash +# Disable compromised IAM user access keys +aws iam update-access-key --user-name compromised-user \ + --access-key-id AKIA... 
--status Inactive + +# List and disable all access keys for user +aws iam list-access-keys --user-name compromised-user +aws iam delete-access-key --user-name compromised-user --access-key-id AKIA... + +# Attach deny-all policy to compromised user +aws iam put-user-policy --user-name compromised-user \ + --policy-name DenyAll \ + --policy-document '{ + "Version": "2012-10-17", + "Statement": [{ + "Effect": "Deny", + "Action": "*", + "Resource": "*" + }] + }' + +# Revoke all active sessions for IAM role +aws iam put-role-policy --role-name compromised-role \ + --policy-name RevokeOldSessions \ + --policy-document '{ + "Version": "2012-10-17", + "Statement": [{ + "Effect": "Deny", + "Action": "*", + "Resource": "*", + "Condition": { + "DateLessThan": {"aws:TokenIssueTime": "'$(date -u +%Y-%m-%dT%H:%M:%SZ)'"} + } + }] + }' + +# Invalidate temporary credentials by updating role trust policy +aws iam update-assume-role-policy --role-name compromised-role \ + --policy-document '{"Version":"2012-10-17","Statement":[]}' +``` + +### 2. 
EC2 Instance Isolation + +```bash +# Create quarantine security group (no inbound, no outbound) +aws ec2 create-security-group --group-name quarantine-sg \ + --description "Quarantine - No traffic allowed" --vpc-id vpc-xxxxx + +# Remove all rules from quarantine SG (default allows outbound) +aws ec2 revoke-security-group-egress --group-id sg-quarantine \ + --ip-permissions '[{"IpProtocol":"-1","FromPort":-1,"ToPort":-1,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]' + +# Take forensic snapshot BEFORE containment +aws ec2 create-snapshot --volume-id vol-xxxxx \ + --description "Forensic snapshot - IR Case 2025-001" \ + --tag-specifications 'ResourceType=snapshot,Tags=[{Key=IR-Case,Value=2025-001}]' + +# Apply quarantine security group to compromised instance +aws ec2 modify-instance-attribute --instance-id i-xxxxx \ + --groups sg-quarantine + +# Tag instance as compromised +aws ec2 create-tags --resources i-xxxxx \ + --tags Key=IR-Status,Value=Contained Key=IR-Case,Value=2025-001 + +# Capture memory (if SSM agent available) +aws ssm send-command --instance-ids i-xxxxx \ + --document-name "AWS-RunShellScript" \ + --parameters 'commands=["dd if=/dev/mem of=/tmp/memory.dump bs=1M"]' +``` + +### 3. 
S3 Bucket Containment + +```bash +# Block all public access +aws s3api put-public-access-block --bucket compromised-bucket \ + --public-access-block-configuration \ + BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true + +# Apply deny policy to bucket +aws s3api put-bucket-policy --bucket compromised-bucket \ + --policy '{ + "Version": "2012-10-17", + "Statement": [{ + "Sid": "DenyAllExceptForensics", + "Effect": "Deny", + "NotPrincipal": {"AWS": "arn:aws:iam::ACCOUNT:role/IR-Forensics"}, + "Action": "s3:*", + "Resource": ["arn:aws:s3:::compromised-bucket","arn:aws:s3:::compromised-bucket/*"] + }] + }' + +# Enable versioning to preserve evidence +aws s3api put-bucket-versioning --bucket compromised-bucket \ + --versioning-configuration Status=Enabled + +# Enable Object Lock for evidence preservation +aws s3api put-object-lock-configuration --bucket evidence-bucket \ + --object-lock-configuration '{ + "ObjectLockEnabled": "Enabled", + "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}} + }' +``` + +### 4. Lambda Function Containment + +```bash +# Set reserved concurrency to 0 (stops all invocations) +aws lambda put-function-concurrency --function-name compromised-function \ + --reserved-concurrent-executions 0 + +# Remove all event source mappings +aws lambda list-event-source-mappings --function-name compromised-function +aws lambda delete-event-source-mapping --uuid mapping-uuid +``` + +## Azure Containment Procedures + +### 1. Identity Containment + +```powershell +# Revoke all user sessions +Revoke-AzureADUserAllRefreshToken -ObjectId "user-object-id" + +# Disable user account +Set-AzureADUser -ObjectId "user-object-id" -AccountEnabled $false + +# Reset user password +Set-AzureADUserPassword -ObjectId "user-object-id" -Password ( + ConvertTo-SecureString "TempP@ss!" 
-AsPlainText -Force +) -ForceChangePasswordNextLogin $true + +# Block sign-in via Conditional Access (emergency policy) +# Create policy blocking user from all cloud apps + +# Revoke Azure AD application consent +Remove-AzureADServiceAppRoleAssignment -ObjectId "sp-object-id" \ + -AppRoleAssignmentId "assignment-id" +``` + +### 2. VM Isolation + +```powershell +# Create Network Security Group with deny-all rules +$nsg = New-AzNetworkSecurityGroup -ResourceGroupName "rg" -Location "eastus" ` + -Name "quarantine-nsg" ` + -SecurityRules @( + New-AzNetworkSecurityRuleConfig -Name "DenyAllInbound" -Protocol * ` + -Direction Inbound -Priority 100 -SourceAddressPrefix * ` + -SourcePortRange * -DestinationAddressPrefix * ` + -DestinationPortRange * -Access Deny, + New-AzNetworkSecurityRuleConfig -Name "DenyAllOutbound" -Protocol * ` + -Direction Outbound -Priority 100 -SourceAddressPrefix * ` + -SourcePortRange * -DestinationAddressPrefix * ` + -DestinationPortRange * -Access Deny + ) + +# Take disk snapshot for forensics +$vm = Get-AzVM -ResourceGroupName "rg" -Name "compromised-vm" +$snapshotConfig = New-AzSnapshotConfig -SourceUri $vm.StorageProfile.OsDisk.ManagedDisk.Id ` + -Location "eastus" -CreateOption Copy +New-AzSnapshot -ResourceGroupName "rg" -SnapshotName "forensic-snap" -Snapshot $snapshotConfig + +# Apply quarantine NSG to VM NIC +$nic = Get-AzNetworkInterface -ResourceGroupName "rg" -Name "compromised-nic" +$nic.NetworkSecurityGroup = $nsg +Set-AzNetworkInterface -NetworkInterface $nic +``` + +### 3. 
Storage Account Containment + +```powershell +# Remove network access +Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "rg" ` + -Name "storageaccount" -DefaultAction Deny + +# Regenerate access keys +New-AzStorageAccountKey -ResourceGroupName "rg" -Name "storageaccount" -KeyName key1 +New-AzStorageAccountKey -ResourceGroupName "rg" -Name "storageaccount" -KeyName key2 + +# Revoke all SAS tokens (by rotating keys) +# Enable immutability for evidence preservation +``` + +## GCP Containment Procedures + +### 1. IAM Containment + +```bash +# Remove all IAM bindings for compromised service account +gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json +# Edit policy.json to remove compromised account bindings +gcloud projects set-iam-policy PROJECT_ID policy.json + +# Disable service account +gcloud iam service-accounts disable SA_EMAIL + +# Delete service account keys +gcloud iam service-accounts keys list --iam-account SA_EMAIL +gcloud iam service-accounts keys delete KEY_ID --iam-account SA_EMAIL +``` + +### 2. Compute Instance Isolation + +```bash +# Create forensic snapshot +gcloud compute disks snapshot compromised-disk \ + --snapshot-names forensic-snap-$(date +%Y%m%d) \ + --zone us-central1-a + +# Apply firewall rule to deny all traffic +gcloud compute firewall-rules create quarantine-deny-all \ + --network default --action DENY --rules all \ + --target-tags quarantine --priority 0 + +# Tag compromised instance +gcloud compute instances add-tags compromised-instance \ + --tags quarantine --zone us-central1-a + +# Remove external IP +gcloud compute instances delete-access-config compromised-instance \ + --access-config-name "External NAT" --zone us-central1-a +``` + +## Evidence Preservation Best Practices + +1. **Always snapshot before containment** - Create disk/volume snapshots before network isolation +2. **Preserve CloudTrail/Activity Logs** - Copy logs to write-protected storage +3. 
**Document all actions** - Timestamp every containment step taken +4. **Use break-glass procedures** - Pre-establish emergency access for IR team +5. **Maintain forensic chain of custody** - Hash all evidence artifacts + +## MITRE ATT&CK Cloud Techniques + +| Technique | Containment Action | +|-----------|-------------------| +| T1078 - Valid Accounts | Disable accounts, revoke tokens | +| T1530 - Data from Cloud Storage | Lock down bucket/storage policies | +| T1537 - Transfer to Cloud Account | Block cross-account access | +| T1578 - Modify Cloud Compute | Isolate instances, snapshot disks | +| T1552 - Unsecured Credentials | Rotate all access keys and secrets | + +## References + +- [Sygnia: Cloud Incident Response Best Practices](https://www.sygnia.co/blog/incident-response-to-cloud-security-incidents-aws-azure-and-gcp-best-practices/) +- [Unit 42: Responding to Cloud Incidents](https://unit42.paloaltonetworks.com/responding-to-cloud-incidents/) +- [Wiz: Cloud Incident Response Checklist](https://www.wiz.io/academy/incident-response-checklist) +- [Microsoft Cloud Security Benchmark - IR](https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-incident-response) diff --git a/skills/performing-cloud-log-forensics-with-athena/SKILL.md b/skills/performing-cloud-log-forensics-with-athena/SKILL.md index 1e2e0ea6..12e55636 100644 --- a/skills/performing-cloud-log-forensics-with-athena/SKILL.md +++ b/skills/performing-cloud-log-forensics-with-athena/SKILL.md 
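Review bot: In the EC2 isolation block the memory capture (`aws ssm send-command ... dd if=/dev/mem ...`) is issued after the quarantine security group has been applied, but that group strips all egress and the SSM agent needs outbound HTTPS to the SSM endpoints (or VPC endpoints) to receive a command, so as written the capture never runs; move it ahead of `modify-instance-attribute`, and since `/dev/mem` is restricted on current kernels and the dump lands on the suspect's own disk, a dedicated acquisition tool (AVML or LiME) writing to a separate evidence volume is the appropriate step. The S3 deny policy uses `NotPrincipal` with only the role ARN; assumed-role sessions are evaluated by their STS ARN, so the IR-Forensics role's own sessions are denied too and the bucket is locked until the root user removes the policy — the list should read `"NotPrincipal": {"AWS": ["arn:aws:iam::ACCOUNT:role/IR-Forensics", "arn:aws:sts::ACCOUNT:assumed-role/IR-Forensics/*"]}`. The GCP `quarantine-deny-all` rule defaults to ingress, so a tagged instance can still send traffic out; a companion rule with `--direction EGRESS` is needed for real isolation. The `mitre_attack` frontmatter lists T1580, T1525 and T1098 while the body table cites T1530, T1578 and T1552, so the two should be reconciled, and the `Remove-AzureADServiceAppRoleAssignment` call uses a bash `\` continuation inside a PowerShell block where a backtick is required. This hunk's frontmatter begins in the preceding `@@ -1,6 +1,10 @@` hunk.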
@@ -1,17 +1,30 @@ --- name: performing-cloud-log-forensics-with-athena -description: > - Uses AWS Athena to query CloudTrail, VPC Flow Logs, S3 access logs, and ALB logs - for forensic investigation. Covers CREATE TABLE DDL with partition projection, - forensic SQL queries for detecting unauthorized access, data exfiltration, lateral - movement, and privilege escalation. Use when investigating AWS security incidents - or building cloud-native forensic workflows at scale. +description: 'Uses AWS Athena to query CloudTrail, VPC Flow Logs, S3 access logs, and ALB logs for forensic investigation. + Covers CREATE TABLE DDL with partition projection, forensic SQL queries for detecting unauthorized access, data exfiltration, + lateral movement, and privilege escalation. Use when investigating AWS security incidents or building cloud-native forensic + workflows at scale. + + ' domain: cybersecurity subdomain: cloud-security -tags: [cloud, forensics, athena, aws, cloudtrail, vpc-flow-logs, s3, alb] -version: "1.0" +tags: +- cloud +- forensics +- athena +- aws +- cloudtrail +- vpc-flow-logs +- s3 +- alb +version: '1.0' author: mukul975 license: Apache-2.0 +nist_csf: +- PR.IR-01 +- ID.AM-08 +- GV.SC-06 +- DE.CM-01 --- # Performing Cloud Log Forensics with AWS Athena diff --git a/skills/performing-cloud-native-forensics-with-falco/SKILL.md b/skills/performing-cloud-native-forensics-with-falco/SKILL.md index 02a036e3..de922277 100644 --- a/skills/performing-cloud-native-forensics-with-falco/SKILL.md +++ b/skills/performing-cloud-native-forensics-with-falco/SKILL.md 
@@ -1,16 +1,25 @@ --- name: performing-cloud-native-forensics-with-falco -description: > - Uses Falco YAML rules for runtime threat detection in containers and Kubernetes, - monitoring syscalls for shell spawns, file tampering, network anomalies, and privilege - escalation. Manages Falco rules via the Falco gRPC API and parses Falco alert output. - Use when building container runtime security or investigating k8s cluster compromises. +description: 'Uses Falco YAML rules for runtime threat detection in containers and Kubernetes, monitoring syscalls for shell + spawns, file tampering, network anomalies, and privilege escalation. Manages Falco rules via the Falco gRPC API and parses + Falco alert output. Use when building container runtime security or investigating k8s cluster compromises. + + ' domain: cybersecurity subdomain: cloud-security -tags: [performing, cloud, native, forensics] -version: "1.0" +tags: +- performing +- cloud +- native +- forensics +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- ID.AM-08 +- GV.SC-06 +- DE.CM-01 --- # Performing Cloud Native Forensics with Falco diff --git a/skills/performing-cloud-native-threat-hunting-with-aws-detective/SKILL.md b/skills/performing-cloud-native-threat-hunting-with-aws-detective/SKILL.md index 0b0ae103..5f1c71a1 100644 --- a/skills/performing-cloud-native-threat-hunting-with-aws-detective/SKILL.md +++ b/skills/performing-cloud-native-threat-hunting-with-aws-detective/SKILL.md 
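Review bot: The re-serialized `tags` list (`performing`, `cloud`, `native`, `forensics`) is just the skill name split on hyphens and carries no classification value for anyone filtering the corpus; the container-escape-detection file below has the same problem. Tags drawn from the description, e.g. `- falco`, `- kubernetes`, `- runtime-security`, would make the entry discoverable alongside the other container-security skills. The surrounding normalizer pass is a natural point to catch tag lists that merely repeat the `name` field.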
@@ -1,12 +1,27 @@ --- name: performing-cloud-native-threat-hunting-with-aws-detective -description: Hunt for threats in AWS environments using Detective behavior graphs, entity investigation timelines, GuardDuty finding correlation, and automated entity profiling across IAM users, EC2 instances, and IP addresses. +description: Hunt for threats in AWS environments using Detective behavior graphs, entity investigation timelines, GuardDuty + finding correlation, and automated entity profiling across IAM users, EC2 instances, and IP addresses. domain: cybersecurity subdomain: cloud-security -tags: [aws-detective, threat-hunting, cloud-security, guardduty, behavior-graph, aws, iam, ec2, incident-investigation] -version: "1.0" +tags: +- aws-detective +- threat-hunting +- cloud-security +- guardduty +- behavior-graph +- aws +- iam +- ec2 +- incident-investigation +version: '1.0' author: juliosuas license: Apache-2.0 +nist_csf: +- PR.IR-01 +- ID.AM-08 +- GV.SC-06 +- DE.CM-01 --- # Performing Cloud-Native Threat Hunting with AWS Detective diff --git a/skills/performing-cloud-penetration-testing-with-pacu/SKILL.md b/skills/performing-cloud-penetration-testing-with-pacu/SKILL.md index 82b42ef3..18a6908e 100644 --- a/skills/performing-cloud-penetration-testing-with-pacu/SKILL.md +++ b/skills/performing-cloud-penetration-testing-with-pacu/SKILL.md 
@@ -1,15 +1,27 @@ --- name: performing-cloud-penetration-testing-with-pacu -description: > - Performing authorized AWS penetration testing using Pacu, the open-source AWS exploitation - framework, to enumerate IAM configurations, discover privilege escalation paths, test - credential harvesting, and validate security controls through systematic attack simulation. +description: 'Performing authorized AWS penetration testing using Pacu, the open-source AWS exploitation framework, to enumerate + IAM configurations, discover privilege escalation paths, test credential harvesting, and validate security controls through + systematic attack simulation. + + ' domain: cybersecurity subdomain: cloud-security -tags: [cloud-security, aws, pacu, penetration-testing, offensive-security, iam-exploitation] -version: "1.0" +tags: +- cloud-security +- aws +- pacu +- penetration-testing +- offensive-security +- iam-exploitation +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.IR-01 +- ID.AM-08 +- GV.SC-06 +- DE.CM-01 --- # Performing Cloud Penetration Testing with Pacu diff --git a/skills/performing-cloud-storage-forensic-acquisition/SKILL.md b/skills/performing-cloud-storage-forensic-acquisition/SKILL.md index 7619b300..cc53e9e3 100644 --- a/skills/performing-cloud-storage-forensic-acquisition/SKILL.md +++ b/skills/performing-cloud-storage-forensic-acquisition/SKILL.md @@ -26,6 +26,11 @@ atlas_techniques: - AML.T0070 - AML.T0066 - AML.T0082 +nist_csf: +- RS.AN-01 +- RS.AN-03 +- DE.AE-02 +- RS.MA-01 --- # Performing Cloud Storage Forensic Acquisition diff --git a/skills/performing-container-escape-detection/SKILL.md b/skills/performing-container-escape-detection/SKILL.md index 00f665f4..49c6b473 100644 --- a/skills/performing-container-escape-detection/SKILL.md +++ b/skills/performing-container-escape-detection/SKILL.md 
@@ -1,16 +1,25 @@ --- name: performing-container-escape-detection -description: > - Detects container escape attempts by analyzing namespace configurations, privileged - container checks, dangerous capability assignments, and host path mounts using the - kubernetes Python client. Identifies CVE-2022-0492 style escapes via cgroup abuse. - Use when auditing container security posture or investigating escape attempts. +description: 'Detects container escape attempts by analyzing namespace configurations, privileged container checks, dangerous + capability assignments, and host path mounts using the kubernetes Python client. Identifies CVE-2022-0492 style escapes + via cgroup abuse. Use when auditing container security posture or investigating escape attempts. + + ' domain: cybersecurity subdomain: container-security -tags: [performing, container, escape, detection] -version: "1.0" +tags: +- performing +- container +- escape +- detection +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.PS-01 +- PR.IR-01 +- ID.AM-08 +- DE.CM-01 --- # Performing Container Escape Detection diff --git a/skills/performing-container-image-hardening/SKILL.md b/skills/performing-container-image-hardening/SKILL.md index b6b2ee06..33e8e207 100644 --- a/skills/performing-container-image-hardening/SKILL.md +++ b/skills/performing-container-image-hardening/SKILL.md 
@@ -1,15 +1,27 @@ --- name: performing-container-image-hardening -description: > - This skill covers hardening container images by minimizing attack surface, removing - unnecessary packages, implementing multi-stage builds, configuring non-root users, - and applying CIS Docker Benchmark recommendations to produce secure production-ready images. +description: 'This skill covers hardening container images by minimizing attack surface, removing unnecessary packages, implementing + multi-stage builds, configuring non-root users, and applying CIS Docker Benchmark recommendations to produce secure production-ready + images. + + ' domain: cybersecurity subdomain: devsecops -tags: [devsecops, cicd, container-hardening, docker, cis-benchmark, secure-sdlc] +tags: +- devsecops +- cicd +- container-hardening +- docker +- cis-benchmark +- secure-sdlc version: 1.0.0 author: mahipal license: Apache-2.0 +nist_csf: +- PR.PS-01 +- GV.SC-07 +- ID.IM-04 +- PR.PS-04 --- # Performing Container Image Hardening diff --git a/skills/performing-container-security-scanning-with-trivy/SKILL.md b/skills/performing-container-security-scanning-with-trivy/SKILL.md index 816ee7e8..411932a5 100644 --- a/skills/performing-container-security-scanning-with-trivy/SKILL.md +++ b/skills/performing-container-security-scanning-with-trivy/SKILL.md 
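Review bot: `version: 1.0.0` is the only unquoted version value left in this commit, while every other file was normalized to `version: '1.0'`; `1.0.0` happens to parse as a string because it is not a valid float, so there is no type trap, but the inconsistency suggests the normalizer only rewrote values it had parsed as `1.0`. Quote it as `version: '1.0.0'` (or align it to `'1.0'` if the scheme is meant to be uniform) so the field has one shape across the corpus.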
@@ -1,12 +1,26 @@ --- name: performing-container-security-scanning-with-trivy -description: Scan container images, filesystems, and Kubernetes manifests for vulnerabilities, misconfigurations, exposed secrets, and license compliance issues using Aqua Security Trivy with SBOM generation and CI/CD integration. +description: Scan container images, filesystems, and Kubernetes manifests for vulnerabilities, misconfigurations, exposed + secrets, and license compliance issues using Aqua Security Trivy with SBOM generation and CI/CD integration. domain: cybersecurity subdomain: container-security -tags: [trivy, container-security, vulnerability-scanning, sbom, docker, kubernetes, devsecops, supply-chain] -version: "1.0" +tags: +- trivy +- container-security +- vulnerability-scanning +- sbom +- docker +- kubernetes +- devsecops +- supply-chain +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.PS-01 +- PR.IR-01 +- ID.AM-08 +- DE.CM-01 --- # Performing Container Security Scanning with Trivy diff --git a/skills/performing-content-security-policy-bypass/SKILL.md b/skills/performing-content-security-policy-bypass/SKILL.md index 4d86a5e7..c81ba173 100644 --- a/skills/performing-content-security-policy-bypass/SKILL.md +++ b/skills/performing-content-security-policy-bypass/SKILL.md 
@@ -1,12 +1,25 @@ --- name: performing-content-security-policy-bypass -description: Analyze and bypass Content Security Policy implementations to achieve cross-site scripting by exploiting misconfigurations, JSONP endpoints, unsafe directives, and policy injection techniques. +description: Analyze and bypass Content Security Policy implementations to achieve cross-site scripting by exploiting misconfigurations, + JSONP endpoints, unsafe directives, and policy injection techniques. domain: cybersecurity subdomain: web-application-security -tags: [csp-bypass, content-security-policy, xss, script-injection, nonce-bypass, jsonp, policy-misconfiguration] -version: "1.0" +tags: +- csp-bypass +- content-security-policy +- xss +- script-injection +- nonce-bypass +- jsonp +- policy-misconfiguration +version: '1.0' author: mahipal license: Apache-2.0 +nist_csf: +- PR.PS-01 +- ID.RA-01 +- PR.DS-10 +- DE.CM-01 --- # Performing Content Security Policy Bypass diff --git a/skills/performing-credential-access-with-lazagne/SKILL.md b/skills/performing-credential-access-with-lazagne/SKILL.md index 345c2440..251d92b9 100644 --- a/skills/performing-credential-access-with-lazagne/SKILL.md +++ b/skills/performing-credential-access-with-lazagne/SKILL.md @@ -21,6 +21,10 @@ d3fend_techniques: - File Content Analysis - Platform Hardening - File Format Verification +nist_csf: +- ID.RA-01 +- GV.OV-02 +- DE.AE-07 --- # Performing Credential Access with LaZagne diff --git a/skills/performing-cryptographic-audit-of-application/SKILL.md b/skills/performing-cryptographic-audit-of-application/SKILL.md index de5a1669..295e8ab4 100644 --- a/skills/performing-cryptographic-audit-of-application/SKILL.md +++ b/skills/performing-cryptographic-audit-of-application/SKILL.md 
@@ -1,12 +1,22 @@
 ---
 name: performing-cryptographic-audit-of-application
-description: A cryptographic audit systematically reviews an application's use of cryptographic primitives, protocols, and key management to identify vulnerabilities such as weak algorithms, insecure modes, hardco
+description: A cryptographic audit systematically reviews an application's use of cryptographic primitives, protocols, and
+ key management to identify vulnerabilities such as weak algorithms, insecure modes, hardco
 domain: cybersecurity
 subdomain: cryptography
-tags: [cryptography, audit, security-review, compliance, vulnerability-assessment]
-version: "1.0"
+tags:
+- cryptography
+- audit
+- security-review
+- compliance
+- vulnerability-assessment
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- PR.DS-10
 ---
 
 # Performing Cryptographic Audit of Application
diff --git a/skills/performing-csrf-attack-simulation/SKILL.md b/skills/performing-csrf-attack-simulation/SKILL.md
index 4c1f1afd..521ae714 100644
--- a/skills/performing-csrf-attack-simulation/SKILL.md
+++ b/skills/performing-csrf-attack-simulation/SKILL.md
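Review bot: The re-wrapped `description` still ends mid-word at `insecure modes, hardco`, so the new side carries a value that was already truncated before this commit and is now frozen in the new layout. The same cut-off survives in the dark-web-monitoring hunk (`leaked cre`), the docker-bench hunk (`host confi`) and the hashcat hunk (`300 hash types w`). Because the description is the field a consumer indexes a skill by, each should be completed or trimmed back to the last full sentence, e.g. `description: A cryptographic audit systematically reviews an application's use of cryptographic primitives, protocols, and key management to identify vulnerabilities.` The uniform cut looks like a fixed-length limit in whatever produced these files rather than something the re-wrap did; it is worth checking that source before fixing by hand.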
@@ -1,12 +1,24 @@
 ---
 name: performing-csrf-attack-simulation
-description: Testing web applications for Cross-Site Request Forgery vulnerabilities by crafting forged requests that exploit authenticated user sessions during authorized security assessments.
+description: Testing web applications for Cross-Site Request Forgery vulnerabilities by crafting forged requests that exploit
+ authenticated user sessions during authorized security assessments.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, csrf, owasp, web-security, session-management, burpsuite]
-version: "1.0"
+tags:
+- penetration-testing
+- csrf
+- owasp
+- web-security
+- session-management
+- burpsuite
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Performing CSRF Attack Simulation
diff --git a/skills/performing-cve-prioritization-with-kev-catalog/SKILL.md b/skills/performing-cve-prioritization-with-kev-catalog/SKILL.md
index 7ab32cd5..46f80df6 100644
--- a/skills/performing-cve-prioritization-with-kev-catalog/SKILL.md
+++ b/skills/performing-cve-prioritization-with-kev-catalog/SKILL.md
@@ -23,6 +23,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 
 # Performing CVE Prioritization with KEV Catalog
diff --git a/skills/performing-dark-web-monitoring-for-threats/SKILL.md b/skills/performing-dark-web-monitoring-for-threats/SKILL.md
index cd06b0f8..116c20ef 100644
--- a/skills/performing-dark-web-monitoring-for-threats/SKILL.md
+++ b/skills/performing-dark-web-monitoring-for-threats/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: performing-dark-web-monitoring-for-threats
-description: Dark web monitoring involves systematically scanning Tor hidden services, underground forums, paste sites, and dark web marketplaces to identify threats targeting an organization, including leaked cre
+description: Dark web monitoring involves systematically scanning Tor hidden services, underground forums, paste sites, and
+ dark web marketplaces to identify threats targeting an organization, including leaked cre
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, dark-web, tor, threat-monitoring]
-version: "1.0"
+tags:
+- threat-intelligence
+- cti
+- ioc
+- mitre-attack
+- stix
+- dark-web
+- tor
+- threat-monitoring
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Performing Dark Web Monitoring for Threats
diff --git a/skills/performing-deception-technology-deployment/SKILL.md b/skills/performing-deception-technology-deployment/SKILL.md
index 3984e13a..6c223965 100644
--- a/skills/performing-deception-technology-deployment/SKILL.md
+++ b/skills/performing-deception-technology-deployment/SKILL.md
@@ -1,16 +1,29 @@
 ---
 name: performing-deception-technology-deployment
-description: >
- Deploys deception technology including honeypots, honeytokens, and decoy systems to detect
- attackers who have bypassed perimeter defenses, providing high-fidelity alerts with near-zero
- false positive rates. Use when SOC teams need early warning of lateral movement, credential abuse,
- or internal reconnaissance by deploying convincing traps across the network.
+description: 'Deploys deception technology including honeypots, honeytokens, and decoy systems to detect attackers who have
+ bypassed perimeter defenses, providing high-fidelity alerts with near-zero false positive rates. Use when SOC teams need
+ early warning of lateral movement, credential abuse, or internal reconnaissance by deploying convincing traps across the
+ network.
+
+ '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, deception, honeypot, honeytoken, canary, lateral-movement, detection]
-version: "1.0"
+tags:
+- soc
+- deception
+- honeypot
+- honeytoken
+- canary
+- lateral-movement
+- detection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 
 # Performing Deception Technology Deployment
diff --git a/skills/performing-directory-traversal-testing/SKILL.md b/skills/performing-directory-traversal-testing/SKILL.md
index 21c854d1..d905b274 100644
--- a/skills/performing-directory-traversal-testing/SKILL.md
+++ b/skills/performing-directory-traversal-testing/SKILL.md
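Review bot: The folded block `description: >` is replaced by a single-quoted scalar that runs over four continuation lines and is closed by an empty line followed by `'`; that empty line is what encodes the trailing newline the old `>` block produced, so the parsed value is unchanged, but the result is considerably harder to read and to edit safely than the block scalar it replaces. Keeping `description: >` (or `>-` if the trailing newline is not actually wanted, which would change the value) is the conventional form for long prose and is what yamllint and Prettier emit. The same re-dump appears in the disk-forensics, dns-enumeration, dns-tunneling, android dynamic analysis, endpoint-forensics, endpoint-vulnerability-remediation, sailpoint, binwalk, firmware-malware and graphql-introspection hunks. If this output comes from a YAML dumper, configuring its default style for long strings to block scalars would fix all of them in one place.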
@@ -1,12 +1,24 @@
 ---
 name: performing-directory-traversal-testing
-description: Testing web applications for path traversal vulnerabilities that allow reading or writing arbitrary files on the server by manipulating file path parameters.
+description: Testing web applications for path traversal vulnerabilities that allow reading or writing arbitrary files on
+ the server by manipulating file path parameters.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, directory-traversal, path-traversal, lfi, owasp, web-security]
-version: "1.0"
+tags:
+- penetration-testing
+- directory-traversal
+- path-traversal
+- lfi
+- owasp
+- web-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Performing Directory Traversal Testing
diff --git a/skills/performing-disk-forensics-investigation/SKILL.md b/skills/performing-disk-forensics-investigation/SKILL.md
index 18b7a2eb..d9bf3301 100644
--- a/skills/performing-disk-forensics-investigation/SKILL.md
+++ b/skills/performing-disk-forensics-investigation/SKILL.md
@@ -1,19 +1,32 @@
 ---
 name: performing-disk-forensics-investigation
-description: >
- Conducts disk forensics investigations using forensic imaging, file system analysis,
- artifact recovery, and timeline reconstruction to support incident response cases.
- Utilizes tools such as FTK Imager, Autopsy, and The Sleuth Kit for evidence acquisition,
- deleted file recovery, and artifact examination. Activates for requests involving disk
- forensics, hard drive analysis, forensic imaging, file recovery, evidence acquisition,
- or digital forensic investigation.
+description: 'Conducts disk forensics investigations using forensic imaging, file system analysis, artifact recovery, and
+ timeline reconstruction to support incident response cases. Utilizes tools such as FTK Imager, Autopsy, and The Sleuth Kit
+ for evidence acquisition, deleted file recovery, and artifact examination. Activates for requests involving disk forensics,
+ hard drive analysis, forensic imaging, file recovery, evidence acquisition, or digital forensic investigation.
+
+ '
 domain: cybersecurity
 subdomain: incident-response
-tags: [disk-forensics, forensic-imaging, evidence-acquisition, file-recovery, chain-of-custody]
-mitre_attack: ["T1070", "T1027", "T1036", "T1564"]
+tags:
+- disk-forensics
+- forensic-imaging
+- evidence-acquisition
+- file-recovery
+- chain-of-custody
+mitre_attack:
+- T1070
+- T1027
+- T1036
+- T1564
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 
 # Performing Disk Forensics Investigation
diff --git a/skills/performing-dmarc-policy-enforcement-rollout/SKILL.md b/skills/performing-dmarc-policy-enforcement-rollout/SKILL.md
index d408c33a..33afab4c 100644
--- a/skills/performing-dmarc-policy-enforcement-rollout/SKILL.md
+++ b/skills/performing-dmarc-policy-enforcement-rollout/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: performing-dmarc-policy-enforcement-rollout
-description: Execute a phased DMARC rollout from p=none monitoring through p=quarantine to p=reject enforcement, ensuring all legitimate email sources are authenticated before blocking unauthorized senders.
+description: Execute a phased DMARC rollout from p=none monitoring through p=quarantine to p=reject enforcement, ensuring
+ all legitimate email sources are authenticated before blocking unauthorized senders.
 domain: cybersecurity
 subdomain: phishing-defense
-tags: [dmarc, spf, dkim, email-authentication, anti-spoofing, phishing, dns, email-security]
-version: "1.0"
+tags:
+- dmarc
+- spf
+- dkim
+- email-authentication
+- anti-spoofing
+- phishing
+- dns
+- email-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
+- DE.AE-02
 ---
 
 # Performing DMARC Policy Enforcement Rollout
diff --git a/skills/performing-dns-enumeration-and-zone-transfer/SKILL.md b/skills/performing-dns-enumeration-and-zone-transfer/SKILL.md
index e689bd5e..5f450f8e 100644
--- a/skills/performing-dns-enumeration-and-zone-transfer/SKILL.md
+++ b/skills/performing-dns-enumeration-and-zone-transfer/SKILL.md
@@ -1,15 +1,25 @@
 ---
 name: performing-dns-enumeration-and-zone-transfer
-description: >
- Enumerates DNS records, attempts zone transfers, brute-forces subdomains, and
- maps DNS infrastructure during authorized reconnaissance to identify attack surface,
- misconfigurations, and information disclosure in target domains.
+description: 'Enumerates DNS records, attempts zone transfers, brute-forces subdomains, and maps DNS infrastructure during
+ authorized reconnaissance to identify attack surface, misconfigurations, and information disclosure in target domains.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, dns, enumeration, zone-transfer, reconnaissance]
-version: "1.0"
+tags:
+- network-security
+- dns
+- enumeration
+- zone-transfer
+- reconnaissance
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Performing DNS Enumeration and Zone Transfer
diff --git a/skills/performing-dns-tunneling-detection/SKILL.md b/skills/performing-dns-tunneling-detection/SKILL.md
index 259cafcc..15dedd7d 100644
--- a/skills/performing-dns-tunneling-detection/SKILL.md
+++ b/skills/performing-dns-tunneling-detection/SKILL.md
@@ -1,16 +1,25 @@
 ---
 name: performing-dns-tunneling-detection
-description: >
- Detects DNS tunneling by computing Shannon entropy of DNS query names, analyzing
- query length distributions, inspecting TXT record payloads, and identifying high
- subdomain cardinality. Uses scapy for packet capture analysis and statistical methods
- to distinguish legitimate DNS from covert channels. Use when hunting for data exfiltration.
+description: 'Detects DNS tunneling by computing Shannon entropy of DNS query names, analyzing query length distributions,
+ inspecting TXT record payloads, and identifying high subdomain cardinality. Uses scapy for packet capture analysis and statistical
+ methods to distinguish legitimate DNS from covert channels. Use when hunting for data exfiltration.
+
+ '
 domain: cybersecurity
 subdomain: security-operations
-tags: [performing, dns, tunneling, detection]
-version: "1.0"
+tags:
+- performing
+- dns
+- tunneling
+- detection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
 
 # Performing DNS Tunneling Detection
diff --git a/skills/performing-docker-bench-security-assessment/SKILL.md b/skills/performing-docker-bench-security-assessment/SKILL.md
index b70607c8..4b49fe13 100644
--- a/skills/performing-docker-bench-security-assessment/SKILL.md
+++ b/skills/performing-docker-bench-security-assessment/SKILL.md
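Review bot: `- performing` in the new `tags` list carries no topical meaning; it reads as the first token of the skill name rather than a subject tag, and it is the only tag of that kind in the hunks visible here, so it looks like a generated list that was never curated. Since the commit rewrites this list anyway, dropping that entry or replacing it with a subject term such as `- exfiltration` would keep the tags useful for search and filtering. The existing `dns`, `tunneling` and `detection` entries are fine.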
@@ -1,12 +1,23 @@
 ---
 name: performing-docker-bench-security-assessment
-description: Docker Bench for Security is an open-source script that checks dozens of common best practices around deploying Docker containers in production. Based on the CIS Docker Benchmark, it audits host confi
+description: Docker Bench for Security is an open-source script that checks dozens of common best practices around deploying
+ Docker containers in production. Based on the CIS Docker Benchmark, it audits host confi
 domain: cybersecurity
 subdomain: container-security
-tags: [containers, docker, security, CIS-benchmark, assessment]
-version: "1.0"
+tags:
+- containers
+- docker
+- security
+- CIS-benchmark
+- assessment
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 
 # Performing Docker Bench Security Assessment
diff --git a/skills/performing-dynamic-analysis-of-android-app/SKILL.md b/skills/performing-dynamic-analysis-of-android-app/SKILL.md
index 2b5364d3..b4c95f2b 100644
--- a/skills/performing-dynamic-analysis-of-android-app/SKILL.md
+++ b/skills/performing-dynamic-analysis-of-android-app/SKILL.md
@@ -1,18 +1,29 @@
 ---
 name: performing-dynamic-analysis-of-android-app
-description: >
- Performs runtime dynamic analysis of Android applications using Frida, Objection, and Android
- Debug Bridge to observe application behavior during execution, intercept function calls, modify
- runtime values, and identify vulnerabilities that static analysis misses. Use when testing Android
- apps for runtime security flaws, hooking sensitive methods, bypassing client-side protections,
- or analyzing obfuscated applications. Activates for requests involving Android dynamic analysis,
+description: 'Performs runtime dynamic analysis of Android applications using Frida, Objection, and Android Debug Bridge to
+ observe application behavior during execution, intercept function calls, modify runtime values, and identify vulnerabilities
+ that static analysis misses. Use when testing Android apps for runtime security flaws, hooking sensitive methods, bypassing
+ client-side protections, or analyzing obfuscated applications. Activates for requests involving Android dynamic analysis,
 runtime hooking, Frida Android instrumentation, or live app behavior analysis.
+
+ '
 domain: cybersecurity
 subdomain: mobile-security
 author: mahipal
-tags: [mobile-security, android, frida, dynamic-analysis, owasp-mobile, penetration-testing]
+tags:
+- mobile-security
+- android
+- frida
+- dynamic-analysis
+- owasp-mobile
+- penetration-testing
 version: 1.0.0
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.AA-05
+- ID.RA-01
+- DE.CM-09
 ---
 
 # Performing Dynamic Analysis of Android App
diff --git a/skills/performing-dynamic-analysis-with-any-run/SKILL.md b/skills/performing-dynamic-analysis-with-any-run/SKILL.md
index 5ce304b3..d7db2822 100644
--- a/skills/performing-dynamic-analysis-with-any-run/SKILL.md
+++ b/skills/performing-dynamic-analysis-with-any-run/SKILL.md
@@ -22,6 +22,11 @@ d3fend_techniques:
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 
 # Performing Dynamic Analysis with ANY.RUN
diff --git a/skills/performing-endpoint-forensics-investigation/SKILL.md b/skills/performing-endpoint-forensics-investigation/SKILL.md
index a51d1e22..760570d3 100644
--- a/skills/performing-endpoint-forensics-investigation/SKILL.md
+++ b/skills/performing-endpoint-forensics-investigation/SKILL.md
@@ -1,17 +1,28 @@
 ---
 name: performing-endpoint-forensics-investigation
-description: >
- Performs digital forensics investigation on compromised endpoints including memory acquisition,
- disk imaging, artifact analysis, and timeline reconstruction. Use when investigating security
- incidents, collecting evidence for legal proceedings, or analyzing endpoint compromise scope.
- Activates for requests involving endpoint forensics, memory analysis, disk forensics, or
- incident investigation.
+description: 'Performs digital forensics investigation on compromised endpoints including memory acquisition, disk imaging,
+ artifact analysis, and timeline reconstruction. Use when investigating security incidents, collecting evidence for legal
+ proceedings, or analyzing endpoint compromise scope. Activates for requests involving endpoint forensics, memory analysis,
+ disk forensics, or incident investigation.
+
+ '
 domain: cybersecurity
 subdomain: endpoint-security
-tags: [endpoint, forensics, memory-analysis, disk-imaging, incident-investigation, Volatility]
+tags:
+- endpoint
+- forensics
+- memory-analysis
+- disk-imaging
+- incident-investigation
+- Volatility
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.PS-02
+- DE.CM-01
+- PR.IR-01
 ---
 
 # Performing Endpoint Forensics Investigation
diff --git a/skills/performing-endpoint-vulnerability-remediation/SKILL.md b/skills/performing-endpoint-vulnerability-remediation/SKILL.md
index 07b9fb8c..59ce660c 100644
--- a/skills/performing-endpoint-vulnerability-remediation/SKILL.md
+++ b/skills/performing-endpoint-vulnerability-remediation/SKILL.md
@@ -1,17 +1,28 @@
 ---
 name: performing-endpoint-vulnerability-remediation
-description: >
- Performs vulnerability remediation on endpoints by prioritizing CVEs based on risk scoring,
- deploying patches, applying configuration changes, and validating fixes. Use when remediating
- findings from vulnerability scans, responding to critical CVE advisories, or maintaining
- endpoint compliance with patch management SLAs. Activates for requests involving vulnerability
- remediation, CVE patching, endpoint vulnerability management, or security fix deployment.
+description: 'Performs vulnerability remediation on endpoints by prioritizing CVEs based on risk scoring, deploying patches,
+ applying configuration changes, and validating fixes. Use when remediating findings from vulnerability scans, responding
+ to critical CVE advisories, or maintaining endpoint compliance with patch management SLAs. Activates for requests involving
+ vulnerability remediation, CVE patching, endpoint vulnerability management, or security fix deployment.
+
+ '
 domain: cybersecurity
 subdomain: endpoint-security
-tags: [endpoint, vulnerability-management, patching, CVE, remediation, CVSS]
+tags:
+- endpoint
+- vulnerability-management
+- patching
+- CVE
+- remediation
+- CVSS
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.PS-02
+- DE.CM-01
+- PR.IR-01
 ---
 
 # Performing Endpoint Vulnerability Remediation
diff --git a/skills/performing-entitlement-review-with-sailpoint-iiq/SKILL.md b/skills/performing-entitlement-review-with-sailpoint-iiq/SKILL.md
index ae79c275..d3a0778a 100644
--- a/skills/performing-entitlement-review-with-sailpoint-iiq/SKILL.md
+++ b/skills/performing-entitlement-review-with-sailpoint-iiq/SKILL.md
@@ -1,17 +1,28 @@
 ---
 name: performing-entitlement-review-with-sailpoint-iiq
-description: >
- Performs entitlement review and access certification campaigns using SailPoint IdentityIQ
- including manager certifications, targeted entitlement reviews, role-based access validation,
- SOD violation remediation, and automated revocation workflows.
- Activates for requests involving access reviews, entitlement certifications, SailPoint IIQ
- governance, or periodic user access recertification.
+description: 'Performs entitlement review and access certification campaigns using SailPoint IdentityIQ including manager
+ certifications, targeted entitlement reviews, role-based access validation, SOD violation remediation, and automated revocation
+ workflows. Activates for requests involving access reviews, entitlement certifications, SailPoint IIQ governance, or periodic
+ user access recertification.
+
+ '
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [SailPoint, IdentityIQ, access-review, entitlement-certification, IGA, access-governance]
-version: "1.0"
+tags:
+- SailPoint
+- IdentityIQ
+- access-review
+- entitlement-certification
+- IGA
+- access-governance
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Performing Entitlement Review with SailPoint IdentityIQ
diff --git a/skills/performing-external-network-penetration-test/SKILL.md b/skills/performing-external-network-penetration-test/SKILL.md
index ad2a857f..58affa0b 100644
--- a/skills/performing-external-network-penetration-test/SKILL.md
+++ b/skills/performing-external-network-penetration-test/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: performing-external-network-penetration-test
-description: Conduct a comprehensive external network penetration test to identify vulnerabilities in internet-facing infrastructure using PTES methodology, reconnaissance, scanning, exploitation, and reporting.
+description: Conduct a comprehensive external network penetration test to identify vulnerabilities in internet-facing infrastructure
+ using PTES methodology, reconnaissance, scanning, exploitation, and reporting.
 domain: cybersecurity
 subdomain: penetration-testing
-tags: [external-pentest, network-security, PTES, OSSTMM, Nmap, Metasploit, vulnerability-assessment, reconnaissance, exploitation]
-version: "1.0"
+tags:
+- external-pentest
+- network-security
+- PTES
+- OSSTMM
+- Nmap
+- Metasploit
+- vulnerability-assessment
+- reconnaissance
+- exploitation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Performing External Network Penetration Test
diff --git a/skills/performing-false-positive-reduction-in-siem/SKILL.md b/skills/performing-false-positive-reduction-in-siem/SKILL.md
index e909926a..a01934e8 100644
--- a/skills/performing-false-positive-reduction-in-siem/SKILL.md
+++ b/skills/performing-false-positive-reduction-in-siem/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - Password Authentication
 - Reissue Credential
 - Strong Password Policy
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 
 # Performing False Positive Reduction in SIEM
diff --git a/skills/performing-file-carving-with-foremost/SKILL.md b/skills/performing-file-carving-with-foremost/SKILL.md
index e8905ff8..ec6bb857 100644
--- a/skills/performing-file-carving-with-foremost/SKILL.md
+++ b/skills/performing-file-carving-with-foremost/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: performing-file-carving-with-foremost
-description: Recover files from disk images and unallocated space using Foremost's header-footer signature carving to extract evidence regardless of file system state.
+description: Recover files from disk images and unallocated space using Foremost's header-footer signature carving to extract
+ evidence regardless of file system state.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, file-carving, foremost, data-recovery, evidence-recovery, unallocated-space]
-version: "1.0"
+tags:
+- forensics
+- file-carving
+- foremost
+- data-recovery
+- evidence-recovery
+- unallocated-space
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 
 # Performing File Carving with Foremost
diff --git a/skills/performing-firmware-extraction-with-binwalk/SKILL.md b/skills/performing-firmware-extraction-with-binwalk/SKILL.md
index 71283597..db878244 100644
--- a/skills/performing-firmware-extraction-with-binwalk/SKILL.md
+++ b/skills/performing-firmware-extraction-with-binwalk/SKILL.md
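Review bot: `- RS.AN-01` in the new `nist_csf` list does not fit the CSF 2.0 numbering the other three entries use: as far as I recall, the 2.0 Analysis category keeps only RS.AN-03 and RS.AN-06 through RS.AN-08, and RS.AN-01 is a CSF 1.1 subcategory that 2.0 folded into DE.AE-02 and RS.MA-02, while the two-digit `-01` spelling and `RS.MA-01` itself are 2.0 forms. If the mapping is meant to be 2.0 throughout, that entry should be dropped or replaced; if the 1.1 reference is intentional, a comment such as `# RS.AN-01 kept from the CSF 1.1 mapping` above the line would make that visible to the next editor. These identifiers are free-form strings and nothing in the diff validates them, so a CI check that every `nist_csf` value appears in a committed list of known subcategory IDs would catch this kind of drift across all the files this commit touches.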
@@ -1,19 +1,28 @@
 ---
 name: performing-firmware-extraction-with-binwalk
-description: >
- Performs firmware image extraction and analysis using binwalk to identify embedded
- filesystems, compressed archives, bootloaders, kernel images, and cryptographic
- material. Covers entropy analysis for detecting encrypted or compressed regions,
- recursive extraction of nested archives, SquashFS/CramFS/JFFS2 filesystem mounting,
- and string analysis for credential and configuration discovery. Activates for requests
- involving firmware reverse engineering, IoT device analysis, embedded system security
- assessment, or router/camera firmware extraction.
+description: 'Performs firmware image extraction and analysis using binwalk to identify embedded filesystems, compressed archives,
+ bootloaders, kernel images, and cryptographic material. Covers entropy analysis for detecting encrypted or compressed regions,
+ recursive extraction of nested archives, SquashFS/CramFS/JFFS2 filesystem mounting, and string analysis for credential and
+ configuration discovery. Activates for requests involving firmware reverse engineering, IoT device analysis, embedded system
+ security assessment, or router/camera firmware extraction.
+
+ '
 domain: cybersecurity
 subdomain: firmware-analysis
-tags: [firmware, binwalk, extraction, entropy, IoT-security, reverse-engineering]
+tags:
+- firmware
+- binwalk
+- extraction
+- entropy
+- IoT-security
+- reverse-engineering
 version: 1.0.0
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- PR.PS-01
+- DE.AE-02
 ---
 
 # Performing Firmware Extraction with Binwalk
diff --git a/skills/performing-firmware-malware-analysis/SKILL.md b/skills/performing-firmware-malware-analysis/SKILL.md
index 31cad719..baec9d0e 100644
--- a/skills/performing-firmware-malware-analysis/SKILL.md
+++ b/skills/performing-firmware-malware-analysis/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: performing-firmware-malware-analysis
-description: >
- Analyzes firmware images for embedded malware, backdoors, and unauthorized modifications
- targeting routers, IoT devices, UEFI/BIOS, and embedded systems. Covers firmware extraction,
- filesystem analysis, binary reverse engineering, and bootkit detection. Activates for
- requests involving firmware security analysis, IoT malware investigation, UEFI rootkit
+description: 'Analyzes firmware images for embedded malware, backdoors, and unauthorized modifications targeting routers,
+ IoT devices, UEFI/BIOS, and embedded systems. Covers firmware extraction, filesystem analysis, binary reverse engineering,
+ and bootkit detection. Activates for requests involving firmware security analysis, IoT malware investigation, UEFI rootkit
 detection, or embedded device compromise assessment.
+
+ '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, firmware, IoT, UEFI, embedded-security]
+tags:
+- malware
+- firmware
+- IoT
+- UEFI
+- embedded-security
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 
 # Performing Firmware Malware Analysis
diff --git a/skills/performing-fuzzing-with-aflplusplus/SKILL.md b/skills/performing-fuzzing-with-aflplusplus/SKILL.md
index 14857b12..433f970d 100644
--- a/skills/performing-fuzzing-with-aflplusplus/SKILL.md
+++ b/skills/performing-fuzzing-with-aflplusplus/SKILL.md
@@ -27,6 +27,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.PS-01
+- PR.PS-04
+- ID.RA-01
+- PR.DS-10
 ---
 
 # Performing Fuzzing with AFL++
diff --git a/skills/performing-gcp-penetration-testing-with-gcpbucketbrute/SKILL.md b/skills/performing-gcp-penetration-testing-with-gcpbucketbrute/SKILL.md
index 665ece09..f9e9fe5d 100644
--- a/skills/performing-gcp-penetration-testing-with-gcpbucketbrute/SKILL.md
+++ b/skills/performing-gcp-penetration-testing-with-gcpbucketbrute/SKILL.md
@@ -22,6 +22,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Performing GCP Penetration Testing with GCPBucketBrute
diff --git a/skills/performing-gcp-security-assessment-with-forseti/SKILL.md b/skills/performing-gcp-security-assessment-with-forseti/SKILL.md
index 411d1f55..387bcee4 100644
--- a/skills/performing-gcp-security-assessment-with-forseti/SKILL.md
+++ b/skills/performing-gcp-security-assessment-with-forseti/SKILL.md
@@ -27,6 +27,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Performing GCP Security Assessment with Forseti
diff --git a/skills/performing-graphql-depth-limit-attack/SKILL.md b/skills/performing-graphql-depth-limit-attack/SKILL.md
index 30083aa3..8a15e903 100644
--- a/skills/performing-graphql-depth-limit-attack/SKILL.md
+++ b/skills/performing-graphql-depth-limit-attack/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: performing-graphql-depth-limit-attack
-description: Execute and test GraphQL depth limit attacks using deeply nested recursive queries to identify denial-of-service vulnerabilities in GraphQL APIs.
+description: Execute and test GraphQL depth limit attacks using deeply nested recursive queries to identify denial-of-service
+ vulnerabilities in GraphQL APIs.
 domain: cybersecurity
 subdomain: api-security
-tags: [graphql, depth-limit, denial-of-service, nested-queries, api-security, query-complexity, resource-exhaustion, penetration-testing]
-version: "1.0"
+tags:
+- graphql
+- depth-limit
+- denial-of-service
+- nested-queries
+- api-security
+- query-complexity
+- resource-exhaustion
+- penetration-testing
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Performing GraphQL Depth Limit Attack
diff --git a/skills/performing-graphql-introspection-attack/SKILL.md b/skills/performing-graphql-introspection-attack/SKILL.md
index 400cb87f..bbfa3eee 100644
--- a/skills/performing-graphql-introspection-attack/SKILL.md
+++ b/skills/performing-graphql-introspection-attack/SKILL.md
@@ -1,19 +1,28 @@
 ---
 name: performing-graphql-introspection-attack
-description: >
- Performs GraphQL introspection attacks to extract the full API schema including types, queries,
- mutations, subscriptions, and field definitions from GraphQL endpoints. The tester uses
- introspection queries to map the attack surface, identifies sensitive fields and mutations,
- tests for query depth and complexity limits, and exploits GraphQL-specific vulnerabilities
- including batching attacks, alias-based brute force, and nested query DoS. Activates for
- requests involving GraphQL security testing, introspection attack, GraphQL enumeration, or
- GraphQL API penetration testing.
+description: 'Performs GraphQL introspection attacks to extract the full API schema including types, queries, mutations, subscriptions,
+ and field definitions from GraphQL endpoints. The tester uses introspection queries to map the attack surface, identifies
+ sensitive fields and mutations, tests for query depth and complexity limits, and exploits GraphQL-specific vulnerabilities
+ including batching attacks, alias-based brute force, and nested query DoS. Activates for requests involving GraphQL security
+ testing, introspection attack, GraphQL enumeration, or GraphQL API penetration testing.
+
+ '
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, graphql, introspection, schema-extraction, query-abuse]
+tags:
+- api-security
+- graphql
+- introspection
+- schema-extraction
+- query-abuse
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Performing GraphQL Introspection Attack
diff --git a/skills/performing-graphql-security-assessment/SKILL.md b/skills/performing-graphql-security-assessment/SKILL.md
index 365f7001..c4ae018c 100644
--- a/skills/performing-graphql-security-assessment/SKILL.md
+++ b/skills/performing-graphql-security-assessment/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: performing-graphql-security-assessment
-description: Assessing GraphQL API endpoints for introspection leaks, injection attacks, authorization flaws, and denial-of-service vulnerabilities during authorized security tests.
+description: Assessing GraphQL API endpoints for introspection leaks, injection attacks, authorization flaws, and denial-of-service
+ vulnerabilities during authorized security tests.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, graphql, api-security, owasp, web-security, introspection]
-version: "1.0"
+tags:
+- penetration-testing
+- graphql
+- api-security
+- owasp
+- web-security
+- introspection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Performing GraphQL Security Assessment
diff --git a/skills/performing-hardware-security-module-integration/SKILL.md b/skills/performing-hardware-security-module-integration/SKILL.md
index 3f04bb69..fb5d369a 100644
--- a/skills/performing-hardware-security-module-integration/SKILL.md
+++ b/skills/performing-hardware-security-module-integration/SKILL.md
@@ -23,6 +23,10 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- PR.DS-10
 ---
 
 # Performing Hardware Security Module Integration
diff --git a/skills/performing-hash-cracking-with-hashcat/SKILL.md b/skills/performing-hash-cracking-with-hashcat/SKILL.md
index cafaaff2..5eaee1a6 100644
--- a/skills/performing-hash-cracking-with-hashcat/SKILL.md
+++ b/skills/performing-hash-cracking-with-hashcat/SKILL.md
@@ -1,12 +1,22 @@
 ---
 name: performing-hash-cracking-with-hashcat
-description: Hash cracking is an essential skill for penetration testers and security auditors to evaluate password strength. Hashcat is the world's fastest password recovery tool, supporting over 300 hash types w
+description: Hash cracking is an essential skill for penetration testers and security auditors to evaluate password strength.
+ Hashcat is the world's fastest password recovery tool, supporting over 300 hash types w
 domain: cybersecurity
 subdomain: cryptography
-tags: [cryptography, hash-cracking, password-security, hashcat, penetration-testing]
-version: "1.0"
+tags:
+- cryptography
+- hash-cracking
+- password-security
+- hashcat
+- penetration-testing
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- PR.DS-10
 ---
 
 # Performing Hash Cracking with Hashcat
diff --git a/skills/performing-http-parameter-pollution-attack/SKILL.md b/skills/performing-http-parameter-pollution-attack/SKILL.md
index a3d58cef..45bc07b6 100644
--- a/skills/performing-http-parameter-pollution-attack/SKILL.md
+++ b/skills/performing-http-parameter-pollution-attack/SKILL.md
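Review bot: The re-wrapped description still ends mid-word at `supporting over 300 hash types w`, so the commit carries a truncated description forward into the new layout; the sentence should be completed or cut cleanly before the break. The same pre-existing truncation is visible in the indicator-lifecycle-management hunk (`systematic processes f`), the kubernetes-penetration-testing hunk (`Using tools`) and the malware-ioc-extraction hunk (`URLs), regist`). The added `nist_csf` list is identical to the one given to hardware-security-module-integration in the preceding hunk (`PR.DS-01`, `PR.DS-02`, `PR.DS-10`), which are the data-at-rest, in-transit and in-use protection subcategories; for a skill whose stated purpose is evaluating password strength, the PR.AA identity-and-credential subcategories (PR.AA-05 is already used elsewhere in this commit) look like the more direct mapping. It is worth confirming the mapping was chosen for this skill rather than inherited from the subdomain.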
@@ -1,12 +1,25 @@
 ---
 name: performing-http-parameter-pollution-attack
-description: Execute HTTP Parameter Pollution attacks to bypass input validation, WAF rules, and security controls by injecting duplicate parameters that are processed differently by front-end and back-end systems.
+description: Execute HTTP Parameter Pollution attacks to bypass input validation, WAF rules, and security controls by injecting
+ duplicate parameters that are processed differently by front-end and back-end systems.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [http-parameter-pollution, hpp, waf-bypass, input-validation, web-security, parameter-injection, server-parsing]
-version: "1.0"
+tags:
+- http-parameter-pollution
+- hpp
+- waf-bypass
+- input-validation
+- web-security
+- parameter-injection
+- server-parsing
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Performing HTTP Parameter Pollution Attack
diff --git a/skills/performing-ics-asset-discovery-with-claroty/SKILL.md b/skills/performing-ics-asset-discovery-with-claroty/SKILL.md
index 33d8e287..8b61c40d 100644
--- a/skills/performing-ics-asset-discovery-with-claroty/SKILL.md
+++ b/skills/performing-ics-asset-discovery-with-claroty/SKILL.md
@@ -27,6 +27,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 
 # Performing ICS Asset Discovery with Claroty
diff --git a/skills/performing-indicator-lifecycle-management/SKILL.md b/skills/performing-indicator-lifecycle-management/SKILL.md
index 27f4c5a5..e8dd3e6c 100644
--- a/skills/performing-indicator-lifecycle-management/SKILL.md
+++ b/skills/performing-indicator-lifecycle-management/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-indicator-lifecycle-management
-description: Indicator lifecycle management tracks IOCs from initial discovery through validation, enrichment, deployment, monitoring, and eventual retirement. This skill covers implementing systematic processes f
+description: Indicator lifecycle management tracks IOCs from initial discovery through validation, enrichment, deployment,
+ monitoring, and eventual retirement. This skill covers implementing systematic processes f
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, indicator-lifecycle, ioc-management]
-version: "1.0"
+tags:
+- threat-intelligence
+- cti
+- ioc
+- mitre-attack
+- stix
+- indicator-lifecycle
+- ioc-management
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Performing Indicator Lifecycle Management
diff --git a/skills/performing-initial-access-with-evilginx3/SKILL.md b/skills/performing-initial-access-with-evilginx3/SKILL.md
index 64589234..a3b0bca9 100644
--- a/skills/performing-initial-access-with-evilginx3/SKILL.md
+++ b/skills/performing-initial-access-with-evilginx3/SKILL.md
@@ -21,6 +21,10 @@ d3fend_techniques:
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Performing Initial Access with EvilGinx3
diff --git a/skills/performing-insider-threat-investigation/SKILL.md b/skills/performing-insider-threat-investigation/SKILL.md
index 9ad2a2e3..e5f188c6 100644
--- a/skills/performing-insider-threat-investigation/SKILL.md
+++ b/skills/performing-insider-threat-investigation/SKILL.md
@@ -1,19 +1,32 @@
 ---
 name: performing-insider-threat-investigation
-description: >
- Investigates insider threat incidents involving employees, contractors, or trusted
- partners who misuse authorized access to steal data, sabotage systems, or violate
- security policies. Combines digital forensics, user behavior analytics, and HR/legal
- coordination to build an evidence-based case. Activates for requests involving insider
- threat investigation, employee data theft, privilege misuse, user behavior anomaly,
- or internal threat detection.
+description: 'Investigates insider threat incidents involving employees, contractors, or trusted partners who misuse authorized
+ access to steal data, sabotage systems, or violate security policies. Combines digital forensics, user behavior analytics,
+ and HR/legal coordination to build an evidence-based case. Activates for requests involving insider threat investigation,
+ employee data theft, privilege misuse, user behavior anomaly, or internal threat detection.
+
+ '
 domain: cybersecurity
 subdomain: incident-response
-tags: [insider-threat, user-behavior-analytics, data-exfiltration, privilege-misuse, DFIR]
-mitre_attack: ["T1078", "T1048", "T1567", "T1114"]
+tags:
+- insider-threat
+- user-behavior-analytics
+- data-exfiltration
+- privilege-misuse
+- DFIR
+mitre_attack:
+- T1078
+- T1048
+- T1567
+- T1114
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 
 # Performing Insider Threat Investigation
diff --git a/skills/performing-ioc-enrichment-automation/SKILL.md b/skills/performing-ioc-enrichment-automation/SKILL.md
index cfb4a0ac..32303af6 100644
--- a/skills/performing-ioc-enrichment-automation/SKILL.md
+++ b/skills/performing-ioc-enrichment-automation/SKILL.md
@@ -1,16 +1,29 @@
 ---
 name: performing-ioc-enrichment-automation
-description: >
- Automates Indicator of Compromise (IOC) enrichment by orchestrating lookups across VirusTotal,
- AbuseIPDB, Shodan, MISP, and other intelligence sources to provide contextual scoring and
- disposition recommendations. Use when SOC analysts need rapid multi-source enrichment of IPs,
- domains, URLs, and file hashes during alert triage or incident investigation.
+description: 'Automates Indicator of Compromise (IOC) enrichment by orchestrating lookups across VirusTotal, AbuseIPDB, Shodan,
+ MISP, and other intelligence sources to provide contextual scoring and disposition recommendations. Use when SOC analysts
+ need rapid multi-source enrichment of IPs, domains, URLs, and file hashes during alert triage or incident investigation.
+
+ '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, ioc, enrichment, automation, virustotal, abuseipdb, shodan, threat-intelligence]
-version: "1.0"
+tags:
+- soc
+- ioc
+- enrichment
+- automation
+- virustotal
+- abuseipdb
+- shodan
+- threat-intelligence
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 
 # Performing IOC Enrichment Automation
diff --git a/skills/performing-ios-app-security-assessment/SKILL.md b/skills/performing-ios-app-security-assessment/SKILL.md
index 62a3729b..c76d6d0c 100644
--- a/skills/performing-ios-app-security-assessment/SKILL.md
+++ b/skills/performing-ios-app-security-assessment/SKILL.md
@@ -1,19 +1,31 @@
 ---
 name: performing-ios-app-security-assessment
-description: >
- Performs comprehensive iOS application security assessments using Frida for dynamic
- instrumentation, Objection for runtime exploration, SSL pinning bypass for traffic
- interception, keychain extraction for credential analysis, and IPA static analysis
- for binary-level review. Use when conducting authorized iOS penetration tests, evaluating
- mobile app security posture against OWASP MASTG, or assessing iOS app data protection
- and transport security controls. Activates for requests involving iOS app pentesting,
- Frida-based iOS instrumentation, mobile app SSL pinning bypass, or IPA reverse engineering.
+description: 'Performs comprehensive iOS application security assessments using Frida for dynamic instrumentation, Objection
+ for runtime exploration, SSL pinning bypass for traffic interception, keychain extraction for credential analysis, and IPA
+ static analysis for binary-level review. Use when conducting authorized iOS penetration tests, evaluating mobile app security
+ posture against OWASP MASTG, or assessing iOS app data protection and transport security controls. Activates for requests
+ involving iOS app pentesting, Frida-based iOS instrumentation, mobile app SSL pinning bypass, or IPA reverse engineering.
+
+ '
 domain: cybersecurity
 subdomain: mobile-security
 author: mukul975
-tags: [mobile-security, ios, frida, objection, ssl-pinning, keychain, ipa-analysis, owasp-mastg]
+tags:
+- mobile-security
+- ios
+- frida
+- objection
+- ssl-pinning
+- keychain
+- ipa-analysis
+- owasp-mastg
 version: 1.0.0
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.AA-05
+- ID.RA-01
+- DE.CM-09
 ---
 
 # Performing iOS App Security Assessment
diff --git a/skills/performing-iot-security-assessment/SKILL.md b/skills/performing-iot-security-assessment/SKILL.md
index 0611f255..fcb5c269 100644
--- a/skills/performing-iot-security-assessment/SKILL.md
+++ b/skills/performing-iot-security-assessment/SKILL.md
@@ -1,18 +1,28 @@
 ---
 name: performing-iot-security-assessment
-description: >
- Performs comprehensive security assessments of IoT devices and their ecosystems by testing
- hardware interfaces, firmware, network communications, cloud APIs, and companion mobile
- applications. The tester uses firmware extraction and analysis, hardware debugging via UART
- and JTAG, network protocol analysis, and runtime exploitation to identify vulnerabilities
- across all layers of the IoT stack. Activates for requests involving IoT security testing,
- embedded device assessment, firmware security analysis, or smart device penetration testing.
+description: 'Performs comprehensive security assessments of IoT devices and their ecosystems by testing hardware interfaces,
+ firmware, network communications, cloud APIs, and companion mobile applications. The tester uses firmware extraction and
+ analysis, hardware debugging via UART and JTAG, network protocol analysis, and runtime exploitation to identify vulnerabilities
+ across all layers of the IoT stack. Activates for requests involving IoT security testing, embedded device assessment, firmware
+ security analysis, or smart device penetration testing.
+
+ '
 domain: cybersecurity
 subdomain: penetration-testing
-tags: [IoT-security, firmware-analysis, embedded-systems, hardware-hacking, UART-JTAG]
+tags:
+- IoT-security
+- firmware-analysis
+- embedded-systems
+- hardware-hacking
+- UART-JTAG
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Performing IoT Security Assessment
diff --git a/skills/performing-ip-reputation-analysis-with-shodan/SKILL.md b/skills/performing-ip-reputation-analysis-with-shodan/SKILL.md
index 8188b816..587a6005 100644
--- a/skills/performing-ip-reputation-analysis-with-shodan/SKILL.md
+++ b/skills/performing-ip-reputation-analysis-with-shodan/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: performing-ip-reputation-analysis-with-shodan
-description: Analyze IP address reputation using the Shodan API to identify open ports, running services, known vulnerabilities, and hosting context for threat intelligence enrichment and incident triage.
+description: Analyze IP address reputation using the Shodan API to identify open ports, running services, known vulnerabilities,
+ and hosting context for threat intelligence enrichment and incident triage.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [shodan, ip-reputation, enrichment, threat-intelligence, reconnaissance, vulnerability, api, internet-scanning]
-version: "1.0"
+tags:
+- shodan
+- ip-reputation
+- enrichment
+- threat-intelligence
+- reconnaissance
+- vulnerability
+- api
+- internet-scanning
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Performing IP Reputation Analysis with Shodan
diff --git a/skills/performing-jwt-none-algorithm-attack/SKILL.md b/skills/performing-jwt-none-algorithm-attack/SKILL.md
index f81917e8..f57ba279 100644
--- a/skills/performing-jwt-none-algorithm-attack/SKILL.md
+++ b/skills/performing-jwt-none-algorithm-attack/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: performing-jwt-none-algorithm-attack
-description: Execute and test the JWT none algorithm attack to bypass signature verification by manipulating the alg header field in JSON Web Tokens.
+description: Execute and test the JWT none algorithm attack to bypass signature verification by manipulating the alg header
+ field in JSON Web Tokens.
 domain: cybersecurity
 subdomain: api-security
-tags: [jwt, none-algorithm, authentication-bypass, token-manipulation, signature-bypass, penetration-testing, owasp, web-security]
-version: "1.0"
+tags:
+- jwt
+- none-algorithm
+- authentication-bypass
+- token-manipulation
+- signature-bypass
+- penetration-testing
+- owasp
+- web-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Performing JWT None Algorithm Attack
diff --git a/skills/performing-kerberoasting-attack/SKILL.md b/skills/performing-kerberoasting-attack/SKILL.md
index 299097bb..c9b6c666 100644
--- a/skills/performing-kerberoasting-attack/SKILL.md
+++ b/skills/performing-kerberoasting-attack/SKILL.md
@@ -22,6 +22,10 @@ d3fend_techniques:
 - Network Traffic Analysis
 - Client-server Payload Profiling
 - Network Traffic Community Deviation
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Performing Kerberoasting Attack
diff --git a/skills/performing-kubernetes-cis-benchmark-with-kube-bench/SKILL.md b/skills/performing-kubernetes-cis-benchmark-with-kube-bench/SKILL.md
index c8a0f207..1465522e 100644
--- a/skills/performing-kubernetes-cis-benchmark-with-kube-bench/SKILL.md
+++ b/skills/performing-kubernetes-cis-benchmark-with-kube-bench/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: performing-kubernetes-cis-benchmark-with-kube-bench
-description: Audit Kubernetes cluster security posture against CIS benchmarks using kube-bench with automated checks for control plane, worker nodes, and RBAC.
+description: Audit Kubernetes cluster security posture against CIS benchmarks using kube-bench with automated checks for control
+ plane, worker nodes, and RBAC.
 domain: cybersecurity
 subdomain: container-security
-tags: [kube-bench, cis-benchmark, kubernetes, compliance, hardening, aquasecurity]
-version: "1.0"
+tags:
+- kube-bench
+- cis-benchmark
+- kubernetes
+- compliance
+- hardening
+- aquasecurity
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 
 # Performing Kubernetes CIS Benchmark with kube-bench
diff --git a/skills/performing-kubernetes-etcd-security-assessment/SKILL.md b/skills/performing-kubernetes-etcd-security-assessment/SKILL.md
index badcb0fc..f68845bf 100644
--- a/skills/performing-kubernetes-etcd-security-assessment/SKILL.md
+++ b/skills/performing-kubernetes-etcd-security-assessment/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: performing-kubernetes-etcd-security-assessment
-description: Assess the security posture of Kubernetes etcd clusters by evaluating encryption at rest, TLS configuration, access controls, backup encryption, and network isolation.
+description: Assess the security posture of Kubernetes etcd clusters by evaluating encryption at rest, TLS configuration,
+ access controls, backup encryption, and network isolation.
 domain: cybersecurity
 subdomain: container-security
-tags: [kubernetes, etcd, encryption, tls, security-assessment, backup, secrets, control-plane]
-version: "1.0"
+tags:
+- kubernetes
+- etcd
+- encryption
+- tls
+- security-assessment
+- backup
+- secrets
+- control-plane
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 
 # Performing Kubernetes etcd Security Assessment
diff --git a/skills/performing-kubernetes-penetration-testing/SKILL.md b/skills/performing-kubernetes-penetration-testing/SKILL.md
index 22dfaa24..a9c95172 100644
--- a/skills/performing-kubernetes-penetration-testing/SKILL.md
+++ b/skills/performing-kubernetes-penetration-testing/SKILL.md
@@ -1,12 +1,23 @@
 ---
 name: performing-kubernetes-penetration-testing
-description: Kubernetes penetration testing systematically evaluates cluster security by simulating attacker techniques against the API server, kubelet, etcd, pods, RBAC, network policies, and secrets. Using tools
+description: Kubernetes penetration testing systematically evaluates cluster security by simulating attacker techniques against
+ the API server, kubelet, etcd, pods, RBAC, network policies, and secrets. Using tools
 domain: cybersecurity
 subdomain: container-security
-tags: [containers, kubernetes, security, penetration-testing, offensive-security]
-version: "1.0"
+tags:
+- containers
+- kubernetes
+- security
+- penetration-testing
+- offensive-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 
 # Performing Kubernetes Penetration Testing
diff --git a/skills/performing-lateral-movement-detection/SKILL.md b/skills/performing-lateral-movement-detection/SKILL.md
index 2ab5167e..3386bb54 100644
--- a/skills/performing-lateral-movement-detection/SKILL.md
+++ b/skills/performing-lateral-movement-detection/SKILL.md
@@ -26,6 +26,11 @@ d3fend_techniques:
 - Restore Access
 - Application Protocol Command Analysis
 - Process Termination
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 
 # Performing Lateral Movement Detection
diff --git a/skills/performing-lateral-movement-with-wmiexec/SKILL.md b/skills/performing-lateral-movement-with-wmiexec/SKILL.md
index e9e13072..584b9bb1 100644
--- a/skills/performing-lateral-movement-with-wmiexec/SKILL.md
+++ b/skills/performing-lateral-movement-with-wmiexec/SKILL.md
@@ -21,6 +21,10 @@ d3fend_techniques:
 - Application Protocol Command Analysis
 - Network Isolation
 - Network Traffic Analysis
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Performing Lateral Movement with WMIExec
diff --git a/skills/performing-linux-log-forensics-investigation/SKILL.md b/skills/performing-linux-log-forensics-investigation/SKILL.md
index d722aa44..811ae991 100644
--- a/skills/performing-linux-log-forensics-investigation/SKILL.md
+++ b/skills/performing-linux-log-forensics-investigation/SKILL.md
@@ -1,12 +1,29 @@
 ---
 name: performing-linux-log-forensics-investigation
-description: Perform forensic investigation of Linux system logs including syslog, auth.log, systemd journal, kern.log, and application logs to reconstruct user activity, detect unauthorized access, and establish event timelines on compromised Linux systems.
+description: Perform forensic investigation of Linux system logs including syslog, auth.log, systemd journal, kern.log, and
+ application logs to reconstruct user activity, detect unauthorized access, and establish event timelines on compromised
+ Linux systems.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [linux-forensics, syslog, auth-log, systemd-journal, journalctl, linux-logs, ssh-forensics, cron, audit-log, log-analysis]
-version: "1.0"
+tags:
+- linux-forensics
+- syslog
+- auth-log
+- systemd-journal
+- journalctl
+- linux-logs
+- ssh-forensics
+- cron
+- audit-log
+- log-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 
 # Performing Linux Log Forensics Investigation
diff --git a/skills/performing-log-analysis-for-forensic-investigation/SKILL.md b/skills/performing-log-analysis-for-forensic-investigation/SKILL.md
index f727b7fb..d94602e9 100644
--- a/skills/performing-log-analysis-for-forensic-investigation/SKILL.md
+++ b/skills/performing-log-analysis-for-forensic-investigation/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: performing-log-analysis-for-forensic-investigation
-description: Collect, parse, and correlate system, application, and security logs to reconstruct events and establish timelines during forensic investigations.
+description: Collect, parse, and correlate system, application, and security logs to reconstruct events and establish timelines
+ during forensic investigations.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, log-analysis, siem, event-correlation, timeline-analysis, evidence-collection]
-version: "1.0"
+tags:
+- forensics
+- log-analysis
+- siem
+- event-correlation
+- timeline-analysis
+- evidence-collection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 
 # Performing Log Analysis for Forensic Investigation
diff --git a/skills/performing-log-source-onboarding-in-siem/SKILL.md b/skills/performing-log-source-onboarding-in-siem/SKILL.md
index 98af609f..47531b09 100644
--- a/skills/performing-log-source-onboarding-in-siem/SKILL.md
+++ b/skills/performing-log-source-onboarding-in-siem/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-log-source-onboarding-in-siem
-description: Perform structured log source onboarding into SIEM platforms by configuring collectors, parsers, normalization, and validation for complete security visibility.
+description: Perform structured log source onboarding into SIEM platforms by configuring collectors, parsers, normalization,
+ and validation for complete security visibility.
 domain: cybersecurity
 subdomain: soc-operations
-tags: [siem, log-onboarding, log-management, data-ingestion, parsing, normalization, soc]
-version: "1.0"
+tags:
+- siem
+- log-onboarding
+- log-management
+- data-ingestion
+- parsing
+- normalization
+- soc
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 
 # Performing Log Source Onboarding in SIEM
diff --git a/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md b/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md
index baaa76d5..3fac455b 100644
--- a/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md
+++ b/skills/performing-malware-hash-enrichment-with-virustotal/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: performing-malware-hash-enrichment-with-virustotal
-description: Enrich malware file hashes using the VirusTotal API to retrieve detection rates, behavioral analysis, YARA matches, and contextual threat intelligence for incident triage and IOC validation.
+description: Enrich malware file hashes using the VirusTotal API to retrieve detection rates, behavioral analysis, YARA matches,
+ and contextual threat intelligence for incident triage and IOC validation.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [virustotal, malware-analysis, hash-enrichment, ioc, threat-intelligence, triage, api, detection]
-version: "1.0"
+tags:
+- virustotal
+- malware-analysis
+- hash-enrichment
+- ioc
+- threat-intelligence
+- triage
+- api
+- detection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Performing Malware Hash Enrichment with VirusTotal
diff --git a/skills/performing-malware-ioc-extraction/SKILL.md b/skills/performing-malware-ioc-extraction/SKILL.md
index dde01e34..8c3c7576 100644
--- a/skills/performing-malware-ioc-extraction/SKILL.md
+++ b/skills/performing-malware-ioc-extraction/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: performing-malware-ioc-extraction
-description: Malware IOC extraction is the process of analyzing malicious software to identify actionable indicators of compromise including file hashes, network indicators (C2 domains, IP addresses, URLs), regist
+description: Malware IOC extraction is the process of analyzing malicious software to identify actionable indicators of compromise
+ including file hashes, network indicators (C2 domains, IP addresses, URLs), regist
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, malware-analysis, yara, reverse-engineering]
-version: "1.0"
+tags:
+- threat-intelligence
+- cti
+- ioc
+- mitre-attack
+- stix
+- malware-analysis
+- yara
+- reverse-engineering
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Performing Malware IOC Extraction
diff --git a/skills/performing-malware-persistence-investigation/SKILL.md b/skills/performing-malware-persistence-investigation/SKILL.md
index 00f1925b..b2f580c6 100644
--- a/skills/performing-malware-persistence-investigation/SKILL.md
+++ b/skills/performing-malware-persistence-investigation/SKILL.md
@@ -1,13 +1,31 @@
 ---
 name: performing-malware-persistence-investigation
-description: Systematically investigate all persistence mechanisms on Windows and Linux systems to identify how malware survives reboots and maintains access.
+description: Systematically investigate all persistence mechanisms on Windows and Linux systems to identify how malware survives
+ reboots and maintains access.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, malware-persistence, autoruns, registry, scheduled-tasks, rootkit-detection, incident-response]
-mitre_attack: ["T1547.001", "T1053.005", "T1543.003", "T1546.003", "T1574"]
-version: "1.0"
+tags:
+- forensics
+- malware-persistence
+- autoruns
+- registry
+- scheduled-tasks
+- rootkit-detection
+- incident-response
+mitre_attack:
+- T1547.001
+- T1053.005
+- T1543.003
+- T1546.003
+- T1574
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 
 # Performing Malware Persistence Investigation
diff --git a/skills/performing-malware-triage-with-yara/SKILL.md b/skills/performing-malware-triage-with-yara/SKILL.md
index 36ed4dab..1ddde8fe 100644
--- a/skills/performing-malware-triage-with-yara/SKILL.md
+++ b/skills/performing-malware-triage-with-yara/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: performing-malware-triage-with-yara
-description: >
- Performs rapid malware triage and classification using YARA rules to match file patterns,
- strings, byte sequences, and structural characteristics against known malware families
- and suspicious indicators. Covers rule writing, scanning, and integration with analysis
- pipelines. Activates for requests involving YARA rule creation, malware classification,
- pattern matching, sample triage, or signature-based detection.
+description: 'Performs rapid malware triage and classification using YARA rules to match file patterns, strings, byte sequences,
+ and structural characteristics against known malware families and suspicious indicators. Covers rule writing, scanning,
+ and integration with analysis pipelines. Activates for requests involving YARA rule creation, malware classification, pattern
+ matching, sample triage, or signature-based detection.
+
+ '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, YARA, triage, classification, pattern-matching]
+tags:
+- malware
+- YARA
+- triage
+- classification
+- pattern-matching
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 
 # Performing Malware Triage with YARA
diff --git a/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md b/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md
index 38f9737a..8152bd78 100644
--- a/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md
+++ b/skills/performing-memory-forensics-with-volatility3-plugins/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 
 # Performing Memory Forensics with Volatility3 Plugins
diff --git a/skills/performing-memory-forensics-with-volatility3/SKILL.md b/skills/performing-memory-forensics-with-volatility3/SKILL.md
index ccc5cd98..385ff0e4 100644
--- a/skills/performing-memory-forensics-with-volatility3/SKILL.md
+++ b/skills/performing-memory-forensics-with-volatility3/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: performing-memory-forensics-with-volatility3
-description: Analyze volatile memory dumps using Volatility 3 to extract running processes, network connections, loaded modules, and evidence of malicious activity.
+description: Analyze volatile memory dumps using Volatility 3 to extract running processes, network connections, loaded modules,
+ and evidence of malicious activity.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, memory-forensics, volatility, ram-analysis, malware-detection, incident-response]
-version: "1.0"
+tags:
+- forensics
+- memory-forensics
+- volatility
+- ram-analysis
+- malware-detection
+- incident-response
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 
 # Performing Memory Forensics with Volatility 3
diff --git a/skills/performing-mobile-app-certificate-pinning-bypass/SKILL.md b/skills/performing-mobile-app-certificate-pinning-bypass/SKILL.md
index 28f92051..b8574f9b 100644
--- a/skills/performing-mobile-app-certificate-pinning-bypass/SKILL.md
+++ b/skills/performing-mobile-app-certificate-pinning-bypass/SKILL.md
@@ -1,17 +1,28 @@
 ---
 name: performing-mobile-app-certificate-pinning-bypass
-description: >
- Bypasses SSL/TLS certificate pinning implementations in Android and iOS applications to enable
- traffic interception during authorized security assessments. Covers OkHttp, TrustManager,
- NSURLSession, and third-party pinning library bypass techniques using Frida, Objection, and
- custom scripts. Activates for requests involving certificate pinning bypass, SSL pinning defeat,
- mobile TLS interception, or proxy-resistant app testing.
+description: 'Bypasses SSL/TLS certificate pinning implementations in Android and iOS applications to enable traffic interception
+ during authorized security assessments. Covers OkHttp, TrustManager, NSURLSession, and third-party pinning library bypass
+ techniques using Frida, Objection, and custom scripts. Activates for requests involving certificate pinning bypass, SSL
+ pinning defeat, mobile TLS interception, or proxy-resistant app testing.
+
+ '
 domain: cybersecurity
 subdomain: mobile-security
 author: mahipal
-tags: [mobile-security, android, ios, certificate-pinning, frida, penetration-testing]
+tags:
+- mobile-security
+- android
+- ios
+- certificate-pinning
+- frida
+- penetration-testing
 version: 1.0.0
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.AA-05
+- ID.RA-01
+- DE.CM-09
 ---
 
 # Performing Mobile App Certificate Pinning Bypass
diff --git a/skills/performing-mobile-device-forensics-with-cellebrite/SKILL.md b/skills/performing-mobile-device-forensics-with-cellebrite/SKILL.md
index 7c9f1bda..8812125f 100644
--- a/skills/performing-mobile-device-forensics-with-cellebrite/SKILL.md
+++ b/skills/performing-mobile-device-forensics-with-cellebrite/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: performing-mobile-device-forensics-with-cellebrite
-description: Acquire and analyze mobile device data using Cellebrite UFED and open-source tools to extract communications, location data, and application artifacts.
+description: Acquire and analyze mobile device data using Cellebrite UFED and open-source tools to extract communications,
+ location data, and application artifacts.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, mobile-forensics, cellebrite, smartphone-analysis, ios-forensics, android-forensics]
-version: "1.0"
+tags:
+- forensics
+- mobile-forensics
+- cellebrite
+- smartphone-analysis
+- ios-forensics
+- android-forensics
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 
 # Performing Mobile Device Forensics with Cellebrite
diff --git a/skills/performing-network-forensics-with-wireshark/SKILL.md b/skills/performing-network-forensics-with-wireshark/SKILL.md
index e15033b2..e8d4f302 100644
--- a/skills/performing-network-forensics-with-wireshark/SKILL.md
+++ b/skills/performing-network-forensics-with-wireshark/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: performing-network-forensics-with-wireshark
-description: Capture and analyze network traffic using Wireshark and tshark to reconstruct network events, extract artifacts, and identify malicious communications.
+description: Capture and analyze network traffic using Wireshark and tshark to reconstruct network events, extract artifacts,
+ and identify malicious communications.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, network-forensics, wireshark, pcap, packet-analysis, traffic-analysis]
-version: "1.0"
+tags:
+- forensics
+- network-forensics
+- wireshark
+- pcap
+- packet-analysis
+- traffic-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 
 # Performing Network Forensics with Wireshark
diff --git a/skills/performing-network-packet-capture-analysis/SKILL.md b/skills/performing-network-packet-capture-analysis/SKILL.md
index 4d32cb6a..9d1b652c 100644
--- a/skills/performing-network-packet-capture-analysis/SKILL.md
+++ b/skills/performing-network-packet-capture-analysis/SKILL.md
@@ -1,12 +1,29 @@
 ---
 name: performing-network-packet-capture-analysis
-description: Perform forensic analysis of network packet captures (PCAP/PCAPNG) using Wireshark, tshark, and tcpdump to reconstruct network communications, extract transferred files, identify malicious traffic, and establish evidence of data exfiltration or command-and-control activity.
+description: Perform forensic analysis of network packet captures (PCAP/PCAPNG) using Wireshark, tshark, and tcpdump to reconstruct
+ network communications, extract transferred files, identify malicious traffic, and establish evidence of data exfiltration
+ or command-and-control activity.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [pcap, wireshark, tshark, tcpdump, network-forensics, packet-capture, protocol-analysis, traffic-analysis, pcapng, network-evidence]
-version: "1.0"
+tags:
+- pcap
+- wireshark
+- tshark
+- tcpdump
+- network-forensics
+- packet-capture
+- protocol-analysis
+- traffic-analysis
+- pcapng
+- network-evidence
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 
 # Performing Network Packet Capture Analysis
diff --git a/skills/performing-network-traffic-analysis-with-tshark/SKILL.md b/skills/performing-network-traffic-analysis-with-tshark/SKILL.md
index b6762d13..67ce616e 100644
--- a/skills/performing-network-traffic-analysis-with-tshark/SKILL.md
+++ b/skills/performing-network-traffic-analysis-with-tshark/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-network-traffic-analysis-with-tshark
-description: Automate network traffic analysis using tshark and pyshark for protocol statistics, suspicious flow detection, DNS anomaly identification, and IOC extraction from PCAP files
+description: Automate network traffic analysis using tshark and pyshark for protocol statistics, suspicious flow detection,
+ DNS anomaly identification, and IOC extraction from PCAP files
 domain: cybersecurity
 subdomain: network-security
-tags: [tshark, pyshark, pcap, packet-analysis, network-forensics, wireshark, traffic-analysis]
-version: "1.0"
+tags:
+- tshark
+- pyshark
+- pcap
+- packet-analysis
+- network-forensics
+- wireshark
+- traffic-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Performing Network Traffic Analysis with TShark
diff --git a/skills/performing-network-traffic-analysis-with-zeek/SKILL.md b/skills/performing-network-traffic-analysis-with-zeek/SKILL.md
index 7bf74974..cde26865 100644
--- a/skills/performing-network-traffic-analysis-with-zeek/SKILL.md
+++ b/skills/performing-network-traffic-analysis-with-zeek/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: performing-network-traffic-analysis-with-zeek
-description: Deploy Zeek network security monitor to capture, parse, and analyze network traffic metadata for threat detection, anomaly identification, and forensic investigation.
+description: Deploy Zeek network security monitor to capture, parse, and analyze network traffic metadata for threat detection,
+ anomaly identification, and forensic investigation.
 domain: cybersecurity
 subdomain: network-security
-tags: [zeek, network-monitoring, traffic-analysis, ids, nids, pcap, threat-detection, forensics, siem-integration]
-version: "1.0"
+tags:
+- zeek
+- network-monitoring
+- traffic-analysis
+- ids
+- nids
+- pcap
+- threat-detection
+- forensics
+- siem-integration
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Performing Network Traffic Analysis with Zeek
diff --git a/skills/performing-nist-csf-maturity-assessment/SKILL.md b/skills/performing-nist-csf-maturity-assessment/SKILL.md
index 042b1a13..e782ce17 100644
--- a/skills/performing-nist-csf-maturity-assessment/SKILL.md
+++ b/skills/performing-nist-csf-maturity-assessment/SKILL.md
@@ -9,7 +9,7 @@ description: >-
 domain: cybersecurity
 subdomain: compliance-governance
 tags: [compliance, governance, nist, csf, maturity-assessment, risk-management]
-nist_csf: [GV.OC, GV.RM, GV.RR, GV.PO, GV.OV, GV.SC, ID.AM, ID.RA, ID.IM, PR.AA, PR.AT, PR.DS, PR.PS, PR.IR, DE.CM, DE.AE, RS.MA, RS.CO, RS.AN, RS.MI, RC.RP, RC.CO]
+nist_csf: [GV.OC-01, GV.RM-01, GV.PO-01, ID.RA-01, GV.OV-01]
 version: "1.0"
 author: mahipal
 license: Apache-2.0
diff --git a/skills/performing-oauth-scope-minimization-review/SKILL.md b/skills/performing-oauth-scope-minimization-review/SKILL.md
index 16612952..72331274 100644
--- a/skills/performing-oauth-scope-minimization-review/SKILL.md
+++ b/skills/performing-oauth-scope-minimization-review/SKILL.md
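Review bot: In the performing-nist-csf-maturity-assessment hunk the `nist_csf` value shrinks from every CSF category to five subcategory IDs (`GV.OC-01`, `GV.RM-01`, `GV.PO-01`, `ID.RA-01`, `GV.OV-01`), which drops the Protect, Detect, Respond and Recover functions entirely from a skill whose name and `maturity-assessment` tag suggest framework-wide coverage; if the goal was to normalize to subcategory granularity rather than narrow scope, representative IDs for the remaining functions are still needed. This file is also the only one in the set that was hand-edited rather than re-dumped, so it keeps flow-style `tags:`/`nist_csf:` and `version: "1.0"` while every neighbouring file now uses block sequences and `'1.0'`; both are valid YAML, but a linter or a consumer that greps the frontmatter will see two conventions. The description block referenced in the hunk header lies outside the hunk.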
@@ -1,17 +1,28 @@
 ---
 name: performing-oauth-scope-minimization-review
-description: >
- Performs OAuth 2.0 scope minimization review to identify over-permissioned third-party
- application integrations, excessive API scopes, unused token grants, and risky OAuth
- consent patterns across identity providers and SaaS platforms.
- Activates for requests involving OAuth scope audit, API permission review, third-party
- app risk assessment, or consent grant minimization.
+description: 'Performs OAuth 2.0 scope minimization review to identify over-permissioned third-party application integrations,
+ excessive API scopes, unused token grants, and risky OAuth consent patterns across identity providers and SaaS platforms.
+ Activates for requests involving OAuth scope audit, API permission review, third-party app risk assessment, or consent grant
+ minimization.
+
+ '
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [OAuth, scope-minimization, API-security, consent-review, third-party-risk, token-audit]
-version: "1.0"
+tags:
+- OAuth
+- scope-minimization
+- API-security
+- consent-review
+- third-party-risk
+- token-audit
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Performing OAuth Scope Minimization Review
diff --git a/skills/performing-oil-gas-cybersecurity-assessment/SKILL.md b/skills/performing-oil-gas-cybersecurity-assessment/SKILL.md
index 6197a181..90986783 100644
--- a/skills/performing-oil-gas-cybersecurity-assessment/SKILL.md
+++ b/skills/performing-oil-gas-cybersecurity-assessment/SKILL.md
@@ -1,19 +1,31 @@
 ---
 name: performing-oil-gas-cybersecurity-assessment
-description: >
- This skill covers conducting cybersecurity assessments specific to oil and gas
- facilities including upstream (exploration/production), midstream (pipeline/transport),
- and downstream (refining/distribution) operations. It addresses SCADA systems
- controlling pipeline operations, DCS for refinery process control, safety instrumented
- systems for hazardous processes, remote terminal units at unmanned wellhead sites,
- and compliance with API 1164, TSA Pipeline Security Directives, IEC 62443, and
- NIST Cybersecurity Framework for critical infrastructure.
+description: 'This skill covers conducting cybersecurity assessments specific to oil and gas facilities including upstream
+ (exploration/production), midstream (pipeline/transport), and downstream (refining/distribution) operations. It addresses
+ SCADA systems controlling pipeline operations, DCS for refinery process control, safety instrumented systems for hazardous
+ processes, remote terminal units at unmanned wellhead sites, and compliance with API 1164, TSA Pipeline Security Directives,
+ IEC 62443, and NIST Cybersecurity Framework for critical infrastructure.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, scada, industrial-control, iec62443, oil-gas, pipeline-security, api1164]
+tags:
+- ot-security
+- ics
+- scada
+- industrial-control
+- iec62443
+- oil-gas
+- pipeline-security
+- api1164
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 
 # Performing Oil & Gas Cybersecurity Assessment
diff --git a/skills/performing-open-source-intelligence-gathering/SKILL.md b/skills/performing-open-source-intelligence-gathering/SKILL.md
index ad269145..84444525 100644
--- a/skills/performing-open-source-intelligence-gathering/SKILL.md
+++ b/skills/performing-open-source-intelligence-gathering/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: performing-open-source-intelligence-gathering
-description: Open Source Intelligence (OSINT) gathering is the first active phase of a red team engagement, where operators collect publicly available information about the target organization to identify attack s
+description: Open Source Intelligence (OSINT) gathering is the first active phase of a red team engagement, where operators
+ collect publicly available information about the target organization to identify attack s
 domain: cybersecurity
 subdomain: red-teaming
-tags: [red-team, adversary-simulation, mitre-attack, exploitation, post-exploitation, osint, reconnaissance]
-version: "1.0"
+tags:
+- red-team
+- adversary-simulation
+- mitre-attack
+- exploitation
+- post-exploitation
+- osint
+- reconnaissance
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Performing Open Source Intelligence Gathering
diff --git a/skills/performing-osint-with-spiderfoot/SKILL.md b/skills/performing-osint-with-spiderfoot/SKILL.md
index 8a85e6f4..6083f94c 100644
--- a/skills/performing-osint-with-spiderfoot/SKILL.md
+++ b/skills/performing-osint-with-spiderfoot/SKILL.md
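Review bot: The rewrapped `description` still ends mid-word (`... to identify attack s`), so the re-dump carried over a value that was already truncated instead of the full sentence; the field should be restored from the intended wording (presumably something like `attack surface`, to be confirmed against the skill body outside this hunk) before any reformatting pass runs. The same cut-off survives in the GoPhish hunk below (`landing pag`) and, judging by the missing terminating period, possibly in the privileged-account-discovery hunk (`application admin account`). A check that every `description` ends in sentence punctuation would catch this class of loss in the dump script.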
@@ -1,18 +1,24 @@
 ---
 name: performing-osint-with-spiderfoot
-description: Automate OSINT collection using SpiderFoot REST API and CLI for target profiling, module-based reconnaissance, and structured result analysis across 200+ data sources
+description: Automate OSINT collection using SpiderFoot REST API and CLI for target profiling, module-based reconnaissance,
+ and structured result analysis across 200+ data sources
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
- - osint
- - spiderfoot
- - reconnaissance
- - threat-intelligence
- - attack-surface
- - target-profiling
-version: "1.0"
+- osint
+- spiderfoot
+- reconnaissance
+- threat-intelligence
+- attack-surface
+- target-profiling
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Performing OSINT with SpiderFoot
diff --git a/skills/performing-ot-network-security-assessment/SKILL.md b/skills/performing-ot-network-security-assessment/SKILL.md
index 843c616e..935957d5 100644
--- a/skills/performing-ot-network-security-assessment/SKILL.md
+++ b/skills/performing-ot-network-security-assessment/SKILL.md
@@ -1,18 +1,29 @@
 ---
 name: performing-ot-network-security-assessment
-description: >
- This skill covers conducting comprehensive security assessments of Operational
- Technology (OT) networks including SCADA systems, DCS architectures, and industrial
- control system communication paths. It addresses the Purdue Reference Model layers,
- identifies IT/OT convergence risks, evaluates firewall rules between zones, and
- maps industrial protocol traffic (Modbus, DNP3, OPC UA, EtherNet/IP) to detect
- misconfigurations, unauthorized connections, and attack surfaces in critical infrastructure.
+description: 'This skill covers conducting comprehensive security assessments of Operational Technology (OT) networks including
+ SCADA systems, DCS architectures, and industrial control system communication paths. It addresses the Purdue Reference Model
+ layers, identifies IT/OT convergence risks, evaluates firewall rules between zones, and maps industrial protocol traffic
+ (Modbus, DNP3, OPC UA, EtherNet/IP) to detect misconfigurations, unauthorized connections, and attack surfaces in critical
+ infrastructure.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, scada, industrial-control, iec62443, network-assessment]
+tags:
+- ot-security
+- ics
+- scada
+- industrial-control
+- iec62443
+- network-assessment
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 
 # Performing OT Network Security Assessment
diff --git a/skills/performing-ot-vulnerability-assessment-with-claroty/SKILL.md b/skills/performing-ot-vulnerability-assessment-with-claroty/SKILL.md
index 23a74a10..9c4e55da 100644
--- a/skills/performing-ot-vulnerability-assessment-with-claroty/SKILL.md
+++ b/skills/performing-ot-vulnerability-assessment-with-claroty/SKILL.md
@@ -1,18 +1,29 @@
 ---
 name: performing-ot-vulnerability-assessment-with-claroty
-description: >
- This skill covers performing vulnerability assessments in OT environments using
- the Claroty xDome platform for comprehensive asset discovery, risk scoring,
- vulnerability correlation, and remediation prioritization. It addresses passive
- vulnerability identification through traffic analysis, active safe querying of
- OT devices, integration with CVE databases and ICS-CERT advisories, and
- risk-based prioritization that accounts for operational impact and compensating controls.
+description: 'This skill covers performing vulnerability assessments in OT environments using the Claroty xDome platform for
+ comprehensive asset discovery, risk scoring, vulnerability correlation, and remediation prioritization. It addresses passive
+ vulnerability identification through traffic analysis, active safe querying of OT devices, integration with CVE databases
+ and ICS-CERT advisories, and risk-based prioritization that accounts for operational impact and compensating controls.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, scada, industrial-control, iec62443, vulnerability-assessment, claroty]
+tags:
+- ot-security
+- ics
+- scada
+- industrial-control
+- iec62443
+- vulnerability-assessment
+- claroty
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 
 # Performing OT Vulnerability Assessment with Claroty
diff --git a/skills/performing-ot-vulnerability-scanning-safely/SKILL.md b/skills/performing-ot-vulnerability-scanning-safely/SKILL.md
index 672830b9..7a8a3a49 100644
--- a/skills/performing-ot-vulnerability-scanning-safely/SKILL.md
+++ b/skills/performing-ot-vulnerability-scanning-safely/SKILL.md
@@ -1,16 +1,29 @@
 ---
 name: performing-ot-vulnerability-scanning-safely
-description: >
- Perform vulnerability scanning in OT/ICS environments safely using passive
- monitoring, native protocol queries, and carefully controlled active scanning
- with Tenable OT Security to identify vulnerabilities without disrupting
- industrial processes or crashing legacy controllers.
+description: 'Perform vulnerability scanning in OT/ICS environments safely using passive monitoring, native protocol queries,
+ and carefully controlled active scanning with Tenable OT Security to identify vulnerabilities without disrupting industrial
+ processes or crashing legacy controllers.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, vulnerability-scanning, tenable, nessus, passive-scanning, risk-management, nist]
-version: "1.0"
+tags:
+- ot-security
+- ics
+- vulnerability-scanning
+- tenable
+- nessus
+- passive-scanning
+- risk-management
+- nist
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 
 # Performing OT Vulnerability Scanning Safely
diff --git a/skills/performing-packet-injection-attack/SKILL.md b/skills/performing-packet-injection-attack/SKILL.md
index 5a41ff78..342ea0cc 100644
--- a/skills/performing-packet-injection-attack/SKILL.md
+++ b/skills/performing-packet-injection-attack/SKILL.md
@@ -1,15 +1,25 @@
 ---
 name: performing-packet-injection-attack
-description: >
- Crafts and injects custom network packets using Scapy, hping3, and Nemesis during
- authorized security assessments to test firewall rules, IDS detection, protocol
- handling, and network stack resilience against malformed and spoofed traffic.
+description: 'Crafts and injects custom network packets using Scapy, hping3, and Nemesis during authorized security assessments
+ to test firewall rules, IDS detection, protocol handling, and network stack resilience against malformed and spoofed traffic.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, packet-injection, scapy, hping3, protocol-testing]
-version: "1.0"
+tags:
+- network-security
+- packet-injection
+- scapy
+- hping3
+- protocol-testing
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Performing Packet Injection Attack
diff --git a/skills/performing-paste-site-monitoring-for-credentials/SKILL.md b/skills/performing-paste-site-monitoring-for-credentials/SKILL.md
index 3b2639d2..c30b1146 100644
--- a/skills/performing-paste-site-monitoring-for-credentials/SKILL.md
+++ b/skills/performing-paste-site-monitoring-for-credentials/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-paste-site-monitoring-for-credentials
-description: Monitor paste sites like Pastebin and GitHub Gists for leaked credentials, API keys, and sensitive data dumps using automated scraping and keyword matching to detect breaches early.
+description: Monitor paste sites like Pastebin and GitHub Gists for leaked credentials, API keys, and sensitive data dumps
+ using automated scraping and keyword matching to detect breaches early.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [paste-monitoring, credential-leak, pastebin, data-breach, threat-intelligence, osint, early-warning]
-version: "1.0"
+tags:
+- paste-monitoring
+- credential-leak
+- pastebin
+- data-breach
+- threat-intelligence
+- osint
+- early-warning
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Performing Paste Site Monitoring for Credentials
diff --git a/skills/performing-phishing-simulation-with-gophish/SKILL.md b/skills/performing-phishing-simulation-with-gophish/SKILL.md
index ff07a9b4..122eff4c 100644
--- a/skills/performing-phishing-simulation-with-gophish/SKILL.md
+++ b/skills/performing-phishing-simulation-with-gophish/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-phishing-simulation-with-gophish
-description: GoPhish is an open-source phishing simulation framework used by security teams to conduct authorized phishing awareness campaigns. It provides campaign management, email template creation, landing pag
+description: GoPhish is an open-source phishing simulation framework used by security teams to conduct authorized phishing
+ awareness campaigns. It provides campaign management, email template creation, landing pag
 domain: cybersecurity
 subdomain: phishing-defense
-tags: [phishing, email-security, social-engineering, dmarc, awareness, gophish, simulation]
-version: "1.0"
+tags:
+- phishing
+- email-security
+- social-engineering
+- dmarc
+- awareness
+- gophish
+- simulation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
+- DE.AE-02
 ---
 
 # Performing Phishing Simulation with GoPhish
diff --git a/skills/performing-physical-intrusion-assessment/SKILL.md b/skills/performing-physical-intrusion-assessment/SKILL.md
index adfcd144..acc7c80a 100644
--- a/skills/performing-physical-intrusion-assessment/SKILL.md
+++ b/skills/performing-physical-intrusion-assessment/SKILL.md
@@ -21,6 +21,10 @@ d3fend_techniques:
 - Electromagnetic Radiation Hardening
 - RF Shielding
 - Asset Inventory
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Performing Physical Intrusion Assessment
diff --git a/skills/performing-plc-firmware-security-analysis/SKILL.md b/skills/performing-plc-firmware-security-analysis/SKILL.md
index d87ee666..8ff8ec9b 100644
--- a/skills/performing-plc-firmware-security-analysis/SKILL.md
+++ b/skills/performing-plc-firmware-security-analysis/SKILL.md
@@ -1,18 +1,29 @@
 ---
 name: performing-plc-firmware-security-analysis
-description: >
- This skill covers analyzing Programmable Logic Controller (PLC) firmware for security
- vulnerabilities including hardcoded credentials, insecure update mechanisms, backdoor
- functions, memory corruption flaws, and undocumented debug interfaces. It addresses
- firmware extraction from common PLC platforms (Siemens S7, Allen-Bradley, Schneider
- Modicon), static analysis of firmware images, dynamic analysis in emulated environments,
- and comparison against known-good baselines to detect tampering.
+description: 'This skill covers analyzing Programmable Logic Controller (PLC) firmware for security vulnerabilities including
+ hardcoded credentials, insecure update mechanisms, backdoor functions, memory corruption flaws, and undocumented debug interfaces.
+ It addresses firmware extraction from common PLC platforms (Siemens S7, Allen-Bradley, Schneider Modicon), static analysis
+ of firmware images, dynamic analysis in emulated environments, and comparison against known-good baselines to detect tampering.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, scada, industrial-control, iec62443, firmware-analysis, plc-security]
+tags:
+- ot-security
+- ics
+- scada
+- industrial-control
+- iec62443
+- firmware-analysis
+- plc-security
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 
 # Performing PLC Firmware Security Analysis
diff --git a/skills/performing-post-quantum-cryptography-migration/SKILL.md b/skills/performing-post-quantum-cryptography-migration/SKILL.md
index 706daba1..d67e8b4c 100644
--- a/skills/performing-post-quantum-cryptography-migration/SKILL.md
+++ b/skills/performing-post-quantum-cryptography-migration/SKILL.md
@@ -1,19 +1,31 @@
 ---
 name: performing-post-quantum-cryptography-migration
-description: >
- Assesses organizational readiness for post-quantum cryptography migration per NIST
- FIPS 203/204/205 standards. Performs cryptographic inventory scanning to identify
- quantum-vulnerable algorithms (RSA, ECDH, ECDSA), evaluates hybrid TLS configurations
- with X25519MLKEM768, and validates CRYSTALS-Kyber (ML-KEM) and CRYSTALS-Dilithium
- (ML-DSA) readiness. Implements crypto-agility assessment using oqs-provider for
- OpenSSL. Use when planning or executing the transition from classical to
- post-quantum cryptographic algorithms across enterprise infrastructure.
+description: 'Assesses organizational readiness for post-quantum cryptography migration per NIST FIPS 203/204/205 standards.
+ Performs cryptographic inventory scanning to identify quantum-vulnerable algorithms (RSA, ECDH, ECDSA), evaluates hybrid
+ TLS configurations with X25519MLKEM768, and validates CRYSTALS-Kyber (ML-KEM) and CRYSTALS-Dilithium (ML-DSA) readiness.
+ Implements crypto-agility assessment using oqs-provider for OpenSSL. Use when planning or executing the transition from
+ classical to post-quantum cryptographic algorithms across enterprise infrastructure.
+
+ '
 domain: cybersecurity
 subdomain: cryptography
-tags: [post-quantum, PQC, CRYSTALS-Kyber, ML-KEM, ML-DSA, FIPS-203, FIPS-204, hybrid-TLS, crypto-agility]
-version: "1.0"
+tags:
+- post-quantum
+- PQC
+- CRYSTALS-Kyber
+- ML-KEM
+- ML-DSA
+- FIPS-203
+- FIPS-204
+- hybrid-TLS
+- crypto-agility
+version: '1.0'
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- PR.DS-10
 ---
 
 # Performing Post-Quantum Cryptography Migration
diff --git a/skills/performing-power-grid-cybersecurity-assessment/SKILL.md b/skills/performing-power-grid-cybersecurity-assessment/SKILL.md
index 203be302..74e0b0d4 100644
--- a/skills/performing-power-grid-cybersecurity-assessment/SKILL.md
+++ b/skills/performing-power-grid-cybersecurity-assessment/SKILL.md
@@ -1,18 +1,31 @@
 ---
 name: performing-power-grid-cybersecurity-assessment
-description: >
- This skill covers conducting cybersecurity assessments of electric power grid
- infrastructure including generation facilities, transmission substations, distribution
- systems, and energy management system (EMS) control centers. It addresses NERC CIP
- compliance verification, substation automation security, IEC 61850 protocol analysis,
- synchrophasor (PMU) network security, and the unique threat landscape targeting
- power grid operations as demonstrated by Industroyer/CrashOverride and related attacks.
+description: 'This skill covers conducting cybersecurity assessments of electric power grid infrastructure including generation
+ facilities, transmission substations, distribution systems, and energy management system (EMS) control centers. It addresses
+ NERC CIP compliance verification, substation automation security, IEC 61850 protocol analysis, synchrophasor (PMU) network
+ security, and the unique threat landscape targeting power grid operations as demonstrated by Industroyer/CrashOverride and
+ related attacks.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, scada, industrial-control, iec62443, nerc-cip, power-grid, substation]
+tags:
+- ot-security
+- ics
+- scada
+- industrial-control
+- iec62443
+- nerc-cip
+- power-grid
+- substation
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 
 # Performing Power Grid Cybersecurity Assessment
diff --git a/skills/performing-privacy-impact-assessment/SKILL.md b/skills/performing-privacy-impact-assessment/SKILL.md
index af8a0c4b..7ab22d5e 100644
--- a/skills/performing-privacy-impact-assessment/SKILL.md
+++ b/skills/performing-privacy-impact-assessment/SKILL.md
@@ -1,19 +1,30 @@
 ---
 name: performing-privacy-impact-assessment
-description: >
- Automates the Privacy Impact Assessment (PIA) workflow including data flow mapping,
- privacy risk scoring matrices, GDPR Article 35 DPIA and CCPA/CPRA alignment checks,
- data inventory cataloging, and remediation tracking. Implements the NIST Privacy
- Framework PRAM methodology and ICO DPIA guidance for systematic identification and
- mitigation of privacy risks across processing activities. Use when conducting privacy
- assessments for new systems, evaluating regulatory compliance posture, or building
- automated privacy governance programs.
+description: 'Automates the Privacy Impact Assessment (PIA) workflow including data flow mapping, privacy risk scoring matrices,
+ GDPR Article 35 DPIA and CCPA/CPRA alignment checks, data inventory cataloging, and remediation tracking. Implements the
+ NIST Privacy Framework PRAM methodology and ICO DPIA guidance for systematic identification and mitigation of privacy risks
+ across processing activities. Use when conducting privacy assessments for new systems, evaluating regulatory compliance
+ posture, or building automated privacy governance programs.
+
+ '
 domain: cybersecurity
 subdomain: privacy-compliance
-tags: [privacy, impact-assessment, GDPR, CCPA, NIST, DPIA, data-flow-mapping, risk-scoring]
-version: "1.0"
+tags:
+- privacy
+- impact-assessment
+- GDPR
+- CCPA
+- NIST
+- DPIA
+- data-flow-mapping
+- risk-scoring
+version: '1.0'
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- GV.PO-01
+- PR.DS-01
+- GV.OC-05
 ---
 
 # Performing Privacy Impact Assessment
diff --git a/skills/performing-privilege-escalation-assessment/SKILL.md b/skills/performing-privilege-escalation-assessment/SKILL.md
index b0f0c269..58233456 100644
--- a/skills/performing-privilege-escalation-assessment/SKILL.md
+++ b/skills/performing-privilege-escalation-assessment/SKILL.md
@@ -24,6 +24,11 @@ d3fend_techniques:
 - File Metadata Consistency Validation
 - Restore Access
 - Password Authentication
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Performing Privilege Escalation Assessment
diff --git a/skills/performing-privilege-escalation-on-linux/SKILL.md b/skills/performing-privilege-escalation-on-linux/SKILL.md
index d2deaae0..4d1f32a5 100644
--- a/skills/performing-privilege-escalation-on-linux/SKILL.md
+++ b/skills/performing-privilege-escalation-on-linux/SKILL.md
@@ -21,6 +21,10 @@ d3fend_techniques:
 - Restore Configuration
 - Access Modeling
 - Operational Activity Mapping
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Performing Privilege Escalation on Linux
diff --git a/skills/performing-privileged-account-access-review/SKILL.md b/skills/performing-privileged-account-access-review/SKILL.md
index 45d32aff..3e9d95c4 100644
--- a/skills/performing-privileged-account-access-review/SKILL.md
+++ b/skills/performing-privileged-account-access-review/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-privileged-account-access-review
-description: Conduct systematic reviews of privileged accounts to validate access rights, identify excessive permissions, and enforce least privilege across PAM infrastructure.
+description: Conduct systematic reviews of privileged accounts to validate access rights, identify excessive permissions,
+ and enforce least privilege across PAM infrastructure.
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [pam, access-review, privileged-accounts, least-privilege, compliance, audit, identity-governance]
-version: "1.0"
+tags:
+- pam
+- access-review
+- privileged-accounts
+- least-privilege
+- compliance
+- audit
+- identity-governance
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Performing Privileged Account Access Review
diff --git a/skills/performing-privileged-account-discovery/SKILL.md b/skills/performing-privileged-account-discovery/SKILL.md
index 51b2fa25..b79bc134 100644
--- a/skills/performing-privileged-account-discovery/SKILL.md
+++ b/skills/performing-privileged-account-discovery/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: performing-privileged-account-discovery
-description: Discover and inventory all privileged accounts across enterprise infrastructure including domain admins, local admins, service accounts, database admins, cloud IAM roles, and application admin account
+description: Discover and inventory all privileged accounts across enterprise infrastructure including domain admins, local
+ admins, service accounts, database admins, cloud IAM roles, and application admin account
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [iam, identity, access-control, privileged-access, discovery, inventory]
-version: "1.0"
+tags:
+- iam
+- identity
+- access-control
+- privileged-access
+- discovery
+- inventory
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 
 # Performing Privileged Account Discovery
diff --git a/skills/performing-purple-team-atomic-testing/SKILL.md b/skills/performing-purple-team-atomic-testing/SKILL.md
index 685da746..8533dab7 100644
--- a/skills/performing-purple-team-atomic-testing/SKILL.md
+++ b/skills/performing-purple-team-atomic-testing/SKILL.md
@@ -32,6 +32,10 @@ d3fend_techniques:
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
+nist_csf:
+- ID.RA-01
+- DE.AE-07
+- GV.OV-02
 ---
 
 # Performing Purple Team Atomic Testing
diff --git a/skills/performing-purple-team-exercise/SKILL.md b/skills/performing-purple-team-exercise/SKILL.md
index 9e069a7a..f27f91f2 100644
--- a/skills/performing-purple-team-exercise/SKILL.md
+++ b/skills/performing-purple-team-exercise/SKILL.md
@@ -25,6 +25,11 @@ d3fend_techniques:
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Performing Purple Team Exercise
diff --git a/skills/performing-ransomware-response/SKILL.md b/skills/performing-ransomware-response/SKILL.md
index eae8d47e..f8524694 100644
--- a/skills/performing-ransomware-response/SKILL.md
+++ b/skills/performing-ransomware-response/SKILL.md
@@ -1,19 +1,33 @@
 ---
 name: performing-ransomware-response
-description: >
- Executes a structured ransomware incident response from initial detection through
- containment, forensic analysis, decryption assessment, recovery, and post-incident
- hardening. Addresses ransom negotiation considerations, backup integrity verification,
- and regulatory notification requirements. Activates for requests involving ransomware
- response, ransomware recovery, crypto-ransomware, data encryption attack, ransom
- payment decision, or ransomware containment.
+description: 'Executes a structured ransomware incident response from initial detection through containment, forensic analysis,
+ decryption assessment, recovery, and post-incident hardening. Addresses ransom negotiation considerations, backup integrity
+ verification, and regulatory notification requirements. Activates for requests involving ransomware response, ransomware
+ recovery, crypto-ransomware, data encryption attack, ransom payment decision, or ransomware containment.
+
+ '
 domain: cybersecurity
 subdomain: incident-response
-tags: [ransomware, encryption-recovery, backup-restoration, ransom-negotiation, CISA-guidance]
-mitre_attack: ["T1486", "T1490", "T1489", "T1021", "T1570"]
+tags:
+- ransomware
+- encryption-recovery
+- backup-restoration
+- ransom-negotiation
+- CISA-guidance
+mitre_attack:
+- T1486
+- T1490
+- T1489
+- T1021
+- T1570
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 # Performing Ransomware Response
diff --git a/skills/performing-ransomware-tabletop-exercise/SKILL.md b/skills/performing-ransomware-tabletop-exercise/SKILL.md
index 0e53a479..c19fb388 100644
--- a/skills/performing-ransomware-tabletop-exercise/SKILL.md
+++ b/skills/performing-ransomware-tabletop-exercise/SKILL.md
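Review bot: The new `description` is a single-quoted multi-line scalar that closes with an empty line followed by `  '`, which encodes a trailing newline in the value; this is faithful to the `>` block it replaces (clip chomping also kept one newline), but the quoted form is far harder to read and a stray edit to the closing line silently changes the value. A folded block with strip chomping keeps the re-wrapping and drops the newline: `description: >-` followed by the same wrapped lines and no closing-quote line. The same empty-line-plus-quote pattern appears in every other `>`-derived description in this commit, so if a serializer produced these, configuring it to emit block scalars would fix all of them at once rather than hand-editing each file.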
@@ -1,19 +1,28 @@
 ---
 name: performing-ransomware-tabletop-exercise
-description: >
- Plans and facilitates tabletop exercises simulating ransomware incidents to test
- organizational readiness, decision-making, and communication procedures. Designs
- realistic scenarios based on current ransomware threat actors (LockBit, ALPHV/BlackCat,
- Cl0p), injects covering double extortion, backup destruction, and regulatory notification
- requirements. Evaluates participant responses against NIST CSF and CISA guidelines.
- Activates for requests involving ransomware tabletop, incident response exercise, or
- ransomware readiness drill.
+description: 'Plans and facilitates tabletop exercises simulating ransomware incidents to test organizational readiness, decision-making,
+ and communication procedures. Designs realistic scenarios based on current ransomware threat actors (LockBit, ALPHV/BlackCat,
+ Cl0p), injects covering double extortion, backup destruction, and regulatory notification requirements. Evaluates participant
+ responses against NIST CSF and CISA guidelines. Activates for requests involving ransomware tabletop, incident response
+ exercise, or ransomware readiness drill.
+
+ '
 domain: cybersecurity
 subdomain: ransomware-defense
-tags: [ransomware, incident-response, tabletop-exercise, defense, preparedness]
+tags:
+- ransomware
+- incident-response
+- tabletop-exercise
+- defense
+- preparedness
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-11
+- RS.MA-01
+- RC.RP-01
+- PR.IR-01
 ---
 # Performing Ransomware Tabletop Exercise
diff --git a/skills/performing-red-team-phishing-with-gophish/SKILL.md b/skills/performing-red-team-phishing-with-gophish/SKILL.md
index 80b06e1f..23ef1490 100644
--- a/skills/performing-red-team-phishing-with-gophish/SKILL.md
+++ b/skills/performing-red-team-phishing-with-gophish/SKILL.md
@@ -1,16 +1,23 @@
 ---
 name: performing-red-team-phishing-with-gophish
-description: >-
- Automate GoPhish phishing simulation campaigns using the Python gophish library. Creates email
- templates with tracking pixels, configures SMTP sending profiles, builds target groups from
- CSV, launches campaigns, and analyzes results including open rates, click rates, and credential
- submission statistics for security awareness assessment.
+description: Automate GoPhish phishing simulation campaigns using the Python gophish library. Creates email templates with
+ tracking pixels, configures SMTP sending profiles, builds target groups from CSV, launches campaigns, and analyzes results
+ including open rates, click rates, and credential submission statistics for security awareness assessment.
 domain: cybersecurity
 subdomain: security-operations
-tags: [performing, red, team, phishing]
-version: "1.0"
+tags:
+- performing
+- red
+- team
+- phishing
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
diff --git a/skills/performing-red-team-with-covenant/SKILL.md b/skills/performing-red-team-with-covenant/SKILL.md
index a8f152f5..1006343d 100644
--- a/skills/performing-red-team-with-covenant/SKILL.md
+++ b/skills/performing-red-team-with-covenant/SKILL.md
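Review bot: The new-side `tags` list is `performing`, `red`, `team`, `phishing`, which looks like the skill name split on hyphens rather than chosen keywords; `performing`, `red` and `team` on their own are useless for filtering and the commit converts the list to block style without revisiting its content. While the lines are being rewritten anyway, replace them with descriptive tags such as `- red-team`, `- phishing-simulation`, `- gophish` and `- security-awareness`, matching the hyphenated compound tags used by the neighbouring skills in this commit. The same tokenised pattern appears in the SSRF and SOC 2 skills later in the diff, so the generator that produced these tags is probably the thing to fix.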
@@ -1,12 +1,22 @@
 ---
 name: performing-red-team-with-covenant
-description: Conduct red team operations using the Covenant C2 framework for authorized adversary simulation, including listener setup, grunt deployment, task execution, and lateral movement tracking.
+description: Conduct red team operations using the Covenant C2 framework for authorized adversary simulation, including listener
+ setup, grunt deployment, task execution, and lateral movement tracking.
 domain: cybersecurity
 subdomain: red-team
-tags: [red-team, c2, covenant, adversary-simulation, penetration-testing]
-version: "1.0"
+tags:
+- red-team
+- c2
+- covenant
+- adversary-simulation
+- penetration-testing
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 # Performing Red Team Operations with Covenant C2
diff --git a/skills/performing-s7comm-protocol-security-analysis/SKILL.md b/skills/performing-s7comm-protocol-security-analysis/SKILL.md
index dcb238d7..4cbf535f 100644
--- a/skills/performing-s7comm-protocol-security-analysis/SKILL.md
+++ b/skills/performing-s7comm-protocol-security-analysis/SKILL.md
@@ -1,16 +1,29 @@
 ---
 name: performing-s7comm-protocol-security-analysis
-description: >
- Perform security analysis of Siemens S7comm and S7CommPlus protocols used by
- SIMATIC S7 PLCs to identify vulnerabilities including replay attacks, integrity
- bypass, unauthorized CPU stop commands, and program download manipulation
- exploiting weaknesses in S7-300, S7-400, S7-1200, and S7-1500 controllers.
+description: 'Perform security analysis of Siemens S7comm and S7CommPlus protocols used by SIMATIC S7 PLCs to identify vulnerabilities
+ including replay attacks, integrity bypass, unauthorized CPU stop commands, and program download manipulation exploiting
+ weaknesses in S7-300, S7-400, S7-1200, and S7-1500 controllers.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, s7comm, siemens, plc-security, protocol-analysis, scada, vulnerability-assessment]
-version: "1.0"
+tags:
+- ot-security
+- ics
+- s7comm
+- siemens
+- plc-security
+- protocol-analysis
+- scada
+- vulnerability-assessment
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 # Performing S7comm Protocol Security Analysis
diff --git a/skills/performing-sca-dependency-scanning-with-snyk/SKILL.md b/skills/performing-sca-dependency-scanning-with-snyk/SKILL.md
index 9d6dd41f..c92afaa3 100644
--- a/skills/performing-sca-dependency-scanning-with-snyk/SKILL.md
+++ b/skills/performing-sca-dependency-scanning-with-snyk/SKILL.md
@@ -1,17 +1,28 @@
 ---
 name: performing-sca-dependency-scanning-with-snyk
-description: >
- This skill covers implementing Software Composition Analysis (SCA) using Snyk to detect
- vulnerable open-source dependencies in CI/CD pipelines. It addresses scanning package
- manifests and lockfiles, automated fix pull request generation, license compliance
- checking, continuous monitoring of deployed applications, and integration with
- GitHub, GitLab, and Jenkins pipelines.
+description: 'This skill covers implementing Software Composition Analysis (SCA) using Snyk to detect vulnerable open-source
+ dependencies in CI/CD pipelines. It addresses scanning package manifests and lockfiles, automated fix pull request generation,
+ license compliance checking, continuous monitoring of deployed applications, and integration with GitHub, GitLab, and Jenkins
+ pipelines.
+
+ '
 domain: cybersecurity
 subdomain: devsecops
-tags: [devsecops, cicd, sca, snyk, dependency-scanning, secure-sdlc]
+tags:
+- devsecops
+- cicd
+- sca
+- snyk
+- dependency-scanning
+- secure-sdlc
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- GV.SC-07
+- ID.IM-04
+- PR.PS-04
 ---
 # Performing SCA Dependency Scanning with Snyk
diff --git a/skills/performing-scada-hmi-security-assessment/SKILL.md b/skills/performing-scada-hmi-security-assessment/SKILL.md
index e6b360e5..300d1a9e 100644
--- a/skills/performing-scada-hmi-security-assessment/SKILL.md
+++ b/skills/performing-scada-hmi-security-assessment/SKILL.md
@@ -1,16 +1,29 @@
 ---
 name: performing-scada-hmi-security-assessment
-description: >
- Perform security assessments of SCADA Human-Machine Interface (HMI) systems
- to identify vulnerabilities in web-based HMIs, thin-client configurations,
- authentication mechanisms, and communication channels between HMI and PLCs,
- aligned with IEC 62443 and NIST SP 800-82 guidelines.
+description: 'Perform security assessments of SCADA Human-Machine Interface (HMI) systems to identify vulnerabilities in web-based
+ HMIs, thin-client configurations, authentication mechanisms, and communication channels between HMI and PLCs, aligned with
+ IEC 62443 and NIST SP 800-82 guidelines.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, scada, hmi, security-assessment, vulnerability, iec62443, nist-800-82]
-version: "1.0"
+tags:
+- ot-security
+- ics
+- scada
+- hmi
+- security-assessment
+- vulnerability
+- iec62443
+- nist-800-82
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 # Performing SCADA HMI Security Assessment
diff --git a/skills/performing-second-order-sql-injection/SKILL.md b/skills/performing-second-order-sql-injection/SKILL.md
index 27b50f3e..5a95871d 100644
--- a/skills/performing-second-order-sql-injection/SKILL.md
+++ b/skills/performing-second-order-sql-injection/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-second-order-sql-injection
-description: Detect and exploit second-order SQL injection vulnerabilities where malicious input is stored in a database and later executed in an unsafe SQL query during a different application operation.
+description: Detect and exploit second-order SQL injection vulnerabilities where malicious input is stored in a database and
+ later executed in an unsafe SQL query during a different application operation.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [second-order-sqli, stored-sql-injection, sql-injection, database-security, web-security, blind-injection, persistent-sqli]
-version: "1.0"
+tags:
+- second-order-sqli
+- stored-sql-injection
+- sql-injection
+- database-security
+- web-security
+- blind-injection
+- persistent-sqli
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Performing Second-Order SQL Injection
diff --git a/skills/performing-security-headers-audit/SKILL.md b/skills/performing-security-headers-audit/SKILL.md
index 38a113bf..81e0bdf1 100644
--- a/skills/performing-security-headers-audit/SKILL.md
+++ b/skills/performing-security-headers-audit/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-security-headers-audit
-description: Auditing HTTP security headers including CSP, HSTS, X-Frame-Options, and cookie attributes to identify missing or misconfigured browser-level protections.
+description: Auditing HTTP security headers including CSP, HSTS, X-Frame-Options, and cookie attributes to identify missing
+ or misconfigured browser-level protections.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, security-headers, csp, hsts, owasp, web-security, hardening]
-version: "1.0"
+tags:
+- penetration-testing
+- security-headers
+- csp
+- hsts
+- owasp
+- web-security
+- hardening
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Performing Security Headers Audit
diff --git a/skills/performing-serverless-function-security-review/SKILL.md b/skills/performing-serverless-function-security-review/SKILL.md
index 865f1ad6..f54abac0 100644
--- a/skills/performing-serverless-function-security-review/SKILL.md
+++ b/skills/performing-serverless-function-security-review/SKILL.md
@@ -1,15 +1,27 @@
 ---
 name: performing-serverless-function-security-review
-description: >
- Performing security reviews of serverless functions across AWS Lambda, Azure Functions,
- and GCP Cloud Functions to identify overly permissive execution roles, insecure environment
- variables, injection vulnerabilities, and missing runtime protections.
+description: 'Performing security reviews of serverless functions across AWS Lambda, Azure Functions, and GCP Cloud Functions
+ to identify overly permissive execution roles, insecure environment variables, injection vulnerabilities, and missing runtime
+ protections.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, serverless, lambda, azure-functions, cloud-functions, security-review]
-version: "1.0"
+tags:
+- cloud-security
+- serverless
+- lambda
+- azure-functions
+- cloud-functions
+- security-review
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 # Performing Serverless Function Security Review
diff --git a/skills/performing-service-account-audit/SKILL.md b/skills/performing-service-account-audit/SKILL.md
index c4e33bbf..3e5386b8 100644
--- a/skills/performing-service-account-audit/SKILL.md
+++ b/skills/performing-service-account-audit/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: performing-service-account-audit
-description: Audit service accounts across enterprise infrastructure to identify orphaned, over-privileged, and non-compliant accounts. This skill covers discovery of service accounts in Active Directory, cloud pl
+description: Audit service accounts across enterprise infrastructure to identify orphaned, over-privileged, and non-compliant
+ accounts. This skill covers discovery of service accounts in Active Directory, cloud pl
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [iam, identity, access-control, service-accounts, audit, governance]
-version: "1.0"
+tags:
+- iam
+- identity
+- access-control
+- service-accounts
+- audit
+- governance
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 # Performing Service Account Audit
diff --git a/skills/performing-service-account-credential-rotation/SKILL.md b/skills/performing-service-account-credential-rotation/SKILL.md
index 43dda48a..3e94fed6 100644
--- a/skills/performing-service-account-credential-rotation/SKILL.md
+++ b/skills/performing-service-account-credential-rotation/SKILL.md
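Review bot: The rewrapped `description` on the new side still stops mid-word at `cloud pl`, so the commit re-flows a truncated sentence instead of completing it; the old side was cut at exactly the same point, which suggests an earlier length cap rather than an intentional ending. The missing tail (presumably `cloud platforms` and whatever followed) is not recoverable from the diff and should be restored from the skill body below the frontmatter, which is outside this hunk. Until then the field is misleading to anything that indexes or displays it, so I would not merge the reformat without fixing the text it reformats.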
@@ -1,12 +1,24 @@
 ---
 name: performing-service-account-credential-rotation
-description: Automate credential rotation for service accounts across Active Directory, cloud platforms, and application databases to eliminate stale secrets and reduce compromise risk.
+description: Automate credential rotation for service accounts across Active Directory, cloud platforms, and application databases
+ to eliminate stale secrets and reduce compromise risk.
 domain: cybersecurity
 subdomain: identity-access-management
-tags: [service-accounts, credential-rotation, secrets-management, pam, automation, vault]
-version: "1.0"
+tags:
+- service-accounts
+- credential-rotation
+- secrets-management
+- pam
+- automation
+- vault
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-02
+- PR.AA-05
+- PR.AA-06
 ---
 # Performing Service Account Credential Rotation
diff --git a/skills/performing-soap-web-service-security-testing/SKILL.md b/skills/performing-soap-web-service-security-testing/SKILL.md
index 9eaaf10a..6ff58e76 100644
--- a/skills/performing-soap-web-service-security-testing/SKILL.md
+++ b/skills/performing-soap-web-service-security-testing/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: performing-soap-web-service-security-testing
-description: Perform security testing of SOAP web services by analyzing WSDL definitions and testing for XML injection, XXE, WS-Security bypass, and SOAPAction spoofing.
+description: Perform security testing of SOAP web services by analyzing WSDL definitions and testing for XML injection, XXE,
+ WS-Security bypass, and SOAPAction spoofing.
 domain: cybersecurity
 subdomain: api-security
-tags: [soap, web-services, wsdl, xml-injection, xxe, ws-security, penetration-testing, soapaction-spoofing, xpath-injection]
-version: "1.0"
+tags:
+- soap
+- web-services
+- wsdl
+- xml-injection
+- xxe
+- ws-security
+- penetration-testing
+- soapaction-spoofing
+- xpath-injection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 # Performing SOAP Web Service Security Testing
diff --git a/skills/performing-soc-tabletop-exercise/SKILL.md b/skills/performing-soc-tabletop-exercise/SKILL.md
index c5bec820..7f7a8e32 100644
--- a/skills/performing-soc-tabletop-exercise/SKILL.md
+++ b/skills/performing-soc-tabletop-exercise/SKILL.md
@@ -1,17 +1,33 @@
 ---
 name: performing-soc-tabletop-exercise
-description: >
- Performs tabletop exercises for SOC teams simulating security incidents through discussion-based
- scenarios to test incident response procedures, communication workflows, and decision-making
- under pressure without impacting production systems. Use when organizations need to validate
- IR playbooks, train analysts, or meet compliance requirements for incident response testing.
+description: 'Performs tabletop exercises for SOC teams simulating security incidents through discussion-based scenarios to
+ test incident response procedures, communication workflows, and decision-making under pressure without impacting production
+ systems. Use when organizations need to validate IR playbooks, train analysts, or meet compliance requirements for incident
+ response testing.
+
+ '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, tabletop, exercise, incident-response, training, nist, playbook-validation]
-mitre_attack: ["T1566", "T1486", "T1078"]
-version: "1.0"
+tags:
+- soc
+- tabletop
+- exercise
+- incident-response
+- training
+- nist
+- playbook-validation
+mitre_attack:
+- T1566
+- T1486
+- T1078
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Performing SOC Tabletop Exercise
diff --git a/skills/performing-soc2-type2-audit-preparation/SKILL.md b/skills/performing-soc2-type2-audit-preparation/SKILL.md
index aebef2cd..cb9b3bb7 100644
--- a/skills/performing-soc2-type2-audit-preparation/SKILL.md
+++ b/skills/performing-soc2-type2-audit-preparation/SKILL.md
@@ -1,19 +1,30 @@
 ---
 name: performing-soc2-type2-audit-preparation
-description: >
- Automates SOC 2 Type II audit preparation including gap assessment against AICPA
- Trust Services Criteria (CC1-CC9), evidence collection from cloud providers and
- identity systems, control testing validation, remediation tracking, and continuous
- compliance monitoring. Covers all five TSC categories (Security, Availability,
- Processing Integrity, Confidentiality, Privacy) with automated evidence gathering
- from AWS, Azure, GCP, Okta, GitHub, and Jira. Use when preparing for or maintaining
- SOC 2 Type II certification.
+description: 'Automates SOC 2 Type II audit preparation including gap assessment against AICPA Trust Services Criteria (CC1-CC9),
+ evidence collection from cloud providers and identity systems, control testing validation, remediation tracking, and continuous
+ compliance monitoring. Covers all five TSC categories (Security, Availability, Processing Integrity, Confidentiality, Privacy)
+ with automated evidence gathering from AWS, Azure, GCP, Okta, GitHub, and Jira. Use when preparing for or maintaining SOC
+ 2 Type II certification.
+
+ '
 domain: cybersecurity
 subdomain: governance-risk-compliance
-tags: [performing, soc2, type2, audit, preparation, compliance, grc]
-version: "1.0"
+tags:
+- performing
+- soc2
+- type2
+- audit
+- preparation
+- compliance
+- grc
+version: '1.0'
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- GV.OC-01
+- GV.RM-01
+- GV.PO-01
+- GV.OV-01
 ---
 # Performing SOC 2 Type II Audit Preparation
diff --git a/skills/performing-sqlite-database-forensics/SKILL.md b/skills/performing-sqlite-database-forensics/SKILL.md
index 8a87e3f9..f4a6c9c4 100644
--- a/skills/performing-sqlite-database-forensics/SKILL.md
+++ b/skills/performing-sqlite-database-forensics/SKILL.md
@@ -1,12 +1,28 @@
 ---
 name: performing-sqlite-database-forensics
-description: Perform forensic analysis of SQLite databases to recover deleted records from freelists and WAL files, decode encoded timestamps, and extract evidence from browser history, messaging apps, and mobile device databases.
+description: Perform forensic analysis of SQLite databases to recover deleted records from freelists and WAL files, decode
+ encoded timestamps, and extract evidence from browser history, messaging apps, and mobile device databases.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [sqlite, database-forensics, freelist, wal, write-ahead-log, browser-history, mobile-forensics, deleted-records, b-tree, unallocated-space]
-version: "1.0"
+tags:
+- sqlite
+- database-forensics
+- freelist
+- wal
+- write-ahead-log
+- browser-history
+- mobile-forensics
+- deleted-records
+- b-tree
+- unallocated-space
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 # Performing SQLite Database Forensics
diff --git a/skills/performing-ssl-certificate-lifecycle-management/SKILL.md b/skills/performing-ssl-certificate-lifecycle-management/SKILL.md
index 5d70108e..60874fe9 100644
--- a/skills/performing-ssl-certificate-lifecycle-management/SKILL.md
+++ b/skills/performing-ssl-certificate-lifecycle-management/SKILL.md
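Review bot: `RS.AN-01` in the added `nist_csf` list does not appear to be a NIST CSF 2.0 subcategory: the 2.0 Incident Analysis category keeps only RS.AN-03, -06, -07 and -08, and RS.AN-01 was a CSF 1.1 identifier ("notifications from detection systems are investigated") that 2.0 folded into DE.AE-02 — which this same list already contains. The other entries here (RS.MA-01) and the GV.* identifiers added elsewhere in this commit exist only in 2.0, so the field is mixing framework versions, which will confuse any tooling that validates or cross-references these IDs. If 2.0 is intended, drop the entry or replace it with `- RS.AN-07` (incident data and metadata are collected and preserved), which is the closer match for evidence-recovery work; either way, record the CSF version the field targets in the schema or a comment so the drift is visible.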
@@ -1,12 +1,23 @@
 ---
 name: performing-ssl-certificate-lifecycle-management
-description: SSL/TLS certificate lifecycle management encompasses the full process of requesting, issuing, deploying, monitoring, renewing, and revoking X.509 certificates. Poor certificate management is a leading
+description: SSL/TLS certificate lifecycle management encompasses the full process of requesting, issuing, deploying, monitoring,
+ renewing, and revoking X.509 certificates. Poor certificate management is a leading
 domain: cybersecurity
 subdomain: cryptography
-tags: [cryptography, ssl, certificates, pki, tls, key-management]
-version: "1.0"
+tags:
+- cryptography
+- ssl
+- certificates
+- pki
+- tls
+- key-management
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- PR.DS-10
 ---
 # Performing SSL Certificate Lifecycle Management
diff --git a/skills/performing-ssl-stripping-attack/SKILL.md b/skills/performing-ssl-stripping-attack/SKILL.md
index bc121d37..83cc66e0 100644
--- a/skills/performing-ssl-stripping-attack/SKILL.md
+++ b/skills/performing-ssl-stripping-attack/SKILL.md
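Review bot: The new-side `description` still ends with the dangling clause `Poor certificate management is a leading`, so the re-wrap preserves a sentence that was cut off on the old side rather than finishing it. The frontmatter description is what skill indexes surface, and a half-sentence here reads as a rendering bug; the intended continuation (presumably "cause of outages" or similar) should be taken from the file body, which is outside this hunk, not guessed. As a smaller point, this is one of the few skills whose `nist_csf` list has three entries rather than four; that is fine if deliberate, but worth a glance given the lists elsewhere in the commit look templated per subdomain.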
@@ -1,15 +1,26 @@
 ---
 name: performing-ssl-stripping-attack
-description: >
- Simulates SSL stripping attacks using sslstrip, Bettercap, and mitmproxy in authorized
- environments to test HSTS enforcement, certificate validation, and HTTPS upgrade
- mechanisms that protect users from downgrade attacks on encrypted connections.
+description: 'Simulates SSL stripping attacks using sslstrip, Bettercap, and mitmproxy in authorized environments to test
+ HSTS enforcement, certificate validation, and HTTPS upgrade mechanisms that protect users from downgrade attacks on encrypted
+ connections.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, ssl-stripping, https, hsts, tls-security]
-version: "1.0"
+tags:
+- network-security
+- ssl-stripping
+- https
+- hsts
+- tls-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 # Performing SSL Stripping Attack
diff --git a/skills/performing-ssl-tls-inspection-configuration/SKILL.md b/skills/performing-ssl-tls-inspection-configuration/SKILL.md
index 14bfdf7a..20484076 100644
--- a/skills/performing-ssl-tls-inspection-configuration/SKILL.md
+++ b/skills/performing-ssl-tls-inspection-configuration/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: performing-ssl-tls-inspection-configuration
-description: Configure SSL/TLS inspection on network security devices to decrypt, inspect, and re-encrypt HTTPS traffic for threat detection while managing certificates, exemptions, and privacy compliance.
+description: Configure SSL/TLS inspection on network security devices to decrypt, inspect, and re-encrypt HTTPS traffic for
+ threat detection while managing certificates, exemptions, and privacy compliance.
 domain: cybersecurity
 subdomain: network-security
-tags: [ssl-inspection, tls-decryption, https-inspection, certificate-management, proxy, man-in-the-middle, network-security, forward-proxy]
-version: "1.0"
+tags:
+- ssl-inspection
+- tls-decryption
+- https-inspection
+- certificate-management
+- proxy
+- man-in-the-middle
+- network-security
+- forward-proxy
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 # Performing SSL/TLS Inspection Configuration
diff --git a/skills/performing-ssl-tls-security-assessment/SKILL.md b/skills/performing-ssl-tls-security-assessment/SKILL.md
index 075fc318..8f68b350 100644
--- a/skills/performing-ssl-tls-security-assessment/SKILL.md
+++ b/skills/performing-ssl-tls-security-assessment/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-ssl-tls-security-assessment
-description: Assess SSL/TLS server configurations using the sslyze Python library to evaluate cipher suites, certificate chains, protocol versions, HSTS headers, and known vulnerabilities like Heartbleed and ROBOT.
+description: Assess SSL/TLS server configurations using the sslyze Python library to evaluate cipher suites, certificate chains,
+ protocol versions, HSTS headers, and known vulnerabilities like Heartbleed and ROBOT.
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, ssl, tls, sslyze, certificate, cipher-suites, vulnerability-assessment]
-version: "1.0"
+tags:
+- network-security
+- ssl
+- tls
+- sslyze
+- certificate
+- cipher-suites
+- vulnerability-assessment
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 # Performing SSL/TLS Security Assessment
diff --git a/skills/performing-ssrf-vulnerability-exploitation/SKILL.md b/skills/performing-ssrf-vulnerability-exploitation/SKILL.md
index d8fb7fcb..63eeb708 100644
--- a/skills/performing-ssrf-vulnerability-exploitation/SKILL.md
+++ b/skills/performing-ssrf-vulnerability-exploitation/SKILL.md
@@ -1,16 +1,23 @@
 ---
 name: performing-ssrf-vulnerability-exploitation
-description: >-
- Test for Server-Side Request Forgery vulnerabilities by probing cloud metadata endpoints,
- internal network services, and protocol handlers through user-controllable URL parameters.
- Tests AWS/GCP/Azure metadata APIs (169.254.169.254), internal port scanning via HTTP,
- URL scheme bypass techniques, and DNS rebinding detection.
+description: Test for Server-Side Request Forgery vulnerabilities by probing cloud metadata endpoints, internal network services,
+ and protocol handlers through user-controllable URL parameters. Tests AWS/GCP/Azure metadata APIs (169.254.169.254), internal
+ port scanning via HTTP, URL scheme bypass techniques, and DNS rebinding detection.
 domain: cybersecurity
 subdomain: security-operations
-tags: [performing, ssrf, vulnerability, exploitation]
-version: "1.0"
+tags:
+- performing
+- ssrf
+- vulnerability
+- exploitation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---
diff --git a/skills/performing-static-malware-analysis-with-pe-studio/SKILL.md b/skills/performing-static-malware-analysis-with-pe-studio/SKILL.md
index ce90828a..09e9c1bd 100644
--- a/skills/performing-static-malware-analysis-with-pe-studio/SKILL.md
+++ b/skills/performing-static-malware-analysis-with-pe-studio/SKILL.md
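Review bot: The added `nist_csf` list for this SSRF testing skill (`DE.CM-01`, `RS.MA-01`, `GV.OV-01`, `DE.AE-02`) is byte-identical to the one added to the GoPhish skill earlier in the commit, and both files share `subdomain: security-operations`, so the mapping looks to have been assigned per subdomain rather than per skill; continuous monitoring and incident management are a poor description of an offensive vulnerability-testing activity. A vulnerability-identification skill fits `- ID.RA-01` (vulnerabilities in assets are identified and recorded) and, for the cloud-metadata angle, `- PR.IR-01` (networks and environments are protected from unauthorized logical access), so I would revisit these four before they are consumed downstream. The tokenised `tags` (`performing`, `vulnerability`, `exploitation`) have the same per-name-split problem already noted on the phishing skill.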
@@ -1,17 +1,27 @@
 ---
 name: performing-static-malware-analysis-with-pe-studio
-description: >
- Performs static analysis of Windows PE (Portable Executable) malware samples using
- PEStudio to examine file headers, imports, strings, resources, and indicators without
- executing the binary. Identifies suspicious characteristics including packing, anti-analysis
- techniques, and malicious imports. Activates for requests involving static malware analysis,
+description: 'Performs static analysis of Windows PE (Portable Executable) malware samples using PEStudio to examine file
+ headers, imports, strings, resources, and indicators without executing the binary. Identifies suspicious characteristics
+ including packing, anti-analysis techniques, and malicious imports. Activates for requests involving static malware analysis,
 PE file inspection, Windows executable analysis, or pre-execution malware triage.
+
+ '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, static-analysis, PE-analysis, PEStudio, reverse-engineering]
+tags:
+- malware
+- static-analysis
+- PE-analysis
+- PEStudio
+- reverse-engineering
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Performing Static Malware Analysis with PEStudio
diff --git a/skills/performing-steganography-detection/SKILL.md b/skills/performing-steganography-detection/SKILL.md
index f73447a9..13934c89 100644
--- a/skills/performing-steganography-detection/SKILL.md
+++ b/skills/performing-steganography-detection/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: performing-steganography-detection
-description: Detect and extract hidden data embedded in images, audio, and other media files using steganalysis tools to uncover covert communication channels.
+description: Detect and extract hidden data embedded in images, audio, and other media files using steganalysis tools to uncover
+ covert communication channels.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, steganography, steganalysis, hidden-data, covert-channels, image-analysis]
-version: "1.0"
+tags:
+- forensics
+- steganography
+- steganalysis
+- hidden-data
+- covert-channels
+- image-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 # Performing Steganography Detection
diff --git a/skills/performing-subdomain-enumeration-with-subfinder/SKILL.md b/skills/performing-subdomain-enumeration-with-subfinder/SKILL.md
index 0539968d..aa119117 100644
--- a/skills/performing-subdomain-enumeration-with-subfinder/SKILL.md
+++ b/skills/performing-subdomain-enumeration-with-subfinder/SKILL.md
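Review bot: The added `nist_csf` list repeats the `RS.AN-01` entry used by the other digital-forensics skill in this commit, and that identifier appears to exist only in CSF 1.1 — CSF 2.0 withdrew it into DE.AE-02, which is also listed here, so the entry is both version-inconsistent and redundant with its own neighbour. Because the four IDs are identical across the digital-forensics skills, this reads as a per-subdomain template rather than a per-skill mapping, and a single bad entry in the template propagates to every file. Replacing it with `- RS.AN-07` (incident data and metadata are collected and preserved) or simply dropping it would leave a clean 2.0-only list; covert-channel detection could also justify `- DE.CM-01` if a fourth entry is wanted.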
@@ -1,12 +1,25 @@
 ---
 name: performing-subdomain-enumeration-with-subfinder
-description: Enumerate subdomains of target domains using ProjectDiscovery's Subfinder passive reconnaissance tool to map the attack surface during security assessments.
+description: Enumerate subdomains of target domains using ProjectDiscovery's Subfinder passive reconnaissance tool to map
+ the attack surface during security assessments.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [subdomain-enumeration, reconnaissance, bug-bounty, attack-surface, subfinder, passive-recon, osint]
-version: "1.0"
+tags:
+- subdomain-enumeration
+- reconnaissance
+- bug-bounty
+- attack-surface
+- subfinder
+- passive-recon
+- osint
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Performing Subdomain Enumeration with Subfinder
diff --git a/skills/performing-supply-chain-attack-simulation/SKILL.md b/skills/performing-supply-chain-attack-simulation/SKILL.md
index ed8f9c97..65f1f7d0 100644
--- a/skills/performing-supply-chain-attack-simulation/SKILL.md
+++ b/skills/performing-supply-chain-attack-simulation/SKILL.md
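Review bot: The `nist_csf` list added here (`PR.PS-01`, `ID.RA-01`, `PR.DS-10`, `DE.CM-01`) is identical to the ones added for the WAF bypass, web cache deception and web cache poisoning skills, which suggests the mapping was assigned per `subdomain` rather than per skill. PR.DS-10 concerns protection of data in use and is hard to connect to passive subdomain enumeration, so a reader cannot tell whether the entry is deliberate. If the mapping is intentionally per subdomain, a sentence in the repository documentation saying so would stop reviewers second-guessing each list; if it is meant to be per skill, this hunk and those three deserve a second look.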
@@ -1,12 +1,26 @@
 ---
 name: performing-supply-chain-attack-simulation
-description: Simulate and detect software supply chain attacks including typosquatting detection via Levenshtein distance, dependency confusion testing against private registries, package hash verification with pip, and known vulnerability scanning with pip-audit.
+description: Simulate and detect software supply chain attacks including typosquatting detection via Levenshtein distance,
+ dependency confusion testing against private registries, package hash verification with pip, and known vulnerability scanning
+ with pip-audit.
 domain: cybersecurity
 subdomain: application-security
-tags: [supply-chain, typosquatting, dependency-confusion, package-verification, pip-audit, PyPI, software-composition-analysis]
-version: "1.0"
+tags:
+- supply-chain
+- typosquatting
+- dependency-confusion
+- package-verification
+- pip-audit
+- PyPI
+- software-composition-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.PS-04
+- ID.RA-01
+- PR.DS-10
 ---
 
 # Performing Supply Chain Attack Simulation
diff --git a/skills/performing-thick-client-application-penetration-test/SKILL.md b/skills/performing-thick-client-application-penetration-test/SKILL.md
index a0293c23..b1a02915 100644
--- a/skills/performing-thick-client-application-penetration-test/SKILL.md
+++ b/skills/performing-thick-client-application-penetration-test/SKILL.md
@@ -24,6 +24,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Performing Thick Client Application Penetration Test
diff --git a/skills/performing-threat-emulation-with-atomic-red-team/SKILL.md b/skills/performing-threat-emulation-with-atomic-red-team/SKILL.md
index 7ef63455..f3fc239d 100644
--- a/skills/performing-threat-emulation-with-atomic-red-team/SKILL.md
+++ b/skills/performing-threat-emulation-with-atomic-red-team/SKILL.md
@@ -29,6 +29,11 @@ d3fend_techniques:
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Performing Threat Emulation with Atomic Red Team
diff --git a/skills/performing-threat-hunting-with-elastic-siem/SKILL.md b/skills/performing-threat-hunting-with-elastic-siem/SKILL.md
index 62f48257..a1be302c 100644
--- a/skills/performing-threat-hunting-with-elastic-siem/SKILL.md
+++ b/skills/performing-threat-hunting-with-elastic-siem/SKILL.md
@@ -33,6 +33,11 @@ d3fend_techniques:
 - Network Traffic Analysis
 - Client-server Payload Profiling
 - Network Traffic Community Deviation
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 
 # Performing Threat Hunting with Elastic SIEM
diff --git a/skills/performing-threat-hunting-with-yara-rules/SKILL.md b/skills/performing-threat-hunting-with-yara-rules/SKILL.md
index 4ff4d79c..8abaea81 100644
--- a/skills/performing-threat-hunting-with-yara-rules/SKILL.md
+++ b/skills/performing-threat-hunting-with-yara-rules/SKILL.md
@@ -20,6 +20,11 @@ d3fend_techniques:
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---
 
 # Performing Threat Hunting with YARA Rules
diff --git a/skills/performing-threat-intelligence-sharing-with-misp/SKILL.md b/skills/performing-threat-intelligence-sharing-with-misp/SKILL.md
index 4b2c0f32..8fc58736 100644
--- a/skills/performing-threat-intelligence-sharing-with-misp/SKILL.md
+++ b/skills/performing-threat-intelligence-sharing-with-misp/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: performing-threat-intelligence-sharing-with-misp
-description: Use PyMISP to create, enrich, and share threat intelligence events on a MISP platform, including IOC management, feed integration, STIX export, and community sharing workflows.
+description: Use PyMISP to create, enrich, and share threat intelligence events on a MISP platform, including IOC management,
+ feed integration, STIX export, and community sharing workflows.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [misp, pymisp, threat-intelligence, ioc-sharing, stix, taxii, threat-feeds, information-sharing]
-version: "1.0"
+tags:
+- misp
+- pymisp
+- threat-intelligence
+- ioc-sharing
+- stix
+- taxii
+- threat-feeds
+- information-sharing
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Performing Threat Intelligence Sharing with MISP
diff --git a/skills/performing-threat-landscape-assessment-for-sector/SKILL.md b/skills/performing-threat-landscape-assessment-for-sector/SKILL.md
index 136e302a..fe15ae76 100644
--- a/skills/performing-threat-landscape-assessment-for-sector/SKILL.md
+++ b/skills/performing-threat-landscape-assessment-for-sector/SKILL.md
@@ -21,6 +21,11 @@ d3fend_techniques:
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Performing Threat Landscape Assessment for Sector
diff --git a/skills/performing-threat-modeling-with-owasp-threat-dragon/SKILL.md b/skills/performing-threat-modeling-with-owasp-threat-dragon/SKILL.md
index c5c67e4d..ac636cee 100644
--- a/skills/performing-threat-modeling-with-owasp-threat-dragon/SKILL.md
+++ b/skills/performing-threat-modeling-with-owasp-threat-dragon/SKILL.md
@@ -24,6 +24,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.PS-01
+- GV.SC-07
+- ID.IM-04
+- PR.PS-04
 ---
 
 # Performing Threat Modeling with OWASP Threat Dragon
diff --git a/skills/performing-timeline-reconstruction-with-plaso/SKILL.md b/skills/performing-timeline-reconstruction-with-plaso/SKILL.md
index 0c6e1952..bfecc531 100644
--- a/skills/performing-timeline-reconstruction-with-plaso/SKILL.md
+++ b/skills/performing-timeline-reconstruction-with-plaso/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: performing-timeline-reconstruction-with-plaso
-description: Build comprehensive forensic super-timelines using Plaso (log2timeline) to correlate events across file systems, logs, and artifacts into a unified chronological view.
+description: Build comprehensive forensic super-timelines using Plaso (log2timeline) to correlate events across file systems,
+ logs, and artifacts into a unified chronological view.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, timeline-analysis, plaso, log2timeline, super-timeline, event-correlation]
-version: "1.0"
+tags:
+- forensics
+- timeline-analysis
+- plaso
+- log2timeline
+- super-timeline
+- event-correlation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 
 # Performing Timeline Reconstruction with Plaso
diff --git a/skills/performing-user-behavior-analytics/SKILL.md b/skills/performing-user-behavior-analytics/SKILL.md
index 703afed7..b11143ca 100644
--- a/skills/performing-user-behavior-analytics/SKILL.md
+++ b/skills/performing-user-behavior-analytics/SKILL.md
@@ -1,16 +1,29 @@
 ---
 name: performing-user-behavior-analytics
-description: >
- Performs User and Entity Behavior Analytics (UEBA) to detect anomalous user activities including
- impossible travel, unusual access patterns, privilege abuse, and insider threats using SIEM-based
- behavioral baselines and statistical analysis. Use when SOC teams need to identify compromised
- accounts or insider threats through deviation from established behavioral norms.
+description: 'Performs User and Entity Behavior Analytics (UEBA) to detect anomalous user activities including impossible
+ travel, unusual access patterns, privilege abuse, and insider threats using SIEM-based behavioral baselines and statistical
+ analysis. Use when SOC teams need to identify compromised accounts or insider threats through deviation from established
+ behavioral norms.
+
+ '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, ueba, user-behavior, insider-threat, anomaly-detection, splunk, baseline]
-version: "1.0"
+tags:
+- soc
+- ueba
+- user-behavior
+- insider-threat
+- anomaly-detection
+- splunk
+- baseline
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 
 # Performing User Behavior Analytics
diff --git a/skills/performing-vlan-hopping-attack/SKILL.md b/skills/performing-vlan-hopping-attack/SKILL.md
index 3d0d3009..8368607d 100644
--- a/skills/performing-vlan-hopping-attack/SKILL.md
+++ b/skills/performing-vlan-hopping-attack/SKILL.md
@@ -1,15 +1,25 @@
 ---
 name: performing-vlan-hopping-attack
-description: >
- Simulates VLAN hopping attacks using switch spoofing and double tagging techniques
- in authorized environments to test VLAN segmentation effectiveness and validate
- switch port security configurations against Layer 2 bypass attacks.
+description: 'Simulates VLAN hopping attacks using switch spoofing and double tagging techniques in authorized environments
+ to test VLAN segmentation effectiveness and validate switch port security configurations against Layer 2 bypass attacks.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, vlan-hopping, layer2-attack, switch-security, 802.1q]
-version: "1.0"
+tags:
+- network-security
+- vlan-hopping
+- layer2-attack
+- switch-security
+- 802.1q
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Performing VLAN Hopping Attack
diff --git a/skills/performing-vulnerability-scanning-with-nessus/SKILL.md b/skills/performing-vulnerability-scanning-with-nessus/SKILL.md
index 2e515520..30093f55 100644
--- a/skills/performing-vulnerability-scanning-with-nessus/SKILL.md
+++ b/skills/performing-vulnerability-scanning-with-nessus/SKILL.md
@@ -1,18 +1,27 @@
 ---
 name: performing-vulnerability-scanning-with-nessus
-description: >
- Performs authenticated and unauthenticated vulnerability scanning using Tenable Nessus to
- identify known vulnerabilities, misconfigurations, default credentials, and missing patches
- across network infrastructure, servers, and applications. The scanner correlates findings with
- CVE databases and CVSS scores to produce prioritized remediation guidance. Activates for
- requests involving vulnerability scanning, Nessus assessment, patch compliance checking,
- or automated vulnerability detection.
+description: 'Performs authenticated and unauthenticated vulnerability scanning using Tenable Nessus to identify known vulnerabilities,
+ misconfigurations, default credentials, and missing patches across network infrastructure, servers, and applications. The
+ scanner correlates findings with CVE databases and CVSS scores to produce prioritized remediation guidance. Activates for
+ requests involving vulnerability scanning, Nessus assessment, patch compliance checking, or automated vulnerability detection.
+
+ '
 domain: cybersecurity
 subdomain: penetration-testing
-tags: [vulnerability-scanning, Nessus, CVE, patch-management, Tenable]
+tags:
+- vulnerability-scanning
+- Nessus
+- CVE
+- patch-management
+- Tenable
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Performing Vulnerability Scanning with Nessus
diff --git a/skills/performing-web-application-firewall-bypass/SKILL.md b/skills/performing-web-application-firewall-bypass/SKILL.md
index d4a696b9..d1628b37 100644
--- a/skills/performing-web-application-firewall-bypass/SKILL.md
+++ b/skills/performing-web-application-firewall-bypass/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-web-application-firewall-bypass
-description: Bypass Web Application Firewall protections using encoding techniques, HTTP method manipulation, parameter pollution, and payload obfuscation to deliver SQL injection, XSS, and other attack payloads past WAF detection rules.
+description: Bypass Web Application Firewall protections using encoding techniques, HTTP method manipulation, parameter pollution,
+ and payload obfuscation to deliver SQL injection, XSS, and other attack payloads past WAF detection rules.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [waf-bypass, waf-evasion, sql-injection, xss, payload-obfuscation, encoding-bypass, web-security]
-version: "1.0"
+tags:
+- waf-bypass
+- waf-evasion
+- sql-injection
+- xss
+- payload-obfuscation
+- encoding-bypass
+- web-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Performing Web Application Firewall Bypass
diff --git a/skills/performing-web-application-penetration-test/SKILL.md b/skills/performing-web-application-penetration-test/SKILL.md
index 825903d1..961756ff 100644
--- a/skills/performing-web-application-penetration-test/SKILL.md
+++ b/skills/performing-web-application-penetration-test/SKILL.md
@@ -1,18 +1,28 @@
 ---
 name: performing-web-application-penetration-test
-description: >
- Performs systematic security testing of web applications following the OWASP Web Security
- Testing Guide (WSTG) methodology to identify vulnerabilities in authentication, authorization,
- input validation, session management, and business logic. The tester uses Burp Suite as the
- primary interception proxy alongside manual testing techniques to find flaws that automated
- scanners miss. Activates for requests involving web app pentest, OWASP testing, application
- security assessment, or web vulnerability testing.
+description: 'Performs systematic security testing of web applications following the OWASP Web Security Testing Guide (WSTG)
+ methodology to identify vulnerabilities in authentication, authorization, input validation, session management, and business
+ logic. The tester uses Burp Suite as the primary interception proxy alongside manual testing techniques to find flaws that
+ automated scanners miss. Activates for requests involving web app pentest, OWASP testing, application security assessment,
+ or web vulnerability testing.
+
+ '
 domain: cybersecurity
 subdomain: penetration-testing
-tags: [web-application-pentest, OWASP, Burp-Suite, WSTG, application-security]
+tags:
+- web-application-pentest
+- OWASP
+- Burp-Suite
+- WSTG
+- application-security
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Performing Web Application Penetration Test
diff --git a/skills/performing-web-application-scanning-with-nikto/SKILL.md b/skills/performing-web-application-scanning-with-nikto/SKILL.md
index b8a00864..2ebecd41 100644
--- a/skills/performing-web-application-scanning-with-nikto/SKILL.md
+++ b/skills/performing-web-application-scanning-with-nikto/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: performing-web-application-scanning-with-nikto
-description: Nikto is an open-source web server and web application scanner that tests against over 7,000 potentially dangerous files/programs, checks for outdated versions of over 1,250 servers, and identifies ve
+description: Nikto is an open-source web server and web application scanner that tests against over 7,000 potentially dangerous
+ files/programs, checks for outdated versions of over 1,250 servers, and identifies ve
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [vulnerability-management, cve, nikto, web-scanning, owasp, risk]
-version: "1.0"
+tags:
+- vulnerability-management
+- cve
+- nikto
+- web-scanning
+- owasp
+- risk
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 
 # Performing Web Application Scanning with Nikto
diff --git a/skills/performing-web-application-vulnerability-triage/SKILL.md b/skills/performing-web-application-vulnerability-triage/SKILL.md
index 31292a8b..f1040b6a 100644
--- a/skills/performing-web-application-vulnerability-triage/SKILL.md
+++ b/skills/performing-web-application-vulnerability-triage/SKILL.md
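Review bot: The reformatted `description` is still cut off mid-word (`... and identifies ve`), so the new value is a truncated sentence now wrapped across two lines; the truncation predates this commit, but the hunk rewrites exactly these lines and is the natural place to repair it. Either restore the missing tail or end the value at the last complete clause, e.g. `description: Nikto is an open-source web server and web application scanner that tests against over 7,000 potentially dangerous files/programs and checks for outdated versions of over 1,250 servers.` The CVSS scoring hunk below carries the same defect (`CVSS v4.0 (r`).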
@@ -1,12 +1,27 @@
 ---
 name: performing-web-application-vulnerability-triage
-description: Triage web application vulnerability findings from DAST/SAST scanners using OWASP risk rating methodology to separate true positives from false positives and prioritize remediation.
+description: Triage web application vulnerability findings from DAST/SAST scanners using OWASP risk rating methodology to
+ separate true positives from false positives and prioritize remediation.
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [web-application, vulnerability-triage, owasp, dast, sast, burp-suite, zap, false-positive, risk-rating]
-version: "1.0"
+tags:
+- web-application
+- vulnerability-triage
+- owasp
+- dast
+- sast
+- burp-suite
+- zap
+- false-positive
+- risk-rating
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 
 # Performing Web Application Vulnerability Triage
diff --git a/skills/performing-web-cache-deception-attack/SKILL.md b/skills/performing-web-cache-deception-attack/SKILL.md
index cc13b8c4..ccb45a9f 100644
--- a/skills/performing-web-cache-deception-attack/SKILL.md
+++ b/skills/performing-web-cache-deception-attack/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-web-cache-deception-attack
-description: Execute web cache deception attacks by exploiting path normalization discrepancies between CDN caching layers and origin servers to cache and retrieve sensitive authenticated content.
+description: Execute web cache deception attacks by exploiting path normalization discrepancies between CDN caching layers
+ and origin servers to cache and retrieve sensitive authenticated content.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [web-cache-deception, cdn-attack, cache-poisoning, path-normalization, cloudflare, cache-key, static-resource]
-version: "1.0"
+tags:
+- web-cache-deception
+- cdn-attack
+- cache-poisoning
+- path-normalization
+- cloudflare
+- cache-key
+- static-resource
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Performing Web Cache Deception Attack
diff --git a/skills/performing-web-cache-poisoning-attack/SKILL.md b/skills/performing-web-cache-poisoning-attack/SKILL.md
index 7f921a44..62e7dd87 100644
--- a/skills/performing-web-cache-poisoning-attack/SKILL.md
+++ b/skills/performing-web-cache-poisoning-attack/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: performing-web-cache-poisoning-attack
-description: Exploiting web cache mechanisms to serve malicious content to other users by poisoning cached responses through unkeyed headers and parameters during authorized security tests.
+description: Exploiting web cache mechanisms to serve malicious content to other users by poisoning cached responses through
+ unkeyed headers and parameters during authorized security tests.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, cache-poisoning, web-security, cdn, burpsuite, owasp]
-version: "1.0"
+tags:
+- penetration-testing
+- cache-poisoning
+- web-security
+- cdn
+- burpsuite
+- owasp
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Performing Web Cache Poisoning Attack
diff --git a/skills/performing-wifi-password-cracking-with-aircrack/SKILL.md b/skills/performing-wifi-password-cracking-with-aircrack/SKILL.md
index 515978e8..db84e7fd 100644
--- a/skills/performing-wifi-password-cracking-with-aircrack/SKILL.md
+++ b/skills/performing-wifi-password-cracking-with-aircrack/SKILL.md
@@ -1,15 +1,25 @@
 ---
 name: performing-wifi-password-cracking-with-aircrack
-description: >
- Captures WPA/WPA2 handshakes and performs offline password cracking using aircrack-ng,
- hashcat, and dictionary attacks during authorized wireless security assessments to
- evaluate passphrase strength and wireless network security posture.
+description: 'Captures WPA/WPA2 handshakes and performs offline password cracking using aircrack-ng, hashcat, and dictionary
+ attacks during authorized wireless security assessments to evaluate passphrase strength and wireless network security posture.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, wifi, aircrack-ng, wpa2, wireless-security]
-version: "1.0"
+tags:
+- network-security
+- wifi
+- aircrack-ng
+- wpa2
+- wireless-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Performing WiFi Password Cracking with Aircrack-ng
diff --git a/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools/SKILL.md b/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools/SKILL.md
index dbafc21c..c858885b 100644
--- a/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools/SKILL.md
+++ b/skills/performing-windows-artifact-analysis-with-eric-zimmerman-tools/SKILL.md
@@ -1,12 +1,31 @@
 ---
 name: performing-windows-artifact-analysis-with-eric-zimmerman-tools
-description: Perform comprehensive Windows forensic artifact analysis using Eric Zimmerman's open-source EZ Tools suite including KAPE, MFTECmd, PECmd, LECmd, JLECmd, and Timeline Explorer for parsing registry hives, prefetch files, event logs, and file system metadata.
+description: Perform comprehensive Windows forensic artifact analysis using Eric Zimmerman's open-source EZ Tools suite including
+ KAPE, MFTECmd, PECmd, LECmd, JLECmd, and Timeline Explorer for parsing registry hives, prefetch files, event logs, and file
+ system metadata.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [eric-zimmerman, ez-tools, kape, mftecmd, pecmd, lecmd, jlecmd, registry-forensics, windows-forensics, timeline-explorer, dfir, artifact-analysis]
-version: "1.0"
+tags:
+- eric-zimmerman
+- ez-tools
+- kape
+- mftecmd
+- pecmd
+- lecmd
+- jlecmd
+- registry-forensics
+- windows-forensics
+- timeline-explorer
+- dfir
+- artifact-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 
 # Performing Windows Artifact Analysis with Eric Zimmerman Tools
diff --git a/skills/performing-wireless-network-penetration-test/SKILL.md b/skills/performing-wireless-network-penetration-test/SKILL.md
index 5fb87625..e82a6f8c 100644
--- a/skills/performing-wireless-network-penetration-test/SKILL.md
+++ b/skills/performing-wireless-network-penetration-test/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: performing-wireless-network-penetration-test
-description: Execute a wireless network penetration test to assess WiFi security by capturing handshakes, cracking WPA2/WPA3 keys, detecting rogue access points, and testing wireless segmentation using Aircrack-ng and related tools.
+description: Execute a wireless network penetration test to assess WiFi security by capturing handshakes, cracking WPA2/WPA3
+ keys, detecting rogue access points, and testing wireless segmentation using Aircrack-ng and related tools.
 domain: cybersecurity
 subdomain: penetration-testing
-tags: [wireless-pentest, WiFi, Aircrack-ng, WPA2, WPA3, rogue-AP, evil-twin, 802.11, Kismet]
-version: "1.0"
+tags:
+- wireless-pentest
+- WiFi
+- Aircrack-ng
+- WPA2
+- WPA3
+- rogue-AP
+- evil-twin
+- 802.11
+- Kismet
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Performing Wireless Network Penetration Test
diff --git a/skills/performing-wireless-security-assessment-with-kismet/SKILL.md b/skills/performing-wireless-security-assessment-with-kismet/SKILL.md
index a3cb09a7..cb4bd215 100644
--- a/skills/performing-wireless-security-assessment-with-kismet/SKILL.md
+++ b/skills/performing-wireless-security-assessment-with-kismet/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: performing-wireless-security-assessment-with-kismet
-description: Conduct wireless network security assessments using Kismet to detect rogue access points, hidden SSIDs, weak encryption, and unauthorized clients through passive RF monitoring.
+description: Conduct wireless network security assessments using Kismet to detect rogue access points, hidden SSIDs, weak
+ encryption, and unauthorized clients through passive RF monitoring.
 domain: cybersecurity
 subdomain: network-security
-tags: [kismet, wireless-security, wifi-assessment, rogue-ap, 802.11, wardriving, wids, wireless-ids, rf-monitoring]
-version: "1.0"
+tags:
+- kismet
+- wireless-security
+- wifi-assessment
+- rogue-ap
+- 802.11
+- wardriving
+- wids
+- wireless-ids
+- rf-monitoring
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Performing Wireless Security Assessment with Kismet
diff --git a/skills/performing-yara-rule-development-for-detection/SKILL.md b/skills/performing-yara-rule-development-for-detection/SKILL.md
index 764caf63..782e7b5e 100644
--- a/skills/performing-yara-rule-development-for-detection/SKILL.md
+++ b/skills/performing-yara-rule-development-for-detection/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: performing-yara-rule-development-for-detection
-description: Develop precise YARA rules for malware detection by identifying unique byte patterns, strings, and behavioral indicators in executable files while minimizing false positives.
+description: Develop precise YARA rules for malware detection by identifying unique byte patterns, strings, and behavioral
+ indicators in executable files while minimizing false positives.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [yara, malware-detection, signature-development, threat-hunting, pattern-matching, yara-x, indicator-development]
-version: "1.0"
+tags:
+- yara
+- malware-detection
+- signature-development
+- threat-hunting
+- pattern-matching
+- yara-x
+- indicator-development
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 
 # Performing YARA Rule Development for Detection
diff --git a/skills/prioritizing-vulnerabilities-with-cvss-scoring/SKILL.md b/skills/prioritizing-vulnerabilities-with-cvss-scoring/SKILL.md
index 7b41ab19..f8fcf87f 100644
--- a/skills/prioritizing-vulnerabilities-with-cvss-scoring/SKILL.md
+++ b/skills/prioritizing-vulnerabilities-with-cvss-scoring/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: prioritizing-vulnerabilities-with-cvss-scoring
-description: The Common Vulnerability Scoring System (CVSS) is the industry standard framework maintained by FIRST (Forum of Incident Response and Security Teams) for assessing vulnerability severity. CVSS v4.0 (r
+description: The Common Vulnerability Scoring System (CVSS) is the industry standard framework maintained by FIRST (Forum
+ of Incident Response and Security Teams) for assessing vulnerability severity. CVSS v4.0 (r
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [vulnerability-management, cve, cvss, risk, prioritization, nist]
-version: "1.0"
+tags:
+- vulnerability-management
+- cve
+- cvss
+- risk
+- prioritization
+- nist
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 
 # Prioritizing Vulnerabilities with CVSS Scoring
diff --git a/skills/processing-stix-taxii-feeds/SKILL.md b/skills/processing-stix-taxii-feeds/SKILL.md
index e8613896..68eb7c1d 100644
--- a/skills/processing-stix-taxii-feeds/SKILL.md
+++ b/skills/processing-stix-taxii-feeds/SKILL.md
@@ -1,17 +1,30 @@
 ---
 name: processing-stix-taxii-feeds
-description: >
- Processes STIX 2.1 threat intelligence bundles delivered via TAXII 2.1 servers, normalizing
- objects into platform-native schemas and routing them to appropriate consuming systems. Use when
- onboarding new TAXII collection endpoints, automating bi-directional intelligence sharing with
- ISACs, or building pipeline validation for malformed STIX bundles. Activates for requests
- involving OASIS STIX, TAXII server configuration, MISP TAXII, or Cortex XSOAR feed integrations.
+description: 'Processes STIX 2.1 threat intelligence bundles delivered via TAXII 2.1 servers, normalizing objects into platform-native
+ schemas and routing them to appropriate consuming systems. Use when onboarding new TAXII collection endpoints, automating
+ bi-directional intelligence sharing with ISACs, or building pipeline validation for malformed STIX bundles. Activates for
+ requests involving OASIS STIX, TAXII server configuration, MISP TAXII, or Cortex XSOAR feed integrations.
+
+ '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [STIX-2.1, TAXII-2.1, OASIS, MISP, CTI, IOC, threat-intelligence, NIST-SP-800-150]
+tags:
+- STIX-2.1
+- TAXII-2.1
+- OASIS
+- MISP
+- CTI
+- IOC
+- threat-intelligence
+- NIST-SP-800-150
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Processing STIX/TAXII Feeds
diff --git a/skills/profiling-threat-actor-groups/SKILL.md b/skills/profiling-threat-actor-groups/SKILL.md
index fa37c813..13942f97 100644
--- a/skills/profiling-threat-actor-groups/SKILL.md
+++ b/skills/profiling-threat-actor-groups/SKILL.md
@@ -1,18 +1,31 @@
 ---
 name: profiling-threat-actor-groups
-description: >
- Develops comprehensive threat actor profiles for APT groups, criminal organizations, and
- hacktivist collectives by aggregating TTP documentation, historical campaign data, tooling
- fingerprints, and attribution indicators from multiple intelligence sources. Use when briefing
- executives on sector-specific threats, updating threat model assumptions, or prioritizing
- defensive controls against specific adversaries. Activates for requests involving MITRE ATT&CK
- Groups, Mandiant APT profiles, CrowdStrike adversary naming, or sector-specific threat briefings.
+description: 'Develops comprehensive threat actor profiles for APT groups, criminal organizations, and hacktivist collectives
+ by aggregating TTP documentation, historical campaign data, tooling fingerprints, and attribution indicators from multiple
+ intelligence sources. Use when briefing executives on sector-specific threats, updating threat model assumptions, or prioritizing
+ defensive controls against specific adversaries. Activates for requests involving MITRE ATT&CK Groups, Mandiant APT profiles,
+ CrowdStrike adversary naming, or sector-specific threat briefings.
+
+ '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [MITRE-ATT&CK, threat-actor, APT, CrowdStrike, Mandiant, attribution, kill-chain, NIST-CSF]
+tags:
+- MITRE-ATT&CK
+- threat-actor
+- APT
+- CrowdStrike
+- Mandiant
+- attribution
+- kill-chain
+- NIST-CSF
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Profiling Threat Actor Groups
diff --git a/skills/recovering-deleted-files-with-photorec/SKILL.md b/skills/recovering-deleted-files-with-photorec/SKILL.md
index 19d890e7..721447ab 100644
--- a/skills/recovering-deleted-files-with-photorec/SKILL.md
+++ b/skills/recovering-deleted-files-with-photorec/SKILL.md
@@ -22,6 +22,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 
 # Recovering Deleted Files with PhotoRec
diff --git a/skills/recovering-from-ransomware-attack/SKILL.md b/skills/recovering-from-ransomware-attack/SKILL.md
index f232c90e..74714639 100644
--- a/skills/recovering-from-ransomware-attack/SKILL.md
+++ b/skills/recovering-from-ransomware-attack/SKILL.md
@@ -1,19 +1,28 @@
 ---
 name: recovering-from-ransomware-attack
-description: >
- Executes structured recovery from a ransomware incident following NIST and CISA
- frameworks, including environment isolation, forensic evidence preservation, clean
- infrastructure rebuild, prioritized system restoration from verified backups,
- credential reset, and validation against re-infection. Covers Active Directory
- recovery, database restoration, and application stack rebuild in dependency order.
- Activates for requests involving ransomware recovery, post-encryption restoration,
- or disaster recovery from ransomware.
+description: 'Executes structured recovery from a ransomware incident following NIST and CISA frameworks, including environment
+ isolation, forensic evidence preservation, clean infrastructure rebuild, prioritized system restoration from verified backups,
+ credential reset, and validation against re-infection. Covers Active Directory recovery, database restoration, and application
+ stack rebuild in dependency order. Activates for requests involving ransomware recovery, post-encryption restoration, or
+ disaster recovery from ransomware.
+
+ '
 domain: cybersecurity
 subdomain: ransomware-defense
-tags: [ransomware, recovery, incident-response, backup, defense]
+tags:
+- ransomware
+- recovery
+- incident-response
+- backup
+- defense
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-11
+- RS.MA-01
+- RC.RP-01
+- PR.IR-01
 ---
 
 # Recovering from Ransomware Attack
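Review bot: The added `nist_csf` list for the PhotoRec skill mixes framework versions: `RS.AN-01` is a CSF 1.1 subcategory that, as far as I recall, was withdrawn in CSF 2.0, while the other ids in the same list (`RS.AN-03`, `DE.AE-02`, `RS.MA-01`) and the `GV.*`/`ID.IM-*` ids used elsewhere in this diff only exist in 2.0. Please confirm against the CSF 2.0 subcategory list and either replace `RS.AN-01` with a current id or document which CSF version the `nist_csf` key targets, e.g. a comment `# nist_csf ids follow NIST CSF 2.0` at the first use. A small validation step that checks every id against the chosen version's list would stop this from drifting across the other skill files.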
diff --git a/skills/remediating-s3-bucket-misconfiguration/SKILL.md b/skills/remediating-s3-bucket-misconfiguration/SKILL.md
index 9771c6b2..794206a5 100644
--- a/skills/remediating-s3-bucket-misconfiguration/SKILL.md
+++ b/skills/remediating-s3-bucket-misconfiguration/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: remediating-s3-bucket-misconfiguration
-description: >
- This skill provides step-by-step procedures for identifying and remediating Amazon S3
- bucket misconfigurations that expose sensitive data to unauthorized access. It covers
- enabling S3 Block Public Access at account and bucket levels, auditing bucket policies
- and ACLs, enforcing encryption, configuring access logging, and deploying automated
- remediation using AWS Config and Lambda.
+description: 'This skill provides step-by-step procedures for identifying and remediating Amazon S3 bucket misconfigurations
+ that expose sensitive data to unauthorized access. It covers enabling S3 Block Public Access at account and bucket levels,
+ auditing bucket policies and ACLs, enforcing encryption, configuring access logging, and deploying automated remediation
+ using AWS Config and Lambda.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [s3-security, bucket-misconfiguration, data-exposure, public-access-block, aws-config]
+tags:
+- s3-security
+- bucket-misconfiguration
+- data-exposure
+- public-access-block
+- aws-config
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Remediating S3 Bucket Misconfiguration
diff --git a/skills/reverse-engineering-android-malware-with-jadx/SKILL.md b/skills/reverse-engineering-android-malware-with-jadx/SKILL.md
index e1ea935b..c09ac499 100644
--- a/skills/reverse-engineering-android-malware-with-jadx/SKILL.md
+++ b/skills/reverse-engineering-android-malware-with-jadx/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: reverse-engineering-android-malware-with-jadx
-description: >
- Reverse engineers malicious Android APK files using JADX decompiler to analyze Java/Kotlin
- source code, identify malicious functionality including data theft, C2 communication,
- privilege escalation, and overlay attacks. Examines manifest permissions, receivers,
- services, and native libraries. Activates for requests involving Android malware analysis,
- APK reverse engineering, mobile malware investigation, or Android threat analysis.
+description: 'Reverse engineers malicious Android APK files using JADX decompiler to analyze Java/Kotlin source code, identify
+ malicious functionality including data theft, C2 communication, privilege escalation, and overlay attacks. Examines manifest
+ permissions, receivers, services, and native libraries. Activates for requests involving Android malware analysis, APK reverse
+ engineering, mobile malware investigation, or Android threat analysis.
+
+ '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, Android, reverse-engineering, JADX, mobile-malware]
+tags:
+- malware
+- Android
+- reverse-engineering
+- JADX
+- mobile-malware
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 
 # Reverse Engineering Android Malware with JADX
diff --git a/skills/reverse-engineering-dotnet-malware-with-dnspy/SKILL.md b/skills/reverse-engineering-dotnet-malware-with-dnspy/SKILL.md
index df40cc9a..9e3e2951 100644
--- a/skills/reverse-engineering-dotnet-malware-with-dnspy/SKILL.md
+++ b/skills/reverse-engineering-dotnet-malware-with-dnspy/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: reverse-engineering-dotnet-malware-with-dnspy
-description: >
- Reverse engineers .NET malware using dnSpy decompiler and debugger to analyze C#/VB.NET
- source code, identify obfuscation techniques, extract configurations, and understand
- malicious functionality including stealers, RATs, and loaders. Activates for requests
- involving .NET malware analysis, C# malware decompilation, managed code reverse
- engineering, or .NET obfuscation analysis.
+description: 'Reverse engineers .NET malware using dnSpy decompiler and debugger to analyze C#/VB.NET source code, identify
+ obfuscation techniques, extract configurations, and understand malicious functionality including stealers, RATs, and loaders.
+ Activates for requests involving .NET malware analysis, C# malware decompilation, managed code reverse engineering, or .NET
+ obfuscation analysis.
+
+ '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, dotnet, reverse-engineering, dnSpy, decompilation]
+tags:
+- malware
+- dotnet
+- reverse-engineering
+- dnSpy
+- decompilation
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 
 # Reverse Engineering .NET Malware with dnSpy
diff --git a/skills/reverse-engineering-ios-app-with-frida/SKILL.md b/skills/reverse-engineering-ios-app-with-frida/SKILL.md
index d22fa8e2..89034cfb 100644
--- a/skills/reverse-engineering-ios-app-with-frida/SKILL.md
+++ b/skills/reverse-engineering-ios-app-with-frida/SKILL.md
@@ -1,18 +1,29 @@
 ---
 name: reverse-engineering-ios-app-with-frida
-description: >
- Reverse engineers iOS applications using Frida dynamic instrumentation to understand internal
- logic, extract encryption keys, bypass security controls, and discover hidden functionality
- without source code access. Use when performing authorized iOS penetration testing, analyzing
- proprietary protocols, understanding obfuscated logic, or extracting runtime secrets from
- iOS binaries. Activates for requests involving iOS reverse engineering, Frida iOS hooking,
- Objective-C/Swift method tracing, or iOS binary analysis.
+description: 'Reverse engineers iOS applications using Frida dynamic instrumentation to understand internal logic, extract
+ encryption keys, bypass security controls, and discover hidden functionality without source code access. Use when performing
+ authorized iOS penetration testing, analyzing proprietary protocols, understanding obfuscated logic, or extracting runtime
+ secrets from iOS binaries. Activates for requests involving iOS reverse engineering, Frida iOS hooking, Objective-C/Swift
+ method tracing, or iOS binary analysis.
+
+ '
 domain: cybersecurity
 subdomain: mobile-security
 author: mahipal
-tags: [mobile-security, ios, frida, reverse-engineering, owasp-mobile, penetration-testing]
+tags:
+- mobile-security
+- ios
+- frida
+- reverse-engineering
+- owasp-mobile
+- penetration-testing
 version: 1.0.0
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.AA-05
+- ID.RA-01
+- DE.CM-09
 ---
 
 # Reverse Engineering iOS App with Frida
diff --git a/skills/reverse-engineering-malware-with-ghidra/SKILL.md b/skills/reverse-engineering-malware-with-ghidra/SKILL.md
index e267c430..0b09addc 100644
--- a/skills/reverse-engineering-malware-with-ghidra/SKILL.md
+++ b/skills/reverse-engineering-malware-with-ghidra/SKILL.md
@@ -1,17 +1,26 @@
 ---
 name: reverse-engineering-malware-with-ghidra
-description: >
- Reverse engineers malware binaries using NSA's Ghidra disassembler and decompiler to
- understand internal logic, cryptographic routines, C2 protocols, and evasion techniques
- at the assembly and pseudo-C level. Activates for requests involving malware reverse
- engineering, disassembly analysis, decompilation, binary analysis, or understanding
- malware internals.
+description: 'Reverse engineers malware binaries using NSA''s Ghidra disassembler and decompiler to understand internal logic,
+ cryptographic routines, C2 protocols, and evasion techniques at the assembly and pseudo-C level. Activates for requests
+ involving malware reverse engineering, disassembly analysis, decompilation, binary analysis, or understanding malware internals.
+
+ '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, reverse-engineering, Ghidra, disassembly, decompilation]
+tags:
+- malware
+- reverse-engineering
+- Ghidra
+- disassembly
+- decompilation
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 
 # Reverse Engineering Malware with Ghidra
diff --git a/skills/reverse-engineering-ransomware-encryption-routine/SKILL.md b/skills/reverse-engineering-ransomware-encryption-routine/SKILL.md
index 9e628cc8..606a2b5b 100644
--- a/skills/reverse-engineering-ransomware-encryption-routine/SKILL.md
+++ b/skills/reverse-engineering-ransomware-encryption-routine/SKILL.md
@@ -22,6 +22,11 @@ d3fend_techniques:
 - File Content Analysis
 - Platform Hardening
 - File Format Verification
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 
 # Reverse Engineering Ransomware Encryption Routine
diff --git a/skills/reverse-engineering-rust-malware/SKILL.md b/skills/reverse-engineering-rust-malware/SKILL.md
index b3b41ece..35b55cd6 100644
--- a/skills/reverse-engineering-rust-malware/SKILL.md
+++ b/skills/reverse-engineering-rust-malware/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: reverse-engineering-rust-malware
-description: Reverse engineer Rust-compiled malware using IDA Pro and Ghidra with techniques for handling non-null-terminated strings, crate dependency extraction, and Rust-specific control flow analysis.
+description: Reverse engineer Rust-compiled malware using IDA Pro and Ghidra with techniques for handling non-null-terminated
+ strings, crate dependency extraction, and Rust-specific control flow analysis.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [rust, reverse-engineering, malware-analysis, ghidra, ida-pro, binary-analysis, rust-malware]
-version: "1.0"
+tags:
+- rust
+- reverse-engineering
+- malware-analysis
+- ghidra
+- ida-pro
+- binary-analysis
+- rust-malware
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 
 # Reverse Engineering Rust Malware
diff --git a/skills/scanning-container-images-with-grype/SKILL.md b/skills/scanning-container-images-with-grype/SKILL.md
index c8ab8ca9..40d689cc 100644
--- a/skills/scanning-container-images-with-grype/SKILL.md
+++ b/skills/scanning-container-images-with-grype/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: scanning-container-images-with-grype
-description: Scan container images for known vulnerabilities using Anchore Grype with SBOM-based matching and configurable severity thresholds.
+description: Scan container images for known vulnerabilities using Anchore Grype with SBOM-based matching and configurable
+ severity thresholds.
 domain: cybersecurity
 subdomain: container-security
-tags: [grype, vulnerability-scanning, container-security, sbom, anchore, supply-chain]
-version: "1.0"
+tags:
+- grype
+- vulnerability-scanning
+- container-security
+- sbom
+- anchore
+- supply-chain
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 
 # Scanning Container Images with Grype
diff --git a/skills/scanning-containers-with-trivy-in-cicd/SKILL.md b/skills/scanning-containers-with-trivy-in-cicd/SKILL.md
index 3a47095d..a9011aaa 100644
--- a/skills/scanning-containers-with-trivy-in-cicd/SKILL.md
+++ b/skills/scanning-containers-with-trivy-in-cicd/SKILL.md
@@ -1,17 +1,28 @@
 ---
 name: scanning-containers-with-trivy-in-cicd
-description: >
- This skill covers integrating Aqua Security's Trivy scanner into CI/CD pipelines for
- comprehensive container image vulnerability detection. It addresses scanning Docker images
- for OS package and application dependency CVEs, detecting misconfigurations in Dockerfiles,
- scanning filesystem and git repositories, and establishing severity-based quality gates
+description: 'This skill covers integrating Aqua Security''s Trivy scanner into CI/CD pipelines for comprehensive container
+ image vulnerability detection. It addresses scanning Docker images for OS package and application dependency CVEs, detecting
+ misconfigurations in Dockerfiles, scanning filesystem and git repositories, and establishing severity-based quality gates
 that block deployment of vulnerable images.
+
+ '
 domain: cybersecurity
 subdomain: devsecops
-tags: [devsecops, cicd, trivy, container-security, vulnerability-scanning, secure-sdlc]
+tags:
+- devsecops
+- cicd
+- trivy
+- container-security
+- vulnerability-scanning
+- secure-sdlc
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- GV.SC-07
+- ID.IM-04
+- PR.PS-04
 ---
 
 # Scanning Containers with Trivy in CI/CD
diff --git a/skills/scanning-docker-images-with-trivy/SKILL.md b/skills/scanning-docker-images-with-trivy/SKILL.md
index 401353a4..0a1a0916 100644
--- a/skills/scanning-docker-images-with-trivy/SKILL.md
+++ b/skills/scanning-docker-images-with-trivy/SKILL.md
@@ -1,12 +1,23 @@
 ---
 name: scanning-docker-images-with-trivy
-description: Trivy is a comprehensive open-source vulnerability scanner by Aqua Security that detects vulnerabilities in OS packages, language-specific dependencies, misconfigurations, secrets, and license violati
+description: Trivy is a comprehensive open-source vulnerability scanner by Aqua Security that detects vulnerabilities in OS
+ packages, language-specific dependencies, misconfigurations, secrets, and license violati
 domain: cybersecurity
 subdomain: container-security
-tags: [containers, docker, security, trivy, vulnerability-scanning]
-version: "1.0"
+tags:
+- containers
+- docker
+- security
+- trivy
+- vulnerability-scanning
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 
 # Scanning Docker Images with Trivy
diff --git a/skills/scanning-infrastructure-with-nessus/SKILL.md b/skills/scanning-infrastructure-with-nessus/SKILL.md
index 6f695be0..3b685623 100644
--- a/skills/scanning-infrastructure-with-nessus/SKILL.md
+++ b/skills/scanning-infrastructure-with-nessus/SKILL.md
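Review bot: The reflowed `description` still ends mid-word (`and license violati`), so the re-dump carried a truncated string over instead of fixing it; the securing-container-registry-with-harbor hunk later in this diff has the same defect (`content trust policies, replicatio`). Finish the sentence, e.g. `... misconfigurations, secrets, and license violations.`, and complete the Harbor one the same way. Since the front matter is evidently regenerated by a tool, it would be worth adding a check that rejects a `description` that does not end in sentence punctuation, so a cut-off value fails validation rather than being quietly re-wrapped.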
@@ -1,12 +1,24 @@
 ---
 name: scanning-infrastructure-with-nessus
-description: Tenable Nessus is the industry-leading vulnerability scanner used to identify security weaknesses across network infrastructure including servers, workstations, network devices, and operating systems.
+description: Tenable Nessus is the industry-leading vulnerability scanner used to identify security weaknesses across network
+ infrastructure including servers, workstations, network devices, and operating systems.
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [vulnerability-management, cve, nessus, tenable, infrastructure-scanning, risk]
-version: "1.0"
+tags:
+- vulnerability-management
+- cve
+- nessus
+- tenable
+- infrastructure-scanning
+- risk
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 
 # Scanning Infrastructure with Nessus
diff --git a/skills/scanning-kubernetes-manifests-with-kubesec/SKILL.md b/skills/scanning-kubernetes-manifests-with-kubesec/SKILL.md
index 660bce00..52eed576 100644
--- a/skills/scanning-kubernetes-manifests-with-kubesec/SKILL.md
+++ b/skills/scanning-kubernetes-manifests-with-kubesec/SKILL.md
@@ -1,12 +1,26 @@
 ---
 name: scanning-kubernetes-manifests-with-kubesec
-description: Perform security risk analysis on Kubernetes resource manifests using Kubesec to identify misconfigurations, privilege escalation risks, and deviations from security best practices.
+description: Perform security risk analysis on Kubernetes resource manifests using Kubesec to identify misconfigurations,
+ privilege escalation risks, and deviations from security best practices.
 domain: cybersecurity
 subdomain: container-security
-tags: [kubesec, kubernetes, manifest-scanning, security-scanning, devsecops, misconfiguration, static-analysis, ci-cd]
-version: "1.0"
+tags:
+- kubesec
+- kubernetes
+- manifest-scanning
+- security-scanning
+- devsecops
+- misconfiguration
+- static-analysis
+- ci-cd
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 
 # Scanning Kubernetes Manifests with Kubesec
diff --git a/skills/scanning-network-with-nmap-advanced/SKILL.md b/skills/scanning-network-with-nmap-advanced/SKILL.md
index 95040352..9db9b8df 100644
--- a/skills/scanning-network-with-nmap-advanced/SKILL.md
+++ b/skills/scanning-network-with-nmap-advanced/SKILL.md
@@ -1,15 +1,26 @@
 ---
 name: scanning-network-with-nmap-advanced
-description: >
- Performs advanced network reconnaissance using Nmap's scripting engine, timing controls,
- evasion techniques, and output parsing to discover hosts, enumerate services, detect
- vulnerabilities, and fingerprint operating systems across authorized target networks.
+description: 'Performs advanced network reconnaissance using Nmap''s scripting engine, timing controls, evasion techniques,
+ and output parsing to discover hosts, enumerate services, detect vulnerabilities, and fingerprint operating systems across
+ authorized target networks.
+
+ '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, nmap, port-scanning, service-enumeration, reconnaissance]
-version: "1.0"
+tags:
+- network-security
+- nmap
+- port-scanning
+- service-enumeration
+- reconnaissance
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 
 # Scanning Network with Nmap Advanced Techniques
diff --git a/skills/securing-api-gateway-with-aws-waf/SKILL.md b/skills/securing-api-gateway-with-aws-waf/SKILL.md
index c4fa01df..26185c2f 100644
--- a/skills/securing-api-gateway-with-aws-waf/SKILL.md
+++ b/skills/securing-api-gateway-with-aws-waf/SKILL.md
@@ -1,15 +1,28 @@
 ---
 name: securing-api-gateway-with-aws-waf
-description: >
- Securing API Gateway endpoints with AWS WAF by configuring managed rule groups for
- OWASP Top 10 protection, creating custom rate limiting rules, implementing bot control,
- setting up IP reputation filtering, and monitoring WAF metrics for security effectiveness.
+description: 'Securing API Gateway endpoints with AWS WAF by configuring managed rule groups for OWASP Top 10 protection,
+ creating custom rate limiting rules, implementing bot control, setting up IP reputation filtering, and monitoring WAF metrics
+ for security effectiveness.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, aws, waf, api-gateway, rate-limiting, bot-protection, owasp]
-version: "1.0"
+tags:
+- cloud-security
+- aws
+- waf
+- api-gateway
+- rate-limiting
+- bot-protection
+- owasp
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Securing API Gateway with AWS WAF
diff --git a/skills/securing-aws-iam-permissions/SKILL.md b/skills/securing-aws-iam-permissions/SKILL.md
index faeb8082..28ea78a2 100644
--- a/skills/securing-aws-iam-permissions/SKILL.md
+++ b/skills/securing-aws-iam-permissions/SKILL.md
@@ -1,16 +1,26 @@
 ---
 name: securing-aws-iam-permissions
-description: >
- This skill guides practitioners through hardening AWS Identity and Access Management
- configurations to enforce least privilege access across cloud accounts. It covers IAM
- policy scoping, permission boundaries, Access Analyzer integration, and credential
- rotation strategies to reduce the blast radius of compromised identities.
+description: 'This skill guides practitioners through hardening AWS Identity and Access Management configurations to enforce
+ least privilege access across cloud accounts. It covers IAM policy scoping, permission boundaries, Access Analyzer integration,
+ and credential rotation strategies to reduce the blast radius of compromised identities.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [aws-iam, least-privilege, permission-boundaries, access-analyzer, cloud-identity]
+tags:
+- aws-iam
+- least-privilege
+- permission-boundaries
+- access-analyzer
+- cloud-identity
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Securing AWS IAM Permissions
diff --git a/skills/securing-aws-lambda-execution-roles/SKILL.md b/skills/securing-aws-lambda-execution-roles/SKILL.md
index 9951d7e5..33121936 100644
--- a/skills/securing-aws-lambda-execution-roles/SKILL.md
+++ b/skills/securing-aws-lambda-execution-roles/SKILL.md
@@ -1,15 +1,27 @@
 ---
 name: securing-aws-lambda-execution-roles
-description: >
- Securing AWS Lambda execution roles by implementing least-privilege IAM policies,
- applying permission boundaries, restricting resource-based policies, using IAM Access
- Analyzer to validate permissions, and enforcing role scoping through SCPs.
+description: 'Securing AWS Lambda execution roles by implementing least-privilege IAM policies, applying permission boundaries,
+ restricting resource-based policies, using IAM Access Analyzer to validate permissions, and enforcing role scoping through
+ SCPs.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, aws, lambda, iam, least-privilege, execution-roles]
-version: "1.0"
+tags:
+- cloud-security
+- aws
+- lambda
+- iam
+- least-privilege
+- execution-roles
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Securing AWS Lambda Execution Roles
diff --git a/skills/securing-azure-with-microsoft-defender/SKILL.md b/skills/securing-azure-with-microsoft-defender/SKILL.md
index 6798ab71..17846b08 100644
--- a/skills/securing-azure-with-microsoft-defender/SKILL.md
+++ b/skills/securing-azure-with-microsoft-defender/SKILL.md
@@ -25,6 +25,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Securing Azure with Microsoft Defender
diff --git a/skills/securing-container-registry-images/SKILL.md b/skills/securing-container-registry-images/SKILL.md
index a5fae3d1..52761688 100644
--- a/skills/securing-container-registry-images/SKILL.md
+++ b/skills/securing-container-registry-images/SKILL.md
@@ -1,15 +1,28 @@
 ---
 name: securing-container-registry-images
-description: >
- Securing container registry images by implementing vulnerability scanning with Trivy
- and Grype, enforcing image signing with Cosign and Sigstore, configuring registry access
- controls, and building CI/CD pipelines that prevent deploying unscanned or unsigned images.
+description: 'Securing container registry images by implementing vulnerability scanning with Trivy and Grype, enforcing image
+ signing with Cosign and Sigstore, configuring registry access controls, and building CI/CD pipelines that prevent deploying
+ unscanned or unsigned images.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, containers, registry, image-scanning, trivy, cosign, supply-chain]
-version: "1.0"
+tags:
+- cloud-security
+- containers
+- registry
+- image-scanning
+- trivy
+- cosign
+- supply-chain
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Securing Container Registry Images
diff --git a/skills/securing-container-registry-with-harbor/SKILL.md b/skills/securing-container-registry-with-harbor/SKILL.md
index d8c9a4fc..ec0c9a2c 100644
--- a/skills/securing-container-registry-with-harbor/SKILL.md
+++ b/skills/securing-container-registry-with-harbor/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: securing-container-registry-with-harbor
-description: Harbor is an open-source container registry that provides security features including vulnerability scanning (integrated Trivy), image signing (Notary/Cosign), RBAC, content trust policies, replicatio
+description: Harbor is an open-source container registry that provides security features including vulnerability scanning
+ (integrated Trivy), image signing (Notary/Cosign), RBAC, content trust policies, replicatio
 domain: cybersecurity
 subdomain: container-security
-tags: [containers, kubernetes, docker, security, registry, harbor]
-version: "1.0"
+tags:
+- containers
+- kubernetes
+- docker
+- security
+- registry
+- harbor
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 
 # Securing Container Registry with Harbor
diff --git a/skills/securing-github-actions-workflows/SKILL.md b/skills/securing-github-actions-workflows/SKILL.md
index 48b939bc..13ef85ca 100644
--- a/skills/securing-github-actions-workflows/SKILL.md
+++ b/skills/securing-github-actions-workflows/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: securing-github-actions-workflows
-description: >
- This skill covers hardening GitHub Actions workflows against supply chain attacks,
- credential theft, and privilege escalation. It addresses pinning actions to SHA digests,
- minimizing GITHUB_TOKEN permissions, protecting secrets from exfiltration, preventing
- script injection in workflow expressions, and implementing required reviewers for
- workflow changes.
+description: 'This skill covers hardening GitHub Actions workflows against supply chain attacks, credential theft, and privilege
+ escalation. It addresses pinning actions to SHA digests, minimizing GITHUB_TOKEN permissions, protecting secrets from exfiltration,
+ preventing script injection in workflow expressions, and implementing required reviewers for workflow changes.
+
+ '
 domain: cybersecurity
 subdomain: devsecops
-tags: [devsecops, cicd, github-actions, supply-chain, workflow-security, secure-sdlc]
+tags:
+- devsecops
+- cicd
+- github-actions
+- supply-chain
+- workflow-security
+- secure-sdlc
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- GV.SC-07
+- ID.IM-04
+- PR.PS-04
 ---
 
 # Securing GitHub Actions Workflows
diff --git a/skills/securing-helm-chart-deployments/SKILL.md b/skills/securing-helm-chart-deployments/SKILL.md
index 3315158c..b01f7c30 100644
--- a/skills/securing-helm-chart-deployments/SKILL.md
+++ b/skills/securing-helm-chart-deployments/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: securing-helm-chart-deployments
-description: Secure Helm chart deployments by validating chart integrity, scanning templates for misconfigurations, and enforcing security contexts in Kubernetes releases.
+description: Secure Helm chart deployments by validating chart integrity, scanning templates for misconfigurations, and enforcing
+ security contexts in Kubernetes releases.
 domain: cybersecurity
 subdomain: container-security
-tags: [helm, kubernetes, chart-security, supply-chain, configuration-security, deployment]
-version: "1.0"
+tags:
+- helm
+- kubernetes
+- chart-security
+- supply-chain
+- configuration-security
+- deployment
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---
 
 # Securing Helm Chart Deployments
diff --git a/skills/securing-historian-server-in-ot-environment/SKILL.md b/skills/securing-historian-server-in-ot-environment/SKILL.md
index 77b95996..babd926d 100644
--- a/skills/securing-historian-server-in-ot-environment/SKILL.md
+++ b/skills/securing-historian-server-in-ot-environment/SKILL.md
@@ -1,18 +1,30 @@
 ---
 name: securing-historian-server-in-ot-environment
-description: >
- This skill covers hardening and securing process historian servers (OSIsoft PI,
- Honeywell PHD, GE Proficy, AVEVA Historian) in OT environments. It addresses
- network placement across Purdue levels, access control for historian interfaces,
- data replication through DMZ using data diodes or PI-to-PI connectors, SQL
- injection prevention in historian queries, and integrity protection of process
- data used for safety analysis, regulatory reporting, and process optimization.
+description: 'This skill covers hardening and securing process historian servers (OSIsoft PI, Honeywell PHD, GE Proficy, AVEVA
+ Historian) in OT environments. It addresses network placement across Purdue levels, access control for historian interfaces,
+ data replication through DMZ using data diodes or PI-to-PI connectors, SQL injection prevention in historian queries, and
+ integrity protection of process data used for safety analysis, regulatory reporting, and process optimization.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, scada, industrial-control, iec62443, historian, osisoft-pi, data-integrity]
+tags:
+- ot-security
+- ics
+- scada
+- industrial-control
+- iec62443
+- historian
+- osisoft-pi
+- data-integrity
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 
 # Securing Historian Server in OT Environment
diff --git a/skills/securing-kubernetes-on-cloud/SKILL.md b/skills/securing-kubernetes-on-cloud/SKILL.md
index 7b5a04e0..141c41f8 100644
--- a/skills/securing-kubernetes-on-cloud/SKILL.md
+++ b/skills/securing-kubernetes-on-cloud/SKILL.md
@@ -1,17 +1,27 @@
 ---
 name: securing-kubernetes-on-cloud
-description: >
- This skill covers hardening managed Kubernetes clusters on EKS, AKS, and GKE by
- implementing Pod Security Standards, network policies, workload identity, RBAC
- scoping, image admission controls, and runtime security monitoring. It addresses
- cloud-specific security features including IRSA for EKS, Workload Identity for
- GKE, and Managed Identities for AKS.
+description: 'This skill covers hardening managed Kubernetes clusters on EKS, AKS, and GKE by implementing Pod Security Standards,
+ network policies, workload identity, RBAC scoping, image admission controls, and runtime security monitoring. It addresses
+ cloud-specific security features including IRSA for EKS, Workload Identity for GKE, and Managed Identities for AKS.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [kubernetes-security, eks, aks, gke, pod-security-standards, container-runtime]
+tags:
+- kubernetes-security
+- eks
+- aks
+- gke
+- pod-security-standards
+- container-runtime
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Securing Kubernetes on Cloud
diff --git a/skills/securing-remote-access-to-ot-environment/SKILL.md b/skills/securing-remote-access-to-ot-environment/SKILL.md
index e89e3dde..eb6ac7ad 100644
--- a/skills/securing-remote-access-to-ot-environment/SKILL.md
+++ b/skills/securing-remote-access-to-ot-environment/SKILL.md
@@ -1,17 +1,30 @@
 ---
 name: securing-remote-access-to-ot-environment
-description: >
- This skill covers implementing secure remote access to OT/ICS environments for
- operators, engineers, and vendors while preventing unauthorized access that could
- compromise industrial operations. It addresses jump server architecture, multi-factor
- authentication, session recording, privileged access management, vendor remote access
- controls, and compliance with IEC 62443 and NERC CIP-005 remote access requirements.
+description: 'This skill covers implementing secure remote access to OT/ICS environments for operators, engineers, and vendors
+ while preventing unauthorized access that could compromise industrial operations. It addresses jump server architecture,
+ multi-factor authentication, session recording, privileged access management, vendor remote access controls, and compliance
+ with IEC 62443 and NERC CIP-005 remote access requirements.
+
+ '
 domain: cybersecurity
 subdomain: ot-ics-security
-tags: [ot-security, ics, scada, industrial-control, iec62443, remote-access, jump-server, mfa]
+tags:
+- ot-security
+- ics
+- scada
+- industrial-control
+- iec62443
+- remote-access
+- jump-server
+- mfa
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-05
+- GV.OC-02
 ---
 
 # Securing Remote Access to OT Environment
diff --git a/skills/securing-serverless-functions/SKILL.md b/skills/securing-serverless-functions/SKILL.md
index 417ec2bc..54ecb84e 100644
--- a/skills/securing-serverless-functions/SKILL.md
+++ b/skills/securing-serverless-functions/SKILL.md
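Review bot: The nist_csf list here is identical to the historian skill's (PR.IR-01, DE.CM-01, ID.AM-05, GV.OC-02), yet this description is about multi-factor authentication, privileged access management and session recording, none of which those IDs cover. PR.AA-03 (users, services and hardware are authenticated), PR.AA-05 (least-privilege access permissions) and DE.CM-03 (personnel activity monitored) map directly to those three topics; I'd swap `- ID.AM-05` and `- GV.OC-02` for `- PR.AA-03`, `- PR.AA-05` and `- DE.CM-03`. Anyone filtering the corpus by PR.AA to find identity controls for OT will otherwise miss the one skill that is mostly about them.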
@@ -1,17 +1,27 @@
 ---
 name: securing-serverless-functions
-description: >
- This skill covers security hardening for serverless compute platforms including AWS
- Lambda, Azure Functions, and Google Cloud Functions. It addresses least privilege IAM
- roles, dependency vulnerability scanning, secrets management integration, input
- validation, function URL authentication, and runtime monitoring to protect against
- injection attacks, credential theft, and supply chain compromises.
+description: 'This skill covers security hardening for serverless compute platforms including AWS Lambda, Azure Functions,
+ and Google Cloud Functions. It addresses least privilege IAM roles, dependency vulnerability scanning, secrets management
+ integration, input validation, function URL authentication, and runtime monitoring to protect against injection attacks,
+ credential theft, and supply chain compromises.
+
+ '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [serverless-security, aws-lambda, azure-functions, function-hardening, supply-chain]
+tags:
+- serverless-security
+- aws-lambda
+- azure-functions
+- function-hardening
+- supply-chain
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---
 
 # Securing Serverless Functions
diff --git a/skills/testing-android-intents-for-vulnerabilities/SKILL.md b/skills/testing-android-intents-for-vulnerabilities/SKILL.md
index 6e9f773c..def20d83 100644
--- a/skills/testing-android-intents-for-vulnerabilities/SKILL.md
+++ b/skills/testing-android-intents-for-vulnerabilities/SKILL.md
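Review bot: This hunk reuses the Kubernetes skill's nist_csf set unchanged, but the description's lead items are least-privilege IAM roles and secrets management, which belong under PR.AA-05 and PR.AA-01 rather than anything listed, and dependency vulnerability scanning is ID.RA-01, which the testing skills in this diff carry but this one does not. `- PR.AA-05` and `- ID.RA-01` are the two additions I'd make. GV.SC-06 (due diligence before entering a supplier relationship) is a stretch for scanning third-party dependencies already in use; if a supply-chain ID is wanted, GV.SC-07 (risks posed by a supplier are understood and monitored over the relationship) is the closer reading, though I'd confirm against the CSF 2.0 text before relying on it.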
@@ -1,17 +1,28 @@
 ---
 name: testing-android-intents-for-vulnerabilities
-description: >
- Tests Android inter-process communication (IPC) through intents for vulnerabilities including
- intent injection, unauthorized component access, broadcast sniffing, pending intent hijacking,
- and content provider data leakage. Use when assessing Android app attack surface through exported
- components, testing intent-based data flows, or evaluating IPC security. Activates for requests
- involving Android intent security, IPC testing, exported component analysis, or Drozer assessment.
+description: 'Tests Android inter-process communication (IPC) through intents for vulnerabilities including intent injection,
+ unauthorized component access, broadcast sniffing, pending intent hijacking, and content provider data leakage. Use when
+ assessing Android app attack surface through exported components, testing intent-based data flows, or evaluating IPC security.
+ Activates for requests involving Android intent security, IPC testing, exported component analysis, or Drozer assessment.
+
+ '
 domain: cybersecurity
 subdomain: mobile-security
 author: mahipal
-tags: [mobile-security, android, intents, ipc-security, owasp-mobile, penetration-testing]
+tags:
+- mobile-security
+- android
+- intents
+- ipc-security
+- owasp-mobile
+- penetration-testing
 version: 1.0.0
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.AA-05
+- ID.RA-01
+- DE.CM-09
 ---
 
 # Testing Android Intents for Vulnerabilities
diff --git a/skills/testing-api-authentication-weaknesses/SKILL.md b/skills/testing-api-authentication-weaknesses/SKILL.md
index 626b8085..758d1a14 100644
--- a/skills/testing-api-authentication-weaknesses/SKILL.md
+++ b/skills/testing-api-authentication-weaknesses/SKILL.md
@@ -1,19 +1,29 @@
 ---
 name: testing-api-authentication-weaknesses
-description: >
- Tests API authentication mechanisms for weaknesses including broken token validation,
- missing authentication on endpoints, weak password policies, credential stuffing
- susceptibility, token leakage in URLs or logs, and session management flaws. The tester
- evaluates JWT implementation, API key handling, OAuth flows, and session token entropy
- to identify authentication bypasses. Maps to OWASP API2:2023 Broken Authentication.
- Activates for requests involving API authentication testing, token validation assessment,
- credential security testing, or API auth bypass.
+description: 'Tests API authentication mechanisms for weaknesses including broken token validation, missing authentication
+ on endpoints, weak password policies, credential stuffing susceptibility, token leakage in URLs or logs, and session management
+ flaws. The tester evaluates JWT implementation, API key handling, OAuth flows, and session token entropy to identify authentication
+ bypasses. Maps to OWASP API2:2023 Broken Authentication. Activates for requests involving API authentication testing, token
+ validation assessment, credential security testing, or API auth bypass.
+
+ '
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, owasp, authentication, jwt, session-management, credential-security]
+tags:
+- api-security
+- owasp
+- authentication
+- jwt
+- session-management
+- credential-security
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing API Authentication Weaknesses
diff --git a/skills/testing-api-for-broken-object-level-authorization/SKILL.md b/skills/testing-api-for-broken-object-level-authorization/SKILL.md
index 622cca5d..1462d597 100644
--- a/skills/testing-api-for-broken-object-level-authorization/SKILL.md
+++ b/skills/testing-api-for-broken-object-level-authorization/SKILL.md
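Review bot: For a skill whose entire subject is authentication, the nist_csf list has no PR.AA entry; PR.AA-03 (users, services and hardware are authenticated) is the subcategory a CSF-driven reader would search under, while PR.DS-10 (protection of data-in-use) and PR.PS-01 (configuration management) do not correspond to anything in the description. The same four IDs are applied to every api-security and web-application-security skill in this diff regardless of topic, so the field currently encodes the subdomain rather than the skill. I'd add `- PR.AA-03` here and drop `- PR.DS-10`, and do a per-skill pass on the rest before the mapping is relied on for filtering.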
@@ -1,19 +1,30 @@
 ---
 name: testing-api-for-broken-object-level-authorization
-description: >
- Tests REST and GraphQL APIs for Broken Object Level Authorization (BOLA/IDOR) vulnerabilities
- where an authenticated user can access or modify resources belonging to other users by
- manipulating object identifiers in API requests. The tester intercepts API calls, identifies
- object ID parameters (numeric IDs, UUIDs, slugs), and systematically replaces them with IDs
- belonging to other users to determine if the server enforces per-object authorization. This
- is OWASP API Security Top 10 2023 risk API1. Activates for requests involving BOLA testing,
- IDOR in APIs, object-level authorization testing, or API access control bypass.
+description: 'Tests REST and GraphQL APIs for Broken Object Level Authorization (BOLA/IDOR) vulnerabilities where an authenticated
+ user can access or modify resources belonging to other users by manipulating object identifiers in API requests. The tester
+ intercepts API calls, identifies object ID parameters (numeric IDs, UUIDs, slugs), and systematically replaces them with
+ IDs belonging to other users to determine if the server enforces per-object authorization. This is OWASP API Security Top
+ 10 2023 risk API1. Activates for requests involving BOLA testing, IDOR in APIs, object-level authorization testing, or API
+ access control bypass.
+
+ '
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, owasp, bola, idor, authorization, rest-security]
+tags:
+- api-security
+- owasp
+- bola
+- idor
+- authorization
+- rest-security
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing API for Broken Object Level Authorization
diff --git a/skills/testing-api-for-mass-assignment-vulnerability/SKILL.md b/skills/testing-api-for-mass-assignment-vulnerability/SKILL.md
index 87bf4ed7..5c0da325 100644
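Review bot: Per-object authorization is exactly what PR.AA-05 (access permissions, entitlements and authorizations are defined, managed, enforced and reviewed) describes, and it is absent from the list while PR.DS-10 (data-in-use protection) is present; I'd add `- PR.AA-05`. The set is shared verbatim with the other API-testing skills in this diff, so the BOLA-specific mapping appears not to have been reviewed on its own.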
--- a/skills/testing-api-for-mass-assignment-vulnerability/SKILL.md
+++ b/skills/testing-api-for-mass-assignment-vulnerability/SKILL.md
@@ -1,19 +1,28 @@
 ---
 name: testing-api-for-mass-assignment-vulnerability
-description: >
- Tests APIs for mass assignment (auto-binding) vulnerabilities where clients can modify
- object properties they should not have access to by including additional parameters in
- API requests. The tester identifies writable endpoints, adds undocumented fields to request
- bodies (role, isAdmin, price, balance), and checks if the server binds these to the data
- model without filtering. Part of OWASP API3:2023 Broken Object Property Level Authorization.
- Activates for requests involving mass assignment testing, parameter binding abuse, auto-binding
- vulnerability, or API over-posting.
+description: 'Tests APIs for mass assignment (auto-binding) vulnerabilities where clients can modify object properties they
+ should not have access to by including additional parameters in API requests. The tester identifies writable endpoints,
+ adds undocumented fields to request bodies (role, isAdmin, price, balance), and checks if the server binds these to the
+ data model without filtering. Part of OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests
+ involving mass assignment testing, parameter binding abuse, auto-binding vulnerability, or API over-posting.
+
+ '
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, owasp, mass-assignment, auto-binding, parameter-tampering]
+tags:
+- api-security
+- owasp
+- mass-assignment
+- auto-binding
+- parameter-tampering
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing API for Mass Assignment Vulnerability
diff --git a/skills/testing-api-security-with-owasp-top-10/SKILL.md b/skills/testing-api-security-with-owasp-top-10/SKILL.md
index 58ad066b..3f74dead 100644
--- a/skills/testing-api-security-with-owasp-top-10/SKILL.md
+++ b/skills/testing-api-security-with-owasp-top-10/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: testing-api-security-with-owasp-top-10
-description: Systematically assessing REST and GraphQL API endpoints against the OWASP API Security Top 10 risks using automated and manual testing techniques.
+description: Systematically assessing REST and GraphQL API endpoints against the OWASP API Security Top 10 risks using automated
+ and manual testing techniques.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, api-security, owasp, rest-api, graphql, burpsuite, postman]
-version: "1.0"
+tags:
+- penetration-testing
+- api-security
+- owasp
+- rest-api
+- graphql
+- burpsuite
+- postman
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing API Security with OWASP Top 10
diff --git a/skills/testing-cors-misconfiguration/SKILL.md b/skills/testing-cors-misconfiguration/SKILL.md
index 23598782..b1e1adfa 100644
--- a/skills/testing-cors-misconfiguration/SKILL.md
+++ b/skills/testing-cors-misconfiguration/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: testing-cors-misconfiguration
-description: Identifying and exploiting Cross-Origin Resource Sharing misconfigurations that allow unauthorized cross-domain data access and credential theft during security assessments.
+description: Identifying and exploiting Cross-Origin Resource Sharing misconfigurations that allow unauthorized cross-domain
+ data access and credential theft during security assessments.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, cors, web-security, owasp, same-origin-policy, burpsuite]
-version: "1.0"
+tags:
+- penetration-testing
+- cors
+- web-security
+- owasp
+- same-origin-policy
+- burpsuite
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing CORS Misconfiguration
diff --git a/skills/testing-for-broken-access-control/SKILL.md b/skills/testing-for-broken-access-control/SKILL.md
index 0e317a4b..1c1e8549 100644
--- a/skills/testing-for-broken-access-control/SKILL.md
+++ b/skills/testing-for-broken-access-control/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: testing-for-broken-access-control
-description: Systematically testing web applications for broken access control vulnerabilities including privilege escalation, missing function-level checks, and insecure direct object references.
+description: Systematically testing web applications for broken access control vulnerabilities including privilege escalation,
+ missing function-level checks, and insecure direct object references.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, access-control, authorization, owasp, privilege-escalation, web-security]
-version: "1.0"
+tags:
+- penetration-testing
+- access-control
+- authorization
+- owasp
+- privilege-escalation
+- web-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing for Broken Access Control
diff --git a/skills/testing-for-business-logic-vulnerabilities/SKILL.md b/skills/testing-for-business-logic-vulnerabilities/SKILL.md
index 6a864154..e785fcec 100644
--- a/skills/testing-for-business-logic-vulnerabilities/SKILL.md
+++ b/skills/testing-for-business-logic-vulnerabilities/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: testing-for-business-logic-vulnerabilities
-description: Identifying flaws in application business logic that allow price manipulation, workflow bypass, and privilege escalation beyond what technical vulnerability scanners can detect.
+description: Identifying flaws in application business logic that allow price manipulation, workflow bypass, and privilege
+ escalation beyond what technical vulnerability scanners can detect.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, business-logic, owasp, web-security, burpsuite, manual-testing]
-version: "1.0"
+tags:
+- penetration-testing
+- business-logic
+- owasp
+- web-security
+- burpsuite
+- manual-testing
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing for Business Logic Vulnerabilities
diff --git a/skills/testing-for-email-header-injection/SKILL.md b/skills/testing-for-email-header-injection/SKILL.md
index 4caeedc1..9ad4f4ff 100644
--- a/skills/testing-for-email-header-injection/SKILL.md
+++ b/skills/testing-for-email-header-injection/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: testing-for-email-header-injection
-description: Test web application email functionality for SMTP header injection vulnerabilities that allow attackers to inject additional email headers, modify recipients, and abuse contact forms for spam relay.
+description: Test web application email functionality for SMTP header injection vulnerabilities that allow attackers to inject
+ additional email headers, modify recipients, and abuse contact forms for spam relay.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [email-injection, smtp-injection, crlf-injection, header-injection, spam-relay, contact-form, email-security]
-version: "1.0"
+tags:
+- email-injection
+- smtp-injection
+- crlf-injection
+- header-injection
+- spam-relay
+- contact-form
+- email-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing for Email Header Injection
diff --git a/skills/testing-for-host-header-injection/SKILL.md b/skills/testing-for-host-header-injection/SKILL.md
index ba63860f..721283fd 100644
--- a/skills/testing-for-host-header-injection/SKILL.md
+++ b/skills/testing-for-host-header-injection/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: testing-for-host-header-injection
-description: Test web applications for HTTP Host header injection vulnerabilities to identify password reset poisoning, web cache poisoning, SSRF, and virtual host routing manipulation risks.
+description: Test web applications for HTTP Host header injection vulnerabilities to identify password reset poisoning, web
+ cache poisoning, SSRF, and virtual host routing manipulation risks.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [host-header-injection, password-reset-poisoning, cache-poisoning, virtual-host, web-security, header-manipulation, ssrf]
-version: "1.0"
+tags:
+- host-header-injection
+- password-reset-poisoning
+- cache-poisoning
+- virtual-host
+- web-security
+- header-manipulation
+- ssrf
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing for Host Header Injection
diff --git a/skills/testing-for-json-web-token-vulnerabilities/SKILL.md b/skills/testing-for-json-web-token-vulnerabilities/SKILL.md
index c3b6e387..db390956 100644
--- a/skills/testing-for-json-web-token-vulnerabilities/SKILL.md
+++ b/skills/testing-for-json-web-token-vulnerabilities/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: testing-for-json-web-token-vulnerabilities
-description: Test JWT implementations for critical vulnerabilities including algorithm confusion, none algorithm bypass, kid parameter injection, and weak secret exploitation to achieve authentication bypass and privilege escalation.
+description: Test JWT implementations for critical vulnerabilities including algorithm confusion, none algorithm bypass, kid
+ parameter injection, and weak secret exploitation to achieve authentication bypass and privilege escalation.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [jwt, json-web-token, algorithm-confusion, authentication-bypass, token-forgery, kid-injection, jku-attack]
-version: "1.0"
+tags:
+- jwt
+- json-web-token
+- algorithm-confusion
+- authentication-bypass
+- token-forgery
+- kid-injection
+- jku-attack
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing for JSON Web Token Vulnerabilities
diff --git a/skills/testing-for-open-redirect-vulnerabilities/SKILL.md b/skills/testing-for-open-redirect-vulnerabilities/SKILL.md
index ba47b67e..1be439cf 100644
--- a/skills/testing-for-open-redirect-vulnerabilities/SKILL.md
+++ b/skills/testing-for-open-redirect-vulnerabilities/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: testing-for-open-redirect-vulnerabilities
-description: Identify and test open redirect vulnerabilities in web applications by analyzing URL redirection parameters, bypass techniques, and exploitation chains for phishing and token theft.
+description: Identify and test open redirect vulnerabilities in web applications by analyzing URL redirection parameters,
+ bypass techniques, and exploitation chains for phishing and token theft.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [open-redirect, url-redirect, phishing, owasp, url-validation, redirect-bypass, unvalidated-redirect]
-version: "1.0"
+tags:
+- open-redirect
+- url-redirect
+- phishing
+- owasp
+- url-validation
+- redirect-bypass
+- unvalidated-redirect
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing for Open Redirect Vulnerabilities
diff --git a/skills/testing-for-sensitive-data-exposure/SKILL.md b/skills/testing-for-sensitive-data-exposure/SKILL.md
index c19d0491..072f6df4 100644
--- a/skills/testing-for-sensitive-data-exposure/SKILL.md
+++ b/skills/testing-for-sensitive-data-exposure/SKILL.md
@@ -23,6 +23,11 @@ atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing for Sensitive Data Exposure
diff --git a/skills/testing-for-xml-injection-vulnerabilities/SKILL.md b/skills/testing-for-xml-injection-vulnerabilities/SKILL.md
index e7d7cc4a..1948f845 100644
--- a/skills/testing-for-xml-injection-vulnerabilities/SKILL.md
+++ b/skills/testing-for-xml-injection-vulnerabilities/SKILL.md
@@ -1,12 +1,25 @@
 ---
 name: testing-for-xml-injection-vulnerabilities
-description: Test web applications for XML injection vulnerabilities including XXE, XPath injection, and XML entity attacks to identify data exposure and server-side request forgery risks.
+description: Test web applications for XML injection vulnerabilities including XXE, XPath injection, and XML entity attacks
+ to identify data exposure and server-side request forgery risks.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [xml-injection, xxe, xpath-injection, xml-parsing, web-security, entity-injection, dtd-attack]
-version: "1.0"
+tags:
+- xml-injection
+- xxe
+- xpath-injection
+- xml-parsing
+- web-security
+- entity-injection
+- dtd-attack
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing for XML Injection Vulnerabilities
diff --git a/skills/testing-for-xss-vulnerabilities-with-burpsuite/SKILL.md b/skills/testing-for-xss-vulnerabilities-with-burpsuite/SKILL.md
index a5f6c0b4..89931003 100644
--- a/skills/testing-for-xss-vulnerabilities-with-burpsuite/SKILL.md
+++ b/skills/testing-for-xss-vulnerabilities-with-burpsuite/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: testing-for-xss-vulnerabilities-with-burpsuite
-description: Identifying and validating cross-site scripting vulnerabilities using Burp Suite's scanner, intruder, and repeater tools during authorized security assessments.
+description: Identifying and validating cross-site scripting vulnerabilities using Burp Suite's scanner, intruder, and repeater
+ tools during authorized security assessments.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, xss, burpsuite, owasp, web-security, cross-site-scripting]
-version: "1.0"
+tags:
+- penetration-testing
+- xss
+- burpsuite
+- owasp
+- web-security
+- cross-site-scripting
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing for XSS Vulnerabilities with Burp Suite
diff --git a/skills/testing-for-xss-vulnerabilities/SKILL.md b/skills/testing-for-xss-vulnerabilities/SKILL.md
index a5192808..2c63f909 100644
--- a/skills/testing-for-xss-vulnerabilities/SKILL.md
+++ b/skills/testing-for-xss-vulnerabilities/SKILL.md
@@ -1,18 +1,28 @@
 ---
 name: testing-for-xss-vulnerabilities
-description: >
- Tests web applications for Cross-Site Scripting (XSS) vulnerabilities by injecting JavaScript
- payloads into reflected, stored, and DOM-based contexts to demonstrate client-side code
- execution, session hijacking, and user impersonation. The tester identifies all injection
- points and output contexts, crafts context-appropriate payloads, and bypasses sanitization
- and CSP protections. Activates for requests involving XSS testing, cross-site scripting
- assessment, client-side injection testing, or JavaScript injection vulnerability testing.
+description: 'Tests web applications for Cross-Site Scripting (XSS) vulnerabilities by injecting JavaScript payloads into
+ reflected, stored, and DOM-based contexts to demonstrate client-side code execution, session hijacking, and user impersonation.
+ The tester identifies all injection points and output contexts, crafts context-appropriate payloads, and bypasses sanitization
+ and CSP protections. Activates for requests involving XSS testing, cross-site scripting assessment, client-side injection
+ testing, or JavaScript injection vulnerability testing.
+
+ '
 domain: cybersecurity
 subdomain: penetration-testing
-tags: [XSS, cross-site-scripting, client-side-security, OWASP-A03, JavaScript-injection]
+tags:
+- XSS
+- cross-site-scripting
+- client-side-security
+- OWASP-A03
+- JavaScript-injection
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-06
+- GV.OV-02
+- DE.AE-07
 ---
 
 # Testing for XSS Vulnerabilities
diff --git a/skills/testing-for-xxe-injection-vulnerabilities/SKILL.md b/skills/testing-for-xxe-injection-vulnerabilities/SKILL.md
index 1f00f82e..a6cc7b33 100644
--- a/skills/testing-for-xxe-injection-vulnerabilities/SKILL.md
+++ b/skills/testing-for-xxe-injection-vulnerabilities/SKILL.md
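Review bot: This skill and testing-for-xss-vulnerabilities-with-burpsuite in the preceding hunk cover the same vulnerability class but receive near-disjoint nist_csf sets (ID.RA-01/ID.RA-06/GV.OV-02/DE.AE-07 here versus PR.PS-01/ID.RA-01/PR.DS-10/DE.CM-01 there), so a CSF-based query will return one and not the other. GV.OV-02 (reviewing the risk-management strategy) and DE.AE-07 (integrating threat intelligence into analysis) are hard to justify from a payload-injection description; the difference appears to track the `penetration-testing` subdomain rather than the skill's content. I'd align the two XSS skills on one set, keeping `- ID.RA-01` and dropping `- GV.OV-02` and `- DE.AE-07`.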
@@ -1,12 +1,24 @@
 ---
 name: testing-for-xxe-injection-vulnerabilities
-description: Discovering and exploiting XML External Entity injection vulnerabilities to read server files, perform SSRF, and exfiltrate data during authorized penetration tests.
+description: Discovering and exploiting XML External Entity injection vulnerabilities to read server files, perform SSRF,
+ and exfiltrate data during authorized penetration tests.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, xxe, xml-injection, owasp, web-security, burpsuite]
-version: "1.0"
+tags:
+- penetration-testing
+- xxe
+- xml-injection
+- owasp
+- web-security
+- burpsuite
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing for XXE Injection Vulnerabilities
diff --git a/skills/testing-jwt-token-security/SKILL.md b/skills/testing-jwt-token-security/SKILL.md
index 0dc5a047..9ea65311 100644
--- a/skills/testing-jwt-token-security/SKILL.md
+++ b/skills/testing-jwt-token-security/SKILL.md
@@ -1,12 +1,24 @@
 ---
 name: testing-jwt-token-security
-description: Assessing JSON Web Token implementations for cryptographic weaknesses, algorithm confusion attacks, and authorization bypass vulnerabilities during security engagements.
+description: Assessing JSON Web Token implementations for cryptographic weaknesses, algorithm confusion attacks, and authorization
+ bypass vulnerabilities during security engagements.
 domain: cybersecurity
 subdomain: web-application-security
-tags: [penetration-testing, jwt, authentication, web-security, token-security, burpsuite]
-version: "1.0"
+tags:
+- penetration-testing
+- jwt
+- authentication
+- web-security
+- token-security
+- burpsuite
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing JWT Token Security
diff --git a/skills/testing-mobile-api-authentication/SKILL.md b/skills/testing-mobile-api-authentication/SKILL.md
index f878cc74..aa072198 100644
--- a/skills/testing-mobile-api-authentication/SKILL.md
+++ b/skills/testing-mobile-api-authentication/SKILL.md
@@ -1,18 +1,29 @@
 ---
 name: testing-mobile-api-authentication
-description: >
- Tests authentication and authorization mechanisms in mobile application APIs to identify
- broken authentication, insecure token management, session fixation, privilege escalation,
- and IDOR vulnerabilities. Use when performing API security assessments against mobile app
- backends, testing JWT implementations, evaluating OAuth flows, or assessing session management.
- Activates for requests involving mobile API auth testing, token security assessment, OAuth
- mobile flow testing, or API authorization bypass.
+description: 'Tests authentication and authorization mechanisms in mobile application APIs to identify broken authentication,
+ insecure token management, session fixation, privilege escalation, and IDOR vulnerabilities. Use when performing API security
+ assessments against mobile app backends, testing JWT implementations, evaluating OAuth flows, or assessing session management.
+ Activates for requests involving mobile API auth testing, token security assessment, OAuth mobile flow testing, or API authorization
+ bypass.
+
+ '
 domain: cybersecurity
 subdomain: mobile-security
 author: mahipal
-tags: [mobile-security, android, ios, api-security, authentication, penetration-testing]
+tags:
+- mobile-security
+- android
+- ios
+- api-security
+- authentication
+- penetration-testing
 version: 1.0.0
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.AA-05
+- ID.RA-01
+- DE.CM-09
 ---
 
 # Testing Mobile API Authentication
diff --git a/skills/testing-oauth2-implementation-flaws/SKILL.md b/skills/testing-oauth2-implementation-flaws/SKILL.md
index b64d2319..32a401f4 100644
--- a/skills/testing-oauth2-implementation-flaws/SKILL.md
+++ b/skills/testing-oauth2-implementation-flaws/SKILL.md
@@ -1,18 +1,29 @@
 ---
 name: testing-oauth2-implementation-flaws
-description: >
- Tests OAuth 2.0 and OpenID Connect implementations for security flaws including authorization
- code interception, redirect URI manipulation, CSRF in OAuth flows, token leakage, scope
- escalation, and PKCE bypass. The tester evaluates the authorization server, client
- application, and token handling for common misconfigurations that enable account takeover
- or unauthorized access. Activates for requests involving OAuth security testing, OIDC
- vulnerability assessment, OAuth2 redirect bypass, or authorization code flow testing.
+description: 'Tests OAuth 2.0 and OpenID Connect implementations for security flaws including authorization code interception,
+ redirect URI manipulation, CSRF in OAuth flows, token leakage, scope escalation, and PKCE bypass. The tester evaluates the
+ authorization server, client application, and token handling for common misconfigurations that enable account takeover or
+ unauthorized access. Activates for requests involving OAuth security testing, OIDC vulnerability assessment, OAuth2 redirect
+ bypass, or authorization code flow testing.
+
+ '
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, oauth2, oidc, authentication, redirect-uri, token-security]
+tags:
+- api-security
+- oauth2
+- oidc
+- authentication
+- redirect-uri
+- token-security
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing OAuth2 Implementation Flaws
diff --git a/skills/testing-ransomware-recovery-procedures/SKILL.md b/skills/testing-ransomware-recovery-procedures/SKILL.md
index 887eaf39..ca490385 100644
--- a/skills/testing-ransomware-recovery-procedures/SKILL.md
+++ b/skills/testing-ransomware-recovery-procedures/SKILL.md
@@ -1,15 +1,25 @@
 ---
 name: testing-ransomware-recovery-procedures
-description: >-
- Test and validate ransomware recovery procedures including backup restore operations,
- RTO/RPO target verification, recovery sequencing, and clean restore validation to ensure
- organizational resilience against destructive ransomware attacks.
+description: Test and validate ransomware recovery procedures including backup restore operations, RTO/RPO target verification,
+ recovery sequencing, and clean restore validation to ensure organizational resilience against destructive ransomware attacks.
 domain: cybersecurity
 subdomain: incident-response
-tags: [incident-response, ransomware, disaster-recovery, backup, rto, rpo, resilience]
-version: "1.0"
+tags:
+- incident-response
+- ransomware
+- disaster-recovery
+- backup
+- rto
+- rpo
+- resilience
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 
 # Testing Ransomware Recovery Procedures
diff --git a/skills/testing-websocket-api-security/SKILL.md b/skills/testing-websocket-api-security/SKILL.md
index e398a8e4..422b9d5e 100644
--- a/skills/testing-websocket-api-security/SKILL.md
+++ b/skills/testing-websocket-api-security/SKILL.md
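Review bot: RS.AN-03 (analysis of what took place during an incident) and RS.MA-01/RS.MA-02 (executing the response plan, triaging incident reports) describe live response, whereas this skill tests recovery procedures; RC.RP-03 (integrity of backups and other restoration assets verified before use) is the direct match for "clean restore validation", and ID.IM-02 (improvements identified from security tests and exercises) captures the testing nature. I'd replace `- RS.AN-03` with `- RC.RP-03` and add `- ID.IM-02`, keeping RC.RP-01. The description's move from a `>-` block to a plain multi-line scalar is value-preserving: both fold to one line with no trailing newline.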
@@ -1,19 +1,30 @@
 ---
 name: testing-websocket-api-security
-description: >
- Tests WebSocket API implementations for security vulnerabilities including missing
- authentication on WebSocket upgrade, Cross-Site WebSocket Hijacking (CSWSH), injection
- attacks through WebSocket messages, insufficient input validation, denial-of-service via
- message flooding, and information leakage through WebSocket frames. The tester intercepts
- WebSocket handshakes and messages using Burp Suite, crafts malicious payloads, and tests
- for authorization bypass on WebSocket channels. Activates for requests involving WebSocket
- security testing, WS penetration testing, CSWSH attack, or real-time API security assessment.
+description: 'Tests WebSocket API implementations for security vulnerabilities including missing authentication on WebSocket
+ upgrade, Cross-Site WebSocket Hijacking (CSWSH), injection attacks through WebSocket messages, insufficient input validation,
+ denial-of-service via message flooding, and information leakage through WebSocket frames. The tester intercepts WebSocket
+ handshakes and messages using Burp Suite, crafts malicious payloads, and tests for authorization bypass on WebSocket channels.
+ Activates for requests involving WebSocket security testing, WS penetration testing, CSWSH attack, or real-time API security
+ assessment.
+
+ '
 domain: cybersecurity
 subdomain: api-security
-tags: [api-security, websocket, cswsh, real-time, injection, authentication]
+tags:
+- api-security
+- websocket
+- cswsh
+- real-time
+- injection
+- authentication
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- ID.RA-01
+- PR.DS-10
+- DE.CM-01
 ---
 
 # Testing WebSocket API Security
diff --git a/skills/tracking-threat-actor-infrastructure/SKILL.md b/skills/tracking-threat-actor-infrastructure/SKILL.md
index b74ae3f0..34708130 100644
--- a/skills/tracking-threat-actor-infrastructure/SKILL.md
+++ b/skills/tracking-threat-actor-infrastructure/SKILL.md
@@ -1,12 +1,27 @@
 ---
 name: tracking-threat-actor-infrastructure
-description: Threat actor infrastructure tracking involves monitoring and mapping adversary-controlled assets including command-and-control (C2) servers, phishing domains, exploit kit hosts, bulletproof hosting, a
+description: Threat actor infrastructure tracking involves monitoring and mapping adversary-controlled assets including command-and-control
+ (C2) servers, phishing domains, exploit kit hosts, bulletproof hosting, a
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, infrastructure-tracking, shodan, censys, passive-dns]
-version: "1.0"
+tags:
+- threat-intelligence
+- cti
+- ioc
+- mitre-attack
+- stix
+- infrastructure-tracking
+- shodan
+- censys
+- passive-dns
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 
 # Tracking Threat Actor Infrastructure
diff --git a/skills/triaging-security-alerts-in-splunk/SKILL.md b/skills/triaging-security-alerts-in-splunk/SKILL.md
index f6edc27a..02ab6bc5 100644
--- a/skills/triaging-security-alerts-in-splunk/SKILL.md
+++ b/skills/triaging-security-alerts-in-splunk/SKILL.md
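Review bot: The description on the new side is still cut off mid-sentence, ending at `bulletproof hosting, a`, so the reflow has wrapped a truncated value rather than restoring it; the old side was already truncated, but this rewrite is the natural place to fix it. Complete the sentence from the text the description was derived from, or at least close it on the items actually listed, e.g. `… exploit kit hosts, and bulletproof hosting.`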
@@ -1,17 +1,29 @@
 ---
 name: triaging-security-alerts-in-splunk
-description: >
- Triages security alerts in Splunk Enterprise Security by classifying severity, investigating
- notable events, correlating related telemetry, and making escalation or closure decisions using
- SPL queries and the Incident Review dashboard. Use when SOC analysts face queued alerts from
- correlation searches, need to prioritize investigation order, or must document triage decisions
- for handoff to Tier 2/3 analysts.
+description: 'Triages security alerts in Splunk Enterprise Security by classifying severity, investigating notable events,
+ correlating related telemetry, and making escalation or closure decisions using SPL queries and the Incident Review dashboard.
+ Use when SOC analysts face queued alerts from correlation searches, need to prioritize investigation order, or must document
+ triage decisions for handoff to Tier 2/3 analysts.
+
+ '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, splunk, alert-triage, siem, notable-events, correlation-search, incident-review]
-version: "1.0"
+tags:
+- soc
+- splunk
+- alert-triage
+- siem
+- notable-events
+- correlation-search
+- incident-review
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 
 # Triaging Security Alerts in Splunk
diff --git a/skills/triaging-security-incident-with-ir-playbook/SKILL.md b/skills/triaging-security-incident-with-ir-playbook/SKILL.md
index 73b3bcd3..3fc39623 100644
--- a/skills/triaging-security-incident-with-ir-playbook/SKILL.md
+++ b/skills/triaging-security-incident-with-ir-playbook/SKILL.md
@@ -1,13 +1,27 @@
 ---
 name: triaging-security-incident-with-ir-playbook
-description: Classify and prioritize security incidents using structured IR playbooks to determine severity, assign response teams, and initiate appropriate response procedures.
+description: Classify and prioritize security incidents using structured IR playbooks to determine severity, assign response
+ teams, and initiate appropriate response procedures.
 domain: cybersecurity
 subdomain: incident-response
-tags: [incident-response, triage, playbook, severity-classification, soc]
-mitre_attack: ["T1190", "T1566", "T1078"]
-version: "1.0"
+tags:
+- incident-response
+- triage
+- playbook
+- severity-classification
+- soc
+mitre_attack:
+- T1190
+- T1566
+- T1078
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 
 # Triaging Security Incidents with IR Playbooks
diff --git a/skills/triaging-security-incident/SKILL.md b/skills/triaging-security-incident/SKILL.md
index 1f71b88a..42a4b56f 100644
--- a/skills/triaging-security-incident/SKILL.md
+++ b/skills/triaging-security-incident/SKILL.md
@@ -1,8 +1,229 @@
 ---
-{}
----tags:
+name: triaging-security-incident
+description: 'Performs initial triage of security incidents to determine severity, scope, and required response actions using
+ the NIST SP 800-61r3 and SANS PICERL frameworks. Classifies incidents by type, assigns priority based on business impact,
+ and routes to appropriate response teams. Activates for requests involving incident triage, security alert classification,
+ severity assessment, incident prioritization, or initial incident analysis.
+
+ '
+domain: cybersecurity
+subdomain: incident-response
+tags:
 - incident-triage
 - NIST-800-61
 - SANS-PICERL
 - severity-classification
 - SOC-operations
+mitre_attack:
+- T1190
+- T1566
+- T1078
+- T1059
+version: 1.0.0
+author: mahipal
+license: Apache-2.0
+d3fend_techniques:
+- Executable Denylisting
+- Execution Isolation
+- File Metadata Consistency Validation
+- Content Format Conversion
+- File Content Analysis
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
+---
+
+# Triaging Security Incidents
+
+## When to Use
+
+- A SIEM or EDR alert fires and requires human classification before escalation
+- Multiple concurrent alerts arrive and the SOC must prioritize response order
+- An end user reports suspicious activity and the incident needs initial categorization
+- A threat intelligence feed matches an IOC observed in the environment
+
+**Do not use** for routine vulnerability scanning results or compliance audit findings that do not represent active security incidents.
+
+## Prerequisites
+
+- Access to SIEM platform (Splunk, Elastic, Microsoft Sentinel) with current alert data
+- Incident classification taxonomy aligned to NIST SP 800-61r3 categories
+- Predefined severity matrix mapping asset criticality to threat type
+- Contact roster for escalation paths (Tier 1 through Tier 3 and CIRT)
+- Asset inventory with business criticality ratings
+
+## Workflow
+
+### Step 1: Collect Initial Alert Data
+
+Gather all available context from the triggering alert before making classification decisions:
+
+- **Alert source**: Which detection system generated the alert (EDR, SIEM, IDS/IPS, firewall, user report)
+- **Timestamp**: When the event occurred and when it was detected (dwell time gap)
+- **Affected assets**: Hostnames, IP addresses, user accounts involved
+- **Alert fidelity**: Historical true-positive rate for this detection rule
+- **Raw evidence**: Log entries, packet captures, process execution chains
+
+```
+Example SIEM alert context:
+Source: CrowdStrike Falcon
+Detection: Suspicious PowerShell Execution (T1059.001)
+Host: WORKSTATION-FIN-042
+User: jsmith@corp.example.com
+Timestamp: 2025-11-15T14:23:17Z
+Severity: High (detection rule confidence: 92%)
+Process: powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA...
+Parent: outlook.exe (PID 4812)
+```
+
+### Step 2: Classify the Incident Type
+
+Map the alert to a standard incident category per NIST SP 800-61r3:
+
+| Category | Examples |
+|----------|----------|
+| Unauthorized Access | Compromised credentials, privilege escalation, IDOR |
+| Denial of Service | Volumetric DDoS, application-layer flood, resource exhaustion |
+| Malicious Code | Malware execution, ransomware detonation, cryptominer |
+| Improper Usage | Policy violation, insider data exfiltration, shadow IT |
+| Reconnaissance | Port scanning, directory enumeration, credential spraying |
+| Web Application Attack | SQL injection, XSS, SSRF exploitation |
+
+### Step 3: Assign Severity Using Impact Matrix
+
+Calculate severity by combining asset criticality with threat severity:
+
+```
+Severity = f(Asset Criticality, Threat Type, Data Sensitivity, Lateral Movement Potential)
+
+Critical (P1): Crown jewel systems compromised, active data exfiltration, ransomware spreading
+High (P2): Production system compromise, confirmed malware execution, privileged account takeover
+Medium (P3): Non-production compromise, unsuccessful exploitation attempt, single endpoint malware
+Low (P4): Reconnaissance activity, policy violation, benign true positive
+```
+
+Response SLA targets:
+- P1: Acknowledge within 15 minutes, containment within 1 hour
+- P2: Acknowledge within 30 minutes, containment within 4 hours
+- P3: Acknowledge within 2 hours, investigation within 24 hours
+- P4: Acknowledge within 8 hours, investigation within 72 hours
+
+### Step 4: Perform Initial Enrichment
+
+Before escalation, enrich the alert with contextual data:
+
+- **Threat intelligence**: Check IOCs (IP, hash, domain) against TI platforms (VirusTotal, OTX, MISP)
+- **Asset context**: Query CMDB for asset owner, business function, data classification
+- **User context**: Check identity provider for recent authentication anomalies, MFA status
+- **Historical correlation**: Search for related alerts on the same host/user in the past 30 days
+- **Network context**: Verify if source/destination IPs are internal, known partners, or external threat actors
+
+### Step 5: Document and Escalate
+
+Create a structured triage record and route to the appropriate response tier:
+
+```
+Incident Triage Record
+━━━━━━━━━━━━━━━━━━━━━
+Ticket ID: INC-2025-1547
+Triage Analyst: [analyst name]
+Triage Time: 2025-11-15T14:35:00Z (12 min from alert)
+Classification: Malicious Code - Macro-based initial access
+Severity: P2 - High
+Affected Assets: WORKSTATION-FIN-042 (Finance dept, handles PII)
+Affected Users: jsmith@corp.example.com
+IOCs Identified: powershell.exe spawned by outlook.exe, encoded command
+TI Matches: Base64 payload matches known Qakbot loader pattern
+Escalation: Tier 2 - Malware IR team
+Recommended: Isolate endpoint, preserve memory dump, block sender domain
+```
+
+### Step 6: Initiate Containment Hold
+
+If severity is P1 or P2, initiate immediate containment actions while awaiting full investigation:
+
+- Network-isolate the affected endpoint via EDR (CrowdStrike contain, Defender isolate)
+- Disable compromised user accounts in Active Directory or identity provider
+- Block identified malicious IPs/domains at firewall and DNS sinkhole
+- Preserve volatile evidence (memory dump) before any remediation
+
+## Key Concepts
+
+| Term | Definition |
+|------|------------|
+| **Triage** | Rapid assessment process to classify and prioritize security incidents based on severity and business impact |
+| **PICERL** | SANS incident response framework: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned |
+| **Dwell Time** | Duration between initial compromise and detection; average is 10 days per Mandiant M-Trends 2025 |
+| **True Positive Rate** | Percentage of alerts from a detection rule that represent genuine security incidents |
+| **Crown Jewel Assets** | Systems and data critical to business operations whose compromise would cause severe organizational impact |
+| **Alert Fatigue** | Degraded analyst performance caused by high volumes of low-fidelity or false-positive alerts |
+| **Mean Time to Acknowledge (MTTA)** | Average time from alert generation to analyst acknowledgment; key SOC performance metric |
+
+## Tools & Systems
+
+- **Splunk Enterprise Security**: SIEM platform for alert aggregation, correlation, and triage workflow management
+- **CrowdStrike Falcon**: EDR platform providing endpoint telemetry, detection, and one-click host containment
+- **TheHive**: Open-source incident response platform for case management, task tracking, and team collaboration
+- **MISP**: Threat intelligence sharing platform for IOC enrichment during triage
+- **Cortex XSOAR**: SOAR platform for automating enrichment playbooks and triage decision trees
+
+## Common Scenarios
+
+### Scenario: Encoded PowerShell from Email Client
+
+**Context**: SOC analyst receives a P2 alert showing `powershell.exe` with a Base64-encoded command spawned as a child process of `outlook.exe` on a finance department workstation.
+
+**Approach**:
+1. Decode the Base64 payload to determine the command intent
+2. Check the parent process chain for anomalies (Outlook spawning PowerShell is abnormal)
+3. Query VirusTotal for the decoded payload hash
+4. Correlate with email gateway logs to identify the triggering email and sender
+5. Check if other recipients in the organization received the same email
+6. Isolate the endpoint and escalate to Tier 2 with full triage context
+
+**Pitfalls**:
+- Dismissing encoded PowerShell as a false positive without decoding the payload
+- Failing to check for lateral spread to other recipients of the same phishing email
+- Remediating the endpoint before capturing volatile memory evidence
+
+## Output Format
+
+```
+INCIDENT TRIAGE REPORT
+======================
+Ticket: INC-[YYYY]-[NNNN]
+Date/Time: [ISO 8601 timestamp]
+Triage Analyst: [Name]
+Time to Triage: [minutes from alert to classification]
+
+CLASSIFICATION
+Type: [NIST category]
+Severity: [P1-P4] - [Critical/High/Medium/Low]
+Confidence: [High/Medium/Low]
+MITRE ATT&CK: [Technique ID and name]
+
+AFFECTED SCOPE
+Assets: [hostname(s), IP(s)]
+Users: [account(s)]
+Data at Risk: [classification level]
+Business Unit: [department]
+
+EVIDENCE SUMMARY
+[Bullet list of key observations]
+
+ENRICHMENT RESULTS
+TI Matches: [Yes/No - details]
+Historical: [Related prior incidents]
+Asset Criticality: [rating]
+
+RECOMMENDED ACTIONS
+1. [Immediate action]
+2. [Investigation step]
+3. [Escalation target]
+
+ESCALATION
+Routed To: [Team/Individual]
+SLA Target: [Containment deadline]
+```
diff --git a/skills/triaging-vulnerabilities-with-ssvc-framework/SKILL.md b/skills/triaging-vulnerabilities-with-ssvc-framework/SKILL.md
index 610b5589..c945c775 100644
--- a/skills/triaging-vulnerabilities-with-ssvc-framework/SKILL.md
+++ b/skills/triaging-vulnerabilities-with-ssvc-framework/SKILL.md
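Review bot: `d3fend_techniques` in the new front matter lists display names (`Executable Denylisting`, `Execution Isolation`, `File Metadata Consistency Validation`, `Content Format Conversion`, `File Content Analysis`) while the sibling `mitre_attack` and `nist_csf` keys carry identifiers, so tooling that joins on technique IDs cannot use this key and a display name is free to change between D3FEND releases. The five entries are also file- and execution-level countermeasures, which does not obviously fit a procedure built around classification, enrichment and escalation (Steps 2–5); confirm the mapping was chosen for this skill rather than inherited. Recording the D3FEND identifier for each entry, either as a parallel key or as `ID - Name` strings, would make the list machine-checkable. Separately, the `Dwell Time` row states `average is 10 days per Mandiant M-Trends 2025`; M-Trends reports a median dwell time, so both the statistic named and the figure should be checked against that edition before the document is relied on.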
@@ -1,12 +1,26 @@
 ---
 name: triaging-vulnerabilities-with-ssvc-framework
-description: Triage and prioritize vulnerabilities using CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree framework to produce actionable remediation priorities.
+description: Triage and prioritize vulnerabilities using CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision
+ tree framework to produce actionable remediation priorities.
 domain: cybersecurity
 subdomain: vulnerability-management
-tags: [ssvc, vulnerability-triage, cisa, vulnerability-prioritization, decision-tree, cvss, remediation, risk-management]
-version: "1.0"
+tags:
+- ssvc
+- vulnerability-triage
+- cisa
+- vulnerability-prioritization
+- decision-tree
+- cvss
+- remediation
+- risk-management
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-02
+- ID.IM-02
+- ID.RA-06
 ---
 
 # Triaging Vulnerabilities with SSVC Framework
diff --git a/skills/validating-backup-integrity-for-recovery/SKILL.md b/skills/validating-backup-integrity-for-recovery/SKILL.md
index 60e82e3b..a01bec0a 100644
--- a/skills/validating-backup-integrity-for-recovery/SKILL.md
+++ b/skills/validating-backup-integrity-for-recovery/SKILL.md
@@ -1,15 +1,24 @@
 ---
 name: validating-backup-integrity-for-recovery
-description: >-
- Validate backup integrity through cryptographic hash verification, automated restore testing,
- corruption detection, and recoverability checks to ensure backups are reliable for disaster
- recovery and ransomware response scenarios.
+description: Validate backup integrity through cryptographic hash verification, automated restore testing, corruption detection,
+ and recoverability checks to ensure backups are reliable for disaster recovery and ransomware response scenarios.
 domain: cybersecurity
 subdomain: incident-response
-tags: [incident-response, backup, integrity, hash-verification, restore-testing, disaster-recovery]
-version: "1.0"
+tags:
+- incident-response
+- backup
+- integrity
+- hash-verification
+- restore-testing
+- disaster-recovery
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 
 # Validating Backup Integrity for Recovery