diff --git a/skills/analyzing-api-gateway-access-logs/SKILL.md b/skills/analyzing-api-gateway-access-logs/SKILL.md index 43031911..f906f62c 100644 --- a/skills/analyzing-api-gateway-access-logs/SKILL.md +++ b/skills/analyzing-api-gateway-access-logs/SKILL.md @@ -15,6 +15,21 @@ license: Apache-2.0 # Analyzing API Gateway Access Logs + +## When to Use + +- When investigating security incidents that require analyzing api gateway access logs +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Parse API gateway access logs to identify attack patterns including broken object diff --git a/skills/analyzing-azure-activity-logs-for-threats/SKILL.md b/skills/analyzing-azure-activity-logs-for-threats/SKILL.md index 4e1b3fba..d4b6f164 100644 --- a/skills/analyzing-azure-activity-logs-for-threats/SKILL.md +++ b/skills/analyzing-azure-activity-logs-for-threats/SKILL.md 
@@ -15,6 +15,21 @@ license: Apache-2.0 # Analyzing Azure Activity Logs for Threats + +## When to Use + +- When investigating security incidents that require analyzing azure activity logs for threats +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Use azure-monitor-query to execute KQL queries against Azure Log Analytics workspaces, diff --git a/skills/analyzing-cloud-storage-access-patterns/SKILL.md b/skills/analyzing-cloud-storage-access-patterns/SKILL.md index 5fab18c9..625d0764 100644 --- a/skills/analyzing-cloud-storage-access-patterns/SKILL.md +++ b/skills/analyzing-cloud-storage-access-patterns/SKILL.md @@ -16,6 +16,21 @@ license: Apache-2.0 # Analyzing Cloud Storage Access Patterns + +## When to Use + +- When investigating security incidents that require analyzing cloud storage access patterns +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Familiarity with cloud security concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions 1. Install dependencies: `pip install boto3 requests` diff --git a/skills/analyzing-kubernetes-audit-logs/SKILL.md b/skills/analyzing-kubernetes-audit-logs/SKILL.md index 181be67a..e312067e 100644 --- a/skills/analyzing-kubernetes-audit-logs/SKILL.md 
+++ b/skills/analyzing-kubernetes-audit-logs/SKILL.md @@ -15,6 +15,21 @@ license: Apache-2.0 # Analyzing Kubernetes Audit Logs + +## When to Use + +- When investigating security incidents that require analyzing kubernetes audit logs +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Familiarity with container security concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Parse Kubernetes audit log files (JSON lines format) to detect security-relevant diff --git a/skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md b/skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md index 5c68a151..8a903203 100644 --- a/skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md +++ b/skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md @@ -15,6 +15,21 @@ license: Apache-2.0 # Analyzing Memory Forensics with LiME and Volatility + +## When to Use + +- When investigating security incidents that require analyzing memory forensics with lime and volatility +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Acquire Linux memory using LiME kernel module, then analyze with Volatility 3 
diff --git a/skills/analyzing-network-flow-data-with-netflow/SKILL.md b/skills/analyzing-network-flow-data-with-netflow/SKILL.md index 932ddadd..eec7867d 100644 --- a/skills/analyzing-network-flow-data-with-netflow/SKILL.md +++ b/skills/analyzing-network-flow-data-with-netflow/SKILL.md @@ -16,6 +16,21 @@ license: Apache-2.0 # Analyzing Network Flow Data with Netflow + +## When to Use + +- When investigating security incidents that require analyzing network flow data with netflow +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Familiarity with network security concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions 1. Install dependencies: `pip install netflow` diff --git a/skills/analyzing-powershell-script-block-logging/SKILL.md b/skills/analyzing-powershell-script-block-logging/SKILL.md index f3314519..62b31a31 100644 --- a/skills/analyzing-powershell-script-block-logging/SKILL.md +++ b/skills/analyzing-powershell-script-block-logging/SKILL.md 
@@ -16,6 +16,21 @@ license: Apache-2.0 # Analyzing PowerShell Script Block Logging + +## When to Use + +- When investigating security incidents that require analyzing powershell script block logging +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions 1. Install dependencies: `pip install python-evtx lxml` diff --git a/skills/analyzing-threat-landscape-with-misp/SKILL.md b/skills/analyzing-threat-landscape-with-misp/SKILL.md index 04a4d688..a116a890 100644 --- a/skills/analyzing-threat-landscape-with-misp/SKILL.md +++ b/skills/analyzing-threat-landscape-with-misp/SKILL.md @@ -17,6 +17,21 @@ license: Apache-2.0 # Analyzing Threat Landscape with MISP + +## When to Use + +- When investigating security incidents that require analyzing threat landscape with misp +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Familiarity with threat intelligence concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions 1. Install dependencies: `pip install pymisp` diff --git a/skills/analyzing-tls-certificate-transparency-logs/SKILL.md b/skills/analyzing-tls-certificate-transparency-logs/SKILL.md index d8d630e0..30cc694f 100644 --- a/skills/analyzing-tls-certificate-transparency-logs/SKILL.md 
+++ b/skills/analyzing-tls-certificate-transparency-logs/SKILL.md @@ -15,6 +15,21 @@ license: Apache-2.0 # Analyzing TLS Certificate Transparency Logs + +## When to Use + +- When investigating security incidents that require analyzing tls certificate transparency logs +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Query crt.sh Certificate Transparency database to find certificates issued for diff --git a/skills/analyzing-web-server-logs-for-intrusion/SKILL.md b/skills/analyzing-web-server-logs-for-intrusion/SKILL.md index b001cac8..5921c415 100644 --- a/skills/analyzing-web-server-logs-for-intrusion/SKILL.md +++ b/skills/analyzing-web-server-logs-for-intrusion/SKILL.md @@ -16,6 +16,21 @@ license: Apache-2.0 # Analyzing Web Server Logs for Intrusion + +## When to Use + +- When investigating security incidents that require analyzing web server logs for intrusion +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions 1. Install dependencies: `pip install geoip2 user-agents` 
diff --git a/skills/building-c2-infrastructure-with-sliver-framework/SKILL.md b/skills/building-c2-infrastructure-with-sliver-framework/SKILL.md index f01fc905..0476666a 100644 --- a/skills/building-c2-infrastructure-with-sliver-framework/SKILL.md +++ b/skills/building-c2-infrastructure-with-sliver-framework/SKILL.md @@ -14,6 +14,21 @@ license: Apache-2.0 Sliver is an open-source, cross-platform adversary emulation framework developed by BishopFox, written in Go. It provides red teams with implant generation, multi-protocol C2 channels (mTLS, HTTP/S, DNS, WireGuard), multi-operator support, and extensive post-exploitation capabilities. Sliver supports beacon (asynchronous) and session (interactive) modes, making it suitable for both long-haul operations and interactive exploitation. A properly architected Sliver infrastructure uses redirectors, domain fronting, and HTTPS certificates to maintain operational resilience and avoid detection. + +## When to Use + +- When deploying or configuring building c2 infrastructure with sliver framework capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with red teaming concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Deploy a Sliver team server on hardened cloud infrastructure diff --git a/skills/conducting-domain-persistence-with-dcsync/SKILL.md b/skills/conducting-domain-persistence-with-dcsync/SKILL.md index a68e40c7..cab84ad2 100644 --- a/skills/conducting-domain-persistence-with-dcsync/SKILL.md +++ b/skills/conducting-domain-persistence-with-dcsync/SKILL.md 
@@ -17,6 +17,21 @@ license: Apache-2.0 DCSync is an attack technique that abuses the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to impersonate a Domain Controller and request password data from the target DC. The attack was introduced by Benjamin Delpy (Mimikatz author) and Vincent Le Toux, leveraging the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights. Any principal (user or computer) with these rights can replicate password hashes for any account in the domain, including the KRBTGT account. With the KRBTGT hash, attackers can forge Golden Tickets for indefinite domain persistence. DCSync is categorized as MITRE ATT&CK T1003.006 and is a critical post-exploitation technique used by APT groups including APT28 (Fancy Bear), APT29 (Cozy Bear), and FIN6. + +## When to Use + +- When conducting security assessments that involve conducting domain persistence with dcsync +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with red teaming concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Identify accounts with DCSync (replication) rights in Active Directory diff --git a/skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md b/skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md index 1802d5df..ac931134 100644 --- a/skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md +++ b/skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md 
@@ -17,6 +17,21 @@ license: Apache-2.0 BloodHound Community Edition (CE) is a modern, web-based Active Directory reconnaissance platform developed by SpecterOps that uses graph theory to reveal hidden relationships and attack paths within AD environments. Unlike the legacy BloodHound application, BloodHound CE uses a PostgreSQL backend with a dedicated graph database, providing improved performance, a modern web UI, and enhanced API capabilities. Red teams use BloodHound CE to collect AD objects, ACLs, sessions, group memberships, and trust relationships, then visualize attack paths from compromised low-privileged accounts to high-value targets like Domain Admins. The SharpHound collector (v2 for CE) gathers data from Active Directory, while AzureHound collects from Azure AD / Entra ID environments. + +## When to Use + +- When conducting security assessments that involve conducting internal reconnaissance with bloodhound ce +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with red teaming concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Deploy BloodHound CE server using Docker Compose diff --git a/skills/conducting-pass-the-ticket-attack/SKILL.md b/skills/conducting-pass-the-ticket-attack/SKILL.md index 4c1d60e2..6d788ece 100644 --- a/skills/conducting-pass-the-ticket-attack/SKILL.md +++ b/skills/conducting-pass-the-ticket-attack/SKILL.md 
@@ -17,6 +17,21 @@ license: Apache-2.0 Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate to services without knowing the user's password. By extracting Kerberos tickets from memory (LSASS) on a compromised host, an attacker can inject those tickets into their own session to impersonate the ticket owner and access resources as that user. + +## When to Use + +- When conducting security assessments that involve conducting pass the ticket attack +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with red teaming concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## MITRE ATT&CK Mapping - **T1550.003** - Use Alternate Authentication Material: Pass the Ticket diff --git a/skills/conducting-spearphishing-simulation-campaign/SKILL.md b/skills/conducting-spearphishing-simulation-campaign/SKILL.md index 21e0a687..68eec549 100644 --- a/skills/conducting-spearphishing-simulation-campaign/SKILL.md +++ b/skills/conducting-spearphishing-simulation-campaign/SKILL.md 
@@ -17,6 +17,21 @@ license: Apache-2.0 Spearphishing simulation is a targeted social engineering attack vector used by red teams to gain initial access. Unlike broad phishing campaigns, spearphishing uses OSINT-derived intelligence to craft highly personalized messages targeting specific individuals. This skill covers developing pretexts, building payloads, setting up email infrastructure, executing the campaign, and tracking results. + +## When to Use + +- When conducting security assessments that involve conducting spearphishing simulation campaign +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with red teaming concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Develop convincing pretexts tailored to specific target personnel diff --git a/skills/configuring-microsegmentation-for-zero-trust/SKILL.md b/skills/configuring-microsegmentation-for-zero-trust/SKILL.md index 30f794b2..d4001a13 100644 --- a/skills/configuring-microsegmentation-for-zero-trust/SKILL.md +++ b/skills/configuring-microsegmentation-for-zero-trust/SKILL.md 
@@ -24,6 +24,21 @@ Microsegmentation divides a network into granular security zones, enforcing leas This skill covers designing microsegmentation policies using workload identity, implementing host-based and network-based enforcement, and validating segmentation effectiveness with tools like Illumio Core and VMware NSX. + +## When to Use + +- When deploying or configuring configuring microsegmentation for zero trust capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with zero trust architecture concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Architecture ### Microsegmentation Models diff --git a/skills/configuring-multi-factor-authentication-with-duo/SKILL.md b/skills/configuring-multi-factor-authentication-with-duo/SKILL.md index ab470d10..d881b2aa 100644 --- a/skills/configuring-multi-factor-authentication-with-duo/SKILL.md +++ b/skills/configuring-multi-factor-authentication-with-duo/SKILL.md 
@@ -13,6 +13,21 @@ license: Apache-2.0 ## Overview Deploy Cisco Duo multi-factor authentication across enterprise applications, VPN, RDP, and SSH access points. This skill covers Duo integration methods, adaptive authentication policies, device trust assessment, and phishing-resistant MFA deployment aligned with NIST 800-63B AAL2/AAL3 requirements. + +## When to Use + +- When deploying or configuring configuring multi factor authentication with duo capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with identity access management concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Configure Duo MFA for VPN, RDP, SSH, and web applications - Implement adaptive access policies based on user, device, and network context diff --git a/skills/configuring-oauth2-authorization-flow/SKILL.md b/skills/configuring-oauth2-authorization-flow/SKILL.md index 54c75934..6ec72039 100644 --- a/skills/configuring-oauth2-authorization-flow/SKILL.md +++ b/skills/configuring-oauth2-authorization-flow/SKILL.md 
@@ -13,6 +13,21 @@ license: Apache-2.0 ## Overview Configure secure OAuth 2.0 authorization flows including Authorization Code with PKCE, Client Credentials, and Device Authorization Grant. This skill covers flow selection, PKCE implementation, token lifecycle management, scope design, and alignment with OAuth 2.1 security requirements. + +## When to Use + +- When deploying or configuring configuring oauth2 authorization flow capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with identity access management concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Implement Authorization Code flow with PKCE for public and confidential clients - Configure Client Credentials flow for machine-to-machine communication diff --git a/skills/configuring-tls-1-3-for-secure-communications/SKILL.md b/skills/configuring-tls-1-3-for-secure-communications/SKILL.md index 3791eda7..126d0123 100644 --- a/skills/configuring-tls-1-3-for-secure-communications/SKILL.md +++ b/skills/configuring-tls-1-3-for-secure-communications/SKILL.md 
@@ -14,6 +14,21 @@ license: Apache-2.0 TLS 1.3 (RFC 8446) is the latest version of the Transport Layer Security protocol, providing significant improvements over TLS 1.2 in both security and performance. It reduces handshake latency to 1-RTT (and 0-RTT for resumed sessions), removes obsolete cipher suites, and mandates perfect forward secrecy. This skill covers configuring TLS 1.3 on servers, validating configurations, and testing for common misconfigurations. + +## When to Use + +- When deploying or configuring configuring tls 1 3 for secure communications capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with cryptography concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Configure TLS 1.3 on nginx and Apache web servers diff --git a/skills/deploying-software-defined-perimeter/SKILL.md b/skills/deploying-software-defined-perimeter/SKILL.md index 315aac7a..fc7eb86e 100644 --- a/skills/deploying-software-defined-perimeter/SKILL.md +++ b/skills/deploying-software-defined-perimeter/SKILL.md 
@@ -24,6 +24,21 @@ A Software-Defined Perimeter (SDP) implements zero trust by creating a dynamical This skill covers deploying SDP using the CSA v2.0 specification, implementing Single Packet Authorization (SPA), configuring the SDP controller and gateway, and validating the deployment against NIST SP 800-207 requirements. + +## When to Use + +- When deploying or configuring deploying software defined perimeter capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with zero trust architecture concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Architecture ### SDP Components (CSA Specification) diff --git a/skills/detecting-beaconing-patterns-with-zeek/SKILL.md b/skills/detecting-beaconing-patterns-with-zeek/SKILL.md index 3e60326b..34ffc5c3 100644 --- a/skills/detecting-beaconing-patterns-with-zeek/SKILL.md +++ b/skills/detecting-beaconing-patterns-with-zeek/SKILL.md 
@@ -15,6 +15,21 @@ license: Apache-2.0 # Detecting Beaconing Patterns with Zeek + +## When to Use + +- When investigating security incidents that require detecting beaconing patterns with zeek +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Load Zeek conn.log data using ZAT (Zeek Analysis Tools), group connections by diff --git a/skills/detecting-insider-data-exfiltration-via-dlp/SKILL.md b/skills/detecting-insider-data-exfiltration-via-dlp/SKILL.md index b1e9b91e..0f55fcef 100644 --- a/skills/detecting-insider-data-exfiltration-via-dlp/SKILL.md +++ b/skills/detecting-insider-data-exfiltration-via-dlp/SKILL.md @@ -15,6 +15,21 @@ license: Apache-2.0 # Detecting Insider Data Exfiltration via DLP + +## When to Use + +- When investigating security incidents that require detecting insider data exfiltration via dlp +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Analyze endpoint activity logs, cloud storage access, and email DLP events to detect diff --git a/skills/detecting-sql-injection-via-waf-logs/SKILL.md b/skills/detecting-sql-injection-via-waf-logs/SKILL.md index d30f9372..e1011bc5 100644 
--- a/skills/detecting-sql-injection-via-waf-logs/SKILL.md +++ b/skills/detecting-sql-injection-via-waf-logs/SKILL.md @@ -17,6 +17,21 @@ license: Apache-2.0 # Detecting SQL Injection via WAF Logs + +## When to Use + +- When investigating security incidents that require detecting sql injection via waf logs +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions 1. Install dependencies: `pip install requests` diff --git a/skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md b/skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md index 46377b9f..a3175350 100644 --- a/skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md +++ b/skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md @@ -15,6 +15,21 @@ license: Apache-2.0 # Detecting Supply Chain Attacks in CI/CD + +## When to Use + +- When investigating security incidents that require detecting supply chain attacks in ci cd +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Scan CI/CD workflow files for supply chain risks by parsing GitHub Actions YAML, 
diff --git a/skills/executing-red-team-engagement-planning/SKILL.md b/skills/executing-red-team-engagement-planning/SKILL.md index a6215ddf..dbfa8751 100644 --- a/skills/executing-red-team-engagement-planning/SKILL.md +++ b/skills/executing-red-team-engagement-planning/SKILL.md @@ -14,6 +14,21 @@ license: Apache-2.0 Red team engagement planning is the foundational phase that defines scope, objectives, rules of engagement (ROE), threat model selection, and operational timelines before any offensive testing begins. A well-structured engagement plan ensures the red team simulates realistic adversary behavior while maintaining safety guardrails that prevent unintended business disruption. + +## When to Use + +- When conducting security assessments that involve executing red team engagement planning +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with red teaming concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Define clear engagement scope including in-scope and out-of-scope assets, networks, and personnel diff --git a/skills/exploiting-active-directory-certificate-services-esc1/SKILL.md b/skills/exploiting-active-directory-certificate-services-esc1/SKILL.md index 5836988c..ff078f57 100644 --- a/skills/exploiting-active-directory-certificate-services-esc1/SKILL.md +++ b/skills/exploiting-active-directory-certificate-services-esc1/SKILL.md 
@@ -14,6 +14,21 @@ license: Apache-2.0 ESC1 (Escalation Scenario 1) is a critical misconfiguration in Active Directory Certificate Services where a certificate template allows a low-privileged user to request a certificate on behalf of any other user, including Domain Admins. The vulnerability exists when a template has the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag enabled (also called "Supply in Request"), combined with an Extended Key Usage (EKU) that permits client authentication (Client Authentication, PKINIT Client Authentication, Smart Card Logon, or Any Purpose). This allows an attacker to specify an arbitrary Subject Alternative Name (SAN) in the certificate request, effectively impersonating any domain user. ESC1 was documented by SpecterOps researchers Will Schroeder and Lee Christensen in their "Certified Pre-Owned" whitepaper (2021) and remains one of the most common AD CS attack paths. The MITRE ATT&CK framework tracks this as T1649 (Steal or Forge Authentication Certificates). + +## When to Use + +- When performing authorized security testing that involves exploiting active directory certificate services esc1 +- When analyzing malware samples or attack artifacts in a controlled environment +- When conducting red team exercises or penetration testing engagements +- When building detection capabilities based on offensive technique understanding + +## Prerequisites + +- Familiarity with red teaming concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Enumerate AD CS infrastructure and certificate templates using Certify or Certipy diff --git a/skills/exploiting-active-directory-with-bloodhound/SKILL.md b/skills/exploiting-active-directory-with-bloodhound/SKILL.md index 74dac35b..01971817 100644 --- a/skills/exploiting-active-directory-with-bloodhound/SKILL.md 
+++ b/skills/exploiting-active-directory-with-bloodhound/SKILL.md @@ -17,6 +17,21 @@ license: Apache-2.0 BloodHound is a graph-based Active Directory reconnaissance tool that uses graph theory to reveal hidden and unintended relationships within AD environments. Red teams use BloodHound to identify attack paths from compromised accounts to high-value targets such as Domain Admins, identifying privilege escalation chains that would be nearly impossible to find manually. SharpHound is the official data collector that gathers AD objects, relationships, ACLs, sessions, and group memberships. + +## When to Use + +- When performing authorized security testing that involves exploiting active directory with bloodhound +- When analyzing malware samples or attack artifacts in a controlled environment +- When conducting red team exercises or penetration testing engagements +- When building detection capabilities based on offensive technique understanding + +## Prerequisites + +- Familiarity with red teaming concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Collect Active Directory relationship data using SharpHound or BloodHound.py diff --git a/skills/exploiting-constrained-delegation-abuse/SKILL.md b/skills/exploiting-constrained-delegation-abuse/SKILL.md index 2b5c1a5a..910a0541 100644 --- a/skills/exploiting-constrained-delegation-abuse/SKILL.md +++ b/skills/exploiting-constrained-delegation-abuse/SKILL.md 
@@ -17,6 +17,21 @@ license: Apache-2.0 Kerberos Constrained Delegation (KCD) is a Windows Active Directory feature that allows a service to impersonate a user and access specific services on their behalf. The delegation targets are defined in the msDS-AllowedToDelegateTo attribute. When an attacker compromises an account configured with Constrained Delegation (particularly with the TRUSTED_TO_AUTH_FOR_DELEGATION flag), they can use the S4U2self and S4U2proxy Kerberos protocol extensions to request service tickets as any user (including Domain Admins) to the delegated services. If the delegation target includes services like CIFS, HTTP, or LDAP on a Domain Controller, this results in full domain compromise. The S4U2self extension requests a forwardable ticket on behalf of any user to the compromised service, and S4U2proxy forwards that ticket to the allowed delegation target. + +## When to Use + +- When performing authorized security testing that involves exploiting constrained delegation abuse +- When analyzing malware samples or attack artifacts in a controlled environment +- When conducting red team exercises or penetration testing engagements +- When building detection capabilities based on offensive technique understanding + +## Prerequisites + +- Familiarity with red teaming concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Enumerate accounts with Constrained Delegation configured in the domain diff --git a/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md b/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md index 64b43285..d411b9b5 100644 --- a/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md +++ b/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md 
@@ -14,6 +14,21 @@ license: Apache-2.0 MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it was used in the WannaCry and NotPetya ransomware campaigns. Despite patches being available since March 2017, many organizations still have unpatched systems, making it a viable red team exploitation vector especially in legacy environments. + +## When to Use + +- When performing authorized security testing that involves exploiting ms17 010 eternalblue vulnerability +- When analyzing malware samples or attack artifacts in a controlled environment +- When conducting red team exercises or penetration testing engagements +- When building detection capabilities based on offensive technique understanding + +## Prerequisites + +- Familiarity with red teaming concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## MITRE ATT&CK Mapping - **T1210** - Exploitation of Remote Services diff --git a/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md b/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md index 8b7bfb20..89d4c1f7 100644 --- a/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md +++ b/skills/exploiting-nopac-cve-2021-42278-42287/SKILL.md 
@@ -17,6 +17,21 @@ license: Apache-2.0 noPac is a critical exploit chain combining two Active Directory vulnerabilities: CVE-2021-42278 (sAMAccountName spoofing) and CVE-2021-42287 (KDC PAC confusion). Together, they allow any authenticated domain user to escalate to Domain Admin privileges, potentially achieving full domain compromise in under 60 seconds. CVE-2021-42278 allows an attacker to modify a machine account's sAMAccountName attribute to match a Domain Controller's name (minus the trailing $). CVE-2021-42287 exploits a flaw in the Kerberos PAC validation where the KDC, unable to find the renamed account, falls back to appending $ and issues a ticket for the Domain Controller account. Microsoft patched both vulnerabilities in November 2021 (KB5008380 and KB5008602), but many environments remain unpatched. The exploit was publicly released by cube0x0 and Ridter in December 2021. + +## When to Use + +- When performing authorized security testing that involves exploiting nopac cve 2021 42278 42287 +- When analyzing malware samples or attack artifacts in a controlled environment +- When conducting red team exercises or penetration testing engagements +- When building detection capabilities based on offensive technique understanding + +## Prerequisites + +- Familiarity with red teaming concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Scan the target domain for noPac vulnerability (CVE-2021-42278/42287) diff --git a/skills/extracting-memory-artifacts-with-rekall/SKILL.md b/skills/extracting-memory-artifacts-with-rekall/SKILL.md index 89531d08..2b700cc8 100644 --- a/skills/extracting-memory-artifacts-with-rekall/SKILL.md +++ b/skills/extracting-memory-artifacts-with-rekall/SKILL.md 
@@ -15,6 +15,21 @@ license: Apache-2.0 # Extracting Memory Artifacts with Rekall + +## When to Use + +- When performing authorized security testing that involves extracting memory artifacts with rekall +- When analyzing malware samples or attack artifacts in a controlled environment +- When conducting red team exercises or penetration testing engagements +- When building detection capabilities based on offensive technique understanding + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Use Rekall to analyze memory dumps for signs of compromise including process diff --git a/skills/hunting-credential-stuffing-attacks/SKILL.md b/skills/hunting-credential-stuffing-attacks/SKILL.md index 43f1e1e8..9ac1d665 100644 --- a/skills/hunting-credential-stuffing-attacks/SKILL.md +++ b/skills/hunting-credential-stuffing-attacks/SKILL.md @@ -15,6 +15,21 @@ license: Apache-2.0 # Hunting Credential Stuffing Attacks + +## When to Use + +- When investigating security incidents that require hunting credential stuffing attacks +- When building detection rules or threat hunting queries for this domain +- When SOC analysts need structured procedures for this analysis type +- When validating security monitoring coverage for related attack techniques + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Analyze authentication logs to detect credential stuffing by identifying patterns diff --git a/skills/implementing-aes-encryption-for-data-at-rest/SKILL.md b/skills/implementing-aes-encryption-for-data-at-rest/SKILL.md index aff2e8b6..f77414ed 100644 
--- a/skills/implementing-aes-encryption-for-data-at-rest/SKILL.md +++ b/skills/implementing-aes-encryption-for-data-at-rest/SKILL.md @@ -14,6 +14,21 @@ license: Apache-2.0 AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect classified and sensitive data. This skill covers implementing AES-256 encryption in GCM mode for encrypting files and data stores at rest, including proper key derivation, IV/nonce management, and authenticated encryption. + +## When to Use + +- When deploying or configuring implementing aes encryption for data at rest capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with cryptography concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Implement AES-256-GCM encryption and decryption for files diff --git a/skills/implementing-cloud-workload-protection/SKILL.md b/skills/implementing-cloud-workload-protection/SKILL.md index c163d051..200a066b 100644 --- a/skills/implementing-cloud-workload-protection/SKILL.md +++ b/skills/implementing-cloud-workload-protection/SKILL.md 
@@ -15,6 +15,21 @@ license: Apache-2.0 # Implementing Cloud Workload Protection + +## When to Use + +- When deploying or configuring implementing cloud workload protection capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with cloud security concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Monitor cloud workloads for runtime threats by checking process lists, network diff --git a/skills/implementing-honeytokens-for-breach-detection/SKILL.md b/skills/implementing-honeytokens-for-breach-detection/SKILL.md index 9f5b9164..ac412a8e 100644 --- a/skills/implementing-honeytokens-for-breach-detection/SKILL.md +++ b/skills/implementing-honeytokens-for-breach-detection/SKILL.md @@ -15,6 +15,21 @@ license: Apache-2.0 # Implementing Honeytokens for Breach Detection + +## When to Use + +- When deploying or configuring implementing honeytokens for breach detection capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Deploy honeytokens across critical systems to detect unauthorized access. Each token 
diff --git a/skills/implementing-identity-verification-for-zero-trust/SKILL.md b/skills/implementing-identity-verification-for-zero-trust/SKILL.md index 20c35f4b..e8c569ce 100644 --- a/skills/implementing-identity-verification-for-zero-trust/SKILL.md +++ b/skills/implementing-identity-verification-for-zero-trust/SKILL.md @@ -24,6 +24,21 @@ Identity is the foundational pillar of zero trust architecture. NIST SP 800-207 This skill covers implementing phishing-resistant MFA, continuous identity verification, risk-based conditional access, and identity governance aligned with the CISA Zero Trust Maturity Model Identity Pillar. + +## When to Use + +- When deploying or configuring implementing identity verification for zero trust capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with zero trust architecture concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Architecture ### Identity Verification Flow diff --git a/skills/implementing-just-in-time-access-provisioning/SKILL.md b/skills/implementing-just-in-time-access-provisioning/SKILL.md index 0158ccad..16e206fe 100644 --- a/skills/implementing-just-in-time-access-provisioning/SKILL.md +++ b/skills/implementing-just-in-time-access-provisioning/SKILL.md 
@@ -13,6 +13,21 @@ license: Apache-2.0 ## Overview Implement Just-In-Time (JIT) access provisioning to eliminate standing privileges by granting temporary, time-bound access only when needed. This skill covers JIT architecture design, approval workflows, automatic expiration, integration with PAM and IGA platforms, and alignment with zero trust principles. + +## When to Use + +- When deploying or configuring implementing just in time access provisioning capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with identity access management concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Design JIT access request and approval workflows - Implement time-bound access grants with automatic expiration diff --git a/skills/implementing-log-integrity-with-blockchain/SKILL.md b/skills/implementing-log-integrity-with-blockchain/SKILL.md index 7108bc95..25dbe522 100644 --- a/skills/implementing-log-integrity-with-blockchain/SKILL.md +++ b/skills/implementing-log-integrity-with-blockchain/SKILL.md 
@@ -17,6 +17,21 @@ license: Apache-2.0 # Implementing Log Integrity with Blockchain + +## When to Use + +- When deploying or configuring implementing log integrity with blockchain capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions 1. Install dependencies: `pip install requests` diff --git a/skills/implementing-mtls-for-zero-trust-services/SKILL.md b/skills/implementing-mtls-for-zero-trust-services/SKILL.md index ef393497..d59c8a88 100644 --- a/skills/implementing-mtls-for-zero-trust-services/SKILL.md +++ b/skills/implementing-mtls-for-zero-trust-services/SKILL.md @@ -15,6 +15,21 @@ license: Apache-2.0 # Implementing mTLS for Zero Trust Services + +## When to Use + +- When deploying or configuring implementing mtls for zero trust services capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Generate CA certificates, issue service certificates, and configure mutual TLS diff --git a/skills/implementing-network-traffic-analysis-with-arkime/SKILL.md b/skills/implementing-network-traffic-analysis-with-arkime/SKILL.md index 4bea0b15..2ba52e7c 100644 
--- a/skills/implementing-network-traffic-analysis-with-arkime/SKILL.md +++ b/skills/implementing-network-traffic-analysis-with-arkime/SKILL.md @@ -17,6 +17,21 @@ license: Apache-2.0 # Implementing Network Traffic Analysis with Arkime + +## When to Use + +- When deploying or configuring implementing network traffic analysis with arkime capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with network security concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions 1. Install dependencies: `pip install requests` diff --git a/skills/implementing-privileged-access-management-with-cyberark/SKILL.md b/skills/implementing-privileged-access-management-with-cyberark/SKILL.md index 58c00824..7019e343 100644 --- a/skills/implementing-privileged-access-management-with-cyberark/SKILL.md +++ b/skills/implementing-privileged-access-management-with-cyberark/SKILL.md 
@@ -13,6 +13,21 @@ license: Apache-2.0 ## Overview Deploy CyberArk Privileged Access Management to discover, vault, rotate, and monitor privileged credentials across enterprise infrastructure. This skill covers vault architecture, session isolation, credential rotation policies, and integration with NIST 800-53 access control requirements. + +## When to Use + +- When deploying or configuring implementing privileged access management with cyberark capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with identity access management concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Design CyberArk vault architecture with high availability - Implement automated privileged credential discovery and onboarding diff --git a/skills/implementing-saml-sso-with-okta/SKILL.md b/skills/implementing-saml-sso-with-okta/SKILL.md index 24106503..514d4c21 100644 --- a/skills/implementing-saml-sso-with-okta/SKILL.md +++ b/skills/implementing-saml-sso-with-okta/SKILL.md 
@@ -13,6 +13,21 @@ license: Apache-2.0 ## Overview Implement SAML 2.0 Single Sign-On (SSO) using Okta as the Identity Provider (IdP). This skill covers end-to-end configuration of SAML authentication flows, attribute mapping, certificate management, and security hardening for enterprise SSO deployments. + +## When to Use + +- When deploying or configuring implementing saml sso with okta capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with identity access management concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Configure Okta as a SAML 2.0 Identity Provider - Implement SP-initiated and IdP-initiated SSO flows diff --git a/skills/implementing-security-chaos-engineering/SKILL.md b/skills/implementing-security-chaos-engineering/SKILL.md index 12346f1f..2f8bc044 100644 --- a/skills/implementing-security-chaos-engineering/SKILL.md +++ b/skills/implementing-security-chaos-engineering/SKILL.md 
@@ -15,6 +15,21 @@ license: Apache-2.0 # Implementing Security Chaos Engineering + +## When to Use + +- When deploying or configuring implementing security chaos engineering capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Design and execute security chaos experiments that intentionally break security diff --git a/skills/implementing-siem-correlation-rules-for-apt/SKILL.md b/skills/implementing-siem-correlation-rules-for-apt/SKILL.md index 7318e67c..fc73f47e 100644 --- a/skills/implementing-siem-correlation-rules-for-apt/SKILL.md +++ b/skills/implementing-siem-correlation-rules-for-apt/SKILL.md @@ -16,6 +16,21 @@ license: Apache-2.0 # Implementing SIEM Correlation Rules for APT + +## When to Use + +- When deploying or configuring implementing siem correlation rules for apt capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions 1. Install dependencies: `pip install requests pyyaml sigma-cli` 
diff --git a/skills/implementing-syslog-centralization-with-rsyslog/SKILL.md b/skills/implementing-syslog-centralization-with-rsyslog/SKILL.md index 3f96afcd..e8618456 100644 --- a/skills/implementing-syslog-centralization-with-rsyslog/SKILL.md +++ b/skills/implementing-syslog-centralization-with-rsyslog/SKILL.md @@ -16,6 +16,21 @@ license: Apache-2.0 # Implementing Syslog Centralization with Rsyslog + +## When to Use + +- When deploying or configuring implementing syslog centralization with rsyslog capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions 1. Install dependencies: `pip install jinja2 paramiko` diff --git a/skills/implementing-vulnerability-remediation-sla/scripts/agent.py b/skills/implementing-vulnerability-remediation-sla/scripts/agent.py index 953000e5..9fc62bab 100644 --- a/skills/implementing-vulnerability-remediation-sla/scripts/agent.py +++ b/skills/implementing-vulnerability-remediation-sla/scripts/agent.py 
@@ -1,61 +1,232 @@ #!/usr/bin/env python3 -"""Vulnerability remediation SLA tracking.""" -import argparse, json -from datetime import datetime, timezone -try: - import requests -except ImportError: - requests = None +"""Vulnerability remediation SLA tracking agent. -def audit_config(target, token): - findings = [] - if not requests: return [{"error": "requests required"}] - headers = {"Authorization": f"Bearer {token}"} - try: - resp = requests.get(f"{target}/api/v1/status", headers=headers, timeout=10) - if resp.status_code == 200: - data = resp.json() - if not data.get("enabled", True): - findings.append({"check": "Service Status", "status": "DISABLED", "severity": "CRITICAL"}) - elif resp.status_code == 401: - findings.append({"check": "Authentication", "status": "UNAUTHORIZED", "severity": "HIGH"}) - except requests.RequestException as e: - findings.append({"error": str(e)}) - return findings +Tracks vulnerability remediation against defined SLA targets based on +severity. Ingests vulnerability data from scanners (JSON/CSV format), +calculates SLA compliance, identifies overdue items, and generates +remediation priority reports. +""" +import argparse +import csv +import json +import os +import sys +from datetime import datetime, timezone, timedelta + + +DEFAULT_SLA_DAYS = { + "CRITICAL": 7, + "HIGH": 30, + "MEDIUM": 90, + "LOW": 180, +} + + +def load_vulnerabilities(source_path): + """Load vulnerabilities from a JSON or CSV file.""" + ext = os.path.splitext(source_path)[1].lower() + if ext == ".json": + with open(source_path, "r") as f: + data = json.load(f) + if isinstance(data, list): + return data + return data.get("vulnerabilities", data.get("findings", data.get("results", []))) + elif ext == ".csv": + vulns = [] + with open(source_path, "r", newline="") as f: + reader = csv.DictReader(f) + for row in reader: + vulns.append(row) + return vulns + else: + print(f"[!] 
Unsupported file format: {ext}", file=sys.stderr) + return [] + + +def normalize_vulnerability(vuln): + """Normalize vulnerability fields from various scanner formats.""" + return { + "id": (vuln.get("id") or vuln.get("vulnerability_id") or + vuln.get("cve_id") or vuln.get("CVE") or vuln.get("plugin_id") or "unknown"), + "severity": (vuln.get("severity") or vuln.get("risk") or + vuln.get("Severity") or "MEDIUM").upper(), + "title": (vuln.get("title") or vuln.get("name") or + vuln.get("vulnerability_name") or vuln.get("Title") or "Unknown"), + "asset": (vuln.get("asset") or vuln.get("host") or + vuln.get("ip") or vuln.get("hostname") or "unknown"), + "discovered_date": (vuln.get("discovered_date") or vuln.get("first_found") or + vuln.get("discovered") or vuln.get("date_found") or + datetime.now(timezone.utc).isoformat()), + "status": (vuln.get("status") or vuln.get("state") or "open").lower(), + "remediation": (vuln.get("remediation") or vuln.get("fix") or + vuln.get("solution") or ""), + } + + +def calculate_sla_status(vulns, sla_days=None): + """Calculate SLA compliance for each vulnerability.""" + if sla_days is None: + sla_days = DEFAULT_SLA_DAYS + + now = datetime.now(timezone.utc) + results = [] + + for vuln in vulns: + norm = normalize_vulnerability(vuln) + if norm["status"] not in ("open", "new", "active", "unresolved"): + norm["sla_status"] = "RESOLVED" + norm["sla_days_remaining"] = None + results.append(norm) + continue + + severity = norm["severity"] + target_days = sla_days.get(severity, sla_days.get("MEDIUM", 90)) + + try: + disc_str = norm["discovered_date"] + if "T" in disc_str: + discovered = datetime.fromisoformat(disc_str.replace("Z", "+00:00")) + else: + discovered = datetime.strptime(disc_str[:10], "%Y-%m-%d").replace(tzinfo=timezone.utc) + except (ValueError, TypeError): + discovered = now + norm["parse_warning"] = "Could not parse discovered_date" + + age_days = (now - discovered).days + sla_deadline = discovered + timedelta(days=target_days) 
+ days_remaining = (sla_deadline - now).days + + norm["age_days"] = age_days + norm["sla_target_days"] = target_days + norm["sla_deadline"] = sla_deadline.isoformat() + norm["sla_days_remaining"] = days_remaining + + if days_remaining < 0: + norm["sla_status"] = "BREACHED" + norm["sla_overdue_days"] = abs(days_remaining) + elif days_remaining <= 7: + norm["sla_status"] = "AT_RISK" + else: + norm["sla_status"] = "ON_TRACK" + + results.append(norm) + + return results + + +def generate_metrics(results): + """Generate SLA compliance metrics.""" + open_vulns = [r for r in results if r.get("sla_status") != "RESOLVED"] + breached = [r for r in open_vulns if r.get("sla_status") == "BREACHED"] + at_risk = [r for r in open_vulns if r.get("sla_status") == "AT_RISK"] + on_track = [r for r in open_vulns if r.get("sla_status") == "ON_TRACK"] + + compliance_rate = ((len(on_track) + len(at_risk)) / len(open_vulns) * 100) if open_vulns else 100.0 + + by_severity = {} + for r in open_vulns: + sev = r.get("severity", "MEDIUM") + by_severity.setdefault(sev, {"total": 0, "breached": 0, "at_risk": 0}) + by_severity[sev]["total"] += 1 + if r.get("sla_status") == "BREACHED": + by_severity[sev]["breached"] += 1 + elif r.get("sla_status") == "AT_RISK": + by_severity[sev]["at_risk"] += 1 + + oldest_breach = None + if breached: + oldest = max(breached, key=lambda r: r.get("sla_overdue_days", 0)) + oldest_breach = { + "id": oldest["id"], + "severity": oldest["severity"], + "overdue_days": oldest.get("sla_overdue_days", 0), + "asset": oldest["asset"], + } + + return { + "total_open": len(open_vulns), + "breached": len(breached), + "at_risk": len(at_risk), + "on_track": len(on_track), + "resolved": len(results) - len(open_vulns), + "compliance_rate": round(compliance_rate, 1), + "by_severity": by_severity, + "oldest_breach": oldest_breach, + } + + +def format_summary(metrics, results): + """Print SLA tracking summary.""" + print(f"\n{'='*60}") + print(f" Vulnerability Remediation SLA Report") + 
print(f"{'='*60}") + print(f" Open Vulnerabilities : {metrics['total_open']}") + print(f" SLA Breached : {metrics['breached']}") + print(f" At Risk (<7 days) : {metrics['at_risk']}") + print(f" On Track : {metrics['on_track']}") + print(f" Resolved : {metrics['resolved']}") + print(f" Compliance Rate : {metrics['compliance_rate']}%") + + print(f"\n By Severity:") + for sev in ["CRITICAL", "HIGH", "MEDIUM", "LOW"]: + data = metrics["by_severity"].get(sev, {}) + if data.get("total", 0) > 0: + print(f" {sev:10s}: {data['total']} open, {data['breached']} breached, {data['at_risk']} at-risk") + + breached = [r for r in results if r.get("sla_status") == "BREACHED"] + if breached: + print(f"\n SLA Breached ({len(breached)}):") + for r in sorted(breached, key=lambda x: -x.get("sla_overdue_days", 0))[:15]: + print(f" [{r['severity']:8s}] {r['id']:20s} | {r['asset']:20s} | " + f"{r.get('sla_overdue_days', 0)}d overdue | {r['title'][:30]}") + + if metrics.get("oldest_breach"): + ob = metrics["oldest_breach"] + print(f"\n Worst Breach: {ob['id']} ({ob['severity']}) on {ob['asset']} - " + f"{ob['overdue_days']} days overdue") -def check_compliance(target, token): - findings = [] - if not requests: return [] - headers = {"Authorization": f"Bearer {token}"} - try: - resp = requests.get(f"{target}/api/v1/compliance", headers=headers, timeout=10) - if resp.status_code == 200: - for item in resp.json().get("checks", []): - if item.get("status") != "PASS": - findings.append({"check": item.get("name"), "status": item.get("status"), - "severity": item.get("severity", "MEDIUM")}) - except requests.RequestException: - pass - return findings def main(): - p = argparse.ArgumentParser(description="Vulnerability remediation SLA tracking") - p.add_argument("--target", required=True, help="Target URL") - p.add_argument("--token", required=True, help="API token") - p.add_argument("--output", "-o", help="Output JSON report") - p.add_argument("--verbose", "-v", action="store_true") - a = 
p.parse_args() - print("[*] Vulnerability remediation SLA tracking") - report = {"timestamp": datetime.now(timezone.utc).isoformat(), "findings": []} - report["findings"].extend(audit_config(a.target, a.token)) - report["findings"].extend(check_compliance(a.target, a.token)) - high = sum(1 for f in report["findings"] if f.get("severity") in ("HIGH", "CRITICAL")) - report["risk_level"] = "HIGH" if high else "MEDIUM" if report["findings"] else "LOW" - print(f"[*] {len(report['findings'])} findings, risk: {report['risk_level']}") - if a.output: - with open(a.output, "w") as f: json.dump(report, f, indent=2) - else: + parser = argparse.ArgumentParser(description="Vulnerability remediation SLA tracking agent") + parser.add_argument("--source", required=True, help="Vulnerability data file (JSON or CSV)") + parser.add_argument("--sla-critical", type=int, default=7, help="SLA days for CRITICAL (default: 7)") + parser.add_argument("--sla-high", type=int, default=30, help="SLA days for HIGH (default: 30)") + parser.add_argument("--sla-medium", type=int, default=90, help="SLA days for MEDIUM (default: 90)") + parser.add_argument("--sla-low", type=int, default=180, help="SLA days for LOW (default: 180)") + parser.add_argument("--output", "-o", help="Output JSON report") + parser.add_argument("--verbose", "-v", action="store_true") + args = parser.parse_args() + + sla_days = { + "CRITICAL": args.sla_critical, + "HIGH": args.sla_high, + "MEDIUM": args.sla_medium, + "LOW": args.sla_low, + } + + vulns = load_vulnerabilities(args.source) + print(f"[*] Loaded {len(vulns)} vulnerabilities from {args.source}") + + results = calculate_sla_status(vulns, sla_days) + metrics = generate_metrics(results) + format_summary(metrics, results) + + report = { + "timestamp": datetime.now(timezone.utc).isoformat(), + "tool": "Vulnerability SLA Tracker", + "source": args.source, + "sla_targets": sla_days, + "metrics": metrics, + "vulnerabilities": results, + } + + if args.output: + with 
open(args.output, "w") as f: + json.dump(report, f, indent=2) + print(f"\n[+] Report saved to {args.output}") + elif args.verbose: print(json.dumps(report, indent=2)) + if __name__ == "__main__": main() diff --git a/skills/implementing-zero-trust-network-access-with-zscaler/SKILL.md b/skills/implementing-zero-trust-network-access-with-zscaler/SKILL.md index 1611a693..3ecca55c 100644 --- a/skills/implementing-zero-trust-network-access-with-zscaler/SKILL.md +++ b/skills/implementing-zero-trust-network-access-with-zscaler/SKILL.md @@ -24,6 +24,21 @@ Zero Trust Network Access (ZTNA) replaces traditional VPN architectures by enfor This skill covers end-to-end deployment of ZPA including connector setup, application segmentation, policy configuration, and integration with identity providers for continuous verification. + +## When to Use + +- When deploying or configuring implementing zero trust network access with zscaler capabilities in your environment +- When establishing security controls aligned to compliance requirements +- When building or improving security architecture for this domain +- When conducting security assessments that require this implementation + +## Prerequisites + +- Familiarity with zero trust architecture concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Architecture ### Zscaler Private Access Components diff --git a/skills/performing-access-review-and-certification/SKILL.md b/skills/performing-access-review-and-certification/SKILL.md index d19b5546..237ce618 100644 --- a/skills/performing-access-review-and-certification/SKILL.md +++ b/skills/performing-access-review-and-certification/SKILL.md 
@@ -13,6 +13,21 @@ license: Apache-2.0 ## Overview Conduct systematic access reviews and certifications to ensure users have appropriate access rights aligned with their roles. This skill covers review campaign design, reviewer selection, risk-based prioritization, micro-certification strategies, and remediation tracking for compliance with SOX, HIPAA, and PCI DSS requirements. + +## When to Use + +- When conducting security assessments that involve performing access review and certification +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with identity access management concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Design and execute access review campaigns across enterprise applications - Implement risk-based prioritization for review scope diff --git a/skills/performing-cloud-native-forensics-with-falco/SKILL.md b/skills/performing-cloud-native-forensics-with-falco/SKILL.md index d1e4c83a..02a036e3 100644 --- a/skills/performing-cloud-native-forensics-with-falco/SKILL.md +++ b/skills/performing-cloud-native-forensics-with-falco/SKILL.md 
@@ -15,6 +15,21 @@ license: Apache-2.0 # Performing Cloud Native Forensics with Falco + +## When to Use + +- When conducting security assessments that involve performing cloud native forensics with falco +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with cloud security concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Deploy and manage Falco rules for runtime security detection in containerized diff --git a/skills/performing-container-escape-detection/SKILL.md b/skills/performing-container-escape-detection/SKILL.md index 9d6ce884..00f665f4 100644 --- a/skills/performing-container-escape-detection/SKILL.md +++ b/skills/performing-container-escape-detection/SKILL.md @@ -15,6 +15,21 @@ license: Apache-2.0 # Performing Container Escape Detection + +## When to Use + +- When conducting security assessments that involve performing container escape detection +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with container security concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Audit Kubernetes pods for container escape vectors including privileged mode, diff --git a/skills/performing-credential-access-with-lazagne/SKILL.md b/skills/performing-credential-access-with-lazagne/SKILL.md index d19cdb36..8506eab0 100644 --- a/skills/performing-credential-access-with-lazagne/SKILL.md 
+++ b/skills/performing-credential-access-with-lazagne/SKILL.md @@ -14,6 +14,21 @@ license: Apache-2.0 LaZagne is an open-source post-exploitation tool designed to retrieve credentials stored on local systems. It supports Windows, Linux, and macOS, with the most extensive module library for Windows. LaZagne recovers passwords from browsers (Chrome, Firefox, Edge, Opera), email clients (Outlook, Thunderbird), databases (PostgreSQL, MySQL, SQLite), system stores (Windows Credential Manager, LSA secrets, DPAPI), Wi-Fi profiles, Git credentials, and dozens of other applications. The tool is categorized under MITRE ATT&CK T1555 (Credentials from Password Stores) and is listed as software S0349. Red teams use LaZagne after gaining initial access to harvest stored credentials that enable lateral movement and privilege escalation. + +## When to Use + +- When conducting security assessments that involve performing credential access with lazagne +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with red teaming concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Deploy LaZagne on compromised Windows, Linux, or macOS endpoints diff --git a/skills/performing-dns-tunneling-detection/SKILL.md b/skills/performing-dns-tunneling-detection/SKILL.md index 5ef960c0..259cafcc 100644 --- a/skills/performing-dns-tunneling-detection/SKILL.md +++ b/skills/performing-dns-tunneling-detection/SKILL.md 
@@ -15,6 +15,21 @@ license: Apache-2.0 # Performing DNS Tunneling Detection + +## When to Use + +- When conducting security assessments that involve performing dns tunneling detection +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Analyze DNS traffic for indicators of DNS tunneling using entropy analysis and diff --git a/skills/performing-initial-access-with-evilginx3/SKILL.md b/skills/performing-initial-access-with-evilginx3/SKILL.md index bfe00046..3aefd58e 100644 --- a/skills/performing-initial-access-with-evilginx3/SKILL.md +++ b/skills/performing-initial-access-with-evilginx3/SKILL.md 
@@ -14,6 +14,21 @@ license: Apache-2.0 EvilGinx3 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, enabling bypass of multi-factor authentication (MFA). Unlike traditional credential phishing that only captures usernames and passwords, EvilGinx3 operates as a transparent reverse proxy between the victim and the legitimate authentication service, intercepting the full authentication flow including MFA tokens and session cookies. This makes it the primary tool for red teams demonstrating the risk of adversary-in-the-middle (AiTM) attacks against organizations relying solely on MFA for protection. + +## When to Use + +- When conducting security assessments that involve performing initial access with evilginx3 +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with red teaming concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Deploy EvilGinx3 with custom phishlets targeting authorized scope diff --git a/skills/performing-kerberoasting-attack/SKILL.md b/skills/performing-kerberoasting-attack/SKILL.md index 364c3ea4..dfe120a9 100644 --- a/skills/performing-kerberoasting-attack/SKILL.md +++ b/skills/performing-kerberoasting-attack/SKILL.md 
@@ -17,6 +17,21 @@ license: Apache-2.0 Kerberoasting is a post-exploitation technique that targets service accounts in Active Directory by requesting Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names (SPNs) set. These tickets are encrypted with the service account's NTLM hash, allowing offline brute-force cracking without generating failed login events. It is one of the most common privilege escalation paths in AD environments because any domain user can request TGS tickets. + +## When to Use + +- When conducting security assessments that involve performing kerberoasting attack +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with red teaming concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## MITRE ATT&CK Mapping - **T1558.003** - Steal or Forge Kerberos Tickets: Kerberoasting diff --git a/skills/performing-lateral-movement-with-wmiexec/SKILL.md b/skills/performing-lateral-movement-with-wmiexec/SKILL.md index f253cbef..f59754a1 100644 --- a/skills/performing-lateral-movement-with-wmiexec/SKILL.md +++ b/skills/performing-lateral-movement-with-wmiexec/SKILL.md 
@@ -17,6 +17,21 @@ license: Apache-2.0 WMI (Windows Management Instrumentation) is a legitimate Windows administration framework that red teams abuse for lateral movement because it provides remote command execution without deploying additional services or leaving obvious artifacts like PsExec. Impacket's wmiexec.py creates a semi-interactive shell over WMI by executing commands through Win32_Process.Create and reading output via temporary files on ADMIN$ share. Unlike PsExec, WMIExec does not install a service on the target, making it stealthier and less likely to trigger security alerts. WMI-based lateral movement maps to MITRE ATT&CK T1047 (Windows Management Instrumentation) and is used by threat actors including APT29, APT32, and Lazarus Group. + +## When to Use + +- When conducting security assessments that involve performing lateral movement with wmiexec +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with red teaming concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Execute remote commands on Windows targets using WMI-based techniques diff --git a/skills/performing-open-source-intelligence-gathering/SKILL.md b/skills/performing-open-source-intelligence-gathering/SKILL.md index ba3cf231..ad269145 100644 --- a/skills/performing-open-source-intelligence-gathering/SKILL.md +++ b/skills/performing-open-source-intelligence-gathering/SKILL.md 
@@ -17,6 +17,21 @@ license: Apache-2.0 Open Source Intelligence (OSINT) gathering is the first active phase of a red team engagement, where operators collect publicly available information about the target organization to identify attack surfaces, potential targets for social engineering, technology stacks, and credential exposures. Effective OSINT directly shapes initial access strategies and reduces operational risk. + +## When to Use + +- When conducting security assessments that involve performing open source intelligence gathering +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with red teaming concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Enumerate the target organization's external attack surface (domains, IPs, cloud assets) diff --git a/skills/performing-red-team-phishing-with-gophish/SKILL.md b/skills/performing-red-team-phishing-with-gophish/SKILL.md index fbcaeb29..80b06e1f 100644 --- a/skills/performing-red-team-phishing-with-gophish/SKILL.md +++ b/skills/performing-red-team-phishing-with-gophish/SKILL.md 
@@ -13,6 +13,21 @@ author: mahipal license: Apache-2.0 --- + +## When to Use + +- When conducting security assessments that involve performing red team phishing with gophish +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions 1. Install dependencies: `pip install gophish requests` diff --git a/skills/performing-service-account-audit/SKILL.md b/skills/performing-service-account-audit/SKILL.md index 442d4137..c4e33bbf 100644 --- a/skills/performing-service-account-audit/SKILL.md +++ b/skills/performing-service-account-audit/SKILL.md 
@@ -13,6 +13,21 @@ license: Apache-2.0 ## Overview Audit service accounts across enterprise infrastructure to identify orphaned, over-privileged, and non-compliant accounts. This skill covers discovery of service accounts in Active Directory, cloud platforms, databases, and applications, assessing privilege levels, identifying missing owners, and enforcing lifecycle policies. + +## When to Use + +- When conducting security assessments that involve performing service account audit +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with identity access management concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Objectives - Discover all service accounts across AD, cloud, databases, and applications - Identify orphaned accounts with no valid owner or associated application diff --git a/skills/performing-ssrf-vulnerability-exploitation/SKILL.md b/skills/performing-ssrf-vulnerability-exploitation/SKILL.md index 29da626b..d8fb7fcb 100644 --- a/skills/performing-ssrf-vulnerability-exploitation/SKILL.md +++ b/skills/performing-ssrf-vulnerability-exploitation/SKILL.md 
@@ -13,6 +13,21 @@ author: mahipal license: Apache-2.0 --- + +## When to Use + +- When conducting security assessments that involve performing ssrf vulnerability exploitation +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with security operations concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions 1. Install dependencies: `pip install requests` diff --git a/skills/performing-threat-emulation-with-atomic-red-team/SKILL.md b/skills/performing-threat-emulation-with-atomic-red-team/SKILL.md index b32268a8..0782c4c5 100644 --- a/skills/performing-threat-emulation-with-atomic-red-team/SKILL.md +++ b/skills/performing-threat-emulation-with-atomic-red-team/SKILL.md @@ -15,6 +15,21 @@ license: Apache-2.0 # Performing Threat Emulation with Atomic Red Team + +## When to Use + +- When conducting security assessments that involve performing threat emulation with atomic red team +- When following incident response procedures for related security events +- When performing scheduled security testing or auditing activities +- When validating security controls through hands-on testing + +## Prerequisites + +- Familiarity with threat intelligence concepts and tools +- Access to a test or lab environment for safe execution +- Python 3.8+ with required dependencies installed +- Appropriate authorization for any testing activities + ## Instructions Use atomic-operator to execute Atomic Red Team tests and validate detection coverage
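Review bot: in the SLA tracker script, the fixed `elif days_remaining <= 7` AT_RISK window in `calculate_sla_status` collides with the `--sla-critical` default of 7 in `main`, so every open CRITICAL finding is AT_RISK from the day it is discovered and can never be ON_TRACK; derive the window from the target (a fraction of `target_days`) or expose it as an `--at-risk-days` option defaulting to something well below the shortest SLA. The summary label `At Risk (<7 days)` also disagrees with the `<= 7` test; pick one. Two smaller points in the same hunk: `generate_metrics`' `oldest_breach` block and `format_summary` index `oldest["id"]`, `r['severity']`, `r['asset']`, `r['title']` directly while the rest of the code uses `.get()`, so a record that `load_vulnerabilities` normalised without one of those keys raises `KeyError` instead of being reported; and `format_summary` recomputes `breached` from `results` although `generate_metrics` already derived it, so returning the list (or at least its ids) on the metrics dict keeps the two from drifting apart. Finally, this hunk deletes `check_compliance` and the `--target`/`--token` interface, but the old `main` also called `audit_config`, which does not appear here; confirm that function and the optional `requests` import were removed in the part of the diff not shown, otherwise dead code remains.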
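Review bot: in `implementing-zero-trust-network-access-with-zscaler/SKILL.md` the first 'When to Use' bullet is ungrammatical template output ('When deploying or configuring implementing zero trust network access with zscaler capabilities in your environment'); reword it, for example to 'When deploying or configuring Zscaler Private Access (ZPA) in your environment'. The 'Python 3.8+ with required dependencies installed' prerequisite has no basis in this skill: the surrounding text describes connector setup, application segmentation, policy configuration and identity-provider integration, none of which the page presents as Python-driven, so drop it or replace it with the prerequisites the text actually implies (a ZPA tenant with admin access, hosts for the connectors, access to the identity provider).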
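Review bot: the 'When to Use' block pasted into the red-team skills (`performing-credential-access-with-lazagne`, `performing-initial-access-with-evilginx3`, `performing-kerberoasting-attack`, `performing-lateral-movement-with-wmiexec`, `performing-open-source-intelligence-gathering`, `performing-red-team-phishing-with-gophish`) is the same four generic bullets, and two of them misdescribe these pages: 'When following incident response procedures for related security events' and 'When performing scheduled security testing or auditing activities' are not what a Kerberoasting, AiTM phishing or WMI lateral-movement skill is for. Each overview paragraph already states the real trigger (post-exploitation credential harvesting, demonstrating MFA bypass, lateral movement within authorised scope), so write the bullets from that text, e.g. 'When an authorised engagement calls for demonstrating AiTM MFA bypass' for EvilGinx3. The Prerequisites are templated in the same way: 'Familiarity with security operations concepts' on the GoPhish page should read 'red teaming' like its siblings, and for EvilGinx3 and Kerberoasting the visible text names no Python tooling, so 'Python 3.8+ with required dependencies installed' is unsupported there. 'Appropriate authorization for any testing activities' is the one bullet that matters on every one of these pages; put it first and make it concrete (written rules of engagement and an agreed scope, which the EvilGinx3 objectives already refer to as 'authorized scope').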
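Review bot: in `performing-access-review-and-certification` and `performing-service-account-audit` the bullets 'When following incident response procedures for related security events', 'When performing scheduled security testing or auditing activities' and 'When validating security controls through hands-on testing', together with the 'Access to a test or lab environment for safe execution' prerequisite, come from a pentest template and do not fit a governance activity. The Overview paragraphs already give the right triggers (SOX, HIPAA and PCI DSS certification campaigns; orphaned, over-privileged and non-compliant service accounts; lifecycle policy enforcement), so the bullets should say e.g. 'When a compliance cycle requires a recurring access certification campaign' or 'When service accounts need an owner and privilege review', and the environment prerequisite should be read access to the identity sources being reviewed (AD, cloud platforms, databases, applications) rather than a lab.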
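Review bot: every inserted block opens with a `+` empty line directly after an existing blank line (for example after `# Performing Cloud Native Forensics with Falco`, after `# Performing Container Escape Detection`, and after the Overview paragraph in `performing-access-review-and-certification`), which leaves two consecutive blank lines before `## When to Use`; drop that leading empty line in each hunk. The generated bullets also lowercase proper nouns and acronyms lifted from the directory name ('falco', 'zscaler', 'lazagne', 'dns', 'evilginx3', 'ssrf', 'gophish', 'atomic red team'); use the forms the page titles already use (Falco, Zscaler, LaZagne, DNS, EvilGinx3, SSRF, GoPhish, Atomic Red Team). Placement is inconsistent as well: in `performing-red-team-phishing-with-gophish` and `performing-ssrf-vulnerability-exploitation` the block lands directly under the front-matter `---` with no heading above it, in the access-review, service-account and Zscaler files it sits between an intro paragraph and the next section, and elsewhere it follows the H1; pick one position (after the H1, before `## Instructions` or `## Objectives`) and apply it uniformly.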