Add 10 new cybersecurity skills with full folder anatomy

Skills added:
- implementing-privileged-access-workstation (IAM, PAW hardening)
- detecting-suspicious-oauth-application-consent (cloud security, Graph API)
- performing-hardware-security-module-integration (cryptography, PKCS#11)
- analyzing-android-malware-with-apktool (malware analysis, androguard)
- hunting-for-unusual-service-installations (threat hunting, T1543.003)
- detecting-shadow-it-cloud-usage (cloud security, proxy/DNS log analysis)
- performing-active-directory-forest-trust-attack (red team, impacket)
- implementing-deception-based-detection-with-canarytoken (deception, Canary API)
- analyzing-office365-audit-logs-for-compromise (cloud security, BEC detection)
- hunting-for-startup-folder-persistence (threat hunting, T1547.001)

Each skill includes SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
This commit is contained in:
mukul975
2026-03-11 00:46:49 +01:00
parent b6c7ac9d82
commit 4d6d585285
40 changed files with 3578 additions and 0 deletions
@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 Mahipal
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
@@ -0,0 +1,39 @@
---
name: implementing-privileged-access-workstation
description: Design and implement Privileged Access Workstations (PAWs) with device hardening, just-in-time access, and integration with CyberArk or BeyondTrust for secure administrative operations.
domain: cybersecurity
subdomain: identity-and-access-management
tags: [privileged-access, PAW, zero-trust, device-hardening, CyberArk, BeyondTrust, just-in-time-access]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Implementing Privileged Access Workstation
## Overview
A Privileged Access Workstation (PAW) is a hardened device dedicated to performing sensitive administrative tasks. This skill covers PAW design using the tiered administration model, device compliance enforcement via Microsoft Intune or Group Policy, just-in-time (JIT) access provisioning, and integration with privileged access management (PAM) platforms like CyberArk and BeyondTrust.
## Prerequisites
- Windows 10/11 Enterprise with Virtualization Based Security (VBS)
- Microsoft Intune or Active Directory Group Policy
- CyberArk Privileged Access Security or BeyondTrust Password Safe (optional)
- Python 3.9+ with `requests`, `subprocess`, `json`
- Administrative access to target endpoints
## Steps
1. Audit current privileged access patterns and identify Tier 0/1/2 assets
2. Configure device hardening baselines (AppLocker, Credential Guard, Device Guard)
3. Enforce compliance policies via Intune or GPO
4. Implement just-in-time access with time-limited admin group membership
5. Integrate with CyberArk/BeyondTrust for credential vaulting
6. Validate PAW configuration against CIS and Microsoft PAW guidance
7. Monitor privileged sessions and generate compliance reports
## Expected Output
- JSON report listing device compliance status, hardening checks, JIT access windows, and PAM integration verification
- Risk scoring per workstation with remediation recommendations
@@ -0,0 +1,52 @@
# API Reference — Implementing Privileged Access Workstation
## Libraries Used
- **subprocess**: Execute PowerShell cmdlets for device hardening, group membership, software inventory
- **json**: Parse PowerShell ConvertTo-Json output
## CLI Interface
```
python agent.py harden
python agent.py admins
python agent.py software
python agent.py network
python agent.py full
```
## Core Functions
### `check_device_hardening()` — Audit 7 PAW hardening controls
Checks: Credential Guard, VBS status, Secure Boot, BitLocker, AppLocker,
Windows Firewall profiles, UAC level via registry.
### `check_local_admin_group()` — JIT access audit
Enumerates local Administrators group via `Get-LocalGroupMember`.
Flags unexpected members not matching known admin accounts.
### `check_installed_software()` — Software allowlist enforcement
Queries installed software from registry. Checks against blocked list:
browsers (Chrome, Firefox), personal apps (Spotify, Steam, Slack, Zoom, Dropbox).
### `check_network_restrictions()` — Network isolation verification
Counts outbound firewall block rules. Tests general internet connectivity.
PAW Tier 0 should block internet — only management endpoints allowed.
### `full_paw_audit()` — Comprehensive compliance report
## PAW Hardening Checks
| Check | PowerShell Source | Pass Criteria |
|-------|------------------|---------------|
| Credential Guard | Win32_DeviceGuard | SecurityServicesRunning > 0 |
| VBS | Win32_DeviceGuard | VirtualizationBasedSecurityStatus = 2 |
| Secure Boot | Confirm-SecureBootUEFI | Returns True |
| BitLocker | Get-BitLockerVolume | ProtectionStatus = On |
| AppLocker | Get-AppLockerPolicy | RuleCollection count > 0 |
| Firewall | Get-NetFirewallProfile | All profiles enabled |
| UAC | Registry query | ConsentPromptBehaviorAdmin >= 2 |
## Blocked Software Patterns
chrome, firefox, spotify, steam, vlc, zoom, slack, dropbox, itunes, whatsapp, telegram
## Dependencies
No external packages — Python standard library only.
Requires: Windows 10/11 Enterprise with PowerShell 5.1+
@@ -0,0 +1,170 @@
#!/usr/bin/env python3
"""Agent for implementing and auditing Privileged Access Workstation (PAW) configurations."""
import json
import argparse
import subprocess
import re
from datetime import datetime
def check_device_hardening():
"""Audit local device hardening controls for PAW compliance."""
checks = {}
hardening_cmds = {
"credential_guard": ["powershell", "-Command",
"(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\\Microsoft\\Windows\\DeviceGuard).SecurityServicesRunning"],
"vbs_status": ["powershell", "-Command",
"(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\\Microsoft\\Windows\\DeviceGuard).VirtualizationBasedSecurityStatus"],
"secure_boot": ["powershell", "-Command", "Confirm-SecureBootUEFI"],
"bitlocker": ["powershell", "-Command",
"(Get-BitLockerVolume -MountPoint C:).ProtectionStatus"],
"applocker_status": ["powershell", "-Command",
"(Get-AppLockerPolicy -Effective -Xml | Select-String 'RuleCollection').Count"],
"firewall_enabled": ["powershell", "-Command",
"(Get-NetFirewallProfile | Where-Object {$_.Enabled -eq $true}).Name -join ','"],
"uac_level": ["reg", "query",
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"/v", "ConsentPromptBehaviorAdmin"],
}
for name, cmd in hardening_cmds.items():
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
output = result.stdout.strip()
checks[name] = {"value": output, "status": "PASS" if output and output not in ("0", "False", "") else "FAIL"}
except Exception as e:
checks[name] = {"value": str(e), "status": "ERROR"}
passed = sum(1 for c in checks.values() if c["status"] == "PASS")
return {
"timestamp": datetime.utcnow().isoformat(),
"checks": checks,
"passed": passed,
"total": len(checks),
"compliance_pct": round(passed / len(checks) * 100, 1),
"risk": "LOW" if passed >= 6 else "MEDIUM" if passed >= 4 else "HIGH",
}
def check_local_admin_group():
"""Enumerate local Administrators group membership for JIT audit."""
try:
result = subprocess.run(
["powershell", "-Command",
"Get-LocalGroupMember -Group Administrators | Select-Object Name,ObjectClass,PrincipalSource | ConvertTo-Json"],
capture_output=True, text=True, timeout=15)
members = json.loads(result.stdout) if result.stdout.strip() else []
if isinstance(members, dict):
members = [members]
expected_admins = ["Administrator", "Domain Admins"]
unexpected = [m for m in members if not any(e in m.get("Name", "") for e in expected_admins)]
return {
"total_members": len(members),
"members": members,
"unexpected_admins": unexpected,
"jit_finding": "UNEXPECTED_ADMINS" if unexpected else "CLEAN",
"severity": "HIGH" if unexpected else "INFO",
}
except Exception as e:
return {"error": str(e)}
def check_installed_software():
"""Audit installed software against PAW allowlist."""
try:
result = subprocess.run(
["powershell", "-Command",
"Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | "
"Select-Object DisplayName,Publisher,InstallDate | Where-Object {$_.DisplayName -ne $null} | "
"ConvertTo-Json -Depth 2"],
capture_output=True, text=True, timeout=30)
software = json.loads(result.stdout) if result.stdout.strip() else []
if isinstance(software, dict):
software = [software]
blocked_patterns = [
"chrome", "firefox", "spotify", "steam", "vlc", "zoom", "slack",
"dropbox", "onedrive personal", "itunes", "whatsapp", "telegram",
]
violations = []
for sw in software:
name = (sw.get("DisplayName") or "").lower()
if any(p in name for p in blocked_patterns):
violations.append({"name": sw.get("DisplayName"), "publisher": sw.get("Publisher")})
return {
"total_installed": len(software),
"paw_violations": len(violations),
"violations": violations[:20],
"finding": "BLOCKED_SOFTWARE_FOUND" if violations else "COMPLIANT",
}
except Exception as e:
return {"error": str(e)}
def check_network_restrictions():
"""Verify PAW network isolation and restrictions."""
checks = {}
try:
result = subprocess.run(
["powershell", "-Command",
"Get-NetFirewallRule | Where-Object {$_.Enabled -eq 'True' -and $_.Direction -eq 'Outbound' -and $_.Action -eq 'Block'} | "
"Measure-Object | Select-Object -ExpandProperty Count"],
capture_output=True, text=True, timeout=15)
checks["outbound_block_rules"] = int(result.stdout.strip() or 0)
except Exception:
checks["outbound_block_rules"] = 0
try:
result = subprocess.run(["powershell", "-Command",
"Test-NetConnection -ComputerName google.com -Port 80 -WarningAction SilentlyContinue | Select-Object TcpTestSucceeded | ConvertTo-Json"],
capture_output=True, text=True, timeout=15)
data = json.loads(result.stdout) if result.stdout.strip() else {}
checks["internet_access"] = data.get("TcpTestSucceeded", True)
except Exception:
checks["internet_access"] = "unknown"
paw_should_block_internet = checks.get("internet_access") is False
return {
"network_checks": checks,
"internet_blocked": paw_should_block_internet,
"finding": "INTERNET_BLOCKED" if paw_should_block_internet else "INTERNET_ALLOWED",
"severity": "INFO" if paw_should_block_internet else "MEDIUM",
"recommendation": "PAW Tier 0 should block general internet — restrict to management endpoints only",
}
def full_paw_audit():
"""Run comprehensive PAW compliance audit."""
return {
"audit_type": "Privileged Access Workstation",
"timestamp": datetime.utcnow().isoformat(),
"device_hardening": check_device_hardening(),
"admin_group": check_local_admin_group(),
"software_compliance": check_installed_software(),
"network_isolation": check_network_restrictions(),
}
def main():
parser = argparse.ArgumentParser(description="Privileged Access Workstation Audit Agent")
sub = parser.add_subparsers(dest="command")
sub.add_parser("harden", help="Check device hardening controls")
sub.add_parser("admins", help="Audit local admin group membership")
sub.add_parser("software", help="Check installed software against allowlist")
sub.add_parser("network", help="Verify network isolation")
sub.add_parser("full", help="Full PAW compliance audit")
args = parser.parse_args()
if args.command == "harden":
result = check_device_hardening()
elif args.command == "admins":
result = check_local_admin_group()
elif args.command == "software":
result = check_installed_software()
elif args.command == "network":
result = check_network_restrictions()
elif args.command == "full":
result = full_paw_audit()
else:
parser.print_help()
return
print(json.dumps(result, indent=2, default=str))
if __name__ == "__main__":
main()