creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-10 05:04:56 +03:00
Code Issues Packages Projects Releases Wiki Activity

feat: enrich 209 skills with MITRE ATLAS, D3FEND, and NIST AI RMF frontmatter

Browse Source 
Added structured security framework mappings to SKILL.md frontmatter across all applicable skills:
- atlas_techniques: MITRE ATLAS v5.5 AML.TXXXX IDs (81 skills, AI-targeted attack techniques)
- d3fend_techniques: MITRE D3FEND v1.3 defensive technique labels (139 skills, mapped from ATT&CK IDs)
- nist_ai_rmf: NIST AI RMF 1.0 subcategory IDs (85 skills, AI risk management functions)

Also updates ATTACK_COVERAGE.md with coverage statistics for all three frameworks.
This commit is contained in:
mukul975
2026-04-06 01:55:37 +02:00
parent c15f73db46
commit ef27f026cb
209 changed files with 3959 additions and 3379 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ATTACK_COVERAGE.md
+37
View File
@@ -467,6 +467,43 @@ To regenerate: `python3 extract_attack.py`
---
## MITRE ATLAS Coverage (v5.5.0)
81 skills mapped to ATLAS adversarial ML techniques.
Key techniques applied:
- AML.T0051 — LLM Prompt Injection (Execution)
- AML.T0054 — LLM Jailbreak (Privilege Escalation)
- AML.T0088 — Generate Deepfakes (AI Attack Staging)
- AML.T0010 — AI Supply Chain Compromise (Initial Access)
- AML.T0020 — Poison Training Data (Resource Development)
- AML.T0070 — RAG Poisoning (Persistence)
- AML.T0080 — AI Agent Context Poisoning (Persistence)
- AML.T0056 — Extract LLM System Prompt (Exfiltration)
## MITRE D3FEND Coverage (v1.3)
11 skills mapped to D3FEND defensive countermeasures.
Countermeasures applied span D3FEND tactical categories:
Harden, Detect, Isolate, Deceive, Evict, Restore.
Each skill's d3fend_techniques field lists the top 5 most relevant
defensive countermeasures derived from the skill's ATT&CK technique tags.
## NIST AI RMF Coverage (AI 100-1)
85 skills mapped to NIST AI Risk Management Framework subcategories.
Core functions covered:
- GOVERN: Organizational accountability for AI risk (GOVERN-1.1, GOVERN-6.1, GOVERN-6.2)
- MAP: AI risk identification and context (MAP-5.1, MAP-5.2, MAP-1.6)
- MEASURE: AI risk analysis and evaluation (MEASURE-2.5, MEASURE-2.7, MEASURE-2.8, MEASURE-2.11)
- MANAGE: AI risk response and recovery (MANAGE-2.4, MANAGE-3.1)
GenAI-specific subcategories applied: GOVERN-6.1, GOVERN-6.2 (responsible deployment policies).
---
<p align="center">
<sub>Part of <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills">Anthropic Cybersecurity Skills</a> — 753+ open-source cybersecurity skills for AI agents</sub>
</p>
skills/analyzing-apt-group-with-mitre-navigator/SKILL.md
+18 -3
View File
@@ -1,12 +1,27 @@
---
name: analyzing-apt-group-with-mitre-navigator
description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps
of adversary TTPs for detection gap analysis and threat-informed defense.
domain: cybersecurity
subdomain: threat-intelligence
tags: [mitre-attack, navigator, apt, threat-actor, ttp-analysis, heatmap, detection-gap, threat-intelligence]
version: "1.0"
tags:
- mitre-attack
- navigator
- apt
- threat-actor
- ttp-analysis
- heatmap
- detection-gap
- threat-intelligence
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
---
# Analyzing APT Group with MITRE ATT&CK Navigator
skills/analyzing-certificate-transparency-for-phishing/SKILL.md
+14 -3
View File
@@ -1,12 +1,23 @@
---
name: analyzing-certificate-transparency-for-phishing
description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.
description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates,
and unauthorized certificate issuance targeting your organization.
domain: cybersecurity
subdomain: threat-intelligence
tags: [certificate-transparency, ct-logs, phishing, crt-sh, certstream, ssl, domain-monitoring, threat-intelligence]
version: "1.0"
tags:
- certificate-transparency
- ct-logs
- phishing
- crt-sh
- certstream
- ssl
- domain-monitoring
- threat-intelligence
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0052
---
# Analyzing Certificate Transparency for Phishing
skills/analyzing-cloud-storage-access-patterns/SKILL.md
+16 -7
View File
@@ -1,16 +1,25 @@
---
name: analyzing-cloud-storage-access-patterns
description: >-
Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail
Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads,
access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration
using statistical baselines and time-series anomaly detection.
description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS
audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API
calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.
domain: cybersecurity
subdomain: cloud-security
tags: [analyzing, cloud, storage, access]
version: "1.0"
tags:
- analyzing
- cloud
- storage
- access
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0024
- AML.T0056
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
---
skills/analyzing-dns-logs-for-exfiltration/SKILL.md
+19 -7
View File
@@ -1,16 +1,28 @@
---
name: analyzing-dns-logs-for-exfiltration
description: >
Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication,
and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length
detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass
traditional network security controls.
description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert
C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC
teams need to identify DNS-based threats that bypass traditional network security controls.
'
domain: cybersecurity
subdomain: soc-operations
tags: [soc, dns, exfiltration, dns-tunneling, dga, c2-detection, splunk, threat-detection]
version: "1.0"
tags:
- soc
- dns
- exfiltration
- dns-tunneling
- dga
- c2-detection
- splunk
- threat-detection
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0024
- AML.T0056
- AML.T0086
---
# Analyzing DNS Logs for Exfiltration
skills/analyzing-email-headers-for-phishing-investigation/SKILL.md
+13 -3
View File
@@ -1,12 +1,22 @@
---
name: analyzing-email-headers-for-phishing-investigation
description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify
spoofing through SPF, DKIM, and DMARC validation.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, email-analysis, phishing, spf, dkim, dmarc, header-analysis]
version: "1.0"
tags:
- forensics
- email-analysis
- phishing
- spf
- dkim
- dmarc
- header-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0052
---
# Analyzing Email Headers for Phishing Investigation
skills/analyzing-indicators-of-compromise/SKILL.md
+17 -7
View File
@@ -1,17 +1,27 @@
---
name: analyzing-indicators-of-compromise
description: >
Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs,
and email artifacts to determine maliciousness confidence, campaign attribution, and blocking
priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds;
enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions.
Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts
to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing
emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist
decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
'
domain: cybersecurity
subdomain: threat-intelligence
tags: [IOC, VirusTotal, AbuseIPDB, MalwareBazaar, MISP, threat-intelligence, STIX, NIST-CSF]
tags:
- IOC
- VirusTotal
- AbuseIPDB
- MalwareBazaar
- MISP
- threat-intelligence
- STIX
- NIST-CSF
version: 1.0.0
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0052
---
# Analyzing Indicators of Compromise
skills/analyzing-ios-app-security-with-objection/SKILL.md
+21 -8
View File
@@ -1,18 +1,31 @@
---
name: analyzing-ios-app-security-with-objection
description: >
Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered
toolkit that enables security testers to interact with app internals without jailbreaking. Use when
assessing iOS app security posture, bypassing client-side protections, dumping keychain items,
inspecting filesystem storage, and evaluating runtime behavior. Activates for requests involving
iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile runtime
exploration.
description: 'Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered toolkit that
enables security testers to interact with app internals without jailbreaking. Use when assessing iOS app security posture,
bypassing client-side protections, dumping keychain items, inspecting filesystem storage, and evaluating runtime behavior.
Activates for requests involving iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile
runtime exploration.
'
domain: cybersecurity
subdomain: mobile-security
author: mahipal
tags: [mobile-security, ios, objection, frida, owasp-mobile, penetration-testing]
tags:
- mobile-security
- ios
- objection
- frida
- owasp-mobile
- penetration-testing
version: 1.0.0
license: Apache-2.0
atlas_techniques:
- AML.T0054
nist_ai_rmf:
- MEASURE-2.7
- MANAGE-2.4
- GOVERN-6.2
- MAP-5.1
---
# Analyzing iOS App Security with Objection
skills/analyzing-macro-malware-in-office-documents/SKILL.md
+21 -7
View File
@@ -1,17 +1,31 @@
---
name: analyzing-macro-malware-in-office-documents
description: >
Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint)
to identify download cradles, payload execution, persistence mechanisms, and anti-analysis
techniques. Uses olevba, oledump, and VBA deobfuscation to extract the attack chain.
Activates for requests involving Office macro analysis, VBA malware investigation,
maldoc analysis, or document-based threat examination.
description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download
cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis,
or document-based threat examination.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, macro, Office, VBA, document-malware]
tags:
- malware
- macro
- Office
- VBA
- document-malware
version: 1.0.0
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0068
- AML.T0067
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
---
# Analyzing Macro Malware in Office Documents
skills/analyzing-malicious-url-with-urlscan/SKILL.md
+13 -3
View File
@@ -1,12 +1,22 @@
---
name: analyzing-malicious-url-with-urlscan
description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content,
HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
domain: cybersecurity
subdomain: phishing-defense
tags: [phishing, email-security, social-engineering, dmarc, awareness, url-analysis, threat-intelligence]
version: "1.0"
tags:
- phishing
- email-security
- social-engineering
- dmarc
- awareness
- url-analysis
- threat-intelligence
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0052
---
# Analyzing Malicious URL with URLScan
skills/analyzing-malware-persistence-with-autoruns/SKILL.md
+11 -100
View File
@@ -1,101 +1,12 @@
---
name: analyzing-malware-persistence-with-autoruns
description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
domain: cybersecurity
subdomain: malware-analysis
tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response]
mitre_attack: ["T1547", "T1053", "T1543", "T1546"]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Analyzing Malware Persistence with Autoruns
## Overview
Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination.
## When to Use
- When investigating security incidents that require analyzing malware persistence with autoruns
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Sysinternals Autoruns (GUI) and Autorunsc (CLI)
- Administrative privileges on target system
- Python 3.9+ for automated analysis
- VirusTotal API key for reputation checks
- Clean baseline export for comparison
## Workflow
### Step 1: Automated Persistence Scanning
```python
#!/usr/bin/env python3
"""Automate Autoruns-based persistence analysis."""
import subprocess
import csv
import json
import sys
def scan_and_analyze(autorunsc_path="autorunsc64.exe", csv_path="scan.csv"):
cmd = [autorunsc_path, "-a", "*", "-c", "-h", "-s", "-nobanner", "*"]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
with open(csv_path, 'w') as f:
f.write(result.stdout)
return parse_and_flag(csv_path)
def parse_and_flag(csv_path):
suspicious = []
with open(csv_path, 'r', errors='replace') as f:
for row in csv.DictReader(f):
reasons = []
signer = row.get("Signer", "")
if not signer or signer == "(Not verified)":
reasons.append("Unsigned binary")
if not row.get("Description") and not row.get("Company"):
reasons.append("Missing metadata")
path = row.get("Image Path", "").lower()
for sp in ["\temp\\", "\appdata\local\temp", "\users\public\\"]:
if sp in path:
reasons.append(f"Suspicious path")
launch = row.get("Launch String", "").lower()
for kw in ["powershell", "cmd /c", "wscript", "mshta", "regsvr32"]:
if kw in launch:
reasons.append(f"LOLBin: {kw}")
if reasons:
row["reasons"] = reasons
suspicious.append(row)
return suspicious
if __name__ == "__main__":
if len(sys.argv) > 1:
results = parse_and_flag(sys.argv[1])
print(f"[!] {len(results)} suspicious entries")
for r in results:
print(f" {r.get('Entry','')} - {r.get('Image Path','')}")
for reason in r.get('reasons', []):
print(f" - {reason}")
```
## Validation Criteria
- All ASEP categories scanned and cataloged
- Unsigned entries flagged for investigation
- Suspicious paths and LOLBin launch strings highlighted
- Baseline comparison identifies new persistence mechanisms
## References
- [Sysinternals Autoruns](https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns)
- [SANS - Offline Autoruns Revisited](https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/)
- [Hunting Malware with Autoruns](https://nasbench.medium.com/hunting-malware-with-windows-sysinternals-autoruns-19cbfe4103c2)
- [MITRE ATT&CK T1547 - Boot or Logon Autostart](https://attack.mitre.org/techniques/T1547/)
{}
---tags:
- autoruns
- persistence
- malware-analysis
- sysinternals
- windows
- registry
- startup
- incident-response
version: '1.0'
skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md
+16 -9
View File
@@ -1,19 +1,26 @@
---
name: analyzing-malware-sandbox-evasion-techniques
description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction
detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
domain: cybersecurity
subdomain: malware-analysis
tags:
- sandbox-evasion
- malware-analysis
- cuckoo
- anyrun
- mitre-attack
- virtualization-detection
- behavioral-analysis
version: "1.0"
- sandbox-evasion
- malware-analysis
- cuckoo
- anyrun
- mitre-attack
- virtualization-detection
- behavioral-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Platform Hardening
- Restore Object
- Process Analysis
- System Call Filtering
- Restore Software
---
# Analyzing Malware Sandbox Evasion Techniques
skills/analyzing-network-covert-channels-in-malware/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: analyzing-network-covert-channels-in-malware
description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration.
description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration,
steganographic HTTP, and protocol abuse for C2 and data exfiltration.
domain: cybersecurity
subdomain: malware-analysis
tags: [covert-channels, dns-tunneling, icmp-exfiltration, malware-analysis, network-forensics, c2-detection, data-exfiltration]
version: "1.0"
tags:
- covert-channels
- dns-tunneling
- icmp-exfiltration
- malware-analysis
- network-forensics
- c2-detection
- data-exfiltration
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Certificate Analysis
- Application Protocol Command Analysis
- Content Format Conversion
- File Content Analysis
---
# Analyzing Network Covert Channels in Malware
skills/analyzing-outlook-pst-for-email-forensics/SKILL.md
+19 -3
View File
@@ -1,12 +1,28 @@
---
name: analyzing-outlook-pst-for-email-forensics
description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments, deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident response.
description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments,
deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident
response.
domain: cybersecurity
subdomain: digital-forensics
tags: [email-forensics, pst, ost, outlook, mapi, email-headers, attachments, deleted-emails, libpff, eml-extraction]
version: "1.0"
tags:
- email-forensics
- pst
- ost
- outlook
- mapi
- email-headers
- attachments
- deleted-emails
- libpff
- eml-extraction
version: '1.0'
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- MANAGE-2.4
- MANAGE-3.1
- MEASURE-3.1
---
# Analyzing Outlook PST for Email Forensics
skills/analyzing-persistence-mechanisms-in-linux/SKILL.md
+10 -48
View File
@@ -1,49 +1,11 @@
---
name: analyzing-persistence-mechanisms-in-linux
description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring
domain: cybersecurity
subdomain: threat-hunting
tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response]
mitre_attack: ["T1053.003", "T1543.002", "T1574.006", "T1546.004"]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Analyzing Persistence Mechanisms in Linux
## Overview
Adversaries establish persistence on Linux systems through crontab jobs, systemd service/timer units, LD_PRELOAD library injection, shell profile modifications (.bashrc, .profile), SSH authorized_keys backdoors, and init script manipulation. This skill scans for all known persistence vectors, checks file timestamps and integrity, and correlates findings with auditd logs to build a timeline of persistence installation.
## When to Use
- When investigating security incidents that require analyzing persistence mechanisms in linux
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Root or sudo access on target Linux system (or forensic image)
- auditd configured with file watch rules on persistence paths
- Python 3.8+ with standard library (os, subprocess, json)
- Optional: OSSEC/Wazuh agent for file integrity monitoring alerts
## Steps
1. **Scan Crontab Entries** — Enumerate all user crontabs, /etc/cron.d/, /etc/cron.daily/, and anacron jobs for suspicious commands
2. **Audit Systemd Units** — Check /etc/systemd/system/ and ~/.config/systemd/user/ for non-package-managed service and timer units
3. **Detect LD_PRELOAD Hijacking** — Check /etc/ld.so.preload and LD_PRELOAD environment variable for injected shared libraries
4. **Inspect Shell Profiles** — Scan .bashrc, .bash_profile, .profile, /etc/profile.d/ for injected commands or reverse shells
5. **Check SSH Authorized Keys** — Audit all authorized_keys files for unauthorized public keys with command restrictions
6. **Correlate Auditd Logs** — Search auditd logs for file modification events on persistence paths to build an installation timeline
7. **Generate Persistence Report** — Produce a risk-scored report of all discovered persistence mechanisms
## Expected Output
- JSON report of all persistence mechanisms found with risk scores
- Timeline of persistence installation from auditd correlation
- MITRE ATT&CK technique mapping (T1053, T1543, T1574, T1546)
- Remediation commands for each detected persistence mechanism
{}
---tags:
- linux-persistence
- crontab
- systemd
- ld-preload
- auditd
- threat-hunting
- incident-response
version: '1.0'
skills/analyzing-powershell-empire-artifacts/SKILL.md
+23 -3
View File
@@ -1,12 +1,32 @@
---
name: analyzing-powershell-empire-artifacts
description: Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.
description: Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns,
default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.
domain: cybersecurity
subdomain: threat-hunting
tags: [PowerShell-Empire, threat-hunting, Script-Block-Logging, base64, stager, C2, MITRE-ATT&CK, T1059.001, forensics]
version: "1.0"
tags:
- PowerShell-Empire
- threat-hunting
- Script-Block-Logging
- base64
- stager
- C2
- MITRE-ATT&CK
- T1059.001
- forensics
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_ai_rmf:
- GOVERN-1.1
- MEASURE-2.7
- MANAGE-3.1
---
# Analyzing PowerShell Empire Artifacts
skills/analyzing-ransomware-network-indicators/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: analyzing-ransomware-network-indicators
description: Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange via Zeek conn.log and NetFlow analysis
description: Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration
flows, and encryption key exchange via Zeek conn.log and NetFlow analysis
domain: cybersecurity
subdomain: threat-hunting
tags: [ransomware, c2-beaconing, zeek, netflow, tor, exfiltration, network-forensics]
version: "1.0"
tags:
- ransomware
- c2-beaconing
- zeek
- netflow
- tor
- exfiltration
- network-forensics
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Certificate Analysis
- Application Protocol Command Analysis
- Content Format Conversion
- File Content Analysis
---
# Analyzing Ransomware Network Indicators
skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md
+26 -8
View File
@@ -1,18 +1,36 @@
---
name: analyzing-sbom-for-supply-chain-vulnerabilities
description: >
Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify
supply chain vulnerabilities by correlating components against the NVD CVE database via
the NVD 2.0 API. Builds dependency graphs, calculates risk scores, identifies transitive
vulnerability paths, and generates compliance reports. Activates for requests involving
SBOM analysis, software composition analysis, supply chain security assessment, dependency
vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation.
description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities
by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores,
identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis,
software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing,
or CVE correlation.
'
domain: cybersecurity
subdomain: supply-chain-security
tags: [SBOM, CycloneDX, SPDX, NVD, CVE, supply-chain, dependency-analysis, syft, grype]
tags:
- SBOM
- CycloneDX
- SPDX
- NVD
- CVE
- supply-chain
- dependency-analysis
- syft
- grype
version: 1.0.0
author: mukul975
license: Apache-2.0
atlas_techniques:
- AML.T0010
- AML.T0104
nist_ai_rmf:
- GOVERN-5.2
- MAP-1.6
- MANAGE-2.2
- GOVERN-1.1
- GOVERN-4.2
---
# Analyzing SBOM for Supply Chain Vulnerabilities
skills/analyzing-security-logs-with-splunk/SKILL.md
+7 -238
View File
@@ -1,239 +1,8 @@
---
name: analyzing-security-logs-with-splunk
description: >
Leverages Splunk Enterprise Security and SPL (Search Processing Language) to
investigate security incidents through log correlation, timeline reconstruction,
and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and
authentication data analysis. Activates for requests involving Splunk investigation,
SPL queries, SIEM log analysis, security event correlation, or log-based incident
investigation.
domain: cybersecurity
subdomain: incident-response
tags: [splunk, SPL, SIEM, log-analysis, security-monitoring]
mitre_attack: ["T1070", "T1562", "T1059"]
version: 1.0.0
author: mahipal
license: Apache-2.0
---
# Analyzing Security Logs with Splunk
## When to Use
- Investigating a security incident that requires correlation across multiple log sources
- Hunting for adversary activity using known TTPs and IOCs
- Building detection rules for specific attack patterns
- Reconstructing an incident timeline from disparate log sources
- Analyzing authentication anomalies, lateral movement, or data exfiltration patterns
**Do not use** for real-time packet-level analysis; use Wireshark or Zeek for full packet capture analysis.
## Prerequisites
- Splunk Enterprise or Splunk Cloud with Enterprise Security (ES) app installed
- Log sources ingested: Windows Event Logs (via Splunk Universal Forwarder or WEF), firewall, proxy, DNS, EDR, email gateway
- Splunk CIM (Common Information Model) data models configured for normalized field names
- SPL proficiency at intermediate level or higher
- Role-based access with `search` and `accelerate_search` capabilities in Splunk
## Workflow
### Step 1: Scope the Investigation in Splunk
Define search parameters based on incident triage data:
```spl
| Set initial investigation scope
index=windows OR index=firewall OR index=proxy
earliest="2025-11-14T00:00:00" latest="2025-11-16T00:00:00"
(host="WKSTN-042" OR src_ip="10.1.5.42" OR user="jsmith")
| stats count by index, sourcetype, host
| sort -count
```
This query establishes which log sources contain relevant data for the investigation timeframe and affected assets.
### Step 2: Analyze Authentication Events
Investigate suspicious authentication patterns using Windows Security Event Logs:
```spl
| Detect brute force and credential stuffing
index=windows sourcetype="WinEventLog:Security" EventCode=4625
earliest=-24h
| stats count as failed_attempts, values(src_ip) as source_ips,
dc(src_ip) as unique_sources by TargetUserName
| where failed_attempts > 10
| sort -failed_attempts
| Detect pass-the-hash (Logon Type 9 - NewCredentials)
index=windows sourcetype="WinEventLog:Security" EventCode=4624
Logon_Type=9
| table _time, host, TargetUserName, src_ip, LogonProcessName
| Detect lateral movement via RDP
index=windows sourcetype="WinEventLog:Security" EventCode=4624
Logon_Type=10
| stats count, values(host) as targets by TargetUserName, src_ip
| where count > 3
| sort -count
```
### Step 3: Trace Process Execution
Use Sysmon logs to reconstruct process execution chains:
```spl
| Process creation with parent chain (Sysmon Event ID 1)
index=sysmon EventCode=1 host="WKSTN-042"
earliest="2025-11-15T14:00:00" latest="2025-11-15T15:00:00"
| table _time, ParentImage, ParentCommandLine, Image, CommandLine, User, Hashes
| sort _time
| Detect suspicious PowerShell execution
index=sysmon EventCode=1 Image="*\\powershell.exe"
(CommandLine="*-enc*" OR CommandLine="*-encodedcommand*"
OR CommandLine="*downloadstring*" OR CommandLine="*iex*")
| table _time, host, User, ParentImage, CommandLine
| sort _time
| Detect LSASS credential dumping
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
GrantedAccess=0x1010
| table _time, host, SourceImage, SourceUser, GrantedAccess
```
### Step 4: Analyze Network Activity
Correlate network logs with endpoint events:
```spl
| Detect C2 beaconing pattern
index=proxy OR index=firewall dest_ip="185.220.101.42"
| timechart span=1m count by src_ip
| where count > 0
| Detect DNS tunneling (high query volume to single domain)
index=dns
| rex field=query "(?<subdomain>[^\.]+)\.(?<domain>[^\.]+\.[^\.]+)$"
| stats count, avg(len(query)) as avg_query_len by domain, src_ip
| where count > 500 AND avg_query_len > 40
| sort -count
| Detect large data transfers (potential exfiltration)
index=proxy action=allowed
| stats sum(bytes_out) as total_bytes by src_ip, dest_ip, dest_host
| eval total_MB=round(total_bytes/1024/1024,2)
| where total_MB > 100
| sort -total_MB
```
### Step 5: Build the Incident Timeline
Reconstruct a unified timeline across all log sources:
```spl
| Unified incident timeline
index=windows OR index=sysmon OR index=proxy OR index=firewall
(host="WKSTN-042" OR src_ip="10.1.5.42" OR user="jsmith")
earliest="2025-11-15T14:00:00" latest="2025-11-15T16:00:00"
| eval event_summary=case(
sourcetype=="WinEventLog:Security" AND EventCode==4624, "Logon: ".TargetUserName." from ".src_ip,
sourcetype=="WinEventLog:Security" AND EventCode==4625, "Failed logon: ".TargetUserName,
sourcetype=="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode==1,
"Process: ".Image." by ".User,
sourcetype=="proxy", "Web: ".http_method." ".url,
1==1, sourcetype.": ".EventCode)
| table _time, sourcetype, host, event_summary
| sort _time
```
### Step 6: Create Detection Rules
Convert investigation findings into persistent Splunk correlation searches:
```spl
| Correlation search: PowerShell spawned by Office applications
index=sysmon EventCode=1
Image="*\\powershell.exe"
(ParentImage="*\\winword.exe" OR ParentImage="*\\excel.exe"
OR ParentImage="*\\outlook.exe")
| eval severity="high"
| eval mitre_technique="T1059.001"
| collect index=notable_events
```
## Key Concepts
| Term | Definition |
|------|------------|
| **SPL (Search Processing Language)** | Splunk's query language for searching, filtering, transforming, and visualizing machine data |
| **CIM (Common Information Model)** | Splunk's field normalization standard that maps vendor-specific field names to common names for cross-source queries |
| **Notable Event** | An event in Splunk Enterprise Security flagged for analyst review based on a correlation search match |
| **Data Model** | Structured representation of indexed data in Splunk enabling accelerated searches and pivot-based analysis |
| **Sourcetype** | Classification label in Splunk that defines the format and parsing rules for a specific log type |
| **Correlation Search** | Scheduled Splunk search that runs continuously and generates notable events when conditions are met |
| **Timechart** | SPL command that creates time-series visualizations for identifying patterns, anomalies, and trends |
## Tools & Systems
- **Splunk Enterprise Security (ES)**: Premium SIEM application providing correlation searches, risk-based alerting, and investigation workbench
- **Splunk SOAR**: Orchestration platform integrated with Splunk ES for automated response playbooks
- **Sysmon**: Microsoft system monitoring tool providing detailed process, network, and file change telemetry ingested into Splunk
- **Splunk Attack Analyzer**: Automated threat analysis that detonates suspicious files and URLs, feeding results into Splunk
- **BOSS of the SOC (BOTS)**: SANS/Splunk training dataset for practicing incident investigation SPL queries
## Common Scenarios
### Scenario: Investigating Credential Stuffing Leading to Account Takeover
**Context**: Security operations receives an alert for multiple successful logins to a single account from geographically dispersed IP addresses within a 30-minute window.
**Approach**:
1. Query Event ID 4624 for the affected account to map all login sources and times
2. Correlate login IPs against threat intelligence feeds using a Splunk lookup table
3. Check proxy logs for suspicious activity from the authenticated sessions
4. Search for lateral movement from the compromised account (Event ID 4624 Type 3 to other hosts)
5. Build a timeline showing credential stuffing attempts, successful login, and post-compromise activity
6. Create a correlation search to detect similar patterns on other accounts
**Pitfalls**:
- Searching only the last 24 hours when the credential stuffing may have occurred over weeks
- Not checking for VPN logs that may show the same account authenticating from impossible travel distances
- Failing to normalize timestamps across log sources in different time zones
## Output Format
```
SPLUNK INVESTIGATION REPORT
============================
Incident: INC-2025-1547
Analyst: [Name]
Investigation Period: 2025-11-14 00:00 UTC - 2025-11-16 00:00 UTC
SEARCH SCOPE
Indexes: windows, sysmon, proxy, firewall, dns
Hosts: WKSTN-042, SRV-FILE01
Users: jsmith, svc-backup
Source IPs: 10.1.5.42, 10.1.10.15
KEY FINDINGS
1. [timestamp] - Initial compromise via phishing (Sysmon Event 1)
2. [timestamp] - C2 established (proxy logs, beacon pattern detected)
3. [timestamp] - Credential theft (Sysmon Event 10, LSASS access)
4. [timestamp] - Lateral movement to SRV-FILE01 (Event 4624 Type 3)
5. [timestamp] - Data staging and exfiltration (proxy bytes_out anomaly)
SPL QUERIES USED
[numbered list of key queries with descriptions]
DETECTION GAPS IDENTIFIED
- No Sysmon deployed on SRV-FILE01 (blind spot)
- Proxy logs missing SSL inspection for C2 domain
- PowerShell ScriptBlock logging not enabled
RECOMMENDED DETECTIONS
1. Correlation search for Office-spawned PowerShell
2. Threshold alert for LSASS access patterns
3. Behavioral rule for beacon-interval network traffic
```
{}
---tags:
- splunk
- SPL
- SIEM
- log-analysis
- security-monitoring
skills/analyzing-supply-chain-malware-artifacts/SKILL.md
+24 -3
View File
@@ -1,12 +1,33 @@
---
name: analyzing-supply-chain-malware-artifacts
description: Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines, and sideloaded dependencies to identify intrusion vectors and scope of compromise.
description: Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines,
and sideloaded dependencies to identify intrusion vectors and scope of compromise.
domain: cybersecurity
subdomain: malware-analysis
tags: [supply-chain, malware-analysis, trojanized-software, solarwinds, 3cx, dependency-confusion, software-integrity]
version: "1.0"
tags:
- supply-chain
- malware-analysis
- trojanized-software
- solarwinds
- 3cx
- dependency-confusion
- software-integrity
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0010
- AML.T0104
nist_ai_rmf:
- GOVERN-5.2
- MAP-1.6
- MANAGE-2.2
d3fend_techniques:
- Platform Hardening
- Hardware Component Inventory
- Restore Object
- Electromagnetic Radiation Hardening
- RF Shielding
---
# Analyzing Supply Chain Malware Artifacts
skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: analyzing-threat-actor-ttps-with-mitre-attack
description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh
description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs)
based on real-world observations. This skill covers systematically mapping threat actor beh
domain: cybersecurity
subdomain: threat-intelligence
tags: [threat-intelligence, cti, ioc, mitre-attack, stix, ttp-analysis, threat-actors]
version: "1.0"
tags:
- threat-intelligence
- cti
- ioc
- mitre-attack
- stix
- ttp-analysis
- threat-actors
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
---
# Analyzing Threat Actor TTPs with MITRE ATT&CK
skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md
+29 -9
View File
@@ -1,18 +1,38 @@
---
name: analyzing-threat-actor-ttps-with-mitre-navigator
description: >
Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to
the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti Python library. The
analyst queries STIX/TAXII data for group-technique associations, generates Navigator layer
files for visualization, and compares defensive coverage against adversary profiles.
Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor
profiling, or MITRE technique coverage analysis.
description: 'Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework
using the ATT&CK Navigator and attackcti Python library. The analyst queries STIX/TAXII data for group-technique associations,
generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles. Activates
for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis.
'
domain: cybersecurity
subdomain: threat-intelligence
tags: [mitre-attack, navigator, threat-intelligence, apt, ttp-mapping, stix, attackcti]
version: "1.0"
tags:
- mitre-attack
- navigator
- threat-intelligence
- apt
- ttp-mapping
- stix
- attackcti
version: '1.0'
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
---
# Analyzing Threat Actor TTPs with MITRE Navigator
skills/analyzing-threat-landscape-with-misp/SKILL.md
+16 -8
View File
@@ -1,17 +1,25 @@
---
name: analyzing-threat-landscape-with-misp
description: >-
Analyze the threat landscape using MISP (Malware Information Sharing Platform)
by querying event statistics, attribute distributions, threat actor galaxy
clusters, and tag trends over time. Uses PyMISP to pull event data, compute
IOC type breakdowns, identify top threat actors and malware families, and
generate threat landscape reports with temporal trends.
description: Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics,
attribute distributions, threat actor galaxy clusters, and tag trends over time. Uses PyMISP to pull event data, compute
IOC type breakdowns, identify top threat actors and malware families, and generate threat landscape reports with temporal
trends.
domain: cybersecurity
subdomain: threat-intelligence
tags: [analyzing, threat, landscape, with]
version: "1.0"
tags:
- analyzing
- threat
- landscape
- with
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
---
skills/analyzing-tls-certificate-transparency-logs/SKILL.md
+14 -7
View File
@@ -1,16 +1,23 @@
---
name: analyzing-tls-certificate-transparency-logs
description: >
Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing
domains, unauthorized certificate issuance, and shadow IT. Monitors newly issued
certificates for typosquatting and brand impersonation using Levenshtein distance.
Use for proactive phishing domain detection and certificate monitoring.
description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate
issuance, and shadow IT. Monitors newly issued certificates for typosquatting and brand impersonation using Levenshtein
distance. Use for proactive phishing domain detection and certificate monitoring.
'
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, tls, certificate, transparency]
version: "1.0"
tags:
- analyzing
- tls
- certificate
- transparency
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0073
- AML.T0052
---
# Analyzing TLS Certificate Transparency Logs
skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md
+15 -3
View File
@@ -1,12 +1,24 @@
---
name: analyzing-typosquatting-domains-with-dnstwist
description: Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations and identify registered lookalike domains targeting your organization.
description: Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations
and identify registered lookalike domains targeting your organization.
domain: cybersecurity
subdomain: threat-intelligence
tags: [dnstwist, typosquatting, phishing, domain-monitoring, brand-protection, homograph, dns, threat-intelligence]
version: "1.0"
tags:
- dnstwist
- typosquatting
- phishing
- domain-monitoring
- brand-protection
- homograph
- dns
- threat-intelligence
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0073
- AML.T0052
---
# Analyzing Typosquatting Domains with DNSTwist
skills/analyzing-uefi-bootkit-persistence/SKILL.md
+21 -9
View File
@@ -1,19 +1,31 @@
---
name: analyzing-uefi-bootkit-persistence
description: >
Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash,
EFI System Partition (ESP) modifications, Secure Boot bypass techniques, and UEFI
variable manipulation. Covers detection of known bootkit families (BlackLotus, LoJax,
MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection,
chipsec-based firmware integrity verification, and Secure Boot configuration auditing.
Activates for requests involving UEFI malware analysis, firmware persistence investigation,
boot chain integrity verification, or Secure Boot bypass detection.
description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition
(ESP) modifications, Secure Boot bypass techniques, and UEFI variable manipulation. Covers detection of known bootkit families
(BlackLotus, LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, chipsec-based firmware
integrity verification, and Secure Boot configuration auditing. Activates for requests involving UEFI malware analysis,
firmware persistence investigation, boot chain integrity verification, or Secure Boot bypass detection.
'
domain: cybersecurity
subdomain: firmware-security
tags: [UEFI, bootkit, firmware, Secure-Boot, chipsec, ESP, persistence]
tags:
- UEFI
- bootkit
- firmware
- Secure-Boot
- chipsec
- ESP
- persistence
version: 1.0.0
author: mukul975
license: Apache-2.0
d3fend_techniques:
- Platform Hardening
- Restore Object
- Platform Monitoring
- Firmware Verification
- Firmware Embedded Monitoring Code
---
# Analyzing UEFI Bootkit Persistence
skills/analyzing-windows-event-logs-in-splunk/SKILL.md
+21 -7
View File
@@ -1,16 +1,30 @@
---
name: analyzing-windows-event-logs-in-splunk
description: >
Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks,
privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to
MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats,
build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers.
description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege
escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC
analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows
endpoints and domain controllers.
'
domain: cybersecurity
subdomain: soc-operations
tags: [soc, splunk, windows-events, sysmon, event-logs, mitre-attack, active-directory]
version: "1.0"
tags:
- soc
- splunk
- windows-events
- sysmon
- event-logs
- mitre-attack
- active-directory
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Restore Access
- Password Authentication
- Biometric Authentication
- Strong Password Policy
- Restore User Account Access
---
# Analyzing Windows Event Logs in Splunk
skills/auditing-cloud-with-cis-benchmarks/SKILL.md
+16 -7
View File
@@ -1,17 +1,26 @@
---
name: auditing-cloud-with-cis-benchmarks
description: >
This skill details how to conduct cloud security audits using Center for Internet
Security benchmarks for AWS, Azure, and GCP. It covers interpreting CIS Foundations
Benchmark controls, running automated assessments with tools like Prowler and
ScoutSuite, remediating failed controls, and maintaining continuous compliance
monitoring against CIS v5 for AWS, v4 for Azure, and v4 for GCP.
description: 'This skill details how to conduct cloud security audits using Center for Internet Security benchmarks for AWS,
Azure, and GCP. It covers interpreting CIS Foundations Benchmark controls, running automated assessments with tools like
Prowler and ScoutSuite, remediating failed controls, and maintaining continuous compliance monitoring against CIS v5 for
AWS, v4 for Azure, and v4 for GCP.
'
domain: cybersecurity
subdomain: cloud-security
tags: [cis-benchmarks, cloud-audit, compliance-assessment, prowler, security-hardening]
tags:
- cis-benchmarks
- cloud-audit
- compliance-assessment
- prowler
- security-hardening
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- GOVERN-1.1
- GOVERN-4.2
- MAP-2.3
---
# Auditing Cloud with CIS Benchmarks
skills/building-attack-pattern-library-from-cti-reports/SKILL.md
+18 -3
View File
@@ -1,12 +1,27 @@
---
name: building-attack-pattern-library-from-cti-reports
description: Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering and threat-informed defense.
description: Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library
mapped to MITRE ATT&CK for detection engineering and threat-informed defense.
domain: cybersecurity
subdomain: threat-intelligence
tags: [attack-pattern, cti-reports, mitre-attack, stix, detection-engineering, threat-intelligence, nlp, extraction]
version: "1.0"
tags:
- attack-pattern
- cti-reports
- mitre-attack
- stix
- detection-engineering
- threat-intelligence
- nlp
- extraction
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
---
# Building Attack Pattern Library from CTI Reports
skills/building-c2-infrastructure-with-sliver-framework/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: building-c2-infrastructure-with-sliver-framework
description: Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements.
description: Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with
redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements.
domain: cybersecurity
subdomain: red-teaming
tags: [red-team, c2-framework, sliver, command-and-control, adversary-simulation, infrastructure, post-exploitation]
version: "1.0"
tags:
- red-team
- c2-framework
- sliver
- command-and-control
- adversary-simulation
- infrastructure
- post-exploitation
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Certificate Analysis
- Application Protocol Command Analysis
- Content Format Conversion
- File Content Analysis
---
# Building C2 Infrastructure with Sliver Framework
skills/building-cloud-siem-with-sentinel/SKILL.md
+20 -7
View File
@@ -1,17 +1,30 @@
---
name: building-cloud-siem-with-sentinel
description: >
This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR
platform for centralized security operations. It details configuring data connectors
for multi-cloud log ingestion, writing KQL detection queries, building automated
response playbooks with Logic Apps, and leveraging the Sentinel data lake for
petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry.
description: 'This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR platform for centralized security
operations. It details configuring data connectors for multi-cloud log ingestion, writing KQL detection queries, building
automated response playbooks with Logic Apps, and leveraging the Sentinel data lake for petabyte-scale threat hunting across
AWS, Azure, and GCP security telemetry.
'
domain: cybersecurity
subdomain: cloud-security
tags: [microsoft-sentinel, cloud-siem, kql-queries, soar-automation, threat-detection]
tags:
- microsoft-sentinel
- cloud-siem
- kql-queries
- soar-automation
- threat-detection
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
---
# Building Cloud SIEM with Sentinel
skills/building-detection-rule-with-splunk-spl/SKILL.md
+18 -3
View File
@@ -1,12 +1,27 @@
---
name: building-detection-rule-with-splunk-spl
description: Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify security threats in SOC environments.
description: Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify
security threats in SOC environments.
domain: cybersecurity
subdomain: soc-operations
tags: [splunk, spl, detection-engineering, correlation-search, siem, soc, threat-detection, enterprise-security]
version: "1.0"
tags:
- splunk
- spl
- detection-engineering
- correlation-search
- siem
- soc
- threat-detection
- enterprise-security
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
---
# Building Detection Rules with Splunk SPL
skills/building-detection-rules-with-sigma/SKILL.md
+22 -7
View File
@@ -1,16 +1,31 @@
---
name: building-detection-rules-with-sigma
description: >
Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across
SIEM platforms including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable
detection logic from threat intelligence, mapping rules to MITRE ATT&CK techniques, or converting
community Sigma rules into platform-specific queries using sigmac or pySigma backends.
description: 'Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms
including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence,
mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac
or pySigma backends.
'
domain: cybersecurity
subdomain: soc-operations
tags: [soc, sigma, detection-rules, siem, mitre-attack, splunk, elastic, sentinel]
version: "1.0"
tags:
- soc
- sigma
- detection-rules
- siem
- mitre-attack
- splunk
- elastic
- sentinel
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Execution Isolation
- Process Termination
- Hardware-based Process Isolation
- Web Session Access Mediation
- Process Suspension
---
# Building Detection Rules with Sigma
skills/building-identity-governance-lifecycle-process/SKILL.md
+18 -8
View File
@@ -1,17 +1,27 @@
---
name: building-identity-governance-lifecycle-process
description: >
Builds comprehensive identity governance and lifecycle management processes including
joiner-mover-leaver automation, role mining, access request workflows, periodic
recertification, and orphaned account remediation using IGA platforms.
Activates for requests involving identity lifecycle management, JML processes,
role-based access provisioning, or identity governance program design.
description: 'Builds comprehensive identity governance and lifecycle management processes including joiner-mover-leaver automation,
role mining, access request workflows, periodic recertification, and orphaned account remediation using IGA platforms. Activates
for requests involving identity lifecycle management, JML processes, role-based access provisioning, or identity governance
program design.
'
domain: cybersecurity
subdomain: identity-access-management
tags: [identity-governance, lifecycle-management, JML, access-provisioning, RBAC, IGA]
version: "1.0"
tags:
- identity-governance
- lifecycle-management
- JML
- access-provisioning
- RBAC
- IGA
version: '1.0'
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- GOVERN-1.1
- GOVERN-1.7
- MAP-1.1
---
# Building Identity Governance Lifecycle Process
skills/building-incident-timeline-with-timesketch/SKILL.md
+10 -244
View File
@@ -1,245 +1,11 @@
---
name: building-incident-timeline-with-timesketch
description: Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source event data for attack chain reconstruction and investigation documentation.
domain: cybersecurity
subdomain: incident-response
tags: [timesketch, timeline-analysis, forensic-timeline, plaso, dfir, incident-investigation, collaborative-forensics]
mitre_attack: ["T1070", "T1059", "T1053"]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Building Incident Timeline with Timesketch
## Overview
Timesketch is an open-source collaborative forensic timeline analysis tool developed by Google that enables security teams to visualize and analyze chronological data from multiple sources during incident investigations. It ingests logs and artifacts from endpoints, servers, and cloud services, normalizes them into a unified searchable timeline, and provides powerful analysis capabilities including built-in analyzers, tagging, sketch annotations, and story building. Timesketch integrates with Plaso (log2timeline) for artifact parsing and supports direct CSV/JSONL ingestion for rapid timeline construction during active incidents.
## When to Use
- When deploying or configuring building incident timeline with timesketch capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with incident response concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Architecture and Components
### Core Components
- **Timesketch Server**: Web application with REST API for timeline management
- **OpenSearch/Elasticsearch**: Backend storage and search engine for timeline events
- **PostgreSQL**: Metadata storage for sketches, stories, and user data
- **Redis**: Task queue management for background processing
- **Celery Workers**: Asynchronous processing of timeline uploads and analyzers
### Data Flow
```
Evidence Sources --> Plaso/log2timeline --> Plaso storage file (.plaso)
| |
v v
CSV/JSONL --> Timesketch Importer --> OpenSearch Index
|
v
Timesketch Web UI
(Search, Analyze, Story)
```
## Deployment
### Docker Deployment (Recommended)
```bash
# Clone Timesketch repository
git clone https://github.com/google/timesketch.git
cd timesketch
# Run deployment helper script
cd docker
sudo docker compose up -d
# Default access: https://localhost:443
# Admin credentials generated during first run
```
### System Requirements
- Minimum 8 GB RAM (16+ GB recommended for large investigations)
- 4 CPU cores minimum
- SSD storage for OpenSearch indices
- Docker and Docker Compose installed
## Data Ingestion Methods
### Method 1: Plaso Integration (Comprehensive)
```bash
# Process disk image with log2timeline
log2timeline.py --storage-file evidence.plaso /path/to/disk/image
# Process Windows event logs
log2timeline.py --parsers winevtx --storage-file windows_events.plaso /path/to/evtx/
# Process multiple evidence sources
log2timeline.py --parsers "winevtx,prefetch,amcache,shimcache,userassist" \
--storage-file full_analysis.plaso /path/to/mounted/image/
# Import Plaso file into Timesketch
timesketch_importer -s "Case-2025-001" -t "Endpoint-WKS01" evidence.plaso
```
### Method 2: CSV Import (Quick Ingestion)
```csv
message,datetime,timestamp_desc,source,hostname
"User login detected","2025-01-15T08:30:00Z","Event Recorded","Security Log","DC01"
"PowerShell execution","2025-01-15T08:31:15Z","Event Recorded","PowerShell","WKS042"
```
```bash
# Import CSV directly
timesketch_importer -s "Case-2025-001" -t "Quick-Triage" events.csv
```
### Method 3: JSONL Import (Structured Data)
```json
{"message": "Suspicious logon from 10.1.2.3", "datetime": "2025-01-15T08:30:00Z", "timestamp_desc": "Event Recorded", "source_short": "Security", "hostname": "DC01"}
```
### Method 4: Sigma Rule Integration
```bash
# Upload Sigma rules for automated detection
timesketch_importer --sigma-rules /path/to/sigma/rules/
```
## Analysis Workflow
### Step 1: Create Investigation Sketch
```
1. Log into Timesketch web interface
2. Create new sketch (investigation case)
3. Add relevant timelines to the sketch
4. Set sketch description and tags
```
### Step 2: Run Built-in Analyzers
Timesketch includes analyzers that automatically identify:
- **Browser Search Analyzer**: Extracts search queries from browser history
- **Chain of Events Analyzer**: Links related events (download -> execute)
- **Domain Analyzer**: Extracts and categorizes domain names
- **Feature Extraction Analyzer**: Identifies IPs, URLs, hashes
- **Geo Location Analyzer**: Maps events to geographic locations
- **Similarity Scorer**: Finds similar events across timelines
- **Sigma Analyzer**: Matches events against Sigma detection rules
- **Account Finder**: Identifies user account activity patterns
- **Tagger**: Applies labels based on predefined rules
### Step 3: Search and Filter
```
# Search examples in Timesketch query language
# Find all events related to specific user
source_short:Security AND message:"john.admin"
# Find PowerShell execution events
data_type:"windows:evtx:record" AND event_identifier:4104
# Find lateral movement indicators
source_short:Security AND event_identifier:4624 AND xml_string:"LogonType\">3"
# Find events within specific time range
datetime:[2025-01-15T00:00:00 TO 2025-01-15T23:59:59]
# Find file creation events
data_type:"fs:stat" AND timestamp_desc:"Creation Time"
# Search with tags
tag:"suspicious" OR tag:"lateral_movement"
```
### Step 4: Build Investigation Story
```
1. Create new story within the sketch
2. Add search views that support each finding
3. Annotate key events with investigator notes
4. Link events to MITRE ATT&CK techniques
5. Document the attack narrative chronologically
6. Export story for inclusion in incident report
```
## Advanced Features
### Collaborative Investigation
- Multiple analysts work on the same sketch simultaneously
- Comments and annotations persist on events
- Saved searches shared across the team
- Investigation stories document findings in context
### API Automation
```python
from timesketch_api_client import config
from timesketch_api_client import client as ts_client
# Connect to Timesketch
ts = ts_client.TimesketchApi(
host_uri="https://timesketch.local",
username="analyst",
password="password"
)
# Get sketch
sketch = ts.get_sketch(1)
# Search events
search = sketch.explore(
query_string='event_identifier:4624 AND LogonType:3',
return_fields='datetime,message,hostname,source_short'
)
# Add tags to events
for event in search.get('objects', []):
sketch.tag_event(event['_id'], ['lateral_movement'])
```
### Integration with Dissect
```bash
# Use Dissect for faster artifact parsing (alternative to Plaso)
target-query -f timesketch://timesketch.local/case-001 \
targets/hostname/ -q "windows.evtx" --limit 0
```
## Key Data Sources for Timeline Building
| Source | Parser | Evidence Value |
|--------|--------|---------------|
| Windows Event Logs (.evtx) | winevtx | Authentication, process execution, services |
| Prefetch Files | prefetch | Program execution history |
| MFT ($MFT) | mft | File system activity |
| Registry Hives | winreg | System configuration, persistence |
| Browser History | chrome/firefox | Web activity, downloads |
| Syslog | syslog | Linux/network device events |
| CloudTrail Logs | jsonl | AWS API activity |
| Azure Activity Logs | jsonl | Azure resource operations |
| Firewall Logs | csv/jsonl | Network connections |
| Proxy Logs | csv/jsonl | HTTP/HTTPS traffic |
## MITRE ATT&CK Mapping
| Technique | Timeline Indicators |
|-----------|-------------------|
| Initial Access (TA0001) | First malicious event, phishing email receipt |
| Execution (T1059) | PowerShell/CMD events, process creation |
| Persistence (TA0003) | Registry modifications, scheduled tasks, services |
| Lateral Movement (TA0008) | Remote logons, SMB connections, RDP sessions |
| Exfiltration (TA0010) | Large data transfers, cloud storage uploads |
## References
- [Timesketch Official Documentation](https://timesketch.org/)
- [Timesketch GitHub Repository](https://github.com/google/timesketch)
- [CISA Timesketch Resource](https://www.cisa.gov/resources-tools/services/timesketch)
- [Hunt and Hackett: Scalable Forensics with Dissect and Timesketch](https://www.huntandhackett.com/blog/scalable-forensics-timeline-analysis-using-dissect-and-timesketch)
- [Plaso (log2timeline) Documentation](https://plaso.readthedocs.io/)
{}
---tags:
- timesketch
- timeline-analysis
- forensic-timeline
- plaso
- dfir
- incident-investigation
- collaborative-forensics
version: '1.0'
skills/building-red-team-c2-infrastructure-with-havoc/SKILL.md
+20 -3
View File
@@ -1,12 +1,29 @@
---
name: building-red-team-c2-infrastructure-with-havoc
description: Deploy and configure the Havoc C2 framework with teamserver, HTTPS listeners, redirectors, and Demon agents for authorized red team operations.
description: Deploy and configure the Havoc C2 framework with teamserver, HTTPS listeners, redirectors, and Demon agents for
authorized red team operations.
domain: cybersecurity
subdomain: red-teaming
tags: [havoc-c2, command-and-control, red-team-infrastructure, post-exploitation, adversary-emulation, demon-agent]
version: "1.0"
tags:
- havoc-c2
- command-and-control
- red-team-infrastructure
- post-exploitation
- adversary-emulation
- demon-agent
version: '1.0'
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- GOVERN-1.1
- MEASURE-2.7
- MANAGE-3.1
d3fend_techniques:
- File Metadata Consistency Validation
- Certificate Analysis
- Application Protocol Command Analysis
- Content Format Conversion
- File Content Analysis
---
# Building Red Team C2 Infrastructure with Havoc
skills/building-soc-metrics-and-kpi-tracking/SKILL.md
+23 -7
View File
@@ -1,16 +1,32 @@
---
name: building-soc-metrics-and-kpi-tracking
description: >
Builds SOC performance metrics and KPI tracking dashboards measuring Mean Time to Detect (MTTD),
Mean Time to Respond (MTTR), alert quality ratios, analyst productivity, and detection coverage
using SIEM data. Use when SOC leadership needs operational visibility, continuous improvement
tracking, or executive-level reporting on security operations effectiveness.
description: 'Builds SOC performance metrics and KPI tracking dashboards measuring Mean Time to Detect (MTTD), Mean Time to
Respond (MTTR), alert quality ratios, analyst productivity, and detection coverage using SIEM data. Use when SOC leadership
needs operational visibility, continuous improvement tracking, or executive-level reporting on security operations effectiveness.
'
domain: cybersecurity
subdomain: soc-operations
tags: [soc, metrics, kpi, mttd, mttr, dashboard, reporting, continuous-improvement]
version: "1.0"
tags:
- soc
- metrics
- kpi
- mttd
- mttr
- dashboard
- reporting
- continuous-improvement
version: '1.0'
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
---
# Building SOC Metrics and KPI Tracking
skills/building-soc-playbook-for-ransomware/SKILL.md
+10 -261
View File
@@ -1,262 +1,11 @@
---
name: building-soc-playbook-for-ransomware
description: >
Builds a structured SOC incident response playbook for ransomware attacks covering detection,
containment, eradication, and recovery phases with specific SIEM queries, isolation procedures,
and decision trees. Use when SOC teams need formalized response procedures for ransomware
incidents aligned to NIST SP 800-61 and MITRE ATT&CK ransomware techniques.
domain: cybersecurity
subdomain: soc-operations
tags: [soc, ransomware, incident-response, playbook, nist, mitre-attack, containment]
mitre_attack: ["T1486", "T1490", "T1489", "T1570"]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Building SOC Playbook for Ransomware
## When to Use
Use this skill when:
- SOC teams need a standardized ransomware response playbook for Tier 1-3 analysts
- An organization lacks documented procedures for ransomware containment and recovery
- Tabletop exercises reveal gaps in ransomware response coordination
- Compliance requirements (NIST CSF, ISO 27001) mandate documented incident playbooks
**Do not use** during an active ransomware incident as the sole guide — have pre-built playbooks tested and rehearsed before incidents occur.
## Prerequisites
- SIEM platform (Splunk ES, Elastic Security, or Sentinel) with endpoint and network data
- EDR solution (CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint) with network isolation capability
- Backup infrastructure with tested recovery procedures and offline/immutable backups
- Communication plan with legal, executive leadership, and external IR retainer contacts
- MITRE ATT&CK knowledge for ransomware technique chains
## Workflow
### Step 1: Define Detection Triggers
Create SIEM detection rules for early ransomware indicators:
**Mass File Encryption Detection (Splunk):**
```spl
index=sysmon EventCode=11
| bin _time span=1m
| stats dc(TargetFilename) AS unique_files, values(TargetFilename) AS sample_files by Computer, Image, _time
| where unique_files > 100
| eval suspicious_extensions = if(match(mvjoin(sample_files, ","), "\.(encrypted|locked|crypt|enc|ransom)"), "YES", "NO")
| where suspicious_extensions="YES" OR unique_files > 500
| sort - unique_files
```
**Shadow Copy Deletion (T1490):**
```spl
index=wineventlog sourcetype="WinEventLog:Security" OR index=sysmon EventCode=1
(CommandLine="*vssadmin*delete*shadows*" OR CommandLine="*wmic*shadowcopy*delete*"
OR CommandLine="*bcdedit*/set*recoveryenabled*no*" OR CommandLine="*wbadmin*delete*catalog*")
| table _time, Computer, User, ParentImage, Image, CommandLine
```
**Ransomware Note File Creation:**
```spl
index=sysmon EventCode=11
TargetFilename IN ("*README*.txt", "*DECRYPT*.txt", "*RANSOM*.txt", "*RECOVER*.html", "*HOW_TO*.txt")
| stats count by Computer, Image, TargetFilename
| where count > 5
```
**Elastic Security EQL variant:**
```eql
sequence by host.name with maxspan=2m
[process where event.type == "start" and
process.args : ("*vssadmin*", "*delete*", "*shadows*")]
[file where event.type == "creation" and
file.name : ("*README*DECRYPT*", "*RANSOM*", "*HOW_TO_RECOVER*")]
```
### Step 2: Build Triage Decision Tree
```
RANSOMWARE ALERT TRIAGE
├── Is encryption actively occurring?
│ ├── YES → IMMEDIATE: Isolate host from network (Step 3)
│ │ Do NOT power off (preserve memory for forensics)
│ └── NO → Is this a pre-encryption indicator?
│ ├── Shadow copy deletion → HIGH PRIORITY: Isolate and investigate
│ ├── Known ransomware hash → HIGH PRIORITY: Block hash, scan enterprise
│ └── Suspicious process behavior → MEDIUM: Investigate, prepare isolation
├── How many hosts affected?
│ ├── Single host → Contained incident, follow host isolation procedure
│ ├── Multiple hosts (2-10) → Escalate to Tier 2, begin enterprise-wide scan
│ └── Enterprise-wide (>10) → Activate full IR team, engage external retainer
└── Is data exfiltration confirmed?
├── YES → Double extortion scenario, engage legal for breach notification
└── NO/UNKNOWN → Check for Cobalt Strike/C2 beacons, review outbound transfers
```
### Step 3: Containment Procedures
**Network Isolation via EDR (CrowdStrike Falcon):**
```bash
# Isolate host using CrowdStrike Falcon API
curl -X POST "https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=contain" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"ids": ["device_id_here"]}'
```
**Network Isolation via Microsoft Defender for Endpoint:**
```powershell
# Isolate machine via MDE API
$headers = @{Authorization = "Bearer $token"}
$body = @{Comment = "Ransomware containment - IR-2024-0500"; IsolationType = "Full"} | ConvertTo-Json
Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/machines/$machineId/isolate" `
-Method Post -Headers $headers -Body $body -ContentType "application/json"
```
**Firewall Emergency Rules:**
```
# Palo Alto — Block SMB lateral spread
set rulebase security rules RansomwareContainment from Trust to Trust
set rulebase security rules RansomwareContainment application ms-ds-smb
set rulebase security rules RansomwareContainment action deny
set rulebase security rules RansomwareContainment disabled no
commit
```
**Active Directory Emergency Actions:**
```powershell
# Disable compromised account
Disable-ADAccount -Identity "compromised_user"
# Reset Kerberos TGT (if domain admin compromised)
# WARNING: This resets krbtgt and requires two resets 12+ hours apart
Reset-KrbtgtKeys -Server "DC-PRIMARY" -Force
# Block lateral movement by disabling remote services
Set-Service -Name "RemoteRegistry" -StartupType Disabled -Status Stopped
```
### Step 4: Evidence Collection and Preservation
Collect forensic artifacts before remediation:
```powershell
# Capture running processes and network connections
Get-Process | Export-Csv "C:\IR\processes_$(hostname).csv"
Get-NetTCPConnection | Export-Csv "C:\IR\netstat_$(hostname).csv"
# Capture memory dump (if host still running)
winpmem_mini_x64.exe C:\IR\memory_$(hostname).raw
# Collect ransomware artifacts
Copy-Item "C:\Users\*\Desktop\*README*" "C:\IR\ransom_notes\" -Recurse
Copy-Item "C:\Users\*\Desktop\*.encrypted" "C:\IR\encrypted_samples\" -Force
# Capture event logs
wevtutil epl Security "C:\IR\Security_$(hostname).evtx"
wevtutil epl System "C:\IR\System_$(hostname).evtx"
wevtutil epl "Microsoft-Windows-Sysmon/Operational" "C:\IR\Sysmon_$(hostname).evtx"
```
### Step 5: Eradication and Recovery
**Identify ransomware variant:**
- Upload encrypted sample and ransom note to ID Ransomware (https://id-ransomware.malwarehunterteam.com/)
- Check No More Ransom Project (https://www.nomoreransom.org/) for available decryptors
- Search for ransomware family IOCs in MalwareBazaar
**Enterprise-wide IOC scan in Splunk:**
```spl
index=sysmon (EventCode=1 OR EventCode=11 OR EventCode=3)
(TargetFilename="*ransomware_binary_name*" OR sha256="KNOWN_HASH"
OR DestinationIp="C2_IP_ADDRESS" OR CommandLine="*malicious_command*")
| stats count by Computer, EventCode, Image, CommandLine
| sort - count
```
**Recovery from backups:**
1. Verify backup integrity (offline/immutable backups not affected)
2. Rebuild affected systems from known-good images
3. Restore data from last clean backup
4. Validate restored systems before reconnecting to network
5. Monitor restored systems for 72 hours for reinfection
### Step 6: Post-Incident Documentation
Structure the playbook conclusion with lessons learned:
```
POST-INCIDENT REVIEW TEMPLATE
1. Timeline of events (detection to full recovery)
2. Initial access vector identification
3. Dwell time analysis (time from initial compromise to encryption)
4. Detection gaps identified
5. Response effectiveness metrics (MTTD, MTTC, MTTR)
6. Playbook improvements recommended
7. New detection rules deployed
8. Backup and recovery procedure updates
```
## Key Concepts
| Term | Definition |
|------|-----------|
| **Double Extortion** | Ransomware tactic combining data encryption with data theft, threatening public release if ransom unpaid |
| **Dwell Time** | Duration between initial compromise and detection — ransomware operators average 5-9 days before encryption |
| **MTTC** | Mean Time to Contain — time from detection to successful isolation of affected systems |
| **Kill Chain** | Ransomware progression: Initial Access -> Execution -> Persistence -> Privilege Escalation -> Lateral Movement -> Collection -> Exfiltration -> Impact |
| **Immutable Backup** | Backup storage that cannot be modified or deleted for a defined retention period (WORM storage) |
| **RTO/RPO** | Recovery Time Objective / Recovery Point Objective — maximum acceptable downtime and data loss thresholds |
## Tools & Systems
- **CrowdStrike Falcon / SentinelOne**: EDR platforms with network isolation, process kill, and threat hunting capabilities
- **Splunk ES / Elastic Security**: SIEM platforms for detection rule deployment and enterprise-wide IOC scanning
- **ID Ransomware**: Online service identifying ransomware variants from encrypted file samples and ransom notes
- **No More Ransom Project**: Europol-backed initiative providing free decryption tools for known ransomware families
- **Veeam / Rubrik**: Enterprise backup solutions with immutable backup support and instant recovery capabilities
## Common Scenarios
- **LockBit Attack**: Detected via SMB lateral movement and mass file encryption — isolate, scan for Cobalt Strike beacons
- **BlackCat/ALPHV**: Detected via ransomware note creation — check for data exfiltration via Rclone or Mega upload
- **Conti/Royal**: Detected via shadow copy deletion — check for prior BazarLoader/Emotet initial access
- **RansomHub**: Detected via anomalous process execution — investigate for compromised VPN or RDP credentials
- **Play Ransomware**: Detected via service account abuse — audit AD for newly created accounts and group membership changes
## Output Format
```
RANSOMWARE PLAYBOOK EXECUTION — IR-2024-0500
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Phase 1 - Detection:
Alert: Mass file encryption detected on FILESERVER-03
Variant: LockBit 3.0 (confirmed via ID Ransomware)
MTTD: 12 minutes from first encryption to SOC alert
Phase 2 - Containment:
[DONE] FILESERVER-03 isolated via CrowdStrike at 14:35 UTC
[DONE] SMB blocked enterprise-wide via firewall emergency rule
[DONE] Compromised service account disabled in AD
MTTC: 23 minutes
Phase 3 - Eradication:
[DONE] 3 additional hosts with C2 beacon identified and isolated
[DONE] Cobalt Strike C2 domain (c2[.]evil[.]com) sinkholed
[DONE] Enterprise-wide IOC scan completed — no additional infections
Phase 4 - Recovery:
[DONE] FILESERVER-03 rebuilt from gold image
[DONE] Data restored from immutable Veeam backup (RPO: 4 hours)
[DONE] Systems monitored 72 hours — no reinfection
MTTR: 18 hours
Total Affected: 1 server, 3 workstations
Data Loss: 4 hours of file modifications (backup RPO)
Exfiltration: No evidence of data exfiltration confirmed
```
{}
---tags:
- soc
- ransomware
- incident-response
- playbook
- nist
- mitre-attack
- containment
version: '1.0'
skills/conducting-cloud-penetration-testing/SKILL.md
+25 -6
View File
@@ -1,17 +1,36 @@
---
name: conducting-cloud-penetration-testing
description: >
This skill outlines methodologies for performing authorized penetration testing against
AWS, Azure, and GCP cloud environments. It covers understanding the shared responsibility
model for testing scope, leveraging cloud-specific attack tools like Pacu and ScoutSuite,
exploiting IAM misconfigurations, testing for SSRF to cloud metadata services, and
description: 'This skill outlines methodologies for performing authorized penetration testing against AWS, Azure, and GCP
cloud environments. It covers understanding the shared responsibility model for testing scope, leveraging cloud-specific
attack tools like Pacu and ScoutSuite, exploiting IAM misconfigurations, testing for SSRF to cloud metadata services, and
reporting findings aligned to MITRE ATT&CK Cloud matrix.
'
domain: cybersecurity
subdomain: cloud-security
tags: [cloud-pentesting, offensive-security, aws-exploitation, shared-responsibility, mitre-attack-cloud]
tags:
- cloud-pentesting
- offensive-security
- aws-exploitation
- shared-responsibility
- mitre-attack-cloud
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
d3fend_techniques:
- Token Binding
- Restore Access
- Application Protocol Command Analysis
- Reissue Credential
- Network Isolation
---
# Conducting Cloud Penetration Testing
skills/conducting-domain-persistence-with-dcsync/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: conducting-domain-persistence-with-dcsync
description: Perform DCSync attacks to replicate Active Directory credentials and establish domain persistence by extracting KRBTGT, Domain Admin, and service account hashes for Golden Ticket creation.
description: Perform DCSync attacks to replicate Active Directory credentials and establish domain persistence by extracting
KRBTGT, Domain Admin, and service account hashes for Golden Ticket creation.
domain: cybersecurity
subdomain: red-teaming
tags: [red-team, active-directory, dcsync, persistence, credential-dumping, golden-ticket, mimikatz]
version: "1.0"
tags:
- red-team
- active-directory
- dcsync
- persistence
- credential-dumping
- golden-ticket
- mimikatz
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Platform Monitoring
---
# Conducting Domain Persistence with DCSync
skills/conducting-full-scope-red-team-engagement/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: conducting-full-scope-red-team-engagement
description: Plan and execute a comprehensive red team engagement covering reconnaissance through post-exploitation using MITRE ATT&CK-aligned TTPs to evaluate an organization's detection and response capabilities.
description: Plan and execute a comprehensive red team engagement covering reconnaissance through post-exploitation using
MITRE ATT&CK-aligned TTPs to evaluate an organization's detection and response capabilities.
domain: cybersecurity
subdomain: red-teaming
tags: [red-team, adversary-emulation, mitre-attack, penetration-testing, offensive-security, purple-team, ttp-mapping]
version: "1.0"
tags:
- red-team
- adversary-emulation
- mitre-attack
- penetration-testing
- offensive-security
- purple-team
- ttp-mapping
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
---
# Conducting Full-Scope Red Team Engagement
skills/conducting-internal-network-penetration-test/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: conducting-internal-network-penetration-test
description: Execute an internal network penetration test simulating an insider threat or post-breach attacker to identify lateral movement paths, privilege escalation vectors, and sensitive data exposure within the corporate network.
description: Execute an internal network penetration test simulating an insider threat or post-breach attacker to identify
lateral movement paths, privilege escalation vectors, and sensitive data exposure within the corporate network.
domain: cybersecurity
subdomain: penetration-testing
tags: [internal-pentest, lateral-movement, privilege-escalation, Responder, Impacket, assumed-breach, network-security]
version: "1.0"
tags:
- internal-pentest
- lateral-movement
- privilege-escalation
- Responder
- Impacket
- assumed-breach
- network-security
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Network Traffic Community Deviation
---
# Conducting Internal Network Penetration Test
skills/conducting-internal-reconnaissance-with-bloodhound-ce/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: conducting-internal-reconnaissance-with-bloodhound-ce
description: Conduct internal Active Directory reconnaissance using BloodHound Community Edition to map attack paths, identify privilege escalation chains, and discover misconfigurations in domain environments.
description: Conduct internal Active Directory reconnaissance using BloodHound Community Edition to map attack paths, identify
privilege escalation chains, and discover misconfigurations in domain environments.
domain: cybersecurity
subdomain: red-teaming
tags: [red-team, reconnaissance, bloodhound, active-directory, attack-paths, privilege-escalation, graph-analysis]
version: "1.0"
tags:
- red-team
- reconnaissance
- bloodhound
- active-directory
- attack-paths
- privilege-escalation
- graph-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Restore Access
- Password Authentication
- Biometric Authentication
- Strong Password Policy
- Restore User Account Access
---
# Conducting Internal Reconnaissance with BloodHound CE
skills/conducting-malware-incident-response/SKILL.md
+7 -206
View File
@@ -1,207 +1,8 @@
---
name: conducting-malware-incident-response
description: >
Responds to malware infections across enterprise endpoints by identifying the
malware family, determining infection vectors, assessing spread, and executing
eradication procedures. Covers the full lifecycle from detection through
containment, analysis, removal, and recovery. Activates for requests involving
malware response, malware eradication, trojan removal, worm containment, malware
triage, or infected endpoint remediation.
domain: cybersecurity
subdomain: incident-response
tags: [malware-response, malware-analysis, eradication, endpoint-remediation, MITRE-ATT&CK]
mitre_attack: ["T1204", "T1027", "T1055", "T1059", "T1486"]
version: 1.0.0
author: mahipal
license: Apache-2.0
---
# Conducting Malware Incident Response
## When to Use
- EDR or antivirus detects malware execution on one or more endpoints
- A user reports suspicious system behavior indicative of malware infection
- Threat intelligence indicates a malware campaign targeting the organization's industry
- Network monitoring detects beaconing traffic consistent with known malware C2 patterns
- A file detonation in a sandbox returns a malicious verdict
**Do not use** for analyzing malware samples in a research context; use dedicated malware analysis procedures for reverse engineering.
## Prerequisites
- EDR platform with process tree visibility and host isolation capability
- Malware sandbox environment (Cuckoo, ANY.RUN, Joe Sandbox, Hybrid Analysis)
- Access to threat intelligence platforms for malware family identification (VirusTotal, MalwareBazaar)
- Forensic imaging tools for evidence preservation (FTK Imager, KAPE)
- Clean system images or gold images for endpoint rebuild
- MITRE ATT&CK framework reference for technique mapping
## Workflow
### Step 1: Detect and Confirm Malware Presence
Validate the malware alert and gather initial indicators:
- Review EDR alert details: detection name, file path, hash (SHA-256), process tree
- Check if the detection is a known malware family or generic heuristic detection
- Query the file hash against VirusTotal, MalwareBazaar, and internal threat intelligence
- Examine the process execution chain to determine how the malware was delivered
```
Detection Summary:
File: C:\Users\jsmith\AppData\Local\Temp\update.exe
SHA-256: a1b2c3d4e5f6...
Detection: CrowdStrike: Malware/Qakbot | VirusTotal: 58/72 engines
Parent: WINWORD.EXE → cmd.exe → powershell.exe → update.exe
Delivery: Email attachment (Invoice-Nov2025.docm)
Network: HTTPS POST to 185.220.101[.]42:443 every 60s
Persistence: Scheduled Task "WindowsUpdate" → update.exe
```
### Step 2: Scope the Infection
Determine how many systems are affected and the malware's propagation method:
- Use EDR to search for the malware hash, filename, and behavioral indicators across all endpoints
- Check for network-based spreading (SMB, WMI, PsExec, exploitation)
- Query email gateway logs for all recipients of the delivery email
- Search for C2 communications to the identified infrastructure from other internal hosts
- Check for persistence mechanisms on all identified infected hosts
### Step 3: Contain Infected Systems
Execute containment per the active breach containment procedures:
- Network-isolate infected endpoints via EDR containment
- Block malware C2 infrastructure at firewall and DNS
- Block the malware hash in EDR prevention policy organization-wide
- Quarantine the delivery email from all mailboxes (if email-delivered)
- Disable compromised user accounts if credential theft is suspected
### Step 4: Analyze the Malware
Perform sufficient analysis to support complete eradication:
- Submit the sample to a sandbox for dynamic analysis (behavioral report, dropped files, network IOCs)
- Identify all persistence mechanisms: registry keys, scheduled tasks, services, WMI subscriptions, startup folders
- Document all file system artifacts: dropped files, modified files, created directories
- Extract network IOCs: C2 domains, IPs, URLs, user agents, JA3/JA3S hashes
- Map observed behaviors to MITRE ATT&CK techniques
```
Malware Analysis Summary - Qakbot Variant
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Initial Access: T1566.001 - Spearphishing Attachment (.docm)
Execution: T1059.001 - PowerShell (encoded downloader)
Persistence: T1053.005 - Scheduled Task
Defense Evasion: T1055.012 - Process Hollowing (explorer.exe)
C2: T1071.001 - HTTPS with custom headers
Collection: T1005 - Data from Local System (browser credentials)
Exfiltration: T1041 - Exfiltration Over C2 Channel
Artifacts:
- C:\Users\*\AppData\Local\Temp\update.exe (dropper)
- C:\ProgramData\Microsoft\{GUID}\config.dll (payload)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{random} (backup persistence)
- Scheduled Task: "WindowsUpdate" (primary persistence)
```
### Step 5: Eradicate the Malware
Remove all malware artifacts from every infected system:
- Terminate malicious processes and injected threads
- Delete malware files from all identified paths
- Remove persistence mechanisms (scheduled tasks, registry keys, services, WMI subscriptions)
- Clear browser credential stores if credential harvesting was confirmed
- Run a full EDR scan to verify no artifacts remain
- If eradication confidence is low, reimage the system from a known-clean gold image
### Step 6: Recover and Validate
Restore systems to production and verify clean status:
- Reconnect contained systems to the network in stages
- Monitor for 72 hours for any recurrence of malware indicators
- Force password resets for all users on infected endpoints
- Verify that C2 traffic has completely ceased across the environment
- Update detection rules based on newly discovered IOCs from the investigation
- Distribute IOCs to threat intelligence sharing partners (ISAC, MISP)
## Key Concepts
| Term | Definition |
|------|------------|
| **Malware Family** | Classification of malware variants sharing code, infrastructure, or behavior patterns (e.g., Qakbot, Emotet, Cobalt Strike) |
| **Process Hollowing** | Technique where malware creates a legitimate process in a suspended state, replaces its memory with malicious code, then resumes execution |
| **Beacon** | Periodic network communication from malware to its C2 server, typically with a set interval and jitter for detection evasion |
| **Dropper** | Initial malware component that downloads or unpacks the primary payload; often delivered via phishing |
| **Persistence Mechanism** | Method used by malware to survive system reboots (registry run keys, scheduled tasks, services, WMI event subscriptions) |
| **IOC (Indicator of Compromise)** | Observable artifact such as file hash, IP address, domain, or registry key that indicates malware presence |
## Tools & Systems
- **CrowdStrike Falcon / Microsoft Defender for Endpoint**: EDR platforms for detection, containment, and threat hunting
- **ANY.RUN / Joe Sandbox**: Interactive malware sandboxes for dynamic behavioral analysis
- **VirusTotal / MalwareBazaar**: Malware intelligence platforms for sample identification and IOC enrichment
- **KAPE (Kroll Artifact Parser and Extractor)**: Forensic triage tool for rapid artifact collection from infected endpoints
- **YARA**: Pattern-matching engine for creating custom malware detection rules based on observed indicators
## Common Scenarios
### Scenario: Emotet Loader Leading to Cobalt Strike Deployment
**Context**: EDR detects a macro-enabled document that spawns PowerShell, downloads an Emotet DLL, which subsequently loads a Cobalt Strike beacon. Three hosts are infected within 45 minutes.
**Approach**:
1. Immediately isolate all three hosts and block C2 IPs at the perimeter
2. Search email gateway for all recipients of the original phishing email and quarantine it
3. Sweep all endpoints for the Emotet DLL hash and Cobalt Strike beacon indicators
4. Analyze the Cobalt Strike beacon configuration to extract watermark, C2 profile, and staging URLs
5. Check for credential harvesting (Mimikatz/LSASS dump) and lateral movement artifacts
6. Eradicate all malware artifacts and reset credentials for affected users
**Pitfalls**:
- Focusing only on Emotet and missing the Cobalt Strike second-stage payload
- Failing to extract and block the Cobalt Strike Malleable C2 profile indicators
- Not checking for additional persistence beyond the initial detection (Emotet often installs multiple backup persistence mechanisms)
## Output Format
```
MALWARE INCIDENT RESPONSE REPORT
=================================
Incident: INC-2025-1547
Malware Family: Qakbot (variant: Obama265)
Delivery Vector: Spearphishing attachment (Invoice-Nov2025.docm)
First Detection: 2025-11-15T14:23:17Z
Scope: 4 endpoints confirmed infected
INFECTION TIMELINE
14:18 UTC - Phishing email received by jsmith@corp.example.com
14:19 UTC - Macro executed in WINWORD.EXE
14:20 UTC - PowerShell downloads update.exe from staging server
14:21 UTC - update.exe establishes persistence (Scheduled Task)
14:23 UTC - C2 beacon initiated to 185.220.101[.]42
14:35 UTC - Lateral spread to WKSTN-087 via stolen credentials
14:42 UTC - EDR detection fires, SOC alerted
IOCs EXTRACTED
File Hashes: [SHA-256 list]
C2 Domains: [domain list]
C2 IPs: [IP list]
File Paths: [artifact paths]
ERADICATION STATUS
[x] All malware artifacts removed from 4 hosts
[x] Persistence mechanisms deleted
[x] C2 infrastructure blocked
[x] Compromised credentials reset
[x] Email quarantined from all mailboxes
RECOMMENDATIONS
1. Deploy YARA rule for Qakbot variant detection
2. Block macro execution in documents from external senders
3. Implement application whitelisting on finance workstations
```
{}
---tags:
- malware-response
- malware-analysis
- eradication
- endpoint-remediation
- MITRE-ATT&CK
skills/conducting-mobile-app-penetration-test/SKILL.md
+21 -9
View File
@@ -1,19 +1,31 @@
---
name: conducting-mobile-app-penetration-test
description: >
Conducts penetration testing of iOS and Android mobile applications following the OWASP
Mobile Application Security Testing Guide (MASTG) to identify vulnerabilities in data storage,
network communication, authentication, cryptography, and platform-specific security controls.
The tester performs static analysis of application binaries, dynamic analysis at runtime, and
API security testing to evaluate the complete mobile attack surface. Activates for requests
involving mobile app pentest, iOS security assessment, Android security testing, or OWASP
MASTG assessment.
description: 'Conducts penetration testing of iOS and Android mobile applications following the OWASP Mobile Application Security
Testing Guide (MASTG) to identify vulnerabilities in data storage, network communication, authentication, cryptography,
and platform-specific security controls. The tester performs static analysis of application binaries, dynamic analysis at
runtime, and API security testing to evaluate the complete mobile attack surface. Activates for requests involving mobile
app pentest, iOS security assessment, Android security testing, or OWASP MASTG assessment.
'
domain: cybersecurity
subdomain: penetration-testing
tags: [mobile-pentest, OWASP-MASTG, Android-security, iOS-security, mobile-application-security]
tags:
- mobile-pentest
- OWASP-MASTG
- Android-security
- iOS-security
- mobile-application-security
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
---
# Conducting Mobile App Penetration Test
skills/conducting-pass-the-ticket-attack/SKILL.md
+18 -3
View File
@@ -1,12 +1,27 @@
---
name: conducting-pass-the-ticket-attack
description: Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate to services without knowing the user's password. By extracting Kerberos tickets fro
description: Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate
to services without knowing the user's password. By extracting Kerberos tickets fro
domain: cybersecurity
subdomain: red-teaming
tags: [red-team, adversary-simulation, mitre-attack, exploitation, post-exploitation, kerberos, pass-the-ticket, lateral-movement]
version: "1.0"
tags:
- red-team
- adversary-simulation
- mitre-attack
- exploitation
- post-exploitation
- kerberos
- pass-the-ticket
- lateral-movement
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Token Binding
- Execution Isolation
- Restore Access
- Application Protocol Command Analysis
- Process Termination
---
# Conducting Pass-the-Ticket Attack
skills/conducting-social-engineering-penetration-test/SKILL.md
+19 -3
View File
@@ -1,12 +1,28 @@
---
name: conducting-social-engineering-penetration-test
description: Design and execute a social engineering penetration test including phishing, vishing, smishing, and physical pretexting campaigns to measure human security resilience and identify training gaps.
description: Design and execute a social engineering penetration test including phishing, vishing, smishing, and physical
pretexting campaigns to measure human security resilience and identify training gaps.
domain: cybersecurity
subdomain: penetration-testing
tags: [social-engineering, phishing, vishing, pretexting, GoPhish, SET, OSINT, security-awareness, red-team]
version: "1.0"
tags:
- social-engineering
- phishing
- vishing
- pretexting
- GoPhish
- SET
- OSINT
- security-awareness
- red-team
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0088
- AML.T0052
nist_ai_rmf:
- GOVERN-6.2
- MAP-5.2
---
# Conducting Social Engineering Penetration Test
skills/conducting-social-engineering-pretext-call/SKILL.md
+23 -3
View File
@@ -1,12 +1,32 @@
---
name: conducting-social-engineering-pretext-call
description: Plan and execute authorized vishing (voice phishing) pretext calls to assess employee susceptibility to social engineering and evaluate security awareness controls.
description: Plan and execute authorized vishing (voice phishing) pretext calls to assess employee susceptibility to social
engineering and evaluate security awareness controls.
domain: cybersecurity
subdomain: red-teaming
tags: [social-engineering, vishing, pretext-call, security-awareness, red-team, phishing, human-risk]
version: "1.0"
tags:
- social-engineering
- vishing
- pretext-call
- security-awareness
- red-team
- phishing
- human-risk
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0088
- AML.T0052
nist_ai_rmf:
- GOVERN-6.2
- MAP-5.2
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
---
# Conducting Social Engineering Pretext Call
skills/conducting-spearphishing-simulation-campaign/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: conducting-spearphishing-simulation-campaign
description: Spearphishing simulation is a targeted social engineering attack vector used by red teams to gain initial access. Unlike broad phishing campaigns, spearphishing uses OSINT-derived intelligence to craf
description: Spearphishing simulation is a targeted social engineering attack vector used by red teams to gain initial access.
Unlike broad phishing campaigns, spearphishing uses OSINT-derived intelligence to craf
domain: cybersecurity
subdomain: red-teaming
tags: [red-team, adversary-simulation, mitre-attack, exploitation, post-exploitation, spearphishing, social-engineering]
version: "1.0"
tags:
- red-team
- adversary-simulation
- mitre-attack
- exploitation
- post-exploitation
- spearphishing
- social-engineering
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
---
# Conducting Spearphishing Simulation Campaign
skills/configuring-hsm-for-key-storage/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: configuring-hsm-for-key-storage
description: Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and perform cryptographic operations in a hardened environment. Keys stored in an HSM never lea
description: Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and
perform cryptographic operations in a hardened environment. Keys stored in an HSM never lea
domain: cybersecurity
subdomain: cryptography
tags: [cryptography, hsm, key-management, pkcs11, hardware-security]
version: "1.0"
tags:
- cryptography
- hsm
- key-management
- pkcs11
- hardware-security
version: '1.0'
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
---
# Configuring HSM for Key Storage
skills/deobfuscating-powershell-obfuscated-malware/SKILL.md
+10 -362
View File
@@ -1,363 +1,11 @@
---
name: deobfuscating-powershell-obfuscated-malware
description: Systematically deobfuscate multi-layer PowerShell malware using AST analysis, dynamic tracing, and tools like PSDecode and PowerDecode to reveal hidden payloads and C2 infrastructure.
domain: cybersecurity
subdomain: malware-analysis
tags: [powershell, deobfuscation, malware-analysis, scripting, obfuscation, ast-analysis, incident-response]
mitre_attack: ["T1059.001", "T1027", "T1140"]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Deobfuscating PowerShell Obfuscated Malware
## Overview
PowerShell is heavily abused by malware authors due to its deep Windows integration and powerful scripting capabilities. Obfuscation techniques include string concatenation, Base64 encoding, character substitution, Invoke-Expression layering, SecureString abuse, environment variable manipulation, and tick-mark insertion. Modern malware uses multiple obfuscation layers requiring iterative deobfuscation. Tools like PSDecode, PowerDecode, and PowerPeeler automate much of this process, while manual AST (Abstract Syntax Tree) analysis handles custom obfuscation. PowerPeeler achieves a 95% deobfuscation correctness rate using instruction-level dynamic analysis of expression-related AST nodes.
## When to Use
- When performing authorized security testing that involves deobfuscating powershell obfuscated malware
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding
## Prerequisites
- Python 3.9+ with `base64`, `re`, `subprocess` modules
- PowerShell 5.1+ or PowerShell 7+ (for AST access)
- PSDecode (`Install-Module PSDecode`)
- PowerDecode (https://github.com/Malandrone/PowerDecode)
- Isolated VM or sandbox for safe script execution
- CyberChef for manual encoding transformations
- Understanding of PowerShell AST and Invoke-Expression patterns
## Key Concepts
### Common Obfuscation Techniques
PowerShell malware employs layered obfuscation to evade static detection. String concatenation splits commands across variables (`$a='In'+'voke'`). Base64 encoding wraps entire scripts in `-EncodedCommand` parameters. Character code arrays use `[char]` casting (`[char[]](73,69,88)|%{$r+=$_}`). Environment variable abuse reads substrings from `$env:` paths. Tick-mark insertion adds backticks between characters that PowerShell ignores (`I`nv`oke-Exp`ression`). SecureString conversion encrypts strings using ConvertTo-SecureString with embedded keys.
### AST-Based Deobfuscation
PowerShell's Abstract Syntax Tree exposes the parsed structure of scripts regardless of surface-level obfuscation. By walking the AST and evaluating expression nodes, analysts can resolve concatenated strings, decode encoded values, and reconstruct the original commands. PowerPeeler uses this approach at the instruction level, monitoring the execution process to correlate AST nodes with their evaluated results.
### Dynamic Execution Tracing
By replacing `Invoke-Expression` (IEX) with `Write-Output`, analysts can safely capture the deobfuscated script content that would normally be executed. This technique works across multiple layers by iteratively replacing IEX calls until the final payload is revealed.
## Workflow
### Step 1: Identify Obfuscation Layers
```python
#!/usr/bin/env python3
"""Identify and classify PowerShell obfuscation techniques."""
import re
import base64
import sys
def analyze_obfuscation(script_content):
"""Identify obfuscation techniques used in PowerShell script."""
techniques = []
# Check for Base64 encoded command
b64_pattern = re.compile(
r'-[Ee](?:nc(?:odedcommand)?)\s+([A-Za-z0-9+/=]{20,})',
re.IGNORECASE
)
if b64_pattern.search(script_content):
techniques.append("Base64 EncodedCommand")
# Check for FromBase64String
if re.search(r'\[Convert\]::FromBase64String', script_content, re.IGNORECASE):
techniques.append("Base64 FromBase64String")
# Check for string concatenation
concat_count = script_content.count("'+'") + script_content.count('"+"')
if concat_count > 3:
techniques.append(f"String Concatenation ({concat_count} joins)")
# Check for char array construction
if re.search(r'\[char\]\s*\d+', script_content, re.IGNORECASE):
techniques.append("Character Code Array")
# Check for Invoke-Expression variants
iex_patterns = [
r'Invoke-Expression',
r'\bIEX\b',
r'\.\s*\(\s*\$',
r'&\s*\(\s*\$',
r'\|\s*IEX',
r'\|\s*Invoke-Expression',
]
for pattern in iex_patterns:
if re.search(pattern, script_content, re.IGNORECASE):
techniques.append(f"Invoke-Expression variant: {pattern}")
# Check for tick-mark obfuscation
tick_count = script_content.count('`')
if tick_count > 5:
techniques.append(f"Tick-mark Insertion ({tick_count} backticks)")
# Check for environment variable abuse
if re.search(r'\$env:', script_content, re.IGNORECASE):
env_refs = re.findall(r'\$env:\w+', script_content, re.IGNORECASE)
if len(env_refs) > 2:
techniques.append(f"Environment Variable Abuse ({len(env_refs)} refs)")
# Check for SecureString
if re.search(r'ConvertTo-SecureString', script_content, re.IGNORECASE):
techniques.append("SecureString Encryption")
# Check for compression
if re.search(r'IO\.Compression|DeflateStream|GZipStream',
script_content, re.IGNORECASE):
techniques.append("Compression (Deflate/GZip)")
# Check for XOR encoding
if re.search(r'-bxor\s+\d+', script_content, re.IGNORECASE):
techniques.append("XOR Encoding")
# Check for Replace chain
replace_count = len(re.findall(r'\.Replace\(', script_content))
if replace_count > 2:
techniques.append(f"Replace Chain ({replace_count} replacements)")
return techniques
def decode_base64_command(script_content):
"""Extract and decode Base64 encoded commands."""
b64_match = re.search(
r'-[Ee](?:nc(?:odedcommand)?)\s+([A-Za-z0-9+/=]{20,})',
script_content, re.IGNORECASE
)
if b64_match:
encoded = b64_match.group(1)
try:
decoded = base64.b64decode(encoded).decode('utf-16-le')
return decoded
except Exception:
return None
return None
def remove_tick_marks(script_content):
"""Remove PowerShell tick-mark obfuscation."""
# Remove backticks that are not escape sequences
escape_chars = {'`n', '`r', '`t', '`a', '`b', '`f', '`v', '`0', '``'}
result = []
i = 0
while i < len(script_content):
if script_content[i] == '`' and i + 1 < len(script_content):
pair = script_content[i:i+2]
if pair in escape_chars:
result.append(pair)
i += 2
else:
# Skip the backtick, keep the next char
result.append(script_content[i+1])
i += 2
else:
result.append(script_content[i])
i += 1
return ''.join(result)
def resolve_string_concat(script_content):
"""Resolve simple string concatenation patterns."""
# Pattern: 'str1' + 'str2'
pattern = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
while pattern.search(script_content):
script_content = pattern.sub(lambda m: f"'{m.group(1)}{m.group(2)}'",
script_content)
# Pattern: "str1" + "str2"
pattern = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
while pattern.search(script_content):
script_content = pattern.sub(lambda m: f'"{m.group(1)}{m.group(2)}"',
script_content)
return script_content
if __name__ == "__main__":
if len(sys.argv) < 2:
print(f"Usage: {sys.argv[0]} <powershell_script>")
sys.exit(1)
with open(sys.argv[1], 'r', errors='replace') as f:
content = f.read()
print("[+] Obfuscation Analysis")
print("=" * 60)
techniques = analyze_obfuscation(content)
for t in techniques:
print(f" - {t}")
# Attempt automatic deobfuscation
print("\n[+] Attempting Deobfuscation")
print("=" * 60)
# Layer 1: Remove tick marks
deobfuscated = remove_tick_marks(content)
# Layer 2: Resolve string concatenation
deobfuscated = resolve_string_concat(deobfuscated)
# Layer 3: Decode Base64
b64_decoded = decode_base64_command(deobfuscated)
if b64_decoded:
print("[+] Base64 decoded content:")
print(b64_decoded[:2000])
deobfuscated = b64_decoded
print(f"\n[+] Deobfuscated script length: {len(deobfuscated)} chars")
output_file = sys.argv[1] + ".deobfuscated.ps1"
with open(output_file, 'w') as f:
f.write(deobfuscated)
print(f"[+] Saved to {output_file}")
```
### Step 2: Multi-Layer IEX Replacement
```python
import subprocess
import tempfile
import os
def iex_replacement_deobfuscate(script_content, max_layers=10):
"""Iteratively replace IEX with Write-Output to unwrap layers."""
# IEX replacement patterns
replacements = [
(r'\bInvoke-Expression\b', 'Write-Output'),
(r'\bIEX\b', 'Write-Output'),
(r'\|\s*IEX\b', '| Write-Output'),
]
current = script_content
layers = []
for layer_num in range(max_layers):
# Apply IEX replacements
modified = current
for pattern, replacement in replacements:
modified = re.sub(pattern, replacement, modified, flags=re.IGNORECASE)
if modified == current and layer_num > 0:
print(f" [+] No more IEX layers found at layer {layer_num}")
break
# Write to temp file and execute in constrained PowerShell
with tempfile.NamedTemporaryFile(mode='w', suffix='.ps1',
delete=False) as tmp:
tmp.write(modified)
tmp_path = tmp.name
try:
result = subprocess.run(
['powershell', '-NoProfile', '-ExecutionPolicy', 'Bypass',
'-File', tmp_path],
capture_output=True, text=True, timeout=30
)
output = result.stdout.strip()
if output and output != current:
print(f" [+] Layer {layer_num + 1}: Unwrapped "
f"{len(output)} chars")
layers.append({
"layer": layer_num + 1,
"technique": "IEX replacement",
"content_length": len(output),
})
current = output
else:
break
except subprocess.TimeoutExpired:
print(f" [!] Layer {layer_num + 1}: Execution timeout")
break
finally:
os.unlink(tmp_path)
return current, layers
```
### Step 3: Extract IOCs from Deobfuscated Script
```python
def extract_iocs_from_script(deobfuscated_content):
"""Extract indicators of compromise from deobfuscated PowerShell."""
iocs = {
"urls": [],
"ips": [],
"domains": [],
"file_paths": [],
"registry_keys": [],
"commands": [],
"base64_blobs": [],
}
# URLs
url_pattern = re.compile(
r'https?://[^\s\'"<>)\]]+', re.IGNORECASE
)
iocs["urls"] = list(set(url_pattern.findall(deobfuscated_content)))
# IP addresses
ip_pattern = re.compile(
r'\b(?:\d{1,3}\.){3}\d{1,3}\b'
)
iocs["ips"] = list(set(ip_pattern.findall(deobfuscated_content)))
# File paths
path_pattern = re.compile(
r'[A-Za-z]:\\[^\s\'"<>|]+|'
r'\\\\[^\s\'"<>|]+|'
r'%(?:APPDATA|TEMP|USERPROFILE|PROGRAMFILES)%[^\s\'"<>|]*',
re.IGNORECASE
)
iocs["file_paths"] = list(set(path_pattern.findall(deobfuscated_content)))
# Registry keys
reg_pattern = re.compile(
r'(?:HKLM|HKCU|HKCR|HKU|HKCC)(?:\\[^\s\'"<>|]+)+',
re.IGNORECASE
)
iocs["registry_keys"] = list(set(reg_pattern.findall(deobfuscated_content)))
# Suspicious commands
suspicious_cmds = [
'New-Object Net.WebClient',
'DownloadString', 'DownloadFile', 'DownloadData',
'Start-Process', 'Invoke-WebRequest',
'New-Object IO.MemoryStream',
'Reflection.Assembly',
'Add-MpPreference -ExclusionPath',
'Set-MpPreference -DisableRealtimeMonitoring',
'New-ScheduledTask', 'Register-ScheduledTask',
]
for cmd in suspicious_cmds:
if cmd.lower() in deobfuscated_content.lower():
iocs["commands"].append(cmd)
return iocs
```
## Validation Criteria
- All obfuscation layers identified and classified correctly
- Base64 encoded commands decoded to readable PowerShell
- Tick-mark and string concatenation obfuscation resolved
- IEX replacement reveals next-stage payloads
- URLs, IPs, and file paths extracted from final deobfuscated stage
- Deobfuscated script matches observed malware behavior in sandbox
## References
- [PSDecode - PowerShell Deobfuscation](https://github.com/R3MRUM/PSDecode)
- [PowerDecode - Multi-layer Deobfuscation](https://github.com/Malandrone/PowerDecode)
- [PowerPeeler - Instruction-level Deobfuscation](https://arxiv.org/html/2406.04027v2)
- [SentinelOne - Deconstructing PowerShell Obfuscation](https://www.sentinelone.com/blog/deconstructing-powershell-obfuscation-in-malspam-campaigns/)
- [MITRE ATT&CK T1059.001 - PowerShell](https://attack.mitre.org/techniques/T1059/001/)
{}
---tags:
- powershell
- deobfuscation
- malware-analysis
- scripting
- obfuscation
- ast-analysis
- incident-response
version: '1.0'
skills/deploying-cloudflare-access-for-zero-trust/SKILL.md
+22 -6
View File
@@ -1,15 +1,31 @@
---
name: deploying-cloudflare-access-for-zero-trust
description: >
Deploying Cloudflare Access with Cloudflare Tunnel to provide zero trust access
to self-hosted and private applications, configuring identity-aware access policies,
device posture checks, and WARP client enrollment for VPN replacement.
description: 'Deploying Cloudflare Access with Cloudflare Tunnel to provide zero trust access to self-hosted and private applications,
configuring identity-aware access policies, device posture checks, and WARP client enrollment for VPN replacement.
'
domain: cybersecurity
subdomain: zero-trust-architecture
tags: [cloudflare, cloudflare-access, zero-trust, cloudflare-tunnel, warp, ztna, cloudflare-one]
version: "1.0"
tags:
- cloudflare
- cloudflare-access
- zero-trust
- cloudflare-tunnel
- warp
- ztna
- cloudflare-one
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0051
- AML.T0054
- AML.T0056
nist_ai_rmf:
- MEASURE-2.7
- MEASURE-2.5
- GOVERN-6.1
- MAP-5.1
---
# Deploying Cloudflare Access for Zero Trust
skills/deploying-edr-agent-with-crowdstrike/SKILL.md
+23 -7
View File
@@ -1,17 +1,33 @@
---
name: deploying-edr-agent-with-crowdstrike
description: >
Deploys and configures CrowdStrike Falcon EDR agents across enterprise endpoints to enable
real-time threat detection, behavioral analysis, and automated response. Use when onboarding
endpoints to EDR coverage, configuring detection policies, or integrating Falcon telemetry
with SIEM platforms. Activates for requests involving CrowdStrike deployment, Falcon sensor
installation, EDR policy configuration, or endpoint detection and response.
description: 'Deploys and configures CrowdStrike Falcon EDR agents across enterprise endpoints to enable real-time threat
detection, behavioral analysis, and automated response. Use when onboarding endpoints to EDR coverage, configuring detection
policies, or integrating Falcon telemetry with SIEM platforms. Activates for requests involving CrowdStrike deployment,
Falcon sensor installation, EDR policy configuration, or endpoint detection and response.
'
domain: cybersecurity
subdomain: endpoint-security
tags: [endpoint, edr, CrowdStrike, Falcon, threat-detection, sensor-deployment]
tags:
- endpoint
- edr
- CrowdStrike
- Falcon
- threat-detection
- sensor-deployment
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- GOVERN-1.1
- MEASURE-2.7
- MANAGE-3.1
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
---
# Deploying EDR Agent with CrowdStrike
skills/deploying-palo-alto-prisma-access-zero-trust/SKILL.md
+17 -6
View File
@@ -1,15 +1,26 @@
---
name: deploying-palo-alto-prisma-access-zero-trust
description: >
Deploying Palo Alto Networks Prisma Access for SASE-based zero trust network access
using GlobalProtect agents, ZTNA Connectors, security policy enforcement, and
integration with Strata Cloud Manager for unified security management.
description: 'Deploying Palo Alto Networks Prisma Access for SASE-based zero trust network access using GlobalProtect agents,
ZTNA Connectors, security policy enforcement, and integration with Strata Cloud Manager for unified security management.
'
domain: cybersecurity
subdomain: zero-trust-architecture
tags: [prisma-access, palo-alto, ztna, sase, globalprotect, strata-cloud-manager, zero-trust]
version: "1.0"
tags:
- prisma-access
- palo-alto
- ztna
- sase
- globalprotect
- strata-cloud-manager
- zero-trust
version: '1.0'
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- GOVERN-1.1
- MEASURE-2.7
- MANAGE-3.1
---
# Deploying Palo Alto Prisma Access Zero Trust
skills/detecting-ai-model-prompt-injection-attacks/SKILL.md
+33 -11
View File
@@ -1,21 +1,43 @@
---
name: detecting-ai-model-prompt-injection-attacks
description: >
Detects prompt injection attacks targeting LLM-based applications using a multi-layered
defense combining regex pattern matching for known attack signatures, heuristic scoring
for structural anomalies, and transformer-based classification with DeBERTa models. The
detector analyzes user inputs before they reach the LLM, flagging direct injections
(system prompt overrides, role-play escapes, instruction hijacking) and indirect injections
(encoded payloads, multi-language obfuscation, delimiter-based escapes). Based on the
OWASP LLM Top 10 (LLM01:2025 Prompt Injection) and Simon Willison's prompt injection
taxonomy. Activates for requests involving prompt injection detection, LLM input
sanitization, AI security scanning, or prompt attack classification.
description: 'Detects prompt injection attacks targeting LLM-based applications using a multi-layered defense combining regex
pattern matching for known attack signatures, heuristic scoring for structural anomalies, and transformer-based classification
with DeBERTa models. The detector analyzes user inputs before they reach the LLM, flagging direct injections (system prompt
overrides, role-play escapes, instruction hijacking) and indirect injections (encoded payloads, multi-language obfuscation,
delimiter-based escapes). Based on the OWASP LLM Top 10 (LLM01:2025 Prompt Injection) and Simon Willison''s prompt injection
taxonomy. Activates for requests involving prompt injection detection, LLM input sanitization, AI security scanning, or
prompt attack classification.
'
domain: cybersecurity
subdomain: ai-security
tags: [prompt-injection, LLM-security, OWASP-LLM-Top10, NLP-classification, input-validation]
tags:
- prompt-injection
- LLM-security
- OWASP-LLM-Top10
- NLP-classification
- input-validation
version: 1.0.0
author: mukul975
license: Apache-2.0
atlas_techniques:
- AML.T0051
- AML.T0054
- AML.T0056
- AML.T0068
- AML.T0067
nist_ai_rmf:
- GOVERN-1.1
- GOVERN-6.1
- MEASURE-2.7
- MEASURE-2.5
- MANAGE-2.4
d3fend_techniques:
- Content Validation
- Content Filtering
- Application Hardening
- Inbound Traffic Filtering
- User Behavior Analysis
---
# Detecting AI Model Prompt Injection Attacks
skills/detecting-anomalies-in-industrial-control-systems/SKILL.md
+21 -8
View File
@@ -1,18 +1,31 @@
---
name: detecting-anomalies-in-industrial-control-systems
description: >
This skill covers deploying anomaly detection systems for industrial control
environments using machine learning models trained on OT network baselines,
physics-based process models, and behavioral analysis of industrial protocol
communications. It addresses building normal behavior profiles for SCADA polling
patterns, detecting deviations in Modbus/DNP3/OPC UA traffic, identifying rogue
devices, and correlating network anomalies with physical process data from historians.
description: 'This skill covers deploying anomaly detection systems for industrial control environments using machine learning
models trained on OT network baselines, physics-based process models, and behavioral analysis of industrial protocol communications.
It addresses building normal behavior profiles for SCADA polling patterns, detecting deviations in Modbus/DNP3/OPC UA traffic,
identifying rogue devices, and correlating network anomalies with physical process data from historians.
'
domain: cybersecurity
subdomain: ot-ics-security
tags: [ot-security, ics, scada, industrial-control, iec62443, anomaly-detection, machine-learning]
tags:
- ot-security
- ics
- scada
- industrial-control
- iec62443
- anomaly-detection
- machine-learning
version: 1.0.0
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0043
- AML.T0018
nist_ai_rmf:
- MEASURE-2.7
- MEASURE-2.5
- MAP-5.1
---
# Detecting Anomalies in Industrial Control Systems
skills/detecting-anomalous-authentication-patterns/SKILL.md
+20 -7
View File
@@ -1,17 +1,30 @@
---
name: detecting-anomalous-authentication-patterns
description: >
Detects anomalous authentication patterns using UEBA analytics, statistical baselines,
and machine learning models to identify impossible travel, credential stuffing, brute force,
password spraying, and compromised account behaviors across authentication logs.
Activates for requests involving authentication anomaly detection, login behavior analysis,
description: 'Detects anomalous authentication patterns using UEBA analytics, statistical baselines, and machine learning
models to identify impossible travel, credential stuffing, brute force, password spraying, and compromised account behaviors
across authentication logs. Activates for requests involving authentication anomaly detection, login behavior analysis,
UEBA implementation, or suspicious sign-in investigation.
'
domain: cybersecurity
subdomain: identity-access-management
tags: [UEBA, authentication-anomaly, impossible-travel, brute-force, credential-stuffing, behavioral-analytics]
version: "1.0"
tags:
- UEBA
- authentication-anomaly
- impossible-travel
- brute-force
- credential-stuffing
- behavioral-analytics
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0043
- AML.T0018
nist_ai_rmf:
- MEASURE-2.7
- MEASURE-2.5
- MAP-5.1
---
# Detecting Anomalous Authentication Patterns
skills/detecting-attacks-on-scada-systems/SKILL.md
+23 -9
View File
@@ -1,19 +1,33 @@
---
name: detecting-attacks-on-scada-systems
description: >
This skill covers detecting cyber attacks targeting Supervisory Control and Data
Acquisition (SCADA) systems including man-in-the-middle attacks on industrial
protocols, unauthorized command injection into PLCs, HMI compromise, historian
data manipulation, and denial-of-service against control system communications.
It leverages OT-specific intrusion detection systems, industrial protocol anomaly
detection, and process data analytics to identify attacks that traditional IT
security tools miss.
description: 'This skill covers detecting cyber attacks targeting Supervisory Control and Data Acquisition (SCADA) systems
including man-in-the-middle attacks on industrial protocols, unauthorized command injection into PLCs, HMI compromise, historian
data manipulation, and denial-of-service against control system communications. It leverages OT-specific intrusion detection
systems, industrial protocol anomaly detection, and process data analytics to identify attacks that traditional IT security
tools miss.
'
domain: cybersecurity
subdomain: ot-ics-security
tags: [ot-security, ics, scada, industrial-control, iec62443, intrusion-detection, threat-detection]
tags:
- ot-security
- ics
- scada
- industrial-control
- iec62443
- intrusion-detection
- threat-detection
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
---
# Detecting Attacks on SCADA Systems
skills/detecting-azure-service-principal-abuse/SKILL.md
+18 -3
View File
@@ -1,12 +1,27 @@
---
name: detecting-azure-service-principal-abuse
description: Detect and investigate Azure service principal abuse including privilege escalation, credential compromise, admin consent bypass, and unauthorized enumeration in Microsoft Entra ID environments.
description: Detect and investigate Azure service principal abuse including privilege escalation, credential compromise, admin
consent bypass, and unauthorized enumeration in Microsoft Entra ID environments.
domain: cybersecurity
subdomain: cloud-security
tags: [azure, entra-id, service-principal, privilege-escalation, credential-abuse, detection, splunk, sentinel]
version: "1.0"
tags:
- azure
- entra-id
- service-principal
- privilege-escalation
- credential-abuse
- detection
- splunk
- sentinel
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Token Binding
- Restore Access
- Application Protocol Command Analysis
- Reissue Credential
- Network Isolation
---
# Detecting Azure Service Principal Abuse
skills/detecting-azure-storage-account-misconfigurations/SKILL.md
+21 -3
View File
@@ -1,12 +1,30 @@
---
name: detecting-azure-storage-account-misconfigurations
description: Audit Azure Blob and ADLS storage accounts for public access exposure, weak or long-lived SAS tokens, missing encryption at rest, disabled HTTPS-only traffic, and outdated TLS versions using the azure-mgmt-storage Python SDK.
description: Audit Azure Blob and ADLS storage accounts for public access exposure, weak or long-lived SAS tokens, missing
encryption at rest, disabled HTTPS-only traffic, and outdated TLS versions using the azure-mgmt-storage Python SDK.
domain: cybersecurity
subdomain: cloud-security
tags: [Azure, storage-accounts, blob-storage, ADLS, SAS-tokens, encryption, public-access, cloud-misconfiguration, azure-mgmt-storage]
version: "1.0"
tags:
- Azure
- storage-accounts
- blob-storage
- ADLS
- SAS-tokens
- encryption
- public-access
- cloud-misconfiguration
- azure-mgmt-storage
version: '1.0'
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
---
# Detecting Azure Storage Account Misconfigurations
skills/detecting-business-email-compromise-with-ai/SKILL.md
+28 -3
View File
@@ -1,12 +1,37 @@
---
name: detecting-business-email-compromise-with-ai
description: Deploy AI and NLP-powered detection systems to identify business email compromise attacks by analyzing writing style, behavioral patterns, and contextual anomalies that evade traditional rule-based filters.
description: Deploy AI and NLP-powered detection systems to identify business email compromise attacks by analyzing writing
style, behavioral patterns, and contextual anomalies that evade traditional rule-based filters.
domain: cybersecurity
subdomain: phishing-defense
tags: [bec, ai, nlp, machine-learning, email-security, behavioral-analytics, impersonation, fraud-detection]
version: "1.0"
tags:
- bec
- ai
- nlp
- machine-learning
- email-security
- behavioral-analytics
- impersonation
- fraud-detection
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0073
- AML.T0052
- AML.T0088
nist_ai_rmf:
- GOVERN-6.2
- MAP-5.2
- GOVERN-6.1
- MEASURE-2.7
- MEASURE-2.5
d3fend_techniques:
- Sender MTA Reputation Analysis
- Email Filtering
- Sender Reputation Analysis
- Homoglyph Detection
- Message Analysis
---
# Detecting Business Email Compromise with AI
skills/detecting-business-email-compromise/SKILL.md
+23 -3
View File
@@ -1,12 +1,32 @@
---
name: detecting-business-email-compromise
description: Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors, or trusted partners to trick employees into transferring funds, sharing sensitive data,
description: Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors,
or trusted partners to trick employees into transferring funds, sharing sensitive data,
domain: cybersecurity
subdomain: phishing-defense
tags: [phishing, email-security, social-engineering, dmarc, awareness, bec, fraud]
version: "1.0"
tags:
- phishing
- email-security
- social-engineering
- dmarc
- awareness
- bec
- fraud
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0052
- AML.T0088
nist_ai_rmf:
- GOVERN-6.2
- MAP-5.2
d3fend_techniques:
- Restore Object
- Restore Configuration
- Application Configuration Hardening
- Application Hardening
- Disable Remote Access
---
# Detecting Business Email Compromise
skills/detecting-container-escape-attempts/SKILL.md
+16 -3
View File
@@ -1,12 +1,25 @@
---
name: detecting-container-escape-attempts
description: Container escape is a critical attack technique where an adversary breaks out of container isolation to access the host system or other containers. Detection involves monitoring for escape indicators
description: Container escape is a critical attack technique where an adversary breaks out of container isolation to access
the host system or other containers. Detection involves monitoring for escape indicators
domain: cybersecurity
subdomain: container-security
tags: [containers, kubernetes, docker, security, runtime-security, escape-detection]
version: "1.0"
tags:
- containers
- kubernetes
- docker
- security
- runtime-security
- escape-detection
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Platform Monitoring
- Process Code Segment Verification
- Stack Frame Canary Validation
- Segment Address Offset Randomization
- Process Analysis
---
# Detecting Container Escape Attempts
skills/detecting-container-escape-with-falco-rules/SKILL.md
+16 -3
View File
@@ -1,12 +1,25 @@
---
name: detecting-container-escape-with-falco-rules
description: Detect container escape attempts in real-time using Falco runtime security rules that monitor syscalls, file access, and privilege escalation.
description: Detect container escape attempts in real-time using Falco runtime security rules that monitor syscalls, file
access, and privilege escalation.
domain: cybersecurity
subdomain: container-security
tags: [falco, container-escape, runtime-security, syscall-monitoring, kubernetes, detection]
version: "1.0"
tags:
- falco
- container-escape
- runtime-security
- syscall-monitoring
- kubernetes
- detection
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Token Binding
- Execution Isolation
- File Metadata Consistency Validation
- Restore Access
- Application Protocol Command Analysis
---
# Detecting Container Escape with Falco Rules
skills/detecting-credential-dumping-techniques/SKILL.md
+16 -9
View File
@@ -1,19 +1,26 @@
---
name: detecting-credential-dumping-techniques
description: Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules
description: Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows
Security logs, and SIEM correlation rules
domain: cybersecurity
subdomain: threat-detection
tags:
- credential-dumping
- lsass
- mimikatz
- sysmon
- active-directory
- windows-security
- defense-evasion
version: "1.0"
- credential-dumping
- lsass
- mimikatz
- sysmon
- active-directory
- windows-security
- defense-evasion
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Token Binding
- Execution Isolation
- File Metadata Consistency Validation
- Restore Access
- Application Protocol Command Analysis
---
# Detecting Credential Dumping Techniques
skills/detecting-dcsync-attack-in-active-directory/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: detecting-dcsync-attack-in-active-directory
description: Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes by monitoring for non-domain-controller accounts requesting directory replication via DsGetNCChanges.
description: Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes
by monitoring for non-domain-controller accounts requesting directory replication via DsGetNCChanges.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, active-directory, dcsync, credential-theft, mitre-t1003-006, mimikatz, kerberos]
version: "1.0"
tags:
- threat-hunting
- active-directory
- dcsync
- credential-theft
- mitre-t1003-006
- mimikatz
- kerberos
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Platform Monitoring
---
# Detecting DCSync Attack in Active Directory
skills/detecting-deepfake-audio-in-vishing-attacks/SKILL.md
+31 -8
View File
@@ -1,18 +1,41 @@
---
name: detecting-deepfake-audio-in-vishing-attacks
description: >
Detects AI-generated deepfake audio used in voice phishing (vishing) attacks by
extracting spectral features (MFCC, spectral centroid, spectral contrast, zero-crossing
rate) and classifying samples with machine learning models. Supports batch analysis of
audio files, generates confidence scores, and produces forensic reports. Activates for
requests involving deepfake voice detection, vishing investigation, AI-generated speech
analysis, voice cloning detection, or audio authenticity verification.
description: 'Detects AI-generated deepfake audio used in voice phishing (vishing) attacks by extracting spectral features
(MFCC, spectral centroid, spectral contrast, zero-crossing rate) and classifying samples with machine learning models. Supports
batch analysis of audio files, generates confidence scores, and produces forensic reports. Activates for requests involving
deepfake voice detection, vishing investigation, AI-generated speech analysis, voice cloning detection, or audio authenticity
verification.
'
domain: cybersecurity
subdomain: social-engineering-defense
tags: [deepfake-detection, vishing, audio-forensics, MFCC, spectral-analysis, voice-cloning]
tags:
- deepfake-detection
- vishing
- audio-forensics
- MFCC
- spectral-analysis
- voice-cloning
version: 1.0.0
author: mukul975
license: Apache-2.0
atlas_techniques:
- AML.T0088
- AML.T0043
- AML.T0018
- AML.T0052
nist_ai_rmf:
- MEASURE-2.7
- GOVERN-6.2
- MAP-5.2
- MEASURE-2.5
- MAP-5.1
d3fend_techniques:
- Sender Reputation Analysis
- Content Validation
- Message Analysis
- User Behavior Analysis
- Identifier Analysis
---
# Detecting Deepfake Audio in Vishing Attacks
skills/detecting-dll-sideloading-attacks/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: detecting-dll-sideloading-attacks
description: Detect DLL side-loading attacks where adversaries place malicious DLLs alongside legitimate applications to hijack execution flow for defense evasion.
description: Detect DLL side-loading attacks where adversaries place malicious DLLs alongside legitimate applications to hijack
execution flow for defense evasion.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, dll-sideloading, defense-evasion, t1574, edr, proactive-detection]
version: "1.0"
tags:
- threat-hunting
- mitre-attack
- dll-sideloading
- defense-evasion
- t1574
- edr
- proactive-detection
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
- Platform Hardening
- File Format Verification
---
# Detecting DLL Sideloading Attacks
skills/detecting-dnp3-protocol-anomalies/SKILL.md
+22 -7
View File
@@ -1,16 +1,31 @@
---
name: detecting-dnp3-protocol-anomalies
description: >
Detect anomalies in DNP3 (Distributed Network Protocol 3) communications
used in SCADA systems by monitoring for unauthorized control commands,
firmware update attempts, protocol violations, and deviations from baseline
traffic patterns using deep packet inspection and machine learning approaches.
description: 'Detect anomalies in DNP3 (Distributed Network Protocol 3) communications used in SCADA systems by monitoring
for unauthorized control commands, firmware update attempts, protocol violations, and deviations from baseline traffic patterns
using deep packet inspection and machine learning approaches.
'
domain: cybersecurity
subdomain: ot-ics-security
tags: [ot-security, ics, dnp3, scada, anomaly-detection, protocol-analysis, energy-sector, ids]
version: "1.0"
tags:
- ot-security
- ics
- dnp3
- scada
- anomaly-detection
- protocol-analysis
- energy-sector
- ids
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0043
- AML.T0018
nist_ai_rmf:
- MEASURE-2.7
- MEASURE-2.5
- MAP-5.1
---
# Detecting DNP3 Protocol Anomalies
skills/detecting-email-forwarding-rules-attack/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: detecting-email-forwarding-rules-attack
description: Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications for intelligence collection and BEC attacks.
description: Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications
for intelligence collection and BEC attacks.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, email-forwarding, persistence, bec, t1114, proactive-detection]
version: "1.0"
tags:
- threat-hunting
- mitre-attack
- email-forwarding
- persistence
- bec
- t1114
- proactive-detection
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Restore Object
- Restore Configuration
- Application Configuration Hardening
- Application Hardening
- Disable Remote Access
---
# Detecting Email Forwarding Rules Attack
skills/detecting-evasion-techniques-in-endpoint-logs/SKILL.md
+19 -7
View File
@@ -1,17 +1,29 @@
---
name: detecting-evasion-techniques-in-endpoint-logs
description: >
Detects defense evasion techniques used by adversaries in endpoint logs including log tampering,
timestomping, process injection, and security tool disabling. Use when investigating suspicious
endpoint behavior, building detection rules for evasion tactics, or conducting threat hunting
for stealthy adversary activity. Activates for requests involving evasion detection, defense
evasion analysis, log tampering detection, or MITRE ATT&CK TA0005.
description: 'Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, timestomping,
process injection, and security tool disabling. Use when investigating suspicious endpoint behavior, building detection
rules for evasion tactics, or conducting threat hunting for stealthy adversary activity. Activates for requests involving
evasion detection, defense evasion analysis, log tampering detection, or MITRE ATT&CK TA0005.
'
domain: cybersecurity
subdomain: endpoint-security
tags: [endpoint, edr, threat-hunting, defense-evasion, MITRE-ATT&CK, detection-engineering]
tags:
- endpoint
- edr
- threat-hunting
- defense-evasion
- MITRE-ATT&CK
- detection-engineering
version: 1.0.0
author: mahipal
license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
- Platform Hardening
- File Format Verification
---
# Detecting Evasion Techniques in Endpoint Logs
skills/detecting-fileless-malware-techniques/SKILL.md
+18 -7
View File
@@ -1,17 +1,28 @@
---
name: detecting-fileless-malware-techniques
description: >
Detects and analyzes fileless malware that operates entirely in memory using PowerShell,
WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins)
without writing traditional executable files to disk. Activates for requests involving
fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or
WMI persistence examination.
description: 'Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection,
registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk.
Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI
persistence examination.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, fileless, LOLBins, memory-analysis, detection]
tags:
- malware
- fileless
- LOLBins
- memory-analysis
- detection
version: 1.0.0
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
---
# Detecting Fileless Malware Techniques
skills/detecting-golden-ticket-forgery/SKILL.md
+16 -9
View File
@@ -1,19 +1,26 @@
---
name: detecting-golden-ticket-forgery
description: Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17), abnormal ticket lifetimes, and krbtgt account anomalies in Splunk and Elastic SIEM
description: Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17),
abnormal ticket lifetimes, and krbtgt account anomalies in Splunk and Elastic SIEM
domain: cybersecurity
subdomain: threat-detection
tags:
- golden-ticket
- kerberos
- active-directory
- mimikatz
- splunk
- credential-theft
- windows-security
version: "1.0"
- golden-ticket
- kerberos
- active-directory
- mimikatz
- splunk
- credential-theft
- windows-security
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Token Binding
- Restore Access
- Reissue Credential
- Decoy User Credential
- Authentication Cache Invalidation
---
# Detecting Golden Ticket Forgery
skills/detecting-insider-threat-behaviors/SKILL.md
+16 -3
View File
@@ -1,12 +1,25 @@
---
name: detecting-insider-threat-behaviors
description: Detect insider threat behavioral indicators including unusual data access, off-hours activity, mass file downloads, privilege abuse, and resignation-correlated data theft.
description: Detect insider threat behavioral indicators including unusual data access, off-hours activity, mass file downloads,
privilege abuse, and resignation-correlated data theft.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, insider-threat, data-theft, ueba, proactive-detection]
version: "1.0"
tags:
- threat-hunting
- mitre-attack
- insider-threat
- data-theft
- ueba
- proactive-detection
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Restore Access
- Password Authentication
- Biometric Authentication
- Strong Password Policy
- Restore User Account Access
---
# Detecting Insider Threat Behaviors
skills/detecting-kerberoasting-attacks/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: detecting-kerberoasting-attacks
description: Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with SPNs for offline password cracking.
description: Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with
SPNs for offline password cracking.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, kerberoasting, credential-access, kerberos, t1558, proactive-detection]
version: "1.0"
tags:
- threat-hunting
- mitre-attack
- kerberoasting
- credential-access
- kerberos
- t1558
- proactive-detection
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Network Traffic Community Deviation
---
# Detecting Kerberoasting Attacks
skills/detecting-lateral-movement-in-network/SKILL.md
+17 -6
View File
@@ -1,15 +1,26 @@
---
name: detecting-lateral-movement-in-network
description: >
Identifies lateral movement techniques in enterprise networks by analyzing
authentication logs, network flows, SMB traffic, and RDP sessions using Zeek,
Velociraptor, and SIEM correlation rules to detect attackers moving between systems.
description: 'Identifies lateral movement techniques in enterprise networks by analyzing authentication logs, network flows,
SMB traffic, and RDP sessions using Zeek, Velociraptor, and SIEM correlation rules to detect attackers moving between systems.
'
domain: cybersecurity
subdomain: network-security
tags: [network-security, lateral-movement, threat-detection, siem, pass-the-hash]
version: "1.0"
tags:
- network-security
- lateral-movement
- threat-detection
- siem
- pass-the-hash
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Network Traffic Community Deviation
---
# Detecting Lateral Movement in Network
skills/detecting-lateral-movement-with-splunk/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: detecting-lateral-movement-with-splunk
description: Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, SMB traffic, and remote service abuse.
description: Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs,
SMB traffic, and remote service abuse.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, lateral-movement, splunk, siem, proactive-detection, ta0008]
version: "1.0"
tags:
- threat-hunting
- mitre-attack
- lateral-movement
- splunk
- siem
- proactive-detection
- ta0008
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Network Traffic Community Deviation
---
# Detecting Lateral Movement with Splunk
skills/detecting-living-off-the-land-attacks/SKILL.md
+16 -6
View File
@@ -1,15 +1,25 @@
---
name: detecting-living-off-the-land-attacks
description: >
Detect abuse of legitimate Windows binaries (LOLBins) used for living off
the land attacks. Monitors process creation, command-line arguments, and
parent-child relationships to identify suspicious LOLBin execution patterns.
description: 'Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process
creation, command-line arguments, and parent-child relationships to identify suspicious LOLBin execution patterns.
'
domain: cybersecurity
subdomain: threat-detection
tags: [lolbins, lotl, fileless-attacks, process-monitoring]
version: "1.0"
tags:
- lolbins
- lotl
- fileless-attacks
- process-monitoring
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Network Traffic Community Deviation
---
# Detecting Living Off the Land Attacks
skills/detecting-living-off-the-land-with-lolbas/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: detecting-living-off-the-land-with-lolbas
description: Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32 via process telemetry, Sigma rules, and parent-child process analysis
description: Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32
via process telemetry, Sigma rules, and parent-child process analysis
domain: cybersecurity
subdomain: threat-detection
tags: [lolbas, lolbins, sigma-rules, process-monitoring, sysmon, endpoint-detection, threat-hunting]
version: "1.0"
tags:
- lolbas
- lolbins
- sigma-rules
- process-monitoring
- sysmon
- endpoint-detection
- threat-hunting
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Content Format Conversion
---
# Detecting Living Off the Land with LOLBAS
skills/detecting-malicious-scheduled-tasks-with-sysmon/SKILL.md
+21 -9
View File
@@ -1,18 +1,30 @@
---
name: detecting-malicious-scheduled-tasks-with-sysmon
description: >
Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process
Create for schtasks.exe), 11 (File Create for task XML), and Windows Security Event 4698/4702.
The analyst correlates task creation with suspicious parent processes, public directory paths,
and encoded command arguments to identify persistence and lateral movement via scheduled tasks.
Activates for requests involving scheduled task detection, Sysmon persistence hunting, or
T1053.005 Scheduled Task/Job analysis.
description: 'Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process Create for schtasks.exe),
11 (File Create for task XML), and Windows Security Event 4698/4702. The analyst correlates task creation with suspicious
parent processes, public directory paths, and encoded command arguments to identify persistence and lateral movement via
scheduled tasks. Activates for requests involving scheduled task detection, Sysmon persistence hunting, or T1053.005 Scheduled
Task/Job analysis.
'
domain: cybersecurity
subdomain: threat-hunting
tags: [sysmon, scheduled-tasks, persistence, detection, threat-hunting, windows-security]
version: "1.0"
tags:
- sysmon
- scheduled-tasks
- persistence
- detection
- threat-hunting
- windows-security
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Execution Isolation
- Process Termination
- Hardware-based Process Isolation
- Platform Monitoring
- Process Suspension
---
# Detecting Malicious Scheduled Tasks with Sysmon
skills/detecting-mimikatz-execution-patterns/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: detecting-mimikatz-execution-patterns
description: Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory detection of known modules.
description: Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory
detection of known modules.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, mimikatz, credential-dumping, edr, t1003, proactive-detection]
version: "1.0"
tags:
- threat-hunting
- mitre-attack
- mimikatz
- credential-dumping
- edr
- t1003
- proactive-detection
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Execution Isolation
- Process Termination
- Hardware-based Process Isolation
- Web Session Access Mediation
- Process Suspension
---
# Detecting Mimikatz Execution Patterns
skills/detecting-misconfigured-azure-storage/SKILL.md
+21 -6
View File
@@ -1,15 +1,30 @@
---
name: detecting-misconfigured-azure-storage
description: >
Detecting misconfigured Azure Storage accounts including publicly accessible blob containers,
missing encryption settings, overly permissive SAS tokens, disabled logging, and network
access violations using Azure CLI, PowerShell, and Microsoft Defender for Storage.
description: 'Detecting misconfigured Azure Storage accounts including publicly accessible blob containers, missing encryption
settings, overly permissive SAS tokens, disabled logging, and network access violations using Azure CLI, PowerShell, and
Microsoft Defender for Storage.
'
domain: cybersecurity
subdomain: cloud-security
tags: [cloud-security, azure, storage-security, blob-storage, sas-tokens, data-protection]
version: "1.0"
tags:
- cloud-security
- azure
- storage-security
- blob-storage
- sas-tokens
- data-protection
version: '1.0'
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
---
# Detecting Misconfigured Azure Storage
skills/detecting-modbus-protocol-anomalies/SKILL.md
+22 -8
View File
@@ -1,18 +1,32 @@
---
name: detecting-modbus-protocol-anomalies
description: >
This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications
in industrial control systems. It addresses function code monitoring, register
range validation, timing analysis, unauthorized client detection, and deep packet
inspection for malformed Modbus frames. The skill leverages Zeek with Modbus protocol
analyzers, Suricata IDS with OT rules, and custom Python-based detection using
Markov chain models for normal Modbus transaction sequences.
description: 'This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications in industrial control systems.
It addresses function code monitoring, register range validation, timing analysis, unauthorized client detection, and deep
packet inspection for malformed Modbus frames. The skill leverages Zeek with Modbus protocol analyzers, Suricata IDS with
OT rules, and custom Python-based detection using Markov chain models for normal Modbus transaction sequences.
'
domain: cybersecurity
subdomain: ot-ics-security
tags: [ot-security, ics, scada, industrial-control, iec62443, modbus, protocol-anomaly]
tags:
- ot-security
- ics
- scada
- industrial-control
- iec62443
- modbus
- protocol-anomaly
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
---
# Detecting Modbus Protocol Anomalies
skills/detecting-ntlm-relay-with-event-correlation/SKILL.md
+34 -7
View File
@@ -1,16 +1,43 @@
---
name: detecting-ntlm-relay-with-event-correlation
description: >
Detect NTLM relay attacks through Windows Security Event correlation by analyzing
Event 4624 LogonType 3 for IP-to-hostname mismatches, identifying Responder/LLMNR
poisoning artifacts, auditing SMB and LDAP signing enforcement across the domain,
and detecting NTLM downgrade attacks from NTLMv2 to NTLMv1 using event log analysis.
description: 'Detect NTLM relay attacks through Windows Security Event correlation by analyzing Event 4624 LogonType 3 for
IP-to-hostname mismatches, identifying Responder/LLMNR poisoning artifacts, auditing SMB and LDAP signing enforcement across
the domain, and detecting NTLM downgrade attacks from NTLMv2 to NTLMv1 using event log analysis.
'
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, NTLM-relay, event-correlation, T1557.001, Event-4624, Responder, SMB-signing, LDAP-signing, NTLM-downgrade, PetitPotam, Active-Directory]
version: "1.0"
tags:
- threat-hunting
- NTLM-relay
- event-correlation
- T1557.001
- Event-4624
- Responder
- SMB-signing
- LDAP-signing
- NTLM-downgrade
- PetitPotam
- Active-Directory
version: '1.0'
author: mukul975
license: Apache-2.0
atlas_techniques:
- AML.T0051
- AML.T0054
- AML.T0056
- AML.T0020
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Network Traffic Community Deviation
nist_ai_rmf:
- MEASURE-2.7
- MEASURE-2.5
- GOVERN-6.1
- MAP-5.1
---
# Detecting NTLM Relay with Event Correlation
skills/detecting-pass-the-hash-attacks/SKILL.md
+16 -3
View File
@@ -1,12 +1,25 @@
---
name: detecting-pass-the-hash-attacks
description: Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where Kerberos is expected, and correlating with credential dumping.
description: Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where
Kerberos is expected, and correlating with credential dumping.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, pass-the-hash, credential-access, t1550, proactive-detection]
version: "1.0"
tags:
- threat-hunting
- mitre-attack
- pass-the-hash
- credential-access
- t1550
- proactive-detection
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Token Binding
- Execution Isolation
- Restore Access
- Application Protocol Command Analysis
- Process Termination
---
# Detecting Pass The Hash Attacks
skills/detecting-pass-the-ticket-attacks/SKILL.md
+16 -9
View File
@@ -1,19 +1,26 @@
---
name: detecting-pass-the-ticket-attacks
description: Detect Kerberos Pass-the-Ticket (PtT) attacks by analyzing Windows Event IDs 4768, 4769, and 4771 for anomalous ticket usage patterns in Splunk and Elastic SIEM
description: Detect Kerberos Pass-the-Ticket (PtT) attacks by analyzing Windows Event IDs 4768, 4769, and 4771 for anomalous
ticket usage patterns in Splunk and Elastic SIEM
domain: cybersecurity
subdomain: threat-detection
tags:
- kerberos
- pass-the-ticket
- active-directory
- splunk
- elastic
- credential-theft
- windows-security
version: "1.0"
- kerberos
- pass-the-ticket
- active-directory
- splunk
- elastic
- credential-theft
- windows-security
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Token Binding
- Execution Isolation
- Restore Access
- Application Protocol Command Analysis
- Process Termination
---
# Detecting Pass-the-Ticket Attacks
skills/detecting-privilege-escalation-attempts/SKILL.md
+16 -3
View File
@@ -1,12 +1,25 @@
---
name: detecting-privilege-escalation-attempts
description: Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse across Windows and Linux.
description: Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel
exploits, and sudo/doas abuse across Windows and Linux.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, privilege-escalation, token-manipulation, uac-bypass, proactive-detection]
version: "1.0"
tags:
- threat-hunting
- mitre-attack
- privilege-escalation
- token-manipulation
- uac-bypass
- proactive-detection
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Token Binding
- Executable Denylisting
- Execution Isolation
- Restore Access
- Reissue Credential
---
# Detecting Privilege Escalation Attempts
skills/detecting-privilege-escalation-in-kubernetes-pods/SKILL.md
+16 -3
View File
@@ -1,12 +1,25 @@
---
name: detecting-privilege-escalation-in-kubernetes-pods
description: Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and syscall patterns with Falco and OPA policies.
description: Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and
syscall patterns with Falco and OPA policies.
domain: cybersecurity
subdomain: container-security
tags: [kubernetes, privilege-escalation, security-context, capabilities, detection, pod-security]
version: "1.0"
tags:
- kubernetes
- privilege-escalation
- security-context
- capabilities
- detection
- pod-security
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Restore Access
- Password Authentication
---
# Detecting Privilege Escalation in Kubernetes Pods
skills/detecting-process-hollowing-technique/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: detecting-process-hollowing-technique
description: Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child process anomalies in EDR telemetry.
description: Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child
process anomalies in EDR telemetry.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, process-hollowing, process-injection, edr, t1055, proactive-detection]
version: "1.0"
tags:
- threat-hunting
- mitre-attack
- process-hollowing
- process-injection
- edr
- t1055
- proactive-detection
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Platform Monitoring
- Process Code Segment Verification
- Segment Address Offset Randomization
- Process Analysis
- Application Hardening
---
# Detecting Process Hollowing Technique
skills/detecting-process-injection-techniques/SKILL.md
+18 -7
View File
@@ -1,17 +1,28 @@
---
name: detecting-process-injection-techniques
description: >
Detects and analyzes process injection techniques used by malware including classic DLL
injection, process hollowing, APC injection, thread hijacking, and reflective loading.
Uses memory forensics, API monitoring, and behavioral analysis to identify injection
artifacts. Activates for requests involving process injection detection, code injection
analysis, hollowed process investigation, or in-memory threat detection.
description: 'Detects and analyzes process injection techniques used by malware including classic DLL injection, process hollowing,
APC injection, thread hijacking, and reflective loading. Uses memory forensics, API monitoring, and behavioral analysis
to identify injection artifacts. Activates for requests involving process injection detection, code injection analysis,
hollowed process investigation, or in-memory threat detection.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, process-injection, detection, memory-forensics, defense-evasion]
tags:
- malware
- process-injection
- detection
- memory-forensics
- defense-evasion
version: 1.0.0
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
---
# Detecting Process Injection Techniques
skills/detecting-qr-code-phishing-with-email-security/SKILL.md
+18 -3
View File
@@ -1,12 +1,27 @@
---
name: detecting-qr-code-phishing-with-email-security
description: Detect and prevent QR code phishing (quishing) attacks that bypass traditional email security by embedding malicious URLs in QR code images within emails.
description: Detect and prevent QR code phishing (quishing) attacks that bypass traditional email security by embedding malicious
URLs in QR code images within emails.
domain: cybersecurity
subdomain: phishing-defense
tags: [quishing, qr-code, phishing, email-security, image-analysis, ocr, mobile-security]
version: "1.0"
tags:
- quishing
- qr-code
- phishing
- email-security
- image-analysis
- ocr
- mobile-security
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0052
- AML.T0024
- AML.T0035
nist_ai_rmf:
- MEASURE-2.8
- MAP-5.1
---
# Detecting QR Code Phishing with Email Security
skills/detecting-service-account-abuse/SKILL.md
+16 -3
View File
@@ -1,12 +1,25 @@
---
name: detecting-service-account-abuse
description: Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement, and unauthorized access patterns.
description: Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement,
and unauthorized access patterns.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, service-accounts, privilege-escalation, t1078, proactive-detection]
version: "1.0"
tags:
- threat-hunting
- mitre-attack
- service-accounts
- privilege-escalation
- t1078
- proactive-detection
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Restore Access
- Password Authentication
- Biometric Authentication
- Strong Password Policy
- Restore User Account Access
---
# Detecting Service Account Abuse
skills/detecting-supply-chain-attacks-in-ci-cd/SKILL.md
+18 -7
View File
@@ -1,16 +1,27 @@
---
name: detecting-supply-chain-attacks-in-ci-cd
description: >
Scans GitHub Actions workflows and CI/CD pipeline configurations for supply chain
attack vectors including unpinned actions, script injection via expressions, dependency
confusion, and secrets exposure. Uses PyGithub and YAML parsing for automated audit.
Use when hardening CI/CD pipelines or investigating compromised build systems.
description: 'Scans GitHub Actions workflows and CI/CD pipeline configurations for supply chain attack vectors including unpinned
actions, script injection via expressions, dependency confusion, and secrets exposure. Uses PyGithub and YAML parsing for
automated audit. Use when hardening CI/CD pipelines or investigating compromised build systems.
'
domain: cybersecurity
subdomain: security-operations
tags: [detecting, supply, chain, attacks]
version: "1.0"
tags:
- detecting
- supply
- chain
- attacks
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0010
- AML.T0104
nist_ai_rmf:
- GOVERN-5.2
- MAP-1.6
- MANAGE-2.2
---
# Detecting Supply Chain Attacks in CI/CD
skills/detecting-suspicious-powershell-execution/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: detecting-suspicious-powershell-execution
description: Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasion.
description: Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts,
and constrained language mode evasion.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, mitre-attack, powershell, execution, t1059, amsi, proactive-detection]
version: "1.0"
tags:
- threat-hunting
- mitre-attack
- powershell
- execution
- t1059
- amsi
- proactive-detection
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
---
# Detecting Suspicious Powershell Execution
skills/detecting-t1003-credential-dumping-with-edr/SKILL.md
+18 -3
View File
@@ -1,12 +1,27 @@
---
name: detecting-t1003-credential-dumping-with-edr
description: Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
description: Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials
using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, credential-dumping, lsass, mitre-t1003, edr, mimikatz, ntds, sam-database]
version: "1.0"
tags:
- threat-hunting
- credential-dumping
- lsass
- mitre-t1003
- edr
- mimikatz
- ntds
- sam-database
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Token Binding
- Execution Isolation
- File Metadata Consistency Validation
- Restore Access
- Application Protocol Command Analysis
---
# Detecting T1003 Credential Dumping with EDR
skills/detecting-t1055-process-injection-with-sysmon/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: detecting-t1055-process-injection-with-sysmon
description: Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns.
description: Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection
by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, process-injection, sysmon, mitre-t1055, defense-evasion, dll-injection, process-hollowing]
version: "1.0"
tags:
- threat-hunting
- process-injection
- sysmon
- mitre-t1055
- defense-evasion
- dll-injection
- process-hollowing
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
---
# Detecting T1055 Process Injection with Sysmon
skills/detecting-t1548-abuse-elevation-control-mechanism/SKILL.md
+16 -3
View File
@@ -1,12 +1,25 @@
---
name: detecting-t1548-abuse-elevation-control-mechanism
description: Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships.
description: Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation
by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, uac-bypass, privilege-escalation, mitre-t1548, elevation-control, windows-security]
version: "1.0"
tags:
- threat-hunting
- uac-bypass
- privilege-escalation
- mitre-t1548
- elevation-control
- windows-security
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Restore Access
- Password Authentication
---
# Detecting T1548 Abuse Elevation Control Mechanism
skills/detecting-wmi-persistence/SKILL.md
+18 -3
View File
@@ -1,12 +1,27 @@
---
name: detecting-wmi-persistence
description: Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation.
description: Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter,
EventConsumer, and FilterToConsumerBinding creation.
domain: cybersecurity
subdomain: threat-hunting
tags: [threat-hunting, wmi, persistence, sysmon, t1546.003, mitre-attack, windows, dfir]
version: "1.0"
tags:
- threat-hunting
- wmi
- persistence
- sysmon
- t1546.003
- mitre-attack
- windows
- dfir
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Platform Monitoring
---
# Detecting WMI Persistence
skills/executing-active-directory-attack-simulation/SKILL.md
+19 -9
View File
@@ -1,19 +1,29 @@
---
name: executing-active-directory-attack-simulation
description: >
Executes authorized attack simulations against Active Directory environments to identify
misconfigurations, weak credentials, dangerous privilege paths, and exploitable trust
relationships that could lead to domain compromise. The tester uses BloodHound for attack
path analysis, Mimikatz for credential extraction, and Impacket for protocol-level attacks
including Kerberoasting, AS-REP Roasting, and delegation abuse. Activates for requests
involving Active Directory pentest, AD attack simulation, domain compromise testing,
or Kerberos attack assessment.
description: 'Executes authorized attack simulations against Active Directory environments to identify misconfigurations,
weak credentials, dangerous privilege paths, and exploitable trust relationships that could lead to domain compromise. The
tester uses BloodHound for attack path analysis, Mimikatz for credential extraction, and Impacket for protocol-level attacks
including Kerberoasting, AS-REP Roasting, and delegation abuse. Activates for requests involving Active Directory pentest,
AD attack simulation, domain compromise testing, or Kerberos attack assessment.
'
domain: cybersecurity
subdomain: penetration-testing
tags: [Active-Directory, BloodHound, Mimikatz, Kerberoasting, domain-compromise]
tags:
- Active-Directory
- BloodHound
- Mimikatz
- Kerberoasting
- domain-compromise
version: 1.0.0
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Application Protocol Command Analysis
- Network Isolation
- Network Traffic Analysis
- Client-server Payload Profiling
- Network Traffic Community Deviation
---
# Executing Active Directory Attack Simulation
skills/executing-red-team-exercise/SKILL.md
+20 -9
View File
@@ -1,19 +1,30 @@
---
name: executing-red-team-exercise
description: >
Executes comprehensive red team exercises that simulate real-world adversary operations
against an organization's people, processes, and technology. The red team operates with
stealth as a primary objective, employing the full attack lifecycle from initial reconnaissance
through objective completion while testing the organization's detection and response
capabilities. This differs from penetration testing by focusing on adversary emulation
rather than vulnerability identification. Activates for requests involving red team exercise,
adversary simulation, adversary emulation, or full-scope offensive security assessment.
description: 'Executes comprehensive red team exercises that simulate real-world adversary operations against an organization''s
people, processes, and technology. The red team operates with stealth as a primary objective, employing the full attack
lifecycle from initial reconnaissance through objective completion while testing the organization''s detection and response
capabilities. This differs from penetration testing by focusing on adversary emulation rather than vulnerability identification.
Activates for requests involving red team exercise, adversary simulation, adversary emulation, or full-scope offensive security
assessment.
'
domain: cybersecurity
subdomain: penetration-testing
tags: [red-team, adversary-emulation, MITRE-ATT&CK, Cobalt-Strike, detection-assessment]
tags:
- red-team
- adversary-emulation
- MITRE-ATT&CK
- Cobalt-Strike
- detection-assessment
version: 1.0.0
author: mahipal
license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
---
# Executing Red Team Exercise

Some files were not shown because too many files have changed in this diff Show More