mukul975
886658219f
Add MITRE Fight Fraud Framework (F3 v1.1) mappings to fraud-relevant skills
...
- Add mitre_f3 frontmatter block to 94 fraud-relevant skills (phishing,
account takeover, banking malware, BEC, identity/KYC, payment/card fraud,
money-mule/cash-out, ransomware extortion, DFIR, threat intel)
- Map each skill to F3 v1.1 tactics + precise technique IDs, including the
two F3-specific tactics ATT&CK lacks: Positioning (FA0001) and
Monetization (FA0002)
- All 123 F3 v1.1 technique IDs validated against the upstream STIX bundle
(github.com/center-for-threat-informed-defense/fight-fraud-framework):
0 invalid IDs, 0 invalid tactics, 0 name mismatches, no placeholder IDs
- mitre_f3 kept as a separate block from mitre_attack (F3 redefines several
ATT&CK tactics for the fraud context)
- Add docs/mitre-f3-mapping.md schema reference
- Update README: F3 as the 6th framework, dedicated F3 section + badge
2026-06-20 16:06:04 +02:00
mukul975
cb8d79e068
Map all 754 skills to MITRE ATT&CK v19.1
...
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
techniques), verified against MITRE ATT&CK v19.1 via the official
mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00
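The two commits above both describe the same check: every technique ID written into skill frontmatter is validated against the upstream STIX bundle for malformed or placeholder IDs, unknown IDs, revoked or deprecated objects, and name mismatches. The block below is an added example of that validation logic, not the repository's own tooling. It assumes a `mitre_attack` frontmatter shape of `[{"id": ..., "name": ...}]` (the real schema may differ) and uses a constructed, five-object STIX-style bundle in place of the MITRE download; the ATT&CK ID regex is used for ATT&CK only, since the F3 technique ID format is not stated on this page.

```python
import re

# ATT&CK-style technique IDs: T1234 or T1234.001. F3 IDs are not covered here.
ATTACK_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed stand-in for the upstream STIX bundle. Only the fields the check
# needs are present; T1003.006, T1558.003 and T1562.001 are real ATT&CK IDs
# mentioned in the commit messages above, T1999 is a made-up "deprecated" entry.
STIX_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "name": "DCSync",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1003.006"}]},
        {"type": "attack-pattern", "name": "Kerberoasting",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1558.003"}]},
        {"type": "attack-pattern", "name": "Disable or Modify Tools", "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1562.001"}]},
        {"type": "attack-pattern", "name": "Old Technique", "x_mitre_deprecated": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1999"}]},
        {"type": "x-mitre-tactic", "name": "Credential Access",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0006"}]},
    ],
}

# Constructed skill frontmatter (assumed [{"id", "name"}] shape) with one clean
# skill, one name mismatch, and one stub carrying every kind of bad ID.
SKILLS = {
    "detecting-dcsync-attacks": [{"id": "T1003.006", "name": "DCSync"}],
    "hunting-kerberoasting": [{"id": "T1558.003", "name": "Kerberoast"}],
    "example-stub": [{"id": "T1562.001"}, {"id": "TXXXX"}, {"id": "T9999"}, {"id": "T1999"}],
}


def index_bundle(bundle, source_name="mitre-attack"):
    """Map external_id -> (name, usable) for every attack-pattern object.

    An object is usable only if it is neither revoked nor deprecated; tactics
    and other object types are skipped so a tactic ID cannot pass as a technique.
    """
    index = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        usable = not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == source_name:
                index[ref["external_id"]] = (obj["name"], usable)
    return index


def validate_mapping(skill_name, mapping, index, id_re=ATTACK_ID_RE):
    """Return (skill, technique_id, problem) tuples; an empty list means clean."""
    problems = []
    for entry in mapping:
        tid = entry["id"]
        # Placeholders such as TXXXX fail the digit pattern, so one check covers both.
        if not id_re.match(tid):
            problems.append((skill_name, tid, "malformed or placeholder id"))
            continue
        if tid not in index:
            problems.append((skill_name, tid, "unknown id"))
            continue
        name, usable = index[tid]
        if not usable:
            problems.append((skill_name, tid, "revoked or deprecated"))
        # Only compare names when the frontmatter actually carries one.
        if entry.get("name") and entry["name"] != name:
            problems.append((skill_name, tid, f"name mismatch: {entry['name']!r} != {name!r}"))
    return problems


def validate_all(skills, bundle):
    """Validate every skill's mapping against one indexed bundle."""
    index = index_bundle(bundle)
    problems = []
    for skill, mapping in skills.items():
        problems.extend(validate_mapping(skill, mapping, index))
    return problems


if __name__ == "__main__":
    for skill, tid, problem in validate_all(SKILLS, STIX_BUNDLE):
        print(f"{skill}: {tid}: {problem}")
```

On a real run the bundle would be loaded with `json.load` from the downloaded STIX file and the skill dictionary built by walking each `SKILL.md` frontmatter; the check itself does not change. Note that a revoked object is still present in the bundle, so "ID exists" alone is not enough; the `revoked`/`x_mitre_deprecated` flags are what distinguish "0 invalid IDs" from "0 revoked or deprecated IDs".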
Andrew Barnes
2338e0371c
Fix Objection skill description frontmatter
...
Normalize YAML description so tools can reliably parse it.
2026-05-25 09:04:36 -04:00
claude[bot]
fbc47b7ac2
fix: replace word-split tags with domain-specific cybersecurity tags
...
Three SKILL.md files had tags that were simply words split from the
skill name (e.g., "analyzing", "block", "with", "logs") rather than
meaningful discovery keywords. Replace with domain-specific terms that
agents and search tools can actually use for routing.
- analyzing-powershell-script-block-logging: [powershell, script-block-logging, event-id-4104, obfuscation-detection, windows-forensics, endpoint-security]
- analyzing-azure-activity-logs-for-threats: [azure, cloud-security, azure-monitor, kql, threat-hunting, activity-logs]
- analyzing-memory-forensics-with-lime-and-volatility: [memory-forensics, linux-forensics, lime, volatility, incident-response, kernel-modules]
Co-Authored-By: Claude Code <noreply@anthropic.com>
2026-04-21 00:35:35 +00:00
mukul975
efca3ec611
feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills
...
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.
All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00
mukul975
ef27f026cb
feat: enrich 209 skills with MITRE ATLAS, D3FEND, and NIST AI RMF frontmatter
...
Added structured security framework mappings to SKILL.md frontmatter across all applicable skills:
- atlas_techniques: MITRE ATLAS v5.5 AML.TXXXX IDs (81 skills, AI-targeted attack techniques)
- d3fend_techniques: MITRE D3FEND v1.3 defensive technique labels (139 skills, mapped from ATT&CK IDs)
- nist_ai_rmf: NIST AI RMF 1.0 subcategory IDs (85 skills, AI risk management functions)
Also updates ATTACK_COVERAGE.md with coverage statistics for all three frameworks.
2026-04-06 01:56:17 +02:00
Mahipal
1cf19ded90
Merge pull request #26 from juliosuas/add-mitre-attack-incident-response
...
Add MITRE ATT&CK IDs to incident response skills (fixes #1)
2026-04-03 02:30:23 -04:00
Mahipal
a7f577b482
Add skill: performing-cloud-native-threat-hunting-with-aws-detective
...
Add skill: performing-cloud-native-threat-hunting-with-aws-detective
2026-04-03 02:30:17 -04:00
mukul975
476a0880f4
Fix ESET AV false positive on AMSI bypass strings in skill docs
2026-03-28 12:40:53 +01:00
MAGI
a072845a3f
Fix review comments: correct AWS Detective API usage and forensic ordering
...
- Fix FilterCriteria to use singular Severity/Status with Value objects
instead of invalid plural Severities/Statuses arrays (SKILL.md + process.py)
- Fix get_entity_history: rename to get_investigation_indicators, use
investigation_id instead of entity_arn for InvestigationId parameter
- Replace invalid inv-* placeholders with 21-digit numeric IDs
- Fix Expected Output to match real API response structure (no embedded
Indicators; document separate list-indicators call and indicator types)
- Fix CLI --filter-criteria example to use correct format
- Update process.py --severity to accept single value with validation
- Add --max-results validation (1-100 range)
- Add pagination via _collect_all_pages helper for all list API calls
- Reorder Response Actions checklist: evidence preservation before containment
- Reorder Phase 5 workflow: preserve evidence first when safe
2026-03-28 02:06:16 -06:00
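The review fixes above touch four things a caller of the Detective API gets wrong easily: the filter shape (singular `Severity`/`Status` keys wrapping a `Value`), the 21-digit numeric investigation IDs, the 1-100 `MaxResults` range, and the fact that every list call is paginated with `NextToken` and that indicators come from a separate call rather than being embedded in the investigation. The block below is an added example of those pieces, not the skill's `process.py`. The response key names (`InvestigationDetails`, `Indicators`, `NextToken`) and the severity/status value sets follow the boto3 `detective` documentation as I know it and should be checked against the installed SDK; the `FakeDetective` class, the graph ARN and all investigation data are constructed so the example runs offline.

```python
import re

# Value sets for the singular Severity / Status filters (check against your SDK version).
SEVERITIES = {"INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
STATUSES = {"RUNNING", "FAILED", "SUCCESSFUL"}
# Investigation IDs are 21-digit numeric strings, not "inv-..." style placeholders.
INVESTIGATION_ID_RE = re.compile(r"^\d{21}$")


def build_filter_criteria(severity=None, status=None):
    """Return the FilterCriteria dict in the shape the API accepts.

    The wrong form was {"Severities": ["HIGH"]}; the right form is
    {"Severity": {"Value": "HIGH"}} with one value per key.
    """
    criteria = {}
    if severity is not None:
        if severity not in SEVERITIES:
            raise ValueError(f"severity must be one of {sorted(SEVERITIES)}, got {severity!r}")
        criteria["Severity"] = {"Value": severity}
    if status is not None:
        if status not in STATUSES:
            raise ValueError(f"status must be one of {sorted(STATUSES)}, got {status!r}")
        criteria["Status"] = {"Value": status}
    return criteria


def validate_max_results(value):
    """--max-results is a page size, bounded by the API to 1..100."""
    n = int(value)
    if not 1 <= n <= 100:
        raise ValueError("--max-results must be between 1 and 100")
    return n


def collect_all_pages(call, result_key, **params):
    """Follow NextToken until the service stops returning one."""
    items, token = [], None
    while True:
        page = call(**params) if token is None else call(**params, NextToken=token)
        items.extend(page.get(result_key, []))
        token = page.get("NextToken")
        if not token:
            return items


def list_investigation_ids(client, graph_arn, severity=None, status=None, max_results=50):
    """All investigation IDs in a graph matching the filter, across every page."""
    params = {"GraphArn": graph_arn, "MaxResults": validate_max_results(max_results)}
    criteria = build_filter_criteria(severity, status)
    if criteria:
        params["FilterCriteria"] = criteria
    details = collect_all_pages(client.list_investigations, "InvestigationDetails", **params)
    ids = [d["InvestigationId"] for d in details]
    bad = [i for i in ids if not INVESTIGATION_ID_RE.match(i)]
    if bad:
        raise ValueError(f"unexpected investigation id format: {bad}")
    return ids


def list_indicators(client, graph_arn, investigation_id):
    """Indicators are not embedded in the investigation; they need their own call."""
    if not INVESTIGATION_ID_RE.match(investigation_id):
        raise ValueError(f"not a 21-digit investigation id: {investigation_id!r}")
    return collect_all_pages(client.list_indicators, "Indicators",
                             GraphArn=graph_arn, InvestigationId=investigation_id)


class FakeDetective:
    """Constructed offline stand-in for the boto3 Detective client.

    Serves rows in pages of `page_size` and hands back a NextToken (the offset
    as a string) until the rows are exhausted, which is enough to exercise the
    pagination helper. Every call's kwargs are recorded for inspection.
    """

    def __init__(self, investigations, indicators, page_size=2):
        self._inv, self._ind, self._page, self.calls = investigations, indicators, page_size, []

    def _paged(self, key, rows, kwargs):
        self.calls.append(kwargs)
        start = int(kwargs.get("NextToken", "0"))
        size = min(kwargs.get("MaxResults", self._page), self._page)
        out = {key: rows[start:start + size]}
        if start + size < len(rows):
            out["NextToken"] = str(start + size)
        return out

    def list_investigations(self, **kwargs):
        return self._paged("InvestigationDetails", self._inv, kwargs)

    def list_indicators(self, **kwargs):
        return self._paged("Indicators", self._ind, kwargs)


# Constructed sample data: five investigations with 21-digit IDs, three indicators.
GRAPH_ARN = "arn:aws:detective:us-east-1:123456789012:graph:0123456789abcdef"
SAMPLE_INVESTIGATIONS = [{"InvestigationId": str(10**20 + i), "Severity": "HIGH",
                          "Status": "SUCCESSFUL"} for i in range(5)]
SAMPLE_INDICATORS = [{"IndicatorType": "TTP_OBSERVED"}, {"IndicatorType": "IMPOSSIBLE_TRAVEL"},
                     {"IndicatorType": "FLAGGED_IP_ADDRESS"}]

if __name__ == "__main__":
    client = FakeDetective(SAMPLE_INVESTIGATIONS, SAMPLE_INDICATORS)
    for inv_id in list_investigation_ids(client, GRAPH_ARN, severity="HIGH", status="SUCCESSFUL"):
        print(inv_id, [i["IndicatorType"] for i in list_indicators(client, GRAPH_ARN, inv_id)])
```

Swapping `FakeDetective` for `boto3.client("detective")` is the only change needed for a live run; the value validation happens before any network call, so a bad `--severity` or `--max-results` fails fast instead of as an API error after authentication.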
MAGI
41b828e758
fix: add missing process.py implementation for aws-detective skill
...
The process.py script was empty (0 bytes). Added a functional
implementation that lists behavior graphs, retrieves investigations,
queries indicators, and exports results — matching the pattern of
other skills in the repository.
2026-03-28 02:06:16 -06:00
MAGI
2f6701d2d8
Add skill: performing-cloud-native-threat-hunting-with-aws-detective (fixes #6)
2026-03-28 02:06:16 -06:00
Julio César Suástegui
84b4699e59
fix: remove out-of-scope changes (cloud-waf tags, zero-trust description rewrite)
2026-03-28 02:06:00 -06:00
MAGI
c7ad5e7b98
Fix round 3: refine MITRE ATT&CK mappings per CodeRabbit review
...
- osquery: replace broad IDs with concrete detections (T1049, T1620, T1053.003, T1548.001, T1552)
- credential extraction: replace T1550 with T1552 (Unsecured Credentials)
- persistence investigation: use sub-techniques (T1547.001, T1053.005, T1543.003, T1546.003)
2026-03-28 02:06:00 -06:00
MAGI
15d53bd09b
Fix MITRE ATT&CK mappings per CodeRabbit review: align techniques to skill content
...
- analyzing-malware-persistence-with-autoruns: add persistence techniques T1547, T1053, T1543, T1546
- analyzing-memory-dumps-with-volatility: add memory forensics techniques T1055, T1003, T1059, T1620
- analyzing-persistence-mechanisms-in-linux: add Linux-specific sub-techniques T1053.003, T1543.002, T1574.006, T1546.004
- analyzing-windows-prefetch-with-python: add execution techniques T1059, T1204, T1036
- building-incident-response-dashboard: remove misaligned mitre_attack (dashboard is a visibility tool)
- building-phishing-reporting-button-workflow: add phishing techniques T1566, T1204, T1534
- deobfuscating-powershell-obfuscated-malware: add PowerShell/obfuscation techniques T1059.001, T1027, T1140
2026-03-28 02:06:00 -06:00
MAGI
100361c3e5
Scope fix: remove mitre_attack from 24 non-incident-response skills, use sub-techniques
...
- Removed mitre_attack from digital-forensics, cloud-security, malware-analysis,
endpoint-security, threat-hunting, ransomware-defense, phishing-defense, and
security-operations subdomain skills (out of PR scope per issue #1)
- Applied sub-technique IDs where appropriate (T1566.001, T1003.001, etc.)
- Only incident-response and soc-operations skills retain mappings
2026-03-28 02:06:00 -06:00
MAGI
42258456e8
Fix MITRE ATT&CK mappings per CodeRabbit review
...
- Replace generic T1190/T1059/T1078 with context-specific techniques
- Persistence: T1547, T1053, T1543, T1574
- Credentials: T1003, T1558, T1550
- Phishing: T1566, T1204, T1534
- Ransomware: T1486, T1490, T1489
- Cloud: T1078, T1537, T1580, T1098
- Remove mappings from out-of-scope subdomains (ot-ics, malware-analysis, digital-forensics)
2026-03-28 02:05:57 -06:00
MAGI
5e62a7ea2c
Add MITRE ATT&CK technique IDs to 60 incident-response skills (fixes #1)
2026-03-28 02:05:53 -06:00
Julio César Suástegui
97c213f9a4
Add skill: detecting-lateral-movement-with-zeek (fixes #5) (#29)
2026-03-27 10:24:16 +01:00
mukul975
e2c3836c30
feat: upgrade 5 skills with full content for v1.1.0
...
Replaced stub SKILL.md files with complete implementations:
- analyzing-linux-audit-logs-for-intrusion (257 lines, full auditd workflow)
- analyzing-windows-amcache-artifacts (237 lines, AmcacheParser + timeline)
- detecting-oauth-token-theft (266 lines, Azure AD token protection)
- implementing-devsecops-security-scanning (372 lines, full CI/CD pipeline)
- implementing-privileged-session-monitoring (323 lines, PAM session audit)
Also bumps index.json to version 1.1.0.
2026-03-21 12:36:58 +01:00
mukul975
d833f0eab9
Add 30 new production-grade cybersecurity skills: AI security, supply chain, firmware, cloud-native, compliance, deception, crypto, threat hunting, purple team, OT, privacy
2026-03-19 19:14:25 +01:00
mukul975
a1e9ca5a4a
Expand 4 remaining SKILL.md stubs with researched content
2026-03-19 14:12:18 +01:00
mukul975
5a64fb0416
Fix last 2 issues: expand Datadog SKILL.md, fix XSOAR verify=False
2026-03-19 13:56:37 +01:00
mukul975
051e7e72ed
Expand 38 agent.py stubs, standardize 347 SKILL.md sections, fix 4 verify=False
2026-03-19 13:55:55 +01:00
mukul975
7e2e6ad664
Expand boilerplate agent.py stubs with real implementations (batch 2)
2026-03-19 13:44:38 +01:00
mukul975
682d416c6e
Remove backed-up duplicate skills to fix validation pipeline
2026-03-19 13:41:56 +01:00
mukul975
3492302a13
Fix frontmatter descriptions, duplicate YAML blocks, title headings across 60 files
2026-03-19 13:39:41 +01:00
mukul975
d005ae764b
Expand 39 api-reference stubs with real tool docs, expand 15 agent.py boilerplate stubs
2026-03-19 13:29:50 +01:00
mukul975
c47eed6a64
Production hardening: security fixes, code quality, 724 skills complete
...
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00
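The hardening commit above lists the recurring fixes: `shell=True` calls replaced by argument lists, `verify=False` replaced by an environment-variable override, timeouts on every external call, and SQL built from user input replaced by allowlist validation. The block below is an added example of what those four patterns look like side by side in one small Python module; it is not code from the repository. The environment variable names (`SKILL_TLS_INSECURE`, `SKILL_CA_BUNDLE`, `SKILL_HTTP_TIMEOUT`), the table schema and the sample rows are my own assumptions for illustration.

```python
import os
import re
import sqlite3
import subprocess
from typing import Mapping

# Hostnames are the only thing allowed into the ping argv; anything else is refused.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")
# Column names cannot be bound as SQL parameters, so ORDER BY goes through an allowlist.
ALLOWED_SORT_COLUMNS = {"ts", "host", "severity"}


def build_argv(host: str) -> list:
    """Argument list for a host check; replaces subprocess.run(f"ping -c 1 {host}", shell=True).

    With shell=True, "example.com; id" runs a second command. With a list, the
    host is one argv element and never reaches a shell; validating it first
    also keeps option-looking input such as "-f" out of the command.
    """
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"refusing suspicious host {host!r}")
    return ["ping", "-c", "1", host]


def run_argv(argv, timeout=10.0):
    """Run without a shell and with a timeout, so a hung target cannot hang the agent."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout, check=False)


def order_clause(column: str) -> str:
    """Allowlisted ORDER BY; 'ts; DROP TABLE events' is rejected before it nears the query."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column must be one of {sorted(ALLOWED_SORT_COLUMNS)}")
    return f"ORDER BY {column}"


def query_events(conn, host: str, sort_by: str):
    """Host goes in as a bound parameter; only the allowlisted column is interpolated."""
    sql = f"SELECT ts, host, severity FROM events WHERE host = ? {order_clause(sort_by)}"
    return conn.execute(sql, (host,)).fetchall()


def demo_db():
    """Constructed in-memory table standing in for a skill's local event store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts INTEGER, host TEXT, severity INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)",
                     [(1, "web01", 5), (2, "web01", 2), (3, "db01", 9)])
    return conn


def tls_verify(env: Mapping[str, str] = os.environ):
    """Value for requests' verify= argument. Default is True; never a hardcoded False.

    SKILL_TLS_INSECURE=1 turns verification off for a lab with self-signed
    certificates; SKILL_CA_BUNDLE points at a private CA so production keeps
    verification on without the override. (Variable names are assumed.)
    """
    if env.get("SKILL_TLS_INSECURE", "").strip().lower() in {"1", "true", "yes"}:
        return False
    return env.get("SKILL_CA_BUNDLE") or True


def http_timeout(env: Mapping[str, str] = os.environ, default: float = 30.0) -> float:
    """Timeout for every HTTP call; requests waits forever when none is passed."""
    return float(env.get("SKILL_HTTP_TIMEOUT", default))


if __name__ == "__main__":
    print(build_argv("example.com"))
    print(query_events(demo_db(), "web01", "severity"))
    print("verify =", tls_verify(), "timeout =", http_timeout())
    # A harmless stand-in for the ping: no shell, bounded wait.
    print(run_argv(["echo", "example.com; id"], timeout=5).stdout.strip())
```

The two rejections are the important part: the host and the column are checked before any string is assembled, so the later `subprocess.run` and `conn.execute` calls only ever see values that passed. Binding `host` as a parameter is what makes the `WHERE` clause safe; the allowlist is needed only for the part of the statement (the column name) that SQL cannot parameterize.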
juliosuas
2967d69d48
Translate top skills to Spanish
...
Adds Spanish translations for 7 cybersecurity skills.
2026-03-19 10:06:13 +01:00
juliosuas
cfa57cf8bf
Add working example output to digital-forensics skills
...
Adds realistic example output sections to 10 digital forensics skills.
2026-03-19 10:05:56 +01:00
juliosuas
34e0cf6e2d
Fix NIST CSF 2.0 category counts in table: ID=3, RC=2
...
The summary table had incorrect category counts for Identify (4 → 3)
and Recover (1 → 2), inconsistent with the frontmatter mapping and
official NIST CSF 2.0 specification (GV:6 + ID:3 + PR:5 + DE:2 +
RS:4 + RC:2 = 22 categories).
2026-03-19 10:02:23 +01:00
juliosuas
16201a7e60
Address CodeRabbit review: legal guardrails, mkdir, filename consistency, HIBP headers
2026-03-19 10:02:22 +01:00
juliosuas
788404ca75
Add skill: performing-ai-driven-osint-correlation
2026-03-19 10:02:22 +01:00
juliosuas
ebffa4fb4f
Fix NIST CSF 2.0: correct official 22 categories (add RS.MI, RC.CO; remove ID.AA)
2026-03-17 22:11:05 -06:00
juliosuas
ba9146a2cd
Fix NIST CSF category count: include all 22 categories
2026-03-17 17:17:02 -06:00
juliosuas
03da94c256
Add NIST CSF 2.0 categories to compliance-governance skills (fixes #2)
2026-03-17 10:28:43 -06:00
mukul975
4ed6f49151
chore: fix license, add disclaimer, quick start, GitHub topics, issue templates
2026-03-11 01:42:50 +01:00
mukul975
b29b23470a
feat: add 5 new cybersecurity skills - secrets scanning CI/CD, Bluetooth assessment, DNS exfil Zeek, SOAR phishing, AD ACL abuse
2026-03-11 01:21:45 +01:00
mukul975
794489277c
fix: correct license from Apache-2.0 to MIT for batch 2 skills
2026-03-11 00:52:29 +01:00
mukul975
aba13ca5af
feat: add 5 new cybersecurity skills - Azure storage audit, supply chain simulation, Azure PIM, Empire artifacts, NTLM relay
2026-03-11 00:51:19 +01:00
mukul975
c0c5bbaac1
Add 5 new cybersecurity skills: golden ticket detection, traffic baselining, sandbox evasion analysis, domain fronting hunting, SpiderFoot OSINT
2026-03-11 00:49:24 +01:00
mukul975
ff3a9ce224
feat: add 4 new cybersecurity skills - UEBA insider threat, BeyondCorp zero trust, Linux kernel rootkits, CobaltStrike beacon hunting
2026-03-11 00:48:56 +01:00
mukul975
42cd69598e
Add 5 new cybersecurity skills batch 2 - oauth token theft, binary exploitation, STIX2 sharing, linux audit logs, timestomping detection
2026-03-11 00:48:13 +01:00
mukul975
4d6d585285
Add 10 new cybersecurity skills with full folder anatomy
...
Skills added:
- implementing-privileged-access-workstation (IAM, PAW hardening)
- detecting-suspicious-oauth-application-consent (cloud security, Graph API)
- performing-hardware-security-module-integration (cryptography, PKCS#11)
- analyzing-android-malware-with-apktool (malware analysis, androguard)
- hunting-for-unusual-service-installations (threat hunting, T1543.003)
- detecting-shadow-it-cloud-usage (cloud security, proxy/DNS log analysis)
- performing-active-directory-forest-trust-attack (red team, impacket)
- implementing-deception-based-detection-with-canarytoken (deception, Canary API)
- analyzing-office365-audit-logs-for-compromise (cloud security, BEC detection)
- hunting-for-startup-folder-persistence (threat hunting, T1547.001)
Each skill includes SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:47:03 +01:00
mukul975
014c387ff3
feat: add 5 cybersecurity skills - CloudTrail anomalies, SSL/TLS assessment, Wazuh detection, Prefetch analysis, WMI lateral movement
2026-03-11 00:44:42 +01:00
mukul975
7308b56252
feat: add 5 new cybersecurity skills - WMI persistence, CloudTrail forensics, honeypots, PDF malware, DCSync detection
2026-03-11 00:42:59 +01:00
mukul975
aea97ff9ff
Add 5 new cybersecurity skills: AFL++ fuzzing, Sysmon scheduled task detection, ModSecurity WAF logging, MITRE Navigator TTP analysis, PowerShell script block hunting
2026-03-11 00:41:59 +01:00
mukul975
546f1ae6ef
Add 5 new cybersecurity skills: greenbone vuln mgmt, email compromise detection, MISP sharing, CobaltStrike C2 analysis, registry run key hunting
2026-03-11 00:41:59 +01:00
mukul975
757f1c8eae
Add 5 new cybersecurity skills with full implementations
...
- implementing-vulnerability-management-with-greenbone: python-gvm GMP API, scan task creation, XML report parsing
- detecting-email-account-compromise: Microsoft Graph inbox rules, impossible travel detection, OAuth grant analysis
- performing-threat-intelligence-sharing-with-misp: PyMISP event creation, attribute management, sharing validation
- analyzing-cobaltstrike-malleable-c2-profiles: dissect.cobaltstrike C2Profile parsing, Suricata rule generation
- hunting-for-registry-run-key-persistence: Sysmon Event 13 analysis, T1547.001 detection, Sigma rule generation
2026-03-11 00:41:59 +01:00