chore: auto-update index.json

- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution

.claude-plugin/marketplace.json

@@ -2,18 +2,18 @@
   "name": "anthropic-cybersecurity-skills",
   "owner": {
     "name": "mukul975",
-    "email": "mukul975@users.noreply.github.com"
+    "email": "mukuljangra5@gmail.com"
   },
   "metadata": {
-    "description": "607+ cybersecurity skills for AI agents and security practitioners covering web security, pentesting, forensics, threat intelligence, cloud security, and more.",
-    "version": "1.0.0"
+    "description": "754 cybersecurity skills for AI agents mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, and NIST AI RMF.",
+    "version": "1.2.0"
   },
   "plugins": [
     {
       "name": "cybersecurity-skills",
       "source": "./",
-      "description": "607+ cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
-      "version": "1.0.0",
+      "description": "754 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more. Mapped to 5 frameworks.",
+      "version": "1.2.0",
       "author": {
         "name": "mukul975"
       },
@@ -34,4 +34,4 @@
       "repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
     }
   ]
-}
+}

.claude-plugin/plugin.json

@@ -1,5 +1,5 @@
 {
   "name": "cybersecurity-skills",
-  "description": "607+ cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
+  "description": "753 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
   "version": "1.0.0"
 }

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: mukul975
+custom: ["https://paypal.me/mahipaljangra"]

.github/workflows/sync-marketplace-version.yml

@@ -0,0 +1,39 @@
+name: Sync Marketplace Version on Release
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  sync-version:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract version from tag
+        id: version
+        run: |
+          VERSION=${GITHUB_REF_NAME#v}
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "tag=$GITHUB_REF_NAME" >> $GITHUB_OUTPUT
+
+      - name: Update marketplace.json version
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          jq --arg v "$VERSION" '.metadata.version = $v | .plugins[].version = $v' .claude-plugin/marketplace.json > tmp.json
+          mv tmp.json .claude-plugin/marketplace.json
+          echo "Updated marketplace.json to version $VERSION"
+
+      - name: Commit and push
+        run: |
+          git config user.name "mukul975"
+          git config user.email "mukuljangra5@gmail.com"
+          git add .claude-plugin/marketplace.json
+          git diff --staged --quiet || git commit -m "chore: bump marketplace version to ${{ steps.version.outputs.tag }}"
+          git push

.github/workflows/update-index.yml

@@ -5,6 +5,8 @@ on:
     branches: [main]
     paths:
       - 'skills/**'
+      - '.github/workflows/update-index.yml'
+  workflow_dispatch:
 
 jobs:
   update-index:
@@ -21,12 +23,9 @@ jobs:
           python3 << 'EOF'
           import os, json, re
           from datetime import datetime, timezone
-          from collections import Counter
 
           skills_dir = "skills"
           skills = []
-          subdomain_counts = Counter()
-          tag_counter = Counter()
 
           for skill_name in sorted(os.listdir(skills_dir)):
               skill_md = os.path.join(skills_dir, skill_name, "SKILL.md")
@@ -35,58 +34,37 @@ jobs:
               with open(skill_md, "r", encoding="utf-8") as f:
                   content = f.read()
               fm_match = re.match(r"^---\n(.*?)\n---", content, re.DOTALL)
-              if not fm_match:
-                  continue
-              fm = fm_match.group(1)
-              def get_field(field, text):
-                  m = re.search(rf"^{field}:\s*(.+)$", text, re.MULTILINE)
-                  return m.group(1).strip().strip('"') if m else ""
-              def get_tags(text):
-                  m = re.search(r"^tags:\s*\[(.+)\]", text, re.MULTILINE)
-                  return [t.strip() for t in m.group(1).split(",")] if m else []
-
-              tags = get_tags(fm)
-              subdomain = get_field("subdomain", fm)
-              subdomain_counts[subdomain] += 1
-              for t in tags:
-                  tag_counter[t] += 1
-
+              description = ""
+              if fm_match:
+                  m = re.search(r"^description:\s*(.+)$", fm_match.group(1), re.MULTILINE)
+                  if m:
+                      description = m.group(1).strip().strip('"')
               skills.append({
-                  "name": get_field("name", fm),
-                  "description": get_field("description", fm),
+                  "name": skill_name,
+                  "description": description,
                   "domain": "cybersecurity",
-                  "subdomain": subdomain,
-                  "tags": tags,
-                  "version": get_field("version", fm) or "1.0",
-                  "author": "mukul975",
-                  "license": "Apache-2.0",
                   "path": f"skills/{skill_name}"
               })
 
-          top_tags = sorted(tag_counter.items(), key=lambda x: -x[1])[:20]
           index = {
-              "version": "1.0.0",
+              "version": "1.1.0",
               "generated_at": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
               "repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills",
+              "domain": "cybersecurity",
               "total_skills": len(skills),
-              "total_domains": 1,
-              "total_subdomains": len(subdomain_counts),
-              "domain_stats": {"cybersecurity": len(skills)},
-              "subdomain_stats": dict(subdomain_counts),
-              "top_tags": [{"tag": t, "count": c} for t, c in top_tags],
               "skills": skills
           }
 
           with open("index.json", "w", encoding="utf-8") as f:
-              json.dump(index, f, indent=2)
+              json.dump(index, f, separators=(',', ':'))
 
-          print(f"Updated index.json: {len(skills)} skills, {len(subdomain_counts)} subdomains")
+          print(f"Updated index.json: {len(skills)} skills")
           EOF
 
       - name: Commit updated index
         run: |
           git config user.name "mukul975"
-          git config user.email "mukul975@users.noreply.github.com"
+          git config user.email "mukuljangra5@gmail.com"
           git add index.json
           git diff --staged --quiet || git commit -m "chore: auto-update index.json"
           git push

.gitignore

@@ -12,3 +12,5 @@ __pycache__/
 Thumbs.db
 *.swp
 launch/
+extract_attack.py
+AUDIT_REPORT.md

ATTACK_COVERAGE.md

@@ -0,0 +1,509 @@
+# MITRE ATT&CK Coverage Map
+
+<p align="center">
+  <a href="https://attack.mitre.org/"><img src="https://img.shields.io/badge/MITRE_ATT%26CK-v16-red?style=for-the-badge&logo=shield&logoColor=white" alt="MITRE ATT&CK" /></a>
+  <img src="https://img.shields.io/badge/Techniques-291+-blueviolet?style=for-the-badge" alt="Techniques" />
+  <img src="https://img.shields.io/badge/Tactics-14%2F14-green?style=for-the-badge" alt="Tactics" />
+</p>
+
+This document maps all **291 unique MITRE ATT&CK techniques** (across **149 parent techniques**) referenced in our **753+ cybersecurity skills** to the 14 Enterprise ATT&CK tactics. Use this to identify coverage gaps, plan detection engineering priorities, or validate your security program against the ATT&CK framework.
+
+> **How to read this:** Each technique links to its official ATT&CK page. Skills listed under each technique are the ones in this repository that teach detection, hunting, exploitation, or response for that technique.
+
+---
+
+## Coverage Summary
+
+| Tactic | Techniques | Coverage |
+|:-------|:---------:|:---------|
+| 🔎 **Reconnaissance** | **12** | `████████████░░░░░░░░░░░░░░░░░░` |
+| 🏗️ **Resource Development** | **7** | `███████░░░░░░░░░░░░░░░░░░░░░░░` |
+| 🚪 **Initial Access** | **18** | `██████████████████░░░░░░░░░░░░` |
+| ⚡ **Execution** | **18** | `██████████████████░░░░░░░░░░░░` |
+| 🔩 **Persistence** | **36** | `██████████████████████████████` |
+| ⬆️ **Privilege Escalation** | **11** | `███████████░░░░░░░░░░░░░░░░░░░` |
+| 🥷 **Defense Evasion** | **48** | `██████████████████████████████` |
+| 🔑 **Credential Access** | **27** | `███████████████████████████░░░` |
+| 🗺️ **Discovery** | **20** | `████████████████████░░░░░░░░░░` |
+| ↔️ **Lateral Movement** | **9** | `█████████░░░░░░░░░░░░░░░░░░░░░` |
+| 📦 **Collection** | **13** | `█████████████░░░░░░░░░░░░░░░░░` |
+| 📡 **Command and Control** | **20** | `████████████████████░░░░░░░░░░` |
+| 📤 **Exfiltration** | **12** | `████████████░░░░░░░░░░░░░░░░░░` |
+| 💥 **Impact** | **6** | `██████░░░░░░░░░░░░░░░░░░░░░░░░` |
+| 🔧 **Other/Cross-tactic** | **34** | |
+| | **291** | **Total unique techniques** |
+
+---
+
+## 🔎 Reconnaissance
+
+**12 techniques covered**
+
+| Technique | Skills |
+|:----------|:-------|
+| [T1589](https://attack.mitre.org/techniques/T1589/) | `conducting-full-scope-red-team-engagement`, `conducting-social-engineering-pretext-call`, `performing-open-source-intelligence-gathering` |
+| [T1590](https://attack.mitre.org/techniques/T1590/) | `performing-open-source-intelligence-gathering` |
+| [T1591](https://attack.mitre.org/techniques/T1591/) | `collecting-open-source-intelligence`, `conducting-social-engineering-pretext-call`, `performing-open-source-intelligence-gathering` |
+| [T1592](https://attack.mitre.org/techniques/T1592/) | `performing-open-source-intelligence-gathering` |
+| [T1593](https://attack.mitre.org/techniques/T1593/) | `conducting-full-scope-red-team-engagement`, `performing-open-source-intelligence-gathering` |
+| [T1594](https://attack.mitre.org/techniques/T1594/) | `performing-open-source-intelligence-gathering` |
+| [T1595](https://attack.mitre.org/techniques/T1595/) | `executing-red-team-engagement-planning`, `triaging-security-incident` |
+| [T1595.001](https://attack.mitre.org/techniques/T1595/001/) | `performing-open-source-intelligence-gathering` |
+| [T1595.002](https://attack.mitre.org/techniques/T1595/002/) | `performing-open-source-intelligence-gathering` |
+| [T1596](https://attack.mitre.org/techniques/T1596/) | `performing-open-source-intelligence-gathering` |
+| [T1598](https://attack.mitre.org/techniques/T1598/) | `conducting-social-engineering-pretext-call` |
+| [T1598.003](https://attack.mitre.org/techniques/T1598/003/) | `conducting-social-engineering-pretext-call`, `conducting-spearphishing-simulation-campaign` |
+
+---
+
+## 🏗️ Resource Development
+
+**7 techniques covered**
+
+| Technique | Skills |
+|:----------|:-------|
+| [T1583.001](https://attack.mitre.org/techniques/T1583/001/) | `building-red-team-c2-infrastructure-with-havoc`, `conducting-full-scope-red-team-engagement`, `conducting-spearphishing-simulation-campaign`, `implementing-mitre-attack-coverage-mapping` |
+| [T1583.003](https://attack.mitre.org/techniques/T1583/003/) | `building-red-team-c2-infrastructure-with-havoc` |
+| [T1584.001](https://attack.mitre.org/techniques/T1584/001/) | `hunting-for-dns-based-persistence` |
+| [T1585.002](https://attack.mitre.org/techniques/T1585/002/) | `conducting-spearphishing-simulation-campaign` |
+| [T1587.001](https://attack.mitre.org/techniques/T1587/001/) | `building-red-team-c2-infrastructure-with-havoc`, `conducting-full-scope-red-team-engagement` |
+| [T1608.001](https://attack.mitre.org/techniques/T1608/001/) | `conducting-spearphishing-simulation-campaign` |
+| [T1608.005](https://attack.mitre.org/techniques/T1608/005/) | `conducting-spearphishing-simulation-campaign` |
+
+---
+
+## 🚪 Initial Access
+
+**18 techniques covered**
+
+| Technique | Skills |
+|:----------|:-------|
+| [T1078](https://attack.mitre.org/techniques/T1078/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-powershell-script-block-logging`, `analyzing-windows-event-logs-in-splunk`, `building-threat-hunt-hypothesis-framework`, `conducting-full-scope-red-team-engagement` +13 more |
+| [T1078.001](https://attack.mitre.org/techniques/T1078/001/) | `detecting-service-account-abuse` |
+| [T1078.002](https://attack.mitre.org/techniques/T1078/002/) | `conducting-domain-persistence-with-dcsync`, `detecting-service-account-abuse`, `exploiting-active-directory-certificate-services-esc1`, `exploiting-constrained-delegation-abuse`, `exploiting-nopac-cve-2021-42278-42287` +1 more |
+| [T1078.003](https://attack.mitre.org/techniques/T1078/003/) | `performing-privilege-escalation-assessment` |
+| [T1078.004](https://attack.mitre.org/techniques/T1078/004/) | `detecting-azure-lateral-movement`, `detecting-azure-service-principal-abuse`, `implementing-mitre-attack-coverage-mapping`, `implementing-threat-modeling-with-mitre-attack` |
+| [T1091](https://attack.mitre.org/techniques/T1091/) | `executing-red-team-engagement-planning`, `performing-physical-intrusion-assessment` |
+| [T1133](https://attack.mitre.org/techniques/T1133/) | `executing-red-team-engagement-planning`, `performing-threat-landscape-assessment-for-sector` |
+| [T1190](https://attack.mitre.org/techniques/T1190/) | `conducting-full-scope-red-team-engagement`, `executing-red-team-engagement-planning`, `exploiting-ms17-010-eternalblue-vulnerability`, `hunting-for-webshell-activity`, `performing-threat-landscape-assessment-for-sector` +1 more |
+| [T1195](https://attack.mitre.org/techniques/T1195/) | `analyzing-supply-chain-malware-artifacts`, `performing-threat-landscape-assessment-for-sector` |
+| [T1195.001](https://attack.mitre.org/techniques/T1195/001/) | `hunting-for-supply-chain-compromise` |
+| [T1195.002](https://attack.mitre.org/techniques/T1195/002/) | `hunting-for-supply-chain-compromise` |
+| [T1199](https://attack.mitre.org/techniques/T1199/) | `hunting-for-supply-chain-compromise`, `performing-physical-intrusion-assessment` |
+| [T1200](https://attack.mitre.org/techniques/T1200/) | `executing-red-team-engagement-planning`, `performing-physical-intrusion-assessment` |
+| [T1566](https://attack.mitre.org/techniques/T1566/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-threat-actor-ttps-with-mitre-attack`, `analyzing-threat-landscape-with-misp`, `building-attack-pattern-library-from-cti-reports`, `hunting-advanced-persistent-threats` +3 more |
+| [T1566.001](https://attack.mitre.org/techniques/T1566/001/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-campaign-attribution-evidence`, `analyzing-macro-malware-in-office-documents`, `analyzing-threat-actor-ttps-with-mitre-navigator`, `building-attack-pattern-library-from-cti-reports` +13 more |
+| [T1566.002](https://attack.mitre.org/techniques/T1566/002/) | `building-attack-pattern-library-from-cti-reports`, `conducting-spearphishing-simulation-campaign`, `hunting-for-spearphishing-indicators`, `implementing-continuous-security-validation-with-bas`, `implementing-mitre-attack-coverage-mapping` +1 more |
+| [T1566.003](https://attack.mitre.org/techniques/T1566/003/) | `conducting-spearphishing-simulation-campaign`, `hunting-for-spearphishing-indicators`, `implementing-continuous-security-validation-with-bas` |
+| [T1566.004](https://attack.mitre.org/techniques/T1566/004/) | `conducting-social-engineering-pretext-call` |
+
+---
+
+## ⚡ Execution
+
+**18 techniques covered**
+
+| Technique | Skills |
+|:----------|:-------|
+| [T1047](https://attack.mitre.org/techniques/T1047/) | `conducting-full-scope-red-team-engagement`, `detecting-fileless-attacks-on-endpoints`, `detecting-lateral-movement-with-splunk`, `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas` +8 more |
+| [T1053](https://attack.mitre.org/techniques/T1053/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-persistence-mechanisms-in-linux`, `hunting-advanced-persistent-threats`, `hunting-for-persistence-mechanisms-in-windows`, `implementing-mitre-attack-coverage-mapping` +4 more |
+| [T1053.002](https://attack.mitre.org/techniques/T1053/002/) | `hunting-for-scheduled-task-persistence` |
+| [T1053.003](https://attack.mitre.org/techniques/T1053/003/) | `analyzing-persistence-mechanisms-in-linux`, `hunting-for-scheduled-task-persistence`, `performing-privilege-escalation-assessment`, `performing-privilege-escalation-on-linux` |
+| [T1053.005](https://attack.mitre.org/techniques/T1053/005/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-campaign-attribution-evidence`, `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl` +17 more |
+| [T1059](https://attack.mitre.org/techniques/T1059/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-threat-actor-ttps-with-mitre-attack`, `analyzing-windows-event-logs-in-splunk`, `building-incident-timeline-with-timesketch`, `deobfuscating-powershell-obfuscated-malware` +7 more |
+| [T1059.001](https://attack.mitre.org/techniques/T1059/001/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-campaign-attribution-evidence`, `analyzing-macro-malware-in-office-documents`, `analyzing-powershell-empire-artifacts`, `analyzing-powershell-script-block-logging` +29 more |
+| [T1059.003](https://attack.mitre.org/techniques/T1059/003/) | `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl`, `detecting-suspicious-powershell-execution`, `mapping-mitre-attack-techniques`, `performing-purple-team-atomic-testing` |
+| [T1059.004](https://attack.mitre.org/techniques/T1059/004/) | `performing-purple-team-atomic-testing` |
+| [T1059.005](https://attack.mitre.org/techniques/T1059/005/) | `analyzing-macro-malware-in-office-documents`, `detecting-living-off-the-land-attacks`, `executing-red-team-exercise`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` +2 more |
+| [T1059.006](https://attack.mitre.org/techniques/T1059/006/) | `performing-purple-team-atomic-testing` |
+| [T1059.007](https://attack.mitre.org/techniques/T1059/007/) | `performing-purple-team-atomic-testing` |
+| [T1129](https://attack.mitre.org/techniques/T1129/) | `performing-purple-team-atomic-testing` |
+| [T1203](https://attack.mitre.org/techniques/T1203/) | `performing-purple-team-atomic-testing` |
+| [T1204.001](https://attack.mitre.org/techniques/T1204/001/) | `conducting-spearphishing-simulation-campaign` |
+| [T1204.002](https://attack.mitre.org/techniques/T1204/002/) | `analyzing-macro-malware-in-office-documents`, `conducting-full-scope-red-team-engagement`, `conducting-spearphishing-simulation-campaign`, `detecting-living-off-the-land-attacks`, `executing-red-team-engagement-planning` +4 more |
+| [T1569](https://attack.mitre.org/techniques/T1569/) | `performing-purple-team-atomic-testing` |
+| [T1569.002](https://attack.mitre.org/techniques/T1569/002/) | `detecting-lateral-movement-in-network`, `detecting-lateral-movement-with-splunk`, `exploiting-ms17-010-eternalblue-vulnerability`, `performing-purple-team-atomic-testing` |
+
+---
+
+## 🔩 Persistence
+
+**36 techniques covered**
+
+| Technique | Skills |
+|:----------|:-------|
+| [T1098](https://attack.mitre.org/techniques/T1098/) | `analyzing-windows-event-logs-in-splunk`, `conducting-domain-persistence-with-dcsync`, `hunting-for-t1098-account-manipulation`, `implementing-mitre-attack-coverage-mapping`, `implementing-siem-use-cases-for-detection` +1 more |
+| [T1098.001](https://attack.mitre.org/techniques/T1098/001/) | `conducting-cloud-penetration-testing`, `detecting-azure-lateral-movement`, `detecting-azure-service-principal-abuse`, `hunting-for-t1098-account-manipulation`, `implementing-mitre-attack-coverage-mapping` |
+| [T1098.002](https://attack.mitre.org/techniques/T1098/002/) | `detecting-azure-lateral-movement`, `detecting-email-forwarding-rules-attack` |
+| [T1098.004](https://attack.mitre.org/techniques/T1098/004/) | `analyzing-persistence-mechanisms-in-linux`, `implementing-security-monitoring-with-datadog` |
+| [T1136](https://attack.mitre.org/techniques/T1136/) | `detecting-privilege-escalation-in-kubernetes-pods`, `implementing-mitre-attack-coverage-mapping`, `performing-purple-team-atomic-testing` |
+| [T1136.001](https://attack.mitre.org/techniques/T1136/001/) | `analyzing-windows-event-logs-in-splunk`, `performing-purple-team-atomic-testing` |
+| [T1136.002](https://attack.mitre.org/techniques/T1136/002/) | `exploiting-nopac-cve-2021-42278-42287` |
+| [T1197](https://attack.mitre.org/techniques/T1197/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
+| [T1505](https://attack.mitre.org/techniques/T1505/) | `performing-purple-team-atomic-testing` |
+| [T1505.003](https://attack.mitre.org/techniques/T1505/003/) | `building-attack-pattern-library-from-cti-reports`, `hunting-for-webshell-activity`, `performing-purple-team-atomic-testing` |
+| [T1542.001](https://attack.mitre.org/techniques/T1542/001/) | `analyzing-uefi-bootkit-persistence` |
+| [T1542.003](https://attack.mitre.org/techniques/T1542/003/) | `analyzing-uefi-bootkit-persistence` |
+| [T1543](https://attack.mitre.org/techniques/T1543/) | `analyzing-persistence-mechanisms-in-linux`, `hunting-for-persistence-mechanisms-in-windows`, `performing-purple-team-atomic-testing` |
+| [T1543.002](https://attack.mitre.org/techniques/T1543/002/) | `analyzing-persistence-mechanisms-in-linux`, `performing-privilege-escalation-on-linux` |
+| [T1543.003](https://attack.mitre.org/techniques/T1543/003/) | `detecting-lateral-movement-with-splunk`, `detecting-living-off-the-land-attacks`, `detecting-privilege-escalation-attempts`, `hunting-for-persistence-mechanisms-in-windows`, `hunting-for-unusual-service-installations` +2 more |
+| [T1546](https://attack.mitre.org/techniques/T1546/) | `analyzing-persistence-mechanisms-in-linux`, `performing-purple-team-atomic-testing` |
+| [T1546.001](https://attack.mitre.org/techniques/T1546/001/) | `performing-purple-team-atomic-testing` |
+| [T1546.003](https://attack.mitre.org/techniques/T1546/003/) | `analyzing-windows-event-logs-in-splunk`, `detecting-fileless-attacks-on-endpoints`, `detecting-fileless-malware-techniques`, `detecting-wmi-persistence`, `hunting-for-lateral-movement-via-wmi` +3 more |
+| [T1546.004](https://attack.mitre.org/techniques/T1546/004/) | `analyzing-persistence-mechanisms-in-linux` |
+| [T1546.010](https://attack.mitre.org/techniques/T1546/010/) | `hunting-for-persistence-mechanisms-in-windows` |
+| [T1546.012](https://attack.mitre.org/techniques/T1546/012/) | `hunting-for-persistence-mechanisms-in-windows`, `hunting-for-registry-persistence-mechanisms` |
+| [T1546.015](https://attack.mitre.org/techniques/T1546/015/) | `hunting-for-persistence-mechanisms-in-windows`, `hunting-for-registry-persistence-mechanisms` |
+| [T1547](https://attack.mitre.org/techniques/T1547/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-malware-persistence-with-autoruns`, `hunting-advanced-persistent-threats`, `hunting-for-persistence-mechanisms-in-windows`, `implementing-siem-use-cases-for-detection` +3 more |
+| [T1547.001](https://attack.mitre.org/techniques/T1547/001/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement`, `detecting-fileless-attacks-on-endpoints` +10 more |
+| [T1547.004](https://attack.mitre.org/techniques/T1547/004/) | `hunting-for-persistence-mechanisms-in-windows`, `hunting-for-registry-persistence-mechanisms`, `performing-purple-team-atomic-testing` |
+| [T1547.005](https://attack.mitre.org/techniques/T1547/005/) | `hunting-for-persistence-mechanisms-in-windows` |
+| [T1547.009](https://attack.mitre.org/techniques/T1547/009/) | `performing-purple-team-atomic-testing` |
+| [T1556](https://attack.mitre.org/techniques/T1556/) | `performing-initial-access-with-evilginx3` |
+| [T1556.007](https://attack.mitre.org/techniques/T1556/007/) | `detecting-azure-lateral-movement` |
+| [T1574](https://attack.mitre.org/techniques/T1574/) | `analyzing-persistence-mechanisms-in-linux`, `performing-purple-team-atomic-testing` |
+| [T1574.001](https://attack.mitre.org/techniques/T1574/001/) | `detecting-dll-sideloading-attacks`, `hunting-for-persistence-mechanisms-in-windows`, `performing-purple-team-atomic-testing` |
+| [T1574.002](https://attack.mitre.org/techniques/T1574/002/) | `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `detecting-dll-sideloading-attacks`, `implementing-siem-use-cases-for-detection`, `performing-purple-team-atomic-testing` |
+| [T1574.006](https://attack.mitre.org/techniques/T1574/006/) | `analyzing-persistence-mechanisms-in-linux`, `detecting-dll-sideloading-attacks`, `performing-privilege-escalation-on-linux` |
+| [T1574.008](https://attack.mitre.org/techniques/T1574/008/) | `detecting-dll-sideloading-attacks` |
+| [T1574.009](https://attack.mitre.org/techniques/T1574/009/) | `detecting-privilege-escalation-attempts` |
+| [T1574.011](https://attack.mitre.org/techniques/T1574/011/) | `detecting-privilege-escalation-attempts` |
+
+---
+
+## ⬆️ Privilege Escalation
+
+**11 techniques covered**
+
+| Technique | Skills |
+|:----------|:-------|
+| [T1068](https://attack.mitre.org/techniques/T1068/) | `conducting-full-scope-red-team-engagement`, `detecting-container-escape-attempts`, `detecting-privilege-escalation-attempts`, `detecting-privilege-escalation-in-kubernetes-pods`, `executing-red-team-engagement-planning` +5 more |
+| [T1134](https://attack.mitre.org/techniques/T1134/) | `analyzing-windows-event-logs-in-splunk`, `detecting-privilege-escalation-attempts` |
+| [T1134.001](https://attack.mitre.org/techniques/T1134/001/) | `detecting-privilege-escalation-attempts`, `exploiting-constrained-delegation-abuse`, `performing-purple-team-atomic-testing` |
+| [T1134.005](https://attack.mitre.org/techniques/T1134/005/) | `hunting-for-t1098-account-manipulation`, `performing-active-directory-compromise-investigation` |
+| [T1484](https://attack.mitre.org/techniques/T1484/) | `exploiting-active-directory-certificate-services-esc1`, `performing-active-directory-vulnerability-assessment` |
+| [T1484.001](https://attack.mitre.org/techniques/T1484/001/) | `deploying-active-directory-honeytokens`, `performing-active-directory-compromise-investigation` |
+| [T1548](https://attack.mitre.org/techniques/T1548/) | `detecting-container-escape-attempts`, `detecting-privilege-escalation-in-kubernetes-pods`, `detecting-t1548-abuse-elevation-control-mechanism`, `performing-privilege-escalation-assessment` |
+| [T1548.001](https://attack.mitre.org/techniques/T1548/001/) | `detecting-privilege-escalation-attempts`, `detecting-privilege-escalation-in-kubernetes-pods`, `detecting-t1548-abuse-elevation-control-mechanism`, `performing-privilege-escalation-assessment`, `performing-privilege-escalation-on-linux` |
+| [T1548.002](https://attack.mitre.org/techniques/T1548/002/) | `conducting-full-scope-red-team-engagement`, `detecting-privilege-escalation-attempts`, `detecting-t1548-abuse-elevation-control-mechanism`, `performing-purple-team-atomic-testing` |
+| [T1548.003](https://attack.mitre.org/techniques/T1548/003/) | `detecting-privilege-escalation-attempts`, `detecting-t1548-abuse-elevation-control-mechanism`, `performing-privilege-escalation-assessment`, `performing-privilege-escalation-on-linux` |
+| [T1548.004](https://attack.mitre.org/techniques/T1548/004/) | `detecting-t1548-abuse-elevation-control-mechanism` |
+
+---
+
+## 🥷 Defense Evasion
+
+**48 techniques covered**
+
+| Technique | Skills |
+|:----------|:-------|
+| [T1027](https://attack.mitre.org/techniques/T1027/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-powershell-empire-artifacts`, `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement` +3 more |
+| [T1036](https://attack.mitre.org/techniques/T1036/) | `detecting-evasion-techniques-in-endpoint-logs`, `implementing-mitre-attack-coverage-mapping`, `implementing-siem-use-cases-for-detection`, `performing-purple-team-atomic-testing` |
+| [T1036.005](https://attack.mitre.org/techniques/T1036/005/) | `detecting-process-injection-techniques`, `performing-purple-team-atomic-testing` |
+| [T1055](https://attack.mitre.org/techniques/T1055/) | `building-attack-pattern-library-from-cti-reports`, `building-red-team-c2-infrastructure-with-havoc`, `conducting-full-scope-red-team-engagement`, `detecting-evasion-techniques-in-endpoint-logs`, `detecting-fileless-attacks-on-endpoints` +13 more |
+| [T1055.001](https://attack.mitre.org/techniques/T1055/001/) | `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon`, `hunting-for-process-injection-techniques`, `performing-purple-team-atomic-testing` +1 more |
+| [T1055.002](https://attack.mitre.org/techniques/T1055/002/) | `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` |
+| [T1055.003](https://attack.mitre.org/techniques/T1055/003/) | `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon`, `performing-purple-team-atomic-testing` |
+| [T1055.004](https://attack.mitre.org/techniques/T1055/004/) | `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon`, `hunting-for-process-injection-techniques` |
+| [T1055.005](https://attack.mitre.org/techniques/T1055/005/) | `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` |
+| [T1055.008](https://attack.mitre.org/techniques/T1055/008/) | `detecting-process-injection-techniques` |
+| [T1055.009](https://attack.mitre.org/techniques/T1055/009/) | `detecting-process-injection-techniques` |
+| [T1055.011](https://attack.mitre.org/techniques/T1055/011/) | `detecting-process-injection-techniques` |
+| [T1055.012](https://attack.mitre.org/techniques/T1055/012/) | `conducting-malware-incident-response`, `detecting-fileless-malware-techniques`, `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` +2 more |
+| [T1055.013](https://attack.mitre.org/techniques/T1055/013/) | `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` |
+| [T1055.014](https://attack.mitre.org/techniques/T1055/014/) | `detecting-process-injection-techniques` |
+| [T1055.015](https://attack.mitre.org/techniques/T1055/015/) | `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` |
+| [T1070](https://attack.mitre.org/techniques/T1070/) | `detecting-evasion-techniques-in-endpoint-logs`, `implementing-siem-use-cases-for-detection`, `implementing-velociraptor-for-ir-collection`, `performing-purple-team-atomic-testing` |
+| [T1070.001](https://attack.mitre.org/techniques/T1070/001/) | `detecting-evasion-techniques-in-endpoint-logs`, `implementing-mitre-attack-coverage-mapping`, `performing-purple-team-atomic-testing`, `performing-purple-team-exercise` |
+| [T1070.004](https://attack.mitre.org/techniques/T1070/004/) | `implementing-threat-modeling-with-mitre-attack`, `performing-purple-team-atomic-testing` |
+| [T1070.006](https://attack.mitre.org/techniques/T1070/006/) | `detecting-evasion-techniques-in-endpoint-logs`, `hunting-for-defense-evasion-via-timestomping` |
+| [T1112](https://attack.mitre.org/techniques/T1112/) | `detecting-fileless-malware-techniques`, `performing-purple-team-atomic-testing` |
+| [T1127](https://attack.mitre.org/techniques/T1127/) | `detecting-evasion-techniques-in-endpoint-logs`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-lolbins-execution-in-endpoint-logs` |
+| [T1127.001](https://attack.mitre.org/techniques/T1127/001/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-lolbins-execution-in-endpoint-logs` |
+| [T1140](https://attack.mitre.org/techniques/T1140/) | `analyzing-powershell-script-block-logging`, `detecting-fileless-attacks-on-endpoints`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` +1 more |
+| [T1202](https://attack.mitre.org/techniques/T1202/) | `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` |
+| [T1218](https://attack.mitre.org/techniques/T1218/) | `detecting-evasion-techniques-in-endpoint-logs`, `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-advanced-persistent-threats`, `hunting-for-living-off-the-land-binaries` +3 more |
+| [T1218.001](https://attack.mitre.org/techniques/T1218/001/) | `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
+| [T1218.002](https://attack.mitre.org/techniques/T1218/002/) | `hunting-for-living-off-the-land-binaries` |
+| [T1218.003](https://attack.mitre.org/techniques/T1218/003/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
+| [T1218.004](https://attack.mitre.org/techniques/T1218/004/) | `detecting-living-off-the-land-attacks`, `hunting-for-lolbins-execution-in-endpoint-logs` |
+| [T1218.005](https://attack.mitre.org/techniques/T1218/005/) | `detecting-fileless-malware-techniques`, `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` +1 more |
+| [T1218.007](https://attack.mitre.org/techniques/T1218/007/) | `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` |
+| [T1218.010](https://attack.mitre.org/techniques/T1218/010/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
+| [T1218.011](https://attack.mitre.org/techniques/T1218/011/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-dynamic-analysis-with-any-run` +1 more |
+| [T1218.013](https://attack.mitre.org/techniques/T1218/013/) | `detecting-living-off-the-land-attacks` |
+| [T1222.001](https://attack.mitre.org/techniques/T1222/001/) | `conducting-domain-persistence-with-dcsync` |
+| [T1497](https://attack.mitre.org/techniques/T1497/) | `analyzing-malware-sandbox-evasion-techniques` |
+| [T1497.001](https://attack.mitre.org/techniques/T1497/001/) | `analyzing-malware-sandbox-evasion-techniques` |
+| [T1497.002](https://attack.mitre.org/techniques/T1497/002/) | `analyzing-malware-sandbox-evasion-techniques` |
+| [T1497.003](https://attack.mitre.org/techniques/T1497/003/) | `analyzing-malware-sandbox-evasion-techniques` |
+| [T1550](https://attack.mitre.org/techniques/T1550/) | `performing-lateral-movement-detection` |
+| [T1550.001](https://attack.mitre.org/techniques/T1550/001/) | `detecting-azure-lateral-movement` |
+| [T1550.002](https://attack.mitre.org/techniques/T1550/002/) | `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement`, `detecting-lateral-movement-in-network`, `detecting-lateral-movement-with-splunk` +6 more |
+| [T1550.003](https://attack.mitre.org/techniques/T1550/003/) | `conducting-pass-the-ticket-attack`, `detecting-pass-the-hash-attacks`, `detecting-pass-the-ticket-attacks`, `exploiting-constrained-delegation-abuse` |
+| [T1550.004](https://attack.mitre.org/techniques/T1550/004/) | `performing-initial-access-with-evilginx3` |
+| [T1562](https://attack.mitre.org/techniques/T1562/) | `detecting-evasion-techniques-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
+| [T1562.001](https://attack.mitre.org/techniques/T1562/001/) | `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports`, `detecting-evasion-techniques-in-endpoint-logs`, `detecting-fileless-attacks-on-endpoints`, `detecting-suspicious-powershell-execution` +1 more |
+| [T1610](https://attack.mitre.org/techniques/T1610/) | `detecting-container-escape-attempts`, `detecting-container-escape-with-falco-rules` |
+
+---
+
+## 🔑 Credential Access
+
+**27 techniques covered**
+
+| Technique | Skills |
+|:----------|:-------|
+| [T1003](https://attack.mitre.org/techniques/T1003/) | `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rules-with-sigma`, `detecting-container-escape-with-falco-rules`, `detecting-credential-dumping-techniques` +10 more |
+| [T1003.001](https://attack.mitre.org/techniques/T1003/001/) | `analyzing-campaign-attribution-evidence`, `analyzing-powershell-script-block-logging`, `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl` +13 more |
+| [T1003.002](https://attack.mitre.org/techniques/T1003/002/) | `detecting-credential-dumping-techniques`, `detecting-t1003-credential-dumping-with-edr`, `performing-purple-team-atomic-testing` |
+| [T1003.003](https://attack.mitre.org/techniques/T1003/003/) | `detecting-credential-dumping-techniques`, `detecting-t1003-credential-dumping-with-edr`, `performing-purple-team-atomic-testing` |
+| [T1003.004](https://attack.mitre.org/techniques/T1003/004/) | `detecting-t1003-credential-dumping-with-edr`, `performing-credential-access-with-lazagne`, `performing-purple-team-atomic-testing` |
+| [T1003.005](https://attack.mitre.org/techniques/T1003/005/) | `detecting-t1003-credential-dumping-with-edr`, `performing-purple-team-atomic-testing` |
+| [T1003.006](https://attack.mitre.org/techniques/T1003/006/) | `analyzing-windows-event-logs-in-splunk`, `conducting-domain-persistence-with-dcsync`, `conducting-full-scope-red-team-engagement`, `conducting-internal-network-penetration-test`, `detecting-dcsync-attack-in-active-directory` +8 more |
+| [T1110](https://attack.mitre.org/techniques/T1110/) | `analyzing-windows-event-logs-in-splunk`, `building-detection-rule-with-splunk-spl`, `conducting-internal-network-penetration-test`, `implementing-mitre-attack-coverage-mapping`, `implementing-siem-use-cases-for-detection` +3 more |
+| [T1110.001](https://attack.mitre.org/techniques/T1110/001/) | `analyzing-windows-event-logs-in-splunk`, `building-detection-rule-with-splunk-spl`, `implementing-siem-use-cases-for-detection`, `performing-false-positive-reduction-in-siem`, `performing-purple-team-atomic-testing` |
+| [T1110.002](https://attack.mitre.org/techniques/T1110/002/) | `exploiting-kerberoasting-with-impacket` |
+| [T1110.003](https://attack.mitre.org/techniques/T1110/003/) | `detecting-pass-the-ticket-attacks`, `implementing-siem-use-cases-for-detection`, `performing-purple-team-atomic-testing` |
+| [T1187](https://attack.mitre.org/techniques/T1187/) | `detecting-ntlm-relay-with-event-correlation` |
+| [T1528](https://attack.mitre.org/techniques/T1528/) | `detecting-azure-lateral-movement`, `detecting-azure-service-principal-abuse` |
+| [T1539](https://attack.mitre.org/techniques/T1539/) | `performing-credential-access-with-lazagne`, `performing-initial-access-with-evilginx3` |
+| [T1552](https://attack.mitre.org/techniques/T1552/) | `performing-cloud-incident-containment-procedures`, `performing-purple-team-atomic-testing` |
+| [T1552.001](https://attack.mitre.org/techniques/T1552/001/) | `performing-credential-access-with-lazagne`, `performing-purple-team-atomic-testing` |
+| [T1552.002](https://attack.mitre.org/techniques/T1552/002/) | `performing-credential-access-with-lazagne` |
+| [T1552.005](https://attack.mitre.org/techniques/T1552/005/) | `conducting-cloud-penetration-testing` |
+| [T1552.006](https://attack.mitre.org/techniques/T1552/006/) | `deploying-active-directory-honeytokens` |
+| [T1557](https://attack.mitre.org/techniques/T1557/) | `performing-initial-access-with-evilginx3` |
+| [T1557.001](https://attack.mitre.org/techniques/T1557/001/) | `conducting-internal-network-penetration-test`, `detecting-ntlm-relay-with-event-correlation`, `hunting-for-ntlm-relay-attacks` |
+| [T1558](https://attack.mitre.org/techniques/T1558/) | `analyzing-windows-event-logs-in-splunk`, `conducting-pass-the-ticket-attack`, `exploiting-kerberoasting-with-impacket`, `exploiting-nopac-cve-2021-42278-42287`, `performing-lateral-movement-detection` +1 more |
+| [T1558.001](https://attack.mitre.org/techniques/T1558/001/) | `analyzing-windows-event-logs-in-splunk`, `conducting-domain-persistence-with-dcsync`, `detecting-golden-ticket-attacks-in-kerberos-logs`, `detecting-golden-ticket-forgery`, `detecting-kerberoasting-attacks` +3 more |
+| [T1558.002](https://attack.mitre.org/techniques/T1558/002/) | `performing-active-directory-compromise-investigation` |
+| [T1558.003](https://attack.mitre.org/techniques/T1558/003/) | `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement`, `conducting-internal-network-penetration-test`, `deploying-active-directory-honeytokens` +12 more |
+| [T1558.004](https://attack.mitre.org/techniques/T1558/004/) | `detecting-kerberoasting-attacks` |
+| [T1649](https://attack.mitre.org/techniques/T1649/) | `exploiting-active-directory-certificate-services-esc1` |
+
+---
+
+## 🗺️ Discovery
+
+**20 techniques covered**
+
+| Technique | Skills |
+|:----------|:-------|
+| [T1016](https://attack.mitre.org/techniques/T1016/) | `conducting-full-scope-red-team-engagement`, `conducting-internal-reconnaissance-with-bloodhound-ce`, `exploiting-active-directory-with-bloodhound`, `performing-purple-team-atomic-testing` |
+| [T1018](https://attack.mitre.org/techniques/T1018/) | `conducting-full-scope-red-team-engagement`, `conducting-internal-reconnaissance-with-bloodhound-ce`, `detecting-network-scanning-with-ids-signatures`, `exploiting-active-directory-with-bloodhound`, `performing-active-directory-bloodhound-analysis` |
+| [T1033](https://attack.mitre.org/techniques/T1033/) | `conducting-internal-reconnaissance-with-bloodhound-ce`, `detecting-privilege-escalation-attempts`, `exploiting-active-directory-with-bloodhound`, `performing-purple-team-atomic-testing` |
+| [T1040](https://attack.mitre.org/techniques/T1040/) | `implementing-continuous-security-validation-with-bas` |
+| [T1046](https://attack.mitre.org/techniques/T1046/) | `detecting-network-scanning-with-ids-signatures`, `detecting-privilege-escalation-attempts`, `performing-packet-injection-attack`, `triaging-security-incident` |
+| [T1049](https://attack.mitre.org/techniques/T1049/) | `performing-purple-team-atomic-testing` |
+| [T1057](https://attack.mitre.org/techniques/T1057/) | `performing-purple-team-atomic-testing` |
+| [T1069](https://attack.mitre.org/techniques/T1069/) | `performing-purple-team-atomic-testing` |
+| [T1069.001](https://attack.mitre.org/techniques/T1069/001/) | `performing-active-directory-bloodhound-analysis`, `performing-purple-team-atomic-testing` |
+| [T1069.002](https://attack.mitre.org/techniques/T1069/002/) | `conducting-internal-reconnaissance-with-bloodhound-ce`, `exploiting-active-directory-with-bloodhound`, `performing-active-directory-bloodhound-analysis`, `performing-kerberoasting-attack`, `performing-purple-team-atomic-testing` |
+| [T1082](https://attack.mitre.org/techniques/T1082/) | `conducting-full-scope-red-team-engagement`, `performing-purple-team-atomic-testing` |
+| [T1083](https://attack.mitre.org/techniques/T1083/) | `implementing-canary-tokens-for-network-intrusion`, `performing-purple-team-atomic-testing` |
+| [T1087](https://attack.mitre.org/techniques/T1087/) | `conducting-full-scope-red-team-engagement`, `executing-red-team-engagement-planning`, `implementing-continuous-security-validation-with-bas`, `performing-purple-team-atomic-testing` |
+| [T1087.001](https://attack.mitre.org/techniques/T1087/001/) | `performing-purple-team-atomic-testing` |
+| [T1087.002](https://attack.mitre.org/techniques/T1087/002/) | `conducting-internal-reconnaissance-with-bloodhound-ce`, `deploying-active-directory-honeytokens`, `exploiting-active-directory-certificate-services-esc1`, `exploiting-active-directory-with-bloodhound`, `exploiting-kerberoasting-with-impacket` +3 more |
+| [T1087.004](https://attack.mitre.org/techniques/T1087/004/) | `detecting-azure-service-principal-abuse`, `implementing-mitre-attack-coverage-mapping` |
+| [T1482](https://attack.mitre.org/techniques/T1482/) | `conducting-internal-reconnaissance-with-bloodhound-ce`, `exploiting-active-directory-with-bloodhound`, `performing-active-directory-bloodhound-analysis` |
+| [T1518](https://attack.mitre.org/techniques/T1518/) | `performing-purple-team-atomic-testing` |
+| [T1518.001](https://attack.mitre.org/techniques/T1518/001/) | `performing-purple-team-atomic-testing` |
+| [T1580](https://attack.mitre.org/techniques/T1580/) | `implementing-mitre-attack-coverage-mapping` |
+
+---
+
+## ↔️ Lateral Movement
+
+**9 techniques covered**
+
+| Technique | Skills |
+|:----------|:-------|
+| [T1021](https://attack.mitre.org/techniques/T1021/) | `detecting-lateral-movement-in-network`, `detecting-lateral-movement-with-splunk`, `detecting-service-account-abuse`, `executing-red-team-engagement-planning`, `exploiting-constrained-delegation-abuse` +10 more |
+| [T1021.001](https://attack.mitre.org/techniques/T1021/001/) | `analyzing-campaign-attribution-evidence`, `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl`, `building-threat-hunt-hypothesis-framework` +8 more |
+| [T1021.002](https://attack.mitre.org/techniques/T1021/002/) | `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl`, `conducting-full-scope-red-team-engagement`, `conducting-internal-network-penetration-test` +10 more |
+| [T1021.003](https://attack.mitre.org/techniques/T1021/003/) | `detecting-lateral-movement-with-splunk`, `hunting-for-dcom-lateral-movement`, `performing-lateral-movement-detection`, `performing-lateral-movement-with-wmiexec`, `performing-purple-team-atomic-testing` |
+| [T1021.004](https://attack.mitre.org/techniques/T1021/004/) | `detecting-lateral-movement-with-splunk`, `performing-purple-team-atomic-testing` |
+| [T1021.006](https://attack.mitre.org/techniques/T1021/006/) | `building-attack-pattern-library-from-cti-reports`, `detecting-lateral-movement-with-splunk`, `performing-lateral-movement-detection`, `performing-purple-team-atomic-testing` |
+| [T1210](https://attack.mitre.org/techniques/T1210/) | `exploiting-ms17-010-eternalblue-vulnerability`, `exploiting-zerologon-vulnerability-cve-2020-1472` |
+| [T1534](https://attack.mitre.org/techniques/T1534/) | `implementing-mitre-attack-coverage-mapping` |
+| [T1570](https://attack.mitre.org/techniques/T1570/) | `detecting-lateral-movement-in-network`, `detecting-lateral-movement-with-splunk`, `performing-lateral-movement-with-wmiexec`, `performing-purple-team-atomic-testing` |
+
+---
+
+## 📦 Collection
+
+**13 techniques covered**
+
+| Technique | Skills |
+|:----------|:-------|
+| [T1005](https://attack.mitre.org/techniques/T1005/) | `conducting-malware-incident-response`, `detecting-container-escape-with-falco-rules`, `performing-purple-team-atomic-testing` |
+| [T1039](https://attack.mitre.org/techniques/T1039/) | `performing-purple-team-atomic-testing` |
+| [T1074](https://attack.mitre.org/techniques/T1074/) | `building-attack-pattern-library-from-cti-reports`, `executing-red-team-exercise`, `hunting-for-data-staging-before-exfiltration` |
+| [T1074.001](https://attack.mitre.org/techniques/T1074/001/) | `hunting-for-data-staging-before-exfiltration`, `performing-purple-team-atomic-testing` |
+| [T1074.002](https://attack.mitre.org/techniques/T1074/002/) | `hunting-for-data-staging-before-exfiltration` |
+| [T1113](https://attack.mitre.org/techniques/T1113/) | `performing-purple-team-atomic-testing` |
+| [T1114.002](https://attack.mitre.org/techniques/T1114/002/) | `detecting-email-forwarding-rules-attack` |
+| [T1114.003](https://attack.mitre.org/techniques/T1114/003/) | `detecting-business-email-compromise`, `detecting-email-forwarding-rules-attack` |
+| [T1115](https://attack.mitre.org/techniques/T1115/) | `performing-purple-team-atomic-testing` |
+| [T1213](https://attack.mitre.org/techniques/T1213/) | `conducting-full-scope-red-team-engagement` |
+| [T1530](https://attack.mitre.org/techniques/T1530/) | `detecting-insider-threat-behaviors`, `implementing-mitre-attack-coverage-mapping`, `performing-cloud-incident-containment-procedures` |
+| [T1560](https://attack.mitre.org/techniques/T1560/) | `conducting-full-scope-red-team-engagement`, `hunting-for-data-staging-before-exfiltration` |
+| [T1560.001](https://attack.mitre.org/techniques/T1560/001/) | `hunting-for-data-staging-before-exfiltration`, `performing-purple-team-atomic-testing` |
+
+---
+
+## 📡 Command and Control
+
+**20 techniques covered**
+
+| Technique | Skills |
+|:----------|:-------|
+| [T1071](https://attack.mitre.org/techniques/T1071/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-network-covert-channels-in-malware`, `analyzing-ransomware-network-indicators`, `analyzing-threat-actor-ttps-with-mitre-attack`, `hunting-advanced-persistent-threats` +6 more |
+| [T1071.001](https://attack.mitre.org/techniques/T1071/001/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-campaign-attribution-evidence`, `analyzing-powershell-empire-artifacts`, `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports` +13 more |
+| [T1071.004](https://attack.mitre.org/techniques/T1071/004/) | `building-attack-pattern-library-from-cti-reports`, `building-c2-infrastructure-with-sliver-framework`, `hunting-for-beaconing-with-frequency-analysis`, `hunting-for-command-and-control-beaconing`, `hunting-for-dns-tunneling-with-zeek` +3 more |
+| [T1090](https://attack.mitre.org/techniques/T1090/) | `implementing-mitre-attack-coverage-mapping`, `performing-purple-team-atomic-testing` |
+| [T1090.001](https://attack.mitre.org/techniques/T1090/001/) | `performing-purple-team-atomic-testing` |
+| [T1090.002](https://attack.mitre.org/techniques/T1090/002/) | `building-c2-infrastructure-with-sliver-framework`, `building-red-team-c2-infrastructure-with-havoc` |
+| [T1090.004](https://attack.mitre.org/techniques/T1090/004/) | `hunting-for-domain-fronting-c2-traffic` |
+| [T1095](https://attack.mitre.org/techniques/T1095/) | `hunting-for-command-and-control-beaconing`, `hunting-for-unusual-network-connections` |
+| [T1102](https://attack.mitre.org/techniques/T1102/) | `hunting-for-living-off-the-cloud-techniques` |
+| [T1105](https://attack.mitre.org/techniques/T1105/) | `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports`, `building-c2-infrastructure-with-sliver-framework`, `building-red-team-c2-infrastructure-with-havoc`, `detecting-fileless-attacks-on-endpoints` +7 more |
+| [T1132](https://attack.mitre.org/techniques/T1132/) | `hunting-for-command-and-control-beaconing`, `performing-purple-team-atomic-testing` |
+| [T1132.001](https://attack.mitre.org/techniques/T1132/001/) | `building-c2-infrastructure-with-sliver-framework`, `performing-purple-team-atomic-testing` |
+| [T1219](https://attack.mitre.org/techniques/T1219/) | `performing-purple-team-atomic-testing` |
+| [T1568](https://attack.mitre.org/techniques/T1568/) | `hunting-for-command-and-control-beaconing`, `implementing-mitre-attack-coverage-mapping` |
+| [T1568.002](https://attack.mitre.org/techniques/T1568/002/) | `hunting-for-beaconing-with-frequency-analysis` |
+| [T1571](https://attack.mitre.org/techniques/T1571/) | `hunting-for-unusual-network-connections`, `implementing-mitre-attack-coverage-mapping` |
+| [T1572](https://attack.mitre.org/techniques/T1572/) | `building-c2-infrastructure-with-sliver-framework`, `hunting-for-command-and-control-beaconing`, `hunting-for-dns-tunneling-with-zeek`, `implementing-mitre-attack-coverage-mapping` |
+| [T1573](https://attack.mitre.org/techniques/T1573/) | `analyzing-ransomware-network-indicators`, `hunting-for-beaconing-with-frequency-analysis`, `hunting-for-command-and-control-beaconing`, `implementing-mitre-attack-coverage-mapping`, `performing-purple-team-atomic-testing` |
+| [T1573.001](https://attack.mitre.org/techniques/T1573/001/) | `performing-purple-team-atomic-testing` |
+| [T1573.002](https://attack.mitre.org/techniques/T1573/002/) | `building-c2-infrastructure-with-sliver-framework`, `building-red-team-c2-infrastructure-with-havoc` |
+
+---
+
+## 📤 Exfiltration
+
+**12 techniques covered**
+
+| Technique | Skills |
+|:----------|:-------|
+| [T1020](https://attack.mitre.org/techniques/T1020/) | `hunting-for-data-exfiltration-indicators` |
+| [T1029](https://attack.mitre.org/techniques/T1029/) | `hunting-for-data-exfiltration-indicators` |
+| [T1030](https://attack.mitre.org/techniques/T1030/) | `hunting-for-data-exfiltration-indicators` |
+| [T1041](https://attack.mitre.org/techniques/T1041/) | `analyzing-campaign-attribution-evidence`, `analyzing-ransomware-network-indicators`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement`, `conducting-malware-incident-response` +6 more |
+| [T1048](https://attack.mitre.org/techniques/T1048/) | `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl`, `conducting-full-scope-red-team-engagement`, `hunting-for-data-exfiltration-indicators`, `implementing-continuous-security-validation-with-bas` +2 more |
+| [T1048.001](https://attack.mitre.org/techniques/T1048/001/) | `hunting-for-data-exfiltration-indicators` |
+| [T1048.002](https://attack.mitre.org/techniques/T1048/002/) | `hunting-for-data-exfiltration-indicators` |
+| [T1048.003](https://attack.mitre.org/techniques/T1048/003/) | `conducting-full-scope-red-team-engagement`, `hunting-for-data-exfiltration-indicators`, `hunting-for-dns-tunneling-with-zeek`, `implementing-continuous-security-validation-with-bas`, `implementing-mitre-attack-coverage-mapping` +2 more |
+| [T1052](https://attack.mitre.org/techniques/T1052/) | `hunting-for-data-exfiltration-indicators` |
+| [T1537](https://attack.mitre.org/techniques/T1537/) | `hunting-for-data-exfiltration-indicators`, `hunting-for-living-off-the-cloud-techniques`, `implementing-mitre-attack-coverage-mapping`, `implementing-threat-modeling-with-mitre-attack`, `performing-cloud-incident-containment-procedures` |
+| [T1567](https://attack.mitre.org/techniques/T1567/) | `detecting-insider-threat-behaviors`, `hunting-for-data-exfiltration-indicators`, `hunting-for-living-off-the-cloud-techniques`, `implementing-continuous-security-validation-with-bas`, `performing-purple-team-atomic-testing` |
+| [T1567.002](https://attack.mitre.org/techniques/T1567/002/) | `hunting-for-data-exfiltration-indicators`, `performing-purple-team-atomic-testing` |
+
+---
+
+## 💥 Impact
+
+**6 techniques covered**
+
+| Technique | Skills |
+|:----------|:-------|
+| [T1485](https://attack.mitre.org/techniques/T1485/) | `hunting-for-shadow-copy-deletion`, `performing-purple-team-atomic-testing` |
+| [T1486](https://attack.mitre.org/techniques/T1486/) | `analyzing-ransomware-network-indicators`, `building-attack-pattern-library-from-cti-reports`, `building-threat-hunt-hypothesis-framework`, `conducting-full-scope-red-team-engagement`, `hunting-for-shadow-copy-deletion` +7 more |
+| [T1489](https://attack.mitre.org/techniques/T1489/) | `conducting-full-scope-red-team-engagement`, `performing-purple-team-atomic-testing` |
+| [T1490](https://attack.mitre.org/techniques/T1490/) | `building-soc-playbook-for-ransomware`, `hunting-for-shadow-copy-deletion`, `performing-purple-team-atomic-testing`, `performing-purple-team-exercise` |
+| [T1491](https://attack.mitre.org/techniques/T1491/) | `performing-purple-team-atomic-testing` |
+| [T1491.002](https://attack.mitre.org/techniques/T1491/002/) | `performing-purple-team-atomic-testing` |
+
+---
+
+## 🔧 Other / Cross-Tactic Techniques
+
+| Technique | Skills |
+|:----------|:-------|
+| T0157 | `exploiting-kerberoasting-with-impacket` |
+| T0200 | `building-vulnerability-scanning-workflow`, `performing-authenticated-scan-with-openvas` |
+| T0802 | `detecting-attacks-on-historian-servers` |
+| T0809 | `detecting-attacks-on-historian-servers` |
+| T0814 | `detecting-modbus-command-injection-attacks` |
+| T0816 | `detecting-dnp3-protocol-anomalies` |
+| T0830 | `detecting-modbus-protocol-anomalies` |
+| T0831 | `detecting-modbus-protocol-anomalies` |
+| T0832 | `detecting-attacks-on-historian-servers` |
+| T0833 | `detecting-stuxnet-style-attacks` |
+| T0836 | `detecting-modbus-command-injection-attacks`, `detecting-modbus-protocol-anomalies`, `detecting-stuxnet-style-attacks` |
+| T0839 | `detecting-dnp3-protocol-anomalies`, `detecting-stuxnet-style-attacks` |
+| T0843 | `detecting-modbus-command-injection-attacks`, `performing-s7comm-protocol-security-analysis` |
+| T0847 | `detecting-stuxnet-style-attacks` |
+| T0855 | `detecting-dnp3-protocol-anomalies`, `detecting-modbus-command-injection-attacks`, `detecting-modbus-protocol-anomalies` |
+| T0856 | `detecting-stuxnet-style-attacks` |
+| T0862 | `detecting-stuxnet-style-attacks` |
+| T0866 | `detecting-stuxnet-style-attacks` |
+| T0869 | `detecting-dnp3-protocol-anomalies` |
+| T0881 | `performing-s7comm-protocol-security-analysis` |
+| T0886 | `detecting-modbus-protocol-anomalies` |
+| T1404 | `analyzing-android-malware-with-apktool` |
+| T1417 | `analyzing-android-malware-with-apktool` |
+| T1418 | `analyzing-android-malware-with-apktool` |
+| T1553.006 | `analyzing-uefi-bootkit-persistence` |
+| T1555 | `performing-credential-access-with-lazagne`, `performing-purple-team-atomic-testing` |
+| T1555.003 | `performing-credential-access-with-lazagne`, `performing-purple-team-atomic-testing` |
+| T1555.004 | `performing-credential-access-with-lazagne` |
+| T1578 | `performing-cloud-incident-containment-procedures` |
+| T1582 | `analyzing-android-malware-with-apktool` |
+| T1611 | `detecting-container-escape-attempts`, `detecting-container-escape-with-falco-rules` |
+| T1615 | `conducting-internal-reconnaissance-with-bloodhound-ce`, `exploiting-active-directory-with-bloodhound`, `performing-active-directory-bloodhound-analysis` |
+| T1620 | `detecting-fileless-attacks-on-endpoints` |
+| T5577 | `performing-physical-intrusion-assessment` |
+
+---
+
+## How This Was Generated
+
+This coverage map was automatically generated by scanning all 753+ SKILL.md and agent.py files for MITRE ATT&CK technique IDs (pattern: `T####` and `T####.###`). Each technique was mapped to its parent tactic using the [MITRE ATT&CK Enterprise Matrix v16](https://attack.mitre.org/matrices/enterprise/).
+
+To regenerate: `python3 extract_attack.py`
+
+---
+
+## MITRE ATLAS Coverage (v5.5.0)
+
+81 skills mapped to ATLAS adversarial ML techniques.
+
+Key techniques applied:
+- AML.T0051 — LLM Prompt Injection (Execution)
+- AML.T0054 — LLM Jailbreak (Privilege Escalation)
+- AML.T0088 — Generate Deepfakes (AI Attack Staging)
+- AML.T0010 — AI Supply Chain Compromise (Initial Access)
+- AML.T0020 — Poison Training Data (Resource Development)
+- AML.T0070 — RAG Poisoning (Persistence)
+- AML.T0080 — AI Agent Context Poisoning (Persistence)
+- AML.T0056 — Extract LLM System Prompt (Exfiltration)
+
+## MITRE D3FEND Coverage (v1.3)
+
+11 skills mapped to D3FEND defensive countermeasures.
+
+Countermeasures applied span D3FEND tactical categories:
+Harden, Detect, Isolate, Deceive, Evict, Restore.
+Each skill's d3fend_techniques field lists the top 5 most relevant
+defensive countermeasures derived from the skill's ATT&CK technique tags.
+
+## NIST AI RMF Coverage (AI 100-1)
+
+85 skills mapped to NIST AI Risk Management Framework subcategories.
+
+Core functions covered:
+- GOVERN: Organizational accountability for AI risk (GOVERN-1.1, GOVERN-6.1, GOVERN-6.2)
+- MAP: AI risk identification and context (MAP-5.1, MAP-5.2, MAP-1.6)
+- MEASURE: AI risk analysis and evaluation (MEASURE-2.5, MEASURE-2.7, MEASURE-2.8, MEASURE-2.11)
+- MANAGE: AI risk response and recovery (MANAGE-2.4, MANAGE-3.1)
+
+GenAI-specific subcategories applied: GOVERN-6.1, GOVERN-6.2 (responsible deployment policies).
+
+---
+
+<p align="center">
+  <sub>Part of <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills">Anthropic Cybersecurity Skills</a> — 753+ open-source cybersecurity skills for AI agents</sub>
+</p>

CITATION.cff

@@ -0,0 +1,32 @@
+cff-version: 1.2.0
+message: "If you use this repository in your research, tools, or publications, please cite it as below."
+type: software
+title: "Anthropic-Cybersecurity-Skills"
+abstract: >
+  A structured collection of 753 cybersecurity skills for AI agents, covering
+  penetration testing, digital forensics, threat intelligence, incident response,
+  cloud security, OT/SCADA security, AI security, and more. Each skill follows
+  a standardized format with YAML frontmatter metadata, step-by-step procedures,
+  tool commands, expected outputs, and MITRE ATT&CK mappings. Compatible with
+  Claude Code, GitHub Copilot, Cursor, Windsurf, Gemini CLI, and 20+ AI agent
+  platforms.
+authors:
+  - name: "Mahipal"
+    email: mukuljangra5@gmail.com
+    alias: mukul975
+repository-code: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
+url: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
+license: Apache-2.0
+version: "1.1.0"
+date-released: "2026-03-21"
+keywords:
+  - cybersecurity
+  - AI agents
+  - skills
+  - penetration testing
+  - digital forensics
+  - threat intelligence
+  - incident response
+  - MITRE ATT&CK
+  - Claude Code
+  - open source

CODE_OF_CONDUCT.md

@@ -36,7 +36,7 @@ This Code of Conduct applies within all community spaces, and also applies when
 
 ## Enforcement
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at mukul975@users.noreply.github.com. All complaints will be reviewed and investigated promptly and fairly.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at mukuljangra5@gmail.com. All complaints will be reviewed and investigated promptly and fairly.
 
 All community leaders are obligated to respect the privacy and security of the reporter of any incident.
 

README.md

@@ -1,138 +1,412 @@
 <p align="center">
-  <img src="assets/banner.png" alt="Anthropic Cybersecurity Skills" width="600">
+  <img src="assets/banner.png" alt="Anthropic Cybersecurity Skills" width="100%">
 </p>
 
-<p align="center">
-  <strong>611+ cybersecurity skills for AI agents &middot; agentskills.io open standard</strong>
-</p>
+<div align="center">
 
-<p align="center">
-  <a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache_2.0-blue.svg?style=flat" alt="License"></a>
-  <img src="https://img.shields.io/badge/skills-611%2B-brightgreen?style=flat" alt="Skills Count">
-  <img src="https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=flat" alt="Stars">
-  <img src="https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=flat" alt="Last Commit">
-  <a href="https://agentskills.io"><img src="https://img.shields.io/badge/standard-agentskills.io-purple?style=flat" alt="Agent Skills"></a>
-  <img src="https://img.shields.io/badge/platforms-26%2B-orange?style=flat" alt="Platforms">
-</p>
+#  Anthropic Cybersecurity Skills
+
+### The largest open-source cybersecurity skills library for AI agents
+
+[![GARS-2026 Survey](https://img.shields.io/badge/GARS--2026-Take%20the%20Survey-E8B84B?style=for-the-badge&logo=googleforms&logoColor=black)](https://mahipal.engineer/survey?utm_source=github_badge&utm_medium=readme&utm_campaign=gars2026)
+[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg?style=flat-square)](LICENSE)
+[![Skills](https://img.shields.io/badge/skills-754-brightgreen?style=flat-square)](#whats-inside--26-security-domains)
+[![Frameworks](https://img.shields.io/badge/frameworks-5-orange?style=flat-square)](#five-frameworks-one-skill-library)
+[![Domains](https://img.shields.io/badge/domains-26-9cf?style=flat-square)](#whats-inside--26-security-domains)
+[![Platforms](https://img.shields.io/badge/platforms-26%2B-blueviolet?style=flat-square)](#compatible-platforms)
+[![GitHub stars](https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers)
+[![GitHub forks](https://img.shields.io/github/forks/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/network/members)
+[![Last Commit](https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/commits/main)
+[![agentskills.io](https://img.shields.io/badge/standard-agentskills.io-ff6600?style=flat-square)](https://agentskills.io)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](CONTRIBUTING.md)
+[![Playground](https://img.shields.io/badge/Playground-Casky.ai-blue)](https://casky.ai/?utm_source=github&utm_medium=readme&utm_campaign=cohort_launch#waitlist)
+[![Hermes Agent](https://img.shields.io/badge/Hermes_Agent-compatible-blueviolet?style=flat)](https://github.com/NousResearch/hermes-agent)
+
+
+**754 production-grade cybersecurity skills · 26 security domains · 5 framework mappings · 26+ AI platforms**
+
+[Get Started](#quick-start) · [What's Inside](#whats-inside--26-security-domains) · [Frameworks](#five-frameworks-one-skill-library) · [Platforms](#compatible-platforms) · [Contributing](#contributing)
+
+</div>
 
 ---
 
-> **Warning: Community Project -- Not affiliated with Anthropic PBC.**
-> This is an independent, community-created collection. "Anthropic" in the repository name refers to the agentskills.io standard compatibility, not official Anthropic affiliation.
+> ⚠️ **Community Project** — This is an independent, community-created project. Not affiliated with Anthropic PBC. 
 
-The largest open-source collection of cybersecurity skills for AI agents. Every skill follows the [agentskills.io](https://agentskills.io) open standard and works instantly with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and 20+ other platforms.
+## Give any AI agent the security skills of a senior analyst
 
-## Quick Start
+A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. **Your AI agent doesn't — unless you give it these skills.**
+
+This repo contains **754 structured cybersecurity skills** spanning **26 security domains**, each following the [agentskills.io](https://agentskills.io) open standard.  Every skill is mapped to **five industry frameworks** — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF  — making this the only open-source skills library with unified cross-framework coverage.  Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.
+
+## Five frameworks, one skill library
+
+No other open-source skills library maps every skill to all five frameworks.  One skill, five compliance checkboxes. 
+
+| Framework | Version | Scope in this repo | What it maps |
+|---|---|---|---|
+| [MITRE ATT&CK](https://attack.mitre.org) | v19.1 | 15 tactics · 286 techniques | Adversary behaviors and TTPs |
+| [NIST CSF 2.0](https://www.nist.gov/cyberframework) | 2.0 | 6 functions · 22 categories | Organizational security posture |
+| [MITRE ATLAS](https://atlas.mitre.org) | v5.4 | 16 tactics · 84 techniques | AI/ML adversarial threats |
+| [MITRE D3FEND](https://d3fend.mitre.org) | v1.3 | 7 categories · 267 techniques | Defensive countermeasures |
+| [NIST AI RMF](https://airc.nist.gov/AI_RMF) | 1.0 | 4 functions · 72 subcategories | AI risk management |
+
+**Example — a single skill maps across all five:**
+
+| Skill | ATT&CK | NIST CSF | ATLAS | D3FEND | AI RMF |
+|---|---|---|---|---|---|
+| `analyzing-network-traffic-of-malware` | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 |
+
+### MITRE ATT&CK v19.1 — 754/754 skills mapped
+
+Every skill carries a `mitre_attack` frontmatter list validated against **MITRE ATT&CK v19.1** (the latest release) using the official `mitreattack-python` library — 286 distinct techniques across all 15 Enterprise tactics, plus ICS and Mobile techniques where relevant. Zero revoked or deprecated IDs. v19.1's restructured Defense Evasion (now split into **Stealth** and **Defense Impairment**) is reflected below.
+
+| Tactic | ID | Skills |
+|--------|----|--------|
+| Reconnaissance | TA0043 | 103 |
+| Resource Development | TA0042 | 22 |
+| Initial Access | TA0001 | 467 |
+| Execution | TA0002 | 350 |
+| Persistence | TA0003 | 444 |
+| Privilege Escalation | TA0004 | 464 |
+| Stealth | TA0005 | 442 |
+| Defense Impairment | TA0112 | 92 |
+| Credential Access | TA0006 | 202 |
+| Discovery | TA0007 | 237 |
+| Lateral Movement | TA0008 | 68 |
+| Collection | TA0009 | 172 |
+| Command and Control | TA0011 | 123 |
+| Exfiltration | TA0010 | 82 |
+| Impact | TA0040 | 50 |
+
+## Quick start
 
-**Method 1: npx skills**
 ```bash
+# Option 1: npx (recommended)
 npx skills add mukul975/Anthropic-Cybersecurity-Skills
-```
 
-**Method 2: Claude Code plugin**
-```
-/plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills
-```
-
-**Method 3: Manual clone**
-```bash
+# Option 2: Git clone
 git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
+cd Anthropic-Cybersecurity-Skills
 ```
 
-## Skill Categories
+Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any [agentskills.io](https://agentskills.io)-compatible platform. 
 
-| Category | Skills | Example Skills |
-|----------|-------:|----------------|
-| Cloud Security | 48 | AWS S3 Bucket Audit, Azure AD Configuration, GCP Security Assessment |
-| Threat Intelligence | 43 | APT Group Analysis with MITRE Navigator, Campaign Attribution, Dark Web Monitoring |
-| Web Application Security | 41 | HTTP Request Smuggling, XSS with Burp Suite, Web Cache Poisoning |
-| Threat Hunting | 35 | Credential Dumping Detection, DNS Tunneling with Zeek, Living-off-the-Land Binaries |
-| Malware Analysis | 34 | Cobalt Strike Beacon Config, Ghidra Reverse Engineering, YARA Rule Development |
-| Digital Forensics | 34 | Disk Imaging with dd/dcfldd, Memory Forensics with Volatility3, Browser Forensics |
-| SOC Operations | 33 | Windows Event Log Analysis, Splunk Detection Rules, SIEM Use Case Implementation |
-| Network Security | 33 | Wireshark Traffic Analysis, VLAN Segmentation, Suricata IDS Configuration |
-| Identity & Access Management | 33 | SAML SSO with Okta, Privileged Access Management, RBAC for Kubernetes |
-| OT/ICS Security | 28 | SCADA System Attack Detection, Modbus Anomaly Detection, Purdue Model Segmentation |
-| API Security | 28 | API Enumeration Detection, BOLA Exploitation, GraphQL Security Assessment |
-| Container Security | 26 | Trivy Image Scanning, Falco Runtime Detection, Kubernetes Pod Security |
-| Vulnerability Management | 24 | DefectDojo Dashboard, CVSS Scoring, Patch Management Workflow |
-| Red Teaming | 24 | Sliver C2 Framework, BloodHound AD Analysis, Kerberoasting with Impacket |
-| Incident Response | 24 | Ransomware Response, Cloud Incident Containment, Volatile Evidence Collection |
-| Penetration Testing | 23 | External Network Pentest, Kubernetes Pentest, Active Directory Pentest |
-| Zero Trust Architecture | 17 | HashiCorp Boundary, Zscaler ZTNA, BeyondCorp Access Model |
-| Endpoint Security | 16 | CIS Benchmark Hardening, Windows Defender Configuration, Host-Based IDS |
-| DevSecOps | 16 | GitLab CI Pipeline, Semgrep Custom SAST Rules, Secret Scanning with Gitleaks |
-| Phishing Defense | 16 | Email Header Analysis, GoPhish Simulation, DMARC/DKIM/SPF Configuration |
-| Cryptography | 13 | TLS 1.3 Configuration, HSM Key Storage, Certificate Authority with OpenSSL |
-| Mobile Security | 12 | iOS App Analysis with Objection, Android Malware Reverse Engineering, Frida Hooking |
-| Ransomware Defense | 5 | Ransomware Precursor Detection, Backup Strategy, Honeypot Detection |
-| Compliance & Governance | 5 | GDPR Data Protection, ISO 27001 ISMS, PCI DSS Controls |
+## 🌍 GARS-2026 — Global Agentic AI Readiness Survey
 
-## How It Works
+I'm running a global academic study measuring how ready security professionals,
+developers, and enterprise teams actually are for agentic AI — MCP servers,
+tool calling, governance, and human-in-the-loop workflows.
 
-Each skill follows the [agentskills.io](https://agentskills.io) **progressive disclosure** pattern. During discovery, an AI agent reads only the YAML frontmatter (~30-50 tokens) to decide relevance:
+**If you use this repo, your response would be a genuinely valuable data point.**
 
-```yaml
----
-name: performing-memory-forensics-with-volatility3
-description: Analyze memory dumps to extract processes, network connections, and malware artifacts using Volatility3.
-domain: cybersecurity
-subdomain: digital-forensics
-tags: [forensics, memory-analysis, volatility3, incident-response]
----
+📋 **Take the survey (10 min):**
+[Survey Link](https://mahipal.engineer/survey?utm_source=github_repo&utm_medium=readme&utm_campaign=gars2026)
+
+- 60 questions · Anonymous · Supervised by SRH Berlin
+- You get **50 Casky Tokens** for early access to [casky.ai](https://casky.ai)
+- Results published open access under CC-BY 4.0
+
+## 🚀 Try it on the Playground
+
+Experience Casky.ai hands-on — no setup required.
+
+**[→ Launch Playground on Casky.ai](https://casky.ai/?utm_source=github&utm_medium=readme&utm_campaign=cohort_launch#waitlist)**
+
+The playground lets you:
+- Run live cybersecurity skill exercises against real targets
+- See AI agents execute structured skills in real time
+- Explore MITRE ATT&CK mapped workflows interactively
+- Test threat hunting, DFIR, and penetration testing scenarios
+
+No installation. No configuration. Just open and start.
+## Why this exists
+
+The cybersecurity workforce gap hit **4.8 million unfilled roles** globally in 2024 (ISC2). AI agents can help close that gap — but only if they have structured domain knowledge to work from. Today's agents can write code and search the web, but they lack the practitioner playbooks that turn a generic LLM into a capable security analyst.
+
+Existing security tool repos give you wordlists, payloads, or exploit code. None of them give an AI agent the structured decision-making workflow a senior analyst follows: when to use each technique, what prerequisites to check, how to execute step-by-step, and how to verify results. That is the gap this project fills.
+
+**Anthropic Cybersecurity Skills** is not a collection of scripts or checklists. It is an **AI-native knowledge base** built from the ground up for the agentskills.io standard  — YAML frontmatter for sub-second discovery, structured Markdown for step-by-step execution, and reference files for deep technical context.  Every skill encodes real practitioner workflows, not generated summaries. 
+
+## What's inside — 26 security domains
+
+| Domain | Skills | Key capabilities |
+|---|---|---|
+| Cloud Security | 60 | AWS, Azure, GCP hardening · CSPM · cloud forensics |
+| Threat Hunting | 55 | Hypothesis-driven hunts · LOTL detection · behavioral analytics |
+| Threat Intelligence | 50 | STIX/TAXII · MISP · feed integration · actor profiling |
+| Web Application Security | 42 | OWASP Top 10 · SQLi · XSS · SSRF · deserialization |
+| Network Security | 40 | IDS/IPS · firewall rules · VLAN segmentation · traffic analysis |
+| Malware Analysis | 39 | Static/dynamic analysis · reverse engineering · sandboxing |
+| Digital Forensics | 37 | Disk imaging · memory forensics · timeline reconstruction |
+| Security Operations | 36 | SIEM correlation · log analysis · alert triage |
+| Identity & Access Management | 35 | IAM policies · PAM · zero trust identity · Okta · SailPoint |
+| SOC Operations | 33 | Playbooks · escalation workflows · metrics · tabletop exercises |
+| Container Security | 30 | K8s RBAC · image scanning · Falco · container forensics |
+| OT/ICS Security | 28 | Modbus · DNP3 · IEC 62443 · historian defense · SCADA |
+| API Security | 28 | GraphQL · REST · OWASP API Top 10 · WAF bypass |
+| Vulnerability Management | 25 | Nessus · scanning workflows · patch prioritization · CVSS |
+| Incident Response | 25 | Breach containment · ransomware response · IR playbooks |
+| Red Teaming | 24 | Full-scope engagements · AD attacks · phishing simulation |
+| Penetration Testing | 23 | Network · web · cloud · mobile · wireless pentesting |
+| Endpoint Security | 17 | EDR · LOTL detection · fileless malware · persistence hunting |
+| DevSecOps | 17 | CI/CD security · code signing · Terraform auditing |
+| Phishing Defense | 16 | Email authentication · BEC detection · phishing IR |
+| Cryptography | 14 | TLS · Ed25519 · certificate transparency · key management |
+| Zero Trust Architecture | 13 | BeyondCorp · CISA maturity model · microsegmentation |
+| Mobile Security | 12 | Android/iOS analysis · mobile pentesting · MDM forensics |
+| Ransomware Defense | 7 | Precursor detection · response · recovery · encryption analysis |
+| Compliance & Governance | 5 | CIS benchmarks · SOC 2 · regulatory frameworks |
+| Deception Technology | 2 | Honeytokens · breach detection canaries |
+
+## How AI agents use these skills
+
+Each skill costs **~30 tokens to scan** (frontmatter only)  and **500–2,000 tokens to fully load** (complete workflow). This progressive disclosure architecture lets agents search all 754 skills in a single pass without blowing context windows. 
+
+```
+User prompt: "Analyze this memory dump for signs of credential theft"
+
+Agent's internal process:
+
+  1. Scans 754 skill frontmatters (~30 tokens each)
+     → identifies 12 relevant skills by matching tags, description, domain
+
+  2. Loads top 3 matches:
+     • performing-memory-forensics-with-volatility3
+     • hunting-for-credential-dumping-lsass
+     • analyzing-windows-event-logs-for-credential-access
+
+  3. Executes the structured Workflow section step-by-step
+     → runs Volatility3 plugins, checks LSASS access patterns,
+        correlates with event log evidence
+
+  4. Validates results using the Verification section
+     → confirms IOCs, maps findings to ATT&CK T1003 (Credential Dumping)
 ```
 
-If the skill matches the task, the agent loads the full body -- workflow steps, prerequisites, tool commands, and verification checks -- without wasting tokens on irrelevant skills.
+**Without these skills**, the agent guesses at tool commands and misses critical steps. **With them**, it follows the same playbook a senior DFIR analyst would use. 
 
-## Compatible Platforms
-
-These skills work with any tool that supports the agentskills.io standard or can read structured Markdown:
-
-| Platform | Integration |
-|----------|------------|
-| **Claude Code** | Native skill loading via `/plugin` |
-| **GitHub Copilot** | Workspace context via `.skills/` directory |
-| **OpenAI Codex CLI** | File-based context injection |
-| **Cursor** | Project rules and docs integration |
-| **Gemini CLI** | Context file loading |
-| **Amp** | Skill directory mounting |
-| **Goose** | Plugin-based skill loading |
-| **Windsurf** | Context awareness from project files |
-| **Aider** | Repository map integration |
-| **Continue** | Custom context providers |
-| And 16+ others | Any agent that reads structured Markdown |
-
-## Skill Anatomy
+## Skill anatomy
 
 Every skill follows a consistent directory structure:
 
 ```
-skills/{skill-name}/
-├── SKILL.md            # Skill definition with YAML frontmatter
-│   ├── Frontmatter     # name, description, domain, subdomain, tags
-│   ├── When to Use     # Trigger conditions for AI agents
-│   ├── Prerequisites   # Required tools and access
-│   ├── Workflow         # Step-by-step execution guide
-│   └── Verification    # How to confirm success
+skills/performing-memory-forensics-with-volatility3/
+├── SKILL.md              ← Skill definition (YAML frontmatter + Markdown body)
 ├── references/
-│   ├── standards.md    # NIST, MITRE ATT&CK, CVE references
-│   └── workflows.md    # Deep technical procedure reference
+│   ├── standards.md      ← MITRE ATT&CK, ATLAS, D3FEND, NIST mappings
+│   └── workflows.md      ← Deep technical procedure reference
 ├── scripts/
-│   └── process.py      # Practitioner helper scripts
+│   └── process.py        ← Working helper scripts
 └── assets/
-    └── template.md     # Checklists and report templates
+    └── template.md       ← Filled-in checklists and report templates
 ```
 
+
+### YAML frontmatter (real example)
+
+```yaml
+---
+name: performing-memory-forensics-with-volatility3
+description: >-
+  Analyze memory dumps to extract running processes, network connections,
+  injected code, and malware artifacts using the Volatility3 framework.
+domain: cybersecurity
+subdomain: digital-forensics
+tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
+atlas_techniques: [AML.T0047]
+d3fend_techniques: [D3-MA, D3-PSMD]
+nist_ai_rmf: [MEASURE-2.6]
+nist_csf: [DE.CM-01, RS.AN-03]
+version: "1.2"
+author: mukul975
+license: Apache-2.0
+---
+```
+
+
+### Markdown body sections
+
+```markdown
+## When to Use
+Trigger conditions — when should an AI agent activate this skill?
+
+## Prerequisites
+Required tools, access levels, and environment setup.
+
+## Workflow
+Step-by-step execution guide with specific commands and decision points.
+
+## Verification
+How to confirm the skill was executed successfully.
+```
+
+Frontmatter fields: `name` (kebab-case, 1–64 chars), `description` (keyword-rich for agent discovery), `domain`, `subdomain`, `tags`,  `atlas_techniques` (MITRE ATLAS IDs), `d3fend_techniques` (MITRE D3FEND IDs), `nist_ai_rmf` (NIST AI RMF references), `nist_csf` (NIST CSF 2.0 categories).  MITRE ATT&CK technique mappings are documented in each skill's `references/standards.md` file and in the ATT&CK Navigator layer included with releases. 
+
+<details>
+<summary><strong>📊 MITRE ATT&CK Enterprise coverage — all 14 tactics</strong></summary>
+
+&nbsp;
+
+| Tactic | ID | Coverage | Key skills |
+|---|---|---|---|
+| Reconnaissance | TA0043 | Strong | OSINT, subdomain enumeration, DNS recon |
+| Resource Development | TA0042 | Moderate | Phishing infrastructure, C2 setup detection |
+| Initial Access | TA0001 | Strong | Phishing simulation, exploit detection, forced browsing |
+| Execution | TA0002 | Strong | PowerShell analysis, fileless malware, script block logging |
+| Persistence | TA0003 | Strong | Scheduled tasks, registry, service accounts, LOTL |
+| Privilege Escalation | TA0004 | Strong | Kerberoasting, AD attacks, cloud privilege escalation |
+| Defense Evasion | TA0005 | Strong | Obfuscation, rootkit analysis, evasion detection |
+| Credential Access | TA0006 | Strong | Mimikatz detection, pass-the-hash, credential dumping |
+| Discovery | TA0007 | Moderate | BloodHound, AD enumeration, network scanning |
+| Lateral Movement | TA0008 | Strong | SMB exploits, lateral movement detection with Splunk |
+| Collection | TA0009 | Moderate | Email forensics, data staging detection |
+| Command and Control | TA0011 | Strong | C2 beaconing, DNS tunneling, Cobalt Strike analysis |
+| Exfiltration | TA0010 | Strong | DNS exfiltration, DLP controls, data loss detection |
+| Impact | TA0040 | Strong | Ransomware defense, encryption analysis, recovery |
+
+An **ATT&CK Navigator layer file** is included in the [v1.0.0 release assets](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) for visual coverage mapping. 
+
+> **Note:** ATT&CK v19 lands April 28, 2026 — splitting Defense Evasion (TA0005) into two new tactics: *Stealth* and *Impair Defenses*.  Skill mappings will be updated in a forthcoming release.
+
+</details>
+
+<details>
+<summary><strong>📊 NIST CSF 2.0 alignment — all 6 functions</strong></summary>
+
+&nbsp;
+
+| Function | Skills | Examples |
+|---|---|---|
+| **Govern (GV)** | 30+ | Risk strategy, policy frameworks, roles & responsibilities |
+| **Identify (ID)** | 120+ | Asset discovery, threat landscape assessment, risk analysis |
+| **Protect (PR)** | 150+ | IAM hardening, WAF rules, zero trust, encryption |
+| **Detect (DE)** | 200+ | Threat hunting, SIEM correlation, anomaly detection |
+| **Respond (RS)** | 160+ | Incident response, forensics, breach containment |
+| **Recover (RC)** | 40+ | Ransomware recovery, BCP, disaster recovery |
+
+NIST CSF 2.0 (February 2024) added the **Govern** function  and expanded scope from critical infrastructure to all organizations.  Skill mappings align to all 22 categories and reference 106 subcategories. 
+
+</details>
+
+<details>
+<summary><strong>📊 Framework deep dive — ATLAS, D3FEND, AI RMF</strong></summary>
+
+&nbsp;
+
+### MITRE ATLAS v5.4 — AI/ML adversarial threats
+ATLAS maps adversarial tactics, techniques, and case studies specific to AI and machine learning systems. Version 5.4 covers **16 tactics and 84 techniques** including agentic AI attack vectors added in late 2025: AI agent context poisoning, tool invocation abuse, MCP server compromises, and malicious agent deployment.  Skills mapped to ATLAS help agents identify and defend against threats to ML pipelines, model weights, inference APIs, and autonomous workflows. 
+
+### MITRE D3FEND v1.3 — Defensive countermeasures
+D3FEND is an NSA-funded knowledge graph of **267 defensive techniques** organized across 7 tactical categories: Model, Harden, Detect, Isolate, Deceive, Evict, and Restore.  Built on OWL 2 ontology, it uses a shared Digital Artifact layer to bidirectionally map defensive countermeasures to ATT&CK offensive techniques.  Skills tagged with D3FEND identifiers let agents recommend specific countermeasures for detected threats.
+
+### NIST AI RMF 1.0 + GenAI Profile (AI 600-1)
+The AI Risk Management Framework defines 4 core functions — Govern, Map, Measure, Manage — with **72 subcategories** for trustworthy AI development.  The GenAI Profile (AI 600-1, July 2024) adds **12 risk categories** specific to generative AI, from confabulation and data privacy to prompt injection and supply chain risks.  Colorado's AI Act (effective February 2026) provides a **legal safe harbor** for organizations complying with NIST AI RMF, making these mappings directly relevant to regulatory compliance.
+
+</details>
+
+## Compatible platforms
+
+**AI code assistants**
+Claude Code (Anthropic) · GitHub Copilot (Microsoft) · Cursor · Windsurf · Cline · Aider · Continue · Roo Code · Amazon Q Developer · Tabnine · Sourcegraph Cody · JetBrains AI 
+
+**CLI agents**
+OpenAI Codex CLI · Gemini CLI (Google) 
+
+**Autonomous agents**
+Devin · Replit Agent · SWE-agent · OpenHands 
+
+**Agent frameworks & SDKs**
+LangChain · CrewAI · AutoGen · Semantic Kernel · Haystack · Vercel AI SDK · Any MCP-compatible agent 
+
+All platforms that support the [agentskills.io](https://agentskills.io) standard can load these skills with zero configuration. 
+
+## What people are saying
+
+> *"A database of real, organized security skills that any AI agent can plug into and use. Not tutorials. Not blog posts."* 
+> — **[Hasan Toor (@hasantoxr)](https://x.com/hasantoxr/status/2033193922349179249)**, AI/tech creator
+
+> *"This is not a random collection of security scripts. It's a structured operational knowledge base designed for AI-driven security workflows."* 
+> — **[fazal-sec](https://fazal-sec.medium.com/claude-skills-ai-powered-cybersecurity-the-complete-guide-to-building-intelligent-security-7bb7e9d14c8e)**,  Medium
+
+## Featured in
+
+| Where | Type | Link |
+|---|---|---|
+| **awesome-agent-skills** | Awesome List (1,000+ skills index) | [VoltAgent/awesome-agent-skills](https://github.com/VoltAgent/awesome-agent-skills) |
+| **awesome-ai-security** | Awesome List (AI security tools) | [ottosulin/awesome-ai-security](https://github.com/ottosulin/awesome-ai-security) |
+| **awesome-codex-cli** | Awesome List (Codex CLI resources) | [RoggeOhta/awesome-codex-cli](https://github.com/RoggeOhta/awesome-codex-cli) |
+| **SkillsLLM** | Skills directory & marketplace | [skillsllm.com/skill/anthropic-cybersecurity-skills](https://skillsllm.com/skill/anthropic-cybersecurity-skills) |
+| **Openflows** | Signal analysis & tracking | [openflows.org](https://openflows.org/currency/currents/anthropic-cybersecurity-skills/) |
+| **NeverSight skills_feed** | Automated skills index | [NeverSight/skills_feed](https://github.com/NeverSight/skills_feed) |
+
+## Star history
+
+<a href="https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date">
+ <picture>
+   <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date&theme=dark" />
+   <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date" />
+   <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date" width="100%" />
+ </picture>
+</a>
+
+## Releases
+
+| Version | Date | Highlights |
+|---|---|---|
+| [v1.0.0](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) | March 11, 2026 | 734 skills · 26 domains · MITRE ATT&CK + NIST CSF 2.0 mapping · ATT&CK Navigator layer |
+
+Skills have continued to grow on `main` since v1.0.0 — the library now contains **754 skills** with **5-framework mapping**  (MITRE ATLAS, D3FEND, and NIST AI RMF added post-release).  Check [Releases](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases) for the latest tagged version.
+
 ## Contributing
 
-We welcome contributions from the cybersecurity community. See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines on adding new skills, improving existing ones, and our review process.
+This project grows through community contributions. Here is how to get involved:
 
-## Star History
+**Add a new skill** — Domains like Deception Technology (2 skills) and Compliance & Governance (5 skills) need the most help. Follow the template in [CONTRIBUTING.md](CONTRIBUTING.md) and submit a PR with the title `Add skill: your-skill-name`.
 
-[![Star History Chart](https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date)](https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date)
+**Improve existing skills** — Add framework mappings, fix workflows, update tool references, or contribute scripts and templates.
+
+**Report issues** — Found an inaccurate procedure or broken script? [Open an issue](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues).
+
+Every PR is reviewed for technical accuracy and agentskills.io standard compliance within 48 hours.  Check [good first issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) for a starting point.
+
+This project follows the [Contributor Covenant](https://www.contributor-covenant.org/). By participating, you agree to uphold this code. 
+
+## Community
+
+💬 [Discussions](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) — Questions, ideas, and roadmap conversations
+🐛 [Issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues) — Bug reports and feature requests
+🔒 [Security Policy](SECURITY.md) — Responsible disclosure process (48-hour acknowledgment) 
+
+## Citation
+
+If you use this project in research or publications:
+
+```bibtex
+@software{anthropic_cybersecurity_skills,
+  author       = {Jangra, Mahipal},
+  title        = {Anthropic Cybersecurity Skills},
+  year         = {2026},
+  url          = {https://github.com/mukul975/Anthropic-Cybersecurity-Skills},
+  license      = {Apache-2.0},
+  note         = {754 structured cybersecurity skills for AI agents,
+                  mapped to MITRE ATT\&CK, NIST CSF 2.0, MITRE ATLAS,
+                  MITRE D3FEND, and NIST AI RMF}
+}
+```
 
 ## License
 
-<a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache_2.0-blue.svg?style=flat" alt="License"></a>
+This project is licensed under the [Apache License 2.0](LICENSE). You are free to use, modify, and distribute these skills in both personal and commercial projects. 
 
-This project is licensed under the Apache License 2.0. See [LICENSE](LICENSE) for details.
+---
+
+<div align="center">
+
+**If this project helps your security work, consider giving it a ⭐**
+
+[⭐ Star](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers) · [🍴 Fork](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/fork) · [💬 Discuss](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) · [📝 Contribute](CONTRIBUTING.md)
+
+Community project by [@mukul975](https://github.com/mukul975). Not affiliated with Anthropic PBC.
+
+</div>

mappings/mitre-attack/coverage-summary.md

@@ -1,6 +1,6 @@
 # ATT&CK Coverage Summary
 
-Coverage analysis of the 607 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
+Coverage analysis of the 753 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
 
 ## Tactic Coverage Matrix
 

skills/acquiring-disk-image-with-dd-and-dcfldd/SKILL.md

@@ -1,12 +1,29 @@
 ---
 name: acquiring-disk-image-with-dd-and-dcfldd
-description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
+description: Create forensically sound bit-for-bit disk images using dd and dcfldd
+  while preserving evidence integrity through hash verification.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, disk-imaging, evidence-acquisition, dd, dcfldd, hash-verification]
-version: "1.0"
+tags:
+- forensics
+- disk-imaging
+- evidence-acquisition
+- dd
+- dcfldd
+- hash-verification
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
+mitre_attack:
+- T1006
+- T1005
+- T1025
+- T1074.001
 ---
 
 # Acquiring Disk Image with dd and dcfldd

skills/acquiring-disk-image-with-dd-and-dcfldd/scripts/agent.py

@@ -1,17 +1,19 @@
 #!/usr/bin/env python3
 """Forensic disk image acquisition agent using dd and dcfldd with hash verification."""
 
+import shlex
 import subprocess
 import hashlib
 import os
-import sys
 import datetime
 import json
 
 
 def run_cmd(cmd, capture=True):
-    """Execute a shell command and return output."""
-    result = subprocess.run(cmd, shell=True, capture_output=capture, text=True)
+    """Execute a command and return output."""
+    if isinstance(cmd, str):
+        cmd = shlex.split(cmd)
+    result = subprocess.run(cmd, capture_output=capture, text=True, timeout=120)
     return result.stdout.strip(), result.stderr.strip(), result.returncode
 
 
@@ -65,16 +67,22 @@ def compute_hash(path, algorithm="sha256", block_size=65536):
 
 def acquire_with_dd(source, destination, block_size=4096, log_file=None):
     """Acquire a forensic image using dd with error handling."""
-    cmd = (
-        f"dd if={source} of={destination} bs={block_size} "
-        f"conv=noerror,sync status=progress"
-    )
-    if log_file:
-        cmd += f" 2>&1 | tee {log_file}"
+    dd_cmd = [
+        "dd", f"if={source}", f"of={destination}",
+        f"bs={block_size}", "conv=noerror,sync", "status=progress"
+    ]
     print(f"[*] Starting dd acquisition: {source} -> {destination}")
     print(f"[*] Block size: {block_size}")
     start = datetime.datetime.utcnow()
-    _, stderr, rc = run_cmd(cmd, capture=False)
+    if log_file:
+        dd_proc = subprocess.run(dd_cmd, capture_output=True, text=True, timeout=120)
+        combined = (dd_proc.stdout or "") + (dd_proc.stderr or "")
+        with open(log_file, "w") as lf:
+            lf.write(combined)
+        rc = dd_proc.returncode
+    else:
+        result = subprocess.run(dd_cmd, text=True, timeout=120)
+        rc = result.returncode
     elapsed = (datetime.datetime.utcnow() - start).total_seconds()
     print(f"[*] Acquisition completed in {elapsed:.1f} seconds (rc={rc})")
     return rc == 0
@@ -83,18 +91,21 @@ def acquire_with_dd(source, destination, block_size=4096, log_file=None):
 def acquire_with_dcfldd(source, destination, hash_alg="sha256", hash_log=None,
                         error_log=None, block_size=4096, split_size=None):
     """Acquire a forensic image using dcfldd with built-in hashing."""
-    cmd = f"dcfldd if={source} of={destination} bs={block_size} conv=noerror,sync"
-    cmd += f" hash={hash_alg}"
+    cmd = [
+        "dcfldd", f"if={source}", f"of={destination}",
+        f"bs={block_size}", "conv=noerror,sync",
+        f"hash={hash_alg}", "hashwindow=1G",
+    ]
     if hash_log:
-        cmd += f" hashlog={hash_log}"
-    cmd += " hashwindow=1G"
+        cmd.append(f"hashlog={hash_log}")
     if error_log:
-        cmd += f" errlog={error_log}"
+        cmd.append(f"errlog={error_log}")
     if split_size:
-        cmd += f" split={split_size} splitformat=aa"
+        cmd.extend([f"split={split_size}", "splitformat=aa"])
     print(f"[*] Starting dcfldd acquisition: {source} -> {destination}")
     start = datetime.datetime.utcnow()
-    _, stderr, rc = run_cmd(cmd, capture=False)
+    result = subprocess.run(cmd, text=True, timeout=120)
+    rc = result.returncode
     elapsed = (datetime.datetime.utcnow() - start).total_seconds()
     print(f"[*] dcfldd completed in {elapsed:.1f} seconds (rc={rc})")
     return rc == 0

skills/analyzing-active-directory-acl-abuse/SKILL.md

@@ -1,20 +1,46 @@
 ---
 name: analyzing-active-directory-acl-abuse
-description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
+description: Detect dangerous ACL misconfigurations in Active Directory using ldap3
+  to identify GenericAll, WriteDACL, and WriteOwner abuse paths
 domain: cybersecurity
 subdomain: identity-security
-tags: [active-directory, acl-abuse, ldap, privilege-escalation]
-version: "1.0"
+tags:
+- active-directory
+- acl-abuse
+- ldap
+- privilege-escalation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.AA-06
+mitre_attack:
+- T1098
+- T1098.007
+- T1484.001
+- T1222.001
+- T1078.002
 ---
 
+
+# Analyzing Active Directory ACL Abuse
+
 ## Overview
 
 Active Directory Access Control Lists (ACLs) define permissions on AD objects through Discretionary Access Control Lists (DACLs) containing Access Control Entries (ACEs). Misconfigured ACEs can grant non-privileged users dangerous permissions such as GenericAll (full control), WriteDACL (modify permissions), WriteOwner (take ownership), and GenericWrite (modify attributes) on sensitive objects like Domain Admins groups, domain controllers, or GPOs.
 
 This skill uses the ldap3 Python library to connect to a Domain Controller, query objects with their nTSecurityDescriptor attribute, parse the binary security descriptor into SDDL (Security Descriptor Definition Language) format, and identify ACEs that grant dangerous permissions to non-administrative principals. These misconfigurations are the basis for ACL-based attack paths discovered by tools like BloodHound.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing active directory acl abuse
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Python 3.9 or later with ldap3 library (`pip install ldap3`)

skills/analyzing-active-directory-acl-abuse/scripts/agent.py

@@ -4,11 +4,8 @@
 import argparse
 import json
 import struct
-import sys
-from collections import defaultdict
 
 from ldap3 import Server, Connection, ALL, NTLM, SUBTREE
-from ldap3.protocol.formatters.formatters import format_sid
 
 
 DANGEROUS_MASKS = {

skills/analyzing-android-malware-with-apktool/SKILL.md

@@ -1,12 +1,33 @@
 ---
 name: analyzing-android-malware-with-apktool
-description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
+description: Perform static analysis of Android APK malware samples using apktool
+  for decompilation, jadx for Java source recovery, and androguard for permission
+  analysis, manifest inspection, and suspicious API call detection.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [Android, APK, apktool, jadx, androguard, mobile-malware, static-analysis, reverse-engineering]
-version: "1.0"
+tags:
+- Android
+- APK
+- apktool
+- jadx
+- androguard
+- mobile-malware
+- static-analysis
+- reverse-engineering
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
+mitre_attack:
+- T1406
+- T1407
+- T1626.001
+- T1655.001
+- T1521.001
 ---
 
 # Analyzing Android Malware with Apktool
@@ -15,6 +36,14 @@ license: Apache-2.0
 
 Android malware distributed as APK files can be statically analyzed to extract permissions, activities, services, broadcast receivers, and suspicious API calls without executing the sample. This skill uses androguard for programmatic APK analysis, identifying dangerous permission combinations, obfuscated code patterns, dynamic code loading, reflection-based API calls, and network communication indicators.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing android malware with apktool
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Python 3.9+ with `androguard`

skills/analyzing-api-gateway-access-logs/SKILL.md

@@ -1,20 +1,54 @@
 ---
 name: analyzing-api-gateway-access-logs
-description: >
-  Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR
-  attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas
-  for statistical analysis of request patterns and anomaly detection. Use when
-  investigating API abuse or building API-specific threat detection rules.
+description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect
+  BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts.
+  Uses pandas for statistical analysis of request patterns and anomaly detection.
+  Use when investigating API abuse or building API-specific threat detection rules.
+
+  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, api, gateway, access]
-version: "1.0"
+tags:
+- api-security
+- access-log-analysis
+- aws-api-gateway
+- kong
+- nginx
+- bola-detection
+- rate-limit-bypass
+- security-operations
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
+mitre_attack:
+- T1190
+- T1110.004
+- T1078.004
+- T1119
 ---
 
 # Analyzing API Gateway Access Logs
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing api gateway access logs
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
+## Prerequisites
+
+- Familiarity with security operations concepts and tools
+- Access to a test or lab environment for safe execution
+- Python 3.8+ with required dependencies installed
+- Appropriate authorization for any testing activities
+
 ## Instructions
 
 Parse API gateway access logs to identify attack patterns including broken object

skills/analyzing-api-gateway-access-logs/scripts/agent.py

@@ -1,15 +1,12 @@
 #!/usr/bin/env python3
 """Agent for analyzing API Gateway access logs for security threats."""
 
-import os
 import re
 import json
 import argparse
 from datetime import datetime
-from collections import defaultdict
 
 import pandas as pd
-import numpy as np
 
 
 def load_api_logs(log_path):

skills/analyzing-apt-group-with-mitre-navigator/SKILL.md

@@ -1,12 +1,39 @@
 ---
 name: analyzing-apt-group-with-mitre-navigator
-description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
+description: Analyze advanced persistent threat (APT) group techniques using MITRE
+  ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap
+  analysis and threat-informed defense.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [mitre-attack, navigator, apt, threat-actor, ttp-analysis, heatmap, detection-gap, threat-intelligence]
-version: "1.0"
+tags:
+- mitre-attack
+- navigator
+- apt
+- threat-actor
+- ttp-analysis
+- heatmap
+- detection-gap
+- threat-intelligence
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- Executable Denylisting
+- Execution Isolation
+- File Metadata Consistency Validation
+- Content Format Conversion
+- File Content Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
+mitre_attack:
+- T1059.001
+- T1071.001
+- T1003.001
+- T1486
+- T1547.001
 ---
 # Analyzing APT Group with MITRE ATT&CK Navigator
 
@@ -14,6 +41,14 @@ license: Apache-2.0
 
 MITRE ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices, enabling analysts to visualize threat actor technique coverage, compare multiple APT groups, identify detection gaps, and build threat-informed defense strategies. This skill covers querying ATT&CK data programmatically, mapping APT group TTPs to Navigator layers, creating multi-layer overlays for gap analysis, and generating actionable intelligence reports for detection engineering teams.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing apt group with mitre navigator
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Python 3.9+ with `attackcti`, `mitreattack-python`, `stix2`, `requests` libraries
@@ -36,7 +71,7 @@ ATT&CK catalogs over 140 threat groups with documented technique usage. Each gro
 
 The Navigator supports loading multiple layers simultaneously, allowing analysts to overlay threat actor TTPs against detection coverage to identify gaps, compare multiple APT groups to find common techniques worth prioritizing, and track technique coverage changes over time.
 
-## Practical Steps
+## Workflow
 
 ### Step 1: Query ATT&CK Data for APT Group
 

skills/analyzing-apt-group-with-mitre-navigator/scripts/agent.py

@@ -8,7 +8,6 @@ performs detection gap analysis, and generates threat-informed reports.
 import json
 import os
 import sys
-import hashlib
 from collections import Counter
 
 try:

skills/analyzing-azure-activity-logs-for-threats/SKILL.md

@@ -1,20 +1,53 @@
 ---
 name: analyzing-azure-activity-logs-for-threats
-description: >
-  Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to
-  detect suspicious administrative operations, impossible travel, privilege escalation,
+description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query
+  to detect suspicious administrative operations, impossible travel, privilege escalation,
   and resource modifications. Builds KQL queries for threat hunting in Azure environments.
   Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
+
+  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, azure, activity, logs]
-version: "1.0"
+tags:
+- azure
+- cloud-security
+- azure-monitor
+- kql
+- threat-hunting
+- activity-logs
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
+mitre_attack:
+- T1078.004
+- T1098.003
+- T1538
+- T1556.009
+- T1580
 ---
 
 # Analyzing Azure Activity Logs for Threats
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing azure activity logs for threats
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
+## Prerequisites
+
+- Familiarity with security operations concepts and tools
+- Access to a test or lab environment for safe execution
+- Python 3.8+ with required dependencies installed
+- Appropriate authorization for any testing activities
+
 ## Instructions
 
 Use azure-monitor-query to execute KQL queries against Azure Log Analytics workspaces,

skills/analyzing-bootkit-and-rootkit-samples/SKILL.md

@@ -1,17 +1,35 @@
 ---
 name: analyzing-bootkit-and-rootkit-samples
-description: >
-  Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR),
-  Volume Boot Record (VBR), or UEFI firmware to gain persistence below the operating system.
-  Covers boot sector analysis, UEFI module inspection, and anti-rootkit detection techniques.
-  Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
-  persistence analysis, or pre-OS malware detection.
+description: 'Analyzes bootkit and advanced rootkit malware that infects the Master
+  Boot Record (MBR), Volume Boot Record (VBR), or UEFI firmware to gain persistence
+  below the operating system. Covers boot sector analysis, UEFI module inspection,
+  and anti-rootkit detection techniques. Activates for requests involving bootkit
+  analysis, MBR malware investigation, UEFI persistence analysis, or pre-OS malware
+  detection.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, bootkit, rootkit, UEFI, MBR-analysis]
+tags:
+- malware
+- bootkit
+- rootkit
+- UEFI
+- MBR-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
+mitre_attack:
+- T1542.003
+- T1542.001
+- T1542.002
+- T1014
+- T1547.006
 ---
 
 # Analyzing Bootkit and Rootkit Samples

skills/analyzing-bootkit-and-rootkit-samples/scripts/agent.py

@@ -112,8 +112,11 @@ def analyze_boot_code(mbr_data):
 
 def run_volatility_rootkit_scan(memory_dump, plugin):
     """Run a Volatility 3 plugin for rootkit detection via subprocess."""
-    cmd = f"vol3 -f {memory_dump} {plugin}"
-    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
+    result = subprocess.run(
+        ["vol3", "-f", memory_dump, plugin],
+        capture_output=True, text=True,
+        timeout=120,
+    )
     return result.stdout, result.stderr, result.returncode
 
 

skills/analyzing-browser-forensics-with-hindsight/SKILL.md

@@ -1,12 +1,34 @@
 ---
 name: analyzing-browser-forensics-with-hindsight
-description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
+description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing
+  history, downloads, cookies, cached content, autofill data, saved passwords, and
+  browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [browser-forensics, hindsight, chrome-forensics, chromium, edge, browsing-history, cookies, downloads, cache, web-artifacts]
-version: "1.0"
+tags:
+- browser-forensics
+- hindsight
+- chrome-forensics
+- chromium
+- edge
+- browsing-history
+- cookies
+- downloads
+- cache
+- web-artifacts
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
+mitre_attack:
+- T1217
+- T1539
+- T1555.003
+- T1185
 ---
 
 # Analyzing Browser Forensics with Hindsight
@@ -15,6 +37,14 @@ license: Apache-2.0
 
 Hindsight is an open-source browser forensics tool designed to parse artifacts from Google Chrome and other Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi). It extracts and correlates data from multiple browser database files to create a unified timeline of web activity. Hindsight can parse URLs, download history, cache records, bookmarks, autofill records, saved passwords, preferences, browser extensions, HTTP cookies, Local Storage (HTML5 cookies), login data, and session/tab information. The tool produces chronological timelines in multiple output formats (XLSX, JSON, SQLite) that enable investigators to reconstruct user web activity for incident response, insider threat investigations, and criminal cases.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing browser forensics with hindsight
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Python 3.8+ with Hindsight installed (`pip install pyhindsight`)
@@ -213,3 +243,60 @@ if __name__ == "__main__":
 - Chrome Forensics Guide: https://allenace.medium.com/hindsight-chrome-forensics-made-simple-425db99fa5ed
 - Browser Forensics Tools: https://www.cyberforensicacademy.com/blog/browser-forensics-tools-how-to-extract-user-activity
 - Chromium Source (History): https://source.chromium.org/chromium/chromium/src/+/main:components/history/
+
+## Example Output
+
+```text
+$ python hindsight.py -i /evidence/chrome-profile -o /analysis/hindsight_output
+
+Hindsight v2024.01 - Chrome/Chromium Browser Forensic Analysis
+================================================================
+
+Profile: /evidence/chrome-profile (Chrome 120.0.6099.130)
+OS: Windows 10
+
+[+] Parsing History database...
+    URL records:          12,456
+    Download records:     234
+    Search terms:         567
+
+[+] Parsing Cookies database...
+    Cookie records:       8,923
+    Encrypted cookies:    6,712
+
+[+] Parsing Web Data (Autofill)...
+    Autofill entries:     1,234
+    Credit card entries:  2 (encrypted)
+
+[+] Parsing Login Data...
+    Saved credentials:    45 (encrypted)
+
+[+] Parsing Bookmarks...
+    Bookmark entries:     189
+
+--- Browsing History (Last 10 Entries) ---
+Timestamp (UTC)          | URL                                          | Title                        | Visit Count
+2024-01-15 14:32:05.123  | https://mail.corporate.com/inbox             | Corporate Mail                | 45
+2024-01-15 14:33:12.456  | https://drive.google.com/file/d/1aBcDe...    | Q4_Financial_Report.xlsx     | 1
+2024-01-15 14:35:44.789  | https://mega.nz/folder/xYz123               | MEGA - Secure Cloud          | 3
+2024-01-15 14:36:01.234  | https://mega.nz/folder/xYz123#upload        | MEGA - Upload                | 8
+2024-01-15 14:42:15.567  | https://pastebin.com/raw/kL9mN2pQ           | Pastebin (raw)               | 1
+2024-01-15 15:01:33.890  | https://192.168.1.50:8443/admin              | Admin Panel                  | 12
+2024-01-15 15:15:22.111  | https://transfer.sh/upload                  | transfer.sh                  | 2
+2024-01-15 15:30:45.222  | https://vpn-gateway.corporate.com            | VPN Login                    | 5
+2024-01-15 16:00:00.333  | https://whatismyipaddress.com                 | What Is My IP                | 1
+2024-01-15 16:05:12.444  | https://protonmail.com/inbox                 | ProtonMail                   | 3
+
+--- Downloads (Suspicious) ---
+Timestamp (UTC)          | Filename                    | URL Source                               | Size
+2024-01-15 14:33:15.000  | Q4_Financial_Report.xlsm   | https://phish-domain.com/docs/report     | 245 KB
+2024-01-15 14:34:02.000  | update_client.exe          | https://cdn.evil-updates.com/client.exe  | 1.2 MB
+
+--- Cookies (Session Tokens) ---
+Domain                   | Name              | Expires            | Secure | HttpOnly
+.corporate.com           | SESSION_ID        | 2024-01-16 14:32   | Yes    | Yes
+.mega.nz                 | session           | Session            | Yes    | Yes
+.protonmail.com          | AUTH-TOKEN        | 2024-02-15 00:00   | Yes    | Yes
+
+Report saved to: /analysis/hindsight_output/Hindsight_Report.xlsx
+```

skills/analyzing-browser-forensics-with-hindsight/scripts/agent.py

@@ -10,8 +10,6 @@ import sys
 import json
 import sqlite3
 import datetime
-import hashlib
-from collections import defaultdict
 
 
 def chrome_time_to_datetime(chrome_time):

skills/analyzing-campaign-attribution-evidence/SKILL.md

@@ -1,12 +1,31 @@
 ---
 name: analyzing-campaign-attribution-evidence
-description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
+description: Campaign attribution analysis involves systematically evaluating evidence
+  to determine which threat actor or group is responsible for a cyber operation. This
+  skill covers collecting and weighting attr
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, attribution, campaign-analysis]
-version: "1.0"
+tags:
+- threat-intelligence
+- cti
+- ioc
+- mitre-attack
+- stix
+- attribution
+- campaign-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
+mitre_attack:
+- T1587.001
+- T1583.001
+- T1588.002
+- T1071.001
 ---
 # Analyzing Campaign Attribution Evidence
 
@@ -14,6 +33,14 @@ license: Apache-2.0
 
 Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attribution indicators using the Diamond Model and ACH (Analysis of Competing Hypotheses), analyzing infrastructure overlaps, TTP consistency, malware code similarities, operational timing patterns, and language artifacts to build confidence-weighted attribution assessments.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing campaign attribution evidence
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Python 3.9+ with `attackcti`, `stix2`, `networkx` libraries
@@ -40,7 +67,7 @@ Campaign attribution analysis involves systematically evaluating evidence to det
 ### Analysis of Competing Hypotheses (ACH)
 Structured analytical method that evaluates evidence against multiple competing hypotheses. Each piece of evidence is scored as consistent, inconsistent, or neutral with respect to each hypothesis. The hypothesis with the least inconsistent evidence is favored.
 
-## Practical Steps
+## Workflow
 
 ### Step 1: Collect Attribution Evidence
 

skills/analyzing-campaign-attribution-evidence/scripts/agent.py

@@ -6,9 +6,6 @@ malware code similarity, timing patterns, and language artifacts.
 """
 
 import json
-import os
-import sys
-import hashlib
 import re
 from collections import defaultdict
 from datetime import datetime

skills/analyzing-certificate-transparency-for-phishing/SKILL.md

@@ -1,12 +1,35 @@
 ---
 name: analyzing-certificate-transparency-for-phishing
-description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.
+description: Monitor Certificate Transparency logs using crt.sh and Certstream to
+  detect phishing domains, lookalike certificates, and unauthorized certificate issuance
+  targeting your organization.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [certificate-transparency, ct-logs, phishing, crt-sh, certstream, ssl, domain-monitoring, threat-intelligence]
-version: "1.0"
+tags:
+- certificate-transparency
+- ct-logs
+- phishing
+- crt-sh
+- certstream
+- ssl
+- domain-monitoring
+- threat-intelligence
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0052
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
+mitre_attack:
+- T1583.001
+- T1583.004
+- T1566.002
+- T1608.005
+- T1596.003
 ---
 # Analyzing Certificate Transparency for Phishing
 
@@ -14,6 +37,14 @@ license: Apache-2.0
 
 Certificate Transparency (CT) is an Internet security standard that creates a public, append-only log of all issued SSL/TLS certificates. Monitoring CT logs enables early detection of phishing domains that register certificates mimicking legitimate brands, unauthorized certificate issuance for owned domains, and certificate-based attack infrastructure. This skill covers querying CT logs via crt.sh, real-time monitoring with Certstream, building automated alerting for suspicious certificates, and integrating findings into threat intelligence workflows.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing certificate transparency for phishing
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Python 3.9+ with `requests`, `certstream`, `tldextract`, `Levenshtein` libraries
@@ -36,7 +67,7 @@ Attackers register lookalike domains and obtain free certificates (often from Le
 
 crt.sh is a free web interface and PostgreSQL database operated by Sectigo that indexes CT logs. It supports wildcard searches (`%.example.com`), direct SQL queries, and JSON API responses. It tracks certificate issuance, expiration, and revocation across all major CT logs.
 
-## Practical Steps
+## Workflow
 
 ### Step 1: Query crt.sh for Certificate History
 

skills/analyzing-certificate-transparency-for-phishing/scripts/agent.py

@@ -6,10 +6,7 @@ certificates, and identifies potential phishing infrastructure.
 """
 
 import json
-import os
 import sys
-import re
-from datetime import datetime
 from collections import defaultdict
 
 try:

skills/analyzing-cloud-storage-access-patterns/SKILL.md

@@ -1,18 +1,61 @@
 ---
 name: analyzing-cloud-storage-access-patterns
-description: >-
-  Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail
-  Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads,
-  access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration
-  using statistical baselines and time-series anomaly detection.
+description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage
+  by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics.
+  Identifies after-hours bulk downloads, access from new IP addresses, unusual API
+  calls (GetObject spikes), and potential data exfiltration using statistical baselines
+  and time-series anomaly detection.
 domain: cybersecurity
 subdomain: cloud-security
-tags: [analyzing, cloud, storage, access]
-version: "1.0"
+tags:
+- cloud-security
+- aws-s3
+- gcs
+- azure-blob-storage
+- cloudtrail
+- data-access-anomaly
+- exfiltration-detection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0024
+- AML.T0056
+nist_ai_rmf:
+- MEASURE-2.7
+- MAP-5.1
+- MANAGE-2.4
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
+mitre_attack:
+- T1530
+- T1567.002
+- T1619
+- T1078.004
+- T1048
 ---
 
+
+# Analyzing Cloud Storage Access Patterns
+
+
+## When to Use
+
+- When investigating security incidents that require analyzing cloud storage access patterns
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
+## Prerequisites
+
+- Familiarity with cloud security concepts and tools
+- Access to a test or lab environment for safe execution
+- Python 3.8+ with required dependencies installed
+- Appropriate authorization for any testing activities
+
 ## Instructions
 
 1. Install dependencies: `pip install boto3 requests`

skills/analyzing-cloud-storage-access-patterns/scripts/agent.py

@@ -21,7 +21,7 @@ def query_cloudtrail_s3_events(bucket_name, hours_back=24):
         "--start-time", start_time,
         "--output", "json",
     ]
-    result = subprocess.run(cmd, capture_output=True, text=True)
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
     if result.returncode != 0:
         logger.error("CloudTrail query failed: %s", result.stderr[:200])
         return []

skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md

@@ -1,12 +1,32 @@
 ---
 name: analyzing-cobalt-strike-beacon-configuration
-description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, malleable profiles, and operator tradecraft.
+description: Extract and analyze Cobalt Strike beacon configuration from PE files
+  and memory dumps to identify C2 infrastructure, malleable profiles, and operator
+  tradecraft.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [cobalt-strike, beacon, c2, malware-analysis, config-extraction, threat-hunting, red-team-tools]
-version: "1.0"
+tags:
+- cobalt-strike
+- beacon
+- c2
+- malware-analysis
+- config-extraction
+- threat-hunting
+- red-team-tools
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
+mitre_attack:
+- T1071.001
+- T1573.001
+- T1090.004
+- T1105
+- T1027
 ---
 # Analyzing Cobalt Strike Beacon Configuration
 
@@ -14,6 +34,14 @@ license: Apache-2.0
 
 Cobalt Strike is a commercial adversary simulation tool widely abused by threat actors for post-exploitation operations. Beacon payloads contain embedded configuration data that reveals C2 server addresses, communication protocols, sleep intervals, jitter values, malleable C2 profile settings, watermark identifiers, and encryption keys. Extracting this configuration from PE files, shellcode, or memory dumps is critical for incident responders to map attacker infrastructure and attribute campaigns. The beacon configuration is XOR-encoded using a single byte (0x69 for version 3, 0x2e for version 4) and stored in a Type-Length-Value (TLV) format within the .data section.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing cobalt strike beacon configuration
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Python 3.9+ with `dissect.cobaltstrike`, `pefile`, `yara-python`
@@ -37,7 +65,7 @@ The beacon configuration encodes the malleable C2 profile that dictates HTTP req
 
 Each Cobalt Strike license embeds a unique watermark (4-byte integer) into generated beacons. Extracting the watermark can link multiple beacons to the same operator or cracked license. Known watermark databases maintained by threat intelligence providers map watermarks to specific threat actors or leaked license keys.
 
-## Practical Steps
+## Workflow
 
 ### Step 1: Extract Configuration with CobaltStrikeParser
 

skills/analyzing-cobalt-strike-beacon-configuration/scripts/agent.py

@@ -8,9 +8,7 @@ communication settings, malleable C2 profile details, and watermark values.
 import struct
 import os
 import sys
-import json
 import hashlib
-import re
 from collections import OrderedDict
 
 # Cobalt Strike beacon configuration field IDs (Type-Length-Value format)

skills/analyzing-cobalt-strike-malleable-profiles/SKILL.md

@@ -1,60 +0,0 @@
----
-name: analyzing-cobalt-strike-malleable-profiles
-description: >
-  Parses Cobalt Strike malleable C2 profiles using pyMalleableC2 to extract beacon
-  configuration, HTTP communication patterns, and sleep/jitter settings. Combines with
-  JARM TLS fingerprinting to detect C2 servers on the network. Use when investigating
-  suspected Cobalt Strike infrastructure or building detection signatures for C2 traffic.
-domain: cybersecurity
-subdomain: security-operations
-tags: [analyzing, cobalt, strike, malleable]
-version: "1.0"
-author: mahipal
-license: Apache-2.0
----
-
-# Analyzing Cobalt Strike Malleable Profiles
-
-## Instructions
-
-Parse malleable C2 profiles to extract IOCs and detection opportunities using the
-pyMalleableC2 library. Combine with JARM fingerprinting to identify C2 servers.
-
-```python
-from malleablec2 import Profile
-
-# Parse a malleable profile from file
-profile = Profile.from_file("amazon.profile")
-
-# Extract global options (sleep, jitter, user-agent)
-print(profile.ast.pretty())
-
-# Access HTTP-GET block URIs and headers for network signatures
-# Access HTTP-POST block for data exfiltration patterns
-# Generate JARM fingerprints for known C2 infrastructure
-```
-
-Key analysis steps:
-1. Parse the malleable profile to extract HTTP-GET/POST URI patterns
-2. Extract User-Agent strings and custom headers for IDS signatures
-3. Identify sleep time and jitter for beaconing detection thresholds
-4. Scan suspect IPs with JARM to match known C2 fingerprint hashes
-5. Cross-reference extracted IOCs with network traffic logs
-
-## Examples
-
-```python
-# Parse profile and extract detection indicators
-from malleablec2 import Profile
-p = Profile.from_file("cobaltstrike.profile")
-print(p)  # Reconstructed source
-
-# JARM scan a suspect C2 server
-import subprocess
-result = subprocess.run(
-    ["python3", "jarm.py", "suspect-server.com"],
-    capture_output=True, text=True
-)
-print(result.stdout)
-# Compare fingerprint against known CS JARM hashes
-```

skills/analyzing-cobalt-strike-malleable-profiles/references/api-reference.md

@@ -1,69 +0,0 @@
-# API Reference: Analyzing Cobalt Strike Malleable Profiles
-
-## pyMalleableC2
-
-```python
-from malleablec2 import Profile
-from malleablec2.components import HttpGetBlock, HttpPostBlock, ClientBlock, ServerBlock
-
-# Parse from file or string
-p = Profile.from_file("amazon.profile")
-p = Profile.from_string(code_string)
-p = Profile.from_scratch()
-
-# Set global options
-p.set_option("sleeptime", "3000")
-p.set_option("jitter", "0")
-p.set_option("pipename", "mojo__##")
-
-# HTTP blocks
-http_get = HttpGetBlock()
-http_get.set_option("uri", "/updates")
-client = ClientBlock()
-client.add_statement("header", "Accept", "*/*")
-http_get.add_code_block(client)
-p.add_code_block(http_get)
-
-# AST and reconstruction
-print(p.ast.pretty())   # Display AST
-print(p)                # Reconstruct source
-```
-
-## JARM TLS Fingerprinting
-
-```bash
-# Scan a single host
-python3 jarm.py www.example.com
-
-# Scan with specific port
-python3 jarm.py 192.168.1.1 -p 8443
-
-# Batch scan from file
-python3 jarm.py -i targets.txt -o results.csv
-```
-
-Fingerprint format: 62-char hybrid hash
-- First 30 chars: cipher + TLS version (10 handshakes x 3 chars)
-- Last 32 chars: truncated SHA256 of cumulative extensions
-
-## Known Cobalt Strike JARM Hashes
-
-| JARM Hash | Description |
-|-----------|-------------|
-| `07d14d16d21d21d07c42d41d00041d...` | CS default config |
-| `07d14d16d21d21d00042d41d00041d...` | CS with Java 11 |
-
-## dissect.cobaltstrike (Alternative)
-
-```python
-from dissect.cobaltstrike import beacon
-b = beacon.BeaconConfig.from_file("beacon.bin")
-print(b.protocol, b.port, b.sleeptime)
-```
-
-### References
-
-- pyMalleableC2: https://github.com/byt3bl33d3r/pyMalleableC2
-- JARM scanner: https://github.com/salesforce/jarm
-- dissect.cobaltstrike: https://github.com/fox-it/dissect.cobaltstrike
-- C2 JARM list: https://github.com/cedowens/C2-JARM

skills/analyzing-cobalt-strike-malleable-profiles/scripts/agent.py

@@ -1,174 +0,0 @@
-#!/usr/bin/env python3
-"""Agent for analyzing Cobalt Strike malleable C2 profiles and JARM fingerprinting."""
-
-import os
-import json
-import subprocess
-import argparse
-from pathlib import Path
-from datetime import datetime
-
-from malleablec2 import Profile
-
-
-def extract_profile_indicators(profile_path):
-    """Extract detection indicators from a malleable C2 profile."""
-    with open(profile_path) as f:
-        content = f.read()
-    profile = Profile.from_string(content)
-    indicators = {
-        "file": str(profile_path),
-        "source_lines": len(content.splitlines()),
-        "reconstructed": str(profile),
-    }
-    keywords = ["sleeptime", "jitter", "useragent", "pipename", "host_stage",
-                "dns_idle", "dns_sleep", "spawnto_x86", "spawnto_x64"]
-    options = {}
-    for kw in keywords:
-        for line in content.splitlines():
-            stripped = line.strip().rstrip(";").strip()
-            if kw in stripped.lower() and "set " in stripped.lower():
-                parts = stripped.split('"')
-                if len(parts) >= 2:
-                    options[kw] = parts[1]
-    indicators["global_options"] = options
-    uris = []
-    for line in content.splitlines():
-        if "set uri" in line.strip().lower():
-            parts = line.strip().split('"')
-            if len(parts) >= 2:
-                uris.append(parts[1])
-    indicators["uris"] = uris
-    headers = []
-    for line in content.splitlines():
-        stripped = line.strip()
-        if "header " in stripped.lower() and '"' in stripped:
-            parts = stripped.split('"')
-            if len(parts) >= 4:
-                headers.append({"name": parts[1], "value": parts[3]})
-    indicators["custom_headers"] = headers
-    return indicators
-
-
-def scan_directory_profiles(directory):
-    """Scan a directory for malleable C2 profiles and extract indicators."""
-    results = []
-    for path in Path(directory).rglob("*.profile"):
-        try:
-            indicators = extract_profile_indicators(str(path))
-            results.append(indicators)
-        except Exception as e:
-            results.append({"file": str(path), "error": str(e)})
-    return results
-
-
-KNOWN_CS_JARM = {
-    "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1":
-        "Cobalt Strike (default)",
-    "07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2":
-        "Cobalt Strike (Java 11)",
-}
-
-
-def compute_jarm_fingerprint(host, port=443):
-    """Compute JARM fingerprint by invoking the salesforce/jarm scanner."""
-    jarm_script = os.getenv("JARM_SCRIPT", "jarm.py")
-    try:
-        result = subprocess.run(
-            ["python3", jarm_script, host, "-p", str(port)],
-            capture_output=True, text=True, timeout=30,
-        )
-        for line in result.stdout.splitlines():
-            if len(line.strip()) >= 62:
-                return line.strip().split()[-1]
-        return result.stdout.strip()
-    except Exception as e:
-        return f"Error: {e}"
-
-
-def check_jarm_against_known(fingerprint):
-    """Check a JARM fingerprint against known Cobalt Strike signatures."""
-    for jarm_hash, description in KNOWN_CS_JARM.items():
-        if fingerprint.strip() == jarm_hash:
-            return {"match": True, "description": description, "fingerprint": fingerprint}
-    return {"match": False, "fingerprint": fingerprint}
-
-
-def batch_jarm_scan(targets, port=443):
-    """Scan multiple targets for JARM fingerprints and check against known CS hashes."""
-    results = []
-    for target in targets:
-        fp = compute_jarm_fingerprint(target, port)
-        match = check_jarm_against_known(fp)
-        match["target"] = target
-        results.append(match)
-    return results
-
-
-def generate_snort_rules(indicators_list):
-    """Generate Snort/Suricata rules from extracted profile indicators."""
-    rules = []
-    sid = 1000001
-    for ind in indicators_list:
-        for uri in ind.get("uris", []):
-            rules.append(
-                f'alert http $HOME_NET any -> $EXTERNAL_NET any '
-                f'(msg:"CS Beacon URI {uri}"; '
-                f'content:"{uri}"; http_uri; sid:{sid}; rev:1;)'
-            )
-            sid += 1
-        ua = ind.get("global_options", {}).get("useragent", "")
-        if ua:
-            rules.append(
-                f'alert http $HOME_NET any -> $EXTERNAL_NET any '
-                f'(msg:"CS Beacon User-Agent"; '
-                f'content:"{ua}"; http_header; sid:{sid}; rev:1;)'
-            )
-            sid += 1
-    return rules
-
-
-def main():
-    parser = argparse.ArgumentParser(description="Cobalt Strike Malleable Profile Analyzer")
-    parser.add_argument("--profile", help="Path to a single malleable C2 profile")
-    parser.add_argument("--directory", help="Directory of malleable profiles")
-    parser.add_argument("--jarm-targets", nargs="*", help="Hosts to JARM fingerprint")
-    parser.add_argument("--output", default="cs_analysis_report.json")
-    parser.add_argument("--action", choices=[
-        "parse", "scan_dir", "jarm", "generate_rules", "full_analysis"
-    ], default="full_analysis")
-    args = parser.parse_args()
-
-    report = {"generated_at": datetime.utcnow().isoformat(), "findings": {}}
-
-    if args.action in ("parse", "full_analysis") and args.profile:
-        indicators = extract_profile_indicators(args.profile)
-        report["findings"]["profile_indicators"] = indicators
-        print(f"[+] Parsed: {args.profile} ({len(indicators.get('uris', []))} URIs)")
-
-    if args.action in ("scan_dir", "full_analysis") and args.directory:
-        results = scan_directory_profiles(args.directory)
-        report["findings"]["directory_scan"] = results
-        print(f"[+] Scanned {len(results)} profiles in {args.directory}")
-
-    if args.action in ("jarm", "full_analysis") and args.jarm_targets:
-        jarm_results = batch_jarm_scan(args.jarm_targets)
-        report["findings"]["jarm_scan"] = jarm_results
-        matches = [r for r in jarm_results if r.get("match")]
-        print(f"[+] JARM: {len(jarm_results)} scanned, {len(matches)} CS matches")
-
-    if args.action in ("generate_rules", "full_analysis"):
-        profiles = report["findings"].get("directory_scan", [])
-        if not profiles and args.profile:
-            profiles = [report["findings"].get("profile_indicators", {})]
-        rules = generate_snort_rules(profiles)
-        report["findings"]["snort_rules"] = rules
-        print(f"[+] Generated {len(rules)} Snort rules")
-
-    with open(args.output, "w") as f:
-        json.dump(report, f, indent=2, default=str)
-    print(f"[+] Report saved to {args.output}")
-
-
-if __name__ == "__main__":
-    main()

skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md

@@ -1,12 +1,32 @@
 ---
 name: analyzing-cobaltstrike-malleable-c2-profiles
-description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.
+description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike
+  and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate
+  network detection signatures.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [cobalt-strike, malleable-c2, c2-detection, beacon-analysis, network-signatures, threat-hunting, red-team-tools]
-version: "1.0"
+tags:
+- cobalt-strike
+- malleable-c2
+- c2-detection
+- beacon-analysis
+- network-signatures
+- threat-hunting
+- red-team-tools
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
+mitre_attack:
+- T1071.001
+- T1573.002
+- T1001.003
+- T1090.004
+- T1102
 ---
 # Analyzing CobaltStrike Malleable C2 Profiles
 
@@ -14,6 +34,14 @@ license: Apache-2.0
 
 Cobalt Strike Malleable C2 profiles are domain-specific language scripts that customize how Beacon communicates with the team server, defining HTTP request/response transformations, sleep intervals, jitter values, user agents, URI paths, and process injection behavior. Threat actors use malleable profiles to disguise C2 traffic as legitimate services (Amazon, Google, Slack). Analyzing these profiles reveals network indicators for detection: URI patterns, HTTP headers, POST/GET transforms, DNS settings, and process injection techniques. The `dissect.cobaltstrike` library can parse both profile files and extract configurations from beacon payloads, while `pyMalleableC2` provides AST-based parsing using Lark grammar for programmatic profile manipulation and validation.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing cobaltstrike malleable c2 profiles
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Python 3.9+ with `dissect.cobaltstrike` and/or `pyMalleableC2`

skills/analyzing-cobaltstrike-malleable-c2-profiles/scripts/agent.py

@@ -5,7 +5,6 @@
 import argparse
 import json
 import re
-import sys
 from collections import Counter
 from datetime import datetime
 from pathlib import Path

skills/analyzing-command-and-control-communication/SKILL.md

@@ -1,17 +1,34 @@
 ---
 name: analyzing-command-and-control-communication
-description: >
-  Analyzes malware command-and-control (C2) communication protocols to understand beacon
-  patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS,
-  and custom protocol C2 analysis for detection development and threat intelligence.
-  Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse
-  engineering, or command-and-control infrastructure mapping.
+description: 'Analyzes malware command-and-control (C2) communication protocols to
+  understand beacon patterns, command structures, data encoding, and infrastructure.
+  Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development
+  and threat intelligence. Activates for requests involving C2 analysis, beacon detection,
+  C2 protocol reverse engineering, or command-and-control infrastructure mapping.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, C2, command-and-control, beacon, protocol-analysis]
+tags:
+- malware
+- C2
+- command-and-control
+- beacon
+- protocol-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
+mitre_attack:
+- T1071.001
+- T1573
+- T1571
+- T1008
+- T1095
 ---
 
 # Analyzing Command-and-Control Communication

skills/analyzing-command-and-control-communication/scripts/agent.py

@@ -3,13 +3,12 @@
 
 import statistics
 import base64
-import json
 import os
 import sys
 from collections import defaultdict
 
 try:
-    from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR, Raw
+    from scapy.all import rdpcap, IP, TCP, DNS, DNSQR
     HAS_SCAPY = True
 except ImportError:
     HAS_SCAPY = False

skills/analyzing-cyber-kill-chain/SKILL.md

@@ -1,18 +1,37 @@
 ---
 name: analyzing-cyber-kill-chain
-description: >
-  Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify
-  which phases an adversary has completed, where defenses succeeded or failed, and what controls
-  would have interrupted the attack at earlier phases. Use when conducting post-incident analysis,
-  building prevention-focused security controls, or mapping detection gaps to kill chain phases.
-  Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
-  or Lockheed Martin kill chain framework.
+description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain
+  framework to identify which phases an adversary has completed, where defenses succeeded
+  or failed, and what controls would have interrupted the attack at earlier phases.
+  Use when conducting post-incident analysis, building prevention-focused security
+  controls, or mapping detection gaps to kill chain phases. Activates for requests
+  involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed
+  Martin kill chain framework.
+
+  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [kill-chain, Lockheed-Martin, MITRE-ATT&CK, intrusion-analysis, defense-in-depth, NIST-CSF]
+tags:
+- kill-chain
+- Lockheed-Martin
+- MITRE-ATT&CK
+- intrusion-analysis
+- defense-in-depth
+- NIST-CSF
 version: 1.0.0
 author: team-cybersecurity
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
+mitre_attack:
+- T1566.001
+- T1190
+- T1547.001
+- T1071.001
+- T1486
 ---
 # Analyzing Cyber Kill Chain
 

skills/analyzing-cyber-kill-chain/scripts/agent.py

@@ -1,9 +1,6 @@
 #!/usr/bin/env python3
 """Cyber Kill Chain analysis agent for mapping incidents to Lockheed Martin kill chain phases."""
 
-import json
-import os
-import sys
 import datetime
 
 

skills/analyzing-disk-image-with-autopsy/SKILL.md

@@ -1,12 +1,29 @@
 ---
 name: analyzing-disk-image-with-autopsy
-description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and build investigation timelines.
+description: Perform comprehensive forensic analysis of disk images using Autopsy
+  to recover files, examine artifacts, and build investigation timelines.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, autopsy, disk-analysis, sleuth-kit, file-recovery, artifact-analysis]
-version: "1.0"
+tags:
+- forensics
+- autopsy
+- disk-analysis
+- sleuth-kit
+- file-recovery
+- artifact-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
+mitre_attack:
+- T1005
+- T1074.001
+- T1070.004
+- T1083
 ---
 
 # Analyzing Disk Image with Autopsy

skills/analyzing-disk-image-with-autopsy/scripts/agent.py

@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 """Forensic disk image analysis agent using The Sleuth Kit (TSK) command-line tools."""
 
+import shlex
 import subprocess
 import os
 import sys
@@ -10,8 +11,10 @@ import datetime
 
 
 def run_cmd(cmd):
-    """Execute a shell command and return output."""
-    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
+    """Execute a command and return output."""
+    if isinstance(cmd, str):
+        cmd = shlex.split(cmd)
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
     return result.stdout.strip(), result.stderr.strip(), result.returncode
 
 
@@ -93,9 +96,15 @@ def list_deleted_files(image_path, offset):
 
 def recover_file(image_path, offset, inode, output_path):
     """Recover a file by inode using icat."""
-    cmd = f"icat -o {offset} {image_path} {inode} > {output_path}"
-    _, _, rc = run_cmd(cmd)
-    return rc == 0
+    result = subprocess.run(
+        ["icat", "-o", str(offset), image_path, str(inode)],
+        capture_output=True,
+        timeout=120,
+    )
+    if result.returncode == 0:
+        with open(output_path, "wb") as f:
+            f.write(result.stdout)
+    return result.returncode == 0
 
 
 def get_file_metadata(image_path, offset, inode):
@@ -106,26 +115,40 @@ def get_file_metadata(image_path, offset, inode):
 
 def create_bodyfile(image_path, offset, output_path):
     """Generate a TSK bodyfile for timeline creation."""
-    cmd = f'fls -r -m "/" -o {offset} {image_path} > {output_path}'
-    _, _, rc = run_cmd(cmd)
-    return rc == 0
+    result = subprocess.run(
+        ["fls", "-r", "-m", "/", "-o", str(offset), image_path],
+        capture_output=True, text=True,
+        timeout=120,
+    )
+    if result.returncode == 0:
+        with open(output_path, "w") as f:
+            f.write(result.stdout)
+    return result.returncode == 0
 
 
 def generate_timeline(bodyfile_path, output_csv, start_date=None, end_date=None):
     """Generate a timeline from a bodyfile using mactime."""
-    cmd = f"mactime -b {bodyfile_path} -d"
+    cmd = ["mactime", "-b", bodyfile_path, "-d"]
     if start_date and end_date:
-        cmd += f" {start_date}..{end_date}"
-    cmd += f" > {output_csv}"
-    _, _, rc = run_cmd(cmd)
-    return rc == 0
+        cmd.append(f"{start_date}..{end_date}")
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
+    if result.returncode == 0:
+        with open(output_csv, "w") as f:
+            f.write(result.stdout)
+    return result.returncode == 0
 
 
 def search_keywords(image_path, offset, keyword):
     """Search for keyword strings in the disk image."""
-    cmd = f'srch_strings -a -o {offset} {image_path} | grep -i "{keyword}"'
-    stdout, _, rc = run_cmd(cmd)
-    return stdout.splitlines() if rc == 0 else []
+    result = subprocess.run(
+        ["srch_strings", "-a", "-o", str(offset), image_path],
+        capture_output=True, text=True,
+        timeout=120,
+    )
+    if result.returncode != 0 or not result.stdout:
+        return []
+    keyword_lower = keyword.lower()
+    return [line for line in result.stdout.splitlines() if keyword_lower in line.lower()]
 
 
 def find_file_signature(image_path, offset, hex_signature):
@@ -179,7 +202,8 @@ if __name__ == "__main__":
 
     if len(sys.argv) > 1:
         image = sys.argv[1]
-        case = sys.argv[2] if len(sys.argv) > 2 else "/tmp/autopsy_case"
+        import tempfile
+        case = sys.argv[2] if len(sys.argv) > 2 else os.environ.get("AUTOPSY_CASE_DIR", os.path.join(tempfile.gettempdir(), "autopsy_case"))
         if os.path.exists(image):
             analyze_image(image, case)
         else:

skills/analyzing-dns-logs-for-exfiltration/SKILL.md

@@ -1,16 +1,38 @@
 ---
 name: analyzing-dns-logs-for-exfiltration
-description: >
-  Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication,
-  and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length
-  detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass
-  traditional network security controls.
+description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling,
+  DGA domain communication, and covert C2 channels using entropy analysis, query volume
+  anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams
+  need to identify DNS-based threats that bypass traditional network security controls.
+
+  '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, dns, exfiltration, dns-tunneling, dga, c2-detection, splunk, threat-detection]
-version: "1.0"
+tags:
+- soc
+- dns
+- exfiltration
+- dns-tunneling
+- dga
+- c2-detection
+- splunk
+- threat-detection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0024
+- AML.T0056
+- AML.T0086
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
+mitre_attack:
+- T1048.003
+- T1071.004
+- T1567
 ---
 # Analyzing DNS Logs for Exfiltration
 

skills/analyzing-dns-logs-for-exfiltration/scripts/agent.py

@@ -2,11 +2,6 @@
 """DNS exfiltration detection agent using entropy analysis and query pattern detection."""
 
 import math
-import os
-import sys
-import json
-import csv
-import datetime
 from collections import Counter, defaultdict
 
 

skills/analyzing-docker-container-forensics/SKILL.md

@@ -1,12 +1,29 @@
 ---
 name: analyzing-docker-container-forensics
-description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and evidence.
+description: Investigate compromised Docker containers by analyzing images, layers,
+  volumes, logs, and runtime artifacts to identify malicious activity and evidence.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, docker, container-forensics, container-security, image-analysis, runtime-investigation]
-version: "1.0"
+tags:
+- forensics
+- docker
+- container-forensics
+- container-security
+- image-analysis
+- runtime-investigation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
+mitre_attack:
+- T1610
+- T1611
+- T1613
+- T1612
 ---
 
 # Analyzing Docker Container Forensics

skills/analyzing-docker-container-forensics/scripts/agent.py

@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 """Docker container forensics agent for investigating compromised containers."""
 
+import shlex
 import subprocess
 import json
 import os
@@ -10,8 +11,10 @@ import datetime
 
 
 def run_cmd(cmd):
-    """Execute a shell command and return output."""
-    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
+    """Execute a command and return output."""
+    if isinstance(cmd, str):
+        cmd = shlex.split(cmd)
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
     return result.stdout.strip(), result.stderr.strip(), result.returncode
 
 
@@ -134,9 +137,13 @@ def detect_suspicious_files(changes):
 
 def export_container(container_id, output_path):
     """Export container filesystem as a tarball for offline analysis."""
-    cmd = f"docker export {container_id} > {output_path}"
-    _, _, rc = run_cmd(cmd)
-    if rc == 0 and os.path.exists(output_path):
+    with open(output_path, "wb") as out_f:
+        result = subprocess.run(
+            ["docker", "export", container_id],
+            stdout=out_f, stderr=subprocess.PIPE,
+            timeout=120,
+        )
+    if result.returncode == 0 and os.path.exists(output_path):
         sha256 = hashlib.sha256()
         with open(output_path, "rb") as f:
             for chunk in iter(lambda: f.read(65536), b""):

skills/analyzing-email-headers-for-phishing-investigation/SKILL.md

@@ -1,12 +1,31 @@
 ---
 name: analyzing-email-headers-for-phishing-investigation
-description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
+description: Parse and analyze email headers to trace the origin of phishing emails,
+  verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, email-analysis, phishing, spf, dkim, dmarc, header-analysis]
-version: "1.0"
+tags:
+- forensics
+- email-analysis
+- phishing
+- spf
+- dkim
+- dmarc
+- header-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0052
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
+mitre_attack:
+- T1566.001
+- T1566.002
+- T1598.003
 ---
 
 # Analyzing Email Headers for Phishing Investigation

skills/analyzing-email-headers-for-phishing-investigation/scripts/agent.py

@@ -8,7 +8,6 @@ import hashlib
 import os
 import sys
 import subprocess
-import json
 from email import policy
 
 
@@ -147,9 +146,10 @@ def extract_attachments(msg, output_dir=None):
 
 def dns_lookup(domain, record_type="TXT"):
     """Perform DNS lookup for SPF/DKIM/DMARC records."""
-    cmd = f"dig {record_type} {domain} +short"
-    stdout, _, rc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
-                                    timeout=10).stdout, "", 0
+    stdout, _, rc = subprocess.run(
+        ["dig", record_type, domain, "+short"],
+        capture_output=True, text=True, timeout=10
+    ).stdout, "", 0
     return stdout.strip() if stdout else ""
 
 

skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md

@@ -1,12 +1,29 @@
 ---
 name: analyzing-ethereum-smart-contract-vulnerabilities
-description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy, integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
+description: Perform static and symbolic analysis of Solidity smart contracts using
+  Slither and Mythril to detect reentrancy, integer overflow, access control, and
+  other vulnerability classes before deployment to Ethereum mainnet.
 domain: cybersecurity
 subdomain: blockchain-security
-tags: [ethereum, solidity, smart-contract, slither, mythril, blockchain, defi, audit]
-version: "1.0"
+tags:
+- ethereum
+- solidity
+- smart-contract
+- slither
+- mythril
+- blockchain
+- defi
+- audit
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- ID.RA-01
+mitre_attack:
+- T1190
+- T1059
 ---
 
 # Analyzing Ethereum Smart Contract Vulnerabilities
@@ -15,6 +32,14 @@ license: Apache-2.0
 
 Smart contract vulnerabilities have led to billions of dollars in losses across DeFi protocols. Unlike traditional software, deployed smart contracts are immutable and handle real financial assets, making pre-deployment security analysis critical. Slither performs fast static analysis using an intermediate representation to detect over 90 vulnerability patterns in seconds, while Mythril uses symbolic execution and SMT solving to discover complex execution path vulnerabilities like reentrancy and integer overflows. This skill covers running both tools against Solidity contracts, interpreting results, triaging findings by severity, and generating audit reports.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing ethereum smart contract vulnerabilities
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Python 3.10+ with pip

skills/analyzing-ethereum-smart-contract-vulnerabilities/scripts/agent.py

@@ -5,7 +5,6 @@ import json
 import argparse
 import logging
 import subprocess
-import os
 from collections import defaultdict
 from datetime import datetime
 

skills/analyzing-golang-malware-with-ghidra/SKILL.md

@@ -1,12 +1,31 @@
 ---
 name: analyzing-golang-malware-with-ghidra
-description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries.
+description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts
+  for function recovery, string extraction, and type reconstruction in stripped Go
+  binaries.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [golang, ghidra, reverse-engineering, malware-analysis, binary-analysis, go-malware, disassembly]
-version: "1.0"
+tags:
+- golang
+- ghidra
+- reverse-engineering
+- malware-analysis
+- binary-analysis
+- go-malware
+- disassembly
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
+mitre_attack:
+- T1027
+- T1620
+- T1140
+- T1059
 ---
 # Analyzing Golang Malware with Ghidra
 
@@ -14,6 +33,14 @@ license: Apache-2.0
 
 Go (Golang) has become a popular language for malware authors due to its cross-compilation capabilities, static linking that produces self-contained binaries, and the complexity it introduces for reverse engineering. Go binaries contain the entire runtime, standard library, and all dependencies statically linked, resulting in large binaries (often 5-15MB) with thousands of functions. Ghidra struggles with Go-specific string formats (non-null-terminated), stripped function names, and goroutine concurrency patterns. Specialized tools like GoResolver (Volexity, 2025) use control-flow graph similarity to automatically deobfuscate and recover function names in stripped or obfuscated Go binaries.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing golang malware with ghidra
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Ghidra 11.0+ with JDK 17+
@@ -37,7 +64,7 @@ Despite stripping symbol tables, Go binaries retain function names within the pc
 
 Go's dependency management embeds module paths and version strings in the binary. Extracting these reveals the malware's third-party dependencies (HTTP libraries, encryption packages, C2 frameworks), which provides insight into capabilities without full reverse engineering.
 
-## Practical Steps
+## Workflow
 
 ### Step 1: Initial Binary Analysis
 

skills/analyzing-golang-malware-with-ghidra/scripts/agent.py

@@ -5,7 +5,6 @@ Analyzes Go binaries to extract function names, strings, build metadata,
 package information, and detects common Go malware characteristics.
 """
 
-import struct
 import os
 import sys
 import json

skills/analyzing-heap-spray-exploitation/SKILL.md

@@ -1,12 +1,28 @@
 ---
 name: analyzing-heap-spray-exploitation
-description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large allocations in process virtual address space.
+description: Detect and analyze heap spray attacks in memory dumps using Volatility3
+  plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large
+  allocations in process virtual address space.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware-analysis, memory-forensics, heap-spray, volatility3, exploit-analysis]
-version: "1.0"
+tags:
+- malware-analysis
+- memory-forensics
+- heap-spray
+- volatility3
+- exploit-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
+mitre_attack:
+- T1203
+- T1059.007
+- T1106
 ---
 # Analyzing Heap Spray Exploitation
 
@@ -14,6 +30,14 @@ license: Apache-2.0
 
 Heap spraying is an exploitation technique that fills large regions of a process's heap with attacker-controlled data (typically NOP sleds followed by shellcode) to increase the reliability of code execution exploits. This skill covers detecting heap spray artifacts in memory dumps using Volatility3's malfind, vadinfo, and memmap plugins, identifying suspicious contiguous memory allocations, scanning for NOP sled patterns (0x90, 0x0c0c0c0c), and extracting embedded shellcode for analysis.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing heap spray exploitation
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Python 3.9+ with `volatility3` framework installed

skills/analyzing-indicators-of-compromise/SKILL.md

@@ -1,17 +1,39 @@
 ---
 name: analyzing-indicators-of-compromise
-description: >
-  Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs,
-  and email artifacts to determine maliciousness confidence, campaign attribution, and blocking
-  priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds;
-  enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions.
-  Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
+description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains,
+  file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign
+  attribution, and blocking priority. Use when triaging IOCs from phishing emails,
+  security alerts, or external threat feeds; enriching raw IOCs with multi-source
+  intelligence; or making block/monitor/whitelist decisions. Activates for requests
+  involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
+
+  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [IOC, VirusTotal, AbuseIPDB, MalwareBazaar, MISP, threat-intelligence, STIX, NIST-CSF]
+tags:
+- IOC
+- VirusTotal
+- AbuseIPDB
+- MalwareBazaar
+- MISP
+- threat-intelligence
+- STIX
+- NIST-CSF
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0052
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
+mitre_attack:
+- T1071
+- T1105
+- T1041
+- T1567
 ---
 # Analyzing Indicators of Compromise
 

skills/analyzing-indicators-of-compromise/scripts/agent.py

@@ -3,9 +3,7 @@
 
 import re
 import os
-import sys
 import json
-import hashlib
 import datetime
 
 try:
@@ -69,7 +67,7 @@ def is_private_ip(ip):
 def query_virustotal_hash(sha256, api_key):
     """Query VirusTotal for a file hash."""
     url = f"https://www.virustotal.com/api/v3/files/{sha256}"
-    resp = requests.get(url, headers={"x-apikey": api_key})
+    resp = requests.get(url, headers={"x-apikey": api_key}, timeout=30)
     if resp.status_code == 200:
         data = resp.json().get("data", {}).get("attributes", {})
         stats = data.get("last_analysis_stats", {})
@@ -88,7 +86,7 @@ def query_virustotal_hash(sha256, api_key):
 def query_virustotal_domain(domain, api_key):
     """Query VirusTotal for domain reputation."""
     url = f"https://www.virustotal.com/api/v3/domains/{domain}"
-    resp = requests.get(url, headers={"x-apikey": api_key})
+    resp = requests.get(url, headers={"x-apikey": api_key}, timeout=30)
     if resp.status_code == 200:
         data = resp.json().get("data", {}).get("attributes", {})
         stats = data.get("last_analysis_stats", {})
@@ -107,7 +105,7 @@ def query_abuseipdb(ip, api_key, max_age_days=90):
     """Query AbuseIPDB for IP reputation."""
     url = "https://api.abuseipdb.com/api/v2/check"
     resp = requests.get(url, headers={"Key": api_key, "Accept": "application/json"},
-                        params={"ipAddress": ip, "maxAgeInDays": max_age_days})
+                        params={"ipAddress": ip, "maxAgeInDays": max_age_days}, timeout=30)
     if resp.status_code == 200:
         data = resp.json().get("data", {})
         return {
@@ -125,7 +123,7 @@ def query_abuseipdb(ip, api_key, max_age_days=90):
 def query_malwarebazaar(sha256):
     """Query MalwareBazaar for file hash information."""
     url = "https://mb-api.abuse.ch/api/v1/"
-    resp = requests.post(url, data={"query": "get_info", "hash": sha256})
+    resp = requests.post(url, data={"query": "get_info", "hash": sha256}, timeout=30)
     if resp.status_code == 200:
         result = resp.json()
         if result.get("query_status") == "ok" and result.get("data"):

skills/analyzing-ios-app-security-with-objection/SKILL.md

@@ -1,18 +1,38 @@
 ---
 name: analyzing-ios-app-security-with-objection
-description: >
-  Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered
-  toolkit that enables security testers to interact with app internals without jailbreaking. Use when
-  assessing iOS app security posture, bypassing client-side protections, dumping keychain items,
-  inspecting filesystem storage, and evaluating runtime behavior. Activates for requests involving
-  iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile runtime
-  exploration.
+description: >-
+  Runtime iOS app security testing with Objection (Frida): inspect keychain and
+  filesystem data, explore app internals at runtime, and validate/bypass
+  client-side protections during authorized mobile assessments.
 domain: cybersecurity
 subdomain: mobile-security
 author: mahipal
-tags: [mobile-security, ios, objection, frida, owasp-mobile, penetration-testing]
+tags:
+- mobile-security
+- ios
+- objection
+- frida
+- owasp-mobile
+- penetration-testing
 version: 1.0.0
 license: Apache-2.0
+atlas_techniques:
+- AML.T0054
+nist_ai_rmf:
+- MEASURE-2.7
+- MANAGE-2.4
+- GOVERN-6.2
+- MAP-5.1
+nist_csf:
+- PR.PS-01
+- PR.AA-05
+- ID.RA-01
+- DE.CM-09
+mitre_attack:
+- T1635
+- T1414
+- T1417.001
+- T1409
 ---
 # Analyzing iOS App Security with Objection
 

skills/analyzing-ios-app-security-with-objection/scripts/agent.py

@@ -7,9 +7,7 @@ keychain dumping, filesystem inspection, and jailbreak detection bypass.
 
 import subprocess
 import json
-import os
 import sys
-import re
 
 
 def run_objection(command, app_id=None, timeout=30):

skills/analyzing-kubernetes-audit-logs/SKILL.md

@@ -1,20 +1,53 @@
 ---
 name: analyzing-kubernetes-audit-logs
-description: >
-  Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret
-  access, RBAC modifications, privileged pod creation, and anonymous API access. Builds
-  threat detection rules from audit event patterns. Use when investigating Kubernetes
-  cluster compromise or building k8s-specific SIEM detection rules.
+description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod,
+  secret access, RBAC modifications, privileged pod creation, and anonymous API access.
+  Builds threat detection rules from audit event patterns. Use when investigating
+  Kubernetes cluster compromise or building k8s-specific SIEM detection rules.
+
+  '
 domain: cybersecurity
 subdomain: container-security
-tags: [analyzing, kubernetes, audit, logs]
-version: "1.0"
+tags:
+- kubernetes-security
+- container-security
+- audit-log-analysis
+- rbac
+- privilege-escalation
+- k8s-api-server
+- threat-detection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
+mitre_attack:
+- T1610
+- T1613
+- T1078
+- T1552.007
 ---
 
 # Analyzing Kubernetes Audit Logs
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing kubernetes audit logs
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
+## Prerequisites
+
+- Familiarity with container security concepts and tools
+- Access to a test or lab environment for safe execution
+- Python 3.8+ with required dependencies installed
+- Appropriate authorization for any testing activities
+
 ## Instructions
 
 Parse Kubernetes audit log files (JSON lines format) to detect security-relevant

skills/analyzing-kubernetes-audit-logs/scripts/agent.py

@@ -1,7 +1,6 @@
 #!/usr/bin/env python3
 """Agent for analyzing Kubernetes audit logs for security threats."""
 
-import os
 import json
 import argparse
 from collections import defaultdict

skills/analyzing-linux-audit-logs-for-intrusion/SKILL.md

@@ -1,18 +1,275 @@
 ---
 name: analyzing-linux-audit-logs-for-intrusion
-description: >
-  Parse and analyze Linux auditd logs to detect intrusion indicators
-  including unauthorized file access, privilege escalation, syscall
-  anomalies, and suspicious process execution using ausearch and Python.
+description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities
+  to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious
+  system activity. Covers audit rule configuration, log querying, timeline reconstruction,
+  and integration with SIEM platforms. Activates for requests involving auditd analysis,
+  Linux audit log investigation, ausearch queries, aureport summaries, or host-based
+  intrusion detection on Linux.
+
+  '
 domain: cybersecurity
-subdomain: log-analysis
-tags: [auditd, linux-forensics, syscall-monitoring, intrusion-detection]
-version: "1.0"
+subdomain: incident-response
+tags:
+- auditd
+- ausearch
+- aureport
+- linux-security
+- intrusion-detection
+- HIDS
+- forensics
+version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
+mitre_attack:
+- T1059.004
+- T1070
+- T1548.003
+- T1543.002
 ---
 
 # Analyzing Linux Audit Logs for Intrusion
 
-Parse auditd logs to detect file access violations, privilege escalation,
-suspicious syscalls, and unauthorized process execution.
+## When to Use
+
+- Investigating suspected unauthorized access or privilege escalation on Linux hosts
+- Hunting for evidence of exploitation, backdoor installation, or persistence mechanisms
+- Auditing compliance with security baselines (CIS, STIG, PCI-DSS) that require system call monitoring
+- Reconstructing a timeline of attacker actions during incident response
+- Detecting file tampering on critical system files such as `/etc/passwd`, `/etc/shadow`, or SSH keys
+
+**Do not use** for network-level intrusion detection; use Suricata or Zeek for network traffic analysis. Auditd operates at the kernel level on individual hosts.
+
+## Prerequisites
+
+- Linux system with `auditd` package installed and the audit daemon running (`systemctl status auditd`)
+- Root or sudo access to configure audit rules and query logs
+- Audit rules deployed via `/etc/audit/rules.d/*.rules` or loaded with `auditctl`
+- Recommended: Neo23x0/auditd ruleset from GitHub for comprehensive baseline coverage
+- Familiarity with Linux syscalls (`execve`, `open`, `connect`, `ptrace`, etc.)
+- Log storage with sufficient retention (default location: `/var/log/audit/audit.log`)
+
+## Workflow
+
+### Step 1: Verify Audit Daemon Status and Configuration
+
+Confirm the audit system is running and check the current rule set:
+
+```bash
+# Check auditd service status
+systemctl status auditd
+
+# Show current audit rules loaded in the kernel
+auditctl -l
+
+# Show audit daemon configuration
+cat /etc/audit/auditd.conf | grep -E "log_file|max_log_file|num_logs|space_left_action"
+
+# Check if the audit backlog is being exceeded (dropped events)
+auditctl -s
+```
+
+If the backlog limit is being reached, increase it:
+
+```bash
+auditctl -b 8192
+```
+
+### Step 2: Deploy Intrusion-Focused Audit Rules
+
+Add rules that target common intrusion indicators. Place these in `/etc/audit/rules.d/intrusion.rules`:
+
+```bash
+# Monitor credential files for unauthorized reads or modifications
+-w /etc/passwd -p wa -k credential_access
+-w /etc/shadow -p rwa -k credential_access
+-w /etc/gshadow -p rwa -k credential_access
+-w /etc/sudoers -p wa -k privilege_escalation
+-w /etc/sudoers.d/ -p wa -k privilege_escalation
+
+# Monitor SSH configuration and authorized keys
+-w /etc/ssh/sshd_config -p wa -k sshd_config_change
+-w /root/.ssh/authorized_keys -p wa -k ssh_key_tampering
+
+# Monitor user and group management commands
+-w /usr/sbin/useradd -p x -k user_management
+-w /usr/sbin/usermod -p x -k user_management
+-w /usr/sbin/groupadd -p x -k user_management
+
+# Detect process injection via ptrace
+-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k process_injection
+-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k process_injection
+-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k process_injection
+
+# Monitor execution of programs from unusual directories
+-a always,exit -F arch=b64 -S execve -F exe=/tmp -k exec_from_tmp
+-a always,exit -F arch=b64 -S execve -F exe=/dev/shm -k exec_from_shm
+
+# Detect kernel module loading (rootkit installation)
+-a always,exit -F arch=b64 -S init_module -S finit_module -k kernel_module_load
+-a always,exit -F arch=b64 -S delete_module -k kernel_module_remove
+-w /sbin/insmod -p x -k kernel_module_tool
+-w /sbin/modprobe -p x -k kernel_module_tool
+
+# Monitor network socket creation for reverse shells
+-a always,exit -F arch=b64 -S socket -F a0=2 -k network_socket_created
+-a always,exit -F arch=b64 -S connect -F a0=2 -k network_connection
+
+# Detect cron job modifications (persistence)
+-w /etc/crontab -p wa -k cron_persistence
+-w /etc/cron.d/ -p wa -k cron_persistence
+-w /var/spool/cron/ -p wa -k cron_persistence
+
+# Monitor log deletion or tampering
+-w /var/log/ -p wa -k log_tampering
+```
+
+Reload rules after editing:
+
+```bash
+augenrules --load
+auditctl -l | wc -l   # Confirm rule count
+```
+
+### Step 3: Search for Intrusion Indicators with ausearch
+
+Use `ausearch` to query the audit log for specific events:
+
+```bash
+# Search for all failed login attempts in the last 24 hours
+ausearch -m USER_LOGIN --success no -ts recent
+
+# Search for commands executed by a specific user
+ausearch -ua 1001 -m EXECVE -ts today
+
+# Search for all file access events on /etc/shadow
+ausearch -f /etc/shadow -ts this-week
+
+# Search for privilege escalation via sudo
+ausearch -m USER_CMD -ts today
+
+# Search for kernel module loading events
+ausearch -k kernel_module_load -ts this-month
+
+# Search for processes executed from /tmp (common attack staging)
+ausearch -k exec_from_tmp -ts this-week
+
+# Search for SSH key modifications
+ausearch -k ssh_key_tampering -ts this-month
+
+# Search for a specific event by audit event ID
+ausearch -a 12345
+
+# Search events in a specific time range
+ausearch -ts 03/15/2026 08:00:00 -te 03/15/2026 18:00:00
+
+# Interpret syscall numbers and format output readably
+ausearch -k credential_access -i -ts today
+```
+
+### Step 4: Generate Summary Reports with aureport
+
+Use `aureport` to produce aggregate summaries for triage:
+
+```bash
+# Summary of all authentication events
+aureport -au -ts this-week --summary
+
+# Report of all failed events (login, access, etc.)
+aureport --failed --summary -ts today
+
+# Report of executable runs
+aureport -x --summary -ts today
+
+# Report of all anomaly events (segfaults, promiscuous mode, etc.)
+aureport --anomaly -ts this-week
+
+# Report of file access events
+aureport -f --summary -ts today
+
+# Report of all events by key (maps to your custom rule keys)
+aureport -k --summary -ts this-month
+
+# Report of all system calls
+aureport -s --summary -ts today
+
+# Report of events grouped by user
+aureport -u --summary -ts this-week
+
+# Detailed time-based event report for timeline building
+aureport -ts 03/15/2026 08:00:00 -te 03/15/2026 18:00:00 --summary
+```
+
+### Step 5: Reconstruct the Attack Timeline
+
+Combine ausearch queries to build a chronological narrative:
+
+```bash
+# Step 5a: Identify the initial access timestamp
+ausearch -m USER_LOGIN -ua 0 --success yes -ts this-week -i | head -50
+
+# Step 5b: Trace what the attacker did after gaining access
+# Get all events from the compromised account within the incident window
+ausearch -ua <UID> -ts "03/15/2026 14:00:00" -te "03/15/2026 18:00:00" -i \
+  | aureport -f -i
+
+# Step 5c: Extract all commands executed during the incident window
+ausearch -m EXECVE -ts "03/15/2026 14:00:00" -te "03/15/2026 18:00:00" -i
+
+# Step 5d: Check for persistence mechanisms installed
+ausearch -k cron_persistence -ts "03/15/2026 14:00:00" -i
+ausearch -k ssh_key_tampering -ts "03/15/2026 14:00:00" -i
+
+# Step 5e: Check for lateral movement (outbound connections)
+ausearch -k network_connection -ts "03/15/2026 14:00:00" -i
+```
+
+### Step 6: Forward Audit Logs to SIEM
+
+Configure `audisp-remote` or `auditbeat` to ship logs to a central SIEM for correlation:
+
+```bash
+# Option A: Using audisp-remote plugin
+# Edit /etc/audit/plugins.d/au-remote.conf
+active = yes
+direction = out
+path = /sbin/audisp-remote
+type = always
+
+# Configure remote target in /etc/audit/audisp-remote.conf
+remote_server = siem.internal.corp
+port = 6514
+transport = tcp
+
+# Option B: Using Elastic Auditbeat
+# Install auditbeat and configure /etc/auditbeat/auditbeat.yml
+# Auditbeat reads directly from the kernel audit framework
+```
+
+## Key Concepts
+
+| Term | Definition |
+|------|------------|
+| **auditd** | The Linux Audit daemon that receives audit events from the kernel and writes them to `/var/log/audit/audit.log` |
+| **auditctl** | Command-line utility to control the audit system: add/remove rules, check status, set backlog size |
+| **ausearch** | Query tool that searches audit logs by message type, user, file, key, time range, or event ID |
+| **aureport** | Reporting tool that generates aggregate summaries of audit events for triage and compliance |
+| **audit rule key (-k)** | A user-defined label attached to an audit rule, enabling fast filtering of related events with ausearch and aureport |
+| **syscall auditing** | Kernel-level monitoring of system calls (execve, open, connect, ptrace) that captures process and file activity |
+| **augenrules** | Utility that merges all files in `/etc/audit/rules.d/` into `/etc/audit/audit.rules` and loads them into the kernel |
+
+## Verification
+
+- [ ] auditd is running and rules are loaded (`auditctl -l` returns expected rule count)
+- [ ] No audit backlog overflow (`auditctl -s` shows `backlog: 0` or low value, lost: 0)
+- [ ] ausearch returns events for each custom key (`ausearch -k <key> -ts today` returns results)
+- [ ] aureport generates non-empty summaries for authentication, executable, and file events
+- [ ] Timeline reconstruction produces a coherent chronological sequence of attacker actions
+- [ ] Critical file watches trigger alerts on test modifications (`touch /etc/shadow` generates an event)
+- [ ] Logs are forwarding to central SIEM (verify with a test event and confirm receipt)
+- [ ] Audit rules persist across reboot (rules in `/etc/audit/rules.d/`, not only via `auditctl`)

skills/analyzing-linux-audit-logs-for-intrusion/scripts/agent.py

@@ -7,7 +7,6 @@ unauthorized file access, suspicious syscalls, and process execution anomalies.
 
 import argparse
 import json
-import os
 import re
 import sys
 import datetime

skills/analyzing-linux-elf-malware/SKILL.md

@@ -1,17 +1,34 @@
 ---
 name: analyzing-linux-elf-malware
-description: >
-  Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets,
-  cryptominers, ransomware, and rootkits targeting Linux servers, containers, and cloud
-  infrastructure. Covers static analysis, dynamic tracing, and reverse engineering of
-  x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis,
-  ELF binary investigation, Linux server compromise assessment, or container malware analysis.
+description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries
+  including botnets, cryptominers, ransomware, and rootkits targeting Linux servers,
+  containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
+  reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving
+  Linux malware analysis, ELF binary investigation, Linux server compromise assessment,
+  or container malware analysis.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, Linux, ELF, reverse-engineering, server-malware]
+tags:
+- malware
+- Linux
+- ELF
+- reverse-engineering
+- server-malware
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
+mitre_attack:
+- T1027
+- T1059.004
+- T1620
+- T1574.006
 ---
 
 # Analyzing Linux ELF Malware

skills/analyzing-linux-elf-malware/scripts/agent.py

@@ -6,12 +6,10 @@ import math
 import os
 import sys
 import subprocess
-import struct
 from collections import Counter
 
 try:
     from elftools.elf.elffile import ELFFile
-    from elftools.elf.sections import SymbolTableSection
     HAS_ELFTOOLS = True
 except ImportError:
     HAS_ELFTOOLS = False
@@ -85,8 +83,8 @@ def analyze_sections(filepath):
 def extract_strings(filepath, min_length=6):
     """Extract ASCII strings from the binary and categorize by type."""
     stdout, _, rc = subprocess.run(
-        f"strings -n {min_length} {filepath}", shell=True,
-        capture_output=True, text=True
+        ["strings", "-n", str(min_length), filepath],
+        capture_output=True, text=True, timeout=120
     ).stdout, "", 0
     if not stdout:
         return {}
@@ -126,8 +124,9 @@ def check_packing(filepath):
         indicators.append("UPX packer detected (UPX! magic)")
     if b"UPX0" in data or b"UPX1" in data:
         indicators.append("UPX section names found")
-    stdout, _, _ = subprocess.run(f"upx -t {filepath} 2>&1", shell=True,
-                                   capture_output=True, text=True).stdout, "", 0
+    stdout, _, _ = subprocess.run(["upx", "-t", filepath],
+                                   capture_output=True, text=True,
+                                   stderr=subprocess.STDOUT, timeout=120).stdout, "", 0
     if stdout and "packed" in stdout.lower():
         indicators.append("UPX verification confirms packing")
     return indicators
@@ -135,8 +134,8 @@ def check_packing(filepath):
 
 def analyze_dynamic_linking(filepath):
     """Analyze dynamic linking information and imported functions."""
-    stdout, _, rc = subprocess.run(f"readelf -d {filepath}", shell=True,
-                                    capture_output=True, text=True).stdout, "", 0
+    stdout, _, rc = subprocess.run(["readelf", "-d", filepath],
+                                    capture_output=True, text=True, timeout=120).stdout, "", 0
     dynamic_info = {"libraries": [], "rpath": None}
     if stdout:
         for line in stdout.splitlines():
@@ -146,10 +145,17 @@ def analyze_dynamic_linking(filepath):
             if "RPATH" in line or "RUNPATH" in line:
                 dynamic_info["rpath"] = line.split("[")[-1].rstrip("]")
 
-    stdout2, _, _ = subprocess.run(
-        f"readelf -r {filepath} | grep -E 'socket|connect|exec|fork|open|write|bind|listen|send|recv'",
-        shell=True, capture_output=True, text=True
-    ).stdout, "", 0
+    readelf_proc = subprocess.run(
+        ["readelf", "-r", filepath],
+        capture_output=True, text=True,
+        timeout=120,
+    )
+    import re as _re
+    suspicious_funcs = _re.compile(r'socket|connect|exec|fork|open|write|bind|listen|send|recv')
+    stdout2 = "\n".join(
+        line for line in (readelf_proc.stdout or "").splitlines()
+        if suspicious_funcs.search(line)
+    )
     dynamic_info["suspicious_imports"] = [
         line.strip() for line in (stdout2 or "").splitlines() if line.strip()
     ]

skills/analyzing-linux-kernel-rootkits/SKILL.md

@@ -1,12 +1,32 @@
 ---
 name: analyzing-linux-kernel-rootkits
-description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures.
+description: Detect kernel-level rootkits in Linux memory dumps using Volatility3
+  linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning,
+  and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel
+  modules, and tampered system structures.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [rootkit, linux, kernel, volatility3, memory-forensics, malware-analysis, rkhunter, forensics]
-version: "1.0"
+tags:
+- rootkit
+- linux
+- kernel
+- volatility3
+- memory-forensics
+- malware-analysis
+- rkhunter
+- forensics
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
+mitre_attack:
+- T1014
+- T1547.006
+- T1564.001
 ---
 
 # Analyzing Linux Kernel Rootkits
@@ -15,6 +35,14 @@ license: Apache-2.0
 
 Linux kernel rootkits operate at ring 0, modifying kernel data structures to hide processes, files, network connections, and kernel modules from userspace tools. Detection requires either memory forensics (analyzing physical memory dumps with Volatility3) or cross-view analysis (comparing /proc, /sys, and kernel data structures for inconsistencies). This skill covers using Volatility3 Linux plugins to detect syscall table hooks, hidden kernel modules, and modified function pointers, supplemented by live system scanning with rkhunter and chkrootkit.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing linux kernel rootkits
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Volatility3 installed (pip install volatility3)
@@ -40,3 +68,73 @@ Run rkhunter and chkrootkit to detect known rootkit signatures, suspicious files
 ## Expected Output
 
 JSON report containing detected syscall hooks, hidden kernel modules, modified IDT entries, suspicious /proc discrepancies, and rkhunter findings.
+
+## Example Output
+
+```text
+$ sudo python3 rootkit_analyzer.py --memory /evidence/linux-mem.lime --profile Ubuntu2204
+
+Linux Kernel Rootkit Analysis Report
+=====================================
+Memory Image: /evidence/linux-mem.lime
+Kernel Version: 5.15.0-91-generic (Ubuntu 22.04 LTS)
+Analysis Time: 2024-01-18 09:15:32 UTC
+
+[+] Scanning syscall table for hooks...
+    Syscall Table Base: 0xffffffff82200300
+    Total syscalls checked: 449
+
+    HOOKED SYSCALLS DETECTED:
+    ┌─────────┬──────────────────┬──────────────────────┬──────────────────────┐
+    │ NR      │ Syscall          │ Expected Address     │ Current Address      │
+    ├─────────┼──────────────────┼──────────────────────┼──────────────────────┤
+    │ 0       │ sys_read         │ 0xffffffff8139a0e0   │ 0xffffffffc0a12000   │
+    │ 2       │ sys_open         │ 0xffffffff8139b340   │ 0xffffffffc0a12180   │
+    │ 78      │ sys_getdents64   │ 0xffffffff813f5210   │ 0xffffffffc0a12300   │
+    │ 62      │ sys_kill         │ 0xffffffff8110c4a0   │ 0xffffffffc0a12480   │
+    └─────────┴──────────────────┴──────────────────────┴──────────────────────┘
+    WARNING: 4 syscall hooks detected - rootkit behavior confirmed
+
+[+] Checking for hidden kernel modules...
+    Loaded modules (lsmod):         147
+    Modules in kobject list:        149
+    HIDDEN MODULES:
+      - "netfilter_helper" at 0xffffffffc0a10000 (size: 12288)
+      - "kworker_sched"    at 0xffffffffc0a14000 (size: 8192)
+
+[+] Scanning /proc for discrepancies...
+    Processes in task_struct list: 234
+    Processes visible in /proc:   231
+    HIDDEN PROCESSES:
+      - PID 31337  cmd: "[kworker/0:3]"   (disguised as kernel thread)
+      - PID 31442  cmd: "rsyslogd"         (fake, real rsyslogd is PID 892)
+      - PID 31500  cmd: ""                 (unnamed process)
+
+[+] Checking IDT entries...
+    IDT entries scanned: 256
+    Modified entries: 0 (clean)
+
+[+] Running rkhunter scan...
+    Checking for known rootkits:        68 variants checked
+    Diamorphine rootkit:                WARNING - signatures match
+    System binary checks:
+      /usr/bin/ps:     MODIFIED (SHA-256 mismatch)
+      /usr/bin/netstat: MODIFIED (SHA-256 mismatch)
+      /usr/bin/ls:     MODIFIED (SHA-256 mismatch)
+      /usr/sbin/ss:    OK
+
+[+] Network analysis...
+    Hidden connections (not in /proc/net/tcp):
+      ESTABLISHED  0.0.0.0:0 -> 198.51.100.47:4443 (PID 31337)
+      ESTABLISHED  0.0.0.0:0 -> 198.51.100.47:8080 (PID 31442)
+
+Summary:
+  Rootkit Type:         Loadable Kernel Module (LKM)
+  Probable Family:      Diamorphine variant
+  Syscall Hooks:        4 (read, open, getdents64, kill)
+  Hidden Modules:       2
+  Hidden Processes:     3
+  Hidden Connections:   2 (C2: 198.51.100.47)
+  Modified Binaries:    3 (/usr/bin/ps, netstat, ls)
+  Risk Level:           CRITICAL
+```

skills/analyzing-linux-kernel-rootkits/scripts/agent.py

@@ -6,7 +6,6 @@ import argparse
 import logging
 import subprocess
 import os
-from collections import defaultdict
 from datetime import datetime
 
 logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")

skills/analyzing-linux-system-artifacts/SKILL.md

@@ -1,12 +1,30 @@
 ---
 name: analyzing-linux-system-artifacts
-description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.
+description: Examine Linux system artifacts including auth logs, cron jobs, shell
+  history, and system configuration to uncover evidence of compromise or unauthorized
+  activity.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, linux-forensics, system-artifacts, log-analysis, persistence-detection, incident-investigation]
-version: "1.0"
+tags:
+- forensics
+- linux-forensics
+- system-artifacts
+- log-analysis
+- persistence-detection
+- incident-investigation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
+mitre_attack:
+- T1070
+- T1059.004
+- T1543.002
+- T1053.003
 ---
 
 # Analyzing Linux System Artifacts

skills/analyzing-linux-system-artifacts/scripts/agent.py

@@ -4,15 +4,15 @@
 import os
 import sys
 import glob
-import json
-import re
-import datetime
+import shlex
 import subprocess
 
 
 def run_cmd(cmd):
-    """Execute a shell command and return output."""
-    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
+    """Execute a command and return output."""
+    if isinstance(cmd, str):
+        cmd = shlex.split(cmd)
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
     return result.stdout.strip(), result.stderr.strip(), result.returncode
 
 
@@ -196,10 +196,12 @@ def check_ld_preload(evidence_root):
 
 def find_suid_binaries(evidence_root):
     """Find SUID/SGID binaries (potential privilege escalation)."""
-    stdout, _, rc = run_cmd(
-        f"find {evidence_root} -perm -4000 -type f 2>/dev/null"
+    result = subprocess.run(
+        ["find", evidence_root, "-perm", "-4000", "-type", "f"],
+        capture_output=True, text=True, timeout=30
     )
-    return stdout.splitlines() if rc == 0 and stdout else []
+    stdout = result.stdout.strip()
+    return stdout.splitlines() if result.returncode == 0 and stdout else []
 
 
 def find_suspicious_tmp_files(evidence_root):

skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md

@@ -1,12 +1,33 @@
 ---
 name: analyzing-lnk-file-and-jump-list-artifacts
-description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
+description: Analyze Windows LNK shortcut files and Jump List artifacts to establish
+  evidence of file access, program execution, and user activity using LECmd, JLECmd,
+  and manual binary parsing of the Shell Link Binary format.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [lnk-files, jump-lists, lecmd, jlecmd, windows-forensics, shell-link, user-activity, file-access, program-execution, recent-files]
-version: "1.0"
+tags:
+- lnk-files
+- jump-lists
+- lecmd
+- jlecmd
+- windows-forensics
+- shell-link
+- user-activity
+- file-access
+- program-execution
+- recent-files
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
+mitre_attack:
+- T1547.009
+- T1204.002
+- T1059.001
 ---
 
 # Analyzing LNK File and Jump List Artifacts
@@ -15,6 +36,14 @@ license: Apache-2.0
 
 Windows LNK (shortcut) files and Jump Lists are critical forensic artifacts that provide evidence of file access, program execution, and user behavior. LNK files are created automatically when a user opens a file through Windows Explorer or the Open/Save dialog, storing metadata about the target file including its original path, timestamps, volume serial number, NetBIOS name, and MAC address of the host system. Jump Lists, introduced in Windows 7, extend this by maintaining per-application lists of recently and frequently accessed files. These artifacts persist even after the target files are deleted, making them invaluable for establishing that a user accessed specific files at specific times.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing lnk file and jump list artifacts
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - LECmd (Eric Zimmerman) for LNK file parsing
@@ -189,3 +218,74 @@ Recent research (IEEE 2025) shows that Windows 11 produces different LNK and Jum
 - Magnet Forensics LNK Analysis: https://www.magnetforensics.com/blog/forensic-analysis-of-lnk-files/
 - Jump Lists Forensics 2025: https://www.cybertriage.com/blog/jump-list-forensics-2025/
 - Eric Zimmerman's LECmd/JLECmd: https://ericzimmerman.github.io/
+
+## Example Output
+
+```text
+$ LECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent" --csv /analysis/lnk_output
+
+LECmd v1.11.0 - LNK File Parser
+================================
+
+Processing 47 LNK files...
+
+--- LNK File: Q4_Report.xlsx.lnk ---
+  Source:           C:\Evidence\Users\jsmith\Recent\Q4_Report.xlsx.lnk
+  Target Path:      C:\Users\jsmith\Downloads\Q4_Report.xlsm
+  Target Created:   2024-01-15 14:33:45 UTC
+  Target Modified:  2024-01-15 14:33:45 UTC
+  Target Accessed:  2024-01-15 14:35:12 UTC
+  File Size:        251,904 bytes
+  Drive Type:       Fixed (C:)
+  Volume Serial:    A4E7-3F21
+  Machine ID:       DESKTOP-J5M1TH
+  MAC Address:      48:2A:E3:5C:9B:01
+
+--- LNK File: update_client.exe.lnk ---
+  Source:           C:\Evidence\Users\jsmith\Recent\update_client.exe.lnk
+  Target Path:      C:\ProgramData\Updates\update_client.exe
+  Target Created:   2024-01-15 14:34:02 UTC
+  Target Modified:  2024-01-15 14:34:02 UTC
+  Target Accessed:  2024-01-15 14:36:30 UTC
+  File Size:        1,258,496 bytes
+  Drive Type:       Fixed (C:)
+  Volume Serial:    A4E7-3F21
+  Machine ID:       DESKTOP-J5M1TH
+  Working Dir:      C:\ProgramData\Updates
+  Arguments:        --silent --no-update-check
+  Run Window:       Hidden
+
+======================================================================
+
+$ JLECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv /analysis/jumplist_output
+
+JLECmd v1.5.0 - Jump List Parser
+==================================
+
+Processing 23 AutomaticDestinations files...
+
+--- Application: Microsoft Excel (AppID: 12dc1ea8e34b5a6) ---
+  Entries: 15
+  Most Recent:
+    Entry 0:  C:\Users\jsmith\Downloads\Q4_Report.xlsm         (2024-01-15 14:35:12 UTC)
+    Entry 1:  \\FILESERV01\Finance\Budget_2024.xlsx             (2024-01-14 09:22:30 UTC)
+    Entry 2:  C:\Users\jsmith\Documents\Expenses\Dec2023.xlsx   (2024-01-10 16:45:00 UTC)
+
+--- Application: Windows Explorer (AppID: f01b4d95cf55d32a) ---
+  Entries: 28
+  Most Recent:
+    Entry 0:  C:\ProgramData\Updates\                           (2024-01-15 14:36:25 UTC)
+    Entry 1:  E:\Backup\                                        (2024-01-15 15:30:00 UTC)
+    Entry 2:  \\FILESERV01\HR\Employees\                        (2024-01-15 16:12:45 UTC)
+
+--- Application: cmd.exe (AppID: 9b9cdc69c1c24e2b) ---
+  Entries: 5
+  Most Recent:
+    Entry 0:  C:\Windows\System32\cmd.exe                       (2024-01-15 14:36:00 UTC)
+
+Summary:
+  Total LNK files processed:    47
+  Total Jump List entries:       156
+  Suspicious artifacts:          3 (hidden window execution, USB drive access, network shares)
+  CSV exported to:               /analysis/lnk_output/ and /analysis/jumplist_output/
+```

skills/analyzing-macro-malware-in-office-documents/SKILL.md

@@ -1,17 +1,42 @@
 ---
 name: analyzing-macro-malware-in-office-documents
-description: >
-  Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint)
-  to identify download cradles, payload execution, persistence mechanisms, and anti-analysis
-  techniques. Uses olevba, oledump, and VBA deobfuscation to extract the attack chain.
-  Activates for requests involving Office macro analysis, VBA malware investigation,
-  maldoc analysis, or document-based threat examination.
+description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents
+  (Word, Excel, PowerPoint) to identify download cradles, payload execution, persistence
+  mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
+  to extract the attack chain. Activates for requests involving Office macro analysis,
+  VBA malware investigation, maldoc analysis, or document-based threat examination.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, macro, Office, VBA, document-malware]
+tags:
+- malware
+- macro
+- Office
+- VBA
+- document-malware
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0068
+- AML.T0067
+d3fend_techniques:
+- File Metadata Consistency Validation
+- Application Protocol Command Analysis
+- Identifier Analysis
+- Content Format Conversion
+- Message Analysis
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
+mitre_attack:
+- T1137.001
+- T1204.002
+- T1059.005
+- T1027
 ---
 
 # Analyzing Macro Malware in Office Documents

skills/analyzing-macro-malware-in-office-documents/scripts/agent.py

@@ -5,12 +5,11 @@ import re
 import os
 import sys
 import hashlib
-import subprocess
 import json
 import zipfile
 
 try:
-    from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML
+    from oletools.olevba import VBA_Parser
     from oletools import oleid
     HAS_OLETOOLS = True
 except ImportError:

skills/analyzing-malicious-pdf-with-peepdf/SKILL.md

@@ -1,12 +1,31 @@
 ---
 name: analyzing-malicious-pdf-with-peepdf
-description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
+description: Perform static analysis of malicious PDF documents using peepdf, pdfid,
+  and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware-analysis, pdf, peepdf, pdfid, pdf-parser, static-analysis, reverse-engineering, dfir]
-version: "1.0"
+tags:
+- malware-analysis
+- pdf
+- peepdf
+- pdfid
+- pdf-parser
+- static-analysis
+- reverse-engineering
+- dfir
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
+mitre_attack:
+- T1204.002
+- T1059.007
+- T1027
+- T1106
 ---
 
 # Analyzing Malicious PDF with peepdf

skills/analyzing-malicious-pdf-with-peepdf/scripts/agent.py

@@ -37,9 +37,9 @@ def run_pdfid(filepath):
     """Run pdfid.py to triage PDF for suspicious keywords."""
     cmd = ["python3", "-m", "pdfid", filepath]
     alt_cmd = ["pdfid.py", filepath]
-    result = subprocess.run(cmd, capture_output=True, text=True)
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
     if result.returncode != 0:
-        result = subprocess.run(alt_cmd, capture_output=True, text=True)
+        result = subprocess.run(alt_cmd, capture_output=True, text=True, timeout=120)
     keywords = {}
     for line in result.stdout.strip().split("\n"):
         line = line.strip()
@@ -59,9 +59,9 @@ def run_peepdf_analysis(filepath):
     """Run peepdf for detailed PDF object analysis."""
     cmd = ["peepdf", "-f", "-l", filepath]
     alt_cmd = ["python3", "-m", "peepdf", "-f", "-l", filepath]
-    result = subprocess.run(cmd, capture_output=True, text=True)
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
     if result.returncode != 0:
-        result = subprocess.run(alt_cmd, capture_output=True, text=True)
+        result = subprocess.run(alt_cmd, capture_output=True, text=True, timeout=120)
     analysis = {
         "versions": 0,
         "objects": 0,
@@ -98,7 +98,7 @@ def run_pdf_parser(filepath, object_id=None):
         cmd = ["pdf-parser.py", "-o", str(object_id), "-f", "-d", filepath]
     else:
         cmd = ["pdf-parser.py", "--stats", filepath]
-    result = subprocess.run(cmd, capture_output=True, text=True)
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
     return result.stdout[:3000]
 
 
@@ -107,7 +107,7 @@ def extract_javascript(filepath, peepdf_analysis):
     js_content = []
     for obj_id in peepdf_analysis.get("js_objects", []):
         cmd = ["pdf-parser.py", "-o", str(obj_id), "-f", "-w", filepath]
-        result = subprocess.run(cmd, capture_output=True, text=True)
+        result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
         if result.stdout:
             js_content.append({
                 "object_id": obj_id,

skills/analyzing-malicious-url-with-urlscan/SKILL.md

@@ -1,18 +1,46 @@
 ---
 name: analyzing-malicious-url-with-urlscan
-description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
+description: URLScan.io is a free service for scanning and analyzing suspicious URLs.
+  It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and
+  network connections of web pages in an isolat
 domain: cybersecurity
 subdomain: phishing-defense
-tags: [phishing, email-security, social-engineering, dmarc, awareness, url-analysis, threat-intelligence]
-version: "1.0"
+tags:
+- phishing
+- email-security
+- social-engineering
+- dmarc
+- awareness
+- url-analysis
+- threat-intelligence
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0052
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
+- DE.AE-02
+mitre_attack:
+- T1566.002
+- T1204.001
+- T1598.003
 ---
 # Analyzing Malicious URL with URLScan
 
 ## Overview
 URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolated environment. This skill covers using URLScan's web interface and API to investigate phishing URLs, credential harvesting pages, and malicious redirects without exposing the analyst's system to risk.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing malicious url with urlscan
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 - URLScan.io account (free tier available, API key for automation)
 - Python 3.8+ with requests library
@@ -41,7 +69,7 @@ URLScan.io is a free service for scanning and analyzing suspicious URLs. It capt
 - Data URIs or base64-encoded content
 - JavaScript-heavy pages with minimal HTML
 
-## Implementation Steps
+## Workflow
 
 ### Step 1: Submit URL to URLScan
 ```

skills/analyzing-malware-behavior-with-cuckoo-sandbox/SKILL.md

@@ -1,17 +1,33 @@
 ---
 name: analyzing-malware-behavior-with-cuckoo-sandbox
-description: >
-  Executes malware samples in Cuckoo Sandbox to observe runtime behavior including
-  process creation, file system modifications, registry changes, network communications,
-  and API calls. Generates comprehensive behavioral reports for malware classification
-  and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox
-  detonation, behavioral analysis, or automated malware execution.
+description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior
+  including process creation, file system modifications, registry changes, network
+  communications, and API calls. Generates comprehensive behavioral reports for malware
+  classification and IOC extraction. Activates for requests involving dynamic malware
+  analysis, sandbox detonation, behavioral analysis, or automated malware execution.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, dynamic-analysis, sandbox, Cuckoo, behavioral-analysis]
+tags:
+- malware
+- dynamic-analysis
+- sandbox
+- Cuckoo
+- behavioral-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
+mitre_attack:
+- T1497
+- T1055
+- T1071
+- T1027
 ---
 
 # Analyzing Malware Behavior with Cuckoo Sandbox

skills/analyzing-malware-behavior-with-cuckoo-sandbox/scripts/agent.py

@@ -4,9 +4,7 @@
 import json
 import os
 import sys
-import subprocess
 import hashlib
-import datetime
 
 try:
     import requests
@@ -30,7 +28,7 @@ def submit_file(filepath, timeout=300, machine=None, package=None):
         data["machine"] = machine
     if package:
         data["package"] = package
-    resp = requests.post(url, files=files, data=data)
+    resp = requests.post(url, files=files, data=data, timeout=30)
     if resp.status_code == 200:
         return resp.json().get("task_id")
     return None
@@ -42,7 +40,7 @@ def submit_url(url_to_analyze, timeout=300):
         return None
     url = f"{CUCKOO_API}/tasks/create/url"
     data = {"url": url_to_analyze, "timeout": timeout}
-    resp = requests.post(url, data=data)
+    resp = requests.post(url, data=data, timeout=30)
     if resp.status_code == 200:
         return resp.json().get("task_id")
     return None
@@ -53,7 +51,7 @@ def get_task_status(task_id):
     if not HAS_REQUESTS:
         return None
     url = f"{CUCKOO_API}/tasks/view/{task_id}"
-    resp = requests.get(url)
+    resp = requests.get(url, timeout=30)
     if resp.status_code == 200:
         return resp.json().get("task", {}).get("status")
     return None

skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md

@@ -1,12 +1,31 @@
 ---
 name: analyzing-malware-family-relationships-with-malpedia
-description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families to threat actors, and integrate YARA rules for detection across malware lineages.
+description: Use the Malpedia platform and API to research malware family relationships,
+  track variant evolution, link families to threat actors, and integrate YARA rules
+  for detection across malware lineages.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [malpedia, malware-family, yara, threat-actor, malware-tracking, threat-intelligence, variant-analysis, malware-intelligence]
-version: "1.0"
+tags:
+- malpedia
+- malware-family
+- yara
+- threat-actor
+- malware-tracking
+- threat-intelligence
+- variant-analysis
+- malware-intelligence
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
+mitre_attack:
+- T1587.001
+- T1027
+- T1071
 ---
 # Analyzing Malware Family Relationships with Malpedia
 
@@ -14,6 +33,14 @@ license: Apache-2.0
 
 Malpedia is a collaborative platform maintained by Fraunhofer FKIE that catalogs malware families with their aliases, YARA rules, threat actor associations, and reference reports. With over 2,600 malware families documented, it serves as the definitive resource for understanding malware lineages, tracking variant evolution, and linking malware to specific threat groups. This skill covers querying the Malpedia API, mapping malware family relationships, extracting YARA rules for detection, and building intelligence on malware ecosystems used by adversaries.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing malware family relationships with malpedia
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Python 3.9+ with `requests`, `yara-python`, `stix2` libraries
@@ -36,7 +63,7 @@ Malpedia uses the format `platform.family_name` (e.g., `win.emotet`, `elf.mirai`
 
 Malware families have relationships including: parent-child (code reuse, forks), loader-payload (Emotet loads TrickBot loads Ryuk), shared authorship (same threat actor develops multiple tools), and infrastructure sharing (common C2 frameworks).
 
-## Practical Steps
+## Workflow
 
 ### Step 1: Query Malpedia API for Malware Families
 

skills/analyzing-malware-persistence-with-autoruns/SKILL.md

@@ -1,12 +1,39 @@
 ---
 name: analyzing-malware-persistence-with-autoruns
-description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
+description: Use Sysinternals Autoruns to systematically identify and analyze malware
+  persistence mechanisms across registry keys, scheduled tasks, services, drivers,
+  and startup locations on Windows systems.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response]
-version: "1.0"
+tags:
+- autoruns
+- persistence
+- malware-analysis
+- sysinternals
+- windows
+- registry
+- startup
+- incident-response
+mitre_attack:
+- T1547.001
+- T1543.003
+- T1053.005
+- T1574.001
+- T1037.001
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- Executable Denylisting
+- Execution Isolation
+- File Metadata Consistency Validation
+- Content Format Conversion
+- File Content Analysis
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Malware Persistence with Autoruns
 
@@ -14,6 +41,14 @@ license: Apache-2.0
 
 Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing malware persistence with autoruns
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Sysinternals Autoruns (GUI) and Autorunsc (CLI)
@@ -22,7 +57,7 @@ Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Po
 - VirusTotal API key for reputation checks
 - Clean baseline export for comparison
 
-## Practical Steps
+## Workflow
 
 ### Step 1: Automated Persistence Scanning
 

skills/analyzing-malware-persistence-with-autoruns/scripts/agent.py

@@ -3,7 +3,6 @@
 
 import json
 import csv
-import os
 import re
 import logging
 import argparse

skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md

@@ -1,19 +1,37 @@
 ---
 name: analyzing-malware-sandbox-evasion-techniques
-description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
+description: Detect sandbox evasion techniques in malware samples by analyzing timing
+  checks, VM artifact queries, user interaction detection, and sleep inflation patterns
+  from Cuckoo/AnyRun behavioral reports
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
-  - sandbox-evasion
-  - malware-analysis
-  - cuckoo
-  - anyrun
-  - mitre-attack
-  - virtualization-detection
-  - behavioral-analysis
-version: "1.0"
+- sandbox-evasion
+- malware-analysis
+- cuckoo
+- anyrun
+- mitre-attack
+- virtualization-detection
+- behavioral-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- Platform Hardening
+- Restore Object
+- Process Analysis
+- System Call Filtering
+- Restore Software
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
+mitre_attack:
+- T1497.001
+- T1497.003
+- T1480
+- T1027.002
 ---
 
 # Analyzing Malware Sandbox Evasion Techniques
@@ -22,6 +40,14 @@ license: Apache-2.0
 
 Sandbox evasion (MITRE ATT&CK T1497) allows malware to detect analysis environments and alter behavior to avoid detection. This skill analyzes behavioral reports from Cuckoo Sandbox and AnyRun for evasion indicators including timing-based checks (GetTickCount, QueryPerformanceCounter, sleep inflation), VM artifact detection (registry keys, MAC address prefixes, process names like vmtoolsd.exe), user interaction checks (mouse movement, keyboard input), and environment fingerprinting (disk size, CPU count, RAM). Detection rules flag samples exhibiting these behaviors for deeper manual analysis.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing malware sandbox evasion techniques
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Cuckoo Sandbox 2.0+ or AnyRun account for behavioral analysis reports

skills/analyzing-malware-sandbox-evasion-techniques/scripts/agent.py

@@ -4,7 +4,6 @@
 import json
 import argparse
 from datetime import datetime
-from collections import defaultdict
 
 TIMING_APIS = {
     "GetTickCount", "GetTickCount64", "QueryPerformanceCounter",

skills/analyzing-memory-dumps-with-volatility/SKILL.md

@@ -1,17 +1,32 @@
 ---
 name: analyzing-memory-dumps-with-volatility
-description: >
-  Analyzes RAM memory dumps from compromised systems using the Volatility framework to
-  identify malicious processes, injected code, network connections, loaded modules, and
-  extracted credentials. Supports Windows, Linux, and macOS memory forensics. Activates
-  for requests involving memory forensics, RAM analysis, volatile data examination,
-  process injection detection, or memory-resident malware investigation.
+description: 'Analyzes RAM memory dumps from compromised systems using the Volatility framework to identify malicious processes,
+  injected code, network connections, loaded modules, and extracted credentials. Supports Windows, Linux, and macOS memory
+  forensics. Activates for requests involving memory forensics, RAM analysis, volatile data examination, process injection
+  detection, or memory-resident malware investigation.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response]
+tags:
+- malware
+- memory-forensics
+- Volatility
+- RAM-analysis
+- incident-response
+mitre_attack:
+- T1055
+- T1003
+- T1059
+- T1620
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 
 # Analyzing Memory Dumps with Volatility

skills/analyzing-memory-dumps-with-volatility/scripts/agent.py

@@ -1,19 +1,18 @@
 #!/usr/bin/env python3
 """Memory forensics agent using Volatility 3 for malware detection in RAM dumps."""
 
+import shlex
 import subprocess
 import os
 import sys
-import json
-import csv
-import re
-import io
 
 
 def run_vol3(memory_dump, plugin, extra_args=""):
     """Execute a Volatility 3 plugin and return output."""
-    cmd = f"vol3 -f {memory_dump} {plugin} {extra_args}"
-    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=300)
+    cmd = ["vol3", "-f", memory_dump, plugin]
+    if extra_args:
+        cmd.extend(shlex.split(extra_args))
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
     return result.stdout.strip(), result.stderr.strip(), result.returncode
 
 

skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md

@@ -1,20 +1,53 @@
 ---
 name: analyzing-memory-forensics-with-lime-and-volatility
-description: >
-  Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module
-  and analysis with Volatility 3 framework. Extracts process lists, network connections,
-  bash history, loaded kernel modules, and injected code from Linux memory images.
-  Use when performing incident response on compromised Linux systems.
+description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor)
+  kernel module and analysis with Volatility 3 framework. Extracts process lists,
+  network connections, bash history, loaded kernel modules, and injected code from
+  Linux memory images. Use when performing incident response on compromised Linux
+  systems.
+
+  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, memory, forensics, with]
-version: "1.0"
+tags:
+- memory-forensics
+- linux-forensics
+- lime
+- volatility
+- incident-response
+- kernel-modules
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
+mitre_attack:
+- T1055
+- T1003.001
+- T1620
+- T1564.001
 ---
 
 # Analyzing Memory Forensics with LiME and Volatility
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing memory forensics with lime and volatility
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
+## Prerequisites
+
+- Familiarity with security operations concepts and tools
+- Access to a test or lab environment for safe execution
+- Python 3.8+ with required dependencies installed
+- Appropriate authorization for any testing activities
+
 ## Instructions
 
 Acquire Linux memory using LiME kernel module, then analyze with Volatility 3

skills/analyzing-memory-forensics-with-lime-and-volatility/scripts/agent.py

@@ -1,7 +1,6 @@
 #!/usr/bin/env python3
 """Agent for Linux memory forensics using LiME acquisition and Volatility 3."""
 
-import os
 import json
 import subprocess
 import argparse
@@ -12,13 +11,13 @@ from pathlib import Path
 def acquire_memory_lime(output_path, lime_format="lime"):
     """Acquire memory using LiME kernel module."""
     kernel_version = subprocess.run(
-        ["uname", "-r"], capture_output=True, text=True
+        ["uname", "-r"], capture_output=True, text=True, timeout=120
     ).stdout.strip()
     lime_module = f"lime-{kernel_version}.ko"
     if not Path(lime_module).exists():
         lime_module = "lime.ko"
     cmd = ["insmod", lime_module, f"path={output_path}", f"format={lime_format}"]
-    result = subprocess.run(cmd, capture_output=True, text=True)
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
     return {
         "status": "success" if result.returncode == 0 else "failed",
         "output_path": output_path,

skills/analyzing-mft-for-deleted-file-recovery/SKILL.md

@@ -1,12 +1,33 @@
 ---
 name: analyzing-mft-for-deleted-file-recovery
-description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
+description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content
+  of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack
+  space using MFTECmd, analyzeMFT, and X-Ways Forensics.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [mft, ntfs, deleted-files, file-recovery, mftecmd, usn-journal, logfile, mft-slack-space, file-system-forensics, dfir]
-version: "1.0"
+tags:
+- mft
+- ntfs
+- deleted-files
+- file-recovery
+- mftecmd
+- usn-journal
+- logfile
+- mft-slack-space
+- file-system-forensics
+- dfir
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
+mitre_attack:
+- T1070.004
+- T1070.006
+- T1005
 ---
 
 # Analyzing MFT for Deleted File Recovery
@@ -15,6 +36,14 @@ license: Apache-2.0
 
 The NTFS Master File Table ($MFT) is the central metadata repository for every file and directory on an NTFS volume. Each file is represented by at least one 1024-byte MFT record containing attributes such as $STANDARD_INFORMATION (timestamps, permissions), $FILE_NAME (name, parent directory, timestamps), and $DATA (file content or cluster run pointers). When a file is deleted, its MFT record is marked as inactive (InUse flag cleared) but the metadata remains until the entry is reallocated by a new file. This persistence makes MFT analysis a primary technique for recovering deleted file evidence, reconstructing file system timelines, and detecting anti-forensic activity such as timestomping.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing mft for deleted file recovery
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Forensic disk image (E01, raw/dd, VMDK, or VHDX format)
@@ -186,3 +215,46 @@ vssadmin list shadows
 - MFT Slack Space Forensic Value: https://www.sygnia.co/blog/the-forensic-value-of-mft-slack-space/
 - MFTECmd Documentation: https://ericzimmerman.github.io/
 - SANS FOR500: Windows Forensic Analysis
+
+## Example Output
+
+```text
+$ MFTECmd.exe -f "C:\Evidence\$MFT" --csv /analysis/mft_output
+
+MFTECmd v1.2.2 - MFT Parser
+==============================
+Input: C:\Evidence\$MFT (Size: 384 MB)
+Total MFT Entries: 395,264
+
+Parsing MFT entries... Done (12.4 seconds)
+
+--- Deleted File Recovery Summary ---
+Total Entries:          395,264
+Active Files:           245,832
+Deleted Files:          149,432
+  Recoverable:          87,234 (resident data or clusters not reallocated)
+  Partially Recoverable: 31,456 (some clusters overwritten)
+  Unrecoverable:        30,742 (all clusters reallocated)
+
+--- Recently Deleted Files (Incident Window: 2024-01-15 to 2024-01-18) ---
+MFT Entry | Filename                          | Path                               | Size      | Deleted (UTC)         | Recoverable
+----------|-----------------------------------|------------------------------------|-----------|-----------------------|------------
+148923    | exfil_tool.exe                    | C:\ProgramData\Updates\            | 1,258,496 | 2024-01-17 02:45:12   | YES
+148924    | exfil_tool.log                    | C:\ProgramData\Updates\            | 45,312    | 2024-01-17 02:45:14   | YES
+149001    | passwords.txt                     | C:\Users\jsmith\Desktop\           | 2,048     | 2024-01-17 02:50:33   | YES
+149150    | scan_results.csv                  | C:\Users\jsmith\AppData\Local\Temp | 892,416   | 2024-01-17 03:00:01   | PARTIAL
+149200    | mimikatz.exe                      | C:\Windows\Temp\                   | 1,250,816 | 2024-01-18 01:15:22   | YES
+149201    | sekurlsa.log                      | C:\Windows\Temp\                   | 32,768    | 2024-01-18 01:15:25   | YES
+149302    | .bash_history                     | C:\Users\jsmith\                   | 4,096     | 2024-01-18 03:00:00   | NO
+149400    | ClearEventLogs.ps1                | C:\Windows\Temp\                   | 1,536     | 2024-01-18 03:01:12   | YES
+
+--- $STANDARD_INFORMATION vs $FILE_NAME Timestamp Analysis (Timestomping Detection) ---
+MFT Entry | Filename            | $SI Created          | $FN Created          | Delta     | Verdict
+----------|---------------------|----------------------|----------------------|-----------|----------
+148923    | exfil_tool.exe      | 2023-06-15 10:00:00  | 2024-01-15 14:34:02  | -214 days | TIMESTOMPED
+149200    | mimikatz.exe        | 2022-01-01 00:00:00  | 2024-01-16 02:30:15  | -745 days | TIMESTOMPED
+
+Recovered files exported to: /analysis/mft_output/recovered/
+Full CSV report: /analysis/mft_output/mft_analysis.csv (395,264 rows)
+Timeline CSV: /analysis/mft_output/mft_timeline.csv
+```

skills/analyzing-network-covert-channels-in-malware/SKILL.md

@@ -1,12 +1,37 @@
 ---
 name: analyzing-network-covert-channels-in-malware
-description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration.
+description: Detect and analyze covert communication channels used by malware including
+  DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2
+  and data exfiltration.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [covert-channels, dns-tunneling, icmp-exfiltration, malware-analysis, network-forensics, c2-detection, data-exfiltration]
-version: "1.0"
+tags:
+- covert-channels
+- dns-tunneling
+- icmp-exfiltration
+- malware-analysis
+- network-forensics
+- c2-detection
+- data-exfiltration
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- File Metadata Consistency Validation
+- Certificate Analysis
+- Application Protocol Command Analysis
+- Content Format Conversion
+- File Content Analysis
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
+mitre_attack:
+- T1071.001
+- T1095
+- T1572
+- T1001
 ---
 # Analyzing Network Covert Channels in Malware
 
@@ -14,6 +39,14 @@ license: Apache-2.0
 
 Malware uses covert channels to disguise C2 communication and data exfiltration within legitimate-looking network traffic. DNS tunneling encodes data in DNS queries and responses (used by tools like iodine, dnscat2, and malware families like FrameworkPOS). ICMP tunneling hides data in echo request/reply payloads (icmpsh, ptunnel). HTTP covert channels embed C2 data in headers, cookies, or steganographic images. Protocol abuse exploits allowed protocols to bypass firewalls. DNS tunneling detection achieves 99%+ recall with modern ML-based approaches, though low-throughput exfiltration remains challenging. Palo Alto Unit42 tracked three major DNS tunneling campaigns (TrkCdn, SecShow, Savvy Seahorse) through 2024, showing the technique's continued prevalence.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing network covert channels in malware
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Python 3.9+ with `scapy`, `dpkt`, `dnslib`
@@ -22,7 +55,7 @@ Malware uses covert channels to disguise C2 communication and data exfiltration
 - DNS query logging infrastructure
 - Understanding of DNS, ICMP, HTTP protocols at packet level
 
-## Practical Steps
+## Workflow
 
 ### Step 1: DNS Tunneling Detection
 

skills/analyzing-network-covert-channels-in-malware/scripts/agent.py

@@ -9,11 +9,10 @@ import os
 import sys
 import json
 import math
-import hashlib
 from collections import Counter, defaultdict
 
 try:
-    from scapy.all import rdpcap, DNS, DNSQR, DNSRR, ICMP, IP, TCP, UDP, Raw
+    from scapy.all import rdpcap, DNS, DNSQR, ICMP, IP, TCP, Raw
     HAS_SCAPY = True
 except ImportError:
     HAS_SCAPY = False

skills/analyzing-network-flow-data-with-netflow/SKILL.md

@@ -1,18 +1,50 @@
 ---
 name: analyzing-network-flow-data-with-netflow
-description: >-
-  Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data
-  exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow
-  records, builds traffic baselines, and applies statistical analysis to identify flows
-  with abnormal byte counts, connection durations, and periodic timing patterns.
+description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port
+  scanning, data exfiltration, and C2 beaconing patterns. Uses the Python netflow
+  library to decode flow records, builds traffic baselines, and applies statistical
+  analysis to identify flows with abnormal byte counts, connection durations, and
+  periodic timing patterns.
 domain: cybersecurity
 subdomain: network-security
-tags: [analyzing, network, flow, data]
-version: "1.0"
+tags:
+- analyzing
+- network
+- flow
+- data
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
+mitre_attack:
+- T1071
+- T1048
+- T1046
+- T1095
 ---
 
+
+# Analyzing Network Flow Data with Netflow
+
+
+## When to Use
+
+- When investigating security incidents that require analyzing network flow data with netflow
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
+## Prerequisites
+
+- Familiarity with network security concepts and tools
+- Access to a test or lab environment for safe execution
+- Python 3.8+ with required dependencies installed
+- Appropriate authorization for any testing activities
+
 ## Instructions
 
 1. Install dependencies: `pip install netflow`

skills/analyzing-network-packets-with-scapy/SKILL.md

@@ -1,18 +1,30 @@
 ---
 name: analyzing-network-packets-with-scapy
-description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and traffic anomaly detection in authorized security testing
+description: Craft, send, sniff, and dissect network packets using Scapy for protocol
+  analysis, network reconnaissance, and traffic anomaly detection in authorized security
+  testing
 domain: cybersecurity
 subdomain: network-security
 tags:
-  - scapy
-  - packet-analysis
-  - network-forensics
-  - protocol-dissection
-  - pcap
-  - traffic-analysis
-version: "1.0"
+- scapy
+- packet-analysis
+- network-forensics
+- protocol-dissection
+- pcap
+- traffic-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
+mitre_attack:
+- T1040
+- T1071
+- T1046
+- T1557
 ---
 
 # Analyzing Network Packets with Scapy
@@ -21,6 +33,14 @@ license: Apache-2.0
 
 Scapy is a Python packet manipulation library that enables crafting, sending, sniffing, and dissecting network packets at granular protocol layers. This skill covers using Scapy for security-relevant tasks including TCP/UDP/ICMP packet crafting, pcap file analysis, protocol field extraction, SYN scan implementation, DNS query analysis, and detecting anomalous traffic patterns such as unusually fragmented packets or malformed headers.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing network packets with scapy
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Python 3.8+ with `scapy` library installed (`pip install scapy`)

skills/analyzing-network-packets-with-scapy/scripts/agent.py

@@ -7,7 +7,7 @@ import argparse
 from collections import defaultdict, Counter
 from datetime import datetime
 
-from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR, ICMP, Raw
+from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR, ICMP
 
 
 def load_pcap(filepath):

skills/analyzing-network-traffic-for-incidents/SKILL.md

@@ -1,18 +1,32 @@
 ---
 name: analyzing-network-traffic-for-incidents
-description: >
-  Analyzes network traffic captures and flow data to identify adversary activity during
-  security incidents, including command-and-control communications, lateral movement,
-  data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow
-  analysis techniques. Activates for requests involving network traffic analysis,
-  packet capture investigation, PCAP analysis, network forensics, C2 traffic detection,
-  or exfiltration detection.
+description: 'Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including
+  command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek,
+  and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation,
+  PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection.
+
+  '
 domain: cybersecurity
 subdomain: incident-response
-tags: [network-forensics, PCAP-analysis, Wireshark, Zeek, traffic-analysis]
+tags:
+- network-forensics
+- PCAP-analysis
+- Wireshark
+- Zeek
+- traffic-analysis
+mitre_attack:
+- T1071
+- T1095
+- T1573
+- T1572
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---
 
 # Analyzing Network Traffic for Incidents

skills/analyzing-network-traffic-for-incidents/scripts/agent.py

@@ -6,10 +6,10 @@ import os
 import sys
 import json
 import statistics
-from collections import defaultdict, Counter
+from collections import defaultdict
 
 try:
-    from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR, Raw, ARP
+    from scapy.all import rdpcap, IP, TCP, DNS
     HAS_SCAPY = True
 except ImportError:
     HAS_SCAPY = False
@@ -17,9 +17,11 @@ except ImportError:
 
 def run_tshark(pcap_path, display_filter, fields):
     """Run tshark with a display filter and extract specific fields."""
-    field_args = " ".join(f"-e {f}" for f in fields)
-    cmd = f'tshark -r {pcap_path} -Y "{display_filter}" -T fields {field_args} -E separator="|"'
-    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=120)
+    cmd = ["tshark", "-r", pcap_path, "-Y", display_filter, "-T", "fields"]
+    for f in fields:
+        cmd += ["-e", f]
+    cmd += ["-E", "separator=|"]
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
     rows = []
     if result.returncode == 0:
         for line in result.stdout.strip().splitlines():
@@ -31,8 +33,8 @@ def run_tshark(pcap_path, display_filter, fields):
 
 def get_pcap_summary(pcap_path):
     """Get high-level PCAP statistics."""
-    cmd = f"tshark -r {pcap_path} -q -z conv,ip"
-    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)
+    cmd = ["tshark", "-r", pcap_path, "-q", "-z", "conv,ip"]
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
     return result.stdout if result.returncode == 0 else ""
 
 
@@ -57,8 +59,8 @@ def detect_lateral_movement(pcap_path):
 
 def detect_data_exfiltration(pcap_path, threshold_mb=10):
     """Detect potential data exfiltration based on outbound data volume."""
-    cmd = f'tshark -r {pcap_path} -q -z conv,ip'
-    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)
+    cmd = ["tshark", "-r", pcap_path, "-q", "-z", "conv,ip"]
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
     suspects = []
     if result.returncode == 0:
         for line in result.stdout.splitlines():
@@ -120,10 +122,13 @@ def extract_dns_queries(pcap_path):
 
 def detect_ids_alerts(pcap_path):
     """Run Suricata on the PCAP and extract alerts."""
-    cmd = f"suricata -r {pcap_path} -l /tmp/suricata_output -k none 2>/dev/null"
-    subprocess.run(cmd, shell=True, timeout=120)
+    import tempfile
+    suricata_output = os.environ.get("SURICATA_OUTPUT_DIR", os.path.join(tempfile.gettempdir(), "suricata_output"))
+    os.makedirs(suricata_output, exist_ok=True)
+    cmd = ["suricata", "-r", pcap_path, "-l", suricata_output, "-k", "none"]
+    subprocess.run(cmd, capture_output=True, timeout=120)
     alerts = []
-    alert_file = "/tmp/suricata_output/fast.log"
+    alert_file = os.path.join(suricata_output, "fast.log")
     if os.path.exists(alert_file):
         with open(alert_file, "r") as f:
             for line in f:
@@ -134,8 +139,8 @@ def detect_ids_alerts(pcap_path):
 def extract_http_objects(pcap_path, output_dir):
     """Extract HTTP objects (files) from the PCAP."""
     os.makedirs(output_dir, exist_ok=True)
-    cmd = f'tshark -r {pcap_path} --export-objects "http,{output_dir}"'
-    subprocess.run(cmd, shell=True, timeout=60)
+    cmd = ["tshark", "-r", pcap_path, "--export-objects", f"http,{output_dir}"]
+    subprocess.run(cmd, capture_output=True, timeout=60)
     exported = []
     if os.path.exists(output_dir):
         for f in os.listdir(output_dir):

skills/analyzing-network-traffic-of-malware/SKILL.md

@@ -1,17 +1,33 @@
 ---
 name: analyzing-network-traffic-of-malware
-description: >
-  Analyzes network traffic generated by malware during sandbox execution or live incident
-  response to identify C2 protocols, data exfiltration channels, payload downloads, and
-  lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests
-  involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or
-  network-based malware detection.
+description: 'Analyzes network traffic generated by malware during sandbox execution
+  or live incident response to identify C2 protocols, data exfiltration channels,
+  payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata.
+  Activates for requests involving malware network analysis, C2 traffic decoding,
+  malware PCAP analysis, or network-based malware detection.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, network-analysis, PCAP, Wireshark, C2-detection]
+tags:
+- malware
+- network-analysis
+- PCAP
+- Wireshark
+- C2-detection
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
+mitre_attack:
+- T1071.001
+- T1571
+- T1573
+- T1095
 ---
 
 # Analyzing Network Traffic of Malware

skills/analyzing-network-traffic-of-malware/scripts/agent.py

@@ -3,9 +3,7 @@
 
 import os
 import sys
-import json
 import math
-import subprocess
 from collections import defaultdict, Counter
 
 try:
@@ -15,7 +13,7 @@ except ImportError:
     HAS_DPKT = False
 
 try:
-    from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR, Raw
+    from scapy.all import rdpcap, IP, TCP, DNS, DNSQR
     HAS_SCAPY = True
 except ImportError:
     HAS_SCAPY = False

skills/analyzing-network-traffic-with-wireshark/SKILL.md

@@ -1,15 +1,31 @@
 ---
 name: analyzing-network-traffic-with-wireshark
-description: >
-  Captures and analyzes network packet data using Wireshark and tshark to identify
-  malicious traffic patterns, diagnose protocol issues, extract artifacts, and
-  support incident response investigations on authorized network segments.
+description: 'Captures and analyzes network packet data using Wireshark and tshark
+  to identify malicious traffic patterns, diagnose protocol issues, extract artifacts,
+  and support incident response investigations on authorized network segments.
+
+  '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, wireshark, packet-analysis, traffic-analysis, pcap]
-version: "1.0"
+tags:
+- network-security
+- wireshark
+- packet-analysis
+- traffic-analysis
+- pcap
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
+mitre_attack:
+- T1040
+- T1071
+- T1557
+- T1046
 ---
 # Analyzing Network Traffic with Wireshark
 

skills/analyzing-network-traffic-with-wireshark/scripts/agent.py

@@ -2,26 +2,24 @@
 """Wireshark/tshark packet analysis agent for network security investigations."""
 
 import subprocess
+import shlex
 import os
 import sys
-import json
-import re
-from collections import defaultdict
 
 
 def run_tshark(pcap_path, args):
     """Execute tshark with custom arguments."""
-    cmd = f"tshark -r {pcap_path} {args}"
-    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=120)
+    cmd = ["tshark", "-r", pcap_path] + shlex.split(args)
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
     return result.stdout.strip(), result.stderr.strip(), result.returncode
 
 
 def capture_live(interface, output_path, duration=60, capture_filter=None):
     """Start a live packet capture using tshark."""
-    cmd = f"tshark -i {interface} -w {output_path} -a duration:{duration}"
+    cmd = ["tshark", "-i", interface, "-w", output_path, "-a", f"duration:{duration}"]
     if capture_filter:
-        cmd += f' -f "{capture_filter}"'
-    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=duration + 10)
+        cmd += ["-f", capture_filter]
+    result = subprocess.run(cmd, capture_output=True, text=True, timeout=duration + 10)
     return result.returncode == 0
 
 

skills/analyzing-office365-audit-logs-for-compromise/SKILL.md

@@ -1,12 +1,31 @@
 ---
 name: analyzing-office365-audit-logs-for-compromise
-description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and other indicators of account compromise.
+description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect
+  email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and
+  other indicators of account compromise.
 domain: cybersecurity
 subdomain: cloud-security
-tags: [Office365, Microsoft-Graph, audit-logs, email-compromise, inbox-rules, OAuth, BEC]
-version: "1.0"
+tags:
+- Office365
+- Microsoft-Graph
+- audit-logs
+- email-compromise
+- inbox-rules
+- OAuth
+- BEC
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
+mitre_attack:
+- T1114.002
+- T1098.002
+- T1556.006
+- T1078.004
 ---
 
 # Analyzing Office 365 Audit Logs for Compromise
@@ -15,6 +34,14 @@ license: Apache-2.0
 
 Business Email Compromise (BEC) attacks often leave traces in Office 365 audit logs: suspicious inbox rule creation, email forwarding to external addresses, mailbox delegation changes, and unauthorized OAuth application consent grants. This skill uses the Microsoft Graph API to query the Unified Audit Log, enumerate inbox rules across mailboxes, detect forwarding configurations, and identify compromised account indicators.
 
+
+## When to Use
+
+- When investigating security incidents that require analyzing office365 audit logs for compromise
+- When building detection rules or threat hunting queries for this domain
+- When SOC analysts need structured procedures for this analysis type
+- When validating security monitoring coverage for related attack techniques
+
 ## Prerequisites
 
 - Azure AD app registration with `AuditLog.Read.All`, `MailboxSettings.Read`, `Mail.Read` (application permissions)