creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-10 21:24:56 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: creator/Anthropic-Cybersecurity-Skills:v1.0.0
Branches Tags
creator/Anthropic-Cybersecurity-Skills:main
creator/Anthropic-Cybersecurity-Skills:v1.2.0 creator/Anthropic-Cybersecurity-Skills:v1.1.0 creator/Anthropic-Cybersecurity-Skills:v1.0.0
..
compare: creator/Anthropic-Cybersecurity-Skills:v1.2.0
Branches Tags
creator/Anthropic-Cybersecurity-Skills:main
creator/Anthropic-Cybersecurity-Skills:v1.2.0 creator/Anthropic-Cybersecurity-Skills:v1.1.0 creator/Anthropic-Cybersecurity-Skills:v1.0.0

113 Commits
v1.0.0 .. v1.2.0

Author SHA1 Message Date
mukul975 c0ab6cfccb docs: update README for v1.2.0 — 5-framework coverage, 754 skills 2026-04-06 12:06:22 +02:00
mukul975 b4231b19e7 chore: auto-update index.json 2026-04-06 09:17:52 +00:00
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills 
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
 2026-04-06 11:17:40 +02:00
mukul975 e8105a2f4d chore: auto-update index.json 2026-04-05 23:56:33 +00:00
mukul975 ef27f026cb feat: enrich 209 skills with MITRE ATLAS, D3FEND, and NIST AI RMF frontmatter 
Added structured security framework mappings to SKILL.md frontmatter across all applicable skills:
- atlas_techniques: MITRE ATLAS v5.5 AML.TXXXX IDs (81 skills, AI-targeted attack techniques)
- d3fend_techniques: MITRE D3FEND v1.3 defensive technique labels (139 skills, mapped from ATT&CK IDs)
- nist_ai_rmf: NIST AI RMF 1.0 subcategory IDs (85 skills, AI risk management functions)

Also updates ATTACK_COVERAGE.md with coverage statistics for all three frameworks.
 2026-04-06 01:56:17 +02:00
mukul975 c15f73db46 chore: auto-update index.json 2026-04-03 06:56:09 +00:00
mukul975 6325c202c5 chore: auto-update index.json 2026-04-03 06:30:32 +00:00
Mahipal 1cf19ded90 Merge pull request #26 from juliosuas/add-mitre-attack-incident-response 
Add MITRE ATT&CK IDs to incident response skills (fixes #1)
 2026-04-03 02:30:23 -04:00
Mahipal a7f577b482 Add skill: performing-cloud-native-threat-hunting-with-aws-detective 
Add skill: performing-cloud-native-threat-hunting-with-aws-detective
 2026-04-03 02:30:17 -04:00
Mahipal e26a736cf7 ci: add workflow to auto-sync marketplace version on release 2026-03-31 14:46:36 +02:00
Mahipal bb39fa73a9 Update marketplace version to v1.1.0 2026-03-31 14:41:58 +02:00
Mahipal 1cffd664f5 Remove Product Hunt badge from README 
Removed Product Hunt badge from README.
 2026-03-28 17:51:39 +01:00
Mahipal d7f205681a Add Product Hunt badge to README 
Added a Product Hunt badge to promote the project.
 2026-03-28 17:23:50 +01:00
mukul975 7283f02ba9 chore: auto-update index.json 2026-03-28 11:41:02 +00:00
mukul975 476a0880f4 Fix ESET AV false positive on AMSI bypass strings in skill docs 2026-03-28 12:40:53 +01:00
MAGI a072845a3f Fix review comments: correct AWS Detective API usage and forensic ordering 
- Fix FilterCriteria to use singular Severity/Status with Value objects
  instead of invalid plural Severities/Statuses arrays (SKILL.md + process.py)
- Fix get_entity_history: rename to get_investigation_indicators, use
  investigation_id instead of entity_arn for InvestigationId parameter
- Replace invalid inv-* placeholders with 21-digit numeric IDs
- Fix Expected Output to match real API response structure (no embedded
  Indicators; document separate list-indicators call and indicator types)
- Fix CLI --filter-criteria example to use correct format
- Update process.py --severity to accept single value with validation
- Add --max-results validation (1-100 range)
- Add pagination via _collect_all_pages helper for all list API calls
- Reorder Response Actions checklist: evidence preservation before containment
- Reorder Phase 5 workflow: preserve evidence first when safe
 2026-03-28 02:06:16 -06:00
MAGI 41b828e758 fix: add missing process.py implementation for aws-detective skill 
The process.py script was empty (0 bytes). Added a functional
implementation that lists behavior graphs, retrieves investigations,
queries indicators, and exports results — matching the pattern of
other skills in the repository.
 2026-03-28 02:06:16 -06:00
MAGI 2f6701d2d8 Add skill: performing-cloud-native-threat-hunting-with-aws-detective (fixes #6) 2026-03-28 02:06:16 -06:00
mukul975 aff90acbf5 Trigger contributor recalculation 2026-03-28 02:06:16 -06:00
Julio César Suástegui 84b4699e59 fix: remove out-of-scope changes (cloud-waf tags, zero-trust description rewrite) 2026-03-28 02:06:00 -06:00
MAGI c7ad5e7b98 Fix round 3: refine MITRE ATT&CK mappings per CodeRabbit review 
- osquery: replace broad IDs with concrete detections (T1049, T1620, T1053.003, T1548.001, T1552)
- credential extraction: replace T1550 with T1552 (Unsecured Credentials)
- persistence investigation: use sub-techniques (T1547.001, T1053.005, T1543.003, T1546.003)
 2026-03-28 02:06:00 -06:00
MAGI 15d53bd09b Fix MITRE ATT&CK mappings per CodeRabbit review: align techniques to skill content 
- analyzing-malware-persistence-with-autoruns: add persistence techniques T1547, T1053, T1543, T1546
- analyzing-memory-dumps-with-volatility: add memory forensics techniques T1055, T1003, T1059, T1620
- analyzing-persistence-mechanisms-in-linux: add Linux-specific sub-techniques T1053.003, T1543.002, T1574.006, T1546.004
- analyzing-windows-prefetch-with-python: add execution techniques T1059, T1204, T1036
- building-incident-response-dashboard: remove misaligned mitre_attack (dashboard is a visibility tool)
- building-phishing-reporting-button-workflow: add phishing techniques T1566, T1204, T1534
- deobfuscating-powershell-obfuscated-malware: add PowerShell/obfuscation techniques T1059.001, T1027, T1140
 2026-03-28 02:06:00 -06:00
MAGI 100361c3e5 Scope fix: remove mitre_attack from 24 non-incident-response skills, use sub-techniques 
- Removed mitre_attack from digital-forensics, cloud-security, malware-analysis,
  endpoint-security, threat-hunting, ransomware-defense, phishing-defense, and
  security-operations subdomain skills (out of PR scope per issue #1)
- Applied sub-technique IDs where appropriate (T1566.001, T1003.001, etc.)
- Only incident-response and soc-operations skills retain mappings
 2026-03-28 02:06:00 -06:00
MAGI 42258456e8 Fix MITRE ATT&CK mappings per CodeRabbit review 
- Replace generic T1190/T1059/T1078 with context-specific techniques
- Persistence: T1547, T1053, T1543, T1574
- Credentials: T1003, T1558, T1550
- Phishing: T1566, T1204, T1534
- Ransomware: T1486, T1490, T1489
- Cloud: T1078, T1537, T1580, T1098
- Remove mappings from out-of-scope subdomains (ot-ics, malware-analysis, digital-forensics)
 2026-03-28 02:05:57 -06:00
MAGI 5e62a7ea2c Add MITRE ATT&CK technique IDs to 60 incident-response skills (fixes #1) 2026-03-28 02:05:53 -06:00
mukul975 0fbcbdf8dd chore: auto-update index.json 2026-03-27 09:24:27 +00:00
Julio César Suástegui 97c213f9a4 Add skill: detecting-lateral-movement-with-zeek (fixes #5) (#29) 2026-03-27 10:24:16 +01:00
mukul975 9314565dd9 docs: update release version from v1.0.0 to v1.1.0 in README 2026-03-23 19:17:24 +01:00
mukul975 c74a7547bb docs: replace static contributors table with contrib.rocks auto-updating widget 2026-03-23 19:16:03 +01:00
mukul975 f4e791c06c docs: remove fake contributor Systech2021-1952 from README 2026-03-23 19:14:33 +01:00
mukul975 577f795252 docs: update skill count to 753 and domain count to 38 across all files 2026-03-21 13:57:15 +01:00
mukul975 ac77250450 docs: use single name Mahipal in CITATION.cff 2026-03-21 13:38:37 +01:00
mukul975 57b684e4d6 docs: add CITATION.cff for academic and tool attribution 2026-03-21 13:37:55 +01:00
mukul975 3856835990 chore: auto-update index.json 2026-03-21 12:23:42 +00:00
mukul975 db3eaaeaf2 fix: add workflow_dispatch and self-trigger to update-index workflow 2026-03-21 13:23:34 +01:00
mukul975 7f60276fd9 fix: add missing import re in update-index workflow, bump version to 1.1.0 2026-03-21 13:21:55 +01:00
mukul975 e2c3836c30 feat: upgrade 5 skills with full content for v1.1.0 
Replaced stub SKILL.md files with complete implementations:
- analyzing-linux-audit-logs-for-intrusion (257 lines, full auditd workflow)
- analyzing-windows-amcache-artifacts (237 lines, AmcacheParser + timeline)
- detecting-oauth-token-theft (266 lines, Azure AD token protection)
- implementing-devsecops-security-scanning (372 lines, full CI/CD pipeline)
- implementing-privileged-session-monitoring (323 lines, PAM session audit)

Also bumps index.json to version 1.1.0.
 2026-03-21 12:36:58 +01:00
mukul975 d77aaf8b28 Fix index.json: restore description field for skill registration 2026-03-21 11:46:09 +01:00
mukul975 777b3b97a2 Update contact email to mukuljangra5@gmail.com 2026-03-21 11:43:18 +01:00
mukul975 38915dec6d Slim index.json to name+path only, fix plugin domain loading 
- index.json: 463KB -> 84KB (name+path only, single cybersecurity domain)
- update-index.yml: generates compact slim index on every push
- marketplace.json + plugin.json: update skill count 607+ to 753
 2026-03-21 11:39:28 +01:00
mukul975 7bc1b2be1c Remove audit report from repo 2026-03-19 19:47:28 +01:00
mukul975 5cde5a95e6 Add MITRE ATT&CK coverage map: 291 techniques across 14/14 tactics 2026-03-19 19:43:25 +01:00
mukul975 201975ae70 chore: auto-update index.json 2026-03-19 18:14:37 +00:00
mukul975 d833f0eab9 Add 30 new production-grade cybersecurity skills: AI security, supply chain, firmware, cloud-native, compliance, deception, crypto, threat hunting, purple team, OT, privacy 2026-03-19 19:14:25 +01:00
mukul975 d43cc7a766 chore: auto-update index.json 2026-03-19 13:12:59 +00:00
mukul975 a1e9ca5a4a Expand 4 remaining SKILL.md stubs with researched content 2026-03-19 14:12:18 +01:00
mukul975 6dc9e739e3 chore: auto-update index.json 2026-03-19 12:56:47 +00:00
mukul975 5a64fb0416 Fix last 2 issues: expand Datadog SKILL.md, fix XSOAR verify=False 2026-03-19 13:56:37 +01:00
mukul975 0bf1fa2a41 chore: auto-update index.json 2026-03-19 12:56:06 +00:00
mukul975 051e7e72ed Expand 38 agent.py stubs, standardize 347 SKILL.md sections, fix 4 verify=False 2026-03-19 13:55:55 +01:00
mukul975 79287253fb chore: auto-update index.json 2026-03-19 12:44:47 +00:00
mukul975 7e2e6ad664 Expand boilerplate agent.py stubs with real implementations (batch 2) 2026-03-19 13:44:38 +01:00
mukul975 3803da65d5 chore: auto-update index.json 2026-03-19 12:42:21 +00:00
mukul975 682d416c6e Remove backed-up duplicate skills to fix validation pipeline 2026-03-19 13:41:56 +01:00
mukul975 2438c22972 chore: auto-update index.json 2026-03-19 12:39:52 +00:00
mukul975 3492302a13 Fix frontmatter descriptions, duplicate YAML blocks, title headings across 60 files 2026-03-19 13:39:41 +01:00
mukul975 b444d348f8 chore: auto-update index.json 2026-03-19 12:30:01 +00:00
mukul975 d005ae764b Expand 39 api-reference stubs with real tool docs, expand 15 agent.py boilerplate stubs 2026-03-19 13:29:50 +01:00
mukul975 d63b578a2f chore: auto-update index.json 2026-03-19 12:27:09 +00:00
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete 
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
 2026-03-19 13:26:49 +01:00
mukul975 63b442d347 Fix contributor avatar URLs with correct user IDs 2026-03-19 10:49:33 +01:00
mukul975 a4885abffe Fix nested code fences in README examples 2026-03-19 10:46:09 +01:00
mukul975 6f1099fb9d Update README with 734+ skills, MITRE ATT&CK coverage, platform compatibility 2026-03-19 10:29:35 +01:00
mukul975 4b6aa1e775 chore: auto-update index.json 2026-03-19 09:18:03 +00:00
mukul975 0c690a20c8 chore: auto-update index.json 2026-03-19 09:06:22 +00:00
juliosuas 2967d69d48 Translate top skills to Spanish 
Adds Spanish translations for 7 cybersecurity skills.
 2026-03-19 10:06:13 +01:00
mukul975 220f49477a chore: auto-update index.json 2026-03-19 09:06:04 +00:00
juliosuas cfa57cf8bf Add working example output to digital-forensics skills 
Adds realistic example output sections to 10 digital forensics skills.
 2026-03-19 10:05:56 +01:00
mukul975 1e98186845 chore: auto-update index.json 2026-03-19 09:02:56 +00:00
mukul975 2100487865 chore: auto-update index.json 2026-03-19 10:02:23 +01:00
juliosuas 34e0cf6e2d Fix NIST CSF 2.0 category counts in table: ID=3, RC=2 
The summary table had incorrect category counts for Identify (4 → 3)
and Recover (1 → 2), inconsistent with the frontmatter mapping and
official NIST CSF 2.0 specification (GV:6 + ID:3 + PR:5 + DE:2 +
RS:4 + RC:2 = 22 categories).
 2026-03-19 10:02:23 +01:00
mukul975 1e2d015ef4 chore: auto-update index.json 2026-03-19 10:02:22 +01:00
juliosuas 16201a7e60 Address CodeRabbit review: legal guardrails, mkdir, filename consistency, HIBP headers 2026-03-19 10:02:22 +01:00
juliosuas 788404ca75 Add skill: performing-ai-driven-osint-correlation 2026-03-19 10:02:22 +01:00
Mahipal c214ad111e Update PayPal link in FUNDING.yml 2026-03-19 10:02:22 +01:00
Mahipal ba41fb8de9 Create FUNDING.yml 2026-03-19 10:02:22 +01:00
juliosuas ebffa4fb4f Fix NIST CSF 2.0: correct official 22 categories (add RS.MI, RC.CO; remove ID.AA) 2026-03-17 22:11:05 -06:00
juliosuas ba9146a2cd Fix NIST CSF category count: include all 22 categories 2026-03-17 17:17:02 -06:00
juliosuas 03da94c256 Add NIST CSF 2.0 categories to compliance-governance skills (fixes #2) 2026-03-17 10:28:43 -06:00
Mahipal 106129b1eb Update README.md 2026-03-17 00:43:52 +01:00
mukul975 54a5b0df25 docs: add star history graph to README 2026-03-11 01:48:05 +01:00
mukul975 1c170f0f40 chore: untrack launch/twitter-thread.md (gitignored) 2026-03-11 01:47:44 +01:00
mukul975 1acb1a8f0c feat: add MITRE ATT&CK Navigator layer and coverage mappings 2026-03-11 01:45:51 +01:00
mukul975 93780c4e8e chore: add launch/ to gitignore 2026-03-11 01:45:50 +01:00
mukul975 6fa4350934 chore: auto-update index.json 2026-03-11 00:43:13 +00:00
mukul975 4ed6f49151 chore: fix license, add disclaimer, quick start, GitHub topics, issue templates 2026-03-11 01:42:50 +01:00
mukul975 e09b84a7da chore: auto-update index.json 2026-03-11 00:22:05 +00:00
mukul975 b29b23470a feat: add 5 new cybersecurity skills - secrets scanning CI/CD, Bluetooth assessment, DNS exfil Zeek, SOAR phishing, AD ACL abuse 2026-03-11 01:21:45 +01:00
mukul975 d547391908 chore: auto-update index.json 2026-03-10 23:52:39 +00:00
mukul975 794489277c fix: correct license from Apache-2.0 to MIT for batch 2 skills 2026-03-11 00:52:29 +01:00
mukul975 77c274fad7 chore: auto-update index.json 2026-03-10 23:51:29 +00:00
mukul975 aba13ca5af feat: add 5 new cybersecurity skills - Azure storage audit, supply chain simulation, Azure PIM, Empire artifacts, NTLM relay 2026-03-11 00:51:19 +01:00
mukul975 b7ef3190a1 chore: auto-update index.json 2026-03-10 23:49:32 +00:00
mukul975 c0c5bbaac1 Add 5 new cybersecurity skills: golden ticket detection, traffic baselining, sandbox evasion analysis, domain fronting hunting, SpiderFoot OSINT 2026-03-11 00:49:24 +01:00
mukul975 aa1fc4083d chore: auto-update index.json 2026-03-10 23:49:11 +00:00
mukul975 ff3a9ce224 feat: add 4 new cybersecurity skills - UEBA insider threat, BeyondCorp zero trust, Linux kernel rootkits, CobaltStrike beacon hunting 2026-03-11 00:48:56 +01:00
mukul975 85fce5551d chore: auto-update index.json 2026-03-10 23:48:22 +00:00
mukul975 42cd69598e Add 5 new cybersecurity skills batch 2 - oauth token theft, binary exploitation, STIX2 sharing, linux audit logs, timestomping detection 2026-03-11 00:48:13 +01:00
mukul975 7135f0cfe3 chore: auto-update index.json 2026-03-10 23:47:17 +00:00
mukul975 4d6d585285 Add 10 new cybersecurity skills with full folder anatomy 
Skills added:
- implementing-privileged-access-workstation (IAM, PAW hardening)
- detecting-suspicious-oauth-application-consent (cloud security, Graph API)
- performing-hardware-security-module-integration (cryptography, PKCS#11)
- analyzing-android-malware-with-apktool (malware analysis, androguard)
- hunting-for-unusual-service-installations (threat hunting, T1543.003)
- detecting-shadow-it-cloud-usage (cloud security, proxy/DNS log analysis)
- performing-active-directory-forest-trust-attack (red team, impacket)
- implementing-deception-based-detection-with-canarytoken (deception, Canary API)
- analyzing-office365-audit-logs-for-compromise (cloud security, BEC detection)
- hunting-for-startup-folder-persistence (threat hunting, T1547.001)

Each skill includes SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
 2026-03-11 00:47:03 +01:00
mukul975 b6c7ac9d82 chore: auto-update index.json 2026-03-10 23:44:50 +00:00
mukul975 014c387ff3 feat: add 5 cybersecurity skills - CloudTrail anomalies, SSL/TLS assessment, Wazuh detection, Prefetch analysis, WMI lateral movement 2026-03-11 00:44:42 +01:00
mukul975 3fbae3f3a4 chore: auto-update index.json 2026-03-10 23:43:12 +00:00
mukul975 7308b56252 feat: add 5 new cybersecurity skills - WMI persistence, CloudTrail forensics, honeypots, PDF malware, DCSync detection 2026-03-11 00:42:59 +01:00
mukul975 ab1fc6d87c chore: auto-update index.json 2026-03-10 23:42:14 +00:00
mukul975 aea97ff9ff Add 5 new cybersecurity skills: AFL++ fuzzing, Sysmon scheduled task detection, ModSecurity WAF logging, MITRE Navigator TTP analysis, PowerShell script block hunting 2026-03-11 00:41:59 +01:00
mukul975 546f1ae6ef Add 5 new cybersecurity skills: greenbone vuln mgmt, email compromise detection, MISP sharing, CobaltStrike C2 analysis, registry run key hunting 2026-03-11 00:41:59 +01:00
mukul975 757f1c8eae Add 5 new cybersecurity skills with full implementations 
- implementing-vulnerability-management-with-greenbone: python-gvm GMP API, scan task creation, XML report parsing
- detecting-email-account-compromise: Microsoft Graph inbox rules, impossible travel detection, OAuth grant analysis
- performing-threat-intelligence-sharing-with-misp: PyMISP event creation, attribute management, sharing validation
- analyzing-cobaltstrike-malleable-c2-profiles: dissect.cobaltstrike C2Profile parsing, Suricata rule generation
- hunting-for-registry-run-key-persistence: Sysmon Event 13 analysis, T1547.001 detection, Sigma rule generation
 2026-03-11 00:41:59 +01:00
mukul975 e77d55ad50 chore: auto-update index.json 2026-03-10 23:40:24 +00:00
mukul975 cd8a26b606 feat: add 5 new cybersecurity skills - yara hunting, devsecops scanning, amcache, LOtL, privileged session monitoring 2026-03-11 00:40:06 +01:00
Mahipal 7e3b1f87e4 Add files via upload 2026-03-11 00:40:01 +01:00
Mahipal 4cc24378c7 Delete assets/IMG_3214.jpeg 2026-03-11 00:39:39 +01:00
Mahipal d5140a66fa Add files via upload 2026-03-11 00:38:18 +01:00
1543 changed files with 95107 additions and 32806 deletions
Expand all files Collapse all files
.claude-plugin/marketplace.json
+6 -6
View File
@@ -2,18 +2,18 @@
"name": "anthropic-cybersecurity-skills",
"owner": {
"name": "mukul975",
"email": "mukul975@users.noreply.github.com"
"email": "mukuljangra5@gmail.com"
},
"metadata": {
"description": "607+ cybersecurity skills for AI agents and security practitioners covering web security, pentesting, forensics, threat intelligence, cloud security, and more.",
"version": "1.0.0"
"description": "753 cybersecurity skills for AI agents and security practitioners covering web security, pentesting, forensics, threat intelligence, cloud security, and more.",
"version": "1.1.0"
},
"plugins": [
{
"name": "cybersecurity-skills",
"source": "./",
"description": "607+ cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
"version": "1.0.0",
"descripyion": "753 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
"version": "1.1.0",
"author": {
"name": "mukul975"
},
@@ -34,4 +34,4 @@
"repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
}
]
}
}
.claude-plugin/plugin.json
+1 -1
View File
@@ -1,5 +1,5 @@
{
"name": "cybersecurity-skills",
"description": "607+ cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
"description": "753 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
"version": "1.0.0"
}
.github/FUNDING.yml
+2
View File
@@ -0,0 +1,2 @@
github: mukul975
custom: ["https://paypal.me/mahipaljangra"]
.github/workflows/sync-marketplace-version.yml
+41
View File
@@ -0,0 +1,41 @@
name: Sync Marketplace Version on Release
on:
release:
types: [published]
jobs:
sync-version:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Extract version from tag
id: version
run: |
VERSION=${GITHUB_REF_NAME#v}
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "tag=$GITHUB_REF_NAME" >> $GITHUB_OUTPUT
- name: Update marketplace.json version
env:
VERSION: ${{ steps.version.outputs.version }}
run: |
jq --arg v "$VERSION"
'.metadata.version = $v | .plugins[].version = $v'
.claude-plugin/marketplace.json > tmp.json
mv tmp.json .claude-plugin/marketplace.json
echo "Updated marketplace.json to version $VERSION"
- name: Commit and push
run: |
git config user.name "mukul975"
git config user.email "mukuljangra5@gmail.com"
git add .claude-plugin/marketplace.json
git diff --staged --quiet || git commit -m "chore: bump marketplace version to ${{ steps.version.outputs.tag }}"
git push
.github/workflows/update-index.yml
+14 -36
View File
@@ -5,6 +5,8 @@ on:
branches: [main]
paths:
- 'skills/**'
- '.github/workflows/update-index.yml'
workflow_dispatch:
jobs:
update-index:
@@ -21,12 +23,9 @@ jobs:
python3 << 'EOF'
import os, json, re
from datetime import datetime, timezone
from collections import Counter
skills_dir = "skills"
skills = []
subdomain_counts = Counter()
tag_counter = Counter()
for skill_name in sorted(os.listdir(skills_dir)):
skill_md = os.path.join(skills_dir, skill_name, "SKILL.md")
@@ -35,58 +34,37 @@ jobs:
with open(skill_md, "r", encoding="utf-8") as f:
content = f.read()
fm_match = re.match(r"^---\n(.*?)\n---", content, re.DOTALL)
if not fm_match:
continue
fm = fm_match.group(1)
def get_field(field, text):
m = re.search(rf"^{field}:\s*(.+)$", text, re.MULTILINE)
return m.group(1).strip().strip('"') if m else ""
def get_tags(text):
m = re.search(r"^tags:\s*\[(.+)\]", text, re.MULTILINE)
return [t.strip() for t in m.group(1).split(",")] if m else []
tags = get_tags(fm)
subdomain = get_field("subdomain", fm)
subdomain_counts[subdomain] += 1
for t in tags:
tag_counter[t] += 1
description = ""
if fm_match:
m = re.search(r"^description:\s*(.+)$", fm_match.group(1), re.MULTILINE)
if m:
description = m.group(1).strip().strip('"')
skills.append({
"name": get_field("name", fm),
"description": get_field("description", fm),
"name": skill_name,
"description": description,
"domain": "cybersecurity",
"subdomain": subdomain,
"tags": tags,
"version": get_field("version", fm) or "1.0",
"author": "mukul975",
"license": "Apache-2.0",
"path": f"skills/{skill_name}"
})
top_tags = sorted(tag_counter.items(), key=lambda x: -x[1])[:20]
index = {
"version": "1.0.0",
"version": "1.1.0",
"generated_at": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
"repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills",
"domain": "cybersecurity",
"total_skills": len(skills),
"total_domains": 1,
"total_subdomains": len(subdomain_counts),
"domain_stats": {"cybersecurity": len(skills)},
"subdomain_stats": dict(subdomain_counts),
"top_tags": [{"tag": t, "count": c} for t, c in top_tags],
"skills": skills
}
with open("index.json", "w", encoding="utf-8") as f:
json.dump(index, f, indent=2)
json.dump(index, f, separators=(',', ':'))
print(f"Updated index.json: {len(skills)} skills, {len(subdomain_counts)} subdomains")
print(f"Updated index.json: {len(skills)} skills")
EOF
- name: Commit updated index
run: |
git config user.name "mukul975"
git config user.email "mukul975@users.noreply.github.com"
git config user.email "mukuljangra5@gmail.com"
git add index.json
git diff --staged --quiet || git commit -m "chore: auto-update index.json"
git push
.gitignore
+2
View File
@@ -12,3 +12,5 @@ __pycache__/
Thumbs.db
*.swp
launch/
extract_attack.py
AUDIT_REPORT.md
ATTACK_COVERAGE.md
+509
View File
@@ -0,0 +1,509 @@
# MITRE ATT&CK Coverage Map
<p align="center">
<a href="https://attack.mitre.org/"><img src="https://img.shields.io/badge/MITRE_ATT%26CK-v16-red?style=for-the-badge&logo=shield&logoColor=white" alt="MITRE ATT&CK" /></a>
<img src="https://img.shields.io/badge/Techniques-291+-blueviolet?style=for-the-badge" alt="Techniques" />
<img src="https://img.shields.io/badge/Tactics-14%2F14-green?style=for-the-badge" alt="Tactics" />
</p>
This document maps all **291 unique MITRE ATT&CK techniques** (across **149 parent techniques**) referenced in our **753+ cybersecurity skills** to the 14 Enterprise ATT&CK tactics. Use this to identify coverage gaps, plan detection engineering priorities, or validate your security program against the ATT&CK framework.
> **How to read this:** Each technique links to its official ATT&CK page. Skills listed under each technique are the ones in this repository that teach detection, hunting, exploitation, or response for that technique.
---
## Coverage Summary
| Tactic | Techniques | Coverage |
|:-------|:---------:|:---------|
| 🔎 **Reconnaissance** | **12** | `████████████░░░░░░░░░░░░░░░░░░` |
| 🏗️ **Resource Development** | **7** | `███████░░░░░░░░░░░░░░░░░░░░░░░` |
| 🚪 **Initial Access** | **18** | `██████████████████░░░░░░░░░░░░` |
| ⚡ **Execution** | **18** | `██████████████████░░░░░░░░░░░░` |
| 🔩 **Persistence** | **36** | `██████████████████████████████` |
| ⬆️ **Privilege Escalation** | **11** | `███████████░░░░░░░░░░░░░░░░░░░` |
| 🥷 **Defense Evasion** | **48** | `██████████████████████████████` |
| 🔑 **Credential Access** | **27** | `███████████████████████████░░░` |
| 🗺️ **Discovery** | **20** | `████████████████████░░░░░░░░░░` |
| ↔️ **Lateral Movement** | **9** | `█████████░░░░░░░░░░░░░░░░░░░░░` |
| 📦 **Collection** | **13** | `█████████████░░░░░░░░░░░░░░░░░` |
| 📡 **Command and Control** | **20** | `████████████████████░░░░░░░░░░` |
| 📤 **Exfiltration** | **12** | `████████████░░░░░░░░░░░░░░░░░░` |
| 💥 **Impact** | **6** | `██████░░░░░░░░░░░░░░░░░░░░░░░░` |
| 🔧 **Other/Cross-tactic** | **34** | |
| | **291** | **Total unique techniques** |
---
## 🔎 Reconnaissance
**12 techniques covered**
| Technique | Skills |
|:----------|:-------|
| [T1589](https://attack.mitre.org/techniques/T1589/) | `conducting-full-scope-red-team-engagement`, `conducting-social-engineering-pretext-call`, `performing-open-source-intelligence-gathering` |
| [T1590](https://attack.mitre.org/techniques/T1590/) | `performing-open-source-intelligence-gathering` |
| [T1591](https://attack.mitre.org/techniques/T1591/) | `collecting-open-source-intelligence`, `conducting-social-engineering-pretext-call`, `performing-open-source-intelligence-gathering` |
| [T1592](https://attack.mitre.org/techniques/T1592/) | `performing-open-source-intelligence-gathering` |
| [T1593](https://attack.mitre.org/techniques/T1593/) | `conducting-full-scope-red-team-engagement`, `performing-open-source-intelligence-gathering` |
| [T1594](https://attack.mitre.org/techniques/T1594/) | `performing-open-source-intelligence-gathering` |
| [T1595](https://attack.mitre.org/techniques/T1595/) | `executing-red-team-engagement-planning`, `triaging-security-incident` |
| [T1595.001](https://attack.mitre.org/techniques/T1595/001/) | `performing-open-source-intelligence-gathering` |
| [T1595.002](https://attack.mitre.org/techniques/T1595/002/) | `performing-open-source-intelligence-gathering` |
| [T1596](https://attack.mitre.org/techniques/T1596/) | `performing-open-source-intelligence-gathering` |
| [T1598](https://attack.mitre.org/techniques/T1598/) | `conducting-social-engineering-pretext-call` |
| [T1598.003](https://attack.mitre.org/techniques/T1598/003/) | `conducting-social-engineering-pretext-call`, `conducting-spearphishing-simulation-campaign` |
---
## 🏗️ Resource Development
**7 techniques covered**
| Technique | Skills |
|:----------|:-------|
| [T1583.001](https://attack.mitre.org/techniques/T1583/001/) | `building-red-team-c2-infrastructure-with-havoc`, `conducting-full-scope-red-team-engagement`, `conducting-spearphishing-simulation-campaign`, `implementing-mitre-attack-coverage-mapping` |
| [T1583.003](https://attack.mitre.org/techniques/T1583/003/) | `building-red-team-c2-infrastructure-with-havoc` |
| [T1584.001](https://attack.mitre.org/techniques/T1584/001/) | `hunting-for-dns-based-persistence` |
| [T1585.002](https://attack.mitre.org/techniques/T1585/002/) | `conducting-spearphishing-simulation-campaign` |
| [T1587.001](https://attack.mitre.org/techniques/T1587/001/) | `building-red-team-c2-infrastructure-with-havoc`, `conducting-full-scope-red-team-engagement` |
| [T1608.001](https://attack.mitre.org/techniques/T1608/001/) | `conducting-spearphishing-simulation-campaign` |
| [T1608.005](https://attack.mitre.org/techniques/T1608/005/) | `conducting-spearphishing-simulation-campaign` |
---
## 🚪 Initial Access
**18 techniques covered**
| Technique | Skills |
|:----------|:-------|
| [T1078](https://attack.mitre.org/techniques/T1078/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-powershell-script-block-logging`, `analyzing-windows-event-logs-in-splunk`, `building-threat-hunt-hypothesis-framework`, `conducting-full-scope-red-team-engagement` +13 more |
| [T1078.001](https://attack.mitre.org/techniques/T1078/001/) | `detecting-service-account-abuse` |
| [T1078.002](https://attack.mitre.org/techniques/T1078/002/) | `conducting-domain-persistence-with-dcsync`, `detecting-service-account-abuse`, `exploiting-active-directory-certificate-services-esc1`, `exploiting-constrained-delegation-abuse`, `exploiting-nopac-cve-2021-42278-42287` +1 more |
| [T1078.003](https://attack.mitre.org/techniques/T1078/003/) | `performing-privilege-escalation-assessment` |
| [T1078.004](https://attack.mitre.org/techniques/T1078/004/) | `detecting-azure-lateral-movement`, `detecting-azure-service-principal-abuse`, `implementing-mitre-attack-coverage-mapping`, `implementing-threat-modeling-with-mitre-attack` |
| [T1091](https://attack.mitre.org/techniques/T1091/) | `executing-red-team-engagement-planning`, `performing-physical-intrusion-assessment` |
| [T1133](https://attack.mitre.org/techniques/T1133/) | `executing-red-team-engagement-planning`, `performing-threat-landscape-assessment-for-sector` |
| [T1190](https://attack.mitre.org/techniques/T1190/) | `conducting-full-scope-red-team-engagement`, `executing-red-team-engagement-planning`, `exploiting-ms17-010-eternalblue-vulnerability`, `hunting-for-webshell-activity`, `performing-threat-landscape-assessment-for-sector` +1 more |
| [T1195](https://attack.mitre.org/techniques/T1195/) | `analyzing-supply-chain-malware-artifacts`, `performing-threat-landscape-assessment-for-sector` |
| [T1195.001](https://attack.mitre.org/techniques/T1195/001/) | `hunting-for-supply-chain-compromise` |
| [T1195.002](https://attack.mitre.org/techniques/T1195/002/) | `hunting-for-supply-chain-compromise` |
| [T1199](https://attack.mitre.org/techniques/T1199/) | `hunting-for-supply-chain-compromise`, `performing-physical-intrusion-assessment` |
| [T1200](https://attack.mitre.org/techniques/T1200/) | `executing-red-team-engagement-planning`, `performing-physical-intrusion-assessment` |
| [T1566](https://attack.mitre.org/techniques/T1566/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-threat-actor-ttps-with-mitre-attack`, `analyzing-threat-landscape-with-misp`, `building-attack-pattern-library-from-cti-reports`, `hunting-advanced-persistent-threats` +3 more |
| [T1566.001](https://attack.mitre.org/techniques/T1566/001/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-campaign-attribution-evidence`, `analyzing-macro-malware-in-office-documents`, `analyzing-threat-actor-ttps-with-mitre-navigator`, `building-attack-pattern-library-from-cti-reports` +13 more |
| [T1566.002](https://attack.mitre.org/techniques/T1566/002/) | `building-attack-pattern-library-from-cti-reports`, `conducting-spearphishing-simulation-campaign`, `hunting-for-spearphishing-indicators`, `implementing-continuous-security-validation-with-bas`, `implementing-mitre-attack-coverage-mapping` +1 more |
| [T1566.003](https://attack.mitre.org/techniques/T1566/003/) | `conducting-spearphishing-simulation-campaign`, `hunting-for-spearphishing-indicators`, `implementing-continuous-security-validation-with-bas` |
| [T1566.004](https://attack.mitre.org/techniques/T1566/004/) | `conducting-social-engineering-pretext-call` |
---
## ⚡ Execution
**18 techniques covered**
| Technique | Skills |
|:----------|:-------|
| [T1047](https://attack.mitre.org/techniques/T1047/) | `conducting-full-scope-red-team-engagement`, `detecting-fileless-attacks-on-endpoints`, `detecting-lateral-movement-with-splunk`, `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas` +8 more |
| [T1053](https://attack.mitre.org/techniques/T1053/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-persistence-mechanisms-in-linux`, `hunting-advanced-persistent-threats`, `hunting-for-persistence-mechanisms-in-windows`, `implementing-mitre-attack-coverage-mapping` +4 more |
| [T1053.002](https://attack.mitre.org/techniques/T1053/002/) | `hunting-for-scheduled-task-persistence` |
| [T1053.003](https://attack.mitre.org/techniques/T1053/003/) | `analyzing-persistence-mechanisms-in-linux`, `hunting-for-scheduled-task-persistence`, `performing-privilege-escalation-assessment`, `performing-privilege-escalation-on-linux` |
| [T1053.005](https://attack.mitre.org/techniques/T1053/005/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-campaign-attribution-evidence`, `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl` +17 more |
| [T1059](https://attack.mitre.org/techniques/T1059/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-threat-actor-ttps-with-mitre-attack`, `analyzing-windows-event-logs-in-splunk`, `building-incident-timeline-with-timesketch`, `deobfuscating-powershell-obfuscated-malware` +7 more |
| [T1059.001](https://attack.mitre.org/techniques/T1059/001/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-campaign-attribution-evidence`, `analyzing-macro-malware-in-office-documents`, `analyzing-powershell-empire-artifacts`, `analyzing-powershell-script-block-logging` +29 more |
| [T1059.003](https://attack.mitre.org/techniques/T1059/003/) | `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl`, `detecting-suspicious-powershell-execution`, `mapping-mitre-attack-techniques`, `performing-purple-team-atomic-testing` |
| [T1059.004](https://attack.mitre.org/techniques/T1059/004/) | `performing-purple-team-atomic-testing` |
| [T1059.005](https://attack.mitre.org/techniques/T1059/005/) | `analyzing-macro-malware-in-office-documents`, `detecting-living-off-the-land-attacks`, `executing-red-team-exercise`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` +2 more |
| [T1059.006](https://attack.mitre.org/techniques/T1059/006/) | `performing-purple-team-atomic-testing` |
| [T1059.007](https://attack.mitre.org/techniques/T1059/007/) | `performing-purple-team-atomic-testing` |
| [T1129](https://attack.mitre.org/techniques/T1129/) | `performing-purple-team-atomic-testing` |
| [T1203](https://attack.mitre.org/techniques/T1203/) | `performing-purple-team-atomic-testing` |
| [T1204.001](https://attack.mitre.org/techniques/T1204/001/) | `conducting-spearphishing-simulation-campaign` |
| [T1204.002](https://attack.mitre.org/techniques/T1204/002/) | `analyzing-macro-malware-in-office-documents`, `conducting-full-scope-red-team-engagement`, `conducting-spearphishing-simulation-campaign`, `detecting-living-off-the-land-attacks`, `executing-red-team-engagement-planning` +4 more |
| [T1569](https://attack.mitre.org/techniques/T1569/) | `performing-purple-team-atomic-testing` |
| [T1569.002](https://attack.mitre.org/techniques/T1569/002/) | `detecting-lateral-movement-in-network`, `detecting-lateral-movement-with-splunk`, `exploiting-ms17-010-eternalblue-vulnerability`, `performing-purple-team-atomic-testing` |
---
## 🔩 Persistence
**36 techniques covered**
| Technique | Skills |
|:----------|:-------|
| [T1098](https://attack.mitre.org/techniques/T1098/) | `analyzing-windows-event-logs-in-splunk`, `conducting-domain-persistence-with-dcsync`, `hunting-for-t1098-account-manipulation`, `implementing-mitre-attack-coverage-mapping`, `implementing-siem-use-cases-for-detection` +1 more |
| [T1098.001](https://attack.mitre.org/techniques/T1098/001/) | `conducting-cloud-penetration-testing`, `detecting-azure-lateral-movement`, `detecting-azure-service-principal-abuse`, `hunting-for-t1098-account-manipulation`, `implementing-mitre-attack-coverage-mapping` |
| [T1098.002](https://attack.mitre.org/techniques/T1098/002/) | `detecting-azure-lateral-movement`, `detecting-email-forwarding-rules-attack` |
| [T1098.004](https://attack.mitre.org/techniques/T1098/004/) | `analyzing-persistence-mechanisms-in-linux`, `implementing-security-monitoring-with-datadog` |
| [T1136](https://attack.mitre.org/techniques/T1136/) | `detecting-privilege-escalation-in-kubernetes-pods`, `implementing-mitre-attack-coverage-mapping`, `performing-purple-team-atomic-testing` |
| [T1136.001](https://attack.mitre.org/techniques/T1136/001/) | `analyzing-windows-event-logs-in-splunk`, `performing-purple-team-atomic-testing` |
| [T1136.002](https://attack.mitre.org/techniques/T1136/002/) | `exploiting-nopac-cve-2021-42278-42287` |
| [T1197](https://attack.mitre.org/techniques/T1197/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
| [T1505](https://attack.mitre.org/techniques/T1505/) | `performing-purple-team-atomic-testing` |
| [T1505.003](https://attack.mitre.org/techniques/T1505/003/) | `building-attack-pattern-library-from-cti-reports`, `hunting-for-webshell-activity`, `performing-purple-team-atomic-testing` |
| [T1542.001](https://attack.mitre.org/techniques/T1542/001/) | `analyzing-uefi-bootkit-persistence` |
| [T1542.003](https://attack.mitre.org/techniques/T1542/003/) | `analyzing-uefi-bootkit-persistence` |
| [T1543](https://attack.mitre.org/techniques/T1543/) | `analyzing-persistence-mechanisms-in-linux`, `hunting-for-persistence-mechanisms-in-windows`, `performing-purple-team-atomic-testing` |
| [T1543.002](https://attack.mitre.org/techniques/T1543/002/) | `analyzing-persistence-mechanisms-in-linux`, `performing-privilege-escalation-on-linux` |
| [T1543.003](https://attack.mitre.org/techniques/T1543/003/) | `detecting-lateral-movement-with-splunk`, `detecting-living-off-the-land-attacks`, `detecting-privilege-escalation-attempts`, `hunting-for-persistence-mechanisms-in-windows`, `hunting-for-unusual-service-installations` +2 more |
| [T1546](https://attack.mitre.org/techniques/T1546/) | `analyzing-persistence-mechanisms-in-linux`, `performing-purple-team-atomic-testing` |
| [T1546.001](https://attack.mitre.org/techniques/T1546/001/) | `performing-purple-team-atomic-testing` |
| [T1546.003](https://attack.mitre.org/techniques/T1546/003/) | `analyzing-windows-event-logs-in-splunk`, `detecting-fileless-attacks-on-endpoints`, `detecting-fileless-malware-techniques`, `detecting-wmi-persistence`, `hunting-for-lateral-movement-via-wmi` +3 more |
| [T1546.004](https://attack.mitre.org/techniques/T1546/004/) | `analyzing-persistence-mechanisms-in-linux` |
| [T1546.010](https://attack.mitre.org/techniques/T1546/010/) | `hunting-for-persistence-mechanisms-in-windows` |
| [T1546.012](https://attack.mitre.org/techniques/T1546/012/) | `hunting-for-persistence-mechanisms-in-windows`, `hunting-for-registry-persistence-mechanisms` |
| [T1546.015](https://attack.mitre.org/techniques/T1546/015/) | `hunting-for-persistence-mechanisms-in-windows`, `hunting-for-registry-persistence-mechanisms` |
| [T1547](https://attack.mitre.org/techniques/T1547/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-malware-persistence-with-autoruns`, `hunting-advanced-persistent-threats`, `hunting-for-persistence-mechanisms-in-windows`, `implementing-siem-use-cases-for-detection` +3 more |
| [T1547.001](https://attack.mitre.org/techniques/T1547/001/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement`, `detecting-fileless-attacks-on-endpoints` +10 more |
| [T1547.004](https://attack.mitre.org/techniques/T1547/004/) | `hunting-for-persistence-mechanisms-in-windows`, `hunting-for-registry-persistence-mechanisms`, `performing-purple-team-atomic-testing` |
| [T1547.005](https://attack.mitre.org/techniques/T1547/005/) | `hunting-for-persistence-mechanisms-in-windows` |
| [T1547.009](https://attack.mitre.org/techniques/T1547/009/) | `performing-purple-team-atomic-testing` |
| [T1556](https://attack.mitre.org/techniques/T1556/) | `performing-initial-access-with-evilginx3` |
| [T1556.007](https://attack.mitre.org/techniques/T1556/007/) | `detecting-azure-lateral-movement` |
| [T1574](https://attack.mitre.org/techniques/T1574/) | `analyzing-persistence-mechanisms-in-linux`, `performing-purple-team-atomic-testing` |
| [T1574.001](https://attack.mitre.org/techniques/T1574/001/) | `detecting-dll-sideloading-attacks`, `hunting-for-persistence-mechanisms-in-windows`, `performing-purple-team-atomic-testing` |
| [T1574.002](https://attack.mitre.org/techniques/T1574/002/) | `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `detecting-dll-sideloading-attacks`, `implementing-siem-use-cases-for-detection`, `performing-purple-team-atomic-testing` |
| [T1574.006](https://attack.mitre.org/techniques/T1574/006/) | `analyzing-persistence-mechanisms-in-linux`, `detecting-dll-sideloading-attacks`, `performing-privilege-escalation-on-linux` |
| [T1574.008](https://attack.mitre.org/techniques/T1574/008/) | `detecting-dll-sideloading-attacks` |
| [T1574.009](https://attack.mitre.org/techniques/T1574/009/) | `detecting-privilege-escalation-attempts` |
| [T1574.011](https://attack.mitre.org/techniques/T1574/011/) | `detecting-privilege-escalation-attempts` |
---
## ⬆️ Privilege Escalation
**11 techniques covered**
| Technique | Skills |
|:----------|:-------|
| [T1068](https://attack.mitre.org/techniques/T1068/) | `conducting-full-scope-red-team-engagement`, `detecting-container-escape-attempts`, `detecting-privilege-escalation-attempts`, `detecting-privilege-escalation-in-kubernetes-pods`, `executing-red-team-engagement-planning` +5 more |
| [T1134](https://attack.mitre.org/techniques/T1134/) | `analyzing-windows-event-logs-in-splunk`, `detecting-privilege-escalation-attempts` |
| [T1134.001](https://attack.mitre.org/techniques/T1134/001/) | `detecting-privilege-escalation-attempts`, `exploiting-constrained-delegation-abuse`, `performing-purple-team-atomic-testing` |
| [T1134.005](https://attack.mitre.org/techniques/T1134/005/) | `hunting-for-t1098-account-manipulation`, `performing-active-directory-compromise-investigation` |
| [T1484](https://attack.mitre.org/techniques/T1484/) | `exploiting-active-directory-certificate-services-esc1`, `performing-active-directory-vulnerability-assessment` |
| [T1484.001](https://attack.mitre.org/techniques/T1484/001/) | `deploying-active-directory-honeytokens`, `performing-active-directory-compromise-investigation` |
| [T1548](https://attack.mitre.org/techniques/T1548/) | `detecting-container-escape-attempts`, `detecting-privilege-escalation-in-kubernetes-pods`, `detecting-t1548-abuse-elevation-control-mechanism`, `performing-privilege-escalation-assessment` |
| [T1548.001](https://attack.mitre.org/techniques/T1548/001/) | `detecting-privilege-escalation-attempts`, `detecting-privilege-escalation-in-kubernetes-pods`, `detecting-t1548-abuse-elevation-control-mechanism`, `performing-privilege-escalation-assessment`, `performing-privilege-escalation-on-linux` |
| [T1548.002](https://attack.mitre.org/techniques/T1548/002/) | `conducting-full-scope-red-team-engagement`, `detecting-privilege-escalation-attempts`, `detecting-t1548-abuse-elevation-control-mechanism`, `performing-purple-team-atomic-testing` |
| [T1548.003](https://attack.mitre.org/techniques/T1548/003/) | `detecting-privilege-escalation-attempts`, `detecting-t1548-abuse-elevation-control-mechanism`, `performing-privilege-escalation-assessment`, `performing-privilege-escalation-on-linux` |
| [T1548.004](https://attack.mitre.org/techniques/T1548/004/) | `detecting-t1548-abuse-elevation-control-mechanism` |
---
## 🥷 Defense Evasion
**48 techniques covered**
| Technique | Skills |
|:----------|:-------|
| [T1027](https://attack.mitre.org/techniques/T1027/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-powershell-empire-artifacts`, `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement` +3 more |
| [T1036](https://attack.mitre.org/techniques/T1036/) | `detecting-evasion-techniques-in-endpoint-logs`, `implementing-mitre-attack-coverage-mapping`, `implementing-siem-use-cases-for-detection`, `performing-purple-team-atomic-testing` |
| [T1036.005](https://attack.mitre.org/techniques/T1036/005/) | `detecting-process-injection-techniques`, `performing-purple-team-atomic-testing` |
| [T1055](https://attack.mitre.org/techniques/T1055/) | `building-attack-pattern-library-from-cti-reports`, `building-red-team-c2-infrastructure-with-havoc`, `conducting-full-scope-red-team-engagement`, `detecting-evasion-techniques-in-endpoint-logs`, `detecting-fileless-attacks-on-endpoints` +13 more |
| [T1055.001](https://attack.mitre.org/techniques/T1055/001/) | `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon`, `hunting-for-process-injection-techniques`, `performing-purple-team-atomic-testing` +1 more |
| [T1055.002](https://attack.mitre.org/techniques/T1055/002/) | `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` |
| [T1055.003](https://attack.mitre.org/techniques/T1055/003/) | `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon`, `performing-purple-team-atomic-testing` |
| [T1055.004](https://attack.mitre.org/techniques/T1055/004/) | `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon`, `hunting-for-process-injection-techniques` |
| [T1055.005](https://attack.mitre.org/techniques/T1055/005/) | `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` |
| [T1055.008](https://attack.mitre.org/techniques/T1055/008/) | `detecting-process-injection-techniques` |
| [T1055.009](https://attack.mitre.org/techniques/T1055/009/) | `detecting-process-injection-techniques` |
| [T1055.011](https://attack.mitre.org/techniques/T1055/011/) | `detecting-process-injection-techniques` |
| [T1055.012](https://attack.mitre.org/techniques/T1055/012/) | `conducting-malware-incident-response`, `detecting-fileless-malware-techniques`, `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` +2 more |
| [T1055.013](https://attack.mitre.org/techniques/T1055/013/) | `detecting-process-hollowing-technique`, `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` |
| [T1055.014](https://attack.mitre.org/techniques/T1055/014/) | `detecting-process-injection-techniques` |
| [T1055.015](https://attack.mitre.org/techniques/T1055/015/) | `detecting-process-injection-techniques`, `detecting-t1055-process-injection-with-sysmon` |
| [T1070](https://attack.mitre.org/techniques/T1070/) | `detecting-evasion-techniques-in-endpoint-logs`, `implementing-siem-use-cases-for-detection`, `implementing-velociraptor-for-ir-collection`, `performing-purple-team-atomic-testing` |
| [T1070.001](https://attack.mitre.org/techniques/T1070/001/) | `detecting-evasion-techniques-in-endpoint-logs`, `implementing-mitre-attack-coverage-mapping`, `performing-purple-team-atomic-testing`, `performing-purple-team-exercise` |
| [T1070.004](https://attack.mitre.org/techniques/T1070/004/) | `implementing-threat-modeling-with-mitre-attack`, `performing-purple-team-atomic-testing` |
| [T1070.006](https://attack.mitre.org/techniques/T1070/006/) | `detecting-evasion-techniques-in-endpoint-logs`, `hunting-for-defense-evasion-via-timestomping` |
| [T1112](https://attack.mitre.org/techniques/T1112/) | `detecting-fileless-malware-techniques`, `performing-purple-team-atomic-testing` |
| [T1127](https://attack.mitre.org/techniques/T1127/) | `detecting-evasion-techniques-in-endpoint-logs`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-lolbins-execution-in-endpoint-logs` |
| [T1127.001](https://attack.mitre.org/techniques/T1127/001/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-lolbins-execution-in-endpoint-logs` |
| [T1140](https://attack.mitre.org/techniques/T1140/) | `analyzing-powershell-script-block-logging`, `detecting-fileless-attacks-on-endpoints`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` +1 more |
| [T1202](https://attack.mitre.org/techniques/T1202/) | `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` |
| [T1218](https://attack.mitre.org/techniques/T1218/) | `detecting-evasion-techniques-in-endpoint-logs`, `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-advanced-persistent-threats`, `hunting-for-living-off-the-land-binaries` +3 more |
| [T1218.001](https://attack.mitre.org/techniques/T1218/001/) | `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
| [T1218.002](https://attack.mitre.org/techniques/T1218/002/) | `hunting-for-living-off-the-land-binaries` |
| [T1218.003](https://attack.mitre.org/techniques/T1218/003/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
| [T1218.004](https://attack.mitre.org/techniques/T1218/004/) | `detecting-living-off-the-land-attacks`, `hunting-for-lolbins-execution-in-endpoint-logs` |
| [T1218.005](https://attack.mitre.org/techniques/T1218/005/) | `detecting-fileless-malware-techniques`, `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` +1 more |
| [T1218.007](https://attack.mitre.org/techniques/T1218/007/) | `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs` |
| [T1218.010](https://attack.mitre.org/techniques/T1218/010/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
| [T1218.011](https://attack.mitre.org/techniques/T1218/011/) | `detecting-living-off-the-land-attacks`, `detecting-living-off-the-land-with-lolbas`, `hunting-for-living-off-the-land-binaries`, `hunting-for-lolbins-execution-in-endpoint-logs`, `performing-dynamic-analysis-with-any-run` +1 more |
| [T1218.013](https://attack.mitre.org/techniques/T1218/013/) | `detecting-living-off-the-land-attacks` |
| [T1222.001](https://attack.mitre.org/techniques/T1222/001/) | `conducting-domain-persistence-with-dcsync` |
| [T1497](https://attack.mitre.org/techniques/T1497/) | `analyzing-malware-sandbox-evasion-techniques` |
| [T1497.001](https://attack.mitre.org/techniques/T1497/001/) | `analyzing-malware-sandbox-evasion-techniques` |
| [T1497.002](https://attack.mitre.org/techniques/T1497/002/) | `analyzing-malware-sandbox-evasion-techniques` |
| [T1497.003](https://attack.mitre.org/techniques/T1497/003/) | `analyzing-malware-sandbox-evasion-techniques` |
| [T1550](https://attack.mitre.org/techniques/T1550/) | `performing-lateral-movement-detection` |
| [T1550.001](https://attack.mitre.org/techniques/T1550/001/) | `detecting-azure-lateral-movement` |
| [T1550.002](https://attack.mitre.org/techniques/T1550/002/) | `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement`, `detecting-lateral-movement-in-network`, `detecting-lateral-movement-with-splunk` +6 more |
| [T1550.003](https://attack.mitre.org/techniques/T1550/003/) | `conducting-pass-the-ticket-attack`, `detecting-pass-the-hash-attacks`, `detecting-pass-the-ticket-attacks`, `exploiting-constrained-delegation-abuse` |
| [T1550.004](https://attack.mitre.org/techniques/T1550/004/) | `performing-initial-access-with-evilginx3` |
| [T1562](https://attack.mitre.org/techniques/T1562/) | `detecting-evasion-techniques-in-endpoint-logs`, `performing-purple-team-atomic-testing` |
| [T1562.001](https://attack.mitre.org/techniques/T1562/001/) | `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports`, `detecting-evasion-techniques-in-endpoint-logs`, `detecting-fileless-attacks-on-endpoints`, `detecting-suspicious-powershell-execution` +1 more |
| [T1610](https://attack.mitre.org/techniques/T1610/) | `detecting-container-escape-attempts`, `detecting-container-escape-with-falco-rules` |
---
## 🔑 Credential Access
**27 techniques covered**
| Technique | Skills |
|:----------|:-------|
| [T1003](https://attack.mitre.org/techniques/T1003/) | `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rules-with-sigma`, `detecting-container-escape-with-falco-rules`, `detecting-credential-dumping-techniques` +10 more |
| [T1003.001](https://attack.mitre.org/techniques/T1003/001/) | `analyzing-campaign-attribution-evidence`, `analyzing-powershell-script-block-logging`, `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl` +13 more |
| [T1003.002](https://attack.mitre.org/techniques/T1003/002/) | `detecting-credential-dumping-techniques`, `detecting-t1003-credential-dumping-with-edr`, `performing-purple-team-atomic-testing` |
| [T1003.003](https://attack.mitre.org/techniques/T1003/003/) | `detecting-credential-dumping-techniques`, `detecting-t1003-credential-dumping-with-edr`, `performing-purple-team-atomic-testing` |
| [T1003.004](https://attack.mitre.org/techniques/T1003/004/) | `detecting-t1003-credential-dumping-with-edr`, `performing-credential-access-with-lazagne`, `performing-purple-team-atomic-testing` |
| [T1003.005](https://attack.mitre.org/techniques/T1003/005/) | `detecting-t1003-credential-dumping-with-edr`, `performing-purple-team-atomic-testing` |
| [T1003.006](https://attack.mitre.org/techniques/T1003/006/) | `analyzing-windows-event-logs-in-splunk`, `conducting-domain-persistence-with-dcsync`, `conducting-full-scope-red-team-engagement`, `conducting-internal-network-penetration-test`, `detecting-dcsync-attack-in-active-directory` +8 more |
| [T1110](https://attack.mitre.org/techniques/T1110/) | `analyzing-windows-event-logs-in-splunk`, `building-detection-rule-with-splunk-spl`, `conducting-internal-network-penetration-test`, `implementing-mitre-attack-coverage-mapping`, `implementing-siem-use-cases-for-detection` +3 more |
| [T1110.001](https://attack.mitre.org/techniques/T1110/001/) | `analyzing-windows-event-logs-in-splunk`, `building-detection-rule-with-splunk-spl`, `implementing-siem-use-cases-for-detection`, `performing-false-positive-reduction-in-siem`, `performing-purple-team-atomic-testing` |
| [T1110.002](https://attack.mitre.org/techniques/T1110/002/) | `exploiting-kerberoasting-with-impacket` |
| [T1110.003](https://attack.mitre.org/techniques/T1110/003/) | `detecting-pass-the-ticket-attacks`, `implementing-siem-use-cases-for-detection`, `performing-purple-team-atomic-testing` |
| [T1187](https://attack.mitre.org/techniques/T1187/) | `detecting-ntlm-relay-with-event-correlation` |
| [T1528](https://attack.mitre.org/techniques/T1528/) | `detecting-azure-lateral-movement`, `detecting-azure-service-principal-abuse` |
| [T1539](https://attack.mitre.org/techniques/T1539/) | `performing-credential-access-with-lazagne`, `performing-initial-access-with-evilginx3` |
| [T1552](https://attack.mitre.org/techniques/T1552/) | `performing-cloud-incident-containment-procedures`, `performing-purple-team-atomic-testing` |
| [T1552.001](https://attack.mitre.org/techniques/T1552/001/) | `performing-credential-access-with-lazagne`, `performing-purple-team-atomic-testing` |
| [T1552.002](https://attack.mitre.org/techniques/T1552/002/) | `performing-credential-access-with-lazagne` |
| [T1552.005](https://attack.mitre.org/techniques/T1552/005/) | `conducting-cloud-penetration-testing` |
| [T1552.006](https://attack.mitre.org/techniques/T1552/006/) | `deploying-active-directory-honeytokens` |
| [T1557](https://attack.mitre.org/techniques/T1557/) | `performing-initial-access-with-evilginx3` |
| [T1557.001](https://attack.mitre.org/techniques/T1557/001/) | `conducting-internal-network-penetration-test`, `detecting-ntlm-relay-with-event-correlation`, `hunting-for-ntlm-relay-attacks` |
| [T1558](https://attack.mitre.org/techniques/T1558/) | `analyzing-windows-event-logs-in-splunk`, `conducting-pass-the-ticket-attack`, `exploiting-kerberoasting-with-impacket`, `exploiting-nopac-cve-2021-42278-42287`, `performing-lateral-movement-detection` +1 more |
| [T1558.001](https://attack.mitre.org/techniques/T1558/001/) | `analyzing-windows-event-logs-in-splunk`, `conducting-domain-persistence-with-dcsync`, `detecting-golden-ticket-attacks-in-kerberos-logs`, `detecting-golden-ticket-forgery`, `detecting-kerberoasting-attacks` +3 more |
| [T1558.002](https://attack.mitre.org/techniques/T1558/002/) | `performing-active-directory-compromise-investigation` |
| [T1558.003](https://attack.mitre.org/techniques/T1558/003/) | `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement`, `conducting-internal-network-penetration-test`, `deploying-active-directory-honeytokens` +12 more |
| [T1558.004](https://attack.mitre.org/techniques/T1558/004/) | `detecting-kerberoasting-attacks` |
| [T1649](https://attack.mitre.org/techniques/T1649/) | `exploiting-active-directory-certificate-services-esc1` |
---
## 🗺️ Discovery
**20 techniques covered**
| Technique | Skills |
|:----------|:-------|
| [T1016](https://attack.mitre.org/techniques/T1016/) | `conducting-full-scope-red-team-engagement`, `conducting-internal-reconnaissance-with-bloodhound-ce`, `exploiting-active-directory-with-bloodhound`, `performing-purple-team-atomic-testing` |
| [T1018](https://attack.mitre.org/techniques/T1018/) | `conducting-full-scope-red-team-engagement`, `conducting-internal-reconnaissance-with-bloodhound-ce`, `detecting-network-scanning-with-ids-signatures`, `exploiting-active-directory-with-bloodhound`, `performing-active-directory-bloodhound-analysis` |
| [T1033](https://attack.mitre.org/techniques/T1033/) | `conducting-internal-reconnaissance-with-bloodhound-ce`, `detecting-privilege-escalation-attempts`, `exploiting-active-directory-with-bloodhound`, `performing-purple-team-atomic-testing` |
| [T1040](https://attack.mitre.org/techniques/T1040/) | `implementing-continuous-security-validation-with-bas` |
| [T1046](https://attack.mitre.org/techniques/T1046/) | `detecting-network-scanning-with-ids-signatures`, `detecting-privilege-escalation-attempts`, `performing-packet-injection-attack`, `triaging-security-incident` |
| [T1049](https://attack.mitre.org/techniques/T1049/) | `performing-purple-team-atomic-testing` |
| [T1057](https://attack.mitre.org/techniques/T1057/) | `performing-purple-team-atomic-testing` |
| [T1069](https://attack.mitre.org/techniques/T1069/) | `performing-purple-team-atomic-testing` |
| [T1069.001](https://attack.mitre.org/techniques/T1069/001/) | `performing-active-directory-bloodhound-analysis`, `performing-purple-team-atomic-testing` |
| [T1069.002](https://attack.mitre.org/techniques/T1069/002/) | `conducting-internal-reconnaissance-with-bloodhound-ce`, `exploiting-active-directory-with-bloodhound`, `performing-active-directory-bloodhound-analysis`, `performing-kerberoasting-attack`, `performing-purple-team-atomic-testing` |
| [T1082](https://attack.mitre.org/techniques/T1082/) | `conducting-full-scope-red-team-engagement`, `performing-purple-team-atomic-testing` |
| [T1083](https://attack.mitre.org/techniques/T1083/) | `implementing-canary-tokens-for-network-intrusion`, `performing-purple-team-atomic-testing` |
| [T1087](https://attack.mitre.org/techniques/T1087/) | `conducting-full-scope-red-team-engagement`, `executing-red-team-engagement-planning`, `implementing-continuous-security-validation-with-bas`, `performing-purple-team-atomic-testing` |
| [T1087.001](https://attack.mitre.org/techniques/T1087/001/) | `performing-purple-team-atomic-testing` |
| [T1087.002](https://attack.mitre.org/techniques/T1087/002/) | `conducting-internal-reconnaissance-with-bloodhound-ce`, `deploying-active-directory-honeytokens`, `exploiting-active-directory-certificate-services-esc1`, `exploiting-active-directory-with-bloodhound`, `exploiting-kerberoasting-with-impacket` +3 more |
| [T1087.004](https://attack.mitre.org/techniques/T1087/004/) | `detecting-azure-service-principal-abuse`, `implementing-mitre-attack-coverage-mapping` |
| [T1482](https://attack.mitre.org/techniques/T1482/) | `conducting-internal-reconnaissance-with-bloodhound-ce`, `exploiting-active-directory-with-bloodhound`, `performing-active-directory-bloodhound-analysis` |
| [T1518](https://attack.mitre.org/techniques/T1518/) | `performing-purple-team-atomic-testing` |
| [T1518.001](https://attack.mitre.org/techniques/T1518/001/) | `performing-purple-team-atomic-testing` |
| [T1580](https://attack.mitre.org/techniques/T1580/) | `implementing-mitre-attack-coverage-mapping` |
---
## ↔️ Lateral Movement
**9 techniques covered**
| Technique | Skills |
|:----------|:-------|
| [T1021](https://attack.mitre.org/techniques/T1021/) | `detecting-lateral-movement-in-network`, `detecting-lateral-movement-with-splunk`, `detecting-service-account-abuse`, `executing-red-team-engagement-planning`, `exploiting-constrained-delegation-abuse` +10 more |
| [T1021.001](https://attack.mitre.org/techniques/T1021/001/) | `analyzing-campaign-attribution-evidence`, `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl`, `building-threat-hunt-hypothesis-framework` +8 more |
| [T1021.002](https://attack.mitre.org/techniques/T1021/002/) | `analyzing-windows-event-logs-in-splunk`, `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl`, `conducting-full-scope-red-team-engagement`, `conducting-internal-network-penetration-test` +10 more |
| [T1021.003](https://attack.mitre.org/techniques/T1021/003/) | `detecting-lateral-movement-with-splunk`, `hunting-for-dcom-lateral-movement`, `performing-lateral-movement-detection`, `performing-lateral-movement-with-wmiexec`, `performing-purple-team-atomic-testing` |
| [T1021.004](https://attack.mitre.org/techniques/T1021/004/) | `detecting-lateral-movement-with-splunk`, `performing-purple-team-atomic-testing` |
| [T1021.006](https://attack.mitre.org/techniques/T1021/006/) | `building-attack-pattern-library-from-cti-reports`, `detecting-lateral-movement-with-splunk`, `performing-lateral-movement-detection`, `performing-purple-team-atomic-testing` |
| [T1210](https://attack.mitre.org/techniques/T1210/) | `exploiting-ms17-010-eternalblue-vulnerability`, `exploiting-zerologon-vulnerability-cve-2020-1472` |
| [T1534](https://attack.mitre.org/techniques/T1534/) | `implementing-mitre-attack-coverage-mapping` |
| [T1570](https://attack.mitre.org/techniques/T1570/) | `detecting-lateral-movement-in-network`, `detecting-lateral-movement-with-splunk`, `performing-lateral-movement-with-wmiexec`, `performing-purple-team-atomic-testing` |
---
## 📦 Collection
**13 techniques covered**
| Technique | Skills |
|:----------|:-------|
| [T1005](https://attack.mitre.org/techniques/T1005/) | `conducting-malware-incident-response`, `detecting-container-escape-with-falco-rules`, `performing-purple-team-atomic-testing` |
| [T1039](https://attack.mitre.org/techniques/T1039/) | `performing-purple-team-atomic-testing` |
| [T1074](https://attack.mitre.org/techniques/T1074/) | `building-attack-pattern-library-from-cti-reports`, `executing-red-team-exercise`, `hunting-for-data-staging-before-exfiltration` |
| [T1074.001](https://attack.mitre.org/techniques/T1074/001/) | `hunting-for-data-staging-before-exfiltration`, `performing-purple-team-atomic-testing` |
| [T1074.002](https://attack.mitre.org/techniques/T1074/002/) | `hunting-for-data-staging-before-exfiltration` |
| [T1113](https://attack.mitre.org/techniques/T1113/) | `performing-purple-team-atomic-testing` |
| [T1114.002](https://attack.mitre.org/techniques/T1114/002/) | `detecting-email-forwarding-rules-attack` |
| [T1114.003](https://attack.mitre.org/techniques/T1114/003/) | `detecting-business-email-compromise`, `detecting-email-forwarding-rules-attack` |
| [T1115](https://attack.mitre.org/techniques/T1115/) | `performing-purple-team-atomic-testing` |
| [T1213](https://attack.mitre.org/techniques/T1213/) | `conducting-full-scope-red-team-engagement` |
| [T1530](https://attack.mitre.org/techniques/T1530/) | `detecting-insider-threat-behaviors`, `implementing-mitre-attack-coverage-mapping`, `performing-cloud-incident-containment-procedures` |
| [T1560](https://attack.mitre.org/techniques/T1560/) | `conducting-full-scope-red-team-engagement`, `hunting-for-data-staging-before-exfiltration` |
| [T1560.001](https://attack.mitre.org/techniques/T1560/001/) | `hunting-for-data-staging-before-exfiltration`, `performing-purple-team-atomic-testing` |
---
## 📡 Command and Control
**20 techniques covered**
| Technique | Skills |
|:----------|:-------|
| [T1071](https://attack.mitre.org/techniques/T1071/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-network-covert-channels-in-malware`, `analyzing-ransomware-network-indicators`, `analyzing-threat-actor-ttps-with-mitre-attack`, `hunting-advanced-persistent-threats` +6 more |
| [T1071.001](https://attack.mitre.org/techniques/T1071/001/) | `analyzing-apt-group-with-mitre-navigator`, `analyzing-campaign-attribution-evidence`, `analyzing-powershell-empire-artifacts`, `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports` +13 more |
| [T1071.004](https://attack.mitre.org/techniques/T1071/004/) | `building-attack-pattern-library-from-cti-reports`, `building-c2-infrastructure-with-sliver-framework`, `hunting-for-beaconing-with-frequency-analysis`, `hunting-for-command-and-control-beaconing`, `hunting-for-dns-tunneling-with-zeek` +3 more |
| [T1090](https://attack.mitre.org/techniques/T1090/) | `implementing-mitre-attack-coverage-mapping`, `performing-purple-team-atomic-testing` |
| [T1090.001](https://attack.mitre.org/techniques/T1090/001/) | `performing-purple-team-atomic-testing` |
| [T1090.002](https://attack.mitre.org/techniques/T1090/002/) | `building-c2-infrastructure-with-sliver-framework`, `building-red-team-c2-infrastructure-with-havoc` |
| [T1090.004](https://attack.mitre.org/techniques/T1090/004/) | `hunting-for-domain-fronting-c2-traffic` |
| [T1095](https://attack.mitre.org/techniques/T1095/) | `hunting-for-command-and-control-beaconing`, `hunting-for-unusual-network-connections` |
| [T1102](https://attack.mitre.org/techniques/T1102/) | `hunting-for-living-off-the-cloud-techniques` |
| [T1105](https://attack.mitre.org/techniques/T1105/) | `analyzing-powershell-script-block-logging`, `building-attack-pattern-library-from-cti-reports`, `building-c2-infrastructure-with-sliver-framework`, `building-red-team-c2-infrastructure-with-havoc`, `detecting-fileless-attacks-on-endpoints` +7 more |
| [T1132](https://attack.mitre.org/techniques/T1132/) | `hunting-for-command-and-control-beaconing`, `performing-purple-team-atomic-testing` |
| [T1132.001](https://attack.mitre.org/techniques/T1132/001/) | `building-c2-infrastructure-with-sliver-framework`, `performing-purple-team-atomic-testing` |
| [T1219](https://attack.mitre.org/techniques/T1219/) | `performing-purple-team-atomic-testing` |
| [T1568](https://attack.mitre.org/techniques/T1568/) | `hunting-for-command-and-control-beaconing`, `implementing-mitre-attack-coverage-mapping` |
| [T1568.002](https://attack.mitre.org/techniques/T1568/002/) | `hunting-for-beaconing-with-frequency-analysis` |
| [T1571](https://attack.mitre.org/techniques/T1571/) | `hunting-for-unusual-network-connections`, `implementing-mitre-attack-coverage-mapping` |
| [T1572](https://attack.mitre.org/techniques/T1572/) | `building-c2-infrastructure-with-sliver-framework`, `hunting-for-command-and-control-beaconing`, `hunting-for-dns-tunneling-with-zeek`, `implementing-mitre-attack-coverage-mapping` |
| [T1573](https://attack.mitre.org/techniques/T1573/) | `analyzing-ransomware-network-indicators`, `hunting-for-beaconing-with-frequency-analysis`, `hunting-for-command-and-control-beaconing`, `implementing-mitre-attack-coverage-mapping`, `performing-purple-team-atomic-testing` |
| [T1573.001](https://attack.mitre.org/techniques/T1573/001/) | `performing-purple-team-atomic-testing` |
| [T1573.002](https://attack.mitre.org/techniques/T1573/002/) | `building-c2-infrastructure-with-sliver-framework`, `building-red-team-c2-infrastructure-with-havoc` |
---
## 📤 Exfiltration
**12 techniques covered**
| Technique | Skills |
|:----------|:-------|
| [T1020](https://attack.mitre.org/techniques/T1020/) | `hunting-for-data-exfiltration-indicators` |
| [T1029](https://attack.mitre.org/techniques/T1029/) | `hunting-for-data-exfiltration-indicators` |
| [T1030](https://attack.mitre.org/techniques/T1030/) | `hunting-for-data-exfiltration-indicators` |
| [T1041](https://attack.mitre.org/techniques/T1041/) | `analyzing-campaign-attribution-evidence`, `analyzing-ransomware-network-indicators`, `building-attack-pattern-library-from-cti-reports`, `conducting-full-scope-red-team-engagement`, `conducting-malware-incident-response` +6 more |
| [T1048](https://attack.mitre.org/techniques/T1048/) | `building-attack-pattern-library-from-cti-reports`, `building-detection-rule-with-splunk-spl`, `conducting-full-scope-red-team-engagement`, `hunting-for-data-exfiltration-indicators`, `implementing-continuous-security-validation-with-bas` +2 more |
| [T1048.001](https://attack.mitre.org/techniques/T1048/001/) | `hunting-for-data-exfiltration-indicators` |
| [T1048.002](https://attack.mitre.org/techniques/T1048/002/) | `hunting-for-data-exfiltration-indicators` |
| [T1048.003](https://attack.mitre.org/techniques/T1048/003/) | `conducting-full-scope-red-team-engagement`, `hunting-for-data-exfiltration-indicators`, `hunting-for-dns-tunneling-with-zeek`, `implementing-continuous-security-validation-with-bas`, `implementing-mitre-attack-coverage-mapping` +2 more |
| [T1052](https://attack.mitre.org/techniques/T1052/) | `hunting-for-data-exfiltration-indicators` |
| [T1537](https://attack.mitre.org/techniques/T1537/) | `hunting-for-data-exfiltration-indicators`, `hunting-for-living-off-the-cloud-techniques`, `implementing-mitre-attack-coverage-mapping`, `implementing-threat-modeling-with-mitre-attack`, `performing-cloud-incident-containment-procedures` |
| [T1567](https://attack.mitre.org/techniques/T1567/) | `detecting-insider-threat-behaviors`, `hunting-for-data-exfiltration-indicators`, `hunting-for-living-off-the-cloud-techniques`, `implementing-continuous-security-validation-with-bas`, `performing-purple-team-atomic-testing` |
| [T1567.002](https://attack.mitre.org/techniques/T1567/002/) | `hunting-for-data-exfiltration-indicators`, `performing-purple-team-atomic-testing` |
---
## 💥 Impact
**6 techniques covered**
| Technique | Skills |
|:----------|:-------|
| [T1485](https://attack.mitre.org/techniques/T1485/) | `hunting-for-shadow-copy-deletion`, `performing-purple-team-atomic-testing` |
| [T1486](https://attack.mitre.org/techniques/T1486/) | `analyzing-ransomware-network-indicators`, `building-attack-pattern-library-from-cti-reports`, `building-threat-hunt-hypothesis-framework`, `conducting-full-scope-red-team-engagement`, `hunting-for-shadow-copy-deletion` +7 more |
| [T1489](https://attack.mitre.org/techniques/T1489/) | `conducting-full-scope-red-team-engagement`, `performing-purple-team-atomic-testing` |
| [T1490](https://attack.mitre.org/techniques/T1490/) | `building-soc-playbook-for-ransomware`, `hunting-for-shadow-copy-deletion`, `performing-purple-team-atomic-testing`, `performing-purple-team-exercise` |
| [T1491](https://attack.mitre.org/techniques/T1491/) | `performing-purple-team-atomic-testing` |
| [T1491.002](https://attack.mitre.org/techniques/T1491/002/) | `performing-purple-team-atomic-testing` |
---
## 🔧 Other / Cross-Tactic Techniques
| Technique | Skills |
|:----------|:-------|
| T0157 | `exploiting-kerberoasting-with-impacket` |
| T0200 | `building-vulnerability-scanning-workflow`, `performing-authenticated-scan-with-openvas` |
| T0802 | `detecting-attacks-on-historian-servers` |
| T0809 | `detecting-attacks-on-historian-servers` |
| T0814 | `detecting-modbus-command-injection-attacks` |
| T0816 | `detecting-dnp3-protocol-anomalies` |
| T0830 | `detecting-modbus-protocol-anomalies` |
| T0831 | `detecting-modbus-protocol-anomalies` |
| T0832 | `detecting-attacks-on-historian-servers` |
| T0833 | `detecting-stuxnet-style-attacks` |
| T0836 | `detecting-modbus-command-injection-attacks`, `detecting-modbus-protocol-anomalies`, `detecting-stuxnet-style-attacks` |
| T0839 | `detecting-dnp3-protocol-anomalies`, `detecting-stuxnet-style-attacks` |
| T0843 | `detecting-modbus-command-injection-attacks`, `performing-s7comm-protocol-security-analysis` |
| T0847 | `detecting-stuxnet-style-attacks` |
| T0855 | `detecting-dnp3-protocol-anomalies`, `detecting-modbus-command-injection-attacks`, `detecting-modbus-protocol-anomalies` |
| T0856 | `detecting-stuxnet-style-attacks` |
| T0862 | `detecting-stuxnet-style-attacks` |
| T0866 | `detecting-stuxnet-style-attacks` |
| T0869 | `detecting-dnp3-protocol-anomalies` |
| T0881 | `performing-s7comm-protocol-security-analysis` |
| T0886 | `detecting-modbus-protocol-anomalies` |
| T1404 | `analyzing-android-malware-with-apktool` |
| T1417 | `analyzing-android-malware-with-apktool` |
| T1418 | `analyzing-android-malware-with-apktool` |
| T1553.006 | `analyzing-uefi-bootkit-persistence` |
| T1555 | `performing-credential-access-with-lazagne`, `performing-purple-team-atomic-testing` |
| T1555.003 | `performing-credential-access-with-lazagne`, `performing-purple-team-atomic-testing` |
| T1555.004 | `performing-credential-access-with-lazagne` |
| T1578 | `performing-cloud-incident-containment-procedures` |
| T1582 | `analyzing-android-malware-with-apktool` |
| T1611 | `detecting-container-escape-attempts`, `detecting-container-escape-with-falco-rules` |
| T1615 | `conducting-internal-reconnaissance-with-bloodhound-ce`, `exploiting-active-directory-with-bloodhound`, `performing-active-directory-bloodhound-analysis` |
| T1620 | `detecting-fileless-attacks-on-endpoints` |
| T5577 | `performing-physical-intrusion-assessment` |
---
## How This Was Generated
This coverage map was automatically generated by scanning all 753+ SKILL.md and agent.py files for MITRE ATT&CK technique IDs (pattern: `T####` and `T####.###`). Each technique was mapped to its parent tactic using the [MITRE ATT&CK Enterprise Matrix v16](https://attack.mitre.org/matrices/enterprise/).
To regenerate: `python3 extract_attack.py`
---
## MITRE ATLAS Coverage (v5.5.0)
81 skills mapped to ATLAS adversarial ML techniques.
Key techniques applied:
- AML.T0051 — LLM Prompt Injection (Execution)
- AML.T0054 — LLM Jailbreak (Privilege Escalation)
- AML.T0088 — Generate Deepfakes (AI Attack Staging)
- AML.T0010 — AI Supply Chain Compromise (Initial Access)
- AML.T0020 — Poison Training Data (Resource Development)
- AML.T0070 — RAG Poisoning (Persistence)
- AML.T0080 — AI Agent Context Poisoning (Persistence)
- AML.T0056 — Extract LLM System Prompt (Exfiltration)
## MITRE D3FEND Coverage (v1.3)
11 skills mapped to D3FEND defensive countermeasures.
Countermeasures applied span D3FEND tactical categories:
Harden, Detect, Isolate, Deceive, Evict, Restore.
Each skill's d3fend_techniques field lists the top 5 most relevant
defensive countermeasures derived from the skill's ATT&CK technique tags.
## NIST AI RMF Coverage (AI 100-1)
85 skills mapped to NIST AI Risk Management Framework subcategories.
Core functions covered:
- GOVERN: Organizational accountability for AI risk (GOVERN-1.1, GOVERN-6.1, GOVERN-6.2)
- MAP: AI risk identification and context (MAP-5.1, MAP-5.2, MAP-1.6)
- MEASURE: AI risk analysis and evaluation (MEASURE-2.5, MEASURE-2.7, MEASURE-2.8, MEASURE-2.11)
- MANAGE: AI risk response and recovery (MANAGE-2.4, MANAGE-3.1)
GenAI-specific subcategories applied: GOVERN-6.1, GOVERN-6.2 (responsible deployment policies).
---
<p align="center">
<sub>Part of <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills">Anthropic Cybersecurity Skills</a> — 753+ open-source cybersecurity skills for AI agents</sub>
</p>
CITATION.cff
+32
View File
@@ -0,0 +1,32 @@
cff-version: 1.2.0
message: "If you use this repository in your research, tools, or publications, please cite it as below."
type: software
title: "Anthropic-Cybersecurity-Skills"
abstract: >
A structured collection of 753 cybersecurity skills for AI agents, covering
penetration testing, digital forensics, threat intelligence, incident response,
cloud security, OT/SCADA security, AI security, and more. Each skill follows
a standardized format with YAML frontmatter metadata, step-by-step procedures,
tool commands, expected outputs, and MITRE ATT&CK mappings. Compatible with
Claude Code, GitHub Copilot, Cursor, Windsurf, Gemini CLI, and 20+ AI agent
platforms.
authors:
- name: "Mahipal"
email: mukuljangra5@gmail.com
alias: mukul975
repository-code: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
url: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
license: Apache-2.0
version: "1.1.0"
date-released: "2026-03-21"
keywords:
- cybersecurity
- AI agents
- skills
- penetration testing
- digital forensics
- threat intelligence
- incident response
- MITRE ATT&CK
- Claude Code
- open source
CODE_OF_CONDUCT.md
+1 -1
View File
@@ -36,7 +36,7 @@ This Code of Conduct applies within all community spaces, and also applies when
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at mukul975@users.noreply.github.com. All complaints will be reviewed and investigated promptly and fairly.
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at mukuljangra5@gmail.com. All complaints will be reviewed and investigated promptly and fairly.
All community leaders are obligated to respect the privacy and security of the reporter of any incident.
README.md
+263 -90
View File
@@ -1,138 +1,311 @@
<p align="center">
<img src="assets/banner.png" alt="Anthropic Cybersecurity Skills" width="600">
<img src="assets/banner.png" alt="Anthropic Cybersecurity Skills" width="100%">
</p>
<p align="center">
<strong>611+ cybersecurity skills for AI agents &middot; agentskills.io open standard</strong>
<a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache%202.0-blue.svg" alt="License"></a>
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers"><img src="https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=social" alt="Stars"></a>
<a href="#-framework-coverage"><img src="https://img.shields.io/badge/frameworks-5%20mapped-brightgreen.svg" alt="Frameworks"></a>
<a href="#-whats-inside"><img src="https://img.shields.io/badge/skills-754-orange.svg" alt="Skills"></a>
<a href="https://agentskills.io"><img src="https://img.shields.io/badge/standard-agentskills.io-purple.svg" alt="agentskills.io"></a>
<a href="#-compatible-platforms"><img src="https://img.shields.io/badge/platforms-26%2B-blue.svg" alt="Platforms"></a>
</p>
<p align="center">
<a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache_2.0-blue.svg?style=flat" alt="License"></a>
<img src="https://img.shields.io/badge/skills-611%2B-brightgreen?style=flat" alt="Skills Count">
<img src="https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=flat" alt="Stars">
<img src="https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=flat" alt="Last Commit">
<a href="https://agentskills.io"><img src="https://img.shields.io/badge/standard-agentskills.io-purple?style=flat" alt="Agent Skills"></a>
<img src="https://img.shields.io/badge/platforms-26%2B-orange?style=flat" alt="Platforms">
<strong>754 production-grade cybersecurity skills for AI agents — mapped to 5 industry frameworks</strong>
</p>
<p align="center">
<em>MITRE ATT&CK · NIST CSF 2.0 · MITRE ATLAS · MITRE D3FEND · NIST AI RMF</em>
</p>
> ⚠️ **Community Project** — This is an independent, community-created project. Not affiliated with Anthropic PBC.
---
> **Warning: Community Project -- Not affiliated with Anthropic PBC.**
> This is an independent, community-created collection. "Anthropic" in the repository name refers to the agentskills.io standard compatibility, not official Anthropic affiliation.
## Why this exists
The largest open-source collection of cybersecurity skills for AI agents. Every skill follows the [agentskills.io](https://agentskills.io) open standard and works instantly with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and 20+ other platforms.
AI agents are transforming cybersecurity — but they lack structured domain knowledge. A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump. Your AI agent doesn't — unless you give it the skills.
## Quick Start
**Anthropic Cybersecurity Skills** gives every AI agent instant access to **754 production-grade cybersecurity skills** spanning 26 security domains. Each skill follows the [agentskills.io](https://agentskills.io) open standard: YAML frontmatter for lightning-fast discovery, structured Markdown for step-by-step execution, and reference files for deep technical context.
**What makes v1.2.0 different from every other security skills repo:**
- **5-framework mapping** — Every skill is mapped to MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS v5.5, MITRE D3FEND v1.3, and NIST AI RMF 1.0. No other open-source library does this.
- **AI-native format** — Skills cost ~30 tokens to scan, provide full expert-level guidance when triggered, and work across 26+ AI agent platforms.
- **Real practitioner knowledge** — Not generated summaries. Structured workflows that mirror how senior security professionals actually work.
## 🚀 Quick start
**Method 1: npx skills**
```bash
# Option 1: npx (recommended)
npx skills add mukul975/Anthropic-Cybersecurity-Skills
```
**Method 2: Claude Code plugin**
```
# Option 2: Claude Code
/plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills
```
**Method 3: Manual clone**
```bash
# Option 3: Manual clone
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
cd Anthropic-Cybersecurity-Skills
```
## Skill Categories
Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any MCP-compatible agent.
| Category | Skills | Example Skills |
|----------|-------:|----------------|
| Cloud Security | 48 | AWS S3 Bucket Audit, Azure AD Configuration, GCP Security Assessment |
| Threat Intelligence | 43 | APT Group Analysis with MITRE Navigator, Campaign Attribution, Dark Web Monitoring |
| Web Application Security | 41 | HTTP Request Smuggling, XSS with Burp Suite, Web Cache Poisoning |
| Threat Hunting | 35 | Credential Dumping Detection, DNS Tunneling with Zeek, Living-off-the-Land Binaries |
| Malware Analysis | 34 | Cobalt Strike Beacon Config, Ghidra Reverse Engineering, YARA Rule Development |
| Digital Forensics | 34 | Disk Imaging with dd/dcfldd, Memory Forensics with Volatility3, Browser Forensics |
| SOC Operations | 33 | Windows Event Log Analysis, Splunk Detection Rules, SIEM Use Case Implementation |
| Network Security | 33 | Wireshark Traffic Analysis, VLAN Segmentation, Suricata IDS Configuration |
| Identity & Access Management | 33 | SAML SSO with Okta, Privileged Access Management, RBAC for Kubernetes |
| OT/ICS Security | 28 | SCADA System Attack Detection, Modbus Anomaly Detection, Purdue Model Segmentation |
| API Security | 28 | API Enumeration Detection, BOLA Exploitation, GraphQL Security Assessment |
| Container Security | 26 | Trivy Image Scanning, Falco Runtime Detection, Kubernetes Pod Security |
| Vulnerability Management | 24 | DefectDojo Dashboard, CVSS Scoring, Patch Management Workflow |
| Red Teaming | 24 | Sliver C2 Framework, BloodHound AD Analysis, Kerberoasting with Impacket |
| Incident Response | 24 | Ransomware Response, Cloud Incident Containment, Volatile Evidence Collection |
| Penetration Testing | 23 | External Network Pentest, Kubernetes Pentest, Active Directory Pentest |
| Zero Trust Architecture | 17 | HashiCorp Boundary, Zscaler ZTNA, BeyondCorp Access Model |
| Endpoint Security | 16 | CIS Benchmark Hardening, Windows Defender Configuration, Host-Based IDS |
| DevSecOps | 16 | GitLab CI Pipeline, Semgrep Custom SAST Rules, Secret Scanning with Gitleaks |
| Phishing Defense | 16 | Email Header Analysis, GoPhish Simulation, DMARC/DKIM/SPF Configuration |
| Cryptography | 13 | TLS 1.3 Configuration, HSM Key Storage, Certificate Authority with OpenSSL |
| Mobile Security | 12 | iOS App Analysis with Objection, Android Malware Reverse Engineering, Frida Hooking |
| Ransomware Defense | 5 | Ransomware Precursor Detection, Backup Strategy, Honeypot Detection |
| Compliance & Governance | 5 | GDPR Data Protection, ISO 27001 ISMS, PCI DSS Controls |
## 📖 Table of contents
## How It Works
- [🛡️ What's inside](#-whats-inside)
- [🗺️ Framework coverage](#-framework-coverage)
- [🤖 Compatible platforms](#-compatible-platforms)
- [📐 Skill structure](#-skill-structure)
- [🧠 How AI agents use these skills](#-how-ai-agents-use-these-skills)
- [📝 Example skills](#-example-skills)
- [👥 Contributing](#-contributing)
- [⭐ Star history](#-star-history)
- [📄 License](#-license)
Each skill follows the [agentskills.io](https://agentskills.io) **progressive disclosure** pattern. During discovery, an AI agent reads only the YAML frontmatter (~30-50 tokens) to decide relevance:
## 🛡️ What's inside
**754 skills across 26 security domains:**
| Domain | Skills | Example capabilities |
|--------|--------|---------------------|
| ☁️ Cloud Security | 60 | AWS S3 bucket audit, Azure AD config review, GCP IAM assessment |
| 🔍 Threat Hunting | 55 | C2 beaconing detection, DNS tunneling analysis, living-off-the-land |
| 📡 Threat Intelligence | 50 | APT group analysis with MITRE Navigator, campaign attribution, IOC enrichment |
| 🌐 Web Application Security | 42 | HTTP request smuggling, XSS with Burp Suite, web cache poisoning |
| 🔌 Network Security | 40 | Wireshark traffic analysis, VLAN segmentation, Suricata IDS tuning |
| 🦠 Malware Analysis | 39 | Ghidra reverse engineering, YARA rules, .NET decompilation |
| 🔎 Digital Forensics | 37 | Disk imaging with dd/dcfldd, Volatility3 memory forensics, browser artifacts |
| 📊 Security Operations | 36 | SIEM correlation rules, alert triage workflows, SOC playbooks |
| 🔑 IAM Security | 35 | SAML SSO with Okta, PAM deployment, service account hardening |
| 🖥️ SOC Operations | 33 | Tier 1-3 escalation procedures, incident classification, metrics tracking |
| ☸️ Container Security | 30 | Kubernetes RBAC audit, pod security policies, etcd encryption |
| 🏭 OT/ICS Security | 28 | SCADA monitoring, Modbus anomaly detection, Purdue model enforcement |
| 🔗 API Security | 28 | OAuth2 flow analysis, rate limiting, API gateway hardening |
| 🎯 Vulnerability Management | 25 | Nessus scanning, CVSS scoring, risk-based prioritization |
| 🚨 Incident Response | 25 | Containment procedures, evidence preservation, post-incident review |
| 🔴 Red Teaming | 24 | Cobalt Strike operations, LOTL techniques, evasion & persistence |
| 🎯 Penetration Testing | 23 | Active Directory exploitation, OSCP-style methodology, pivoting |
| 💻 Endpoint Security | 17 | EDR deployment, host-based detection, anti-tamper configuration |
| 🔧 DevSecOps | 17 | Pipeline security gates, SAST/DAST integration, IaC scanning |
| 🎣 Phishing Defense | 16 | Email header analysis, phishing simulation, DMARC/DKIM/SPF |
| 🕵️ OSINT | 15 | Domain reconnaissance, social engineering recon, dark web monitoring |
| 🔐 Cryptography | 14 | TLS configuration audit, certificate lifecycle, key management |
| 🏰 Zero Trust | 13 | Microsegmentation, BeyondCorp implementation, continuous verification |
| 📱 Mobile Security | 12 | APK analysis with APKTool, iOS forensics, MDM bypass detection |
| 🛡️ Ransomware Defense | 7 | Backup validation, recovery procedures, negotiation awareness |
| 🪤 Deception Technology | 5 | Honeypot deployment, honey tokens, decoy credential monitoring |
| **TOTAL** | **754** | |
## 🗺️ Framework coverage
v1.2.0 maps every skill to **5 industry-standard frameworks** — a first for any open-source cybersecurity skills library.
### MITRE ATT&CK Enterprise — 754/754 skills mapped
All 14 Enterprise tactics covered with 200+ technique mappings:
| Tactic | ID | Skills |
|--------|----|--------|
| Reconnaissance | TA0043 | 45+ |
| Resource Development | TA0042 | 30+ |
| Initial Access | TA0001 | 55+ |
| Execution | TA0002 | 60+ |
| Persistence | TA0003 | 50+ |
| Privilege Escalation | TA0004 | 55+ |
| Defense Evasion | TA0005 | 65+ |
| Credential Access | TA0006 | 45+ |
| Discovery | TA0007 | 50+ |
| Lateral Movement | TA0008 | 40+ |
| Collection | TA0009 | 35+ |
| Command and Control | TA0011 | 40+ |
| Exfiltration | TA0010 | 30+ |
| Impact | TA0040 | 35+ |
### NIST CSF 2.0 — 754/754 skills aligned
| Function | Skills | Coverage areas |
|----------|--------|---------------|
| Govern (GV) | 80+ | Policy, risk strategy, supply chain oversight |
| Identify (ID) | 120+ | Asset management, risk assessment, improvement |
| Protect (PR) | 150+ | Access control, awareness, data security, platform security |
| Detect (DE) | 200+ | Continuous monitoring, adverse event analysis |
| Respond (RS) | 160+ | Incident management, analysis, mitigation, reporting |
| Recover (RC) | 44+ | Recovery planning, execution, communication |
### 🆕 MITRE ATLAS v5.5 — 81 skills (NEW in v1.2.0)
AI-specific adversarial threat coverage including:
- ML model poisoning and evasion techniques
- AI supply chain compromise scenarios
- LLM prompt injection defense workflows
- AI agent tool abuse detection
- Agentic AI escape-to-host prevention
### 🆕 MITRE D3FEND v1.3 — 139 skills (NEW in v1.2.0)
Defensive technique mappings across all 7 D3FEND tactics:
- **Model** (27 techniques) — Threat modeling, attack surface analysis
- **Harden** (51 techniques) — System hardening, configuration management
- **Detect** (90 techniques) — Monitoring, anomaly detection, behavioral analysis
- **Isolate** (57 techniques) — Segmentation, sandboxing, containment
- **Deceive** (11 techniques) — Honeypots, decoys, misdirection
- **Evict** (19 techniques) — Threat removal, credential rotation
- **Restore** (12 techniques) — Backup, recovery, resilience
### 🆕 NIST AI RMF 1.0 — 85 skills (NEW in v1.2.0)
AI risk management coverage aligned with the four core functions:
- **Govern** — AI governance, accountability, organizational policies
- **Map** — AI system context, risk identification, stakeholder analysis
- **Measure** — AI risk metrics, testing, validation
- **Manage** — AI risk treatment, monitoring, continuous improvement
> 💡 **Why 5 frameworks matter:** Organizations face overlapping compliance requirements. A single skill like "analyzing-network-traffic-of-malware" maps to ATT&CK T1071 (Application Layer Protocol), NIST CSF DE.CM (Continuous Monitoring), ATLAS AML.T0047 (Evade ML Model), D3FEND D3-NTA (Network Traffic Analysis), and AI RMF MEASURE 2.6 (AI system monitoring). One skill, five compliance checkboxes.
## 🤖 Compatible platforms
**AI code assistants:**
Claude Code (Anthropic) · GitHub Copilot (Microsoft) · Cursor · Windsurf · Cline · Aider · Continue · Roo Code · Amazon Q Developer · Tabnine · Sourcegraph Cody · JetBrains AI
**CLI agents:**
OpenAI Codex CLI · Gemini CLI (Google)
**Autonomous agents:**
Devin · Replit Agent · SWE-agent · OpenHands
**Agent frameworks & SDKs:**
LangChain · CrewAI · AutoGen · Semantic Kernel · Haystack · Vercel AI SDK · Any MCP-compatible agent
## 📐 Skill structure
Every skill follows the [agentskills.io](https://agentskills.io) open standard:
```
skills/performing-memory-forensics-with-volatility3/
├── SKILL.md # Skill definition (YAML frontmatter + Markdown body)
│ ├── Frontmatter # → name, description, domain, tags, frameworks
│ ├── When to Use # → Trigger conditions for AI agents
│ ├── Prerequisites # → Required tools, access, environment
│ ├── Workflow # → Step-by-step execution guide
│ └── Verification # → How to confirm success
├── references/
│ ├── standards.md # MITRE ATT&CK, ATLAS, D3FEND, NIST mappings
│ └── workflows.md # Deep technical procedure reference
├── scripts/
│ └── process.py # Practitioner helper scripts
└── assets/
└── template.md # Checklists, report templates
```
**YAML frontmatter example:**
```yaml
---
name: performing-memory-forensics-with-volatility3
description: Analyze memory dumps to extract processes, network connections, and malware artifacts using Volatility3.
description: >-
Analyze memory dumps to extract running processes, network connections,
injected code, and malware artifacts using the Volatility3 framework.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, memory-analysis, volatility3, incident-response]
tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
atlas_techniques: [AML.T0047]
d3fend_techniques: [D3-MA, D3-PSMD]
nist_ai_rmf: [MEASURE-2.6]
nist_csf: [DE.CM-01, RS.AN-03]
version: "1.2"
author: mukul975
license: Apache-2.0
---
```
If the skill matches the task, the agent loads the full body -- workflow steps, prerequisites, tool commands, and verification checks -- without wasting tokens on irrelevant skills.
### Progressive disclosure — why 754 skills don't slow your agent down
## Compatible Platforms
| Stage | Token cost | When |
|-------|-----------|------|
| Discovery scan | ~30 tokens | Always — agent reads YAML frontmatter |
| Full skill load | 5002000 tokens | Only when skill matches the task |
| Deep reference pull | 10005000 tokens | Only when agent needs technical depth |
These skills work with any tool that supports the agentskills.io standard or can read structured Markdown:
Irrelevant skills cost virtually nothing. Relevant skills provide complete expert-level guidance.
| Platform | Integration |
|----------|------------|
| **Claude Code** | Native skill loading via `/plugin` |
| **GitHub Copilot** | Workspace context via `.skills/` directory |
| **OpenAI Codex CLI** | File-based context injection |
| **Cursor** | Project rules and docs integration |
| **Gemini CLI** | Context file loading |
| **Amp** | Skill directory mounting |
| **Goose** | Plugin-based skill loading |
| **Windsurf** | Context awareness from project files |
| **Aider** | Repository map integration |
| **Continue** | Custom context providers |
| And 16+ others | Any agent that reads structured Markdown |
## Skill Anatomy
Every skill follows a consistent directory structure:
## 🧠 How AI agents use these skills
```
skills/{skill-name}/
├── SKILL.md # Skill definition with YAML frontmatter
│ ├── Frontmatter # name, description, domain, subdomain, tags
│ ├── When to Use # Trigger conditions for AI agents
│ ├── Prerequisites # Required tools and access
│ ├── Workflow # Step-by-step execution guide
└── Verification # How to confirm success
├── references/
│ ├── standards.md # NIST, MITRE ATT&CK, CVE references
│ └── workflows.md # Deep technical procedure reference
├── scripts/
│ └── process.py # Practitioner helper scripts
└── assets/
└── template.md # Checklists and report templates
User prompt: "Analyze this memory dump for signs of credential theft"
Agent's internal process:
1. Scans 754 skill frontmatters (~30 tokens each) → finds 12 relevant skills
2. Loads top matches:
- performing-memory-forensics-with-volatility3
- hunting-for-credential-dumping-lsass
- analyzing-windows-event-logs-for-credential-access
3. Follows structured workflow from SKILL.md
4. References ATT&CK T1003 (Credential Dumping) mapping
5. Maps findings to D3FEND D3-PSMD (Process Self-Modification Detection)
6. Outputs structured findings with framework references
```
## Contributing
## 📝 Example skills
We welcome contributions from the cybersecurity community. See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines on adding new skills, improving existing ones, and our review process.
<details>
<summary><strong>🔍 Hunting for C2 beaconing</strong></summary>
## Star History
**Domain:** Threat Hunting · **ATT&CK:** T1071, T1573 · **D3FEND:** D3-NTA · **CSF:** DE.CM-01
Identifies command-and-control communication patterns in network traffic using beacon interval analysis, JA3/JA3S fingerprinting, and DNS request frequency modeling. Includes Zeek scripts for automated detection and SIEM correlation rules.
</details>
<details>
<summary><strong>🦠 Reverse engineering .NET malware with dnSpy</strong></summary>
**Domain:** Malware Analysis · **ATT&CK:** T1027, T1059.001 · **ATLAS:** AML.T0016 · **CSF:** DE.AE-02
Step-by-step decompilation workflow for .NET executables including de-obfuscation techniques, string decryption, C2 extraction, and behavioral analysis. Includes YARA rule templates for family classification.
</details>
<details>
<summary><strong>☸️ Auditing Kubernetes RBAC configurations</strong></summary>
**Domain:** Container Security · **ATT&CK:** T1078.004 · **D3FEND:** D3-ACL · **CSF:** PR.AA-01 · **AI RMF:** GOVERN-1.2
Systematic review of ClusterRoles, RoleBindings, and ServiceAccounts to identify overprivileged workloads, lateral movement paths, and secrets exposure. Includes kubectl audit scripts and remediation playbooks.
</details>
## 👥 Contributing
We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
**Ways to contribute:**
- 🆕 Add new skills using the [New Skill template](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=new-skill.yml)
- 🐛 Report issues with the [Bug Report template](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=bug-report.yml)
- 💡 Request features via [Feature Request](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=feature-request.yml)
- 📝 Improve documentation or fix typos
- 🗺️ Add framework mappings to existing skills
Every PR gets reviewed for technical accuracy and consistency with the agentskills.io standard. We aim to review within 48 hours.
## ⭐ Star history
[![Star History Chart](https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date)](https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date)
## License
## 🌐 Community
<a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache_2.0-blue.svg?style=flat" alt="License"></a>
- 📋 Listed on [SkillsLLM](https://skillsllm.com/skill/anthropic-cybersecurity-skills)
- 📚 Featured in [awesome-agent-skills](https://github.com/VoltAgent/awesome-agent-skills)
- 🔒 Featured in [awesome-ai-security](https://github.com/ottosulin/awesome-ai-security)
- 🖥️ Featured in [awesome-codex-cli](https://github.com/RoggeOhta/awesome-codex-cli)
- 📖 [Complete guide on Medium](https://fazal-sec.medium.com/claude-skills-ai-powered-cybersecurity-the-complete-guide-to-building-intelligent-security-7bb7e9d14c8e)
This project is licensed under the Apache License 2.0. See [LICENSE](LICENSE) for details.
## 📄 License
Apache License 2.0 — free for commercial and personal use. See [LICENSE](LICENSE) for details.
---
<p align="center">
<strong>If these skills help your AI agent defend better, consider giving this repo a ⭐</strong>
</p>
index.json
+1 -13624
View File
File diff suppressed because one or more lines are too long
mappings/mitre-attack/coverage-summary.md
+1 -1
View File
@@ -1,6 +1,6 @@
# ATT&CK Coverage Summary
Coverage analysis of the 607 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
Coverage analysis of the 753 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
## Tactic Coverage Matrix
skills/acquiring-disk-image-with-dd-and-dcfldd/SKILL.md
+15 -3
View File
@@ -1,12 +1,24 @@
---
name: acquiring-disk-image-with-dd-and-dcfldd
description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through
hash verification.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, disk-imaging, evidence-acquisition, dd, dcfldd, hash-verification]
version: "1.0"
tags:
- forensics
- disk-imaging
- evidence-acquisition
- dd
- dcfldd
- hash-verification
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
---
# Acquiring Disk Image with dd and dcfldd
skills/acquiring-disk-image-with-dd-and-dcfldd/scripts/agent.py
+28 -17
View File
@@ -1,17 +1,19 @@
#!/usr/bin/env python3
"""Forensic disk image acquisition agent using dd and dcfldd with hash verification."""
import shlex
import subprocess
import hashlib
import os
import sys
import datetime
import json
def run_cmd(cmd, capture=True):
"""Execute a shell command and return output."""
result = subprocess.run(cmd, shell=True, capture_output=capture, text=True)
"""Execute a command and return output."""
if isinstance(cmd, str):
cmd = shlex.split(cmd)
result = subprocess.run(cmd, capture_output=capture, text=True, timeout=120)
return result.stdout.strip(), result.stderr.strip(), result.returncode
@@ -65,16 +67,22 @@ def compute_hash(path, algorithm="sha256", block_size=65536):
def acquire_with_dd(source, destination, block_size=4096, log_file=None):
"""Acquire a forensic image using dd with error handling."""
cmd = (
f"dd if={source} of={destination} bs={block_size} "
f"conv=noerror,sync status=progress"
)
if log_file:
cmd += f" 2>&1 | tee {log_file}"
dd_cmd = [
"dd", f"if={source}", f"of={destination}",
f"bs={block_size}", "conv=noerror,sync", "status=progress"
]
print(f"[*] Starting dd acquisition: {source} -> {destination}")
print(f"[*] Block size: {block_size}")
start = datetime.datetime.utcnow()
_, stderr, rc = run_cmd(cmd, capture=False)
if log_file:
dd_proc = subprocess.run(dd_cmd, capture_output=True, text=True, timeout=120)
combined = (dd_proc.stdout or "") + (dd_proc.stderr or "")
with open(log_file, "w") as lf:
lf.write(combined)
rc = dd_proc.returncode
else:
result = subprocess.run(dd_cmd, text=True, timeout=120)
rc = result.returncode
elapsed = (datetime.datetime.utcnow() - start).total_seconds()
print(f"[*] Acquisition completed in {elapsed:.1f} seconds (rc={rc})")
return rc == 0
@@ -83,18 +91,21 @@ def acquire_with_dd(source, destination, block_size=4096, log_file=None):
def acquire_with_dcfldd(source, destination, hash_alg="sha256", hash_log=None,
error_log=None, block_size=4096, split_size=None):
"""Acquire a forensic image using dcfldd with built-in hashing."""
cmd = f"dcfldd if={source} of={destination} bs={block_size} conv=noerror,sync"
cmd += f" hash={hash_alg}"
cmd = [
"dcfldd", f"if={source}", f"of={destination}",
f"bs={block_size}", "conv=noerror,sync",
f"hash={hash_alg}", "hashwindow=1G",
]
if hash_log:
cmd += f" hashlog={hash_log}"
cmd += " hashwindow=1G"
cmd.append(f"hashlog={hash_log}")
if error_log:
cmd += f" errlog={error_log}"
cmd.append(f"errlog={error_log}")
if split_size:
cmd += f" split={split_size} splitformat=aa"
cmd.extend([f"split={split_size}", "splitformat=aa"])
print(f"[*] Starting dcfldd acquisition: {source} -> {destination}")
start = datetime.datetime.utcnow()
_, stderr, rc = run_cmd(cmd, capture=False)
result = subprocess.run(cmd, text=True, timeout=120)
rc = result.returncode
elapsed = (datetime.datetime.utcnow() - start).total_seconds()
print(f"[*] dcfldd completed in {elapsed:.1f} seconds (rc={rc})")
return rc == 0
skills/analyzing-active-directory-acl-abuse/SKILL.md
+23 -3
View File
@@ -1,20 +1,40 @@
---
name: analyzing-active-directory-acl-abuse
description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and
WriteOwner abuse paths
domain: cybersecurity
subdomain: identity-security
tags: [active-directory, acl-abuse, ldap, privilege-escalation]
version: "1.0"
tags:
- active-directory
- acl-abuse
- ldap
- privilege-escalation
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.AA-01
- PR.AA-05
- PR.AA-06
---
# Analyzing Active Directory ACL Abuse
## Overview
Active Directory Access Control Lists (ACLs) define permissions on AD objects through Discretionary Access Control Lists (DACLs) containing Access Control Entries (ACEs). Misconfigured ACEs can grant non-privileged users dangerous permissions such as GenericAll (full control), WriteDACL (modify permissions), WriteOwner (take ownership), and GenericWrite (modify attributes) on sensitive objects like Domain Admins groups, domain controllers, or GPOs.
This skill uses the ldap3 Python library to connect to a Domain Controller, query objects with their nTSecurityDescriptor attribute, parse the binary security descriptor into SDDL (Security Descriptor Definition Language) format, and identify ACEs that grant dangerous permissions to non-administrative principals. These misconfigurations are the basis for ACL-based attack paths discovered by tools like BloodHound.
## When to Use
- When investigating security incidents that require analyzing active directory acl abuse
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Python 3.9 or later with ldap3 library (`pip install ldap3`)
skills/analyzing-active-directory-acl-abuse/scripts/agent.py
-3
View File
@@ -4,11 +4,8 @@
import argparse
import json
import struct
import sys
from collections import defaultdict
from ldap3 import Server, Connection, ALL, NTLM, SUBTREE
from ldap3.protocol.formatters.formatters import format_sid
DANGEROUS_MASKS = {
skills/analyzing-android-malware-with-apktool/SKILL.md
+25 -3
View File
@@ -1,12 +1,26 @@
---
name: analyzing-android-malware-with-apktool
description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source
recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
domain: cybersecurity
subdomain: malware-analysis
tags: [Android, APK, apktool, jadx, androguard, mobile-malware, static-analysis, reverse-engineering]
version: "1.0"
tags:
- Android
- APK
- apktool
- jadx
- androguard
- mobile-malware
- static-analysis
- reverse-engineering
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Android Malware with Apktool
@@ -15,6 +29,14 @@ license: Apache-2.0
Android malware distributed as APK files can be statically analyzed to extract permissions, activities, services, broadcast receivers, and suspicious API calls without executing the sample. This skill uses androguard for programmatic APK analysis, identifying dangerous permission combinations, obfuscated code patterns, dynamic code loading, reflection-based API calls, and network communication indicators.
## When to Use
- When investigating security incidents that require analyzing android malware with apktool
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Python 3.9+ with `androguard`
skills/analyzing-api-gateway-access-logs/SKILL.md
+31 -7
View File
@@ -1,20 +1,44 @@
---
name: analyzing-api-gateway-access-logs
description: >
Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR
attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas
for statistical analysis of request patterns and anomaly detection. Use when
investigating API abuse or building API-specific threat detection rules.
description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass,
credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection.
Use when investigating API abuse or building API-specific threat detection rules.
'
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, api, gateway, access]
version: "1.0"
tags:
- analyzing
- api
- gateway
- access
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.CM-01
- RS.MA-01
- GV.OV-01
- DE.AE-02
---
# Analyzing API Gateway Access Logs
## When to Use
- When investigating security incidents that require analyzing api gateway access logs
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Parse API gateway access logs to identify attack patterns including broken object
skills/analyzing-api-gateway-access-logs/scripts/agent.py
-3
View File
@@ -1,15 +1,12 @@
#!/usr/bin/env python3
"""Agent for analyzing API Gateway access logs for security threats."""
import os
import re
import json
import argparse
from datetime import datetime
from collections import defaultdict
import pandas as pd
import numpy as np
def load_api_logs(log_path):
skills/analyzing-apt-group-with-mitre-navigator/SKILL.md
+32 -4
View File
@@ -1,12 +1,32 @@
---
name: analyzing-apt-group-with-mitre-navigator
description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps
of adversary TTPs for detection gap analysis and threat-informed defense.
domain: cybersecurity
subdomain: threat-intelligence
tags: [mitre-attack, navigator, apt, threat-actor, ttp-analysis, heatmap, detection-gap, threat-intelligence]
version: "1.0"
tags:
- mitre-attack
- navigator
- apt
- threat-actor
- ttp-analysis
- heatmap
- detection-gap
- threat-intelligence
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
---
# Analyzing APT Group with MITRE ATT&CK Navigator
@@ -14,6 +34,14 @@ license: Apache-2.0
MITRE ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices, enabling analysts to visualize threat actor technique coverage, compare multiple APT groups, identify detection gaps, and build threat-informed defense strategies. This skill covers querying ATT&CK data programmatically, mapping APT group TTPs to Navigator layers, creating multi-layer overlays for gap analysis, and generating actionable intelligence reports for detection engineering teams.
## When to Use
- When investigating security incidents that require analyzing apt group with mitre navigator
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Python 3.9+ with `attackcti`, `mitreattack-python`, `stix2`, `requests` libraries
@@ -36,7 +64,7 @@ ATT&CK catalogs over 140 threat groups with documented technique usage. Each gro
The Navigator supports loading multiple layers simultaneously, allowing analysts to overlay threat actor TTPs against detection coverage to identify gaps, compare multiple APT groups to find common techniques worth prioritizing, and track technique coverage changes over time.
## Practical Steps
## Workflow
### Step 1: Query ATT&CK Data for APT Group
skills/analyzing-apt-group-with-mitre-navigator/scripts/agent.py
-1
View File
@@ -8,7 +8,6 @@ performs detection gap analysis, and generates threat-informed reports.
import json
import os
import sys
import hashlib
from collections import Counter
try:
skills/analyzing-azure-activity-logs-for-threats/SKILL.md
+31 -7
View File
@@ -1,20 +1,44 @@
---
name: analyzing-azure-activity-logs-for-threats
description: >
Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to
detect suspicious administrative operations, impossible travel, privilege escalation,
and resource modifications. Builds KQL queries for threat hunting in Azure environments.
Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative
operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in
Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
'
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, azure, activity, logs]
version: "1.0"
tags:
- analyzing
- azure
- activity
- logs
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.CM-01
- RS.MA-01
- GV.OV-01
- DE.AE-02
---
# Analyzing Azure Activity Logs for Threats
## When to Use
- When investigating security incidents that require analyzing azure activity logs for threats
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Use azure-monitor-query to execute KQL queries against Azure Log Analytics workspaces,
skills/analyzing-bootkit-and-rootkit-samples/SKILL.md
+16 -6
View File
@@ -1,17 +1,27 @@
---
name: analyzing-bootkit-and-rootkit-samples
description: >
Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR),
Volume Boot Record (VBR), or UEFI firmware to gain persistence below the operating system.
Covers boot sector analysis, UEFI module inspection, and anti-rootkit detection techniques.
Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
description: 'Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Volume Boot Record
(VBR), or UEFI firmware to gain persistence below the operating system. Covers boot sector analysis, UEFI module inspection,
and anti-rootkit detection techniques. Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
persistence analysis, or pre-OS malware detection.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, bootkit, rootkit, UEFI, MBR-analysis]
tags:
- malware
- bootkit
- rootkit
- UEFI
- MBR-analysis
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Bootkit and Rootkit Samples
skills/analyzing-bootkit-and-rootkit-samples/scripts/agent.py
+5 -2
View File
@@ -112,8 +112,11 @@ def analyze_boot_code(mbr_data):
def run_volatility_rootkit_scan(memory_dump, plugin):
"""Run a Volatility 3 plugin for rootkit detection via subprocess."""
cmd = f"vol3 -f {memory_dump} {plugin}"
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
result = subprocess.run(
["vol3", "-f", memory_dump, plugin],
capture_output=True, text=True,
timeout=120,
)
return result.stdout, result.stderr, result.returncode
skills/analyzing-browser-forensics-with-hindsight/SKILL.md
+84 -3
View File
@@ -1,12 +1,28 @@
---
name: analyzing-browser-forensics-with-hindsight
description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached
content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
domain: cybersecurity
subdomain: digital-forensics
tags: [browser-forensics, hindsight, chrome-forensics, chromium, edge, browsing-history, cookies, downloads, cache, web-artifacts]
version: "1.0"
tags:
- browser-forensics
- hindsight
- chrome-forensics
- chromium
- edge
- browsing-history
- cookies
- downloads
- cache
- web-artifacts
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
---
# Analyzing Browser Forensics with Hindsight
@@ -15,6 +31,14 @@ license: Apache-2.0
Hindsight is an open-source browser forensics tool designed to parse artifacts from Google Chrome and other Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi). It extracts and correlates data from multiple browser database files to create a unified timeline of web activity. Hindsight can parse URLs, download history, cache records, bookmarks, autofill records, saved passwords, preferences, browser extensions, HTTP cookies, Local Storage (HTML5 cookies), login data, and session/tab information. The tool produces chronological timelines in multiple output formats (XLSX, JSON, SQLite) that enable investigators to reconstruct user web activity for incident response, insider threat investigations, and criminal cases.
## When to Use
- When investigating security incidents that require analyzing browser forensics with hindsight
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Python 3.8+ with Hindsight installed (`pip install pyhindsight`)
@@ -213,3 +237,60 @@ if __name__ == "__main__":
- Chrome Forensics Guide: https://allenace.medium.com/hindsight-chrome-forensics-made-simple-425db99fa5ed
- Browser Forensics Tools: https://www.cyberforensicacademy.com/blog/browser-forensics-tools-how-to-extract-user-activity
- Chromium Source (History): https://source.chromium.org/chromium/chromium/src/+/main:components/history/
## Example Output
```text
$ python hindsight.py -i /evidence/chrome-profile -o /analysis/hindsight_output
Hindsight v2024.01 - Chrome/Chromium Browser Forensic Analysis
================================================================
Profile: /evidence/chrome-profile (Chrome 120.0.6099.130)
OS: Windows 10
[+] Parsing History database...
URL records: 12,456
Download records: 234
Search terms: 567
[+] Parsing Cookies database...
Cookie records: 8,923
Encrypted cookies: 6,712
[+] Parsing Web Data (Autofill)...
Autofill entries: 1,234
Credit card entries: 2 (encrypted)
[+] Parsing Login Data...
Saved credentials: 45 (encrypted)
[+] Parsing Bookmarks...
Bookmark entries: 189
--- Browsing History (Last 10 Entries) ---
Timestamp (UTC) | URL | Title | Visit Count
2024-01-15 14:32:05.123 | https://mail.corporate.com/inbox | Corporate Mail | 45
2024-01-15 14:33:12.456 | https://drive.google.com/file/d/1aBcDe... | Q4_Financial_Report.xlsx | 1
2024-01-15 14:35:44.789 | https://mega.nz/folder/xYz123 | MEGA - Secure Cloud | 3
2024-01-15 14:36:01.234 | https://mega.nz/folder/xYz123#upload | MEGA - Upload | 8
2024-01-15 14:42:15.567 | https://pastebin.com/raw/kL9mN2pQ | Pastebin (raw) | 1
2024-01-15 15:01:33.890 | https://192.168.1.50:8443/admin | Admin Panel | 12
2024-01-15 15:15:22.111 | https://transfer.sh/upload | transfer.sh | 2
2024-01-15 15:30:45.222 | https://vpn-gateway.corporate.com | VPN Login | 5
2024-01-15 16:00:00.333 | https://whatismyipaddress.com | What Is My IP | 1
2024-01-15 16:05:12.444 | https://protonmail.com/inbox | ProtonMail | 3
--- Downloads (Suspicious) ---
Timestamp (UTC) | Filename | URL Source | Size
2024-01-15 14:33:15.000 | Q4_Financial_Report.xlsm | https://phish-domain.com/docs/report | 245 KB
2024-01-15 14:34:02.000 | update_client.exe | https://cdn.evil-updates.com/client.exe | 1.2 MB
--- Cookies (Session Tokens) ---
Domain | Name | Expires | Secure | HttpOnly
.corporate.com | SESSION_ID | 2024-01-16 14:32 | Yes | Yes
.mega.nz | session | Session | Yes | Yes
.protonmail.com | AUTH-TOKEN | 2024-02-15 00:00 | Yes | Yes
Report saved to: /analysis/hindsight_output/Hindsight_Report.xlsx
```
skills/analyzing-browser-forensics-with-hindsight/scripts/agent.py
-2
View File
@@ -10,8 +10,6 @@ import sys
import json
import sqlite3
import datetime
import hashlib
from collections import defaultdict
def chrome_time_to_datetime(chrome_time):
skills/analyzing-campaign-attribution-evidence/SKILL.md
+25 -4
View File
@@ -1,12 +1,25 @@
---
name: analyzing-campaign-attribution-evidence
description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or
group is responsible for a cyber operation. This skill covers collecting and weighting attr
domain: cybersecurity
subdomain: threat-intelligence
tags: [threat-intelligence, cti, ioc, mitre-attack, stix, attribution, campaign-analysis]
version: "1.0"
tags:
- threat-intelligence
- cti
- ioc
- mitre-attack
- stix
- attribution
- campaign-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
---
# Analyzing Campaign Attribution Evidence
@@ -14,6 +27,14 @@ license: Apache-2.0
Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attribution indicators using the Diamond Model and ACH (Analysis of Competing Hypotheses), analyzing infrastructure overlaps, TTP consistency, malware code similarities, operational timing patterns, and language artifacts to build confidence-weighted attribution assessments.
## When to Use
- When investigating security incidents that require analyzing campaign attribution evidence
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Python 3.9+ with `attackcti`, `stix2`, `networkx` libraries
@@ -40,7 +61,7 @@ Campaign attribution analysis involves systematically evaluating evidence to det
### Analysis of Competing Hypotheses (ACH)
Structured analytical method that evaluates evidence against multiple competing hypotheses. Each piece of evidence is scored as consistent, inconsistent, or neutral with respect to each hypothesis. The hypothesis with the least inconsistent evidence is favored.
## Practical Steps
## Workflow
### Step 1: Collect Attribution Evidence
skills/analyzing-campaign-attribution-evidence/scripts/agent.py
-3
View File
@@ -6,9 +6,6 @@ malware code similarity, timing patterns, and language artifacts.
"""
import json
import os
import sys
import hashlib
import re
from collections import defaultdict
from datetime import datetime
skills/analyzing-certificate-transparency-for-phishing/SKILL.md
+28 -4
View File
@@ -1,12 +1,28 @@
---
name: analyzing-certificate-transparency-for-phishing
description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.
description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates,
and unauthorized certificate issuance targeting your organization.
domain: cybersecurity
subdomain: threat-intelligence
tags: [certificate-transparency, ct-logs, phishing, crt-sh, certstream, ssl, domain-monitoring, threat-intelligence]
version: "1.0"
tags:
- certificate-transparency
- ct-logs
- phishing
- crt-sh
- certstream
- ssl
- domain-monitoring
- threat-intelligence
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0052
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
---
# Analyzing Certificate Transparency for Phishing
@@ -14,6 +30,14 @@ license: Apache-2.0
Certificate Transparency (CT) is an Internet security standard that creates a public, append-only log of all issued SSL/TLS certificates. Monitoring CT logs enables early detection of phishing domains that register certificates mimicking legitimate brands, unauthorized certificate issuance for owned domains, and certificate-based attack infrastructure. This skill covers querying CT logs via crt.sh, real-time monitoring with Certstream, building automated alerting for suspicious certificates, and integrating findings into threat intelligence workflows.
## When to Use
- When investigating security incidents that require analyzing certificate transparency for phishing
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Python 3.9+ with `requests`, `certstream`, `tldextract`, `Levenshtein` libraries
@@ -36,7 +60,7 @@ Attackers register lookalike domains and obtain free certificates (often from Le
crt.sh is a free web interface and PostgreSQL database operated by Sectigo that indexes CT logs. It supports wildcard searches (`%.example.com`), direct SQL queries, and JSON API responses. It tracks certificate issuance, expiration, and revocation across all major CT logs.
## Practical Steps
## Workflow
### Step 1: Query crt.sh for Certificate History
skills/analyzing-certificate-transparency-for-phishing/scripts/agent.py
-3
View File
@@ -6,10 +6,7 @@ certificates, and identifies potential phishing infrastructure.
"""
import json
import os
import sys
import re
from datetime import datetime
from collections import defaultdict
try:
skills/analyzing-cloud-storage-access-patterns/SKILL.md
+39 -7
View File
@@ -1,18 +1,50 @@
---
name: analyzing-cloud-storage-access-patterns
description: >-
Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail
Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads,
access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration
using statistical baselines and time-series anomaly detection.
description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS
audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API
calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.
domain: cybersecurity
subdomain: cloud-security
tags: [analyzing, cloud, storage, access]
version: "1.0"
tags:
- analyzing
- cloud
- storage
- access
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0024
- AML.T0056
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
---
# Analyzing Cloud Storage Access Patterns
## When to Use
- When investigating security incidents that require analyzing cloud storage access patterns
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with cloud security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install boto3 requests`
skills/analyzing-cloud-storage-access-patterns/scripts/agent.py
+1 -1
View File
@@ -21,7 +21,7 @@ def query_cloudtrail_s3_events(bucket_name, hours_back=24):
"--start-time", start_time,
"--output", "json",
]
result = subprocess.run(cmd, capture_output=True, text=True)
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
if result.returncode != 0:
logger.error("CloudTrail query failed: %s", result.stderr[:200])
return []
skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md
+25 -4
View File
@@ -1,12 +1,25 @@
---
name: analyzing-cobalt-strike-beacon-configuration
description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, malleable profiles, and operator tradecraft.
description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure,
malleable profiles, and operator tradecraft.
domain: cybersecurity
subdomain: malware-analysis
tags: [cobalt-strike, beacon, c2, malware-analysis, config-extraction, threat-hunting, red-team-tools]
version: "1.0"
tags:
- cobalt-strike
- beacon
- c2
- malware-analysis
- config-extraction
- threat-hunting
- red-team-tools
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Cobalt Strike Beacon Configuration
@@ -14,6 +27,14 @@ license: Apache-2.0
Cobalt Strike is a commercial adversary simulation tool widely abused by threat actors for post-exploitation operations. Beacon payloads contain embedded configuration data that reveals C2 server addresses, communication protocols, sleep intervals, jitter values, malleable C2 profile settings, watermark identifiers, and encryption keys. Extracting this configuration from PE files, shellcode, or memory dumps is critical for incident responders to map attacker infrastructure and attribute campaigns. The beacon configuration is XOR-encoded using a single byte (0x69 for version 3, 0x2e for version 4) and stored in a Type-Length-Value (TLV) format within the .data section.
## When to Use
- When investigating security incidents that require analyzing cobalt strike beacon configuration
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Python 3.9+ with `dissect.cobaltstrike`, `pefile`, `yara-python`
@@ -37,7 +58,7 @@ The beacon configuration encodes the malleable C2 profile that dictates HTTP req
Each Cobalt Strike license embeds a unique watermark (4-byte integer) into generated beacons. Extracting the watermark can link multiple beacons to the same operator or cracked license. Known watermark databases maintained by threat intelligence providers map watermarks to specific threat actors or leaked license keys.
## Practical Steps
## Workflow
### Step 1: Extract Configuration with CobaltStrikeParser
skills/analyzing-cobalt-strike-beacon-configuration/scripts/agent.py
-2
View File
@@ -8,9 +8,7 @@ communication settings, malleable C2 profile details, and watermark values.
import struct
import os
import sys
import json
import hashlib
import re
from collections import OrderedDict
# Cobalt Strike beacon configuration field IDs (Type-Length-Value format)
skills/analyzing-cobalt-strike-malleable-profiles/SKILL.md
-60
View File
@@ -1,60 +0,0 @@
---
name: analyzing-cobalt-strike-malleable-profiles
description: >
Parses Cobalt Strike malleable C2 profiles using pyMalleableC2 to extract beacon
configuration, HTTP communication patterns, and sleep/jitter settings. Combines with
JARM TLS fingerprinting to detect C2 servers on the network. Use when investigating
suspected Cobalt Strike infrastructure or building detection signatures for C2 traffic.
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, cobalt, strike, malleable]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Analyzing Cobalt Strike Malleable Profiles
## Instructions
Parse malleable C2 profiles to extract IOCs and detection opportunities using the
pyMalleableC2 library. Combine with JARM fingerprinting to identify C2 servers.
```python
from malleablec2 import Profile
# Parse a malleable profile from file
profile = Profile.from_file("amazon.profile")
# Extract global options (sleep, jitter, user-agent)
print(profile.ast.pretty())
# Access HTTP-GET block URIs and headers for network signatures
# Access HTTP-POST block for data exfiltration patterns
# Generate JARM fingerprints for known C2 infrastructure
```
Key analysis steps:
1. Parse the malleable profile to extract HTTP-GET/POST URI patterns
2. Extract User-Agent strings and custom headers for IDS signatures
3. Identify sleep time and jitter for beaconing detection thresholds
4. Scan suspect IPs with JARM to match known C2 fingerprint hashes
5. Cross-reference extracted IOCs with network traffic logs
## Examples
```python
# Parse profile and extract detection indicators
from malleablec2 import Profile
p = Profile.from_file("cobaltstrike.profile")
print(p) # Reconstructed source
# JARM scan a suspect C2 server
import subprocess
result = subprocess.run(
["python3", "jarm.py", "suspect-server.com"],
capture_output=True, text=True
)
print(result.stdout)
# Compare fingerprint against known CS JARM hashes
```
skills/analyzing-cobalt-strike-malleable-profiles/references/api-reference.md
-69
View File
@@ -1,69 +0,0 @@
# API Reference: Analyzing Cobalt Strike Malleable Profiles
## pyMalleableC2
```python
from malleablec2 import Profile
from malleablec2.components import HttpGetBlock, HttpPostBlock, ClientBlock, ServerBlock
# Parse from file or string
p = Profile.from_file("amazon.profile")
p = Profile.from_string(code_string)
p = Profile.from_scratch()
# Set global options
p.set_option("sleeptime", "3000")
p.set_option("jitter", "0")
p.set_option("pipename", "mojo__##")
# HTTP blocks
http_get = HttpGetBlock()
http_get.set_option("uri", "/updates")
client = ClientBlock()
client.add_statement("header", "Accept", "*/*")
http_get.add_code_block(client)
p.add_code_block(http_get)
# AST and reconstruction
print(p.ast.pretty()) # Display AST
print(p) # Reconstruct source
```
## JARM TLS Fingerprinting
```bash
# Scan a single host
python3 jarm.py www.example.com
# Scan with specific port
python3 jarm.py 192.168.1.1 -p 8443
# Batch scan from file
python3 jarm.py -i targets.txt -o results.csv
```
Fingerprint format: 62-char hybrid hash
- First 30 chars: cipher + TLS version (10 handshakes x 3 chars)
- Last 32 chars: truncated SHA256 of cumulative extensions
## Known Cobalt Strike JARM Hashes
| JARM Hash | Description |
|-----------|-------------|
| `07d14d16d21d21d07c42d41d00041d...` | CS default config |
| `07d14d16d21d21d00042d41d00041d...` | CS with Java 11 |
## dissect.cobaltstrike (Alternative)
```python
from dissect.cobaltstrike import beacon
b = beacon.BeaconConfig.from_file("beacon.bin")
print(b.protocol, b.port, b.sleeptime)
```
### References
- pyMalleableC2: https://github.com/byt3bl33d3r/pyMalleableC2
- JARM scanner: https://github.com/salesforce/jarm
- dissect.cobaltstrike: https://github.com/fox-it/dissect.cobaltstrike
- C2 JARM list: https://github.com/cedowens/C2-JARM
skills/analyzing-cobalt-strike-malleable-profiles/scripts/agent.py
-174
View File
@@ -1,174 +0,0 @@
#!/usr/bin/env python3
"""Agent for analyzing Cobalt Strike malleable C2 profiles and JARM fingerprinting."""
import os
import json
import subprocess
import argparse
from pathlib import Path
from datetime import datetime
from malleablec2 import Profile
def extract_profile_indicators(profile_path):
"""Extract detection indicators from a malleable C2 profile."""
with open(profile_path) as f:
content = f.read()
profile = Profile.from_string(content)
indicators = {
"file": str(profile_path),
"source_lines": len(content.splitlines()),
"reconstructed": str(profile),
}
keywords = ["sleeptime", "jitter", "useragent", "pipename", "host_stage",
"dns_idle", "dns_sleep", "spawnto_x86", "spawnto_x64"]
options = {}
for kw in keywords:
for line in content.splitlines():
stripped = line.strip().rstrip(";").strip()
if kw in stripped.lower() and "set " in stripped.lower():
parts = stripped.split('"')
if len(parts) >= 2:
options[kw] = parts[1]
indicators["global_options"] = options
uris = []
for line in content.splitlines():
if "set uri" in line.strip().lower():
parts = line.strip().split('"')
if len(parts) >= 2:
uris.append(parts[1])
indicators["uris"] = uris
headers = []
for line in content.splitlines():
stripped = line.strip()
if "header " in stripped.lower() and '"' in stripped:
parts = stripped.split('"')
if len(parts) >= 4:
headers.append({"name": parts[1], "value": parts[3]})
indicators["custom_headers"] = headers
return indicators
def scan_directory_profiles(directory):
"""Scan a directory for malleable C2 profiles and extract indicators."""
results = []
for path in Path(directory).rglob("*.profile"):
try:
indicators = extract_profile_indicators(str(path))
results.append(indicators)
except Exception as e:
results.append({"file": str(path), "error": str(e)})
return results
KNOWN_CS_JARM = {
"07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1":
"Cobalt Strike (default)",
"07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2":
"Cobalt Strike (Java 11)",
}
def compute_jarm_fingerprint(host, port=443):
"""Compute JARM fingerprint by invoking the salesforce/jarm scanner."""
jarm_script = os.getenv("JARM_SCRIPT", "jarm.py")
try:
result = subprocess.run(
["python3", jarm_script, host, "-p", str(port)],
capture_output=True, text=True, timeout=30,
)
for line in result.stdout.splitlines():
if len(line.strip()) >= 62:
return line.strip().split()[-1]
return result.stdout.strip()
except Exception as e:
return f"Error: {e}"
def check_jarm_against_known(fingerprint):
"""Check a JARM fingerprint against known Cobalt Strike signatures."""
for jarm_hash, description in KNOWN_CS_JARM.items():
if fingerprint.strip() == jarm_hash:
return {"match": True, "description": description, "fingerprint": fingerprint}
return {"match": False, "fingerprint": fingerprint}
def batch_jarm_scan(targets, port=443):
"""Scan multiple targets for JARM fingerprints and check against known CS hashes."""
results = []
for target in targets:
fp = compute_jarm_fingerprint(target, port)
match = check_jarm_against_known(fp)
match["target"] = target
results.append(match)
return results
def generate_snort_rules(indicators_list):
"""Generate Snort/Suricata rules from extracted profile indicators."""
rules = []
sid = 1000001
for ind in indicators_list:
for uri in ind.get("uris", []):
rules.append(
f'alert http $HOME_NET any -> $EXTERNAL_NET any '
f'(msg:"CS Beacon URI {uri}"; '
f'content:"{uri}"; http_uri; sid:{sid}; rev:1;)'
)
sid += 1
ua = ind.get("global_options", {}).get("useragent", "")
if ua:
rules.append(
f'alert http $HOME_NET any -> $EXTERNAL_NET any '
f'(msg:"CS Beacon User-Agent"; '
f'content:"{ua}"; http_header; sid:{sid}; rev:1;)'
)
sid += 1
return rules
def main():
parser = argparse.ArgumentParser(description="Cobalt Strike Malleable Profile Analyzer")
parser.add_argument("--profile", help="Path to a single malleable C2 profile")
parser.add_argument("--directory", help="Directory of malleable profiles")
parser.add_argument("--jarm-targets", nargs="*", help="Hosts to JARM fingerprint")
parser.add_argument("--output", default="cs_analysis_report.json")
parser.add_argument("--action", choices=[
"parse", "scan_dir", "jarm", "generate_rules", "full_analysis"
], default="full_analysis")
args = parser.parse_args()
report = {"generated_at": datetime.utcnow().isoformat(), "findings": {}}
if args.action in ("parse", "full_analysis") and args.profile:
indicators = extract_profile_indicators(args.profile)
report["findings"]["profile_indicators"] = indicators
print(f"[+] Parsed: {args.profile} ({len(indicators.get('uris', []))} URIs)")
if args.action in ("scan_dir", "full_analysis") and args.directory:
results = scan_directory_profiles(args.directory)
report["findings"]["directory_scan"] = results
print(f"[+] Scanned {len(results)} profiles in {args.directory}")
if args.action in ("jarm", "full_analysis") and args.jarm_targets:
jarm_results = batch_jarm_scan(args.jarm_targets)
report["findings"]["jarm_scan"] = jarm_results
matches = [r for r in jarm_results if r.get("match")]
print(f"[+] JARM: {len(jarm_results)} scanned, {len(matches)} CS matches")
if args.action in ("generate_rules", "full_analysis"):
profiles = report["findings"].get("directory_scan", [])
if not profiles and args.profile:
profiles = [report["findings"].get("profile_indicators", {})]
rules = generate_snort_rules(profiles)
report["findings"]["snort_rules"] = rules
print(f"[+] Generated {len(rules)} Snort rules")
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"[+] Report saved to {args.output}")
if __name__ == "__main__":
main()
skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md
+24 -3
View File
@@ -1,12 +1,25 @@
---
name: analyzing-cobaltstrike-malleable-c2-profiles
description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.
description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract
C2 indicators, detect evasion techniques, and generate network detection signatures.
domain: cybersecurity
subdomain: malware-analysis
tags: [cobalt-strike, malleable-c2, c2-detection, beacon-analysis, network-signatures, threat-hunting, red-team-tools]
version: "1.0"
tags:
- cobalt-strike
- malleable-c2
- c2-detection
- beacon-analysis
- network-signatures
- threat-hunting
- red-team-tools
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing CobaltStrike Malleable C2 Profiles
@@ -14,6 +27,14 @@ license: Apache-2.0
Cobalt Strike Malleable C2 profiles are domain-specific language scripts that customize how Beacon communicates with the team server, defining HTTP request/response transformations, sleep intervals, jitter values, user agents, URI paths, and process injection behavior. Threat actors use malleable profiles to disguise C2 traffic as legitimate services (Amazon, Google, Slack). Analyzing these profiles reveals network indicators for detection: URI patterns, HTTP headers, POST/GET transforms, DNS settings, and process injection techniques. The `dissect.cobaltstrike` library can parse both profile files and extract configurations from beacon payloads, while `pyMalleableC2` provides AST-based parsing using Lark grammar for programmatic profile manipulation and validation.
## When to Use
- When investigating security incidents that require analyzing cobaltstrike malleable c2 profiles
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Python 3.9+ with `dissect.cobaltstrike` and/or `pyMalleableC2`
skills/analyzing-cobaltstrike-malleable-c2-profiles/scripts/agent.py
-1
View File
@@ -5,7 +5,6 @@
import argparse
import json
import re
import sys
from collections import Counter
from datetime import datetime
from pathlib import Path
skills/analyzing-command-and-control-communication/SKILL.md
+17 -7
View File
@@ -1,17 +1,27 @@
---
name: analyzing-command-and-control-communication
description: >
Analyzes malware command-and-control (C2) communication protocols to understand beacon
patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS,
and custom protocol C2 analysis for detection development and threat intelligence.
Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse
engineering, or command-and-control infrastructure mapping.
description: 'Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures,
data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and
threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or
command-and-control infrastructure mapping.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, C2, command-and-control, beacon, protocol-analysis]
tags:
- malware
- C2
- command-and-control
- beacon
- protocol-analysis
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Command-and-Control Communication
skills/analyzing-command-and-control-communication/scripts/agent.py
+1 -2
View File
@@ -3,13 +3,12 @@
import statistics
import base64
import json
import os
import sys
from collections import defaultdict
try:
from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR, Raw
from scapy.all import rdpcap, IP, TCP, DNS, DNSQR
HAS_SCAPY = True
except ImportError:
HAS_SCAPY = False
skills/analyzing-cyber-kill-chain/SKILL.md
+18 -7
View File
@@ -1,18 +1,29 @@
---
name: analyzing-cyber-kill-chain
description: >
Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify
which phases an adversary has completed, where defenses succeeded or failed, and what controls
would have interrupted the attack at earlier phases. Use when conducting post-incident analysis,
building prevention-focused security controls, or mapping detection gaps to kill chain phases.
Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases
an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier
phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection
gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
or Lockheed Martin kill chain framework.
'
domain: cybersecurity
subdomain: threat-intelligence
tags: [kill-chain, Lockheed-Martin, MITRE-ATT&CK, intrusion-analysis, defense-in-depth, NIST-CSF]
tags:
- kill-chain
- Lockheed-Martin
- MITRE-ATT&CK
- intrusion-analysis
- defense-in-depth
- NIST-CSF
version: 1.0.0
author: team-cybersecurity
license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
---
# Analyzing Cyber Kill Chain
skills/analyzing-cyber-kill-chain/scripts/agent.py
-3
View File
@@ -1,9 +1,6 @@
#!/usr/bin/env python3
"""Cyber Kill Chain analysis agent for mapping incidents to Lockheed Martin kill chain phases."""
import json
import os
import sys
import datetime
skills/analyzing-disk-image-with-autopsy/SKILL.md
+15 -3
View File
@@ -1,12 +1,24 @@
---
name: analyzing-disk-image-with-autopsy
description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and build investigation timelines.
description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and
build investigation timelines.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, autopsy, disk-analysis, sleuth-kit, file-recovery, artifact-analysis]
version: "1.0"
tags:
- forensics
- autopsy
- disk-analysis
- sleuth-kit
- file-recovery
- artifact-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
---
# Analyzing Disk Image with Autopsy
skills/analyzing-disk-image-with-autopsy/scripts/agent.py
+41 -17
View File
@@ -1,6 +1,7 @@
#!/usr/bin/env python3
"""Forensic disk image analysis agent using The Sleuth Kit (TSK) command-line tools."""
import shlex
import subprocess
import os
import sys
@@ -10,8 +11,10 @@ import datetime
def run_cmd(cmd):
"""Execute a shell command and return output."""
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
"""Execute a command and return output."""
if isinstance(cmd, str):
cmd = shlex.split(cmd)
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
return result.stdout.strip(), result.stderr.strip(), result.returncode
@@ -93,9 +96,15 @@ def list_deleted_files(image_path, offset):
def recover_file(image_path, offset, inode, output_path):
"""Recover a file by inode using icat."""
cmd = f"icat -o {offset} {image_path} {inode} > {output_path}"
_, _, rc = run_cmd(cmd)
return rc == 0
result = subprocess.run(
["icat", "-o", str(offset), image_path, str(inode)],
capture_output=True,
timeout=120,
)
if result.returncode == 0:
with open(output_path, "wb") as f:
f.write(result.stdout)
return result.returncode == 0
def get_file_metadata(image_path, offset, inode):
@@ -106,26 +115,40 @@ def get_file_metadata(image_path, offset, inode):
def create_bodyfile(image_path, offset, output_path):
"""Generate a TSK bodyfile for timeline creation."""
cmd = f'fls -r -m "/" -o {offset} {image_path} > {output_path}'
_, _, rc = run_cmd(cmd)
return rc == 0
result = subprocess.run(
["fls", "-r", "-m", "/", "-o", str(offset), image_path],
capture_output=True, text=True,
timeout=120,
)
if result.returncode == 0:
with open(output_path, "w") as f:
f.write(result.stdout)
return result.returncode == 0
def generate_timeline(bodyfile_path, output_csv, start_date=None, end_date=None):
"""Generate a timeline from a bodyfile using mactime."""
cmd = f"mactime -b {bodyfile_path} -d"
cmd = ["mactime", "-b", bodyfile_path, "-d"]
if start_date and end_date:
cmd += f" {start_date}..{end_date}"
cmd += f" > {output_csv}"
_, _, rc = run_cmd(cmd)
return rc == 0
cmd.append(f"{start_date}..{end_date}")
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
if result.returncode == 0:
with open(output_csv, "w") as f:
f.write(result.stdout)
return result.returncode == 0
def search_keywords(image_path, offset, keyword):
"""Search for keyword strings in the disk image."""
cmd = f'srch_strings -a -o {offset} {image_path} | grep -i "{keyword}"'
stdout, _, rc = run_cmd(cmd)
return stdout.splitlines() if rc == 0 else []
result = subprocess.run(
["srch_strings", "-a", "-o", str(offset), image_path],
capture_output=True, text=True,
timeout=120,
)
if result.returncode != 0 or not result.stdout:
return []
keyword_lower = keyword.lower()
return [line for line in result.stdout.splitlines() if keyword_lower in line.lower()]
def find_file_signature(image_path, offset, hex_signature):
@@ -179,7 +202,8 @@ if __name__ == "__main__":
if len(sys.argv) > 1:
image = sys.argv[1]
case = sys.argv[2] if len(sys.argv) > 2 else "/tmp/autopsy_case"
import tempfile
case = sys.argv[2] if len(sys.argv) > 2 else os.environ.get("AUTOPSY_CASE_DIR", os.path.join(tempfile.gettempdir(), "autopsy_case"))
if os.path.exists(image):
analyze_image(image, case)
else:
skills/analyzing-dns-logs-for-exfiltration/SKILL.md
+24 -7
View File
@@ -1,16 +1,33 @@
---
name: analyzing-dns-logs-for-exfiltration
description: >
Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication,
and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length
detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass
traditional network security controls.
description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert
C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC
teams need to identify DNS-based threats that bypass traditional network security controls.
'
domain: cybersecurity
subdomain: soc-operations
tags: [soc, dns, exfiltration, dns-tunneling, dga, c2-detection, splunk, threat-detection]
version: "1.0"
tags:
- soc
- dns
- exfiltration
- dns-tunneling
- dga
- c2-detection
- splunk
- threat-detection
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0024
- AML.T0056
- AML.T0086
nist_csf:
- DE.CM-01
- DE.AE-02
- RS.MA-01
- DE.AE-06
---
# Analyzing DNS Logs for Exfiltration
skills/analyzing-dns-logs-for-exfiltration/scripts/agent.py
-5
View File
@@ -2,11 +2,6 @@
"""DNS exfiltration detection agent using entropy analysis and query pattern detection."""
import math
import os
import sys
import json
import csv
import datetime
from collections import Counter, defaultdict
skills/analyzing-docker-container-forensics/SKILL.md
+15 -3
View File
@@ -1,12 +1,24 @@
---
name: analyzing-docker-container-forensics
description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and evidence.
description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to
identify malicious activity and evidence.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, docker, container-forensics, container-security, image-analysis, runtime-investigation]
version: "1.0"
tags:
- forensics
- docker
- container-forensics
- container-security
- image-analysis
- runtime-investigation
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
---
# Analyzing Docker Container Forensics
skills/analyzing-docker-container-forensics/scripts/agent.py
+12 -5
View File
@@ -1,6 +1,7 @@
#!/usr/bin/env python3
"""Docker container forensics agent for investigating compromised containers."""
import shlex
import subprocess
import json
import os
@@ -10,8 +11,10 @@ import datetime
def run_cmd(cmd):
"""Execute a shell command and return output."""
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
"""Execute a command and return output."""
if isinstance(cmd, str):
cmd = shlex.split(cmd)
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
return result.stdout.strip(), result.stderr.strip(), result.returncode
@@ -134,9 +137,13 @@ def detect_suspicious_files(changes):
def export_container(container_id, output_path):
"""Export container filesystem as a tarball for offline analysis."""
cmd = f"docker export {container_id} > {output_path}"
_, _, rc = run_cmd(cmd)
if rc == 0 and os.path.exists(output_path):
with open(output_path, "wb") as out_f:
result = subprocess.run(
["docker", "export", container_id],
stdout=out_f, stderr=subprocess.PIPE,
timeout=120,
)
if result.returncode == 0 and os.path.exists(output_path):
sha256 = hashlib.sha256()
with open(output_path, "rb") as f:
for chunk in iter(lambda: f.read(65536), b""):
skills/analyzing-email-headers-for-phishing-investigation/SKILL.md
+18 -3
View File
@@ -1,12 +1,27 @@
---
name: analyzing-email-headers-for-phishing-investigation
description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify
spoofing through SPF, DKIM, and DMARC validation.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, email-analysis, phishing, spf, dkim, dmarc, header-analysis]
version: "1.0"
tags:
- forensics
- email-analysis
- phishing
- spf
- dkim
- dmarc
- header-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0052
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
---
# Analyzing Email Headers for Phishing Investigation
skills/analyzing-email-headers-for-phishing-investigation/scripts/agent.py
+4 -4
View File
@@ -8,7 +8,6 @@ import hashlib
import os
import sys
import subprocess
import json
from email import policy
@@ -147,9 +146,10 @@ def extract_attachments(msg, output_dir=None):
def dns_lookup(domain, record_type="TXT"):
"""Perform DNS lookup for SPF/DKIM/DMARC records."""
cmd = f"dig {record_type} {domain} +short"
stdout, _, rc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
timeout=10).stdout, "", 0
stdout, _, rc = subprocess.run(
["dig", record_type, domain, "+short"],
capture_output=True, text=True, timeout=10
).stdout, "", 0
return stdout.strip() if stdout else ""
skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md
+24 -3
View File
@@ -1,12 +1,25 @@
---
name: analyzing-ethereum-smart-contract-vulnerabilities
description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy, integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy,
integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
domain: cybersecurity
subdomain: blockchain-security
tags: [ethereum, solidity, smart-contract, slither, mythril, blockchain, defi, audit]
version: "1.0"
tags:
- ethereum
- solidity
- smart-contract
- slither
- mythril
- blockchain
- defi
- audit
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.DS-01
- PR.DS-02
- ID.RA-01
---
# Analyzing Ethereum Smart Contract Vulnerabilities
@@ -15,6 +28,14 @@ license: Apache-2.0
Smart contract vulnerabilities have led to billions of dollars in losses across DeFi protocols. Unlike traditional software, deployed smart contracts are immutable and handle real financial assets, making pre-deployment security analysis critical. Slither performs fast static analysis using an intermediate representation to detect over 90 vulnerability patterns in seconds, while Mythril uses symbolic execution and SMT solving to discover complex execution path vulnerabilities like reentrancy and integer overflows. This skill covers running both tools against Solidity contracts, interpreting results, triaging findings by severity, and generating audit reports.
## When to Use
- When investigating security incidents that require analyzing ethereum smart contract vulnerabilities
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Python 3.10+ with pip
skills/analyzing-ethereum-smart-contract-vulnerabilities/scripts/agent.py
-1
View File
@@ -5,7 +5,6 @@ import json
import argparse
import logging
import subprocess
import os
from collections import defaultdict
from datetime import datetime
skills/analyzing-golang-malware-with-ghidra/SKILL.md
+25 -4
View File
@@ -1,12 +1,25 @@
---
name: analyzing-golang-malware-with-ghidra
description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries.
description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction,
and type reconstruction in stripped Go binaries.
domain: cybersecurity
subdomain: malware-analysis
tags: [golang, ghidra, reverse-engineering, malware-analysis, binary-analysis, go-malware, disassembly]
version: "1.0"
tags:
- golang
- ghidra
- reverse-engineering
- malware-analysis
- binary-analysis
- go-malware
- disassembly
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Golang Malware with Ghidra
@@ -14,6 +27,14 @@ license: Apache-2.0
Go (Golang) has become a popular language for malware authors due to its cross-compilation capabilities, static linking that produces self-contained binaries, and the complexity it introduces for reverse engineering. Go binaries contain the entire runtime, standard library, and all dependencies statically linked, resulting in large binaries (often 5-15MB) with thousands of functions. Ghidra struggles with Go-specific string formats (non-null-terminated), stripped function names, and goroutine concurrency patterns. Specialized tools like GoResolver (Volexity, 2025) use control-flow graph similarity to automatically deobfuscate and recover function names in stripped or obfuscated Go binaries.
## When to Use
- When investigating security incidents that require analyzing golang malware with ghidra
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Ghidra 11.0+ with JDK 17+
@@ -37,7 +58,7 @@ Despite stripping symbol tables, Go binaries retain function names within the pc
Go's dependency management embeds module paths and version strings in the binary. Extracting these reveals the malware's third-party dependencies (HTTP libraries, encryption packages, C2 frameworks), which provides insight into capabilities without full reverse engineering.
## Practical Steps
## Workflow
### Step 1: Initial Binary Analysis
skills/analyzing-golang-malware-with-ghidra/scripts/agent.py
-1
View File
@@ -5,7 +5,6 @@ Analyzes Go binaries to extract function names, strings, build metadata,
package information, and detects common Go malware characteristics.
"""
import struct
import os
import sys
import json
skills/analyzing-heap-spray-exploitation/SKILL.md
+22 -3
View File
@@ -1,12 +1,23 @@
---
name: analyzing-heap-spray-exploitation
description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large allocations in process virtual address space.
description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns,
shellcode landing zones, and suspicious large allocations in process virtual address space.
domain: cybersecurity
subdomain: malware-analysis
tags: [malware-analysis, memory-forensics, heap-spray, volatility3, exploit-analysis]
version: "1.0"
tags:
- malware-analysis
- memory-forensics
- heap-spray
- volatility3
- exploit-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Heap Spray Exploitation
@@ -14,6 +25,14 @@ license: Apache-2.0
Heap spraying is an exploitation technique that fills large regions of a process's heap with attacker-controlled data (typically NOP sleds followed by shellcode) to increase the reliability of code execution exploits. This skill covers detecting heap spray artifacts in memory dumps using Volatility3's malfind, vadinfo, and memmap plugins, identifying suspicious contiguous memory allocations, scanning for NOP sled patterns (0x90, 0x0c0c0c0c), and extracting embedded shellcode for analysis.
## When to Use
- When investigating security incidents that require analyzing heap spray exploitation
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Python 3.9+ with `volatility3` framework installed
skills/analyzing-indicators-of-compromise/SKILL.md
+22 -7
View File
@@ -1,17 +1,32 @@
---
name: analyzing-indicators-of-compromise
description: >
Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs,
and email artifacts to determine maliciousness confidence, campaign attribution, and blocking
priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds;
enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions.
Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts
to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing
emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist
decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
'
domain: cybersecurity
subdomain: threat-intelligence
tags: [IOC, VirusTotal, AbuseIPDB, MalwareBazaar, MISP, threat-intelligence, STIX, NIST-CSF]
tags:
- IOC
- VirusTotal
- AbuseIPDB
- MalwareBazaar
- MISP
- threat-intelligence
- STIX
- NIST-CSF
version: 1.0.0
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0052
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
---
# Analyzing Indicators of Compromise
skills/analyzing-indicators-of-compromise/scripts/agent.py
+4 -6
View File
@@ -3,9 +3,7 @@
import re
import os
import sys
import json
import hashlib
import datetime
try:
@@ -69,7 +67,7 @@ def is_private_ip(ip):
def query_virustotal_hash(sha256, api_key):
"""Query VirusTotal for a file hash."""
url = f"https://www.virustotal.com/api/v3/files/{sha256}"
resp = requests.get(url, headers={"x-apikey": api_key})
resp = requests.get(url, headers={"x-apikey": api_key}, timeout=30)
if resp.status_code == 200:
data = resp.json().get("data", {}).get("attributes", {})
stats = data.get("last_analysis_stats", {})
@@ -88,7 +86,7 @@ def query_virustotal_hash(sha256, api_key):
def query_virustotal_domain(domain, api_key):
"""Query VirusTotal for domain reputation."""
url = f"https://www.virustotal.com/api/v3/domains/{domain}"
resp = requests.get(url, headers={"x-apikey": api_key})
resp = requests.get(url, headers={"x-apikey": api_key}, timeout=30)
if resp.status_code == 200:
data = resp.json().get("data", {}).get("attributes", {})
stats = data.get("last_analysis_stats", {})
@@ -107,7 +105,7 @@ def query_abuseipdb(ip, api_key, max_age_days=90):
"""Query AbuseIPDB for IP reputation."""
url = "https://api.abuseipdb.com/api/v2/check"
resp = requests.get(url, headers={"Key": api_key, "Accept": "application/json"},
params={"ipAddress": ip, "maxAgeInDays": max_age_days})
params={"ipAddress": ip, "maxAgeInDays": max_age_days}, timeout=30)
if resp.status_code == 200:
data = resp.json().get("data", {})
return {
@@ -125,7 +123,7 @@ def query_abuseipdb(ip, api_key, max_age_days=90):
def query_malwarebazaar(sha256):
"""Query MalwareBazaar for file hash information."""
url = "https://mb-api.abuse.ch/api/v1/"
resp = requests.post(url, data={"query": "get_info", "hash": sha256})
resp = requests.post(url, data={"query": "get_info", "hash": sha256}, timeout=30)
if resp.status_code == 200:
result = resp.json()
if result.get("query_status") == "ok" and result.get("data"):
skills/analyzing-ios-app-security-with-objection/SKILL.md
+26 -8
View File
@@ -1,18 +1,36 @@
---
name: analyzing-ios-app-security-with-objection
description: >
Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered
toolkit that enables security testers to interact with app internals without jailbreaking. Use when
assessing iOS app security posture, bypassing client-side protections, dumping keychain items,
inspecting filesystem storage, and evaluating runtime behavior. Activates for requests involving
iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile runtime
exploration.
description: 'Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered toolkit that
enables security testers to interact with app internals without jailbreaking. Use when assessing iOS app security posture,
bypassing client-side protections, dumping keychain items, inspecting filesystem storage, and evaluating runtime behavior.
Activates for requests involving iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile
runtime exploration.
'
domain: cybersecurity
subdomain: mobile-security
author: mahipal
tags: [mobile-security, ios, objection, frida, owasp-mobile, penetration-testing]
tags:
- mobile-security
- ios
- objection
- frida
- owasp-mobile
- penetration-testing
version: 1.0.0
license: Apache-2.0
atlas_techniques:
- AML.T0054
nist_ai_rmf:
- MEASURE-2.7
- MANAGE-2.4
- GOVERN-6.2
- MAP-5.1
nist_csf:
- PR.PS-01
- PR.AA-05
- ID.RA-01
- DE.CM-09
---
# Analyzing iOS App Security with Objection
skills/analyzing-ios-app-security-with-objection/scripts/agent.py
-2
View File
@@ -7,9 +7,7 @@ keychain dumping, filesystem inspection, and jailbreak detection bypass.
import subprocess
import json
import os
import sys
import re
def run_objection(command, app_id=None, timeout=30):
skills/analyzing-kubernetes-audit-logs/SKILL.md
+31 -7
View File
@@ -1,20 +1,44 @@
---
name: analyzing-kubernetes-audit-logs
description: >
Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret
access, RBAC modifications, privileged pod creation, and anonymous API access. Builds
threat detection rules from audit event patterns. Use when investigating Kubernetes
cluster compromise or building k8s-specific SIEM detection rules.
description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications,
privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating
Kubernetes cluster compromise or building k8s-specific SIEM detection rules.
'
domain: cybersecurity
subdomain: container-security
tags: [analyzing, kubernetes, audit, logs]
version: "1.0"
tags:
- analyzing
- kubernetes
- audit
- logs
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.PS-01
- PR.IR-01
- ID.AM-08
- DE.CM-01
---
# Analyzing Kubernetes Audit Logs
## When to Use
- When investigating security incidents that require analyzing kubernetes audit logs
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with container security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Parse Kubernetes audit log files (JSON lines format) to detect security-relevant
skills/analyzing-kubernetes-audit-logs/scripts/agent.py
-1
View File
@@ -1,7 +1,6 @@
#!/usr/bin/env python3
"""Agent for analyzing Kubernetes audit logs for security threats."""
import os
import json
import argparse
from collections import defaultdict
skills/analyzing-linux-audit-logs-for-intrusion/SKILL.md
+259 -9
View File
@@ -1,18 +1,268 @@
---
name: analyzing-linux-audit-logs-for-intrusion
description: >
Parse and analyze Linux auditd logs to detect intrusion indicators
including unauthorized file access, privilege escalation, syscall
anomalies, and suspicious process execution using ausearch and Python.
description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized
access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction,
and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch
queries, aureport summaries, or host-based intrusion detection on Linux.
'
domain: cybersecurity
subdomain: log-analysis
tags: [auditd, linux-forensics, syscall-monitoring, intrusion-detection]
version: "1.0"
subdomain: incident-response
tags:
- auditd
- ausearch
- aureport
- linux-security
- intrusion-detection
- HIDS
- forensics
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- RS.MA-01
- RS.MA-02
- RS.AN-03
- RC.RP-01
---
# Analyzing Linux Audit Logs for Intrusion
Parse auditd logs to detect file access violations, privilege escalation,
suspicious syscalls, and unauthorized process execution.
## When to Use
- Investigating suspected unauthorized access or privilege escalation on Linux hosts
- Hunting for evidence of exploitation, backdoor installation, or persistence mechanisms
- Auditing compliance with security baselines (CIS, STIG, PCI-DSS) that require system call monitoring
- Reconstructing a timeline of attacker actions during incident response
- Detecting file tampering on critical system files such as `/etc/passwd`, `/etc/shadow`, or SSH keys
**Do not use** for network-level intrusion detection; use Suricata or Zeek for network traffic analysis. Auditd operates at the kernel level on individual hosts.
## Prerequisites
- Linux system with `auditd` package installed and the audit daemon running (`systemctl status auditd`)
- Root or sudo access to configure audit rules and query logs
- Audit rules deployed via `/etc/audit/rules.d/*.rules` or loaded with `auditctl`
- Recommended: Neo23x0/auditd ruleset from GitHub for comprehensive baseline coverage
- Familiarity with Linux syscalls (`execve`, `open`, `connect`, `ptrace`, etc.)
- Log storage with sufficient retention (default location: `/var/log/audit/audit.log`)
## Workflow
### Step 1: Verify Audit Daemon Status and Configuration
Confirm the audit system is running and check the current rule set:
```bash
# Check auditd service status
systemctl status auditd
# Show current audit rules loaded in the kernel
auditctl -l
# Show audit daemon configuration
cat /etc/audit/auditd.conf | grep -E "log_file|max_log_file|num_logs|space_left_action"
# Check if the audit backlog is being exceeded (dropped events)
auditctl -s
```
If the backlog limit is being reached, increase it:
```bash
auditctl -b 8192
```
### Step 2: Deploy Intrusion-Focused Audit Rules
Add rules that target common intrusion indicators. Place these in `/etc/audit/rules.d/intrusion.rules`:
```bash
# Monitor credential files for unauthorized reads or modifications
-w /etc/passwd -p wa -k credential_access
-w /etc/shadow -p rwa -k credential_access
-w /etc/gshadow -p rwa -k credential_access
-w /etc/sudoers -p wa -k privilege_escalation
-w /etc/sudoers.d/ -p wa -k privilege_escalation
# Monitor SSH configuration and authorized keys
-w /etc/ssh/sshd_config -p wa -k sshd_config_change
-w /root/.ssh/authorized_keys -p wa -k ssh_key_tampering
# Monitor user and group management commands
-w /usr/sbin/useradd -p x -k user_management
-w /usr/sbin/usermod -p x -k user_management
-w /usr/sbin/groupadd -p x -k user_management
# Detect process injection via ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k process_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k process_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k process_injection
# Monitor execution of programs from unusual directories
-a always,exit -F arch=b64 -S execve -F exe=/tmp -k exec_from_tmp
-a always,exit -F arch=b64 -S execve -F exe=/dev/shm -k exec_from_shm
# Detect kernel module loading (rootkit installation)
-a always,exit -F arch=b64 -S init_module -S finit_module -k kernel_module_load
-a always,exit -F arch=b64 -S delete_module -k kernel_module_remove
-w /sbin/insmod -p x -k kernel_module_tool
-w /sbin/modprobe -p x -k kernel_module_tool
# Monitor network socket creation for reverse shells
-a always,exit -F arch=b64 -S socket -F a0=2 -k network_socket_created
-a always,exit -F arch=b64 -S connect -F a0=2 -k network_connection
# Detect cron job modifications (persistence)
-w /etc/crontab -p wa -k cron_persistence
-w /etc/cron.d/ -p wa -k cron_persistence
-w /var/spool/cron/ -p wa -k cron_persistence
# Monitor log deletion or tampering
-w /var/log/ -p wa -k log_tampering
```
Reload rules after editing:
```bash
augenrules --load
auditctl -l | wc -l # Confirm rule count
```
### Step 3: Search for Intrusion Indicators with ausearch
Use `ausearch` to query the audit log for specific events:
```bash
# Search for all failed login attempts in the last 24 hours
ausearch -m USER_LOGIN --success no -ts recent
# Search for commands executed by a specific user
ausearch -ua 1001 -m EXECVE -ts today
# Search for all file access events on /etc/shadow
ausearch -f /etc/shadow -ts this-week
# Search for privilege escalation via sudo
ausearch -m USER_CMD -ts today
# Search for kernel module loading events
ausearch -k kernel_module_load -ts this-month
# Search for processes executed from /tmp (common attack staging)
ausearch -k exec_from_tmp -ts this-week
# Search for SSH key modifications
ausearch -k ssh_key_tampering -ts this-month
# Search for a specific event by audit event ID
ausearch -a 12345
# Search events in a specific time range
ausearch -ts 03/15/2026 08:00:00 -te 03/15/2026 18:00:00
# Interpret syscall numbers and format output readably
ausearch -k credential_access -i -ts today
```
### Step 4: Generate Summary Reports with aureport
Use `aureport` to produce aggregate summaries for triage:
```bash
# Summary of all authentication events
aureport -au -ts this-week --summary
# Report of all failed events (login, access, etc.)
aureport --failed --summary -ts today
# Report of executable runs
aureport -x --summary -ts today
# Report of all anomaly events (segfaults, promiscuous mode, etc.)
aureport --anomaly -ts this-week
# Report of file access events
aureport -f --summary -ts today
# Report of all events by key (maps to your custom rule keys)
aureport -k --summary -ts this-month
# Report of all system calls
aureport -s --summary -ts today
# Report of events grouped by user
aureport -u --summary -ts this-week
# Detailed time-based event report for timeline building
aureport -ts 03/15/2026 08:00:00 -te 03/15/2026 18:00:00 --summary
```
### Step 5: Reconstruct the Attack Timeline
Combine ausearch queries to build a chronological narrative:
```bash
# Step 5a: Identify the initial access timestamp
ausearch -m USER_LOGIN -ua 0 --success yes -ts this-week -i | head -50
# Step 5b: Trace what the attacker did after gaining access
# Get all events from the compromised account within the incident window
ausearch -ua <UID> -ts "03/15/2026 14:00:00" -te "03/15/2026 18:00:00" -i \
| aureport -f -i
# Step 5c: Extract all commands executed during the incident window
ausearch -m EXECVE -ts "03/15/2026 14:00:00" -te "03/15/2026 18:00:00" -i
# Step 5d: Check for persistence mechanisms installed
ausearch -k cron_persistence -ts "03/15/2026 14:00:00" -i
ausearch -k ssh_key_tampering -ts "03/15/2026 14:00:00" -i
# Step 5e: Check for lateral movement (outbound connections)
ausearch -k network_connection -ts "03/15/2026 14:00:00" -i
```
### Step 6: Forward Audit Logs to SIEM
Configure `audisp-remote` or `auditbeat` to ship logs to a central SIEM for correlation:
```bash
# Option A: Using audisp-remote plugin
# Edit /etc/audit/plugins.d/au-remote.conf
active = yes
direction = out
path = /sbin/audisp-remote
type = always
# Configure remote target in /etc/audit/audisp-remote.conf
remote_server = siem.internal.corp
port = 6514
transport = tcp
# Option B: Using Elastic Auditbeat
# Install auditbeat and configure /etc/auditbeat/auditbeat.yml
# Auditbeat reads directly from the kernel audit framework
```
## Key Concepts
| Term | Definition |
|------|------------|
| **auditd** | The Linux Audit daemon that receives audit events from the kernel and writes them to `/var/log/audit/audit.log` |
| **auditctl** | Command-line utility to control the audit system: add/remove rules, check status, set backlog size |
| **ausearch** | Query tool that searches audit logs by message type, user, file, key, time range, or event ID |
| **aureport** | Reporting tool that generates aggregate summaries of audit events for triage and compliance |
| **audit rule key (-k)** | A user-defined label attached to an audit rule, enabling fast filtering of related events with ausearch and aureport |
| **syscall auditing** | Kernel-level monitoring of system calls (execve, open, connect, ptrace) that captures process and file activity |
| **augenrules** | Utility that merges all files in `/etc/audit/rules.d/` into `/etc/audit/audit.rules` and loads them into the kernel |
## Verification
- [ ] auditd is running and rules are loaded (`auditctl -l` returns expected rule count)
- [ ] No audit backlog overflow (`auditctl -s` shows `backlog: 0` or low value, lost: 0)
- [ ] ausearch returns events for each custom key (`ausearch -k <key> -ts today` returns results)
- [ ] aureport generates non-empty summaries for authentication, executable, and file events
- [ ] Timeline reconstruction produces a coherent chronological sequence of attacker actions
- [ ] Critical file watches trigger alerts on test modifications (`touch /etc/shadow` generates an event)
- [ ] Logs are forwarding to central SIEM (verify with a test event and confirm receipt)
- [ ] Audit rules persist across reboot (rules in `/etc/audit/rules.d/`, not only via `auditctl`)
skills/analyzing-linux-audit-logs-for-intrusion/scripts/agent.py
-1
View File
@@ -7,7 +7,6 @@ unauthorized file access, suspicious syscalls, and process execution anomalies.
import argparse
import json
import os
import re
import sys
import datetime
skills/analyzing-linux-elf-malware/SKILL.md
+17 -7
View File
@@ -1,17 +1,27 @@
---
name: analyzing-linux-elf-malware
description: >
Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets,
cryptominers, ransomware, and rootkits targeting Linux servers, containers, and cloud
infrastructure. Covers static analysis, dynamic tracing, and reverse engineering of
x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis,
ELF binary investigation, Linux server compromise assessment, or container malware analysis.
description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, cryptominers, ransomware,
and rootkits targeting Linux servers, containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis, ELF binary investigation,
Linux server compromise assessment, or container malware analysis.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, Linux, ELF, reverse-engineering, server-malware]
tags:
- malware
- Linux
- ELF
- reverse-engineering
- server-malware
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Linux ELF Malware
skills/analyzing-linux-elf-malware/scripts/agent.py
+18 -12
View File
@@ -6,12 +6,10 @@ import math
import os
import sys
import subprocess
import struct
from collections import Counter
try:
from elftools.elf.elffile import ELFFile
from elftools.elf.sections import SymbolTableSection
HAS_ELFTOOLS = True
except ImportError:
HAS_ELFTOOLS = False
@@ -85,8 +83,8 @@ def analyze_sections(filepath):
def extract_strings(filepath, min_length=6):
"""Extract ASCII strings from the binary and categorize by type."""
stdout, _, rc = subprocess.run(
f"strings -n {min_length} {filepath}", shell=True,
capture_output=True, text=True
["strings", "-n", str(min_length), filepath],
capture_output=True, text=True, timeout=120
).stdout, "", 0
if not stdout:
return {}
@@ -126,8 +124,9 @@ def check_packing(filepath):
indicators.append("UPX packer detected (UPX! magic)")
if b"UPX0" in data or b"UPX1" in data:
indicators.append("UPX section names found")
stdout, _, _ = subprocess.run(f"upx -t {filepath} 2>&1", shell=True,
capture_output=True, text=True).stdout, "", 0
stdout, _, _ = subprocess.run(["upx", "-t", filepath],
capture_output=True, text=True,
stderr=subprocess.STDOUT, timeout=120).stdout, "", 0
if stdout and "packed" in stdout.lower():
indicators.append("UPX verification confirms packing")
return indicators
@@ -135,8 +134,8 @@ def check_packing(filepath):
def analyze_dynamic_linking(filepath):
"""Analyze dynamic linking information and imported functions."""
stdout, _, rc = subprocess.run(f"readelf -d {filepath}", shell=True,
capture_output=True, text=True).stdout, "", 0
stdout, _, rc = subprocess.run(["readelf", "-d", filepath],
capture_output=True, text=True, timeout=120).stdout, "", 0
dynamic_info = {"libraries": [], "rpath": None}
if stdout:
for line in stdout.splitlines():
@@ -146,10 +145,17 @@ def analyze_dynamic_linking(filepath):
if "RPATH" in line or "RUNPATH" in line:
dynamic_info["rpath"] = line.split("[")[-1].rstrip("]")
stdout2, _, _ = subprocess.run(
f"readelf -r {filepath} | grep -E 'socket|connect|exec|fork|open|write|bind|listen|send|recv'",
shell=True, capture_output=True, text=True
).stdout, "", 0
readelf_proc = subprocess.run(
["readelf", "-r", filepath],
capture_output=True, text=True,
timeout=120,
)
import re as _re
suspicious_funcs = _re.compile(r'socket|connect|exec|fork|open|write|bind|listen|send|recv')
stdout2 = "\n".join(
line for line in (readelf_proc.stdout or "").splitlines()
if suspicious_funcs.search(line)
)
dynamic_info["suspicious_imports"] = [
line.strip() for line in (stdout2 or "").splitlines() if line.strip()
]
skills/analyzing-linux-kernel-rootkits/SKILL.md
+96 -3
View File
@@ -1,12 +1,27 @@
---
name: analyzing-linux-kernel-rootkits
description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures.
description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules),
rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and
tampered system structures.
domain: cybersecurity
subdomain: digital-forensics
tags: [rootkit, linux, kernel, volatility3, memory-forensics, malware-analysis, rkhunter, forensics]
version: "1.0"
tags:
- rootkit
- linux
- kernel
- volatility3
- memory-forensics
- malware-analysis
- rkhunter
- forensics
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
---
# Analyzing Linux Kernel Rootkits
@@ -15,6 +30,14 @@ license: Apache-2.0
Linux kernel rootkits operate at ring 0, modifying kernel data structures to hide processes, files, network connections, and kernel modules from userspace tools. Detection requires either memory forensics (analyzing physical memory dumps with Volatility3) or cross-view analysis (comparing /proc, /sys, and kernel data structures for inconsistencies). This skill covers using Volatility3 Linux plugins to detect syscall table hooks, hidden kernel modules, and modified function pointers, supplemented by live system scanning with rkhunter and chkrootkit.
## When to Use
- When investigating security incidents that require analyzing linux kernel rootkits
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Volatility3 installed (pip install volatility3)
@@ -40,3 +63,73 @@ Run rkhunter and chkrootkit to detect known rootkit signatures, suspicious files
## Expected Output
JSON report containing detected syscall hooks, hidden kernel modules, modified IDT entries, suspicious /proc discrepancies, and rkhunter findings.
## Example Output
```text
$ sudo python3 rootkit_analyzer.py --memory /evidence/linux-mem.lime --profile Ubuntu2204
Linux Kernel Rootkit Analysis Report
=====================================
Memory Image: /evidence/linux-mem.lime
Kernel Version: 5.15.0-91-generic (Ubuntu 22.04 LTS)
Analysis Time: 2024-01-18 09:15:32 UTC
[+] Scanning syscall table for hooks...
Syscall Table Base: 0xffffffff82200300
Total syscalls checked: 449
HOOKED SYSCALLS DETECTED:
┌─────────┬──────────────────┬──────────────────────┬──────────────────────┐
│ NR │ Syscall │ Expected Address │ Current Address │
├─────────┼──────────────────┼──────────────────────┼──────────────────────┤
│ 0 │ sys_read │ 0xffffffff8139a0e0 │ 0xffffffffc0a12000 │
│ 2 │ sys_open │ 0xffffffff8139b340 │ 0xffffffffc0a12180 │
│ 78 │ sys_getdents64 │ 0xffffffff813f5210 │ 0xffffffffc0a12300 │
│ 62 │ sys_kill │ 0xffffffff8110c4a0 │ 0xffffffffc0a12480 │
└─────────┴──────────────────┴──────────────────────┴──────────────────────┘
WARNING: 4 syscall hooks detected - rootkit behavior confirmed
[+] Checking for hidden kernel modules...
Loaded modules (lsmod): 147
Modules in kobject list: 149
HIDDEN MODULES:
- "netfilter_helper" at 0xffffffffc0a10000 (size: 12288)
- "kworker_sched" at 0xffffffffc0a14000 (size: 8192)
[+] Scanning /proc for discrepancies...
Processes in task_struct list: 234
Processes visible in /proc: 231
HIDDEN PROCESSES:
- PID 31337 cmd: "[kworker/0:3]" (disguised as kernel thread)
- PID 31442 cmd: "rsyslogd" (fake, real rsyslogd is PID 892)
- PID 31500 cmd: "" (unnamed process)
[+] Checking IDT entries...
IDT entries scanned: 256
Modified entries: 0 (clean)
[+] Running rkhunter scan...
Checking for known rootkits: 68 variants checked
Diamorphine rootkit: WARNING - signatures match
System binary checks:
/usr/bin/ps: MODIFIED (SHA-256 mismatch)
/usr/bin/netstat: MODIFIED (SHA-256 mismatch)
/usr/bin/ls: MODIFIED (SHA-256 mismatch)
/usr/sbin/ss: OK
[+] Network analysis...
Hidden connections (not in /proc/net/tcp):
ESTABLISHED 0.0.0.0:0 -> 198.51.100.47:4443 (PID 31337)
ESTABLISHED 0.0.0.0:0 -> 198.51.100.47:8080 (PID 31442)
Summary:
Rootkit Type: Loadable Kernel Module (LKM)
Probable Family: Diamorphine variant
Syscall Hooks: 4 (read, open, getdents64, kill)
Hidden Modules: 2
Hidden Processes: 3
Hidden Connections: 2 (C2: 198.51.100.47)
Modified Binaries: 3 (/usr/bin/ps, netstat, ls)
Risk Level: CRITICAL
```
skills/analyzing-linux-kernel-rootkits/scripts/agent.py
-1
View File
@@ -6,7 +6,6 @@ import argparse
import logging
import subprocess
import os
from collections import defaultdict
from datetime import datetime
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
skills/analyzing-linux-system-artifacts/SKILL.md
+15 -3
View File
@@ -1,12 +1,24 @@
---
name: analyzing-linux-system-artifacts
description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.
description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover
evidence of compromise or unauthorized activity.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, linux-forensics, system-artifacts, log-analysis, persistence-detection, incident-investigation]
version: "1.0"
tags:
- forensics
- linux-forensics
- system-artifacts
- log-analysis
- persistence-detection
- incident-investigation
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
---
# Analyzing Linux System Artifacts
skills/analyzing-linux-system-artifacts/scripts/agent.py
+10 -8
View File
@@ -4,15 +4,15 @@
import os
import sys
import glob
import json
import re
import datetime
import shlex
import subprocess
def run_cmd(cmd):
"""Execute a shell command and return output."""
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
"""Execute a command and return output."""
if isinstance(cmd, str):
cmd = shlex.split(cmd)
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
return result.stdout.strip(), result.stderr.strip(), result.returncode
@@ -196,10 +196,12 @@ def check_ld_preload(evidence_root):
def find_suid_binaries(evidence_root):
"""Find SUID/SGID binaries (potential privilege escalation)."""
stdout, _, rc = run_cmd(
f"find {evidence_root} -perm -4000 -type f 2>/dev/null"
result = subprocess.run(
["find", evidence_root, "-perm", "-4000", "-type", "f"],
capture_output=True, text=True, timeout=30
)
return stdout.splitlines() if rc == 0 and stdout else []
stdout = result.stdout.strip()
return stdout.splitlines() if result.returncode == 0 and stdout else []
def find_suspicious_tmp_files(evidence_root):
skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md
+98 -3
View File
@@ -1,12 +1,28 @@
---
name: analyzing-lnk-file-and-jump-list-artifacts
description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution,
and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
domain: cybersecurity
subdomain: digital-forensics
tags: [lnk-files, jump-lists, lecmd, jlecmd, windows-forensics, shell-link, user-activity, file-access, program-execution, recent-files]
version: "1.0"
tags:
- lnk-files
- jump-lists
- lecmd
- jlecmd
- windows-forensics
- shell-link
- user-activity
- file-access
- program-execution
- recent-files
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
---
# Analyzing LNK File and Jump List Artifacts
@@ -15,6 +31,14 @@ license: Apache-2.0
Windows LNK (shortcut) files and Jump Lists are critical forensic artifacts that provide evidence of file access, program execution, and user behavior. LNK files are created automatically when a user opens a file through Windows Explorer or the Open/Save dialog, storing metadata about the target file including its original path, timestamps, volume serial number, NetBIOS name, and MAC address of the host system. Jump Lists, introduced in Windows 7, extend this by maintaining per-application lists of recently and frequently accessed files. These artifacts persist even after the target files are deleted, making them invaluable for establishing that a user accessed specific files at specific times.
## When to Use
- When investigating security incidents that require analyzing lnk file and jump list artifacts
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- LECmd (Eric Zimmerman) for LNK file parsing
@@ -189,3 +213,74 @@ Recent research (IEEE 2025) shows that Windows 11 produces different LNK and Jum
- Magnet Forensics LNK Analysis: https://www.magnetforensics.com/blog/forensic-analysis-of-lnk-files/
- Jump Lists Forensics 2025: https://www.cybertriage.com/blog/jump-list-forensics-2025/
- Eric Zimmerman's LECmd/JLECmd: https://ericzimmerman.github.io/
## Example Output
```text
$ LECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent" --csv /analysis/lnk_output
LECmd v1.11.0 - LNK File Parser
================================
Processing 47 LNK files...
--- LNK File: Q4_Report.xlsx.lnk ---
Source: C:\Evidence\Users\jsmith\Recent\Q4_Report.xlsx.lnk
Target Path: C:\Users\jsmith\Downloads\Q4_Report.xlsm
Target Created: 2024-01-15 14:33:45 UTC
Target Modified: 2024-01-15 14:33:45 UTC
Target Accessed: 2024-01-15 14:35:12 UTC
File Size: 251,904 bytes
Drive Type: Fixed (C:)
Volume Serial: A4E7-3F21
Machine ID: DESKTOP-J5M1TH
MAC Address: 48:2A:E3:5C:9B:01
--- LNK File: update_client.exe.lnk ---
Source: C:\Evidence\Users\jsmith\Recent\update_client.exe.lnk
Target Path: C:\ProgramData\Updates\update_client.exe
Target Created: 2024-01-15 14:34:02 UTC
Target Modified: 2024-01-15 14:34:02 UTC
Target Accessed: 2024-01-15 14:36:30 UTC
File Size: 1,258,496 bytes
Drive Type: Fixed (C:)
Volume Serial: A4E7-3F21
Machine ID: DESKTOP-J5M1TH
Working Dir: C:\ProgramData\Updates
Arguments: --silent --no-update-check
Run Window: Hidden
======================================================================
$ JLECmd.exe -d "C:\Evidence\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv /analysis/jumplist_output
JLECmd v1.5.0 - Jump List Parser
==================================
Processing 23 AutomaticDestinations files...
--- Application: Microsoft Excel (AppID: 12dc1ea8e34b5a6) ---
Entries: 15
Most Recent:
Entry 0: C:\Users\jsmith\Downloads\Q4_Report.xlsm (2024-01-15 14:35:12 UTC)
Entry 1: \\FILESERV01\Finance\Budget_2024.xlsx (2024-01-14 09:22:30 UTC)
Entry 2: C:\Users\jsmith\Documents\Expenses\Dec2023.xlsx (2024-01-10 16:45:00 UTC)
--- Application: Windows Explorer (AppID: f01b4d95cf55d32a) ---
Entries: 28
Most Recent:
Entry 0: C:\ProgramData\Updates\ (2024-01-15 14:36:25 UTC)
Entry 1: E:\Backup\ (2024-01-15 15:30:00 UTC)
Entry 2: \\FILESERV01\HR\Employees\ (2024-01-15 16:12:45 UTC)
--- Application: cmd.exe (AppID: 9b9cdc69c1c24e2b) ---
Entries: 5
Most Recent:
Entry 0: C:\Windows\System32\cmd.exe (2024-01-15 14:36:00 UTC)
Summary:
Total LNK files processed: 47
Total Jump List entries: 156
Suspicious artifacts: 3 (hidden window execution, USB drive access, network shares)
CSV exported to: /analysis/lnk_output/ and /analysis/jumplist_output/
```
skills/analyzing-macro-malware-in-office-documents/SKILL.md
+26 -7
View File
@@ -1,17 +1,36 @@
---
name: analyzing-macro-malware-in-office-documents
description: >
Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint)
to identify download cradles, payload execution, persistence mechanisms, and anti-analysis
techniques. Uses olevba, oledump, and VBA deobfuscation to extract the attack chain.
Activates for requests involving Office macro analysis, VBA malware investigation,
maldoc analysis, or document-based threat examination.
description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download
cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis,
or document-based threat examination.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, macro, Office, VBA, document-malware]
tags:
- malware
- macro
- Office
- VBA
- document-malware
version: 1.0.0
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0068
- AML.T0067
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Macro Malware in Office Documents
skills/analyzing-macro-malware-in-office-documents/scripts/agent.py
+1 -2
View File
@@ -5,12 +5,11 @@ import re
import os
import sys
import hashlib
import subprocess
import json
import zipfile
try:
from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML
from oletools.olevba import VBA_Parser
from oletools import oleid
HAS_OLETOOLS = True
except ImportError:
skills/analyzing-malicious-pdf-with-peepdf/SKILL.md
+17 -3
View File
@@ -1,12 +1,26 @@
---
name: analyzing-malicious-pdf-with-peepdf
description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript,
shellcode, and suspicious objects.
domain: cybersecurity
subdomain: malware-analysis
tags: [malware-analysis, pdf, peepdf, pdfid, pdf-parser, static-analysis, reverse-engineering, dfir]
version: "1.0"
tags:
- malware-analysis
- pdf
- peepdf
- pdfid
- pdf-parser
- static-analysis
- reverse-engineering
- dfir
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Malicious PDF with peepdf
skills/analyzing-malicious-pdf-with-peepdf/scripts/agent.py
+6 -6
View File
@@ -37,9 +37,9 @@ def run_pdfid(filepath):
"""Run pdfid.py to triage PDF for suspicious keywords."""
cmd = ["python3", "-m", "pdfid", filepath]
alt_cmd = ["pdfid.py", filepath]
result = subprocess.run(cmd, capture_output=True, text=True)
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
if result.returncode != 0:
result = subprocess.run(alt_cmd, capture_output=True, text=True)
result = subprocess.run(alt_cmd, capture_output=True, text=True, timeout=120)
keywords = {}
for line in result.stdout.strip().split("\n"):
line = line.strip()
@@ -59,9 +59,9 @@ def run_peepdf_analysis(filepath):
"""Run peepdf for detailed PDF object analysis."""
cmd = ["peepdf", "-f", "-l", filepath]
alt_cmd = ["python3", "-m", "peepdf", "-f", "-l", filepath]
result = subprocess.run(cmd, capture_output=True, text=True)
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
if result.returncode != 0:
result = subprocess.run(alt_cmd, capture_output=True, text=True)
result = subprocess.run(alt_cmd, capture_output=True, text=True, timeout=120)
analysis = {
"versions": 0,
"objects": 0,
@@ -98,7 +98,7 @@ def run_pdf_parser(filepath, object_id=None):
cmd = ["pdf-parser.py", "-o", str(object_id), "-f", "-d", filepath]
else:
cmd = ["pdf-parser.py", "--stats", filepath]
result = subprocess.run(cmd, capture_output=True, text=True)
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
return result.stdout[:3000]
@@ -107,7 +107,7 @@ def extract_javascript(filepath, peepdf_analysis):
js_content = []
for obj_id in peepdf_analysis.get("js_objects", []):
cmd = ["pdf-parser.py", "-o", str(obj_id), "-f", "-w", filepath]
result = subprocess.run(cmd, capture_output=True, text=True)
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
if result.stdout:
js_content.append({
"object_id": obj_id,
skills/analyzing-malicious-url-with-urlscan/SKILL.md
+27 -4
View File
@@ -1,18 +1,41 @@
---
name: analyzing-malicious-url-with-urlscan
description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content,
HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
domain: cybersecurity
subdomain: phishing-defense
tags: [phishing, email-security, social-engineering, dmarc, awareness, url-analysis, threat-intelligence]
version: "1.0"
tags:
- phishing
- email-security
- social-engineering
- dmarc
- awareness
- url-analysis
- threat-intelligence
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0052
nist_csf:
- PR.AT-01
- DE.CM-09
- RS.CO-02
- DE.AE-02
---
# Analyzing Malicious URL with URLScan
## Overview
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolated environment. This skill covers using URLScan's web interface and API to investigate phishing URLs, credential harvesting pages, and malicious redirects without exposing the analyst's system to risk.
## When to Use
- When investigating security incidents that require analyzing malicious url with urlscan
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- URLScan.io account (free tier available, API key for automation)
- Python 3.8+ with requests library
@@ -41,7 +64,7 @@ URLScan.io is a free service for scanning and analyzing suspicious URLs. It capt
- Data URIs or base64-encoded content
- JavaScript-heavy pages with minimal HTML
## Implementation Steps
## Workflow
### Step 1: Submit URL to URLScan
```
skills/analyzing-malware-behavior-with-cuckoo-sandbox/SKILL.md
+17 -7
View File
@@ -1,17 +1,27 @@
---
name: analyzing-malware-behavior-with-cuckoo-sandbox
description: >
Executes malware samples in Cuckoo Sandbox to observe runtime behavior including
process creation, file system modifications, registry changes, network communications,
and API calls. Generates comprehensive behavioral reports for malware classification
and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox
detonation, behavioral analysis, or automated malware execution.
description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system
modifications, registry changes, network communications, and API calls. Generates comprehensive behavioral reports for malware
classification and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox detonation, behavioral
analysis, or automated malware execution.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, dynamic-analysis, sandbox, Cuckoo, behavioral-analysis]
tags:
- malware
- dynamic-analysis
- sandbox
- Cuckoo
- behavioral-analysis
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Malware Behavior with Cuckoo Sandbox
skills/analyzing-malware-behavior-with-cuckoo-sandbox/scripts/agent.py
+3 -5
View File
@@ -4,9 +4,7 @@
import json
import os
import sys
import subprocess
import hashlib
import datetime
try:
import requests
@@ -30,7 +28,7 @@ def submit_file(filepath, timeout=300, machine=None, package=None):
data["machine"] = machine
if package:
data["package"] = package
resp = requests.post(url, files=files, data=data)
resp = requests.post(url, files=files, data=data, timeout=30)
if resp.status_code == 200:
return resp.json().get("task_id")
return None
@@ -42,7 +40,7 @@ def submit_url(url_to_analyze, timeout=300):
return None
url = f"{CUCKOO_API}/tasks/create/url"
data = {"url": url_to_analyze, "timeout": timeout}
resp = requests.post(url, data=data)
resp = requests.post(url, data=data, timeout=30)
if resp.status_code == 200:
return resp.json().get("task_id")
return None
@@ -53,7 +51,7 @@ def get_task_status(task_id):
if not HAS_REQUESTS:
return None
url = f"{CUCKOO_API}/tasks/view/{task_id}"
resp = requests.get(url)
resp = requests.get(url, timeout=30)
if resp.status_code == 200:
return resp.json().get("task", {}).get("status")
return None
skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md
+26 -4
View File
@@ -1,12 +1,26 @@
---
name: analyzing-malware-family-relationships-with-malpedia
description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families to threat actors, and integrate YARA rules for detection across malware lineages.
description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families
to threat actors, and integrate YARA rules for detection across malware lineages.
domain: cybersecurity
subdomain: threat-intelligence
tags: [malpedia, malware-family, yara, threat-actor, malware-tracking, threat-intelligence, variant-analysis, malware-intelligence]
version: "1.0"
tags:
- malpedia
- malware-family
- yara
- threat-actor
- malware-tracking
- threat-intelligence
- variant-analysis
- malware-intelligence
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
---
# Analyzing Malware Family Relationships with Malpedia
@@ -14,6 +28,14 @@ license: Apache-2.0
Malpedia is a collaborative platform maintained by Fraunhofer FKIE that catalogs malware families with their aliases, YARA rules, threat actor associations, and reference reports. With over 2,600 malware families documented, it serves as the definitive resource for understanding malware lineages, tracking variant evolution, and linking malware to specific threat groups. This skill covers querying the Malpedia API, mapping malware family relationships, extracting YARA rules for detection, and building intelligence on malware ecosystems used by adversaries.
## When to Use
- When investigating security incidents that require analyzing malware family relationships with malpedia
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Python 3.9+ with `requests`, `yara-python`, `stix2` libraries
@@ -36,7 +58,7 @@ Malpedia uses the format `platform.family_name` (e.g., `win.emotet`, `elf.mirai`
Malware families have relationships including: parent-child (code reuse, forks), loader-payload (Emotet loads TrickBot loads Ryuk), shared authorship (same threat actor develops multiple tools), and infrastructure sharing (common C2 frameworks).
## Practical Steps
## Workflow
### Step 1: Query Malpedia API for Malware Families
skills/analyzing-malware-persistence-with-autoruns/SKILL.md
+37 -4
View File
@@ -1,12 +1,37 @@
---
name: analyzing-malware-persistence-with-autoruns
description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry
keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
domain: cybersecurity
subdomain: malware-analysis
tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response]
version: "1.0"
tags:
- autoruns
- persistence
- malware-analysis
- sysinternals
- windows
- registry
- startup
- incident-response
mitre_attack:
- T1547
- T1053
- T1543
- T1546
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Malware Persistence with Autoruns
@@ -14,6 +39,14 @@ license: Apache-2.0
Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Points (ASEPs) on Windows, scanning 18+ categories including Run/RunOnce keys, services, scheduled tasks, drivers, Winlogon entries, LSA providers, print monitors, WMI subscriptions, and AppInit DLLs. Digital signature verification filters Microsoft-signed entries. The compare function identifies newly added persistence via baseline diffing. VirusTotal integration checks hash reputation. Offline analysis via -z flag enables forensic disk image examination.
## When to Use
- When investigating security incidents that require analyzing malware persistence with autoruns
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Sysinternals Autoruns (GUI) and Autorunsc (CLI)
@@ -22,7 +55,7 @@ Sysinternals Autoruns extracts data from hundreds of Auto-Start Extensibility Po
- VirusTotal API key for reputation checks
- Clean baseline export for comparison
## Practical Steps
## Workflow
### Step 1: Automated Persistence Scanning
skills/analyzing-malware-persistence-with-autoruns/scripts/agent.py
-1
View File
@@ -3,7 +3,6 @@
import json
import csv
import os
import re
import logging
import argparse
skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md
+29 -9
View File
@@ -1,19 +1,31 @@
---
name: analyzing-malware-sandbox-evasion-techniques
description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction
detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
domain: cybersecurity
subdomain: malware-analysis
tags:
- sandbox-evasion
- malware-analysis
- cuckoo
- anyrun
- mitre-attack
- virtualization-detection
- behavioral-analysis
version: "1.0"
- sandbox-evasion
- malware-analysis
- cuckoo
- anyrun
- mitre-attack
- virtualization-detection
- behavioral-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Platform Hardening
- Restore Object
- Process Analysis
- System Call Filtering
- Restore Software
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Malware Sandbox Evasion Techniques
@@ -22,6 +34,14 @@ license: Apache-2.0
Sandbox evasion (MITRE ATT&CK T1497) allows malware to detect analysis environments and alter behavior to avoid detection. This skill analyzes behavioral reports from Cuckoo Sandbox and AnyRun for evasion indicators including timing-based checks (GetTickCount, QueryPerformanceCounter, sleep inflation), VM artifact detection (registry keys, MAC address prefixes, process names like vmtoolsd.exe), user interaction checks (mouse movement, keyboard input), and environment fingerprinting (disk size, CPU count, RAM). Detection rules flag samples exhibiting these behaviors for deeper manual analysis.
## When to Use
- When investigating security incidents that require analyzing malware sandbox evasion techniques
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Cuckoo Sandbox 2.0+ or AnyRun account for behavioral analysis reports
skills/analyzing-malware-sandbox-evasion-techniques/scripts/agent.py
-1
View File
@@ -4,7 +4,6 @@
import json
import argparse
from datetime import datetime
from collections import defaultdict
TIMING_APIS = {
"GetTickCount", "GetTickCount64", "QueryPerformanceCounter",
skills/analyzing-memory-dumps-with-volatility/SKILL.md
+22 -7
View File
@@ -1,17 +1,32 @@
---
name: analyzing-memory-dumps-with-volatility
description: >
Analyzes RAM memory dumps from compromised systems using the Volatility framework to
identify malicious processes, injected code, network connections, loaded modules, and
extracted credentials. Supports Windows, Linux, and macOS memory forensics. Activates
for requests involving memory forensics, RAM analysis, volatile data examination,
process injection detection, or memory-resident malware investigation.
description: 'Analyzes RAM memory dumps from compromised systems using the Volatility framework to identify malicious processes,
injected code, network connections, loaded modules, and extracted credentials. Supports Windows, Linux, and macOS memory
forensics. Activates for requests involving memory forensics, RAM analysis, volatile data examination, process injection
detection, or memory-resident malware investigation.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response]
tags:
- malware
- memory-forensics
- Volatility
- RAM-analysis
- incident-response
mitre_attack:
- T1055
- T1003
- T1059
- T1620
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Memory Dumps with Volatility
skills/analyzing-memory-dumps-with-volatility/scripts/agent.py
+5 -6
View File
@@ -1,19 +1,18 @@
#!/usr/bin/env python3
"""Memory forensics agent using Volatility 3 for malware detection in RAM dumps."""
import shlex
import subprocess
import os
import sys
import json
import csv
import re
import io
def run_vol3(memory_dump, plugin, extra_args=""):
"""Execute a Volatility 3 plugin and return output."""
cmd = f"vol3 -f {memory_dump} {plugin} {extra_args}"
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=300)
cmd = ["vol3", "-f", memory_dump, plugin]
if extra_args:
cmd.extend(shlex.split(extra_args))
result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
return result.stdout.strip(), result.stderr.strip(), result.returncode
skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md
+31 -7
View File
@@ -1,20 +1,44 @@
---
name: analyzing-memory-forensics-with-lime-and-volatility
description: >
Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module
and analysis with Volatility 3 framework. Extracts process lists, network connections,
bash history, loaded kernel modules, and injected code from Linux memory images.
Use when performing incident response on compromised Linux systems.
description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility
3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux
memory images. Use when performing incident response on compromised Linux systems.
'
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, memory, forensics, with]
version: "1.0"
tags:
- analyzing
- memory
- forensics
- with
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.CM-01
- RS.MA-01
- GV.OV-01
- DE.AE-02
---
# Analyzing Memory Forensics with LiME and Volatility
## When to Use
- When investigating security incidents that require analyzing memory forensics with lime and volatility
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Acquire Linux memory using LiME kernel module, then analyze with Volatility 3
skills/analyzing-memory-forensics-with-lime-and-volatility/scripts/agent.py
+2 -3
View File
@@ -1,7 +1,6 @@
#!/usr/bin/env python3
"""Agent for Linux memory forensics using LiME acquisition and Volatility 3."""
import os
import json
import subprocess
import argparse
@@ -12,13 +11,13 @@ from pathlib import Path
def acquire_memory_lime(output_path, lime_format="lime"):
"""Acquire memory using LiME kernel module."""
kernel_version = subprocess.run(
["uname", "-r"], capture_output=True, text=True
["uname", "-r"], capture_output=True, text=True, timeout=120
).stdout.strip()
lime_module = f"lime-{kernel_version}.ko"
if not Path(lime_module).exists():
lime_module = "lime.ko"
cmd = ["insmod", lime_module, f"path={output_path}", f"format={lime_format}"]
result = subprocess.run(cmd, capture_output=True, text=True)
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
return {
"status": "success" if result.returncode == 0 else "failed",
"output_path": output_path,
skills/analyzing-mft-for-deleted-file-recovery/SKILL.md
+70 -3
View File
@@ -1,12 +1,28 @@
---
name: analyzing-mft-for-deleted-file-recovery
description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record
entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
domain: cybersecurity
subdomain: digital-forensics
tags: [mft, ntfs, deleted-files, file-recovery, mftecmd, usn-journal, logfile, mft-slack-space, file-system-forensics, dfir]
version: "1.0"
tags:
- mft
- ntfs
- deleted-files
- file-recovery
- mftecmd
- usn-journal
- logfile
- mft-slack-space
- file-system-forensics
- dfir
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
---
# Analyzing MFT for Deleted File Recovery
@@ -15,6 +31,14 @@ license: Apache-2.0
The NTFS Master File Table ($MFT) is the central metadata repository for every file and directory on an NTFS volume. Each file is represented by at least one 1024-byte MFT record containing attributes such as $STANDARD_INFORMATION (timestamps, permissions), $FILE_NAME (name, parent directory, timestamps), and $DATA (file content or cluster run pointers). When a file is deleted, its MFT record is marked as inactive (InUse flag cleared) but the metadata remains until the entry is reallocated by a new file. This persistence makes MFT analysis a primary technique for recovering deleted file evidence, reconstructing file system timelines, and detecting anti-forensic activity such as timestomping.
## When to Use
- When investigating security incidents that require analyzing mft for deleted file recovery
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Forensic disk image (E01, raw/dd, VMDK, or VHDX format)
@@ -186,3 +210,46 @@ vssadmin list shadows
- MFT Slack Space Forensic Value: https://www.sygnia.co/blog/the-forensic-value-of-mft-slack-space/
- MFTECmd Documentation: https://ericzimmerman.github.io/
- SANS FOR500: Windows Forensic Analysis
## Example Output
```text
$ MFTECmd.exe -f "C:\Evidence\$MFT" --csv /analysis/mft_output
MFTECmd v1.2.2 - MFT Parser
==============================
Input: C:\Evidence\$MFT (Size: 384 MB)
Total MFT Entries: 395,264
Parsing MFT entries... Done (12.4 seconds)
--- Deleted File Recovery Summary ---
Total Entries: 395,264
Active Files: 245,832
Deleted Files: 149,432
Recoverable: 87,234 (resident data or clusters not reallocated)
Partially Recoverable: 31,456 (some clusters overwritten)
Unrecoverable: 30,742 (all clusters reallocated)
--- Recently Deleted Files (Incident Window: 2024-01-15 to 2024-01-18) ---
MFT Entry | Filename | Path | Size | Deleted (UTC) | Recoverable
----------|-----------------------------------|------------------------------------|-----------|-----------------------|------------
148923 | exfil_tool.exe | C:\ProgramData\Updates\ | 1,258,496 | 2024-01-17 02:45:12 | YES
148924 | exfil_tool.log | C:\ProgramData\Updates\ | 45,312 | 2024-01-17 02:45:14 | YES
149001 | passwords.txt | C:\Users\jsmith\Desktop\ | 2,048 | 2024-01-17 02:50:33 | YES
149150 | scan_results.csv | C:\Users\jsmith\AppData\Local\Temp | 892,416 | 2024-01-17 03:00:01 | PARTIAL
149200 | mimikatz.exe | C:\Windows\Temp\ | 1,250,816 | 2024-01-18 01:15:22 | YES
149201 | sekurlsa.log | C:\Windows\Temp\ | 32,768 | 2024-01-18 01:15:25 | YES
149302 | .bash_history | C:\Users\jsmith\ | 4,096 | 2024-01-18 03:00:00 | NO
149400 | ClearEventLogs.ps1 | C:\Windows\Temp\ | 1,536 | 2024-01-18 03:01:12 | YES
--- $STANDARD_INFORMATION vs $FILE_NAME Timestamp Analysis (Timestomping Detection) ---
MFT Entry | Filename | $SI Created | $FN Created | Delta | Verdict
----------|---------------------|----------------------|----------------------|-----------|----------
148923 | exfil_tool.exe | 2023-06-15 10:00:00 | 2024-01-15 14:34:02 | -214 days | TIMESTOMPED
149200 | mimikatz.exe | 2022-01-01 00:00:00 | 2024-01-16 02:30:15 | -745 days | TIMESTOMPED
Recovered files exported to: /analysis/mft_output/recovered/
Full CSV report: /analysis/mft_output/mft_analysis.csv (395,264 rows)
Timeline CSV: /analysis/mft_output/mft_timeline.csv
```
skills/analyzing-network-covert-channels-in-malware/SKILL.md
+31 -4
View File
@@ -1,12 +1,31 @@
---
name: analyzing-network-covert-channels-in-malware
description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration.
description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration,
steganographic HTTP, and protocol abuse for C2 and data exfiltration.
domain: cybersecurity
subdomain: malware-analysis
tags: [covert-channels, dns-tunneling, icmp-exfiltration, malware-analysis, network-forensics, c2-detection, data-exfiltration]
version: "1.0"
tags:
- covert-channels
- dns-tunneling
- icmp-exfiltration
- malware-analysis
- network-forensics
- c2-detection
- data-exfiltration
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Certificate Analysis
- Application Protocol Command Analysis
- Content Format Conversion
- File Content Analysis
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Network Covert Channels in Malware
@@ -14,6 +33,14 @@ license: Apache-2.0
Malware uses covert channels to disguise C2 communication and data exfiltration within legitimate-looking network traffic. DNS tunneling encodes data in DNS queries and responses (used by tools like iodine, dnscat2, and malware families like FrameworkPOS). ICMP tunneling hides data in echo request/reply payloads (icmpsh, ptunnel). HTTP covert channels embed C2 data in headers, cookies, or steganographic images. Protocol abuse exploits allowed protocols to bypass firewalls. DNS tunneling detection achieves 99%+ recall with modern ML-based approaches, though low-throughput exfiltration remains challenging. Palo Alto Unit42 tracked three major DNS tunneling campaigns (TrkCdn, SecShow, Savvy Seahorse) through 2024, showing the technique's continued prevalence.
## When to Use
- When investigating security incidents that require analyzing network covert channels in malware
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Python 3.9+ with `scapy`, `dpkt`, `dnslib`
@@ -22,7 +49,7 @@ Malware uses covert channels to disguise C2 communication and data exfiltration
- DNS query logging infrastructure
- Understanding of DNS, ICMP, HTTP protocols at packet level
## Practical Steps
## Workflow
### Step 1: DNS Tunneling Detection
skills/analyzing-network-covert-channels-in-malware/scripts/agent.py
+1 -2
View File
@@ -9,11 +9,10 @@ import os
import sys
import json
import math
import hashlib
from collections import Counter, defaultdict
try:
from scapy.all import rdpcap, DNS, DNSQR, DNSRR, ICMP, IP, TCP, UDP, Raw
from scapy.all import rdpcap, DNS, DNSQR, ICMP, IP, TCP, Raw
HAS_SCAPY = True
except ImportError:
HAS_SCAPY = False
skills/analyzing-network-flow-data-with-netflow/SKILL.md
+32 -7
View File
@@ -1,18 +1,43 @@
---
name: analyzing-network-flow-data-with-netflow
description: >-
Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data
exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow
records, builds traffic baselines, and applies statistical analysis to identify flows
with abnormal byte counts, connection durations, and periodic timing patterns.
description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing
patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis
to identify flows with abnormal byte counts, connection durations, and periodic timing patterns.
domain: cybersecurity
subdomain: network-security
tags: [analyzing, network, flow, data]
version: "1.0"
tags:
- analyzing
- network
- flow
- data
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.IR-01
- DE.CM-01
- ID.AM-03
- PR.DS-02
---
# Analyzing Network Flow Data with Netflow
## When to Use
- When investigating security incidents that require analyzing network flow data with netflow
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with network security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install netflow`
skills/analyzing-network-packets-with-scapy/SKILL.md
+22 -8
View File
@@ -1,18 +1,24 @@
---
name: analyzing-network-packets-with-scapy
description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and traffic anomaly detection in authorized security testing
description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and
traffic anomaly detection in authorized security testing
domain: cybersecurity
subdomain: network-security
tags:
- scapy
- packet-analysis
- network-forensics
- protocol-dissection
- pcap
- traffic-analysis
version: "1.0"
- scapy
- packet-analysis
- network-forensics
- protocol-dissection
- pcap
- traffic-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.IR-01
- DE.CM-01
- ID.AM-03
- PR.DS-02
---
# Analyzing Network Packets with Scapy
@@ -21,6 +27,14 @@ license: Apache-2.0
Scapy is a Python packet manipulation library that enables crafting, sending, sniffing, and dissecting network packets at granular protocol layers. This skill covers using Scapy for security-relevant tasks including TCP/UDP/ICMP packet crafting, pcap file analysis, protocol field extraction, SYN scan implementation, DNS query analysis, and detecting anomalous traffic patterns such as unusually fragmented packets or malformed headers.
## When to Use
- When investigating security incidents that require analyzing network packets with scapy
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Python 3.8+ with `scapy` library installed (`pip install scapy`)
skills/analyzing-network-packets-with-scapy/scripts/agent.py
+1 -1
View File
@@ -7,7 +7,7 @@ import argparse
from collections import defaultdict, Counter
from datetime import datetime
from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR, ICMP, Raw
from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR, ICMP
def load_pcap(filepath):
skills/analyzing-network-traffic-for-incidents/SKILL.md
+22 -8
View File
@@ -1,18 +1,32 @@
---
name: analyzing-network-traffic-for-incidents
description: >
Analyzes network traffic captures and flow data to identify adversary activity during
security incidents, including command-and-control communications, lateral movement,
data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow
analysis techniques. Activates for requests involving network traffic analysis,
packet capture investigation, PCAP analysis, network forensics, C2 traffic detection,
or exfiltration detection.
description: 'Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including
command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek,
and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation,
PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection.
'
domain: cybersecurity
subdomain: incident-response
tags: [network-forensics, PCAP-analysis, Wireshark, Zeek, traffic-analysis]
tags:
- network-forensics
- PCAP-analysis
- Wireshark
- Zeek
- traffic-analysis
mitre_attack:
- T1071
- T1095
- T1573
- T1572
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- RS.MA-01
- RS.MA-02
- RS.AN-03
- RC.RP-01
---
# Analyzing Network Traffic for Incidents
skills/analyzing-network-traffic-for-incidents/scripts/agent.py
+19 -14
View File
@@ -6,10 +6,10 @@ import os
import sys
import json
import statistics
from collections import defaultdict, Counter
from collections import defaultdict
try:
from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR, Raw, ARP
from scapy.all import rdpcap, IP, TCP, DNS
HAS_SCAPY = True
except ImportError:
HAS_SCAPY = False
@@ -17,9 +17,11 @@ except ImportError:
def run_tshark(pcap_path, display_filter, fields):
"""Run tshark with a display filter and extract specific fields."""
field_args = " ".join(f"-e {f}" for f in fields)
cmd = f'tshark -r {pcap_path} -Y "{display_filter}" -T fields {field_args} -E separator="|"'
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=120)
cmd = ["tshark", "-r", pcap_path, "-Y", display_filter, "-T", "fields"]
for f in fields:
cmd += ["-e", f]
cmd += ["-E", "separator=|"]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
rows = []
if result.returncode == 0:
for line in result.stdout.strip().splitlines():
@@ -31,8 +33,8 @@ def run_tshark(pcap_path, display_filter, fields):
def get_pcap_summary(pcap_path):
"""Get high-level PCAP statistics."""
cmd = f"tshark -r {pcap_path} -q -z conv,ip"
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)
cmd = ["tshark", "-r", pcap_path, "-q", "-z", "conv,ip"]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
return result.stdout if result.returncode == 0 else ""
@@ -57,8 +59,8 @@ def detect_lateral_movement(pcap_path):
def detect_data_exfiltration(pcap_path, threshold_mb=10):
"""Detect potential data exfiltration based on outbound data volume."""
cmd = f'tshark -r {pcap_path} -q -z conv,ip'
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)
cmd = ["tshark", "-r", pcap_path, "-q", "-z", "conv,ip"]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
suspects = []
if result.returncode == 0:
for line in result.stdout.splitlines():
@@ -120,10 +122,13 @@ def extract_dns_queries(pcap_path):
def detect_ids_alerts(pcap_path):
"""Run Suricata on the PCAP and extract alerts."""
cmd = f"suricata -r {pcap_path} -l /tmp/suricata_output -k none 2>/dev/null"
subprocess.run(cmd, shell=True, timeout=120)
import tempfile
suricata_output = os.environ.get("SURICATA_OUTPUT_DIR", os.path.join(tempfile.gettempdir(), "suricata_output"))
os.makedirs(suricata_output, exist_ok=True)
cmd = ["suricata", "-r", pcap_path, "-l", suricata_output, "-k", "none"]
subprocess.run(cmd, capture_output=True, timeout=120)
alerts = []
alert_file = "/tmp/suricata_output/fast.log"
alert_file = os.path.join(suricata_output, "fast.log")
if os.path.exists(alert_file):
with open(alert_file, "r") as f:
for line in f:
@@ -134,8 +139,8 @@ def detect_ids_alerts(pcap_path):
def extract_http_objects(pcap_path, output_dir):
"""Extract HTTP objects (files) from the PCAP."""
os.makedirs(output_dir, exist_ok=True)
cmd = f'tshark -r {pcap_path} --export-objects "http,{output_dir}"'
subprocess.run(cmd, shell=True, timeout=60)
cmd = ["tshark", "-r", pcap_path, "--export-objects", f"http,{output_dir}"]
subprocess.run(cmd, capture_output=True, timeout=60)
exported = []
if os.path.exists(output_dir):
for f in os.listdir(output_dir):
skills/analyzing-network-traffic-of-malware/SKILL.md
+17 -7
View File
@@ -1,17 +1,27 @@
---
name: analyzing-network-traffic-of-malware
description: >
Analyzes network traffic generated by malware during sandbox execution or live incident
response to identify C2 protocols, data exfiltration channels, payload downloads, and
lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests
involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or
network-based malware detection.
description: 'Analyzes network traffic generated by malware during sandbox execution or live incident response to identify
C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata.
Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based
malware detection.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, network-analysis, PCAP, Wireshark, C2-detection]
tags:
- malware
- network-analysis
- PCAP
- Wireshark
- C2-detection
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Network Traffic of Malware
skills/analyzing-network-traffic-of-malware/scripts/agent.py
+1 -3
View File
@@ -3,9 +3,7 @@
import os
import sys
import json
import math
import subprocess
from collections import defaultdict, Counter
try:
@@ -15,7 +13,7 @@ except ImportError:
HAS_DPKT = False
try:
from scapy.all import rdpcap, IP, TCP, UDP, DNS, DNSQR, Raw
from scapy.all import rdpcap, IP, TCP, DNS, DNSQR
HAS_SCAPY = True
except ImportError:
HAS_SCAPY = False
skills/analyzing-network-traffic-with-wireshark/SKILL.md
+16 -6
View File
@@ -1,15 +1,25 @@
---
name: analyzing-network-traffic-with-wireshark
description: >
Captures and analyzes network packet data using Wireshark and tshark to identify
malicious traffic patterns, diagnose protocol issues, extract artifacts, and
support incident response investigations on authorized network segments.
description: 'Captures and analyzes network packet data using Wireshark and tshark to identify malicious traffic patterns,
diagnose protocol issues, extract artifacts, and support incident response investigations on authorized network segments.
'
domain: cybersecurity
subdomain: network-security
tags: [network-security, wireshark, packet-analysis, traffic-analysis, pcap]
version: "1.0"
tags:
- network-security
- wireshark
- packet-analysis
- traffic-analysis
- pcap
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.IR-01
- DE.CM-01
- ID.AM-03
- PR.DS-02
---
# Analyzing Network Traffic with Wireshark
skills/analyzing-network-traffic-with-wireshark/scripts/agent.py
+6 -8
View File
@@ -2,26 +2,24 @@
"""Wireshark/tshark packet analysis agent for network security investigations."""
import subprocess
import shlex
import os
import sys
import json
import re
from collections import defaultdict
def run_tshark(pcap_path, args):
"""Execute tshark with custom arguments."""
cmd = f"tshark -r {pcap_path} {args}"
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=120)
cmd = ["tshark", "-r", pcap_path] + shlex.split(args)
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
return result.stdout.strip(), result.stderr.strip(), result.returncode
def capture_live(interface, output_path, duration=60, capture_filter=None):
"""Start a live packet capture using tshark."""
cmd = f"tshark -i {interface} -w {output_path} -a duration:{duration}"
cmd = ["tshark", "-i", interface, "-w", output_path, "-a", f"duration:{duration}"]
if capture_filter:
cmd += f' -f "{capture_filter}"'
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=duration + 10)
cmd += ["-f", capture_filter]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=duration + 10)
return result.returncode == 0
skills/analyzing-office365-audit-logs-for-compromise/SKILL.md
+24 -3
View File
@@ -1,12 +1,25 @@
---
name: analyzing-office365-audit-logs-for-compromise
description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and other indicators of account compromise.
description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation,
suspicious OAuth app grants, and other indicators of account compromise.
domain: cybersecurity
subdomain: cloud-security
tags: [Office365, Microsoft-Graph, audit-logs, email-compromise, inbox-rules, OAuth, BEC]
version: "1.0"
tags:
- Office365
- Microsoft-Graph
- audit-logs
- email-compromise
- inbox-rules
- OAuth
- BEC
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
---
# Analyzing Office 365 Audit Logs for Compromise
@@ -15,6 +28,14 @@ license: Apache-2.0
Business Email Compromise (BEC) attacks often leave traces in Office 365 audit logs: suspicious inbox rule creation, email forwarding to external addresses, mailbox delegation changes, and unauthorized OAuth application consent grants. This skill uses the Microsoft Graph API to query the Unified Audit Log, enumerate inbox rules across mailboxes, detect forwarding configurations, and identify compromised account indicators.
## When to Use
- When investigating security incidents that require analyzing office365 audit logs for compromise
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Azure AD app registration with `AuditLog.Read.All`, `MailboxSettings.Read`, `Mail.Read` (application permissions)

Some files were not shown because too many files have changed in this diff Show More