creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-10 21:24:56 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: creator/Anthropic-Cybersecurity-Skills:v1.1.0
Branches Tags
creator/Anthropic-Cybersecurity-Skills:main
creator/Anthropic-Cybersecurity-Skills:v1.2.0 creator/Anthropic-Cybersecurity-Skills:v1.1.0 creator/Anthropic-Cybersecurity-Skills:v1.0.0
...
compare: creator/Anthropic-Cybersecurity-Skills:main
Branches Tags
creator/Anthropic-Cybersecurity-Skills:main
creator/Anthropic-Cybersecurity-Skills:v1.2.0 creator/Anthropic-Cybersecurity-Skills:v1.1.0 creator/Anthropic-Cybersecurity-Skills:v1.0.0

60 Commits
v1.1.0 ... main

Author SHA1 Message Date
mukul975 04450304b1 chore: auto-update index.json 2026-06-01 10:15:47 +00:00
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1 
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
 2026-06-01 12:13:29 +02:00
mukul975 9a588e643e chore: auto-update index.json 2026-05-30 09:32:08 +00:00
Mahipal 868465b4e4 Merge pull request #58 from Bortlesboat/fix/objection-skill-description 
Fix description YAML for Objection iOS skill
 2026-05-30 11:32:00 +02:00
Andrew Barnes 2338e0371c Fix Objection skill description frontmatter 
Normalize YAML description so tools can reliably parse it.
 2026-05-25 09:04:36 -04:00
Mahipal 0f429d0f96 Update README.md 2026-05-13 11:07:15 +02:00
Mahipal 15b63716a4 Update README.md 2026-05-13 10:56:27 +02:00
mukul975 77d5d9d686 chore: auto-update index.json 2026-04-26 12:03:37 +00:00
Mahipal 812db448e0 Merge PR #44: Normalize tags in 3 skills 2026-04-26 14:03:28 +02:00
Mahipal fcc73ea471 Merge PR #28: Add bulk skill metadata validation script 2026-04-26 14:03:24 +02:00
claude[bot] fbc47b7ac2 fix: replace word-split tags with domain-specific cybersecurity tags 
Three SKILL.md files had tags that were simply words split from the
skill name (e.g., "analyzing", "block", "with", "logs") rather than
meaningful discovery keywords. Replace with domain-specific terms that
agents and search tools can actually use for routing.

- analyzing-powershell-script-block-logging: [powershell, script-block-logging, event-id-4104, obfuscation-detection, windows-forensics, endpoint-security]
- analyzing-azure-activity-logs-for-threats: [azure, cloud-security, azure-monitor, kql, threat-hunting, activity-logs]
- analyzing-memory-forensics-with-lime-and-volatility: [memory-forensics, linux-forensics, lime, volatility, incident-response, kernel-modules]

Co-Authored-By: Claude Code <noreply@anthropic.com>
 2026-04-21 00:35:35 +00:00
Mahipal 888bbe4c6e Delete star.yml 2026-04-18 02:09:43 +02:00
Mahipal c60cb4aa7b Update star.yml 2026-04-15 22:43:16 +02:00
Mahipal d5f3fa3248 Update star.yml 2026-04-15 22:37:28 +02:00
Mahipal 91a087aacc Update star.yml 2026-04-15 22:35:07 +02:00
Mahipal 780757902b Create star.yml 2026-04-15 19:15:45 +02:00
Mahipal 9e8a8cda80 Add Hermes Agent badge to README 2026-04-15 00:51:53 +02:00
Mahipal efbbbba5e2 Add Casky.ai Playground section to README 
Added a section for the Casky.ai Playground with details on its features and usage.
 2026-04-11 15:04:51 +02:00
Mahipal c715f0b36e Revise README for improved clarity and structure 
Updated README to enhance project visibility and clarify project scope.
 2026-04-11 00:46:21 +02:00
mukul975 4ae0be7f48 chore: bump marketplace version to v1.2.0 2026-04-06 12:26:39 +02:00
mukul975 dcc2dc32fd fix: jq command line continuation in sync-marketplace workflow 2026-04-06 12:25:16 +02:00
mukul975 c0ab6cfccb docs: update README for v1.2.0 — 5-framework coverage, 754 skills 2026-04-06 12:06:22 +02:00
mukul975 b4231b19e7 chore: auto-update index.json 2026-04-06 09:17:52 +00:00
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills 
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
 2026-04-06 11:17:40 +02:00
mukul975 e8105a2f4d chore: auto-update index.json 2026-04-05 23:56:33 +00:00
mukul975 ef27f026cb feat: enrich 209 skills with MITRE ATLAS, D3FEND, and NIST AI RMF frontmatter 
Added structured security framework mappings to SKILL.md frontmatter across all applicable skills:
- atlas_techniques: MITRE ATLAS v5.5 AML.TXXXX IDs (81 skills, AI-targeted attack techniques)
- d3fend_techniques: MITRE D3FEND v1.3 defensive technique labels (139 skills, mapped from ATT&CK IDs)
- nist_ai_rmf: NIST AI RMF 1.0 subcategory IDs (85 skills, AI risk management functions)

Also updates ATTACK_COVERAGE.md with coverage statistics for all three frameworks.
 2026-04-06 01:56:17 +02:00
Julio César Suástegui efc9598525 fix(validator): address all remaining review feedback from @mukul975 
Three issues fixed:

1. Description list check — added elif isinstance(desc, list) branch that
   emits 'Description must be a string value, not a list'. Previously the
   block was silently skipped when YAML returned a list, causing the skill
   to pass without validating the description field.

2. tools/README.md synced — updated description constraint from '20-500
   characters' to 'at least 50 characters (no upper limit)' to match the
   current code (DESCRIPTION_MIN_CHARS=50, no max enforced).

3. --all with wrong CWD now exits 1 — if glob returns no skill dirs,
   the script prints an error and exits with code 1 instead of reporting
   'Total: 0 Passed: 0 Failed: 0' and exiting 0, which would cause CI to
   silently pass while validating nothing.

All 754 skills continue to pass (0 regressions).
 2026-04-04 05:34:31 -06:00
Julio César Suástegui 31f745385b fix(validator): address all review feedback from @mukul975 
Required changes:
- Error handling: IOError and UnicodeDecodeError already wrapped in
  try/except from previous commit — still present and correct.
- ALLOWED_SUBDOMAINS: synced with actual repo usage (audited all 754
  skills). identity-access-management (34 skills) added; identity-security
  was the placeholder in its place.

New in this commit:
1. Description minimum: raised from 20 → 50 chars to align with other
   repo tooling as requested.
2. Folded scalar support: parse_frontmatter now handles YAML `>-` and `>`
   folded scalars, preventing incorrect parse of multi-line descriptions.
   Added a comment documenting the one remaining edge case (value-less key
   followed by non-list content — treated as no-value, acceptable for
   well-formed SKILL.md files).
3. Canonical subdomain warnings: alias subdomain values (e.g.
   security-operations vs soc-operations) now print a WARN line pointing
   to the canonical form, but are non-blocking. A _SUBDOMAIN_ALIASES dict
   documents canonical/alias pairs explicitly.
4. Description upper limit: removed hard cap — folded scalars legitimately
   produce long strings in existing skills.
5. PR description: removed false mention of type hints (there are none
   in this file).

Validator now passes 754/754 skills in the repo with 0 errors.
 2026-04-03 09:51:27 -06:00
Julio César Suástegui b53f3d4991 fix: add error handling for IOError/UnicodeDecodeError + sync ALLOWED_SUBDOMAINS 
- Wrap open() call in try/except for IOError and UnicodeDecodeError
  to report clean errors instead of crashing on encoding issues
- Add all subdomains actually used by existing skills in the repo:
  identity-access-management (33 skills), security-operations (28),
  identity-and-access-management, zero-trust, ot-security, purple-team,
  red-team, ai-security, social-engineering-defense, and others
- Remove identity-security as the canonical form is identity-access-management
 2026-04-03 09:49:04 -06:00
mukul975 c15f73db46 chore: auto-update index.json 2026-04-03 06:56:09 +00:00
mukul975 6325c202c5 chore: auto-update index.json 2026-04-03 06:30:32 +00:00
Mahipal 1cf19ded90 Merge pull request #26 from juliosuas/add-mitre-attack-incident-response 
Add MITRE ATT&CK IDs to incident response skills (fixes #1)
 2026-04-03 02:30:23 -04:00
Mahipal a7f577b482 Add skill: performing-cloud-native-threat-hunting-with-aws-detective 
Add skill: performing-cloud-native-threat-hunting-with-aws-detective
 2026-04-03 02:30:17 -04:00
Mahipal e26a736cf7 ci: add workflow to auto-sync marketplace version on release 2026-03-31 14:46:36 +02:00
Mahipal bb39fa73a9 Update marketplace version to v1.1.0 2026-03-31 14:41:58 +02:00
Mahipal 1cffd664f5 Remove Product Hunt badge from README 
Removed Product Hunt badge from README.
 2026-03-28 17:51:39 +01:00
Mahipal d7f205681a Add Product Hunt badge to README 
Added a Product Hunt badge to promote the project.
 2026-03-28 17:23:50 +01:00
mukul975 7283f02ba9 chore: auto-update index.json 2026-03-28 11:41:02 +00:00
mukul975 476a0880f4 Fix ESET AV false positive on AMSI bypass strings in skill docs 2026-03-28 12:40:53 +01:00
MAGI a072845a3f Fix review comments: correct AWS Detective API usage and forensic ordering 
- Fix FilterCriteria to use singular Severity/Status with Value objects
  instead of invalid plural Severities/Statuses arrays (SKILL.md + process.py)
- Fix get_entity_history: rename to get_investigation_indicators, use
  investigation_id instead of entity_arn for InvestigationId parameter
- Replace invalid inv-* placeholders with 21-digit numeric IDs
- Fix Expected Output to match real API response structure (no embedded
  Indicators; document separate list-indicators call and indicator types)
- Fix CLI --filter-criteria example to use correct format
- Update process.py --severity to accept single value with validation
- Add --max-results validation (1-100 range)
- Add pagination via _collect_all_pages helper for all list API calls
- Reorder Response Actions checklist: evidence preservation before containment
- Reorder Phase 5 workflow: preserve evidence first when safe
 2026-03-28 02:06:16 -06:00
MAGI 41b828e758 fix: add missing process.py implementation for aws-detective skill 
The process.py script was empty (0 bytes). Added a functional
implementation that lists behavior graphs, retrieves investigations,
queries indicators, and exports results — matching the pattern of
other skills in the repository.
 2026-03-28 02:06:16 -06:00
MAGI 2f6701d2d8 Add skill: performing-cloud-native-threat-hunting-with-aws-detective (fixes #6) 2026-03-28 02:06:16 -06:00
mukul975 aff90acbf5 Trigger contributor recalculation 2026-03-28 02:06:16 -06:00
Julio César Suástegui 84b4699e59 fix: remove out-of-scope changes (cloud-waf tags, zero-trust description rewrite) 2026-03-28 02:06:00 -06:00
MAGI c7ad5e7b98 Fix round 3: refine MITRE ATT&CK mappings per CodeRabbit review 
- osquery: replace broad IDs with concrete detections (T1049, T1620, T1053.003, T1548.001, T1552)
- credential extraction: replace T1550 with T1552 (Unsecured Credentials)
- persistence investigation: use sub-techniques (T1547.001, T1053.005, T1543.003, T1546.003)
 2026-03-28 02:06:00 -06:00
MAGI 15d53bd09b Fix MITRE ATT&CK mappings per CodeRabbit review: align techniques to skill content 
- analyzing-malware-persistence-with-autoruns: add persistence techniques T1547, T1053, T1543, T1546
- analyzing-memory-dumps-with-volatility: add memory forensics techniques T1055, T1003, T1059, T1620
- analyzing-persistence-mechanisms-in-linux: add Linux-specific sub-techniques T1053.003, T1543.002, T1574.006, T1546.004
- analyzing-windows-prefetch-with-python: add execution techniques T1059, T1204, T1036
- building-incident-response-dashboard: remove misaligned mitre_attack (dashboard is a visibility tool)
- building-phishing-reporting-button-workflow: add phishing techniques T1566, T1204, T1534
- deobfuscating-powershell-obfuscated-malware: add PowerShell/obfuscation techniques T1059.001, T1027, T1140
 2026-03-28 02:06:00 -06:00
MAGI 100361c3e5 Scope fix: remove mitre_attack from 24 non-incident-response skills, use sub-techniques 
- Removed mitre_attack from digital-forensics, cloud-security, malware-analysis,
  endpoint-security, threat-hunting, ransomware-defense, phishing-defense, and
  security-operations subdomain skills (out of PR scope per issue #1)
- Applied sub-technique IDs where appropriate (T1566.001, T1003.001, etc.)
- Only incident-response and soc-operations skills retain mappings
 2026-03-28 02:06:00 -06:00
MAGI 42258456e8 Fix MITRE ATT&CK mappings per CodeRabbit review 
- Replace generic T1190/T1059/T1078 with context-specific techniques
- Persistence: T1547, T1053, T1543, T1574
- Credentials: T1003, T1558, T1550
- Phishing: T1566, T1204, T1534
- Ransomware: T1486, T1490, T1489
- Cloud: T1078, T1537, T1580, T1098
- Remove mappings from out-of-scope subdomains (ot-ics, malware-analysis, digital-forensics)
 2026-03-28 02:05:57 -06:00
MAGI 5e62a7ea2c Add MITRE ATT&CK technique IDs to 60 incident-response skills (fixes #1) 2026-03-28 02:05:53 -06:00
mukul975 0fbcbdf8dd chore: auto-update index.json 2026-03-27 09:24:27 +00:00
Julio César Suástegui 97c213f9a4 Add skill: detecting-lateral-movement-with-zeek (fixes #5) (#29) 2026-03-27 10:24:16 +01:00
mukul975 9314565dd9 docs: update release version from v1.0.0 to v1.1.0 in README 2026-03-23 19:17:24 +01:00
mukul975 c74a7547bb docs: replace static contributors table with contrib.rocks auto-updating widget 2026-03-23 19:16:03 +01:00
mukul975 f4e791c06c docs: remove fake contributor Systech2021-1952 from README 2026-03-23 19:14:33 +01:00
mukul975 577f795252 docs: update skill count to 753 and domain count to 38 across all files 2026-03-21 13:57:15 +01:00
mukul975 ac77250450 docs: use single name Mahipal in CITATION.cff 2026-03-21 13:38:37 +01:00
mukul975 57b684e4d6 docs: add CITATION.cff for academic and tool attribution 2026-03-21 13:37:55 +01:00
mukul975 3856835990 chore: auto-update index.json 2026-03-21 12:23:42 +00:00
mukul975 db3eaaeaf2 fix: add workflow_dispatch and self-trigger to update-index workflow 2026-03-21 13:23:34 +01:00
mukul975 7f60276fd9 fix: add missing import re in update-index workflow, bump version to 1.1.0 2026-03-21 13:21:55 +01:00
775 changed files with 21460 additions and 4263 deletions
Expand all files Collapse all files
.claude-plugin/marketplace.json
+5 -5
View File
@@ -5,15 +5,15 @@
"email": "mukuljangra5@gmail.com"
},
"metadata": {
"description": "753 cybersecurity skills for AI agents and security practitioners covering web security, pentesting, forensics, threat intelligence, cloud security, and more.",
"version": "1.0.0"
"description": "754 cybersecurity skills for AI agents mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, and NIST AI RMF.",
"version": "1.2.0"
},
"plugins": [
{
"name": "cybersecurity-skills",
"source": "./",
"description": "607+ cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
"version": "1.0.0",
"description": "754 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more. Mapped to 5 frameworks.",
"version": "1.2.0",
"author": {
"name": "mukul975"
},
@@ -34,4 +34,4 @@
"repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
}
]
}
}
.github/workflows/sync-marketplace-version.yml
+39
View File
@@ -0,0 +1,39 @@
name: Sync Marketplace Version on Release
on:
release:
types: [published]
jobs:
sync-version:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Extract version from tag
id: version
run: |
VERSION=${GITHUB_REF_NAME#v}
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "tag=$GITHUB_REF_NAME" >> $GITHUB_OUTPUT
- name: Update marketplace.json version
env:
VERSION: ${{ steps.version.outputs.version }}
run: |
jq --arg v "$VERSION" '.metadata.version = $v | .plugins[].version = $v' .claude-plugin/marketplace.json > tmp.json
mv tmp.json .claude-plugin/marketplace.json
echo "Updated marketplace.json to version $VERSION"
- name: Commit and push
run: |
git config user.name "mukul975"
git config user.email "mukuljangra5@gmail.com"
git add .claude-plugin/marketplace.json
git diff --staged --quiet || git commit -m "chore: bump marketplace version to ${{ steps.version.outputs.tag }}"
git push
.github/workflows/update-index.yml
+4 -2
View File
@@ -5,6 +5,8 @@ on:
branches: [main]
paths:
- 'skills/**'
- '.github/workflows/update-index.yml'
workflow_dispatch:
jobs:
update-index:
@@ -19,7 +21,7 @@ jobs:
- name: Regenerate index.json
run: |
python3 << 'EOF'
import os, json
import os, json, re
from datetime import datetime, timezone
skills_dir = "skills"
@@ -45,7 +47,7 @@ jobs:
})
index = {
"version": "1.0.0",
"version": "1.1.0",
"generated_at": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
"repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills",
"domain": "cybersecurity",
ATTACK_COVERAGE.md
+37
View File
@@ -467,6 +467,43 @@ To regenerate: `python3 extract_attack.py`
---
## MITRE ATLAS Coverage (v5.5.0)
81 skills mapped to ATLAS adversarial ML techniques.
Key techniques applied:
- AML.T0051 — LLM Prompt Injection (Execution)
- AML.T0054 — LLM Jailbreak (Privilege Escalation)
- AML.T0088 — Generate Deepfakes (AI Attack Staging)
- AML.T0010 — AI Supply Chain Compromise (Initial Access)
- AML.T0020 — Poison Training Data (Resource Development)
- AML.T0070 — RAG Poisoning (Persistence)
- AML.T0080 — AI Agent Context Poisoning (Persistence)
- AML.T0056 — Extract LLM System Prompt (Exfiltration)
## MITRE D3FEND Coverage (v1.3)
11 skills mapped to D3FEND defensive countermeasures.
Countermeasures applied span D3FEND tactical categories:
Harden, Detect, Isolate, Deceive, Evict, Restore.
Each skill's d3fend_techniques field lists the top 5 most relevant
defensive countermeasures derived from the skill's ATT&CK technique tags.
## NIST AI RMF Coverage (AI 100-1)
85 skills mapped to NIST AI Risk Management Framework subcategories.
Core functions covered:
- GOVERN: Organizational accountability for AI risk (GOVERN-1.1, GOVERN-6.1, GOVERN-6.2)
- MAP: AI risk identification and context (MAP-5.1, MAP-5.2, MAP-1.6)
- MEASURE: AI risk analysis and evaluation (MEASURE-2.5, MEASURE-2.7, MEASURE-2.8, MEASURE-2.11)
- MANAGE: AI risk response and recovery (MANAGE-2.4, MANAGE-3.1)
GenAI-specific subcategories applied: GOVERN-6.1, GOVERN-6.2 (responsible deployment policies).
---
<p align="center">
<sub>Part of <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills">Anthropic Cybersecurity Skills</a> — 753+ open-source cybersecurity skills for AI agents</sub>
</p>
CITATION.cff
+32
View File
@@ -0,0 +1,32 @@
cff-version: 1.2.0
message: "If you use this repository in your research, tools, or publications, please cite it as below."
type: software
title: "Anthropic-Cybersecurity-Skills"
abstract: >
A structured collection of 753 cybersecurity skills for AI agents, covering
penetration testing, digital forensics, threat intelligence, incident response,
cloud security, OT/SCADA security, AI security, and more. Each skill follows
a standardized format with YAML frontmatter metadata, step-by-step procedures,
tool commands, expected outputs, and MITRE ATT&CK mappings. Compatible with
Claude Code, GitHub Copilot, Cursor, Windsurf, Gemini CLI, and 20+ AI agent
platforms.
authors:
- name: "Mahipal"
email: mukuljangra5@gmail.com
alias: mukul975
repository-code: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
url: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
license: Apache-2.0
version: "1.1.0"
date-released: "2026-03-21"
keywords:
- cybersecurity
- AI agents
- skills
- penetration testing
- digital forensics
- threat intelligence
- incident response
- MITRE ATT&CK
- Claude Code
- open source
README.md
+321 -498
View File
@@ -1,589 +1,412 @@
<p align="center">
<img src="assets/banner.png" alt="Anthropic Cybersecurity Skills — 734+ skills for AI agents" width="100%" />
<img src="assets/banner.png" alt="Anthropic Cybersecurity Skills" width="100%">
</p>
<p align="center">
<a href="https://opensource.org/licenses/Apache-2.0"><img src="https://img.shields.io/badge/License-Apache_2.0-blue.svg?style=for-the-badge" alt="License: Apache 2.0" /></a>
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers"><img src="https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="GitHub Stars" /></a>
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/network/members"><img src="https://img.shields.io/github/forks/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="GitHub Forks" /></a>
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/commits"><img src="https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="Last Commit" /></a>
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills"><img src="https://img.shields.io/badge/Skills-734+-blueviolet?style=for-the-badge&logo=bookstack&logoColor=white" alt="734+ Skills" /></a>
<a href="https://attack.mitre.org/"><img src="https://img.shields.io/badge/MITRE_ATT%26CK-Mapped-red?style=for-the-badge&logo=shield&logoColor=white" alt="MITRE ATT&CK Mapped" /></a>
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/graphs/contributors"><img src="https://img.shields.io/github/contributors/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="Contributors" /></a>
</p>
<div align="center">
<p align="center">
<b>The largest open-source collection of cybersecurity skills for AI agents.<br/>734+ structured skills · MITRE ATT&CK mapped · NIST CSF 2.0 aligned · <a href="https://agentskills.io">agentskills.io</a> open standard</b>
</p>
# Anthropic Cybersecurity Skills
<p align="center">
<a href="https://mahipal.engineer/Anthropic-Cybersecurity-Skills/">🌐 Landing Page</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0">📦 v1.0.0 Release</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues">🐛 Report Bug</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues">💡 Request Feature</a>
</p>
### The largest open-source cybersecurity skills library for AI agents
[![GARS-2026 Survey](https://img.shields.io/badge/GARS--2026-Take%20the%20Survey-E8B84B?style=for-the-badge&logo=googleforms&logoColor=black)](https://mahipal.engineer/survey?utm_source=github_badge&utm_medium=readme&utm_campaign=gars2026)
[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg?style=flat-square)](LICENSE)
[![Skills](https://img.shields.io/badge/skills-754-brightgreen?style=flat-square)](#whats-inside--26-security-domains)
[![Frameworks](https://img.shields.io/badge/frameworks-5-orange?style=flat-square)](#five-frameworks-one-skill-library)
[![Domains](https://img.shields.io/badge/domains-26-9cf?style=flat-square)](#whats-inside--26-security-domains)
[![Platforms](https://img.shields.io/badge/platforms-26%2B-blueviolet?style=flat-square)](#compatible-platforms)
[![GitHub stars](https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers)
[![GitHub forks](https://img.shields.io/github/forks/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/network/members)
[![Last Commit](https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/commits/main)
[![agentskills.io](https://img.shields.io/badge/standard-agentskills.io-ff6600?style=flat-square)](https://agentskills.io)
[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](CONTRIBUTING.md)
[![Playground](https://img.shields.io/badge/Playground-Casky.ai-blue)](https://casky.ai/?utm_source=github&utm_medium=readme&utm_campaign=cohort_launch#waitlist)
[![Hermes Agent](https://img.shields.io/badge/Hermes_Agent-compatible-blueviolet?style=flat)](https://github.com/NousResearch/hermes-agent)
**754 production-grade cybersecurity skills · 26 security domains · 5 framework mappings · 26+ AI platforms**
[Get Started](#quick-start) · [What's Inside](#whats-inside--26-security-domains) · [Frameworks](#five-frameworks-one-skill-library) · [Platforms](#compatible-platforms) · [Contributing](#contributing)
</div>
---
Anthropic Cybersecurity Skills gives every AI agent — from Claude Code to GitHub Copilot to your custom LangChain pipeline — instant access to **734+ production-grade cybersecurity skills** spanning 26 security domains. Each skill follows the [agentskills.io](https://agentskills.io) open standard: a YAML frontmatter header for lightning-fast discovery, a structured Markdown body for step-by-step execution, and reference files for deep technical context. The entire collection is mapped to **MITRE ATT&CK** (all 14 Enterprise tactics, 200+ techniques) and aligned to **NIST CSF 2.0** — giving AI agents the same structured knowledge that senior security practitioners carry in their heads. Install in one command and your agent immediately knows how to perform memory forensics, hunt for C2 beaconing, audit Kubernetes RBAC, reverse .NET malware, and hundreds more tasks.
> ⚠️ **Community Project** — This is an independent, community-created project. Not affiliated with Anthropic PBC.
## 📑 Table of contents
## Give any AI agent the security skills of a senior analyst
- [🚀 Quick start](#-quick-start--install-cybersecurity-skills-for-ai-agents)
- [🛡️ What's inside](#-whats-inside--734-cybersecurity-skills-across-26-domains)
- [🤖 Compatible platforms](#-compatible-ai-agent-platforms)
- [📐 Skill structure](#-skill-structure-and-agentskillsio-format)
- [🗺️ MITRE ATT&CK coverage](#-mitre-attck-and-nist-csf-20-coverage)
- [🧠 How AI agents use these skills](#-how-ai-agents-use-these-cybersecurity-skills)
- [📝 Example skills](#-example-cybersecurity-skills)
- [👥 Contributors](#-contributors)
- [🤝 Contributing](#-contributing-to-cybersecurity-ai-skills)
- [⭐ Star history](#-star-history)
- [🌐 Community](#-community)
- [📄 License](#-license)
A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. **Your AI agent doesn't — unless you give it these skills.**
---
This repo contains **754 structured cybersecurity skills** spanning **26 security domains**, each following the [agentskills.io](https://agentskills.io) open standard. Every skill is mapped to **five industry frameworks** — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF — making this the only open-source skills library with unified cross-framework coverage. Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.
## 🚀 Quick start — install cybersecurity skills for AI agents
## Five frameworks, one skill library
Get up and running in under 30 seconds. Choose your preferred method:
No other open-source skills library maps every skill to all five frameworks. One skill, five compliance checkboxes.
### Option 1 · npx (recommended)
| Framework | Version | Scope in this repo | What it maps |
|---|---|---|---|
| [MITRE ATT&CK](https://attack.mitre.org) | v19.1 | 15 tactics · 286 techniques | Adversary behaviors and TTPs |
| [NIST CSF 2.0](https://www.nist.gov/cyberframework) | 2.0 | 6 functions · 22 categories | Organizational security posture |
| [MITRE ATLAS](https://atlas.mitre.org) | v5.4 | 16 tactics · 84 techniques | AI/ML adversarial threats |
| [MITRE D3FEND](https://d3fend.mitre.org) | v1.3 | 7 categories · 267 techniques | Defensive countermeasures |
| [NIST AI RMF](https://airc.nist.gov/AI_RMF) | 1.0 | 4 functions · 72 subcategories | AI risk management |
**Example — a single skill maps across all five:**
| Skill | ATT&CK | NIST CSF | ATLAS | D3FEND | AI RMF |
|---|---|---|---|---|---|
| `analyzing-network-traffic-of-malware` | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 |
### MITRE ATT&CK v19.1 — 754/754 skills mapped
Every skill carries a `mitre_attack` frontmatter list validated against **MITRE ATT&CK v19.1** (the latest release) using the official `mitreattack-python` library — 286 distinct techniques across all 15 Enterprise tactics, plus ICS and Mobile techniques where relevant. Zero revoked or deprecated IDs. v19.1's restructured Defense Evasion (now split into **Stealth** and **Defense Impairment**) is reflected below.
| Tactic | ID | Skills |
|--------|----|--------|
| Reconnaissance | TA0043 | 103 |
| Resource Development | TA0042 | 22 |
| Initial Access | TA0001 | 467 |
| Execution | TA0002 | 350 |
| Persistence | TA0003 | 444 |
| Privilege Escalation | TA0004 | 464 |
| Stealth | TA0005 | 442 |
| Defense Impairment | TA0112 | 92 |
| Credential Access | TA0006 | 202 |
| Discovery | TA0007 | 237 |
| Lateral Movement | TA0008 | 68 |
| Collection | TA0009 | 172 |
| Command and Control | TA0011 | 123 |
| Exfiltration | TA0010 | 82 |
| Impact | TA0040 | 50 |
## Quick start
```bash
# Option 1: npx (recommended)
npx skills add mukul975/Anthropic-Cybersecurity-Skills
```
### Option 2 · Claude Code plugin marketplace
```
/plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills
```
### Option 3 · Manual clone
```bash
# Option 2: Git clone
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
cd Anthropic-Cybersecurity-Skills
```
> **That's it.** Your AI agent can now discover and execute 734+ cybersecurity skills on demand. No configuration, no API keys, no setup scripts.
Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any [agentskills.io](https://agentskills.io)-compatible platform.
---
## 🌍 GARS-2026 — Global Agentic AI Readiness Survey
## 🛡️ What's inside — 734+ cybersecurity skills across 26 domains
I'm running a global academic study measuring how ready security professionals,
developers, and enterprise teams actually are for agentic AI — MCP servers,
tool calling, governance, and human-in-the-loop workflows.
Every skill is a self-contained directory with structured workflows, reference materials, helper scripts, and validation steps. Here are the top 16 domains:
**If you use this repo, your response would be a genuinely valuable data point.**
| Domain | Skills | Example capabilities |
|:-------|:------:|:---------------------|
| ☁️ **Cloud Security** | **48** | AWS S3 bucket audit, Azure AD config review, GCP IAM assessment |
| 🌐 **Web Application Security** | **45** | HTTP request smuggling, XSS with Burp Suite, web cache poisoning |
| 🔌 **Network Security** | **41** | Wireshark traffic analysis, VLAN segmentation, Suricata IDS tuning |
| 🎯 **Penetration Testing** | **38** | Active Directory exploitation, OSCP-style methodology, pivoting |
| 🔴 **Red Teaming** | **35** | Cobalt Strike operations, LOTL techniques, evasion & persistence |
| 🔍 **DFIR** | **32** | Disk imaging, memory forensics with Volatility3, browser forensics |
| 🦠 **Malware Analysis** | **28** | Ghidra reverse engineering, YARA rules, .NET decompilation |
| 📡 **Threat Intelligence** | **26** | APT group analysis with MITRE Navigator, campaign attribution |
| ☸️ **Cloud Native / Kubernetes** | **24** | etcd security assessment, pod security policies, RBAC audit |
| 📋 **Compliance & Governance** | **22** | PCI DSS scoping, SOC 2 readiness, GDPR data mapping |
| 🔑 **IAM Security** | **20** | SAML SSO with Okta, PAM deployment, service account hardening |
| 🔐 **Cryptography** | **18** | TLS configuration audit, certificate lifecycle, key management |
| 🏰 **Zero Trust** | **16** | Microsegmentation, BeyondCorp implementation, continuous verification |
| 🏭 **OT / ICS Security** | **14** | SCADA monitoring, Modbus anomaly detection, Purdue model |
| 🔧 **DevSecOps** | **12** | Pipeline security gates, SAST/DAST integration, IaC scanning |
| 🕵️ **OSINT** | **15** | Domain reconnaissance, social engineering recon, dark web monitoring |
| **Additional domains (10+)** | **300+** | SOC operations, API security, endpoint security, phishing defense, ransomware defense, mobile security, deception technology, and more |
| | **734+** | **Total skills across 26 domains** |
📋 **Take the survey (10 min):**
[Survey Link](https://mahipal.engineer/survey?utm_source=github_repo&utm_medium=readme&utm_campaign=gars2026)
---
- 60 questions · Anonymous · Supervised by SRH Berlin
- You get **50 Casky Tokens** for early access to [casky.ai](https://casky.ai)
- Results published open access under CC-BY 4.0
## 🤖 Compatible AI agent platforms
## 🚀 Try it on the Playground
Skills follow the [agentskills.io](https://agentskills.io) open standard — **write once, use everywhere**. Any platform that reads `SKILL.md` files with YAML frontmatter works out of the box.
Experience Casky.ai hands-on — no setup required.
### AI code assistants
**[→ Launch Playground on Casky.ai](https://casky.ai/?utm_source=github&utm_medium=readme&utm_campaign=cohort_launch#waitlist)**
| Platform | Status | Install method |
|:---------|:------:|:---------------|
| **Claude Code** (Anthropic) | ✅ | `/plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills` |
| **GitHub Copilot** (Microsoft) | ✅ | Place in `.github/skills` directory |
| **Cursor** | ✅ | `npx skills add` or manual clone |
| **Windsurf** | ✅ | `npx skills add` or manual clone |
| **Cline** | ✅ | `npx skills add` or manual clone |
| **Aider** | ✅ | `npx skills add` or manual clone |
| **Continue** | ✅ | `npx skills add` or manual clone |
| **Roo Code** | ✅ | `npx skills add` or manual clone |
| **Amazon Q Developer** | ✅ | `npx skills add` or manual clone |
| **Tabnine** | ✅ | `npx skills add` or manual clone |
| **Sourcegraph Cody** | ✅ | `npx skills add` or manual clone |
| **JetBrains AI** | ✅ | `npx skills add` or manual clone |
The playground lets you:
- Run live cybersecurity skill exercises against real targets
- See AI agents execute structured skills in real time
- Explore MITRE ATT&CK mapped workflows interactively
- Test threat hunting, DFIR, and penetration testing scenarios
### CLI agents
No installation. No configuration. Just open and start.
## Why this exists
| Platform | Status | Install method |
|:---------|:------:|:---------------|
| **OpenAI Codex CLI** | ✅ | `npx skills add` — reads from `~/.codex/skills` |
| **Gemini CLI** (Google) | ✅ | `npx skills add` or manual clone |
The cybersecurity workforce gap hit **4.8 million unfilled roles** globally in 2024 (ISC2). AI agents can help close that gap — but only if they have structured domain knowledge to work from. Today's agents can write code and search the web, but they lack the practitioner playbooks that turn a generic LLM into a capable security analyst.
### Autonomous agents
Existing security tool repos give you wordlists, payloads, or exploit code. None of them give an AI agent the structured decision-making workflow a senior analyst follows: when to use each technique, what prerequisites to check, how to execute step-by-step, and how to verify results. That is the gap this project fills.
| Platform | Status | Install method |
|:---------|:------:|:---------------|
| **Devin** | ✅ | Point to cloned skill directory |
| **Replit Agent** | ✅ | Import via repo URL |
| **SWE-agent** | ✅ | Mount skill directory |
| **OpenHands** | ✅ | Mount skill directory |
**Anthropic Cybersecurity Skills** is not a collection of scripts or checklists. It is an **AI-native knowledge base** built from the ground up for the agentskills.io standard — YAML frontmatter for sub-second discovery, structured Markdown for step-by-step execution, and reference files for deep technical context. Every skill encodes real practitioner workflows, not generated summaries.
### Agent frameworks & SDKs
## What's inside — 26 security domains
| Platform | Status | Install method |
|:---------|:------:|:---------------|
| **LangChain** | | Load `SKILL.md` files as tool descriptions |
| **CrewAI** | | Load as agent knowledge base |
| **AutoGen** | | Load as agent knowledge base |
| **Semantic Kernel** | | Load as plugins |
| **Haystack** | | Ingest via document store |
| **Vercel AI SDK** | | Load as tool definitions |
| **Any MCP-compatible agent** | | Via MCP tool integration |
| Domain | Skills | Key capabilities |
|---|---|---|
| Cloud Security | 60 | AWS, Azure, GCP hardening · CSPM · cloud forensics |
| Threat Hunting | 55 | Hypothesis-driven hunts · LOTL detection · behavioral analytics |
| Threat Intelligence | 50 | STIX/TAXII · MISP · feed integration · actor profiling |
| Web Application Security | 42 | OWASP Top 10 · SQLi · XSS · SSRF · deserialization |
| Network Security | 40 | IDS/IPS · firewall rules · VLAN segmentation · traffic analysis |
| Malware Analysis | 39 | Static/dynamic analysis · reverse engineering · sandboxing |
| Digital Forensics | 37 | Disk imaging · memory forensics · timeline reconstruction |
| Security Operations | 36 | SIEM correlation · log analysis · alert triage |
| Identity & Access Management | 35 | IAM policies · PAM · zero trust identity · Okta · SailPoint |
| SOC Operations | 33 | Playbooks · escalation workflows · metrics · tabletop exercises |
| Container Security | 30 | K8s RBAC · image scanning · Falco · container forensics |
| OT/ICS Security | 28 | Modbus · DNP3 · IEC 62443 · historian defense · SCADA |
| API Security | 28 | GraphQL · REST · OWASP API Top 10 · WAF bypass |
| Vulnerability Management | 25 | Nessus · scanning workflows · patch prioritization · CVSS |
| Incident Response | 25 | Breach containment · ransomware response · IR playbooks |
| Red Teaming | 24 | Full-scope engagements · AD attacks · phishing simulation |
| Penetration Testing | 23 | Network · web · cloud · mobile · wireless pentesting |
| Endpoint Security | 17 | EDR · LOTL detection · fileless malware · persistence hunting |
| DevSecOps | 17 | CI/CD security · code signing · Terraform auditing |
| Phishing Defense | 16 | Email authentication · BEC detection · phishing IR |
| Cryptography | 14 | TLS · Ed25519 · certificate transparency · key management |
| Zero Trust Architecture | 13 | BeyondCorp · CISA maturity model · microsegmentation |
| Mobile Security | 12 | Android/iOS analysis · mobile pentesting · MDM forensics |
| Ransomware Defense | 7 | Precursor detection · response · recovery · encryption analysis |
| Compliance & Governance | 5 | CIS benchmarks · SOC 2 · regulatory frameworks |
| Deception Technology | 2 | Honeytokens · breach detection canaries |
---
## How AI agents use these skills
## 📐 Skill structure and agentskills.io format
Each skill costs **~30 tokens to scan** (frontmatter only) and **5002,000 tokens to fully load** (complete workflow). This progressive disclosure architecture lets agents search all 754 skills in a single pass without blowing context windows.
Every skill lives in its own directory under `skills/` and follows a consistent structure:
```
User prompt: "Analyze this memory dump for signs of credential theft"
Agent's internal process:
1. Scans 754 skill frontmatters (~30 tokens each)
→ identifies 12 relevant skills by matching tags, description, domain
2. Loads top 3 matches:
• performing-memory-forensics-with-volatility3
• hunting-for-credential-dumping-lsass
• analyzing-windows-event-logs-for-credential-access
3. Executes the structured Workflow section step-by-step
→ runs Volatility3 plugins, checks LSASS access patterns,
correlates with event log evidence
4. Validates results using the Verification section
→ confirms IOCs, maps findings to ATT&CK T1003 (Credential Dumping)
```
**Without these skills**, the agent guesses at tool commands and misses critical steps. **With them**, it follows the same playbook a senior DFIR analyst would use.
## Skill anatomy
Every skill follows a consistent directory structure:
```
skills/performing-memory-forensics-with-volatility3/
├── SKILL.md # Skill definition (YAML frontmatter + Markdown body)
│ ├── Frontmatter # → name, description, domain, subdomain, tags
│ ├── When to Use # → Trigger conditions for AI agents
│ ├── Prerequisites # → Required tools, access, environment
│ ├── Workflow # → Step-by-step execution guide
│ └── Verification # → How to confirm success
├── SKILL.md Skill definition (YAML frontmatter + Markdown body)
├── references/
│ ├── standards.md # NIST, MITRE ATT&CK, CVE references
│ └── workflows.md # Deep technical procedure reference
│ ├── standards.md MITRE ATT&CK, ATLAS, D3FEND, NIST mappings
│ └── workflows.md Deep technical procedure reference
├── scripts/
│ └── process.py # Practitioner helper scripts
│ └── process.py ← Working helper scripts
└── assets/
└── template.md # Checklists, report templates
└── template.md ← Filled-in checklists and report templates
```
### YAML frontmatter (the discovery layer)
### YAML frontmatter (real example)
```yaml
---
name: performing-memory-forensics-with-volatility3
description: >-
Analyze memory dumps to extract running processes, network connections,
injected code, and malware artifacts using Volatility3 framework.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
version: "1.0"
author: mukul975
license: Apache-2.0
---
```
**Required fields:** `name` (kebab-case, 164 chars), `description` (keyword-rich for agent discovery), `domain`, `subdomain`, `tags`
**Optional fields:** `version`, `author`, `license`
---
## 🗺️ MITRE ATT&CK and NIST CSF 2.0 coverage
This collection provides **comprehensive coverage** of the two most widely adopted cybersecurity frameworks in the industry.
### MITRE ATT&CK Enterprise
All **14 Enterprise tactics** are covered, with skills mapped to **200+ individual techniques**:
| Tactic | Coverage | Example skills |
|:-------|:--------:|:---------------|
| Reconnaissance | ✅ | OSINT gathering, domain enumeration, social engineering recon |
| Resource Development | ✅ | Infrastructure profiling, certificate analysis |
| Initial Access | ✅ | Phishing analysis, exploit detection, supply chain review |
| Execution | ✅ | Script analysis, command-line forensics, scheduled task audit |
| Persistence | ✅ | Registry analysis, startup item review, implant detection |
| Privilege Escalation | ✅ | Token manipulation detection, UAC bypass analysis |
| Defense Evasion | ✅ | Process injection detection, obfuscation analysis |
| Credential Access | ✅ | Credential dumping detection, Kerberoasting defense |
| Discovery | ✅ | Network scanning detection, AD enumeration monitoring |
| Lateral Movement | ✅ | Pass-the-hash detection, RDP abuse monitoring |
| Collection | ✅ | Data staging detection, screen capture forensics |
| Command and Control | ✅ | C2 beaconing detection, DNS tunneling analysis |
| Exfiltration | ✅ | Data transfer monitoring, covert channel detection |
| Impact | ✅ | Ransomware response, data destruction forensics |
### NIST CSF 2.0 alignment
Every skill maps to one or more **NIST Cybersecurity Framework 2.0** functions:
- **Identify (ID)** — Asset management, risk assessment, governance skills
- **Protect (PR)** — Access control, awareness training, data security skills
- **Detect (DE)** — Anomaly detection, continuous monitoring, event analysis skills
- **Respond (RS)** — Incident response, mitigation, communication skills
- **Recover (RC)** — Recovery planning, improvement, communication skills
> An ATT&CK Navigator layer file is included in the v1.0.0 release for visual coverage mapping.
---
## 🧠 How AI agents use these cybersecurity skills
Skills use a **progressive disclosure pattern** that minimizes token usage while maximizing agent capability. Here's what happens when you ask your AI agent to "analyze this memory dump for signs of compromise":
### Stage 1 · Discovery (~3050 tokens per skill)
The agent scans **only YAML frontmatter** across all 734+ skills. Each scan costs ~3050 tokens — the entire collection can be indexed for under 40K tokens. The agent matches your task against `name`, `description`, `subdomain`, and `tags` fields to find relevant skills.
```yaml
# Agent reads ONLY this:
name: performing-memory-forensics-with-volatility3
description: Analyze memory dumps to extract processes, network connections, and malware artifacts using Volatility3.
subdomain: digital-forensics
tags: [forensics, memory-analysis, volatility3, incident-response]
```
### Stage 2 · Full workflow load (~200500 tokens)
Once a skill matches, the agent loads the **complete `SKILL.md` body** — trigger conditions, prerequisites, step-by-step workflow, and verification checks. This gives the agent a structured playbook to follow.
### Stage 3 · Deep reference access (on demand)
For complex tasks, the agent pulls in **supporting files** from `references/`, `scripts/`, and `assets/` — NIST standards mappings, detailed technical procedures, helper scripts, and report templates. These files are loaded only when the agent needs deeper context.
> **Result:** Irrelevant skills cost ~30 tokens. Relevant skills provide complete, structured, expert-level guidance. No wasted context window.
---
## 📝 Example cybersecurity skills
<details>
<summary><b>🔍 Memory forensics with Volatility3</b> — DFIR domain</summary>
````yaml
---
name: performing-memory-forensics-with-volatility3
description: >-
Analyze memory dumps to extract running processes, network connections,
injected code, and malware artifacts using the Volatility3 framework.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
version: "1.0"
atlas_techniques: [AML.T0047]
d3fend_techniques: [D3-MA, D3-PSMD]
nist_ai_rmf: [MEASURE-2.6]
nist_csf: [DE.CM-01, RS.AN-03]
version: "1.2"
author: mukul975
license: Apache-2.0
---
```
### Markdown body sections
```markdown
## When to Use
- Incident responder needs to analyze a memory dump from a compromised host
- Investigating potential malware infection or lateral movement
- Extracting indicators of compromise (IOCs) from volatile memory
- Identifying injected code, hidden processes, or rootkit activity
- Memory dump file (.raw, .mem, .dmp, .vmem) is available for analysis
Trigger conditions — when should an AI agent activate this skill?
## Prerequisites
- **Volatility3** installed (`pip install volatility3`)
- Memory dump file acquired from target system
- **Python 3.8+** runtime environment
- Symbol tables for target OS (auto-downloaded by Volatility3)
- Sufficient disk space for analysis output (~2x memory dump size)
Required tools, access levels, and environment setup.
## Workflow
### Step 1 — Identify the operating system profile
Run the banner and `windows.info` (or `linux.info` / `mac.info`) plugin to
auto-detect the OS version and confirm the dump is valid:
```bash
vol -f memory.raw windows.info
```
### Step 2 — List running processes
Extract the process tree to identify suspicious or unexpected processes:
```bash
vol -f memory.raw windows.pslist
vol -f memory.raw windows.pstree
vol -f memory.raw windows.psscan # Finds hidden/unlinked processes
```
Look for: unusual parent-child relationships, processes with suspicious names,
processes running from temp directories, unsigned executables.
### Step 3 — Analyze network connections
Extract active and closed network connections:
```bash
vol -f memory.raw windows.netscan
vol -f memory.raw windows.netstat
```
Flag: connections to known-bad IPs, unusual ports (4444, 8443, 1337),
beaconing patterns, connections from non-browser processes.
### Step 4 — Detect code injection
Scan for injected code in process memory:
```bash
vol -f memory.raw windows.malfind
```
Review output for: PAGE_EXECUTE_READWRITE memory regions, MZ headers in
non-image regions, shellcode signatures, hollow process indicators.
### Step 5 — Extract artifacts
Dump suspicious processes, DLLs, and drivers for further analysis:
```bash
vol -f memory.raw windows.dumpfiles --pid <PID>
vol -f memory.raw windows.dlllist --pid <PID>
vol -f memory.raw windows.handles --pid <PID>
```
### Step 6 — Check persistence mechanisms
Examine registry hives and services loaded in memory:
```bash
vol -f memory.raw windows.registry.hivelist
vol -f memory.raw windows.svcscan
vol -f memory.raw windows.cmdline
```
Step-by-step execution guide with specific commands and decision points.
## Verification
How to confirm the skill was executed successfully.
```
- [ ] OS profile correctly identified and dump validated
- [ ] Complete process tree exported and anomalies flagged
- [ ] Network connections reviewed and suspicious IPs documented
- [ ] Malfind output reviewed — injected code regions identified
- [ ] Suspicious binaries dumped for downstream malware analysis
- [ ] IOCs extracted (IPs, domains, file hashes, mutex names)
- [ ] Findings documented in incident report with timestamps
````
Frontmatter fields: `name` (kebab-case, 164 chars), `description` (keyword-rich for agent discovery), `domain`, `subdomain`, `tags`, `atlas_techniques` (MITRE ATLAS IDs), `d3fend_techniques` (MITRE D3FEND IDs), `nist_ai_rmf` (NIST AI RMF references), `nist_csf` (NIST CSF 2.0 categories). MITRE ATT&CK technique mappings are documented in each skill's `references/standards.md` file and in the ATT&CK Navigator layer included with releases.
<details>
<summary><strong>📊 MITRE ATT&CK Enterprise coverage — all 14 tactics</strong></summary>
&nbsp;
| Tactic | ID | Coverage | Key skills |
|---|---|---|---|
| Reconnaissance | TA0043 | Strong | OSINT, subdomain enumeration, DNS recon |
| Resource Development | TA0042 | Moderate | Phishing infrastructure, C2 setup detection |
| Initial Access | TA0001 | Strong | Phishing simulation, exploit detection, forced browsing |
| Execution | TA0002 | Strong | PowerShell analysis, fileless malware, script block logging |
| Persistence | TA0003 | Strong | Scheduled tasks, registry, service accounts, LOTL |
| Privilege Escalation | TA0004 | Strong | Kerberoasting, AD attacks, cloud privilege escalation |
| Defense Evasion | TA0005 | Strong | Obfuscation, rootkit analysis, evasion detection |
| Credential Access | TA0006 | Strong | Mimikatz detection, pass-the-hash, credential dumping |
| Discovery | TA0007 | Moderate | BloodHound, AD enumeration, network scanning |
| Lateral Movement | TA0008 | Strong | SMB exploits, lateral movement detection with Splunk |
| Collection | TA0009 | Moderate | Email forensics, data staging detection |
| Command and Control | TA0011 | Strong | C2 beaconing, DNS tunneling, Cobalt Strike analysis |
| Exfiltration | TA0010 | Strong | DNS exfiltration, DLP controls, data loss detection |
| Impact | TA0040 | Strong | Ransomware defense, encryption analysis, recovery |
An **ATT&CK Navigator layer file** is included in the [v1.0.0 release assets](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) for visual coverage mapping.
> **Note:** ATT&CK v19 lands April 28, 2026 — splitting Defense Evasion (TA0005) into two new tactics: *Stealth* and *Impair Defenses*. Skill mappings will be updated in a forthcoming release.
</details>
<details>
<summary><b>🦠 Reverse engineering .NET malware with dnSpy</b>Malware Analysis domain</summary>
<summary><strong>📊 NIST CSF 2.0 alignment — all 6 functions</strong></summary>
````yaml
---
name: analyzing-dotnet-malware-with-dnspy
description: >-
Decompile, analyze, and extract IOCs from .NET-based malware samples
using dnSpy for static analysis and behavioral understanding.
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, reverse-engineering, dotnet, dnspy, static-analysis]
version: "1.0"
author: mukul975
license: Apache-2.0
---
&nbsp;
## When to Use
| Function | Skills | Examples |
|---|---|---|
| **Govern (GV)** | 30+ | Risk strategy, policy frameworks, roles & responsibilities |
| **Identify (ID)** | 120+ | Asset discovery, threat landscape assessment, risk analysis |
| **Protect (PR)** | 150+ | IAM hardening, WAF rules, zero trust, encryption |
| **Detect (DE)** | 200+ | Threat hunting, SIEM correlation, anomaly detection |
| **Respond (RS)** | 160+ | Incident response, forensics, breach containment |
| **Recover (RC)** | 40+ | Ransomware recovery, BCP, disaster recovery |
- Triaging a suspected .NET malware sample (.exe or .dll compiled with CLR)
- Extracting hardcoded C2 URLs, encryption keys, or configuration data
- Understanding malware behavior before dynamic analysis
- Analyzing obfuscated .NET payloads (ConfuserEx, SmartAssembly, etc.)
- Building detection signatures (YARA, Sigma) from decompiled source
## Prerequisites
- **dnSpy** (or dnSpyEx fork) installed on analysis workstation
- Isolated malware analysis environment (VM with snapshots)
- **PE analysis tool** (CFF Explorer, PE-bear, or pestudio) for initial triage
- **de4dot** for automated .NET deobfuscation
- Sample SHA256 hash documented before analysis begins
- Network monitoring tools (Wireshark/FakeNet-NG) for dynamic validation
## Workflow
### Step 1 — Initial triage and environment setup
Confirm the sample is a .NET assembly before opening in dnSpy:
```bash
# Check for CLR metadata
file sample.exe
# Look for .NET version string, mscoree.dll import
pestudio sample.exe
```
Take a VM snapshot. Disable network adapters. Document sample hash.
### Step 2 — Deobfuscate if protected
Many .NET malware families use obfuscation. Run de4dot first:
```bash
de4dot sample.exe -o sample_clean.exe
```
Check output log for identified obfuscator (ConfuserEx, Dotfuscator,
SmartAssembly, Babel, Eazfuscator). If de4dot fails, note the packer
for manual unpacking in dnSpy.
### Step 3 — Load and explore in dnSpy
Open the cleaned binary in dnSpy. Start with high-level reconnaissance:
1. **Assembly Explorer** — Review namespaces, classes, entry point
2. **Entry point** (`Main()` or module initializer) — Trace execution flow
3. **Resources** — Check for embedded payloads, encrypted configs
4. **String references** — Search for URLs, IP addresses, registry keys
5. **References** — Note any P/Invoke calls (Win32 API) indicating native interaction
### Step 4 — Identify C2 infrastructure and configuration
Search decompiled source for network indicators:
- Hardcoded URLs, IP addresses, domain names
- Base64-encoded strings (decode in CyberChef)
- XOR / AES decryption routines with embedded keys
- HTTP User-Agent strings, custom headers
- Registry keys or file paths used for persistence
Set breakpoints in dnSpy debugger at decryption functions to capture
plaintext config at runtime if static extraction fails.
### Step 5 — Map capabilities to MITRE ATT&CK
Document each observed capability:
- **Execution method** — Process injection, scheduled tasks, WMI
- **Persistence** — Registry Run keys, startup folder, services
- **Credential access** — Browser credential theft, keylogging
- **Exfiltration** — HTTP POST, DNS tunneling, cloud storage APIs
- **Evasion** — Anti-VM checks, sleep timers, sandbox detection
### Step 6 — Extract IOCs and build detections
Compile all indicators into a structured IOC list:
```
# Network IOCs
C2: https://evil-domain[.]com/gate.php
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0)
DNS: ns1.malware-c2[.]net
# Host IOCs
Mutex: Global\{GUID-HERE}
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost
File: %APPDATA%\svchost.exe (SHA256: abc123...)
```
Write YARA rule targeting unique strings or byte patterns.
## Verification
- [ ] Sample identified as .NET assembly and hash documented
- [ ] Deobfuscation attempted — obfuscator identified and handled
- [ ] Entry point traced — full execution flow mapped
- [ ] C2 infrastructure extracted (URLs, IPs, domains, ports)
- [ ] Encryption keys / decryption routines documented
- [ ] Capabilities mapped to MITRE ATT&CK techniques
- [ ] IOC list exported in structured format (STIX, OpenIOC, or CSV)
- [ ] YARA detection rule written and tested against sample
````
NIST CSF 2.0 (February 2024) added the **Govern** function and expanded scope from critical infrastructure to all organizations. Skill mappings align to all 22 categories and reference 106 subcategories.
</details>
---
<details>
<summary><strong>📊 Framework deep dive — ATLAS, D3FEND, AI RMF</strong></summary>
## 👥 Contributors
&nbsp;
Thanks to these wonderful people for building the largest open-source cybersecurity skills collection:
### MITRE ATLAS v5.4 — AI/ML adversarial threats
ATLAS maps adversarial tactics, techniques, and case studies specific to AI and machine learning systems. Version 5.4 covers **16 tactics and 84 techniques** including agentic AI attack vectors added in late 2025: AI agent context poisoning, tool invocation abuse, MCP server compromises, and malicious agent deployment. Skills mapped to ATLAS help agents identify and defend against threats to ML pipelines, model weights, inference APIs, and autonomous workflows.
<!-- ALL-CONTRIBUTORS-LIST:START -->
<table>
<tr>
<td align="center">
<a href="https://github.com/mukul975">
<img src="https://avatars.githubusercontent.com/u/42860185?v=4" width="100px;" alt="mukul975" /><br />
<sub><b>mukul975</b></sub>
</a><br />
💻 📖 🚧 🎨
</td>
<td align="center">
<a href="https://github.com/Systech2021-1952">
<img src="https://avatars.githubusercontent.com/u/151213461?v=4" width="100px;" alt="Systech2021-1952" /><br />
<sub><b>Systech2021-1952</b></sub>
</a><br />
💻 🌍
</td>
</tr>
</table>
<!-- ALL-CONTRIBUTORS-LIST:END -->
### MITRE D3FEND v1.3 — Defensive countermeasures
D3FEND is an NSA-funded knowledge graph of **267 defensive techniques** organized across 7 tactical categories: Model, Harden, Detect, Isolate, Deceive, Evict, and Restore. Built on OWL 2 ontology, it uses a shared Digital Artifact layer to bidirectionally map defensive countermeasures to ATT&CK offensive techniques. Skills tagged with D3FEND identifiers let agents recommend specific countermeasures for detected threats.
Want to see your name here? Check out the [contributing guide](#-contributing-to-cybersecurity-ai-skills) below.
### NIST AI RMF 1.0 + GenAI Profile (AI 600-1)
The AI Risk Management Framework defines 4 core functions — Govern, Map, Measure, Manage — with **72 subcategories** for trustworthy AI development. The GenAI Profile (AI 600-1, July 2024) adds **12 risk categories** specific to generative AI, from confabulation and data privacy to prompt injection and supply chain risks. Colorado's AI Act (effective February 2026) provides a **legal safe harbor** for organizations complying with NIST AI RMF, making these mappings directly relevant to regulatory compliance.
</details>
## Compatible platforms
**AI code assistants**
Claude Code (Anthropic) · GitHub Copilot (Microsoft) · Cursor · Windsurf · Cline · Aider · Continue · Roo Code · Amazon Q Developer · Tabnine · Sourcegraph Cody · JetBrains AI
**CLI agents**
OpenAI Codex CLI · Gemini CLI (Google)
**Autonomous agents**
Devin · Replit Agent · SWE-agent · OpenHands
**Agent frameworks & SDKs**
LangChain · CrewAI · AutoGen · Semantic Kernel · Haystack · Vercel AI SDK · Any MCP-compatible agent
All platforms that support the [agentskills.io](https://agentskills.io) standard can load these skills with zero configuration.
## What people are saying
> *"A database of real, organized security skills that any AI agent can plug into and use. Not tutorials. Not blog posts."*
> — **[Hasan Toor (@hasantoxr)](https://x.com/hasantoxr/status/2033193922349179249)**, AI/tech creator
> *"This is not a random collection of security scripts. It's a structured operational knowledge base designed for AI-driven security workflows."*
> — **[fazal-sec](https://fazal-sec.medium.com/claude-skills-ai-powered-cybersecurity-the-complete-guide-to-building-intelligent-security-7bb7e9d14c8e)**, Medium
## Featured in
| Where | Type | Link |
|---|---|---|
| **awesome-agent-skills** | Awesome List (1,000+ skills index) | [VoltAgent/awesome-agent-skills](https://github.com/VoltAgent/awesome-agent-skills) |
| **awesome-ai-security** | Awesome List (AI security tools) | [ottosulin/awesome-ai-security](https://github.com/ottosulin/awesome-ai-security) |
| **awesome-codex-cli** | Awesome List (Codex CLI resources) | [RoggeOhta/awesome-codex-cli](https://github.com/RoggeOhta/awesome-codex-cli) |
| **SkillsLLM** | Skills directory & marketplace | [skillsllm.com/skill/anthropic-cybersecurity-skills](https://skillsllm.com/skill/anthropic-cybersecurity-skills) |
| **Openflows** | Signal analysis & tracking | [openflows.org](https://openflows.org/currency/currents/anthropic-cybersecurity-skills/) |
| **NeverSight skills_feed** | Automated skills index | [NeverSight/skills_feed](https://github.com/NeverSight/skills_feed) |
## Star history
<a href="https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date">
<picture>
<source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date&theme=dark" />
<source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date" />
<img alt="Star History Chart" src="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date" width="100%" />
</picture>
</a>
## Releases
| Version | Date | Highlights |
|---|---|---|
| [v1.0.0](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) | March 11, 2026 | 734 skills · 26 domains · MITRE ATT&CK + NIST CSF 2.0 mapping · ATT&CK Navigator layer |
Skills have continued to grow on `main` since v1.0.0 — the library now contains **754 skills** with **5-framework mapping** (MITRE ATLAS, D3FEND, and NIST AI RMF added post-release). Check [Releases](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases) for the latest tagged version.
## Contributing
This project grows through community contributions. Here is how to get involved:
**Add a new skill** — Domains like Deception Technology (2 skills) and Compliance & Governance (5 skills) need the most help. Follow the template in [CONTRIBUTING.md](CONTRIBUTING.md) and submit a PR with the title `Add skill: your-skill-name`.
**Improve existing skills** — Add framework mappings, fix workflows, update tool references, or contribute scripts and templates.
**Report issues** — Found an inaccurate procedure or broken script? [Open an issue](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues).
Every PR is reviewed for technical accuracy and agentskills.io standard compliance within 48 hours. Check [good first issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) for a starting point.
This project follows the [Contributor Covenant](https://www.contributor-covenant.org/). By participating, you agree to uphold this code.
## Community
💬 [Discussions](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) — Questions, ideas, and roadmap conversations
🐛 [Issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues) — Bug reports and feature requests
🔒 [Security Policy](SECURITY.md) — Responsible disclosure process (48-hour acknowledgment)
## Citation
If you use this project in research or publications:
```bibtex
@software{anthropic_cybersecurity_skills,
author = {Jangra, Mahipal},
title = {Anthropic Cybersecurity Skills},
year = {2026},
url = {https://github.com/mukul975/Anthropic-Cybersecurity-Skills},
license = {Apache-2.0},
note = {754 structured cybersecurity skills for AI agents,
mapped to MITRE ATT\&CK, NIST CSF 2.0, MITRE ATLAS,
MITRE D3FEND, and NIST AI RMF}
}
```
## License
This project is licensed under the [Apache License 2.0](LICENSE). You are free to use, modify, and distribute these skills in both personal and commercial projects.
---
## 🤝 Contributing to cybersecurity AI skills
<div align="center">
This project hit **3.5k stars in two weeks** — the community momentum is real. With **328 forks**, **9 open PRs**, and security professionals from around the world getting involved, now is the perfect time to contribute.
**If this project helps your security work, consider giving it a ⭐**
We welcome four types of contributions:
[⭐ Star](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers) · [🍴 Fork](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/fork) · [💬 Discuss](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) · [📝 Contribute](CONTRIBUTING.md)
| Type | Description | Good for |
|:-----|:------------|:---------|
| 🆕 **New skills** | Add skills for uncovered techniques or domains | Security practitioners, pen testers, IR analysts |
| 📖 **Improve existing skills** | Enhance workflows, add edge cases, fix errors | Anyone who uses the skills and spots improvements |
| 🌍 **Translations & i18n** | Help make skills accessible to non-English speakers | Multilingual security professionals |
| 🐛 **Bug reports & feedback** | Report issues, suggest improvements, review PRs | Everyone — all experience levels welcome |
Community project by [@mukul975](https://github.com/mukul975). Not affiliated with Anthropic PBC.
### How to get started
1. **Browse [open issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues)** — look for `good first issue` and `help wanted` labels
2. **Read [`CONTRIBUTING.md`](CONTRIBUTING.md)** for the full skill template and submission guidelines
3. **Fork the repo**, create your skill directory under `skills/`, and submit a PR
4. **Title format:** `Add skill: your-skill-name-here`
> Every PR gets reviewed for technical accuracy and consistency with the agentskills.io standard. We aim to review within 48 hours.
---
## ⭐ Star history
[![Star History Chart](https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date)](https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date)
---
## 🌐 Community
<p align="center">
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers">⭐ Star this repo</a> ·
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/fork">🍴 Fork it</a> ·
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions">💬 Discuss</a> ·
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new">📝 Open an issue</a>
</p>
If this project saves you time or makes your AI agent more capable, **give it a ⭐** — it helps others discover these skills and keeps the community growing.
---
## 📄 License
This project is licensed under the **Apache License 2.0** — see the [`LICENSE`](LICENSE) file for details.
You are free to use, modify, and distribute these skills in both personal and commercial projects. Attribution is appreciated but not required.
---
<p align="center">
<sub>
<b>⚠️ Disclaimer:</b> This is an independent, community-created project. <b>Not affiliated with Anthropic PBC.</b><br/>
"Anthropic" in the repository name refers to compatibility with the <a href="https://agentskills.io">agentskills.io</a> open standard,<br/>
not official Anthropic endorsement or affiliation. All trademarks belong to their respective owners.
</sub>
</p>
</div>
index.json
+1 -1
View File
File diff suppressed because one or more lines are too long
mappings/mitre-attack/coverage-summary.md
+1 -1
View File
@@ -1,6 +1,6 @@
# ATT&CK Coverage Summary
Coverage analysis of the 607 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
Coverage analysis of the 753 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
## Tactic Coverage Matrix
skills/acquiring-disk-image-with-dd-and-dcfldd/SKILL.md
+20 -3
View File
@@ -1,12 +1,29 @@
---
name: acquiring-disk-image-with-dd-and-dcfldd
description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
description: Create forensically sound bit-for-bit disk images using dd and dcfldd
while preserving evidence integrity through hash verification.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, disk-imaging, evidence-acquisition, dd, dcfldd, hash-verification]
version: "1.0"
tags:
- forensics
- disk-imaging
- evidence-acquisition
- dd
- dcfldd
- hash-verification
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1006
- T1005
- T1025
- T1074.001
---
# Acquiring Disk Image with dd and dcfldd
skills/analyzing-active-directory-acl-abuse/SKILL.md
+18 -3
View File
@@ -1,12 +1,27 @@
---
name: analyzing-active-directory-acl-abuse
description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
description: Detect dangerous ACL misconfigurations in Active Directory using ldap3
to identify GenericAll, WriteDACL, and WriteOwner abuse paths
domain: cybersecurity
subdomain: identity-security
tags: [active-directory, acl-abuse, ldap, privilege-escalation]
version: "1.0"
tags:
- active-directory
- acl-abuse
- ldap
- privilege-escalation
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.AA-01
- PR.AA-05
- PR.AA-06
mitre_attack:
- T1098
- T1098.007
- T1484.001
- T1222.001
- T1078.002
---
skills/analyzing-android-malware-with-apktool/SKILL.md
+24 -3
View File
@@ -1,12 +1,33 @@
---
name: analyzing-android-malware-with-apktool
description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
description: Perform static analysis of Android APK malware samples using apktool
for decompilation, jadx for Java source recovery, and androguard for permission
analysis, manifest inspection, and suspicious API call detection.
domain: cybersecurity
subdomain: malware-analysis
tags: [Android, APK, apktool, jadx, androguard, mobile-malware, static-analysis, reverse-engineering]
version: "1.0"
tags:
- Android
- APK
- apktool
- jadx
- androguard
- mobile-malware
- static-analysis
- reverse-engineering
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1406
- T1407
- T1626.001
- T1655.001
- T1521.001
---
# Analyzing Android Malware with Apktool
skills/analyzing-api-gateway-access-logs/SKILL.md
+26 -7
View File
@@ -1,16 +1,35 @@
---
name: analyzing-api-gateway-access-logs
description: >
Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR
attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas
for statistical analysis of request patterns and anomaly detection. Use when
investigating API abuse or building API-specific threat detection rules.
description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect
BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts.
Uses pandas for statistical analysis of request patterns and anomaly detection.
Use when investigating API abuse or building API-specific threat detection rules.
'
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, api, gateway, access]
version: "1.0"
tags:
- api-security
- access-log-analysis
- aws-api-gateway
- kong
- nginx
- bola-detection
- rate-limit-bypass
- security-operations
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.CM-01
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1190
- T1110.004
- T1078.004
- T1119
---
# Analyzing API Gateway Access Logs
skills/analyzing-apt-group-with-mitre-navigator/SKILL.md
+30 -3
View File
@@ -1,12 +1,39 @@
---
name: analyzing-apt-group-with-mitre-navigator
description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
description: Analyze advanced persistent threat (APT) group techniques using MITRE
ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap
analysis and threat-informed defense.
domain: cybersecurity
subdomain: threat-intelligence
tags: [mitre-attack, navigator, apt, threat-actor, ttp-analysis, heatmap, detection-gap, threat-intelligence]
version: "1.0"
tags:
- mitre-attack
- navigator
- apt
- threat-actor
- ttp-analysis
- heatmap
- detection-gap
- threat-intelligence
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1059.001
- T1071.001
- T1003.001
- T1486
- T1547.001
---
# Analyzing APT Group with MITRE ATT&CK Navigator
skills/analyzing-azure-activity-logs-for-threats/SKILL.md
+23 -5
View File
@@ -1,16 +1,34 @@
---
name: analyzing-azure-activity-logs-for-threats
description: >
Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to
detect suspicious administrative operations, impossible travel, privilege escalation,
description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query
to detect suspicious administrative operations, impossible travel, privilege escalation,
and resource modifications. Builds KQL queries for threat hunting in Azure environments.
Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
'
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, azure, activity, logs]
version: "1.0"
tags:
- azure
- cloud-security
- azure-monitor
- kql
- threat-hunting
- activity-logs
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.CM-01
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1078.004
- T1098.003
- T1538
- T1556.009
- T1580
---
# Analyzing Azure Activity Logs for Threats
skills/analyzing-bootkit-and-rootkit-samples/SKILL.md
+25 -7
View File
@@ -1,17 +1,35 @@
---
name: analyzing-bootkit-and-rootkit-samples
description: >
Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR),
Volume Boot Record (VBR), or UEFI firmware to gain persistence below the operating system.
Covers boot sector analysis, UEFI module inspection, and anti-rootkit detection techniques.
Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
persistence analysis, or pre-OS malware detection.
description: 'Analyzes bootkit and advanced rootkit malware that infects the Master
Boot Record (MBR), Volume Boot Record (VBR), or UEFI firmware to gain persistence
below the operating system. Covers boot sector analysis, UEFI module inspection,
and anti-rootkit detection techniques. Activates for requests involving bootkit
analysis, MBR malware investigation, UEFI persistence analysis, or pre-OS malware
detection.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, bootkit, rootkit, UEFI, MBR-analysis]
tags:
- malware
- bootkit
- rootkit
- UEFI
- MBR-analysis
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1542.003
- T1542.001
- T1542.002
- T1014
- T1547.006
---
# Analyzing Bootkit and Rootkit Samples
skills/analyzing-browser-forensics-with-hindsight/SKILL.md
+25 -3
View File
@@ -1,12 +1,34 @@
---
name: analyzing-browser-forensics-with-hindsight
description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing
history, downloads, cookies, cached content, autofill data, saved passwords, and
browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
domain: cybersecurity
subdomain: digital-forensics
tags: [browser-forensics, hindsight, chrome-forensics, chromium, edge, browsing-history, cookies, downloads, cache, web-artifacts]
version: "1.0"
tags:
- browser-forensics
- hindsight
- chrome-forensics
- chromium
- edge
- browsing-history
- cookies
- downloads
- cache
- web-artifacts
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1217
- T1539
- T1555.003
- T1185
---
# Analyzing Browser Forensics with Hindsight
skills/analyzing-campaign-attribution-evidence/SKILL.md
+22 -3
View File
@@ -1,12 +1,31 @@
---
name: analyzing-campaign-attribution-evidence
description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
description: Campaign attribution analysis involves systematically evaluating evidence
to determine which threat actor or group is responsible for a cyber operation. This
skill covers collecting and weighting attr
domain: cybersecurity
subdomain: threat-intelligence
tags: [threat-intelligence, cti, ioc, mitre-attack, stix, attribution, campaign-analysis]
version: "1.0"
tags:
- threat-intelligence
- cti
- ioc
- mitre-attack
- stix
- attribution
- campaign-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1587.001
- T1583.001
- T1588.002
- T1071.001
---
# Analyzing Campaign Attribution Evidence
skills/analyzing-certificate-transparency-for-phishing/SKILL.md
+26 -3
View File
@@ -1,12 +1,35 @@
---
name: analyzing-certificate-transparency-for-phishing
description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.
description: Monitor Certificate Transparency logs using crt.sh and Certstream to
detect phishing domains, lookalike certificates, and unauthorized certificate issuance
targeting your organization.
domain: cybersecurity
subdomain: threat-intelligence
tags: [certificate-transparency, ct-logs, phishing, crt-sh, certstream, ssl, domain-monitoring, threat-intelligence]
version: "1.0"
tags:
- certificate-transparency
- ct-logs
- phishing
- crt-sh
- certstream
- ssl
- domain-monitoring
- threat-intelligence
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0052
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1583.001
- T1583.004
- T1566.002
- T1608.005
- T1596.003
---
# Analyzing Certificate Transparency for Phishing
skills/analyzing-cloud-storage-access-patterns/SKILL.md
+32 -7
View File
@@ -1,16 +1,41 @@
---
name: analyzing-cloud-storage-access-patterns
description: >-
Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail
Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads,
access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration
using statistical baselines and time-series anomaly detection.
description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage
by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics.
Identifies after-hours bulk downloads, access from new IP addresses, unusual API
calls (GetObject spikes), and potential data exfiltration using statistical baselines
and time-series anomaly detection.
domain: cybersecurity
subdomain: cloud-security
tags: [analyzing, cloud, storage, access]
version: "1.0"
tags:
- cloud-security
- aws-s3
- gcs
- azure-blob-storage
- cloudtrail
- data-access-anomaly
- exfiltration-detection
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0024
- AML.T0056
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1530
- T1567.002
- T1619
- T1078.004
- T1048
---
skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md
+23 -3
View File
@@ -1,12 +1,32 @@
---
name: analyzing-cobalt-strike-beacon-configuration
description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, malleable profiles, and operator tradecraft.
description: Extract and analyze Cobalt Strike beacon configuration from PE files
and memory dumps to identify C2 infrastructure, malleable profiles, and operator
tradecraft.
domain: cybersecurity
subdomain: malware-analysis
tags: [cobalt-strike, beacon, c2, malware-analysis, config-extraction, threat-hunting, red-team-tools]
version: "1.0"
tags:
- cobalt-strike
- beacon
- c2
- malware-analysis
- config-extraction
- threat-hunting
- red-team-tools
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1071.001
- T1573.001
- T1090.004
- T1105
- T1027
---
# Analyzing Cobalt Strike Beacon Configuration
skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md
+23 -3
View File
@@ -1,12 +1,32 @@
---
name: analyzing-cobaltstrike-malleable-c2-profiles
description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.
description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike
and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate
network detection signatures.
domain: cybersecurity
subdomain: malware-analysis
tags: [cobalt-strike, malleable-c2, c2-detection, beacon-analysis, network-signatures, threat-hunting, red-team-tools]
version: "1.0"
tags:
- cobalt-strike
- malleable-c2
- c2-detection
- beacon-analysis
- network-signatures
- threat-hunting
- red-team-tools
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1071.001
- T1573.002
- T1001.003
- T1090.004
- T1102
---
# Analyzing CobaltStrike Malleable C2 Profiles
skills/analyzing-command-and-control-communication/SKILL.md
+24 -7
View File
@@ -1,17 +1,34 @@
---
name: analyzing-command-and-control-communication
description: >
Analyzes malware command-and-control (C2) communication protocols to understand beacon
patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS,
and custom protocol C2 analysis for detection development and threat intelligence.
Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse
engineering, or command-and-control infrastructure mapping.
description: 'Analyzes malware command-and-control (C2) communication protocols to
understand beacon patterns, command structures, data encoding, and infrastructure.
Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development
and threat intelligence. Activates for requests involving C2 analysis, beacon detection,
C2 protocol reverse engineering, or command-and-control infrastructure mapping.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, C2, command-and-control, beacon, protocol-analysis]
tags:
- malware
- C2
- command-and-control
- beacon
- protocol-analysis
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1071.001
- T1573
- T1571
- T1008
- T1095
---
# Analyzing Command-and-Control Communication
skills/analyzing-cyber-kill-chain/SKILL.md
+27 -8
View File
@@ -1,18 +1,37 @@
---
name: analyzing-cyber-kill-chain
description: >
Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify
which phases an adversary has completed, where defenses succeeded or failed, and what controls
would have interrupted the attack at earlier phases. Use when conducting post-incident analysis,
building prevention-focused security controls, or mapping detection gaps to kill chain phases.
Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
or Lockheed Martin kill chain framework.
description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain
framework to identify which phases an adversary has completed, where defenses succeeded
or failed, and what controls would have interrupted the attack at earlier phases.
Use when conducting post-incident analysis, building prevention-focused security
controls, or mapping detection gaps to kill chain phases. Activates for requests
involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed
Martin kill chain framework.
'
domain: cybersecurity
subdomain: threat-intelligence
tags: [kill-chain, Lockheed-Martin, MITRE-ATT&CK, intrusion-analysis, defense-in-depth, NIST-CSF]
tags:
- kill-chain
- Lockheed-Martin
- MITRE-ATT&CK
- intrusion-analysis
- defense-in-depth
- NIST-CSF
version: 1.0.0
author: team-cybersecurity
license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1566.001
- T1190
- T1547.001
- T1071.001
- T1486
---
# Analyzing Cyber Kill Chain
skills/analyzing-disk-image-with-autopsy/SKILL.md
+20 -3
View File
@@ -1,12 +1,29 @@
---
name: analyzing-disk-image-with-autopsy
description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and build investigation timelines.
description: Perform comprehensive forensic analysis of disk images using Autopsy
to recover files, examine artifacts, and build investigation timelines.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, autopsy, disk-analysis, sleuth-kit, file-recovery, artifact-analysis]
version: "1.0"
tags:
- forensics
- autopsy
- disk-analysis
- sleuth-kit
- file-recovery
- artifact-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1005
- T1074.001
- T1070.004
- T1083
---
# Analyzing Disk Image with Autopsy
skills/analyzing-dns-logs-for-exfiltration/SKILL.md
+29 -7
View File
@@ -1,16 +1,38 @@
---
name: analyzing-dns-logs-for-exfiltration
description: >
Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication,
and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length
detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass
traditional network security controls.
description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling,
DGA domain communication, and covert C2 channels using entropy analysis, query volume
anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams
need to identify DNS-based threats that bypass traditional network security controls.
'
domain: cybersecurity
subdomain: soc-operations
tags: [soc, dns, exfiltration, dns-tunneling, dga, c2-detection, splunk, threat-detection]
version: "1.0"
tags:
- soc
- dns
- exfiltration
- dns-tunneling
- dga
- c2-detection
- splunk
- threat-detection
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0024
- AML.T0056
- AML.T0086
nist_csf:
- DE.CM-01
- DE.AE-02
- RS.MA-01
- DE.AE-06
mitre_attack:
- T1048.003
- T1071.004
- T1567
---
# Analyzing DNS Logs for Exfiltration
skills/analyzing-docker-container-forensics/SKILL.md
+20 -3
View File
@@ -1,12 +1,29 @@
---
name: analyzing-docker-container-forensics
description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and evidence.
description: Investigate compromised Docker containers by analyzing images, layers,
volumes, logs, and runtime artifacts to identify malicious activity and evidence.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, docker, container-forensics, container-security, image-analysis, runtime-investigation]
version: "1.0"
tags:
- forensics
- docker
- container-forensics
- container-security
- image-analysis
- runtime-investigation
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1610
- T1611
- T1613
- T1612
---
# Analyzing Docker Container Forensics
skills/analyzing-email-headers-for-phishing-investigation/SKILL.md
+22 -3
View File
@@ -1,12 +1,31 @@
---
name: analyzing-email-headers-for-phishing-investigation
description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
description: Parse and analyze email headers to trace the origin of phishing emails,
verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, email-analysis, phishing, spf, dkim, dmarc, header-analysis]
version: "1.0"
tags:
- forensics
- email-analysis
- phishing
- spf
- dkim
- dmarc
- header-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0052
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1566.001
- T1566.002
- T1598.003
---
# Analyzing Email Headers for Phishing Investigation
skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md
+20 -3
View File
@@ -1,12 +1,29 @@
---
name: analyzing-ethereum-smart-contract-vulnerabilities
description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy, integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
description: Perform static and symbolic analysis of Solidity smart contracts using
Slither and Mythril to detect reentrancy, integer overflow, access control, and
other vulnerability classes before deployment to Ethereum mainnet.
domain: cybersecurity
subdomain: blockchain-security
tags: [ethereum, solidity, smart-contract, slither, mythril, blockchain, defi, audit]
version: "1.0"
tags:
- ethereum
- solidity
- smart-contract
- slither
- mythril
- blockchain
- defi
- audit
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.DS-01
- PR.DS-02
- ID.RA-01
mitre_attack:
- T1190
- T1059
---
# Analyzing Ethereum Smart Contract Vulnerabilities
skills/analyzing-golang-malware-with-ghidra/SKILL.md
+22 -3
View File
@@ -1,12 +1,31 @@
---
name: analyzing-golang-malware-with-ghidra
description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries.
description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts
for function recovery, string extraction, and type reconstruction in stripped Go
binaries.
domain: cybersecurity
subdomain: malware-analysis
tags: [golang, ghidra, reverse-engineering, malware-analysis, binary-analysis, go-malware, disassembly]
version: "1.0"
tags:
- golang
- ghidra
- reverse-engineering
- malware-analysis
- binary-analysis
- go-malware
- disassembly
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1027
- T1620
- T1140
- T1059
---
# Analyzing Golang Malware with Ghidra
skills/analyzing-heap-spray-exploitation/SKILL.md
+19 -3
View File
@@ -1,12 +1,28 @@
---
name: analyzing-heap-spray-exploitation
description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large allocations in process virtual address space.
description: Detect and analyze heap spray attacks in memory dumps using Volatility3
plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large
allocations in process virtual address space.
domain: cybersecurity
subdomain: malware-analysis
tags: [malware-analysis, memory-forensics, heap-spray, volatility3, exploit-analysis]
version: "1.0"
tags:
- malware-analysis
- memory-forensics
- heap-spray
- volatility3
- exploit-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1203
- T1059.007
- T1106
---
# Analyzing Heap Spray Exploitation
skills/analyzing-indicators-of-compromise/SKILL.md
+29 -7
View File
@@ -1,17 +1,39 @@
---
name: analyzing-indicators-of-compromise
description: >
Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs,
and email artifacts to determine maliciousness confidence, campaign attribution, and blocking
priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds;
enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions.
Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains,
file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign
attribution, and blocking priority. Use when triaging IOCs from phishing emails,
security alerts, or external threat feeds; enriching raw IOCs with multi-source
intelligence; or making block/monitor/whitelist decisions. Activates for requests
involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
'
domain: cybersecurity
subdomain: threat-intelligence
tags: [IOC, VirusTotal, AbuseIPDB, MalwareBazaar, MISP, threat-intelligence, STIX, NIST-CSF]
tags:
- IOC
- VirusTotal
- AbuseIPDB
- MalwareBazaar
- MISP
- threat-intelligence
- STIX
- NIST-CSF
version: 1.0.0
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0052
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1071
- T1105
- T1041
- T1567
---
# Analyzing Indicators of Compromise
skills/analyzing-ios-app-security-with-objection/SKILL.md
+28 -8
View File
@@ -1,18 +1,38 @@
---
name: analyzing-ios-app-security-with-objection
description: >
Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered
toolkit that enables security testers to interact with app internals without jailbreaking. Use when
assessing iOS app security posture, bypassing client-side protections, dumping keychain items,
inspecting filesystem storage, and evaluating runtime behavior. Activates for requests involving
iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile runtime
exploration.
description: >-
Runtime iOS app security testing with Objection (Frida): inspect keychain and
filesystem data, explore app internals at runtime, and validate/bypass
client-side protections during authorized mobile assessments.
domain: cybersecurity
subdomain: mobile-security
author: mahipal
tags: [mobile-security, ios, objection, frida, owasp-mobile, penetration-testing]
tags:
- mobile-security
- ios
- objection
- frida
- owasp-mobile
- penetration-testing
version: 1.0.0
license: Apache-2.0
atlas_techniques:
- AML.T0054
nist_ai_rmf:
- MEASURE-2.7
- MANAGE-2.4
- GOVERN-6.2
- MAP-5.1
nist_csf:
- PR.PS-01
- PR.AA-05
- ID.RA-01
- DE.CM-09
mitre_attack:
- T1635
- T1414
- T1417.001
- T1409
---
# Analyzing iOS App Security with Objection
skills/analyzing-kubernetes-audit-logs/SKILL.md
+25 -7
View File
@@ -1,16 +1,34 @@
---
name: analyzing-kubernetes-audit-logs
description: >
Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret
access, RBAC modifications, privileged pod creation, and anonymous API access. Builds
threat detection rules from audit event patterns. Use when investigating Kubernetes
cluster compromise or building k8s-specific SIEM detection rules.
description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod,
secret access, RBAC modifications, privileged pod creation, and anonymous API access.
Builds threat detection rules from audit event patterns. Use when investigating
Kubernetes cluster compromise or building k8s-specific SIEM detection rules.
'
domain: cybersecurity
subdomain: container-security
tags: [analyzing, kubernetes, audit, logs]
version: "1.0"
tags:
- kubernetes-security
- container-security
- audit-log-analysis
- rbac
- privilege-escalation
- k8s-api-server
- threat-detection
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.PS-01
- PR.IR-01
- ID.AM-08
- DE.CM-01
mitre_attack:
- T1610
- T1613
- T1078
- T1552.007
---
# Analyzing Kubernetes Audit Logs
skills/analyzing-linux-audit-logs-for-intrusion/SKILL.md
+26 -8
View File
@@ -1,18 +1,36 @@
---
name: analyzing-linux-audit-logs-for-intrusion
description: >
Uses the Linux Audit framework (auditd) with ausearch and aureport utilities
to detect intrusion attempts, unauthorized access, privilege escalation, and
suspicious system activity. Covers audit rule configuration, log querying,
timeline reconstruction, and integration with SIEM platforms. Activates for
requests involving auditd analysis, Linux audit log investigation, ausearch
queries, aureport summaries, or host-based intrusion detection on Linux.
description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities
to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious
system activity. Covers audit rule configuration, log querying, timeline reconstruction,
and integration with SIEM platforms. Activates for requests involving auditd analysis,
Linux audit log investigation, ausearch queries, aureport summaries, or host-based
intrusion detection on Linux.
'
domain: cybersecurity
subdomain: incident-response
tags: [auditd, ausearch, aureport, linux-security, intrusion-detection, HIDS, forensics]
tags:
- auditd
- ausearch
- aureport
- linux-security
- intrusion-detection
- HIDS
- forensics
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- RS.MA-01
- RS.MA-02
- RS.AN-03
- RC.RP-01
mitre_attack:
- T1059.004
- T1070
- T1548.003
- T1543.002
---
# Analyzing Linux Audit Logs for Intrusion
skills/analyzing-linux-elf-malware/SKILL.md
+24 -7
View File
@@ -1,17 +1,34 @@
---
name: analyzing-linux-elf-malware
description: >
Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets,
cryptominers, ransomware, and rootkits targeting Linux servers, containers, and cloud
infrastructure. Covers static analysis, dynamic tracing, and reverse engineering of
x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis,
ELF binary investigation, Linux server compromise assessment, or container malware analysis.
description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries
including botnets, cryptominers, ransomware, and rootkits targeting Linux servers,
containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving
Linux malware analysis, ELF binary investigation, Linux server compromise assessment,
or container malware analysis.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, Linux, ELF, reverse-engineering, server-malware]
tags:
- malware
- Linux
- ELF
- reverse-engineering
- server-malware
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1027
- T1059.004
- T1620
- T1574.006
---
# Analyzing Linux ELF Malware
skills/analyzing-linux-kernel-rootkits/SKILL.md
+23 -3
View File
@@ -1,12 +1,32 @@
---
name: analyzing-linux-kernel-rootkits
description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures.
description: Detect kernel-level rootkits in Linux memory dumps using Volatility3
linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning,
and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel
modules, and tampered system structures.
domain: cybersecurity
subdomain: digital-forensics
tags: [rootkit, linux, kernel, volatility3, memory-forensics, malware-analysis, rkhunter, forensics]
version: "1.0"
tags:
- rootkit
- linux
- kernel
- volatility3
- memory-forensics
- malware-analysis
- rkhunter
- forensics
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1014
- T1547.006
- T1564.001
---
# Analyzing Linux Kernel Rootkits
skills/analyzing-linux-system-artifacts/SKILL.md
+21 -3
View File
@@ -1,12 +1,30 @@
---
name: analyzing-linux-system-artifacts
description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.
description: Examine Linux system artifacts including auth logs, cron jobs, shell
history, and system configuration to uncover evidence of compromise or unauthorized
activity.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, linux-forensics, system-artifacts, log-analysis, persistence-detection, incident-investigation]
version: "1.0"
tags:
- forensics
- linux-forensics
- system-artifacts
- log-analysis
- persistence-detection
- incident-investigation
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1070
- T1059.004
- T1543.002
- T1053.003
---
# Analyzing Linux System Artifacts
skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md
+24 -3
View File
@@ -1,12 +1,33 @@
---
name: analyzing-lnk-file-and-jump-list-artifacts
description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
description: Analyze Windows LNK shortcut files and Jump List artifacts to establish
evidence of file access, program execution, and user activity using LECmd, JLECmd,
and manual binary parsing of the Shell Link Binary format.
domain: cybersecurity
subdomain: digital-forensics
tags: [lnk-files, jump-lists, lecmd, jlecmd, windows-forensics, shell-link, user-activity, file-access, program-execution, recent-files]
version: "1.0"
tags:
- lnk-files
- jump-lists
- lecmd
- jlecmd
- windows-forensics
- shell-link
- user-activity
- file-access
- program-execution
- recent-files
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1547.009
- T1204.002
- T1059.001
---
# Analyzing LNK File and Jump List Artifacts
skills/analyzing-macro-malware-in-office-documents/SKILL.md
+32 -7
View File
@@ -1,17 +1,42 @@
---
name: analyzing-macro-malware-in-office-documents
description: >
Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint)
to identify download cradles, payload execution, persistence mechanisms, and anti-analysis
techniques. Uses olevba, oledump, and VBA deobfuscation to extract the attack chain.
Activates for requests involving Office macro analysis, VBA malware investigation,
maldoc analysis, or document-based threat examination.
description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents
(Word, Excel, PowerPoint) to identify download cradles, payload execution, persistence
mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
to extract the attack chain. Activates for requests involving Office macro analysis,
VBA malware investigation, maldoc analysis, or document-based threat examination.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, macro, Office, VBA, document-malware]
tags:
- malware
- macro
- Office
- VBA
- document-malware
version: 1.0.0
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0068
- AML.T0067
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1137.001
- T1204.002
- T1059.005
- T1027
---
# Analyzing Macro Malware in Office Documents
skills/analyzing-malicious-pdf-with-peepdf/SKILL.md
+22 -3
View File
@@ -1,12 +1,31 @@
---
name: analyzing-malicious-pdf-with-peepdf
description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
description: Perform static analysis of malicious PDF documents using peepdf, pdfid,
and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
domain: cybersecurity
subdomain: malware-analysis
tags: [malware-analysis, pdf, peepdf, pdfid, pdf-parser, static-analysis, reverse-engineering, dfir]
version: "1.0"
tags:
- malware-analysis
- pdf
- peepdf
- pdfid
- pdf-parser
- static-analysis
- reverse-engineering
- dfir
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1204.002
- T1059.007
- T1027
- T1106
---
# Analyzing Malicious PDF with peepdf
skills/analyzing-malicious-url-with-urlscan/SKILL.md
+23 -3
View File
@@ -1,12 +1,32 @@
---
name: analyzing-malicious-url-with-urlscan
description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
description: URLScan.io is a free service for scanning and analyzing suspicious URLs.
It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and
network connections of web pages in an isolat
domain: cybersecurity
subdomain: phishing-defense
tags: [phishing, email-security, social-engineering, dmarc, awareness, url-analysis, threat-intelligence]
version: "1.0"
tags:
- phishing
- email-security
- social-engineering
- dmarc
- awareness
- url-analysis
- threat-intelligence
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0052
nist_csf:
- PR.AT-01
- DE.CM-09
- RS.CO-02
- DE.AE-02
mitre_attack:
- T1566.002
- T1204.001
- T1598.003
---
# Analyzing Malicious URL with URLScan
skills/analyzing-malware-behavior-with-cuckoo-sandbox/SKILL.md
+23 -7
View File
@@ -1,17 +1,33 @@
---
name: analyzing-malware-behavior-with-cuckoo-sandbox
description: >
Executes malware samples in Cuckoo Sandbox to observe runtime behavior including
process creation, file system modifications, registry changes, network communications,
and API calls. Generates comprehensive behavioral reports for malware classification
and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox
detonation, behavioral analysis, or automated malware execution.
description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior
including process creation, file system modifications, registry changes, network
communications, and API calls. Generates comprehensive behavioral reports for malware
classification and IOC extraction. Activates for requests involving dynamic malware
analysis, sandbox detonation, behavioral analysis, or automated malware execution.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, dynamic-analysis, sandbox, Cuckoo, behavioral-analysis]
tags:
- malware
- dynamic-analysis
- sandbox
- Cuckoo
- behavioral-analysis
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1497
- T1055
- T1071
- T1027
---
# Analyzing Malware Behavior with Cuckoo Sandbox
skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md
+22 -3
View File
@@ -1,12 +1,31 @@
---
name: analyzing-malware-family-relationships-with-malpedia
description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families to threat actors, and integrate YARA rules for detection across malware lineages.
description: Use the Malpedia platform and API to research malware family relationships,
track variant evolution, link families to threat actors, and integrate YARA rules
for detection across malware lineages.
domain: cybersecurity
subdomain: threat-intelligence
tags: [malpedia, malware-family, yara, threat-actor, malware-tracking, threat-intelligence, variant-analysis, malware-intelligence]
version: "1.0"
tags:
- malpedia
- malware-family
- yara
- threat-actor
- malware-tracking
- threat-intelligence
- variant-analysis
- malware-intelligence
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1587.001
- T1027
- T1071
---
# Analyzing Malware Family Relationships with Malpedia
skills/analyzing-malware-persistence-with-autoruns/SKILL.md
+30 -3
View File
@@ -1,12 +1,39 @@
---
name: analyzing-malware-persistence-with-autoruns
description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
description: Use Sysinternals Autoruns to systematically identify and analyze malware
persistence mechanisms across registry keys, scheduled tasks, services, drivers,
and startup locations on Windows systems.
domain: cybersecurity
subdomain: malware-analysis
tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response]
version: "1.0"
tags:
- autoruns
- persistence
- malware-analysis
- sysinternals
- windows
- registry
- startup
- incident-response
mitre_attack:
- T1547.001
- T1543.003
- T1053.005
- T1574.001
- T1037.001
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Malware Persistence with Autoruns
skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md
+27 -9
View File
@@ -1,19 +1,37 @@
---
name: analyzing-malware-sandbox-evasion-techniques
description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
description: Detect sandbox evasion techniques in malware samples by analyzing timing
checks, VM artifact queries, user interaction detection, and sleep inflation patterns
from Cuckoo/AnyRun behavioral reports
domain: cybersecurity
subdomain: malware-analysis
tags:
- sandbox-evasion
- malware-analysis
- cuckoo
- anyrun
- mitre-attack
- virtualization-detection
- behavioral-analysis
version: "1.0"
- sandbox-evasion
- malware-analysis
- cuckoo
- anyrun
- mitre-attack
- virtualization-detection
- behavioral-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Platform Hardening
- Restore Object
- Process Analysis
- System Call Filtering
- Restore Software
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1497.001
- T1497.003
- T1480
- T1027.002
---
# Analyzing Malware Sandbox Evasion Techniques
skills/analyzing-memory-dumps-with-volatility/SKILL.md
+22 -7
View File
@@ -1,17 +1,32 @@
---
name: analyzing-memory-dumps-with-volatility
description: >
Analyzes RAM memory dumps from compromised systems using the Volatility framework to
identify malicious processes, injected code, network connections, loaded modules, and
extracted credentials. Supports Windows, Linux, and macOS memory forensics. Activates
for requests involving memory forensics, RAM analysis, volatile data examination,
process injection detection, or memory-resident malware investigation.
description: 'Analyzes RAM memory dumps from compromised systems using the Volatility framework to identify malicious processes,
injected code, network connections, loaded modules, and extracted credentials. Supports Windows, Linux, and macOS memory
forensics. Activates for requests involving memory forensics, RAM analysis, volatile data examination, process injection
detection, or memory-resident malware investigation.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response]
tags:
- malware
- memory-forensics
- Volatility
- RAM-analysis
- incident-response
mitre_attack:
- T1055
- T1003
- T1059
- T1620
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Analyzing Memory Dumps with Volatility
skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md
+25 -7
View File
@@ -1,16 +1,34 @@
---
name: analyzing-memory-forensics-with-lime-and-volatility
description: >
Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module
and analysis with Volatility 3 framework. Extracts process lists, network connections,
bash history, loaded kernel modules, and injected code from Linux memory images.
Use when performing incident response on compromised Linux systems.
description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor)
kernel module and analysis with Volatility 3 framework. Extracts process lists,
network connections, bash history, loaded kernel modules, and injected code from
Linux memory images. Use when performing incident response on compromised Linux
systems.
'
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, memory, forensics, with]
version: "1.0"
tags:
- memory-forensics
- linux-forensics
- lime
- volatility
- incident-response
- kernel-modules
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.CM-01
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1055
- T1003.001
- T1620
- T1564.001
---
# Analyzing Memory Forensics with LiME and Volatility
skills/analyzing-mft-for-deleted-file-recovery/SKILL.md
+24 -3
View File
@@ -1,12 +1,33 @@
---
name: analyzing-mft-for-deleted-file-recovery
description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content
of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack
space using MFTECmd, analyzeMFT, and X-Ways Forensics.
domain: cybersecurity
subdomain: digital-forensics
tags: [mft, ntfs, deleted-files, file-recovery, mftecmd, usn-journal, logfile, mft-slack-space, file-system-forensics, dfir]
version: "1.0"
tags:
- mft
- ntfs
- deleted-files
- file-recovery
- mftecmd
- usn-journal
- logfile
- mft-slack-space
- file-system-forensics
- dfir
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1070.004
- T1070.006
- T1005
---
# Analyzing MFT for Deleted File Recovery
skills/analyzing-network-covert-channels-in-malware/SKILL.md
+28 -3
View File
@@ -1,12 +1,37 @@
---
name: analyzing-network-covert-channels-in-malware
description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration.
description: Detect and analyze covert communication channels used by malware including
DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2
and data exfiltration.
domain: cybersecurity
subdomain: malware-analysis
tags: [covert-channels, dns-tunneling, icmp-exfiltration, malware-analysis, network-forensics, c2-detection, data-exfiltration]
version: "1.0"
tags:
- covert-channels
- dns-tunneling
- icmp-exfiltration
- malware-analysis
- network-forensics
- c2-detection
- data-exfiltration
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Certificate Analysis
- Application Protocol Command Analysis
- Content Format Conversion
- File Content Analysis
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1071.001
- T1095
- T1572
- T1001
---
# Analyzing Network Covert Channels in Malware
skills/analyzing-network-flow-data-with-netflow/SKILL.md
+21 -7
View File
@@ -1,16 +1,30 @@
---
name: analyzing-network-flow-data-with-netflow
description: >-
Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data
exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow
records, builds traffic baselines, and applies statistical analysis to identify flows
with abnormal byte counts, connection durations, and periodic timing patterns.
description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port
scanning, data exfiltration, and C2 beaconing patterns. Uses the Python netflow
library to decode flow records, builds traffic baselines, and applies statistical
analysis to identify flows with abnormal byte counts, connection durations, and
periodic timing patterns.
domain: cybersecurity
subdomain: network-security
tags: [analyzing, network, flow, data]
version: "1.0"
tags:
- analyzing
- network
- flow
- data
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.IR-01
- DE.CM-01
- ID.AM-03
- PR.DS-02
mitre_attack:
- T1071
- T1048
- T1046
- T1095
---
skills/analyzing-network-packets-with-scapy/SKILL.md
+20 -8
View File
@@ -1,18 +1,30 @@
---
name: analyzing-network-packets-with-scapy
description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and traffic anomaly detection in authorized security testing
description: Craft, send, sniff, and dissect network packets using Scapy for protocol
analysis, network reconnaissance, and traffic anomaly detection in authorized security
testing
domain: cybersecurity
subdomain: network-security
tags:
- scapy
- packet-analysis
- network-forensics
- protocol-dissection
- pcap
- traffic-analysis
version: "1.0"
- scapy
- packet-analysis
- network-forensics
- protocol-dissection
- pcap
- traffic-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.IR-01
- DE.CM-01
- ID.AM-03
- PR.DS-02
mitre_attack:
- T1040
- T1071
- T1046
- T1557
---
# Analyzing Network Packets with Scapy
skills/analyzing-network-traffic-for-incidents/SKILL.md
+22 -8
View File
@@ -1,18 +1,32 @@
---
name: analyzing-network-traffic-for-incidents
description: >
Analyzes network traffic captures and flow data to identify adversary activity during
security incidents, including command-and-control communications, lateral movement,
data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow
analysis techniques. Activates for requests involving network traffic analysis,
packet capture investigation, PCAP analysis, network forensics, C2 traffic detection,
or exfiltration detection.
description: 'Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including
command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek,
and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation,
PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection.
'
domain: cybersecurity
subdomain: incident-response
tags: [network-forensics, PCAP-analysis, Wireshark, Zeek, traffic-analysis]
tags:
- network-forensics
- PCAP-analysis
- Wireshark
- Zeek
- traffic-analysis
mitre_attack:
- T1071
- T1095
- T1573
- T1572
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- RS.MA-01
- RS.MA-02
- RS.AN-03
- RC.RP-01
---
# Analyzing Network Traffic for Incidents
skills/analyzing-network-traffic-of-malware/SKILL.md
+23 -7
View File
@@ -1,17 +1,33 @@
---
name: analyzing-network-traffic-of-malware
description: >
Analyzes network traffic generated by malware during sandbox execution or live incident
response to identify C2 protocols, data exfiltration channels, payload downloads, and
lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests
involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or
network-based malware detection.
description: 'Analyzes network traffic generated by malware during sandbox execution
or live incident response to identify C2 protocols, data exfiltration channels,
payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata.
Activates for requests involving malware network analysis, C2 traffic decoding,
malware PCAP analysis, or network-based malware detection.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, network-analysis, PCAP, Wireshark, C2-detection]
tags:
- malware
- network-analysis
- PCAP
- Wireshark
- C2-detection
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1071.001
- T1571
- T1573
- T1095
---
# Analyzing Network Traffic of Malware
skills/analyzing-network-traffic-with-wireshark/SKILL.md
+22 -6
View File
@@ -1,15 +1,31 @@
---
name: analyzing-network-traffic-with-wireshark
description: >
Captures and analyzes network packet data using Wireshark and tshark to identify
malicious traffic patterns, diagnose protocol issues, extract artifacts, and
support incident response investigations on authorized network segments.
description: 'Captures and analyzes network packet data using Wireshark and tshark
to identify malicious traffic patterns, diagnose protocol issues, extract artifacts,
and support incident response investigations on authorized network segments.
'
domain: cybersecurity
subdomain: network-security
tags: [network-security, wireshark, packet-analysis, traffic-analysis, pcap]
version: "1.0"
tags:
- network-security
- wireshark
- packet-analysis
- traffic-analysis
- pcap
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.IR-01
- DE.CM-01
- ID.AM-03
- PR.DS-02
mitre_attack:
- T1040
- T1071
- T1557
- T1046
---
# Analyzing Network Traffic with Wireshark
skills/analyzing-office365-audit-logs-for-compromise/SKILL.md
+22 -3
View File
@@ -1,12 +1,31 @@
---
name: analyzing-office365-audit-logs-for-compromise
description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and other indicators of account compromise.
description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect
email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and
other indicators of account compromise.
domain: cybersecurity
subdomain: cloud-security
tags: [Office365, Microsoft-Graph, audit-logs, email-compromise, inbox-rules, OAuth, BEC]
version: "1.0"
tags:
- Office365
- Microsoft-Graph
- audit-logs
- email-compromise
- inbox-rules
- OAuth
- BEC
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1114.002
- T1098.002
- T1556.006
- T1078.004
---
# Analyzing Office 365 Audit Logs for Compromise
skills/analyzing-outlook-pst-for-email-forensics/SKILL.md
+29 -3
View File
@@ -1,12 +1,38 @@
---
name: analyzing-outlook-pst-for-email-forensics
description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments, deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident response.
description: Analyze Microsoft Outlook PST and OST files for email forensic evidence
including message content, headers, attachments, deleted items, and metadata using
libpff, pst-utils, and forensic email analysis tools for legal investigations and
incident response.
domain: cybersecurity
subdomain: digital-forensics
tags: [email-forensics, pst, ost, outlook, mapi, email-headers, attachments, deleted-emails, libpff, eml-extraction]
version: "1.0"
tags:
- email-forensics
- pst
- ost
- outlook
- mapi
- email-headers
- attachments
- deleted-emails
- libpff
- eml-extraction
version: '1.0'
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- MANAGE-2.4
- MANAGE-3.1
- MEASURE-3.1
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1114.001
- T1564.008
- T1070.008
---
# Analyzing Outlook PST for Email Forensics
skills/analyzing-packed-malware-with-upx-unpacker/SKILL.md
+22 -6
View File
@@ -1,16 +1,32 @@
---
name: analyzing-packed-malware-with-upx-unpacker
description: >
Identifies and unpacks UPX-packed and other packed malware samples to expose the original
executable code for static analysis. Covers both standard UPX unpacking and handling
modified UPX headers that prevent automated decompression. Activates for requests involving
malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis.
description: 'Identifies and unpacks UPX-packed and other packed malware samples to
expose the original executable code for static analysis. Covers both standard UPX
unpacking and handling modified UPX headers that prevent automated decompression.
Activates for requests involving malware unpacking, UPX decompression, packer removal,
or preparing packed samples for analysis.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, unpacking, UPX, packing, static-analysis]
tags:
- malware
- unpacking
- UPX
- packing
- static-analysis
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1027.002
- T1140
- T1620
---
# Analyzing Packed Malware with UPX Unpacker
skills/analyzing-pdf-malware-with-pdfid/SKILL.md
+23 -7
View File
@@ -1,17 +1,33 @@
---
name: analyzing-pdf-malware-with-pdfid
description: >
Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded
JavaScript, shellcode, exploits, and suspicious objects without opening the document.
Determines the attack vector and extracts embedded payloads for further analysis.
Activates for requests involving PDF malware analysis, malicious document analysis,
PDF exploit investigation, or suspicious attachment triage.
description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to
identify embedded JavaScript, shellcode, exploits, and suspicious objects without
opening the document. Determines the attack vector and extracts embedded payloads
for further analysis. Activates for requests involving PDF malware analysis, malicious
document analysis, PDF exploit investigation, or suspicious attachment triage.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, PDF-analysis, document-malware, PDFiD, static-analysis]
tags:
- malware
- PDF-analysis
- document-malware
- PDFiD
- static-analysis
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1204.002
- T1566.001
- T1059.007
- T1027
---
# Analyzing PDF Malware with PDFiD
skills/analyzing-persistence-mechanisms-in-linux/SKILL.md
+29 -3
View File
@@ -1,12 +1,38 @@
---
name: analyzing-persistence-mechanisms-in-linux
description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring
description: Detect and analyze Linux persistence mechanisms including crontab entries,
systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys
backdoors using auditd and file integrity monitoring
domain: cybersecurity
subdomain: threat-hunting
tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response]
version: "1.0"
tags:
- linux-persistence
- crontab
- systemd
- ld-preload
- auditd
- threat-hunting
- incident-response
mitre_attack:
- T1053.003
- T1543.002
- T1574.006
- T1546.004
- T1098.004
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Process Termination
- Content Format Conversion
nist_csf:
- DE.CM-01
- DE.AE-02
- DE.AE-07
- ID.RA-05
---
# Analyzing Persistence Mechanisms in Linux
skills/analyzing-powershell-empire-artifacts/SKILL.md
+35 -3
View File
@@ -1,12 +1,44 @@
---
name: analyzing-powershell-empire-artifacts
description: Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.
description: Detect PowerShell Empire framework artifacts in Windows event logs by
identifying Base64 encoded launcher patterns, default user agents, staging URL structures,
stager IOCs, and known Empire module signatures in Script Block Logging events.
domain: cybersecurity
subdomain: threat-hunting
tags: [PowerShell-Empire, threat-hunting, Script-Block-Logging, base64, stager, C2, MITRE-ATT&CK, T1059.001, forensics]
version: "1.0"
tags:
- PowerShell-Empire
- threat-hunting
- Script-Block-Logging
- base64
- stager
- C2
- MITRE-ATT&CK
- T1059.001
- forensics
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_ai_rmf:
- GOVERN-1.1
- MEASURE-2.7
- MANAGE-3.1
nist_csf:
- DE.CM-01
- DE.AE-02
- DE.AE-07
- ID.RA-05
mitre_attack:
- T1059.001
- T1071.001
- T1003.001
- T1558.003
- T1027.010
---
# Analyzing PowerShell Empire Artifacts
skills/analyzing-powershell-script-block-logging/SKILL.md
+23 -7
View File
@@ -1,16 +1,32 @@
---
name: analyzing-powershell-script-block-logging
description: >-
Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated
commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and
reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded
commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX
files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques.
Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy
analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse,
download cradles, and AMSI bypass attempts.
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, powershell, script, block]
version: "1.0"
tags:
- powershell
- script-block-logging
- event-id-4104
- obfuscation-detection
- windows-forensics
- endpoint-security
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.CM-01
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1059.001
- T1027.010
- T1140
- T1105
---
skills/analyzing-prefetch-files-for-execution-history/SKILL.md
+20 -3
View File
@@ -1,12 +1,29 @@
---
name: analyzing-prefetch-files-for-execution-history
description: Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced files for forensic investigation.
description: Parse Windows Prefetch files to determine program execution history including
run counts, timestamps, and referenced files for forensic investigation.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, prefetch, windows-artifacts, execution-history, timeline-analysis, evidence-collection]
version: "1.0"
tags:
- forensics
- prefetch
- windows-artifacts
- execution-history
- timeline-analysis
- evidence-collection
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1059.001
- T1003.001
- T1021.002
- T1567.002
---
# Analyzing Prefetch Files for Execution History
skills/analyzing-ransomware-encryption-mechanisms/SKILL.md
+23 -7
View File
@@ -1,17 +1,33 @@
---
name: analyzing-ransomware-encryption-mechanisms
description: >
Analyzes encryption algorithms, key management, and file encryption routines used by
ransomware families to assess decryption feasibility, identify implementation weaknesses,
and support recovery efforts. Covers AES, RSA, ChaCha20, and hybrid encryption schemes.
Activates for requests involving ransomware cryptanalysis, encryption analysis, key
recovery assessment, or ransomware decryption feasibility.
description: 'Analyzes encryption algorithms, key management, and file encryption
routines used by ransomware families to assess decryption feasibility, identify
implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20,
and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis,
encryption analysis, key recovery assessment, or ransomware decryption feasibility.
'
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, ransomware, encryption, cryptanalysis, reverse-engineering]
tags:
- malware
- ransomware
- encryption
- cryptanalysis
- reverse-engineering
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1486
- T1573.001
- T1573.002
- T1027
---
# Analyzing Ransomware Encryption Mechanisms
skills/analyzing-ransomware-leak-site-intelligence/SKILL.md
+23 -3
View File
@@ -1,12 +1,32 @@
---
name: analyzing-ransomware-leak-site-intelligence
description: Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence on group tactics, and assess sector-specific ransomware risk for proactive defense.
description: Monitor and analyze ransomware group data leak sites (DLS) to track victim
postings, extract threat intelligence on group tactics, and assess sector-specific
ransomware risk for proactive defense.
domain: cybersecurity
subdomain: threat-intelligence
tags: [ransomware, leak-site, data-leak, extortion, threat-intelligence, monitoring, dls, victim-tracking]
version: "1.0"
tags:
- ransomware
- leak-site
- data-leak
- extortion
- threat-intelligence
- leak-site-monitoring
- dls
- victim-tracking
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1657
- T1486
- T1567.002
- T1591
---
# Analyzing Ransomware Leak Site Intelligence
skills/analyzing-ransomware-network-indicators/SKILL.md
+29 -3
View File
@@ -1,12 +1,38 @@
---
name: analyzing-ransomware-network-indicators
description: Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange via Zeek conn.log and NetFlow analysis
description: Identify ransomware network indicators including C2 beaconing patterns,
TOR exit node connections, data exfiltration flows, and encryption key exchange
via Zeek conn.log and NetFlow analysis
domain: cybersecurity
subdomain: threat-hunting
tags: [ransomware, c2-beaconing, zeek, netflow, tor, exfiltration, network-forensics]
version: "1.0"
tags:
- ransomware
- c2-beaconing
- zeek
- netflow
- tor
- exfiltration
- network-forensics
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Certificate Analysis
- Application Protocol Command Analysis
- Content Format Conversion
- File Content Analysis
nist_csf:
- DE.CM-01
- DE.AE-02
- DE.AE-07
- ID.RA-05
mitre_attack:
- T1071.001
- T1573
- T1048
- T1567.002
- T1486
---
# Analyzing Ransomware Network Indicators
skills/analyzing-ransomware-payment-wallets/SKILL.md
+21 -6
View File
@@ -1,18 +1,33 @@
---
name: analyzing-ransomware-payment-wallets
description: >
Traces ransomware cryptocurrency payment flows using blockchain analysis tools
such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies
description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis
tools such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies
wallet clusters, tracks fund movement through mixers and exchanges, and supports
law enforcement attribution. Activates for requests involving ransomware payment
tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain
intelligence gathering.
tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain intelligence
gathering.
'
domain: cybersecurity
subdomain: ransomware-defense
tags: [ransomware, blockchain, cryptocurrency, forensics, threat-intelligence, bitcoin]
tags:
- ransomware
- blockchain
- cryptocurrency
- forensics
- threat-intelligence
- bitcoin
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- PR.DS-11
- RS.MA-01
- RC.RP-01
- PR.IR-01
mitre_attack:
- T1657
- T1486
---
# Analyzing Ransomware Payment Wallets
skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md
+38 -8
View File
@@ -1,18 +1,48 @@
---
name: analyzing-sbom-for-supply-chain-vulnerabilities
description: >
Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify
supply chain vulnerabilities by correlating components against the NVD CVE database via
the NVD 2.0 API. Builds dependency graphs, calculates risk scores, identifies transitive
vulnerability paths, and generates compliance reports. Activates for requests involving
SBOM analysis, software composition analysis, supply chain security assessment, dependency
vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation.
description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON
formats to identify supply chain vulnerabilities by correlating components against
the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk
scores, identifies transitive vulnerability paths, and generates compliance reports.
Activates for requests involving SBOM analysis, software composition analysis, supply
chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing,
or CVE correlation.
'
domain: cybersecurity
subdomain: supply-chain-security
tags: [SBOM, CycloneDX, SPDX, NVD, CVE, supply-chain, dependency-analysis, syft, grype]
tags:
- SBOM
- CycloneDX
- SPDX
- NVD
- CVE
- supply-chain
- dependency-analysis
- syft
- grype
version: 1.0.0
author: mukul975
license: Apache-2.0
atlas_techniques:
- AML.T0010
- AML.T0104
nist_ai_rmf:
- GOVERN-5.2
- MAP-1.6
- MANAGE-2.2
- GOVERN-1.1
- GOVERN-4.2
nist_csf:
- GV.SC-01
- GV.SC-03
- GV.SC-06
- GV.SC-07
mitre_attack:
- T1195.001
- T1195.002
- T1554
- T1190
---
# Analyzing SBOM for Supply Chain Vulnerabilities
skills/analyzing-security-logs-with-splunk/SKILL.md
+37 -4
View File
@@ -1,18 +1,51 @@
---
name: analyzing-security-logs-with-splunk
description: >
Leverages Splunk Enterprise Security and SPL (Search Processing Language) to
investigate security incidents through log correlation, timeline reconstruction,
description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language)
to investigate security incidents through log correlation, timeline reconstruction,
and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and
authentication data analysis. Activates for requests involving Splunk investigation,
SPL queries, SIEM log analysis, security event correlation, or log-based incident
investigation.
'
domain: cybersecurity
subdomain: incident-response
tags: [splunk, SPL, SIEM, log-analysis, security-monitoring]
tags:
- splunk
- SPL
- SIEM
- log-analysis
- security-monitoring
mitre_attack:
- T1110
- T1550.002
- T1021.001
- T1059.001
- T1003.001
version: 1.0.0
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
- MANAGE-3.1
- MEASURE-3.1
nist_csf:
- RS.MA-01
- RS.MA-02
- RS.AN-03
- RC.RP-01
---
# Analyzing Security Logs with Splunk
skills/analyzing-slack-space-and-file-system-artifacts/SKILL.md
+22 -3
View File
@@ -1,12 +1,31 @@
---
name: analyzing-slack-space-and-file-system-artifacts
description: Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity on NTFS volumes.
description: Examine file system slack space, MFT entries, USN journal, and alternate
data streams to recover hidden data and reconstruct file activity on NTFS volumes.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, slack-space, ntfs, mft, usn-journal, alternate-data-streams, file-system-analysis]
version: "1.0"
tags:
- forensics
- slack-space
- ntfs
- mft
- usn-journal
- alternate-data-streams
- file-system-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1070.006
- T1564.004
- T1070.004
- T1005
- T1006
---
# Analyzing Slack Space and File System Artifacts
skills/analyzing-supply-chain-malware-artifacts/SKILL.md
+36 -3
View File
@@ -1,12 +1,45 @@
---
name: analyzing-supply-chain-malware-artifacts
description: Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines, and sideloaded dependencies to identify intrusion vectors and scope of compromise.
description: Investigate supply chain attack artifacts including trojanized software
updates, compromised build pipelines, and sideloaded dependencies to identify intrusion
vectors and scope of compromise.
domain: cybersecurity
subdomain: malware-analysis
tags: [supply-chain, malware-analysis, trojanized-software, solarwinds, 3cx, dependency-confusion, software-integrity]
version: "1.0"
tags:
- supply-chain
- malware-analysis
- trojanized-software
- solarwinds
- 3cx
- dependency-confusion
- software-integrity
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0010
- AML.T0104
nist_ai_rmf:
- GOVERN-5.2
- MAP-1.6
- MANAGE-2.2
d3fend_techniques:
- Platform Hardening
- Hardware Component Inventory
- Restore Object
- Electromagnetic Radiation Hardening
- RF Shielding
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1195.002
- T1195.001
- T1554
- T1553.002
- T1027
---
# Analyzing Supply Chain Malware Artifacts
skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md
+29 -3
View File
@@ -1,12 +1,38 @@
---
name: analyzing-threat-actor-ttps-with-mitre-attack
description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh
description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics,
techniques, and procedures (TTPs) based on real-world observations. This skill covers
systematically mapping threat actor beh
domain: cybersecurity
subdomain: threat-intelligence
tags: [threat-intelligence, cti, ioc, mitre-attack, stix, ttp-analysis, threat-actors]
version: "1.0"
tags:
- threat-intelligence
- cti
- ioc
- mitre-attack
- stix
- ttp-analysis
- threat-actors
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1566.001
- T1059.001
- T1071.001
- T1547.001
- T1053.005
---
# Analyzing Threat Actor TTPs with MITRE ATT&CK
skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md
+42 -9
View File
@@ -1,18 +1,51 @@
---
name: analyzing-threat-actor-ttps-with-mitre-navigator
description: >
Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to
the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti Python library. The
analyst queries STIX/TAXII data for group-technique associations, generates Navigator layer
files for visualization, and compares defensive coverage against adversary profiles.
Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor
profiling, or MITRE technique coverage analysis.
description: 'Map advanced persistent threat (APT) group tactics, techniques, and
procedures (TTPs) to the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti
Python library. The analyst queries STIX/TAXII data for group-technique associations,
generates Navigator layer files for visualization, and compares defensive coverage
against adversary profiles. Activates for requests involving APT TTP mapping, ATT&CK
Navigator layers, threat actor profiling, or MITRE technique coverage analysis.
'
domain: cybersecurity
subdomain: threat-intelligence
tags: [mitre-attack, navigator, threat-intelligence, apt, ttp-mapping, stix, attackcti]
version: "1.0"
tags:
- mitre-attack
- navigator
- threat-intelligence
- apt
- ttp-mapping
- stix
- attackcti
version: '1.0'
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1566.001
- T1059.001
- T1071.001
- T1547.001
- T1053.005
---
# Analyzing Threat Actor TTPs with MITRE Navigator
skills/analyzing-threat-intelligence-feeds/SKILL.md
+29 -7
View File
@@ -1,17 +1,39 @@
---
name: analyzing-threat-intelligence-feeds
description: >
Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators,
adversary tactics, and campaign context. Use when ingesting commercial or open-source CTI feeds,
evaluating feed quality, normalizing data into STIX 2.1 format, or enriching existing IOCs with
campaign attribution. Activates for requests involving ThreatConnect, Recorded Future, Mandiant
Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.
description: 'Analyzes structured and unstructured threat intelligence feeds to extract
actionable indicators, adversary tactics, and campaign context. Use when ingesting
commercial or open-source CTI feeds, evaluating feed quality, normalizing data into
STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates
for requests involving ThreatConnect, Recorded Future, Mandiant Advantage, MISP,
AlienVault OTX, or automated feed aggregation pipelines.
'
domain: cybersecurity
subdomain: threat-intelligence
tags: [STIX, TAXII, MITRE-ATT&CK, IOC, ThreatConnect, Recorded-Future, MISP, CTI, NIST-CSF]
tags:
- STIX
- TAXII
- MITRE-ATT&CK
- IOC
- ThreatConnect
- Recorded-Future
- MISP
- CTI
- NIST-CSF
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1071.001
- T1566
- T1568
- T1583.001
- T1102
---
# Analyzing Threat Intelligence Feeds
skills/analyzing-threat-landscape-with-misp/SKILL.md
+30 -8
View File
@@ -1,17 +1,39 @@
---
name: analyzing-threat-landscape-with-misp
description: >-
Analyze the threat landscape using MISP (Malware Information Sharing Platform)
by querying event statistics, attribute distributions, threat actor galaxy
clusters, and tag trends over time. Uses PyMISP to pull event data, compute
IOC type breakdowns, identify top threat actors and malware families, and
generate threat landscape reports with temporal trends.
description: Analyze the threat landscape using MISP (Malware Information Sharing
Platform) by querying event statistics, attribute distributions, threat actor galaxy
clusters, and tag trends over time. Uses PyMISP to pull event data, compute IOC
type breakdowns, identify top threat actors and malware families, and generate threat
landscape reports with temporal trends.
domain: cybersecurity
subdomain: threat-intelligence
tags: [analyzing, threat, landscape, with]
version: "1.0"
tags:
- threat-intelligence
- misp
- threat-landscape
- ioc-analysis
- cti
- threat-sharing
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1566
- T1071.001
- T1568
- T1583.001
- T1102
---
skills/analyzing-tls-certificate-transparency-logs/SKILL.md
+27 -7
View File
@@ -1,16 +1,36 @@
---
name: analyzing-tls-certificate-transparency-logs
description: >
Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing
domains, unauthorized certificate issuance, and shadow IT. Monitors newly issued
certificates for typosquatting and brand impersonation using Levenshtein distance.
Use for proactive phishing domain detection and certificate monitoring.
description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect
phishing domains, unauthorized certificate issuance, and shadow IT. Monitors newly
issued certificates for typosquatting and brand impersonation using Levenshtein
distance. Use for proactive phishing domain detection and certificate monitoring.
'
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, tls, certificate, transparency]
version: "1.0"
tags:
- certificate-transparency
- ct-logs
- crt-sh
- phishing-detection
- tls-monitoring
- security-operations
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0073
- AML.T0052
nist_csf:
- DE.CM-01
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1583.001
- T1566.002
- T1598.003
- T1583.006
---
# Analyzing TLS Certificate Transparency Logs
skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md
+26 -3
View File
@@ -1,12 +1,35 @@
---
name: analyzing-typosquatting-domains-with-dnstwist
description: Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations and identify registered lookalike domains targeting your organization.
description: Detect typosquatting, homograph phishing, and brand impersonation domains
using dnstwist to generate domain permutations and identify registered lookalike
domains targeting your organization.
domain: cybersecurity
subdomain: threat-intelligence
tags: [dnstwist, typosquatting, phishing, domain-monitoring, brand-protection, homograph, dns, threat-intelligence]
version: "1.0"
tags:
- dnstwist
- typosquatting
- phishing
- domain-monitoring
- brand-protection
- homograph
- dns
- threat-intelligence
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques:
- AML.T0073
- AML.T0052
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1583.001
- T1566.002
- T1598.003
- T1583.006
---
# Analyzing Typosquatting Domains with DNSTwist
skills/analyzing-uefi-bootkit-persistence/SKILL.md
+30 -6
View File
@@ -1,19 +1,43 @@
---
name: analyzing-uefi-bootkit-persistence
description: >
Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash,
EFI System Partition (ESP) modifications, Secure Boot bypass techniques, and UEFI
variable manipulation. Covers detection of known bootkit families (BlackLotus, LoJax,
MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection,
description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants
in SPI flash, EFI System Partition (ESP) modifications, Secure Boot bypass techniques,
and UEFI variable manipulation. Covers detection of known bootkit families (BlackLotus,
LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection,
chipsec-based firmware integrity verification, and Secure Boot configuration auditing.
Activates for requests involving UEFI malware analysis, firmware persistence investigation,
boot chain integrity verification, or Secure Boot bypass detection.
'
domain: cybersecurity
subdomain: firmware-security
tags: [UEFI, bootkit, firmware, Secure-Boot, chipsec, ESP, persistence]
tags:
- UEFI
- bootkit
- firmware
- Secure-Boot
- chipsec
- ESP
- persistence
version: 1.0.0
author: mukul975
license: Apache-2.0
d3fend_techniques:
- Platform Hardening
- Restore Object
- Platform Monitoring
- Firmware Verification
- Firmware Embedded Monitoring Code
nist_csf:
- ID.RA-01
- PR.PS-01
- PR.PS-02
mitre_attack:
- T1542.001
- T1542.003
- T1553.006
- T1542
- T1014
---
# Analyzing UEFI Bootkit Persistence
skills/analyzing-usb-device-connection-history/SKILL.md
+21 -3
View File
@@ -1,12 +1,30 @@
---
name: analyzing-usb-device-connection-history
description: Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable media usage and potential data exfiltration.
description: Investigate USB device connection history from Windows registry, event
logs, and setupapi logs to track removable media usage and potential data exfiltration.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, usb-forensics, removable-media, registry-analysis, data-exfiltration, device-history]
version: "1.0"
tags:
- forensics
- usb-forensics
- removable-media
- registry-analysis
- data-exfiltration
- device-history
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1052.001
- T1025
- T1091
- T1005
- T1074.001
---
# Analyzing USB Device Connection History
skills/analyzing-web-server-logs-for-intrusion/SKILL.md
+25 -7
View File
@@ -1,16 +1,34 @@
---
name: analyzing-web-server-logs-for-intrusion
description: >-
Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion,
directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based
pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution,
and statistical anomaly detection for request frequency and response size outliers.
description: Parse Apache and Nginx access logs to detect SQL injection attempts,
local file inclusion, directory traversal, web scanner fingerprints, and brute-force
patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP
enrichment for source attribution, and statistical anomaly detection for request
frequency and response size outliers.
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, web, server, logs]
version: "1.0"
tags:
- web-log-analysis
- apache-logs
- nginx-logs
- sql-injection-detection
- lfi-detection
- directory-traversal
- intrusion-detection
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.CM-01
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1190
- T1059.007
- T1110
- T1595.002
- T1505.003
---
skills/analyzing-windows-amcache-artifacts/SKILL.md
+28 -9
View File
@@ -1,19 +1,38 @@
---
name: analyzing-windows-amcache-artifacts
description: >
Parses and analyzes the Windows Amcache.hve registry hive to extract evidence
of program execution, application installation, and driver loading for digital
forensics investigations. Uses Eric Zimmerman's AmcacheParser and Timeline
Explorer for artifact extraction, SHA-1 hash correlation with threat intel,
and timeline reconstruction. Activates for requests involving Amcache forensics,
program execution evidence, Windows artifact analysis, or application compatibility
cache investigation.
description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract
evidence of program execution, application installation, and driver loading for
digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline
Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and
timeline reconstruction. Activates for requests involving Amcache forensics, program
execution evidence, Windows artifact analysis, or application compatibility cache
investigation.
'
domain: cybersecurity
subdomain: digital-forensics
tags: [amcache, windows-forensics, program-execution, AmcacheParser, eric-zimmerman, timeline-analysis, DFIR]
tags:
- amcache
- windows-forensics
- program-execution
- AmcacheParser
- eric-zimmerman
- timeline-analysis
- DFIR
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1070.004
- T1070.006
- T1036.005
- T1014
- T1005
---
# Analyzing Windows Amcache Artifacts
skills/analyzing-windows-event-logs-in-splunk/SKILL.md
+34 -7
View File
@@ -1,16 +1,43 @@
---
name: analyzing-windows-event-logs-in-splunk
description: >
Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks,
privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to
MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats,
build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers.
description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to
detect authentication attacks, privilege escalation, persistence mechanisms, and
lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC
analysts need to investigate Windows-based threats, build detection queries, or
perform forensic timeline analysis of Windows endpoints and domain controllers.
'
domain: cybersecurity
subdomain: soc-operations
tags: [soc, splunk, windows-events, sysmon, event-logs, mitre-attack, active-directory]
version: "1.0"
tags:
- soc
- splunk
- windows-events
- sysmon
- event-logs
- mitre-attack
- active-directory
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Restore Access
- Password Authentication
- Biometric Authentication
- Strong Password Policy
- Restore User Account Access
nist_csf:
- DE.CM-01
- DE.AE-02
- RS.MA-01
- DE.AE-06
mitre_attack:
- T1110
- T1053.005
- T1547.001
- T1021.002
- T1558.003
- T1003.006
---
# Analyzing Windows Event Logs in Splunk
skills/analyzing-windows-lnk-files-for-artifacts/SKILL.md
+21 -3
View File
@@ -1,12 +1,30 @@
---
name: analyzing-windows-lnk-files-for-artifacts
description: Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers for forensic timeline reconstruction.
description: Parse Windows LNK shortcut files to extract target paths, timestamps,
volume information, and machine identifiers for forensic timeline reconstruction.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, lnk-files, windows-artifacts, shortcut-analysis, timeline-reconstruction, evidence-collection]
version: "1.0"
tags:
- forensics
- lnk-files
- windows-artifacts
- shortcut-analysis
- timeline-reconstruction
- evidence-collection
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1547.001
- T1204.002
- T1005
- T1025
- T1074.001
---
# Analyzing Windows LNK Files for Artifacts
skills/analyzing-windows-prefetch-with-python/SKILL.md
+22 -3
View File
@@ -1,12 +1,31 @@
---
name: analyzing-windows-prefetch-with-python
description: Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history, detect renamed or masquerading binaries, and identify suspicious program execution patterns.
description: Parse Windows Prefetch files using the windowsprefetch Python library
to reconstruct application execution history, detect renamed or masquerading binaries,
and identify suspicious program execution patterns.
domain: cybersecurity
subdomain: digital-forensics
tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis]
version: "1.0"
tags:
- digital-forensics
- windows
- prefetch
- execution-history
- incident-response
- malware-analysis
mitre_attack:
- T1036.005
- T1070.004
- T1070
- T1003.001
- T1057
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
---
# Analyzing Windows Prefetch with Python
skills/analyzing-windows-registry-for-artifacts/SKILL.md
+21 -3
View File
@@ -1,12 +1,30 @@
---
name: analyzing-windows-registry-for-artifacts
description: Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and evidence of system compromise.
description: Extract and analyze Windows Registry hives to uncover user activity,
installed software, autostart entries, and evidence of system compromise.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, windows-registry, artifact-analysis, regripper, registry-explorer, evidence-collection]
version: "1.0"
tags:
- forensics
- windows-registry
- artifact-analysis
- regripper
- registry-explorer
- evidence-collection
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1012
- T1547.001
- T1112
- T1003.002
- T1025
---
# Analyzing Windows Registry for Artifacts
skills/analyzing-windows-shellbag-artifacts/SKILL.md
+26 -3
View File
@@ -1,12 +1,35 @@
---
name: analyzing-windows-shellbag-artifacts
description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags Explorer.
description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing
activity, detect access to removable media and network shares, and establish user
interaction with directories even after deletion using SBECmd and ShellBags Explorer.
domain: cybersecurity
subdomain: digital-forensics
tags: [shellbags, windows-registry, sbecmd, shellbags-explorer, folder-access, user-activity, removable-media, network-shares, bagmru, dfir]
version: "1.0"
tags:
- shellbags
- windows-registry
- sbecmd
- shellbags-explorer
- folder-access
- user-activity
- removable-media
- network-shares
- bagmru
- dfir
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1083
- T1074.001
- T1135
- T1025
- T1070.004
---
# Analyzing Windows Shellbag Artifacts
skills/auditing-aws-s3-bucket-permissions/SKILL.md
+25 -6
View File
@@ -1,15 +1,34 @@
---
name: auditing-aws-s3-bucket-permissions
description: >
Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets,
overly permissive ACLs, misconfigured bucket policies, and missing encryption settings
using AWS CLI, S3audit, and Prowler to enforce least-privilege data access controls.
description: 'Systematically audit AWS S3 bucket permissions to identify publicly
accessible buckets, overly permissive ACLs, misconfigured bucket policies, and missing
encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege
data access controls.
'
domain: cybersecurity
subdomain: cloud-security
tags: [cloud-security, aws, s3, bucket-permissions, data-protection, access-control]
version: "1.0"
tags:
- cloud-security
- aws
- s3
- bucket-permissions
- data-protection
- access-control
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1530
- T1619
- T1078.004
- T1537
- T1567.002
---
# Auditing AWS S3 Bucket Permissions
skills/auditing-azure-active-directory-configuration/SKILL.md
+25 -6
View File
@@ -1,15 +1,34 @@
---
name: auditing-azure-active-directory-configuration
description: >
Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky
authentication policies, overly permissive role assignments, stale accounts, conditional
access gaps, and guest user risks using AzureAD PowerShell, Microsoft Graph API, and ScoutSuite.
description: 'Auditing Microsoft Entra ID (Azure Active Directory) configuration to
identify risky authentication policies, overly permissive role assignments, stale
accounts, conditional access gaps, and guest user risks using AzureAD PowerShell,
Microsoft Graph API, and ScoutSuite.
'
domain: cybersecurity
subdomain: cloud-security
tags: [cloud-security, azure, entra-id, active-directory, iam-audit, conditional-access]
version: "1.0"
tags:
- cloud-security
- azure
- entra-id
- active-directory
- iam-audit
- conditional-access
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1078.004
- T1098.003
- T1556.006
- T1069.003
- T1526
---
# Auditing Azure Active Directory Configuration
skills/auditing-cloud-with-cis-benchmarks/SKILL.md
+28 -7
View File
@@ -1,17 +1,38 @@
---
name: auditing-cloud-with-cis-benchmarks
description: >
This skill details how to conduct cloud security audits using Center for Internet
Security benchmarks for AWS, Azure, and GCP. It covers interpreting CIS Foundations
Benchmark controls, running automated assessments with tools like Prowler and
ScoutSuite, remediating failed controls, and maintaining continuous compliance
monitoring against CIS v5 for AWS, v4 for Azure, and v4 for GCP.
description: 'This skill details how to conduct cloud security audits using Center
for Internet Security benchmarks for AWS, Azure, and GCP. It covers interpreting
CIS Foundations Benchmark controls, running automated assessments with tools like
Prowler and ScoutSuite, remediating failed controls, and maintaining continuous
compliance monitoring against CIS v5 for AWS, v4 for Azure, and v4 for GCP.
'
domain: cybersecurity
subdomain: cloud-security
tags: [cis-benchmarks, cloud-audit, compliance-assessment, prowler, security-hardening]
tags:
- cis-benchmarks
- cloud-audit
- compliance-assessment
- prowler
- security-hardening
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- GOVERN-1.1
- GOVERN-4.2
- MAP-2.3
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1078.004
- T1530
- T1098.003
- T1685.002
- T1580
---
# Auditing Cloud with CIS Benchmarks
skills/auditing-gcp-iam-permissions/SKILL.md
+24 -6
View File
@@ -1,15 +1,33 @@
---
name: auditing-gcp-iam-permissions
description: >
Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings,
primitive role usage, service account key proliferation, and cross-project access risks
using gcloud CLI, Policy Analyzer, and IAM Recommender.
description: 'Auditing Google Cloud Platform IAM permissions to identify overly permissive
bindings, primitive role usage, service account key proliferation, and cross-project
access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.
'
domain: cybersecurity
subdomain: cloud-security
tags: [cloud-security, gcp, iam, permissions-audit, service-accounts, policy-analyzer]
version: "1.0"
tags:
- cloud-security
- gcp
- iam
- permissions-audit
- service-accounts
- policy-analyzer
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1078.004
- T1098.003
- T1528
- T1548.005
- T1580
---
# Auditing GCP IAM Permissions
skills/auditing-kubernetes-cluster-rbac/SKILL.md
+25 -6
View File
@@ -1,15 +1,34 @@
---
name: auditing-kubernetes-cluster-rbac
description: >
Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles,
wildcard permissions, dangerous ClusterRoleBindings, service account abuse, and
privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.
description: 'Auditing Kubernetes cluster RBAC configurations to identify overly permissive
roles, wildcard permissions, dangerous ClusterRoleBindings, service account abuse,
and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.
'
domain: cybersecurity
subdomain: cloud-security
tags: [cloud-security, kubernetes, rbac, access-control, eks, gke, aks]
version: "1.0"
tags:
- cloud-security
- kubernetes
- rbac
- access-control
- eks
- gke
- aks
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1098.006
- T1552.007
- T1611
- T1613
- T1078.004
---
# Auditing Kubernetes Cluster RBAC
skills/auditing-terraform-infrastructure-for-security/SKILL.md
+25 -6
View File
@@ -1,15 +1,34 @@
---
name: auditing-terraform-infrastructure-for-security
description: >
Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov,
tfsec, Terrascan, and OPA/Rego policies to detect overly permissive IAM policies, public
resource exposure, missing encryption, and insecure defaults before cloud deployment.
description: 'Auditing Terraform infrastructure-as-code for security misconfigurations
using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive
IAM policies, public resource exposure, missing encryption, and insecure defaults
before cloud deployment.
'
domain: cybersecurity
subdomain: cloud-security
tags: [cloud-security, terraform, infrastructure-as-code, checkov, tfsec, policy-as-code]
version: "1.0"
tags:
- cloud-security
- terraform
- infrastructure-as-code
- checkov
- tfsec
- policy-as-code
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1078.004
- T1530
- T1190
- T1552.001
- T1580
---
# Auditing Terraform Infrastructure for Security
skills/auditing-tls-certificate-transparency-logs/SKILL.md
+27 -8
View File
@@ -1,18 +1,37 @@
---
name: auditing-tls-certificate-transparency-logs
description: >
Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance,
discover subdomains via CT data, and alert on suspicious certificate activity for owned domains.
Uses the crt.sh API and direct CT log querying based on RFC 6962 to build continuous monitoring
pipelines that catch rogue certificates, track CA behavior, and map the external attack surface.
Activates for requests involving certificate transparency monitoring, CT log auditing,
subdomain discovery via certificates, or certificate issuance alerting.
description: 'Monitors Certificate Transparency (CT) logs to detect unauthorized certificate
issuance, discover subdomains via CT data, and alert on suspicious certificate activity
for owned domains. Uses the crt.sh API and direct CT log querying based on RFC 6962
to build continuous monitoring pipelines that catch rogue certificates, track CA
behavior, and map the external attack surface. Activates for requests involving
certificate transparency monitoring, CT log auditing, subdomain discovery via certificates,
or certificate issuance alerting.
'
domain: cybersecurity
subdomain: threat-intelligence
tags: [certificate-transparency, CT-logs, crt-sh, subdomain-discovery, TLS-monitoring, RFC-6962]
tags:
- certificate-transparency
- CT-logs
- crt-sh
- subdomain-discovery
- TLS-monitoring
- RFC-6962
version: 1.0.0
author: mukul975
license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1596.003
- T1583.001
- T1587.003
- T1593
- T1566.002
---
# Auditing TLS Certificate Transparency Logs
skills/automating-ioc-enrichment/SKILL.md
+30 -8
View File
@@ -1,18 +1,40 @@
---
name: automating-ioc-enrichment
description: >
Automates the enrichment of raw indicators of compromise with multi-source threat intelligence
context using SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time
and standardize enrichment outputs. Use when building automated enrichment workflows integrated
with SIEM alerts, email submission pipelines, or bulk IOC processing from threat feeds. Activates
for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment
pipelines, or automated IOC processing.
description: 'Automates the enrichment of raw indicators of compromise with multi-source
threat intelligence context using SOAR platforms, Python pipelines, or TIP playbooks
to reduce analyst triage time and standardize enrichment outputs. Use when building
automated enrichment workflows integrated with SIEM alerts, email submission pipelines,
or bulk IOC processing from threat feeds. Activates for requests involving SOAR
enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment pipelines, or
automated IOC processing.
'
domain: cybersecurity
subdomain: threat-intelligence
tags: [SOAR, enrichment, IOC, Cortex-XSOAR, Splunk-SOAR, VirusTotal, automation, CTI, NIST-CSF]
tags:
- SOAR
- enrichment
- IOC
- Cortex-XSOAR
- Splunk-SOAR
- VirusTotal
- automation
- CTI
- NIST-CSF
version: 1.0.0
author: team-cybersecurity
license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1071.001
- T1583.001
- T1588.001
- T1590.005
- T1596
---
# Automating IOC Enrichment
skills/building-adversary-infrastructure-tracking-system/SKILL.md
+24 -3
View File
@@ -1,12 +1,33 @@
---
name: building-adversary-infrastructure-tracking-system
description: Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor threat actor command-and-control networks.
description: Build an automated system to track adversary infrastructure using passive
DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor
threat actor command-and-control networks.
domain: cybersecurity
subdomain: threat-intelligence
tags: [infrastructure-tracking, passive-dns, c2, whois, threat-actor, pivoting, threat-intelligence, domain-analysis]
version: "1.0"
tags:
- infrastructure-tracking
- passive-dns
- c2
- whois
- threat-actor
- pivoting
- threat-intelligence
- domain-analysis
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1583.001
- T1583.004
- T1596.001
- T1590.002
- T1071.001
---
# Building Adversary Infrastructure Tracking System
skills/building-attack-pattern-library-from-cti-reports/SKILL.md
+30 -3
View File
@@ -1,12 +1,39 @@
---
name: building-attack-pattern-library-from-cti-reports
description: Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering and threat-informed defense.
description: Extract and catalog attack patterns from cyber threat intelligence reports
into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering
and threat-informed defense.
domain: cybersecurity
subdomain: threat-intelligence
tags: [attack-pattern, cti-reports, mitre-attack, stix, detection-engineering, threat-intelligence, nlp, extraction]
version: "1.0"
tags:
- attack-pattern
- cti-reports
- mitre-attack
- stix
- detection-engineering
- threat-intelligence
- nlp
- extraction
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1566.001
- T1059.001
- T1003.001
- T1558.003
- T1550.002
---
# Building Attack Pattern Library from CTI Reports
skills/building-automated-malware-submission-pipeline/SKILL.md
+28 -7
View File
@@ -1,16 +1,37 @@
---
name: building-automated-malware-submission-pipeline
description: >
Builds an automated malware submission and analysis pipeline that collects suspicious files from
endpoints and email gateways, submits them to sandbox environments and multi-engine scanners,
and generates verdicts with IOCs for SIEM integration. Use when SOC teams need to scale malware
analysis beyond manual sandbox submissions for high-volume alert triage.
description: 'Builds an automated malware submission and analysis pipeline that collects
suspicious files from endpoints and email gateways, submits them to sandbox environments
and multi-engine scanners, and generates verdicts with IOCs for SIEM integration.
Use when SOC teams need to scale malware analysis beyond manual sandbox submissions
for high-volume alert triage.
'
domain: cybersecurity
subdomain: soc-operations
tags: [soc, malware-analysis, sandbox, automation, virustotal, cuckoo, any-run, pipeline]
version: "1.0"
tags:
- soc
- malware-analysis
- sandbox
- automation
- virustotal
- cuckoo
- any-run
- pipeline
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- DE.CM-01
- DE.AE-02
- RS.MA-01
- DE.AE-06
mitre_attack:
- T1204.002
- T1566.001
- T1027
- T1055
- T1497
---
# Building Automated Malware Submission Pipeline
skills/building-c2-infrastructure-with-sliver-framework/SKILL.md
+29 -3
View File
@@ -1,12 +1,38 @@
---
name: building-c2-infrastructure-with-sliver-framework
description: Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements.
description: Build and configure a resilient command-and-control infrastructure using
BishopFox's Sliver C2 framework with redirectors, HTTPS listeners, and multi-operator
support for authorized red team engagements.
domain: cybersecurity
subdomain: red-teaming
tags: [red-team, c2-framework, sliver, command-and-control, adversary-simulation, infrastructure, post-exploitation]
version: "1.0"
tags:
- red-team
- c2-framework
- sliver
- command-and-control
- adversary-simulation
- infrastructure
- post-exploitation
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Certificate Analysis
- Application Protocol Command Analysis
- Content Format Conversion
- File Content Analysis
nist_csf:
- ID.RA-01
- GV.OV-02
- DE.AE-07
mitre_attack:
- T1071.001
- T1071.004
- T1573.002
- T1090.002
- T1105
- T1572
---
# Building C2 Infrastructure with Sliver Framework
skills/building-cloud-siem-with-sentinel/SKILL.md
+32 -7
View File
@@ -1,17 +1,42 @@
---
name: building-cloud-siem-with-sentinel
description: >
This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR
platform for centralized security operations. It details configuring data connectors
for multi-cloud log ingestion, writing KQL detection queries, building automated
response playbooks with Logic Apps, and leveraging the Sentinel data lake for
petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry.
description: 'This skill covers deploying Microsoft Sentinel as a cloud-native SIEM
and SOAR platform for centralized security operations. It details configuring data
connectors for multi-cloud log ingestion, writing KQL detection queries, building
automated response playbooks with Logic Apps, and leveraging the Sentinel data lake
for petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry.
'
domain: cybersecurity
subdomain: cloud-security
tags: [microsoft-sentinel, cloud-siem, kql-queries, soar-automation, threat-detection]
tags:
- microsoft-sentinel
- cloud-siem
- kql-queries
- soar-automation
- threat-detection
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1078.004
- T1548.005
- T1485
- T1530
- T1021.007
---
# Building Cloud SIEM with Sentinel
skills/building-detection-rule-with-splunk-spl/SKILL.md
+30 -3
View File
@@ -1,12 +1,39 @@
---
name: building-detection-rule-with-splunk-spl
description: Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify security threats in SOC environments.
description: Build effective detection rules using Splunk Search Processing Language
(SPL) correlation searches to identify security threats in SOC environments.
domain: cybersecurity
subdomain: soc-operations
tags: [splunk, spl, detection-engineering, correlation-search, siem, soc, threat-detection, enterprise-security]
version: "1.0"
tags:
- splunk
- spl
- detection-engineering
- correlation-search
- siem
- soc
- threat-detection
- enterprise-security
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_csf:
- DE.CM-01
- DE.AE-02
- RS.MA-01
- DE.AE-06
mitre_attack:
- T1059.001
- T1003.001
- T1021.002
- T1110.003
- T1053.005
- T1048
---
# Building Detection Rules with Splunk SPL
skills/building-detection-rules-with-sigma/SKILL.md
+34 -7
View File
@@ -1,16 +1,43 @@
---
name: building-detection-rules-with-sigma
description: >
Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across
SIEM platforms including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable
detection logic from threat intelligence, mapping rules to MITRE ATT&CK techniques, or converting
community Sigma rules into platform-specific queries using sigmac or pySigma backends.
description: 'Builds vendor-agnostic detection rules using the Sigma rule format for
threat detection across SIEM platforms including Splunk, Elastic, and Microsoft
Sentinel. Use when creating portable detection logic from threat intelligence, mapping
rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific
queries using sigmac or pySigma backends.
'
domain: cybersecurity
subdomain: soc-operations
tags: [soc, sigma, detection-rules, siem, mitre-attack, splunk, elastic, sentinel]
version: "1.0"
tags:
- soc
- sigma
- detection-rules
- siem
- mitre-attack
- splunk
- elastic
- sentinel
version: '1.0'
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Execution Isolation
- Process Termination
- Hardware-based Process Isolation
- Web Session Access Mediation
- Process Suspension
nist_csf:
- DE.CM-01
- DE.AE-02
- RS.MA-01
- DE.AE-06
mitre_attack:
- T1059.001
- T1003.001
- T1055
- T1053.005
- T1547.001
---
# Building Detection Rules with Sigma

Some files were not shown because too many files have changed in this diff Show More