creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 22:24:56 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: creator/Anthropic-Cybersecurity-Skills:v1.1.0
Branches Tags
creator/Anthropic-Cybersecurity-Skills:main
creator/Anthropic-Cybersecurity-Skills:v1.2.0 creator/Anthropic-Cybersecurity-Skills:v1.1.0 creator/Anthropic-Cybersecurity-Skills:v1.0.0
...
compare: creator/Anthropic-Cybersecurity-Skills:main
Branches Tags
creator/Anthropic-Cybersecurity-Skills:main
creator/Anthropic-Cybersecurity-Skills:v1.2.0 creator/Anthropic-Cybersecurity-Skills:v1.1.0 creator/Anthropic-Cybersecurity-Skills:v1.0.0

60 Commits
v1.1.0 ... main

Author SHA1 Message Date
mukul975 04450304b1 chore: auto-update index.json 2026-06-01 10:15:47 +00:00
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1 
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
 2026-06-01 12:13:29 +02:00
mukul975 9a588e643e chore: auto-update index.json 2026-05-30 09:32:08 +00:00
Mahipal 868465b4e4 Merge pull request #58 from Bortlesboat/fix/objection-skill-description 
Fix description YAML for Objection iOS skill
 2026-05-30 11:32:00 +02:00
Andrew Barnes 2338e0371c Fix Objection skill description frontmatter 
Normalize YAML description so tools can reliably parse it.
 2026-05-25 09:04:36 -04:00
Mahipal 0f429d0f96 Update README.md 2026-05-13 11:07:15 +02:00
Mahipal 15b63716a4 Update README.md 2026-05-13 10:56:27 +02:00
mukul975 77d5d9d686 chore: auto-update index.json 2026-04-26 12:03:37 +00:00
Mahipal 812db448e0 Merge PR #44: Normalize tags in 3 skills 2026-04-26 14:03:28 +02:00
Mahipal fcc73ea471 Merge PR #28: Add bulk skill metadata validation script 2026-04-26 14:03:24 +02:00
claude[bot] fbc47b7ac2 fix: replace word-split tags with domain-specific cybersecurity tags 
Three SKILL.md files had tags that were simply words split from the
skill name (e.g., "analyzing", "block", "with", "logs") rather than
meaningful discovery keywords. Replace with domain-specific terms that
agents and search tools can actually use for routing.

- analyzing-powershell-script-block-logging: [powershell, script-block-logging, event-id-4104, obfuscation-detection, windows-forensics, endpoint-security]
- analyzing-azure-activity-logs-for-threats: [azure, cloud-security, azure-monitor, kql, threat-hunting, activity-logs]
- analyzing-memory-forensics-with-lime-and-volatility: [memory-forensics, linux-forensics, lime, volatility, incident-response, kernel-modules]

Co-Authored-By: Claude Code <noreply@anthropic.com>
 2026-04-21 00:35:35 +00:00
Mahipal 888bbe4c6e Delete star.yml 2026-04-18 02:09:43 +02:00
Mahipal c60cb4aa7b Update star.yml 2026-04-15 22:43:16 +02:00
Mahipal d5f3fa3248 Update star.yml 2026-04-15 22:37:28 +02:00
Mahipal 91a087aacc Update star.yml 2026-04-15 22:35:07 +02:00
Mahipal 780757902b Create star.yml 2026-04-15 19:15:45 +02:00
Mahipal 9e8a8cda80 Add Hermes Agent badge to README 2026-04-15 00:51:53 +02:00
Mahipal efbbbba5e2 Add Casky.ai Playground section to README 
Added a section for the Casky.ai Playground with details on its features and usage.
 2026-04-11 15:04:51 +02:00
Mahipal c715f0b36e Revise README for improved clarity and structure 
Updated README to enhance project visibility and clarify project scope.
 2026-04-11 00:46:21 +02:00
mukul975 4ae0be7f48 chore: bump marketplace version to v1.2.0 2026-04-06 12:26:39 +02:00
mukul975 dcc2dc32fd fix: jq command line continuation in sync-marketplace workflow 2026-04-06 12:25:16 +02:00
mukul975 c0ab6cfccb docs: update README for v1.2.0 — 5-framework coverage, 754 skills 2026-04-06 12:06:22 +02:00
mukul975 b4231b19e7 chore: auto-update index.json 2026-04-06 09:17:52 +00:00
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills 
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
 2026-04-06 11:17:40 +02:00
mukul975 e8105a2f4d chore: auto-update index.json 2026-04-05 23:56:33 +00:00
mukul975 ef27f026cb feat: enrich 209 skills with MITRE ATLAS, D3FEND, and NIST AI RMF frontmatter 
Added structured security framework mappings to SKILL.md frontmatter across all applicable skills:
- atlas_techniques: MITRE ATLAS v5.5 AML.TXXXX IDs (81 skills, AI-targeted attack techniques)
- d3fend_techniques: MITRE D3FEND v1.3 defensive technique labels (139 skills, mapped from ATT&CK IDs)
- nist_ai_rmf: NIST AI RMF 1.0 subcategory IDs (85 skills, AI risk management functions)

Also updates ATTACK_COVERAGE.md with coverage statistics for all three frameworks.
 2026-04-06 01:56:17 +02:00
Julio César Suástegui efc9598525 fix(validator): address all remaining review feedback from @mukul975 
Three issues fixed:

1. Description list check — added elif isinstance(desc, list) branch that
   emits 'Description must be a string value, not a list'. Previously the
   block was silently skipped when YAML returned a list, causing the skill
   to pass without validating the description field.

2. tools/README.md synced — updated description constraint from '20-500
   characters' to 'at least 50 characters (no upper limit)' to match the
   current code (DESCRIPTION_MIN_CHARS=50, no max enforced).

3. --all with wrong CWD now exits 1 — if glob returns no skill dirs,
   the script prints an error and exits with code 1 instead of reporting
   'Total: 0 Passed: 0 Failed: 0' and exiting 0, which would cause CI to
   silently pass while validating nothing.

All 754 skills continue to pass (0 regressions).
 2026-04-04 05:34:31 -06:00
Julio César Suástegui 31f745385b fix(validator): address all review feedback from @mukul975 
Required changes:
- Error handling: IOError and UnicodeDecodeError already wrapped in
  try/except from previous commit — still present and correct.
- ALLOWED_SUBDOMAINS: synced with actual repo usage (audited all 754
  skills). identity-access-management (34 skills) added; identity-security
  was the placeholder in its place.

New in this commit:
1. Description minimum: raised from 20 → 50 chars to align with other
   repo tooling as requested.
2. Folded scalar support: parse_frontmatter now handles YAML `>-` and `>`
   folded scalars, preventing incorrect parse of multi-line descriptions.
   Added a comment documenting the one remaining edge case (value-less key
   followed by non-list content — treated as no-value, acceptable for
   well-formed SKILL.md files).
3. Canonical subdomain warnings: alias subdomain values (e.g.
   security-operations vs soc-operations) now print a WARN line pointing
   to the canonical form, but are non-blocking. A _SUBDOMAIN_ALIASES dict
   documents canonical/alias pairs explicitly.
4. Description upper limit: removed hard cap — folded scalars legitimately
   produce long strings in existing skills.
5. PR description: removed false mention of type hints (there are none
   in this file).

Validator now passes 754/754 skills in the repo with 0 errors.
 2026-04-03 09:51:27 -06:00
Julio César Suástegui b53f3d4991 fix: add error handling for IOError/UnicodeDecodeError + sync ALLOWED_SUBDOMAINS 
- Wrap open() call in try/except for IOError and UnicodeDecodeError
  to report clean errors instead of crashing on encoding issues
- Add all subdomains actually used by existing skills in the repo:
  identity-access-management (33 skills), security-operations (28),
  identity-and-access-management, zero-trust, ot-security, purple-team,
  red-team, ai-security, social-engineering-defense, and others
- Remove identity-security as the canonical form is identity-access-management
 2026-04-03 09:49:04 -06:00
mukul975 c15f73db46 chore: auto-update index.json 2026-04-03 06:56:09 +00:00
mukul975 6325c202c5 chore: auto-update index.json 2026-04-03 06:30:32 +00:00
Mahipal 1cf19ded90 Merge pull request #26 from juliosuas/add-mitre-attack-incident-response 
Add MITRE ATT&CK IDs to incident response skills (fixes #1)
 2026-04-03 02:30:23 -04:00
Mahipal a7f577b482 Add skill: performing-cloud-native-threat-hunting-with-aws-detective 
Add skill: performing-cloud-native-threat-hunting-with-aws-detective
 2026-04-03 02:30:17 -04:00
Mahipal e26a736cf7 ci: add workflow to auto-sync marketplace version on release 2026-03-31 14:46:36 +02:00
Mahipal bb39fa73a9 Update marketplace version to v1.1.0 2026-03-31 14:41:58 +02:00
Mahipal 1cffd664f5 Remove Product Hunt badge from README 
Removed Product Hunt badge from README.
 2026-03-28 17:51:39 +01:00
Mahipal d7f205681a Add Product Hunt badge to README 
Added a Product Hunt badge to promote the project.
 2026-03-28 17:23:50 +01:00
mukul975 7283f02ba9 chore: auto-update index.json 2026-03-28 11:41:02 +00:00
mukul975 476a0880f4 Fix ESET AV false positive on AMSI bypass strings in skill docs 2026-03-28 12:40:53 +01:00
MAGI a072845a3f Fix review comments: correct AWS Detective API usage and forensic ordering 
- Fix FilterCriteria to use singular Severity/Status with Value objects
  instead of invalid plural Severities/Statuses arrays (SKILL.md + process.py)
- Fix get_entity_history: rename to get_investigation_indicators, use
  investigation_id instead of entity_arn for InvestigationId parameter
- Replace invalid inv-* placeholders with 21-digit numeric IDs
- Fix Expected Output to match real API response structure (no embedded
  Indicators; document separate list-indicators call and indicator types)
- Fix CLI --filter-criteria example to use correct format
- Update process.py --severity to accept single value with validation
- Add --max-results validation (1-100 range)
- Add pagination via _collect_all_pages helper for all list API calls
- Reorder Response Actions checklist: evidence preservation before containment
- Reorder Phase 5 workflow: preserve evidence first when safe
 2026-03-28 02:06:16 -06:00
MAGI 41b828e758 fix: add missing process.py implementation for aws-detective skill 
The process.py script was empty (0 bytes). Added a functional
implementation that lists behavior graphs, retrieves investigations,
queries indicators, and exports results — matching the pattern of
other skills in the repository.
 2026-03-28 02:06:16 -06:00
MAGI 2f6701d2d8 Add skill: performing-cloud-native-threat-hunting-with-aws-detective (fixes #6) 2026-03-28 02:06:16 -06:00
mukul975 aff90acbf5 Trigger contributor recalculation 2026-03-28 02:06:16 -06:00
Julio César Suástegui 84b4699e59 fix: remove out-of-scope changes (cloud-waf tags, zero-trust description rewrite) 2026-03-28 02:06:00 -06:00
MAGI c7ad5e7b98 Fix round 3: refine MITRE ATT&CK mappings per CodeRabbit review 
- osquery: replace broad IDs with concrete detections (T1049, T1620, T1053.003, T1548.001, T1552)
- credential extraction: replace T1550 with T1552 (Unsecured Credentials)
- persistence investigation: use sub-techniques (T1547.001, T1053.005, T1543.003, T1546.003)
 2026-03-28 02:06:00 -06:00
MAGI 15d53bd09b Fix MITRE ATT&CK mappings per CodeRabbit review: align techniques to skill content 
- analyzing-malware-persistence-with-autoruns: add persistence techniques T1547, T1053, T1543, T1546
- analyzing-memory-dumps-with-volatility: add memory forensics techniques T1055, T1003, T1059, T1620
- analyzing-persistence-mechanisms-in-linux: add Linux-specific sub-techniques T1053.003, T1543.002, T1574.006, T1546.004
- analyzing-windows-prefetch-with-python: add execution techniques T1059, T1204, T1036
- building-incident-response-dashboard: remove misaligned mitre_attack (dashboard is a visibility tool)
- building-phishing-reporting-button-workflow: add phishing techniques T1566, T1204, T1534
- deobfuscating-powershell-obfuscated-malware: add PowerShell/obfuscation techniques T1059.001, T1027, T1140
 2026-03-28 02:06:00 -06:00
MAGI 100361c3e5 Scope fix: remove mitre_attack from 24 non-incident-response skills, use sub-techniques 
- Removed mitre_attack from digital-forensics, cloud-security, malware-analysis,
  endpoint-security, threat-hunting, ransomware-defense, phishing-defense, and
  security-operations subdomain skills (out of PR scope per issue #1)
- Applied sub-technique IDs where appropriate (T1566.001, T1003.001, etc.)
- Only incident-response and soc-operations skills retain mappings
 2026-03-28 02:06:00 -06:00
MAGI 42258456e8 Fix MITRE ATT&CK mappings per CodeRabbit review 
- Replace generic T1190/T1059/T1078 with context-specific techniques
- Persistence: T1547, T1053, T1543, T1574
- Credentials: T1003, T1558, T1550
- Phishing: T1566, T1204, T1534
- Ransomware: T1486, T1490, T1489
- Cloud: T1078, T1537, T1580, T1098
- Remove mappings from out-of-scope subdomains (ot-ics, malware-analysis, digital-forensics)
 2026-03-28 02:05:57 -06:00
MAGI 5e62a7ea2c Add MITRE ATT&CK technique IDs to 60 incident-response skills (fixes #1) 2026-03-28 02:05:53 -06:00
mukul975 0fbcbdf8dd chore: auto-update index.json 2026-03-27 09:24:27 +00:00
Julio César Suástegui 97c213f9a4 Add skill: detecting-lateral-movement-with-zeek (fixes #5) (#29) 2026-03-27 10:24:16 +01:00
mukul975 9314565dd9 docs: update release version from v1.0.0 to v1.1.0 in README 2026-03-23 19:17:24 +01:00
mukul975 c74a7547bb docs: replace static contributors table with contrib.rocks auto-updating widget 2026-03-23 19:16:03 +01:00
mukul975 f4e791c06c docs: remove fake contributor Systech2021-1952 from README 2026-03-23 19:14:33 +01:00
mukul975 577f795252 docs: update skill count to 753 and domain count to 38 across all files 2026-03-21 13:57:15 +01:00
mukul975 ac77250450 docs: use single name Mahipal in CITATION.cff 2026-03-21 13:38:37 +01:00
mukul975 57b684e4d6 docs: add CITATION.cff for academic and tool attribution 2026-03-21 13:37:55 +01:00
mukul975 3856835990 chore: auto-update index.json 2026-03-21 12:23:42 +00:00
mukul975 db3eaaeaf2 fix: add workflow_dispatch and self-trigger to update-index workflow 2026-03-21 13:23:34 +01:00
mukul975 7f60276fd9 fix: add missing import re in update-index workflow, bump version to 1.1.0 2026-03-21 13:21:55 +01:00
775 changed files with 21460 additions and 4263 deletions
Expand all files Collapse all files
.claude-plugin/marketplace.json
+4 -4
View File
@@ -5,15 +5,15 @@
"email": "mukuljangra5@gmail.com" "email": "mukuljangra5@gmail.com"
}, },
"metadata": { "metadata": {
"description": "753 cybersecurity skills for AI agents and security practitioners covering web security, pentesting, forensics, threat intelligence, cloud security, and more.", "description": "754 cybersecurity skills for AI agents mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, and NIST AI RMF.",
"version": "1.0.0" "version": "1.2.0"
}, },
"plugins": [ "plugins": [
{ {
"name": "cybersecurity-skills", "name": "cybersecurity-skills",
"source": "./", "source": "./",
"description": "607+ cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.", "description": "754 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more. Mapped to 5 frameworks.",
"version": "1.0.0", "version": "1.2.0",
"author": { "author": {
"name": "mukul975" "name": "mukul975"
}, },
.github/workflows/sync-marketplace-version.yml
+39
View File
@@ -0,0 +1,39 @@
name: Sync Marketplace Version on Release
on:
release:
types: [published]
jobs:
sync-version:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Extract version from tag
id: version
run: |
VERSION=${GITHUB_REF_NAME#v}
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "tag=$GITHUB_REF_NAME" >> $GITHUB_OUTPUT
- name: Update marketplace.json version
env:
VERSION: ${{ steps.version.outputs.version }}
run: |
jq --arg v "$VERSION" '.metadata.version = $v | .plugins[].version = $v' .claude-plugin/marketplace.json > tmp.json
mv tmp.json .claude-plugin/marketplace.json
echo "Updated marketplace.json to version $VERSION"
- name: Commit and push
run: |
git config user.name "mukul975"
git config user.email "mukuljangra5@gmail.com"
git add .claude-plugin/marketplace.json
git diff --staged --quiet || git commit -m "chore: bump marketplace version to ${{ steps.version.outputs.tag }}"
git push
.github/workflows/update-index.yml
+4 -2
View File
@@ -5,6 +5,8 @@ on:
branches: [main] branches: [main]
paths: paths:
- 'skills/**' - 'skills/**'
- '.github/workflows/update-index.yml'
workflow_dispatch:
jobs: jobs:
update-index: update-index:
@@ -19,7 +21,7 @@ jobs:
- name: Regenerate index.json - name: Regenerate index.json
run: | run: |
python3 << 'EOF' python3 << 'EOF'
import os, json import os, json, re
from datetime import datetime, timezone from datetime import datetime, timezone
skills_dir = "skills" skills_dir = "skills"
@@ -45,7 +47,7 @@ jobs:
}) })
index = { index = {
"version": "1.0.0", "version": "1.1.0",
"generated_at": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"), "generated_at": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
"repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills", "repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills",
"domain": "cybersecurity", "domain": "cybersecurity",
ATTACK_COVERAGE.md
+37
View File
@@ -467,6 +467,43 @@ To regenerate: `python3 extract_attack.py`
--- ---
## MITRE ATLAS Coverage (v5.5.0)
81 skills mapped to ATLAS adversarial ML techniques.
Key techniques applied:
- AML.T0051 — LLM Prompt Injection (Execution)
- AML.T0054 — LLM Jailbreak (Privilege Escalation)
- AML.T0088 — Generate Deepfakes (AI Attack Staging)
- AML.T0010 — AI Supply Chain Compromise (Initial Access)
- AML.T0020 — Poison Training Data (Resource Development)
- AML.T0070 — RAG Poisoning (Persistence)
- AML.T0080 — AI Agent Context Poisoning (Persistence)
- AML.T0056 — Extract LLM System Prompt (Exfiltration)
## MITRE D3FEND Coverage (v1.3)
11 skills mapped to D3FEND defensive countermeasures.
Countermeasures applied span D3FEND tactical categories:
Harden, Detect, Isolate, Deceive, Evict, Restore.
Each skill's d3fend_techniques field lists the top 5 most relevant
defensive countermeasures derived from the skill's ATT&CK technique tags.
## NIST AI RMF Coverage (AI 100-1)
85 skills mapped to NIST AI Risk Management Framework subcategories.
Core functions covered:
- GOVERN: Organizational accountability for AI risk (GOVERN-1.1, GOVERN-6.1, GOVERN-6.2)
- MAP: AI risk identification and context (MAP-5.1, MAP-5.2, MAP-1.6)
- MEASURE: AI risk analysis and evaluation (MEASURE-2.5, MEASURE-2.7, MEASURE-2.8, MEASURE-2.11)
- MANAGE: AI risk response and recovery (MANAGE-2.4, MANAGE-3.1)
GenAI-specific subcategories applied: GOVERN-6.1, GOVERN-6.2 (responsible deployment policies).
---
<p align="center"> <p align="center">
<sub>Part of <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills">Anthropic Cybersecurity Skills</a> — 753+ open-source cybersecurity skills for AI agents</sub> <sub>Part of <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills">Anthropic Cybersecurity Skills</a> — 753+ open-source cybersecurity skills for AI agents</sub>
</p> </p>
CITATION.cff
+32
View File
@@ -0,0 +1,32 @@
cff-version: 1.2.0
message: "If you use this repository in your research, tools, or publications, please cite it as below."
type: software
title: "Anthropic-Cybersecurity-Skills"
abstract: >
A structured collection of 753 cybersecurity skills for AI agents, covering
penetration testing, digital forensics, threat intelligence, incident response,
cloud security, OT/SCADA security, AI security, and more. Each skill follows
a standardized format with YAML frontmatter metadata, step-by-step procedures,
tool commands, expected outputs, and MITRE ATT&CK mappings. Compatible with
Claude Code, GitHub Copilot, Cursor, Windsurf, Gemini CLI, and 20+ AI agent
platforms.
authors:
- name: "Mahipal"
email: mukuljangra5@gmail.com
alias: mukul975
repository-code: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
url: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
license: Apache-2.0
version: "1.1.0"
date-released: "2026-03-21"
keywords:
- cybersecurity
- AI agents
- skills
- penetration testing
- digital forensics
- threat intelligence
- incident response
- MITRE ATT&CK
- Claude Code
- open source
README.md
+321 -498
View File
@@ -1,589 +1,412 @@
<p align="center"> <p align="center">
<img src="assets/banner.png" alt="Anthropic Cybersecurity Skills — 734+ skills for AI agents" width="100%" /> <img src="assets/banner.png" alt="Anthropic Cybersecurity Skills" width="100%">
</p> </p>
<p align="center"> <div align="center">
<a href="https://opensource.org/licenses/Apache-2.0"><img src="https://img.shields.io/badge/License-Apache_2.0-blue.svg?style=for-the-badge" alt="License: Apache 2.0" /></a>
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers"><img src="https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="GitHub Stars" /></a>
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/network/members"><img src="https://img.shields.io/github/forks/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="GitHub Forks" /></a>
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/commits"><img src="https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="Last Commit" /></a>
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills"><img src="https://img.shields.io/badge/Skills-734+-blueviolet?style=for-the-badge&logo=bookstack&logoColor=white" alt="734+ Skills" /></a>
<a href="https://attack.mitre.org/"><img src="https://img.shields.io/badge/MITRE_ATT%26CK-Mapped-red?style=for-the-badge&logo=shield&logoColor=white" alt="MITRE ATT&CK Mapped" /></a>
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/graphs/contributors"><img src="https://img.shields.io/github/contributors/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="Contributors" /></a>
</p>
<p align="center"> # Anthropic Cybersecurity Skills
<b>The largest open-source collection of cybersecurity skills for AI agents.<br/>734+ structured skills · MITRE ATT&CK mapped · NIST CSF 2.0 aligned · <a href="https://agentskills.io">agentskills.io</a> open standard</b>
</p>
<p align="center"> ### The largest open-source cybersecurity skills library for AI agents
<a href="https://mahipal.engineer/Anthropic-Cybersecurity-Skills/">🌐 Landing Page</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0">📦 v1.0.0 Release</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues">🐛 Report Bug</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues">💡 Request Feature</a>
</p> [![GARS-2026 Survey](https://img.shields.io/badge/GARS--2026-Take%20the%20Survey-E8B84B?style=for-the-badge&logo=googleforms&logoColor=black)](https://mahipal.engineer/survey?utm_source=github_badge&utm_medium=readme&utm_campaign=gars2026)
[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg?style=flat-square)](LICENSE)
[![Skills](https://img.shields.io/badge/skills-754-brightgreen?style=flat-square)](#whats-inside--26-security-domains)
[![Frameworks](https://img.shields.io/badge/frameworks-5-orange?style=flat-square)](#five-frameworks-one-skill-library)
[![Domains](https://img.shields.io/badge/domains-26-9cf?style=flat-square)](#whats-inside--26-security-domains)
[![Platforms](https://img.shields.io/badge/platforms-26%2B-blueviolet?style=flat-square)](#compatible-platforms)
[![GitHub stars](https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers)
[![GitHub forks](https://img.shields.io/github/forks/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/network/members)
[![Last Commit](https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/commits/main)
[![agentskills.io](https://img.shields.io/badge/standard-agentskills.io-ff6600?style=flat-square)](https://agentskills.io)
[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](CONTRIBUTING.md)
[![Playground](https://img.shields.io/badge/Playground-Casky.ai-blue)](https://casky.ai/?utm_source=github&utm_medium=readme&utm_campaign=cohort_launch#waitlist)
[![Hermes Agent](https://img.shields.io/badge/Hermes_Agent-compatible-blueviolet?style=flat)](https://github.com/NousResearch/hermes-agent)
**754 production-grade cybersecurity skills · 26 security domains · 5 framework mappings · 26+ AI platforms**
[Get Started](#quick-start) · [What's Inside](#whats-inside--26-security-domains) · [Frameworks](#five-frameworks-one-skill-library) · [Platforms](#compatible-platforms) · [Contributing](#contributing)
</div>
--- ---
Anthropic Cybersecurity Skills gives every AI agent — from Claude Code to GitHub Copilot to your custom LangChain pipeline — instant access to **734+ production-grade cybersecurity skills** spanning 26 security domains. Each skill follows the [agentskills.io](https://agentskills.io) open standard: a YAML frontmatter header for lightning-fast discovery, a structured Markdown body for step-by-step execution, and reference files for deep technical context. The entire collection is mapped to **MITRE ATT&CK** (all 14 Enterprise tactics, 200+ techniques) and aligned to **NIST CSF 2.0** — giving AI agents the same structured knowledge that senior security practitioners carry in their heads. Install in one command and your agent immediately knows how to perform memory forensics, hunt for C2 beaconing, audit Kubernetes RBAC, reverse .NET malware, and hundreds more tasks. > ⚠️ **Community Project** — This is an independent, community-created project. Not affiliated with Anthropic PBC.
## 📑 Table of contents ## Give any AI agent the security skills of a senior analyst
- [🚀 Quick start](#-quick-start--install-cybersecurity-skills-for-ai-agents) A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. **Your AI agent doesn't — unless you give it these skills.**
- [🛡️ What's inside](#-whats-inside--734-cybersecurity-skills-across-26-domains)
- [🤖 Compatible platforms](#-compatible-ai-agent-platforms)
- [📐 Skill structure](#-skill-structure-and-agentskillsio-format)
- [🗺️ MITRE ATT&CK coverage](#-mitre-attck-and-nist-csf-20-coverage)
- [🧠 How AI agents use these skills](#-how-ai-agents-use-these-cybersecurity-skills)
- [📝 Example skills](#-example-cybersecurity-skills)
- [👥 Contributors](#-contributors)
- [🤝 Contributing](#-contributing-to-cybersecurity-ai-skills)
- [⭐ Star history](#-star-history)
- [🌐 Community](#-community)
- [📄 License](#-license)
--- This repo contains **754 structured cybersecurity skills** spanning **26 security domains**, each following the [agentskills.io](https://agentskills.io) open standard. Every skill is mapped to **five industry frameworks** — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF — making this the only open-source skills library with unified cross-framework coverage. Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.
## 🚀 Quick start — install cybersecurity skills for AI agents ## Five frameworks, one skill library
Get up and running in under 30 seconds. Choose your preferred method: No other open-source skills library maps every skill to all five frameworks. One skill, five compliance checkboxes.
### Option 1 · npx (recommended) | Framework | Version | Scope in this repo | What it maps |
|---|---|---|---|
| [MITRE ATT&CK](https://attack.mitre.org) | v19.1 | 15 tactics · 286 techniques | Adversary behaviors and TTPs |
| [NIST CSF 2.0](https://www.nist.gov/cyberframework) | 2.0 | 6 functions · 22 categories | Organizational security posture |
| [MITRE ATLAS](https://atlas.mitre.org) | v5.4 | 16 tactics · 84 techniques | AI/ML adversarial threats |
| [MITRE D3FEND](https://d3fend.mitre.org) | v1.3 | 7 categories · 267 techniques | Defensive countermeasures |
| [NIST AI RMF](https://airc.nist.gov/AI_RMF) | 1.0 | 4 functions · 72 subcategories | AI risk management |
**Example — a single skill maps across all five:**
| Skill | ATT&CK | NIST CSF | ATLAS | D3FEND | AI RMF |
|---|---|---|---|---|---|
| `analyzing-network-traffic-of-malware` | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 |
### MITRE ATT&CK v19.1 — 754/754 skills mapped
Every skill carries a `mitre_attack` frontmatter list validated against **MITRE ATT&CK v19.1** (the latest release) using the official `mitreattack-python` library — 286 distinct techniques across all 15 Enterprise tactics, plus ICS and Mobile techniques where relevant. Zero revoked or deprecated IDs. v19.1's restructured Defense Evasion (now split into **Stealth** and **Defense Impairment**) is reflected below.
| Tactic | ID | Skills |
|--------|----|--------|
| Reconnaissance | TA0043 | 103 |
| Resource Development | TA0042 | 22 |
| Initial Access | TA0001 | 467 |
| Execution | TA0002 | 350 |
| Persistence | TA0003 | 444 |
| Privilege Escalation | TA0004 | 464 |
| Stealth | TA0005 | 442 |
| Defense Impairment | TA0112 | 92 |
| Credential Access | TA0006 | 202 |
| Discovery | TA0007 | 237 |
| Lateral Movement | TA0008 | 68 |
| Collection | TA0009 | 172 |
| Command and Control | TA0011 | 123 |
| Exfiltration | TA0010 | 82 |
| Impact | TA0040 | 50 |
## Quick start
```bash ```bash
# Option 1: npx (recommended)
npx skills add mukul975/Anthropic-Cybersecurity-Skills npx skills add mukul975/Anthropic-Cybersecurity-Skills
```
### Option 2 · Claude Code plugin marketplace # Option 2: Git clone
```
/plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills
```
### Option 3 · Manual clone
```bash
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
cd Anthropic-Cybersecurity-Skills cd Anthropic-Cybersecurity-Skills
``` ```
> **That's it.** Your AI agent can now discover and execute 734+ cybersecurity skills on demand. No configuration, no API keys, no setup scripts. Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any [agentskills.io](https://agentskills.io)-compatible platform.
--- ## 🌍 GARS-2026 — Global Agentic AI Readiness Survey
## 🛡️ What's inside — 734+ cybersecurity skills across 26 domains I'm running a global academic study measuring how ready security professionals,
developers, and enterprise teams actually are for agentic AI — MCP servers,
tool calling, governance, and human-in-the-loop workflows.
Every skill is a self-contained directory with structured workflows, reference materials, helper scripts, and validation steps. Here are the top 16 domains: **If you use this repo, your response would be a genuinely valuable data point.**
| Domain | Skills | Example capabilities | 📋 **Take the survey (10 min):**
|:-------|:------:|:---------------------| [Survey Link](https://mahipal.engineer/survey?utm_source=github_repo&utm_medium=readme&utm_campaign=gars2026)
| ☁️ **Cloud Security** | **48** | AWS S3 bucket audit, Azure AD config review, GCP IAM assessment |
| 🌐 **Web Application Security** | **45** | HTTP request smuggling, XSS with Burp Suite, web cache poisoning |
| 🔌 **Network Security** | **41** | Wireshark traffic analysis, VLAN segmentation, Suricata IDS tuning |
| 🎯 **Penetration Testing** | **38** | Active Directory exploitation, OSCP-style methodology, pivoting |
| 🔴 **Red Teaming** | **35** | Cobalt Strike operations, LOTL techniques, evasion & persistence |
| 🔍 **DFIR** | **32** | Disk imaging, memory forensics with Volatility3, browser forensics |
| 🦠 **Malware Analysis** | **28** | Ghidra reverse engineering, YARA rules, .NET decompilation |
| 📡 **Threat Intelligence** | **26** | APT group analysis with MITRE Navigator, campaign attribution |
| ☸️ **Cloud Native / Kubernetes** | **24** | etcd security assessment, pod security policies, RBAC audit |
| 📋 **Compliance & Governance** | **22** | PCI DSS scoping, SOC 2 readiness, GDPR data mapping |
| 🔑 **IAM Security** | **20** | SAML SSO with Okta, PAM deployment, service account hardening |
| 🔐 **Cryptography** | **18** | TLS configuration audit, certificate lifecycle, key management |
| 🏰 **Zero Trust** | **16** | Microsegmentation, BeyondCorp implementation, continuous verification |
| 🏭 **OT / ICS Security** | **14** | SCADA monitoring, Modbus anomaly detection, Purdue model |
| 🔧 **DevSecOps** | **12** | Pipeline security gates, SAST/DAST integration, IaC scanning |
| 🕵️ **OSINT** | **15** | Domain reconnaissance, social engineering recon, dark web monitoring |
| **Additional domains (10+)** | **300+** | SOC operations, API security, endpoint security, phishing defense, ransomware defense, mobile security, deception technology, and more |
| | **734+** | **Total skills across 26 domains** |
--- - 60 questions · Anonymous · Supervised by SRH Berlin
- You get **50 Casky Tokens** for early access to [casky.ai](https://casky.ai)
- Results published open access under CC-BY 4.0
## 🤖 Compatible AI agent platforms ## 🚀 Try it on the Playground
Skills follow the [agentskills.io](https://agentskills.io) open standard — **write once, use everywhere**. Any platform that reads `SKILL.md` files with YAML frontmatter works out of the box. Experience Casky.ai hands-on — no setup required.
### AI code assistants **[→ Launch Playground on Casky.ai](https://casky.ai/?utm_source=github&utm_medium=readme&utm_campaign=cohort_launch#waitlist)**
| Platform | Status | Install method | The playground lets you:
|:---------|:------:|:---------------| - Run live cybersecurity skill exercises against real targets
| **Claude Code** (Anthropic) | ✅ | `/plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills` | - See AI agents execute structured skills in real time
| **GitHub Copilot** (Microsoft) | ✅ | Place in `.github/skills` directory | - Explore MITRE ATT&CK mapped workflows interactively
| **Cursor** | ✅ | `npx skills add` or manual clone | - Test threat hunting, DFIR, and penetration testing scenarios
| **Windsurf** | ✅ | `npx skills add` or manual clone |
| **Cline** | ✅ | `npx skills add` or manual clone |
| **Aider** | ✅ | `npx skills add` or manual clone |
| **Continue** | ✅ | `npx skills add` or manual clone |
| **Roo Code** | ✅ | `npx skills add` or manual clone |
| **Amazon Q Developer** | ✅ | `npx skills add` or manual clone |
| **Tabnine** | ✅ | `npx skills add` or manual clone |
| **Sourcegraph Cody** | ✅ | `npx skills add` or manual clone |
| **JetBrains AI** | ✅ | `npx skills add` or manual clone |
### CLI agents No installation. No configuration. Just open and start.
## Why this exists
| Platform | Status | Install method | The cybersecurity workforce gap hit **4.8 million unfilled roles** globally in 2024 (ISC2). AI agents can help close that gap — but only if they have structured domain knowledge to work from. Today's agents can write code and search the web, but they lack the practitioner playbooks that turn a generic LLM into a capable security analyst.
|:---------|:------:|:---------------|
| **OpenAI Codex CLI** | ✅ | `npx skills add` — reads from `~/.codex/skills` |
| **Gemini CLI** (Google) | ✅ | `npx skills add` or manual clone |
### Autonomous agents Existing security tool repos give you wordlists, payloads, or exploit code. None of them give an AI agent the structured decision-making workflow a senior analyst follows: when to use each technique, what prerequisites to check, how to execute step-by-step, and how to verify results. That is the gap this project fills.
| Platform | Status | Install method | **Anthropic Cybersecurity Skills** is not a collection of scripts or checklists. It is an **AI-native knowledge base** built from the ground up for the agentskills.io standard — YAML frontmatter for sub-second discovery, structured Markdown for step-by-step execution, and reference files for deep technical context. Every skill encodes real practitioner workflows, not generated summaries.
|:---------|:------:|:---------------|
| **Devin** | ✅ | Point to cloned skill directory |
| **Replit Agent** | ✅ | Import via repo URL |
| **SWE-agent** | ✅ | Mount skill directory |
| **OpenHands** | ✅ | Mount skill directory |
### Agent frameworks & SDKs ## What's inside — 26 security domains
| Platform | Status | Install method | | Domain | Skills | Key capabilities |
|:---------|:------:|:---------------| |---|---|---|
| **LangChain** | | Load `SKILL.md` files as tool descriptions | | Cloud Security | 60 | AWS, Azure, GCP hardening · CSPM · cloud forensics |
| **CrewAI** | | Load as agent knowledge base | | Threat Hunting | 55 | Hypothesis-driven hunts · LOTL detection · behavioral analytics |
| **AutoGen** | | Load as agent knowledge base | | Threat Intelligence | 50 | STIX/TAXII · MISP · feed integration · actor profiling |
| **Semantic Kernel** | | Load as plugins | | Web Application Security | 42 | OWASP Top 10 · SQLi · XSS · SSRF · deserialization |
| **Haystack** | | Ingest via document store | | Network Security | 40 | IDS/IPS · firewall rules · VLAN segmentation · traffic analysis |
| **Vercel AI SDK** | | Load as tool definitions | | Malware Analysis | 39 | Static/dynamic analysis · reverse engineering · sandboxing |
| **Any MCP-compatible agent** | | Via MCP tool integration | | Digital Forensics | 37 | Disk imaging · memory forensics · timeline reconstruction |
| Security Operations | 36 | SIEM correlation · log analysis · alert triage |
| Identity & Access Management | 35 | IAM policies · PAM · zero trust identity · Okta · SailPoint |
| SOC Operations | 33 | Playbooks · escalation workflows · metrics · tabletop exercises |
| Container Security | 30 | K8s RBAC · image scanning · Falco · container forensics |
| OT/ICS Security | 28 | Modbus · DNP3 · IEC 62443 · historian defense · SCADA |
| API Security | 28 | GraphQL · REST · OWASP API Top 10 · WAF bypass |
| Vulnerability Management | 25 | Nessus · scanning workflows · patch prioritization · CVSS |
| Incident Response | 25 | Breach containment · ransomware response · IR playbooks |
| Red Teaming | 24 | Full-scope engagements · AD attacks · phishing simulation |
| Penetration Testing | 23 | Network · web · cloud · mobile · wireless pentesting |
| Endpoint Security | 17 | EDR · LOTL detection · fileless malware · persistence hunting |
| DevSecOps | 17 | CI/CD security · code signing · Terraform auditing |
| Phishing Defense | 16 | Email authentication · BEC detection · phishing IR |
| Cryptography | 14 | TLS · Ed25519 · certificate transparency · key management |
| Zero Trust Architecture | 13 | BeyondCorp · CISA maturity model · microsegmentation |
| Mobile Security | 12 | Android/iOS analysis · mobile pentesting · MDM forensics |
| Ransomware Defense | 7 | Precursor detection · response · recovery · encryption analysis |
| Compliance & Governance | 5 | CIS benchmarks · SOC 2 · regulatory frameworks |
| Deception Technology | 2 | Honeytokens · breach detection canaries |
--- ## How AI agents use these skills
## 📐 Skill structure and agentskills.io format Each skill costs **~30 tokens to scan** (frontmatter only) and **5002,000 tokens to fully load** (complete workflow). This progressive disclosure architecture lets agents search all 754 skills in a single pass without blowing context windows.
Every skill lives in its own directory under `skills/` and follows a consistent structure: ```
User prompt: "Analyze this memory dump for signs of credential theft"
Agent's internal process:
1. Scans 754 skill frontmatters (~30 tokens each)
→ identifies 12 relevant skills by matching tags, description, domain
2. Loads top 3 matches:
• performing-memory-forensics-with-volatility3
• hunting-for-credential-dumping-lsass
• analyzing-windows-event-logs-for-credential-access
3. Executes the structured Workflow section step-by-step
→ runs Volatility3 plugins, checks LSASS access patterns,
correlates with event log evidence
4. Validates results using the Verification section
→ confirms IOCs, maps findings to ATT&CK T1003 (Credential Dumping)
```
**Without these skills**, the agent guesses at tool commands and misses critical steps. **With them**, it follows the same playbook a senior DFIR analyst would use.
## Skill anatomy
Every skill follows a consistent directory structure:
``` ```
skills/performing-memory-forensics-with-volatility3/ skills/performing-memory-forensics-with-volatility3/
├── SKILL.md # Skill definition (YAML frontmatter + Markdown body) ├── SKILL.md Skill definition (YAML frontmatter + Markdown body)
│ ├── Frontmatter # → name, description, domain, subdomain, tags
│ ├── When to Use # → Trigger conditions for AI agents
│ ├── Prerequisites # → Required tools, access, environment
│ ├── Workflow # → Step-by-step execution guide
│ └── Verification # → How to confirm success
├── references/ ├── references/
│ ├── standards.md # NIST, MITRE ATT&CK, CVE references │ ├── standards.md MITRE ATT&CK, ATLAS, D3FEND, NIST mappings
│ └── workflows.md # Deep technical procedure reference │ └── workflows.md Deep technical procedure reference
├── scripts/ ├── scripts/
│ └── process.py # Practitioner helper scripts │ └── process.py ← Working helper scripts
└── assets/ └── assets/
└── template.md # Checklists, report templates └── template.md ← Filled-in checklists and report templates
``` ```
### YAML frontmatter (the discovery layer)
### YAML frontmatter (real example)
```yaml ```yaml
--- ---
name: performing-memory-forensics-with-volatility3 name: performing-memory-forensics-with-volatility3
description: >-
Analyze memory dumps to extract running processes, network connections,
injected code, and malware artifacts using Volatility3 framework.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
version: "1.0"
author: mukul975
license: Apache-2.0
---
```
**Required fields:** `name` (kebab-case, 164 chars), `description` (keyword-rich for agent discovery), `domain`, `subdomain`, `tags`
**Optional fields:** `version`, `author`, `license`
---
## 🗺️ MITRE ATT&CK and NIST CSF 2.0 coverage
This collection provides **comprehensive coverage** of the two most widely adopted cybersecurity frameworks in the industry.
### MITRE ATT&CK Enterprise
All **14 Enterprise tactics** are covered, with skills mapped to **200+ individual techniques**:
| Tactic | Coverage | Example skills |
|:-------|:--------:|:---------------|
| Reconnaissance | ✅ | OSINT gathering, domain enumeration, social engineering recon |
| Resource Development | ✅ | Infrastructure profiling, certificate analysis |
| Initial Access | ✅ | Phishing analysis, exploit detection, supply chain review |
| Execution | ✅ | Script analysis, command-line forensics, scheduled task audit |
| Persistence | ✅ | Registry analysis, startup item review, implant detection |
| Privilege Escalation | ✅ | Token manipulation detection, UAC bypass analysis |
| Defense Evasion | ✅ | Process injection detection, obfuscation analysis |
| Credential Access | ✅ | Credential dumping detection, Kerberoasting defense |
| Discovery | ✅ | Network scanning detection, AD enumeration monitoring |
| Lateral Movement | ✅ | Pass-the-hash detection, RDP abuse monitoring |
| Collection | ✅ | Data staging detection, screen capture forensics |
| Command and Control | ✅ | C2 beaconing detection, DNS tunneling analysis |
| Exfiltration | ✅ | Data transfer monitoring, covert channel detection |
| Impact | ✅ | Ransomware response, data destruction forensics |
### NIST CSF 2.0 alignment
Every skill maps to one or more **NIST Cybersecurity Framework 2.0** functions:
- **Identify (ID)** — Asset management, risk assessment, governance skills
- **Protect (PR)** — Access control, awareness training, data security skills
- **Detect (DE)** — Anomaly detection, continuous monitoring, event analysis skills
- **Respond (RS)** — Incident response, mitigation, communication skills
- **Recover (RC)** — Recovery planning, improvement, communication skills
> An ATT&CK Navigator layer file is included in the v1.0.0 release for visual coverage mapping.
---
## 🧠 How AI agents use these cybersecurity skills
Skills use a **progressive disclosure pattern** that minimizes token usage while maximizing agent capability. Here's what happens when you ask your AI agent to "analyze this memory dump for signs of compromise":
### Stage 1 · Discovery (~3050 tokens per skill)
The agent scans **only YAML frontmatter** across all 734+ skills. Each scan costs ~3050 tokens — the entire collection can be indexed for under 40K tokens. The agent matches your task against `name`, `description`, `subdomain`, and `tags` fields to find relevant skills.
```yaml
# Agent reads ONLY this:
name: performing-memory-forensics-with-volatility3
description: Analyze memory dumps to extract processes, network connections, and malware artifacts using Volatility3.
subdomain: digital-forensics
tags: [forensics, memory-analysis, volatility3, incident-response]
```
### Stage 2 · Full workflow load (~200500 tokens)
Once a skill matches, the agent loads the **complete `SKILL.md` body** — trigger conditions, prerequisites, step-by-step workflow, and verification checks. This gives the agent a structured playbook to follow.
### Stage 3 · Deep reference access (on demand)
For complex tasks, the agent pulls in **supporting files** from `references/`, `scripts/`, and `assets/` — NIST standards mappings, detailed technical procedures, helper scripts, and report templates. These files are loaded only when the agent needs deeper context.
> **Result:** Irrelevant skills cost ~30 tokens. Relevant skills provide complete, structured, expert-level guidance. No wasted context window.
---
## 📝 Example cybersecurity skills
<details>
<summary><b>🔍 Memory forensics with Volatility3</b> — DFIR domain</summary>
````yaml
---
name: performing-memory-forensics-with-volatility3
description: >- description: >-
Analyze memory dumps to extract running processes, network connections, Analyze memory dumps to extract running processes, network connections,
injected code, and malware artifacts using the Volatility3 framework. injected code, and malware artifacts using the Volatility3 framework.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [forensics, memory-analysis, volatility3, incident-response, dfir] tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
version: "1.0" atlas_techniques: [AML.T0047]
d3fend_techniques: [D3-MA, D3-PSMD]
nist_ai_rmf: [MEASURE-2.6]
nist_csf: [DE.CM-01, RS.AN-03]
version: "1.2"
author: mukul975 author: mukul975
license: Apache-2.0 license: Apache-2.0
--- ---
```
### Markdown body sections
```markdown
## When to Use ## When to Use
Trigger conditions — when should an AI agent activate this skill?
- Incident responder needs to analyze a memory dump from a compromised host
- Investigating potential malware infection or lateral movement
- Extracting indicators of compromise (IOCs) from volatile memory
- Identifying injected code, hidden processes, or rootkit activity
- Memory dump file (.raw, .mem, .dmp, .vmem) is available for analysis
## Prerequisites ## Prerequisites
Required tools, access levels, and environment setup.
- **Volatility3** installed (`pip install volatility3`)
- Memory dump file acquired from target system
- **Python 3.8+** runtime environment
- Symbol tables for target OS (auto-downloaded by Volatility3)
- Sufficient disk space for analysis output (~2x memory dump size)
## Workflow ## Workflow
Step-by-step execution guide with specific commands and decision points.
### Step 1 — Identify the operating system profile
Run the banner and `windows.info` (or `linux.info` / `mac.info`) plugin to
auto-detect the OS version and confirm the dump is valid:
```bash
vol -f memory.raw windows.info
```
### Step 2 — List running processes
Extract the process tree to identify suspicious or unexpected processes:
```bash
vol -f memory.raw windows.pslist
vol -f memory.raw windows.pstree
vol -f memory.raw windows.psscan # Finds hidden/unlinked processes
```
Look for: unusual parent-child relationships, processes with suspicious names,
processes running from temp directories, unsigned executables.
### Step 3 — Analyze network connections
Extract active and closed network connections:
```bash
vol -f memory.raw windows.netscan
vol -f memory.raw windows.netstat
```
Flag: connections to known-bad IPs, unusual ports (4444, 8443, 1337),
beaconing patterns, connections from non-browser processes.
### Step 4 — Detect code injection
Scan for injected code in process memory:
```bash
vol -f memory.raw windows.malfind
```
Review output for: PAGE_EXECUTE_READWRITE memory regions, MZ headers in
non-image regions, shellcode signatures, hollow process indicators.
### Step 5 — Extract artifacts
Dump suspicious processes, DLLs, and drivers for further analysis:
```bash
vol -f memory.raw windows.dumpfiles --pid <PID>
vol -f memory.raw windows.dlllist --pid <PID>
vol -f memory.raw windows.handles --pid <PID>
```
### Step 6 — Check persistence mechanisms
Examine registry hives and services loaded in memory:
```bash
vol -f memory.raw windows.registry.hivelist
vol -f memory.raw windows.svcscan
vol -f memory.raw windows.cmdline
```
## Verification ## Verification
How to confirm the skill was executed successfully.
```
- [ ] OS profile correctly identified and dump validated Frontmatter fields: `name` (kebab-case, 164 chars), `description` (keyword-rich for agent discovery), `domain`, `subdomain`, `tags`, `atlas_techniques` (MITRE ATLAS IDs), `d3fend_techniques` (MITRE D3FEND IDs), `nist_ai_rmf` (NIST AI RMF references), `nist_csf` (NIST CSF 2.0 categories). MITRE ATT&CK technique mappings are documented in each skill's `references/standards.md` file and in the ATT&CK Navigator layer included with releases.
- [ ] Complete process tree exported and anomalies flagged
- [ ] Network connections reviewed and suspicious IPs documented <details>
- [ ] Malfind output reviewed — injected code regions identified <summary><strong>📊 MITRE ATT&CK Enterprise coverage — all 14 tactics</strong></summary>
- [ ] Suspicious binaries dumped for downstream malware analysis
- [ ] IOCs extracted (IPs, domains, file hashes, mutex names) &nbsp;
- [ ] Findings documented in incident report with timestamps
```` | Tactic | ID | Coverage | Key skills |
|---|---|---|---|
| Reconnaissance | TA0043 | Strong | OSINT, subdomain enumeration, DNS recon |
| Resource Development | TA0042 | Moderate | Phishing infrastructure, C2 setup detection |
| Initial Access | TA0001 | Strong | Phishing simulation, exploit detection, forced browsing |
| Execution | TA0002 | Strong | PowerShell analysis, fileless malware, script block logging |
| Persistence | TA0003 | Strong | Scheduled tasks, registry, service accounts, LOTL |
| Privilege Escalation | TA0004 | Strong | Kerberoasting, AD attacks, cloud privilege escalation |
| Defense Evasion | TA0005 | Strong | Obfuscation, rootkit analysis, evasion detection |
| Credential Access | TA0006 | Strong | Mimikatz detection, pass-the-hash, credential dumping |
| Discovery | TA0007 | Moderate | BloodHound, AD enumeration, network scanning |
| Lateral Movement | TA0008 | Strong | SMB exploits, lateral movement detection with Splunk |
| Collection | TA0009 | Moderate | Email forensics, data staging detection |
| Command and Control | TA0011 | Strong | C2 beaconing, DNS tunneling, Cobalt Strike analysis |
| Exfiltration | TA0010 | Strong | DNS exfiltration, DLP controls, data loss detection |
| Impact | TA0040 | Strong | Ransomware defense, encryption analysis, recovery |
An **ATT&CK Navigator layer file** is included in the [v1.0.0 release assets](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) for visual coverage mapping.
> **Note:** ATT&CK v19 lands April 28, 2026 — splitting Defense Evasion (TA0005) into two new tactics: *Stealth* and *Impair Defenses*. Skill mappings will be updated in a forthcoming release.
</details> </details>
<details> <details>
<summary><b>🦠 Reverse engineering .NET malware with dnSpy</b>Malware Analysis domain</summary> <summary><strong>📊 NIST CSF 2.0 alignment — all 6 functions</strong></summary>
````yaml &nbsp;
---
name: analyzing-dotnet-malware-with-dnspy
description: >-
Decompile, analyze, and extract IOCs from .NET-based malware samples
using dnSpy for static analysis and behavioral understanding.
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, reverse-engineering, dotnet, dnspy, static-analysis]
version: "1.0"
author: mukul975
license: Apache-2.0
---
## When to Use | Function | Skills | Examples |
|---|---|---|
| **Govern (GV)** | 30+ | Risk strategy, policy frameworks, roles & responsibilities |
| **Identify (ID)** | 120+ | Asset discovery, threat landscape assessment, risk analysis |
| **Protect (PR)** | 150+ | IAM hardening, WAF rules, zero trust, encryption |
| **Detect (DE)** | 200+ | Threat hunting, SIEM correlation, anomaly detection |
| **Respond (RS)** | 160+ | Incident response, forensics, breach containment |
| **Recover (RC)** | 40+ | Ransomware recovery, BCP, disaster recovery |
- Triaging a suspected .NET malware sample (.exe or .dll compiled with CLR) NIST CSF 2.0 (February 2024) added the **Govern** function and expanded scope from critical infrastructure to all organizations. Skill mappings align to all 22 categories and reference 106 subcategories.
- Extracting hardcoded C2 URLs, encryption keys, or configuration data
- Understanding malware behavior before dynamic analysis
- Analyzing obfuscated .NET payloads (ConfuserEx, SmartAssembly, etc.)
- Building detection signatures (YARA, Sigma) from decompiled source
## Prerequisites
- **dnSpy** (or dnSpyEx fork) installed on analysis workstation
- Isolated malware analysis environment (VM with snapshots)
- **PE analysis tool** (CFF Explorer, PE-bear, or pestudio) for initial triage
- **de4dot** for automated .NET deobfuscation
- Sample SHA256 hash documented before analysis begins
- Network monitoring tools (Wireshark/FakeNet-NG) for dynamic validation
## Workflow
### Step 1 — Initial triage and environment setup
Confirm the sample is a .NET assembly before opening in dnSpy:
```bash
# Check for CLR metadata
file sample.exe
# Look for .NET version string, mscoree.dll import
pestudio sample.exe
```
Take a VM snapshot. Disable network adapters. Document sample hash.
### Step 2 — Deobfuscate if protected
Many .NET malware families use obfuscation. Run de4dot first:
```bash
de4dot sample.exe -o sample_clean.exe
```
Check output log for identified obfuscator (ConfuserEx, Dotfuscator,
SmartAssembly, Babel, Eazfuscator). If de4dot fails, note the packer
for manual unpacking in dnSpy.
### Step 3 — Load and explore in dnSpy
Open the cleaned binary in dnSpy. Start with high-level reconnaissance:
1. **Assembly Explorer** — Review namespaces, classes, entry point
2. **Entry point** (`Main()` or module initializer) — Trace execution flow
3. **Resources** — Check for embedded payloads, encrypted configs
4. **String references** — Search for URLs, IP addresses, registry keys
5. **References** — Note any P/Invoke calls (Win32 API) indicating native interaction
### Step 4 — Identify C2 infrastructure and configuration
Search decompiled source for network indicators:
- Hardcoded URLs, IP addresses, domain names
- Base64-encoded strings (decode in CyberChef)
- XOR / AES decryption routines with embedded keys
- HTTP User-Agent strings, custom headers
- Registry keys or file paths used for persistence
Set breakpoints in dnSpy debugger at decryption functions to capture
plaintext config at runtime if static extraction fails.
### Step 5 — Map capabilities to MITRE ATT&CK
Document each observed capability:
- **Execution method** — Process injection, scheduled tasks, WMI
- **Persistence** — Registry Run keys, startup folder, services
- **Credential access** — Browser credential theft, keylogging
- **Exfiltration** — HTTP POST, DNS tunneling, cloud storage APIs
- **Evasion** — Anti-VM checks, sleep timers, sandbox detection
### Step 6 — Extract IOCs and build detections
Compile all indicators into a structured IOC list:
```
# Network IOCs
C2: https://evil-domain[.]com/gate.php
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0)
DNS: ns1.malware-c2[.]net
# Host IOCs
Mutex: Global\{GUID-HERE}
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost
File: %APPDATA%\svchost.exe (SHA256: abc123...)
```
Write YARA rule targeting unique strings or byte patterns.
## Verification
- [ ] Sample identified as .NET assembly and hash documented
- [ ] Deobfuscation attempted — obfuscator identified and handled
- [ ] Entry point traced — full execution flow mapped
- [ ] C2 infrastructure extracted (URLs, IPs, domains, ports)
- [ ] Encryption keys / decryption routines documented
- [ ] Capabilities mapped to MITRE ATT&CK techniques
- [ ] IOC list exported in structured format (STIX, OpenIOC, or CSV)
- [ ] YARA detection rule written and tested against sample
````
</details> </details>
--- <details>
<summary><strong>📊 Framework deep dive — ATLAS, D3FEND, AI RMF</strong></summary>
## 👥 Contributors &nbsp;
Thanks to these wonderful people for building the largest open-source cybersecurity skills collection: ### MITRE ATLAS v5.4 — AI/ML adversarial threats
ATLAS maps adversarial tactics, techniques, and case studies specific to AI and machine learning systems. Version 5.4 covers **16 tactics and 84 techniques** including agentic AI attack vectors added in late 2025: AI agent context poisoning, tool invocation abuse, MCP server compromises, and malicious agent deployment. Skills mapped to ATLAS help agents identify and defend against threats to ML pipelines, model weights, inference APIs, and autonomous workflows.
<!-- ALL-CONTRIBUTORS-LIST:START --> ### MITRE D3FEND v1.3 — Defensive countermeasures
<table> D3FEND is an NSA-funded knowledge graph of **267 defensive techniques** organized across 7 tactical categories: Model, Harden, Detect, Isolate, Deceive, Evict, and Restore. Built on OWL 2 ontology, it uses a shared Digital Artifact layer to bidirectionally map defensive countermeasures to ATT&CK offensive techniques. Skills tagged with D3FEND identifiers let agents recommend specific countermeasures for detected threats.
<tr>
<td align="center">
<a href="https://github.com/mukul975">
<img src="https://avatars.githubusercontent.com/u/42860185?v=4" width="100px;" alt="mukul975" /><br />
<sub><b>mukul975</b></sub>
</a><br />
💻 📖 🚧 🎨
</td>
<td align="center">
<a href="https://github.com/Systech2021-1952">
<img src="https://avatars.githubusercontent.com/u/151213461?v=4" width="100px;" alt="Systech2021-1952" /><br />
<sub><b>Systech2021-1952</b></sub>
</a><br />
💻 🌍
</td>
</tr>
</table>
<!-- ALL-CONTRIBUTORS-LIST:END -->
Want to see your name here? Check out the [contributing guide](#-contributing-to-cybersecurity-ai-skills) below. ### NIST AI RMF 1.0 + GenAI Profile (AI 600-1)
The AI Risk Management Framework defines 4 core functions — Govern, Map, Measure, Manage — with **72 subcategories** for trustworthy AI development. The GenAI Profile (AI 600-1, July 2024) adds **12 risk categories** specific to generative AI, from confabulation and data privacy to prompt injection and supply chain risks. Colorado's AI Act (effective February 2026) provides a **legal safe harbor** for organizations complying with NIST AI RMF, making these mappings directly relevant to regulatory compliance.
</details>
## Compatible platforms
**AI code assistants**
Claude Code (Anthropic) · GitHub Copilot (Microsoft) · Cursor · Windsurf · Cline · Aider · Continue · Roo Code · Amazon Q Developer · Tabnine · Sourcegraph Cody · JetBrains AI
**CLI agents**
OpenAI Codex CLI · Gemini CLI (Google)
**Autonomous agents**
Devin · Replit Agent · SWE-agent · OpenHands
**Agent frameworks & SDKs**
LangChain · CrewAI · AutoGen · Semantic Kernel · Haystack · Vercel AI SDK · Any MCP-compatible agent
All platforms that support the [agentskills.io](https://agentskills.io) standard can load these skills with zero configuration.
## What people are saying
> *"A database of real, organized security skills that any AI agent can plug into and use. Not tutorials. Not blog posts."*
> — **[Hasan Toor (@hasantoxr)](https://x.com/hasantoxr/status/2033193922349179249)**, AI/tech creator
> *"This is not a random collection of security scripts. It's a structured operational knowledge base designed for AI-driven security workflows."*
> — **[fazal-sec](https://fazal-sec.medium.com/claude-skills-ai-powered-cybersecurity-the-complete-guide-to-building-intelligent-security-7bb7e9d14c8e)**, Medium
## Featured in
| Where | Type | Link |
|---|---|---|
| **awesome-agent-skills** | Awesome List (1,000+ skills index) | [VoltAgent/awesome-agent-skills](https://github.com/VoltAgent/awesome-agent-skills) |
| **awesome-ai-security** | Awesome List (AI security tools) | [ottosulin/awesome-ai-security](https://github.com/ottosulin/awesome-ai-security) |
| **awesome-codex-cli** | Awesome List (Codex CLI resources) | [RoggeOhta/awesome-codex-cli](https://github.com/RoggeOhta/awesome-codex-cli) |
| **SkillsLLM** | Skills directory & marketplace | [skillsllm.com/skill/anthropic-cybersecurity-skills](https://skillsllm.com/skill/anthropic-cybersecurity-skills) |
| **Openflows** | Signal analysis & tracking | [openflows.org](https://openflows.org/currency/currents/anthropic-cybersecurity-skills/) |
| **NeverSight skills_feed** | Automated skills index | [NeverSight/skills_feed](https://github.com/NeverSight/skills_feed) |
## Star history
<a href="https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date">
<picture>
<source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date&theme=dark" />
<source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date" />
<img alt="Star History Chart" src="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date" width="100%" />
</picture>
</a>
## Releases
| Version | Date | Highlights |
|---|---|---|
| [v1.0.0](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) | March 11, 2026 | 734 skills · 26 domains · MITRE ATT&CK + NIST CSF 2.0 mapping · ATT&CK Navigator layer |
Skills have continued to grow on `main` since v1.0.0 — the library now contains **754 skills** with **5-framework mapping** (MITRE ATLAS, D3FEND, and NIST AI RMF added post-release). Check [Releases](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases) for the latest tagged version.
## Contributing
This project grows through community contributions. Here is how to get involved:
**Add a new skill** — Domains like Deception Technology (2 skills) and Compliance & Governance (5 skills) need the most help. Follow the template in [CONTRIBUTING.md](CONTRIBUTING.md) and submit a PR with the title `Add skill: your-skill-name`.
**Improve existing skills** — Add framework mappings, fix workflows, update tool references, or contribute scripts and templates.
**Report issues** — Found an inaccurate procedure or broken script? [Open an issue](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues).
Every PR is reviewed for technical accuracy and agentskills.io standard compliance within 48 hours. Check [good first issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) for a starting point.
This project follows the [Contributor Covenant](https://www.contributor-covenant.org/). By participating, you agree to uphold this code.
## Community
💬 [Discussions](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) — Questions, ideas, and roadmap conversations
🐛 [Issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues) — Bug reports and feature requests
🔒 [Security Policy](SECURITY.md) — Responsible disclosure process (48-hour acknowledgment)
## Citation
If you use this project in research or publications:
```bibtex
@software{anthropic_cybersecurity_skills,
author = {Jangra, Mahipal},
title = {Anthropic Cybersecurity Skills},
year = {2026},
url = {https://github.com/mukul975/Anthropic-Cybersecurity-Skills},
license = {Apache-2.0},
note = {754 structured cybersecurity skills for AI agents,
mapped to MITRE ATT\&CK, NIST CSF 2.0, MITRE ATLAS,
MITRE D3FEND, and NIST AI RMF}
}
```
## License
This project is licensed under the [Apache License 2.0](LICENSE). You are free to use, modify, and distribute these skills in both personal and commercial projects.
--- ---
## 🤝 Contributing to cybersecurity AI skills <div align="center">
This project hit **3.5k stars in two weeks** — the community momentum is real. With **328 forks**, **9 open PRs**, and security professionals from around the world getting involved, now is the perfect time to contribute. **If this project helps your security work, consider giving it a ⭐**
We welcome four types of contributions: [⭐ Star](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers) · [🍴 Fork](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/fork) · [💬 Discuss](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) · [📝 Contribute](CONTRIBUTING.md)
| Type | Description | Good for | Community project by [@mukul975](https://github.com/mukul975). Not affiliated with Anthropic PBC.
|:-----|:------------|:---------|
| 🆕 **New skills** | Add skills for uncovered techniques or domains | Security practitioners, pen testers, IR analysts |
| 📖 **Improve existing skills** | Enhance workflows, add edge cases, fix errors | Anyone who uses the skills and spots improvements |
| 🌍 **Translations & i18n** | Help make skills accessible to non-English speakers | Multilingual security professionals |
| 🐛 **Bug reports & feedback** | Report issues, suggest improvements, review PRs | Everyone — all experience levels welcome |
### How to get started </div>
1. **Browse [open issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues)** — look for `good first issue` and `help wanted` labels
2. **Read [`CONTRIBUTING.md`](CONTRIBUTING.md)** for the full skill template and submission guidelines
3. **Fork the repo**, create your skill directory under `skills/`, and submit a PR
4. **Title format:** `Add skill: your-skill-name-here`
> Every PR gets reviewed for technical accuracy and consistency with the agentskills.io standard. We aim to review within 48 hours.
---
## ⭐ Star history
[![Star History Chart](https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date)](https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date)
---
## 🌐 Community
<p align="center">
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers">⭐ Star this repo</a> ·
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/fork">🍴 Fork it</a> ·
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions">💬 Discuss</a> ·
<a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new">📝 Open an issue</a>
</p>
If this project saves you time or makes your AI agent more capable, **give it a ⭐** — it helps others discover these skills and keeps the community growing.
---
## 📄 License
This project is licensed under the **Apache License 2.0** — see the [`LICENSE`](LICENSE) file for details.
You are free to use, modify, and distribute these skills in both personal and commercial projects. Attribution is appreciated but not required.
---
<p align="center">
<sub>
<b>⚠️ Disclaimer:</b> This is an independent, community-created project. <b>Not affiliated with Anthropic PBC.</b><br/>
"Anthropic" in the repository name refers to compatibility with the <a href="https://agentskills.io">agentskills.io</a> open standard,<br/>
not official Anthropic endorsement or affiliation. All trademarks belong to their respective owners.
</sub>
</p>
index.json
+1 -1
View File
File diff suppressed because one or more lines are too long
mappings/mitre-attack/coverage-summary.md
+1 -1
View File
@@ -1,6 +1,6 @@
# ATT&CK Coverage Summary # ATT&CK Coverage Summary
Coverage analysis of the 607 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics. Coverage analysis of the 753 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
## Tactic Coverage Matrix ## Tactic Coverage Matrix
skills/acquiring-disk-image-with-dd-and-dcfldd/SKILL.md
+20 -3
View File
@@ -1,12 +1,29 @@
--- ---
name: acquiring-disk-image-with-dd-and-dcfldd name: acquiring-disk-image-with-dd-and-dcfldd
description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification. description: Create forensically sound bit-for-bit disk images using dd and dcfldd
while preserving evidence integrity through hash verification.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [forensics, disk-imaging, evidence-acquisition, dd, dcfldd, hash-verification] tags:
version: "1.0" - forensics
- disk-imaging
- evidence-acquisition
- dd
- dcfldd
- hash-verification
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1006
- T1005
- T1025
- T1074.001
--- ---
# Acquiring Disk Image with dd and dcfldd # Acquiring Disk Image with dd and dcfldd
skills/analyzing-active-directory-acl-abuse/SKILL.md
+18 -3
View File
@@ -1,12 +1,27 @@
--- ---
name: analyzing-active-directory-acl-abuse name: analyzing-active-directory-acl-abuse
description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths description: Detect dangerous ACL misconfigurations in Active Directory using ldap3
to identify GenericAll, WriteDACL, and WriteOwner abuse paths
domain: cybersecurity domain: cybersecurity
subdomain: identity-security subdomain: identity-security
tags: [active-directory, acl-abuse, ldap, privilege-escalation] tags:
version: "1.0" - active-directory
- acl-abuse
- ldap
- privilege-escalation
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- PR.AA-01
- PR.AA-05
- PR.AA-06
mitre_attack:
- T1098
- T1098.007
- T1484.001
- T1222.001
- T1078.002
--- ---
skills/analyzing-android-malware-with-apktool/SKILL.md
+24 -3
View File
@@ -1,12 +1,33 @@
--- ---
name: analyzing-android-malware-with-apktool name: analyzing-android-malware-with-apktool
description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection. description: Perform static analysis of Android APK malware samples using apktool
for decompilation, jadx for Java source recovery, and androguard for permission
analysis, manifest inspection, and suspicious API call detection.
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [Android, APK, apktool, jadx, androguard, mobile-malware, static-analysis, reverse-engineering] tags:
version: "1.0" - Android
- APK
- apktool
- jadx
- androguard
- mobile-malware
- static-analysis
- reverse-engineering
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1406
- T1407
- T1626.001
- T1655.001
- T1521.001
--- ---
# Analyzing Android Malware with Apktool # Analyzing Android Malware with Apktool
skills/analyzing-api-gateway-access-logs/SKILL.md
+26 -7
View File
@@ -1,16 +1,35 @@
--- ---
name: analyzing-api-gateway-access-logs name: analyzing-api-gateway-access-logs
description: > description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect
Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts.
attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas Uses pandas for statistical analysis of request patterns and anomaly detection.
for statistical analysis of request patterns and anomaly detection. Use when Use when investigating API abuse or building API-specific threat detection rules.
investigating API abuse or building API-specific threat detection rules.
'
domain: cybersecurity domain: cybersecurity
subdomain: security-operations subdomain: security-operations
tags: [analyzing, api, gateway, access] tags:
version: "1.0" - api-security
- access-log-analysis
- aws-api-gateway
- kong
- nginx
- bola-detection
- rate-limit-bypass
- security-operations
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.CM-01
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1190
- T1110.004
- T1078.004
- T1119
--- ---
# Analyzing API Gateway Access Logs # Analyzing API Gateway Access Logs
skills/analyzing-apt-group-with-mitre-navigator/SKILL.md
+30 -3
View File
@@ -1,12 +1,39 @@
--- ---
name: analyzing-apt-group-with-mitre-navigator name: analyzing-apt-group-with-mitre-navigator
description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense. description: Analyze advanced persistent threat (APT) group techniques using MITRE
ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap
analysis and threat-informed defense.
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [mitre-attack, navigator, apt, threat-actor, ttp-analysis, heatmap, detection-gap, threat-intelligence] tags:
version: "1.0" - mitre-attack
- navigator
- apt
- threat-actor
- ttp-analysis
- heatmap
- detection-gap
- threat-intelligence
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1059.001
- T1071.001
- T1003.001
- T1486
- T1547.001
--- ---
# Analyzing APT Group with MITRE ATT&CK Navigator # Analyzing APT Group with MITRE ATT&CK Navigator
skills/analyzing-azure-activity-logs-for-threats/SKILL.md
+23 -5
View File
@@ -1,16 +1,34 @@
--- ---
name: analyzing-azure-activity-logs-for-threats name: analyzing-azure-activity-logs-for-threats
description: > description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query
Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to to detect suspicious administrative operations, impossible travel, privilege escalation,
detect suspicious administrative operations, impossible travel, privilege escalation,
and resource modifications. Builds KQL queries for threat hunting in Azure environments. and resource modifications. Builds KQL queries for threat hunting in Azure environments.
Use when investigating suspicious Azure tenant activity or building cloud SIEM detections. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
'
domain: cybersecurity domain: cybersecurity
subdomain: security-operations subdomain: security-operations
tags: [analyzing, azure, activity, logs] tags:
version: "1.0" - azure
- cloud-security
- azure-monitor
- kql
- threat-hunting
- activity-logs
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.CM-01
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1078.004
- T1098.003
- T1538
- T1556.009
- T1580
--- ---
# Analyzing Azure Activity Logs for Threats # Analyzing Azure Activity Logs for Threats
skills/analyzing-bootkit-and-rootkit-samples/SKILL.md
+25 -7
View File
@@ -1,17 +1,35 @@
--- ---
name: analyzing-bootkit-and-rootkit-samples name: analyzing-bootkit-and-rootkit-samples
description: > description: 'Analyzes bootkit and advanced rootkit malware that infects the Master
Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Boot Record (MBR), Volume Boot Record (VBR), or UEFI firmware to gain persistence
Volume Boot Record (VBR), or UEFI firmware to gain persistence below the operating system. below the operating system. Covers boot sector analysis, UEFI module inspection,
Covers boot sector analysis, UEFI module inspection, and anti-rootkit detection techniques. and anti-rootkit detection techniques. Activates for requests involving bootkit
Activates for requests involving bootkit analysis, MBR malware investigation, UEFI analysis, MBR malware investigation, UEFI persistence analysis, or pre-OS malware
persistence analysis, or pre-OS malware detection. detection.
'
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [malware, bootkit, rootkit, UEFI, MBR-analysis] tags:
- malware
- bootkit
- rootkit
- UEFI
- MBR-analysis
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1542.003
- T1542.001
- T1542.002
- T1014
- T1547.006
--- ---
# Analyzing Bootkit and Rootkit Samples # Analyzing Bootkit and Rootkit Samples
skills/analyzing-browser-forensics-with-hindsight/SKILL.md
+25 -3
View File
@@ -1,12 +1,34 @@
--- ---
name: analyzing-browser-forensics-with-hindsight name: analyzing-browser-forensics-with-hindsight
description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation. description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing
history, downloads, cookies, cached content, autofill data, saved passwords, and
browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [browser-forensics, hindsight, chrome-forensics, chromium, edge, browsing-history, cookies, downloads, cache, web-artifacts] tags:
version: "1.0" - browser-forensics
- hindsight
- chrome-forensics
- chromium
- edge
- browsing-history
- cookies
- downloads
- cache
- web-artifacts
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1217
- T1539
- T1555.003
- T1185
--- ---
# Analyzing Browser Forensics with Hindsight # Analyzing Browser Forensics with Hindsight
skills/analyzing-campaign-attribution-evidence/SKILL.md
+22 -3
View File
@@ -1,12 +1,31 @@
--- ---
name: analyzing-campaign-attribution-evidence name: analyzing-campaign-attribution-evidence
description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr description: Campaign attribution analysis involves systematically evaluating evidence
to determine which threat actor or group is responsible for a cyber operation. This
skill covers collecting and weighting attr
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [threat-intelligence, cti, ioc, mitre-attack, stix, attribution, campaign-analysis] tags:
version: "1.0" - threat-intelligence
- cti
- ioc
- mitre-attack
- stix
- attribution
- campaign-analysis
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1587.001
- T1583.001
- T1588.002
- T1071.001
--- ---
# Analyzing Campaign Attribution Evidence # Analyzing Campaign Attribution Evidence
skills/analyzing-certificate-transparency-for-phishing/SKILL.md
+26 -3
View File
@@ -1,12 +1,35 @@
--- ---
name: analyzing-certificate-transparency-for-phishing name: analyzing-certificate-transparency-for-phishing
description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization. description: Monitor Certificate Transparency logs using crt.sh and Certstream to
detect phishing domains, lookalike certificates, and unauthorized certificate issuance
targeting your organization.
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [certificate-transparency, ct-logs, phishing, crt-sh, certstream, ssl, domain-monitoring, threat-intelligence] tags:
version: "1.0" - certificate-transparency
- ct-logs
- phishing
- crt-sh
- certstream
- ssl
- domain-monitoring
- threat-intelligence
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0052
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1583.001
- T1583.004
- T1566.002
- T1608.005
- T1596.003
--- ---
# Analyzing Certificate Transparency for Phishing # Analyzing Certificate Transparency for Phishing
skills/analyzing-cloud-storage-access-patterns/SKILL.md
+32 -7
View File
@@ -1,16 +1,41 @@
--- ---
name: analyzing-cloud-storage-access-patterns name: analyzing-cloud-storage-access-patterns
description: >- description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage
Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics.
Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, Identifies after-hours bulk downloads, access from new IP addresses, unusual API
access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration calls (GetObject spikes), and potential data exfiltration using statistical baselines
using statistical baselines and time-series anomaly detection. and time-series anomaly detection.
domain: cybersecurity domain: cybersecurity
subdomain: cloud-security subdomain: cloud-security
tags: [analyzing, cloud, storage, access] tags:
version: "1.0" - cloud-security
- aws-s3
- gcs
- azure-blob-storage
- cloudtrail
- data-access-anomaly
- exfiltration-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0024
- AML.T0056
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1530
- T1567.002
- T1619
- T1078.004
- T1048
--- ---
skills/analyzing-cobalt-strike-beacon-configuration/SKILL.md
+23 -3
View File
@@ -1,12 +1,32 @@
--- ---
name: analyzing-cobalt-strike-beacon-configuration name: analyzing-cobalt-strike-beacon-configuration
description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, malleable profiles, and operator tradecraft. description: Extract and analyze Cobalt Strike beacon configuration from PE files
and memory dumps to identify C2 infrastructure, malleable profiles, and operator
tradecraft.
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [cobalt-strike, beacon, c2, malware-analysis, config-extraction, threat-hunting, red-team-tools] tags:
version: "1.0" - cobalt-strike
- beacon
- c2
- malware-analysis
- config-extraction
- threat-hunting
- red-team-tools
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1071.001
- T1573.001
- T1090.004
- T1105
- T1027
--- ---
# Analyzing Cobalt Strike Beacon Configuration # Analyzing Cobalt Strike Beacon Configuration
skills/analyzing-cobaltstrike-malleable-c2-profiles/SKILL.md
+23 -3
View File
@@ -1,12 +1,32 @@
--- ---
name: analyzing-cobaltstrike-malleable-c2-profiles name: analyzing-cobaltstrike-malleable-c2-profiles
description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures. description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike
and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate
network detection signatures.
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [cobalt-strike, malleable-c2, c2-detection, beacon-analysis, network-signatures, threat-hunting, red-team-tools] tags:
version: "1.0" - cobalt-strike
- malleable-c2
- c2-detection
- beacon-analysis
- network-signatures
- threat-hunting
- red-team-tools
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1071.001
- T1573.002
- T1001.003
- T1090.004
- T1102
--- ---
# Analyzing CobaltStrike Malleable C2 Profiles # Analyzing CobaltStrike Malleable C2 Profiles
skills/analyzing-command-and-control-communication/SKILL.md
+24 -7
View File
@@ -1,17 +1,34 @@
--- ---
name: analyzing-command-and-control-communication name: analyzing-command-and-control-communication
description: > description: 'Analyzes malware command-and-control (C2) communication protocols to
Analyzes malware command-and-control (C2) communication protocols to understand beacon understand beacon patterns, command structures, data encoding, and infrastructure.
patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development
and custom protocol C2 analysis for detection development and threat intelligence. and threat intelligence. Activates for requests involving C2 analysis, beacon detection,
Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse C2 protocol reverse engineering, or command-and-control infrastructure mapping.
engineering, or command-and-control infrastructure mapping.
'
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [malware, C2, command-and-control, beacon, protocol-analysis] tags:
- malware
- C2
- command-and-control
- beacon
- protocol-analysis
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1071.001
- T1573
- T1571
- T1008
- T1095
--- ---
# Analyzing Command-and-Control Communication # Analyzing Command-and-Control Communication
skills/analyzing-cyber-kill-chain/SKILL.md
+27 -8
View File
@@ -1,18 +1,37 @@
--- ---
name: analyzing-cyber-kill-chain name: analyzing-cyber-kill-chain
description: > description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain
Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify framework to identify which phases an adversary has completed, where defenses succeeded
which phases an adversary has completed, where defenses succeeded or failed, and what controls or failed, and what controls would have interrupted the attack at earlier phases.
would have interrupted the attack at earlier phases. Use when conducting post-incident analysis, Use when conducting post-incident analysis, building prevention-focused security
building prevention-focused security controls, or mapping detection gaps to kill chain phases. controls, or mapping detection gaps to kill chain phases. Activates for requests
Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping, involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed
or Lockheed Martin kill chain framework. Martin kill chain framework.
'
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [kill-chain, Lockheed-Martin, MITRE-ATT&CK, intrusion-analysis, defense-in-depth, NIST-CSF] tags:
- kill-chain
- Lockheed-Martin
- MITRE-ATT&CK
- intrusion-analysis
- defense-in-depth
- NIST-CSF
version: 1.0.0 version: 1.0.0
author: team-cybersecurity author: team-cybersecurity
license: Apache-2.0 license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1566.001
- T1190
- T1547.001
- T1071.001
- T1486
--- ---
# Analyzing Cyber Kill Chain # Analyzing Cyber Kill Chain
skills/analyzing-disk-image-with-autopsy/SKILL.md
+20 -3
View File
@@ -1,12 +1,29 @@
--- ---
name: analyzing-disk-image-with-autopsy name: analyzing-disk-image-with-autopsy
description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and build investigation timelines. description: Perform comprehensive forensic analysis of disk images using Autopsy
to recover files, examine artifacts, and build investigation timelines.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [forensics, autopsy, disk-analysis, sleuth-kit, file-recovery, artifact-analysis] tags:
version: "1.0" - forensics
- autopsy
- disk-analysis
- sleuth-kit
- file-recovery
- artifact-analysis
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1005
- T1074.001
- T1070.004
- T1083
--- ---
# Analyzing Disk Image with Autopsy # Analyzing Disk Image with Autopsy
skills/analyzing-dns-logs-for-exfiltration/SKILL.md
+29 -7
View File
@@ -1,16 +1,38 @@
--- ---
name: analyzing-dns-logs-for-exfiltration name: analyzing-dns-logs-for-exfiltration
description: > description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling,
Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, DGA domain communication, and covert C2 channels using entropy analysis, query volume
and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams
detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass need to identify DNS-based threats that bypass traditional network security controls.
traditional network security controls.
'
domain: cybersecurity domain: cybersecurity
subdomain: soc-operations subdomain: soc-operations
tags: [soc, dns, exfiltration, dns-tunneling, dga, c2-detection, splunk, threat-detection] tags:
version: "1.0" - soc
- dns
- exfiltration
- dns-tunneling
- dga
- c2-detection
- splunk
- threat-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0024
- AML.T0056
- AML.T0086
nist_csf:
- DE.CM-01
- DE.AE-02
- RS.MA-01
- DE.AE-06
mitre_attack:
- T1048.003
- T1071.004
- T1567
--- ---
# Analyzing DNS Logs for Exfiltration # Analyzing DNS Logs for Exfiltration
skills/analyzing-docker-container-forensics/SKILL.md
+20 -3
View File
@@ -1,12 +1,29 @@
--- ---
name: analyzing-docker-container-forensics name: analyzing-docker-container-forensics
description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and evidence. description: Investigate compromised Docker containers by analyzing images, layers,
volumes, logs, and runtime artifacts to identify malicious activity and evidence.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [forensics, docker, container-forensics, container-security, image-analysis, runtime-investigation] tags:
version: "1.0" - forensics
- docker
- container-forensics
- container-security
- image-analysis
- runtime-investigation
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1610
- T1611
- T1613
- T1612
--- ---
# Analyzing Docker Container Forensics # Analyzing Docker Container Forensics
skills/analyzing-email-headers-for-phishing-investigation/SKILL.md
+22 -3
View File
@@ -1,12 +1,31 @@
--- ---
name: analyzing-email-headers-for-phishing-investigation name: analyzing-email-headers-for-phishing-investigation
description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation. description: Parse and analyze email headers to trace the origin of phishing emails,
verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [forensics, email-analysis, phishing, spf, dkim, dmarc, header-analysis] tags:
version: "1.0" - forensics
- email-analysis
- phishing
- spf
- dkim
- dmarc
- header-analysis
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0052
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1566.001
- T1566.002
- T1598.003
--- ---
# Analyzing Email Headers for Phishing Investigation # Analyzing Email Headers for Phishing Investigation
skills/analyzing-ethereum-smart-contract-vulnerabilities/SKILL.md
+20 -3
View File
@@ -1,12 +1,29 @@
--- ---
name: analyzing-ethereum-smart-contract-vulnerabilities name: analyzing-ethereum-smart-contract-vulnerabilities
description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy, integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet. description: Perform static and symbolic analysis of Solidity smart contracts using
Slither and Mythril to detect reentrancy, integer overflow, access control, and
other vulnerability classes before deployment to Ethereum mainnet.
domain: cybersecurity domain: cybersecurity
subdomain: blockchain-security subdomain: blockchain-security
tags: [ethereum, solidity, smart-contract, slither, mythril, blockchain, defi, audit] tags:
version: "1.0" - ethereum
- solidity
- smart-contract
- slither
- mythril
- blockchain
- defi
- audit
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- PR.DS-01
- PR.DS-02
- ID.RA-01
mitre_attack:
- T1190
- T1059
--- ---
# Analyzing Ethereum Smart Contract Vulnerabilities # Analyzing Ethereum Smart Contract Vulnerabilities
skills/analyzing-golang-malware-with-ghidra/SKILL.md
+22 -3
View File
@@ -1,12 +1,31 @@
--- ---
name: analyzing-golang-malware-with-ghidra name: analyzing-golang-malware-with-ghidra
description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries. description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts
for function recovery, string extraction, and type reconstruction in stripped Go
binaries.
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [golang, ghidra, reverse-engineering, malware-analysis, binary-analysis, go-malware, disassembly] tags:
version: "1.0" - golang
- ghidra
- reverse-engineering
- malware-analysis
- binary-analysis
- go-malware
- disassembly
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1027
- T1620
- T1140
- T1059
--- ---
# Analyzing Golang Malware with Ghidra # Analyzing Golang Malware with Ghidra
skills/analyzing-heap-spray-exploitation/SKILL.md
+19 -3
View File
@@ -1,12 +1,28 @@
--- ---
name: analyzing-heap-spray-exploitation name: analyzing-heap-spray-exploitation
description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large allocations in process virtual address space. description: Detect and analyze heap spray attacks in memory dumps using Volatility3
plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large
allocations in process virtual address space.
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [malware-analysis, memory-forensics, heap-spray, volatility3, exploit-analysis] tags:
version: "1.0" - malware-analysis
- memory-forensics
- heap-spray
- volatility3
- exploit-analysis
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1203
- T1059.007
- T1106
--- ---
# Analyzing Heap Spray Exploitation # Analyzing Heap Spray Exploitation
skills/analyzing-indicators-of-compromise/SKILL.md
+29 -7
View File
@@ -1,17 +1,39 @@
--- ---
name: analyzing-indicators-of-compromise name: analyzing-indicators-of-compromise
description: > description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains,
Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign
and email artifacts to determine maliciousness confidence, campaign attribution, and blocking attribution, and blocking priority. Use when triaging IOCs from phishing emails,
priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds; security alerts, or external threat feeds; enriching raw IOCs with multi-source
enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions. intelligence; or making block/monitor/whitelist decisions. Activates for requests
Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines. involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
'
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [IOC, VirusTotal, AbuseIPDB, MalwareBazaar, MISP, threat-intelligence, STIX, NIST-CSF] tags:
- IOC
- VirusTotal
- AbuseIPDB
- MalwareBazaar
- MISP
- threat-intelligence
- STIX
- NIST-CSF
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0052
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1071
- T1105
- T1041
- T1567
--- ---
# Analyzing Indicators of Compromise # Analyzing Indicators of Compromise
skills/analyzing-ios-app-security-with-objection/SKILL.md
+28 -8
View File
@@ -1,18 +1,38 @@
--- ---
name: analyzing-ios-app-security-with-objection name: analyzing-ios-app-security-with-objection
description: > description: >-
Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered Runtime iOS app security testing with Objection (Frida): inspect keychain and
toolkit that enables security testers to interact with app internals without jailbreaking. Use when filesystem data, explore app internals at runtime, and validate/bypass
assessing iOS app security posture, bypassing client-side protections, dumping keychain items, client-side protections during authorized mobile assessments.
inspecting filesystem storage, and evaluating runtime behavior. Activates for requests involving
iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile runtime
exploration.
domain: cybersecurity domain: cybersecurity
subdomain: mobile-security subdomain: mobile-security
author: mahipal author: mahipal
tags: [mobile-security, ios, objection, frida, owasp-mobile, penetration-testing] tags:
- mobile-security
- ios
- objection
- frida
- owasp-mobile
- penetration-testing
version: 1.0.0 version: 1.0.0
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0054
nist_ai_rmf:
- MEASURE-2.7
- MANAGE-2.4
- GOVERN-6.2
- MAP-5.1
nist_csf:
- PR.PS-01
- PR.AA-05
- ID.RA-01
- DE.CM-09
mitre_attack:
- T1635
- T1414
- T1417.001
- T1409
--- ---
# Analyzing iOS App Security with Objection # Analyzing iOS App Security with Objection
skills/analyzing-kubernetes-audit-logs/SKILL.md
+25 -7
View File
@@ -1,16 +1,34 @@
--- ---
name: analyzing-kubernetes-audit-logs name: analyzing-kubernetes-audit-logs
description: > description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod,
Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret secret access, RBAC modifications, privileged pod creation, and anonymous API access.
access, RBAC modifications, privileged pod creation, and anonymous API access. Builds Builds threat detection rules from audit event patterns. Use when investigating
threat detection rules from audit event patterns. Use when investigating Kubernetes Kubernetes cluster compromise or building k8s-specific SIEM detection rules.
cluster compromise or building k8s-specific SIEM detection rules.
'
domain: cybersecurity domain: cybersecurity
subdomain: container-security subdomain: container-security
tags: [analyzing, kubernetes, audit, logs] tags:
version: "1.0" - kubernetes-security
- container-security
- audit-log-analysis
- rbac
- privilege-escalation
- k8s-api-server
- threat-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- PR.PS-01
- PR.IR-01
- ID.AM-08
- DE.CM-01
mitre_attack:
- T1610
- T1613
- T1078
- T1552.007
--- ---
# Analyzing Kubernetes Audit Logs # Analyzing Kubernetes Audit Logs
skills/analyzing-linux-audit-logs-for-intrusion/SKILL.md
+26 -8
View File
@@ -1,18 +1,36 @@
--- ---
name: analyzing-linux-audit-logs-for-intrusion name: analyzing-linux-audit-logs-for-intrusion
description: > description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities
Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious
to detect intrusion attempts, unauthorized access, privilege escalation, and system activity. Covers audit rule configuration, log querying, timeline reconstruction,
suspicious system activity. Covers audit rule configuration, log querying, and integration with SIEM platforms. Activates for requests involving auditd analysis,
timeline reconstruction, and integration with SIEM platforms. Activates for Linux audit log investigation, ausearch queries, aureport summaries, or host-based
requests involving auditd analysis, Linux audit log investigation, ausearch intrusion detection on Linux.
queries, aureport summaries, or host-based intrusion detection on Linux.
'
domain: cybersecurity domain: cybersecurity
subdomain: incident-response subdomain: incident-response
tags: [auditd, ausearch, aureport, linux-security, intrusion-detection, HIDS, forensics] tags:
- auditd
- ausearch
- aureport
- linux-security
- intrusion-detection
- HIDS
- forensics
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.MA-01
- RS.MA-02
- RS.AN-03
- RC.RP-01
mitre_attack:
- T1059.004
- T1070
- T1548.003
- T1543.002
--- ---
# Analyzing Linux Audit Logs for Intrusion # Analyzing Linux Audit Logs for Intrusion
skills/analyzing-linux-elf-malware/SKILL.md
+24 -7
View File
@@ -1,17 +1,34 @@
--- ---
name: analyzing-linux-elf-malware name: analyzing-linux-elf-malware
description: > description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries
Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, including botnets, cryptominers, ransomware, and rootkits targeting Linux servers,
cryptominers, ransomware, and rootkits targeting Linux servers, containers, and cloud containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
infrastructure. Covers static analysis, dynamic tracing, and reverse engineering of reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving
x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis, Linux malware analysis, ELF binary investigation, Linux server compromise assessment,
ELF binary investigation, Linux server compromise assessment, or container malware analysis. or container malware analysis.
'
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [malware, Linux, ELF, reverse-engineering, server-malware] tags:
- malware
- Linux
- ELF
- reverse-engineering
- server-malware
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1027
- T1059.004
- T1620
- T1574.006
--- ---
# Analyzing Linux ELF Malware # Analyzing Linux ELF Malware
skills/analyzing-linux-kernel-rootkits/SKILL.md
+23 -3
View File
@@ -1,12 +1,32 @@
--- ---
name: analyzing-linux-kernel-rootkits name: analyzing-linux-kernel-rootkits
description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures. description: Detect kernel-level rootkits in Linux memory dumps using Volatility3
linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning,
and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel
modules, and tampered system structures.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [rootkit, linux, kernel, volatility3, memory-forensics, malware-analysis, rkhunter, forensics] tags:
version: "1.0" - rootkit
- linux
- kernel
- volatility3
- memory-forensics
- malware-analysis
- rkhunter
- forensics
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1014
- T1547.006
- T1564.001
--- ---
# Analyzing Linux Kernel Rootkits # Analyzing Linux Kernel Rootkits
skills/analyzing-linux-system-artifacts/SKILL.md
+21 -3
View File
@@ -1,12 +1,30 @@
--- ---
name: analyzing-linux-system-artifacts name: analyzing-linux-system-artifacts
description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity. description: Examine Linux system artifacts including auth logs, cron jobs, shell
history, and system configuration to uncover evidence of compromise or unauthorized
activity.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [forensics, linux-forensics, system-artifacts, log-analysis, persistence-detection, incident-investigation] tags:
version: "1.0" - forensics
- linux-forensics
- system-artifacts
- log-analysis
- persistence-detection
- incident-investigation
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1070
- T1059.004
- T1543.002
- T1053.003
--- ---
# Analyzing Linux System Artifacts # Analyzing Linux System Artifacts
skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md
+24 -3
View File
@@ -1,12 +1,33 @@
--- ---
name: analyzing-lnk-file-and-jump-list-artifacts name: analyzing-lnk-file-and-jump-list-artifacts
description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format. description: Analyze Windows LNK shortcut files and Jump List artifacts to establish
evidence of file access, program execution, and user activity using LECmd, JLECmd,
and manual binary parsing of the Shell Link Binary format.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [lnk-files, jump-lists, lecmd, jlecmd, windows-forensics, shell-link, user-activity, file-access, program-execution, recent-files] tags:
version: "1.0" - lnk-files
- jump-lists
- lecmd
- jlecmd
- windows-forensics
- shell-link
- user-activity
- file-access
- program-execution
- recent-files
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1547.009
- T1204.002
- T1059.001
--- ---
# Analyzing LNK File and Jump List Artifacts # Analyzing LNK File and Jump List Artifacts
skills/analyzing-macro-malware-in-office-documents/SKILL.md
+32 -7
View File
@@ -1,17 +1,42 @@
--- ---
name: analyzing-macro-malware-in-office-documents name: analyzing-macro-malware-in-office-documents
description: > description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents
Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) (Word, Excel, PowerPoint) to identify download cradles, payload execution, persistence
to identify download cradles, payload execution, persistence mechanisms, and anti-analysis mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
techniques. Uses olevba, oledump, and VBA deobfuscation to extract the attack chain. to extract the attack chain. Activates for requests involving Office macro analysis,
Activates for requests involving Office macro analysis, VBA malware investigation, VBA malware investigation, maldoc analysis, or document-based threat examination.
maldoc analysis, or document-based threat examination.
'
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [malware, macro, Office, VBA, document-malware] tags:
- malware
- macro
- Office
- VBA
- document-malware
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0068
- AML.T0067
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1137.001
- T1204.002
- T1059.005
- T1027
--- ---
# Analyzing Macro Malware in Office Documents # Analyzing Macro Malware in Office Documents
skills/analyzing-malicious-pdf-with-peepdf/SKILL.md
+22 -3
View File
@@ -1,12 +1,31 @@
--- ---
name: analyzing-malicious-pdf-with-peepdf name: analyzing-malicious-pdf-with-peepdf
description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects. description: Perform static analysis of malicious PDF documents using peepdf, pdfid,
and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [malware-analysis, pdf, peepdf, pdfid, pdf-parser, static-analysis, reverse-engineering, dfir] tags:
version: "1.0" - malware-analysis
- pdf
- peepdf
- pdfid
- pdf-parser
- static-analysis
- reverse-engineering
- dfir
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1204.002
- T1059.007
- T1027
- T1106
--- ---
# Analyzing Malicious PDF with peepdf # Analyzing Malicious PDF with peepdf
skills/analyzing-malicious-url-with-urlscan/SKILL.md
+23 -3
View File
@@ -1,12 +1,32 @@
--- ---
name: analyzing-malicious-url-with-urlscan name: analyzing-malicious-url-with-urlscan
description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat description: URLScan.io is a free service for scanning and analyzing suspicious URLs.
It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and
network connections of web pages in an isolat
domain: cybersecurity domain: cybersecurity
subdomain: phishing-defense subdomain: phishing-defense
tags: [phishing, email-security, social-engineering, dmarc, awareness, url-analysis, threat-intelligence] tags:
version: "1.0" - phishing
- email-security
- social-engineering
- dmarc
- awareness
- url-analysis
- threat-intelligence
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0052
nist_csf:
- PR.AT-01
- DE.CM-09
- RS.CO-02
- DE.AE-02
mitre_attack:
- T1566.002
- T1204.001
- T1598.003
--- ---
# Analyzing Malicious URL with URLScan # Analyzing Malicious URL with URLScan
skills/analyzing-malware-behavior-with-cuckoo-sandbox/SKILL.md
+23 -7
View File
@@ -1,17 +1,33 @@
--- ---
name: analyzing-malware-behavior-with-cuckoo-sandbox name: analyzing-malware-behavior-with-cuckoo-sandbox
description: > description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior
Executes malware samples in Cuckoo Sandbox to observe runtime behavior including including process creation, file system modifications, registry changes, network
process creation, file system modifications, registry changes, network communications, communications, and API calls. Generates comprehensive behavioral reports for malware
and API calls. Generates comprehensive behavioral reports for malware classification classification and IOC extraction. Activates for requests involving dynamic malware
and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox analysis, sandbox detonation, behavioral analysis, or automated malware execution.
detonation, behavioral analysis, or automated malware execution.
'
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [malware, dynamic-analysis, sandbox, Cuckoo, behavioral-analysis] tags:
- malware
- dynamic-analysis
- sandbox
- Cuckoo
- behavioral-analysis
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1497
- T1055
- T1071
- T1027
--- ---
# Analyzing Malware Behavior with Cuckoo Sandbox # Analyzing Malware Behavior with Cuckoo Sandbox
skills/analyzing-malware-family-relationships-with-malpedia/SKILL.md
+22 -3
View File
@@ -1,12 +1,31 @@
--- ---
name: analyzing-malware-family-relationships-with-malpedia name: analyzing-malware-family-relationships-with-malpedia
description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families to threat actors, and integrate YARA rules for detection across malware lineages. description: Use the Malpedia platform and API to research malware family relationships,
track variant evolution, link families to threat actors, and integrate YARA rules
for detection across malware lineages.
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [malpedia, malware-family, yara, threat-actor, malware-tracking, threat-intelligence, variant-analysis, malware-intelligence] tags:
version: "1.0" - malpedia
- malware-family
- yara
- threat-actor
- malware-tracking
- threat-intelligence
- variant-analysis
- malware-intelligence
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1587.001
- T1027
- T1071
--- ---
# Analyzing Malware Family Relationships with Malpedia # Analyzing Malware Family Relationships with Malpedia
skills/analyzing-malware-persistence-with-autoruns/SKILL.md
+30 -3
View File
@@ -1,12 +1,39 @@
--- ---
name: analyzing-malware-persistence-with-autoruns name: analyzing-malware-persistence-with-autoruns
description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems. description: Use Sysinternals Autoruns to systematically identify and analyze malware
persistence mechanisms across registry keys, scheduled tasks, services, drivers,
and startup locations on Windows systems.
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response] tags:
version: "1.0" - autoruns
- persistence
- malware-analysis
- sysinternals
- windows
- registry
- startup
- incident-response
mitre_attack:
- T1547.001
- T1543.003
- T1053.005
- T1574.001
- T1037.001
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
--- ---
# Analyzing Malware Persistence with Autoruns # Analyzing Malware Persistence with Autoruns
skills/analyzing-malware-sandbox-evasion-techniques/SKILL.md
+27 -9
View File
@@ -1,19 +1,37 @@
--- ---
name: analyzing-malware-sandbox-evasion-techniques name: analyzing-malware-sandbox-evasion-techniques
description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports description: Detect sandbox evasion techniques in malware samples by analyzing timing
checks, VM artifact queries, user interaction detection, and sleep inflation patterns
from Cuckoo/AnyRun behavioral reports
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: tags:
- sandbox-evasion - sandbox-evasion
- malware-analysis - malware-analysis
- cuckoo - cuckoo
- anyrun - anyrun
- mitre-attack - mitre-attack
- virtualization-detection - virtualization-detection
- behavioral-analysis - behavioral-analysis
version: "1.0" version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Platform Hardening
- Restore Object
- Process Analysis
- System Call Filtering
- Restore Software
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1497.001
- T1497.003
- T1480
- T1027.002
--- ---
# Analyzing Malware Sandbox Evasion Techniques # Analyzing Malware Sandbox Evasion Techniques
skills/analyzing-memory-dumps-with-volatility/SKILL.md
+22 -7
View File
@@ -1,17 +1,32 @@
--- ---
name: analyzing-memory-dumps-with-volatility name: analyzing-memory-dumps-with-volatility
description: > description: 'Analyzes RAM memory dumps from compromised systems using the Volatility framework to identify malicious processes,
Analyzes RAM memory dumps from compromised systems using the Volatility framework to injected code, network connections, loaded modules, and extracted credentials. Supports Windows, Linux, and macOS memory
identify malicious processes, injected code, network connections, loaded modules, and forensics. Activates for requests involving memory forensics, RAM analysis, volatile data examination, process injection
extracted credentials. Supports Windows, Linux, and macOS memory forensics. Activates detection, or memory-resident malware investigation.
for requests involving memory forensics, RAM analysis, volatile data examination,
process injection detection, or memory-resident malware investigation. '
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response] tags:
- malware
- memory-forensics
- Volatility
- RAM-analysis
- incident-response
mitre_attack:
- T1055
- T1003
- T1059
- T1620
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
--- ---
# Analyzing Memory Dumps with Volatility # Analyzing Memory Dumps with Volatility
skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md
+25 -7
View File
@@ -1,16 +1,34 @@
--- ---
name: analyzing-memory-forensics-with-lime-and-volatility name: analyzing-memory-forensics-with-lime-and-volatility
description: > description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor)
Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module kernel module and analysis with Volatility 3 framework. Extracts process lists,
and analysis with Volatility 3 framework. Extracts process lists, network connections, network connections, bash history, loaded kernel modules, and injected code from
bash history, loaded kernel modules, and injected code from Linux memory images. Linux memory images. Use when performing incident response on compromised Linux
Use when performing incident response on compromised Linux systems. systems.
'
domain: cybersecurity domain: cybersecurity
subdomain: security-operations subdomain: security-operations
tags: [analyzing, memory, forensics, with] tags:
version: "1.0" - memory-forensics
- linux-forensics
- lime
- volatility
- incident-response
- kernel-modules
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.CM-01
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1055
- T1003.001
- T1620
- T1564.001
--- ---
# Analyzing Memory Forensics with LiME and Volatility # Analyzing Memory Forensics with LiME and Volatility
skills/analyzing-mft-for-deleted-file-recovery/SKILL.md
+24 -3
View File
@@ -1,12 +1,33 @@
--- ---
name: analyzing-mft-for-deleted-file-recovery name: analyzing-mft-for-deleted-file-recovery
description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics. description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content
of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack
space using MFTECmd, analyzeMFT, and X-Ways Forensics.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [mft, ntfs, deleted-files, file-recovery, mftecmd, usn-journal, logfile, mft-slack-space, file-system-forensics, dfir] tags:
version: "1.0" - mft
- ntfs
- deleted-files
- file-recovery
- mftecmd
- usn-journal
- logfile
- mft-slack-space
- file-system-forensics
- dfir
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1070.004
- T1070.006
- T1005
--- ---
# Analyzing MFT for Deleted File Recovery # Analyzing MFT for Deleted File Recovery
skills/analyzing-network-covert-channels-in-malware/SKILL.md
+28 -3
View File
@@ -1,12 +1,37 @@
--- ---
name: analyzing-network-covert-channels-in-malware name: analyzing-network-covert-channels-in-malware
description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration. description: Detect and analyze covert communication channels used by malware including
DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2
and data exfiltration.
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [covert-channels, dns-tunneling, icmp-exfiltration, malware-analysis, network-forensics, c2-detection, data-exfiltration] tags:
version: "1.0" - covert-channels
- dns-tunneling
- icmp-exfiltration
- malware-analysis
- network-forensics
- c2-detection
- data-exfiltration
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Certificate Analysis
- Application Protocol Command Analysis
- Content Format Conversion
- File Content Analysis
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1071.001
- T1095
- T1572
- T1001
--- ---
# Analyzing Network Covert Channels in Malware # Analyzing Network Covert Channels in Malware
skills/analyzing-network-flow-data-with-netflow/SKILL.md
+21 -7
View File
@@ -1,16 +1,30 @@
--- ---
name: analyzing-network-flow-data-with-netflow name: analyzing-network-flow-data-with-netflow
description: >- description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port
Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data scanning, data exfiltration, and C2 beaconing patterns. Uses the Python netflow
exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow library to decode flow records, builds traffic baselines, and applies statistical
records, builds traffic baselines, and applies statistical analysis to identify flows analysis to identify flows with abnormal byte counts, connection durations, and
with abnormal byte counts, connection durations, and periodic timing patterns. periodic timing patterns.
domain: cybersecurity domain: cybersecurity
subdomain: network-security subdomain: network-security
tags: [analyzing, network, flow, data] tags:
version: "1.0" - analyzing
- network
- flow
- data
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- PR.IR-01
- DE.CM-01
- ID.AM-03
- PR.DS-02
mitre_attack:
- T1071
- T1048
- T1046
- T1095
--- ---
skills/analyzing-network-packets-with-scapy/SKILL.md
+20 -8
View File
@@ -1,18 +1,30 @@
--- ---
name: analyzing-network-packets-with-scapy name: analyzing-network-packets-with-scapy
description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and traffic anomaly detection in authorized security testing description: Craft, send, sniff, and dissect network packets using Scapy for protocol
analysis, network reconnaissance, and traffic anomaly detection in authorized security
testing
domain: cybersecurity domain: cybersecurity
subdomain: network-security subdomain: network-security
tags: tags:
- scapy - scapy
- packet-analysis - packet-analysis
- network-forensics - network-forensics
- protocol-dissection - protocol-dissection
- pcap - pcap
- traffic-analysis - traffic-analysis
version: "1.0" version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- PR.IR-01
- DE.CM-01
- ID.AM-03
- PR.DS-02
mitre_attack:
- T1040
- T1071
- T1046
- T1557
--- ---
# Analyzing Network Packets with Scapy # Analyzing Network Packets with Scapy
skills/analyzing-network-traffic-for-incidents/SKILL.md
+22 -8
View File
@@ -1,18 +1,32 @@
--- ---
name: analyzing-network-traffic-for-incidents name: analyzing-network-traffic-for-incidents
description: > description: 'Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including
Analyzes network traffic captures and flow data to identify adversary activity during command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek,
security incidents, including command-and-control communications, lateral movement, and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation,
data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection.
analysis techniques. Activates for requests involving network traffic analysis,
packet capture investigation, PCAP analysis, network forensics, C2 traffic detection, '
or exfiltration detection.
domain: cybersecurity domain: cybersecurity
subdomain: incident-response subdomain: incident-response
tags: [network-forensics, PCAP-analysis, Wireshark, Zeek, traffic-analysis] tags:
- network-forensics
- PCAP-analysis
- Wireshark
- Zeek
- traffic-analysis
mitre_attack:
- T1071
- T1095
- T1573
- T1572
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.MA-01
- RS.MA-02
- RS.AN-03
- RC.RP-01
--- ---
# Analyzing Network Traffic for Incidents # Analyzing Network Traffic for Incidents
skills/analyzing-network-traffic-of-malware/SKILL.md
+23 -7
View File
@@ -1,17 +1,33 @@
--- ---
name: analyzing-network-traffic-of-malware name: analyzing-network-traffic-of-malware
description: > description: 'Analyzes network traffic generated by malware during sandbox execution
Analyzes network traffic generated by malware during sandbox execution or live incident or live incident response to identify C2 protocols, data exfiltration channels,
response to identify C2 protocols, data exfiltration channels, payload downloads, and payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata.
lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests Activates for requests involving malware network analysis, C2 traffic decoding,
involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or malware PCAP analysis, or network-based malware detection.
network-based malware detection.
'
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [malware, network-analysis, PCAP, Wireshark, C2-detection] tags:
- malware
- network-analysis
- PCAP
- Wireshark
- C2-detection
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1071.001
- T1571
- T1573
- T1095
--- ---
# Analyzing Network Traffic of Malware # Analyzing Network Traffic of Malware
skills/analyzing-network-traffic-with-wireshark/SKILL.md
+22 -6
View File
@@ -1,15 +1,31 @@
--- ---
name: analyzing-network-traffic-with-wireshark name: analyzing-network-traffic-with-wireshark
description: > description: 'Captures and analyzes network packet data using Wireshark and tshark
Captures and analyzes network packet data using Wireshark and tshark to identify to identify malicious traffic patterns, diagnose protocol issues, extract artifacts,
malicious traffic patterns, diagnose protocol issues, extract artifacts, and and support incident response investigations on authorized network segments.
support incident response investigations on authorized network segments.
'
domain: cybersecurity domain: cybersecurity
subdomain: network-security subdomain: network-security
tags: [network-security, wireshark, packet-analysis, traffic-analysis, pcap] tags:
version: "1.0" - network-security
- wireshark
- packet-analysis
- traffic-analysis
- pcap
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- PR.IR-01
- DE.CM-01
- ID.AM-03
- PR.DS-02
mitre_attack:
- T1040
- T1071
- T1557
- T1046
--- ---
# Analyzing Network Traffic with Wireshark # Analyzing Network Traffic with Wireshark
skills/analyzing-office365-audit-logs-for-compromise/SKILL.md
+22 -3
View File
@@ -1,12 +1,31 @@
--- ---
name: analyzing-office365-audit-logs-for-compromise name: analyzing-office365-audit-logs-for-compromise
description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and other indicators of account compromise. description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect
email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and
other indicators of account compromise.
domain: cybersecurity domain: cybersecurity
subdomain: cloud-security subdomain: cloud-security
tags: [Office365, Microsoft-Graph, audit-logs, email-compromise, inbox-rules, OAuth, BEC] tags:
version: "1.0" - Office365
- Microsoft-Graph
- audit-logs
- email-compromise
- inbox-rules
- OAuth
- BEC
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1114.002
- T1098.002
- T1556.006
- T1078.004
--- ---
# Analyzing Office 365 Audit Logs for Compromise # Analyzing Office 365 Audit Logs for Compromise
skills/analyzing-outlook-pst-for-email-forensics/SKILL.md
+29 -3
View File
@@ -1,12 +1,38 @@
--- ---
name: analyzing-outlook-pst-for-email-forensics name: analyzing-outlook-pst-for-email-forensics
description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments, deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident response. description: Analyze Microsoft Outlook PST and OST files for email forensic evidence
including message content, headers, attachments, deleted items, and metadata using
libpff, pst-utils, and forensic email analysis tools for legal investigations and
incident response.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [email-forensics, pst, ost, outlook, mapi, email-headers, attachments, deleted-emails, libpff, eml-extraction] tags:
version: "1.0" - email-forensics
- pst
- ost
- outlook
- mapi
- email-headers
- attachments
- deleted-emails
- libpff
- eml-extraction
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- MANAGE-2.4
- MANAGE-3.1
- MEASURE-3.1
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1114.001
- T1564.008
- T1070.008
--- ---
# Analyzing Outlook PST for Email Forensics # Analyzing Outlook PST for Email Forensics
skills/analyzing-packed-malware-with-upx-unpacker/SKILL.md
+22 -6
View File
@@ -1,16 +1,32 @@
--- ---
name: analyzing-packed-malware-with-upx-unpacker name: analyzing-packed-malware-with-upx-unpacker
description: > description: 'Identifies and unpacks UPX-packed and other packed malware samples to
Identifies and unpacks UPX-packed and other packed malware samples to expose the original expose the original executable code for static analysis. Covers both standard UPX
executable code for static analysis. Covers both standard UPX unpacking and handling unpacking and handling modified UPX headers that prevent automated decompression.
modified UPX headers that prevent automated decompression. Activates for requests involving Activates for requests involving malware unpacking, UPX decompression, packer removal,
malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis. or preparing packed samples for analysis.
'
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [malware, unpacking, UPX, packing, static-analysis] tags:
- malware
- unpacking
- UPX
- packing
- static-analysis
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1027.002
- T1140
- T1620
--- ---
# Analyzing Packed Malware with UPX Unpacker # Analyzing Packed Malware with UPX Unpacker
skills/analyzing-pdf-malware-with-pdfid/SKILL.md
+23 -7
View File
@@ -1,17 +1,33 @@
--- ---
name: analyzing-pdf-malware-with-pdfid name: analyzing-pdf-malware-with-pdfid
description: > description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to
Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded identify embedded JavaScript, shellcode, exploits, and suspicious objects without
JavaScript, shellcode, exploits, and suspicious objects without opening the document. opening the document. Determines the attack vector and extracts embedded payloads
Determines the attack vector and extracts embedded payloads for further analysis. for further analysis. Activates for requests involving PDF malware analysis, malicious
Activates for requests involving PDF malware analysis, malicious document analysis, document analysis, PDF exploit investigation, or suspicious attachment triage.
PDF exploit investigation, or suspicious attachment triage.
'
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [malware, PDF-analysis, document-malware, PDFiD, static-analysis] tags:
- malware
- PDF-analysis
- document-malware
- PDFiD
- static-analysis
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1204.002
- T1566.001
- T1059.007
- T1027
--- ---
# Analyzing PDF Malware with PDFiD # Analyzing PDF Malware with PDFiD
skills/analyzing-persistence-mechanisms-in-linux/SKILL.md
+29 -3
View File
@@ -1,12 +1,38 @@
--- ---
name: analyzing-persistence-mechanisms-in-linux name: analyzing-persistence-mechanisms-in-linux
description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring description: Detect and analyze Linux persistence mechanisms including crontab entries,
systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys
backdoors using auditd and file integrity monitoring
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response] tags:
version: "1.0" - linux-persistence
- crontab
- systemd
- ld-preload
- auditd
- threat-hunting
- incident-response
mitre_attack:
- T1053.003
- T1543.002
- T1574.006
- T1546.004
- T1098.004
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Process Termination
- Content Format Conversion
nist_csf:
- DE.CM-01
- DE.AE-02
- DE.AE-07
- ID.RA-05
--- ---
# Analyzing Persistence Mechanisms in Linux # Analyzing Persistence Mechanisms in Linux
skills/analyzing-powershell-empire-artifacts/SKILL.md
+35 -3
View File
@@ -1,12 +1,44 @@
--- ---
name: analyzing-powershell-empire-artifacts name: analyzing-powershell-empire-artifacts
description: Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events. description: Detect PowerShell Empire framework artifacts in Windows event logs by
identifying Base64 encoded launcher patterns, default user agents, staging URL structures,
stager IOCs, and known Empire module signatures in Script Block Logging events.
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [PowerShell-Empire, threat-hunting, Script-Block-Logging, base64, stager, C2, MITRE-ATT&CK, T1059.001, forensics] tags:
version: "1.0" - PowerShell-Empire
- threat-hunting
- Script-Block-Logging
- base64
- stager
- C2
- MITRE-ATT&CK
- T1059.001
- forensics
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_ai_rmf:
- GOVERN-1.1
- MEASURE-2.7
- MANAGE-3.1
nist_csf:
- DE.CM-01
- DE.AE-02
- DE.AE-07
- ID.RA-05
mitre_attack:
- T1059.001
- T1071.001
- T1003.001
- T1558.003
- T1027.010
--- ---
# Analyzing PowerShell Empire Artifacts # Analyzing PowerShell Empire Artifacts
skills/analyzing-powershell-script-block-logging/SKILL.md
+23 -7
View File
@@ -1,16 +1,32 @@
--- ---
name: analyzing-powershell-script-block-logging name: analyzing-powershell-script-block-logging
description: >- description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX
Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques.
commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy
reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse,
commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts. download cradles, and AMSI bypass attempts.
domain: cybersecurity domain: cybersecurity
subdomain: security-operations subdomain: security-operations
tags: [analyzing, powershell, script, block] tags:
version: "1.0" - powershell
- script-block-logging
- event-id-4104
- obfuscation-detection
- windows-forensics
- endpoint-security
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.CM-01
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1059.001
- T1027.010
- T1140
- T1105
--- ---
skills/analyzing-prefetch-files-for-execution-history/SKILL.md
+20 -3
View File
@@ -1,12 +1,29 @@
--- ---
name: analyzing-prefetch-files-for-execution-history name: analyzing-prefetch-files-for-execution-history
description: Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced files for forensic investigation. description: Parse Windows Prefetch files to determine program execution history including
run counts, timestamps, and referenced files for forensic investigation.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [forensics, prefetch, windows-artifacts, execution-history, timeline-analysis, evidence-collection] tags:
version: "1.0" - forensics
- prefetch
- windows-artifacts
- execution-history
- timeline-analysis
- evidence-collection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1059.001
- T1003.001
- T1021.002
- T1567.002
--- ---
# Analyzing Prefetch Files for Execution History # Analyzing Prefetch Files for Execution History
skills/analyzing-ransomware-encryption-mechanisms/SKILL.md
+23 -7
View File
@@ -1,17 +1,33 @@
--- ---
name: analyzing-ransomware-encryption-mechanisms name: analyzing-ransomware-encryption-mechanisms
description: > description: 'Analyzes encryption algorithms, key management, and file encryption
Analyzes encryption algorithms, key management, and file encryption routines used by routines used by ransomware families to assess decryption feasibility, identify
ransomware families to assess decryption feasibility, identify implementation weaknesses, implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20,
and support recovery efforts. Covers AES, RSA, ChaCha20, and hybrid encryption schemes. and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis,
Activates for requests involving ransomware cryptanalysis, encryption analysis, key encryption analysis, key recovery assessment, or ransomware decryption feasibility.
recovery assessment, or ransomware decryption feasibility.
'
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [malware, ransomware, encryption, cryptanalysis, reverse-engineering] tags:
- malware
- ransomware
- encryption
- cryptanalysis
- reverse-engineering
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1486
- T1573.001
- T1573.002
- T1027
--- ---
# Analyzing Ransomware Encryption Mechanisms # Analyzing Ransomware Encryption Mechanisms
skills/analyzing-ransomware-leak-site-intelligence/SKILL.md
+23 -3
View File
@@ -1,12 +1,32 @@
--- ---
name: analyzing-ransomware-leak-site-intelligence name: analyzing-ransomware-leak-site-intelligence
description: Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence on group tactics, and assess sector-specific ransomware risk for proactive defense. description: Monitor and analyze ransomware group data leak sites (DLS) to track victim
postings, extract threat intelligence on group tactics, and assess sector-specific
ransomware risk for proactive defense.
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [ransomware, leak-site, data-leak, extortion, threat-intelligence, monitoring, dls, victim-tracking] tags:
version: "1.0" - ransomware
- leak-site
- data-leak
- extortion
- threat-intelligence
- leak-site-monitoring
- dls
- victim-tracking
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1657
- T1486
- T1567.002
- T1591
--- ---
# Analyzing Ransomware Leak Site Intelligence # Analyzing Ransomware Leak Site Intelligence
skills/analyzing-ransomware-network-indicators/SKILL.md
+29 -3
View File
@@ -1,12 +1,38 @@
--- ---
name: analyzing-ransomware-network-indicators name: analyzing-ransomware-network-indicators
description: Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange via Zeek conn.log and NetFlow analysis description: Identify ransomware network indicators including C2 beaconing patterns,
TOR exit node connections, data exfiltration flows, and encryption key exchange
via Zeek conn.log and NetFlow analysis
domain: cybersecurity domain: cybersecurity
subdomain: threat-hunting subdomain: threat-hunting
tags: [ransomware, c2-beaconing, zeek, netflow, tor, exfiltration, network-forensics] tags:
version: "1.0" - ransomware
- c2-beaconing
- zeek
- netflow
- tor
- exfiltration
- network-forensics
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Certificate Analysis
- Application Protocol Command Analysis
- Content Format Conversion
- File Content Analysis
nist_csf:
- DE.CM-01
- DE.AE-02
- DE.AE-07
- ID.RA-05
mitre_attack:
- T1071.001
- T1573
- T1048
- T1567.002
- T1486
--- ---
# Analyzing Ransomware Network Indicators # Analyzing Ransomware Network Indicators
skills/analyzing-ransomware-payment-wallets/SKILL.md
+21 -6
View File
@@ -1,18 +1,33 @@
--- ---
name: analyzing-ransomware-payment-wallets name: analyzing-ransomware-payment-wallets
description: > description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis
Traces ransomware cryptocurrency payment flows using blockchain analysis tools tools such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies
such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies
wallet clusters, tracks fund movement through mixers and exchanges, and supports wallet clusters, tracks fund movement through mixers and exchanges, and supports
law enforcement attribution. Activates for requests involving ransomware payment law enforcement attribution. Activates for requests involving ransomware payment
tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain intelligence
intelligence gathering. gathering.
'
domain: cybersecurity domain: cybersecurity
subdomain: ransomware-defense subdomain: ransomware-defense
tags: [ransomware, blockchain, cryptocurrency, forensics, threat-intelligence, bitcoin] tags:
- ransomware
- blockchain
- cryptocurrency
- forensics
- threat-intelligence
- bitcoin
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- PR.DS-11
- RS.MA-01
- RC.RP-01
- PR.IR-01
mitre_attack:
- T1657
- T1486
--- ---
# Analyzing Ransomware Payment Wallets # Analyzing Ransomware Payment Wallets
skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md
+38 -8
View File
@@ -1,18 +1,48 @@
--- ---
name: analyzing-sbom-for-supply-chain-vulnerabilities name: analyzing-sbom-for-supply-chain-vulnerabilities
description: > description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON
Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify formats to identify supply chain vulnerabilities by correlating components against
supply chain vulnerabilities by correlating components against the NVD CVE database via the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk
the NVD 2.0 API. Builds dependency graphs, calculates risk scores, identifies transitive scores, identifies transitive vulnerability paths, and generates compliance reports.
vulnerability paths, and generates compliance reports. Activates for requests involving Activates for requests involving SBOM analysis, software composition analysis, supply
SBOM analysis, software composition analysis, supply chain security assessment, dependency chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing,
vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation. or CVE correlation.
'
domain: cybersecurity domain: cybersecurity
subdomain: supply-chain-security subdomain: supply-chain-security
tags: [SBOM, CycloneDX, SPDX, NVD, CVE, supply-chain, dependency-analysis, syft, grype] tags:
- SBOM
- CycloneDX
- SPDX
- NVD
- CVE
- supply-chain
- dependency-analysis
- syft
- grype
version: 1.0.0 version: 1.0.0
author: mukul975 author: mukul975
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0010
- AML.T0104
nist_ai_rmf:
- GOVERN-5.2
- MAP-1.6
- MANAGE-2.2
- GOVERN-1.1
- GOVERN-4.2
nist_csf:
- GV.SC-01
- GV.SC-03
- GV.SC-06
- GV.SC-07
mitre_attack:
- T1195.001
- T1195.002
- T1554
- T1190
--- ---
# Analyzing SBOM for Supply Chain Vulnerabilities # Analyzing SBOM for Supply Chain Vulnerabilities
skills/analyzing-security-logs-with-splunk/SKILL.md
+37 -4
View File
@@ -1,18 +1,51 @@
--- ---
name: analyzing-security-logs-with-splunk name: analyzing-security-logs-with-splunk
description: > description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language)
Leverages Splunk Enterprise Security and SPL (Search Processing Language) to to investigate security incidents through log correlation, timeline reconstruction,
investigate security incidents through log correlation, timeline reconstruction,
and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and
authentication data analysis. Activates for requests involving Splunk investigation, authentication data analysis. Activates for requests involving Splunk investigation,
SPL queries, SIEM log analysis, security event correlation, or log-based incident SPL queries, SIEM log analysis, security event correlation, or log-based incident
investigation. investigation.
'
domain: cybersecurity domain: cybersecurity
subdomain: incident-response subdomain: incident-response
tags: [splunk, SPL, SIEM, log-analysis, security-monitoring] tags:
- splunk
- SPL
- SIEM
- log-analysis
- security-monitoring
mitre_attack:
- T1110
- T1550.002
- T1021.001
- T1059.001
- T1003.001
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
- MANAGE-3.1
- MEASURE-3.1
nist_csf:
- RS.MA-01
- RS.MA-02
- RS.AN-03
- RC.RP-01
--- ---
# Analyzing Security Logs with Splunk # Analyzing Security Logs with Splunk
skills/analyzing-slack-space-and-file-system-artifacts/SKILL.md
+22 -3
View File
@@ -1,12 +1,31 @@
--- ---
name: analyzing-slack-space-and-file-system-artifacts name: analyzing-slack-space-and-file-system-artifacts
description: Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity on NTFS volumes. description: Examine file system slack space, MFT entries, USN journal, and alternate
data streams to recover hidden data and reconstruct file activity on NTFS volumes.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [forensics, slack-space, ntfs, mft, usn-journal, alternate-data-streams, file-system-analysis] tags:
version: "1.0" - forensics
- slack-space
- ntfs
- mft
- usn-journal
- alternate-data-streams
- file-system-analysis
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1070.006
- T1564.004
- T1070.004
- T1005
- T1006
--- ---
# Analyzing Slack Space and File System Artifacts # Analyzing Slack Space and File System Artifacts
skills/analyzing-supply-chain-malware-artifacts/SKILL.md
+36 -3
View File
@@ -1,12 +1,45 @@
--- ---
name: analyzing-supply-chain-malware-artifacts name: analyzing-supply-chain-malware-artifacts
description: Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines, and sideloaded dependencies to identify intrusion vectors and scope of compromise. description: Investigate supply chain attack artifacts including trojanized software
updates, compromised build pipelines, and sideloaded dependencies to identify intrusion
vectors and scope of compromise.
domain: cybersecurity domain: cybersecurity
subdomain: malware-analysis subdomain: malware-analysis
tags: [supply-chain, malware-analysis, trojanized-software, solarwinds, 3cx, dependency-confusion, software-integrity] tags:
version: "1.0" - supply-chain
- malware-analysis
- trojanized-software
- solarwinds
- 3cx
- dependency-confusion
- software-integrity
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0010
- AML.T0104
nist_ai_rmf:
- GOVERN-5.2
- MAP-1.6
- MANAGE-2.2
d3fend_techniques:
- Platform Hardening
- Hardware Component Inventory
- Restore Object
- Electromagnetic Radiation Hardening
- RF Shielding
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
mitre_attack:
- T1195.002
- T1195.001
- T1554
- T1553.002
- T1027
--- ---
# Analyzing Supply Chain Malware Artifacts # Analyzing Supply Chain Malware Artifacts
skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md
+29 -3
View File
@@ -1,12 +1,38 @@
--- ---
name: analyzing-threat-actor-ttps-with-mitre-attack name: analyzing-threat-actor-ttps-with-mitre-attack
description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics,
techniques, and procedures (TTPs) based on real-world observations. This skill covers
systematically mapping threat actor beh
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [threat-intelligence, cti, ioc, mitre-attack, stix, ttp-analysis, threat-actors] tags:
version: "1.0" - threat-intelligence
- cti
- ioc
- mitre-attack
- stix
- ttp-analysis
- threat-actors
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1566.001
- T1059.001
- T1071.001
- T1547.001
- T1053.005
--- ---
# Analyzing Threat Actor TTPs with MITRE ATT&CK # Analyzing Threat Actor TTPs with MITRE ATT&CK
skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md
+42 -9
View File
@@ -1,18 +1,51 @@
--- ---
name: analyzing-threat-actor-ttps-with-mitre-navigator name: analyzing-threat-actor-ttps-with-mitre-navigator
description: > description: 'Map advanced persistent threat (APT) group tactics, techniques, and
Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to procedures (TTPs) to the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti
the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti Python library. The Python library. The analyst queries STIX/TAXII data for group-technique associations,
analyst queries STIX/TAXII data for group-technique associations, generates Navigator layer generates Navigator layer files for visualization, and compares defensive coverage
files for visualization, and compares defensive coverage against adversary profiles. against adversary profiles. Activates for requests involving APT TTP mapping, ATT&CK
Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor Navigator layers, threat actor profiling, or MITRE technique coverage analysis.
profiling, or MITRE technique coverage analysis.
'
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [mitre-attack, navigator, threat-intelligence, apt, ttp-mapping, stix, attackcti] tags:
version: "1.0" - mitre-attack
- navigator
- threat-intelligence
- apt
- ttp-mapping
- stix
- attackcti
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1566.001
- T1059.001
- T1071.001
- T1547.001
- T1053.005
--- ---
# Analyzing Threat Actor TTPs with MITRE Navigator # Analyzing Threat Actor TTPs with MITRE Navigator
skills/analyzing-threat-intelligence-feeds/SKILL.md
+29 -7
View File
@@ -1,17 +1,39 @@
--- ---
name: analyzing-threat-intelligence-feeds name: analyzing-threat-intelligence-feeds
description: > description: 'Analyzes structured and unstructured threat intelligence feeds to extract
Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, actionable indicators, adversary tactics, and campaign context. Use when ingesting
adversary tactics, and campaign context. Use when ingesting commercial or open-source CTI feeds, commercial or open-source CTI feeds, evaluating feed quality, normalizing data into
evaluating feed quality, normalizing data into STIX 2.1 format, or enriching existing IOCs with STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates
campaign attribution. Activates for requests involving ThreatConnect, Recorded Future, Mandiant for requests involving ThreatConnect, Recorded Future, Mandiant Advantage, MISP,
Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines. AlienVault OTX, or automated feed aggregation pipelines.
'
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [STIX, TAXII, MITRE-ATT&CK, IOC, ThreatConnect, Recorded-Future, MISP, CTI, NIST-CSF] tags:
- STIX
- TAXII
- MITRE-ATT&CK
- IOC
- ThreatConnect
- Recorded-Future
- MISP
- CTI
- NIST-CSF
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1071.001
- T1566
- T1568
- T1583.001
- T1102
--- ---
# Analyzing Threat Intelligence Feeds # Analyzing Threat Intelligence Feeds
skills/analyzing-threat-landscape-with-misp/SKILL.md
+30 -8
View File
@@ -1,17 +1,39 @@
--- ---
name: analyzing-threat-landscape-with-misp name: analyzing-threat-landscape-with-misp
description: >- description: Analyze the threat landscape using MISP (Malware Information Sharing
Analyze the threat landscape using MISP (Malware Information Sharing Platform) Platform) by querying event statistics, attribute distributions, threat actor galaxy
by querying event statistics, attribute distributions, threat actor galaxy clusters, and tag trends over time. Uses PyMISP to pull event data, compute IOC
clusters, and tag trends over time. Uses PyMISP to pull event data, compute type breakdowns, identify top threat actors and malware families, and generate threat
IOC type breakdowns, identify top threat actors and malware families, and landscape reports with temporal trends.
generate threat landscape reports with temporal trends.
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [analyzing, threat, landscape, with] tags:
version: "1.0" - threat-intelligence
- misp
- threat-landscape
- ioc-analysis
- cti
- threat-sharing
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1566
- T1071.001
- T1568
- T1583.001
- T1102
--- ---
skills/analyzing-tls-certificate-transparency-logs/SKILL.md
+27 -7
View File
@@ -1,16 +1,36 @@
--- ---
name: analyzing-tls-certificate-transparency-logs name: analyzing-tls-certificate-transparency-logs
description: > description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect
Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing phishing domains, unauthorized certificate issuance, and shadow IT. Monitors newly
domains, unauthorized certificate issuance, and shadow IT. Monitors newly issued issued certificates for typosquatting and brand impersonation using Levenshtein
certificates for typosquatting and brand impersonation using Levenshtein distance. distance. Use for proactive phishing domain detection and certificate monitoring.
Use for proactive phishing domain detection and certificate monitoring.
'
domain: cybersecurity domain: cybersecurity
subdomain: security-operations subdomain: security-operations
tags: [analyzing, tls, certificate, transparency] tags:
version: "1.0" - certificate-transparency
- ct-logs
- crt-sh
- phishing-detection
- tls-monitoring
- security-operations
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0073
- AML.T0052
nist_csf:
- DE.CM-01
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1583.001
- T1566.002
- T1598.003
- T1583.006
--- ---
# Analyzing TLS Certificate Transparency Logs # Analyzing TLS Certificate Transparency Logs
skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.md
+26 -3
View File
@@ -1,12 +1,35 @@
--- ---
name: analyzing-typosquatting-domains-with-dnstwist name: analyzing-typosquatting-domains-with-dnstwist
description: Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations and identify registered lookalike domains targeting your organization. description: Detect typosquatting, homograph phishing, and brand impersonation domains
using dnstwist to generate domain permutations and identify registered lookalike
domains targeting your organization.
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [dnstwist, typosquatting, phishing, domain-monitoring, brand-protection, homograph, dns, threat-intelligence] tags:
version: "1.0" - dnstwist
- typosquatting
- phishing
- domain-monitoring
- brand-protection
- homograph
- dns
- threat-intelligence
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
atlas_techniques:
- AML.T0073
- AML.T0052
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1583.001
- T1566.002
- T1598.003
- T1583.006
--- ---
# Analyzing Typosquatting Domains with DNSTwist # Analyzing Typosquatting Domains with DNSTwist
skills/analyzing-uefi-bootkit-persistence/SKILL.md
+30 -6
View File
@@ -1,19 +1,43 @@
--- ---
name: analyzing-uefi-bootkit-persistence name: analyzing-uefi-bootkit-persistence
description: > description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants
Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, in SPI flash, EFI System Partition (ESP) modifications, Secure Boot bypass techniques,
EFI System Partition (ESP) modifications, Secure Boot bypass techniques, and UEFI and UEFI variable manipulation. Covers detection of known bootkit families (BlackLotus,
variable manipulation. Covers detection of known bootkit families (BlackLotus, LoJax, LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection,
MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection,
chipsec-based firmware integrity verification, and Secure Boot configuration auditing. chipsec-based firmware integrity verification, and Secure Boot configuration auditing.
Activates for requests involving UEFI malware analysis, firmware persistence investigation, Activates for requests involving UEFI malware analysis, firmware persistence investigation,
boot chain integrity verification, or Secure Boot bypass detection. boot chain integrity verification, or Secure Boot bypass detection.
'
domain: cybersecurity domain: cybersecurity
subdomain: firmware-security subdomain: firmware-security
tags: [UEFI, bootkit, firmware, Secure-Boot, chipsec, ESP, persistence] tags:
- UEFI
- bootkit
- firmware
- Secure-Boot
- chipsec
- ESP
- persistence
version: 1.0.0 version: 1.0.0
author: mukul975 author: mukul975
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Platform Hardening
- Restore Object
- Platform Monitoring
- Firmware Verification
- Firmware Embedded Monitoring Code
nist_csf:
- ID.RA-01
- PR.PS-01
- PR.PS-02
mitre_attack:
- T1542.001
- T1542.003
- T1553.006
- T1542
- T1014
--- ---
# Analyzing UEFI Bootkit Persistence # Analyzing UEFI Bootkit Persistence
skills/analyzing-usb-device-connection-history/SKILL.md
+21 -3
View File
@@ -1,12 +1,30 @@
--- ---
name: analyzing-usb-device-connection-history name: analyzing-usb-device-connection-history
description: Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable media usage and potential data exfiltration. description: Investigate USB device connection history from Windows registry, event
logs, and setupapi logs to track removable media usage and potential data exfiltration.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [forensics, usb-forensics, removable-media, registry-analysis, data-exfiltration, device-history] tags:
version: "1.0" - forensics
- usb-forensics
- removable-media
- registry-analysis
- data-exfiltration
- device-history
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1052.001
- T1025
- T1091
- T1005
- T1074.001
--- ---
# Analyzing USB Device Connection History # Analyzing USB Device Connection History
skills/analyzing-web-server-logs-for-intrusion/SKILL.md
+25 -7
View File
@@ -1,16 +1,34 @@
--- ---
name: analyzing-web-server-logs-for-intrusion name: analyzing-web-server-logs-for-intrusion
description: >- description: Parse Apache and Nginx access logs to detect SQL injection attempts,
Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, local file inclusion, directory traversal, web scanner fingerprints, and brute-force
directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP
pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution, enrichment for source attribution, and statistical anomaly detection for request
and statistical anomaly detection for request frequency and response size outliers. frequency and response size outliers.
domain: cybersecurity domain: cybersecurity
subdomain: security-operations subdomain: security-operations
tags: [analyzing, web, server, logs] tags:
version: "1.0" - web-log-analysis
- apache-logs
- nginx-logs
- sql-injection-detection
- lfi-detection
- directory-traversal
- intrusion-detection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.CM-01
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1190
- T1059.007
- T1110
- T1595.002
- T1505.003
--- ---
skills/analyzing-windows-amcache-artifacts/SKILL.md
+28 -9
View File
@@ -1,19 +1,38 @@
--- ---
name: analyzing-windows-amcache-artifacts name: analyzing-windows-amcache-artifacts
description: > description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract
Parses and analyzes the Windows Amcache.hve registry hive to extract evidence evidence of program execution, application installation, and driver loading for
of program execution, application installation, and driver loading for digital digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline
forensics investigations. Uses Eric Zimmerman's AmcacheParser and Timeline Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and
Explorer for artifact extraction, SHA-1 hash correlation with threat intel, timeline reconstruction. Activates for requests involving Amcache forensics, program
and timeline reconstruction. Activates for requests involving Amcache forensics, execution evidence, Windows artifact analysis, or application compatibility cache
program execution evidence, Windows artifact analysis, or application compatibility investigation.
cache investigation.
'
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [amcache, windows-forensics, program-execution, AmcacheParser, eric-zimmerman, timeline-analysis, DFIR] tags:
- amcache
- windows-forensics
- program-execution
- AmcacheParser
- eric-zimmerman
- timeline-analysis
- DFIR
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1070.004
- T1070.006
- T1036.005
- T1014
- T1005
--- ---
# Analyzing Windows Amcache Artifacts # Analyzing Windows Amcache Artifacts
skills/analyzing-windows-event-logs-in-splunk/SKILL.md
+34 -7
View File
@@ -1,16 +1,43 @@
--- ---
name: analyzing-windows-event-logs-in-splunk name: analyzing-windows-event-logs-in-splunk
description: > description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to
Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, detect authentication attacks, privilege escalation, persistence mechanisms, and
privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC
MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats, analysts need to investigate Windows-based threats, build detection queries, or
build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers. perform forensic timeline analysis of Windows endpoints and domain controllers.
'
domain: cybersecurity domain: cybersecurity
subdomain: soc-operations subdomain: soc-operations
tags: [soc, splunk, windows-events, sysmon, event-logs, mitre-attack, active-directory] tags:
version: "1.0" - soc
- splunk
- windows-events
- sysmon
- event-logs
- mitre-attack
- active-directory
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Restore Access
- Password Authentication
- Biometric Authentication
- Strong Password Policy
- Restore User Account Access
nist_csf:
- DE.CM-01
- DE.AE-02
- RS.MA-01
- DE.AE-06
mitre_attack:
- T1110
- T1053.005
- T1547.001
- T1021.002
- T1558.003
- T1003.006
--- ---
# Analyzing Windows Event Logs in Splunk # Analyzing Windows Event Logs in Splunk
skills/analyzing-windows-lnk-files-for-artifacts/SKILL.md
+21 -3
View File
@@ -1,12 +1,30 @@
--- ---
name: analyzing-windows-lnk-files-for-artifacts name: analyzing-windows-lnk-files-for-artifacts
description: Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers for forensic timeline reconstruction. description: Parse Windows LNK shortcut files to extract target paths, timestamps,
volume information, and machine identifiers for forensic timeline reconstruction.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [forensics, lnk-files, windows-artifacts, shortcut-analysis, timeline-reconstruction, evidence-collection] tags:
version: "1.0" - forensics
- lnk-files
- windows-artifacts
- shortcut-analysis
- timeline-reconstruction
- evidence-collection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1547.001
- T1204.002
- T1005
- T1025
- T1074.001
--- ---
# Analyzing Windows LNK Files for Artifacts # Analyzing Windows LNK Files for Artifacts
skills/analyzing-windows-prefetch-with-python/SKILL.md
+22 -3
View File
@@ -1,12 +1,31 @@
--- ---
name: analyzing-windows-prefetch-with-python name: analyzing-windows-prefetch-with-python
description: Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history, detect renamed or masquerading binaries, and identify suspicious program execution patterns. description: Parse Windows Prefetch files using the windowsprefetch Python library
to reconstruct application execution history, detect renamed or masquerading binaries,
and identify suspicious program execution patterns.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis] tags:
version: "1.0" - digital-forensics
- windows
- prefetch
- execution-history
- incident-response
- malware-analysis
mitre_attack:
- T1036.005
- T1070.004
- T1070
- T1003.001
- T1057
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
--- ---
# Analyzing Windows Prefetch with Python # Analyzing Windows Prefetch with Python
skills/analyzing-windows-registry-for-artifacts/SKILL.md
+21 -3
View File
@@ -1,12 +1,30 @@
--- ---
name: analyzing-windows-registry-for-artifacts name: analyzing-windows-registry-for-artifacts
description: Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and evidence of system compromise. description: Extract and analyze Windows Registry hives to uncover user activity,
installed software, autostart entries, and evidence of system compromise.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [forensics, windows-registry, artifact-analysis, regripper, registry-explorer, evidence-collection] tags:
version: "1.0" - forensics
- windows-registry
- artifact-analysis
- regripper
- registry-explorer
- evidence-collection
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1012
- T1547.001
- T1112
- T1003.002
- T1025
--- ---
# Analyzing Windows Registry for Artifacts # Analyzing Windows Registry for Artifacts
skills/analyzing-windows-shellbag-artifacts/SKILL.md
+26 -3
View File
@@ -1,12 +1,35 @@
--- ---
name: analyzing-windows-shellbag-artifacts name: analyzing-windows-shellbag-artifacts
description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags Explorer. description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing
activity, detect access to removable media and network shares, and establish user
interaction with directories even after deletion using SBECmd and ShellBags Explorer.
domain: cybersecurity domain: cybersecurity
subdomain: digital-forensics subdomain: digital-forensics
tags: [shellbags, windows-registry, sbecmd, shellbags-explorer, folder-access, user-activity, removable-media, network-shares, bagmru, dfir] tags:
version: "1.0" - shellbags
- windows-registry
- sbecmd
- shellbags-explorer
- folder-access
- user-activity
- removable-media
- network-shares
- bagmru
- dfir
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- RS.AN-01
- RS.AN-03
- DE.AE-02
- RS.MA-01
mitre_attack:
- T1083
- T1074.001
- T1135
- T1025
- T1070.004
--- ---
# Analyzing Windows Shellbag Artifacts # Analyzing Windows Shellbag Artifacts
skills/auditing-aws-s3-bucket-permissions/SKILL.md
+25 -6
View File
@@ -1,15 +1,34 @@
--- ---
name: auditing-aws-s3-bucket-permissions name: auditing-aws-s3-bucket-permissions
description: > description: 'Systematically audit AWS S3 bucket permissions to identify publicly
Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, accessible buckets, overly permissive ACLs, misconfigured bucket policies, and missing
overly permissive ACLs, misconfigured bucket policies, and missing encryption settings encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege
using AWS CLI, S3audit, and Prowler to enforce least-privilege data access controls. data access controls.
'
domain: cybersecurity domain: cybersecurity
subdomain: cloud-security subdomain: cloud-security
tags: [cloud-security, aws, s3, bucket-permissions, data-protection, access-control] tags:
version: "1.0" - cloud-security
- aws
- s3
- bucket-permissions
- data-protection
- access-control
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1530
- T1619
- T1078.004
- T1537
- T1567.002
--- ---
# Auditing AWS S3 Bucket Permissions # Auditing AWS S3 Bucket Permissions
skills/auditing-azure-active-directory-configuration/SKILL.md
+25 -6
View File
@@ -1,15 +1,34 @@
--- ---
name: auditing-azure-active-directory-configuration name: auditing-azure-active-directory-configuration
description: > description: 'Auditing Microsoft Entra ID (Azure Active Directory) configuration to
Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky identify risky authentication policies, overly permissive role assignments, stale
authentication policies, overly permissive role assignments, stale accounts, conditional accounts, conditional access gaps, and guest user risks using AzureAD PowerShell,
access gaps, and guest user risks using AzureAD PowerShell, Microsoft Graph API, and ScoutSuite. Microsoft Graph API, and ScoutSuite.
'
domain: cybersecurity domain: cybersecurity
subdomain: cloud-security subdomain: cloud-security
tags: [cloud-security, azure, entra-id, active-directory, iam-audit, conditional-access] tags:
version: "1.0" - cloud-security
- azure
- entra-id
- active-directory
- iam-audit
- conditional-access
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1078.004
- T1098.003
- T1556.006
- T1069.003
- T1526
--- ---
# Auditing Azure Active Directory Configuration # Auditing Azure Active Directory Configuration
skills/auditing-cloud-with-cis-benchmarks/SKILL.md
+28 -7
View File
@@ -1,17 +1,38 @@
--- ---
name: auditing-cloud-with-cis-benchmarks name: auditing-cloud-with-cis-benchmarks
description: > description: 'This skill details how to conduct cloud security audits using Center
This skill details how to conduct cloud security audits using Center for Internet for Internet Security benchmarks for AWS, Azure, and GCP. It covers interpreting
Security benchmarks for AWS, Azure, and GCP. It covers interpreting CIS Foundations CIS Foundations Benchmark controls, running automated assessments with tools like
Benchmark controls, running automated assessments with tools like Prowler and Prowler and ScoutSuite, remediating failed controls, and maintaining continuous
ScoutSuite, remediating failed controls, and maintaining continuous compliance compliance monitoring against CIS v5 for AWS, v4 for Azure, and v4 for GCP.
monitoring against CIS v5 for AWS, v4 for Azure, and v4 for GCP.
'
domain: cybersecurity domain: cybersecurity
subdomain: cloud-security subdomain: cloud-security
tags: [cis-benchmarks, cloud-audit, compliance-assessment, prowler, security-hardening] tags:
- cis-benchmarks
- cloud-audit
- compliance-assessment
- prowler
- security-hardening
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- GOVERN-1.1
- GOVERN-4.2
- MAP-2.3
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1078.004
- T1530
- T1098.003
- T1685.002
- T1580
--- ---
# Auditing Cloud with CIS Benchmarks # Auditing Cloud with CIS Benchmarks
skills/auditing-gcp-iam-permissions/SKILL.md
+24 -6
View File
@@ -1,15 +1,33 @@
--- ---
name: auditing-gcp-iam-permissions name: auditing-gcp-iam-permissions
description: > description: 'Auditing Google Cloud Platform IAM permissions to identify overly permissive
Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, bindings, primitive role usage, service account key proliferation, and cross-project
primitive role usage, service account key proliferation, and cross-project access risks access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.
using gcloud CLI, Policy Analyzer, and IAM Recommender.
'
domain: cybersecurity domain: cybersecurity
subdomain: cloud-security subdomain: cloud-security
tags: [cloud-security, gcp, iam, permissions-audit, service-accounts, policy-analyzer] tags:
version: "1.0" - cloud-security
- gcp
- iam
- permissions-audit
- service-accounts
- policy-analyzer
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1078.004
- T1098.003
- T1528
- T1548.005
- T1580
--- ---
# Auditing GCP IAM Permissions # Auditing GCP IAM Permissions
skills/auditing-kubernetes-cluster-rbac/SKILL.md
+25 -6
View File
@@ -1,15 +1,34 @@
--- ---
name: auditing-kubernetes-cluster-rbac name: auditing-kubernetes-cluster-rbac
description: > description: 'Auditing Kubernetes cluster RBAC configurations to identify overly permissive
Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, roles, wildcard permissions, dangerous ClusterRoleBindings, service account abuse,
wildcard permissions, dangerous ClusterRoleBindings, service account abuse, and and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.
privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.
'
domain: cybersecurity domain: cybersecurity
subdomain: cloud-security subdomain: cloud-security
tags: [cloud-security, kubernetes, rbac, access-control, eks, gke, aks] tags:
version: "1.0" - cloud-security
- kubernetes
- rbac
- access-control
- eks
- gke
- aks
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1098.006
- T1552.007
- T1611
- T1613
- T1078.004
--- ---
# Auditing Kubernetes Cluster RBAC # Auditing Kubernetes Cluster RBAC
skills/auditing-terraform-infrastructure-for-security/SKILL.md
+25 -6
View File
@@ -1,15 +1,34 @@
--- ---
name: auditing-terraform-infrastructure-for-security name: auditing-terraform-infrastructure-for-security
description: > description: 'Auditing Terraform infrastructure-as-code for security misconfigurations
Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive
tfsec, Terrascan, and OPA/Rego policies to detect overly permissive IAM policies, public IAM policies, public resource exposure, missing encryption, and insecure defaults
resource exposure, missing encryption, and insecure defaults before cloud deployment. before cloud deployment.
'
domain: cybersecurity domain: cybersecurity
subdomain: cloud-security subdomain: cloud-security
tags: [cloud-security, terraform, infrastructure-as-code, checkov, tfsec, policy-as-code] tags:
version: "1.0" - cloud-security
- terraform
- infrastructure-as-code
- checkov
- tfsec
- policy-as-code
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1078.004
- T1530
- T1190
- T1552.001
- T1580
--- ---
# Auditing Terraform Infrastructure for Security # Auditing Terraform Infrastructure for Security
skills/auditing-tls-certificate-transparency-logs/SKILL.md
+27 -8
View File
@@ -1,18 +1,37 @@
--- ---
name: auditing-tls-certificate-transparency-logs name: auditing-tls-certificate-transparency-logs
description: > description: 'Monitors Certificate Transparency (CT) logs to detect unauthorized certificate
Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, issuance, discover subdomains via CT data, and alert on suspicious certificate activity
discover subdomains via CT data, and alert on suspicious certificate activity for owned domains. for owned domains. Uses the crt.sh API and direct CT log querying based on RFC 6962
Uses the crt.sh API and direct CT log querying based on RFC 6962 to build continuous monitoring to build continuous monitoring pipelines that catch rogue certificates, track CA
pipelines that catch rogue certificates, track CA behavior, and map the external attack surface. behavior, and map the external attack surface. Activates for requests involving
Activates for requests involving certificate transparency monitoring, CT log auditing, certificate transparency monitoring, CT log auditing, subdomain discovery via certificates,
subdomain discovery via certificates, or certificate issuance alerting. or certificate issuance alerting.
'
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [certificate-transparency, CT-logs, crt-sh, subdomain-discovery, TLS-monitoring, RFC-6962] tags:
- certificate-transparency
- CT-logs
- crt-sh
- subdomain-discovery
- TLS-monitoring
- RFC-6962
version: 1.0.0 version: 1.0.0
author: mukul975 author: mukul975
license: Apache-2.0 license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1596.003
- T1583.001
- T1587.003
- T1593
- T1566.002
--- ---
# Auditing TLS Certificate Transparency Logs # Auditing TLS Certificate Transparency Logs
skills/automating-ioc-enrichment/SKILL.md
+30 -8
View File
@@ -1,18 +1,40 @@
--- ---
name: automating-ioc-enrichment name: automating-ioc-enrichment
description: > description: 'Automates the enrichment of raw indicators of compromise with multi-source
Automates the enrichment of raw indicators of compromise with multi-source threat intelligence threat intelligence context using SOAR platforms, Python pipelines, or TIP playbooks
context using SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time to reduce analyst triage time and standardize enrichment outputs. Use when building
and standardize enrichment outputs. Use when building automated enrichment workflows integrated automated enrichment workflows integrated with SIEM alerts, email submission pipelines,
with SIEM alerts, email submission pipelines, or bulk IOC processing from threat feeds. Activates or bulk IOC processing from threat feeds. Activates for requests involving SOAR
for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment pipelines, or
pipelines, or automated IOC processing. automated IOC processing.
'
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [SOAR, enrichment, IOC, Cortex-XSOAR, Splunk-SOAR, VirusTotal, automation, CTI, NIST-CSF] tags:
- SOAR
- enrichment
- IOC
- Cortex-XSOAR
- Splunk-SOAR
- VirusTotal
- automation
- CTI
- NIST-CSF
version: 1.0.0 version: 1.0.0
author: team-cybersecurity author: team-cybersecurity
license: Apache-2.0 license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1071.001
- T1583.001
- T1588.001
- T1590.005
- T1596
--- ---
# Automating IOC Enrichment # Automating IOC Enrichment
skills/building-adversary-infrastructure-tracking-system/SKILL.md
+24 -3
View File
@@ -1,12 +1,33 @@
--- ---
name: building-adversary-infrastructure-tracking-system name: building-adversary-infrastructure-tracking-system
description: Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor threat actor command-and-control networks. description: Build an automated system to track adversary infrastructure using passive
DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor
threat actor command-and-control networks.
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [infrastructure-tracking, passive-dns, c2, whois, threat-actor, pivoting, threat-intelligence, domain-analysis] tags:
version: "1.0" - infrastructure-tracking
- passive-dns
- c2
- whois
- threat-actor
- pivoting
- threat-intelligence
- domain-analysis
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1583.001
- T1583.004
- T1596.001
- T1590.002
- T1071.001
--- ---
# Building Adversary Infrastructure Tracking System # Building Adversary Infrastructure Tracking System
skills/building-attack-pattern-library-from-cti-reports/SKILL.md
+30 -3
View File
@@ -1,12 +1,39 @@
--- ---
name: building-attack-pattern-library-from-cti-reports name: building-attack-pattern-library-from-cti-reports
description: Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering and threat-informed defense. description: Extract and catalog attack patterns from cyber threat intelligence reports
into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering
and threat-informed defense.
domain: cybersecurity domain: cybersecurity
subdomain: threat-intelligence subdomain: threat-intelligence
tags: [attack-pattern, cti-reports, mitre-attack, stix, detection-engineering, threat-intelligence, nlp, extraction] tags:
version: "1.0" - attack-pattern
- cti-reports
- mitre-attack
- stix
- detection-engineering
- threat-intelligence
- nlp
- extraction
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Application Protocol Command Analysis
- Identifier Analysis
- Content Format Conversion
- Message Analysis
nist_csf:
- ID.RA-01
- ID.RA-05
- DE.CM-01
- DE.AE-02
mitre_attack:
- T1566.001
- T1059.001
- T1003.001
- T1558.003
- T1550.002
--- ---
# Building Attack Pattern Library from CTI Reports # Building Attack Pattern Library from CTI Reports
skills/building-automated-malware-submission-pipeline/SKILL.md
+28 -7
View File
@@ -1,16 +1,37 @@
--- ---
name: building-automated-malware-submission-pipeline name: building-automated-malware-submission-pipeline
description: > description: 'Builds an automated malware submission and analysis pipeline that collects
Builds an automated malware submission and analysis pipeline that collects suspicious files from suspicious files from endpoints and email gateways, submits them to sandbox environments
endpoints and email gateways, submits them to sandbox environments and multi-engine scanners, and multi-engine scanners, and generates verdicts with IOCs for SIEM integration.
and generates verdicts with IOCs for SIEM integration. Use when SOC teams need to scale malware Use when SOC teams need to scale malware analysis beyond manual sandbox submissions
analysis beyond manual sandbox submissions for high-volume alert triage. for high-volume alert triage.
'
domain: cybersecurity domain: cybersecurity
subdomain: soc-operations subdomain: soc-operations
tags: [soc, malware-analysis, sandbox, automation, virustotal, cuckoo, any-run, pipeline] tags:
version: "1.0" - soc
- malware-analysis
- sandbox
- automation
- virustotal
- cuckoo
- any-run
- pipeline
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_csf:
- DE.CM-01
- DE.AE-02
- RS.MA-01
- DE.AE-06
mitre_attack:
- T1204.002
- T1566.001
- T1027
- T1055
- T1497
--- ---
# Building Automated Malware Submission Pipeline # Building Automated Malware Submission Pipeline
skills/building-c2-infrastructure-with-sliver-framework/SKILL.md
+29 -3
View File
@@ -1,12 +1,38 @@
--- ---
name: building-c2-infrastructure-with-sliver-framework name: building-c2-infrastructure-with-sliver-framework
description: Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements. description: Build and configure a resilient command-and-control infrastructure using
BishopFox's Sliver C2 framework with redirectors, HTTPS listeners, and multi-operator
support for authorized red team engagements.
domain: cybersecurity domain: cybersecurity
subdomain: red-teaming subdomain: red-teaming
tags: [red-team, c2-framework, sliver, command-and-control, adversary-simulation, infrastructure, post-exploitation] tags:
version: "1.0" - red-team
- c2-framework
- sliver
- command-and-control
- adversary-simulation
- infrastructure
- post-exploitation
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- File Metadata Consistency Validation
- Certificate Analysis
- Application Protocol Command Analysis
- Content Format Conversion
- File Content Analysis
nist_csf:
- ID.RA-01
- GV.OV-02
- DE.AE-07
mitre_attack:
- T1071.001
- T1071.004
- T1573.002
- T1090.002
- T1105
- T1572
--- ---
# Building C2 Infrastructure with Sliver Framework # Building C2 Infrastructure with Sliver Framework
skills/building-cloud-siem-with-sentinel/SKILL.md
+32 -7
View File
@@ -1,17 +1,42 @@
--- ---
name: building-cloud-siem-with-sentinel name: building-cloud-siem-with-sentinel
description: > description: 'This skill covers deploying Microsoft Sentinel as a cloud-native SIEM
This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR and SOAR platform for centralized security operations. It details configuring data
platform for centralized security operations. It details configuring data connectors connectors for multi-cloud log ingestion, writing KQL detection queries, building
for multi-cloud log ingestion, writing KQL detection queries, building automated automated response playbooks with Logic Apps, and leveraging the Sentinel data lake
response playbooks with Logic Apps, and leveraging the Sentinel data lake for for petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry.
petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry.
'
domain: cybersecurity domain: cybersecurity
subdomain: cloud-security subdomain: cloud-security
tags: [microsoft-sentinel, cloud-siem, kql-queries, soar-automation, threat-detection] tags:
- microsoft-sentinel
- cloud-siem
- kql-queries
- soar-automation
- threat-detection
version: 1.0.0 version: 1.0.0
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
nist_csf:
- PR.IR-01
- ID.AM-08
- GV.SC-06
- DE.CM-01
mitre_attack:
- T1078.004
- T1548.005
- T1485
- T1530
- T1021.007
--- ---
# Building Cloud SIEM with Sentinel # Building Cloud SIEM with Sentinel
skills/building-detection-rule-with-splunk-spl/SKILL.md
+30 -3
View File
@@ -1,12 +1,39 @@
--- ---
name: building-detection-rule-with-splunk-spl name: building-detection-rule-with-splunk-spl
description: Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify security threats in SOC environments. description: Build effective detection rules using Splunk Search Processing Language
(SPL) correlation searches to identify security threats in SOC environments.
domain: cybersecurity domain: cybersecurity
subdomain: soc-operations subdomain: soc-operations
tags: [splunk, spl, detection-engineering, correlation-search, siem, soc, threat-detection, enterprise-security] tags:
version: "1.0" - splunk
- spl
- detection-engineering
- correlation-search
- siem
- soc
- threat-detection
- enterprise-security
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_csf:
- DE.CM-01
- DE.AE-02
- RS.MA-01
- DE.AE-06
mitre_attack:
- T1059.001
- T1003.001
- T1021.002
- T1110.003
- T1053.005
- T1048
--- ---
# Building Detection Rules with Splunk SPL # Building Detection Rules with Splunk SPL
skills/building-detection-rules-with-sigma/SKILL.md
+34 -7
View File
@@ -1,16 +1,43 @@
--- ---
name: building-detection-rules-with-sigma name: building-detection-rules-with-sigma
description: > description: 'Builds vendor-agnostic detection rules using the Sigma rule format for
Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across threat detection across SIEM platforms including Splunk, Elastic, and Microsoft
SIEM platforms including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable Sentinel. Use when creating portable detection logic from threat intelligence, mapping
detection logic from threat intelligence, mapping rules to MITRE ATT&CK techniques, or converting rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific
community Sigma rules into platform-specific queries using sigmac or pySigma backends. queries using sigmac or pySigma backends.
'
domain: cybersecurity domain: cybersecurity
subdomain: soc-operations subdomain: soc-operations
tags: [soc, sigma, detection-rules, siem, mitre-attack, splunk, elastic, sentinel] tags:
version: "1.0" - soc
- sigma
- detection-rules
- siem
- mitre-attack
- splunk
- elastic
- sentinel
version: '1.0'
author: mahipal author: mahipal
license: Apache-2.0 license: Apache-2.0
d3fend_techniques:
- Execution Isolation
- Process Termination
- Hardware-based Process Isolation
- Web Session Access Mediation
- Process Suspension
nist_csf:
- DE.CM-01
- DE.AE-02
- RS.MA-01
- DE.AE-06
mitre_attack:
- T1059.001
- T1003.001
- T1055
- T1053.005
- T1547.001
--- ---
# Building Detection Rules with Sigma # Building Detection Rules with Sigma

Some files were not shown because too many files have changed in this diff Show More