mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 05:29:40 +03:00
8cae0648ec
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):
- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
invocation, guardrails, model/data poisoning, system-prompt leakage,
embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration
Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
78 lines
3.1 KiB
Markdown
78 lines
3.1 KiB
Markdown
# KAPE Command Reference
|
|
|
|
KAPE has two execution phases: **Target** (collection) and **Module** (processing). Switches use `--` prefix. `kape.exe` is the CLI; `gkape.exe` is the GUI.
|
|
|
|
## Target (collection) switches
|
|
|
|
| Switch | Required | Description |
|
|
|--------|----------|-------------|
|
|
| `--tsource` | yes | Source drive/volume to copy from (e.g. `C:`, `D:`, `F:\`) |
|
|
| `--target` | yes | Target/compound target name(s), comma-separated (e.g. `KapeTriage`, `!SANS_Triage`, `RegistryHives,EventLogs`) |
|
|
| `--tdest` | yes | Destination directory for collected files |
|
|
| `--tflush` | no | Delete contents of `--tdest` before copy |
|
|
| `--vss` | no | Process all Volume Shadow Copies on `--tsource` (default false) |
|
|
| `--vhdx <name>` | no | Create a VHDX container from `--tdest`; value is a base identifier, not a filename |
|
|
| `--vhd <name>` | no | Create a VHD container instead of VHDX |
|
|
| `--zip <name>` | no | Create a ZIP of the collection |
|
|
| `--zv` | no | Add `--tdest` to container then delete originals (true/false) |
|
|
|
|
## Module (processing) switches
|
|
|
|
| Switch | Required | Description |
|
|
|--------|----------|-------------|
|
|
| `--module` | yes | Module/compound module name(s) (e.g. `!EZParser`, `PECmd`, `MFTECmd`) |
|
|
| `--mdest` | yes | Destination for parsed module output (CSV/JSON/HTML) |
|
|
| `--msource` | no | Source data for processing (defaults to `--tdest` if collecting+processing) |
|
|
| `--mflush` | no | Delete contents of `--mdest` before processing |
|
|
| `--mef` | no | Module export format override |
|
|
|
|
## Global / utility switches
|
|
|
|
| Switch | Description |
|
|
|--------|-------------|
|
|
| `--sync` | Update Targets and Modules from the KapeFiles GitHub repo |
|
|
| `--tlist` | List all available Targets |
|
|
| `--mlist` | List all available Modules |
|
|
| `--gui` | Open progress in GUI window when launched from CLI |
|
|
| `--debug` | Verbose debug logging |
|
|
| `--trace` | Even more verbose tracing |
|
|
|
|
## Example command lines
|
|
|
|
```cmd
|
|
REM Triage collection
|
|
kape.exe --tsource C: --target KapeTriage --tdest E:\out\tdest --tflush
|
|
|
|
REM Collection with VSS + VHDX container
|
|
kape.exe --tsource C: --target !SANS_Triage --tdest E:\out\tdest --vss --vhdx HOST01 --tflush
|
|
|
|
REM Process an existing collection with all EZ Tools
|
|
kape.exe --msource E:\out\tdest\C --mdest E:\out\mdest --module !EZParser --mflush
|
|
|
|
REM Collect and parse in one run
|
|
kape.exe --tsource C: --target KapeTriage --tdest E:\out\tdest --mdest E:\out\mdest --module !EZParser --tflush --mflush
|
|
```
|
|
|
|
## Batch mode
|
|
|
|
Place a `_kape.cli` file beside `kape.exe`. Each non-comment line is one full argument set; run `kape.exe` with no args to execute all lines.
|
|
Variables: `%d` = KAPE directory, `%m` = machine name.
|
|
|
|
```
|
|
--tsource C: --target KapeTriage --tdest %d\Disk\%m --vhdx %m
|
|
```
|
|
|
|
## Config file types
|
|
|
|
| Extension | Purpose |
|
|
|-----------|---------|
|
|
| `.tkape` | Target definition (what to collect) |
|
|
| `.mkape` | Module definition (how to process) |
|
|
| `_kape.cli` | Batch command file |
|
|
|
|
## Output logs (chain of custody)
|
|
|
|
- `<timestamp>_CopyLog.csv` — every file copied with source/dest and SHA-1
|
|
- `<timestamp>_ConsoleLog.txt` — full console output
|
|
- `<timestamp>_SkipLog.csv` — files skipped and why
|