mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-26 19:54:37 +03:00
8cae0648ec
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):
- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
invocation, guardrails, model/data poisoning, system-prompt leakage,
embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration
Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
2.6 KiB
# Falco — Rule Schema & CLI Reference

## Rule Object Fields

| Field | Required | Purpose |
|---|---|---|
| `rule` | yes | Unique rule name |
| `desc` | yes | Human description |
| `condition` | yes | Falco filter expression that triggers the rule |
| `output` | yes | Alert message (supports `%field` interpolation) |
| `priority` | yes | `EMERGENCY`, `ALERT`, `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, `DEBUG` |
| `tags` | no | Categorization (e.g. MITRE IDs) |
| `enabled` | no | Toggle a rule (`true`/`false`) |
| `source` | no | Event source (`syscall`, `k8s_audit`) |
## Macro and List Objects

| Object | Keys | Purpose |
|---|---|---|
| `macro` | `condition` | Reusable condition fragment |
| `list` | `items` | Named value set used with `in (...)` |
## Key CLI Commands

| Command | Purpose |
|---|---|
| `falco --validate <file>` | Validate rule syntax without running |
| `falco -r <file>` | Run with a specific rules file |
| `falco -L` | List loaded rules |
| `falco -l <rule>` | Describe a single rule |
| `falco --list` | List supported fields |
| `falcoctl driver config --type modern_ebpf` | Set driver type |
| `falcoctl artifact install <name>` | Install a rules/plugin artifact |
| `falcoctl artifact list` | List available artifacts |
## Driver Types

| Driver | `driver.kind` | Notes |
|---|---|---|
| Modern eBPF | `modern_ebpf` | Default; built into binary; kernel >= 5.8 |
| Legacy eBPF | `ebpf` | CO-RE eBPF probe |
| Kernel module | `kmod` | Loadable kernel module |
| Auto | `auto` | falcoctl picks best available |
## Important Filter Fields

| Field | Description |
|---|---|
| `evt.type` | Syscall name |
| `evt.dir` | `>` enter, `<` exit |
| `evt.is_open_read` / `evt.is_open_write` | `open()` intent |
| `proc.name` / `proc.cmdline` / `proc.pname` | Process / cmdline / parent |
| `container.id` / `container.name` / `container.image.repository` | Container identity |
| `container.privileged` | Privileged flag |
| `fd.name` / `fd.type` / `fd.num` | FD path / type / number |
| `user.name` / `user.uid` | Acting user |
| `k8s.pod.name` / `k8s.ns.name` | Kubernetes context |
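The three object types above (list, macro, rule) and the filter fields from this table come together in a rules file. The following is an added example written for this reference, not a file from the project or from the upstream Falco rule set; the list, macro and rule names (`shell_binaries`, `in_container`, `proc_exec`, and the two rule titles) are invented for illustration, while the field names, operators and `%field` interpolation are standard Falco syntax. Macro names deliberately differ from those in the default rules (`container`, `spawned_process`) so this file does not override them when loaded alongside.

```yaml
# Added example rules file (not from the project). Names are illustrative.
# Lists expand inside "in (...)"; macros expand inside conditions.

- list: shell_binaries
  items: [bash, sh, zsh, dash]

- list: credential_files
  items: [/etc/shadow, /etc/sudoers]

# True when the event did not originate on the host itself.
- macro: in_container
  condition: container.id != host

# Match the exit of an exec syscall, i.e. the new program has started.
- macro: proc_exec
  condition: evt.type in (execve, execveat) and evt.dir = <

- rule: Interactive Shell Started in Container
  desc: A shell binary was executed inside a container (common post-exploitation step)
  condition: proc_exec and in_container and proc.name in (shell_binaries)
  output: >
    Shell started in container (user=%user.name uid=%user.uid container=%container.name
    image=%container.image.repository privileged=%container.privileged
    parent=%proc.pname cmdline=%proc.cmdline pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, shell, mitre_execution, T1059]
  source: syscall
  enabled: true

- rule: Credential File Read in Container
  desc: A process inside a container opened a credential file for reading
  condition: >
    evt.type in (open, openat, openat2) and evt.is_open_read = true
    and in_container and fd.name in (credential_files)
  output: >
    Credential file read (file=%fd.name fd_type=%fd.type proc=%proc.name
    user=%user.name container=%container.name image=%container.image.repository)
  priority: ERROR
  tags: [filesystem, credential_access, T1552]
  source: syscall
```

Check it before deploying with `falco --validate <file>` from the CLI table; a typo in a field name or a reference to an undefined list or macro is reported there rather than silently producing a rule that never fires. Note that `%container.privileged` in the output line lets the triage analyst see at a glance whether a shell landed in a privileged container without having to pull the pod spec.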
## Configuration (falco.yaml)

| Key | Purpose |
|---|---|
| `rules_files` | List of rule files / dirs to load |
| `json_output` | Emit JSON for SIEM ingest |
| `priority` | Minimum priority to log |
| `outputs` / `http_output` / `program_output` | Alert sinks |
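An added example of how those keys fit together in `falco.yaml`, wiring rule loading, a log floor, JSON output and two alert sinks. This fragment was written for this reference and is not the project's or the Falco distribution's own configuration; the rule file paths follow the stock Falco package layout, and the SIEM and webhook URLs are placeholders to be replaced.

```yaml
# Added example falco.yaml fragment (not from the project). URLs are placeholders.

# Rule files load in order; later definitions of the same rule/macro/list win,
# so keep site overrides (falco_rules.local.yaml, rules.d/) after the stock set.
rules_files:
  - /etc/falco/falco_rules.yaml
  - /etc/falco/falco_rules.local.yaml
  - /etc/falco/rules.d

# Structured alerts for SIEM ingestion; keep the rendered "output" string and tags
# in the JSON document so downstream queries can use both.
json_output: true
json_include_output_property: true
json_include_tags_property: true

# Lowest priority that is emitted at all (case-insensitive). Rules below this
# floor are still evaluated but produce no alert.
priority: notice

# Alert sinks. Several can be enabled at once.
stdout_output:
  enabled: true

file_output:
  enabled: true
  keep_alive: false
  filename: /var/log/falco/events.json

http_output:
  enabled: true
  url: https://siem.example.invalid/ingest/falco   # placeholder endpoint

program_output:
  enabled: false
  keep_alive: false
  program: "jq '{text: .output}' | curl -sS -X POST -d @- https://hooks.example.invalid/placeholder"

# Driver selection: in falco.yaml this is engine.kind; the Helm chart exposes the
# same choice as driver.kind (see the Driver Types table).
engine:
  kind: modern_ebpf
```

Setting `priority: notice` while leaving `json_output: true` is a common middle ground: debug- and info-level rules stay quiet in production, and everything that does fire arrives at the SIEM as one JSON object per alert, ready to be keyed on the `tags` array for ATT&CK mapping.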
## External References

- Supported fields: https://falco.org/docs/reference/rules/supported-fields/
- Rule examples: https://falco.org/docs/reference/rules/examples/
- Configuration: https://falco.org/docs/reference/daemon/config-options/