mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 12:45:17 +03:00
cb8d79e068
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct techniques), verified against MITRE ATT&CK v19.1 via the official mitreattack-python library: 0 revoked, deprecated, or invalid IDs - Curate precise per-skill technique IDs for forensics, malware-analysis, threat-intel, and red-team skills (e.g. DCSync -> T1003.006, Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003) - Reconcile v19.1 tactic restructuring: Defense Evasion split into Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.* family and T1070.001/.002 remapped to active equivalents (T1685.*) - Normalize word-split tags across 35 skills (remove filename-derived stopword tags, add semantic cybersecurity tags) - Add api-reference.md for 3 skills that were missing it - Update README ATT&CK section with accurate v19.1 tactic distribution
2.5 KiB
2.5 KiB
name, description, domain, subdomain, tags, version, author, license, d3fend_techniques, nist_csf, mitre_attack
| name | description | domain | subdomain | tags | version | author | license | d3fend_techniques | nist_csf | mitre_attack | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| hunting-for-startup-folder-persistence | Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation, analyzing autoruns entries, and using Python watchdog for real-time filesystem monitoring. | cybersecurity | threat-hunting |
|
1.0 | mahipal | Apache-2.0 |
|
|
|
Hunting for Startup Folder Persistence
Overview
Attackers use Windows startup folders for persistence (MITRE ATT&CK T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Files placed in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup or C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup execute automatically at user logon. This skill scans startup directories for suspicious files, monitors for real-time changes using Python watchdog, and analyzes file metadata to detect persistence implants.
When to Use
- When investigating security incidents that require hunting for startup folder persistence
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Python 3.9+ with
watchdog,pefile(optional for PE analysis) - Access to Windows startup folders (user and all-users)
- Windows Event Logs for Event ID 4663 correlation (optional)
Steps
- Enumerate all files in user and system startup directories
- Analyze file types, creation timestamps, and digital signatures
- Flag suspicious file extensions (.bat, .vbs, .ps1, .lnk, .exe)
- Check for recently created files (< 7 days) as potential implants
- Monitor startup folders in real-time using watchdog FileSystemEventHandler
- Correlate with known legitimate startup entries
- Generate threat hunting report with T1547.001 MITRE mapping
Expected Output
- JSON report listing all startup folder contents with risk scores, file metadata, and suspicious indicators
- Real-time monitoring alerts for new file creation in startup directories