Anthropic-Cybersecurity-Skills/skills/mapping-attack-paths-with-bloodhound-ce/references/api-reference.md
mukul975 8cae0648ec Add 55 new skills across 3 new domains + 6 undercovered areas (762 -> 817)
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):

- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
  prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
  invocation, guardrails, model/data poisoning, system-prompt leakage,
  embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
  malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
  Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
  shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
  Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration

Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
2026-06-22 19:08:16 +02:00


# BloodHound CE Collectors & API Reference
## SharpHound (CE / .NET collector)
| Flag | Purpose |
|------|---------|
| `-c, --collectionmethods <m>` | Methods: `All`, `DCOnly`, `Session`, `LocalAdmin`, `ACL`, `Trusts`, `Group`, `GPOLocalGroup`, `Container`, `CertServices` |
| `--outputdirectory <dir>` | Directory to write the output ZIP |
| `-d, --domain <fqdn>` | Target domain |
| `--loop` | Repeat session collection in a loop |
| `--loopduration HH:MM:SS` | How long to loop |
| `--zipfilename <name>` | Name of output ZIP |
| `--ldapusername / --ldappassword` | Alternate LDAP credentials |
| `--stealth` | Reduced-footprint collection |
## bloodhound-ce-python (Linux)
| Flag | Purpose |
|------|---------|
| `-u <user>` | Username |
| `-p <pass>` | Password |
| `-d <domain>` | Domain FQDN |
| `-ns <ip>` | Nameserver (DC IP) |
| `-c All` | Collection methods |
| `--zip` | Compress output into a ZIP |
| `-k` | Use Kerberos authentication |
## AzureHound (Entra ID / Azure RM)
| Flag | Purpose |
|------|---------|
| `list` | Subcommand: collect all supported data |
| `-u <user>` | Username |
| `-p <pass>` | Password |
| `-t <tenant>` | Tenant domain or ID |
| `--jwt <token>` | Authenticate with an acquired JWT |
| `--refresh-token <rt>` | Authenticate with a refresh token |
| `-o <file>` | Output JSON file |
## BloodHound CE REST API (selected endpoints)
| Method | Endpoint | Purpose |
|--------|----------|---------|
| POST | `/api/v2/login` | Obtain a session JWT (`login_method: secret`) |
| POST | `/api/v2/file-upload/start` | Begin a file-ingest job |
| PUT | `/api/v2/file-upload/{id}` | Upload collector ZIP/JSON to the job |
| POST | `/api/v2/file-upload/{id}/end` | Finalize and trigger ingestion |
| POST | `/api/v2/graphs/cypher` | Run a Cypher query, return graph data |
| GET | `/api/v2/domains` | List ingested domains |
| GET | `/api/v2/pathfinding` | Pathfinding between two nodes |
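The ingest and query workflow that the endpoint table above lays out, as an added example that is not part of the skill's own `scripts/agent.py`: a small Python client that performs the login, the three-step file-upload job and a Cypher query, together with a constructed in-process stand-in for the server so the whole thing runs offline. The request and response JSON shapes (`session_token` under `data`, the job `id` under `data`, the `nodes`/`edges` map returned by the graph endpoint), the `Bearer` authorization header and the `include_properties` field are assumptions beyond what the table states; the host name, credentials and collector bytes are constructed. The unconstrained-delegation query is the one from the Cypher section of this page, changed to `RETURN c` because the graph endpoint returns nodes and edges rather than scalar columns (also an assumption).

```python
"""Minimal BloodHound CE REST client (added example, not the skill's own code).
Assumed beyond the endpoint table: response shapes, Bearer auth, include_properties."""
import json
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real HTTP transport for a live instance: (method, url, headers, body) -> (status, bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class BloodHoundClient:
    def __init__(self, base_url, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = None

    def _call(self, method, path, body=None, content_type="application/json"):
        headers = {"Content-Type": content_type}
        if self.token:
            headers["Authorization"] = f"Bearer {self.token}"   # assumed auth scheme
        status, raw = self.transport(method, self.base_url + path, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    def login(self, username, secret):
        # POST /api/v2/login with login_method=secret, as in the table.
        payload = json.dumps({"login_method": "secret", "username": username,
                              "secret": secret}).encode()
        self.token = self._call("POST", "/api/v2/login", payload)["data"]["session_token"]
        return self.token

    def ingest(self, collector_blob, content_type="application/zip"):
        # Three-step ingest job: start -> PUT the collector bytes -> end.
        job_id = self._call("POST", "/api/v2/file-upload/start")["data"]["id"]
        self._call("PUT", f"/api/v2/file-upload/{job_id}", collector_blob, content_type)
        self._call("POST", f"/api/v2/file-upload/{job_id}/end")
        return job_id

    def cypher(self, query, include_properties=True):
        payload = json.dumps({"query": query, "include_properties": include_properties}).encode()
        return self._call("POST", "/api/v2/graphs/cypher", payload)["data"]


# Page's unconstrained-delegation query, returning the node so the graph endpoint has entities to emit.
UNCONSTRAINED_QUERY = "MATCH (c:Computer {unconstraineddelegation:true}) RETURN c"


def unconstrained_delegation_hosts(client):
    """Names of computers trusted for unconstrained delegation, read from the graph API."""
    data = client.cypher(UNCONSTRAINED_QUERY)
    return sorted(node["label"] for node in data.get("nodes", {}).values())


class FakeBloodHoundServer:
    """Constructed stand-in for the server so the example runs offline. It enforces the
    ordering the real API needs: a token before anything else, and start -> PUT -> end."""
    def __init__(self):
        self.log, self.uploads, self.ended = [], {}, set()

    def __call__(self, method, url, headers, body):
        path = "/api/" + url.split("/api/", 1)[1]
        self.log.append((method, path))
        if path == "/api/v2/login":
            creds = json.loads(body)
            if creds.get("login_method") != "secret" or creds.get("secret") != "correct horse":
                return 401, b'{"errors":[{"message":"unauthorized"}]}'
            return 200, b'{"data":{"session_token":"tok-constructed"}}'
        if headers.get("Authorization") != "Bearer tok-constructed":
            return 401, b'{"errors":[{"message":"unauthorized"}]}'
        if path == "/api/v2/file-upload/start":
            job_id = len(self.uploads) + 1
            self.uploads[job_id] = None
            return 201, json.dumps({"data": {"id": job_id}}).encode()
        if path.startswith("/api/v2/file-upload/") and path.endswith("/end"):
            job_id = int(path.split("/")[4])
            if self.uploads.get(job_id) is None:
                return 400, b'{"errors":[{"message":"no files uploaded"}]}'
            self.ended.add(job_id)
            return 200, b""
        if path.startswith("/api/v2/file-upload/") and method == "PUT":
            job_id = int(path.split("/")[4])
            if job_id not in self.uploads:
                return 404, b""
            self.uploads[job_id] = body
            return 202, b""
        if path == "/api/v2/graphs/cypher":
            return 200, json.dumps({"data": {"nodes": {
                "1": {"label": "DC01.CORP.LOCAL", "kind": "Computer"},
                "2": {"label": "FS01.CORP.LOCAL", "kind": "Computer"}}, "edges": []}}).encode()
        return 404, b""


def demo():
    """Login, ingest a constructed collector ZIP, query; returns (request log, job id, hosts)."""
    server = FakeBloodHoundServer()
    client = BloodHoundClient("https://bloodhound.example", transport=server)   # constructed host
    client.login("admin", "correct horse")                                        # constructed secret
    job_id = client.ingest(b"PK\x03\x04 constructed collector zip bytes")
    return server.log, job_id, unconstrained_delegation_hosts(client)


if __name__ == "__main__":
    print(demo())
```

Against a real instance, drop the `transport=server` argument so the default `urllib_transport` is used and point `base_url` at the BloodHound CE UI host. The stand-in deliberately rejects an `end` call with nothing uploaded and any unauthenticated call, so a client that reorders the ingest steps or forgets the token fails with an explicit HTTP error instead of silently producing an empty graph.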
## Common Cypher snippets
```cypher
// Owned -> Domain Admins (RID 512)
MATCH p=shortestPath((n {owned:true})-[*1..]->(g:Group)) WHERE g.objectid ENDS WITH "-512" RETURN p
// Unconstrained delegation computers
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c.name
// Entra Global Admins
MATCH p=(n)-[:AZGlobalAdmin*1..]->(:AZTenant) RETURN p
```