mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-26 19:54:37 +03:00
8cae0648ec
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):
- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
invocation, guardrails, model/data poisoning, system-prompt leakage,
embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration
Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
74 lines
3.6 KiB
Markdown
# GraphRunner Module Reference
Import with `Import-Module .\GraphRunner.ps1`. Run `List-GraphRunnerModules` for the live list.
## Authentication
| Function | Purpose |
|----------|---------|
| `Get-GraphTokens` | Device-code login; returns `$tokens` object (access + refresh) |
| `Invoke-RefreshGraphTokens` | Refresh the access token from the refresh token |
| `Invoke-AutoTokenRefresh` | Background auto-refresh during long operations |
| `Invoke-ImportTokens` | Import externally captured access/refresh tokens |
| `Invoke-RefreshToSharePointToken` | Exchange a Graph token for a SharePoint token |
| `Get-AzureAppTokens` / `Invoke-RefreshAzureAppTokens` | App (consent-grant) token flow |
| `Invoke-AutoOAuthFlow` / `Invoke-BruteClientIDAccess` | OAuth consent flow helpers |

## Recon & Enumeration
| Function | Purpose |
|----------|---------|
| `Invoke-GraphRecon` | Tenant + current-user permission summary (`-PermissionEnum`) |
| `Invoke-DumpCAPS` | Dump conditional-access policies (`-ResolveGuids`) |
| `Invoke-DumpApps` | App registrations, service principals, consent grants, reply URLs |
| `Get-AzureADUsers` | Enumerate all users (`-OutFile`) |
| `Get-SecurityGroups` / `Get-DirectoryRoles` | Enumerate groups / directory roles |
| `Get-UpdatableGroups` | Groups the current principal can modify (privesc) |
| `Get-DynamicGroups` | Dynamic membership groups |
| `Invoke-SearchUserAttributes` | Search all user attributes for a term (`-SearchTerm`) |
| `Invoke-GraphOpenInboxFinder` | Find mailboxes readable by the current user |
| `Find-PermissiveCalendars` | Find over-shared calendars |
| `Invoke-CheckAccess` | Check token validity/scope |
| `Get-EntraIDGroupInfo` / `Invoke-GroupLookup` | Group detail lookups |

## Privilege Escalation / Account Manipulation
| Function | Purpose |
|----------|---------|
| `Invoke-AddGroupMember` | Add a member to a group (`-GroupId -UserId`) |
| `Invoke-RemoveGroupMember` | Remove a group member |
| `Invoke-SecurityGroupCloner` | Clone a group's membership into a controlled group |
| `Create-SecurityGroupWithMembers` | Create a group with chosen members |
| `Invoke-InviteGuest` | Invite an external guest account |

## Persistence
| Function | Purpose |
|----------|---------|
| `Invoke-InjectOAuthApp` | Deploy a malicious OAuth app (`-AppName -ReplyUrl -Scope`) |
| `Invoke-DeleteOAuthApp` | Remove an injected app (cleanup) |
| `Invoke-CreateInboxForwardingRule` | Hidden inbox forwarding rule (`-ForwardTo -RuleName`) |

## Pillage / Data Search
| Function | Purpose |
|----------|---------|
| `Invoke-SearchMailbox` | Search mailbox(es) (`-SearchTerm -MessageCount -OutFile`) |
| `Invoke-SearchSharePointAndOneDrive` | Search SharePoint/OneDrive (`-SearchTerm`) |
| `Get-SharePointSiteURLs` | Enumerate SharePoint sites |
| `Invoke-DriveFileDownload` | Download a drive item (`-DriveItemIDs -FileName`) |
| `Invoke-SearchTeams` | Search Teams messages (`-SearchTerm`) |
| `Get-TeamsChat` / `Get-TeamsChannels` / `Get-TeamsApps` | Teams enumeration |
| `Get-Inbox` / `Invoke-ImmersiveFileReader` | Read inbox / files |

## Orchestration
| Function | Purpose |
|----------|---------|
| `Invoke-GraphRunner` | Automated recon + pillage pass |
| `List-GraphRunnerModules` | Print all available modules |

## Underlying Graph endpoints (examples)
Relative paths below are under the `https://graph.microsoft.com/v1.0` base shown in the first two rows.

| Action | Endpoint |
|--------|----------|
| List users | `GET https://graph.microsoft.com/v1.0/users` |
| List groups | `GET https://graph.microsoft.com/v1.0/groups` |
| Add group member | `POST /groups/{id}/members/$ref` |
| Search mail | `GET /me/messages?$search="term"` |
| Create app | `POST /applications` |
| Mail forwarding rule | `POST /me/mailFolders/inbox/messageRules` |