mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-14 19:55:16 +03:00
8cae0648ec
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):
- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
invocation, guardrails, model/data poisoning, system-prompt leakage,
embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration
Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
76 lines
2.6 KiB
Markdown
76 lines
2.6 KiB
Markdown
# OpenSSL PQC Command Reference
|
||
|
||
## Discovery
|
||
|
||
| Task | Command |
|
||
|------|---------|
|
||
| OpenSSL version (need 3.5+) | `openssl version` |
|
||
| List quantum-safe KEMs | `openssl list -kem-algorithms \| grep -i mlkem` |
|
||
| List quantum-safe signatures | `openssl list -signature-algorithms \| grep -Ei 'mldsa\|slhdsa'` |
|
||
| List TLS groups | `openssl list -tls-groups \| grep -i mlkem` |
|
||
| Inspect cert algorithm | `openssl x509 -in server.crt -noout -text \| grep -E 'Signature Algorithm\|Public Key'` |
|
||
|
||
## Key generation
|
||
|
||
| Task | Command (OpenSSL 3.5+) | oqs-provider (3.0–3.4) |
|
||
|------|------------------------|------------------------|
|
||
| ML-KEM-768 keypair | `openssl genpkey -algorithm ML-KEM-768 -out mlkem768.key` | `-algorithm mlkem768` |
|
||
| ML-DSA-65 keypair | `openssl genpkey -algorithm ML-DSA-65 -out mldsa65.key` | `-algorithm mldsa65` |
|
||
| Extract public key | `openssl pkey -in mldsa65.key -pubout -out mldsa65.pub` | same |
|
||
|
||
## Certificates
|
||
|
||
| Task | Command |
|
||
|------|---------|
|
||
| Self-signed ML-DSA cert | `openssl req -new -x509 -key mldsa65.key -out mldsa65.crt -days 365 -subj "/CN=pqc.example.com"` |
|
||
| Inspect signature alg | `openssl x509 -in mldsa65.crt -noout -text \| grep -A1 'Signature Algorithm'` |
|
||
|
||
## Sign / verify
|
||
|
||
| Task | Command |
|
||
|------|---------|
|
||
| Sign | `openssl dgst -sign mldsa65.key -out artifact.sig artifact.txt` |
|
||
| Verify | `openssl dgst -verify mldsa65.pub -signature artifact.sig artifact.txt` |
|
||
|
||
## Hybrid TLS key exchange
|
||
|
||
| Task | Command |
|
||
|------|---------|
|
||
| TLS server (hybrid group) | `openssl s_server -accept 4433 -www -tls1_3 -cert mldsa65.crt -key mldsa65.key -groups X25519MLKEM768` |
|
||
| TLS client (hybrid group) | `openssl s_client -connect localhost:4433 -tls1_3 -groups X25519MLKEM768` |
|
||
| Test public PQC endpoint | `openssl s_client -groups X25519MLKEM768 -tls1_3 -connect pq.cloudflareresearch.com:443` |
|
||
|
||
### Standardized hybrid TLS groups
|
||
|
||
| Group | Classical leg | PQC leg |
|
||
|-------|---------------|---------|
|
||
| X25519MLKEM768 | X25519 | ML-KEM-768 |
|
||
| SecP256r1MLKEM768 | NIST P-256 | ML-KEM-768 |
|
||
| SecP384r1MLKEM1024 | NIST P-384 | ML-KEM-1024 |
|
||
|
||
## NGINX hybrid config (OpenSSL 3.5+)
|
||
|
||
```nginx
|
||
ssl_protocols TLSv1.3;
|
||
ssl_ecdh_curve X25519MLKEM768:X25519:secp256r1; # hybrid first, classical fallback
|
||
```
|
||
|
||
## oqs-provider activation (openssl.cnf)
|
||
|
||
```ini
|
||
[provider_sect]
|
||
default = default_sect
|
||
oqsprovider = oqsprovider_sect
|
||
[default_sect]
|
||
activate = 1
|
||
[oqsprovider_sect]
|
||
activate = 1
|
||
```
|
||
|
||
## CBOM generation
|
||
|
||
| Tool | Command |
|
||
|------|---------|
|
||
| cbomkit-theia (dir) | `cbomkit-theia dir ./myapp --output cbom.json` |
|
||
| cdxgen (Java + crypto) | `cdxgen -t java --include-crypto -o cbom.json ./myapp` |
|