mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
915ea611e5
Skills added: - implementing-privileged-access-workstation (IAM, PAW hardening) - detecting-suspicious-oauth-application-consent (cloud security, Graph API) - performing-hardware-security-module-integration (cryptography, PKCS#11) - analyzing-android-malware-with-apktool (malware analysis, androguard) - hunting-for-unusual-service-installations (threat hunting, T1543.003) - detecting-shadow-it-cloud-usage (cloud security, proxy/DNS log analysis) - performing-active-directory-forest-trust-attack (red team, impacket) - implementing-deception-based-detection-with-canarytoken (deception, Canary API) - analyzing-office365-audit-logs-for-compromise (cloud security, BEC detection) - hunting-for-startup-folder-persistence (threat hunting, T1547.001) Each skill includes SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
1.9 KiB
1.9 KiB
name, description, domain, subdomain, tags, version, author, license
| name | description | domain | subdomain | tags | version | author | license | |||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| hunting-for-startup-folder-persistence | Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation, analyzing autoruns entries, and using Python watchdog for real-time filesystem monitoring. | cybersecurity | threat-hunting |
|
1.0 | mahipal | Apache-2.0 |
Hunting for Startup Folder Persistence
Overview
Attackers use Windows startup folders for persistence (MITRE ATT&CK T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Files placed in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup or C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup execute automatically at user logon. This skill scans startup directories for suspicious files, monitors for real-time changes using Python watchdog, and analyzes file metadata to detect persistence implants.
Prerequisites
- Python 3.9+ with
watchdog,pefile(optional for PE analysis) - Access to Windows startup folders (user and all-users)
- Windows Event Logs for Event ID 4663 correlation (optional)
Steps
- Enumerate all files in user and system startup directories
- Analyze file types, creation timestamps, and digital signatures
- Flag suspicious file extensions (.bat, .vbs, .ps1, .lnk, .exe)
- Check for recently created files (< 7 days) as potential implants
- Monitor startup folders in real-time using watchdog FileSystemEventHandler
- Correlate with known legitimate startup entries
- Generate threat hunting report with T1547.001 MITRE mapping
Expected Output
- JSON report listing all startup folder contents with risk scores, file metadata, and suspicious indicators
- Real-time monitoring alerts for new file creation in startup directories