Anthropic-Cybersecurity-Skills/skills/hunting-for-scheduled-task-persistence/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

API Reference — Hunting for Scheduled Task Persistence

Libraries Used

  • subprocess: Execute schtasks /query and schtasks /query /xml for task enumeration
  • csv: Parse schtasks CSV output for structured task analysis
  • python-evtx (Evtx): Parse Security EVTX for Event ID 4698 (Task Created)

CLI Interface

python agent.py enumerate                    # List and risk-score all tasks
python agent.py events --evtx-file <path>    # Scan EVTX for task creation events
python agent.py export --task-name <name>    # Export task XML definition

Core Functions

enumerate_tasks()

Runs schtasks /query /fo CSV /v and classifies each task as high/medium/low risk.

Returns: dict with total_tasks, high_risk, medium_risk, suspicious_tasks, non_vendor_tasks.

scan_event_log_4698(evtx_file)

Parses Windows Security EVTX for Event ID 4698 (Scheduled Task Created).

Parameters:

| Name | Type | Description |
|------|------|-------------|
| evtx_file | str | Path to Security .evtx log file |

export_task_xml(task_name)

Exports a task's full XML definition using schtasks /query /tn <name> /xml.

Risk Classification

| Risk | Criteria |
|------|----------|
| High | Action matches suspicious patterns (powershell -enc, certutil, temp paths) |
| Medium | Non-vendor task (not under \Microsoft\, \Google\, etc.) |
| Low | Known vendor task prefix |
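The classification above, applied to the two inputs enumerate_tasks() and scan_event_log_4698() consume, as an added example that is not the skill's own agent.py code. The schtasks CSV and the 4698 event record are constructed samples (the CSV column set is abbreviated), the vendor prefix list and the regexes are assumptions that mirror the table, and the event XML follows the shape python-evtx's record.xml() returns for a Security record. Event 4698 is only written when the "Other Object Access Events" audit subcategory is enabled, so an empty scan does not by itself mean no task was created.

```python
"""Risk-score scheduled tasks from schtasks CSV output and from Security Event ID
4698 records. Illustrative code, not the skill's agent.py; inputs are constructed."""
import csv
import io
import re
import xml.etree.ElementTree as ET

# Assumed vendor prefixes (the table names \Microsoft\ and \Google\).
VENDOR_PREFIXES = ("\\Microsoft\\", "\\Google\\")

# Action patterns the table calls high risk: encoded PowerShell, certutil, temp paths.
SUSPICIOUS_PATTERNS = [
    re.compile(r"powershell(\.exe)?\b.*\s-e(nc|ncodedcommand)?\b", re.IGNORECASE),
    re.compile(r"\bcertutil(\.exe)?\b", re.IGNORECASE),
    re.compile(r"\\temp\\|%temp%|\$env:temp\b", re.IGNORECASE),
]

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def is_vendor_task(task_name):
    return any(task_name.lower().startswith(p.lower()) for p in VENDOR_PREFIXES)


def classify(task_name, action):
    """'high' / 'medium' / 'low' per the table, checked in that order: a suspicious
    action wins even when the task sits under a vendor folder."""
    if any(p.search(action) for p in SUSPICIOUS_PATTERNS):
        return "high"
    if not is_vendor_task(task_name):
        return "medium"
    return "low"


def summarize_schtasks_csv(csv_text):
    """Parse `schtasks /query /fo CSV /v` output into the summary enumerate_tasks()
    documents. schtasks repeats the header line once per task folder, so header
    rows that reappear as data are skipped."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text.strip()))
            if r.get("TaskName") and r["TaskName"] != "TaskName"]
    summary = {"total_tasks": len(rows), "high_risk": 0, "medium_risk": 0,
               "suspicious_tasks": [], "non_vendor_tasks": []}
    for r in rows:
        name, action = r["TaskName"], r.get("Task To Run", "")
        level = classify(name, action)
        if level == "high":
            summary["high_risk"] += 1
            summary["suspicious_tasks"].append(name)
        elif level == "medium":
            summary["medium_risk"] += 1
        if not is_vendor_task(name):          # every non-vendor task, whatever its level
            summary["non_vendor_tasks"].append(name)
    return summary


def actions_from_task_xml(task_xml):
    """Every Exec action (Command + Arguments) in a task definition: the XML that
    schtasks /xml exports and that a 4698 event carries in its TaskContent field."""
    task = ET.fromstring(task_xml)
    return [f"{ex.findtext(f'{TASK}Command', '')} {ex.findtext(f'{TASK}Arguments', '')}".strip()
            for ex in task.iter(f"{TASK}Exec")]


def score_event_4698(event_xml):
    """Classify one Security event rendered as XML. Returns None unless it is a 4698."""
    root = ET.fromstring(event_xml)
    if root.findtext(f"{EVT}System/{EVT}EventID") != "4698":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT}Data")}
    name = data.get("TaskName", "")
    actions = actions_from_task_xml(data.get("TaskContent", "<Task/>"))
    return {"task_name": name,
            "created_by": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
            "actions": actions,
            "risk": classify(name, " ".join(actions))}


# Constructed sample of schtasks /query /fo CSV /v output (column set abbreviated).
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"WS01","\Contoso\Backup","Ready","CONTOSO\svc","C:\Program Files\Contoso\backup.exe --nightly","svc"
"WS01","\Updater","Ready","WS01\user","powershell.exe -nop -w hidden -enc SQBFAFgA","user"
"WS01","\Microsoft\Windows\Cleanup","Ready","WS01\user","certutil.exe -decode C:\Windows\Temp\a.txt C:\Windows\Temp\a.exe","SYSTEM"
'''

# Constructed Event ID 4698 record in the XML shape python-evtx returns.
SAMPLE_EVENT_4698 = r'''<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">user</Data>
    <Data Name="SubjectDomainName">WS01</Data>
    <Data Name="TaskName">\Updater</Data>
    <Data Name="TaskContent">&lt;Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;powershell.exe&lt;/Command&gt;&lt;Arguments&gt;-nop -w hidden -enc SQBFAFgA&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
  </EventData>
</Event>'''

if __name__ == "__main__":
    print(summarize_schtasks_csv(SAMPLE_SCHTASKS_CSV))
    print(score_event_4698(SAMPLE_EVENT_4698))
```

On a live host the CSV text comes from subprocess running the schtasks command the page lists, and each event string comes from python-evtx (`Evtx(path).records()` and `record.xml()`); both functions above take the text so they can also be run over exported artifacts offline. The \Microsoft\Windows\Cleanup sample shows why the suspicious-action test runs before the vendor-prefix test: a task name under a vendor folder alone says nothing about what the task executes.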

Dependencies

pip install python-evtx  # Optional, for EVTX parsing