hunt-credential-access
Hunt for credential access techniques like LSASS dumping or browser credential theft. Use when searching for evidence of credential harvesting. Takes MITRE technique IDs and searches for behavioral indicators in SIEM.
Install with Tessl CLI
npx tessl i github:dandye/ai-runbooks --skill hunt-credential-access95
Does it follow best practices?
Validation for skill structure
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its purpose in credential access threat hunting, provides explicit trigger conditions, and uses domain-specific terminology that security analysts would naturally use. The description effectively communicates both capabilities and usage context while maintaining distinctiveness through specific technique references.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'LSASS dumping', 'browser credential theft', 'credential harvesting', and 'searches for behavioral indicators in SIEM'. Also specifies input type (MITRE technique IDs). | 3 / 3 |
Completeness | Clearly answers both what ('Hunt for credential access techniques...searches for behavioral indicators in SIEM') and when ('Use when searching for evidence of credential harvesting') with explicit trigger guidance. | 3 / 3 |
Trigger Term Quality | Includes natural keywords users would say: 'credential access', 'LSASS dumping', 'browser credential theft', 'credential harvesting', 'MITRE technique IDs', 'SIEM'. Good coverage of security analyst terminology. | 3 / 3 |
Distinctiveness Conflict Risk | Highly specific niche targeting credential access hunting with distinct triggers like 'LSASS dumping', 'browser credential theft', and 'MITRE technique IDs'. Unlikely to conflict with general security or other threat hunting skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
92%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a high-quality skill with excellent actionability and workflow clarity. The UDM queries are specific and executable, the workflow has clear decision points and escalation paths, and the content respects Claude's intelligence. Minor improvement could come from better progressive disclosure by splitting technique-specific queries into a reference file.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is lean and efficient, providing technique tables, query examples, and workflow steps without explaining basic concepts Claude already knows. Every section serves a clear purpose with no padding. | 3 / 3 |
Actionability | Provides fully executable UDM queries, specific MCP tool calls with exact syntax, and concrete examples for each technique. The queries are copy-paste ready and cover multiple credential access scenarios. | 3 / 3 |
Workflow Clarity | Clear 7-step sequence with explicit validation points (Step 4 analysis criteria, Step 5 enrichment), decision branches for escalation vs conclusion, and feedback loops for detection gap documentation. | 3 / 3 |
Progressive Disclosure | Well-organized with clear sections and tables, but the content is somewhat monolithic. The technique-specific queries could be split into a reference file, and the skill references other skills (/document-in-case, /respond-compromised-account) without clear navigation structure. | 2 / 3 |
Total | 11 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.