github.com/mukul975/Anthropic-Cybersecurity-Skills
| Skill | Added | Review |
|---|---|---|
| `analyzing-packed-malware-with-upx-unpacker` Identifies and unpacks UPX-packed and other packed malware samples to expose the original executable code for static analysis. Covers both standard UPX unpacking and handling modified UPX headers that prevent automated decompression. Activates for requests involving malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis. | 84 Impact Pending No eval scenarios have been run Security by Passed No known issues Reviewed: Version: 888bbe4 | |
| `analyzing-active-directory-acl-abuse` Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths | 60 Impact Pending No eval scenarios have been run Security by Passed No known issues Reviewed: Version: 888bbe4 | |
| `analyzing-supply-chain-malware-artifacts` Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines, and sideloaded dependencies to identify intrusion vectors and scope of compromise. | 61 Impact Pending No eval scenarios have been run Security by Advisory Suggest reviewing before use Reviewed: Version: 888bbe4 | |
| `analyzing-tls-certificate-transparency-logs` Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate issuance, and shadow IT. Monitors newly issued certificates for typosquatting and brand impersonation using Levenshtein distance. Use for proactive phishing domain detection and certificate monitoring. | 74 Impact Pending No eval scenarios have been run Security by Advisory Suggest reviewing before use Reviewed: Version: 888bbe4 | |
| `auditing-tls-certificate-transparency-logs` Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains via CT data, and alert on suspicious certificate activity for owned domains. Uses the crt.sh API and direct CT log querying based on RFC 6962 to build continuous monitoring pipelines that catch rogue certificates, track CA behavior, and map the external attack surface. Activates for requests involving certificate transparency monitoring, CT log auditing, subdomain discovery via certificates, or certificate issuance alerting. | 64 Impact Pending No eval scenarios have been run Security by Advisory Suggest reviewing before use Reviewed: Version: 888bbe4 | |
| `analyzing-sbom-for-supply-chain-vulnerabilities` Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores, identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis, software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation. | 70 Impact Pending No eval scenarios have been run Security by Passed No known issues Reviewed: Version: 888bbe4 | |
| `building-identity-governance-lifecycle-process` Builds comprehensive identity governance and lifecycle management processes including joiner-mover-leaver automation, role mining, access request workflows, periodic recertification, and orphaned account remediation using IGA platforms. Activates for requests involving identity lifecycle management, JML processes, role-based access provisioning, or identity governance program design. | 75 Impact Pending No eval scenarios have been run Security by Passed No known issues Reviewed: Version: 888bbe4 | |
| `analyzing-malicious-pdf-with-peepdf` Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects. | 66 Impact Pending No eval scenarios have been run Security by Passed No known issues Reviewed: Version: 888bbe4 | |
| `analyzing-slack-space-and-file-system-artifacts` Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity on NTFS volumes. | 69 Impact Pending No eval scenarios have been run Security by Critical Do not install without reviewing Reviewed: Version: 888bbe4 | |
| `analyzing-uefi-bootkit-persistence` Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition (ESP) modifications, Secure Boot bypass techniques, and UEFI variable manipulation. Covers detection of known bootkit families (BlackLotus, LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, chipsec-based firmware integrity verification, and Secure Boot configuration auditing. Activates for requests involving UEFI malware analysis, firmware persistence investigation, boot chain integrity verification, or Secure Boot bypass detection. | 90 Impact Pending No eval scenarios have been run Security by Advisory Suggest reviewing before use Reviewed: Version: 888bbe4 | |
| `analyzing-malware-persistence-with-autoruns` Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems. | 78 Impact Pending No eval scenarios have been run Security by Passed No known issues Reviewed: Version: 888bbe4 | |
| `analyzing-browser-forensics-with-hindsight` Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation. | 69 Impact Pending No eval scenarios have been run Security by Critical Do not install without reviewing Reviewed: Version: 888bbe4 | |
| `analyzing-kubernetes-audit-logs` Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications, privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating Kubernetes cluster compromise or building k8s-specific SIEM detection rules. | 74 Impact Pending No eval scenarios have been run Security by Passed No known issues Reviewed: Version: 888bbe4 | |
| `analyzing-threat-actor-ttps-with-mitre-attack` MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh | 48 Impact Pending No eval scenarios have been run Security by Advisory Suggest reviewing before use Reviewed: Version: 888bbe4 | |
| `analyzing-linux-system-artifacts` Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity. | 69 Impact Pending No eval scenarios have been run Security by Risky Do not use without reviewing Reviewed: Version: 888bbe4 | |
| `analyzing-cobalt-strike-beacon-configuration` Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, malleable profiles, and operator tradecraft. | 72 Impact Pending No eval scenarios have been run Security by Critical Do not install without reviewing Reviewed: Version: 888bbe4 | |
| `analyzing-network-traffic-for-incidents` Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation, PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection. | 85 Impact Pending No eval scenarios have been run Security by Advisory Suggest reviewing before use Reviewed: Version: 888bbe4 | |
| `building-detection-rules-with-sigma` Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence, mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac or pySigma backends. | 90 Impact Pending No eval scenarios have been run Security by Critical Do not install without reviewing Reviewed: Version: 888bbe4 | |
| `analyzing-ransomware-leak-site-intelligence` Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence on group tactics, and assess sector-specific ransomware risk for proactive defense. | 66 Impact Pending No eval scenarios have been run Security by Advisory Suggest reviewing before use Reviewed: Version: 888bbe4 | |
| `analyzing-cobaltstrike-malleable-c2-profiles` Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures. | 55 Impact Pending No eval scenarios have been run Security by Risky Do not use without reviewing Reviewed: Version: 888bbe4 | |
| `analyzing-outlook-pst-for-email-forensics` Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments, deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident response. | 72 Impact Pending No eval scenarios have been run Security by Advisory Suggest reviewing before use Reviewed: Version: 888bbe4 | |
| `analyzing-network-flow-data-with-netflow` Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis to identify flows with abnormal byte counts, connection durations, and periodic timing patterns. | 67 Impact Pending No eval scenarios have been run Security by Passed No known issues Reviewed: Version: 888bbe4 | |
| `analyzing-azure-activity-logs-for-threats` Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections. | 71 Impact Pending No eval scenarios have been run Security by Passed No known issues Reviewed: Version: 888bbe4 | |
| `building-cloud-siem-with-sentinel` This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR platform for centralized security operations. It details configuring data connectors for multi-cloud log ingestion, writing KQL detection queries, building automated response playbooks with Logic Apps, and leveraging the Sentinel data lake for petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry. | 69 Impact Pending No eval scenarios have been run Security by Passed No known issues Reviewed: Version: 888bbe4 | |
| `analyzing-api-gateway-access-logs` Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection. Use when investigating API abuse or building API-specific threat detection rules. | 74 Impact Pending No eval scenarios have been run Security by Passed No known issues Reviewed: Version: 888bbe4 | |