CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-cobalt-strike-beacon-configuration

Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, malleable profiles, and operator tradecraft.

66

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Risky

Do not use without reviewing

SKILL.md
Quality
Evals
Security

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The content is highly actionable with executable code and a clear, validated workflow, but it is somewhat verbose and fails to use its own bundle files — inlining scripts instead of referencing them. Tightening prose and linking the existing scripts/assets/references would lift the weaker dimensions.

Suggestions

Move the four inline Python scripts into the existing scripts/ bundle and reference them (e.g., 'See scripts/ for extract_beacon_config.py'), keeping only short illustrative snippets inline.

Link assets/template.md in the Validation Criteria or Workflow section so analysts know a report template exists.

Trim the Overview and Key Concepts to operational specifics (XOR keys, TLV layout, watermark use) and drop general Cobalt Strike background Claude already knows.

DimensionReasoningScore

Conciseness

The body is mostly efficient and skill-specific (XOR keys, TLV type maps) but the Overview and Key Concepts restate background an IR analyst — and Claude — already know, and prose around the code could be tightened; not quite the lean 'every token earns its place' anchor at 3.

2 / 3

Actionability

Provides four complete, executable Python scripts plus a YARA rule and Suricata signatures that are copy-paste ready, matching the fully-executable anchor rather than the pseudocode anchor at 2.

3 / 3

Workflow Clarity

Steps 1–4 are clearly sequenced, the manual decryption step includes a feedback loop (tries v4 then v3 XOR keys, reports found/not-found), and a Validation Criteria checklist closes the process, meeting the explicit-validation anchor.

3 / 3

Progressive Disclosure

Sections are organized and external web links are present, but the provided bundle files (scripts/, assets/template.md, references/) are never referenced from the body and four long code blocks are inlined rather than split out, fitting the 'content that should be separate is inline / references not signaled' anchor at 2 rather than the well-signaled one-level-deep anchor at 3.

2 / 3

Total

10

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific and well-targeted with strong natural trigger terms and low conflict risk, but it omits an explicit 'Use when...' clause, capping completeness at 2. Adding a trigger guidance sentence would raise it to a fully strong description.

Suggestions

Append an explicit trigger clause such as 'Use when analyzing Cobalt Strike beacon payloads, responding to incidents involving beacon artifacts, or hunting for C2 infrastructure.' to satisfy the 'when' half of completeness.

Mirror common phrasings users might say (e.g., 'beacon config', 'CS beacon', 'stager shellcode') to broaden natural trigger coverage.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — 'Extract and analyze Cobalt Strike beacon configuration' and 'identify C2 infrastructure, malleable profiles, and operator tradecraft' — matching the multiple-specific-actions anchor rather than the single-domain anchor at 2.

3 / 3

Completeness

Clearly states what the skill does but lacks any 'Use when...' clause or explicit trigger guidance, so per the judging guidelines completeness is capped at 2 rather than reaching the explicit-both anchor at 3.

2 / 3

Trigger Term Quality

Uses natural terms an analyst would actually say ('Cobalt Strike beacon configuration', 'PE files', 'memory dumps', 'C2 infrastructure', 'malleable profiles') with good coverage, not generic jargon.

3 / 3

Distinctiveness Conflict Risk

Targets a narrow, well-defined niche (Cobalt Strike beacon config extraction) with distinct triggers, making conflict with other skills unlikely and clearly above the 'could still overlap' anchor at 2.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.