github.com/mukul975/Anthropic-Cybersecurity-Skills
| Skill | Description | Added | Review |
|---|---|---|---|
| `auditing-azure-active-directory-configuration` | Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies, overly permissive role assignments, stale accounts, conditional access gaps, and guest user risks using AzureAD PowerShell, Microsoft Graph API, and ScoutSuite. | 69 | Impact: Pending (no eval scenarios have been run). Security: Passed (no known issues). Reviewed version: 888bbe4 |
| `analyzing-malware-family-relationships-with-malpedia` | Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families to threat actors, and integrate YARA rules for detection across malware lineages. | 66 | Impact: Pending (no eval scenarios have been run). Security: Risky (do not use without reviewing). Reviewed version: 888bbe4 |
| `auditing-terraform-infrastructure-for-security` | Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults before cloud deployment. | 69 | Impact: Pending (no eval scenarios have been run). Security: Advisory (suggest reviewing before use). Reviewed version: 888bbe4 |
| `analyzing-email-headers-for-phishing-investigation` | Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation. | 69 | Impact: Pending (no eval scenarios have been run). Security: Risky (do not use without reviewing). Reviewed version: 888bbe4 |
| `analyzing-windows-shellbag-artifacts` | Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags Explorer. | 61 | Impact: Pending (no eval scenarios have been run). Security: Passed (no known issues). Reviewed version: 888bbe4 |
| `analyzing-windows-lnk-files-for-artifacts` | Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers for forensic timeline reconstruction. | 69 | Impact: Pending (no eval scenarios have been run). Security: Passed (no known issues). Reviewed version: 888bbe4 |
| `analyzing-cyber-kill-chain` | Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed Martin kill chain framework. | 84 | Impact: Pending (no eval scenarios have been run). Security: Passed (no known issues). Reviewed version: 888bbe4 |
| `building-incident-response-playbook` | Designs and documents structured incident response playbooks that define step-by-step procedures for specific incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident response procedure documentation, response runbook development, or SOAR playbook design. | 90 | Impact: Pending (no eval scenarios have been run). Security: Advisory (suggest reviewing before use). Reviewed version: 888bbe4 |
| `analyzing-ethereum-smart-contract-vulnerabilities` | Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy, integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet. | 55 | Impact: Pending (no eval scenarios have been run). Security: Passed (no known issues). Reviewed version: 888bbe4 |
| `analyzing-heap-spray-exploitation` | Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large allocations in process virtual address space. | 60 | Impact: Pending (no eval scenarios have been run). Security: Passed (no known issues). Reviewed version: 888bbe4 |
| `auditing-cloud-with-cis-benchmarks` | This skill details how to conduct cloud security audits using Center for Internet Security benchmarks for AWS, Azure, and GCP. It covers interpreting CIS Foundations Benchmark controls, running automated assessments with tools like Prowler and ScoutSuite, remediating failed controls, and maintaining continuous compliance monitoring against CIS v5 for AWS, v4 for Azure, and v4 for GCP. | 78 | Impact: Pending (no eval scenarios have been run). Security: Passed (no known issues). Reviewed version: 888bbe4 |
| `analyzing-ransomware-network-indicators` | Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange via Zeek conn.log and NetFlow analysis. | 63 | Impact: Pending (no eval scenarios have been run). Security: Passed (no known issues). Reviewed version: 888bbe4 |
| `building-identity-federation-with-saml-azure-ad` | Establish SAML 2.0 identity federation between on-premises Active Directory and Azure AD (Microsoft Entra ID) for seamless cross-domain authentication and SSO to cloud applications. | 74 | Impact: Pending (no eval scenarios have been run). Security: Advisory (suggest reviewing before use). Reviewed version: 888bbe4 |
| `analyzing-malware-sandbox-evasion-techniques` | Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports. | 61 | Impact: Pending (no eval scenarios have been run). Security: Passed (no known issues). Reviewed version: 888bbe4 |
| `analyzing-apt-group-with-mitre-navigator` | Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense. | 72 | Impact: Pending (no eval scenarios have been run). Security: Advisory (suggest reviewing before use). Reviewed version: 888bbe4 |
| `analyzing-ios-app-security-with-objection` | Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered toolkit that enables security testers to interact with app internals without jailbreaking. Use when assessing iOS app security posture, bypassing client-side protections, dumping keychain items, inspecting filesystem storage, and evaluating runtime behavior. Activates for requests involving iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile runtime exploration. | 82 | Impact: Pending (no eval scenarios have been run). Security: Passed (no known issues). Reviewed version: 888bbe4 |
| `building-attack-pattern-library-from-cti-reports` | Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering and threat-informed defense. | 66 | Impact: Pending (no eval scenarios have been run). Security: Advisory (suggest reviewing before use). Reviewed version: 888bbe4 |
| `analyzing-dns-logs-for-exfiltration` | Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass traditional network security controls. | 85 | Impact: Pending (no eval scenarios have been run). Security: Passed (no known issues). Reviewed version: 888bbe4 |
| `analyzing-cloud-storage-access-patterns` | Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection. | 67 | Impact: Pending (no eval scenarios have been run). Security: Passed (no known issues). Reviewed version: 888bbe4 |
| `auditing-gcp-iam-permissions` | Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage, service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender. | 78 | Impact: Pending (no eval scenarios have been run). Security: Passed (no known issues). Reviewed version: 888bbe4 |
| `analyzing-powershell-script-block-logging` | Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts. | 67 | Impact: Pending (no eval scenarios have been run). Security: Passed (no known issues). Reviewed version: 888bbe4 |
| `auditing-aws-s3-bucket-permissions` | Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, overly permissive ACLs, misconfigured bucket policies, and missing encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege data access controls. | 83 | Impact: Pending (no eval scenarios have been run). Security: Passed (no known issues). Reviewed version: 888bbe4 |
| `analyzing-docker-container-forensics` | Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and evidence. | 80 | Impact: Pending (no eval scenarios have been run). Security: Advisory (suggest reviewing before use). Reviewed version: 888bbe4 |
| `automating-ioc-enrichment` | Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time and standardize enrichment outputs. Use when building automated enrichment workflows integrated with SIEM alerts, email submission pipelines, or bulk IOC processing from threat feeds. Activates for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment pipelines, or automated IOC processing. | 82 | Impact: Pending (no eval scenarios have been run). Security: Advisory (suggest reviewing before use). Reviewed version: 888bbe4 |
| `analyzing-pdf-malware-with-pdfid` | Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode, exploits, and suspicious objects without opening the document. Determines the attack vector and extracts embedded payloads for further analysis. Activates for requests involving PDF malware analysis, malicious document analysis, PDF exploit investigation, or suspicious attachment triage. | 81 | Impact: Pending (no eval scenarios have been run). Security: Advisory (suggest reviewing before use). Reviewed version: 888bbe4 |