github.com/mukul975/Anthropic-Cybersecurity-Skills
| Skill | Description | Impact | Eval | Security | Reviewed | Version |
|---|---|---|---|---|---|---|
| analyzing-linux-elf-malware | Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, cryptominers, ransomware, and rootkits targeting Linux servers, containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis, ELF binary investigation, Linux server compromise assessment, or container malware analysis. | 85 | Pending: No eval scenarios have been run | Risky: Do not use without reviewing | | 888bbe4 |
| analyzing-security-logs-with-splunk | Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis, security event correlation, or log-based incident investigation. | 90 | Pending: No eval scenarios have been run | Passed: No known issues | | 888bbe4 |
| analyzing-bootkit-and-rootkit-samples | Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Volume Boot Record (VBR), or UEFI firmware to gain persistence below the operating system. Covers boot sector analysis, UEFI module inspection, and anti-rootkit detection techniques. Activates for requests involving bootkit analysis, MBR malware investigation, UEFI persistence analysis, or pre-OS malware detection. | 90 | Pending: No eval scenarios have been run | Advisory: Suggest reviewing before use | | 888bbe4 |
| analyzing-network-traffic-of-malware | Analyzes network traffic generated by malware during sandbox execution or live incident response to identify C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based malware detection. | 85 | Pending: No eval scenarios have been run | Passed: No known issues | | 888bbe4 |
| analyzing-linux-kernel-rootkits | Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures. | 55 | Pending: No eval scenarios have been run | Advisory: Suggest reviewing before use | | 888bbe4 |
| analyzing-office365-audit-logs-for-compromise | Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and other indicators of account compromise. | 61 | Pending: No eval scenarios have been run | Passed: No known issues | | 888bbe4 |
| building-c2-infrastructure-with-sliver-framework | Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements. | 69 | Pending: No eval scenarios have been run | Critical: Do not install without reviewing | | 888bbe4 |
| analyzing-web-server-logs-for-intrusion | Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers. | 69 | Pending: No eval scenarios have been run | Advisory: Suggest reviewing before use | | 888bbe4 |
| analyzing-usb-device-connection-history | Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable media usage and potential data exfiltration. | 78 | Pending: No eval scenarios have been run | Passed: No known issues | | 888bbe4 |
| analyzing-threat-intelligence-feeds | Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics, and campaign context. Use when ingesting commercial or open-source CTI feeds, evaluating feed quality, normalizing data into STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates for requests involving ThreatConnect, Recorded Future, Mandiant Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines. | 70 | Pending: No eval scenarios have been run | Advisory: Suggest reviewing before use | | 888bbe4 |
| building-incident-timeline-with-timesketch | Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source event data for attack chain reconstruction and investigation documentation. | 46 | Pending: No eval scenarios have been run | Advisory: Suggest reviewing before use | | 888bbe4 |
| building-adversary-infrastructure-tracking-system | Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor threat actor command-and-control networks. | 72 | Pending: No eval scenarios have been run | Advisory: Suggest reviewing before use | | 888bbe4 |
| building-devsecops-pipeline-with-gitlab-ci | Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning, dependency scanning, and secret detection. | 72 | Pending: No eval scenarios have been run | Advisory: Suggest reviewing before use | | 888bbe4 |
| analyzing-lnk-file-and-jump-list-artifacts | Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format. | 69 | Pending: No eval scenarios have been run | Passed: No known issues | | 888bbe4 |
| analyzing-ransomware-payment-wallets | Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies wallet clusters, tracks fund movement through mixers and exchanges, and supports law enforcement attribution. Activates for requests involving ransomware payment tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain intelligence gathering. | 70 | Pending: No eval scenarios have been run | Advisory: Suggest reviewing before use | | 888bbe4 |
| analyzing-windows-prefetch-with-python | Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history, detect renamed or masquerading binaries, and identify suspicious program execution patterns. | 49 | Pending: No eval scenarios have been run | Passed: No known issues | | 888bbe4 |
| analyzing-indicators-of-compromise | Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines. | 87 | Pending: No eval scenarios have been run | Risky: Do not use without reviewing | | 888bbe4 |
| analyzing-android-malware-with-apktool | Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection. | 61 | Pending: No eval scenarios have been run | Advisory: Suggest reviewing before use | | 888bbe4 |
| analyzing-powershell-empire-artifacts | Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events. | 61 | Pending: No eval scenarios have been run | Risky: Do not use without reviewing | | 888bbe4 |
| analyzing-memory-forensics-with-lime-and-volatility | Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility 3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux memory images. Use when performing incident response on compromised Linux systems. | 74 | Pending: No eval scenarios have been run | Advisory: Suggest reviewing before use | | 888bbe4 |
| analyzing-persistence-mechanisms-in-linux | Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring. | 66 | Pending: No eval scenarios have been run | Passed: No known issues | | 888bbe4 |
| analyzing-golang-malware-with-ghidra | Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries. | 57 | Pending: No eval scenarios have been run | Risky: Do not use without reviewing | | 888bbe4 |
| analyzing-prefetch-files-for-execution-history | Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced files for forensic investigation. | 69 | Pending: No eval scenarios have been run | Passed: No known issues | | 888bbe4 |
| building-detection-rule-with-splunk-spl | Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify security threats in SOC environments. | 67 | Pending: No eval scenarios have been run | Passed: No known issues | | 888bbe4 |
| analyzing-windows-amcache-artifacts | Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman's AmcacheParser and Timeline Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation. | 90 | Pending: No eval scenarios have been run | Advisory: Suggest reviewing before use | | 888bbe4 |