Anthropic-Cybersecurity-Skills

Extract DPAPI-protected secrets such as credentials and browser data offline and online.

Take over Active Directory user and computer accounts by writing alternate certificate keys to msDS-KeyCredentialLink (Shadow Credentials) with pyWhisker, Whisker, and Certipy, then authenticate via PKINIT.

Test vector stores for embedding inversion, cross-tenant leakage, and poisoning.

Enumerate Entra ID with ROADrecon and acquire and exchange tokens with roadtx.

Run OAuth 2.0 device-code and illicit-consent phishing against Microsoft Entra ID to steal access and refresh tokens, bypass MFA, and pivot across Microsoft 365 services.

Run Microsoft Entra ID tenant reconnaissance, token acquisition and manipulation, and federation backdoor testing with the AADInternals PowerShell toolkit to validate identity-attack resilience.

Find over-permissive RBAC roles and service-account token abuse paths in Kubernetes using kubectl auth can-i, rbac-police, kubectl-who-can, and rakkess during authorized cluster security reviews.

Scan Model Context Protocol servers and tool metadata for poisoning, SSRF, and unauthenticated exposure.

Use Intel CHIPSEC to assess platform firmware configuration, SPI flash write protection, BIOS lock, SMM/SMRR, and Secure Boot variable state, dump SPI flash, and triage UEFI variables for firmware-level threats.

Run CIS Kubernetes Benchmark checks and remediate findings with kube-bench.

Architect redirectors with nginx and Apache, malleable profiles, and OPSEC for resilient C2.

Generate log2timeline and Plaso super-timelines and triage them in Timesketch.

Trigger machine account authentication with PetitPotam (MS-EFSR) and Coercer across MS-RPRN, MS-DFSNM, and MS-FSRVP to feed NTLM relay into AD CS Web Enrollment (ESC8) and other relay targets.

Wire Promptfoo and DeepTeam into CI/CD for automated regression red-teaming of LLM apps against OWASP LLM Top 10 and OWASP Agentic presets, failing the build when jailbreak or injection vulnerabilities regress.

Deploy Llama Guard, NeMo Guardrails, and LLM Guard input/output scanners as runtime defenses.

Plant canarytokens and honey credentials and alert on breach.

Write and deploy Falco rules with the modern eBPF driver to detect container escape, namespace abuse, privileged mounts, and anomalous syscalls at runtime in Kubernetes and Docker.

Identify poisoned training data and backdoored models across the ML pipeline.

Detect and prevent public-over-private name resolution in npm, PyPI, and Maven.

Hunt AADGraphActivityLogs and MicrosoftGraphActivityLogs in Microsoft Sentinel/Log Analytics for fingerprints of offensive Entra ID tools such as ROADtools, AADInternals, and AzureHound.

Detect and defend against prompt injection hidden in documents, web pages, and images consumed by an agent.

Triage npm packages for install-script malware, exfiltration, and worming behavior.

Detect model stealing, model inversion, and membership inference performed through inference-API abuse by monitoring query patterns, applying output perturbation, and red-teaming your own model's extractability.

Detect bootkits such as BlackLotus and Bootkitty and Secure Boot bypass via DBX and binary checks.

Flag misspelled, brandjacked, and typosquatted package names across npm, PyPI, and crates.io before installation using edit-distance, keyboard-proximity, and known-target corpus matching with typomania, OSSGadget, and pypi-scan.

Detonate granular AWS, Azure, GCP, and Kubernetes attack techniques to validate detections with Stratus Red Team.

Map AWS and Azure attack paths and find exploitable misconfigurations with CloudFox.

Exploit privileged pods, host mounts, runC CVEs, and exposed Docker sockets to break out of a container and reach the underlying host during authorized container-security assessments.

Enumerate and exploit Active Directory Certificate Services ESC1 through ESC16 misconfigurations with Certipy, including SAN abuse, NTLM relay to web enrollment (ESC8), and golden certificate forgery.

Use Pacu modules for AWS privilege escalation, persistence, and backdooring.

Deploy a Velociraptor server and agents and write VQL hunts across a fleet.

Produce and ingest CycloneDX and SPDX SBOMs and correlate them to vulnerability intelligence.

Produce Sigma-based EVTX timelines and summaries with Hayabusa.

Baseline the EFI System Partition and hunt malicious EFI binaries (ESPecter, BlackLotus, Bootkitty, Glupteba) by mounting the ESP, hashing and verifying boot loaders, scanning with YARA, and detecting anomalous non-EFI files.

Perform rapid Sigma and keyword hunting across Windows event logs with Chainsaw.

Detect SSO and OAuth token replay and SaaS lateral movement.

Collect Active Directory data with SharpHound and Entra ID data with AzureHound, ingest into BloodHound Community Edition, and analyze on-prem, cloud, and hybrid attack paths with built-in queries and custom Cypher.

Inventory cryptography, deploy hybrid X25519 and ML-KEM, and prioritize harvest-now-decrypt-later data.

Model threat actors, intrusion sets, campaigns, and TTPs as a STIX 2.1 knowledge graph in OpenCTI (Filigran) using the pycti Python client, connectors, and import workers for structured cyber threat intelligence.

Use NetExec for SMB, WinRM, LDAP, and MSSQL enumeration, password spraying, and execution.