| name | Blue Team Defense & Hardening |
| description | System hardening, detection engineering, security baseline monitoring, patch management, defense-in-depth architecture, and security posture improvement |
| version | 3.0.0 |
| author | Masriyan |
| tags | ["cybersecurity","blue-team","defense","hardening","detection","baseline","siem","endpoint","cis"] |
Blue Team Defense & Hardening
Purpose
Enable Claude to assist defenders with comprehensive security hardening, detection rule engineering, security baseline establishment, patch management, and security architecture review. Claude directly analyzes provided configurations, scripts, and system state — then produces specific hardening commands, detection rules, and improvement plans.
Activation Triggers
This skill activates when the user asks about:
- Hardening Linux (Ubuntu, RHEL, CentOS, Debian) servers
- Hardening Windows Server or Windows workstations (CIS Benchmarks)
- Creating detection rules (Sigma, Splunk, KQL, YARA, Snort/Suricata)
- Security baseline definition and monitoring
- Patch management strategy and prioritization
- Security architecture review (defense-in-depth, zero trust)
- Implementing Sysmon, auditd, or Windows audit policy
- Hardening SSH, nginx, Apache, or database configurations
- Network security controls and microsegmentation
- Endpoint protection (EDR, HIPS) configuration guidance
- Security posture improvement after a red team or pentest
Prerequisites
pip install pyyaml jinja2 requests
Tools used in this skill:
Sysmon — Windows endpoint telemetry (SwiftOnSecurity config recommended)
auditd — Linux audit daemon
Lynis — Linux security auditing tool
OpenSCAP / oscap — CIS/STIG compliance scanning
fail2ban — SSH and service brute-force protection
CIS-CAT — CIS Benchmark compliance tool
Core Capabilities
1. Linux System Hardening
When the user asks to harden a Linux server:
Claude produces specific commands ready to run.
SSH Hardening
cat >> /etc/ssh/sshd_config << 'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers [specific_users]
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
PrintMotd no
Banner /etc/ssh/banner
Subsystem sftp /usr/lib/openssh/sftp-server -l INFO
EOF
sshd -t && systemctl restart sshd
Kernel Hardening (sysctl)
cat > /etc/sysctl.d/99-security.conf << 'EOF'
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
kernel.dmesg_restrict = 1
kernel.sysrq = 0
kernel.kptr_restrict = 2
kernel.yama.ptrace_scope = 1
EOF
sysctl --system
Firewall Configuration (iptables/nftables)
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow from [monitoring_ip] to any port 9100
ufw enable
ufw status verbose
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "iptables-DROP: " --log-level 7
iptables -A INPUT -j DROP
iptables-save > /etc/iptables/rules.v4
File System Security
find / -perm /4000 -type f 2>/dev/null | sort
find / -perm /2000 -type f 2>/dev/null | sort
chmod u-s /usr/bin/at
find / -perm -002 -type f 2>/dev/null | grep -v proc
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/sudoers
apt-get install aide
aideinit
aide --check
Audit Logging (auditd)
apt-get install auditd
cat > /etc/audit/rules.d/hardening.rules << 'EOF'
-a always,exit -F arch=b64 -S execve -k exec_tracking
-a always,exit -F arch=b32 -S execve -k exec_tracking
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k sudo_use
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k su_use
-a always,exit -F arch=b64 -S sethostname -k network_changes
-w /etc/hosts -p wa -k network_changes
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /var/spool/cron/ -p wa -k cron
-w /etc/ssh/sshd_config -p wa -k sshd_config
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -k delete
-e 2
EOF
service auditd restart
ausearch -k sudo_use -i
ausearch -k identity -i
Linux Hardening Checklist
Authentication:
[ ] Root login disabled (local and SSH)
[ ] Password authentication disabled for SSH (key-only)
[ ] Strong password policy enforced (PAM pwquality)
[ ] sudo configured with minimal privilege (specific commands, no NOPASSWD)
[ ] Inactive accounts locked or removed (>90 days)
Services:
[ ] Unnecessary services disabled (systemctl list-units --state=active)
[ ] No listening services on 0.0.0.0 that shouldn't be public
[ ] Web server runs as non-root user
[ ] Database not accessible from internet
Kernel & OS:
[ ] Security patches current (apt upgrade / yum update)
[ ] ASLR enabled (randomize_va_space=2)
[ ] ptrace restrictions (yama.ptrace_scope=1)
[ ] Core dumps disabled or restricted
[ ] AppArmor/SELinux in enforcing mode
Monitoring:
[ ] auditd installed and running
[ ] Log forwarding to SIEM configured
[ ] File integrity monitoring active
[ ] fail2ban installed for SSH protection
2. Windows System Hardening
When the user asks to harden a Windows system:
PowerShell — Immediate Hardening Commands:
# Disable LLMNR (used in LLMNR poisoning attacks)
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Force
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" `
-Name "EnableMulticast" -Value 0 -Type DWord
# Disable NBT-NS (NetBIOS Name Service — used in Responder attacks)
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPEnabled}
foreach ($adapter in $adapters) {
$adapter.SetTcpipNetbios(2) # 2 = Disable NetBIOS over TCP/IP
}
# Enable PowerShell Script Block Logging
$psLogPath = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $psLogPath -Force
Set-ItemProperty -Path $psLogPath -Name "EnableScriptBlockLogging" -Value 1
# Disable SMBv1 (EternalBlue vulnerability)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
# Enable Windows Defender real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50
Update-MpSignature
# Enable Windows Firewall on all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
# Enable Credential Guard (requires Windows 10/2016+)
# Set via Group Policy: Computer Configuration → Administrative Templates →
# System → Device Guard → Turn On Virtualization Based Security
Sysmon Deployment for Endpoint Visibility:
# Download Sysmon and SwiftOnSecurity config
Invoke-WebRequest -Uri "https://live.sysinternals.com/Sysmon64.exe" -OutFile C:\Windows\Sysmon64.exe
# Deploy with SwiftOnSecurity config (most commonly recommended)
# Download config: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
Sysmon64.exe -accepteula -i sysmonconfig-export.xml
# Verify Sysmon is running
Get-Service Sysmon64
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 10
Windows Audit Policy:
# Enable comprehensive Windows audit policy
# (Or configure via Group Policy → Computer Config → Windows Settings → Security Settings → Advanced Audit Policy)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Account Lockout" /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"Policy Change" /success:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
# Enable command line logging in Event ID 4688
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
/v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
Windows Hardening Checklist (CIS Level 1):
Account Security:
[ ] Guest account disabled
[ ] Local Administrator account disabled or renamed
[ ] LAPS deployed (Local Administrator Password Solution)
[ ] No accounts with "Password never expires"
[ ] Account lockout: 5 attempts, 30-min lockout
[ ] Admin accounts not used for daily tasks
Network Security:
[ ] SMBv1 disabled
[ ] LLMNR disabled via GPO
[ ] NBT-NS disabled on all NICs
[ ] RDP restricted to VPN/jump host access only
[ ] WinRM access restricted to admin systems
[ ] PowerShell remoting disabled where not needed
Logging & Monitoring:
[ ] Windows Defender enabled and updated
[ ] EDR agent deployed and communicating
[ ] Sysmon deployed with current config
[ ] Event log size: Security 1GB+, System 512MB+, Application 256MB+
[ ] Log forwarding to SIEM configured
System Configuration:
[ ] BitLocker enabled on all endpoints
[ ] AppLocker or WDAC configured for application control
[ ] UAC: Prompt for credentials for all apps
[ ] Windows Update: Automatic, critical updates immediate
[ ] Unnecessary features removed (Telnet, SMB1, PowerShell 2.0)
[ ] WDAC Code Integrity policies for servers
3. Detection Engineering
When the user asks to create detection rules:
Claude produces complete, ready-to-deploy detection rules.
Detection Rule Development Workflow:
Step 1: Define what you're detecting
- What specific behavior? (not "malware" but "PowerShell download cradle")
- Which ATT&CK technique? (T1059.001 — PowerShell)
- What data sources? (PowerShell logs, process creation, network)
Step 2: Collect sample telemetry
- Capture true positive examples (from lab, red team, threat intel)
- Collect false positive examples (legitimate activity)
Step 3: Identify unique indicators
- What distinguishes malicious from legitimate?
- Avoid indicators that change between variants (file names, IPs)
- Prefer behavioral indicators (parent-child process, network pattern)
Step 4: Write and tune the rule
- Start with high-confidence, low-noise detection
- Test against both TP and FP datasets
- Add exceptions for known-legitimate patterns
Step 5: Deploy and monitor
- Track alert volume: sudden increase = new FP
- Review untuned rules monthly
Detection Rule Templates:
title: Office Application Spawning Script Interpreter
id: d2b45b6c-7b4e-4c2f-a8b9-1234567890ab
status: stable
description: Detects Office applications spawning script interpreters — common in macro-based initial access
references:
- https://attack.mitre.org/techniques/T1566/001/
tags:
- attack.initial_access
- attack.t1566.001
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\WINWORD.EXE'
- '\EXCEL.EXE'
- '\POWERPNT.EXE'
- '\MSACCESS.EXE'
- '\MSPUB.EXE'
- '\outlook.exe'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
condition: selection_parent and selection_child
falsepositives:
- Some legitimate macros may spawn cmd.exe for administrative purposes (rare)
level: high
Suricata Network Detection Rule:
# Detect C2 traffic via HTTP with suspicious pattern
alert http $HOME_NET any -> $EXTERNAL_NET any (
msg:"MALWARE Generic HTTP C2 Beacon - Suspicious Pattern";
flow:established,to_server;
http.method; content:"POST";
http.request_body; content:!"";
http.user_agent; content:"Mozilla/4.0 (compatible; MSIE 6.0;";
http.uri; pcre:"/\/[a-z]{8}(\/[a-z]{4})?$/"; # Random 8-char path
threshold:type both, track by_src, count 3, seconds 300;
classtype:trojan-activity;
sid:9100001;
rev:1;
)
YARA Rule for Host-Based Detection:
rule Suspicious_PowerShell_Download_Cradle {
meta:
author = "Blue Team"
description = "Detects PowerShell download cradle in scripts or command lines"
date = "2025-05-28"
strings:
$cradle1 = "(New-Object Net.WebClient).DownloadString" ascii wide nocase
$cradle2 = "IEX(New-Object" ascii wide nocase
$cradle3 = "Invoke-Expression (Invoke-WebRequest" ascii wide nocase
$cradle4 = "[System.Net.WebClient]" ascii wide nocase
$cradle5 = "iex (iwr" ascii wide nocase
$encoded = "-EncodedCommand " ascii wide nocase
$bypass = "-ExecutionPolicy Bypass" ascii wide nocase
$nop = "-WindowStyle Hidden" ascii wide nocase
condition:
any of ($cradle*) or (2 of ($encoded, $bypass, $nop))
}
4. Security Baseline Monitoring
When the user asks to define or monitor security baselines:
Baseline Definition Framework:
## Security Baseline — [System Type] — [Environment]
### Normal Behavior Profiles
**Authentication Baseline:**
- Admin accounts: Only log in during business hours (08:00–18:00 local)
- Service accounts: Never have interactive logon (Event 4624 Type 2)
- Failed logins: <5 per user per day (>5 = investigate)
- New login locations: Alert on first-time country/city
**Process Baseline:**
- Web server: Never spawns cmd.exe or powershell.exe
- Database: No outbound network connections except DB clients
- System processes: Parent process matches expected (e.g., services.exe → svchost.exe)
**Network Baseline:**
- Workstations: No direct SMB to other workstations (server-to-server OK)
- DNS: <100 queries per minute per host; 50+ unique domains per hour = investigate
- Egress: Only expected protocols (HTTPS, DNS, SMTP for mail servers)
**File System Baseline:**
- System directories: No new executables in \Windows\System32\ between patches
- User directories: Alert on new .exe, .dll, .ps1 in %APPDATA%
- Logs: Never deleted (alert on Event ID 1102)
Automated Baseline Checks:
netstat -tulnap > /tmp/services_current.txt
diff /tmp/services_baseline.txt /tmp/services_current.txt
ps auxf > /tmp/processes_current.txt
diff /tmp/processes_baseline.txt /tmp/processes_current.txt
find /bin /sbin /usr/bin /usr/sbin /lib -newer /tmp/baseline_timestamp -type f 2>/dev/null
Get-Service | Where-Object {$_.Status -eq "Running"} | Select-Object Name,DisplayName | Sort-Object Name
python scripts/hardening_checker.py --os ubuntu --output report.json
python scripts/hardening_checker.py --os windows --cis-level 1 --output report.json
5. Patch Management Strategy
When the user asks about patch management:
Patch Prioritization Matrix:
| CVSS | Exploitability | In CISA KEV? | Priority | SLA |
|---|
| 9.0–10.0 | Remote, no auth | Yes | P1 — Emergency | 24 hours |
| 9.0–10.0 | Remote, no auth | No | P1 — Critical | 48 hours |
| 7.0–8.9 | Remote | Any | P2 — High | 7 days |
| 4.0–6.9 | Local | Any | P3 — Medium | 30 days |
| 0.1–3.9 | Any | No | P4 — Low | 90 days |
| 0.0 | N/A | N/A | P5 — Info | Next cycle |
Patch Rollout Process:
1. RECEIVE patch (vendor advisory, CVE, CISA alert)
2. ASSESS severity and exploitability (CVSS + CISA KEV check)
3. TEST in non-production environment (Dev → QA → Staging)
4. PLAN rollout window (off-peak, with rollback procedure)
5. DEPLOY to production (phased: 10% → 50% → 100%)
6. VERIFY patch applied and service running
7. MONITOR for regressions (24-48 hours)
8. DOCUMENT in change management system
Track patch debt:
apt list --upgradable 2>/dev/null | wc -l
apt list --upgradable 2>/dev/null | grep -i security
yum check-update --security
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
(New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher().Search("IsInstalled=0 and Type='Software'").Updates | Select-Object Title
6. Security Architecture Review
When the user asks to review security architecture:
Defense-in-Depth Framework:
Layer 1 — Perimeter Defense
├── External firewall / WAF
├── IDS/IPS (Suricata/Snort)
├── DDoS protection
└── DNS filtering
Layer 2 — Network Segmentation
├── VLANs: Servers / Users / IoT / Guests / Management
├── East-west traffic controls
├── Micro-segmentation for critical systems
└── Network access control (802.1X)
Layer 3 — Endpoint Defense
├── EDR (CrowdStrike, SentinelOne, Defender for Endpoint)
├── AV / NGAV
├── Host firewall
└── Application control (AppLocker / WDAC)
Layer 4 — Identity & Access Management
├── MFA for all users
├── Privileged Access Management (PAM)
├── JIT / JEA (Just-in-Time, Just-Enough-Admin)
└── Zero Trust Network Access (ZTNA)
Layer 5 — Data Protection
├── Encryption at rest (BitLocker, dm-crypt)
├── Encryption in transit (TLS 1.2/1.3)
├── Data Loss Prevention (DLP)
└── Backup with integrity verification
Layer 6 — Detection & Response
├── SIEM (log aggregation + correlation)
├── SOAR (automated response)
├── Threat intelligence feeds
└── Vulnerability management
Zero Trust Assessment Checklist:
Identity Verification:
[ ] All access requires strong authentication (MFA)
[ ] Identity verified continuously, not just at login
[ ] Privileged accounts isolated (PAW — Privileged Access Workstations)
[ ] Service-to-service authentication (not just user-to-service)
Network Micro-Segmentation:
[ ] No implicit trust between network segments
[ ] East-west inspection enabled
[ ] Access granted per-application, not per-network
[ ] Least-privilege network access enforced
Device Trust:
[ ] Device health verified before access granted
[ ] MDM/EMM for endpoint management
[ ] Certificate-based authentication where possible
[ ] Unmanaged/BYOD devices isolated
Application Security:
[ ] Applications authenticated, not just networks
[ ] API gateway for service-to-service calls
[ ] RBAC enforced at application layer
[ ] Secrets management (Vault, not environment variables)
Post-Engagement Hardening
When the user wants to harden based on red team findings:
## Post-Red-Team Hardening Priority List
Given findings from [Engagement Date] assessment:
### P1 — Immediate (48 hours)
- [ ] Disable LLMNR and NBT-NS (used for initial credential capture)
→ `Set-ItemProperty HKLM:\... EnableMulticast 0`
- [ ] Enable MFA for all admin accounts (used for lateral movement)
- [ ] Patch [CVE-2024-XXXX] on all internet-facing servers
### P2 — This Week
- [ ] Deploy Sysmon with SwiftOnSecurity config (detection gap)
- [ ] Enable PowerShell Script Block Logging (GPO)
- [ ] Block PsExec from non-admin hosts via AppLocker
### P3 — This Month
- [ ] Implement LAPS (Local Admin Password Solution)
- [ ] Deploy network segmentation (workstation-to-workstation blocking)
- [ ] Enable credential guard on domain-joined workstations
### P4 — Next Quarter
- [ ] Implement Privileged Access Workstations (PAW) for IT admins
- [ ] Deploy deception technology (honeypots/honeytokens)
- [ ] Red team readiness exercise (purple team)
Script Reference
hardening_checker.py
python scripts/hardening_checker.py --os ubuntu --output report.json
python scripts/hardening_checker.py --os ubuntu --cis-level 1 --fix-mode
python scripts/hardening_checker.py --os windows --cis-level 1 --output report.json
Skill Integration
| Condition | Adjacent Skill |
|---|
| Red team findings → create remediation plan | ← Skill 14 (Red Team Operations) |
| Detection rules → deploy to SIEM | → Skill 12 (Log Analysis) |
| New detection rules → add to CSOC | → Skill 11 (CSOC Automation) |
| Vulnerability scanner findings → patch plan | ← Skill 02 (Vulnerability Scanner) |
| Threat hunt gaps → improve detection coverage | ← Skill 06 (Threat Hunting) |
References
v3.0 Enhancements (2026 Update)
Detection-as-code and modern baselines:
- Current OS baselines — Windows 11 / Server 2025 and recent Linux CIS benchmarks; enforce LAPS (Windows LAPS), Credential Guard, and Attack Surface Reduction (ASR) rules.
- Telemetry that matters — deploy a maintained Sysmon config (SwiftOnSecurity/Olaf base), enable PowerShell script-block + module logging, command-line auditing, and ship to the SIEM; on Linux use auditd + eBPF (Falco/Tetragon).
- Detection-as-code — manage Sigma detections in git with tests and CI conversion to the target SIEM; track ATT&CK coverage as a measurable metric (DeTT&CT-style).
- Identity hardening — phishing-resistant MFA (FIDO2/passkeys), conditional access, and tiered admin (PAW) to counter token theft and AD escalation.
- Zero Trust maturity — assess against CISA's Zero Trust Maturity Model pillars (identity, device, network, app, data) and report a maturity score per pillar.
- Cloud & container hardening — extend baselines to cloud workloads and Kubernetes (ties to Skill 10); validate with the included checker and CSPM.
Precision rule: every recommendation pairs the hardening change with the detection that proves it (or catches its bypass).