Detects T1547.001 Windows startup folder persistence by monitoring suspicious file creations, analyzing autoruns entries, and using Python watchdog for real-time filesystem monitoring.
npx claudepluginhub killvxk/cybersecurity-skills-zh

This skill uses the workspace's default tool permissions.
Attackers use the Windows Startup folder for persistence (MITRE ATT&CK T1547.001, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Files placed in `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` or `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup` are executed automatically when the user logs on. This skill scans the startup directories for suspicious files, monitors changes in real time with Python watchdog, and analyzes file metadata to detect persistence implants.
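The detection loop the paragraph describes (scan both Startup folders, record file metadata and a hash, flag names that Explorer or a script host would execute, and keep watching with watchdog) as an added example. This is not the skill's own code: the extension list, the `desktop.ini` allowlist, the `--watch` flag and the `demo()` sample files are assumptions chosen for illustration, and the folder paths are resolved from `APPDATA` and `ProgramData` exactly as the paragraph names them.

```python
"""Startup-folder persistence scanner (T1547.001) with optional watchdog monitoring.

Added example, not the plugin's own code. Extension list, allowlist and the
--watch flag are assumptions made for illustration.
"""
import hashlib
import os
import sys
import tempfile
import time
from datetime import datetime, timezone

try:  # watchdog is only needed for real-time mode; the one-shot scan works without it
    from watchdog.events import FileSystemEventHandler
    from watchdog.observers import Observer
    HAVE_WATCHDOG = True
except ImportError:
    FileSystemEventHandler = object
    HAVE_WATCHDOG = False

# Extensions Explorer or a script host will run when found in a Startup folder (assumed list)
EXEC_EXTENSIONS = {".exe", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf",
                   ".ps1", ".hta", ".scr", ".com", ".pif", ".lnk", ".url"}
# Files that legitimately live in Startup folders (assumed allowlist)
BENIGN_NAMES = {"desktop.ini"}


def startup_dirs():
    """The per-user and all-users Startup folders, resolved from environment variables."""
    appdata = os.environ.get("APPDATA", r"C:\Users\Default\AppData\Roaming")
    programdata = os.environ.get("ProgramData", r"C:\ProgramData")
    tail = r"Microsoft\Windows\Start Menu\Programs\Startup"
    return [os.path.join(appdata, tail), os.path.join(programdata, tail)]


def name_indicators(name):
    """Filename-only heuristics; returns the reasons a name looks like an implant."""
    lower = name.lower()
    if lower in BENIGN_NAMES:
        return []
    reasons = []
    root, ext = os.path.splitext(lower)
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable/script extension {ext}")
        inner_ext = os.path.splitext(root)[1]
        if inner_ext:  # e.g. invoice.pdf.exe masquerading as a document
            reasons.append(f"double extension {inner_ext}{ext}")
    if "\u202e" in name:  # right-to-left override hides the real extension
        reasons.append("RTLO character in filename")
    return reasons


def assess_file(path):
    """Metadata and SHA-256 for one file, plus the reasons it was flagged."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    reasons = name_indicators(os.path.basename(path))
    if st.st_size == 0:
        reasons.append("zero-byte file")
    return {"path": path, "size": st.st_size, "sha256": digest,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "recent": time.time() - st.st_mtime < 24 * 3600,  # context for triage
            "reasons": reasons, "suspicious": bool(reasons)}


def scan_directory(directory):
    """One-shot scan of a Startup folder; returns assessments of flagged files only."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            report = assess_file(entry.path)
            if report["suspicious"]:
                findings.append(report)
    return findings


class StartupFolderHandler(FileSystemEventHandler):
    """Assesses files as they are created, changed or moved into a watched folder."""
    def on_created(self, event):
        self._report(event.src_path, event.is_directory)

    def on_modified(self, event):
        self._report(event.src_path, event.is_directory)

    def on_moved(self, event):
        self._report(event.dest_path, event.is_directory)

    def _report(self, path, is_directory):
        if is_directory or not os.path.isfile(path):
            return
        r = assess_file(path)
        print(f"[{'SUSPICIOUS' if r['suspicious'] else 'info'}] {path} "
              f"sha256={r['sha256'][:16]}... {r['reasons']}")


def monitor(dirs):
    """Watch the given folders until Ctrl-C; requires the watchdog package."""
    if not HAVE_WATCHDOG:
        raise RuntimeError("pip install watchdog to enable real-time monitoring")
    observer = Observer()
    for d in dirs:
        if os.path.isdir(d):
            observer.schedule(StartupFolderHandler(), d, recursive=False)
    observer.start()
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        pass
    finally:
        observer.stop()
        observer.join()


def demo():
    """Constructed sample Startup folder (not real data) run through scan_directory."""
    tmp = tempfile.mkdtemp(prefix="startup_demo_")
    samples = {"desktop.ini": b"[.ShellClassInfo]", "notes.txt": b"reminder",
               "invoice.pdf.exe": b"MZ\x90\x00", "update.vbs": b"CreateObject"}
    for name, body in samples.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(body)
    return sorted(os.path.basename(f["path"]) for f in scan_directory(tmp))


if __name__ == "__main__":
    dirs = [a for a in sys.argv[1:] if a != "--watch"] or startup_dirs()
    for d in dirs:
        for f in scan_directory(d):
            print(f"[SUSPICIOUS] {f['path']} sha256={f['sha256']} {f['reasons']}")
    if "--watch" in sys.argv:
        monitor(dirs)
```

Run it with no arguments for a one-shot scan of both Startup folders, or add `--watch` to keep the watchdog observer running; `.lnk` shortcuts are flagged deliberately, since a shortcut's target (not the shortcut itself) is what needs verifying, and the `recent` field is kept as triage context rather than a flag so that a routine installer dropping a file does not page anyone on its own.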
Analyzes Windows malware persistence using Sysinternals Autoruns, scanning registry keys, scheduled tasks, services, drivers, and startups. Automates suspicious entry detection with Python.
watchdog, pefile (optional, for PE analysis)