From cybersecurity-skills
Hunts Advanced Persistent Threats (APTs) via hypothesis-driven queries on endpoint telemetry, network logs, and memory artifacts using MITRE ATT&CK, Velociraptor, osquery, Zeek. For threat hunting cycles and anomaly probes.
npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills
This skill uses the workspace's default tool permissions.
Use this skill when:
Do not use this skill as a substitute for incident response when a confirmed breach is in progress — escalate to IR procedures (NIST SP 800-61).
Select a threat actor relevant to your sector using MITRE ATT&CK Groups (https://attack.mitre.org/groups/). Review the group's known TTPs mapped to ATT&CK techniques. Example hypothesis: "APT29 (Cozy Bear) uses spearphishing with ISO attachments (T1566.001) and living-off-the-land binaries (T1218) — test for unusual mshta.exe and rundll32.exe parent-child relationships."
Document hypothesis using the Threat Hunting Loop framework: hypothesis → data collection → pattern analysis → response.
Map each ATT&CK technique to required log sources using the ATT&CK Data Sources taxonomy:
Verify log coverage using ATT&CK Coverage Calculator or a custom data source matrix.
Velociraptor VQL hunt for unusual PowerShell execution:

```sql
SELECT Pid, Ppid, Name, CommandLine, CreateTime
FROM pslist()
WHERE Name =~ "powershell.exe"
  AND CommandLine =~ "-enc|-nop|-w hidden"
```
osquery for persistence via scheduled tasks:

```sql
SELECT name, action, enabled, path
FROM scheduled_tasks
WHERE action NOT LIKE '%System32%'
  AND enabled = 1;
```
Splunk SPL for lateral movement via PsExec:

```spl
index=windows EventCode=7045 ServiceFileName="*PSEXESVC*"
| stats count by ComputerName, ServiceName, ServiceFileName
```
For each anomaly identified, pivot across dimensions:
Apply the Diamond Model (adversary, capability, infrastructure, victim) to structure findings.
If hunting reveals confirmed malicious activity, activate IR procedures. If hunting reveals a gap (hunt found nothing but data coverage was insufficient), document the coverage gap and remediate.
Convert successful hunt queries into SIEM detection rules using Sigma format for portability across platforms.
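As an added example (not part of this skill's own files), the PowerShell hunt from the VQL query above run in Python over constructed sample telemetry, then expressed as a Sigma process_creation rule as the step above describes. The sample events and the rule id are constructed placeholders; the ATT&CK tag T1059.001 (PowerShell) is the technique the hunt exercises.

```python
import json
import re

# Constructed sample process-creation telemetry (not real data); the fields
# mirror the Velociraptor pslist() columns used by the VQL hunt in the text.
SAMPLE_EVENTS = r"""
{"Pid": 4120, "Ppid": 812, "Name": "powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "CreateTime": "2024-05-01T08:12:03Z"}
{"Pid": 4188, "Ppid": 3344, "Name": "powershell.exe", "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1", "CreateTime": "2024-05-01T08:15:41Z"}
{"Pid": 4310, "Ppid": 1200, "Name": "mshta.exe", "CommandLine": "mshta.exe C:\\Users\\Public\\page.hta", "CreateTime": "2024-05-01T08:20:09Z"}
{"Pid": 4402, "Ppid": 2200, "Name": "powershell.exe", "CommandLine": "powershell.exe -w hidden -c Get-Date", "CreateTime": "2024-05-01T08:22:57Z"}
"""

# Same predicate as the VQL hunt: process name is powershell.exe and the
# command line carries an encoded-command, no-profile or hidden-window switch.
# Note the hunt-grade looseness: "-enc" also matches "-Encoding", so tune the
# pattern (or add exclusions) before promoting it to an alerting rule.
NAME_RE = re.compile(r"powershell\.exe", re.IGNORECASE)
CMDLINE_RE = re.compile(r"-enc|-nop|-w hidden", re.IGNORECASE)


def hunt_powershell(jsonl: str) -> list[dict]:
    """Return the telemetry rows (as dicts) that satisfy the hunt hypothesis."""
    hits = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        if NAME_RE.search(event["Name"]) and CMDLINE_RE.search(event["CommandLine"]):
            hits.append(event)
    return hits


def to_sigma(rule_id: str) -> dict:
    """Express the same hunt as a Sigma rule; rule_id is a caller-supplied UUID."""
    return {
        "title": "Suspicious PowerShell Execution Switches",
        "id": rule_id,
        "status": "experimental",
        "description": "Hunt-derived: PowerShell launched with -enc, -nop or -w hidden",
        "logsource": {"category": "process_creation", "product": "windows"},
        "detection": {
            "selection": {
                "Image|endswith": "\\powershell.exe",
                # A list under |contains is an OR, matching the regex alternation.
                "CommandLine|contains": ["-enc", "-nop", "-w hidden"],
            },
            "condition": "selection",
        },
        "falsepositives": ["Administrative scripts that use -EncodedCommand"],
        "level": "medium",
        "tags": ["attack.execution", "attack.t1059.001"],
    }
```

Dump the returned dict with PyYAML (or any YAML writer) to get a rule file that sigma-cli can convert to the target SIEM's query language.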
| Term | Definition |
|---|---|
| TTP | Tactics, Techniques, and Procedures — adversary behavioral patterns as defined in MITRE ATT&CK |
| Diamond Model | Analytical framework with four vertices (adversary, capability, infrastructure, victim) used to structure intrusion analysis |
| Living-off-the-Land (LotL) | Attacker technique using legitimate OS tools (PowerShell, WMI, certutil) to evade detection |
| UEBA | User and Entity Behavior Analytics — detection of deviations from learned user and entity behavior baselines, typically ML-based |
| Sigma | Open, SIEM-agnostic detection rule format for log events; plays the role for log detection that YARA plays for file content |
| Hunt Hypothesis | A testable prediction about adversary presence based on threat intelligence and environmental knowledge |