Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

killvxk/analyzing-cobalt-strike-malleable-profiles

Name: analyzing-cobalt-strike-malleable-profiles
Author: killvxk

skills/analyzing-cobalt-strike-malleable-profiles/SKILL.md

npx skillsauth add killvxk/cybersecurity-skills-zh analyzing-cobalt-strike-malleable-profiles

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

分析 Cobalt Strike 可延展配置文件

使用说明

使用 pyMalleableC2 库解析可延展 C2 配置文件，提取失陷指标（IOC）和检测机会。结合 JARM 指纹识别来识别 C2 服务器。

from malleablec2 import Profile

# 从文件解析可延展配置文件
profile = Profile.from_file("amazon.profile")

# 提取全局选项（休眠时间、抖动、User-Agent）
print(profile.ast.pretty())

# 获取 HTTP-GET 块的 URI 和 Headers，用于构建网络签名
# 获取 HTTP-POST 块中的数据外泄模式
# 对已知 C2 基础设施生成 JARM 指纹

关键分析步骤：

解析可延展配置文件，提取 HTTP-GET/POST URI 模式
提取 User-Agent 字符串和自定义 Headers，用于 IDS 签名
识别休眠时间和抖动，用于设置 Beacon 检测阈值
使用 JARM 扫描可疑 IP，与已知 C2 指纹哈希进行匹配
将提取的 IOC 与网络流量日志进行交叉参考

示例

# 解析配置文件并提取检测指标
from malleablec2 import Profile
p = Profile.from_file("cobaltstrike.profile")
print(p)  # 重建的源码

# 对可疑 C2 服务器进行 JARM 扫描
import subprocess
result = subprocess.run(
    ["python3", "jarm.py", "suspect-server.com"],
    capture_output=True, text=True
)
print(result.stdout)
# 将指纹与已知 CS JARM 哈希进行比对

killvxk/analyzing-cobalt-strike-malleable-profiles

skills/analyzing-cobalt-strike-malleable-profiles/SKILL.md

使用 pyMalleableC2 解析 Cobalt Strike 可延展 C2 配置文件，提取 Beacon 配置、HTTP 通信模式以及休眠/抖动设置。结合 JARM TLS 指纹识别在网络上检测 C2 服务器。适用于调查疑似 Cobalt Strike 基础设施或为 C2 流量构建检测签名。

9 stars

tools

Updated Apr 16, 2026

$ install --global

skillsauth

npx skillsauth add killvxk/cybersecurity-skills-zh analyzing-cobalt-strike-malleable-profiles

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 16, 2026, 10:47 PM10.8s3 files scanned

SKILL.md

name:: analyzing-cobalt-strike-malleable-profiles
description:: >
domain:: cybersecurity
subdomain:: security-operations
tags:: [analyzing, cobalt, strike, malleable]
version:: 1.0
author:: mahipal
license:: Apache-2.0

分析 Cobalt Strike 可延展配置文件

使用说明

使用 pyMalleableC2 库解析可延展 C2 配置文件，提取失陷指标（IOC）和检测机会。结合 JARM 指纹识别来识别 C2 服务器。

from malleablec2 import Profile

# 从文件解析可延展配置文件
profile = Profile.from_file("amazon.profile")

# 提取全局选项（休眠时间、抖动、User-Agent）
print(profile.ast.pretty())

# 获取 HTTP-GET 块的 URI 和 Headers，用于构建网络签名
# 获取 HTTP-POST 块中的数据外泄模式
# 对已知 C2 基础设施生成 JARM 指纹

关键分析步骤：

解析可延展配置文件，提取 HTTP-GET/POST URI 模式
提取 User-Agent 字符串和自定义 Headers，用于 IDS 签名
识别休眠时间和抖动，用于设置 Beacon 检测阈值
使用 JARM 扫描可疑 IP，与已知 C2 指纹哈希进行匹配
将提取的 IOC 与网络流量日志进行交叉参考

示例

# 解析配置文件并提取检测指标
from malleablec2 import Profile
p = Profile.from_file("cobaltstrike.profile")
print(p)  # 重建的源码

# 对可疑 C2 服务器进行 JARM 扫描
import subprocess
result = subprocess.run(
    ["python3", "jarm.py", "suspect-server.com"],
    capture_output=True, text=True
)
print(result.stdout)
# 将指纹与已知 CS JARM 哈希进行比对

Related Skills

killvxk/conducting-social-engineering-penetration-test

testing

VerifiedTrustedCommunity

设计并执行社会工程学渗透测试，包括钓鱼、语音钓鱼、短信钓鱼和物理借口活动，以衡量人员安全韧性并识别培训差距。

10SKILL.mdUpdated Apr 29, 2026

killvxk/conducting-social-engineering-penetration-test

killvxk/conducting-post-incident-lessons-learned

testing

VerifiedTrustedCommunity

主持结构化的事件后审查，以识别根本原因、记录有效和无效的措施，并提出可操作的改进建议以提升未来的事件响应能力。

10SKILL.mdUpdated Apr 29, 2026

killvxk/conducting-post-incident-lessons-learned

killvxk/conducting-phishing-incident-response

testing

VerifiedTrustedCommunity

通过分析举报的邮件、提取指标、评估凭据受攻陷情况、在全组织范围隔离恶意邮件并修复受影响账号来响应网络钓鱼事件。涵盖邮件头分析、URL/附件沙箱检测和邮箱范围清除操作。适用于网络钓鱼响应、邮件事件、凭据钓鱼、鱼叉式网络钓鱼调查或钓鱼修复相关请求。

10SKILL.mdUpdated Apr 29, 2026

killvxk/conducting-phishing-incident-response

killvxk/conducting-pass-the-ticket-attack

tools

VerifiedTrustedCommunity

票据传递（Pass-the-Ticket，PtT）是一种横向移动技术，使用窃取的 Kerberos 票据（TGT 或 TGS）在不知道用户密码的情况下向服务进行认证。通过从已控制的主机内存中提取 Kerberos 票据，攻击者可以将这些票据注入自己的会话以模拟票据所有者。

10SKILL.mdUpdated Apr 29, 2026

killvxk/conducting-pass-the-ticket-attack

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/killvxk/cybersecurity-skills-zh.git

# Copy into Claude Code skills folder (global)
cp -r cybersecurity-skills-zh/skills/analyzing-cobalt-strike-malleable-profiles ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

killvxk/cybersecurity-skills-zh

9 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT