Can this skill be used during an active incident?

Yes, it is specifically designed to help incident responders scope the extent of a compromise by identifying how an adversary is maintaining access to the environment.

Does it provide a standardized reporting format?

Yes, it generates hunt findings in a structured format including Hunt ID, Technique, Evidence, Risk Level, and Recommended Actions.

Which security tools is this skill compatible with?

The skill provides workflow guidance and query patterns for EDR/SIEM platforms like CrowdStrike Falcon, Microsoft Defender for Endpoint, Splunk, Elastic Security, and Sysmon.

What specific registry techniques does this skill detect?

It targets common persistence vectors including Registry Run keys, Winlogon helper DLLs, Image File Execution Options (IFEO) injection, and COM hijacking.

Is this skill aligned with industry frameworks?

Yes, it is closely mapped to the MITRE ATT&CK framework, specifically targeting techniques T1547 and T1546.

Registry Persistence Threat Hunter

Name: Registry Persistence Threat Hunter
Author: micsapp

bymicsapp

0•

Security & Testing

Detects and analyzes registry-based persistence mechanisms in Windows environments to identify potential security compromises.

This skill empowers Claude to assist security analysts in proactively hunting for malicious persistence techniques within Windows registries. By targeting specific vectors like Run keys, Winlogon helper DLLs, IFEO injections, and COM hijacking, it streamlines the identification of APT activities and malware artifacts. It guides users through formulating hypotheses, executing EDR or SIEM queries, and correlating findings with the MITRE ATT&CK framework, making it an essential tool for incident response, purple team exercises, and routine security assessments.

Key Features

010 GitHub stars

02Detects IFEO injections and COM object hijacking artifacts

03Provides structured output formats for incident reporting

04Analyzes Registry Run keys and Winlogon modifications for anomalies

05Identifies MITRE ATT&CK persistence techniques (T1547, T1546)

06Offers guidance for querying EDR platforms like CrowdStrike and MDE

Use Cases

01Scoping compromise extent during an active incident response

02Proactive threat hunting based on recent threat intelligence

03Validating EDR or SIEM alerts related to suspicious registry modifications

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills hunting-for-registry-persistence-mechanisms

For use in Claude.ai and ChatGPT

Key Features

010 GitHub stars

02Detects IFEO injections and COM object hijacking artifacts

03Provides structured output formats for incident reporting

04Analyzes Registry Run keys and Winlogon modifications for anomalies

05Identifies MITRE ATT&CK persistence techniques (T1547, T1546)

06Offers guidance for querying EDR platforms like CrowdStrike and MDE

Use Cases

01Scoping compromise extent during an active incident response

02Proactive threat hunting based on recent threat intelligence

03Validating EDR or SIEM alerts related to suspicious registry modifications

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills hunting-for-registry-persistence-mechanisms

For use in Claude.ai and ChatGPT