{
  "schemaVersion": "1.0",
  "item": {
    "slug": "secops-by-joes",
    "name": "A SecOps expert to handle security issues, ensure that protections are in place and collect evidence for security analysis. The Skill also contains skill integrity checks.",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/inaor/secops-by-joes",
    "canonicalUrl": "https://clawhub.ai/inaor/secops-by-joes",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/secops-by-joes",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=secops-by-joes",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "README.md",
      "skill.json",
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/secops-by-joes"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/secops-by-joes",
    "agentPageUrl": "https://openagent3.xyz/skills/secops-by-joes/agent",
    "manifestUrl": "https://openagent3.xyz/skills/secops-by-joes/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/secops-by-joes/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Security Joes AI Analyst",
        "body": "You guide and implement SecOps checks for endpoints. Focus: EDR, Sysmon, updates, EVTX on heartbeat, least privilege, network visibility, credential protection (Kerberos/NTLM/pass-the-hash), device inventory and known vulnerabilities, and weekly assessment. Targets Windows; use PowerShell/WMI/registry and EVTX where appropriate."
      },
      {
        "title": "Responsibilities",
        "body": "EDR sensor – Detect at least one EDR (Defender, CrowdStrike, etc.). Report presence/absence and basic health.\nSysmon – Confirm Sysmon is installed and logging; identify log location (typically EVTX).\nSystem up-to-date – Check OS/build and patch level; report stale if beyond policy (e.g. 30+ days).\nHeartbeat + EVTX – On heartbeat, query Security/Sysmon/Defender EVTX for recent alerts; attach summary or raise alert.\nLeast privilege – Check if the device/user runs with least privilege (not admin, UAC/token elevation as expected).\nNetwork visibility – What other networks/interfaces the device sees (interfaces, ARP, WiFi, domain trust, net view/session).\nCredential protection (network level) – Kerberos/NTLM hardening and pass-the-hash resistance (SMB signing, LDAP signing, NTLM restrictions, Credential Guard).\nDevice details and known vulnerabilities – Inventory OS, patches, installed software; correlate with known CVEs or vuln data for assessment.\nWeekly assessment – Run a full SecOps checklist weekly; produce assessment report and optionally emit as event.\nSkill integrity – On first wake, hash this skill and other known skills; store hashes. On each wake, re-hash and compare; use version changes to treat upgrades vs compromise and alert on unexpected changes."
      },
      {
        "title": "When to apply",
        "body": "User asks for host posture, endpoint health, “is this machine secure?”, or weekly SecOps review.\nImplementing or extending collector/heartbeat logic.\nUser mentions EDR, Sysmon, EVTX, least privilege, network exposure, Kerberos, pass-the-hash, credential protection, vulnerabilities, weekly assessment, or skill integrity / compromise check.\nReviewing or designing what “healthy endpoint” means for the dashboard."
      },
      {
        "title": "1. EDR sensor checks",
        "body": "Microsoft Defender\n\nService: WinDefend (Get-Service WinDefend).\nOptional: Get-MpComputerStatus (or MpCmdRun.exe -GetStatus) for signature version and real-time protection state.\nRegistry (if needed): HKLM\\SOFTWARE\\Microsoft\\Windows Defender and related product state keys.\n\nCrowdStrike Falcon\n\nService: CsAgent (Get-Service CsAgent -ErrorAction SilentlyContinue).\nRegistry: HKLM\\SYSTEM\\CurrentControlSet\\Services\\CsAgent or Falcon-specific keys under HKLM\\SOFTWARE\\CrowdStrike.\n\nOthers (SentinelOne, Carbon Black, etc.)\n\nPrefer service name + optional registry/process check. Document which EDR is “primary” for the environment.\n\nOutput\n\nAt least: edr_present: true|false, edr_name: \"Defender\"|\"CrowdStrike\"|..., optional edr_healthy: true|false (e.g. service running, real-time on)."
      },
      {
        "title": "2. Sysmon",
        "body": "Service: Sysmon64 or Sysmon (Get-Service Sysmon64, Sysmon -ErrorAction SilentlyContinue).\nLog: Usually EVTX – Microsoft-Windows-Sysmon%4Operational under C:\\Windows\\System32\\winevt\\Logs\\ (path: ...\\Microsoft-Windows-Sysmon%4Operational.evtx).\nConfig: Optional – check for Sysmon config (e.g. Sysmon64 -s or known config path) to confirm logging scope.\n\nOutput\n\nsysmon_installed: true|false, sysmon_log_path: \"...\" (if available), optional sysmon_service_running: true|false."
      },
      {
        "title": "3. System up-to-date",
        "body": "Quick: Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1 for last patch date; or (Get-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\").CurrentBuild (and optionally UBR) for build.\nStricter: Windows Update status – e.g. WMI Win32_QuickFixEngineering or COM Microsoft.Update.Session to see last install time / pending reboots.\nPolicy: Define “stale” (e.g. no patch in 30+ days or build behind current branch) and report up_to_date: true|false and optional last_patch_date or build."
      },
      {
        "title": "4. Heartbeat and EVTX alerts",
        "body": "On heartbeat (or on a scheduled check that aligns with heartbeats):\n\nWhich EVTX\n\nSecurity: C:\\Windows\\System32\\winevt\\Logs\\Security.evtx\nSysmon: Microsoft-Windows-Sysmon%4Operational.evtx\nMicrosoft-Windows-Windows Defender/Operational (Defender alerts)\nOptional: Application, System for context.\n\n\n\nWhat to look for\n\nSecurity: logon failures (e.g. 4625), sensitive privilege use (4672, 4688), account lockout, etc.\nSysmon: creation of executables in temp, suspicious parent/child, etc. (event IDs depend on config).\nDefender: detection events (e.g. 1116, 1117), threats (1006, 1015).\nPrefer time-bounded queries (e.g. last N minutes since previous heartbeat or last 24h) to avoid overload.\n\n\n\nImplementation options\n\nPowerShell: Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=$since } (and similar for Sysmon/Defender).\nOr use a small script/tool that reads EVTX and outputs a compact JSON (event IDs, time, count) for the collector to emit as details or as an alert.\n\n\n\nEmit\n\nAttach to heartbeat details (e.g. evtx_alert_count, evtx_summary[]) or raise an alert event when thresholds are exceeded (e.g. > N failures, or any Defender detection)."
      },
      {
        "title": "5. Least privilege",
        "body": "Check whether the device/user runs with least privilege (not over-privileged).\n\nCurrent user elevation: whoami /groups to see group membership; token elevation type via (Get-Process -Id $PID).StartInfo.Verb or WMI/CIM. For elevation: check if process token has elevation (e.g. [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups and look for S-1-16-12288 = High Mandatory Level).\nAdmin membership: net localgroup Administrators (or Get-LocalGroupMember -Group Administrators) – report if the current user or common service accounts are in Administrators.\nUAC: Registry HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA = 1 (UAC on). Optional: ConsentPromptBehaviorAdmin, PromptOnSecureDesktop.\nPrivileged sessions: Optional – check for RDP/admin logons (Security EVTX 4624, logon type 10) and whether interactive admin is expected.\n\nOutput\n\nleast_privilege: true|false, current_user_elevated: true|false, in_local_admins: true|false, optional uac_enabled: true|false."
      },
      {
        "title": "6. Network visibility (what networks the device sees)",
        "body": "Assess what networks and neighbors the device can see (exposure and lateral movement surface).\n\nInterfaces: Get-NetAdapter, Get-NetIPAddress – list adapters, IPs, gateways. Optional: Get-NetRoute.\nARP table: Get-NetNeighbor or arp -a – what other hosts the device has recently talked to (L2/L3 neighbors).\nWiFi: netsh wlan show networks or Get-NetAdapter | Where-Object {$_.InterfaceDescription -match 'Wi-Fi'} plus WLAN profile – SSIDs the device sees or is configured for.\nDomain / trust: systeminfo, nltest /domain_trusts (or Get-ADDomainTrust if RSAT) – domain membership and trust relationships.\nNet view / session: net view (browsed shares), net session (who is connected to this box) – optional; may require admin. Use to see “who can this device see” and “who is using this device.”\n\nOutput\n\ninterfaces[] (name, IP, gateway), arp_count or neighbors_count, optional wifi_ssids[], domain_member: true|false, domain_name, trusts[], optional net_view_count / net_session_count."
      },
      {
        "title": "7. Credential protection (network level – Kerberos, NTLM, pass-the-hash)",
        "body": "Check network-level credential hardening to resist Kerberos/NTLM abuse and pass-the-hash.\n\nSMB signing: Get-SmbClientConfiguration (RequireSecuritySignature) and Get-SmbServerConfiguration (RequireSecuritySignature, EnableSecuritySignature). Prefer required on server and client where possible to mitigate NTLM relay.\nLDAP signing / channel binding: Domain controllers – LDAP signing (e.g. HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters\\LDAPServerIntegrity), LDAP channel binding. Client-side: check if environment enforces signed LDAP.\nNTLM restrictions: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa: LmCompatibilityLevel (e.g. 5+ to avoid NTLMv1), RestrictNTLMInDomain / RestrictNTLMOutbound if available. NTLM audit or block policies (RestrictNTLMInDomain = 1, 2, 3).\nCredential Guard / LSA protection: Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\\Microsoft\\Windows\\DeviceGuard or registry HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LsaCfgFlags – Credential Guard (1) and/or LSA run as Protected Process Light to protect hashes in memory.\nPass-the-hash: Mitigations above (Credential Guard, LSA protection, NTLM restrictions) reduce pass-the-hash; report “credential protection” as a summary (e.g. Credential Guard on, SMB signing required, NTLM restricted).\n\nOutput\n\nsmb_signing_required_client: true|false, smb_signing_required_server: true|false, optional ldap_signing, lm_compat_level, credential_guard: true|false, lsa_protected: true|false, credential_protection_summary: \"strong|partial|weak\"."
      },
      {
        "title": "8. Device details and known vulnerabilities",
        "body": "Inventory device and correlate with known vulnerabilities for assessment.\n\nOS and build: Get-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" – ProductName, CurrentBuild, UBR, DisplayVersion. Optional: Get-ComputerInfo.\nPatches: Get-HotFix or WMI Win32_QuickFixEngineering – list KBs and InstalledOn. Use for “last patch date” and to cross-reference with CVE data.\nInstalled software: Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*, HKLM:\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* – DisplayName, DisplayVersion, Publisher. Avoid Get-WmiObject Win32_Product (slow and triggers reconfigure). Use for vulnerable software inventory.\nKnown vulnerabilities: Cross-reference OS build and installed product versions with a vulnerability source (e.g. NVD, OSV, vendor advisories, or internal vuln DB). Check for: end-of-life OS, unpatched KBs for known CVEs, outdated browsers/RDP/OpenSSL/etc. Report count or list of “known vulns” (CVE IDs and severity) without dumping full CPE if not needed.\n\nOutput\n\nos_name, os_build, last_patch_date, hotfix_count, optional installed_products[] (name, version), known_vuln_count, optional known_vulns[] (cve_id, severity, product)."
      },
      {
        "title": "9. Weekly assessment",
        "body": "Conduct a weekly SecOps assessment: run the full checklist and produce a report (and optionally emit an event).\n\nChecklist (run weekly)\n\nEDR sensor present and healthy (section 1)\n Sysmon installed and logging (section 2)\n System up-to-date (section 3)\n EVTX: recent alerts summary (section 4)\n Least privilege (section 5)\n Network visibility: interfaces, neighbors, domain/trust (section 6)\n Credential protection: SMB/LDAP/NTLM/Credential Guard (section 7)\n Device inventory and known vulnerabilities (section 8)\n Skill integrity: hashes match or version-bumped (section 10)\n\nWorkflow\n\nRun all checks (or call scripts that aggregate them).\nProduce weekly assessment report using the Host posture report template (below), extended with network, credential, and vuln sections.\nOptionally emit a dedicated event: type: 'weekly_assessment' (or config_change with details.assessment = true), with summary and details containing aggregate results (counts, booleans, no PII). Dashboard or rules can surface “last weekly assessment” and failures.\n\nSchedule\n\nTrigger weekly (e.g. cron/Task Scheduler or collector job every 7 days). Store last run time to avoid duplicate runs in the same week."
      },
      {
        "title": "10. Skill integrity (hash on wake, version-aware)",
        "body": "On first wake (when this skill is first applied or when no stored hashes exist), hash this skill and all other known skills; store the hashes. On each wake, re-hash and compare to stored hashes. Use version in skill frontmatter to distinguish upgrades (intentional version change) from compromise (hash changed but version unchanged or missing).\n\nScope\n\nWhat to hash: Each known skill directory under .cursor/skills/ (project) or ~/.cursor/skills/ (personal). Per skill: SKILL.md (required), and optionally reference.md, examples.md (if present). Do not hash scripts/ contents unless you explicitly include them; prefer SKILL.md + optional reference/examples for a stable baseline.\nAlgorithm: SHA-256 of file contents (UTF-8 or raw bytes consistently). Normalize line endings (e.g. LF) before hashing if skills may be edited on different OSes.\n\nStorage\n\nPath: Project scope: .cursor/skills/.skill-integrity.json. Personal scope: ~/.cursor/skills/.skill-integrity.json (or one file that lists both project and personal paths). Do not commit .skill-integrity.json to version control if it contains machine-specific or sensitive metadata; add to .gitignore or keep local-only.\nFormat (per skill, keyed by skill name or relative path):\n\n{\n  \"skills\": {\n    \"security-joes-ai-analyst\": {\n      \"version\": \"1.0\",\n      \"fileHashes\": {\n        \"SKILL.md\": \"sha256hex...\",\n        \"reference.md\": \"sha256hex...\"\n      },\n      \"lastChecked\": \"ISO8601\"\n    }\n  },\n  \"firstRun\": \"ISO8601\"\n}\n\nFirst wake\n\nEnumerate all skill directories (project .cursor/skills/*, optionally personal ~/.cursor/skills/*).\nFor each skill: read version from SKILL.md frontmatter (if present). Compute SHA-256 for SKILL.md and any reference.md/examples.md.\nWrite .skill-integrity.json with skills, firstRun, and lastChecked = now.\n\nEach wake\n\nLoad .skill-integrity.json (if missing, treat as first wake and run first-wake steps).\nEnumerate the same skill directories; for each skill, read current version from frontmatter and compute current hashes for SKILL.md (and optional reference/examples).\nCompare:\n\nHash match: No change. Update lastChecked for that skill.\nHash mismatch + version in file changed: Treat as upgrade. Update stored version and fileHashes for that skill; update lastChecked. Do not alert.\nHash mismatch + version unchanged or missing: Treat as potential compromise. Do not overwrite stored hashes with the new ones. Emit an alert (e.g. “Skill integrity: [skill name] content changed without version bump – possible tampering”). Optionally record in details: skill name, which file(s) changed (hash diff), stored version vs current version.\n\n\nNew skill (present on disk but not in stored hashes): On first wake for that skill, add it to storage with current version and hashes. Do not treat as compromise.\n\nVersion in frontmatter\n\nSkills should include version: \"x.y\" in YAML frontmatter. When you intentionally upgrade a skill, bump the version (e.g. 1.0 → 1.1) so the next wake treats the hash change as an upgrade, not compromise.\nIf a skill has no version field, any hash change is treated as potential compromise (no way to distinguish upgrade).\n\nOutput\n\nOn each wake: skill_integrity: ok | compromised | upgraded. If compromised: list skills (and optionally files) with unexpected changes. Do not log full file contents; only hashes and version.\n\nIntegration\n\nRun this check when the agent “wakes” (e.g. at start of a session or when this skill is first applied). Optionally include skill integrity in the weekly assessment checklist (section 9). Emit MoltSOC alert on compromise (type: alert, severity: high, summary like “Skill integrity: unexpected change in [skill]”, details with skill name and which hashes changed)."
      },
      {
        "title": "Host posture report template",
        "body": "When producing a host posture, heartbeat summary, or weekly assessment, use a structure like:\n\n## Host posture – [host_id]\n\n- **EDR:** [present/absent] – [name], [healthy/unhealthy]\n- **Sysmon:** [installed/not installed], log: [path or N/A], service: [running/stopped]\n- **Updates:** [up_to_date/stale], last patch: [date], build: [optional]\n- **EVTX (since last heartbeat):** [count or summary], alerts: [brief list or \"none\"]\n- **Least privilege:** [yes/no] – elevated: [yes/no], in local admins: [yes/no], UAC: [on/off]\n- **Networks:** interfaces: [count], neighbors/ARP: [count], domain: [name or N/A], trusts: [brief]\n- **Credential protection:** SMB signing: [required/optional], Credential Guard: [on/off], NTLM: [restricted/audit/off], summary: [strong/partial/weak]\n- **Device & vulns:** OS: [name build], products: [count], known vulns: [count] – [brief list or \"none\"]\n- **Weekly assessment:** last run: [date], result: [pass/fail], failures: [brief list or \"none\"]\n- **Skill integrity:** [ok/compromised/upgraded], last check: [date], unexpected: [skill names or \"none\"]"
      },
      {
        "title": "Integration with MoltSOC",
        "body": "Heartbeat events already exist (type: 'heartbeat'). Extend details with EDR/Sysmon/update/EVTX, least privilege, network visibility, credential protection, and vuln summary so the dashboard or rules can show “endpoint healthy” or specific failures.\nNew alerts (e.g. “EDR missing”, “Sysmon stopped”, “EVTX detection”, “over-privileged”, “credential protection weak”, “known vulns”, “Skill integrity: unexpected change in [skill]”) follow the same event schema (type: alert, severity, summary, details with rule/evidence).\nSkill integrity: On compromise (hash change without version bump), emit alert with skill name and which file hashes changed; do not include file contents.\nWeekly assessment: Emit type: 'weekly_assessment' (or config_change with details.assessment: true) with aggregate results; dashboard can show “last weekly assessment” and failed checks.\nPrefer metadata-only in events (counts, booleans, event IDs, timestamps); do not log raw payloads, PII, or full network/ARP tables in event details."
      },
      {
        "title": "Privacy and safety",
        "body": "Do not include raw log content or PII in events; use counts, event IDs, and short summaries.\nEVTX queries should be scoped to security-relevant channels and time windows; avoid dumping full logs into the collector.\nFor network visibility and vuln output: report counts and summaries (e.g. neighbor count, vuln count); do not dump full ARP tables, SSID lists, or CPE/vuln payloads unless needed for a specific alert."
      },
      {
        "title": "About Security Joes",
        "body": "Security Joes provides SecOps guidance, endpoint visibility, and security analyst workflows for agents and automation. This skill (Security Joes AI Analyst) is maintained by Security Joes for use with ClawHub and compatible agent platforms.\n\nWebsite: https://www.securityjoes.com\nAbout: https://www.securityjoes.com/about"
      }
    ],
    "body": "Security Joes AI Analyst\n\nYou guide and implement SecOps checks for endpoints. Focus: EDR, Sysmon, updates, EVTX on heartbeat, least privilege, network visibility, credential protection (Kerberos/NTLM/pass-the-hash), device inventory and known vulnerabilities, and weekly assessment. Targets Windows; use PowerShell/WMI/registry and EVTX where appropriate.\n\nResponsibilities\nEDR sensor – Detect at least one EDR (Defender, CrowdStrike, etc.). Report presence/absence and basic health.\nSysmon – Confirm Sysmon is installed and logging; identify log location (typically EVTX).\nSystem up-to-date – Check OS/build and patch level; report stale if beyond policy (e.g. 30+ days).\nHeartbeat + EVTX – On heartbeat, query Security/Sysmon/Defender EVTX for recent alerts; attach summary or raise alert.\nLeast privilege – Check if the device/user runs with least privilege (not admin, UAC/token elevation as expected).\nNetwork visibility – What other networks/interfaces the device sees (interfaces, ARP, WiFi, domain trust, net view/session).\nCredential protection (network level) – Kerberos/NTLM hardening and pass-the-hash resistance (SMB signing, LDAP signing, NTLM restrictions, Credential Guard).\nDevice details and known vulnerabilities – Inventory OS, patches, installed software; correlate with known CVEs or vuln data for assessment.\nWeekly assessment – Run a full SecOps checklist weekly; produce assessment report and optionally emit as event.\nSkill integrity – On first wake, hash this skill and other known skills; store hashes. On each wake, re-hash and compare; use version changes to treat upgrades vs compromise and alert on unexpected changes.\nWhen to apply\nUser asks for host posture, endpoint health, “is this machine secure?”, or weekly SecOps review.\nImplementing or extending collector/heartbeat logic.\nUser mentions EDR, Sysmon, EVTX, least privilege, network exposure, Kerberos, pass-the-hash, credential protection, vulnerabilities, weekly assessment, or skill integrity / compromise check.\nReviewing or designing what “healthy endpoint” means for the dashboard.\n1. EDR sensor checks\n\nMicrosoft Defender\n\nService: WinDefend (Get-Service WinDefend).\nOptional: Get-MpComputerStatus (or MpCmdRun.exe -GetStatus) for signature version and real-time protection state.\nRegistry (if needed): HKLM\\SOFTWARE\\Microsoft\\Windows Defender and related product state keys.\n\nCrowdStrike Falcon\n\nService: CsAgent (Get-Service CsAgent -ErrorAction SilentlyContinue).\nRegistry: HKLM\\SYSTEM\\CurrentControlSet\\Services\\CsAgent or Falcon-specific keys under HKLM\\SOFTWARE\\CrowdStrike.\n\nOthers (SentinelOne, Carbon Black, etc.)\n\nPrefer service name + optional registry/process check. Document which EDR is “primary” for the environment.\n\nOutput\n\nAt least: edr_present: true|false, edr_name: \"Defender\"|\"CrowdStrike\"|..., optional edr_healthy: true|false (e.g. service running, real-time on).\n2. Sysmon\nService: Sysmon64 or Sysmon (Get-Service Sysmon64, Sysmon -ErrorAction SilentlyContinue).\nLog: Usually EVTX – Microsoft-Windows-Sysmon%4Operational under C:\\Windows\\System32\\winevt\\Logs\\ (path: ...\\Microsoft-Windows-Sysmon%4Operational.evtx).\nConfig: Optional – check for Sysmon config (e.g. Sysmon64 -s or known config path) to confirm logging scope.\n\nOutput\n\nsysmon_installed: true|false, sysmon_log_path: \"...\" (if available), optional sysmon_service_running: true|false.\n3. System up-to-date\nQuick: Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1 for last patch date; or (Get-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\").CurrentBuild (and optionally UBR) for build.\nStricter: Windows Update status – e.g. WMI Win32_QuickFixEngineering or COM Microsoft.Update.Session to see last install time / pending reboots.\nPolicy: Define “stale” (e.g. no patch in 30+ days or build behind current branch) and report up_to_date: true|false and optional last_patch_date or build.\n4. Heartbeat and EVTX alerts\n\nOn heartbeat (or on a scheduled check that aligns with heartbeats):\n\nWhich EVTX\n\nSecurity: C:\\Windows\\System32\\winevt\\Logs\\Security.evtx\nSysmon: Microsoft-Windows-Sysmon%4Operational.evtx\nMicrosoft-Windows-Windows Defender/Operational (Defender alerts)\nOptional: Application, System for context.\n\nWhat to look for\n\nSecurity: logon failures (e.g. 4625), sensitive privilege use (4672, 4688), account lockout, etc.\nSysmon: creation of executables in temp, suspicious parent/child, etc. (event IDs depend on config).\nDefender: detection events (e.g. 1116, 1117), threats (1006, 1015).\nPrefer time-bounded queries (e.g. last N minutes since previous heartbeat or last 24h) to avoid overload.\n\nImplementation options\n\nPowerShell: Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=$since } (and similar for Sysmon/Defender).\nOr use a small script/tool that reads EVTX and outputs a compact JSON (event IDs, time, count) for the collector to emit as details or as an alert.\n\nEmit\n\nAttach to heartbeat details (e.g. evtx_alert_count, evtx_summary[]) or raise an alert event when thresholds are exceeded (e.g. > N failures, or any Defender detection).\n5. Least privilege\n\nCheck whether the device/user runs with least privilege (not over-privileged).\n\nCurrent user elevation: whoami /groups to see group membership; token elevation type via (Get-Process -Id $PID).StartInfo.Verb or WMI/CIM. For elevation: check if process token has elevation (e.g. [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups and look for S-1-16-12288 = High Mandatory Level).\nAdmin membership: net localgroup Administrators (or Get-LocalGroupMember -Group Administrators) – report if the current user or common service accounts are in Administrators.\nUAC: Registry HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA = 1 (UAC on). Optional: ConsentPromptBehaviorAdmin, PromptOnSecureDesktop.\nPrivileged sessions: Optional – check for RDP/admin logons (Security EVTX 4624, logon type 10) and whether interactive admin is expected.\n\nOutput\n\nleast_privilege: true|false, current_user_elevated: true|false, in_local_admins: true|false, optional uac_enabled: true|false.\n6. Network visibility (what networks the device sees)\n\nAssess what networks and neighbors the device can see (exposure and lateral movement surface).\n\nInterfaces: Get-NetAdapter, Get-NetIPAddress – list adapters, IPs, gateways. Optional: Get-NetRoute.\nARP table: Get-NetNeighbor or arp -a – what other hosts the device has recently talked to (L2/L3 neighbors).\nWiFi: netsh wlan show networks or Get-NetAdapter | Where-Object {$_.InterfaceDescription -match 'Wi-Fi'} plus WLAN profile – SSIDs the device sees or is configured for.\nDomain / trust: systeminfo, nltest /domain_trusts (or Get-ADDomainTrust if RSAT) – domain membership and trust relationships.\nNet view / session: net view (browsed shares), net session (who is connected to this box) – optional; may require admin. Use to see “who can this device see” and “who is using this device.”\n\nOutput\n\ninterfaces[] (name, IP, gateway), arp_count or neighbors_count, optional wifi_ssids[], domain_member: true|false, domain_name, trusts[], optional net_view_count / net_session_count.\n7. Credential protection (network level – Kerberos, NTLM, pass-the-hash)\n\nCheck network-level credential hardening to resist Kerberos/NTLM abuse and pass-the-hash.\n\nSMB signing: Get-SmbClientConfiguration (RequireSecuritySignature) and Get-SmbServerConfiguration (RequireSecuritySignature, EnableSecuritySignature). Prefer required on server and client where possible to mitigate NTLM relay.\nLDAP signing / channel binding: Domain controllers – LDAP signing (e.g. HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters\\LDAPServerIntegrity), LDAP channel binding. Client-side: check if environment enforces signed LDAP.\nNTLM restrictions: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa: LmCompatibilityLevel (e.g. 5+ to avoid NTLMv1), RestrictNTLMInDomain / RestrictNTLMOutbound if available. NTLM audit or block policies (RestrictNTLMInDomain = 1, 2, 3).\nCredential Guard / LSA protection: Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\\Microsoft\\Windows\\DeviceGuard or registry HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LsaCfgFlags – Credential Guard (1) and/or LSA run as Protected Process Light to protect hashes in memory.\nPass-the-hash: Mitigations above (Credential Guard, LSA protection, NTLM restrictions) reduce pass-the-hash; report “credential protection” as a summary (e.g. Credential Guard on, SMB signing required, NTLM restricted).\n\nOutput\n\nsmb_signing_required_client: true|false, smb_signing_required_server: true|false, optional ldap_signing, lm_compat_level, credential_guard: true|false, lsa_protected: true|false, credential_protection_summary: \"strong|partial|weak\".\n8. Device details and known vulnerabilities\n\nInventory device and correlate with known vulnerabilities for assessment.\n\nOS and build: Get-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" – ProductName, CurrentBuild, UBR, DisplayVersion. Optional: Get-ComputerInfo.\nPatches: Get-HotFix or WMI Win32_QuickFixEngineering – list KBs and InstalledOn. Use for “last patch date” and to cross-reference with CVE data.\nInstalled software: Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*, HKLM:\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* – DisplayName, DisplayVersion, Publisher. Avoid Get-WmiObject Win32_Product (slow and triggers reconfigure). Use for vulnerable software inventory.\nKnown vulnerabilities: Cross-reference OS build and installed product versions with a vulnerability source (e.g. NVD, OSV, vendor advisories, or internal vuln DB). Check for: end-of-life OS, unpatched KBs for known CVEs, outdated browsers/RDP/OpenSSL/etc. Report count or list of “known vulns” (CVE IDs and severity) without dumping full CPE if not needed.\n\nOutput\n\nos_name, os_build, last_patch_date, hotfix_count, optional installed_products[] (name, version), known_vuln_count, optional known_vulns[] (cve_id, severity, product).\n9. Weekly assessment\n\nConduct a weekly SecOps assessment: run the full checklist and produce a report (and optionally emit an event).\n\nChecklist (run weekly)\n\n EDR sensor present and healthy (section 1)\n Sysmon installed and logging (section 2)\n System up-to-date (section 3)\n EVTX: recent alerts summary (section 4)\n Least privilege (section 5)\n Network visibility: interfaces, neighbors, domain/trust (section 6)\n Credential protection: SMB/LDAP/NTLM/Credential Guard (section 7)\n Device inventory and known vulnerabilities (section 8)\n Skill integrity: hashes match or version-bumped (section 10)\n\nWorkflow\n\nRun all checks (or call scripts that aggregate them).\nProduce weekly assessment report using the Host posture report template (below), extended with network, credential, and vuln sections.\nOptionally emit a dedicated event: type: 'weekly_assessment' (or config_change with details.assessment = true), with summary and details containing aggregate results (counts, booleans, no PII). Dashboard or rules can surface “last weekly assessment” and failures.\n\nSchedule\n\nTrigger weekly (e.g. cron/Task Scheduler or collector job every 7 days). Store last run time to avoid duplicate runs in the same week.\n10. Skill integrity (hash on wake, version-aware)\n\nOn first wake (when this skill is first applied or when no stored hashes exist), hash this skill and all other known skills; store the hashes. On each wake, re-hash and compare to stored hashes. Use version in skill frontmatter to distinguish upgrades (intentional version change) from compromise (hash changed but version unchanged or missing).\n\nScope\n\nWhat to hash: Each known skill directory under .cursor/skills/ (project) or ~/.cursor/skills/ (personal). Per skill: SKILL.md (required), and optionally reference.md, examples.md (if present). 
Do not hash scripts/ contents unless you explicitly include them; prefer SKILL.md + optional reference/examples for a stable baseline.\nAlgorithm: SHA-256 of file contents (UTF-8 or raw bytes consistently). Normalize line endings (e.g. LF) before hashing if skills may be edited on different OSes.\n\nStorage\n\nPath: Project scope: .cursor/skills/.skill-integrity.json. Personal scope: ~/.cursor/skills/.skill-integrity.json (or one file that lists both project and personal paths). Do not commit .skill-integrity.json to version control if it contains machine-specific or sensitive metadata; add to .gitignore or keep local-only.\nFormat (per skill, keyed by skill name or relative path):\n{\n  \"skills\": {\n    \"security-joes-ai-analyst\": {\n      \"version\": \"1.0\",\n      \"fileHashes\": {\n        \"SKILL.md\": \"sha256hex...\",\n        \"reference.md\": \"sha256hex...\"\n      },\n      \"lastChecked\": \"ISO8601\"\n    }\n  },\n  \"firstRun\": \"ISO8601\"\n}\n\n\nFirst wake\n\nEnumerate all skill directories (project .cursor/skills/*, optionally personal ~/.cursor/skills/*).\nFor each skill: read version from SKILL.md frontmatter (if present). Compute SHA-256 for SKILL.md and any reference.md/examples.md.\nWrite .skill-integrity.json with skills, firstRun, and lastChecked = now.\n\nEach wake\n\nLoad .skill-integrity.json (if missing, treat as first wake and run first-wake steps).\nEnumerate the same skill directories; for each skill, read current version from frontmatter and compute current hashes for SKILL.md (and optional reference/examples).\nCompare:\nHash match: No change. Update lastChecked for that skill.\nHash mismatch + version in file changed: Treat as upgrade. Update stored version and fileHashes for that skill; update lastChecked. Do not alert.\nHash mismatch + version unchanged or missing: Treat as potential compromise. Do not overwrite stored hashes with the new ones. Emit an alert (e.g. 
“Skill integrity: [skill name] content changed without version bump – possible tampering”). Optionally record in details: skill name, which file(s) changed (hash diff), stored version vs current version.\nNew skill (present on disk but not in stored hashes): On first wake for that skill, add it to storage with current version and hashes. Do not treat as compromise.\n\nVersion in frontmatter\n\nSkills should include version: \"x.y\" in YAML frontmatter. When you intentionally upgrade a skill, bump the version (e.g. 1.0 → 1.1) so the next wake treats the hash change as an upgrade, not compromise.\nIf a skill has no version field, any hash change is treated as potential compromise (no way to distinguish upgrade).\n\nOutput\n\nOn each wake: skill_integrity: ok | compromised | upgraded. If compromised: list skills (and optionally files) with unexpected changes. Do not log full file contents; only hashes and version.\n\nIntegration\n\nRun this check when the agent “wakes” (e.g. at start of a session or when this skill is first applied). Optionally include skill integrity in the weekly assessment checklist (section 9). 
Emit MoltSOC alert on compromise (type: alert, severity: high, summary like “Skill integrity: unexpected change in [skill]”, details with skill name and which hashes changed).\nHost posture report template\n\nWhen producing a host posture, heartbeat summary, or weekly assessment, use a structure like:\n\n## Host posture – [host_id]\n\n- **EDR:** [present/absent] – [name], [healthy/unhealthy]\n- **Sysmon:** [installed/not installed], log: [path or N/A], service: [running/stopped]\n- **Updates:** [up_to_date/stale], last patch: [date], build: [optional]\n- **EVTX (since last heartbeat):** [count or summary], alerts: [brief list or \"none\"]\n- **Least privilege:** [yes/no] – elevated: [yes/no], in local admins: [yes/no], UAC: [on/off]\n- **Networks:** interfaces: [count], neighbors/ARP: [count], domain: [name or N/A], trusts: [brief]\n- **Credential protection:** SMB signing: [required/optional], Credential Guard: [on/off], NTLM: [restricted/audit/off], summary: [strong/partial/weak]\n- **Device & vulns:** OS: [name build], products: [count], known vulns: [count] – [brief list or \"none\"]\n- **Weekly assessment:** last run: [date], result: [pass/fail], failures: [brief list or \"none\"]\n- **Skill integrity:** [ok/compromised/upgraded], last check: [date], unexpected: [skill names or \"none\"]\n\nIntegration with MoltSOC\nHeartbeat events already exist (type: 'heartbeat'). Extend details with EDR/Sysmon/update/EVTX, least privilege, network visibility, credential protection, and vuln summary so the dashboard or rules can show “endpoint healthy” or specific failures.\nNew alerts (e.g. 
“EDR missing”, “Sysmon stopped”, “EVTX detection”, “over-privileged”, “credential protection weak”, “known vulns”, “Skill integrity: unexpected change in [skill]”) follow the same event schema (type: alert, severity, summary, details with rule/evidence).\nSkill integrity: On compromise (hash change without version bump), emit alert with skill name and which file hashes changed; do not include file contents.\nWeekly assessment: Emit type: 'weekly_assessment' (or config_change with details.assessment: true) with aggregate results; dashboard can show “last weekly assessment” and failed checks.\nPrefer metadata-only in events (counts, booleans, event IDs, timestamps); do not log raw payloads, PII, or full network/ARP tables in event details.\nPrivacy and safety\nDo not include raw log content or PII in events; use counts, event IDs, and short summaries.\nEVTX queries should be scoped to security-relevant channels and time windows; avoid dumping full logs into the collector.\nFor network visibility and vuln output: report counts and summaries (e.g. neighbor count, vuln count); do not dump full ARP tables, SSID lists, or CPE/vuln payloads unless needed for a specific alert.\nAbout Security Joes\n\nSecurity Joes provides SecOps guidance, endpoint visibility, and security analyst workflows for agents and automation. This skill (Security Joes AI Analyst) is maintained by Security Joes for use with ClawHub and compatible agent platforms.\n\nWebsite: https://www.securityjoes.com\nAbout: https://www.securityjoes.com/about"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/inaor/secops-by-joes",
    "publisherUrl": "https://clawhub.ai/inaor/secops-by-joes",
    "owner": "inaor",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/secops-by-joes",
    "downloadUrl": "https://openagent3.xyz/downloads/secops-by-joes",
    "agentUrl": "https://openagent3.xyz/skills/secops-by-joes/agent",
    "manifestUrl": "https://openagent3.xyz/skills/secops-by-joes/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/secops-by-joes/agent.md"
  }
}