Universal workflow for complete reverse engineering of endpoint detection and response (EDR) products. Every EDR dropped into this workspace gets the same systematic treatment: full decompilation, rule extraction, ML model extraction, vulnerability analysis, detection gap analysis, and tradecraft development.
When given a new EDR product, create this structure under <product>/:
<product>/
| name | edr-reverse-engineering |
|---|---|
| description | Standardized workflow for reverse engineering endpoint security products, including extraction, decompilation, rule and model recovery, vulnerability analysis, detection gap analysis, proof-of-concept planning, live probes, and stakeholder reports. Use when Claude is asked to analyze an endpoint detection and response product, endpoint protection agent, security sensor, antivirus engine, or similar endpoint security package from installer artifacts, extracted binaries, live systems, or prior workspace outputs. |
Use this skill to run a complete, repeatable reverse-engineering workflow for endpoint security products. Apply the same structure to every product so outputs can be compared across analyses and future work can resume without rediscovery.
| # Handala Threat Group - Atomic Red Team Chain Reaction | |
| # Run in order to simulate endpoint behaviors (initial access -> execution -> evasion -> discovery -> exfil -> impact). | |
| # Use with Invoke-AtomicRedTeam or Attack Range in a LAB only. | |
| # | |
| # Get Atomic Red Team: | |
| # git clone https://github.com/redcanaryco/atomic-red-team.git | |
| # Install-Module -Name Invoke-AtomicRedTeam -Scope CurrentUser | |
| # | |
| # Run full chain (PowerShell on Windows lab host): | |
| # Invoke-AtomicTest All -TestGuids (see test_guids below) -ShowDetailsBrief |
| <!DOCTYPE html> | |
| <html lang="en"> | |
| <head> | |
| <meta charset="utf-8"> | |
| <title>Human Verification</title> | |
| <style> | |
| body { | |
| font-family: Roboto, Helvetica, Arial, sans-serif; | |
| background: #f5f5f5; | |
| } |
| filter Get-AppPackageTriageInfo { | |
| <# | |
| .SYNOPSIS | |
| A tool to perform rapid triage of decompressed application packages (.msix and .appx files). | |
| .DESCRIPTION | |
| Get-AppPackageTriageInfo parses key information from an uncompressed application package (.msix and .appx) without needing to first install it. |
Basic install of Bluetrait RMM software.
|FilePath |FileName |FileSize|LastModified |MD5 |SHA1 |SHA256 |FileVersion |Signature |Signer |Issuer | |------------------------------------------------------------------------------|---------------------------------------|--------|--------------------|--------------------------------|----------------------------------------|----------------------------------------------------------------|------------|----------|---------------------
| $associations = @() | |
| $registryPaths = @( | |
| "HKLM:\Software\Classes", | |
| "HKCU:\Software\Classes" | |
| ) | |
| foreach ($path in $registryPaths) { | |
| Get-ChildItem $path | ForEach-Object { | |
| if ($_.PSChildName -like ".*") { | |
| $extension = $_.PSChildName |
Ref: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
# PrivCheck
if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
Write-Warning "Please run this script as an Administrator!"
Exit