
analyzing-bootkit-and-rootkit-samples

by mukul975

analyzing-bootkit-and-rootkit-samples is a malware analysis skill for MBR, VBR, UEFI, and rootkit investigations. Use it to inspect boot sectors, firmware modules, and anti-rootkit indicators when a compromise persists below the OS layer. It is suited to analysts who need a practical guide, a clear workflow, and evidence-based triage for malware analysis.

Stars: 6.2k
Favorites: 0
Comments: 0
Added: May 11, 2026
Category: Malware Analysis
Install Command
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill analyzing-bootkit-and-rootkit-samples
Curation Score

This skill scores 84/100, which makes it a solid listing candidate for users who need specialized bootkit/rootkit analysis guidance. The repository provides enough trigger cues, operational references, and an actual agent script to help an agent start with less guesswork than a generic malware prompt, though it still leaves some adoption details implicit.
Strengths
  • Strong triggerability for pre-OS malware cases: the frontmatter and "When to Use" section explicitly cover MBR/VBR/UEFI persistence, Secure Boot integrity issues, and hidden-process/rootkit indicators.
  • Good operational specificity: the repo includes concrete tool references and commands for dd, ndisasm, UEFITool, and chipsec, which gives agents a usable workflow scaffold.
  • Real implementation support: scripts/agent.py and references/api-reference.md indicate this is more than a prose guide and can support structured analysis steps.
Cautions
  • No install command in SKILL.md, so users may need to wire activation and runtime setup themselves.
  • The excerpt shows some workflow content but not a fully end-to-end runbook; agents may still need judgment for case selection and tool execution details.
Overview

Overview of analyzing-bootkit-and-rootkit-samples

analyzing-bootkit-and-rootkit-samples is a malware analysis skill for cases where compromise starts before the operating system: infected MBR/VBR code, UEFI persistence, and rootkit behavior that hides from normal security tools. Use it when you need to inspect boot sectors, firmware modules, or anti-rootkit indicators instead of analyzing a typical user-mode payload.

This analyzing-bootkit-and-rootkit-samples skill is best for incident responders, reverse engineers, and threat hunters who already suspect persistence below the OS layer. The main job-to-be-done is to turn raw disk, firmware, or memory evidence into a defensible assessment of whether a bootkit or rootkit is present, how it persists, and what to examine next.

What this skill is for

The skill focuses on pre-OS malware analysis: MBR extraction, VBR review, UEFI inspection, Secure Boot checks, and rootkit-oriented triage. It is useful when AV or EDR misses the issue, when reimaging does not clear the compromise (a full-disk reimage rewrites the MBR and VBR, so survival points at firmware-level persistence), or when firmware integrity looks suspicious.

Why this skill is different

Unlike a generic prompt, analyzing-bootkit-and-rootkit-samples gives you a workflow shaped around the artifacts that matter: disk sectors, firmware volumes, and low-level inspection tools. That makes it more suitable for persistence-heavy investigations than broad malware prompts that assume executable files and sandboxing.

Best-fit readers

Choose this skill if you need a practical guide to analyzing bootkit and rootkit samples, not a theory overview. It fits analysts who can collect disk images or firmware dumps, review disassembly, and compare findings against known boot-sector and firmware patterns.

How to Use analyzing-bootkit-and-rootkit-samples

Install it in your skill set

Use the repository install flow for the analyzing-bootkit-and-rootkit-samples install, then point your agent at the skill path under skills/analyzing-bootkit-and-rootkit-samples. Start by loading the skill definition and the supporting reference files so the workflow, commands, and tool assumptions stay aligned.

Read these files first

Begin with SKILL.md, then inspect references/api-reference.md and scripts/agent.py. SKILL.md tells you when the skill should activate; references/api-reference.md shows the concrete analysis commands; scripts/agent.py reveals what the skill expects to parse or automate. If you need licensing or provenance, check LICENSE too.

What to provide in your prompt

A strong analyzing-bootkit-and-rootkit-samples usage prompt should name the artifact, platform, and goal. For example: “Analyze this MBR dump for bootkit indicators, compare it with a clean Windows MBR, and explain whether the partition table and boot signature look normal.” If you have firmware, include the dump source, vendor, and whether Secure Boot or SPI access was involved.

Workflow that produces better output

Give the skill one evidence type at a time: first MBR/VBR, then firmware, then memory traces. Ask for specific outputs such as suspected persistence mechanism, suspicious offsets, and validation steps. This keeps the analysis focused and makes the result easier to verify against your own tools.

analyzing-bootkit-and-rootkit-samples FAQ

Is analyzing-bootkit-and-rootkit-samples only for advanced cases?

Mostly yes. It is designed for pre-OS malware and rootkit persistence, so it is not the right default for ordinary trojans, scripts, or browser malware. If the compromise survives reinstall, hides from scanners, or changes firmware state, this is the right fit.

How does it compare with a generic malware prompt?

A generic prompt usually assumes files you can upload and inspect in a sandbox. analyzing-bootkit-and-rootkit-samples instead assumes low-level evidence like disk sectors, boot code, UEFI modules, and hardware security checks. That difference matters because the analysis path, tools, and validation points are completely different.

Do I need specialized tools to benefit from it?

Yes, you will get the best results if you can run tools such as dd, ndisasm, UEFITool, and chipsec. The skill is still useful for planning and interpretation even if you are not running every command yourself, but it is strongest when paired with actual disk or firmware data.

Is this suitable for beginners in Malware Analysis?

It is usable by beginners who already understand basic malware concepts, but it is not beginner-friendly in the “no context needed” sense. If you are new, start with a clean artifact collection and ask the skill to explain each finding in terms of persistence, hiding, and validation.

How to Improve analyzing-bootkit-and-rootkit-samples

Give the skill better evidence

The biggest quality gain comes from precise inputs: exact device image, firmware vendor, OS version, suspected infection point, and any observed anomalies. For analyzing-bootkit-and-rootkit-samples for Malware Analysis, a good prompt includes hashes, offsets, boot signature status, Secure Boot state, and whether the issue affects MBR, VBR, or UEFI.

Ask for comparisons, not just conclusions

Do not ask only “is this malicious?” Ask for a comparison against a clean baseline, suspicious byte ranges, and why a boot sector or module looks altered. That encourages the skill to explain the finding in a way you can verify with disassembly or firmware extraction.
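The comparison this page asks for, both in the prompt guidance earlier ("compare it with a clean Windows MBR, and explain whether the partition table and boot signature look normal") and in the advice just above (baseline, suspicious byte ranges), is mechanical enough to script. The following Python is an added example for this page, not code from the skill repository: it parses a raw 512-byte MBR, verifies the 0x55AA boot signature, decodes the partition table, and diffs the boot-code region against a clean baseline to list changed byte ranges. The two sector images it builds are constructed for illustration; in practice the suspect sector comes from a capture such as dd if=/dev/sda bs=512 count=1 of=mbr.bin and the baseline from a known-clean install of the same OS build.

```python
"""Triage a raw 512-byte MBR: verify the 0x55AA boot signature, decode the four
partition entries, and diff the boot-code region against a clean baseline so
changed byte ranges (candidate hook offsets) can be handed to a disassembler.

Added example for this page, not code from the skill repository. Both MBR
images below are constructed for illustration, not captured from a real system."""
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: executable boot code (loaded at 0000:7C00)
DISK_SIG_OFF = 440       # 4-byte NT disk signature, then 2 bytes normally zero
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # must hold 0x55 0xAA


def parse_mbr(mbr: bytes) -> dict:
    """Decode boot signature, disk signature and partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {"boot_signature_ok": mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
            "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
            "partitions": parts}


def check_partition_table(parsed: dict) -> list:
    """Flag partition entries with field values a normal installer would never write."""
    findings = []
    for p in parsed["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"entry {p['index']}: empty type but non-zero LBA/size")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"entry {p['index']}: zero-length partition")
    used = sorted((p for p in parsed["partitions"] if p["type"] != 0),
                  key=lambda p: p["lba_start"])
    active = sum(1 for p in used if p["status"] == 0x80)
    if active != 1:
        findings.append(f"{active} active partitions (expected 1 on a bootable disk)")
    for a, b in zip(used, used[1:]):          # entries are sorted by start LBA
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    return findings


def diff_ranges(suspect: bytes, baseline: bytes, length: int = BOOT_CODE_LEN) -> list:
    """Coalesce differing offsets in the boot-code region into [start, end) ranges."""
    ranges, start = [], None
    for i in range(length):
        if suspect[i] != baseline[i]:
            start = i if start is None else start
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, length))
    return ranges


def triage(suspect: bytes, baseline: bytes) -> dict:
    """One result a report can cite: signature status, table findings, changed offsets."""
    parsed = parse_mbr(suspect)
    return {"boot_signature_ok": parsed["boot_signature_ok"],
            "disk_signature": f"0x{parsed['disk_signature']:08x}",
            "partition_findings": check_partition_table(parsed),
            "changed_code_ranges": diff_ranges(suspect, baseline)}


def build_mbr(code: bytes, entries: list, disk_sig: int = 0x1A2B3C4D) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack("<B3sB3sII", s, b"\0\0\0", t, b"\0\0\0", lba, n)
                     for s, t, lba, n in entries).ljust(64, b"\x00")
    code = code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    return code + struct.pack("<IH", disk_sig, 0) + table + b"\x55\xaa"


# Constructed baseline: a minimal real-mode stub (xor ax,ax / mov ss,ax / mov sp,0x7c00)
# padded with NOPs, standing in for a clean MBR from the same OS build.
CLEAN_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
CLEAN_MBR = build_mbr(CLEAN_CODE, [(0x80, 0x07, 2048, 204800)])

# Constructed suspect: entry point replaced by "jmp 0x7D00" (E9 FD 00), which lands on
# 16 placeholder bytes at sector offset 0x100; a second bogus entry is also marked active.
SUSPECT_CODE = bytearray(CLEAN_CODE)
SUSPECT_CODE[0:3] = b"\xE9\xFD\x00"
SUSPECT_CODE[0x100:0x110] = b"\xCC" * 16
SUSPECT_MBR = build_mbr(bytes(SUSPECT_CODE),
                        [(0x80, 0x07, 2048, 204800), (0x80, 0x17, 206848, 0)])

if __name__ == "__main__":
    for key, value in triage(SUSPECT_MBR, CLEAN_MBR).items():
        print(f"{key}: {value}")
```

The changed ranges are sector offsets, so they map directly onto a disassembly origin of 0x7C00 (for example ndisasm -b 16 -o 0x7c00 mbr.bin) when you follow up on a redirected entry point; an intact 0x55AA signature, as in the constructed suspect, tells you nothing about whether the code before it was altered, which is why the byte-range diff matters more than the signature check.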

Watch for common failure modes

The most common mistake is sending a vague “check this malware” request when the problem is actually a disk or firmware persistence case. Another failure mode is mixing evidence from multiple layers in one prompt, which makes root cause harder to isolate. Split the task into separate analyses when needed.

Iterate after the first pass

Use the first result to narrow the next request: ask for deeper disassembly, a module-by-module UEFI review, or a checklist for confirming a suspected rootkit. If the output is uncertain, provide more raw context and ask the skill to state what additional artifact would confirm or rule out the finding.

Ratings & Reviews

No ratings yet