analyzing-windows-shellbag-artifacts
by mukul975
analyzing-windows-shellbag-artifacts helps DFIR analysts interpret Windows Shellbag registry artifacts to reconstruct folder browsing, access to since-deleted folders, removable media use, and network share activity with SBECmd and ShellBags Explorer (Eric Zimmerman's tools). It is a practical guide for incident response and forensics work that centers on shellbag interpretation.
This skill scores 78/100, which makes it a solid directory listing candidate. It gives users enough concrete shellbag-forensics workflow content to decide on install: the SKILL.md defines when to use it, the references document SBECmd syntax, registry paths, standards, and a workflow, and the included scripts show it can parse outputs and produce a report. Users should still expect some operational caveats because the packaging is more forensic-reference + helper scripts than a fully turnkey, highly polished agent workflow.
- Clear forensic trigger and use case: reconstruct folder browsing, removable media, and network share access from Windows shellbags.
- Good operational leverage: references include SBECmd syntax, registry locations, standards, and a step-by-step investigation workflow.
- Real support assets exist: scripts for parsing/analyzing shellbag data plus a report template reduce guesswork versus a generic prompt.
- No install command or explicit setup path in SKILL.md, so users may need to assemble tool dependencies themselves.
- The workflow is useful but somewhat narrow: evidence focuses on SBECmd-based shellbag analysis and a CSV post-processing script, not a broad end-to-end DFIR pipeline.
Overview of analyzing-windows-shellbag-artifacts skill
What this skill does
The analyzing-windows-shellbag-artifacts skill helps you interpret Windows Shellbag registry data (the BagMRU and Bags keys in each user's NTUSER.DAT and UsrClass.dat) to reconstruct folder browsing activity. Because Explorer writes a shellbag when a folder is displayed and does not remove it when the folder goes away, the artifact also yields evidence of access to deleted folders, removable media that is no longer attached, network shares, and other paths that still matter in an investigation.
Who it is for
This analyzing-windows-shellbag-artifacts skill is best for DFIR analysts, incident responders, and forensic examiners who need a fast, defensible way to turn raw shellbag artifacts into a timeline or case note without guessing at registry locations or output fields.
Why it is different
Unlike a generic prompt, this skill is centered on the actual shellbag workflow: registry hive locations, SBECmd and ShellBags Explorer usage, and the kinds of paths that are most useful in Windows investigations. That makes the analyzing-windows-shellbag-artifacts guide more practical when your goal is to prove folder interaction, not just list artifacts.
How to Use analyzing-windows-shellbag-artifacts skill
Install and locate the workflow
Install the skill through the directory's standard installer flow (SKILL.md itself does not carry an install command), then open SKILL.md first. For setup context, also read references/workflows.md, references/api-reference.md, and references/standards.md; those files show the intended analysis path, the SBECmd syntax, and the registry paths the skill expects.
Give the skill the right input
The skill works best when you provide evidence source, scope, and what you need proved. Strong input looks like: “Analyze shellbag data from NTUSER.DAT and UsrClass.dat for a user suspected of accessing \\SERVER01\Finance and a USB drive on 2024-05-18; produce a concise timeline and call out deleted-folder evidence.” Weak input is just “analyze shellbags,” which leaves too much ambiguity around time range, target user, and priority paths.
Practical usage workflow
A reliable usage pattern is: collect the per-user hives (NTUSER.DAT from the profile root and UsrClass.dat from AppData\Local\Microsoft\Windows, together with their .LOG1/.LOG2 transaction logs so a dirty hive can be replayed), parse them with SBECmd to CSV, review AbsolutePath alongside CreatedOn, ModifiedOn, and AccessedOn, then correlate the shellbag findings with the MFT, LNK files, jump lists, and other case artifacts. Two caveats belong in any report: the CreatedOn/ModifiedOn/AccessedOn values are the target folder's own timestamps as embedded in the shell item when it was written, stored at two-second resolution, so they describe the folder rather than the moment the user browsed it (the bag key's last-write time is the better indicator of interaction time); and a shellbag entry shows the folder was displayed in Explorer, not that any file inside it was opened. If you prefer a GUI pass first, use ShellBags Explorer for fast triage, then switch to CSV output for reporting and cross-correlation.
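As an added illustration of the parse, classify, and correlate step (the job the page attributes to scripts/process.py, though this is not the skill's own code), the following example loads a constructed SBECmd-style CSV, buckets each AbsolutePath as a network share, a system-drive folder, or a removable-media candidate, builds a timeline for the kind of case window the sample request above describes (SERVER01\Finance, a USB drive, 2024-05-18), and flags shellbag folders absent from a supplied on-disk listing. Only AbsolutePath, CreatedOn, ModifiedOn, and AccessedOn are column names taken from the page; ShellType, LastWriteTime, LastInteracted, SourceFile, the `Desktop\My Computer\` and `Desktop\Network\` path prefixes, and every sample row are assumptions made for the example.

```python
import csv
import io
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed sample in the shape of an SBECmd CSV export (not real case data).
# AbsolutePath/CreatedOn/ModifiedOn/AccessedOn are the fields the page names;
# the other columns and the "Desktop\..." path prefixes are assumed here.
# Blank timestamps are normal: not every shell item carries embedded folder times.
SAMPLE_CSV = r"""BagPath,AbsolutePath,ShellType,CreatedOn,ModifiedOn,AccessedOn,LastWriteTime,LastInteracted,SourceFile
BagMRU\0,Desktop\My Computer,Root folder,,,,2024-05-18 08:59:40,,UsrClass.dat
BagMRU\0\1,Desktop\My Computer\C:\Users\jdoe\Documents,Directory,2023-11-02 10:04:12,2024-05-18 09:01:30,2024-05-18 09:01:30,2024-05-18 09:01:33,2024-05-18 09:01:33,UsrClass.dat
BagMRU\0\2,Desktop\My Computer\E:\Backups,Directory,2024-05-18 09:10:02,2024-05-18 09:12:44,2024-05-18 09:12:44,2024-05-18 09:12:50,2024-05-18 09:12:50,UsrClass.dat
BagMRU\0\2\0,Desktop\My Computer\E:\Backups\Payroll,Directory,2024-05-18 09:11:08,2024-05-18 09:11:08,2024-05-18 09:11:08,2024-05-18 09:13:01,2024-05-18 09:13:01,UsrClass.dat
BagMRU\1,Desktop\Network\\SERVER01\Finance,Directory,2024-01-15 14:22:00,2024-05-17 17:05:10,2024-05-17 17:05:10,2024-05-18 09:20:15,2024-05-18 09:20:15,UsrClass.dat
BagMRU\1\0,Desktop\Network\\SERVER01\Finance\Q2,Directory,2024-04-01 08:00:00,2024-05-16 11:30:00,2024-05-16 11:30:00,2024-05-18 09:21:40,2024-05-18 09:21:40,UsrClass.dat
"""

UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\([^\\]+)")   # \\host\share
DRIVE_RE = re.compile(r"(?:^|\\)([A-Za-z]):(?:\\|$)")      # ...\E:\...
TS_FMT = "%Y-%m-%d %H:%M:%S"
SYSTEM_DRIVES = frozenset({"C"})  # assumption; confirm per host from the SYSTEM hive


def parse_ts(value: str) -> Optional[datetime]:
    """Blank means the shell item had no timestamp; fractional seconds are dropped."""
    value = (value or "").strip()
    return datetime.strptime(value[:19], TS_FMT) if value else None


def classify(path: str) -> Dict[str, str]:
    """network / local / removable_candidate / other, from the AbsolutePath alone.

    A non-system drive letter is only a *candidate* for removable media: it could be
    a second fixed disk, a mapped drive, or a reused letter. Corroborate with
    USBSTOR and MountedDevices in the SYSTEM hive before calling it USB in a report.
    """
    m = UNC_RE.search(path)
    if m:
        return {"category": "network", "host": m.group(1).upper(), "share": m.group(2)}
    m = DRIVE_RE.search(path)
    if m:
        letter = m.group(1).upper()
        return {"category": "local" if letter in SYSTEM_DRIVES else "removable_candidate",
                "drive": letter}
    return {"category": "other"}


def local_path(path: str) -> Optional[str]:
    """Strip the shell-namespace prefix so C:\\... can be matched against an MFT listing."""
    m = DRIVE_RE.search(path)
    return path[m.start(1):] if m else None


def load_rows(csv_text: str) -> List[Dict]:
    rows = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        path = raw["AbsolutePath"]
        # Embedded folder times describe the target folder (2-second resolution);
        # LastInteracted, or the bag key's LastWriteTime, is the evidence for *when*
        # the user browsed there.
        last = parse_ts(raw.get("LastInteracted", "")) or parse_ts(raw.get("LastWriteTime", ""))
        rows.append({"path": path,
                     "created": parse_ts(raw.get("CreatedOn", "")),
                     "modified": parse_ts(raw.get("ModifiedOn", "")),
                     "accessed": parse_ts(raw.get("AccessedOn", "")),
                     "last_interacted": last,
                     **classify(path)})
    return rows


def build_timeline(rows, start=None, end=None, categories=None):
    """Sorted (timestamp, category, path) events within an optional window and category set."""
    events = []
    for r in rows:
        ts = r["last_interacted"]
        if ts is None or (start and ts < start) or (end and ts > end):
            continue
        if categories and r["category"] not in categories:
            continue
        events.append((ts, r["category"], r["path"]))
    return sorted(events)


def flag_missing_folders(rows, live_paths: Iterable[str]) -> List[str]:
    """Shellbag folders absent from a current on-disk listing (e.g. an MFT parse).

    Shellbags survive deletion and device removal, so these are deleted, renamed,
    or unmounted *candidates*; the listing, not the shellbag, carries the proof.
    """
    live = {p.lower().rstrip("\\") for p in live_paths}
    return [r["path"] for r in rows
            if local_path(r["path"]) and local_path(r["path"]).lower() not in live]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    window = (parse_ts("2024-05-18 00:00:00"), parse_ts("2024-05-19 00:00:00"))
    for ts, cat, path in build_timeline(rows, *window, categories={"network", "removable_candidate"}):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {cat:<20} {path}")
    print("not in on-disk listing:", flag_missing_folders(rows, [r"C:\Users\jdoe\Documents", r"E:\Backups"]))
```

Run it against a real SBECmd export by replacing SAMPLE_CSV with the file contents and passing the MFT-derived directory list to flag_missing_folders; keep the "candidate" wording in the output, because the drive-letter and missing-folder buckets are leads to corroborate, not conclusions.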
Files to read first
Start with SKILL.md for scope, then inspect assets/template.md for the report shape and scripts/process.py if you want to understand how CSV output is classified into USB and network activity. If you need deeper parsing logic or registry coverage, scripts/agent.py and references/api-reference.md are the most decision-relevant files.
analyzing-windows-shellbag-artifacts skill FAQ
Is this only for digital forensics?
Digital forensics is the primary fit, but the skill also supports triage and threat hunting when you need evidence of directory browsing. It is not a general Windows forensics skill; it is specific to shellbag interpretation and the artifacts around folder access.
What does it do better than a normal prompt?
It reduces the guesswork around registry locations, expected outputs, and common shellbag use cases. A normal prompt may produce a summary; this skill is more useful when you need a repeatable analysis path and a report-ready result.
Is it beginner-friendly?
Yes, if you already know where the evidence came from and can supply the hive or CSV output. It is less beginner-friendly when the case lacks source material, because shellbag value depends on correct hive collection and careful correlation.
When should I not use it?
Do not use it as a substitute for full disk or timeline analysis when the question is broader than folder browsing. If your case needs browser history, execution traces, or file content evidence, shellbags alone will be incomplete.
How to Improve analyzing-windows-shellbag-artifacts skill
Provide case framing, not just files
The biggest quality jump comes from telling the analyzing-windows-shellbag-artifacts skill what question you need answered: first access, last access, removable media use, network share browsing, or proof of user presence. Include target user, date range, and the suspicious paths so the output can focus on evidence that matters.
Be explicit about sources and format
State whether you have raw hives, SBECmd CSV, or GUI exports, because the skill can be much sharper when it knows the input format. If you only have a CSV, ask for a summary by path and time; if you have hives, ask for artifact interpretation and missing-data caveats.
Ask for correlations and exclusions
Better usage means asking the output to separate confirmed shellbag evidence from inference. Request correlation with MFT or LNK timestamps, and ask the model to note when a removable-media attribution rests only on a non-system drive letter, or when a UNC path shows a share was browsed but not what was done there; the USBSTOR and MountedDevices keys in the SYSTEM hive, not the shellbags, are where a drive letter gets tied to a specific device.
Iterate with a tighter second pass
If the first result is broad, feed back the most useful paths, timestamps, and conflicts. Ask for a shorter investigative narrative, a table of folder paths, or a “what this does not prove” section so the final report is easier to defend in an incident file.
