detecting-cryptomining-in-cloud
by mukul975
detecting-cryptomining-in-cloud helps security teams detect unauthorized cryptomining in cloud workloads by correlating cost spikes, mining-port traffic, GuardDuty crypto findings, and runtime process evidence. Use it for triage, detection engineering, and Security Audit workflows.
This skill scores 78/100, which means it is a solid listing candidate for directory users: it has a real cloud-security workflow, clear usage triggers, and concrete detection references that reduce guesswork compared with a generic prompt. Users should still expect some adoption friction because SKILL.md does not include an install command and the operational flow is centered on AWS-first tooling.
- Strong triggerability for real incidents: explicitly covers billing spikes, GuardDuty crypto findings, compromised credentials, and container/runtime monitoring.
- Operationally grounded: includes a script, API reference, and example AWS CLI/CloudWatch/Cost Anomaly Detection/VPC Flow Logs queries.
- Good install-decision value: clear 'When to Use' and 'Do not use' guidance helps agents and users scope the skill correctly.
- AWS-heavy implementation may limit portability; Azure is mentioned, but most concrete examples and the script are AWS-centric.
- No install command in SKILL.md, so users may need extra setup guidance before the skill is easy to activate.
Overview of detecting-cryptomining-in-cloud skill
What detecting-cryptomining-in-cloud does
The detecting-cryptomining-in-cloud skill helps security teams spot unauthorized cryptomining in cloud workloads by correlating cost spikes, suspicious network traffic, GuardDuty crypto findings, and runtime process evidence. It is best for cloud security, incident response, and detection engineering work where you need to decide whether a workload is being abused for resource hijacking.
Best-fit use cases
Use the detecting-cryptomining-in-cloud skill when you are investigating unexplained EC2, ECS, EKS, or Azure Automation consumption, or when alerts point to mining pool traffic or mining binaries. It is especially useful in a Security Audit workflow because it focuses on evidence collection and validation rather than broad malware theory.
What makes it useful
The main value is multi-signal triage: it does not rely on one noisy indicator like CPU alone. It also gives practical detection anchors such as known mining ports, GuardDuty CryptoCurrency findings, and runtime process names, which makes the detecting-cryptomining-in-cloud skill more actionable than a generic prompt.
How to Use detecting-cryptomining-in-cloud skill
Install context and first files to read
Install the detecting-cryptomining-in-cloud skill with:
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-cryptomining-in-cloud
Start with SKILL.md, then read references/api-reference.md and scripts/agent.py. That order matters because SKILL.md explains the workflow, the reference file shows the exact signals and CLI queries, and the script reveals what the skill expects to correlate.
Inputs that produce good results
The skill works best when you provide a concrete cloud, account, time window, and evidence type. A strong prompt might be: “Investigate a suspected mining event in AWS us-east-1 over the last 24 hours using GuardDuty findings, CloudWatch CPU alarms, VPC Flow Logs, and AWS Cost anomalies. Summarize likely hosts, indicators, and next steps.” This is better than “check for cryptomining” because it gives the model enough context to narrow the hunt.
Practical workflow for a real investigation
Treat detecting-cryptomining-in-cloud as a short loop: confirm the alert source, identify the affected account or workload, then compare compute, network, and runtime signals before concluding. If you already have an IOC, include it explicitly, such as a mining domain, port, instance ID, container cluster, or suspicious process name. The skill is strongest when you ask it to correlate evidence, not just list indicators.
Tips that improve output quality
State whether you want detection, triage, or response guidance. For example, “build a detection plan” should lead to control recommendations, while “analyze this event” should lead to evidence interpretation. If you have partial telemetry, say so; the skill can still help, but it should not invent missing GuardDuty, Flow Logs, or cost data.
detecting-cryptomining-in-cloud skill FAQ
Is this only for AWS?
No. The content is cloud-oriented, but it includes AWS and Azure signals. The practical center of gravity is AWS because the reference material includes GuardDuty, CloudWatch, VPC Flow Logs, and Cost Anomaly Detection, but the same detection logic applies to other cloud platforms.
How is this different from a normal prompt?
A plain prompt usually asks for a generic checklist. The detecting-cryptomining-in-cloud skill gives a more specific operating model: which signals to compare, which services to query, and which conditions are out of scope. That makes it easier to trigger correctly and harder to overgeneralize.
Is it beginner-friendly?
Yes, if the user can name the cloud provider and the investigation goal. It is not a beginner-friendly primer on cryptomining itself; it is a workflow skill for people who need a structured investigation path and a useful first pass at detection.
When should I not use it?
Do not use detecting-cryptomining-in-cloud for legitimate mining operations, physical-host mining outside cloud environments, or general malware hunts where the objective is broader than resource hijacking. If the issue is unclear compromise without mining indicators, use a more general incident response skill first.
How to Improve detecting-cryptomining-in-cloud
Give the skill stronger evidence
The best way to improve detecting-cryptomining-in-cloud results is to include exact signals: account ID, instance ID, cluster name, time range, cost anomaly, destination IPs, domain names, ports, or process names like xmrig or ccminer. The more specific the evidence, the better the skill can separate real mining from benign compute bursts.
Ask for the output you actually need
Be explicit about the deliverable. For example: “produce a detection hypothesis,” “draft a SOC triage checklist,” “map indicators to GuardDuty and CloudWatch,” or “write a containment plan.” This keeps the detecting-cryptomining-in-cloud guide focused and prevents the model from returning a generic security summary.
Watch for the common failure modes
The usual mistake is relying on one signal, especially CPU usage. High CPU can mean batch jobs, patching, rendering, or autoscaling. Better inputs ask for multi-signal confirmation, such as “high CPU plus mining-port egress plus crypto-related GuardDuty findings,” which aligns with the skill’s intended detection logic.
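The multi-signal triage described under "What makes it useful" and the CPU-only failure mode above can be made concrete with a small correlation script. The following is an added example written for this page; it is not the skill's own scripts/agent.py and does not call AWS. All inputs (the VPC Flow Log lines, CloudWatch CPU samples, GuardDuty findings, process snapshots and ENI-to-instance map) are constructed, and the mining-port list, process-name list, CPU threshold and verdict rule are this example's assumptions rather than values taken from the skill.

```python
"""Multi-signal cryptomining triage over constructed sample telemetry.

Added example for this page; it is not the skill's scripts/agent.py. Every
input below is constructed, and MINING_PORTS, MINING_PROCESSES, CPU_THRESHOLD
and the verdict rule are this example's assumptions.
"""
from collections import defaultdict

# Assumed: destination ports commonly used for Stratum mining-pool connections.
MINING_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444, 45700}
# Assumed: xmrig and ccminer are named on the page; the rest are other common miner names.
MINING_PROCESSES = {"xmrig", "ccminer", "minerd", "cpuminer", "nbminer"}
CPU_THRESHOLD = 90.0  # assumed: every sample at or above this counts as sustained high CPU

# Constructed VPC Flow Log lines in the default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOGS = """\
2 123456789012 eni-0aaa 10.0.1.10 198.51.100.23 51822 3333 6 4200 512000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0aaa 10.0.1.10 203.0.113.9 51823 443 6 12 2400 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0bbb 10.0.1.11 203.0.113.50 40000 443 6 900 120000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0bbb 10.0.1.11 198.51.100.23 40001 3333 6 3 180 1700000000 1700000600 REJECT OK
"""
# Constructed ENI-to-instance map (in practice from ec2 describe-network-interfaces).
ENI_TO_INSTANCE = {"eni-0aaa": "i-0abc", "eni-0bbb": "i-0def", "eni-0ccc": "i-0ghi"}
# Constructed CloudWatch CPUUtilization datapoints (percent) per instance.
CPU_SAMPLES = {
    "i-0abc": [97.0, 98.5, 99.1, 98.0],  # sustained high CPU
    "i-0def": [95.0, 96.0, 97.0, 94.0],  # sustained high CPU, but it is a render job
    "i-0ghi": [12.0, 15.0, 9.0, 11.0],
}
# Constructed GuardDuty findings; the Type strings are real GuardDuty finding types.
GUARDDUTY_FINDINGS = [
    {"Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
     "Resource": {"InstanceDetails": {"InstanceId": "i-0abc"}}},
    {"Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Resource": {"InstanceDetails": {"InstanceId": "i-0def"}}},
]
# Constructed runtime process snapshots (e.g. ps output via SSM); i-0ghi has none collected.
PROCESSES = {"i-0abc": ["sshd", "xmrig"], "i-0def": ["sshd", "blender"]}


def parse_flow_log(line):
    f = line.split()
    return {"eni": f[2], "dst": f[4], "dstport": int(f[6]), "bytes": int(f[9]), "action": f[12]}


def mining_port_egress(flow_logs, eni_map):
    """Instances with ACCEPTed flows to a known mining port; REJECTed flows never connected."""
    hits = defaultdict(list)
    for line in flow_logs.strip().splitlines():
        rec = parse_flow_log(line)
        if rec["action"] == "ACCEPT" and rec["dstport"] in MINING_PORTS:
            hits[eni_map.get(rec["eni"], rec["eni"])].append(f"{rec['dst']}:{rec['dstport']}")
    return dict(hits)


def sustained_high_cpu(samples, threshold=CPU_THRESHOLD):
    return {i: s for i, s in samples.items() if s and min(s) >= threshold}


def crypto_findings(findings):
    hits = defaultdict(list)
    for f in findings:
        if f["Type"].startswith("CryptoCurrency:"):
            hits[f["Resource"]["InstanceDetails"]["InstanceId"]].append(f["Type"])
    return dict(hits)


def mining_processes(procs):
    found = {i: [p for p in ps if p.lower() in MINING_PROCESSES] for i, ps in procs.items()}
    return {i: ps for i, ps in found.items() if ps}


def triage(flow_logs=FLOW_LOGS, eni_map=ENI_TO_INSTANCE, cpu=CPU_SAMPLES,
           findings=GUARDDUTY_FINDINGS, procs=PROCESSES):
    """Correlate the four signals per instance; keep confirmed evidence apart from gaps."""
    signals = {
        "cpu": sustained_high_cpu(cpu),
        "egress": mining_port_egress(flow_logs, eni_map),
        "guardduty": crypto_findings(findings),
        "process": mining_processes(procs),
    }
    report = {}
    for inst in set(eni_map.values()) | set(cpu) | set(procs):
        evidence = {name: hits[inst] for name, hits in signals.items() if inst in hits}
        missing = [n for n, src in (("cpu", cpu), ("process", procs)) if inst not in src]
        strong = set(evidence) - {"cpu"}  # CPU alone is not mining evidence
        if len(strong) >= 2:
            verdict = "confirmed"
        elif strong:
            verdict = "probable"
        elif "cpu" in evidence:
            verdict = "cpu-only"
        else:
            verdict = "none"
        report[inst] = {"verdict": verdict, "evidence": evidence, "missing_telemetry": missing}
    return report


if __name__ == "__main__":
    for inst, r in sorted(triage().items()):
        print(inst, r["verdict"], r["evidence"], "missing:", r["missing_telemetry"])
```

On the constructed data, i-0abc is confirmed (mining-port egress, a CryptoCurrency GuardDuty finding and an xmrig process all agree), i-0def is flagged cpu-only because its high utilization comes with no network, GuardDuty or process corroboration and its one attempt to reach port 3333 was rejected, and i-0ghi is clean but is reported as missing a process snapshot, which is the "list what telemetry is still missing" step the skill is meant to support.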
Iterate after the first pass
If the first answer is too broad, narrow the scope by adding one more constraint: environment, suspected workload type, or an observed IOC. If the answer is too confident, ask it to separate confirmed evidence from assumptions and list what telemetry is still missing. That is what makes installing detecting-cryptomining-in-cloud worthwhile in real incident work: you can turn one prompt into a repeatable detection workflow.
