detecting-rootkit-activity

by mukul975

detecting-rootkit-activity is a Malware Analysis skill for finding rootkit indicators such as hidden processes, hooked system calls, altered kernel structures, hidden modules, and covert network artifacts. It uses cross-view comparison and integrity checks to help validate suspicious hosts when standard tools disagree.

Stars6.2k

Favorites0

Comments0

AddedMay 11, 2026

CategoryMalware Analysis

Install Command

npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-rootkit-activity

Curation Score

This skill scores 78/100, which is a solid but not top-tier listing: directory users get a credible rootkit-detection workflow with enough operational detail to justify installation, but they should expect some setup dependence on external forensic tools and a missing in-skill install command.

78/100

Strengths

Explicit triggerability for rootkit detection, hidden process discovery, kernel integrity checks, and system call hook analysis.
Substantial operational content: cross-view detection steps, Volatility 3 commands, and Linux/Windows tool coverage support real agent execution.
The repository includes a working-looking script plus a reference file, which adds more leverage than a markdown-only skill.

Cautions

No install command in SKILL.md, so users may need to wire up execution and dependencies manually.
Tooling is external-dependent (Volatility 3, GMER, rkhunter, chkrootkit), so usefulness depends on the target OS and analyst environment.

Rootkit Memory Forensics Behavioral Analysis Volatility3 Windows Security Linux Sysinternals

Overview

Overview of detecting-rootkit-activity skill

What detecting-rootkit-activity does

The detecting-rootkit-activity skill helps you investigate whether a compromised system is hiding activity at the kernel or driver level. It focuses on rootkit indicators such as hidden processes, altered system-call paths, modified kernel structures, hidden modules, and covert network artifacts. This is not a generic malware prompt; it is a detecting-rootkit-activity skill for Malware Analysis when normal tools disagree with what memory or integrity checks reveal.

Who should use it

Use this skill if you are doing incident response, forensic triage, EDR validation, or post-exploitation cleanup and need a structured way to confirm stealth behavior. It is most valuable when Task Manager, ps, netstat, or standard AV scans look clean but the host still behaves suspiciously.

Why it is different

The main value of detecting-rootkit-activity is cross-view comparison: it compares what user-mode tools report against what memory-forensics and integrity checks can still see. That makes it more decision-useful than a broad “scan for malware” prompt, especially on systems where hiding is the core problem.

How to Use detecting-rootkit-activity skill

Install and load the skill

Use the repository install flow for the detecting-rootkit-activity install step, then point your agent at the skill path in skills/detecting-rootkit-activity. A typical install command in this repo is:

npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-rootkit-activity

After install, make sure the skill activates only when the task is about hidden processes, kernel tampering, or rootkit verification.

Start with the right inputs

The detecting-rootkit-activity usage pattern works best when you provide:

OS and version
Live system vs. memory image
Symptom summary, such as “process disappears from pslist but exists in psscan”
Tools already run and their output
Whether you need triage, confirmation, or reporting

A weak prompt is: “Check for rootkits.”
A stronger one is: “Analyze this Windows memory dump for hidden processes and SSDT hooks. I have pslist and psscan output, plus suspicious driver names.”

Read these files first

For fast onboarding, inspect:

SKILL.md for activation scope and workflow
references/api-reference.md for Volatility 3 commands and cross-view steps
scripts/agent.py for the automation logic and output shape

This is the shortest path to understanding how the skill thinks before you rely on it in a case.

Use a cross-view workflow

The repository’s strongest pattern is comparing multiple views instead of trusting one tool:

Enumerate processes with pslist
Scan memory with psscan
Compare PIDs for hidden entries
Expand into ssdt, modules, driverirp, callbacks, or idt if hiding is confirmed

That workflow matters because rootkits often defeat one interface but not all of them.

detecting-rootkit-activity skill FAQ

Is detecting-rootkit-activity good for beginners?

Yes, if you already know basic malware triage. It is less suitable if you are still learning the difference between live-response tools and memory forensics. The skill is best when you can provide a concrete host image, command output, or suspected hiding behavior.

How does it compare with a normal prompt?

A normal prompt may give generic advice like “run antivirus and inspect processes.” The detecting-rootkit-activity skill is narrower and more operational: it pushes you toward cross-view checks, integrity validation, and rootkit-specific artifacts. That makes it better for detecting-rootkit-activity usage in real investigations.

When should I not use it?

Do not use it as your first step on every infection. If the problem is obvious phishing malware, commodity adware, or a simple persistence check, this skill is probably too specialized. Use it when stealth, kernel tampering, or hiding behavior is the real question.

Does it fit Windows and Linux?

Yes, but the tooling differs. The repository emphasizes Volatility 3 for memory analysis, plus Windows-oriented checks such as ssdt, callbacks, and modules, alongside Linux tools like rkhunter, chkrootkit, and unhide. Choose the branch that matches the host and evidence you actually have.

How to Improve detecting-rootkit-activity skill

Give the skill evidence, not just suspicion

The best way to improve detecting-rootkit-activity results is to provide artifacts: memory dump paths, command output, hashes, driver names, and a short timeline. The more the model can compare, the less it has to guess. A good follow-up input is: “psscan shows PID 4120, but pslist does not; here is the full output and the suspect driver list.”

State the exact question you need answered

This skill works better when you define the end goal:

“Is this process hidden?”
“Is there an SSDT hook?”
“Which driver is likely responsible?”
“Can I trust this host enough to reimage?”

That keeps the output practical instead of broad.

Watch for common failure modes

The main failure mode is overcalling a rootkit from one anomaly. Hidden artifacts can also come from stale memory, crash artifacts, EDR interference, or incomplete acquisition. Ask the skill to distinguish “likely rootkit,” “inconclusive,” and “needs more evidence” so it does not force a binary answer too early.

Iterate after the first pass

If the first result is partial, feed back the specific missing view. For example, if process hiding is suspected, add module, callback, and IRP outputs; if network hiding is suspected, add socket and port scans. That is the most effective way to improve detecting-rootkit-activity skill output quality without changing the workflow.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

conducting-malware-incident-response

by mukul975

conducting-malware-incident-response helps IR teams triage suspected malware, confirm infections, scope spread, contain endpoints, and support eradication and recovery. It is designed for conducting-malware-incident-response for Incident Response workflows with evidence-backed steps, telemetry-driven decisions, and practical containment guidance.

Incident Response

Favorites 0GitHub 0

analyzing-bootkit-and-rootkit-samples

by mukul975

analyzing-bootkit-and-rootkit-samples is a malware analysis skill for MBR, VBR, UEFI, and rootkit investigations. Use it to inspect boot sectors, firmware modules, and anti-rootkit indicators when compromise persists below the OS layer. It is suited for analysts who need a practical guide, clear workflow, and evidence-based triage for Malware Analysis.

Malware Analysis

Favorites 0GitHub 6.2k

detecting-ransomware-encryption-behavior

by mukul975

detecting-ransomware-encryption-behavior helps defenders spot ransomware-style encryption using entropy analysis, file I/O monitoring, and behavioral heuristics. It is suited for incident response, SOC tuning, and red-team validation when you need to detect mass file changes, rename bursts, and suspicious process activity quickly.

Incident Response

Favorites 0GitHub 0

deobfuscating-javascript-malware

by mukul975

deobfuscating-javascript-malware helps analysts turn heavily obfuscated malicious JavaScript into readable code for malware analysis, phishing pages, web skimmers, droppers, and browser-delivered payloads. Use this deobfuscating-javascript-malware skill for structured deobfuscation, decode tracing, and controlled review when simple minification is not the issue.

Malware Analysis

Favorites 0GitHub 0

analyzing-powershell-empire-artifacts

by mukul975

analyzing-powershell-empire-artifacts skill helps Security Audit teams detect PowerShell Empire artifacts in Windows logs using Script Block Logging, Base64 launcher patterns, stager IOCs, module signatures, and detection references for triage and rule writing.

Security Audit

Favorites 0GitHub 0

detecting-process-injection-techniques

by mukul975

detecting-process-injection-techniques helps analyze suspicious in-memory activity, validate EDR alerts, and identify process hollowing, APC injection, thread hijacking, reflective loading, and classic DLL injection for Security Audit and malware triage.

Security Audit

Favorites 0GitHub 0

analyzing-macro-malware-in-office-documents

by mukul975

analyzing-macro-malware-in-office-documents helps malware analysts inspect malicious VBA in Word, Excel, and PowerPoint files, decode obfuscation, and extract IOCs, execution paths, and payload staging logic for phishing triage, incident response, and document malware analysis.

Malware Analysis

Favorites 0GitHub 0

analyzing-golang-malware-with-ghidra

by mukul975

analyzing-golang-malware-with-ghidra helps analysts reverse engineer Go-compiled malware in Ghidra with workflows for function recovery, string extraction, build metadata, and dependency mapping. The analyzing-golang-malware-with-ghidra skill is useful for malware triage, incident response, and Security Audit tasks that need practical, Go-specific analysis steps.

Security Audit

Favorites 0GitHub 0

analyzing-supply-chain-malware-artifacts

by mukul975

analyzing-supply-chain-malware-artifacts is a malware-analysis skill for tracing trojanized updates, poisoned dependencies, and build-pipeline tampering. Use it to compare trusted and untrusted artifacts, extract indicators, assess compromise scope, and report findings with less guesswork.

Malware Analysis

Favorites 0GitHub 6.1k

analyzing-linux-kernel-rootkits

by mukul975

analyzing-linux-kernel-rootkits helps DFIR and threat-hunting workflows detect Linux kernel rootkits with Volatility3 cross-view checks, rkhunter scans, and /proc vs /sys analysis for hidden modules, hooked syscalls, and tampered kernel structures. It is a practical analyzing-linux-kernel-rootkits guide for forensic triage.

Digital Forensics

Favorites 0GitHub 0

detecting-mimikatz-execution-patterns

by mukul975

detecting-mimikatz-execution-patterns helps analysts detect Mimikatz execution using command-line patterns, LSASS access signals, binary indicators, and memory artifacts. Use this detecting-mimikatz-execution-patterns skill install for Security Audit, hunting, and incident response with templates, references, and workflow guidance.

Security Audit

Favorites 0GitHub 0

detecting-mobile-malware-behavior

by mukul975

The detecting-mobile-malware-behavior skill analyzes suspicious Android and iOS apps for permission abuse, runtime activity, network indicators, and malware-like patterns. Use it for triage, incident response, and detecting-mobile-malware-behavior for Security Audit workflows with evidence-backed mobile analysis.

Security Audit

Favorites 0GitHub 6.1k

analyzing-ransomware-payment-wallets

by mukul975

analyzing-ransomware-payment-wallets is a read-only blockchain-forensics skill for tracing ransomware payment wallets, following fund movement, and clustering related addresses for Security Audit and incident response. Use it when you have a BTC address, tx hash, or suspected wallet and need evidence-backed attribution support.

Security Audit

Favorites 0GitHub 6.1k

analyzing-ransomware-encryption-mechanisms

by mukul975

analyzing-ransomware-encryption-mechanisms skill for malware analysis, focused on identifying ransomware encryption, key handling, and decryption feasibility. Use it to inspect AES, RSA, ChaCha20, hybrid schemes, and implementation flaws that may support recovery.

Malware Analysis

Favorites 0GitHub 6.1k

extracting-iocs-from-malware-samples

by mukul975

extracting-iocs-from-malware-samples skill guide for malware analysis: extract hashes, IPs, domains, URLs, host artifacts, and validation cues from samples for threat intel and detection.

Malware Analysis

Favorites 0GitHub 0

extracting-config-from-agent-tesla-rat

by mukul975

extracting-config-from-agent-tesla-rat skill for Malware Analysis: extract Agent Tesla .NET config, SMTP/FTP/Telegram credentials, keylogger settings, and C2 endpoints with repeatable workflow guidance.

Malware Analysis

Favorites 0GitHub 0