
extracting-credentials-from-memory-dump

by mukul975

The extracting-credentials-from-memory-dump skill helps analyze Windows memory dumps for NTLM hashes, LSA secrets, Kerberos material, and tokens using Volatility 3 and pypykatz workflows. It is built for Digital Forensics and incident response when you need defensible evidence, account impact, and remediation guidance from a valid dump.

Added: May 11, 2026
Category: Digital Forensics
Install Command
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill extracting-credentials-from-memory-dump
Curation Score

This skill scores 73/100, which is enough for directory listing but with clear cautions. The repository provides a real memory-forensics workflow for credential extraction, so users can likely trigger it and understand its purpose without a generic prompt; however, the install decision is tempered by missing install-command guidance and only partial operational detail in the visible evidence.

Strengths
  • Clear, specific use case for incident response and forensic credential extraction from memory dumps.
  • Substantial workflow content is present, including Volatility 3 and pypykatz usage plus a Python agent script and API reference.
  • Evidence-backed outputs and extraction targets are named (LSASS, NTLM, Kerberos, DPAPI, cached hashes, tokens), improving agent leverage.
Cautions
  • No install command is provided in SKILL.md, so adoption may require manual setup and more guesswork.
  • The visible excerpts do not fully show end-to-end operator guidance, so edge cases and execution flow may still need consultation with the references/scripts.

Overview of extracting-credentials-from-memory-dump skill

The extracting-credentials-from-memory-dump skill helps you analyze a captured memory image for credentials, hashes, Kerberos material, and tokens using Volatility and Mimikatz-style workflows. It is best for Digital Forensics and incident response teams that need to confirm what an attacker could have accessed, not for generic endpoint triage.

What users usually care about is speed to evidence: identify likely credential exposure, map it to affected accounts, and produce a defensible output for response or remediation. This extracting-credentials-from-memory-dump skill is strongest when you already have a valid dump and need a structured extraction workflow with clear tool choices and case-handling steps.

Best fit for forensic credential hunts

Use it when the goal is to recover NTLM hashes, cached domain logons, LSA secrets, or LSASS-derived material from a known memory dump. It is a good fit for breach scoping, pass-the-hash investigation, and post-compromise password reset decisions.

What makes this skill different

The repo is oriented around practical extraction steps rather than theory. Its supporting files point to a scriptable workflow, with volatility3 and pypykatz as the main execution path and explicit checks for dump integrity and OS context.

When not to use it

Do not use this as a replacement for disk forensics, live-response tooling, or a generic “find passwords” prompt. If you do not have authorization, a compatible memory image, or a Windows-targeted credential scenario, this skill will add little value.

How to Use extracting-credentials-from-memory-dump skill

Install and inspect the skill context

Install the extracting-credentials-from-memory-dump skill with:
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill extracting-credentials-from-memory-dump

After install, read SKILL.md first, then references/api-reference.md and scripts/agent.py. Those files tell you what input shape the skill expects, which plugins or parsers it relies on, and which outputs are produced automatically.

Start with the right input

This skill works best when you provide: the dump path, OS target, case purpose, and what credential type matters most. A weak prompt says “analyze this dump”; a stronger one says: “Extract LSASS-backed credentials, cached domain hashes, and tokens from /cases/case-001/memory.raw for a Windows 10 incident-response review, and summarize accounts that require reset.”

Follow a practical workflow

A good extracting-credentials-from-memory-dump usage flow is: verify the image, identify the OS, locate LSASS, run targeted Volatility plugins, then parse credential artifacts into a case summary. If the first pass returns too much noise, narrow the request to one artifact class, such as hashdump, cachedump, or LSASS output.

What to read first in the repo

Prioritize SKILL.md for process, references/api-reference.md for function-level behavior, and scripts/agent.py for actual execution details and pattern matching. If you need to understand what the skill can and cannot extract, the script is more useful than a high-level overview.

extracting-credentials-from-memory-dump skill FAQ

Is this only for Digital Forensics?

It is primarily for Digital Forensics and incident response, especially Windows memory investigation. If your case is not about credential exposure, lateral movement, or account compromise, a different skill may fit better.

Do I need Volatility or Mimikatz installed first?

The skill’s workflow assumes those capabilities are available or can be installed in the environment. For extracting-credentials-from-memory-dump usage, confirm your tooling path before starting so you do not discover missing dependencies halfway through analysis.

Is a prompt enough, or do I need the skill?

A prompt can ask for credential analysis, but the skill adds a clearer workflow, repeatable tool order, and better handling of case inputs. That matters when you need an audit-friendly result instead of a one-off guess.

Is it beginner-friendly?

Yes, if you already understand the idea of a memory dump and can supply a real case artifact. It is less friendly for beginners who need help collecting the dump, choosing the right OS profile, or interpreting Kerberos and NTLM results.

How to Improve extracting-credentials-from-memory-dump skill

Give the skill case-ready inputs

The best results come from a prompt that specifies the dump location, target OS, suspected artifact type, and reporting goal. For example: “Analyze /evidence/host17.raw, identify LSASS-derived credentials and cached logons, and return a list of accounts, secret types, and remediation priority.”

Ask for scoped outputs, not everything

A common failure mode in extracting-credentials-from-memory-dump skill runs is overbroad extraction that produces noisy or redundant findings. Improve output quality by asking for one of these at a time: local hashes, domain cache, service secrets, tokens, or a triaged summary for reset decisions.

Add constraints that affect interpretation

If the dump is partial, compressed, from a crash report, or taken after containment, say so up front. Those details change which plugins are useful and how confidently the skill can claim credential presence.

Iterate from evidence to action

After the first pass, refine the request around what matters operationally: affected accounts, likely reuse risk, and immediate remediation steps. When using extracting-credentials-from-memory-dump for Digital Forensics, the most useful second prompt is usually a narrower follow-up that turns raw artifacts into a clean case summary.
