MCP.directory

hunt-research-system-and-tradecraft

by OTRF
0
0
Source

Research system internals and adversary tradecraft to ground a threat hunt in real system behavior and realistic abuse patterns. Use this skill at the start of hunt planning, when you are given a high-level hunt topic but lack a clear understanding of how the system normally operates or how adversaries are known to abuse it. This skill informs early hunt direction by producing candidate abuse patterns, key assumptions, and cited sources, and should be used before defining a concrete hunt hypothesis or selecting data sources.

Install

mkdir -p .claude/skills/hunt-research-system-and-tradecraft && curl -L -o skill.zip "https://mcp.directory/api/skills/download/5882" && unzip -o skill.zip -d .claude/skills/hunt-research-system-and-tradecraft && rm skill.zip

Installs to .claude/skills/hunt-research-system-and-tradecraft

About this skill

Research System Internals and Adversary Tradecraft

Provide structured research context at the start of a threat hunt by incrementally applying only the references explicitly called for in each workflow step. This skill establishes a grounded understanding of system capabilities and adversary behaviors so downstream hunt planning reflects how the environment actually works and how it is realistically abused.

Workflow

  • You MUST complete each step in order and MUST NOT proceed until the current step is complete.
  • You MUST NOT read reference documents or perform web searches unless the current step explicitly instructs you to do so.
  • Do NOT output raw notes, coverage checks, intermediate reasoning, or step summaries.
  • Do NOT restate findings from previous steps outside the final report structure.

Step 1: Normalize the input

Translate the user's high-level topic into a precise research scope before any investigation begins. This step exists to remove ambiguity and establish a shared frame for system and adversary analysis.

This step is complete only when the scope is explicit and unambiguous.

  • Record the topic exactly as provided (e.g., "WMI abuse", "Kerberos abuse").
  • Identify the concrete platform, system, or feature in scope.
  • Resolve ambiguity by stating explicit assumptions when needed.
  • Set the research intent to cover both normal system behavior and adversary abuse unless the user explicitly restricts it.
  • If critical scope details are missing or ambiguous, request clarification from the user.
  • If sufficient information is available, proceed without further confirmation.

Do NOT perform web searches or read reference documents during this step.

Step 2: Research system internals

Build a grounded understanding of how the system functions under normal conditions.

  • Start with searching the web using Tavily:tavily-search, and do not exceed 5 total web search queries in this step.
  • Stop searching once core system concepts, capabilities, and observability are sufficiently understood.
  • Apply guidance from references/tavily-search-guide.md.
  • Collect raw research notes focused on system behavior and capabilities.

During this step only:

  • Evaluate coverage using references/system-internals-research-guide.md within this step ONLY.
  • If gaps are identified, perform targeted follow-up research (web or internal knowledge) and update the notes.

Do NOT read adversary tradecraft reference documents in this step. Do not synthesize or summarize findings.

Step 3: Research adversary tradecraft

Analyze how adversaries leverage or manipulate the system capabilities identified above.

  • Start with searching the web using Tavily:tavily-search, and do not exceed 5 total web search queries in this step.
  • Stop searching once dominant abuse behaviors and execution patterns are clearly understood.
  • Apply guidance from references/tavily-search-guide.md.
  • Collect raw research notes focused on behavior and outcomes, not tools.

During this step only:

  • Evaluate coverage using references/adversary-tradecraft-research-guide.md within this step ONLY.
  • If gaps are identified, perform targeted follow-up research (web or internal knowledge) and update the notes.

Do Not read system internals reference documents in this step. Do Not synthesize or summarize findings.

Step 4: Identify candidate abuse patterns

Using the completed adversary tradecraft research, extract concrete abuse patterns that will guide hypothesis-driven hunting.

  • Identify the top 3–5 distinct patterns (or fewer if one clearly dominates).
  • For each pattern, record:
    • Adversary behavior
    • System capability or assumption being abused
    • High-level observables or effects
    • Common variations that preserve the same outcome

Porivide the list of patterns if they exist. They must be tool-agnostic and suitable for use in the next hunt-planning step.

Step 5: Write the research summary

Produce the final structured research artifact using the following documents within this step ONLY.

  • Structure the output using references/research-summary-template.md.
  • Format and cite sources using references/research-citations-guide.md.

This step is synthesis only. Do not introduce new research, assumptions, or evidence at this stage.

More by OTRF

View all skills by OTRF

hunt-blueprint-generation

OTRF

Assemble a complete hunt blueprint by consolidating outputs from prior hunt planning skills into a single, structured plan for execution. Use this skill after system and tradecraft research, hunt focus definition, data source identification, and analytics generation have been completed. This skill is synthesis and packaging only and must not introduce new research, assumptions, or analytics.

00

hunt-analytics-generation

OTRF

Generate query-agnostic analytics that model adversary behavior by translating hunt investigative intent into analytic definitions grounded in schema semantics. This skill is used to define how behavior should manifest in data before query execution or validation, and works best when informed by system internals, adversary tradecraft, a structured hunt focus, and suggested data sources.

00

hunt-data-source-identification

OTRF

Identify relevant security data sources that could capture the behavior defined in a structured hunt hypothesis. Use this skill after the hunt focus has been defined to translate investigative intent into candidate telemetry sources using existing platform catalogs. This skill supports hunt planning by reasoning over available schemas and metadata before analytics development or query execution.

00

hunt-focus-definition

OTRF

Define a focused hunt hypothesis by synthesizing completed system internals and adversary tradecraft research. Use this skill after research has been completed to narrow a high-level hunt topic into a single, concrete attack pattern with clear investigative intent. This skill produces a structured, testable hypothesis and should be used before selecting data sources, defining environment scope, or developing analytics.

20

You might also like

flutter-development

aj-geddes

Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.

641968

drawio-diagrams-enhanced

jgtolentino

Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.

590705

godot

bfollington

This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.

339397

ui-ux-pro-max

nextlevelbuilder

"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."

318395

nano-banana-pro

garg-aayush

Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.

450339

fastapi-templates

wshobson

Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.

304231

Related MCP Servers

Browse all servers
Task MasterTask Master

Boost productivity with Task Master: an AI-powered tool for project management and agile development workflows, integrat

25,8320 tools
PerplexityPerplexity

Empower your workflows with Perplexity Ask MCP Server—seamless integration of AI research tools for real-time, accurate

1,9990 tools
PubMedPubMed

AI leverages PubMed to search, retrieve, and analyze biomedical literature for research, citation generation, and data v

640 tools
Flint NoteFlint Note

Flint Note is agent-first knowledge database software with vaults, wikilinks, and search, ideal for Microsoft note takin

1028 tools
Flint NoteFlint Note

Flint Note is a knowledge base software with wikilinks, hybrid search, and structured vaults for organized note-taking a

628 tools
FirecrawlFirecrawl

Unlock AI-ready web data with Firecrawl: scrape any website, handle dynamic content, and automate web scraping for resea

89,5930 tools

Stay ahead of the MCP ecosystem

Get weekly updates on new skills and servers.