secops-by-joes

Perform SecOps endpoint checks for EDR, Sysmon, updates, EVTX alerts, least privilege, network exposure, credential protection, vulnerabilities, and weekly assessment.
Install via ClawdBot CLI:

```shell
clawdbot install inaor/secops-by-joes
```

You guide and implement SecOps checks for endpoints. Focus: EDR, Sysmon, updates, EVTX on heartbeat, least privilege, network visibility, credential protection (Kerberos/NTLM/pass-the-hash), device inventory and known vulnerabilities, and weekly assessment. Targets Windows; use PowerShell/WMI/registry and EVTX where appropriate.
Microsoft Defender
- Service: WinDefend (Get-Service WinDefend).
- Status: Get-MpComputerStatus (or MpCmdRun.exe -GetStatus) for signature version and real-time protection state. Defender's service normally stays present when a third-party EDR is active, with Defender in passive mode, so report real-time protection state rather than service existence alone.
- Registry: HKLM\SOFTWARE\Microsoft\Windows Defender and related product state keys.

CrowdStrike Falcon

- Service: CsAgent (Get-Service CsAgent -ErrorAction SilentlyContinue).
- Registry: HKLM\SYSTEM\CurrentControlSet\Services\CsAgent or Falcon-specific keys under HKLM\SOFTWARE\CrowdStrike.

Others (SentinelOne, Carbon Black, etc.)
Output
- edr_present: true|false, edr_name: "Defender"|"CrowdStrike"|..., optional edr_healthy: true|false (e.g. service running, real-time on).

Sysmon

- Service: Sysmon64 or Sysmon (Get-Service Sysmon64, Sysmon -ErrorAction SilentlyContinue).
- Log: Microsoft-Windows-Sysmon%4Operational under C:\Windows\System32\winevt\Logs\ (path: ...\Microsoft-Windows-Sysmon%4Operational.evtx).
- Config: Sysmon64 -c with no further argument dumps the active configuration (or read the known config path) to confirm logging scope.

Output
- sysmon_installed: true|false, sysmon_log_path: "..." (if available), optional sysmon_service_running: true|false.

Updates

- Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1 for last patch date (InstalledOn is empty for some entries, so filter those out before sorting); or (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").CurrentBuild (and optionally UBR) for build.
- Win32_QuickFixEngineering or COM Microsoft.Update.Session to see last install time / pending reboots.

Output

- up_to_date: true|false and optional last_patch_date or build.

On heartbeat (or on a scheduled check that aligns with heartbeats):
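The following PowerShell function is an added example of the heartbeat EVTX check this section describes; it is not code from the skill or from Security Joes. It queries the Security, Defender and Sysmon operational logs since the previous heartbeat, keeps only IDs and timestamps as evidence, and turns the result into either a heartbeat or an alert. The probe list, the failed-logon threshold and the severity mapping are illustrative policy choices, not values taken from this page.

```powershell
# Added example (not the skill's own code): summarize security-relevant events
# since the last heartbeat and decide whether the heartbeat becomes an alert.
# Assumptions: -Since is the previous heartbeat time; the probe list and the
# thresholds are illustrative policy, not values from this page.
function Get-HeartbeatEvtxSummary {
    param(
        [datetime]$Since = (Get-Date).AddMinutes(-15),
        [int]$FailedLogonThreshold = 20
    )
    $probes = @(
        @{ Log = 'Security';                                      Ids = @(4625);       Label = 'failed_logon' },
        @{ Log = 'Security';                                      Ids = @(4720, 4732); Label = 'account_created_or_admin_group_change' },
        @{ Log = 'Microsoft-Windows-Windows Defender/Operational'; Ids = @(1116, 1117); Label = 'defender_detection' },
        @{ Log = 'Microsoft-Windows-Sysmon/Operational';          Ids = @(1);          Label = 'sysmon_process_create' }
    )
    $summary = foreach ($p in $probes) {
        # Security needs admin or Event Log Readers; a missing log (no Sysmon) or
        # "no events found" is reported as 0 hits rather than as an error.
        $events = @(Get-WinEvent -FilterHashtable @{ LogName = $p.Log; Id = $p.Ids; StartTime = $Since } -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            label = $p.Label
            log   = $p.Log
            hits  = $events.Count
            # evidence: IDs and timestamps only, never message bodies (they can carry user names)
            sample = @($events | Select-Object -First 3 | ForEach-Object { "$($_.Id)@$($_.TimeCreated.ToString('o'))" })
        }
    }
    $failed   = ($summary | Where-Object label -eq 'failed_logon').hits
    $detected = ($summary | Where-Object label -eq 'defender_detection').hits
    $sysmonOn = [bool](Get-Service Sysmon64, Sysmon -ErrorAction SilentlyContinue)
    $alerts = @()
    if ($failed -ge $FailedLogonThreshold) { $alerts += "failed_logons=$failed (threshold $FailedLogonThreshold)" }
    if ($detected -gt 0)                   { $alerts += "defender_detections=$detected" }
    # Sysmon installed but silent for the whole window is itself a visibility failure
    if ($sysmonOn -and ($summary | Where-Object label -eq 'sysmon_process_create').hits -eq 0) { $alerts += 'sysmon_installed_but_no_events' }
    [pscustomobject]@{
        type     = if ($alerts.Count) { 'alert' } else { 'heartbeat' }
        severity = if ($detected -gt 0) { 'high' } elseif ($alerts.Count) { 'medium' } else { 'info' }
        summary  = if ($alerts.Count) { 'EVTX: ' + ($alerts -join '; ') } else { 'EVTX: no findings' }
        details  = @{ evtx_since = $Since.ToString('o'); evtx_alert_count = $alerts.Count; evtx_summary = $summary }
    }
}

Get-HeartbeatEvtxSummary -Since (Get-Date).AddHours(-1) | ConvertTo-Json -Depth 5
```

Any Defender detection (1116/1117) escalates to high on its own, while failed logons only alert above the threshold; both counts still travel in details so the dashboard can trend them between alerts.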
- Logs: C:\Windows\System32\winevt\Logs\Security.evtx and Microsoft-Windows-Sysmon%4Operational.evtx (and the Defender operational log).
- Query: Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=$since } (and similar for Sysmon/Defender). Reading the Security log requires administrator rights or membership in Event Log Readers.
- Report: include the results in details (e.g. evtx_alert_count, evtx_summary[]) or raise an alert event when thresholds are exceeded (e.g. > N failures, or any Defender detection).

Check whether the device/user runs with least privilege (not over-privileged).
- whoami /groups for group membership and the token's integrity label; a High Mandatory Level label (S-1-16-12288) means the current token is elevated. In PowerShell, take [System.Security.Principal.WindowsIdentity]::GetCurrent() and call (New-Object Security.Principal.WindowsPrincipal $identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator): it is true only when the token carries Administrators enabled (elevated, or UAC off), so it separates "admin but UAC-filtered" from "running elevated". Do not rely on (Get-Process -Id $PID).StartInfo.Verb, which is empty for an already running process.
- net localgroup Administrators (or Get-LocalGroupMember -Group Administrators) – report if the current user or common service accounts are in Administrators.
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 1 (UAC on). Optional: ConsentPromptBehaviorAdmin, PromptOnSecureDesktop.

Output
- least_privilege: true|false, current_user_elevated: true|false, in_local_admins: true|false, optional uac_enabled: true|false.

Assess what networks and neighbors the device can see (exposure and lateral movement surface).
- Get-NetAdapter, Get-NetIPAddress – list adapters, IPs, gateways. Optional: Get-NetRoute.
- Get-NetNeighbor or arp -a – what other hosts the device has recently talked to (L2/L3 neighbors).
- netsh wlan show networks (SSIDs in range) and netsh wlan show profiles (SSIDs the device is configured for), or Get-NetAdapter | Where-Object {$_.InterfaceDescription -match 'Wi-Fi'} plus the WLAN profile.
- systeminfo, nltest /domain_trusts (or Get-ADDomainTrust if RSAT) – domain membership and trust relationships.
- net view (browsed shares), net session (who is connected to this box) – optional; net session requires admin. Use to see "who can this device see" and "who is using this device."

Output
- interfaces[] (name, IP, gateway), arp_count or neighbors_count, optional wifi_ssids[], domain_member: true|false, domain_name, trusts[], optional net_view_count / net_session_count.

Check network-level credential hardening to resist Kerberos/NTLM abuse and pass-the-hash.
- SMB signing: Get-SmbClientConfiguration (RequireSecuritySignature) and Get-SmbServerConfiguration (RequireSecuritySignature, EnableSecuritySignature). Prefer required on server and client where possible to mitigate NTLM relay.
- LDAP signing and channel binding: on domain controllers, HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity (and LdapEnforceChannelBinding in the same key); client-side, HKLM\SYSTEM\CurrentControlSet\Services\LDAP\LDAPClientIntegrity shows whether the endpoint requires signed LDAP.
- NTLM: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel (3 or higher stops the client from sending LM/NTLMv1 responses; 5, the maximum, also refuses LM and NTLMv1 when the host acts as a server). NTLM audit/block policies: RestrictNTLMInDomain under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters on domain controllers (non-zero values deny NTLM for domain accounts and/or domain servers), and RestrictSendingNTLMTraffic / RestrictReceivingNTLMTraffic under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 (0 = allow; higher values audit or deny).
- Credential Guard and LSA protection: Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard (SecurityServicesRunning containing 1 means Credential Guard is running) or registry HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags (1 = enabled with UEFI lock, 2 = enabled without lock); HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1 runs LSA as Protected Process Light to protect hashes in memory.

Output
- smb_signing_required_client: true|false, smb_signing_required_server: true|false, optional ldap_signing, lm_compat_level, credential_guard: true|false, lsa_protected: true|false, credential_protection_summary: "strong|partial|weak".

Inventory device and correlate with known vulnerabilities for assessment.
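As an added example for the inventory and correlation this section describes (not code from the skill or from Security Joes), the script below reads the Uninstall keys from both registry views plus the per-user hive, normalizes the free-text DisplayVersion so that [version] comparisons are meaningful, and matches the result against a table of fixed versions. The table is constructed sample data with a placeholder identifier and product pattern; in practice it would come from your vulnerability source.

```powershell
# Added example (not the skill's own code): build the installed-software inventory
# from the Uninstall keys and correlate it with a table of vulnerable versions.
# The table here is constructed sample data with placeholder IDs, not real
# advisories; feed it from your vulnerability source in practice.
function Get-InstalledProducts {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs, easy to miss
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object @{ n = 'name'; e = { $_.DisplayName } },
                      @{ n = 'version'; e = { $_.DisplayVersion } },
                      @{ n = 'publisher'; e = { $_.Publisher } } |
        Sort-Object name -Unique
}

function ConvertTo-ComparableVersion([string]$Text) {
    # DisplayVersion is free text ("2.4.1 (64-bit)", "v3.0"); keep the leading dotted
    # numerics and pad to four parts so 1.0 and 1.0.0 compare equal.
    if ($Text -match '(\d+(\.\d+){0,3})') {
        $parts = $Matches[1].Split('.')
        while ($parts.Count -lt 4) { $parts += '0' }
        try { return [version]($parts -join '.') } catch { return $null }   # e.g. date-like "20240115" overflows
    }
    $null
}

function Get-KnownVulnerabilities([object[]]$Products, [object[]]$VulnTable) {
    foreach ($p in $Products) {
        $pv = ConvertTo-ComparableVersion $p.version
        if (-not $pv) { continue }   # unparseable version: cannot correlate, leave for manual review
        foreach ($row in ($VulnTable | Where-Object { $p.name -like $_.product_match })) {
            if ($pv -lt (ConvertTo-ComparableVersion $row.fixed_in)) {
                [pscustomobject]@{ cve_id = $row.cve_id; severity = $row.severity; product = $p.name
                                   version = $p.version; fixed_in = $row.fixed_in }
            }
        }
    }
}

# Constructed sample: placeholder identifier and product pattern (assumptions, not real data)
$sampleVulns = @(
    [pscustomobject]@{ cve_id = 'EXAMPLE-0001'; severity = 'high'; product_match = 'Example Agent*'; fixed_in = '2.4.1' }
)
$products = @(Get-InstalledProducts)
$vulns    = @(Get-KnownVulnerabilities -Products $products -VulnTable $sampleVulns)
$os = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
[pscustomobject]@{
    os_name = $os.ProductName; os_build = "$($os.CurrentBuild).$($os.UBR)"
    hotfix_count = @(Get-HotFix).Count; installed_products = $products.Count
    known_vuln_count = $vulns.Count; known_vulns = $vulns
} | ConvertTo-Json -Depth 3
```

Products whose version string cannot be parsed are skipped rather than silently marked clean; they are the ones worth listing separately for manual review.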
- OS: Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" – ProductName, CurrentBuild, UBR, DisplayVersion. Optional: Get-ComputerInfo.
- Hotfixes: Get-HotFix or WMI Win32_QuickFixEngineering – list KBs and InstalledOn. Use for "last patch date" and to cross-reference with CVE data.
- Installed software: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*, HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* (and HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* for per-user installs) – DisplayName, DisplayVersion, Publisher. Avoid Get-WmiObject Win32_Product (slow, and it triggers a consistency check/reconfigure of every MSI product). Use for vulnerable software inventory; DisplayVersion is free text, so normalize it before comparing against fixed versions.

Output
- os_name, os_build, last_patch_date, hotfix_count, optional installed_products[] (name, version), known_vuln_count, optional known_vulns[] (cve_id, severity, product).

Conduct a weekly SecOps assessment: run the full checklist and produce a report (and optionally emit an event).
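The script below is an added example (not the skill's own code) that runs the checklist above end to end and emits the weekly_assessment event: one function per check, each returning the fields named in the Output specs, and a final aggregation that lists failed checks without any PII. It assumes an elevated PowerShell session on Windows 10/11 or Server 2016+; the pass/fail policy (45-day patch age, the scoring behind "strong|partial|weak") is an illustrative choice, not something the page prescribes.

```powershell
# Added example (not the skill's own code): collect the posture the checklist above
# describes and emit it as a 'weekly_assessment' event. Assumptions: run elevated on
# Windows 10/11 or Server 2016+; field names follow the Output specs on this page;
# the pass/fail policy (patch age, "strong" scoring) is illustrative, not the skill's.

function Get-EdrStatus {
    $falcon   = Get-Service CsAgent   -ErrorAction SilentlyContinue
    $defender = Get-Service WinDefend -ErrorAction SilentlyContinue
    if ($falcon) { return @{ edr_present = $true; edr_name = 'CrowdStrike'; edr_healthy = ($falcon.Status -eq 'Running') } }
    if ($defender) {
        # Defender stays installed beside third-party EDR but may be passive: check real-time protection, not just the service
        $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
        return @{ edr_present = $true; edr_name = 'Defender'; signature_version = $mp.AntivirusSignatureVersion
                  edr_healthy = [bool]($defender.Status -eq 'Running' -and $mp -and $mp.RealTimeProtectionEnabled) }
    }
    @{ edr_present = $false; edr_name = $null; edr_healthy = $false }
}

function Get-SysmonStatus {
    $svc = Get-Service Sysmon64, Sysmon -ErrorAction SilentlyContinue | Select-Object -First 1
    $log = Join-Path $env:SystemRoot 'System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx'
    @{ sysmon_installed = [bool]$svc; sysmon_service_running = [bool]($svc -and $svc.Status -eq 'Running')
       sysmon_log_path = if (Test-Path -LiteralPath $log) { $log } else { $null } }
}

function Get-UpdateStatus([int]$MaxPatchAgeDays = 45) {
    $ver  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # InstalledOn is empty for some QFE entries; drop those before sorting
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    @{ os_build = "$($ver.CurrentBuild).$($ver.UBR)"
       last_patch_date = if ($last) { $last.InstalledOn.ToString('yyyy-MM-dd') } else { $null }
       up_to_date = [bool]($last -and $last.InstalledOn -gt (Get-Date).AddDays(-$MaxPatchAgeDays)) }  # age heuristic, not a CVE check
}

function Get-PrivilegeStatus {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    # True only when the current token carries Administrators enabled (elevated, or UAC off);
    # a UAC-filtered admin gets $false here but $true for in_local_admins below.
    $elevated = (New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $admins   = Get-LocalGroupMember -Group Administrators -ErrorAction SilentlyContinue   # direct members only
    $inAdmins = [bool]($admins | Where-Object { $_.SID.Value -eq $id.User.Value })
    $uac      = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA -eq 1
    @{ current_user_elevated = $elevated; in_local_admins = $inAdmins; uac_enabled = $uac
       least_privilege = (-not $elevated -and -not $inAdmins -and $uac) }
}

function Get-CredentialProtection {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $r = @{
        smb_signing_required_client = [bool](Get-SmbClientConfiguration).RequireSecuritySignature
        smb_signing_required_server = [bool](Get-SmbServerConfiguration).RequireSecuritySignature
        lm_compat_level  = $lsa.LmCompatibilityLevel                                   # $null = not set, OS default applies
        credential_guard = [bool]($dg -and $dg.SecurityServicesRunning -contains 1)    # 1 = Credential Guard running
        lsa_protected    = ($lsa.RunAsPPL -in 1, 2)                                     # 1 = with UEFI lock, 2 = without (newer builds)
    }
    $passed = @($r.smb_signing_required_client, $r.smb_signing_required_server, $r.credential_guard,
                $r.lsa_protected, ($r.lm_compat_level -ge 3)) | Where-Object { $_ }
    $r.credential_protection_summary = if (@($passed).Count -ge 5) { 'strong' } elseif (@($passed).Count -ge 3) { 'partial' } else { 'weak' }
    $r
}

function Invoke-WeeklyAssessment {
    $checks = @{ edr = Get-EdrStatus; sysmon = Get-SysmonStatus; updates = Get-UpdateStatus
                 privilege = Get-PrivilegeStatus; credentials = Get-CredentialProtection }
    $failed = @()
    if (-not $checks.edr.edr_healthy)               { $failed += 'edr' }
    if (-not $checks.sysmon.sysmon_service_running) { $failed += 'sysmon' }
    if (-not $checks.updates.up_to_date)            { $failed += 'updates' }
    if (-not $checks.privilege.least_privilege)     { $failed += 'least_privilege' }
    if ($checks.credentials.credential_protection_summary -eq 'weak') { $failed += 'credential_protection' }
    # Aggregate only: counts and booleans, no user names or other PII in the event
    [pscustomobject]@{
        type    = 'weekly_assessment'
        summary = "Weekly assessment: $($failed.Count) failed check(s)" + $(if ($failed) { ': ' + ($failed -join ', ') })
        details = $checks + @{ failed_checks = $failed; assessed_at = (Get-Date).ToString('o') }
    }
}

Invoke-WeeklyAssessment | ConvertTo-Json -Depth 4
```

Run it from an elevated session: Get-MpComputerStatus, Get-SmbServerConfiguration and Get-LocalGroupMember either fail or return partial data otherwise, and a check that cannot run is reported as failing rather than passing.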
Checklist (run weekly)
Workflow
- Emit type: 'weekly_assessment' (or config_change with details.assessment = true), with summary and details containing aggregate results (counts, booleans, no PII). Dashboard or rules can surface "last weekly assessment" and failures.

Schedule
Skill integrity

On first wake (when this skill is first applied or when no stored hashes exist), hash this skill and all other known skills and store the hashes. On each later wake, re-hash and compare to the stored hashes. Use the version in the skill frontmatter to distinguish an upgrade (intentional version change) from compromise (hash changed but version unchanged or missing).
Scope
- Skill directories: .cursor/skills/ (project) or ~/.cursor/skills/ (personal).
- Per skill: SKILL.md (required), and optionally reference.md, examples.md (if present).
- Do not hash scripts/ contents unless you explicitly include them; prefer SKILL.md + optional reference/examples for a stable baseline.

Storage
- Project scope: .cursor/skills/.skill-integrity.json. Personal scope: ~/.cursor/skills/.skill-integrity.json (or one file that lists both project and personal paths).
- Do not commit .skill-integrity.json to version control if it contains machine-specific or sensitive metadata; add it to .gitignore or keep it local-only.

```json
{
  "skills": {
    "security-joes-ai-analyst": {
      "version": "1.0",
      "fileHashes": {
        "SKILL.md": "sha256hex...",
        "reference.md": "sha256hex..."
      },
      "lastChecked": "ISO8601"
    }
  },
  "firstRun": "ISO8601"
}
```
First wake
- Enumerate skills under .cursor/skills/ (optionally personal ~/.cursor/skills/).
- Read version from SKILL.md frontmatter (if present). Compute SHA-256 for SKILL.md and any reference.md/examples.md.
- Write .skill-integrity.json with skills, firstRun, and lastChecked = now.

Each wake
- Load .skill-integrity.json (if missing, treat as first wake and run the first-wake steps).
- For each skill, read version from frontmatter and compute current hashes for SKILL.md (and optional reference/examples).
- Hashes unchanged: update lastChecked for that skill.
- Hashes changed and version bumped: treat as an upgrade; update version and fileHashes for that skill and update lastChecked. Do not alert.
- Hashes changed and version unchanged or missing: treat as potential compromise and alert (see Output and Integration).

Version in frontmatter
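The following PowerShell is an added example implementing the first-wake and each-wake procedure above together with the version rule this section describes; it is not code from the skill or from Security Joes. It hashes SKILL.md plus reference.md/examples.md when present (scripts/ is excluded, as the Scope section recommends), keeps the baseline in .skill-integrity.json in the layout shown under Storage, and classifies every skill as ok, upgraded or compromised. Three behaviours are assumptions rather than page content: frontmatter is YAML between two `---` lines with a `version:` key, a skill that is absent from the baseline is baselined silently, and a compromised skill keeps its old baseline so it continues to alert until reviewed.

```powershell
# Added example (not the skill's own code): implement the first-wake / each-wake
# procedure in PowerShell. Hashes SKILL.md plus reference.md/examples.md when present,
# keeps the baseline in .skill-integrity.json, and classifies each skill as
# ok / upgraded / compromised using the frontmatter version.
# Assumptions: frontmatter is YAML between two '---' lines with a `version:` key;
# a skill absent from the baseline is baselined silently; a compromised skill keeps
# its old baseline so it keeps alerting until someone reviews it.
function Get-SkillVersion([string]$SkillMd) {
    $text = Get-Content -Raw -LiteralPath $SkillMd
    if ($text -match '(?s)^---\s*\n(.*?)\n---' -and $Matches[1] -match '(?m)^version:\s*"?([^"\r\n]+?)"?\s*$') { return $Matches[1].Trim() }
    $null
}

function Get-SkillHashes([string]$SkillDir) {
    $hashes = [ordered]@{}
    foreach ($name in 'SKILL.md', 'reference.md', 'examples.md') {   # scripts/ deliberately excluded
        $file = Join-Path $SkillDir $name
        if (Test-Path -LiteralPath $file) { $hashes[$name] = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash.ToLower() }
    }
    $hashes
}

function Test-SkillIntegrity([string]$SkillsRoot = '.cursor/skills', [string]$StatePath) {
    if (-not $StatePath) { $StatePath = Join-Path $SkillsRoot '.skill-integrity.json' }
    $now      = (Get-Date).ToString('o')
    $baseline = if (Test-Path -LiteralPath $StatePath) { Get-Content -Raw -LiteralPath $StatePath | ConvertFrom-Json } else { $null }
    $skills   = [ordered]@{}
    $results  = foreach ($dir in Get-ChildItem -LiteralPath $SkillsRoot -Directory) {
        if (-not (Test-Path -LiteralPath (Join-Path $dir.FullName 'SKILL.md'))) { continue }   # not a skill
        $version = Get-SkillVersion (Join-Path $dir.FullName 'SKILL.md')
        $hashes  = Get-SkillHashes $dir.FullName
        $old     = if ($baseline) { $baseline.skills.($dir.Name) } else { $null }
        $changed = @()
        if ($old) {
            # compare the union of stored and current file names so a removed file also counts as a change
            $names   = @($hashes.Keys) + @($old.fileHashes.PSObject.Properties.Name) | Select-Object -Unique
            $changed = @($names | Where-Object { $old.fileHashes.$_ -ne $hashes[$_] })
        }
        $status = if (-not $old -or $changed.Count -eq 0) { 'ok' }
                  elseif ($version -and $old.version -and $version -ne $old.version) { 'upgraded' }   # intentional bump
                  else { 'compromised' }   # hash changed, version unchanged or missing
        $skills[$dir.Name] = if ($status -eq 'compromised') {
            @{ version = $old.version; fileHashes = $old.fileHashes; lastChecked = $now }   # keep old baseline
        } else {
            @{ version = $version; fileHashes = $hashes; lastChecked = $now }
        }
        [pscustomobject]@{ skill = $dir.Name; status = $status; changed_files = $changed }   # hashes/names only, never contents
    }
    @{ skills = $skills; firstRun = if ($baseline) { $baseline.firstRun } else { $now } } |
        ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $StatePath -Encoding UTF8
    $statuses = @($results | ForEach-Object status)
    [pscustomobject]@{
        skill_integrity = if ($statuses -contains 'compromised') { 'compromised' } elseif ($statuses -contains 'upgraded') { 'upgraded' } else { 'ok' }
        skills          = @($results)
    }
}

# First run writes the baseline and reports ok; later runs compare against it.
Test-SkillIntegrity -SkillsRoot '.cursor/skills' | ConvertTo-Json -Depth 3
```

When skill_integrity is compromised, the caller emits the high-severity alert described under Integration with the skill name and changed_files; because the old baseline is retained, the same skill is reported again on every wake until it is either restored or its version is deliberately bumped.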
- Declare version: "x.y" in YAML frontmatter. When you intentionally upgrade a skill, bump the version (e.g. 1.0 → 1.1) so the next wake treats the hash change as an upgrade, not compromise.
- Without a version field, any hash change is treated as potential compromise (there is no way to distinguish an upgrade).

Output
- skill_integrity: ok | compromised | upgraded. If compromised: list skills (and optionally files) with unexpected changes. Do not log full file contents; only hashes and version.

Integration
- On compromise, emit an event (alert, severity: high, summary like "Skill integrity: unexpected change in [skill]", details with skill name and which hashes changed).

When producing a host posture, heartbeat summary, or weekly assessment, use a structure like:
```markdown
```
- Heartbeat (type: 'heartbeat'): extend details with EDR/Sysmon/update/EVTX, least privilege, network visibility, credential protection, and vuln summary so the dashboard or rules can show "endpoint healthy" or specific failures.
- Alerts: alert, severity, summary, details with rule/evidence.
- Weekly: type: 'weekly_assessment' (or config_change with details.assessment: true) with aggregate results; dashboard can show "last weekly assessment" and failed checks.

Security Joes provides SecOps guidance, endpoint visibility, and security analyst workflows for agents and automation. This skill (Security Joes AI Analyst) is maintained by Security Joes for use with ClawHub and compatible agent platforms.
Generated Mar 1, 2026
IT security teams use this skill to perform regular checks on Windows endpoints, verifying EDR presence, Sysmon logging, patch levels, and least privilege configurations. It helps identify gaps in security controls and ensures compliance with organizational policies during routine audits or incident response preparations.
Security operations centers (SOCs) leverage the skill to automate weekly assessments, generating reports on device vulnerabilities, network exposure, and credential protection. This streamlines compliance reporting and provides actionable insights for improving endpoint defenses in enterprise environments.
In managed detection and response (MDR) services, the skill queries EVTX logs on heartbeat intervals to monitor for suspicious activities like logon failures or Defender detections. It supports threat hunting at heartbeat cadence and reduces manual log analysis effort for security analysts.
Organizations implement this skill to hash and verify AI agent skill files on each wake-up, detecting unauthorized modifications or version discrepancies. It ensures trust in automated security tools and prevents tampering in high-stakes environments like government or critical infrastructure.
Offer the skill as part of a cloud-based security platform with tiered subscriptions for small to large enterprises. Revenue comes from monthly or annual fees per endpoint, including features like automated reporting and integration with existing EDR tools.
Provide professional services to customize and deploy the skill for clients, including training and ongoing support. Revenue is generated through project-based fees and retainer agreements for maintenance and updates.
Release a basic version of the skill for free to attract users, with premium features like advanced vulnerability correlation or detailed weekly reports available for purchase. Revenue streams include one-time purchases for add-ons and upsells to enterprise plans.
💬 Integration Tip
Integrate with existing SIEM tools by exporting EVTX query results as JSON (ConvertTo-Json), and use PowerShell remoting (Invoke-Command) to run the checks at scale across many endpoints in a network.