Detecting compromised cloud credentials across AWS, Azure, and GCP by analyzing anomalous API activity, impossible travel patterns, unauthorized resource provisioning, and credential abuse indicators using GuardDuty, Defender for Identity, and SCC Event Threat Detection.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versiondetecting-compromised-cloud-credentialsExecute the skills CLI command in your project's root directory to begin installation:
Fetches detecting-compromised-cloud-credentials from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate detecting-compromised-cloud-credentials. Access via /detecting-compromised-cloud-credentials in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | detecting-compromised-cloud-credentials |
| description | 'Detecting compromised cloud credentials across AWS, Azure, and GCP by analyzing anomalous API activity, impossible travel patterns, unauthorized resource provisioning, and credential abuse indicators using GuardDuty, Defender for Identity, and SCC Event Threat Detection. ' |
| domain | cybersecurity |
| subdomain | cloud-security |
| tags | - cloud-security - credential-compromise - threat-detection - guardduty - incident-response - anomaly-detection |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - ID.AM-08 - GV.SC-06 - DE.CM-01 |
Do not use for preventing credential compromise (use MFA, credential rotation, and secrets management), for detecting application-level credential theft (use application security monitoring), or for endpoint credential harvesting detection (use EDR tools).
Monitor GuardDuty findings and CloudTrail anomalies that indicate credential abuse.
# List GuardDuty credential-related findings
aws guardduty list-findings \
--detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
--finding-criteria '{
"Criterion": {
"type": {
"Eq": [
"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
"UnauthorizedAccess:IAMUser/MaliciousIPCaller",
"UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
"UnauthorizedAccess:IAMUser/TorIPCaller",
"UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B",
"Recon:IAMUser/MaliciousIPCaller",
"Recon:IAMUser/MaliciousIPCaller.Custom",
"InitialAccess:IAMUser/AnomalousBehavior",
"CredentialAccess:IAMUser/AnomalousBehavior",
"Persistence:IAMUser/AnomalousBehavior"
]
},
"service.archived": {"Eq": ["false"]}
}
}' --output json
# Check for console logins from new locations
aws logs start-query \
--log-group-name cloudtrail-logs \
--start-time $(date -d "7 days ago" +%s) \
--end-time $(date +%s) \
--query-string '
fields @timestamp, userIdentity.userName, sourceIPAddress, responseElements.ConsoleLogin
| filter eventName = "ConsoleLogin"
| filter responseElements.ConsoleLogin = "Success"
| stats count() by userIdentity.userName, sourceIPAddress
| sort count desc
'
# Detect impossible travel (same user from geographically distant IPs within short time)
aws logs start-query \
--log-group-name cloudtrail-logs \
--start-time $(date -d "24 hours ago" +%s) \
--end-time $(date +%s) \
--query-string '
fields @timestamp, userIdentity.arn, sourceIPAddress, eventName
| filter userIdentity.type = "IAMUser"
| stats earliest(@timestamp) as first_seen, latest(@timestamp) as last_seen,
count_distinct(sourceIPAddress) as unique_ips by userIdentity.arn
| filter unique_ips > 3
'
Monitor Entra ID sign-in logs and Defender for Identity alerts for compromised credentials.
# Check for risky sign-ins
az rest --method GET \
--url "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=riskLevelDuringSignIn ne 'none' and createdDateTime ge 2026-02-16T00:00:00Z&\$top=50" \
--query "value[*].{User:userPrincipalName,Risk:riskLevelDuringSignIn,IP:ipAddress,Location:location.city,App:appDisplayName,Status:status.errorCode}" \
-o table
# Check for sign-ins from anonymous or Tor IPs
az rest --method GET \
--url "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=riskEventTypes_v2/any(r:r eq 'anonymizedIPAddress') and createdDateTime ge 2026-02-22T00:00:00Z" \
--query "value[*].{User:userPrincipalName,IP:ipAddress,Location:location.city}" \
-o table
# List users flagged as compromised by Identity Protection
az rest --method GET \
--url "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?\$filter=riskLevel eq 'high'" \
--query "value[*].{User:userPrincipalName,RiskLevel:riskLevel,RiskState:riskState,LastDetected:riskLastUpdatedDateTime}" \
-o table
# Check for suspicious application consent grants
az rest --method GET \
--url "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?\$filter=activityDisplayName eq 'Consent to application' and activityDateTime ge 2026-02-16T00:00:00Z" \
--query "value[*].{Activity:activityDisplayName,User:initiatedBy.user.userPrincipalName,App:targetResources[0].displayName}" \
-o table
Query GCP audit logs and SCC findings for credential compromise indicators.
# Check SCC Event Threat Detection findings
gcloud scc findings list ORG_ID \
--filter="state=\"ACTIVE\" AND (category=\"ANOMALOUS_CALLER_LOCATION\" OR category=\"SUSPICIOUS_LOGIN\" OR category=\"CREDENTIAL_ACCESS\")" \
--format="table(finding.category, finding.severity, finding.resourceName, finding.eventTime)"
# Query audit logs for service account key usage from unusual IPs
gcloud logging read '
protoPayload.authenticationInfo.principalEmail:*@*.iam.gserviceaccount.com
AND protoPayload.requestMetadata.callerIp!=("10." OR "172." OR "192.168.")
AND timestamp>="2026-02-22T00:00:00Z"
' --limit=100 --format="table(timestamp, protoPayload.authenticationInfo.principalEmail, protoPayload.requestMetadata.callerIp, protoPayload.methodName)"
# Detect API calls from Tor exit nodes
gcloud logging read '
protoPayload.requestMetadata.callerIp:("185." OR "198." OR "45.")
AND protoPayload.authenticationInfo.principalEmail:*@company.com
AND timestamp>="2026-02-22T00:00:00Z"
' --limit=50 --format=json
# Check for new service account keys created (persistence indicator)
gcloud logging read '
protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey"
AND timestamp>="2026-02-16T00:00:00Z"
' --format="table(timestamp, protoPayload.authenticationInfo.principalEmail, protoPayload.request.name)"
Create SIEM rules that correlate credential abuse indicators across cloud providers.
# siem_correlation.py - Cross-cloud credential abuse detection
import json
from datetime import datetime, timedelta
def detect_impossible_travel(events):
"""Detect same identity used from distant locations in short timeframe."""
user_events = {}
for event in events:
user = event.get('principal', '')
ip = event.get('source_ip', '')
ts = event.get('timestamp', '')
cloud = event.get('cloud_provider', '')
key = f"{user}_{cloud}"
if key not in user_events:
user_events[key] = []
user_events[key].append({'ip': ip, 'timestamp': ts, 'cloud': cloud})
alerts = []
for user_key, accesses in user_events.items():
accesses.sort(key=lambda x: x['timestamp'])
for i in range(1, len(accesses)):
time_diff = (datetime.fromisoformat(accesses[i]['timestamp']) -
datetime.fromisoformat(accesses[i-1]['timestamp']))
if time_diff < timedelta(hours=1) and accesses[i]['ip'] != accesses[i-1]['ip']:
alerts.append({
'type': 'IMPOSSIBLE_TRAVEL',
'user': user_key,
'ip_1': accesses[i-1]['ip'],
'ip_2': accesses[i]['ip'],
'time_gap_minutes': time_diff.total_seconds() / 60,
'severity': 'HIGH'
})
return alerts
def detect_credential_stuffing(events, threshold=10):
"""Detect multiple failed logins followed by success."""
user_attempts = {}
for event in events:
user = event.get('principal', '')
success = event.get('success', False)
key = user
if key not in user_attempts:
user_attempts[key] = {'failures': 0, 'success_after_failures': False}
if not success:
user_attempts[key]['failures'] += 1
elif user_attempts[key]['failures'] >= threshold:
user_attempts[key]['success_after_failures'] = True
return [{'user': u, 'failures': d['failures'], 'severity': 'CRITICAL'}
for u, d in user_attempts.items() if d['success_after_failures']]
Execute containment actions when credential compromise is confirmed.
# AWS: Deactivate access key immediately
aws iam update-access-key --user-name COMPROMISED_USER \
--access-key-id AKIA_COMPROMISED --status Inactive
# AWS: Invalidate temporary role credentials by updating role trust policy
aws iam update-assume-role-policy --role-name COMPROMISED_ROLE \
--policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Principal":"*","Action":"sts:AssumeRole"}]}'
# AWS: Revoke all sessions for an IAM user
aws iam put-user-policy --user-name COMPROMISED_USER \
--policy-name RevokeOldSessions \
--policy-document '{
"Version":"2012-10-17",
"Statement":[{
"Effect":"Deny",
"Action":"*",
"Resource":"*",
"Condition":{"DateLessThan":{"aws:TokenIssueTime":"2026-02-23T10:00:00Z"}}
}]
}'
# Azure: Revoke all sign-in sessions
az rest --method POST \
--url "https://graph.microsoft.com/v1.0/users/COMPROMISED_USER_ID/revokeSignInSessions"
# Azure: Force password reset
az ad user update --id COMPROMISED_USER_ID --force-change-password-next-sign-in true
# GCP: Disable service account
gcloud iam service-accounts disable COMPROMISED_SA_EMAIL
# GCP: Delete service account keys
gcloud iam service-accounts keys delete KEY_ID --iam-account=COMPROMISED_SA_EMAIL
| Term | Definition |
|---|---|
| Impossible Travel | Detection of the same credential being used from geographically distant locations within a time period that makes physical travel impossible |
| Credential Stuffing | Attack using stolen username/password combinations from data breaches to attempt login across multiple cloud services |
| Instance Credential Exfiltration | GuardDuty finding indicating EC2 instance role credentials are being used from outside the expected AWS network |
| Anomalous Behavior | Machine learning-based detection of API call patterns that deviate significantly from the established baseline for a principal |
| Session Revocation | Invalidating all active authentication sessions for a compromised principal to force re-authentication with new credentials |
| Persistence Indicator | Attacker actions designed to maintain access after initial compromise, such as creating new access keys or service account keys |
Context: A developer receives a phishing email that harvests their AWS console credentials. The attacker logs in from a foreign IP, creates a new access key, and begins enumerating the account.
Approach:
UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B for login from unusual countryPitfalls: Simply changing the password does not invalidate existing access keys or active sessions. All access keys must be rotated and temporary credentials revoked by adding a deny-all policy for tokens issued before the compromise was detected. Attackers may create new IAM users or roles for persistence before the initial credential is revoked.
Cloud Credential Compromise Detection Report
===============================================
Detection Date: 2026-02-23
Scope: Multi-cloud (AWS, Azure, GCP)
Period: 2026-02-16 to 2026-02-23
ACTIVE COMPROMISE INDICATORS:
[CRED-001] AWS Console Login from Unusual Location
User: [email protected]
Source IP: 185.x.x.x (Russia)
Normal Location: US-East
GuardDuty Finding: UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B
Severity: HIGH
Status: Credential deactivated
[CRED-002] Azure Impossible Travel Detection
User: [email protected]
Location 1: New York, US (09:00 UTC)
Location 2: Beijing, CN (09:15 UTC)
Risk Level: HIGH
Status: Sessions revoked, under investigation
DETECTION METRICS (Last 7 Days):
Impossible travel detections: 5
Anomalous API activity alerts: 12
Failed login attempts > threshold: 3
New credentials from unusual IPs: 2
Total compromises confirmed: 2
CONTAINMENT ACTIONS TAKEN:
AWS access keys deactivated: 3
Azure sessions revoked: 2
GCP service accounts disabled: 1
Passwords force-reset: 4
MFA re-enrolled: 4
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Useful defaults in detecting-compromised-cloud-credentials — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Solid pick for teams standardizing on skills: detecting-compromised-cloud-credentials is focused, and the summary matches what you get after install.
detecting-compromised-cloud-credentials is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Registry listing for detecting-compromised-cloud-credentials matched our evaluation — installs cleanly and behaves as described in the markdown.
I recommend detecting-compromised-cloud-credentials for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Keeps context tight: detecting-compromised-cloud-credentials is the kind of skill you can hand to a new teammate without a long onboarding doc.
Solid pick for teams standardizing on skills: detecting-compromised-cloud-credentials is focused, and the summary matches what you get after install.
Registry listing for detecting-compromised-cloud-credentials matched our evaluation — installs cleanly and behaves as described in the markdown.
We added detecting-compromised-cloud-credentials from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
detecting-compromised-cloud-credentials reduced setup friction for our internal harness; good balance of opinion and flexibility.
showing 1-10 of 35