Agentic Coding Skill Files Created by Suspicious Process

Rule Info

Name: Agentic Coding Skill Files Created by Suspicious Process
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects creation of agentic skill files by suspicious processes. Agentic skill files are typically markdown files that define capabilities for agentic AI coding assistants like Claude Code. Adversaries may drop malicious skill definition files and invoke them for malicious purposes.
Reference: Internal Research
Date: 2026-05-15 00:00:00
Modified: None
Id: b7e94c2f-1d3a-4b8f-c6e2-9f0a5d2e8c3b
Tags: attack.persistence attack.execution attack.t1204.002
Type: Nextron Sigma feed only (private)

Rule History