Initial commit - 611 cybersecurity skills across all subdomains

2026-06-16 07:53:18 +03:00 · 2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+"""Fileless Attack Detector - Scans PowerShell logs for fileless attack indicators."""
+
+import json, csv, re, sys, os
+from collections import Counter
+from datetime import datetime
+
+FILELESS_PATTERNS = {
+    "encoded_command": r"(?i)(-enc\s|-e\s|-encodedcommand|frombase64string)",
+    "download_cradle": r"(?i)(downloadstring|invoke-webrequest|net\.webclient|wget\s|curl\s)",
+    "amsi_bypass": r"(?i)(amsiutils|amsiinitfailed|amsi\.dll)",
+    "reflection": r"(?i)(system\.reflection|loadassembly|gettype.*invoke)",
+    "wmi_abuse": r"(?i)(win32_process.*create|wmiclass|managementclass)",
+    "credential_access": r"(?i)(mimikatz|invoke-mimikatz|sekurlsa|logonpasswords)",
+    "invoke_expression": r"(?i)(iex\s|invoke-expression)",
+}
+
+
+def scan_powershell_logs(csv_path: str) -> list:
+    detections = []
+    with open(csv_path, "r", encoding="utf-8-sig") as f:
+        for row in csv.DictReader(f):
+            script = row.get("ScriptBlockText", row.get("Message", ""))
+            for pattern_name, pattern in FILELESS_PATTERNS.items():
+                if re.search(pattern, script):
+                    detections.append({
+                        "timestamp": row.get("TimeCreated", row.get("Date and Time", "")),
+                        "host": row.get("Computer", row.get("MachineName", "")),
+                        "technique": pattern_name,
+                        "script_excerpt": script[:300],
+                    })
+                    break
+    return detections
+
+
+def generate_report(detections: list, output_path: str) -> None:
+    by_technique = Counter(d["technique"] for d in detections)
+    report = {
+        "report_generated": datetime.utcnow().isoformat() + "Z",
+        "total_detections": len(detections),
+        "by_technique": dict(by_technique),
+        "detections": detections[:100],
+    }
+    with open(output_path, "w") as f:
+        json.dump(report, f, indent=2)
+
+
+if __name__ == "__main__":
+    if len(sys.argv) < 2:
+        print("Usage: python process.py <powershell_logs.csv>")
+        sys.exit(1)
+    detections = scan_powershell_logs(sys.argv[1])
+    out = os.path.join(os.path.dirname(sys.argv[1]) or ".", "fileless_detection_report.json")
+    generate_report(detections, out)
+    print(f"Detections: {len(detections)}")