mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-13 19:05:17 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,110 @@
|
||||
# API Reference: Campaign Attribution Evidence Analysis
|
||||
|
||||
## Diamond Model of Intrusion Analysis
|
||||
|
||||
### Four Core Features
|
||||
| Feature | Description | Attribution Value |
|
||||
|---------|-------------|-------------------|
|
||||
| Adversary | Threat actor identity | Direct attribution |
|
||||
| Capability | Malware, exploits, tools | Indirect - shared tooling |
|
||||
| Infrastructure | C2, domains, IPs | Strong - operational overlap |
|
||||
| Victim | Targets, sectors, regions | Contextual - targeting pattern |
|
||||
|
||||
### Pivot Analysis
|
||||
```
|
||||
Adversary ←→ Capability ←→ Infrastructure ←→ Victim
|
||||
↕ ↕ ↕ ↕
|
||||
(HUMINT) (Malware DB) (WHOIS/DNS) (Victimology)
|
||||
```
|
||||
|
||||
## Analysis of Competing Hypotheses (ACH)
|
||||
|
||||
### Matrix Format
|
||||
```
|
||||
Evidence \ Hypothesis | APT28 | APT29 | Lazarus | Unknown
|
||||
-----------------------------------------------------------------
|
||||
Infrastructure overlap | ++ | - | - | N
|
||||
TTP consistency | ++ | ++ | - | N
|
||||
Malware similarity | + | - | - | N
|
||||
Timing (UTC+3) | ++ | ++ | - | N
|
||||
Language (Russian) | ++ | ++ | - | N
|
||||
```
|
||||
|
||||
### Scoring
|
||||
| Symbol | Meaning | Weight |
|
||||
|--------|---------|--------|
|
||||
| `++` | Strongly consistent | +2 |
|
||||
| `+` | Consistent | +1 |
|
||||
| `N` | Neutral | 0 |
|
||||
| `-` | Inconsistent | -1 |
|
||||
| `--` | Strongly inconsistent | -2 |
|
||||
|
||||
## MITRE ATT&CK Group Queries
|
||||
|
||||
### Python (mitreattack-python)
|
||||
```python
|
||||
from mitreattack.stix20 import MitreAttackData
|
||||
attack = MitreAttackData("enterprise-attack.json")
|
||||
group = attack.get_group_by_alias("APT29")
|
||||
techniques = attack.get_techniques_used_by_group(group.id)
|
||||
```
|
||||
|
||||
### STIX2 Relationship Query
|
||||
```python
|
||||
from stix2 import Filter
|
||||
relationships = src.query([
|
||||
Filter("type", "=", "relationship"),
|
||||
Filter("source_ref", "=", group_id),
|
||||
Filter("relationship_type", "=", "uses"),
|
||||
])
|
||||
```
|
||||
|
||||
## Infrastructure Overlap Tools
|
||||
|
||||
### PassiveTotal / RiskIQ
|
||||
```bash
|
||||
# WHOIS history
|
||||
curl -u user:key "https://api.passivetotal.org/v2/whois?query=domain.com"
|
||||
|
||||
# Passive DNS
|
||||
curl -u user:key "https://api.passivetotal.org/v2/dns/passive?query=1.2.3.4"
|
||||
```
|
||||
|
||||
### VirusTotal Relations
|
||||
```bash
|
||||
curl -H "x-apikey: KEY" \
|
||||
"https://www.virustotal.com/api/v3/domains/example.com/communicating_files"
|
||||
```
|
||||
|
||||
## Confidence Assessment Framework
|
||||
|
||||
| Level | Score Range | Criteria |
|
||||
|-------|------------|---------|
|
||||
| HIGH | 0.8-1.0 | Multiple independent evidence types converge |
|
||||
| MEDIUM | 0.5-0.8 | Significant evidence with some gaps |
|
||||
| LOW | 0.2-0.5 | Limited evidence, alternative hypotheses remain |
|
||||
| NEGLIGIBLE | 0.0-0.2 | Insufficient evidence for attribution |
|
||||
|
||||
## STIX Attribution Objects
|
||||
|
||||
### Campaign Object
|
||||
```json
|
||||
{
|
||||
"type": "campaign",
|
||||
"name": "Operation DarkShadow",
|
||||
"first_seen": "2024-01-15T00:00:00Z",
|
||||
"last_seen": "2024-03-20T00:00:00Z",
|
||||
"objective": "Espionage targeting defense sector"
|
||||
}
|
||||
```
|
||||
|
||||
### Attribution Relationship
|
||||
```json
|
||||
{
|
||||
"type": "relationship",
|
||||
"relationship_type": "attributed-to",
|
||||
"source_ref": "campaign--abc123",
|
||||
"target_ref": "intrusion-set--def456",
|
||||
"confidence": 75
|
||||
}
|
||||
```
|
||||
Reference in New Issue
Block a user