mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 04:35:18 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,112 @@
|
||||
# API Reference: Office Macro Malware Analysis Tools
|
||||
|
||||
## olevba - VBA Macro Extraction (oletools)
|
||||
|
||||
### CLI Syntax
|
||||
```bash
|
||||
olevba document.docm # Full analysis
|
||||
olevba --decode --deobf document.docm # Decode + deobfuscate
|
||||
olevba --code document.docm # Extract VBA source only
|
||||
olevba --json document.docm # JSON output
|
||||
olevba --reveal document.docm # Reveal hidden content
|
||||
```
|
||||
|
||||
### Output Sections
|
||||
| Section | Content |
|
||||
|---------|---------|
|
||||
| `AutoExec` | Auto-execution triggers (AutoOpen, Document_Open) |
|
||||
| `Suspicious` | Dangerous functions (Shell, WScript, CreateObject) |
|
||||
| `IOC` | Extracted indicators (URLs, IPs, file paths) |
|
||||
| `Hex String` | Decoded hex-encoded strings |
|
||||
|
||||
### Python API
|
||||
```python
|
||||
from oletools.olevba import VBA_Parser
|
||||
vba = VBA_Parser("document.docm")
|
||||
if vba.detect_vba_macros():
|
||||
for (fn, stream, vba_fn, code) in vba.extract_macros():
|
||||
print(code)
|
||||
for (kw_type, keyword, desc) in vba.analyze_macros():
|
||||
print(f"{kw_type}: {keyword}")
|
||||
vba.close()
|
||||
```
|
||||
|
||||
## oleid - Document Capability Identification
|
||||
|
||||
### CLI Syntax
|
||||
```bash
|
||||
oleid document.docm
|
||||
```
|
||||
|
||||
### Indicators
|
||||
| Indicator | Risk Values |
|
||||
|-----------|-------------|
|
||||
| `VBA Macros` | True/False |
|
||||
| `XLM Macros` | True/False |
|
||||
| `External Relationships` | True/False |
|
||||
| `ObjectPool` | True/False |
|
||||
| `Flash` | True/False |
|
||||
|
||||
## oledump.py - OLE Stream Analysis
|
||||
|
||||
### CLI Syntax
|
||||
```bash
|
||||
oledump.py document.docm # List streams
|
||||
oledump.py -s 8 -v document.docm # Extract stream 8
|
||||
oledump.py -p plugin_vba_dco document.docm # VBA decompile
|
||||
oledump.py -p plugin_msg.py document.msg # MSG file parsing
|
||||
```
|
||||
|
||||
### Stream Markers
|
||||
| Marker | Meaning |
|
||||
|--------|---------|
|
||||
| `M` | Contains VBA macros |
|
||||
| `m` | Contains macro attributes |
|
||||
| `O` | Contains OLE objects |
|
||||
|
||||
## XLMDeobfuscator - Excel 4.0 Macros
|
||||
|
||||
### CLI Syntax
|
||||
```bash
|
||||
xlmdeobfuscator -f document.xlsm
|
||||
xlmdeobfuscator -f document.xlsm --output-format json
|
||||
```
|
||||
|
||||
### Dangerous XLM Functions
|
||||
| Function | Purpose |
|
||||
|----------|---------|
|
||||
| `EXEC()` | Execute shell command |
|
||||
| `CALL()` | Call DLL function |
|
||||
| `REGISTER()` | Register DLL function |
|
||||
| `URLDownloadToFileA` | Download file from URL |
|
||||
|
||||
## VBA Auto-Execution Triggers
|
||||
|
||||
| Trigger | Application |
|
||||
|---------|-------------|
|
||||
| `Auto_Open` / `AutoOpen` | Word |
|
||||
| `Document_Open` | Word |
|
||||
| `Workbook_Open` | Excel |
|
||||
| `Auto_Close` | Word |
|
||||
| `AutoExec` | Word |
|
||||
|
||||
## VBA Suspicious Functions
|
||||
|
||||
| Function | Risk |
|
||||
|----------|------|
|
||||
| `Shell()` | Command execution |
|
||||
| `WScript.Shell` | Windows scripting |
|
||||
| `CreateObject()` | COM object instantiation |
|
||||
| `URLDownloadToFile` | File download |
|
||||
| `MSXML2.XMLHTTP` | HTTP requests |
|
||||
| `ADODB.Stream` | Binary file writing |
|
||||
| `CallByName` | Indirect method invocation |
|
||||
| `Environ()` | Environment variable access |
|
||||
|
||||
## ViperMonkey - VBA Emulation
|
||||
|
||||
### Syntax
|
||||
```bash
|
||||
vmonkey document.docm
|
||||
vmonkey --iocs document.docm # Extract IOCs only
|
||||
```
|
||||
Reference in New Issue
Block a user