mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-05 23:38:57 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,193 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Active breach containment agent for incident response operations."""
|
||||
|
||||
import json
|
||||
import subprocess
|
||||
import sys
|
||||
from datetime import datetime
|
||||
|
||||
|
||||
def block_ip_at_firewall(ip_address, chain="INPUT", comment="breach-containment"):
|
||||
"""Block a C2 or malicious IP address using iptables."""
|
||||
cmd = [
|
||||
"iptables", "-A", chain, "-s", ip_address, "-j", "DROP",
|
||||
"-m", "comment", "--comment", comment,
|
||||
]
|
||||
try:
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
|
||||
return {
|
||||
"action": "block_ip",
|
||||
"ip": ip_address,
|
||||
"success": result.returncode == 0,
|
||||
"error": result.stderr.strip() if result.returncode != 0 else None,
|
||||
"timestamp": datetime.utcnow().isoformat() + "Z",
|
||||
}
|
||||
except Exception as e:
|
||||
return {"action": "block_ip", "ip": ip_address, "success": False, "error": str(e)}
|
||||
|
||||
|
||||
def disable_ad_account(username, domain_controller=None):
|
||||
"""Disable a compromised Active Directory account via PowerShell."""
|
||||
ps_cmd = f'Disable-ADAccount -Identity "{username}" -Confirm:$false'
|
||||
if domain_controller:
|
||||
ps_cmd += f' -Server "{domain_controller}"'
|
||||
cmd = ["powershell", "-Command", ps_cmd]
|
||||
try:
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
|
||||
return {
|
||||
"action": "disable_account",
|
||||
"username": username,
|
||||
"success": result.returncode == 0,
|
||||
"error": result.stderr.strip() if result.returncode != 0 else None,
|
||||
"timestamp": datetime.utcnow().isoformat() + "Z",
|
||||
}
|
||||
except Exception as e:
|
||||
return {"action": "disable_account", "username": username, "success": False, "error": str(e)}
|
||||
|
||||
|
||||
def reset_ad_password(username, domain_controller=None):
|
||||
"""Force password reset for a compromised AD account."""
|
||||
ps_cmd = (
|
||||
f'Set-ADAccountPassword -Identity "{username}" -Reset '
|
||||
f'-NewPassword (ConvertTo-SecureString -AsPlainText '
|
||||
f'"TempP@ss{datetime.now().strftime("%H%M%S")}!" -Force)'
|
||||
)
|
||||
if domain_controller:
|
||||
ps_cmd += f' -Server "{domain_controller}"'
|
||||
cmd = ["powershell", "-Command", ps_cmd]
|
||||
try:
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
|
||||
return {
|
||||
"action": "reset_password",
|
||||
"username": username,
|
||||
"success": result.returncode == 0,
|
||||
"timestamp": datetime.utcnow().isoformat() + "Z",
|
||||
}
|
||||
except Exception as e:
|
||||
return {"action": "reset_password", "username": username, "success": False, "error": str(e)}
|
||||
|
||||
|
||||
def isolate_host_firewall(host_ip, management_ip=None):
|
||||
"""Isolate a compromised host by blocking all traffic except management."""
|
||||
commands = []
|
||||
if management_ip:
|
||||
commands.append(
|
||||
["iptables", "-A", "FORWARD", "-s", host_ip, "-d", management_ip, "-j", "ACCEPT"]
|
||||
)
|
||||
commands.append(
|
||||
["iptables", "-A", "FORWARD", "-s", management_ip, "-d", host_ip, "-j", "ACCEPT"]
|
||||
)
|
||||
commands.append(["iptables", "-A", "FORWARD", "-s", host_ip, "-j", "DROP"])
|
||||
commands.append(["iptables", "-A", "FORWARD", "-d", host_ip, "-j", "DROP"])
|
||||
|
||||
results = []
|
||||
for cmd in commands:
|
||||
try:
|
||||
r = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
|
||||
results.append({"cmd": " ".join(cmd), "success": r.returncode == 0})
|
||||
except Exception as e:
|
||||
results.append({"cmd": " ".join(cmd), "success": False, "error": str(e)})
|
||||
|
||||
return {
|
||||
"action": "isolate_host",
|
||||
"host_ip": host_ip,
|
||||
"management_ip": management_ip,
|
||||
"results": results,
|
||||
"timestamp": datetime.utcnow().isoformat() + "Z",
|
||||
}
|
||||
|
||||
|
||||
def block_smb_lateral_movement():
|
||||
"""Block SMB (port 445) between server VLANs to prevent lateral movement."""
|
||||
cmd = ["iptables", "-A", "FORWARD", "-p", "tcp", "--dport", "445", "-j", "DROP"]
|
||||
try:
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
|
||||
return {
|
||||
"action": "block_smb",
|
||||
"success": result.returncode == 0,
|
||||
"timestamp": datetime.utcnow().isoformat() + "Z",
|
||||
}
|
||||
except Exception as e:
|
||||
return {"action": "block_smb", "success": False, "error": str(e)}
|
||||
|
||||
|
||||
def sinkhole_domain(domain, sinkhole_ip="127.0.0.1", hosts_file="/etc/hosts"):
|
||||
"""Add DNS sinkhole entry for a C2 domain."""
|
||||
entry = f"{sinkhole_ip}\t{domain}\t# breach-containment {datetime.utcnow().isoformat()}"
|
||||
try:
|
||||
with open(hosts_file, "r") as f:
|
||||
existing = f.read()
|
||||
if domain in existing:
|
||||
return {"action": "sinkhole", "domain": domain, "status": "already_sinkholed"}
|
||||
with open(hosts_file, "a") as f:
|
||||
f.write("\n" + entry + "\n")
|
||||
return {
|
||||
"action": "sinkhole",
|
||||
"domain": domain,
|
||||
"sinkhole_ip": sinkhole_ip,
|
||||
"success": True,
|
||||
"timestamp": datetime.utcnow().isoformat() + "Z",
|
||||
}
|
||||
except Exception as e:
|
||||
return {"action": "sinkhole", "domain": domain, "success": False, "error": str(e)}
|
||||
|
||||
|
||||
def collect_volatile_evidence(host="localhost"):
|
||||
"""Collect volatile system data from a compromised host for forensics."""
|
||||
evidence = {}
|
||||
commands = {
|
||||
"processes": ["ps", "auxww"],
|
||||
"network_connections": ["ss", "-tunap"],
|
||||
"logged_users": ["who"],
|
||||
"routing_table": ["ip", "route", "show"],
|
||||
"arp_table": ["arp", "-an"],
|
||||
"open_files": ["lsof", "-i", "-P"],
|
||||
}
|
||||
for name, cmd in commands.items():
|
||||
try:
|
||||
r = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
|
||||
evidence[name] = r.stdout.strip()
|
||||
except Exception as e:
|
||||
evidence[name] = f"Error: {e}"
|
||||
|
||||
return {
|
||||
"action": "collect_evidence",
|
||||
"host": host,
|
||||
"evidence": evidence,
|
||||
"timestamp": datetime.utcnow().isoformat() + "Z",
|
||||
}
|
||||
|
||||
|
||||
def generate_containment_report(incident_id, actions_taken):
|
||||
"""Generate a structured containment status report."""
|
||||
return {
|
||||
"report_type": "CONTAINMENT_STATUS",
|
||||
"incident_id": incident_id,
|
||||
"timestamp": datetime.utcnow().isoformat() + "Z",
|
||||
"status": "CONTAINED",
|
||||
"actions_taken": actions_taken,
|
||||
"validation_pending": [
|
||||
"Confirm C2 beacons ceased",
|
||||
"Verify disabled accounts produce auth failures",
|
||||
"Check no new lateral movement attempts",
|
||||
],
|
||||
}
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
action = sys.argv[1] if len(sys.argv) > 1 else "help"
|
||||
if action == "block-ip" and len(sys.argv) > 2:
|
||||
print(json.dumps(block_ip_at_firewall(sys.argv[2]), indent=2))
|
||||
elif action == "disable-account" and len(sys.argv) > 2:
|
||||
print(json.dumps(disable_ad_account(sys.argv[2]), indent=2))
|
||||
elif action == "isolate-host" and len(sys.argv) > 2:
|
||||
mgmt = sys.argv[3] if len(sys.argv) > 3 else None
|
||||
print(json.dumps(isolate_host_firewall(sys.argv[2], mgmt), indent=2))
|
||||
elif action == "block-smb":
|
||||
print(json.dumps(block_smb_lateral_movement(), indent=2))
|
||||
elif action == "sinkhole" and len(sys.argv) > 2:
|
||||
print(json.dumps(sinkhole_domain(sys.argv[2]), indent=2))
|
||||
elif action == "collect-evidence":
|
||||
print(json.dumps(collect_volatile_evidence(), indent=2))
|
||||
else:
|
||||
print("Usage: agent.py [block-ip <ip>|disable-account <user>|isolate-host <ip> [mgmt_ip]|block-smb|sinkhole <domain>|collect-evidence]")
|
||||
Reference in New Issue
Block a user