mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 05:59:40 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,88 @@
|
||||
# AWS Credential Exposure Detection API Reference
|
||||
|
||||
## TruffleHog CLI
|
||||
|
||||
```bash
|
||||
# Scan local git repo
|
||||
trufflehog git file:///path/to/repo --json
|
||||
|
||||
# Scan GitHub organization
|
||||
trufflehog github --org my-org --token $GITHUB_TOKEN --json
|
||||
|
||||
# Scan GitHub repo
|
||||
trufflehog git https://github.com/org/repo.git --json
|
||||
|
||||
# Scan filesystem (non-git)
|
||||
trufflehog filesystem /path/to/dir --json
|
||||
|
||||
# Scan S3 bucket
|
||||
trufflehog s3 --bucket my-bucket --json
|
||||
|
||||
# Only show verified credentials
|
||||
trufflehog git file:///repo --only-verified --json
|
||||
```
|
||||
|
||||
## git-secrets CLI
|
||||
|
||||
```bash
|
||||
# Install hooks in repo
|
||||
git secrets --install
|
||||
git secrets --register-aws
|
||||
|
||||
# Scan repo history
|
||||
git secrets --scan-history
|
||||
|
||||
# Scan specific file
|
||||
git secrets --scan /path/to/file
|
||||
|
||||
# Add custom pattern
|
||||
git secrets --add 'PRIVATE KEY'
|
||||
git secrets --add-provider -- cat /path/to/patterns.txt
|
||||
```
|
||||
|
||||
## AWS IAM CLI - Key Management
|
||||
|
||||
```bash
|
||||
# Check key last used
|
||||
aws iam get-access-key-last-used --access-key-id AKIAXXXXXXXXXXXXXXXX
|
||||
|
||||
# List access keys for user
|
||||
aws iam list-access-keys --user-name jsmith
|
||||
|
||||
# Deactivate exposed key
|
||||
aws iam update-access-key --access-key-id AKIAXXXXXXXXXXXXXXXX \
|
||||
--user-name jsmith --status Inactive
|
||||
|
||||
# Delete key
|
||||
aws iam delete-access-key --access-key-id AKIAXXXXXXXXXXXXXXXX \
|
||||
--user-name jsmith
|
||||
|
||||
# Create new key (after rotation)
|
||||
aws iam create-access-key --user-name jsmith
|
||||
```
|
||||
|
||||
## AWS Access Key Regex Patterns
|
||||
|
||||
```
|
||||
Access Key ID: AKIA[A-Z0-9]{16}
|
||||
Temp Key ID: ASIA[A-Z0-9]{16}
|
||||
Secret Key: [A-Za-z0-9/+=]{40}
|
||||
```
|
||||
|
||||
## GuardDuty Credential Findings
|
||||
|
||||
| Finding Type | Description |
|
||||
|-------------|-------------|
|
||||
| `UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS` | Instance creds used outside AWS |
|
||||
| `UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B` | Console login from unusual IP |
|
||||
| `Recon:IAMUser/MaliciousIPCaller.Custom` | API calls from threat intel IPs |
|
||||
|
||||
## AWS CloudTrail - Credential Abuse Queries (Athena)
|
||||
|
||||
```sql
|
||||
SELECT eventtime, useridentity.accesskeyid, sourceipaddress, eventname
|
||||
FROM cloudtrail_logs
|
||||
WHERE useridentity.accesskeyid = 'AKIAXXXXXXXXXXXXXXXX'
|
||||
ORDER BY eventtime DESC
|
||||
LIMIT 100;
|
||||
```
|
||||
Reference in New Issue
Block a user