Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2026-06-13 06:34:57 +03:00 · 2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
@@ -0,0 +1,78 @@
+# Cloud Cryptomining Detection API Reference
+
+## GuardDuty - Cryptocurrency Finding Types
+
+| Finding Type | Signal |
+|-------------|--------|
+| `CryptoCurrency:EC2/BitcoinTool.B!DNS` | EC2 querying crypto domains |
+| `CryptoCurrency:EC2/BitcoinTool.B` | EC2 communicating with mining pools |
+| `CryptoCurrency:Runtime/BitcoinTool.B!DNS` | Container DNS to mining domain |
+| `CryptoCurrency:Runtime/BitcoinTool.B` | Container network to mining pool |
+| `Impact:EC2/BitcoinDomainRequest.Reputation` | Known mining domain access |
+
+## GuardDuty CLI
+
+```bash
+# Get detector ID
+aws guardduty list-detectors --query 'DetectorIds[0]' --output text
+
+# List crypto findings
+aws guardduty list-findings --detector-id $DET \
+  --finding-criteria '{"Criterion":{"type":{"Eq":["CryptoCurrency:EC2/BitcoinTool.B!DNS"]}}}'
+
+# Get finding details
+aws guardduty get-findings --detector-id $DET --finding-ids id1 id2
+```
+
+## AWS Cost Anomaly Detection
+
+```bash
+# Create cost anomaly monitor
+aws ce create-anomaly-monitor --anomaly-monitor '{
+  "MonitorName": "EC2CostSpike",
+  "MonitorType": "DIMENSIONAL",
+  "MonitorDimension": "SERVICE"
+}'
+
+# Create alert subscription
+aws ce create-anomaly-subscription --anomaly-subscription '{
+  "SubscriptionName": "CryptoAlert",
+  "MonitorArnList": ["arn:aws:ce::123456789012:anomalymonitor/monitor-id"],
+  "Subscribers": [{"Address": "soc@company.com", "Type": "EMAIL"}],
+  "Threshold": 100.0,
+  "Frequency": "IMMEDIATE"
+}'
+```
+
+## Known Mining Pool Ports
+
+```
+3333   - Stratum protocol (common)
+4444   - Mining proxy
+5555   - Monero (XMR)
+7777   - Alt-coin mining
+8888   - Multi-pool
+9999   - Mining proxy
+14444  - XMRig default
+45700  - MoneroOcean
+```
+
+## VPC Flow Logs Query (CloudWatch Insights)
+
+```
+fields @timestamp, srcaddr, dstaddr, dstport, action
+| filter dstport in [3333, 4444, 5555, 7777, 14444, 45700]
+| sort @timestamp desc
+| limit 50
+```
+
+## EC2 Instance Remediation
+
+```bash
+# Terminate mining instance
+aws ec2 terminate-instances --instance-ids i-0123456789abcdef0
+
+# Revoke security group ingress on mining ports
+aws ec2 revoke-security-group-ingress --group-id sg-xxx \
+  --protocol tcp --port 3333 --cidr 0.0.0.0/0
+```